I have two EC2 instances from an Ubuntu image; they are located in different regions. I just want to ask whether they can communicate over the private IP addresses.
I have opened the required ports with a security group. I use netcat to test the communication, but it only works when I use the public IP addresses.
VPC peering, transit gateways, and VPNs all allow EC2 instances in different regions to communicate using private IP addresses. Direct Connect is for connecting VPCs to on-premises networks, not for connecting VPCs together.
It is not possible to communicate between Amazon EC2 regions via the private IP addresses (except if you set up a VPN and the respective routing for this; see the section VPN Solution below). Traffic between regions is in fact passing over the public internet and is not distinguishable from any other internet traffic; see e.g. the following FAQs from the Region and Availability Zone FAQ:
Can instances use group-based firewall rules across Regions? - No. Group-based firewall rules only work within a Region. If you need instances to communicate with each other across Regions, you should use CIDR based firewall rules. [...]
What is the cost for data transfer between Regions? - Data transferred from one Region to another is charged at both sides at the Internet data transfer rate.
This applies to an Amazon VPC as well, see e.g. the FAQ Can Amazon EC2 instances within a VPC in one region communicate with Amazon EC2 instances within a VPC in another region?:
Yes, as long as all communication takes place over the Internet Gateway of each VPC and uses the Elastic IP addresses assigned to the instances in each VPC. Please note: security groups cannot span regions. All traffic filtering between instances in one VPC and instances in another VPC must use the Elastic IP addresses as the specified source or destination address. [emphasis mine]
AWS has meanwhile released two walkthroughs describing a solution for Connecting Multiple VPCs with EC2 Instances based on either IPsec or OpenVPN:
Now you can do it with AWS VPC peer connection.
It enables the resources in two VPCs that are in different regions, even in different accounts, to be able to communicate with the private IP address, just like in the same LAN.
One thing you need to know is that the CIDR blocks you choose for both of your VPCs must not conflict. Otherwise, the peer connection can't be made successfully.
See the official doc about VPC peer connection.
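As an added example (not part of either answer), a small pre-flight check for the peering approach described above: it refuses overlapping CIDR blocks, and because security groups cannot be referenced across Regions, it produces a CIDR-based ingress rule together with the route the local VPC needs toward the peer. The peering-connection id is a constructed placeholder.

```python
"""Pre-flight check for a cross-region VPC peering setup (added example,
not code from the original answers).

Given the CIDR block of each VPC it:
  * rejects overlapping CIDRs (peering cannot be established otherwise),
  * emits the route table entry the local side needs toward the peer, and
  * emits a CIDR-based security group rule, since a security group in
    another Region cannot be used as the rule's source.
"""
import ipaddress

PCX_PLACEHOLDER = "pcx-EXAMPLE"  # constructed placeholder, not a real id


def cidrs_overlap(cidr_a: str, cidr_b: str) -> bool:
    """True when any address lies in both blocks (peering would be rejected)."""
    a = ipaddress.ip_network(cidr_a, strict=True)
    b = ipaddress.ip_network(cidr_b, strict=True)
    return a.overlaps(b)


def peering_plan(local_cidr: str, peer_cidr: str, port: int) -> dict:
    """Return the route and ingress rule the local VPC needs for private
    traffic from the peer VPC on the given TCP port."""
    if cidrs_overlap(local_cidr, peer_cidr):
        raise ValueError(
            f"CIDR blocks {local_cidr} and {peer_cidr} overlap; peering is not possible"
        )
    return {
        # Route table entry: traffic for the peer's range goes via the peering connection
        "route": {"destination": peer_cidr, "target": PCX_PLACEHOLDER},
        # Security group rule keyed on the peer CIDR, not on a remote security group id
        "ingress": {"protocol": "tcp", "port": port, "source_cidr": peer_cidr},
    }


if __name__ == "__main__":
    # Constructed sample VPCs, one per Region
    print(peering_plan("10.0.0.0/16", "10.1.0.0/16", 22))
    try:
        peering_plan("10.0.0.0/16", "10.0.128.0/17", 22)
    except ValueError as exc:
        print("rejected:", exc)
```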