Reach company network via Strongswan VPN gateway in peered AWS VPC


I have two AWS accounts in AWS China (Beijing). There is a shared-services account and an application account. As there is no VPN gateway service available in AWS China, we set up an EC2 instance within the shared-services account running StrongSwan, which holds an IPsec tunnel with my company's firewall.

The VPC in my app account is peered with the VPC in the shared-services account. Most things are working fine: I can reach some endpoints in my company's network via the IPsec tunnel from EC2 instances within the shared-services account, and I can reach the StrongSwan VPN instance from EC2 instances within the app account.

Unfortunately, I'm not able to reach endpoints in my company's network from EC2 instances within the app account.

In the app account, routes to my company's IP networks are set to be reachable via the VPC peering connection. In the main route table in my shared-services account, I also have routes for my company's networks to be reached via the network interface of the StrongSwan ec2 instance.

Are there any limitations in VPC peering, so that I can't reach my company's networks via the VPC peering connection first and then the StrongSwan instance? Does AWS block packets which are sent over a VPC peering connection but have a destination IP outside the peered VPC's network?

  • Connections from instances in shared-services account to endpoints in my company's network are working
  • Connections from instances in shared-services account to endpoints in app account are working
  • Connections from instances in app account to instances in shared-services account are working
  • Connections from instances in app account to instances in my company's network, which can be reached via a StrongSwan VPN instance in shared-services account, are NOT working.
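An added check, not from the question or any answer, that models the route tables described above in the shape of `aws ec2 describe-route-tables` output (all CIDRs, VPC, pcx- and eni- ids are constructed placeholders) and applies the AWS rule that a peering connection only forwards traffic destined for the peer VPC's own CIDR, with no edge-to-edge routing through a VPN instance behind the peer:

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
# CIDRs and ids are placeholders, not the poster's real values.
COMPANY_NET = "10.50.0.0/16"
ROUTE_TABLES = {
    "vpc-app": {"cidr": "10.1.0.0/16", "routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.2.0.0/16", "VpcPeeringConnectionId": "pcx-app-shared"},
        {"DestinationCidrBlock": COMPANY_NET, "VpcPeeringConnectionId": "pcx-app-shared"},
    ]},
    "vpc-shared": {"cidr": "10.2.0.0/16", "routes": [
        {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-app-shared"},
        {"DestinationCidrBlock": COMPANY_NET, "NetworkInterfaceId": "eni-strongswan"},
    ]},
}
PEERS = {"pcx-app-shared": ("vpc-app", "vpc-shared")}  # requester, accepter

def next_hop(vpc, dst):
    """Longest-prefix-match route for dst in the VPC's route table, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in ROUTE_TABLES[vpc]["routes"]:
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    return best[1] if best else None

def trace(vpc, dst):
    """Follow routes hop by hop from vpc towards dst; return (reached, reason)."""
    for _ in range(4):
        r = next_hop(vpc, dst)
        if r is None:
            return False, f"{vpc}: no route to {dst}"
        if r.get("GatewayId") == "local":
            return True, f"{vpc}: delivered locally"
        if "NetworkInterfaceId" in r:
            # The VPN instance's ENI only forwards if source/dest check is disabled.
            return True, f"{vpc}: forwarded to {r['NetworkInterfaceId']}"
        pcx = r["VpcPeeringConnectionId"]
        a, b = PEERS[pcx]
        peer = b if vpc == a else a
        # AWS forwards over a peering connection only to the peer VPC's own CIDR;
        # a destination behind the peer's VPN instance is dropped at the peering.
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(ROUTE_TABLES[peer]["cidr"]):
            return False, f"{vpc}: {dst} is outside {peer} CIDR; dropped by {pcx}"
        vpc = peer
    return False, "hop limit exceeded"
```

Running `trace("vpc-app", "10.50.1.1")` reproduces the failing case in the list above, while the same destination traced from `vpc-shared` reaches the StrongSwan ENI.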