Disable source destination check for instances that forward traffic

[wheller]

EC2 Machines need source-destination check disabled to accept traffic for addresses that are not assigned to them.

[jmhale]

@wheller Can you give an example of a situation where having the source/dest check enabled is blocking operation of wireguard?

I'm able to access resources inside the VPC and on the internet while this check is enabled.

[wheller]

Hi @jmhale, that's really strange. I was unable to get my Wireguard instance to accept any traffic other than that destined for the IP addresses assigned to it. I'm using the Ubuntu 16.x and 18.x AMIs but I thought that was standard for EC2 instances especially in a VPC.

from https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

Source/destination checking

Disabling source/destination checking enables an instance to handle network traffic that isn't specifically destined for the instance. For example, instances running services such as network address translation, routing, or a firewall should disable the source/destination check attribute. This attribute is enabled by default.