EC2 instances inside a VPC use their default route to send all traffic to the virtual router provided by the VPC itself.

The VPC router then forwards the traffic according to the VPC route table for the instance’s subnet.

The routes in the VPC route table do not propagate back into the instances themselves, but they’re used to make forwarding decisions for all the traffic.

Forwarding traffic “directly” from one instance to another in VPC isn’t a meaningful concept, because the VPC network is not a “real” Ethernet network, in spite of appearances to the contrary — everything is virtual (it’s a software-defined network). All traffic between any two instances, whether they’re on the same subnet or not, always traverses the VPC network infrastructure in pretty much the same way.

If an instance is on a subnet that has the NAT instance as its default route in the subnet’s VPC route table, the instance will automatically use the NAT machine as its default gateway for all traffic outside the VPC supernet, with no configuration necessary in the instance itself.

Note that unlike a conventional network, the NAT instance needs to be on a different subnet than any of the instances that use it as their gateway. The route table for the subnet where the NAT instance is actually installed must have the igw-xxxxxxxx Internet Gateway object as its default route.
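The two-table setup described above, as an added example that is not part of the original post: a small model of how the VPC router resolves a destination with longest-prefix match against the source subnet's route table, and then again against the NAT instance's subnet table once the NAT instance re-emits the packet. The VPC CIDR, subnet names, the `igw-PLACEHOLDER` and `eni-nat-PLACEHOLDER` ids and the `203.0.113.10` destination are all constructed values, not real AWS identifiers. It goes one step beyond the text by also tracing the misconfiguration the last paragraph warns against (NAT instance placed in the subnet it serves), which shows up as a forwarding loop.

```python
import ipaddress

# Constructed example (not from the original post): one VPC with a public and a
# private subnet. Resource ids are placeholders, not real AWS identifiers.
VPC_CIDR = "10.0.0.0/16"
IGW = "igw-PLACEHOLDER"            # Internet Gateway attached to the VPC
NAT_ENI = "eni-nat-PLACEHOLDER"    # network interface of the NAT instance

# One route table per subnet, as the VPC router consults them.
# Each entry is (destination CIDR, target).
ROUTE_TABLES = {
    "public":  [(VPC_CIDR, "local"), ("0.0.0.0/0", IGW)],
    "private": [(VPC_CIDR, "local"), ("0.0.0.0/0", NAT_ENI)],
}


def lookup(route_table, dst_ip):
    """Longest-prefix match over one subnet's route table.

    Returns the target of the most specific matching route, or None when no
    route matches (the VPC router has nowhere to send such a packet).
    """
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def trace(dst_ip, src_subnet, nat_subnet, route_tables=ROUTE_TABLES, max_hops=3):
    """Follow a packet from an instance in src_subnet towards dst_ip.

    The packet is first looked up in the source subnet's table. If that hands it
    to the NAT instance, the NAT instance re-emits it and the VPC router looks it
    up again in the table of the subnet the NAT instance lives in (nat_subnet).
    Returns the sequence of targets chosen; a trailing "loop" marks a forwarding
    loop, which is what happens when the NAT instance sits in a subnet whose
    default route points back at the NAT instance.
    """
    path = []
    subnet = src_subnet
    for _ in range(max_hops):
        target = lookup(route_tables[subnet], dst_ip)
        path.append(target)
        if target != NAT_ENI:
            return path
        subnet = nat_subnet
    path.append("loop")
    return path


if __name__ == "__main__":
    # Instance-to-instance traffic takes the "local" route, whatever the subnet.
    print(trace("10.0.0.5", "private", "public"))       # ['local']
    # Internet-bound traffic from the private subnet: NAT instance, then IGW.
    print(trace("203.0.113.10", "private", "public"))   # ['eni-nat-PLACEHOLDER', 'igw-PLACEHOLDER']
    # Misconfiguration: NAT instance placed in the private subnet it serves.
    print(trace("203.0.113.10", "private", "private"))  # [..., 'loop']
```

The model deliberately leaves out everything the instance itself would do: its only contribution is the destination address, which matches the point that no routing configuration is needed inside the instance.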
