
My public IP address (of my personal computer), from which I access the internet, is in the 112.110.x.x range. As an experiment, I created a VPC in AWS and chose 112.110.0.0/16 as the CIDR block. In the route table, destination 112.110.0.0/16 has the target "local". I launched an EC2 instance in this VPC, which uses the CIDR block 112.110.0.0/16 for internal IP assignment. Now I am unable to connect to this instance from my local computer, even though the NACL allows 0/0 inbound and outbound traffic and I've even allowed 0/0 traffic in the instance's Security Group.

I want to know:

  1. Do route tables reserve the CIDR block's IP addresses for both inbound and outbound connections, and block all incoming internet traffic (from outside the private network) from any IP address that falls within the reserved range of the CIDR block?

  2. Is there any way for me to connect to this instance from my local computer directly, without using a VPN or a bastion host?

  • Please don't obfuscate IP addresses; we don't like to guess. This range is advertised on the Internet in smaller prefixes than a /16, but which one are you from? – John Mahowald Jul 17 '19 at 11:56
  • Hey @JohnMahowald, sorry for that. Why do the last two decimal places of the IP address matter for my question? – Sanjay Vig Jul 17 '19 at 12:07
  • Because 112.110.0.0/16 is advertised as smaller prefixes on the Internet. Just don't obfuscate at all; it's simpler. If you must make something up, use the documentation prefixes, which are obviously fake. – John Mahowald Jul 17 '19 at 12:13
  • @JohnMahowald Pardon my inexperience. I am unable to understand what you mean by "112.110.0.0/16 is advertised as smaller prefixes". It would be a great help if you could explain this and also give me an example of how I should have put this question without obfuscation. – Sanjay Vig Jul 17 '19 at 14:35
  • Check the BGP routing tables. https://bgp.he.net/ip/112.110.8.1, for example, is 112.110.8.0/21. Not only is this prefix not yours, it is more specific. So it probably never gets to AWS, gets routed back to your ISP, hits some customer's firewall, and is dropped. – John Mahowald Jul 18 '19 at 11:03
  • Provide all bits of an address; this applies to both IPv4 and IPv6. To pick an arbitrary address from that subnet, 112.110.4.42. Hiding some bits adds zero security and only makes diagnosing problems more difficult. – John Mahowald Jul 18 '19 at 11:11

1 Answer

That 112.110.x.x range belongs to Idea Cellular Ltd; you shouldn't use it in your VPC. Instead, choose one of the reserved "private IP ranges" (RFC1918): 10.0.0.0/16, 172.16.0.0/12 or 192.168.0.0/16.

Having said that you should still be able to connect to your EC2 instance.

  1. Make sure it's got a public IP address assigned; it will probably be something like 3.x.x.x or 52.x.x.x.

  2. Find out your public IP address, for example through ifconfig.co. Let's say it's 112.110.12.34.

  3. In your VPC route table add a route for your public IP (e.g. 112.110.12.34) via your IGW.

That should work. However, I strongly advise against using non-RFC1918 addresses in your VPC; it's only asking for trouble.

Hope that helps :)

– MLu
  • So that means it's safe to use the RFC1918 suggested private IP ranges? I mean, no one in the world would be using those IP address ranges on the internet/global network? – Sanjay Vig Jul 17 '19 at 12:03
  • RFC 1918 addresses are, by agreement, never advertised on the Internet. – Ron Trunk Jul 17 '19 at 15:11
  • @SanjayVig those three RFC1918 ranges are specifically reserved for private networks and will never be advertised on the global internet. – MLu Jul 17 '19 at 21:45
  • @RonTrunk and MLu Thanks for the clarification! – Sanjay Vig Jul 18 '19 at 06:35
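The following is an added worked example in Python, not code from the original question or answer. It models the question's situation with a longest-prefix route lookup over a constructed copy of the VPC route table, checks a candidate VPC CIDR against the RFC 1918 blocks the answer recommends, and applies the answer's step 3 (a /32 route for the client's public address via the IGW). The client address 112.110.12.34 is the one the answer uses; the gateway id igw-EXAMPLE is a placeholder, not a real identifier. One correction in my own voice: RFC 1918 reserves all of 10.0.0.0/8, of which the 10.0.0.0/16 mentioned in the answer is one slice.

```python
import ipaddress

# RFC 1918 reserves these three blocks for private networks; by agreement they
# are never advertised on the global Internet, so a VPC built from them cannot
# overlap a client's public address. (The answer above lists 10.0.0.0/16; the
# RFC's block is the whole 10.0.0.0/8.)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True if every address of `cidr` lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def lookup(route_table, dst):
    """Longest-prefix match, which is how a VPC route table picks a target.

    route_table is a list of (destination_cidr, target) pairs in any order;
    the most specific matching destination wins, so 0.0.0.0/0 is used only
    when nothing narrower covers `dst`. Returns the target, or None.
    """
    ip = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


# Constructed route table matching the question: VPC CIDR 112.110.0.0/16 with
# its implicit "local" route, plus a default route to an Internet gateway.
# "igw-EXAMPLE" is a placeholder, not a real gateway id.
IGW = "igw-EXAMPLE"
BAD_TABLE = [
    ("112.110.0.0/16", "local"),
    ("0.0.0.0/0", IGW),
]

# Same layout with an RFC 1918 VPC CIDR, as the answer recommends.
GOOD_TABLE = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", IGW),
]


def reply_target(route_table, client_ip):
    """Where the VPC sends the instance's reply (e.g. the SYN-ACK) to `client_ip`.

    With BAD_TABLE and a client inside 112.110.0.0/16 this is "local": the
    reply stays in the VPC looking for a non-existent instance and never
    reaches the IGW, so the connection times out even though the NACL and the
    security group allow everything.
    """
    return lookup(route_table, client_ip)


def with_client_route(route_table, client_ip, igw):
    """The answer's step 3: add a /32 route for the client's public address via
    the IGW. Being more specific than the /16, it wins the longest-prefix match."""
    return route_table + [(f"{client_ip}/32", igw)]


if __name__ == "__main__":
    client = "112.110.12.34"  # the answer's example client address
    print("112.110.0.0/16 is RFC 1918:", is_rfc1918("112.110.0.0/16"))
    print("reply to client with overlapping VPC CIDR ->", reply_target(BAD_TABLE, client))
    print("reply after adding the /32 route          ->",
          reply_target(with_client_route(BAD_TABLE, client, IGW), client))
    print("reply with an RFC 1918 VPC CIDR           ->", reply_target(GOOD_TABLE, client))
```

Run stand-alone, the script shows the reply to the client going "local" with the overlapping CIDR, going to the IGW once the /32 route is added, and going to the IGW with no extra route at all when the VPC uses an RFC 1918 range. The same longest-prefix rule is what John Mahowald's comment describes on the Internet side: a /21 announcement for 112.110.8.0 is more specific than any /16, so traffic follows it rather than anything AWS could announce.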