Do route tables need to be enabled in both the sending and receiving VPCs/subnets for traffic to flow?
I have configured 2 VPCs that I have peered but would like traffic only to flow in one direction from VPC A to VPC B. Is this possible?
I played around with the VPCs and route tables but had to configure route tables in both VPC A and B so that they could route traffic to each other through the VPC peering connection. Is bi-directional traffic the only solution or is it possible to have traffic flow in one direction only? i.e. only allow requests to originate from VPC A but allow VPC B to return responses back.
My initial assumption was that one-way traffic was supported, so I had configured route tables in VPC A so that traffic could be routed to VPC B through the VPC peering connection. However, as there was no corresponding route in VPC B, it seemed like the ping response could not find its route back to VPC A.
Also is there documentation on this? I had a read through the AWS docs (including route table basics) but couldn't seem to find anything that addressed my question.
To enable private IPv4 traffic between instances in peered VPCs, you must add a route to the route tables associated with the subnets for both instances.
The route table contains existing routes with targets other than a network interface, Gateway Load Balancer endpoint, or the default local route. The route table contains existing routes to CIDR blocks outside of the ranges in your VPC. Route propagation is enabled for the route table.
Within a VPC, route tables are assigned to individual subnets. With only 1 route table created in a VPC, all of the subnets would be assigned to that route table. You can create multiple route tables in a VPC, or you can leave the 1 default route table.
You cannot have more than one VPC peering connection between two VPCs at the same time. Any tags that you create for your VPC peering connection are only applied in the account or Region in which you create them. You cannot connect to or query the Amazon DNS server in a peer VPC.
Docs:
To send traffic from your instance to an instance in a peer VPC using private IPv4 addresses, you must add a route to the route table that's associated with the subnet in which the instance resides.
...
The owner of the other VPC in the peering connection must also add a route to their subnet's route table to direct traffic back to your VPC.
http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-peering-routing.html
Route tables don't simply tell instances on my networks how to initiate connections to yours. They also tell my instances how to reply to you when you try to establish a connection to me. The same applies on the other side. Routes are required in both directions, at least for TCP and ICMP. UDP might work without route symmetry but that's still wrong, since incoming UDP messages can trigger ICMP responses, so symmetric routes are still correct, even if there are cases where it is not strictly mandatory.
If you're concerned with traffic going in one direction, simply block that side via the Security Group around the instance(s) you don't want receiving traffic.
cheers!
Joseph P.
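The two answers above combine into one rule: routes must exist on both sides, and the direction of connection initiation is controlled by security groups. The following is an added example, not code from either answer or from AWS, that models this with a simplified topology; the CIDRs, the `pcx-EXAMPLE` id and the CIDR-only security group rules are constructed assumptions.

```python
import copy
import ipaddress

PCX = "pcx-EXAMPLE"  # placeholder peering connection id (assumption)

# Constructed topology: routes are symmetric, only B's security group admits A.
VPCS = {
    "A": {"routes": {"10.1.0.0/16": PCX},   # A -> B via peering
          "sg_inbound": []},                 # nothing in B may initiate to A
    "B": {"routes": {"10.0.0.0/16": PCX},   # return path B -> A
          "sg_inbound": ["10.0.0.0/16"]},   # A may initiate to B
}

def has_route(vpcs, vpc, dst_ip):
    """True if this VPC's route table sends dst_ip to the peering connection."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(cidr) and target == PCX
               for cidr, target in vpcs[vpc]["routes"].items())

def sg_allows(vpcs, vpc, src_ip):
    """True if an inbound rule in this VPC's security group covers src_ip."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(c) for c in vpcs[vpc]["sg_inbound"])

def can_initiate(vpcs, src, src_ip, dst, dst_ip):
    """Return (ok, reason) for a TCP/ICMP exchange started by src_ip."""
    if not has_route(vpcs, src, dst_ip):
        return False, f"no route in VPC {src} to {dst_ip}"
    if not sg_allows(vpcs, dst, src_ip):
        return False, f"security group in VPC {dst} drops {src_ip}"
    # Security groups are stateful: the reply needs no inbound rule at src,
    # but it still needs a route from dst back to src.
    if not has_route(vpcs, dst, src_ip):
        return False, f"no return route in VPC {dst} to {src_ip}"
    return True, "request and reply both delivered"

def without_return_route(vpcs):
    """The asker's first attempt: route in A only, none in B."""
    broken = copy.deepcopy(vpcs)
    broken["B"]["routes"] = {}
    return broken

if __name__ == "__main__":
    a, b = "10.0.1.10", "10.1.1.20"   # constructed instance addresses
    print("A -> B:", can_initiate(VPCS, "A", a, "B", b))
    print("B -> A:", can_initiate(VPCS, "B", b, "A", a))
    print("A -> B, no route in B:",
          can_initiate(without_return_route(VPCS), "A", a, "B", b))
```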