
I have created a VPC. Within it I have two subnets, one private and one public, in two different AZs. In these subnets I have one EC2 instance in the private subnet and another in the public subnet. Now what I want is to SSH into the private EC2 instance. So far what I have done is:

  1. On the public instance, I have added a Security Group (public-SG) that permits inbound connections on port 22 (SSH) from anywhere.
  2. On the private instance, I have added a Security Group (Private-SG) that permits inbound connections on port 22 from public-SG.

I am able to SSH into the public EC2 instance, but from that instance I am unable to ping the private EC2 instance.

I have created public and private subnets, and each subnet has a route table associated with it. I am attaching the route table information.

Public route table: (screenshot)

Private route table: (screenshot)

Private EC2 security group details: (screenshot)

Nikhil
  • Ping is a bad debugging tool for this, because the protocol it uses is blocked on AWS by default. Try using `traceroute` or `dig`. In general, make sure you are trying to connect to the private instance via its private IP or private DNS name. – Mark B Nov 11 '21 at 13:07
  • Hey @MarkB. I have tried traceroute as well. Below is the output of traceroute: `[ec2-user@ip-10-0-0-32 ~]$ traceroute 10.0.32.178` / `traceroute to 10.0.32.178 (10.0.32.178), 30 hops max, 60 byte packets` / hops 10 through 30 all show `* * *`. As far as I know I should be able to ping the IP if it is within the same VPC. – Nikhil Nov 11 '21 at 13:14
  • What ingress rules and protocols do you have on the SGs of the private EC2 instance? Do they allow inbound ICMP? – jarmod Nov 11 '21 at 13:29
  • Hi @MarkB. What route do I need to add in my public route table. ? Currently it has a local route and an internet gateway route added. – Nikhil Nov 11 '21 at 15:18
  • How about editing your question to provide more information? – Mark B Nov 11 '21 at 15:25
  • Hi @MarkB, I have added route table information. Let me know if you need more info. – Nikhil Nov 11 '21 at 15:46
  • 1
    Did you try the **Reachability Analyzer** that is shown in your screenshot? In general, your steps seem correct, assuming that the EC2 instance in the public subnet has an "Allow All" Outbound rule and the NACLs have not been changed from their default "Allow All" settings. I agree with @MarkB -- do not use Ping to test network connections. Instead, test the actual connections that you want to use (eg SSH). If both instances are in the same VPC, then Route Tables are not a problem (they can always communicate.) – John Rotenstein Nov 11 '21 at 21:16
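The following Python is an added illustration by the editor, not code from the question or from any of the commenters. It models the security-group decision the comments are talking about: with the two groups configured as the question describes, TCP/22 from the public instance to the private one passes both the source's egress check and the destination's ingress check, while an ICMP echo (what `ping` sends) is dropped at the private instance's ingress because Private-SG only lists TCP/22. The group IDs `sg-public`/`sg-private`, the group attachments, the `with_icmp_echo_allowed` helper and the bastion address `203.0.113.10` are assumptions for the example; the private IPs are the ones visible in the traceroute above. NACLs and route tables are deliberately out of scope, as the last comment notes that routing is not the issue inside one VPC.

```python
import copy
import ipaddress

# Constructed data in the shape of `aws ec2 describe-security-groups` output,
# trimmed to the fields needed here. Group IDs are made up for the example.
SECURITY_GROUPS = {
    "sg-public": {  # public-SG in the question
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
        "IpPermissionsEgress": [  # AWS default "allow all" outbound rule
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "UserIdGroupPairs": []},
        ],
    },
    "sg-private": {  # Private-SG in the question: TCP/22 from public-SG only
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-public"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "UserIdGroupPairs": []},
        ],
    },
}

# Private IPs from the poster's traceroute; group attachments are assumed.
INSTANCES = {
    "public":  {"PrivateIp": "10.0.0.32",   "Groups": ["sg-public"]},
    "private": {"PrivateIp": "10.0.32.178", "Groups": ["sg-private"]},
}

ICMP_ECHO_REQUEST = 8  # ICMP type that ping sends


def _rule_matches(rule, protocol, port, peer_ip, peer_groups):
    """True if one IpPermissions entry covers protocol/port from this peer.

    `port` is a TCP/UDP port or, for icmp, the ICMP type. Peer matches either
    by CIDR or by security-group reference (UserIdGroupPairs).
    """
    proto = rule["IpProtocol"]
    if proto != "-1":  # "-1" is the AWS wildcard for all protocols and ports
        if proto != protocol:
            return False
        if protocol == "icmp":
            # For icmp, FromPort is the ICMP type and -1 means any type.
            if rule["FromPort"] not in (-1, port):
                return False
        elif not rule["FromPort"] <= port <= rule["ToPort"]:
            return False
    addr = ipaddress.ip_address(peer_ip)
    if any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule["IpRanges"]):
        return True
    return any(p["GroupId"] in peer_groups for p in rule["UserIdGroupPairs"])


def flow_allowed(src_name, dst_name, protocol, port=None, groups=SECURITY_GROUPS):
    """Evaluate both halves of the SG decision: source egress, then destination ingress.

    Security groups are stateful, so the reply path needs no rule of its own.
    Returns (allowed, reason).
    """
    src, dst = INSTANCES[src_name], INSTANCES[dst_name]
    egress_ok = any(
        _rule_matches(rule, protocol, port, dst["PrivateIp"], dst["Groups"])
        for g in src["Groups"] for rule in groups[g]["IpPermissionsEgress"])
    if not egress_ok:
        return False, f"{src_name}: no egress rule for {protocol}/{port} to {dst['PrivateIp']}"
    ingress_ok = any(
        _rule_matches(rule, protocol, port, src["PrivateIp"], src["Groups"])
        for g in dst["Groups"] for rule in groups[g]["IpPermissions"])
    if not ingress_ok:
        return False, (f"{dst_name}: no ingress rule for {protocol}/{port} "
                       f"from {src['PrivateIp']} or groups {src['Groups']}")
    return True, "allowed by security groups"


def with_icmp_echo_allowed(groups, group_id, source_group_id):
    """Hypothetical helper: return a copy of `groups` with an ICMP echo-request
    ingress rule added, the minimal change that would make ping work."""
    patched = copy.deepcopy(groups)
    patched[group_id]["IpPermissions"].append(
        {"IpProtocol": "icmp", "FromPort": ICMP_ECHO_REQUEST, "ToPort": -1,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": source_group_id}]})
    return patched


def ssh_proxyjump_command(bastion_public_ip, target_private_ip, user="ec2-user"):
    """The SSH invocation that matches this SG design: jump through the public host,
    keeping the private key on your workstation instead of copying it to the bastion."""
    return f"ssh -J {user}@{bastion_public_ip} {user}@{target_private_ip}"


if __name__ == "__main__":
    print("ssh  :", flow_allowed("public", "private", "tcp", 22))
    print("ping :", flow_allowed("public", "private", "icmp", ICMP_ECHO_REQUEST))
    fixed = with_icmp_echo_allowed(SECURITY_GROUPS, "sg-private", "sg-public")
    print("ping after ICMP rule:", flow_allowed("public", "private", "icmp",
                                                ICMP_ECHO_REQUEST, groups=fixed))
    print(ssh_proxyjump_command("203.0.113.10", "10.0.32.178"))
```

The practical takeaway matches the comments: test the protocol you actually intend to use (`ssh -J` through the public host, or `nc -vz 10.0.32.178 22` from it) rather than ping, and only add an ICMP rule if ping itself is a requirement. Reachability Analyzer performs this same evaluation against the live configuration, including NACLs and routes, which this model leaves out.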

0 Answers