Reputation: 571
Can an instance with public IP in private subnet receive internet traffic?
Shorter version of my questions:
- If an instance has a public ip but it is located in a private subnet, can it receive inbound traffic? (assume no firewall blocks it)
- When there isn’t route for internet gateway in a route table, does this mean (1) it just drops outbound traffic to the internet or (2) there isn't a “connection” between the route table and the internet gateway at all, therefore, it also doesn’t receive inbound traffic from the internet? If (2) is the case, can you elaborate on how this “connection” is established?
Longer version of my question:
I am watching a course on Whizlab where the instructor built the network structure in the image below to demonstrate how transit gateway works for private subnets. I am confused about what stops green ec2_1 from accessing blue ec2_2.
He tested this inaccessibility by:
- ssh into
green ec_1 - then, ping
blue ec2_1 private ip, success - then, ping
blue ec2_2 private ip, no response
Then he says, the ping to blue ec2_2 private ip won’t work because “we have no route from the green instance to a blue instance in private subnet”.
However, I think the reasons should be “we have no route from the blue instance in the private subnet to a green instance”. Basically, I think what fails the ping is the outbound traffic in blue private subnet, not the inbound.
More of my current understanding:
- Any route table in a vpc can receive any traffic being forwarded to it. It sends the traffic to the next hop called
targetgiven thedestinationcontained in the packet. If it doesn’t have a givendestination, it simply drops the traffic. - The second testing ping can route into
blue ec2_2based on the “20.0.0.0/16=>local” route inblue route_table_2
(Sorry for the small image! Too many details to include, feel free to open it in a new tab!)
I found this post helpful after posting this question. That post explains how NAT and private subnet work in vpc and why it is possible for an instance with public ip inside private subnet to receive internet traffic but not send out useful outbound traffic.
Upvotes: 3
Views: 1393
Answers (2)
Reputation: 238747
- If an instance has a public ip but it is located in a private subnet, can it receive inbound traffic?
Not it can't. You can only initiate outbound internet traffic from it if you have NAT. "private" means that instance is not accessible from the internet, with or without public ip.
- When there isn’t route for internet gateway in a route table, does this mean (1) it just drops outbound traffic to the internet or (2) there isn't a “connection” between the route table and the internet gateway at all, therefore, it also doesn’t receive inbound traffic from the internet? If (2) is the case, can you elaborate on how this “connection” is established?
If there is no route table to IGW, then there is no inbound nor outbound internet traffic in your VPC. Sadly I don't understand what you are asking regarding the "connection".
Upvotes: 3
Reputation: 1226
An instance in a private subnet can have internet traffic. Depending on your nat gateway, ACL and security groups.
If there is no nat gateway then I think there will be a timeout when trying to acces internet.
Upvotes: 0
Related Questions
- EC2 instance in public subnet has no public IP
- Can VPC with Internet Gateway attached have private subnets?
- Connecting from public subnet to private subnet
- How can ec2 instances in private and public subnet communicate?
- EC2 instance in a public subnet has no public IP
- AWS Public Subnet Internet Access for Non Public IP Instances
- Access Internet from AWS VPC instance without public IP address
- How to access the internet from VPC private subnet
- AWS vpc access the Internet from public subnet
- Accessing an EC2 instance launched into a VPC without public IP address?