Below are the networks and route tables that were used during testing. I also used the default Security Group for each VPC but I added rule to allow all traffic from 10.0.0.0/8. In a production environment the security group should be more restrictive.
Hub | Spoke 1 | Spoke 2 | |
---|---|---|---|
CIDR | 10.0.0.0/23 | 10.1.0.0/23 | 10.1.2.0/23 |
Public A | 10.0.0.0/26 | 10.1.0.0/26 | 10.1.2.0/26 |
Public B | 10.0.0.64/26 | 10.1.0.64/26 | 10.1.2.64/26 |
Private A / Management A | 10.0.1.0/26 | 10.1.1.0/26 | 10.1.3.0/26 |
Private B / Management B | 10.0.1.64/26 | 10.1.1.64/26 | 10.1.3.64/26 |
VPC Spoke 1 Inbound Route Table | |
---|---|
Destination | Target |
10.1.0.0/23 | Local |
10.1.1.0/26 | GWLB VPCE 1A |
VPC Spoke 1 Public A Route Table | |
---|---|
Destination | Target |
10.1.0.0/23 | Local |
0.0.0.0/0 | IGW |
VPC Spoke 1 Private A Route Table | |
---|---|
Destination | Target |
10.1.0.0/23 | Local |
0.0.0.0/0 | GWLB VPCE 1A |
VPC Spoke 2 Inbound Route Table | |
---|---|
Destination | Target |
10.1.2.0/23 | Local |
10.1.3.0/26 | GWLB VPCE 2A |
VPC Spoke 2 Public A Route Table | |
---|---|
Destination | Target |
10.1.2.0/23 | Local |
0.0.0.0/0 | IGW |
VPC Spoke 2 Private A Route Table | |
---|---|
Destination | Target |
10.1.2.0/23 | Local |
0.0.0.0/0 | GWLB VPCE 2A |
VPC Hub Public A Route Table | |
---|---|
Destination | Target |
10.0.0.0/23 | Local |
0.0.0.0/0 | IGW |
VPC Hub Management A Route Table | |
---|---|
Destination | Target |
10.0.0.0/23 | Local |
0.0.0.0/0 | IGW |
VPC Hub Public B Route Table | |
---|---|
Destination | Target |
10.0.0.0/23 | Local |
0.0.0.0/0 | IGW |
VPC Hub Management B Route Table | |
---|---|
Destination | Target |
10.0.0.0/23 | Local |
0.0.0.0/0 | IGW |
This configuration hairpins the GENEVE traffic from the GWLB to the VyOS instance back to the GWLB. This allows for testing but does not allow for inspection. This configuration should only be used as a POC and not used in production as it allows all traffic.
Public Interface (EC2 eth0) | 10.0.0.7 |
Management Interface (EC2 eth1) | 10.0.1.7 |
GWLB Interface | 10.0.0.49 |
vyos@ip-10-0-0-7:~$ show configuration commands set interfaces ethernet ens5 address 'dhcp' set interfaces ethernet ens6 address 'dhcp' set nat destination rule 100 destination address '10.0.0.7' set nat destination rule 100 inbound-interface 'ens5' set nat destination rule 100 protocol 'udp' set nat destination rule 100 source address '10.0.0.49' set nat destination rule 100 translation address '10.0.0.49' set nat destination rule 100 translation port '6081' set nat source rule 100 destination address '10.0.0.49' set nat source rule 100 destination port '6081' set nat source rule 100 outbound-interface 'ens5' set nat source rule 100 protocol 'udp' set nat source rule 100 source address '10.0.0.49' set nat source rule 100 translation address 'masquerade' set protocols static route 0.0.0.0/0 dhcp-interface 'ens6' vyos@ip-10-0-0-7:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address S/L Description --------- ---------- --- ----------- ens5 10.0.0.7/26 u/u ens6 10.0.1.7/26 u/u vyos@ip-10-0-0-7:~$