I have multiple Amazon EC2 instances which need to communicate using private IPs. However, so far I've been unable to ping one instance's private IP from another instance.
I can ping external addresses, such as their Elastic IPs and other sites (yahoo, google, etc), so it seems there's nothing wrong with the instances' network configuration.
Also, they are all in the same zone, so that shouldn't be an issue.
Does anyone have any idea what I could be doing wrong? Could this be related to the Security Group settings?
It turns out the problem was the Security Group settings after all.
I had been IP-restricting traffic, so only my external IP could communicate with the instances. I assumed the Security Groups didn't apply to communication between instances, but they do.
The solution was to also allow traffic from 10.0.0.0/8, which covers all possible EC2 private IPs. It would be more secure to only allow traffic from specific private IPs, but that's a hassle since they can change.
This solves my problem for now. Probably the best solution would be to utilize Amazon's API to automatically tweak the Security Group IP-restrictions when instances are stopped and started.
According to the AWS FAQs, as long as you don't stop your instance... your private IP will stay the same.
The statement "Security Group settings do not affect internal IPs" is incorrect. You have to add the inbound traffic to the security group for the private IP, just like for an external IP.
I had to add entries from a specific private IP so that I could allow one instance to connect to another using Subversion, CouchDB, map a network drive, etc.
However, ping is different... Check that the security settings are set to ICMP, or just to "All Traffic".
Not just TCP, because PING is an ICMP message. Don't think that it will work just because you turned on "All TCP".
Hope that helps.
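The two answers above come down to one check: does any inbound rule on the target's Security Group admit ICMP echo from the other instance's private IP, not just TCP? The script below is an added example, not code from this thread. It evaluates a rule list in the IpPermissions shape that the EC2 DescribeSecurityGroups API returns, builds the ICMP rule that the accepted answer added for 10.0.0.0/8, and (going beyond the answers) also builds the variant that references the peer instances' security group instead of a CIDR, which keeps working when private IPs change. The sample rule set, the 203.0.113.5 external IP and the sg-... IDs are constructed placeholders; apply_fix uses the real boto3 call authorize_security_group_ingress but needs AWS credentials and is assumed, not run, here. The check only compares the ICMP type (FromPort), not the code (ToPort).

```python
"""Check and fix EC2 Security Group rules for instance-to-instance ping.

Added example, not code from the original thread. Rules use the IpPermissions
structure of the EC2 DescribeSecurityGroups API; the sample rules and group
IDs below are constructed for this example.
"""
import ipaddress

# For ICMP rules the EC2 API stores the ICMP type in FromPort and the code in
# ToPort; -1 in either position means "any". Ping sends ICMP type 8 (echo
# request); the reply is admitted automatically because groups are stateful.
ICMP_ECHO_REQUEST = 8
ANY = -1


def rule_matches(rule, protocol, port, src_ip, src_groups):
    """True if one IpPermissions entry admits (protocol, port) from src_ip."""
    ip_proto = rule.get("IpProtocol")
    if ip_proto != "-1":  # "-1" is "All traffic": any protocol, any port
        if ip_proto != protocol:
            return False
        lo = rule.get("FromPort", ANY)
        hi = rule.get("ToPort", ANY)
        if protocol == "icmp":
            # Only the ICMP type is compared here; -1 matches every type.
            if lo not in (ANY, port):
                return False
        elif not (lo == ANY or lo <= port <= hi):
            return False
    # The sender must fall inside a listed CIDR ...
    addr = ipaddress.ip_address(src_ip)
    for r in rule.get("IpRanges", []):
        if addr in ipaddress.ip_network(r["CidrIp"]):
            return True
    # ... or be a member of a listed source security group.
    for pair in rule.get("UserIdGroupPairs", []):
        if pair.get("GroupId") in src_groups:
            return True
    return False


def allows(perms, protocol, port, src_ip, src_groups=()):
    """True if any inbound rule admits this traffic from src_ip."""
    return any(rule_matches(r, protocol, port, src_ip, src_groups) for r in perms)


def ping_allowed(perms, src_ip, src_groups=()):
    """Would an ICMP echo request from src_ip pass these inbound rules?"""
    return allows(perms, "icmp", ICMP_ECHO_REQUEST, src_ip, src_groups)


def ingress_for_echo(cidr=None, source_group_id=None):
    """Build the IpPermissions entry that admits ping.

    cidr="10.0.0.0/8" reproduces the accepted answer's fix; source_group_id
    instead admits every instance in that group regardless of its private IP.
    """
    rule = {"IpProtocol": "icmp", "FromPort": ICMP_ECHO_REQUEST, "ToPort": ANY}
    if cidr:
        rule["IpRanges"] = [{"CidrIp": str(ipaddress.ip_network(cidr))}]
    if source_group_id:
        rule["UserIdGroupPairs"] = [{"GroupId": source_group_id}]
    return rule


# Constructed sample: a group restricted to one external IP (placeholder
# 203.0.113.5) with TCP 22 and 80 open and nothing for ICMP.
ORIGINAL_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.5/32"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "203.0.113.5/32"}]},
]


def apply_fix(group_id, rule, region="us-east-1"):
    """Push one rule to AWS via boto3 (needs credentials; assumed, not run here)."""
    import boto3  # imported lazily so the checks above run without the SDK
    ec2 = boto3.client("ec2", region_name=region)
    return ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=[rule])


if __name__ == "__main__":
    print("ping from 10.1.2.3, original rules:", ping_allowed(ORIGINAL_RULES, "10.1.2.3"))
    fixed = ORIGINAL_RULES + [ingress_for_echo(cidr="10.0.0.0/8")]
    print("after adding ICMP echo from 10.0.0.0/8:", ping_allowed(fixed, "10.1.2.3"))
    # "All TCP" is not enough: ping is ICMP, a different protocol.
    all_tcp = ORIGINAL_RULES + [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]
    print("after adding All TCP from 10.0.0.0/8:", ping_allowed(all_tcp, "10.1.2.3"))
```

To check a live group, feed the IpPermissions list from describe_security_groups(GroupIds=[...]) straight into ping_allowed; the source-group form of ingress_for_echo is the one to push with apply_fix if you want the rule to survive instances being stopped and started.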
Security Group settings do not affect internal IPs since they're enforced on the cluster gateway.
As the instances are in the same zone, you can check that your instances' firewall, if activated, is accepting ping requests (ICMP echo).
Otherwise, try spawning a third instance and pinging both of them; if that succeeds, then it could be due to a problem on the host server of one of the instances.