
My goal is to create an EC2 instance in a private subnet on a VPC that I will be able to ping from external internet.

So far, I have:

  1. created an elastic IP
  2. created a VPC with one public subnet and one private subnet
  3. created a NAT Gateway on the public subnet and set its public IP to the elastic IP
  4. created an EC2 instance in the VPC on the private subnet
  5. created a security group for the EC2 instance which allows all ICMP traffic

When I try to ping the elastic IP address, the pings time out.

What do I need to be able to do to ping the EC2 instance on the private subnet?

Petar Ivcec
  • _WHY_ do you want to be able to ping the instance? Surely you aren't going to all this effort just to do a Ping. What is your _actual_ goal? – John Rotenstein Apr 15 '19 at 01:05
  • The ping is just to prove that I am able to connect to the instance from the outside world. Once I am able to do that, then I want to restrict incoming traffic to an API Gateway. – Petar Ivcec Apr 15 '19 at 01:07
  • Ping is a very poor way to test connectivity. It is better to test _actual_ traffic on normal ports. Anyway, as mentioned below, you won't be able to reach the instance from the Internet. – John Rotenstein Apr 15 '19 at 01:08

2 Answers

Your Amazon EC2 instance is in a private subnet. Therefore, it cannot be reached from the Internet. This is good! That is why private subnets exist.

Therefore, you correctly cannot ping the private instance from the Internet.

In fact, when you ping the Elastic IP address associated with the NAT Gateway, you are actually pinging the NAT Gateway, not the instance. The NAT Gateway is either rejecting the requests and/or has a security group that does not permit inbound ICMP requests.

The NAT Gateway allows outbound communication from resources in a private subnet to the Internet. It does not forward inbound requests. This is per design.

John Rotenstein
  • Ok, thanks. Do you happen to have any suggestions for a good way to secure that only authenticated API Gateway traffic is able to reach an instance on a VPC? – Petar Ivcec Apr 15 '19 at 01:23
  • I'm not familiar enough with API Gateway to recommend how to do that. It's probably worth asking as a Question, either here or on ServerFault. – John Rotenstein Apr 15 '19 at 02:48
  • This seems to be on the right topic: [Set up API Gateway Private Integrations - Amazon API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-private-integration.html) – John Rotenstein Apr 15 '19 at 02:58
  • Also: [Can I specify HTTP endpoint in a VPC as resource in AWS API Gateway?](https://stackoverflow.com/a/32678649/174777) – John Rotenstein Apr 15 '19 at 05:35

Actually I think the right thing you need to do is connect the public and private subnets through a Route Table.

| Destination | Target         |
|-------------|----------------|
| 10.0.0.0/16 | local          |
| 0.0.0.0/0   | nat-gateway-id |

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html

tim
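Both answers come down to what the private subnet's route table says about 0.0.0.0/0: a default route to an Internet Gateway makes a subnet public (reachable inbound), a default route to a NAT Gateway makes it private (outbound only, so no security group rule will let the ping in), and no default route at all leaves it isolated. The following script is an added example, not code from this thread or from AWS; it audits which subnets are Internet-reachable from data shaped like `aws ec2 describe-route-tables` output. Every route table ID, subnet ID, gateway ID and CIDR in it is constructed for the example, and the `isolated` class goes one step beyond the two cases discussed above.

```python
"""Audit which subnets in a VPC are reachable from the Internet.

Added example, not code from the Stack Overflow thread or from AWS. The
dictionaries below mimic the shape of `aws ec2 describe-route-tables`
output, but every ID and CIDR is constructed for the example; feed it the
parsed JSON of a real CLI call to audit a live VPC.
"""
from typing import Dict, List, Optional

# Constructed sample: one route table per subnet in a 10.0.0.0/16 VPC.
# The public subnet's default route goes to an Internet Gateway, the private
# subnet's default route goes to a NAT Gateway (outbound only), and a third
# subnet has no default route at all.
ROUTE_TABLES: List[Dict] = [
    {
        "RouteTableId": "rtb-public-EXAMPLE",
        "Associations": [{"SubnetId": "subnet-public-EXAMPLE"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"},
        ],
    },
    {
        "RouteTableId": "rtb-private-EXAMPLE",
        "Associations": [{"SubnetId": "subnet-private-EXAMPLE"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"},
        ],
    },
    {
        "RouteTableId": "rtb-main-EXAMPLE",
        "Associations": [{"Main": True}, {"SubnetId": "subnet-isolated-EXAMPLE"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        ],
    },
]

# Fields in which a route's target can appear (the ones relevant here).
TARGET_KEYS = ("GatewayId", "NatGatewayId", "InstanceId", "NetworkInterfaceId")


def default_route_target(route_table: Dict) -> Optional[str]:
    """Return the target of the 0.0.0.0/0 route, or None if the table has none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        for key in TARGET_KEYS:
            if key in route:
                return route[key]
    return None


def classify(route_table: Dict) -> str:
    """public:   inbound and outbound via an Internet Gateway.
    private:  outbound only, via a NAT Gateway (or another VPC-internal hop).
    isolated: no default route; no Internet access in either direction."""
    target = default_route_target(route_table)
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    return "private"


def audit(route_tables: List[Dict]) -> Dict[str, str]:
    """Map every explicitly associated subnet to its exposure class."""
    result: Dict[str, str] = {}
    for table in route_tables:
        exposure = classify(table)
        for assoc in table.get("Associations", []):
            subnet = assoc.get("SubnetId")
            if subnet:  # the "Main" association carries no SubnetId; skip it
                result[subnet] = exposure
    return result


def internet_reachable(subnet_id: str, route_tables: List[Dict]) -> bool:
    """True only for public subnets. A permissive security group on an
    instance in a private subnet does not make it reachable, because the
    NAT Gateway never forwards unsolicited inbound traffic."""
    return audit(route_tables).get(subnet_id) == "public"


if __name__ == "__main__":
    for subnet, exposure in audit(ROUTE_TABLES).items():
        print(f"{subnet}: {exposure}")
```

Run against real output (`aws ec2 describe-route-tables --filters Name=vpc-id,Values=<your-vpc>` piped through `json.load`, using the `RouteTables` list) and any subnet that comes back `public` is the only place an Internet-facing ping or HTTP probe can land; everything classified `private` is what the accepted answer describes, reachable only through something inside the VPC such as an API Gateway private integration.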