Is it possible to route an IP address via VPC peering with an IP address outside the VPC CIDRs?

0

Hello,

I have this VPC.

VPC A - 10.10.0.0/16

  • EC2 instance with an ENI accepting 10.20.1.1 (the source/destination check flag is disabled for this ENI). Let's call this ec2-eni.
  • Route table:
    • 10.20.1.0/24 ec2-eni

Now I have a VPC B with CIDR 10.11.0.0/16 and some EC2 instances running in it. I need to make sure 10.20.1.1 is reachable also from this VPC. I tried peering between the two, and in the route table of VPC B I added:

  • 10.20.1.0/24 A-B-Peering

But it doesn't seem to work. Is there a way to make this work in AWS?

Thanks

asked 2 years ago · 1301 views
1 Answer
0

Maybe it's a typo but the way you've written it, your VPC A is the 10.10.x.x block but it contains a 10.20.x.x instance - that doesn't look right.

Assuming VPC A is actually 10.20.0.0/16, you need the following routes:

  • The route table for the subnet in VPC A containing 10.20.1.1 needs a route directing traffic for 10.11.0.0/16 to the peering connection.
  • The route table for the subnet in VPC B containing your other instance needs a route directing traffic for 10.20.0.0/16 to the peering connection.

That way both requests and responses are handled.

In addition you need your subnet ACLs set appropriately (default should do). And the Security Group egress rules on the instance initiating a request, and the Security Group ingress rules on the instance receiving a request, need to be set up allowing the other SG, instance IP, subnet CIDR or VPC CIDR.

answered 2 years ago (EXPERT)
  • Unfortunately not a typo. For legacy reasons, I really have a 10.20.1.1 in a 10.10.0.0 subnet. Inside the subnet this works thanks to the ENI. Wondering if peering is possible though.

  • Oh I see. In short no, you can't do this with VPC Peering as it's not transitive. The traffic doesn't originate or terminate on a network interface in the VPC, so there's no associated route table directing traffic for the next hop, which looks like what you need (10.20.1.0/24 ec2-eni). Transit Gateway can do this if that suits your environment. Another option that may be worth exploring is using part of the "Transit VPC" strategy that pre-dates Transit Gateway. Basically you could put a VGW in one VPC and make a VPN connection between it and VPN software running in an EC2 instance (or preferably two for redundancy) in the other VPC.
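
The two route-table conditions discussed in this thread (a peering route must point at an address inside the peer VPC's own CIDR, and the peer needs a return route over the same peering) can be checked offline before touching the console. The script below is an added example, not code from the question or the answer; the VPC ids, the peering id `pcx-ab` and the route tables are constructed to mirror the scenario above, and the ENI target name `eni-ec2` is hypothetical.

```python
import ipaddress

# Constructed sample data modelled on the question (all ids are hypothetical).
VPC_CIDRS = {
    "vpc-a": ["10.10.0.0/16"],
    "vpc-b": ["10.11.0.0/16"],
}
# Peering connection id -> the two VPCs it joins.
PEERINGS = {"pcx-ab": ("vpc-a", "vpc-b")}
# Effective route table per VPC: list of (destination CIDR, target).
ROUTE_TABLES = {
    "vpc-a": [("10.10.0.0/16", "local"), ("10.20.1.0/24", "eni-ec2"),
              ("10.11.0.0/16", "pcx-ab")],
    "vpc-b": [("10.11.0.0/16", "local"), ("10.20.1.0/24", "pcx-ab"),
              ("10.10.0.0/16", "pcx-ab")],
}


def _peer_of(pcx, vpc, peerings):
    a, b = peerings[pcx]
    return b if vpc == a else a


def _covered(cidr, cidrs):
    # True when `cidr` lies entirely inside one of `cidrs`.
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(ipaddress.ip_network(c)) for c in cidrs)


def audit_peering_routes(vpc_cidrs, peerings, route_tables):
    """Return findings for peering routes that cannot work.

    1. A route via a peering whose destination is outside the peer VPC's
       CIDRs: peering only carries traffic for the peer's own address space,
       so an ENI-proxied block such as 10.20.1.0/24 is never forwarded.
    2. The peer has no return route for this VPC's CIDR over the same
       peering: requests arrive, replies are dropped.
    """
    findings = []
    for vpc, table in route_tables.items():
        used = set()
        for dest, target in table:
            if target not in peerings:
                continue
            used.add(target)
            peer = _peer_of(target, vpc, peerings)
            if not _covered(dest, vpc_cidrs[peer]):
                findings.append(f"{vpc}: {dest} via {target} is outside {peer} CIDRs {vpc_cidrs[peer]}")
        for pcx in sorted(used):
            peer = _peer_of(pcx, vpc, peerings)
            back = [d for d, t in route_tables[peer] if t == pcx]
            for own in vpc_cidrs[vpc]:
                if not _covered(own, back):
                    findings.append(f"{peer}: no return route for {vpc} CIDR {own} via {pcx}")
    return findings
```

Running `audit_peering_routes(VPC_CIDRS, PEERINGS, ROUTE_TABLES)` on the sample data flags only VPC B's 10.20.1.0/24 route, which is exactly the route the question says does not work.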
