
Ping Google from Azure VM via AWS EC2 (BGP VPN) fails – traffic drops on AWS side

0

Hi, I'm setting up a site-to-site VPN between Azure and AWS using BGP dynamic routing. My goal is to route internet-bound traffic from an Azure VM via an EC2 instance in AWS (acting as a NAT or gateway). The VPN is up, and BGP routes are exchanged correctly.

Setup:
  • Azure: VPN Gateway with BGP enabled.
  • AWS: Site-to-Site VPN with a VGW, and a NAT-enabled EC2 instance in a private subnet. Public subnet has IGW.
  • BGP routing: verified Azure is advertising routes to AWS and receiving AWS routes correctly.

Verified Security Groups and NACLs allow the traffic. Ping from Azure VM to EC2 is working fine. Confirmed that EC2 instance has proper IP forwarding and NAT rules. Verified route table in AWS has proper entries for the Azure subnet pointing to VGW. Tunnel is UP, and BGP routes look fine.

Issue: When I ping google.com from the Azure VM: Azure sends traffic via the VPN tunnel to AWS (confirmed via packet capture / flow logs). But traffic appears to get dropped in AWS—no reply is received. EC2 instance is not seeing the ping.

1 Answer
0

Based on your description, it sounds like you have a routing issue within AWS that's preventing the traffic from your Azure VM from reaching the internet via your EC2 instance. Here are some potential causes and solutions:

  1. Source/Destination Check: If your EC2 instance is acting as a NAT or router, you need to disable the "Source/Destination Check" on its network interface. By default, EC2 instances verify that they're the source or destination of any traffic they receive. When an instance acts as a router, it needs to be able to send and receive traffic where it's neither the source nor the destination.

  2. Asymmetric Routing: Your VPN might be experiencing asymmetric routing issues. This happens when traffic enters through one path (like one VPN tunnel) but returns via another path. If both tunnels are in an Active/Active configuration, you may need to ensure your EC2 instance supports asymmetric routing.

  3. NAT Configuration: Verify that your EC2 instance is properly configured for NAT masquerade. The instance needs to correctly translate the source IP addresses of packets from your Azure VM to its own IP address when forwarding them to the internet.

  4. Route Tables: While you've verified that the route table has entries for the Azure subnet pointing to the VGW, also check that:

  • The subnet where your EC2 instance resides has a route to the internet (0.0.0.0/0) via an Internet Gateway
  • The EC2 instance has a route back to your Azure network via the VGW

  5. Firewall Rules: Even though you've verified security groups and NACLs, double-check that your EC2 instance's OS-level firewall (like iptables if it's Linux) is configured to allow forwarding traffic.

  6. MTU Issues: VPN connections can sometimes cause issues with packet sizes. Try adjusting the MTU on your Azure VM to a lower value (e.g., 1400 or 1300) to see if that resolves the issue.

Since you mentioned the EC2 instance is not seeing the ping traffic at all, I would first focus on checking the route tables and ensuring the Source/Destination Check is disabled on your EC2 instance.
Sources
EC2 Instances in eu-south-2 Subnet Cannot Access Internet Despite Correct NAT and Routing Setup. | AWS re:Post
ec2 instance not routing through virtual private gateway | AWS re:Post
VPN stopped working - not receiving ESP traffic back from AWS | AWS re:Post

answered 10 months ago
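The answer's first three AWS-side checks (source/destination check disabled on the NAT instance's interface, a 0.0.0.0/0 route via an Internet Gateway from that instance's subnet, and a route back to the Azure prefix via the VGW) can be evaluated mechanically against the JSON the AWS CLI prints. The script below is an added example, not code from the thread or from AWS; it assumes the field names of `aws ec2 describe-network-interfaces` and `aws ec2 describe-route-tables` output (`SourceDestCheck`, `Routes`, `DestinationCidrBlock`, `GatewayId`, `Associations`), and the sample documents and resource IDs in it are constructed placeholders.

```python
"""Check the AWS-side routing preconditions for an EC2 NAT instance
reached over a VGW, using AWS CLI JSON as input.

Added example (not from the re:Post thread). Input shapes follow the
output of `aws ec2 describe-network-interfaces` and
`aws ec2 describe-route-tables`; the documents below are constructed and
every resource ID is a placeholder.
"""
import copy
import ipaddress
import json

AZURE_CIDR = "10.2.0.0/24"  # constructed: the Azure VNet prefix learnt via BGP

# Constructed: one element of NetworkInterfaces[] for the NAT instance's ENI,
# still in the default state (source/destination check enabled).
NAT_ENI = json.loads("""
{"NetworkInterfaceId": "eni-0PLACEHOLDER", "SubnetId": "subnet-0PLACEHOLDER",
 "SourceDestCheck": true, "PrivateIpAddress": "10.1.1.10"}
""")

# Constructed: RouteTables[] for the VPC. The Azure prefix is present (VGW
# propagation), but the subnet has no default route to an Internet Gateway.
ROUTE_TABLES = json.loads("""
[{"RouteTableId": "rtb-0PLACEHOLDER",
  "Associations": [{"SubnetId": "subnet-0PLACEHOLDER"}],
  "Routes": [
    {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "10.2.0.0/24", "GatewayId": "vgw-0PLACEHOLDER",
     "Origin": "EnableVgwRoutePropagation", "State": "active"}
  ]}]
""")


def route_table_for_subnet(route_tables, subnet_id):
    """Return the table explicitly associated with subnet_id, falling back
    to the VPC main table (an association flagged "Main": true)."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def matching_route(route_table, destination_ip):
    """Longest-prefix match over the table's active IPv4 routes, which is
    how the VPC router picks a target. Returns the route dict or None."""
    ip = ipaddress.ip_address(destination_ip)
    best, best_len = None, -1
    for route in route_table.get("Routes", []):
        cidr = route.get("DestinationCidrBlock")
        if not cidr or route.get("State") == "blackhole":
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        if ip in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def check_nat_instance_path(eni, route_tables, azure_cidr, probe_ip="8.8.8.8"):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    if eni.get("SourceDestCheck", True):
        findings.append(f"{eni['NetworkInterfaceId']}: source/destination check is still enabled")
    rt = route_table_for_subnet(route_tables, eni["SubnetId"])
    if rt is None:
        return findings + [f"{eni['SubnetId']}: no route table found"]
    # Internet-bound traffic from the NAT instance's subnet must hit an IGW.
    out = matching_route(rt, probe_ip)
    if not out or not str(out.get("GatewayId", "")).startswith("igw-"):
        findings.append(f"{rt['RouteTableId']}: no 0.0.0.0/0 route via an Internet Gateway")
    # Replies to the Azure VM must go back through the VGW.
    azure_host = str(next(ipaddress.ip_network(azure_cidr).hosts()))
    back = matching_route(rt, azure_host)
    if not back or not str(back.get("GatewayId", "")).startswith("vgw-"):
        findings.append(f"{rt['RouteTableId']}: no route back to {azure_cidr} via the VGW")
    return findings


def fixed_inputs():
    """Apply the two fixes the answer recommends to copies of the sample data:
    disable the source/destination check and add a default route via an IGW."""
    eni = copy.deepcopy(NAT_ENI)
    tables = copy.deepcopy(ROUTE_TABLES)
    eni["SourceDestCheck"] = False
    tables[0]["Routes"].append({"DestinationCidrBlock": "0.0.0.0/0",
                                "GatewayId": "igw-0PLACEHOLDER", "State": "active"})
    return eni, tables


if __name__ == "__main__":
    for label, (eni, tables) in (("before", (NAT_ENI, ROUTE_TABLES)), ("after", fixed_inputs())):
        print(label, check_nat_instance_path(eni, tables, AZURE_CIDR) or ["all checks passed"])
```

With real data, save the two CLI outputs to files and pass `NetworkInterfaces[0]` and `RouteTables` from them to `check_nat_instance_path`. The script only covers the control-plane side; the answer's iptables forwarding, NAT masquerade and MTU points still have to be verified on the instance itself.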
