If you have a simple VPC with 1 public and 1 private subnet and you are able to connect to internet from ec2 instances running in your public subnet but not your private subnet instances, then check the following:-
- Check your NAT instance to see if "source/destination" check is disabled
- Check to see if your VPC route tables have been created correctly with main route table not being explicitly associated with a subnet
- Check to see if your secondary route table has association with the internet gateway (igw-*) and is shown as "Active"
- Check to see if your secondary route table has "subnet association" to the public subnet CIDR as you have defined when you created the VPC
NOTE - If you need the instances in your private subnet to use IGW instead of NAT for outbound traffic, then you will need to add your private subnet to this "subnet association" table above. e.g. (10.98.1.0/24).
- Once all of the above have been checked, then most likely it an ingress port issue on your NAT instance's security group. You have to make sure to add the private subnet(s) CIDR in the "inbound" port rules of your NAT instance security group (assuming your NAT instance is not part of "default" VPC security group)
NOTE - In future if you add additional subnets to your VPC, you will have to explicitly add the CIDR block of the new subnet in the ingress security rules of the NAT sg. You may also add the entire CIDR block of the VPC if you want to automatically add all subnets to connect through NAT instance.
Running a simple telnet could confirm whether you now have access to internet after making the above changes.
No comments:
Post a Comment