Can EC2 instances in different regions communicate over their private IP addresses?

I have two EC2 instances from an Ubuntu image; they are located in different regions. I just want to ask whether they can communicate over their private IP addresses.

I have opened the required ports with a security group. I use netcat to test the communication, but it only works when I use the public IP addresses.

jubi4dition asked Mar 27 '12 14:03



2 Answers

It is not possible to communicate between Amazon EC2 regions via the private IP addresses (except if you set up a VPN and the respective routing for this; see the section VPN Solution below). Traffic between regions in fact passes over the public internet and is not distinguishable from any other internet traffic; see e.g. the following FAQs from the Region and Availability Zone FAQ:

  • Can instances use group-based firewall rules across Regions? - No. Group-based firewall rules only work within a Region. If you need instances to communicate with each other across Regions, you should use CIDR based firewall rules. [...]

  • What is the cost for data transfer between Regions? - Data transferred from one Region to another is charged at both sides at the Internet data transfer rate.

This applies to an Amazon VPC as well, see e.g. the FAQ Can Amazon EC2 instances within a VPC in one region communicate with Amazon EC2 instances within a VPC in another region?:

Yes, as long as all communication takes place over the Internet Gateway of each VPC and uses the Elastic IP addresses assigned to the instances in each VPC. Please note: security groups cannot span regions. All traffic filtering between instances in one VPC and instances in another VPC must use the Elastic IP addresses as the specified source or destination address. [emphasis mine]

VPN Solution

AWS has meanwhile released two walkthroughs describing a solution for Connecting Multiple VPCs with EC2 Instances based on either IPsec or OpenVPN:

  • Connecting Multiple VPCs with EC2 Instances (IPSec)
    • please note that this tutorial facilitates Openswan, but you can achieve the same with strongSwan (or even the Linux IPsec stack built in as of kernel 2.6+, see e.g. IPsec L2TP VPN server)
  • Connecting Multiple VPCs with EC2 Instances (SSL)
Steffen Opel answered Sep 29 '22 11:09


Now you can do it with AWS VPC peer connection.

It enables the resources in two VPCs that are in different regions, even in different accounts, to be able to communicate with the private IP address, just like in the same LAN.

One thing you need to know is that the CIDR blocks you choose for both of your VPCs must not conflict. Otherwise, the peer connection can't be made successfully.

See the official doc about VPC peer connection.

alex answered Sep 29 '22 09:09
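As an added example (not code from either answer), a small Python pre-flight check that ties the two answers together: it refuses overlapping VPC CIDR blocks before a peering connection is attempted, and emits the routes plus the CIDR-based security-group sources each side needs, since security groups cannot be referenced across regions. The VPC names, route-table id and peering-connection id are constructed placeholders.

```python
"""Pre-flight check for an inter-region VPC peering setup (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Vpc:
    name: str            # constructed label for this example
    region: str
    cidr: str
    route_table_id: str  # constructed placeholder, not a real id


def cidrs_overlap(cidr_a: str, cidr_b: str) -> bool:
    """AWS refuses the peering if the two VPC CIDR blocks overlap."""
    a = ipaddress.ip_network(cidr_a, strict=True)
    b = ipaddress.ip_network(cidr_b, strict=True)
    return a.overlaps(b)


def peering_plan(local: Vpc, peer: Vpc, pcx_id: str) -> dict:
    """Return the routes and security-group sources each side needs.

    Each route table gets a route for the *other* VPC's CIDR via the
    peering connection. Security groups cannot span regions, so the
    allowed source on each side is the peer's CIDR block, not a group id.
    """
    if cidrs_overlap(local.cidr, peer.cidr):
        raise ValueError(
            f"CIDR blocks {local.cidr} and {peer.cidr} overlap; "
            "the peering connection cannot be established"
        )
    return {
        "routes": [
            {"route_table_id": local.route_table_id,
             "destination": peer.cidr, "target": pcx_id},
            {"route_table_id": peer.route_table_id,
             "destination": local.cidr, "target": pcx_id},
        ],
        "security_group_sources": {local.name: peer.cidr, peer.name: local.cidr},
    }


if __name__ == "__main__":
    # Constructed sample VPCs in two regions with non-overlapping CIDRs.
    vpc_a = Vpc("vpc-a", "eu-west-1", "10.0.0.0/16", "rtb-PLACEHOLDER-A")
    vpc_b = Vpc("vpc-b", "us-east-1", "10.1.0.0/16", "rtb-PLACEHOLDER-B")
    print(peering_plan(vpc_a, vpc_b, "pcx-PLACEHOLDER"))
```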