Hello.
Do you allow ICMP in the inbound rules of the security groups of the EC2 instances running in each subnet?
Please try configuring each EC2 security group as described in the document below.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html#sg-rules-ping
Also, check that the VPC CIDR route is registered as local in the subnet route table.
Please check that the network ACL allows all communication.
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
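To make the three checks in this answer concrete, here is an added example (not code from the answer above or from AWS) that models how a ping between two subnets of one VPC is evaluated: the local route covers the whole VPC CIDR, the security group is stateful (an allowed echo request implies an allowed reply), and the network ACL is stateless, so the ICMP echo reply (type 0) is checked against the outbound rules of the destination subnet and the inbound rules of the source subnet as a new flow. The VPC CIDR, addresses, rule sets and the three scenario functions are all constructed for the illustration.

```python
from ipaddress import ip_address, ip_network

VPC_CIDR = "10.0.0.0/16"  # assumed VPC; its local route reaches every subnet in it

def _rule_matches(rule, proto, peer_ip, icmp_type):
    # A rule matches when protocol, ICMP type (-1 = all) and peer CIDR all match.
    proto_ok = rule["proto"] in ("-1", proto)
    type_ok = proto != "icmp" or rule.get("icmp_type", -1) in (-1, icmp_type)
    return proto_ok and type_ok and ip_address(peer_ip) in ip_network(rule["cidr"])

def sg_allows(sg, direction, proto, peer_ip, icmp_type):
    # Security group: unordered allow rules only; any match permits the flow.
    return any(_rule_matches(r, proto, peer_ip, icmp_type) for r in sg[direction])

def nacl_decides(nacl, direction, proto, peer_ip, icmp_type):
    # Network ACL: numbered rules, lowest first, first match wins, implicit deny.
    for r in sorted(nacl[direction], key=lambda r: r["num"]):
        if _rule_matches(r, proto, peer_ip, icmp_type):
            return r["action"]
    return "deny"

def route_target(route_table, dst_ip):
    # Longest-prefix match; the VPC CIDR entry is the "local" route.
    best = None
    for cidr, target in route_table:
        net = ip_network(cidr)
        if ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def ping_path(src, dst):
    """Return the list of checks that would drop a ping from src to dst ([] = ping works)."""
    problems = []
    if route_target(src["route_table"], dst["ip"]) != "local":
        problems.append("no local route from source subnet to destination")
    # Echo request (ICMP type 8): out of the source host, into the destination host.
    if not sg_allows(src["sg"], "outbound", "icmp", dst["ip"], 8):
        problems.append("request denied by source SG outbound")
    if nacl_decides(src["nacl"], "outbound", "icmp", dst["ip"], 8) != "allow":
        problems.append("request denied by source NACL outbound")
    if nacl_decides(dst["nacl"], "inbound", "icmp", src["ip"], 8) != "allow":
        problems.append("request denied by destination NACL inbound")
    if not sg_allows(dst["sg"], "inbound", "icmp", src["ip"], 8):
        problems.append("request denied by destination SG inbound")
    # Echo reply (ICMP type 0): security groups are stateful and are not consulted
    # again, but both network ACLs evaluate the reply as a brand-new flow.
    if nacl_decides(dst["nacl"], "outbound", "icmp", src["ip"], 0) != "allow":
        problems.append("reply denied by destination NACL outbound")
    if nacl_decides(src["nacl"], "inbound", "icmp", dst["ip"], 0) != "allow":
        problems.append("reply denied by source NACL inbound")
    return problems

# Constructed configuration: two subnets in different AZs of the same VPC.
LOCAL_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-example")]
ALLOW_ALL_NACL = {
    "inbound": [{"num": 100, "proto": "-1", "cidr": "0.0.0.0/0", "action": "allow"}],
    "outbound": [{"num": 100, "proto": "-1", "cidr": "0.0.0.0/0", "action": "allow"}],
}
SG_WITH_ICMP = {"inbound": [{"proto": "icmp", "icmp_type": -1, "cidr": VPC_CIDR}],
                "outbound": [{"proto": "-1", "cidr": "0.0.0.0/0"}]}
SG_NO_ICMP = {"inbound": [{"proto": "tcp", "cidr": VPC_CIDR}],
              "outbound": [{"proto": "-1", "cidr": "0.0.0.0/0"}]}

def make_host(ip, sg, nacl):
    return {"ip": ip, "sg": sg, "nacl": nacl, "route_table": LOCAL_RT}

def scenario_working():
    return ping_path(make_host("10.0.1.10", SG_WITH_ICMP, ALLOW_ALL_NACL),
                     make_host("10.0.2.20", SG_WITH_ICMP, ALLOW_ALL_NACL))

def scenario_sg_missing_icmp():
    # Destination security group has no ICMP inbound rule: the request is dropped.
    return ping_path(make_host("10.0.1.10", SG_WITH_ICMP, ALLOW_ALL_NACL),
                     make_host("10.0.2.20", SG_NO_ICMP, ALLOW_ALL_NACL))

def scenario_stateless_nacl():
    # Destination NACL allows ICMP in but only TCP out: the reply is dropped.
    half_open = {"inbound": ALLOW_ALL_NACL["inbound"],
                 "outbound": [{"num": 100, "proto": "tcp", "cidr": "0.0.0.0/0", "action": "allow"}]}
    return ping_path(make_host("10.0.1.10", SG_WITH_ICMP, ALLOW_ALL_NACL),
                     make_host("10.0.2.20", SG_WITH_ICMP, half_open))

if __name__ == "__main__":
    for name in ("scenario_working", "scenario_sg_missing_icmp", "scenario_stateless_nacl"):
        print(name, globals()[name]() or "ping works")
```

The third scenario is the one that is easy to miss: a network ACL that allows ICMP inbound but not outbound lets the request through and silently drops the reply, which looks identical to a missing security-group rule from the pinging host.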
Firstly, regarding routing between subnets in different AZs of the same VPC: you don't need to configure routing between subnets. Every route table contains a local route for communication within the VPC. This route is added by default to all route tables. If your VPC has more than one IPv4 CIDR block, your route tables contain a local route for each IPv4 CIDR block. More details can be found here: https://docs.aws.amazon.com/vpc/latest/userguide/subnet-route-tables.html#route-table-routes
Secondly, regarding communication not working: this could be due to the following reasons.
- Security Groups on Source and Destination: Please verify the SG rules (Inbound and Outbound) are configured correctly on Source and Destination to allow the desired communication. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html
- NACL Rules on subnet level: Please verify the NACL rules on Source and Destination subnets are configured correctly to allow the desired communication. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
- OS Firewall: Verify if there are any OS level Firewall rules which are blocking the connectivity.
You can utilize AWS VPC flow logs to verify if restrictive SG or NACL rules are blocking the connectivity. https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html#flow-log-example-security-groups
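An added example of the flow-log check this answer points to (not code from the answer or from AWS): it parses default-format (version 2) VPC flow log records and applies the stateful/stateless distinction from the linked AWS page. Because a security group never rejects the reply to a request it accepted, a REJECT record whose reverse flow on the same ENI was ACCEPTed points at a network ACL missing its return-traffic rule; a REJECT with no accepted reverse flow means the request itself was blocked on the way in. The three log lines, the account ID and the ENI ID are constructed for the example.

```python
from collections import defaultdict

# Field order of the default flow log format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_record(line):
    """Parse one default-format VPC flow log record into a dict of typed fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[k] = int(rec[k]) if rec[k] != "-" else None  # '-' appears on NODATA/SKIPDATA
    return rec

def classify_rejects(lines):
    """Return {(eni, src, dst, proto): verdict} for every REJECT record in lines."""
    recs = [parse_record(l) for l in lines if l.strip() and not l.startswith("#")]
    # Group records by ENI, unordered address pair and protocol so that a flow
    # and its reverse land in the same bucket.
    by_pair = defaultdict(list)
    for r in recs:
        key = (r["interface_id"], frozenset((r["srcaddr"], r["dstaddr"])), r["protocol"])
        by_pair[key].append(r)
    verdicts = {}
    for group in by_pair.values():
        for r in group:
            if r["action"] != "REJECT":
                continue
            reverse_accepted = any(
                o["action"] == "ACCEPT"
                and o["srcaddr"] == r["dstaddr"] and o["dstaddr"] == r["srcaddr"]
                for o in group)
            flow = (r["interface_id"], r["srcaddr"], r["dstaddr"], r["protocol"])
            if reverse_accepted:
                # Security groups are stateful, so only a network ACL can reject
                # the reply to a flow that was accepted in the other direction.
                verdicts[flow] = ("response rejected after request was accepted: "
                                  "network ACL (stateless) lacks the return-traffic rule")
            else:
                verdicts[flow] = ("request rejected: check inbound security group "
                                  "and network ACL rules toward the destination")
    return verdicts

# Constructed sample: protocol 1 is ICMP; ports are 0 for ICMP records.
# Lines 1-2: 10.0.1.10 pings 10.0.2.20, request accepted, reply rejected.
# Line 3:    10.0.3.30 pings 10.0.2.20, request rejected outright.
SAMPLE_LINES = [
    "2 123456789012 eni-0123456789abcdef0 10.0.1.10 10.0.2.20 0 0 1 4 336 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0123456789abcdef0 10.0.2.20 10.0.1.10 0 0 1 4 336 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0123456789abcdef0 10.0.3.30 10.0.2.20 0 0 1 3 252 1700000000 1700000060 REJECT OK",
]

def demo():
    return classify_rejects(SAMPLE_LINES)

if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(flow, "->", verdict)
```

The verdicts are a heuristic: flow logs do not say which resource rejected a packet, and a request and its reply can fall into different aggregation intervals, so treat a "request rejected" verdict as a pointer to the inbound SG and NACL rules rather than proof of which one is at fault.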