Tags: amazon-web-services, amazon-vpc, amazon-gateway

Does an AWS routing table only affect outbound traffic?


According to the AWS docs,

If a subnet is associated with a route table that has a route to an internet gateway, it's known as a public subnet

However, in my understanding, the subnet routing table only affects outbound traffic from the subnet, is that correct? What about the inbound traffic?

I assume that inbound traffic is enabled by default via the routing table of the internet gateway, but maybe my understanding is wrong. How could I check the hypothesis that inbound traffic is allowed? Commands like ping depend on bi-directional packet flow, don't they?


Solution

  • Keep in mind that:

    A route table contains a set of rules, called routes, that determine where network traffic from your subnet or gateway is directed.

    That's what a route table does: it routes traffic according to rules.

    Each route in a table specifies a destination and a target. That's it.

    Your VPC has an implicit router, and you use route tables to control where network traffic is directed. Each subnet in your VPC must be associated with a route table, which controls the routing for the subnet (subnet route table). You can explicitly associate a subnet with a particular route table. Otherwise, the subnet is implicitly associated with the main route table.

    Moving on...

    A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a specified subnet. Use a public subnet for resources that must be connected to the internet, and a private subnet for resources that won't be connected to the internet.

    The part that allows the inbound and outbound traffic is on the subnet level.

    To protect the AWS resources in each subnet, you can use multiple layers of security, including security groups and network access control lists (ACL).


    From the docs:

    By default, each custom network ACL denies all inbound and outbound traffic until you add rules. Each subnet in your VPC must be associated with a network ACL.

    In other words, if you have a subnet, you must have a NACL, which supports allow rules and deny rules.

    A NACL is stateless; its return traffic must be allowed explicitly.

    This is already set up for you in all default VPCs your AWS account comes with. However, if you create a custom VPC, you need to take care of creating your own subnets, route tables, Internet Gateways, NACLs, Security Groups, etc.
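As an added example (not part of the question or the answer above), the following Python script applies the two checks the answer describes to constructed data shaped like the output of `aws ec2 describe-route-tables` and `aws ec2 describe-network-acls`: it decides whether a subnet is "public" (a route whose target is an `igw-` ID), does a longest-prefix route lookup the way the VPC router would, and then evaluates a TCP flow against a stateless NACL in both directions. The internet gateway ID, CIDR blocks and rule numbers are made up for the example; no live AWS call is made.

```python
"""Offline check of 'is this subnet public?' and 'does the NACL let this flow
through in BOTH directions?' on constructed describe-* style data.
All IDs, CIDRs and rule numbers below are made up for the example."""

import ipaddress

# Constructed sample: shape mirrors `aws ec2 describe-route-tables` output.
ROUTE_TABLE = {
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"},
    ]
}

# Constructed sample NACL: allows inbound SSH and outbound ephemeral-port
# replies, but nothing else (ICMP and inbound ephemeral ports are not allowed).
# Rule 32767 is the implicit catch-all deny AWS places at the end.
NETWORK_ACL = {
    "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True,
         "CidrBlock": "0.0.0.0/0"},
    ]
}


def is_public_subnet(route_table):
    """Public subnet per the AWS definition: some route targets an internet gateway."""
    return any(r.get("GatewayId", "").startswith("igw-") for r in route_table["Routes"])


def route_target(route_table, dst_ip):
    """Longest-prefix match, as the VPC's implicit router does; None if no route."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for r in route_table["Routes"]:
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r.get("GatewayId") or r.get("NatGatewayId"))
    return best[1] if best else None


def nacl_allows(nacl, egress, protocol, remote_ip, dst_port):
    """Evaluate one direction of a NACL: ascending RuleNumber, first match wins,
    no match means deny. `protocol` is the IANA number as a string ("6" = TCP,
    "1" = ICMP); `dst_port` is the destination port of the packet being judged."""
    ip = ipaddress.ip_address(remote_ip)
    entries = sorted((e for e in nacl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for e in entries:
        if ip not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        if e["Protocol"] not in ("-1", protocol):
            continue
        pr = e.get("PortRange")
        if pr and protocol in ("6", "17") and not (pr["From"] <= dst_port <= pr["To"]):
            continue
        return e["RuleAction"] == "allow"
    return False


def tcp_flow_allowed(nacl, remote_ip, service_port, inbound_initiated, ephemeral=49152):
    """Stateless NACL: the request AND the reply must each be explicitly allowed.
    Inbound-initiated: remote:ephemeral -> instance:service_port, reply goes out
    to remote:ephemeral. Outbound-initiated: instance:ephemeral -> remote:service_port,
    reply comes back in to instance:ephemeral."""
    if inbound_initiated:
        request = nacl_allows(nacl, False, "6", remote_ip, service_port)
        reply = nacl_allows(nacl, True, "6", remote_ip, ephemeral)
    else:
        request = nacl_allows(nacl, True, "6", remote_ip, service_port)
        reply = nacl_allows(nacl, False, "6", remote_ip, ephemeral)
    return request and reply


if __name__ == "__main__":
    print("public subnet:", is_public_subnet(ROUTE_TABLE))
    print("8.8.8.8 routed via:", route_target(ROUTE_TABLE, "8.8.8.8"))
    print("inbound SSH from 203.0.113.7:", tcp_flow_allowed(NETWORK_ACL, "203.0.113.7", 22, True))
    print("outbound HTTPS to 203.0.113.7:", tcp_flow_allowed(NETWORK_ACL, "203.0.113.7", 443, False))
    print("inbound ICMP echo:", nacl_allows(NETWORK_ACL, False, "1", "203.0.113.7", 0))
```

Running it shows the point the answer makes: the route to the internet gateway makes the subnet public, but whether a given flow actually works is decided per direction by the stateless NACL. With this rule set an inbound SSH session succeeds (port 22 in, ephemeral reply out), an outbound HTTPS connection fails because the reply to the instance's ephemeral port is never allowed inbound, and ping fails because no ICMP rule exists. Against a real account you would feed the script the JSON from `aws ec2 describe-route-tables --filters Name=association.subnet-id,Values=<subnet-id>` and `aws ec2 describe-network-acls --filters Name=association.subnet-id,Values=<subnet-id>`; security groups, being stateful, need only the request direction checked.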