In this article I’m continuing with route tables, focusing on some example routing options.

Routing to an internet gateway

To make a subnet a public subnet, add a route in the subnet’s route table to an internet gateway. To do this, create an internet gateway and attach it to the VPC, then add a route with a destination of 0.0.0.0/0 for IPv4 traffic or ::/0 for IPv6 traffic and a target of the internet gateway ID (igw-xxxxxxxxxxxxxxxxx). Note that the route alone does not expose anything: an instance must also have a public IPv4 address (or an IPv6 address) and a security group that allows the traffic before it is reachable from the internet.

Routing to a NAT device

To enable instances in a private subnet to connect to the internet, create a NAT gateway or launch a NAT instance in a public subnet. Then add a route to the private subnet’s route table that sends IPv4 internet traffic (0.0.0.0/0) to the NAT device. The NAT device only passes return traffic for connections initiated from inside the private subnet; it does not make those instances reachable from the internet.

Create more specific routes to other targets to avoid unnecessary data processing charges for the NAT gateway, or to keep certain traffic private. For example, Amazon S3 traffic (pl-xxxxxxxx, the prefix list ID for the IP address ranges of Amazon S3) can be routed to a gateway VPC endpoint, and 10.25.0.0/16 traffic to a VPC peering connection. Both pl-xxxxxxxx and 10.25.0.0/16 are more specific than 0.0.0.0/0, so when instances send traffic to Amazon S3 or to the peer VPC it goes to the gateway endpoint or the peering connection, and all other traffic goes to the NAT gateway. Note that IPv6 traffic over an AWS Site-to-Site VPN connection is currently not supported; IPv6 traffic routed through a virtual private gateway to an AWS Direct Connect connection is supported.

Routing to an AWS Outposts local gateway

Subnets that are in VPCs associated with AWS Outposts can have an additional target type of a local gateway. Consider the case where you want the local gateway to route traffic with a destination address of 192.168.10.0/24 to the customer network. To do this, add a route with that destination and a target of the local gateway (lgw-xxxx):
• Destination 192.168.10.0/24, target lgw-xxxx

Routing to a VPC peering connection

A VPC peering connection is a networking connection between two VPCs that allows you to route traffic between them using private IPv4 addresses. Instances in either VPC can communicate with each other as if they were in the same network.

To enable the routing of traffic between VPCs in a VPC peering connection, add a route to one or more of the subnet route tables that points to the VPC peering connection. This allows access to all or part of the CIDR block of the other VPC in the peering connection. Similarly, the owner of the other VPC must add a route to their subnet route table to route traffic back to your VPC.

For example, consider a VPC peering connection (pcx-11223344556677889) between two VPCs with the following information:
• VPC A: CIDR block is 10.0.0.0/16
• VPC B: CIDR block is 172.31.0.0/16
To enable traffic between the VPCs and allow access to the entire IPv4 CIDR block of either VPC, the VPC A route table is configured as follows:
• Destination 10.0.0.0/16, target local
• Destination 172.31.0.0/16, target pcx-11223344556677889

The VPC B route table is configured as follows:
• Destination 172.31.0.0/16, target local
• Destination 10.0.0.0/16, target pcx-11223344556677889

A VPC peering connection can also support IPv6 communication between instances in the VPCs, if the VPCs and instances are enabled for IPv6.

To enable routing of IPv6 traffic between the VPCs, add a route to the route table that points to the VPC peering connection to access all or part of the IPv6 CIDR block of the peer VPC.
For example, using the same VPC peering connection (pcx-11223344556677889) as above, assume the VPCs have the following information:
• VPC A: IPv6 CIDR block is 2001:db8:1234:1a00::/56
• VPC B: IPv6 CIDR block is 2001:db8:5678:2b00::/56
To enable IPv6 communication over the VPC peering connection, add the following route to the subnet route table for VPC A:
• Destination 2001:db8:5678:2b00::/56, target pcx-11223344556677889

Add the following route to the route table for VPC B:
• Destination 2001:db8:1234:1a00::/56, target pcx-11223344556677889
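The two things that silently break a peering connection in practice are a missing return route (often only for IPv6) and overlapping CIDRs, which AWS refuses to activate. The following checker is an added example, not code from the original article: it takes both VPCs' CIDRs and route tables and reports any of those problems. The CIDRs and the peering connection ID pcx-11223344556677889 are the ones used above; the route-table contents are constructed to match the text.

```python
"""Check the routes on both sides of a VPC peering connection.

Added example, not code from the original article. The CIDRs and the
peering connection ID pcx-11223344556677889 are the ones used in the text;
the route-table contents below are constructed to match its description.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[str, str]        # (destination CIDR, target)
RouteTable = List[Route]


def has_route_to(table: RouteTable, cidr: str, target: str) -> bool:
    """True if `table` sends all of `cidr` to `target`.

    A route qualifies when its destination is the peer CIDR or a block that
    covers it (same address family) and it points at the expected target.
    """
    want = ipaddress.ip_network(cidr)
    for dest, tgt in table:
        if tgt != target:
            continue
        net = ipaddress.ip_network(dest)
        if net.version == want.version and want.subnet_of(net):
            return True
    return False


def check_peering(pcx: str, cidrs_a: List[str], table_a: RouteTable,
                  cidrs_b: List[str], table_b: RouteTable) -> List[str]:
    """Return the problems found; an empty list means both directions route.

    Overlapping CIDRs are reported first, then every peer CIDR (IPv4 and
    IPv6) that one side has no route for via the peering connection.
    """
    problems = []
    for ca in cidrs_a:
        for cb in cidrs_b:
            na, nb = ipaddress.ip_network(ca), ipaddress.ip_network(cb)
            if na.version == nb.version and na.overlaps(nb):
                problems.append(f"CIDR overlap: {ca} (VPC A) overlaps {cb} (VPC B)")
    for cb in cidrs_b:
        if not has_route_to(table_a, cb, pcx):
            problems.append(f"VPC A has no route for {cb} via {pcx}")
    for ca in cidrs_a:
        if not has_route_to(table_b, ca, pcx):
            problems.append(f"VPC B has no return route for {ca} via {pcx}")
    return problems


PCX = "pcx-11223344556677889"
VPC_A = ["10.0.0.0/16", "2001:db8:1234:1a00::/56"]
VPC_B = ["172.31.0.0/16", "2001:db8:5678:2b00::/56"]

# Constructed route tables matching the article's IPv4 and IPv6 examples.
TABLE_A = [("10.0.0.0/16", "local"), ("2001:db8:1234:1a00::/56", "local"),
           ("172.31.0.0/16", PCX), ("2001:db8:5678:2b00::/56", PCX)]
TABLE_B = [("172.31.0.0/16", "local"), ("2001:db8:5678:2b00::/56", "local"),
           ("10.0.0.0/16", PCX), ("2001:db8:1234:1a00::/56", PCX)]
# Same as TABLE_B but the IPv6 return route was forgotten: IPv4 works, IPv6 does not.
TABLE_B_NO_V6 = TABLE_B[:3]

if __name__ == "__main__":
    print(check_peering(PCX, VPC_A, TABLE_A, VPC_B, TABLE_B))        # []
    print(check_peering(PCX, VPC_A, TABLE_A, VPC_B, TABLE_B_NO_V6))  # IPv6 return route missing
```

The check is per address family on purpose: a VPC that peers correctly over IPv4 can still have its IPv6 traffic black-holed on the way back, and nothing in the console flags that.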

Routing for ClassicLink

ClassicLink is a feature that enables you to link an EC2-Classic instance to a VPC, allowing communication between the EC2-Classic instance and instances in the VPC using private IPv4 addresses.

When ClassicLink is enabled for a VPC, a route is added to all of the subnet route tables with a destination of 10.0.0.0/8 and a target of local. This allows communication between instances in the VPC and any EC2-Classic instances that are then linked to the VPC. If you add another route table to a ClassicLink-enabled VPC, it automatically receives a route with a destination of 10.0.0.0/8 and a target of local. If you disable ClassicLink for a VPC, this route is automatically deleted from all the subnet route tables. (EC2-Classic, and with it ClassicLink, has since been retired by AWS; the behaviour is kept here for completeness.)

If any of the subnet route tables have existing routes for address ranges within the 10.0.0.0/8 CIDR, you cannot enable the VPC for ClassicLink. This does not include local routes for VPCs with 10.0.0.0/16 and 10.1.0.0/16 IP address ranges.

If the VPC is enabled for ClassicLink, you cannot add any more specific routes to its route tables for the 10.0.0.0/8 IP address range.

When you modify a VPC peering connection to enable communication between instances in the VPC and an EC2-Classic instance that’s linked to the peer VPC, a static route is automatically added to the route tables with a destination of 10.0.0.0/8 and a target of local.

Routing to a gateway VPC endpoint

A gateway VPC endpoint enables you to create a private connection between the VPC and another AWS service. When creating a gateway endpoint, you specify the subnet route tables in the VPC that the endpoint uses. A route is automatically added to each of those route tables with a destination of the service’s prefix list ID (pl-xxxxxxxx) and a target of the endpoint ID (vpce-xxxxxxxxxxxxxxxxx). You cannot explicitly delete or modify the endpoint route, but you can change the route tables that are used by the endpoint.

Routing to an egress-only internet gateway

Example of route to egress-only internet gateway

Create an egress-only internet gateway for the VPC to enable instances in a private subnet to initiate outbound communication to the internet, but prevent the internet from initiating connections with the instances. An egress-only internet gateway is used for IPv6 traffic only. To configure routing for an egress-only internet gateway, add a route in the private subnet’s route table that routes IPv6 internet traffic (::/0) to the egress-only internet gateway.

Routing for a transit gateway

When you attach a VPC to a transit gateway, you must add a route to the subnet route table so that traffic is routed through the transit gateway.

Consider the following scenario where several VPCs are attached to a transit gateway. All attachments are associated with the transit gateway route table and propagate to it, so every attachment can route packets to every other one, with the transit gateway serving as a simple layer 3 IP hub.
For example, there are two VPCs with the following information:
• VPC A: 10.1.0.0/16, attachment ID tgw-attach-11111111111111111
• VPC B: 10.2.0.0/16, attachment ID tgw-attach-22222222222222222
To enable traffic between the VPCs, the VPC A route table needs, in addition to its local route, a route whose destination is VPC B’s CIDR (10.2.0.0/16) and whose target is the transit gateway.

The transit gateway route table then carries one propagated entry per VPC attachment:
• Destination 10.1.0.0/16, target tgw-attach-11111111111111111 (propagated)
• Destination 10.2.0.0/16, target tgw-attach-22222222222222222 (propagated)

Routing for a middlebox appliance in your VPC

Traffic that enters the VPC through an internet gateway or a virtual private gateway can be intercepted by directing it to a middlebox appliance in the VPC. For example, the appliance can be a security appliance that screens all traffic, or a WAN acceleration appliance. The appliance is deployed as an Amazon EC2 instance in a subnet in the VPC, and is represented by an elastic network interface (network interface) in that subnet.

To route inbound VPC traffic to an appliance, associate a route table with the internet gateway or virtual private gateway, and specify the network interface of the appliance as the target for VPC traffic. You can also route outbound traffic from a subnet to a middlebox appliance in another subnet.
Note
If route propagation is enabled for the destination subnet route table, be aware of route priority. AWS uses the most specific route, and if two routes have the same destination, a static route takes priority over a propagated one. Review the routes to ensure that traffic is routed as intended and that there are no unintended consequences when route propagation is enabled or disabled (for example, route propagation is required for an AWS Direct Connect connection that supports jumbo frames).

Appliance considerations
Choose a third-party appliance from AWS Marketplace, or configure your own appliance.
When creating or configuring an appliance, take note of the following:
• The appliance must be in a separate subnet from the source or destination traffic.
• Disable source/destination checking on the appliance; with the check enabled, the instance drops packets that are not addressed to its own interface, which is exactly the traffic it has to forward.
• Service chaining is not supported.
• You cannot route traffic between hosts in the same subnet through an appliance.
• You cannot route traffic between subnets through an appliance.
• The appliance does not have to perform network address translation (NAT).
• To intercept IPv6 traffic, configure the VPC, subnet, and appliance for IPv6. Virtual private gateways do not support IPv6 traffic.
Appliance routing configuration
To route inbound traffic to an appliance, create a route table and add a route that points the traffic destined for a subnet to the appliance’s network interface. This route is more specific than the local route for the route table. Associate this route table with the internet gateway or virtual private gateway.

The following route table routes IPv4 traffic destined for a subnet to the appliance’s network interface.

Alternatively, replace the target for the local route with the appliance’s network interface. Do this to ensure that all traffic is automatically routed to the appliance, including traffic destined for subnets that are added to the VPC later.

To route traffic from a subnet to an appliance in another subnet, add a route to the subnet route table that routes traffic to the appliance’s network interface. The destination must be less specific than the destination of the local route.

For example, for traffic destined for the internet, specify 0.0.0.0/0 (all IPv4 addresses) for the destination.

Then, in the route table associated with the appliance’s subnet, add a route that routes the traffic back to the internet gateway or virtual private gateway.

Apply the same routing configuration for IPv6 traffic. For example, in the gateway route table, replace the target for both the IPv4 and IPv6 local routes with the appliance’s network interface.

In the following diagram, a firewall appliance is installed and configured on an Amazon EC2 instance in subnet A in your VPC. The appliance inspects all traffic that enters and leaves the VPC through the internet gateway. Route table A is associated with the internet gateway. Traffic destined for subnet B that enters the VPC through the internet gateway is routed to the appliance’s network interface (eni-11223344556677889). All traffic that leaves subnet B is also routed to the appliance’s network interface.

The following example has the same setup as the preceding example, but includes IPv6 traffic. IPv6 traffic that’s destined for subnet B that enters the VPC through the internet gateway is routed to the appliance’s network interface (eni-11223344556677889). All traffic (IPv4 and IPv6) that leaves subnet B is also routed to the appliance’s network interface.
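Whether a packet reaches the appliance at all comes down to the lookup rules stated earlier: the most specific route wins, and at equal length a static route beats a propagated one. The following simulator is an added example, not code from the original article or from AWS. It replays two situations from the text: the private-subnet table whose specific routes for S3 and a peer VPC override the 0.0.0.0/0 NAT route, and the middlebox layout in the diagram above, where route table A on the internet gateway sends subnet B traffic to the appliance (eni-11223344556677889). Everything else (the other IDs, the subnet CIDRs, and the stand-in prefix list "pl-s3example") is constructed for the example.

```python
"""Simulate VPC route-table lookups: longest prefix wins, and on equal length
a static route beats a propagated one.

Added example, not code from the original article or from AWS. Only the
appliance ENI eni-11223344556677889 comes from the text; all other IDs,
CIDRs and the stand-in prefix list are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str        # CIDR, or a prefix list ID that expands to CIDRs
    target: str             # local, igw-..., nat-..., pcx-..., vpce-..., eni-...
    propagated: bool = False


# Constructed stand-in for a managed prefix list. The real S3 list (pl-xxxxxxxx)
# resolves to AWS-published ranges; these two CIDRs are made up.
PREFIX_LISTS = {"pl-s3example": ["52.216.0.0/15", "54.231.0.0/17"]}


def expand(destination: str) -> List[str]:
    return PREFIX_LISTS.get(destination, [destination])


def lookup(table: List[Route], dst_ip: str) -> Optional[Route]:
    """Return the route that carries dst_ip, or None if nothing matches.

    Longest prefix wins regardless of entry order. If two matching routes
    have the same prefix length, the static one wins over the propagated
    one, which is the tie-break the note above describes.
    """
    ip = ipaddress.ip_address(dst_ip)
    best: Optional[Route] = None
    best_len = -1
    for route in table:
        for cidr in expand(route.destination):
            net = ipaddress.ip_network(cidr)
            if net.version != ip.version or ip not in net:
                continue
            if net.prefixlen > best_len or (
                net.prefixlen == best_len and best.propagated and not route.propagated
            ):
                best, best_len = route, net.prefixlen
    return best


def trace(entry_table: List[Route], appliance_table: List[Route],
          dst_ip: str, appliance_eni: str) -> List[str]:
    """Follow a packet: first hop from entry_table; if that hop is the appliance
    ENI, the appliance forwards it and its own subnet table picks the next hop."""
    first = lookup(entry_table, dst_ip)
    if first is None:
        return []
    if first.target != appliance_eni:
        return [first.target]
    second = lookup(appliance_table, dst_ip)
    return [first.target, second.target if second else "drop"]


# 1. Private subnet with a NAT route and more specific exceptions (VPC 10.0.0.0/16).
PRIVATE_RT = [
    Route("10.0.0.0/16", "local"),
    Route("pl-s3example", "vpce-0123456789abcdef0"),   # S3 via gateway endpoint
    Route("10.25.0.0/16", "pcx-0fedcba9876543210"),    # peer VPC
    Route("0.0.0.0/0", "nat-0123456789abcdef0"),       # everything else
]

# 2. Same destination learned twice: static beats propagated at equal length.
MIXED_RT = [
    Route("10.0.0.0/16", "local"),
    Route("10.25.0.0/16", "vgw-0123456789abcdef0", propagated=True),
    Route("10.25.0.0/16", "pcx-0fedcba9876543210"),
]

# 3. Middlebox: appliance in subnet A (10.0.1.0/24), protected subnet B (10.0.2.0/24).
ENI = "eni-11223344556677889"
GATEWAY_RT = [Route("10.0.0.0/16", "local"), Route("10.0.2.0/24", ENI)]   # on the IGW
SUBNET_B_RT = [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", ENI)]
SUBNET_A_RT = [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "igw-0123456789abcdef0")]
GATEWAY_RT_BYPASS = [Route("10.0.0.0/16", "local")]   # the eni route was forgotten

if __name__ == "__main__":
    for ip in ("52.216.5.5", "10.25.1.1", "10.0.2.2", "8.8.8.8"):
        print(ip, "->", lookup(PRIVATE_RT, ip).target)
    print("static vs propagated:", lookup(MIXED_RT, "10.25.3.4").target)
    print("inbound to subnet B:", trace(GATEWAY_RT, SUBNET_A_RT, "10.0.2.10", ENI))
    print("outbound from subnet B:", trace(SUBNET_B_RT, SUBNET_A_RT, "203.0.113.5", ENI))
    print("inbound, eni route missing:", trace(GATEWAY_RT_BYPASS, SUBNET_A_RT, "10.0.2.10", ENI))
```

The last trace is the case worth testing for in a real account: if the gateway route table lacks the /24 route for subnet B (or that route is less specific than local), inbound traffic matches the local route and is delivered without ever passing the appliance, so the firewall is silently bypassed.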

Route tables can be checked off the list, and now I’m moving on to the next topic, which is the internet gateway. See you soon!


Danesh Raj

I'm a technology enthusiast who is passionate about helping people live better by using technology.