Amazon VPC – How to Access Internal ELB from a Peered VPC

amazon-vpcamazon-web-servicesinternal-dnsnetworkingrouting

I have two AWS VPCs in the same region. VPC A has an internal ELB that routes to my application. VPC B has resources that need access to this application. The VPCs are peered, with routing tables having routes that point to each others' main CIDR block.

Currently, I can access the ELB from instances in the same VPC A, but not yet from those in VPC B.

How do I set up DNS and routing so that the resources in VPC B can resolve and access this ELB?

Best Answer

You could directly use the DNS name of the internal load balancer.

The nodes of an internal load balancer have only private IP addresses. The DNS name of an internal load balancer is publicly resolvable to the private IP addresses of the nodes. Therefore, internal load balancers can only route requests from clients with access to the VPC for the load balancer.

You could also create a CNAME record in Route53 (or other DNS service) if you'd like to name it something different.

If the routes are correct for your VPC peer, your application (VPC B) will be able to resolve and reach the application in VPC A.

Make sure you add entries in the Internal Load Balancers Security Group(s) to allow traffic from VPC B

References

Internal Load Balancers
VPC Peering Security Groups

Related Solutions

VPN Connections with Same CIDR – How to Make VPN Connections to Different Networks with the Same CIDR

The "right" solution is to change the CIDR block of your VPC to prevent such an overlap. Since this is not a simple task, as currently, you need to start copies of your instances in the newly created VPC, you can consider using the following hack:

Define your VPN device as a Dynamic NAT, that will translate a non-overlapping IP address to the real private IP of your VPC, while providing a local DNS for the servers in the VPC with the above set of non-overlapping IPs.

To be more specific you will have the following components on the client network, assuming that you have some sort of VPN device there:

VPC-facing router has an IP address route for say 192.168.3.0/24 pointing to VPC
Customer implements an internal DNS server that implements DNS A records of the type: customer-A-record.customerdomain.com -> 192.168.3.x
Users on premise (home network) access VPC resources using DNS names (NOT IP addresses); so when an internal network user is trying to SSH or HTTP into a VPC host, they do so against the DNS name (NOT the IP address): customer-A-record.customerdomain.com
Internal DNS server resolves the DNS name to an 192.168.3.x/24 IP address
Internal router/layer-3 switch routing tables have a routing table entry for 192.168.3.x/24 pointing to the VPC customer gateway (which is the VPN gateway on the client network terminating the VPN connection to VPC)
The Customer VPN gateway receives a packet going to 192.168.3.x/24; it has a static destination NAT DNAT entry to translate 192.168.3.x-> 192.168.0.x
The Customer VPN gateway ensures that the source IP is translated as well to ensure that there is a non-overlapping return IP address, so besides DNAT it all does source NAT SNAT: 192.168.0.x->192.168.3.x (may be a different source IP subnet – it’s more efficient to use the same for both SNAT & DNAT)
The customer VPN gateway now forwards a packet on it’s IPSec tunnel/interface which has (Source-IP, Destination-IP)=(192.168.3.x,192.168.0.x) which poses on conflicts on the destination network (VPC)
The VPC hosts receives a non-conflicting packet, does what it’s supposed to do with it and sends a response packet of the form (Source-IP, Destination-IP)=(192.168.0.x,192.168.3.x) across the VPN tunnel to client network
The Customer VPN gateway on client network does both DNAT/SNAT and ends up with another non-conflicting response of the form (Source-IP, Destination-IP)=(192.168.3.x,192.168.0.x), which it then forwards to its local (home) network on 192.168.0.0/24.

How to get the VPC CIDR range from within an AWS Instance

You can get the VPC CIDR block by doing e.g.

$ metadata="http://169.254.169.254/latest/meta-data"
$ mac=$(curl -s $metadata/network/interfaces/macs/ | head -n1 | tr -d '/')
$ cidr=$(curl -s $metadata/network/interfaces/macs/$mac/vpc-ipv4-cidr-block/)

Best Answer

Related Solutions

VPN Connections with Same CIDR – How to Make VPN Connections to Different Networks with the Same CIDR

How to get the VPC CIDR range from within an AWS Instance

Related Topic