AWS Gateway Load Balancer

Description

Diagram

Testing Network

Below are the networks and route tables that were used during testing. I also used the default Security Group for each VPC, but I added a rule to allow all traffic from 10.0.0.0/8. In a production environment the security group should be more restrictive.

                           Hub            Spoke 1        Spoke 2
-------------------------  -------------  -------------  -------------
CIDR                       10.0.0.0/23    10.1.0.0/23    10.1.2.0/23
Public A                   10.0.0.0/26    10.1.0.0/26    10.1.2.0/26
Public B                   10.0.0.64/26   10.1.0.64/26   10.1.2.64/26
Private A / Management A   10.0.1.0/26    10.1.1.0/26    10.1.3.0/26
Private B / Management B   10.0.1.64/26   10.1.1.64/26   10.1.3.64/26

Spoke VPC Route Tables

VPC Spoke 1 Inbound Route Table
Destination    Target
-----------    ------
10.1.0.0/23    Local
10.1.1.0/26    GWLB VPCE 1A

VPC Spoke 1 Public A Route Table
Destination    Target
-----------    ------
10.1.0.0/23    Local
0.0.0.0/0      IGW

VPC Spoke 1 Private A Route Table
Destination    Target
-----------    ------
10.1.0.0/23    Local
0.0.0.0/0      GWLB VPCE 1A

VPC Spoke 2 Inbound Route Table
Destination    Target
-----------    ------
10.1.2.0/23    Local
10.1.3.0/26    GWLB VPCE 2A

VPC Spoke 2 Public A Route Table
Destination    Target
-----------    ------
10.1.2.0/23    Local
0.0.0.0/0      IGW

VPC Spoke 2 Private A Route Table
Destination    Target
-----------    ------
10.1.2.0/23    Local
0.0.0.0/0      GWLB VPCE 2A

Shared (Hub) VPC Route Tables

VPC Hub Public A Route Table
Destination    Target
-----------    ------
10.0.0.0/23    Local
0.0.0.0/0      IGW

VPC Hub Management A Route Table
Destination    Target
-----------    ------
10.0.0.0/23    Local
0.0.0.0/0      IGW

VPC Hub Public B Route Table
Destination    Target
-----------    ------
10.0.0.0/23    Local
0.0.0.0/0      IGW

VPC Hub Management B Route Table
Destination    Target
-----------    ------
10.0.0.0/23    Local
0.0.0.0/0      IGW

Instance Firewall (VyOS) Configuration

This configuration hairpins the GENEVE traffic that the GWLB sends to the VyOS instance straight back to the GWLB. That is enough to verify the routing path, but the instance performs no inspection: every flow is returned unchanged. Treat it as a proof of concept only; it must not be used in production, because it allows all traffic.

Public Interface (EC2 eth0)       10.0.0.7
Management Interface (EC2 eth1)   10.0.1.7
GWLB Interface                    10.0.0.49

vyos@ip-10-0-0-7:~$ show configuration commands
set interfaces ethernet ens5 address 'dhcp'
set interfaces ethernet ens6 address 'dhcp'
set nat destination rule 100 destination address '10.0.0.7'
set nat destination rule 100 inbound-interface 'ens5'
set nat destination rule 100 protocol 'udp'
set nat destination rule 100 source address '10.0.0.49'
set nat destination rule 100 translation address '10.0.0.49'
set nat destination rule 100 translation port '6081'
set nat source rule 100 destination address '10.0.0.49'
set nat source rule 100 destination port '6081'
set nat source rule 100 outbound-interface 'ens5'
set nat source rule 100 protocol 'udp'
set nat source rule 100 source address '10.0.0.49'
set nat source rule 100 translation address 'masquerade'
set protocols static route 0.0.0.0/0 dhcp-interface 'ens6'

vyos@ip-10-0-0-7:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
ens5             10.0.0.7/26                       u/u
ens6             10.0.1.7/26                       u/u
vyos@ip-10-0-0-7:~$
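The NAT hairpin above returns every GENEVE datagram to the GWLB unseen. As an added example (not part of these notes, VyOS, or AWS), the following Python shows the step the hairpin skips: decapsulate the GENEVE datagram arriving on UDP 6081, read the inner IPv4 5-tuple, and apply a hypothetical allow-list built from this test network's private subnets. The sample datagram, the option it carries, and the policy are all constructed here; a real appliance would also have to re-encapsulate forwarded packets with the original GENEVE header and options before sending them back to the GWLB.

```python
import struct
from ipaddress import ip_address, ip_network
ETHERTYPE_IPV4 = 0x0800   # GENEVE protocol-type value for a raw IPv4 payload (no inner Ethernet header)

def parse_geneve(datagram: bytes):
    """Return (vni, options, inner_packet) from a GENEVE datagram (RFC 8926 header layout)."""
    first, _flags, proto = struct.unpack("!BBH", datagram[:4])   # Ver(2) OptLen(6) | flags | ProtocolType(16)
    if first >> 6 != 0 or proto != ETHERTYPE_IPV4:
        raise ValueError("unsupported GENEVE version or inner protocol")
    opt_len = (first & 0x3F) * 4
    vni = int.from_bytes(datagram[4:7], "big")
    opts_raw = datagram[8:8 + opt_len]
    if len(opts_raw) != opt_len:
        raise ValueError("truncated GENEVE options")
    options, pos = [], 0
    while pos < opt_len:                      # each option: Class(16) Type(8) R(3) Len(5) + Len*4 data bytes
        cls, typ, length = struct.unpack("!HBB", opts_raw[pos:pos + 4])
        data_len = (length & 0x1F) * 4
        options.append((cls, typ, opts_raw[pos + 4:pos + 4 + data_len]))
        pos += 4 + data_len
    return vni, options, datagram[8 + opt_len:]

def inner_flow(ip_pkt: bytes):
    """Return (proto, src, dst, sport, dport) of the encapsulated IPv4 packet; ports are None unless TCP/UDP."""
    ihl = (ip_pkt[0] & 0x0F) * 4
    proto, src, dst = ip_pkt[9], ip_address(ip_pkt[12:16]), ip_address(ip_pkt[16:20])
    l4 = ip_pkt[ihl:ihl + 4]
    ports = struct.unpack("!HH", l4) if proto in (6, 17) and len(l4) == 4 else (None, None)
    return (proto, src, dst) + ports

# Hypothetical policy (an assumption, not from the notes): spoke private subnets reach the hub only on TCP/443.
ALLOWED = [(ip_network("10.1.1.0/26"), ip_network("10.0.0.0/23"), 6, 443),
           (ip_network("10.1.3.0/26"), ip_network("10.0.0.0/23"), 6, 443)]

def decide(datagram: bytes) -> str:
    """Inspection verdict for one GENEVE datagram: 'forward' (return it to the GWLB) or 'drop'."""
    _vni, _options, inner = parse_geneve(datagram)
    proto, src, dst, _sport, dport = inner_flow(inner)
    for src_net, dst_net, allowed_proto, allowed_port in ALLOWED:
        if src in src_net and dst in dst_net and proto == allowed_proto and dport == allowed_port:
            return "forward"
    return "drop"

def build_sample(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Constructed test datagram: GENEVE header, one 8-byte option, minimal IPv4 header and L4 ports."""
    header = struct.pack("!BBH3sB", 2, 0, ETHERTYPE_IPV4, b"\x00\x00\x00", 0)   # OptLen = 2 words, VNI 0
    option = struct.pack("!HBB", 0x0001, 1, 1) + b"\x00\x00\x00\x2a"           # constructed option, 1 word of data
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed)
    return header + option + ipv4 + struct.pack("!HH", sport, dport)
```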

Findings