
AWS - Cannot ping EC2 instance on private subnet in VPC


My goal is to create an EC2 instance in a private subnet on a VPC that I will be able to ping from external internet.

So far, I have:

  1. created an elastic IP
  2. created a VPC with one public subnet and one private subnet
  3. created a NAT Gateway on the public subnet and set its public IP to the elastic IP
  4. created an EC2 instance in the VPC on the private subnet
  5. created a security group for the EC2 instance which allows all ICMP traffic

When I try to ping the elastic IP address, the pings time out.

What do I need to be able to do to ping the EC2 instance on the private subnet?


Solution

  • Your Amazon EC2 instance is in a private subnet. Therefore, it cannot be reached from the Internet. This is good! That is why private subnets exist.

    Therefore, you correctly cannot ping the private instance from the Internet.

    In fact, when you ping the Elastic IP address associated with the NAT Gateway, you are actually pinging the NAT Gateway, not the instance. The NAT Gateway is either rejecting the requests or has a security group that does not permit inbound ICMP requests.

    The NAT Gateway allows outbound communication from resources in a private subnet to the Internet. It does not forward inbound requests. This is by design.
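The following is an added example, not code from the question or the answer above. It shows the check a practitioner would run before blaming a security group: find out what the Elastic IP is actually attached to, what the private subnet's default route points at, and whether the instance can be reached inbound at all. To keep it runnable offline, the inputs are hand-built dictionaries in the shape of boto3's `describe_addresses`, `describe_nat_gateways`, `describe_instances` and `describe_route_tables` responses; every ID and address in them is a constructed placeholder (203.0.113.0/24 is a documentation range), and the function names are this example's own.

```python
"""Diagnose why pinging an Elastic IP does not reach a private-subnet instance.

Added example, not part of the original Q&A. All sample data below is
constructed by hand in the shape of boto3 describe_* responses; in practice
you would feed the real responses into the same functions.
"""
from typing import List, Optional

# Constructed: the EIP is associated with the NAT Gateway's network
# interface. There is no "InstanceId" key, so no instance owns it.
ADDRESSES = [
    {
        "PublicIp": "203.0.113.10",
        "AllocationId": "eipalloc-0example",
        "NetworkInterfaceId": "eni-0natgw0",
    }
]

NAT_GATEWAYS = [
    {
        "NatGatewayId": "nat-0example",
        "SubnetId": "subnet-public0",
        "NatGatewayAddresses": [
            {"NetworkInterfaceId": "eni-0natgw0", "PublicIp": "203.0.113.10"}
        ],
    }
]

# Constructed: one instance in the private subnet (no public address) and,
# for contrast, one in the public subnet that does have one.
INSTANCES = [
    {"InstanceId": "i-0private", "SubnetId": "subnet-private0",
     "PrivateIpAddress": "10.0.1.25"},
    {"InstanceId": "i-0public", "SubnetId": "subnet-public0",
     "PrivateIpAddress": "10.0.0.25", "PublicIpAddress": "203.0.113.20"},
]

# Constructed: private subnet defaults to the NAT Gateway, public subnet to
# an Internet Gateway. Only explicit subnet associations are modelled here;
# the VPC main route table fallback is omitted for brevity.
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-private0"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
    {"Associations": [{"SubnetId": "subnet-public0"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
]


def eip_attachment(public_ip: str, addresses=ADDRESSES,
                   nat_gateways=NAT_GATEWAYS) -> Optional[str]:
    """Describe what the Elastic IP is attached to: an instance, a NAT Gateway,
    or a bare network interface. None if the address is unknown."""
    for addr in addresses:
        if addr.get("PublicIp") != public_ip:
            continue
        if "InstanceId" in addr:
            return f"instance {addr['InstanceId']}"
        eni = addr.get("NetworkInterfaceId")
        for natgw in nat_gateways:
            if any(a["NetworkInterfaceId"] == eni for a in natgw["NatGatewayAddresses"]):
                return f"nat-gateway {natgw['NatGatewayId']}"
        return f"network-interface {eni}"
    return None


def default_route_target(subnet_id: str, route_tables=ROUTE_TABLES) -> Optional[str]:
    """Return the target of the subnet's 0.0.0.0/0 route (igw-..., nat-..., ...)."""
    for table in route_tables:
        if not any(a.get("SubnetId") == subnet_id for a in table["Associations"]):
            continue
        for route in table["Routes"]:
            if route.get("DestinationCidrBlock") == "0.0.0.0/0":
                return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def instance_reachable_from_internet(instance_id: str, instances=INSTANCES,
                                     route_tables=ROUTE_TABLES) -> bool:
    """Inbound reachability needs both a public address on the instance and a
    default route through an Internet Gateway. A NAT Gateway route never
    forwards inbound traffic, whatever the security group allows."""
    for inst in instances:
        if inst["InstanceId"] != instance_id:
            continue
        target = default_route_target(inst["SubnetId"], route_tables) or ""
        return "PublicIpAddress" in inst and target.startswith("igw-")
    return False


def explain_ping_failure(public_ip: str, instance_id: str) -> List[str]:
    """Human-readable findings for the situation described in the question."""
    inst = next(i for i in INSTANCES if i["InstanceId"] == instance_id)
    return [
        f"{public_ip} is attached to {eip_attachment(public_ip)}, not to {instance_id}",
        f"{instance_id} default route goes to {default_route_target(inst['SubnetId'])}",
        f"{instance_id} reachable inbound from the Internet: "
        f"{instance_reachable_from_internet(instance_id)}",
    ]


if __name__ == "__main__":
    for line in explain_ping_failure("203.0.113.10", "i-0private"):
        print(line)
```

The three findings line up with the answer: the address being pinged belongs to the NAT Gateway, the private subnet only has an outbound path through it, and the instance has nothing the Internet can address. Changing the ICMP rule in the instance's security group cannot alter any of those three facts.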