
My goal is to create an EC2 instance in a private subnet on a VPC that I will be able to ping from the external Internet.

So far, I have:

  1. created an elastic IP
  2. created a VPC with one public subnet and one private subnet
  3. created a NAT Gateway on the public subnet and set its public IP to the elastic IP
  4. created an EC2 instance in the VPC on the private subnet
  5. created a security group for the EC2 instance which allows all ICMP traffic

When I try to ping the elastic IP address, the pings time out.

What do I need to be able to do to ping the EC2 instance on the private subnet?

John Rotenstein: WHY do you want to be able to ping the instance? Surely you aren't going to all this effort just to do a Ping. What is your actual goal?

Petar Ivcec: The ping is just to prove that I am able to connect to the instance from the outside world. Once I am able to do that, then I want to restrict incoming traffic to an API Gateway.

John Rotenstein: Ping is a very poor way to test connectivity. It is better to test actual traffic on normal ports. Anyway, as mentioned below, you won't be able to reach the instance from the Internet.

1 Answer


Your Amazon EC2 instance is in a private subnet. Therefore, it cannot be reached from the Internet. This is good! That is why private subnets exist.

Therefore, you correctly cannot ping the private instance from the Internet.

In fact, when you ping the Elastic IP address associated with the NAT Gateway, you are actually pinging the NAT Gateway, not the instance. The NAT Gateway is either rejecting the requests and/or has a security group that does not permit inbound ICMP requests.

The NAT Gateway allows outbound communication from resources in a private subnet to the Internet. It does not forward inbound requests. This is per design.
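The following is an added illustration, not code from the question or the answer above and not an AWS API: a small Python model of how an inbound ICMP echo from the Internet is handled by the setup described in the question (an Elastic IP attached to a NAT Gateway, the instance in a private subnet) compared with an instance that owns its own public address in a subnet routed to an Internet Gateway. The `Subnet`, `Instance`, `NatGateway` and `Vpc` classes, the `inbound_icmp_path` function and the 203.0.113.x addresses are all constructed for this example and simplify the real VPC data plane.

```python
"""Toy model of inbound reachability in a VPC (added example, not AWS code).

It reproduces the point made in the answer: an Elastic IP that belongs to a
NAT Gateway terminates at the gateway, which never forwards inbound traffic,
so an instance behind it in a private subnet is unreachable no matter what
its security group allows.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Subnet:
    name: str
    default_route: str  # "igw" for a public subnet, "nat" for a private subnet


@dataclass
class SecurityGroup:
    inbound_icmp: bool  # True if the group allows inbound ICMP


@dataclass
class Instance:
    name: str
    subnet: Subnet
    sg: SecurityGroup
    public_ip: Optional[str] = None  # public IPv4 / EIP attached to the ENI, if any


@dataclass
class NatGateway:
    subnet: Subnet
    elastic_ip: str


@dataclass
class Vpc:
    instances: List[Instance]
    nat_gateways: List[NatGateway]


def inbound_icmp_path(vpc: Vpc, dst_ip: str) -> List[str]:
    """Trace an ICMP echo from the Internet to dst_ip.

    Returns the hops taken; the last element is "reply" or "timeout".
    """
    # An Elastic IP associated with a NAT Gateway is the gateway's own address.
    # The gateway answers only to return traffic of connections it initiated,
    # so an unsolicited inbound echo is dropped and the sender sees a timeout.
    for nat in vpc.nat_gateways:
        if nat.elastic_ip == dst_ip:
            return ["igw", f"nat-gateway({nat.subnet.name})",
                    "dropped: NAT Gateway does not forward inbound traffic", "timeout"]

    # Otherwise the address must belong to an instance's network interface.
    for inst in vpc.instances:
        if inst.public_ip == dst_ip:
            if inst.subnet.default_route != "igw":
                # A public IP is only usable if the subnet's route table sends
                # Internet traffic to the Internet Gateway (i.e. it is public).
                return ["igw", inst.name,
                        "dropped: subnet has no route to the Internet Gateway", "timeout"]
            if not inst.sg.inbound_icmp:
                return ["igw", inst.name, "dropped: security group denies ICMP", "timeout"]
            return ["igw", inst.name, "reply"]

    return ["igw", "no resource owns this address", "timeout"]


# --- Constructed topologies (addresses are TEST-NET-3 placeholders) ---------

NAT_EIP = "203.0.113.10"        # EIP on the NAT Gateway, as in the question
INSTANCE_EIP = "203.0.113.11"   # EIP attached directly to an instance


def question_setup() -> Vpc:
    """The setup from the question: private instance behind a NAT Gateway."""
    public = Subnet("public", default_route="igw")
    private = Subnet("private", default_route="nat")
    web = Instance("web", private, SecurityGroup(inbound_icmp=True))
    return Vpc(instances=[web], nat_gateways=[NatGateway(public, NAT_EIP)])


def public_instance_setup() -> Vpc:
    """A reachable variant: the instance sits in the public subnet with its own EIP."""
    public = Subnet("public", default_route="igw")
    web = Instance("web", public, SecurityGroup(inbound_icmp=True), public_ip=INSTANCE_EIP)
    return Vpc(instances=[web], nat_gateways=[])


if __name__ == "__main__":
    print("question setup :", " -> ".join(inbound_icmp_path(question_setup(), NAT_EIP)))
    print("public instance:", " -> ".join(inbound_icmp_path(public_instance_setup(), INSTANCE_EIP)))
```

Running it traces the question's setup to a timeout at the NAT Gateway even though the instance's security group allows ICMP, while the variant with the Elastic IP on an instance in the public subnet gets a reply. The model deliberately leaves out network ACLs and the instance's OS firewall; both sit in the real inbound path and can also cause a timeout.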