So I have 2 different VPCs in the same account.

In the first VPC (A), I have an instance which is a part of a private subnet, and all the data is routed to a NAT gateway (Working on previous configurations).

Currently I am trying to access an instance (telnet/ping/anything) in the other VPC (B) from this instance.

I setup VPC peering and changed the main route tables of both the VPCs to target the peering connection. (Did not work)

Then I tried changing the route table of the private subnet to directly route to the peering Connection. (Did not work)

There are many security groups in play; however, when I changed the SG on the instance in B to accept all connections, I was able to connect from my local PC but still not from the instance in A. So I don't think the SG is an issue. I thought it might be the routing tables but was unable to find the cause.

When I traceroute from the instance in A, it goes to the NAT gateway private IP, and then to some AWS instance (OWNED BY AWS, NOT ME) and then gets lost.

Where can the connection be possibly wrong?

John Rotenstein

2 Answers

It is difficult to debug the situation from what you have described.

So, instead, I have tried to recreate your situation and have documented all the steps I took. Please follow these steps to create two more VPCs so that you feel comfortable with the fact that it actually can work.

Then, once you have it working, you can compare this configuration with your existing configuration to figure out what might be wrong with your current VPC configuration.

Here's what I did. Follow along!

  • Created VPC-A with the VPC Wizard ("VPC with a Single Public Subnet") and a CIDR of 10.0.0.0/16 and a public subnet of 10.0.0.0/24
  • Manually created VPC-B with a CIDR of 10.5.0.0/16 and a private subnet 10.5.0.0/24
  • Launched EC2 Instance-A in VPC-A (publicly accessible, with a Security Group permitting SSH access from 0.0.0.0/0)
  • Launched EC2 Instance-B in VPC-B (in the private subnet, with a Security Group permitting SSH access from 0.0.0.0/0)
  • Created a VPC Peering connection from VPC-A to VPC-B
  • Accepted the Peering connection
  • Added a route to the main Route Table for VPC-A with destination of 10.5.0.0/16 (the range of VPC-B), pointing to the peering connection
  • Added a route to the main Route Table for VPC-B with destination of 10.0.0.0/16 (the range of VPC-A), pointing to the peering connection
  • Logged into Instance-A via SSH
  • From Instance-A, connected via SSH to the private IP address of Instance-B

I had to first paste my private key into a PEM file on Instance-A, use chmod to set permissions, then use:

ssh -i keypair.pem ec2-user@10.5.0.15

I used the private IP address of Instance-B (10.5.0.15). This was randomly assigned, so it would be slightly different when you try this yourself.

And the result was... I successfully connected via SSH from Instance-A in VPC-A to Instance-B in VPC-B via the Peering connection (as proven by the fact that I connected via a Private IP address and the fact that VPC-B has no Internet Gateway).

So, if you follow along with the above steps and get it working, you'll then be able to compare your existing setup and figure out what's different!

John Rotenstein
  • Comment: Thanks a lot. The issue was that I changed the main routing tables but I was supposed to change the subnet's own routing table. This explanation helped debug! – Aug 10 '18 at 06:27
I followed all the steps mentioned above and went through all the AWS documentation. When I added a route in the subnet route table (of VPC A) with the CIDR of the peered VPC (VPC B) pointing to the peering connection, it worked.

In my case VPC B (the peered VPC) has a CIDR of 172.31.0.0/16

[Image: Route for peering connection]

Benjamin Heinke
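Both answers come down to the same AWS routing rule: a subnet uses the route table it is explicitly associated with, and only falls back to the VPC's main route table when it has no association; within that table the VPC router does longest-prefix match. The following Python model is an added example (not code from either answer, and not an AWS API) that reproduces the asker's situation with constructed VPC, subnet, route-table and peering ids (vpc-a, subnet-a-private, rtb-a-private, pcx-0example, nat-0example and the others are placeholders). It shows that, with the peering route added only to the main table, traffic from the private subnet to 10.5.0.15 still resolves to the NAT gateway, which is exactly the traceroute the question describes, and that the subnet's own table must carry the route, in both directions, before the peering works.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    destination: str  # CIDR block
    target: str       # "local", "igw-...", "nat-...", "pcx-..."


@dataclass
class RouteTable:
    rtb_id: str
    routes: list
    main: bool = False
    subnet_ids: set = field(default_factory=set)  # explicit subnet associations


@dataclass
class Vpc:
    vpc_id: str
    cidr: str
    route_tables: list


def effective_route_table(vpc, subnet_id):
    """A subnet uses its explicitly associated table; otherwise the VPC's main table."""
    for rtb in vpc.route_tables:
        if subnet_id in rtb.subnet_ids:
            return rtb
    for rtb in vpc.route_tables:
        if rtb.main:
            return rtb
    raise ValueError(f"{vpc.vpc_id} has no main route table")


def lookup_target(vpc, subnet_id, dst_ip):
    """Longest-prefix match over the subnet's effective table, as the VPC router does.
    Returns (route table id, target) so the caller can see which table was consulted."""
    rtb = effective_route_table(vpc, subnet_id)
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for r in rtb.routes:
        net = ipaddress.ip_network(r.destination)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    return rtb.rtb_id, (best[1].target if best else None)


def peering_check(vpc_a, subnet_a, ip_b, vpc_b, subnet_b, ip_a, pcx_id):
    """Peering only works when BOTH directions resolve to the peering connection;
    a one-sided route means the reply is sent elsewhere and the connection hangs."""
    _, fwd = lookup_target(vpc_a, subnet_a, ip_b)
    _, back = lookup_target(vpc_b, subnet_b, ip_a)
    return fwd == pcx_id and back == pcx_id


PCX = "pcx-0example"  # constructed peering connection id


def build_scenario(route_in_subnet_table):
    """Constructed copy of the question: VPC-A has a main table (used by nobody relevant)
    and a private-subnet table whose default route goes to a NAT gateway."""
    main_a = RouteTable("rtb-a-main", [
        Route("10.0.0.0/16", "local"),
        Route("0.0.0.0/0", "igw-0example"),
        Route("10.5.0.0/16", PCX),          # the asker's first attempt: main table only
    ], main=True)
    private_a = RouteTable("rtb-a-private", [
        Route("10.0.0.0/16", "local"),
        Route("0.0.0.0/0", "nat-0example"), # why traceroute reached the NAT gateway
    ], subnet_ids={"subnet-a-private"})
    if route_in_subnet_table:
        private_a.routes.append(Route("10.5.0.0/16", PCX))  # the fix from both answers
    vpc_a = Vpc("vpc-a", "10.0.0.0/16", [main_a, private_a])

    main_b = RouteTable("rtb-b-main", [
        Route("10.5.0.0/16", "local"),
        Route("10.0.0.0/16", PCX),
    ], main=True)
    vpc_b = Vpc("vpc-b", "10.5.0.0/16", [main_b])  # VPC-B's subnet has no explicit table
    return vpc_a, vpc_b


def diagnose(route_in_subnet_table):
    """Returns (table consulted for Instance-A's subnet, target chosen, peering OK both ways)."""
    vpc_a, vpc_b = build_scenario(route_in_subnet_table)
    rtb, target = lookup_target(vpc_a, "subnet-a-private", "10.5.0.15")
    ok = peering_check(vpc_a, "subnet-a-private", "10.5.0.15",
                       vpc_b, "subnet-b-private", "10.0.0.23", PCX)
    return rtb, target, ok


if __name__ == "__main__":
    print("main table only  :", diagnose(False))  # ('rtb-a-private', 'nat-0example', False)
    print("subnet table fixed:", diagnose(True))  # ('rtb-a-private', 'pcx-0example', True)
```

Run it directly to see both states; the practical check to keep is `peering_check`, since a route on only one side of the peering (a common follow-up mistake) leaves return traffic following the other VPC's default route.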