
Here is the example I want to ask about.

The following is a brief sketch of the architecture:

    □          <-------->               □           <---------->            □
    ↓                ↓                  ↓                 ↓                 ↓   

private subnet----- networking(A)----- private subnet ----- networking(C) ------ private subnet

Consider the following conditions:

  • total of 4 subnets: 1 public subnet / 3 private subnets
  • the brief sketch omits the public part and only shows the private subnets
  • I already have 1 load balancer in the internet-facing area in the public subnet
  • I have 3 private subnets in the VPC
  • I want them to send and receive packets between the private subnets

I want to ask you:

According to the above premises, there is already an internet-facing load balancer,

but at this point I want to ask you:

Q. 1 Do I need "additional" load balancers to communicate and build a network between the private subnets?

especially

Q. 2 Do I have to put a load balancer in between the private subnets, which is pointing to the "network A section" or the "network C section"?

Q. 2' Do I need to put a load balancer in the networking A section or the networking C section to build a network with each other? (sending HTTP packets, communicating, building a network)

  • You only need route tables to route traffic between subnets. – Rodrigo Murillo May 29 '21 at 03:25
  • Which means, do I need a route table in each of the intervals between private subnets? – devopssec May 29 '21 at 03:34
  • All subnets in the same VPC can communicate with each other. There is an automatic `local` entry in the Route Tables that enables this (and can't be removed). The only way to block communication between subnets is to use Network ACLs. – John Rotenstein May 29 '21 at 05:52
  • Thank you so much for your explanation! Does the automatic local entry mean the default configuration provided when you create a route table, such as "10.0.0.0/16 local"? And do you mean subnets can communicate because of the automatic local entry in the route table? – devopssec May 29 '21 at 06:09

1 Answer

You don't need a load balancer to facilitate communication between subnets. You need to have routes defined in the route table associated with the subnet. Usually you will see a route similar to 10.0.0.1/16 => local, where 10.0.0.1/16 is the CIDR of the VPC. The local route allows communication within the VPC, so the subnet can communicate with other subnets within the VPC. So all you need is a local route.

A load balancer is used for a completely different reason. An example scenario would be when you have multiple web server instances that serve HTTP web traffic: you can add a load balancer in front of the instances to distribute the traffic between them. You can prevent a single server from getting overloaded by using a load balancer to distribute the load across multiple servers.

Arun Kamalanathan
  • Thank you so much for your detailed explanation! I should have told you something about my route table for the suggested brief architecture. 1. VPC IP range: 10.0.0.0/16. I configured 2 route tables that consist of: 2. public route table configuration - 10.0.0.0/16 local (default) - 0.0.0.0/0 Internet gateway - subnet inclusion: public subnet. 3. private route table configuration - 10.0.0.0/16 local (default) - 0.0.0.0/0 NAT gateway - subnet inclusion: 3 private subnets in the same availability zone. The above 3 factors are what I configured for the pre-settings. – devopssec May 29 '21 at 05:46
  • Your configuration looks good to me. Your subnets should be able to communicate with each other. Is that not the case? – Arun Kamalanathan May 29 '21 at 10:10
  • All subnets inside a VPC will always be able to communicate with each other, regardless of the Route Table to which they are assigned. If you want to limit the communication between networks you should configure a Network Access Control List or NACL. A "private subnet" is a subnet attached to a Route Table whose default route doesn't point to an Internet Gateway. – guzmonne May 29 '21 at 16:29
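As an added illustration of the answer and the comments above (this is example code written for this page, not code from the answerer or from AWS), the following Python model reproduces the two mechanisms the thread describes: the VPC router's longest-prefix lookup, where every intra-VPC destination matches the automatic `local` route, and the stateless, rule-number-ordered Network ACL evaluation that is the subnet-level control able to block that path. The VPC CIDR and the two route tables follow the asker's comment; the per-subnet CIDRs, the gateway ids (`igw-EXAMPLE`, `nat-EXAMPLE`) and the "restricted" NACL are constructed assumptions for the demonstration. The model ignores ports and security groups.

```python
import ipaddress

# Constructed model of the asker's VPC: 10.0.0.0/16 with one public and three
# private subnets. Subnet CIDRs and gateway ids are assumed placeholders.
VPC_CIDR = "10.0.0.0/16"

PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")]
PRIVATE_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-EXAMPLE")]

SUBNETS = {
    "public":    {"cidr": "10.0.0.0/24", "rt": PUBLIC_RT,  "nacl": "open"},
    "private-a": {"cidr": "10.0.1.0/24", "rt": PRIVATE_RT, "nacl": "open"},
    "private-b": {"cidr": "10.0.2.0/24", "rt": PRIVATE_RT, "nacl": "open"},
    "private-c": {"cidr": "10.0.3.0/24", "rt": PRIVATE_RT, "nacl": "restricted"},
}

# Network ACLs: (rule number, action, cidr) per direction. Entries are evaluated
# in ascending rule-number order, the first match wins, and the implicit "*"
# rule denies anything unmatched. Ports are ignored to keep the model small.
NACLS = {
    "open": {
        "inbound":  [(100, "allow", "0.0.0.0/0")],
        "outbound": [(100, "allow", "0.0.0.0/0")],
    },
    "restricted": {
        # constructed: block traffic arriving from private-b, allow everything else
        "inbound":  [(100, "deny", "10.0.2.0/24"), (200, "allow", "0.0.0.0/0")],
        "outbound": [(100, "allow", "0.0.0.0/0")],
    },
}


def host_in(subnet_name):
    """Pick a sample host inside a subnet (index 10 skips the AWS-reserved addresses)."""
    return str(ipaddress.ip_network(SUBNETS[subnet_name]["cidr"])[10])


def route_target(route_table, dst_ip):
    """Longest-prefix match over a route table, as the VPC router does."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def nacl_permits(rules, remote_ip):
    """Stateless NACL evaluation: lowest rule number first, first match wins, default deny."""
    ip = ipaddress.ip_address(remote_ip)
    for _number, action, cidr in sorted(rules):
        if ip in ipaddress.ip_network(cidr):
            return action == "allow"
    return False


def one_way(src_name, dst_name):
    """Can a packet from the src subnet reach the dst subnet? Returns (ok, reason)."""
    src, dst = SUBNETS[src_name], SUBNETS[dst_name]
    src_ip, dst_ip = host_in(src_name), host_in(dst_name)
    # 1. Routing: every intra-VPC destination matches the automatic local route,
    #    so no load balancer and no extra route entry is involved.
    target = route_target(src["rt"], dst_ip)
    if target != "local":
        return False, f"route table sends {dst_ip} to {target}, not local"
    # 2. NACLs are the subnet-level control that can actually block this path:
    #    outbound on the sender's subnet, inbound on the receiver's subnet.
    if not nacl_permits(NACLS[src["nacl"]]["outbound"], dst_ip):
        return False, f"{src_name} outbound NACL denies {dst_ip}"
    if not nacl_permits(NACLS[dst["nacl"]]["inbound"], src_ip):
        return False, f"{dst_name} inbound NACL denies {src_ip}"
    return True, "local route + NACLs permit"


def can_exchange(src_name, dst_name):
    """Request and reply both have to pass, because NACLs are stateless."""
    ok, reason = one_way(src_name, dst_name)
    if not ok:
        return False, "request blocked: " + reason
    ok, reason = one_way(dst_name, src_name)
    if not ok:
        return False, "reply blocked: " + reason
    return True, reason


if __name__ == "__main__":
    for pair in [("private-a", "private-b"), ("private-a", "private-c"),
                 ("private-b", "private-c"), ("private-c", "private-b")]:
        print(pair, can_exchange(*pair))
```

Running it shows that every private-to-private pair routes via `local` with no load balancer in the path, and that the only pair that fails is the one touched by the constructed deny rule. The `private-c` to `private-b` case is the one worth noting: the request leaves and arrives fine, but the reply is dropped by `private-c`'s inbound rule, which is the practical consequence of NACLs being stateless. When you do add a NACL to restrict a private subnet, check both the request and the reply direction, not just one.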