I'm testing a scenario where I have two peered VPCs:
- VPC A has a CIDR of 10.0.0.0/16
- VPC B has a CIDR of 172.17.0.0/16
Both VPCs have private and public subnets with the following CIDRs:
- VPC-A-PRIV has a CIDR of 10.0.1.0/24
- VPC-A-PUB has a CIDR of 10.0.101.0/24
- VPC-B-PRIV has a CIDR of 172.17.1.0/24
- VPC-B-PUB has a CIDR of 172.17.101.0/24
I understand that the peering connection route tables tab contains tables that have entries associated with the VPC Peering Connection. One of these tables is associated with the public subnet in VPC A and looks like this:
- 10.0.0.0/16 --> Local
- 0.0.0.0/0 --> igw-id
- 172.17.0.0/16 --> vpc-peering-connection-A-to-B
So to test that this is working, I create an instance in the VPC-A-PUB subnet and another instance in the VPC-B-PUB subnet. I can successfully ping between these instances.
However, if I instead make the VPC-B instance in the VPC-B-PRIV subnet, I cannot ping it from the VPC-A-PUB subnet. This confuses me, because the peering connection route in the table above encompasses the entirety of the VPC B address range (172.17.0.0/16 --> vpc-peering-connection-A-to-B).
If I were to perform this same test of pinging a private instance from a public instance within the same VPC, the test would pass... and I assume the reason it would pass was because the local rule encompasses the entire VPC range (10.0.0.0/16 --> local).
I feel like I'm not understanding something about the relationship between private and public subnets in AWS, specifically around how private subnets receive traffic from foreign networks (whether that be a VPC or the internet).
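As an added illustration (not from the original post), the following Python models per-subnet route tables with longest-prefix matching and checks that a ping needs a usable route in both directions. Only the VPC-A-PUB table is taken from the question; the other three tables and the peering-connection name are assumptions.

```python
import copy
import ipaddress

# Added example, not from the original post. Each subnet has its own route
# table; the VPC-A-PUB table is the one quoted in the question, the others
# are assumptions. Targets: "local", the internet gateway, or the peering link.
PCX = "vpc-peering-connection-A-to-B"  # assumed name
ROUTE_TABLES = {
    "VPC-A-PUB":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-id"),
                   ("172.17.0.0/16", PCX)],
    "VPC-A-PRIV": [("10.0.0.0/16", "local")],                  # assumed
    "VPC-B-PUB":  [("172.17.0.0/16", "local"), ("0.0.0.0/0", "igw-id"),
                   ("10.0.0.0/16", PCX)],                       # assumed
    "VPC-B-PRIV": [("172.17.0.0/16", "local")],                # assumed: no route back to VPC A
}
SUBNETS = {"VPC-A-PRIV": "10.0.1.0/24", "VPC-A-PUB": "10.0.101.0/24",
           "VPC-B-PRIV": "172.17.1.0/24", "VPC-B-PUB": "172.17.101.0/24"}

def subnet_of(ip):
    """Name of the subnet that contains ip (raises if none does)."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in SUBNETS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    raise ValueError(f"{ip} is in no known subnet")

def lookup(tables, subnet, dst_ip):
    """Longest-prefix match in one subnet's route table; None if no route."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in tables[subnet]:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def can_ping(tables, src_ip, dst_ip):
    """True only if the echo request AND the echo reply each have a usable
    route. A route to the IGW cannot reach a private address in the other
    VPC, so only 'local' or the peering connection count as usable."""
    usable = ("local", PCX)
    fwd = lookup(tables, subnet_of(src_ip), dst_ip)
    back = lookup(tables, subnet_of(dst_ip), src_ip)
    return fwd in usable and back in usable

def with_route(tables, subnet, cidr, target):
    """Copy of tables with one extra route appended to the given subnet's table."""
    new = copy.deepcopy(tables)
    new[subnet].append((cidr, target))
    return new
```

Security groups and network ACLs must also permit ICMP in both directions; this model covers routing only.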