
I'm reading everywhere (including the official documentation) that an EC2 instance in a private subnet cannot be reached from the internet, even if it has a public IP.

Let's say I have a 10.0.0.0/16 VPC with a 10.0.0.0/20 public subnet and a 10.0.0.128/20 private subnet containing an EC2 instance with a public IP.

According to me, in this configuration, a packet sent to the EC2 instance would:

  • Be received by the Internet Gateway of the VPC, which would perform NAT and emit that packet with its private network interface (I guess 10.0.0.1)
  • That packet would then be routable to the EC2 instance thanks to the rule saying that the packets targeting 10.0.0.0/16 should be forwarded to the local network

However, the EC2 instance wouldn't be able to reply to that packet (in order to establish a TCP connection for example) because it has no route to an Internet Gateway or a NAT instance.

So according to me the statement "an EC2 instance in a private subnet cannot be reached from the internet, even if it has a public IP" is not true: it is actually reachable (if the network ACLs and the security groups allow the traffic), but it cannot respond to any solicitation.

Is my reasoning correct?

  • I agree with the response to your question on Stack Overflow. Test it. You will probably find it is like most corporate networks, there is probably a way to put the square peg in the round hole. stackoverflow.com/questions/78451271/…
    – Greg Askew
    Commented May 9 at 11:03
  • Well, generally speaking, I think, "reachable" means "communication can be established" instead of "some packets successfully arrived at the destination". (Like if you call a friend on phone, as long as you don't hear anything back from him, you would/could say that you couldn't reach him, regardless of whether he heard anything from you, since you wouldn't know anyway.)
    – Tom Yan
    Commented May 9 at 14:28

1 Answer


In the comments, I was advised to test and answer my own question, which I did:

  • Created an EC2 instance with a public IP in a private subnet
  • Modified its security group to allow incoming traffic on port 53 (UDP)
  • Verified that the VPC NACL allowed all the traffic
  • Connected to the instance and ran sudo nc -ul 53
  • Sent a UDP packet containing some text from my own machine to the public IP, on port 53

The text appeared on the EC2 instance, meaning that, as I thought, the sentence "an EC2 instance in a private subnet cannot be reached from the internet" is partially true. If we want to send data to an EC2 instance in this configuration:

  • Fire and forget protocols like UDP will still work
  • Connection-based protocols like TCP will not work because the instance is unable to respond
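The routing argument in the question and the UDP test in the answer can be modelled offline. The following is an added example, not code from the question or the answer: it evaluates, for a constructed VPC description (route tables, subnets, instances with security groups; the CIDRs, instance ids and IPs are made up), whether an inbound packet from the internet is delivered to an instance and whether the instance's subnet has a route that lets the reply go back. It also includes an audit pass that lists instances that sit in a subnet with no Internet Gateway route but still carry a public IP and a security-group rule open to the world, which is the exact configuration the answer showed to be one-way reachable. In real use the same dictionaries would be populated from the EC2 DescribeRouteTables, DescribeSubnets and DescribeInstances APIs; here they are embedded so the script runs stand-alone.

```python
import ipaddress

# Constructed VPC description for this example (not taken from the post); the
# field names loosely mirror EC2 DescribeRouteTables / DescribeInstances output,
# but nothing here is real AWS data.
ROUTE_TABLES = {
    "rtb-public": [
        {"dest": "10.0.0.0/16", "target": "local"},
        {"dest": "0.0.0.0/0", "target": "igw-0example"},
    ],
    # "Private" route table: a local route only, no IGW and no NAT.
    "rtb-private": [
        {"dest": "10.0.0.0/16", "target": "local"},
    ],
}

SUBNETS = {
    "subnet-public": {"cidr": "10.0.0.0/20", "route_table": "rtb-public"},
    "subnet-private": {"cidr": "10.0.16.0/20", "route_table": "rtb-private"},
}

# Each instance: its subnet, an optional public IP, and inbound security-group
# rules as (protocol, port, source CIDR). The network ACL is assumed to allow
# all traffic, as it did in the test described in the answer.
INSTANCES = {
    "i-public-dns": {"subnet": "subnet-public", "public_ip": "203.0.113.10",
                     "sg_inbound": [("udp", 53, "0.0.0.0/0")]},
    "i-private-dns": {"subnet": "subnet-private", "public_ip": "203.0.113.20",
                      "sg_inbound": [("udp", 53, "0.0.0.0/0")]},
    "i-private-nopub": {"subnet": "subnet-private", "public_ip": None,
                        "sg_inbound": [("udp", 53, "0.0.0.0/0")]},
    "i-private-closed": {"subnet": "subnet-private", "public_ip": "203.0.113.30",
                         "sg_inbound": []},
}


def route_target(route_table_id, dst_ip):
    """Longest-prefix match over a route table; returns the route target or None."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for route in ROUTE_TABLES[route_table_id]:
        net = ipaddress.ip_network(route["dest"])
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route["target"])
    return best[1] if best else None


def sg_allows(instance, proto, port, src_ip):
    """True if any inbound security-group rule matches the packet."""
    src = ipaddress.ip_address(src_ip)
    return any(p == proto and prt == port and src in ipaddress.ip_network(cidr)
               for p, prt, cidr in instance["sg_inbound"])


def classify(instance_id, proto, port, src_ip):
    """Return (inbound_delivered, can_reply) for a packet arriving from src_ip.

    inbound_delivered: the instance has a public IP for the IGW to translate
    and the security group accepts the packet (the local route always covers
    the VPC CIDR, so delivery inside the VPC is not the limiting factor).
    can_reply: the subnet's route table forwards traffic for src_ip to an
    Internet Gateway, so the reply can leave with the instance's public IP.
    """
    inst = INSTANCES[instance_id]
    delivered = inst["public_ip"] is not None and sg_allows(inst, proto, port, src_ip)
    rtb = SUBNETS[inst["subnet"]]["route_table"]
    target = route_target(rtb, src_ip) or ""
    can_reply = delivered and target.startswith("igw-")
    return delivered, can_reply


def verdict(instance_id, proto, port, src_ip):
    delivered, can_reply = classify(instance_id, proto, port, src_ip)
    if not delivered:
        return "unreachable"
    return "two-way" if can_reply else "one-way (datagrams arrive, no reply)"


def audit_private_subnet_exposure():
    """Instances in subnets without an Internet Gateway route that still carry
    a public IP and an inbound rule open to 0.0.0.0/0: they receive traffic
    despite living in a 'private' subnet, so the subnet alone is no control."""
    exposed = []
    for iid, inst in INSTANCES.items():
        rtb = SUBNETS[inst["subnet"]]["route_table"]
        has_igw = any(r["target"].startswith("igw-") for r in ROUTE_TABLES[rtb])
        world_open = any(cidr == "0.0.0.0/0" for _, _, cidr in inst["sg_inbound"])
        if not has_igw and inst["public_ip"] and world_open:
            exposed.append(iid)
    return sorted(exposed)


if __name__ == "__main__":
    for iid in INSTANCES:
        print(f"{iid}: {verdict(iid, 'udp', 53, '198.51.100.7')}")
    print("exposed in private subnets:", audit_private_subnet_exposure())
```

Running the script reports "i-private-dns" as one-way reachable (the nc -ul 53 case from the answer) and "i-public-dns" as two-way, while the instance without a public IP and the one with an empty security group are unreachable. The audit function is the part worth keeping: the practical mitigation is not to rely on the subnet being "private" but to avoid assigning public IPs to instances in such subnets, and to keep security groups closed to 0.0.0.0/0 where a public IP is present anyway.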
