AWS VPC Internet Gateway traffic direction

I know how to connect to an EC2 instance by following https://aws.amazon.com/premiumsupport/knowledge-center/vpc-connect-instance/

I want to ask whether there is any traffic direction concept in an AWS VPC Internet Gateway. Why do we set 0.0.0.0/0 as Destination and IGW as Target for my public subnet, and then we can ssh to the EC2 host? This route looks like an outbound traffic setting to me. ssh to EC2 looks inbound from a VPC perspective.

Does 0.0.0.0/0 mean both directions?


Solution 1:

You have Network Access Control Lists that play the role of a firewall and take care of the inbound and outbound traffic. The route table has no idea how to manage your request; it just reads the destination IP and, if it is any IP (0.0.0.0/0), sends it to the next hop, which is the IGW.

Solution 2:

In AWS, VPCs and subnets have the concept of route tables.

A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed.

In a route table we specify where the traffic from our subnet should be redirected, meaning that we are specifying rules for outgoing traffic. In order to give internet access to a subnet, we have to redirect traffic to an IGW (internet gateway).

Route tables use CIDR notation. In CIDR notation 0.0.0.0/0 is basically a wildcard address, meaning it will match everything. Usually this is a lower priority rule in the route table. Traffic which is targeting private IP ranges will be routed internally, while everything else will be routed to the internet through the IGW.

SSH implies both incoming and outgoing traffic. This is why you have to specify 0.0.0.0/0, so the traffic coming from the EC2 will reach the internet and your PC afterwards.
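The two answers above describe two separate mechanisms: the route table decides where a packet leaving the subnet goes (most specific prefix wins, so the VPC's own `local` route beats 0.0.0.0/0), and a Network ACL decides, statelessly and in rule-number order, whether each inbound and each outbound packet is allowed at all. The script below is an added example, not code from the question or either answer, that models both decisions for an SSH session with constructed addresses (10.0.0.0/16 as the VPC, 203.0.113.5 as the client PC, `igw-EXAMPLE` as a placeholder gateway id). It shows why the reply packets from the instance need the 0.0.0.0/0 route, and also the caveat Solution 1 hints at: because NACLs are stateless, the outbound rule must allow the ephemeral ports the SSH client's replies go to, or the session stalls even though the route is correct.

```python
import ipaddress

# Constructed route table for a public subnet (example values, not from the post).
# AWS chooses the most specific matching route (longest prefix), so the /16
# "local" route wins over the 0.0.0.0/0 default route for in-VPC destinations.
ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-EXAMPLE"),   # placeholder internet gateway id
]

# Constructed Network ACL rules: (rule number, protocol, port_from, port_to, cidr, action).
# NACLs are stateless: inbound and outbound are evaluated independently, lowest
# rule number first, first match wins, and the final "*" rule denies everything.
NACL_INBOUND = [
    (100, "tcp", 22, 22, "0.0.0.0/0", "allow"),          # SSH from anywhere (tighten in practice)
    (32767, "all", 0, 65535, "0.0.0.0/0", "deny"),       # the implicit "*" deny
]
NACL_OUTBOUND_OK = [
    (100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),     # replies to the client's ephemeral port
    (32767, "all", 0, 65535, "0.0.0.0/0", "deny"),
]
NACL_OUTBOUND_TOO_STRICT = [
    (100, "tcp", 22, 22, "0.0.0.0/0", "allow"),          # common mistake: only port 22 outbound
    (32767, "all", 0, 65535, "0.0.0.0/0", "deny"),
]


def lookup_route(dst_ip, routes=ROUTE_TABLE):
    """Return the route target for dst_ip using longest-prefix match, or None."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def nacl_decision(rules, proto, port, remote_ip):
    """Evaluate a stateless NACL: first matching rule (by rule number) decides."""
    remote = ipaddress.ip_address(remote_ip)
    for _num, r_proto, lo, hi, cidr, action in sorted(rules):
        if r_proto in ("all", proto) and lo <= port <= hi \
                and remote in ipaddress.ip_network(cidr):
            return action
    return "deny"


def ssh_session(client_ip, client_port, outbound_rules=NACL_OUTBOUND_OK):
    """Model one SSH session: the inbound SYN to port 22 and the instance's reply.

    The inbound packet is delivered by the IGW (it maps the public IP to the
    instance); the subnet route table only matters for the reply leaving the subnet.
    """
    inbound = nacl_decision(NACL_INBOUND, "tcp", 22, client_ip)
    reply_route = lookup_route(client_ip)
    outbound = nacl_decision(outbound_rules, "tcp", client_port, client_ip)
    return {
        "inbound_nacl": inbound,
        "reply_route": reply_route,
        "outbound_nacl": outbound,
        "session_works": inbound == "allow" and reply_route is not None
                         and reply_route != "local" and outbound == "allow",
    }


if __name__ == "__main__":
    print("in-VPC destination ->", lookup_route("10.0.1.7"))
    print("internet destination ->", lookup_route("203.0.113.5"))
    print("correct NACL:", ssh_session("203.0.113.5", 50000))
    print("too-strict NACL:", ssh_session("203.0.113.5", 50000, NACL_OUTBOUND_TOO_STRICT))
```

With the constructed rules, the reply to 203.0.113.5 matches only 0.0.0.0/0 and goes to the IGW, which is the "both directions" effect the question asks about: the route does not admit inbound traffic, it lets the instance's half of the conversation out. Swapping in the too-strict outbound NACL keeps the same route but drops the reply, which is the first thing to check when an instance with a correct route table still cannot be reached.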