moon

Reputation: 571

Can an instance with public IP in private subnet receive internet traffic?

Shorter version of my questions:

  1. If an instance has a public ip but it is located in a private subnet, can it receive inbound traffic? (assume no firewall blocks it)
  2. When there isn’t a route to the internet gateway in a route table, does this mean (1) it just drops outbound traffic to the internet, or (2) there isn't a “connection” between the route table and the internet gateway at all, and therefore it also doesn’t receive inbound traffic from the internet? If (2) is the case, can you elaborate on how this “connection” is established?

Longer version of my question:

I am watching a course on Whizlab where the instructor built the network structure in the image below to demonstrate how transit gateway works for private subnets. I am confused about what stops green ec2_1 from accessing blue ec2_2.

He tested this inaccessibility by:

  1. ssh into green ec2_1
  2. then, ping blue ec2_1 private ip, success
  3. then, ping blue ec2_2 private ip, no response

Then he says the ping to blue ec2_2 private ip won’t work because “we have no route from the green instance to a blue instance in private subnet”.

However, I think the reason should be “we have no route from the blue instance in the private subnet to a green instance”. Basically, I think what fails the ping is the outbound traffic in the blue private subnet, not the inbound.

More of my current understanding:

  1. Any route table in a vpc can receive any traffic being forwarded to it. It sends the traffic to the next hop, called the target, based on the destination contained in the packet. If it doesn’t have a route for the given destination, it simply drops the traffic.
  2. The second testing ping can route into blue ec2_2 based on the “20.0.0.0/16=>local” route in blue route_table_2

[Image: the instructor's network diagram (green VPC, blue VPC, transit gateway and route tables); not reproduced here]

(Sorry for the small image! Too many details to include, feel free to open it in a new tab!)


I found this post helpful after posting this question. That post explains how NAT and private subnet work in vpc and why it is possible for an instance with public ip inside private subnet to receive internet traffic but not send out useful outbound traffic.

Upvotes: 3

Views: 1393
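The route-table behaviour described in the question, modelled as an added example (not part of the original post or the course material): a VPC route table does a longest-prefix match and drops anything with no matching route, and a ping only succeeds when both the forward path and the return path find a route. Only “20.0.0.0/16 => local” in blue route_table_2 comes from the question; the green VPC CIDR (10.0.0.0/16), the instance addresses and the tgw/igw targets are constructed assumptions, and the transit gateway's own route table is ignored.

```python
from ipaddress import ip_address, ip_network

# Constructed route tables modelled on the question's topology (assumptions
# except for blue route_table_2, whose only route the question quotes).
ROUTE_TABLES = {
    "green_rt":  {"10.0.0.0/16": "local", "20.0.0.0/16": "tgw", "0.0.0.0/0": "igw"},
    "blue_rt_1": {"20.0.0.0/16": "local", "10.0.0.0/16": "tgw", "0.0.0.0/0": "igw"},
    "blue_rt_2": {"20.0.0.0/16": "local"},  # private subnet: no tgw route, no igw route
}

# Constructed instance addresses and the route table of each instance's subnet.
INSTANCES = {
    "green_ec2_1": ("10.0.1.10", "green_rt"),
    "blue_ec2_1":  ("20.0.1.10", "blue_rt_1"),
    "blue_ec2_2":  ("20.0.2.10", "blue_rt_2"),
}


def lookup(table_name, dst):
    """Longest-prefix match over one route table; None means the packet is dropped."""
    dst = ip_address(dst)
    best = None
    for cidr, target in ROUTE_TABLES[table_name].items():
        net = ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def reachable(src_name, dst_name):
    """A ping needs a route for the echo request AND a route back for the reply."""
    src_ip, src_rt = INSTANCES[src_name]
    dst_ip, dst_rt = INSTANCES[dst_name]
    forward = lookup(src_rt, dst_ip)
    if forward is None:
        return False, f"forward dropped: {src_rt} has no route to {dst_ip}"
    reply = lookup(dst_rt, src_ip)
    if reply is None:
        return False, f"reply dropped: {dst_rt} has no route back to {src_ip}"
    return True, f"forward via {forward}, reply via {reply}"


if __name__ == "__main__":
    for dst in ("blue_ec2_1", "blue_ec2_2"):
        print(dst, reachable("green_ec2_1", dst))
    # A subnet without a 0.0.0.0/0 route to the igw drops internet-bound traffic
    # outright, and a public IP alone does not change that table.
    print("blue_rt_2 -> 198.51.100.1:", lookup("blue_rt_2", "198.51.100.1"))
```

With these tables the echo request from green ec2_1 reaches blue ec2_2 over the local route, but the reply is dropped in blue route_table_2, which is the asker's reading of why the second ping times out.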

Answers (2)

Marcin

Reputation: 238747

  1. If an instance has a public ip but it is located in a private subnet, can it receive inbound traffic?

No, it can't. You can only initiate outbound internet traffic from it if you have NAT. "private" means that instance is not accessible from the internet, with or without public ip.

  2. When there isn’t route for internet gateway in a route table, does this mean (1) it just drops outbound traffic to the internet or (2) there isn't a “connection” between the route table and the internet gateway at all, therefore, it also doesn’t receive inbound traffic from the internet? If (2) is the case, can you elaborate on how this “connection” is established?

If there is no route table to IGW, then there is no inbound nor outbound internet traffic in your VPC. Sadly I don't understand what you are asking regarding the "connection".

Upvotes: 3

Lucasz

Reputation: 1226

An instance in a private subnet can have internet traffic, depending on your NAT gateway, ACL and security groups.

If there is no NAT gateway then I think there will be a timeout when trying to access the internet.

Upvotes: 0
