Can someone connect/discover my AWS service/instance locally (using a private addresses)?

Question

I am not an expert in networking, so I want to get a clearer image. I have an AWS running instance, and its local network is 172.31.16.0/20 with address. I know that Amazon uses 172.31.0.0/16 CIDR to manage private addresses.

If someone does a scan on 172.31.0.0/16, could he/she discover my instance?

I tried to do it with another instance of mine and it detects it, but I am not sure if it works, for instance, I don't own because of this notion of VPC that I don't really understand.

Answer 1

For public IP addresses, you definitely can be discovered.

For intern IP addresses, to the extent I know, it is a virtual network, and it is isolated from other VPCs.

Answer 2

Simply no. This CIDR is for a VPC, and your VPC is different from another AWS user's VPC.

To allow another AWS user to access your VPC network, you need to share it manually, so if you do not share it, it is not possible for other users to detect your instance by a brute force query.

Answer 3

Traffic for private RFC1918 addresses is not routable over the Internet. No one can hit your 172.31 address across the Internet. Not from outside AWS and not from another VPC (yours or anyone else's).

VPCs are per account and are isolated from each other. You can, however, share subnets of your VPC with another AWS account within the same AWS Organization, if you choose to. You can also peer VPCs, if you choose to.

Other instances within your VPC can reach an instance in the same VPC, of course, assuming the default routing and NACLs, as can anyone on your VPC's extended network, for example if you have a VPN connection into your VPC (but I assume that's not relevant here).