A couple of days ago I was thinking about how, in a traditional network environment, we might have a server with two NICs, each attached to a different network segment, so that the server can communicate with hosts in both networks.
At first I thought I could do the same thing by adding an extra NIC to an EC2 instance, but I soon realized that the extra NIC can only be attached to a subnet in the VPC where the EC2 is located, not to a different VPC. After scratching my head a bit, I realized that VPC Peering is the answer.
I have long known that VPC Peering exists but had never used it, not even in a lab, so this is a good time to try it out. From AWS:
Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
This lab is quite simple; there are two goals:
- Enable two EC2s located in different VPCs to communicate with each other.
- Prevent an EC2 in one VPC from communicating with an EC2 in the other VPC.
Steps for this lab:
- Create two VPCs.
- Deploy one EC2 into each VPC.
- Configure the security group (S.G.) of each EC2 to allow ICMP (ping).
- Configure VPC Peering between the two VPCs.
- Configure the route table of each subnet where an EC2 is deployed.
- Deploy another EC2 into one of the VPCs.
- Configure a Network ACL to block the newly created EC2 from communicating with the EC2 in the other VPC.
Two EC2s are created.
Two VPCs are created. Pay attention that the network segments (CIDR blocks) of the two VPCs can't overlap. For more VPC limitations, please refer here.
Next, start the VPC Peering configuration. The process is pretty simple; just follow the instructions.
That's it! The VPC Peering connection between the two VPCs is created!
Now, the last step is to accept the VPC Peering request. This final step makes sense because it lets you control who can connect to your VPC. In the Peering Connections list, you can see that the Status is Pending Acceptance.
Click Accept Request and a confirmation box pops up.
After you click Accept, the peering connection between the two VPCs is established. You still need to configure the route tables so that the EC2s can talk to each other.
As of now, the status of the VPC Peering connection is Active.
Let's configure the route tables. You need to do this for both the 192 and the 10 network segments.
For the 192 network segment, add a route with the 10 network segment as the destination and the VPC Peering connection just created as the target.
Repeat the steps for the 10 network segment.
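The two requirements above, non-overlapping VPC CIDR blocks and a route on each side pointing the other VPC's CIDR at the peering connection, are easy to get half right (one VPC can reach the other, but replies have no way back). The following is an added example, not code from the original post or from AWS: a small offline model that checks CIDR overlap with the standard library, builds the pair of routes both subnet route tables need, and resolves a destination IP against a route table with longest-prefix match so you can see why a destination in the peer VPC has no next hop until the peering route exists. The CIDRs are the lab's 192 and 10 segments; the peering id `pcx-EXAMPLE` is a placeholder, and the addresses are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample values: the lab's two VPC CIDR blocks and a placeholder
# peering-connection id (not a real AWS resource id).
VPC_A_CIDR = "192.168.0.0/16"
VPC_B_CIDR = "10.0.0.0/16"
PEERING_ID = "pcx-EXAMPLE"

Route = Tuple[str, str]  # (destination CIDR, target)


def overlapping_cidrs(candidate: str, existing: List[str]) -> List[str]:
    """Return every CIDR in `existing` that overlaps `candidate`.

    AWS refuses to peer VPCs whose CIDR blocks overlap, so run this check
    before allocating address space to a VPC you intend to peer.
    """
    cand = ipaddress.ip_network(candidate, strict=True)
    return [c for c in existing if ipaddress.ip_network(c, strict=True).overlaps(cand)]


def can_peer(cidr_a: str, cidr_b: str) -> bool:
    """True when the two VPC CIDR blocks are disjoint."""
    return not overlapping_cidrs(cidr_a, [cidr_b])


def peering_routes(cidr_a: str, cidr_b: str, pcx_id: str) -> Dict[str, List[Route]]:
    """Build the route each VPC's subnet route table needs for the peering.

    Each side gets exactly one route: destination = the *other* VPC's CIDR,
    target = the peering connection. If only one side has its route,
    packets go out but replies are dropped for lack of a return path.
    """
    if not can_peer(cidr_a, cidr_b):
        raise ValueError(f"CIDR blocks overlap and cannot be peered: {cidr_a}, {cidr_b}")
    return {
        cidr_a: [(cidr_b, pcx_id)],
        cidr_b: [(cidr_a, pcx_id)],
    }


def next_hop(dst_ip: str, routes: List[Route]) -> Optional[str]:
    """Resolve a destination IP against a route table (longest prefix wins).

    Returns the target of the most specific matching route, or None when no
    route covers the destination, which is what happens to traffic for the
    peer VPC before the peering route is added.
    """
    ip = ipaddress.ip_address(dst_ip)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr, strict=True)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else best[1]


if __name__ == "__main__":
    # The default route table of VPC A only knows its own CIDR ("local").
    table_a: List[Route] = [(VPC_A_CIDR, "local")]
    print("before peering route:", next_hop("10.0.1.5", table_a))  # None

    required = peering_routes(VPC_A_CIDR, VPC_B_CIDR, PEERING_ID)
    table_a += required[VPC_A_CIDR]
    print("after peering route: ", next_hop("10.0.1.5", table_a))  # pcx-EXAMPLE
    print("routes VPC B needs:  ", required[VPC_B_CIDR])
```

Running the block prints `None` for a 10.x destination until VPC A's table gains the `10.0.0.0/16 -> pcx-EXAMPLE` route, and `peering_routes` refuses overlapping blocks outright, which mirrors the error the console would give at peering time.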
Don't forget to allow ICMP between these two EC2s. Let's test whether each can ping the other. I have two terminals, each connected to one of the EC2s. Pinging from the IP starting with 192 to the IP starting with 10, and vice versa, works.
Now I want to try out the Network ACL function, so I deploy another EC2 into the 192 network segment and ping the EC2 whose IP starts with 10; it works.
Next I configured a Network ACL on the 10 network segment to explicitly deny the newly created EC2 access to the 10 network segment. Pay attention that a Network ACL evaluates rules in order of rule number, lowest first. Once a matching rule is found, it does not examine the rest of the list.
Once that is done, let's try to ping the EC2 whose IP starts with 10 again from the newly created EC2. It is clear that ICMP is denied!
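The rule-number ordering is the part of this step that is easiest to get wrong: a deny rule numbered higher than a broad allow is never reached. The following is an added example, not code from the original post or from AWS: a simplified offline model of how a Network ACL evaluates one direction of traffic (first match by rule number, implicit deny when nothing matches), plus a helper that flags rules shadowed by an earlier rule with the same or broader scope. The addresses and rule numbers are constructed; protocols are modelled by name rather than AWS's numeric protocol codes, and the model evaluates only the inbound direction. Keep in mind that Network ACLs are stateless, so in the real lab the outbound rule set on the same subnet is evaluated for the ICMP replies as well.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NaclRule:
    number: int     # rule number; lower numbers are evaluated first
    protocol: str   # "icmp", "tcp", "udp" or "all" (simplified from AWS codes)
    source: str     # CIDR the packet's source address must fall within
    action: str     # "allow" or "deny"


# Constructed sample addresses for the lab: the original 192.x EC2 and the
# extra one we want to block from the 10.x subnet.
ORIGINAL_EC2_IP = "192.168.1.10"
NEW_EC2_IP = "192.168.1.50"

# Inbound rules on the 10.x subnet's NACL, as the lab intends them:
# the specific deny comes *before* the broad allow.
INBOUND_CORRECT = [
    NaclRule(90, "icmp", "192.168.1.50/32", "deny"),
    NaclRule(100, "all", "0.0.0.0/0", "allow"),
]

# Same two rules with the numbers swapped: rule 100 matches everything first,
# so the deny at 110 is never consulted and the new EC2 can still ping.
INBOUND_WRONG_ORDER = [
    NaclRule(100, "all", "0.0.0.0/0", "allow"),
    NaclRule(110, "icmp", "192.168.1.50/32", "deny"),
]


def evaluate(rules: List[NaclRule], src_ip: str, protocol: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching rule number) for a packet in one direction.

    Rules are walked in ascending rule-number order and the first match
    decides. If nothing matches, the implicit '*' rule denies the packet.
    """
    src = ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if src not in ip_network(rule.source, strict=True):
            continue
        return rule.action, rule.number
    return "deny", None


def shadowed_rules(rules: List[NaclRule]) -> List[int]:
    """Return numbers of rules that can never match.

    A rule is shadowed when an earlier (lower-numbered) rule already covers
    its protocol and a superset of its source range, because first match
    wins and the later rule is never reached.
    """
    ordered = sorted(rules, key=lambda r: r.number)
    shadowed = []
    for i, later in enumerate(ordered):
        later_net = ip_network(later.source, strict=True)
        for earlier in ordered[:i]:
            if earlier.protocol in ("all", later.protocol) and later_net.subnet_of(
                ip_network(earlier.source, strict=True)
            ):
                shadowed.append(later.number)
                break
    return shadowed


if __name__ == "__main__":
    for name, rules in (("correct", INBOUND_CORRECT), ("wrong order", INBOUND_WRONG_ORDER)):
        print(f"{name}: new EC2 icmp ->", evaluate(rules, NEW_EC2_IP, "icmp"))
        print(f"{name}: original EC2 icmp ->", evaluate(rules, ORIGINAL_EC2_IP, "icmp"))
        print(f"{name}: shadowed rules ->", shadowed_rules(rules))
```

With the correct ordering the new EC2's ICMP hits rule 90 and is denied while the original EC2 is allowed by rule 100; with the numbers swapped both are allowed, and `shadowed_rules` reports rule 110 as dead, which is the check worth running before relying on a NACL deny.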