
So, we're running a simulated network on a server in AWS and I'm trying to figure out how to enable routing to that simulated network both from inside AWS and from our remote offices.

Our VPC CIDR is 10.10.0.0/18. The simulated network is 10.10.128.0/20 (just outside the range of the CIDR associated with the VPC). Our server is sitting on 10.10.10.5.

BGP is advertising the 10.10.0.0/18 route to our offices and I can access the server (not the simulation network) from within AWS and from remote office sites.

Within the routing table associated with the VPC, I can add a route to 10.10.128.0/20 via the network interface of the server. This works, and allows traffic from AWS servers to the Simulated network. However, remote sites cannot, as 10.10.128.0/20 is outside 10.10.0.0/18 that is advertised through BGP.

I cannot add 10.10.128.0/20 as a CIDR associated with the VPC without removing the routing entry from the routing table. I've tried this, and 10.10.128.0/20 gets advertised to remote sites, but there is nothing inside AWS to tell the traffic to go to the server interface, so anything to a 10.10.128.0/20 address gets "effectively" blackholed.

While the simulation network CIDR is added to the VPC, I cannot add a static route for the same CIDR to route via the server interface. While the simulation network CIDR is added to the routing table through the instance's ENI, I cannot add the simulation network CIDR to the VPC.

I'm stumped where to go next...

MCC
  • You can send *everything* from a virtual private gateway to an EC2 ENI first... not sure if that's helpful, but you might take a look since it might be the only workaround. https://aws.amazon.com/blogs/aws/new-vpc-ingress-routing-simplifying-integration-of-third-party-appliances/ – Michael - sqlbot Mar 31 '20 at 19:02

1 Answer


You need to add a static route at your remote sites to forward traffic for 10.10.128.0/20 to the address of the AWS BGP peer. Redistribute that route inside your remote site(s).

You could also consider NATing your simulated network (maybe just management interfaces?) to something in the VPC range.

Ron Trunk
  • There isn't a VPC route table that applies to traffic coming in from a VGW. – Michael - sqlbot Mar 31 '20 at 19:01
  • The route goes at the remote site, not the VPC. In other words add ip route 10.10.128.0/24 . (169.254.x.y) – Ron Trunk Mar 31 '20 at 19:29
  • Yes, you theoretically need that too... but it won't help, because in a VPC, there is no route table for handling the inbound traffic from a VGW. All the inbound routing is implicit and none of the VPC route tables, including the default table, are used... so only traffic destined for IP addresses *assigned* to ENIs can actually be delivered into a VPC from a virtual private gateway. – Michael - sqlbot Mar 31 '20 at 20:26
  • @Michael-sqlbot The OP said *"Within the routing table associated with the VPC, I can add a route to 10.10.128.0/20 via the network interface of the server. This works, and allows traffic from AWS servers to the Simulated network."* Adding the static at the remote should do it, although I confess I haven't labbed this up. – Ron Trunk Mar 31 '20 at 20:48
  • *"This works, and allows traffic* ***from AWS servers*** *to the Simulated network."* It does not allow traffic from the Virtual Private Gateway -- only traffic from VMs whose subnets are associated with that route table, explicitly or implicitly. As I've asserted, no user-accessible route table is consulted for incoming traffic. – Michael - sqlbot Apr 01 '20 at 00:43
  • VPC route tables can be associated with VGWs and IGWs using the VPC Ingress Routing feature that AWS launched in 2019. I've used this feature to force all inbound traffic toward the Elastic Network Interface (ENI) of a FW implemented on an EC2 instance. – Jeff Loughridge Apr 01 '20 at 11:47
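The ingress routing feature the last comment describes, written out as an added Terraform example that is not part of the question, the answer or any comment. The VPC, VGW and subnet ids are assumed inputs, the server's /24 subnet is assumed, and only the 10.10.10.5 address comes from the question.

```hcl
# Added example, not code from the question or answer: Terraform for the VPC
# ingress routing feature named in the last comment. Assumed inputs: an existing
# VPC, its virtual private gateway, and the subnet that holds the server.
variable "vpc_id" {}
variable "vgw_id" {}
variable "server_subnet_id" {}
variable "server_ip" { default = "10.10.10.5" }               # from the question
variable "server_subnet_cidr" { default = "10.10.10.0/24" }   # assumed /24 inside 10.10.0.0/18

# The server forwards packets that are not addressed to itself, so EC2's
# source/destination check must be disabled on its ENI; otherwise EC2 drops
# the forwarded packets silently. Attach a security group that admits only the
# office and VPC prefixes that are meant to reach the simulated network.
resource "aws_network_interface" "server" {
  subnet_id         = var.server_subnet_id
  private_ips       = [var.server_ip]
  source_dest_check = false
}

# Gateway route table: consulted only for traffic entering the VPC through the
# VGW. Unlike a subnet route table, it may steer an in-VPC prefix to an ENI.
# Caveat: destinations must lie inside the VPC's CIDR ranges, and the VGW only
# advertises VPC CIDRs over BGP, so this table alone cannot make a range that
# is not a VPC CIDR reachable from the offices.
resource "aws_route_table" "vgw_ingress" {
  vpc_id = var.vpc_id
  tags   = { Name = "vgw-ingress" }

  route {
    cidr_block           = var.server_subnet_cidr
    network_interface_id = aws_network_interface.server.id
  }
}

# Associating the table with the gateway rather than a subnet is what makes it
# an ingress (gateway) route table.
resource "aws_route_table_association" "vgw_ingress" {
  gateway_id     = var.vgw_id
  route_table_id = aws_route_table.vgw_ingress.id
}
```

After `terraform apply`, `aws ec2 describe-route-tables` shows the new table with a gateway association instead of a subnet association, which is the quick way to confirm the ingress table took effect.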