VPC Peering - DNS resolves to public IP - amazon-web-services

I have configured a VPC peering connection between VPC A and VPC B (they are in different accounts but in the same region), and when I try to resolve the domain name of a service (e.g. sometest.com) that is in VPC B from an instance in VPC A, it is supposed to point to a private IP but it resolves to the public IP. The route tables for both VPCs have corresponding entries for the peering connection, the security groups allow traffic from/to the peered VPC, and both VPCs have "Enable DNS resolution/hostnames" enabled.
I'm not sure why it resolves to the public IP - what am I missing?

You need to have a vpc-association-authorization established between the two VPCs and the private zones to be able to resolve private hosted zone addresses from a VPC in one region/account to a VPC in another region/account.
You can follow this step-by-step guide: https://aws.amazon.com/premiumsupport/knowledge-center/route53-private-hosted-zone/
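The cross-account association the answer describes, as an added AWS CLI example; it is not part of the original answer or of the linked guide. The profile names, hosted zone ID, VPC ID and region are placeholders, and the script prints the commands unless DRY_RUN=0 is set. The revocation step is the security detail worth keeping: the authorization is a standing permission for that VPC, and the association survives its removal.

```shell
#!/bin/sh
# Added example: associate a Route 53 private hosted zone owned by account B
# with a peered VPC in account A, then confirm the association.
# All identifiers below are placeholders (assumptions), not values from the thread.
set -eu

ZONE_OWNER_PROFILE="${ZONE_OWNER_PROFILE:-account-b}"   # owns the private hosted zone
VPC_OWNER_PROFILE="${VPC_OWNER_PROFILE:-account-a}"     # owns VPC A
HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-Z0123456789ABCDEFGHIJ}"
VPC_A_ID="${VPC_A_ID:-vpc-0a1b2c3d4e5f67890}"
REGION="${REGION:-us-east-1}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1, zone owner (account B): authorise VPC A to be associated with the zone.
# Until this exists, the association request from account A is rejected.
authorize_vpc() {
  run aws route53 create-vpc-association-authorization \
    --profile "$ZONE_OWNER_PROFILE" --hosted-zone-id "$HOSTED_ZONE_ID" \
    --vpc "VPCRegion=$REGION,VPCId=$VPC_A_ID"
}

# Step 2, VPC owner (account A): associate VPC A with the zone.
associate_vpc() {
  run aws route53 associate-vpc-with-hosted-zone \
    --profile "$VPC_OWNER_PROFILE" --hosted-zone-id "$HOSTED_ZONE_ID" \
    --vpc "VPCRegion=$REGION,VPCId=$VPC_A_ID"
}

# Step 3, zone owner: remove the authorisation now that the association exists.
# The association stays in place; the standing permission does not.
revoke_authorization() {
  run aws route53 delete-vpc-association-authorization \
    --profile "$ZONE_OWNER_PROFILE" --hosted-zone-id "$HOSTED_ZONE_ID" \
    --vpc "VPCRegion=$REGION,VPCId=$VPC_A_ID"
}

# Verification from account A: the zone must be listed for VPC A, and both VPC
# DNS attributes must be true or the VPC resolver will not answer for the zone.
verify() {
  run aws route53 list-hosted-zones-by-vpc --profile "$VPC_OWNER_PROFILE" \
    --vpc-id "$VPC_A_ID" --vpc-region "$REGION"
  run aws ec2 describe-vpc-attribute --profile "$VPC_OWNER_PROFILE" --region "$REGION" \
    --vpc-id "$VPC_A_ID" --attribute enableDnsSupport
  run aws ec2 describe-vpc-attribute --profile "$VPC_OWNER_PROFILE" --region "$REGION" \
    --vpc-id "$VPC_A_ID" --attribute enableDnsHostnames
}

main() {
  authorize_vpc
  associate_vpc
  revoke_authorization
  verify
}

main
```

From an instance in VPC A, `dig +short sometest.com @169.254.169.253` (the Route 53 Resolver address reachable from inside any VPC) should then return the private address. If it still returns the public one, the query is falling through to public DNS because the private zone is not associated with VPC A.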

Related

unable to ssh to EC2 instance inside public subnet in custom vpc

I have a VPC with 2 private and 2 public subnets. I have added an EC2 instance in a public subnet.
The EC2 instance is given a private IP according to the CIDR of the VPC and public subnet.
The route table contains a row for 0.0.0.0/0 with the internet gateway;
the public subnet is associated with this route table.
The EC2 instance is also healthy.
I am unable to troubleshoot how to SSH to my instance.
I am new to VPC and this is my first time working with my own, so I might have missed something.
Inbound rules on SG
Inbound rules on NACL
Several things to check:
Make sure the EC2 instance has a public IP assigned (enable auto-assign public IPv4 address on the public subnet).
The NACL outbound rule allows your IP/any IP to port 22/any port, since NACLs are stateless.
The internet gateway is attached to the correct VPC.
The subnet is associated with the correct route table, which has the internet gateway.
The EC2 instance is provisioned in the correct public subnet that is associated with the route table.
The SG that allows port 22 inbound is attached to the EC2 instance.
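The checklist above as AWS CLI queries, added here as an example that is not part of the original answer. The instance, subnet, VPC and security group IDs are placeholders; the script prints the commands unless DRY_RUN=0 is set. The NACL step spells out the detail the checklist compresses: because NACLs are stateless, the outbound side must allow the ephemeral port range back to the client, not port 22.

```shell
#!/bin/sh
# Added example: run the SSH-reachability checks from the answer with the AWS CLI.
# Instance, subnet, VPC and security group IDs are placeholders (assumptions),
# not values from the question. DRY_RUN=1 prints the commands; DRY_RUN=0 runs them.
set -eu

INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"
SUBNET_ID="${SUBNET_ID:-subnet-0123456789abcdef0}"
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"
SG_ID="${SG_ID:-sg-0123456789abcdef0}"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Public IP (empty if none was assigned), subnet and attached security groups.
instance_facts() {
  run aws ec2 describe-instances --instance-ids "$INSTANCE_ID" \
    --query 'Reservations[].Instances[].{PublicIp:PublicIpAddress,Subnet:SubnetId,Groups:SecurityGroups[].GroupId}'
}

# 1b. Whether the subnet hands out public IPs to newly launched instances.
subnet_auto_assign() {
  run aws ec2 describe-subnets --subnet-ids "$SUBNET_ID" \
    --query 'Subnets[].MapPublicIpOnLaunch'
}

# 2. The route table associated with the subnet must send 0.0.0.0/0 to an igw-*.
# An empty result means the subnet is using the VPC main route table instead.
subnet_default_route() {
  run aws ec2 describe-route-tables \
    --filters "Name=association.subnet-id,Values=$SUBNET_ID" \
    --query 'RouteTables[].Routes[?DestinationCidrBlock==`0.0.0.0/0`].GatewayId'
}

# 3. The internet gateway must be attached to this VPC, not merely created.
igw_attached() {
  run aws ec2 describe-internet-gateways \
    --filters "Name=attachment.vpc-id,Values=$VPC_ID" \
    --query 'InternetGateways[].InternetGatewayId'
}

# 4. NACLs are stateless and evaluated in rule-number order: inbound needs TCP 22
# from the client, and outbound needs TCP 1024-65535 to the client, because the
# client's end of the SSH session sits on an ephemeral port.
nacl_entries() {
  run aws ec2 describe-network-acls \
    --filters "Name=association.subnet-id,Values=$SUBNET_ID" \
    --query 'NetworkAcls[].Entries[].{Rule:RuleNumber,Egress:Egress,Cidr:CidrBlock,Ports:PortRange,Action:RuleAction}'
}

# 5. Security groups are stateful, so a single inbound TCP 22 rule is enough;
# list the sources it allows and make sure your address is among them.
sg_ssh_sources() {
  run aws ec2 describe-security-groups --group-ids "$SG_ID" \
    --query 'SecurityGroups[].IpPermissions[?ToPort==`22`].IpRanges[].CidrIp'
}

main() {
  instance_facts
  subnet_auto_assign
  subnet_default_route
  igw_attached
  nacl_entries
  sg_ssh_sources
}

main
```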

AWS security groups and Virtual private cloud

Can instance1 and instance2 with default security groups communicate with each other if they are in different VPCs in the same region?
EC2 instances can't communicate with each other using their private IPs unless both VPCs are peered.
Once peering is established, which includes adding route table entries for the CIDR ranges of the peer VPC pointing to the peering connection, each VPC knows where to route requests when a private instance in one VPC tries to talk to a private IP in the other VPC.

In AWS, does the whole VPC get a single DNS server or does each subnet in VPC gets a DNS server?

This question is in the context of private DNS hostnames.
In AWS, for each subnet in a VPC, the IP address of the DNS server is the base of the VPC network range plus two. I am curious to understand:
whether it is a single DNS server for the entire VPC with interfaces in each subnet, or
whether there are separate instances of DNS servers for each subnet.
If there are separate instances of DNS servers for each subnet, how does the private DNS name of an EC2 instance in a different subnet (within the same VPC) get resolved?
There is only one DNS server per VPC, and its private IP address is the base of the VPC network range plus two. [ref]

ELB amazon : 2 vpc and routing request /blog FROM A to B

I'm looking for a way to communicate (HTTPS requests) from a VPC A to another VPC B.
VPC A is behind an Elastic Load Balancer (ELB) with 3 EC2 instances.
VPC B has one server for the moment and is not behind an ELB.
On my ELB, when I try to add a new rule with the new target group I created, I can't select it in the list. It's probably because it's in the other VPC, isn't it?
I tried with a peering connection like this:
Asker: VPC A
Acceptor: VPC B
I checked both DNS resolutions (from A to B and B to A).
The peering connection is active.
I changed my route tables:
I added on VPC A's route table the peering connection with the public IP
of a server in VPC B
I added on VPC B's route table the peering connection with the public IP
of a server (master) in VPC A
No difference, I can't select it in my ELB rules.
What am I missing?
Could you help me please?
Cheers
You are not able to use a target group in one VPC within the load balancer of another VPC.
There is functionality to allow an instance from another peered VPC (assuming that it is in the same region), however. If you create an IP-based target group (in the VPC with the ALB), you can specify the IP address of the instance in the peered VPC.
More information about this is available in: New – Application Load Balancing via IP Address to AWS & On-Premises Resources | AWS News Blog
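The IP-target-group approach from the answer, as an added AWS CLI example that is not part of the original answer or of the linked blog post. The VPC ID, listener ARN, target group name and the peer server's private IP are placeholders, and the script prints the commands unless DRY_RUN=0 is set. Two details matter for the setup in the question: the target is registered by its private IP (publicly routable addresses are rejected for IP targets), and the ALB's health checks travel over the peering, so VPC A's route table must carry VPC B's CIDR via the peering connection rather than an instance's public IP.

```shell
#!/bin/sh
# Added example: forward /blog* from an ALB in VPC A to a server in peered VPC B
# by its private IP, using an IP-type target group. IDs, ARNs and the IP are
# placeholders (assumptions). DRY_RUN=1 prints the commands; DRY_RUN=0 runs them.
set -eu

VPC_A_ID="${VPC_A_ID:-vpc-0a1b2c3d4e5f67890}"
PEER_PRIVATE_IP="${PEER_PRIVATE_IP:-10.20.1.15}"   # private IP of the VPC B server
LISTENER_ARN="${LISTENER_ARN:-arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/web/abc123/def456}"
TG_NAME="${TG_NAME:-blog-peered}"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The target group lives in the ALB's VPC (VPC A); target-type ip is what lets it
# hold addresses that are not ENIs in that VPC.
create_target_group() {
  run aws elbv2 create-target-group --name "$TG_NAME" --target-type ip \
    --protocol HTTPS --port 443 --vpc-id "$VPC_A_ID" \
    --health-check-protocol HTTPS --health-check-path /blog \
    --query 'TargetGroups[0].TargetGroupArn' --output text
}

# Register the peer server by private IP. AvailabilityZone=all is required when
# the address is outside the target group's VPC (peered VPC or on-premises).
# Only private ranges are accepted (10/8, 100.64/10, 172.16/12, 192.168/16).
register_peer_target() {
  tg_arn="$1"
  run aws elbv2 register-targets --target-group-arn "$tg_arn" \
    --targets "Id=$PEER_PRIVATE_IP,Port=443,AvailabilityZone=all"
}

# Listener rule: path /blog* goes to the peered target group.
add_path_rule() {
  tg_arn="$1"
  run aws elbv2 create-rule --listener-arn "$LISTENER_ARN" --priority 10 \
    --conditions 'Field=path-pattern,Values=/blog*' \
    --actions "Type=forward,TargetGroupArn=$tg_arn"
}

# Health checks come from the ALB nodes in VPC A across the peering, so the
# VPC B server's security group must allow 443 from the ALB's group or VPC A's CIDR.
check_health() {
  tg_arn="$1"
  run aws elbv2 describe-target-health --target-group-arn "$tg_arn"
}

main() {
  if [ "$DRY_RUN" = "1" ]; then
    create_target_group
    tg_arn="arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/$TG_NAME/0123456789abcdef"
  else
    tg_arn=$(create_target_group)
  fi
  register_peer_target "$tg_arn"
  add_path_rule "$tg_arn"
  check_health "$tg_arn"
}

main
```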

AWS public subnet VPC communication

I have two instances in the public subnets of 2 different VPCs.
To allow communication between them, I have to add the public IP of one instance to the other's security group.
If one of the servers is changed, I need to add the IP again to the other server's security group.
If I just add the security group of one VPC to the other, or even all the allowed IPs of the VPC, it does not work.
So I am looking for a workaround so that I don't have to add the IP each time.
I am facing this issue because both servers are in public subnets.
VPC peering is already present between both VPCs. The issue is communication between public subnets in different VPCs.
There should be no need to use the public IP address of the instances. The instances should communicate with each other via their private IP address across the VPC Peering connection.
The best way to do this is:
Create a security group (SG-A) and assign it to Instance-A
Create a security group (SG-B) and assign it to Instance-B
SG-A should permit inbound connections from SG-B
SG-B should permit inbound connections from SG-A
There is no need to reference specific IP addresses. Referencing the other security group will automatically enable communication on the chosen port(s).
See: Updating Your Security Groups to Reference Peer VPC Groups - Amazon Virtual Private Cloud
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them privately. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-peering.html
https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html
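The security group cross-references from the answer above, together with the route table entries the earlier answer (under "AWS security groups and Virtual private cloud") says peering requires, as one added AWS CLI example that is not part of either answer. It assumes the two VPCs sit in different accounts, which is why each group pair carries a UserId (in a single account the UserId is optional), and uses placeholder profiles, account IDs, VPC/security group/route table/peering IDs and CIDRs. The script prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: let two peered VPCs in two accounts reach each other on one
# port by referencing each other's security groups, then verify the routes and
# look for stale rules. Profiles, account IDs, VPC/SG/route-table/peering IDs and
# CIDRs are placeholders (assumptions). DRY_RUN=1 prints; DRY_RUN=0 executes.
set -eu

PROFILE_A="${PROFILE_A:-account-a}"; ACCOUNT_A="${ACCOUNT_A:-111122223333}"
PROFILE_B="${PROFILE_B:-account-b}"; ACCOUNT_B="${ACCOUNT_B:-444455556666}"
VPC_A="${VPC_A:-vpc-0aaaaaaaaaaaaaaaa}"; SG_A="${SG_A:-sg-0aaaaaaaaaaaaaaaa}"
RTB_A="${RTB_A:-rtb-0aaaaaaaaaaaaaaaa}"; CIDR_A="${CIDR_A:-10.10.0.0/16}"
VPC_B="${VPC_B:-vpc-0bbbbbbbbbbbbbbbb}"; SG_B="${SG_B:-sg-0bbbbbbbbbbbbbbbb}"
RTB_B="${RTB_B:-rtb-0bbbbbbbbbbbbbbbb}"; CIDR_B="${CIDR_B:-10.20.0.0/16}"
PCX_ID="${PCX_ID:-pcx-0123456789abcdef0}"
PORT="${PORT:-443}"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Route the peer VPC's CIDR (not any instance's public IP) to the peering
# connection. A public destination is not covered by the peer CIDR, so it follows
# the 0.0.0.0/0 route out of the internet gateway and never crosses the peering.
add_peer_route() {
  profile="$1"; rtb="$2"; peer_cidr="$3"
  run aws ec2 create-route --profile "$profile" --route-table-id "$rtb" \
    --destination-cidr-block "$peer_cidr" --vpc-peering-connection-id "$PCX_ID"
}

# Allow inbound PORT from a group in the peer VPC. For a group owned by another
# account the pair must carry that account's ID; otherwise the group ID is looked
# up in the caller's own account and the call fails.
allow_from_peer_group() {
  profile="$1"; local_sg="$2"; peer_sg="$3"; peer_account="$4"
  run aws ec2 authorize-security-group-ingress --profile "$profile" \
    --group-id "$local_sg" \
    --ip-permissions "IpProtocol=tcp,FromPort=$PORT,ToPort=$PORT,UserIdGroupPairs=[{GroupId=$peer_sg,UserId=$peer_account}]"
}

# Show which groups reference this one across the peering, and which rules are
# stale: deleting the peering leaves the rules in place but they match nothing,
# so they should be reviewed and removed rather than left behind.
check_references() {
  profile="$1"; sg="$2"; vpc="$3"
  run aws ec2 describe-security-group-references --profile "$profile" --group-id "$sg"
  run aws ec2 describe-stale-security-groups --profile "$profile" --vpc-id "$vpc"
}

main() {
  add_peer_route "$PROFILE_A" "$RTB_A" "$CIDR_B"
  add_peer_route "$PROFILE_B" "$RTB_B" "$CIDR_A"
  allow_from_peer_group "$PROFILE_A" "$SG_A" "$SG_B" "$ACCOUNT_B"
  allow_from_peer_group "$PROFILE_B" "$SG_B" "$SG_A" "$ACCOUNT_A"
  check_references "$PROFILE_A" "$SG_A" "$VPC_A"
  check_references "$PROFILE_B" "$SG_B" "$VPC_B"
}

main
```

With these rules in place the instances talk over their private IPs and no rule ever names an address, so replacing a server only requires attaching the same security group to its successor.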