Lab Information
The Nautilus DevOps team has been tasked with demonstrating the use of VPC Peering to enable communication between two VPCs. One VPC will be a private VPC that contains a private EC2 instance, while the other will be the default public VPC containing a publicly accessible EC2 instance.
1) There is already an existing EC2 instance in the public VPC/subnet:
Name: nautilus-public-ec2
2) There is already an existing Private VPC:
Name: nautilus-private-vpc
CIDR: 10.1.0.0/16
3) There is already an existing Subnet in nautilus-private-vpc:
Name: nautilus-private-subnet
CIDR: 10.1.1.0/24
4) There is already an existing EC2 instance in the private subnet:
Name: nautilus-private-ec2
5) Create a Peering Connection between the Default VPC and the Private VPC:
VPC Peering Connection Name: nautilus-vpc-peering
6) Configure Route Tables to enable communication between the two VPCs.
Ensure the private EC2 instance is accessible from the public EC2 instance.
7) Test the Connection:
Add /root/.ssh/id_rsa.pub public key to the public EC2 instance's ec2-user's authorized_keys to make sure we are able to ssh into this instance from AWS client host. You may also need to update the security group of the private EC2 instance to allow ICMP traffic from the public/default VPC CIDR. This will enable you to ping the private instance from the public instance.
SSH into the public EC2 instance and ensure that you can ping the private EC2 instance.
Lab Solutions
Step-by-Step
1) Create and accept the VPC Peering connection
VPC → Peering connections → Create peering connection
Configure:
Name: nautilus-vpc-peering
Requester VPC: Default VPC
Accepter VPC: nautilus-private-vpc
Account: My account; Region: This Region (both VPCs are in the same region)
Create peering connection, then select the new connection and choose Actions → Accept request.
Status should change from Pending Acceptance to Active.
2) Configure Route Tables (CRITICAL)
2.1 Default VPC route table
VPC → Route Tables
Select the main route table for the Default VPC (default subnets use the main route table unless the association was changed; confirm it is the one associated with the subnet of nautilus-public-ec2)
Edit routes → Add route
Destination: 10.1.0.0/16
Target: nautilus-vpc-peering
Save.
2.2 Private VPC route table
Select the route table associated with nautilus-private-subnet
Edit routes → Add route
Destination: 172.31.0.0/16 (Default VPC CIDR; 172.31.0.0/16 is the standard default VPC CIDR, confirm it under VPC → Your VPCs)
Target: nautilus-vpc-peering
Save.
✔ Both sides must have routes to each other’s CIDR via the peering connection. Peering is not transitive and requires non-overlapping CIDRs; 10.1.0.0/16 and 172.31.0.0/16 do not overlap, so there is no address conflict here.
3) Update Security Groups
3.1 Public EC2 security group
Ensure inbound allows SSH:
SSH (22) from the public IP of aws-client (0.0.0.0/0 also works for the lab, but exposes port 22 to the whole internet)
3.2 Private EC2 security group (to allow ping)
Add inbound rule:
Type: Custom ICMP - IPv4, Protocol: Echo Request (All ICMP - IPv4 also works, but is broader than the lab needs)
Source: 172.31.0.0/16 (Default VPC CIDR)
✔ This allows the public EC2 to ping the private EC2. Security groups are stateful, so the echo reply returns without an extra outbound rule; if ping still fails once the routes are in place, check the subnet network ACLs, which are stateless and must allow ICMP in both directions.
4) Add your SSH key to the public EC2
On aws-client, display your public key:
cat /root/.ssh/id_rsa.pub
# Connect to the public EC2 (via console/EC2 Instance Connect or existing access), then:
mkdir -p ~/.ssh
vi ~/.ssh/authorized_keys
Paste the public key, save, then fix permissions:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
5) SSH to the public EC2 from aws-client
ssh -i /root/.ssh/id_rsa ec2-user@<PUBLIC_EC2_PUBLIC_IP>
Login should succeed.
6) Test connectivity: ping the private EC2
From inside nautilus-public-ec2, ping the private IP of nautilus-private-ec2 (shown on the instance's details page; placeholder below):
ping -c 4 10.1.1.x
Expected: replies received (ICMP works). If there are no replies, re-check both route tables and the private instance's security group.
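The ping depends on three things being right at once: non-overlapping VPC CIDRs, a route in each direction via the peering connection, and an ICMP rule on the private instance's security group. The script below is an added example (not part of the lab and not AWS tooling) that checks those conditions offline against constructed sample data shaped like simplified describe-route-tables / describe-security-groups output. The peering id pcx-0123456789abcdef0, the gateway id igw-0123456789abcdef0 and the instance IPs 172.31.4.7 / 10.1.1.25 are placeholders; the route tables and security group mirror what steps 2 and 3 create.

```python
"""Added example: offline preflight for the VPC peering layout of steps 2 and 3.

Checks the three conditions the ping test depends on:
  1. the two VPC CIDRs do not overlap (AWS refuses to peer overlapping CIDRs);
  2. each VPC's route table sends the peer CIDR to the peering connection,
     resolved by longest-prefix match, which is how the VPC router decides;
  3. the private instance's security group admits ICMP Echo Request from the
     default VPC CIDR (security groups are stateful, so the reply needs no rule).

All data below is constructed sample data; pcx-/igw- ids and IPs are placeholders.
"""
import ipaddress

DEFAULT_VPC_CIDR = "172.31.0.0/16"    # standard default VPC CIDR; verify in your account
PRIVATE_VPC_CIDR = "10.1.0.0/16"      # nautilus-private-vpc
PEERING_ID = "pcx-0123456789abcdef0"  # placeholder id for nautilus-vpc-peering

# Route tables as (destination CIDR, target) pairs (constructed).
DEFAULT_VPC_ROUTES = [
    ("172.31.0.0/16", "local"),
    ("0.0.0.0/0", "igw-0123456789abcdef0"),
    ("10.1.0.0/16", PEERING_ID),          # route added in step 2.1
]
PRIVATE_VPC_ROUTES = [
    ("10.1.0.0/16", "local"),
    ("172.31.0.0/16", PEERING_ID),        # return route added in step 2.2
]

# Inbound SG rules as (protocol, from_port, to_port, source CIDR) (constructed).
# For ICMP, from_port is the ICMP type and to_port the code; -1 means "any".
PRIVATE_SG_INGRESS = [
    ("tcp", 22, 22, "10.1.0.0/16"),
    ("icmp", 8, -1, "172.31.0.0/16"),     # Echo Request rule from step 3.2
]


def cidrs_overlap(a: str, b: str) -> bool:
    """True if the two CIDRs share any address; peering is rejected if so."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def route_for(routes, dst_ip: str):
    """Target the VPC router picks for dst_ip: the most specific matching prefix wins."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target  # None means no route at all (traffic is dropped)


def icmp_echo_allowed(rules, src_ip: str) -> bool:
    """True if an inbound rule admits ICMP Echo Request (type 8) from src_ip."""
    ip = ipaddress.ip_address(src_ip)
    for proto, from_port, _to_port, cidr in rules:
        all_protocols = proto == "-1"                      # "All traffic" rule
        echo_type = proto == "icmp" and from_port in (8, -1)
        if (all_protocols or echo_type) and ip in ipaddress.ip_network(cidr):
            return True
    return False


def check_peering(req_cidr, acc_cidr, req_routes, acc_routes, acc_sg,
                  src_ip, dst_ip, pcx=PEERING_ID):
    """Return a list of problems; an empty list means the ping should succeed."""
    problems = []
    if cidrs_overlap(req_cidr, acc_cidr):
        problems.append(f"CIDRs {req_cidr} and {acc_cidr} overlap; peering cannot be created")
    if route_for(req_routes, dst_ip) != pcx:
        problems.append(f"requester route table does not send {dst_ip} to {pcx}")
    if route_for(acc_routes, src_ip) != pcx:
        problems.append(f"accepter route table has no return route for {src_ip} via {pcx}")
    if not icmp_echo_allowed(acc_sg, src_ip):
        problems.append(f"accepter security group does not allow ICMP echo from {src_ip}")
    return problems


if __name__ == "__main__":
    # Placeholder private IPs for nautilus-public-ec2 and nautilus-private-ec2.
    issues = check_peering(DEFAULT_VPC_CIDR, PRIVATE_VPC_CIDR, DEFAULT_VPC_ROUTES,
                           PRIVATE_VPC_ROUTES, PRIVATE_SG_INGRESS, "172.31.4.7", "10.1.1.25")
    print("OK: ping should succeed" if not issues else "\n".join(issues))
```

To use it against a real account, replace the constructed lists with the routes and rules reported by aws ec2 describe-route-tables and aws ec2 describe-security-groups for the two VPCs. The most common lab failure it catches is a missing return route in the private VPC: the echo request arrives, but the reply has no route back to 172.31.0.0/16.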