AWS Classroom Series – 11/Jul/2020

Route table forwarding packets to internet gateway

  • We want the router to forward packets to the internet gateway when the destination is outside the VPC CIDR range.

  • Before we do this, let's examine the routes already present in the route table.

  • The only entry is the local route: any destination inside the VPC CIDR range is sent to local. Every route table gets this route by default when it is created, and it cannot be deleted.

  • When we write routes in route tables (and rules in security groups or network ACLs) we express them in terms of CIDR ranges, i.e. network prefixes, not individual machine names. When more than one route matches a destination, the route with the longest (most specific) prefix wins.

  • So let's add a route that sends any packet not covered by the local range to the internet gateway: destination 0.0.0.0/0, target the IGW. Because the local route has the longer prefix, traffic inside the VPC still stays local.

  • An internet gateway gives us bidirectional connectivity: machines in a VPC subnet can reach the internet, and machines on the internet can reach machines in the subnet (provided the instance has a public or Elastic IP and its security group and network ACL allow the traffic).

  • Doing this exposes all of our applications, databases, etc. to the open internet, so it is not a good idea to connect all subnets to the internet gateway. This is where the concept of public and private subnets comes in.

  • A public subnet is associated with a route table that has a route to the internet gateway. A private subnet is associated with a route table that has no route to the internet gateway.

  • So let's make subnet1 and subnet2 public, and subnet3 and subnet4 private.

  • Let's create a new route table, call it private, and associate subnet3 and subnet4 with it. The route table with the IGW route stays associated with subnet1 and subnet2. Note that any subnet without an explicit association uses the VPC's main route table, so if the IGW route was added to the main table, every new subnet will be public by default; keeping the main table private and associating public subnets explicitly avoids that surprise.

  • To test this VPC, let's create two VMs (EC2 instances), one in subnet1 and one in subnet3, and try to log in to them from our laptops.

  • When creating an EC2 instance, Amazon offers an option to auto-assign a public IP. For these two instances let's assign public IPs and check connectivity from our laptops.

  • Now that both machines are running, let's look at the overview.

  • Let's SSH into the machine in the public subnet. The login succeeds because the subnet's route table has a route to the IGW.

  • Now let's SSH into the machine in the private subnet. Even though this instance has a public IP, it is not reachable, because its route table has no route to the IGW; without that route there is no path between the gateway and the subnet in either direction.

  • Now let's connect to the private-subnet machine from the public-subnet machine. The public instance can reach the private instance using its private IP (over the local route), not its public IP.

  • Whenever we need to connect to a machine in a private subnet, we go through a machine in the public subnet. This machine is referred to as a bastion host.

  • Let's log in to the machine in the private subnet via the machine in the public subnet.

    • For this, copy the PEM file to the machine in the public subnet; you can use the scp command. Be aware that a private key left on the bastion is exposed if the bastion is ever compromised; in practice, prefer OpenSSH's ProxyJump option (-J) or agent forwarding, which tunnel through the bastion without placing the key on it.
    • Now use the ssh command to log in to the private subnet's EC2 instance: ssh -i <path to pem> ec2-user@<privateipaddress>
    • Now let's check whether the machine in the private subnet can access the internet. It cannot.
  • In some cases we want servers in the private subnet to access the internet (for package updates, for example) without being reachable from the internet.

  • How do we solve this?

    • Wait for the next session.
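The connectivity tests above all follow from how a route table picks a route (longest prefix match) and from the fact that traffic through an internet gateway needs a working return path. The following is an added example, not code from the class notes: a small offline model of the two route tables and the two instances, with the VPC range 10.0.0.0/16, the instance addresses, the IGW id and the laptop address all constructed for illustration. It ignores security groups and network ACLs, which must additionally permit the traffic in a real VPC.

```python
"""Offline model of VPC route-table forwarding (added example, not AWS code).
All addresses and ids below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

VPC_CIDR = "10.0.0.0/16"     # constructed VPC range
LAPTOP_IP = "203.0.113.10"   # constructed "your laptop" address on the internet
INTERNET_IP = "198.51.100.1" # constructed address used to test internet egress


@dataclass
class RouteTable:
    name: str
    routes: Dict[str, str]  # destination CIDR -> target ("local" or "igw-...")

    def lookup(self, dst_ip: str) -> Optional[str]:
        """Longest-prefix match, as a VPC route table does; None means no route
        covers the destination and the packet is dropped."""
        dst = ipaddress.ip_address(dst_ip)
        best = None
        for cidr, target in self.routes.items():
            net = ipaddress.ip_network(cidr)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None


@dataclass
class Instance:
    name: str
    private_ip: str
    route_table: RouteTable           # the table associated with its subnet
    public_ip: Optional[str] = None   # None when no public IP was assigned


def internet_reachable(inst: Instance) -> bool:
    """A host on the internet reaches inst only if its ENI carries a public IP
    AND the subnet's route table forwards internet-bound traffic to an IGW.
    The second condition is what the private-subnet instance fails."""
    target = inst.route_table.lookup(LAPTOP_IP)
    return inst.public_ip is not None and target is not None and target.startswith("igw-")


def instance_reachable(src: Instance, dst: Instance, via_public_ip: bool = False) -> bool:
    """Can src open a connection to dst?  Over the private IP the packet stays on
    the local route; over the public IP it goes to the IGW, so dst must itself be
    internet-reachable for a return path to exist."""
    dst_ip = dst.public_ip if via_public_ip else dst.private_ip
    if dst_ip is None:
        return False
    target = src.route_table.lookup(dst_ip)
    if target is None:
        return False
    if target == "local":
        # the reply must also stay local, which the VPC-wide local route guarantees
        return dst.route_table.lookup(src.private_ip) == "local"
    return internet_reachable(dst)


def internet_egress(inst: Instance) -> bool:
    """Can inst send a packet to the internet?  With only an IGW available this
    needs both an IGW route and a public IP (a NAT gateway is the later fix)."""
    target = inst.route_table.lookup(INTERNET_IP)
    return inst.public_ip is not None and target is not None and target.startswith("igw-")


# Every table starts with the un-deletable local route; only the public one adds
# the 0.0.0.0/0 route to the (constructed) internet gateway.
public_rt = RouteTable("public", {VPC_CIDR: "local", "0.0.0.0/0": "igw-0abc123"})
private_rt = RouteTable("private", {VPC_CIDR: "local"})

public_ec2 = Instance("subnet1-ec2", "10.0.1.10", public_rt, public_ip="198.51.100.20")
private_ec2 = Instance("subnet3-ec2", "10.0.3.10", private_rt, public_ip="198.51.100.21")


def run_scenarios() -> Dict[str, bool]:
    """The connectivity tests from the notes, as scenario name -> reachable?"""
    return {
        "laptop -> public subnet ec2": internet_reachable(public_ec2),
        "laptop -> private subnet ec2 (has public ip)": internet_reachable(private_ec2),
        "public ec2 -> private ec2 via private ip": instance_reachable(public_ec2, private_ec2),
        "public ec2 -> private ec2 via public ip": instance_reachable(public_ec2, private_ec2, True),
        "private ec2 -> internet": internet_egress(private_ec2),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

Running it prints OK for the first and third scenario and FAIL for the others, which is exactly what the SSH tests showed: the private instance's public IP is useless without an IGW route, and the only working path to it is the local route from the bastion.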

How an EC2 instance is connected to the subnet

  • EC2 instances are connected to a subnet through a network interface known as an Elastic Network Interface (ENI).
  • An ENI lets an EC2 instance (or another AWS resource) attach to a subnet. Private and public IP addresses, the MAC address and the security groups belong to the ENI, not to the instance.
  • One EC2 instance can have multiple ENIs, including several from the same subnet; the maximum number depends on the instance type. A second ENI in the same subnet is only useful if the OS is configured with policy (source-based) routing for it; otherwise replies may leave through the primary interface and the traffic becomes asymmetric.
  • Let's add one more network interface to the public-subnet EC2 instance.
  • Now let's navigate to the EC2 instance and look at its private IP addresses.
