Why Did Communication Fail Between VPCs That Were Connected by a VPC Peering Connection?
Symptom
After a VPC peering connection is created, the local and peer VPCs cannot communicate with each other.
Troubleshooting
The issues here are described in order of how likely they are to occur.
No. |
Possible Cause |
Solution |
---|---|---|
1 |
Overlapping CIDR blocks of local and peer VPCs
|
|
2 |
Incorrect route configuration for the local and peer VPCs
|
Refer to Incorrect Route Configuration for Local and Peer VPCs. |
3 |
Incorrect network configuration
|
Refer to Incorrect Network Configuration. |
4 |
ECS network failure |
Refer to ECS Network Failure. |
Overlapping CIDR Blocks of Local and Peer VPCs
If the CIDR blocks of VPCs connected by a VPC peering connection overlap, the connection may not take effect due to route conflicts.
Scenario |
Description |
Solution |
---|---|---|
VPCs with overlapping CIDR blocks also include subnets that overlap. |
As shown in Figure 1, the CIDR blocks of VPC-A and VPC-B overlap, and all their subnets overlap.
|
VPC-A and VPC-B cannot be connected using a VPC peering connection. Replan the network. |
Two VPCs have overlapping CIDR blocks but some of their subnets do not overlap. |
As shown in Figure 2, the CIDR blocks of VPC-A and VPC-B overlap, and some of their subnets overlap.
|
|
If CIDR blocks of VPCs overlap and some of their subnets overlap, you can create a VPC peering connection between their subnets with non-overlapping CIDR blocks. Figure 3 shows the networking diagram of connecting Subnet-A02 and Subnet-B02. Table 3 describes the routes required.
Route Table |
Destination |
Next Hop |
Description |
---|---|---|---|
VPC-A route table |
10.0.2.0/24 |
Peering-AB |
Add a route with the CIDR block of Subnet-B02 as the destination and Peering-AB as the next hop. |
VPC-B route table |
10.0.1.0/24 |
Peering-AB |
Add a route with the CIDR block of Subnet-A02 as the destination and Peering-AB as the next hop. |
Incorrect Route Configuration for Local and Peer VPCs
Check the routes in the route tables of the local and peer VPCs by referring to Viewing Routes Configured for a VPC Peering Connection. Table 4 lists the items that you need to check.
Item |
Solution |
---|---|
Check whether routes are added to the route tables of the local and peer VPCs. |
If routes are not added, add routes by referring to: |
Check the destinations of routes added to the route tables of the local and peer VPCs.
|
If the route destination is incorrect, change it by referring to Modifying Routes Configured for a VPC Peering Connection. |
Incorrect Network Configuration
- Check whether the security group rules of the ECSs that need to communicate with each other allow inbound traffic from each other.
- If the ECSs are associated with the same security group, you do not need to check their rules.
- If the ECSs are associated with different security groups, add an inbound rule to allow access from each other by referring to Security Group Configuration Examples.
- Check whether the firewall of the ECS NIC blocks traffic.
If the firewall blocks traffic, configure the firewall to allow inbound traffic.
- Check whether network ACL rules of the subnets connected by the VPC peering connection deny inbound traffic.
If the network ACL rules deny inbound traffic, configure the rules to allow the traffic.
- If an ECS has more than one NIC, check whether correct policy-based routing has been configured for the ECS and packets with different source IP addresses match their own routes from each NIC.
If an ECS has two NICs (eth0 and eth1):
- IP address of eth0: 192.168.1.10; Subnet gateway: 192.168.1.1
- IP address of eth1: 192.168.2.10; Subnet gateway: 192.168.2.1
Command format:- ping -l IP address of eth0 Subnet gateway address of eth0
- ping -l IP address of eth1 Subnet gateway address of eth1
Run the following commands:- ping -I 192.168.1.10 192.168.1.1
- ping -I 192.168.2.10 192.168.2.1
If the network communication is normal, the routes of the NICs are correctly configured.
ECS Network Failure
- Log in to the ECS.
- Check whether the ECS NIC has an IP address assigned.
- Linux ECS: Use the ifconfig or ip address command to view the IP address of the NIC.
- Windows ECS: In the search box, enter cmd and press Enter. In the displayed command prompt, run the ipconfig command.
If the ECS NIC has no IP address assigned, see
- Check whether the subnet gateway of the ECS can be pinged.
- In the ECS list, click the ECS name.
- On the ECS details page, click the hyperlink of VPC.
- In the VPC list, locate the target VPC and click the number in the Subnets column.
The Subnets page is displayed.
- In the subnet list, click the subnet name.
- Click the IP Addresses tab and view the gateway address of the subnet.
- Check whether the gateway communication is normal:
Example command: ping 172.17.0.1
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot