
We all know that there are reserved IP ranges (CIDR blocks) within the entire IPv4 address pool of 2^32 addresses (0.0.0.0 to 255.255.255.255), and that those ranges are 10.0.0.0/8 (10.0.0.0 - 10.255.255.255), 172.16.0.0/12 (172.16.0.0 - 172.31.255.255) and 192.168.0.0/16 (192.168.0.0 - 192.168.255.255).

So if any organization were to set up its LAN (intranet), it can only use one of the above three.

But when it comes to AWS or any cloud provider, it seems they allow you to create a VPC using a public IPv4 CIDR range, which means any instance created in a private/public subnet in that VPC can default to a private IP address that is actually a publicly routable address outside of the reserved private pool above.

As stated under https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html: "We refer to private IP addresses as the IP addresses that are within the IPv4 CIDR range of the VPC. Most VPC IP address ranges fall within the private (non-publicly routable) IP address ranges specified in RFC 1918; however, you can use publicly routable CIDR blocks for your VPC. Regardless of the IP address range of your VPC, we do not support direct access to the Internet from your VPC's CIDR block, including a publicly-routable CIDR block." So my question is: how does AWS do this? I know DHCP/routing etc. have their own mechanisms, but how is it allowed to even choose a global public IPv4 address (from the WAN address pool) as a private address inside its VPC? How does IETF/IANA allow that? Also, if I were to set up my private home network, why can't I then choose those public IPv4 address ranges for my LAN as opposed to 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16?

I do understand that choosing public IPs has its own risks, since if they conflict with actual ones on the internet I won't be able to browse those public sites from my private network. But then how does AWS manage this? Is it that it gives it the acronym of private IP, and so if the same corresponding public IP is hit it will still resolve it as public and render you the site (I mean directly hitting the site's public IP), or will it not see that it's my own private IP and resolve it through its own private DNS?

Ashley
  • This seems like an obscure use case. Are you asking how the Internet Gateway assigns or translates public/elastic IP addresses to instances? – James Shapiro Jun 11 '20 at 14:36
  • I am asking that, say, some global public IP, say google.com 172.217.9.36, is assigned as a private IP to an EC2 in AWS. If you hit that in the VPC, will it resolve to google.com, which it does from my public/private network, or will AWS try to resolve it to its internal private DNS? – Ashley Jun 11 '20 at 15:05
  • My understanding is that you can only add public IPs to VPC that you actually own (i.e. in your example if Google had an AWS account then they would be the only company in the world that would be allowed to add that IP and you as an individual would not be able to do so). But I'm not 100% sure about that. – James Shapiro Jun 11 '20 at 15:11
  • I totally understand that, but then as per the AWS doc you can choose any IP CIDR for your VPC, even outside of the globally reserved pool for private networking. – Ashley Jun 11 '20 at 17:20
  • As stated under https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html "We refer to private IP addresses as the IP addresses that are within the IPv4 CIDR range of the VPC. Most VPC IP address ranges fall within the private (non-publicly routable) IP address ranges specified in RFC 1918; however, you can use publicly routable CIDR blocks for your VPC. Regardless of the IP address range of your VPC, we do not support direct access to the Internet from your VPC's CIDR block, including a publicly-routable CIDR block" – Ashley Jun 11 '20 at 17:20
  • So in this case, if I were to use google.com's public IP as a private IP for my EC2, how would that resolve? Will hitting that IP then resolve to that EC2 or to the actual google.com from my private AWS VPC networking? – Ashley Jun 11 '20 at 17:22
  • Why not try this out as an experiment and see what happens? Basic VPC creation is easy. It should only take you a few minutes. You can also post the results as an answer to your own question. – James Shapiro Jun 12 '20 at 03:38
  • It's the same thing as if you took a public IP block you don't own and assign it within your private LAN. Within your LAN you can control everything, and so you can route 8.8.8.8 however you want. But the rest of the world won't be cooperating with you. – Angelo Jun 21 '22 at 05:11

2 Answers


In case you choose a global public IPv4 address (outside of the reserved pool) as your EC2 private address, the route table for the subnet where the EC2 resides will decide how to resolve it, and in that case the order of precedence would be however the route tables are set up. So usually it's like: Destination (your VPC CIDR), Target: local

So the moment you hit that private IP from your network, the route table will see it's a local VPC IP and resolve it to that EC2's private DNS, so you won't be able to resolve that to the actual global IP.

Ashley
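The behaviour described in the question and in this answer, as an added illustration that is not part of the original post or AWS's own code: a subnet route table is evaluated by longest-prefix match, so a destination inside the VPC CIDR always hits the automatic "local" route before any default route to an internet gateway. The VPC CIDR 172.217.0.0/16, the route table and the gateway id are constructed for the example; they are not real resources.

```python
import ipaddress

# RFC 1918 private ranges named in the question.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if the address lies inside one of the RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


# Constructed subnet route table for a hypothetical VPC that uses a publicly
# routable CIDR. AWS installs the "local" route for the VPC CIDR itself; the
# default route to an internet gateway is what an operator adds for a public
# subnet. "igw-EXAMPLE" is a placeholder, not a real gateway id.
VPC_CIDR = "172.217.0.0/16"   # contains 172.217.9.36, the google.com address from the question
ROUTE_TABLE = [
    (VPC_CIDR, "local"),
    ("0.0.0.0/0", "igw-EXAMPLE"),
]


def lookup(dest: str, routes=ROUTE_TABLE) -> str:
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    if best is None:
        raise LookupError(f"no route for {dest}")
    return best[1]


def explain(dest: str) -> str:
    """Describe where traffic to dest ends up from inside the VPC."""
    target = lookup(dest)
    if target == "local":
        return f"{dest} is inside {VPC_CIDR}: delivered to the instance, the real internet host is unreachable"
    return f"{dest} leaves the VPC via {target}"


if __name__ == "__main__":
    for d in ("172.217.9.36", "8.8.8.8"):
        print(explain(d), "| RFC 1918:", is_rfc1918(d))
```

Run as a script it shows that 172.217.9.36 never leaves the VPC while 8.8.8.8 still goes out through the gateway; the same shadowing happens on a home LAN that reuses public space, which is why RFC 1918 space is the safe choice.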

I know the question is getting dated but...

As the docs say, AWS won't advertise these routes (unlike BYOIP, where they do advertise those routes), so AWS can't route to them.

The VPC FAQ explains you have to route to them over a site-to-site VPN or Direct Connect.

So you'll have to advertise these CIDRs from your Data center, and do the routing to these over the VPN to the VPC.

I don't know if a NAT gateway would work or not for outgoing.

rktinker