Reputation: 6360
Do route tables need to be enabled in both the sending and receiving VPCs/subnets for traffic to flow?
I have configured 2 VPCs that I have peered but would like traffic only to flow in one direction from VPC A to VPC B. Is this possible?
I played around with the VPCs and route tables but had to configure route tables in both VPC A and B so that they could route traffic to each other through the VPC peering connection. Is bi-directional traffic the only solution or is it possible to have traffic flow in one direction only? i.e. only allow requests to originate from VPC A but allow VPC B to return responses back.
My initial assumption was that one-way traffic was supported, so I had configured route tables in VPC A so that traffic could be routed to VPC B through the VPC peering connection. However, as there was no corresponding route in VPC B, it seemed like the ping response could not find its route back to VPC A.
Also is there documentation on this? I had a read through the AWS docs (including route table basics) but couldn't seem to find anything that addressed my question.
Upvotes: 9
Views: 13566
Reputation: 176
No, we have to set up the route tables on both sides to make the VPC peering work. But instead of VPC peering, we can use another way to make a node inaccessible, like Joseph said, using a security group.
Upvotes: 0
Reputation: 81
If you're concerned with traffic going in one direction, simply block that side via the Security Group around the instance(s) you don't want receiving traffic.
cheers!
Joseph P.
Upvotes: 8
Reputation: 304
The reply from Ryan Harris is very important. TCP/IP is bi-directional - packets have to flow in both directions. Therefore route tables and NACLs have to be configured to allow that from both VPCs (or subnets).
I think a great deal of the confusion on that point arises from the fact that all consumer-grade routers use NAT and automatically generate reciprocal rules when "allowing" a particular port/application.
Upvotes: 3
Reputation: 179364
Docs:
To send traffic from your instance to an instance in a peer VPC using private IPv4 addresses, you must add a route to the route table that's associated with the subnet in which the instance resides.
...
The owner of the other VPC in the peering connection must also add a route to their subnet's route table to direct traffic back to your VPC.
http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-peering-routing.html
Route tables don't simply tell instances on my networks how to initiate connections to yours. They also tell my instances how to reply to you when you try to establish a connection to me. The same applies on the other side. Routes are required in both directions, at least for TCP and ICMP. UDP might work without route symmetry but that's still wrong, since incoming UDP messages can trigger ICMP responses, so symmetric routes are still correct, even if there are cases where it is not strictly mandatory.
Upvotes: 20
Reputation: 1686
You can use a NACL to deny traffic outflow from one to the other. For example, VPC A has a NACL to allow flow out to VPC B, and VPC B has a NACL to allow inflow from VPC A.
Upvotes: 0
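The three mechanisms the answers above rely on (routes needed in both directions, stateless NACLs that must also allow the reply, and stateful security groups that can restrict which side initiates) can be checked against a small model. This is an added example, not code from any of the posters or from AWS: the CIDRs, instance addresses, the peering id `pcx-example`, the rule tables and the scenario names are all constructed, and the model uses TCP port numbers rather than the ICMP ping from the question.

```python
"""Why peered VPCs need routes and NACL rules in both directions, while a security
group still decides which side may initiate. Added example, not code from the thread
or from AWS; all CIDRs, addresses, the peering id and rule tables are constructed.
Route tables drop packets with no matching route; NACLs are stateless with an implicit
deny-all; security groups are stateful, so replies to an accepted flow pass. Egress
security-group rules stay at the AWS default (allow all) and are not modelled."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

ANY = "0.0.0.0/0"
PCX = "pcx-example"  # constructed peering connection id
ALLOW_ALL = [("allow", ANY, "any", 0, 65535)]  # same effect as the AWS default NACL
Packet = namedtuple("Packet", "src dst proto sport dport")

@dataclass
class Vpc:
    name: str
    cidr: str
    routes: dict = field(default_factory=dict)  # destination cidr -> target
    nacl_in: list = field(default_factory=lambda: list(ALLOW_ALL))  # (action, cidr, proto, lo, hi)
    nacl_out: list = field(default_factory=lambda: list(ALLOW_ALL))
    sg_in: list = field(default_factory=list)  # (cidr, proto, lo, hi); SGs hold allow rules only
    conns: set = field(default_factory=set)  # connection tracking for the stateful SG
    def __post_init__(self):
        self.routes.setdefault(self.cidr, "local")  # every VPC route table has a local route

def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def rule_matches(rule, ip, proto, port):
    cidr, rproto, lo, hi = rule
    return in_cidr(ip, cidr) and rproto in ("any", proto) and lo <= port <= hi

def nacl_allows(rules, ip, proto, port):
    for action, *rule in rules:  # first matching rule wins, as on AWS
        if rule_matches(rule, ip, proto, port):
            return action == "allow"
    return False  # implicit deny-all at the end of every NACL

def conn_key(pkt):
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

def sg_ingress_allows(vpc, pkt):
    key = conn_key(pkt)
    if key in vpc.conns:  # stateful: return traffic of a flow this instance already has
        return True
    if any(rule_matches(r, pkt.src, pkt.proto, pkt.dport) for r in vpc.sg_in):
        vpc.conns.add(key)  # new inbound connection accepted, remember it for the reply
        return True
    return False

def deliver(vpcs, pkt):
    """Walk one packet through every check between the two instances."""
    src = next(v for v in vpcs if in_cidr(pkt.src, v.cidr))
    dst = next(v for v in vpcs if in_cidr(pkt.dst, v.cidr))
    src.conns.add(conn_key(pkt))  # the allow-all egress SG tracks the outbound flow
    if not nacl_allows(src.nacl_out, pkt.dst, pkt.proto, pkt.dport):
        return False, f"{src.name}: dropped by NACL outbound"
    if not any(in_cidr(pkt.dst, net) for net in src.routes):
        return False, f"{src.name}: no route to {pkt.dst}"
    if not nacl_allows(dst.nacl_in, pkt.src, pkt.proto, pkt.dport):
        return False, f"{dst.name}: dropped by NACL inbound"
    if not sg_ingress_allows(dst, pkt):
        return False, f"{dst.name}: dropped by SG ingress"
    return True, f"{dst.name}: delivered"

def exchange(vpcs, request):
    """Send a request, then its reply; return (request_ok, reply_ok, last_step)."""
    reply = Packet(request.dst, request.src, request.proto, request.dport, request.sport)
    req_ok, step = deliver(vpcs, request)
    rep_ok, step = deliver(vpcs, reply) if req_ok else (False, step)
    return req_ok, rep_ok, step

def peered_pair(route_b_to_a=True, strict_nacl_b=False, ephemeral_out_b=True):
    """A may open HTTP to B; A's own security group accepts no new inbound at all."""
    a = Vpc("vpc-a", "10.0.0.0/16", routes={"10.1.0.0/16": PCX})
    b = Vpc("vpc-b", "10.1.0.0/16", routes={"10.0.0.0/16": PCX} if route_b_to_a else {},
            sg_in=[("10.0.0.0/16", "tcp", 80, 80)])
    if strict_nacl_b:  # stateless: the reply needs its own outbound rule for ephemeral ports
        b.nacl_in = [("allow", "10.0.0.0/16", "tcp", 80, 80)]
        b.nacl_out = [("allow", "10.0.0.0/16", "tcp", 1024, 65535)] if ephemeral_out_b else []
    return [a, b]

HTTP_A_TO_B = Packet("10.0.1.10", "10.1.1.20", "tcp", 50123, 80)
HTTP_B_TO_A = Packet("10.1.1.20", "10.0.1.10", "tcp", 50124, 80)

def run_scenarios():
    return {
        "routes_both_ways": exchange(peered_pair(), HTTP_A_TO_B),
        "no_return_route_in_b": exchange(peered_pair(route_b_to_a=False), HTTP_A_TO_B),
        "strict_nacl_with_ephemeral": exchange(peered_pair(strict_nacl_b=True), HTTP_A_TO_B),
        "strict_nacl_no_ephemeral": exchange(peered_pair(True, True, False), HTTP_A_TO_B),
        "b_tries_to_initiate": exchange(peered_pair(), HTTP_B_TO_A),
    }

if __name__ == "__main__":
    for name, (req_ok, rep_ok, step) in run_scenarios().items():
        print(f"{name:27} request={req_ok!s:5} reply={rep_ok!s:5} {step}")
```

Running it shows the pattern the thread describes: with a route in both VPCs the request and reply both arrive; remove VPC B's route back to VPC A and the request still lands but the reply is dropped at B's route lookup, which is the ping symptom in the question. A strict NACL on B that only allows inbound port 80 drops the reply unless B also has an outbound rule for the ephemeral port range, because NACLs are stateless. The one-way policy comes from the security group: VPC A's instance has no inbound rule at all, yet replies to connections it opened are still accepted, while a connection initiated from B is dropped at A's security group.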