Why traceroute ignores route table in AWS EC2 with VPC

Here is my route table in AWS EC2 with VPC

ubuntu@ip-10-10-47-44:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.32.1      0.0.0.0         UG    100    0        0 eth0
10.10.32.0      0.0.0.0         255.255.240.0   U     0      0        0 eth0
10.10.32.1      0.0.0.0         255.255.255.255 UH    100    0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0

I expect traffic to the internet will go through 10.10.32.1

ubuntu@ip-10-10-47-44:~$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  ec2-52-56-0-2.eu-west-2.compute.amazonaws.com (52.56.0.2)  20.219 ms ec2-52-56-0-0.eu-west-2.compute.amazonaws.com (52.56.0.0)  14.119 ms  14.127 ms
 2  100.66.0.170 (100.66.0.170)  12.679 ms 100.66.0.130 (100.66.0.130)  18.149 ms 100.66.0.164 (100.66.0.164)  19.795 ms
 3  100.66.0.49 (100.66.0.49)  16.561 ms 100.66.0.15 (100.66.0.15)  17.874 ms 100.66.0.29 (100.66.0.29)  17.863 ms
 4  100.65.1.97 (100.65.1.97)  0.556 ms 100.65.1.193 (100.65.1.193)  0.273 ms 100.65.1.97 (100.65.1.97)  0.278 ms
 5  52.94.33.3 (52.94.33.3)  0.956 ms 52.94.33.7 (52.94.33.7)  0.970 ms  1.037 ms
 6  52.94.33.126 (52.94.33.126)  2.002 ms 52.94.33.116 (52.94.33.116)  2.753 ms  2.549 ms
 7  52.95.61.97 (52.95.61.97)  1.461 ms 52.94.34.17 (52.94.34.17)  0.936 ms 54.239.101.109 (54.239.101.109)  1.355 ms
 8  52.95.219.217 (52.95.219.217)  1.604 ms 52.95.219.127 (52.95.219.127)  0.833 ms 72.21.221.227 (72.21.221.227)  1.900 ms
 9  74.125.242.65 (74.125.242.65)  1.305 ms  1.841 ms 74.125.242.97 (74.125.242.97)  3.129 ms
10  172.253.50.223 (172.253.50.223)  1.235 ms 172.253.68.23 (172.253.68.23)  1.280 ms 172.253.50.223 (172.253.50.223)  1.731 ms
11  dns.google (8.8.8.8)  0.732 ms  1.242 ms  1.056 ms

Instead it goes through 52.56.0.2. Where is 52.56.0.2 specified? Why does it not go through 10.10.32.1?

Zeta Doop asked Oct 16 '22 09:10



1 Answer

First, we can look at two things: VPC traffic routing and how traceroute works.

  • VPC traffic routing

    When you create a subnet, five IPs of the subnet are reserved for internal purposes, of which the second IP, x.x.x.1 (for your subnet it is 10.10.32.1), is used for the VPC gateway (virtual). From the route table you can see that by default all traffic goes to it, and from the gateway it is routed to the next target based on the subnet's route table rules. The next target could be another gateway (for a public subnet) or it could be a NAT (private subnet) if the destination is not inside the local network. For outside internet traffic, the packets are routed from the VPC internet gateway to one of the AWS internet routers; in your case its IP is 52.56.0.2.

  • Traceroute working

    Briefly, traceroute works on the ICMP protocol: it initially sends a packet with TTL 1, and when it gets an ICMP Time Exceeded error from any router it records that router's IP and sends another packet with the last TTL + 1. It does this until it reaches the target.

Now, coming to the question of why the 10.10.32.1 IP is not recorded in the traceroute: those intermediate VPC gateways are not decrementing the TTL values and are just forwarding the packets to the next hop. When the packet reaches the internet routers, the normal decrement process starts happening, and the ICMP error message is sent back and recorded.

Madhan S answered Oct 18 '22 22:10

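The two mechanisms the answer describes, as an added worked example that is not part of the question or the answer above. Part 1 reproduces the kernel's route lookup over the `route -n` table posted in the question and confirms the next hop for 8.8.8.8 is 10.10.32.1. Part 2 models traceroute's TTL probing over a constructed path in which the VPC router forwards packets without decrementing TTL, so it never emits ICMP Time Exceeded and never shows up as a hop; the hop addresses are taken from the question's traceroute, but their ordering behind the VPC router is an assumption for illustration, not knowledge of AWS internals.

```python
"""Why the kernel route table and traceroute disagree about the first hop.

Part 1: the kernel's longest-prefix route lookup over the `route -n` table.
Part 2: traceroute's TTL probing across a path where one hop (the VPC router)
forwards transparently, i.e. without decrementing TTL or sending ICMP.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# `route -n` output copied from the question, embedded as constructed input.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.32.1      0.0.0.0         UG    100    0        0 eth0
10.10.32.0      0.0.0.0         255.255.240.0   U     0      0        0 eth0
10.10.32.1      0.0.0.0         255.255.255.255 UH    100    0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
"""


def parse_route_table(text: str) -> List[Tuple[ipaddress.IPv4Network, str, str, int]]:
    """Parse `route -n` lines into (network, gateway, iface, metric) tuples."""
    routes = []
    for line in text.splitlines()[2:]:            # skip the two header lines
        dest, gw, mask, _flags, metric, _ref, _use, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def next_hop(routes, dst: str) -> Tuple[str, str]:
    """Kernel-style lookup: longest prefix wins, lowest metric breaks ties.

    Returns (next_hop_address, interface). A gateway of 0.0.0.0 means the
    destination is on-link, so the packet is sent directly to it.
    """
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    _net, gw, iface, _metric = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return (dst if gw == "0.0.0.0" else gw), iface


@dataclass
class Hop:
    addr: str              # source address of any ICMP this hop would send back
    decrements_ttl: bool   # False models a hop that forwards transparently


# Constructed path (assumption): the VPC router from the route table, then the
# first three responders and the destination from the question's traceroute.
VPC_PATH = [
    Hop("10.10.32.1", decrements_ttl=False),   # VPC router: no decrement, no ICMP
    Hop("52.56.0.2", decrements_ttl=True),
    Hop("100.66.0.170", decrements_ttl=True),
    Hop("100.66.0.49", decrements_ttl=True),
    Hop("8.8.8.8", decrements_ttl=True),       # destination host
]


def send_probe(path: List[Hop], dst: str, ttl: int) -> Tuple[str, str]:
    """Walk one probe along the path; return (reply_kind, replier_address)."""
    for hop in path:
        if hop.addr == dst:
            return "reply", hop.addr               # destination answers the probe
        if hop.decrements_ttl:
            ttl -= 1
            if ttl == 0:
                return "time_exceeded", hop.addr   # router discards and reports
        # otherwise the hop forwards the packet unchanged and stays invisible
    return "timeout", "*"


def simulate_traceroute(path: List[Hop], dst: str, max_hops: int = 30) -> List[str]:
    """traceroute's loop: TTL 1, 2, 3, ... until the destination replies."""
    seen = []
    for ttl in range(1, max_hops + 1):
        kind, who = send_probe(path, dst, ttl)
        seen.append(who)
        if kind == "reply":
            break
    return seen


def with_decrementing_router(path: List[Hop]) -> List[Hop]:
    """Counterfactual: the same path, but every hop decrements TTL."""
    return [Hop(h.addr, True) for h in path]


if __name__ == "__main__":
    routes = parse_route_table(ROUTE_N_OUTPUT)
    print("route lookup for 8.8.8.8 ->", next_hop(routes, "8.8.8.8"))
    for i, who in enumerate(simulate_traceroute(VPC_PATH, "8.8.8.8"), 1):
        print(f"{i:2d}  {who}")
    print("if the VPC router decremented TTL, hop 1 would be",
          simulate_traceroute(with_decrementing_router(VPC_PATH), "8.8.8.8")[0])
```

The route lookup returns 10.10.32.1 on eth0 for 8.8.8.8, while the simulated traceroute lists 52.56.0.2 as hop 1, exactly the mismatch in the question; flipping the VPC router to decrement TTL makes 10.10.32.1 appear as hop 1. The practical caveat is that traceroute only ever shows devices that decrement TTL and answer with ICMP; a transparent forwarder (a VPC router, a bridging firewall, some load balancers) is on the path but absent from the output, so traceroute must not be used as proof that no such device sits between two hosts. On the instance itself, `ip route get 8.8.8.8` and `ip neigh show` remain the authoritative way to confirm which next hop the kernel is actually using.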