Reasons for Unable to Ping Instance in VPCB from VPCA

Troubleshooting AWS Certified Advanced Networking - Specialty Exam Question from Amazon


Question

You have two VPCs, VPC A and VPC B.

The two VPCs have been peered.

You have configured the route tables in VPC A so that traffic can flow from VPC A to VPC B.

You try to ping an instance in VPC B from VPC A, but are unable to do so.

You have confirmed that the NACLs and Security Groups have been configured properly.

What could be the reason for this issue?

Answers

A. The VPCs have overlapping CIDR blocks.
B. Security Groups don't work in peered VPCs.
C. NACLs don't work in peered VPCs.
D. The route tables in VPC B have not been configured.

Explanations

Answer - D.

The AWS documentation states the following:

To send traffic from your instance to an instance in a peer VPC using private IPv4 addresses, you must add a route to the route table that's associated with the subnet in which the instance resides.

The route points to the CIDR block (or portion of the CIDR block) of the other VPC in the VPC peering connection.

The owner of the other VPC in the peering connection must also add a route to their subnet's route table to direct traffic back to your VPC. For more information on VPC peering routing, see:

http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-peering-routing.html

In the scenario described in the question, a ping from an instance in VPC A to an instance in VPC B fails even though the VPCs are peered and the route tables in VPC A have been configured. Each option is examined below.

A. The VPCs have overlapping CIDR blocks: This could be a possible cause of the issue. VPCs that are peered must have non-overlapping CIDR blocks. If the CIDR blocks overlap, the route tables cannot determine the correct path for the traffic, and the traffic will not reach the destination instance.

B. Security Groups don't work in peered VPCs: This statement is incorrect. Security groups work across peered VPCs. Security groups control the inbound and outbound traffic to and from the instances. As long as the security groups are configured properly, they are not the reason for the ping to fail.

C. NACLs don't work in peered VPCs: This statement is also incorrect. Network ACLs (NACLs) do work in peered VPCs. NACLs are stateless and evaluate inbound and outbound traffic separately. If the NACLs are misconfigured they could block the ping traffic, but they are not disabled in a peered VPC setup.

D. The route tables in VPC B have not been configured: This could be a possible cause of the issue. Even though the route tables in VPC A have been configured correctly to allow traffic to flow to VPC B, if the route tables in VPC B have not been configured to route traffic back to VPC A, the reply packets have no path and the ping will fail.

In conclusion, the possible reasons for the ping failure could be overlapping CIDR blocks or misconfigured route tables in VPC B. Security groups and NACLs should not be the cause of the issue as they do work across peered VPCs.
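The two route-table conditions discussed above (non-overlapping CIDR blocks, and a route through the peering connection on both sides) can be checked offline against route-table records. The following is an added example, not code from the question page or from AWS; the VPC ids, CIDR blocks, peering id and route tables are constructed to mirror the shape of an EC2 DescribeRouteTables response, and no API call is made.

```python
"""Find route tables on either side of a VPC peering connection that lack a route to the peer."""
import ipaddress

# Constructed sample data (placeholder ids): VPC A has a route to VPC B,
# but VPC B has only its local route, so replies to VPC A have no path.
VPC_CIDRS = {"vpc-aaaa": "10.0.0.0/16", "vpc-bbbb": "10.1.0.0/16"}
PEERING_ID = "pcx-1234"
ROUTE_TABLES = [
    {"VpcId": "vpc-aaaa", "RouteTableId": "rtb-a1",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "10.1.0.0/16",
                 "VpcPeeringConnectionId": "pcx-1234"}]},
    {"VpcId": "vpc-bbbb", "RouteTableId": "rtb-b1",
     "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"}]},
]


def cidrs_overlap(cidr_a, cidr_b):
    """True when the two VPC CIDR blocks share any address; peering requires they do not."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def has_peer_route(route_table, peer_cidr, peering_id):
    """True if the table sends the peer CIDR, or a portion of it, through the peering connection."""
    peer_net = ipaddress.ip_network(peer_cidr)
    for route in route_table["Routes"]:
        if route.get("VpcPeeringConnectionId") != peering_id:
            continue
        dest = ipaddress.ip_network(route["DestinationCidrBlock"])
        if dest.subnet_of(peer_net):  # equal networks also count as a subnet
            return True
    return False


def missing_peer_routes(route_tables, vpc_cidrs, peering_id, vpc_a, vpc_b):
    """Return ids of route tables in either VPC that have no route to the other VPC.

    Every table in both VPCs is checked; in practice only the table associated
    with each instance's subnet matters, so narrow the input list accordingly.
    """
    missing = []
    for rt in route_tables:
        if rt["VpcId"] == vpc_a:
            peer = vpc_b
        elif rt["VpcId"] == vpc_b:
            peer = vpc_a
        else:
            continue  # table belongs to an unrelated VPC
        if not has_peer_route(rt, vpc_cidrs[peer], peering_id):
            missing.append(rt["RouteTableId"])
    return missing
```

With the sample data, `missing_peer_routes` reports `rtb-b1`, which is the missing return route from option D.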