1

There are two instances: A with IP 172.31.129.238/28 B with IP 172.31.129.232/28 and 10.0.0.200/32

there is a static route in A, saying "10.0.0.200 via 172.31.129.232". B 172.31.129.232 is pingable from A, however 10.0.0.200 is not pingable. I would expect this to work because of the static route.

The tcpdump in B shows that the ICMP request is never reaching the interface. No packets received at all. The tcpdump in A shows ICMP requests being sent in the egress interface.

Any ideas? Is there a possibility AWS blocking the traffic because the IP addressing is assigned internally in instance level? But in this case how simple loopback routing can be achieved?

The security groups are allowing everything, so there is no blocking there.

maiky
  • 3,503
  • 7
  • 28
  • 28

1 Answers1

2

Quoting this AWS doc on NAT,

Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives.

This needs to be disabled, of course, for NAT, but will also need to be disabled in your case (which the same as NAT router except without the NAT). It should be disabled on instance B (Instance A's VPC IP will always be either source or destination from AWS perspective).

there is a static route in A

(edited: OP verified no AWS routes are required)

erik258
  • 14,701
  • 2
  • 25
  • 31
  • 1
    Amazing! Thanks! Never noticed that there is such setting for source/destination checks. After disabling it it works! The routes were deleted in the AWS routing table and it works with the routes on the instance level. This is what we need , as we need to test some BGP configs. Works now, thanks again! – maiky Mar 22 '23 at 21:15