Route table forwarding packets to internet gateway

We want the router to forward packets to the internet gateway when the destination is outside the VPC CIDR range.

Before we do this, let's examine the route table rules (routes).

The table states that when the destination CIDR range is 192.168.0.0/16, the packet is sent to local. This is the default rule for any route table you create.
When we write rules in route tables, security groups, etc., we can put restrictions only on network IDs (CIDR ranges).

So let's add a rule to send any packet whose destination is outside the local range to the internet gateway.

The internet gateway gives us dual connectivity: machines in a VPC subnet can access the internet, and machines on the internet can access machines in the VPC subnet.

Doing this will expose all of our applications, databases, etc. to the open internet, so it is not a good idea to connect all the subnets to the internet gateway. This is where the concept of public and private subnets comes in.

A public subnet is associated with a route table that has a route to the internet gateway. A private subnet is associated with a route table that has no route to the internet gateway.
So let's make subnet1 and subnet2 public, and subnet3 and subnet4 private.

Let's create a new route table and call it private, then associate subnet3 and subnet4 with this new route table.

To test this VPC, let's create two VMs (EC2 instances), one in subnet1 and the other in subnet3, then try to log in to the VMs from our laptops.

When creating EC2 instances, Amazon gives us the option of whether we need a public IP or not. For these two instances let's assign public IP addresses and check the connectivity from our laptops.

Now that both machines are running, let's look at the overview.
Now let's SSH into the public subnet machine (EC2 instance). You should be able to log in to the instance, as there is a route between its route table and the IGW.

Now let's SSH into the private subnet machine. Even though the EC2 instance in the private subnet has a public IP, it will not be reachable, as there is no route to the IGW.

Now let's try to connect to the private subnet machine from the public subnet machine. The public EC2 instance can reach the EC2 instance in the private subnet using its private IP, not its public IP address.
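The reachability rules described above (the default local route, the 0.0.0.0/0 route to the IGW, what makes a subnet public or private, and why the private-subnet instance answers only on its private IP) can be checked with a small Python model of route-table evaluation. This is an added example, not code from the original walkthrough: it assumes longest-prefix matching on destination CIDRs, ignores security groups and network ACLs, and uses constructed addresses from the documentation ranges plus a made-up gateway id `igw-0example`.

```python
"""Model of how VPC route tables decide reachability (added example, not AWS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RouteTable:
    name: str
    # destination CIDR -> target ("local" or an internet-gateway id)
    routes: Dict[str, str]


@dataclass
class Instance:
    name: str
    route_table: RouteTable        # table associated with the instance's subnet
    private_ip: str
    public_ip: Optional[str] = None


def lookup(rt: RouteTable, dst: str) -> Optional[str]:
    """Longest-prefix match over the table; None means there is no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in rt.routes.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else best[1]


def is_public_subnet(rt: RouteTable) -> bool:
    """A subnet is public when its route table has a route to an internet gateway."""
    return any(t.startswith("igw-") for t in rt.routes.values())


def reachable_from_internet(inst: Instance, client_ip: str) -> bool:
    """SSH from a laptop needs a public IP for the IGW to translate AND a route
    back to the IGW for the reply packets; a public IP alone is not enough."""
    if inst.public_ip is None:
        return False
    reply_target = lookup(inst.route_table, client_ip)
    return reply_target is not None and reply_target.startswith("igw-")


def reachable_in_vpc(src: Instance, dst_ip: str, instances: List[Instance]) -> bool:
    """Can src open a connection to dst_ip? Both the forward route (src's table)
    and the return route (destination's table) must exist."""
    target = lookup(src.route_table, dst_ip)
    if target == "local":
        dst = next((i for i in instances if i.private_ip == dst_ip), None)
        return dst is not None and lookup(dst.route_table, src.private_ip) == "local"
    if target is not None and target.startswith("igw-"):
        # Hairpin through the IGW: the packet leaves with src's public IP and the
        # IGW maps dst_ip to the owning instance, whose reply must reach the IGW.
        if src.public_ip is None:
            return False
        dst = next((i for i in instances if i.public_ip == dst_ip), None)
        if dst is None:
            return False
        reply_target = lookup(dst.route_table, src.public_ip)
        return reply_target is not None and reply_target.startswith("igw-")
    return False


def can_reach_internet(inst: Instance, dst_ip: str) -> bool:
    """Outbound to the internet needs an IGW route and a public IP to source from."""
    target = lookup(inst.route_table, dst_ip)
    return inst.public_ip is not None and target is not None and target.startswith("igw-")


# Constructed sample topology mirroring the walkthrough (documentation-range addresses).
PUBLIC_RT = RouteTable("public", {"192.168.0.0/16": "local", "0.0.0.0/0": "igw-0example"})
PRIVATE_RT = RouteTable("private", {"192.168.0.0/16": "local"})
PUBLIC_VM = Instance("subnet1-vm", PUBLIC_RT, "192.168.1.10", "198.51.100.10")
PRIVATE_VM = Instance("subnet3-vm", PRIVATE_RT, "192.168.3.10", "198.51.100.20")
INSTANCES = [PUBLIC_VM, PRIVATE_VM]
LAPTOP = "203.0.113.5"

if __name__ == "__main__":
    print("laptop -> public vm      :", reachable_from_internet(PUBLIC_VM, LAPTOP))
    print("laptop -> private vm     :", reachable_from_internet(PRIVATE_VM, LAPTOP))
    print("public vm -> private ip  :", reachable_in_vpc(PUBLIC_VM, "192.168.3.10", INSTANCES))
    print("public vm -> public ip   :", reachable_in_vpc(PUBLIC_VM, "198.51.100.20", INSTANCES))
    print("private vm -> internet   :", can_reach_internet(PRIVATE_VM, LAPTOP))
```

The model shows why assigning a public IP to the private-subnet instance changes nothing: the IGW can translate inbound packets, but the private route table has no path back to the IGW, so the reply is dropped. The same asymmetry is what makes the hairpin over the public IP fail while the private IP works through the `local` route.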
Whenever we need to connect to a machine in a private subnet, we go through a machine in the public subnet. This machine in the public subnet is referred to as a bastion host.

Let's log in to the machine in the private subnet using the machine in the public subnet.
- For this, ensure you copy the pem file to the machine in the public subnet; you can use the scp command.
- Now let's use the ssh command to log in to the private subnet's EC2 instance:
  `ssh -i <path to pem> ec2-user@<privateipaddress>`
- Now let's see whether the machine in the private subnet can access the internet or not. We are unable to access the internet.

In some cases we want our servers in the private subnet to access the internet, but we don't want our servers to be accessible from the internet.

How do we solve this?
- Wait for one more session.

How an EC2 instance is connected to the subnet
- EC2 instances are connected to the subnet using a network interface known as an Elastic Network Interface (ENI).
- The ENI lets an EC2 instance or other AWS resource connect to a subnet. Private and public IP addresses are assigned to the ENI.
- One EC2 instance can be connected to multiple ENIs from the same subnet.
- Let's add one more network interface to the public subnet EC2 instance.
- Now let's navigate to the EC2 instance and look at its private IP addresses.