I have an AWS VPC with two subnets: Public and Private. I can access the internet (via a NAT Gateway) from the public subnet, but not from the private subnet, and I can't work out what's wrong.
- Both subnets have NACLs which allow all traffic in and out.
- Both EC2 instances I'm using for my testing (one in each subnet) have the exact same security groups (allow HTTPS out, SSH in).
I have enabled flow logs to try and see what the problem is. Here is what I see when connecting to youtube from the box in the public subnet:
216.58.210.206 10.0.129.171 443 40682 6 9 4760 1596476113 1596476173 ACCEPT OK
10.0.129.171 216.58.210.206 40682 443 6 11 1218 1596476113 1596476173 ACCEPT OK
Here we can see the outbound request, and the response, both allowed to pass through.
When repeating the same test from a box in the private subnet, here's what I see:
10.0.40.146 216.58.210.206 46398 443 6 2 120 1596469555 1596469612 ACCEPT OK
The above line shows the https request from my private subnet EC2 instance to https://youtube.com - the traffic is allowed. No response is logged.
Because I can ssh from public to private subnet, I can deduce that the route is present and correct. So where's the response? Why is the traffic blocked?
Security groups are identical between the two boxes, and they allow TCP on 443 to 0.0.0.0/0.
Interestingly, the route from the public subnet to the internet points to the internet gateway, but the route from the private subnet points to the NAT Gateway.
How do I debug this further?
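An added diagnostic script (not from the original post) that pairs the flow-log records quoted above by 5-tuple and flags outbound flows with no logged reply, which is exactly the asymmetry shown for the private-subnet instance. It assumes the custom field order seen in the question's log lines and a 10.0.0.0/16 VPC range; both are assumptions.

```python
"""Flag VPC flow-log flows that were ACCEPTed outbound but never saw a reply."""
import ipaddress

# Assumed custom flow-log format (matches the field order in the question):
FIELDS = ["srcaddr", "dstaddr", "srcport", "dstport", "protocol",
          "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample: the three records quoted in the question.
SAMPLE_LOG = """\
216.58.210.206 10.0.129.171 443 40682 6 9 4760 1596476113 1596476173 ACCEPT OK
10.0.129.171 216.58.210.206 40682 443 6 11 1218 1596476113 1596476173 ACCEPT OK
10.0.40.146 216.58.210.206 46398 443 6 2 120 1596469555 1596469612 ACCEPT OK
"""

# Assumed VPC CIDR; everything inside it is treated as "local".
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")


def parse_records(text):
    """Parse whitespace-separated flow-log lines into dicts, skipping malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def find_unanswered(records):
    """Return ACCEPTed flows from a local address whose reverse 5-tuple never appears.

    A security-group or NACL drop of the return traffic would show up as a REJECT
    record; no record at all means the replies never reached the ENI, which points
    at the return path (routing / NAT placement) rather than at a filter rule.
    """
    seen = {(r["srcaddr"], r["dstaddr"], r["srcport"], r["dstport"], r["protocol"])
            for r in records}
    unanswered = []
    for r in records:
        if r["action"] != "ACCEPT" or ipaddress.ip_address(r["srcaddr"]) not in VPC_CIDR:
            continue
        reverse = (r["dstaddr"], r["srcaddr"], r["dstport"], r["srcport"], r["protocol"])
        if reverse not in seen:
            unanswered.append(r)
    return unanswered
```

On the sample above this reports only the 10.0.40.146 flow; its 2 packets / 120 bytes are consistent with a SYN and one retransmit that were forwarded but never answered.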
This was a simple case of misconfiguration - I had put the NAT Gateways into the private subnet (to check something) and forgotten to put them back...