Nat – AWS Private subnet not redirected to NAT Instance

Tags: amazon-web-services, nat, private, routing, subnet

AWS is not setting up the default gateway properly for an instance in a private subnet.

NAT address:

ec2din i-ef7f8a3a|grep PRIVATEIPADDRESS
PRIVATEIPADDRESS    172.16.0.31

ROUTING TABLE configuration:

ec2drtb rtb-7c9f3618
ROUTETABLE  rtb-7c9f3618    vpc-43da3455
ROUTE   local       active  172.16.0.0/16           CreateRouteTable
ROUTE       i-ef7f8a3a  active  0.0.0.0/0   eni-4055320a        CreateRoute
ASSOCIATION rtbassoc-cc1764a8   main
ASSOCIATION rtbassoc-51b7c435   subnet-c92429be

PRIVATE SUBNET configuration:

ec2dsubnet subnet-c92429be
SUBNET  subnet-c92429be available   vpc-43da3455    172.16.1.0/24   250 us-east-1a  false   false
TAG subnet  subnet-c92429be

As you can see, I configured instance i-ef7f8a3a as the NAT and set it in the routing table as the default gateway for all traffic.

When I log in to my machine started in the private subnet (172.16.1.220) and check the routing table, it does not show the default gateway as the IP of my NAT instance; instead, it points at the default router:

ip r
default via 172.16.1.1 dev eth0 
default via 172.16.1.1 dev eth0  metric 1024 
172.16.1.0/24 dev eth0  proto kernel  scope link  src 172.16.1.220 
172.16.1.1 dev eth0  scope link  metric 1024

The default route on the NAT is set to 172.16.0.1, not to the igw, so I thought all the magic is done on the AWS router and it will redirect to my NAT anyway, so I started testing.

I try to ping an outside IP and start tcpdump on my NAT instance, but I don't see any incoming packets from my private subnet:

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
20 packets transmitted, 0 received, 100% packet loss, time 19150ms

tcpdump -n host 8.8.8.8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

Both instances can "see" each other; I can ssh in both directions. But when I try to set up a default route with my NAT as the gateway, I get:

ip r add default via 172.16.0.31
RTNETLINK answers: Network is unreachable

Did I miss something? How should the route table look on an instance in a private subnet? Should my NAT IP be there, or the default?

Best Answer

Leave the IP stack on the instances alone. The default gateway it picks up from DHCP is correct, and routing to the NAT instance is done by the VPC infrastructure.

The security group on your NAT instance needs to be configured to accept all traffic from 172.16.0.0/16 (you can make it more restrictive if needed, but you first need to get it working).

You also need to disable the source/destination check on the NAT instance.
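The two AWS-side settings the answer calls for (disable the source/destination check, open the NAT instance's security group to the VPC CIDR), expressed as AWS CLI calls, plus an offline check over the route-table dump format the question pasted. This is an added example, not code from the question or the answer; it uses the current AWS CLI rather than the ec2-api-tools (ec2din, ec2drtb) the question uses, takes the instance, route table, subnet and CIDR identifiers from the question, and assumes a placeholder security group id `sg-0123456789abcdef0` for the NAT instance.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Identifiers below are taken from the question; NAT_SG is a placeholder for the
# NAT instance's security group id. Applying the commands needs the AWS CLI with
# credentials for the VPC's account; the check functions run offline.

NAT_INSTANCE="i-ef7f8a3a"
ROUTE_TABLE="rtb-7c9f3618"
PRIVATE_SUBNET="subnet-c92429be"
VPC_CIDR="172.16.0.0/16"
NAT_SG="sg-0123456789abcdef0"   # placeholder, not from the question

# Emit the two changes the answer asks for. Review the output, then pipe it to sh.
#   1. turn off source/destination checking, or EC2 drops packets the NAT
#      instance forwards on behalf of 172.16.1.0/24
#   2. let the whole VPC CIDR in; tighten to the private subnet(s) and the
#      needed ports once forwarding works, as the answer suggests
nat_fix_commands() {
  cat <<EOF
aws ec2 modify-instance-attribute --instance-id $NAT_INSTANCE --no-source-dest-check
aws ec2 authorize-security-group-ingress --group-id $NAT_SG --ip-permissions "IpProtocol=-1,IpRanges=[{CidrIp=$VPC_CIDR}]"
EOF
}

# Print the target of the 0.0.0.0/0 route from an ec2-describe-route-tables dump
# (the format shown in the question) read from stdin. Fields are whitespace
# separated: ROUTE <target> <state> <cidr> ...
default_route_target() {
  awk '$1 == "ROUTE" && $4 == "0.0.0.0/0" { print $2; exit }'
}

# True only if the route table sends default traffic to our NAT instance.
route_table_points_at_nat() {
  target=$(printf '%s\n' "$1" | default_route_target)
  [ "$target" = "$NAT_INSTANCE" ]
}

# Takes the output of
#   aws ec2 describe-instance-attribute --instance-id $NAT_INSTANCE \
#       --attribute sourceDestCheck --query SourceDestCheck.Value --output text
# which prints True or False; succeeds only when the check is disabled.
source_dest_check_disabled() {
  [ "$1" = "False" ]
}

# Constructed sample: the route table dump from the question, tabs replaced by spaces.
SAMPLE_RTB='ROUTETABLE  rtb-7c9f3618    vpc-43da3455
ROUTE   local       active  172.16.0.0/16           CreateRouteTable
ROUTE   i-ef7f8a3a  active  0.0.0.0/0   eni-4055320a        CreateRoute
ASSOCIATION rtbassoc-cc1764a8   main
ASSOCIATION rtbassoc-51b7c435   subnet-c92429be'

# Usage: sh nat-fix.sh --show   (prints the commands and checks the sample dump)
if [ "${1:-}" = "--show" ]; then
  nat_fix_commands
  if route_table_points_at_nat "$SAMPLE_RTB"; then
    echo "# route table $ROUTE_TABLE already sends 0.0.0.0/0 to $NAT_INSTANCE"
  else
    echo "# route table $ROUTE_TABLE does not send 0.0.0.0/0 to $NAT_INSTANCE"
  fi
fi
```

In the question's dump the default route already targets the NAT instance and the private subnet is already associated, so the route table needs no change; what is missing is on the instance side. The guest route table on 172.16.1.220 is correct as DHCP left it (default via 172.16.1.1), because the VPC router, not the guest, steers 0.0.0.0/0 to the NAT instance's ENI. One more caveat for a NAT instance built from a stock AMI rather than Amazon's NAT AMI: the instance itself must have `net.ipv4.ip_forward=1` and an iptables MASQUERADE rule on its outbound interface, otherwise packets arrive (and show up in tcpdump) but are never forwarded.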