Been googling like crazy and can't find an answer. We have three AZs/subnets since we're in Ohio (us-east-2), but this diagram is close enough to explain the issue.
We've set up Squid proxies to filter outbound traffic from one of our services.
- For each AZ, app servers are in a private subnet.
- Then there's a proxy in each public subnet for that AZ.
- The route table for the private subnet points 0.0.0.0/0 at the ENI of the proxy in the corresponding public subnet (rough sketch of the wiring below).
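For reference, this is roughly how each private-subnet/proxy pair is wired up. A minimal boto3 sketch with placeholder IDs, not our actual provisioning code; note that the source/destination check has to be disabled on the proxy ENI or it will drop traffic that isn't addressed to it:

```python
import boto3

ec2 = boto3.client("ec2", region_name="us-east-2")

# Placeholder IDs -- one proxy ENI / private route table pair per AZ.
PROXY_ENI_ID = "eni-0123456789abcdef0"
PRIVATE_RT_ID = "rtb-0123456789abcdef0"

# The proxy can only forward traffic it didn't originate if the
# source/destination check on its ENI is disabled.
ec2.modify_network_interface_attribute(
    NetworkInterfaceId=PROXY_ENI_ID,
    SourceDestCheck={"Value": False},
)

# Default route for the private subnet: everything egresses via the proxy ENI.
ec2.create_route(
    RouteTableId=PRIVATE_RT_ID,
    DestinationCidrBlock="0.0.0.0/0",
    NetworkInterfaceId=PROXY_ENI_ID,
)
```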
Over time, outbound traffic from each subnet died. It took us a while to figure out what was going wrong, so as each subnet died we removed that subnet's instances from the service's ALB and motored on with a hobbled service while we researched. Yesterday the third subnet died, and we decided to "route around" the proxies by pointing the private subnets directly at the NAT gateway for each AZ. When we opened the route tables, we noticed the route to each proxy's ENI was listed as a blackhole.
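In case anyone wants to check their own tables the same way, the blackhole state is visible through the API as well as the console. A minimal boto3 sketch (no IDs assumed, it just scans every route table in the region):

```python
import boto3

ec2 = boto3.client("ec2", region_name="us-east-2")

# Report any route whose target has gone away ("blackhole" state).
for rt in ec2.describe_route_tables()["RouteTables"]:
    for route in rt["Routes"]:
        if route.get("State") == "blackhole":
            print(
                rt["RouteTableId"],
                route.get("DestinationCidrBlock"),
                "->",
                route.get("NetworkInterfaceId"),
            )
```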
We've inspected
- Proxy instance logs
- ENI allocation times, and
- CloudTrail logs
...looking for any indication of why the ENIs had become invalid, breaking our default routes. Nothing useful at all.
- The instances have been up for over three weeks
- The ENI allocation timestamp matches the instance creation time
- The boot logs don't show any reboots
- CloudTrail doesn't show any modifications to the ENIs / instances (the query we ran is roughly the sketch below).
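For anyone who wants to reproduce the CloudTrail check: this is roughly what we ran, as a boto3 sketch with a placeholder ENI ID. lookup_events only matches on a handful of attribute keys, so we filtered on ResourceName; we expected to see a delete/detach/modify call against each ENI, and there was nothing beyond the original creation:

```python
import boto3

ct = boto3.client("cloudtrail", region_name="us-east-2")

# Placeholder -- one of the proxy ENIs from the route table.
PROXY_ENI_ID = "eni-0123456789abcdef0"

# Pull every management event that references the ENI by resource name.
paginator = ct.get_paginator("lookup_events")
for page in paginator.paginate(
    LookupAttributes=[
        {"AttributeKey": "ResourceName", "AttributeValue": PROXY_ENI_ID}
    ]
):
    for event in page["Events"]:
        print(event["EventTime"], event["EventName"], event.get("Username"))
```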
We're stumped. How can our route table "suddenly" contain a route to an ENI that doesn't exist?
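For what it's worth, this is the sanity check we've been using to confirm the ENI ID stored in a blackhole route really is gone rather than just detached (placeholder ID again; a deleted ENI makes describe_network_interfaces raise InvalidNetworkInterfaceID.NotFound):

```python
import boto3
from botocore.exceptions import ClientError

ec2 = boto3.client("ec2", region_name="us-east-2")

# Placeholder -- the ENI ID copied out of the blackhole route.
ROUTE_ENI_ID = "eni-0123456789abcdef0"

try:
    resp = ec2.describe_network_interfaces(NetworkInterfaceIds=[ROUTE_ENI_ID])
    eni = resp["NetworkInterfaces"][0]
    print("ENI exists:", eni["NetworkInterfaceId"], eni["Status"])
except ClientError as err:
    # InvalidNetworkInterfaceID.NotFound => the ENI in the route no longer exists.
    print("Lookup failed:", err.response["Error"]["Code"])
```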