Can’t ping ec2 instance from another ec2 instance in another account

amazon-vpc, amazon-web-services, networking

I want to establish a host-to-host libreswan IPsec VPN. I have done the following.

  1. Created Ubuntu instance ubuntu-1 in the default VPC of the 1st account.
  2. Assigned an EIP and a security group to my Ubuntu instance allowing TCP port 1701, UDP ports 4500 and 500, and enabled all ICMP from anywhere.
  3. Created Ubuntu instance ubuntu-2 in a non-default VPC, in a public subnet, of the 2nd account.
  4. Assigned an EIP and a security group to the Ubuntu instance allowing TCP port 1701, UDP ports 4500 and 500, and enabled all ICMP from anywhere.

I am able to ping ubuntu-2 from the ubuntu-1 instance; however, I am not able to ping ubuntu-1 from the ubuntu-2 instance.

I am not sure what is wrong with my ubuntu-2 instance. It has an internet gateway attached to its public subnet. All the security group rules are mirrored for both servers.

Best Answer

Instance security depends on the Security Group. In your scenario, as you mentioned, you have already allowed ICMP from anywhere in both of your security groups. Another security aspect we can consider is the Network ACL. Network ACLs are stateless. You should check the Network ACLs for the ubuntu-2 instance's subnet. ICMP is a request-and-response kind of protocol, so both the inbound and the outbound rule should be allowed by the Network ACL of ubuntu-2's subnet.
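The stateless-NACL point above can be checked mechanically. The following is an added example (not part of the answer or of any AWS tooling) that evaluates a subnet's ACL entries the way AWS does for a ping: lowest rule number first, first match wins, and both the inbound echo request and the outbound echo reply must be allowed. The entries are constructed in the shape of `aws ec2 describe-network-acls` output and assume an ACL that allows ICMP in but has no matching outbound rule.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-network-acls` Entries
# (assumption: what ubuntu-2's subnet ACL might look like). Inbound ICMP is
# allowed, but outbound only allows TCP ephemeral ports, so the echo reply
# falls through to the catch-all deny (rule 32767, shown as "*" in the console).
SAMPLE_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "1", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "IcmpTypeCode": {"Type": -1, "Code": -1}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True,
     "CidrBlock": "0.0.0.0/0"},
]


def icmp_decision(entries, egress, peer_ip, icmp_type):
    """Return 'allow' or 'deny' for one direction of ICMP traffic.
    NACL semantics: evaluate entries in ascending RuleNumber order and
    stop at the first entry whose CIDR, protocol and ICMP type match."""
    peer = ipaddress.ip_address(peer_ip)
    for e in sorted((x for x in entries if x["Egress"] == egress),
                    key=lambda x: x["RuleNumber"]):
        if peer not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        if e["Protocol"] not in ("-1", "1"):   # -1 = all traffic, 1 = ICMP
            continue
        tc = e.get("IcmpTypeCode", {"Type": -1, "Code": -1})  # -1 = any type
        if tc["Type"] not in (-1, icmp_type):
            continue
        return e["RuleAction"]
    return "deny"   # defensive: the 32767 catch-all should always match


def ping_allowed(entries, peer_ip):
    """A ping needs the echo request (type 8) allowed inbound AND the echo
    reply (type 0) allowed outbound, because the ACL keeps no state."""
    inbound = icmp_decision(entries, False, peer_ip, 8)
    outbound = icmp_decision(entries, True, peer_ip, 0)
    return inbound == "allow" and outbound == "allow", inbound, outbound


if __name__ == "__main__":
    # Peer address is a constructed documentation-range value.
    print(ping_allowed(SAMPLE_ENTRIES, "203.0.113.10"))
```

To test the remedy, add an outbound entry with a rule number below 32767 that allows ICMP and re-run `ping_allowed`.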