I'm reading everywhere (including the official documentation) that an EC2 instance in a private subnet cannot be reached from the internet, even if it has a public IP.
Let's say I have a `10.0.0.0/16` VPC with a `10.0.0.0/20` public subnet and a `10.0.0.128/20` private subnet containing an EC2 instance with a public IP.
As I understand it, in this configuration a packet sent to the EC2 instance would:
- Be received by the Internet Gateway of the VPC, which would perform NAT and emit that packet from its private network interface (I guess `10.0.0.1`)
- Then be routable to the EC2 instance thanks to the rule saying that packets targeting `10.0.0.0/16` should be forwarded to the local network
However, the EC2 instance wouldn't be able to reply to that packet (in order to establish a TCP connection, for example) because it has no route to an Internet Gateway or a NAT instance.
So, as I understand it, the statement "an EC2 instance in a private subnet cannot be reached from the internet, even if it has a public IP" is not true: it is actually reachable (if the network ACLs and the security groups allow the traffic), but it cannot respond to any solicitation.
Is my reasoning correct?
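The route-table half of the question (does the instance's subnet have any route for a reply to an internet address?) can be checked mechanically. The script below is an added example, not code from the question or from AWS: it takes output shaped like `aws ec2 describe-route-tables`, finds the table that governs a given subnet (an explicit association, or the VPC's main table when there is none), does a longest-prefix-match lookup, and classifies the subnet as public or private by whether an active route points at an `igw-` target. The JSON is constructed for this example; the subnet IDs, route-table IDs, gateway ID and the `10.0.16.0/20` private CIDR are assumptions, not values from the question. It models route lookups only and says nothing about how the Internet Gateway itself handles inbound packets.

```python
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-route-tables` output.
# IDs and CIDRs are assumptions for this example, not from the question.
# "subnet-private" has no explicit association, so it falls back to the
# main table (rtb-0aaa), which carries only the local route.
SAMPLE_DESCRIBE_ROUTE_TABLES = json.loads("""
{
  "RouteTables": [
    {
      "RouteTableId": "rtb-0aaa",
      "VpcId": "vpc-0123",
      "Associations": [{"Main": true, "RouteTableId": "rtb-0aaa"}],
      "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
      ]
    },
    {
      "RouteTableId": "rtb-0bbb",
      "VpcId": "vpc-0123",
      "Associations": [{"Main": false, "SubnetId": "subnet-public", "RouteTableId": "rtb-0bbb"}],
      "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0ccc", "State": "active"}
      ]
    }
  ]
}
""")


def route_table_for_subnet(describe_output, subnet_id):
    """Return the route table governing subnet_id: the explicitly associated
    table if there is one, otherwise the VPC's main table."""
    main = None
    for table in describe_output["RouteTables"]:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def route_target(route):
    """The next hop named by a route entry, whichever field carries it."""
    for key in ("GatewayId", "NatGatewayId", "InstanceId", "NetworkInterfaceId"):
        if route.get(key):
            return route[key]
    return None


def lookup_route(table, dst_ip):
    """Longest-prefix match over the table's active IPv4 routes.
    Returns the winning route's target ('local', 'igw-...', ...) or None
    when no route covers dst_ip, i.e. the packet has nowhere to go."""
    addr = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for route in table["Routes"]:
        cidr = route.get("DestinationCidrBlock")
        if not cidr or route.get("State") != "active":
            continue
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, route_target(route)
    return best_target


def classify_subnet(describe_output, subnet_id):
    """'public' if the subnet's table has an active route to an Internet
    Gateway (AWS's definition of a public subnet), else 'private'."""
    table = route_table_for_subnet(describe_output, subnet_id)
    for route in table["Routes"]:
        target = route_target(route) or ""
        if route.get("State") == "active" and target.startswith("igw-"):
            return "public"
    return "private"


if __name__ == "__main__":
    for subnet in ("subnet-public", "subnet-private"):
        table = route_table_for_subnet(SAMPLE_DESCRIBE_ROUTE_TABLES, subnet)
        print(subnet, classify_subnet(SAMPLE_DESCRIBE_ROUTE_TABLES, subnet),
              "reply to 203.0.113.10 ->", lookup_route(table, "203.0.113.10"))
```

Against real output, feed it the JSON from `aws ec2 describe-route-tables` and the subnet ID you care about. The fallback to the main route table is the part worth keeping an eye on: a subnet with no explicit association inherits whatever the main table contains, so a `0.0.0.0/0 -> igw-...` route added to the main table quietly turns every unassociated subnet public.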