I am trying to setup a barebones VPC connection within the same AWS account.

  • VPC-A and Subnet-A have CIDR: 10.200.1.0/24
  • VPC-B and Subnet-B have CIDR: 10.200.2.0/24

Each VPC contains one EC2 instance

  • 10.200.1.17 (in VPC-A, Subnet-A), let's call it EC2-A
  • 10.200.2.67 (in VPC-B, Subnet-B), let's call it EC2-B

I have added the following route to the route table that is associated with both VPC-A and Subnet-A, which should route traffic from VPC-A to VPC-B based on the CIDR range of VPC-B

  • (Dest | Target): 10.200.2/24 | PCX-123

(where PCX-123 is the ID of the VPC Peering Connection)

The security groups associated with EC2-A and EC2-B allow all inbound and outbound traffic.

NACLs for both networks are allowing all traffic.

When I SSH into EC2-A and try to ping EC2-B, I get a timeout.

ping 10.200.2.67
...
...
... timeout

What am I missing?

FYI

  1. I tried asking on Stack Overflow, but it was deemed off topic.
  2. Yes, it is conceptually the same question as cannot ping ec2 in another vpc through peer connection, but this question is dead, the asker never responded or followed up.
James Wierzba

  • When you say the security groups allow "all inbound and outbound traffic", have you specifically allowed ICMP traffic, not just TCP/UDP? – ceejayoz Apr 24 '19 at 23:38
  • @ceejayoz I've enabled both ICMP and TCP for all ports and IPs. Also, I tried other methods of verifying connectivity (I tried to SSH from EC2-A to EC2-B, and still no luck) – James Wierzba Apr 24 '19 at 23:45
  • *"I have added the following route to the route table"* ...but did you add a similar route in the other VPC to handle the traffic in the other direction? You need symmetric route table entries. – Michael - sqlbot Apr 25 '19 at 13:19
  • @Michael-sqlbot why? I thought route table was for routing egress traffic only?? – James Wierzba Apr 25 '19 at 18:29
  • @JamesWierzba that's true from a packet perspective. And on the other side of the peering connection, the reply traffic is egress traffic and needs to know how to find its destination (the original source). – Michael - sqlbot Apr 25 '19 at 20:55
  • @Michael-sqlbot -- that was the answer, thank you! – James Wierzba Apr 26 '19 at 18:38
  • @Michael-sqlbot We should put this as an answer to the question for future readers. Would you like to do it? Since you found the solution. – James Wierzba Apr 26 '19 at 19:30
  • @JamesWierzba thanks for the confirmation. Answer posted. Welcome to Server Fault. – Michael - sqlbot Apr 26 '19 at 20:14

1 Answer

VPC peering requires symmetrical route table entries -- the tables on each side of the peering connection need a route pointing across the peering connection to the other side.

To send traffic from your instance to an instance in a peer VPC using private IPv4 addresses, you must add a route to the route table that's associated with the subnet in which the instance resides.

...

The owner of the other VPC in the peering connection must also add a route to their subnet's route table to direct traffic back to your VPC.

http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-peering-routing.html

(This still holds true when the same account is the owner of both VPCs.)

Michael - sqlbot
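A check for the symmetric-route condition this answer describes, as an added example that is not part of the original answer or of any AWS tooling. It runs offline over a constructed sample shaped like the Routes list returned by `aws ec2 describe-route-tables`; the route table IDs are hypothetical, while the CIDRs and pcx-123 mirror the question, with VPC-B's return route left out to reproduce the asker's situation.

```python
import ipaddress

# Constructed sample modelled on `aws ec2 describe-route-tables` output (only the
# fields the check needs). Route table IDs are hypothetical; CIDRs and the peering
# ID follow the question. VPC-A routes to VPC-B, but VPC-B has no return route.
ROUTE_TABLE_A = {"RouteTableId": "rtb-aaaa1111", "Routes": [
    {"DestinationCidrBlock": "10.200.1.0/24", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "10.200.2.0/24", "VpcPeeringConnectionId": "pcx-123", "State": "active"},
]}
ROUTE_TABLE_B = {"RouteTableId": "rtb-bbbb2222", "Routes": [
    {"DestinationCidrBlock": "10.200.2.0/24", "GatewayId": "local", "State": "active"},
    # missing: 10.200.1.0/24 -> pcx-123, so replies from EC2-B never reach EC2-A
]}


def has_peer_route(table, peer_cidr, pcx_id):
    """True if an active route covering peer_cidr targets the peering connection pcx_id."""
    want = ipaddress.ip_network(peer_cidr)
    for route in table["Routes"]:
        dest = route.get("DestinationCidrBlock")  # IPv6 routes use a different key; skipped
        if dest is None or route.get("State", "active") != "active":  # ignore blackholed routes
            continue
        if route.get("VpcPeeringConnectionId") != pcx_id:
            continue
        # A broader route (e.g. 10.200.0.0/16) via the peering connection also qualifies.
        if want.subnet_of(ipaddress.ip_network(dest)):
            return True
    return False


def check_symmetry(table_a, a_cidr, table_b, b_cidr, pcx_id):
    """Return a list describing each missing direction; an empty list means both sides route."""
    missing = []
    if not has_peer_route(table_a, b_cidr, pcx_id):
        missing.append(f"{table_a['RouteTableId']}: no route to {b_cidr} via {pcx_id}")
    if not has_peer_route(table_b, a_cidr, pcx_id):
        missing.append(f"{table_b['RouteTableId']}: no route to {a_cidr} via {pcx_id}")
    return missing


if __name__ == "__main__":
    problems = check_symmetry(ROUTE_TABLE_A, "10.200.1.0/24", ROUTE_TABLE_B, "10.200.2.0/24", "pcx-123")
    for problem in problems:
        print("MISSING:", problem)
    if not problems:
        print("peering routes are symmetric")
```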