Attempting to set up AWS inter-VPC communication using VyOS


#1

Hi there,

I’m attempting to set up a connection from a VyOS instance in one AWS VPC to another AWS VPC. I’m broadly following this guide, but I don’t fully understand the AWS config side of things (I’m not sure if the steps outlined in this guide will actually work either). https://www.cloudreach.com/gb-en/2014/06/2435/

I have a few questions then.

  1. Do the steps in the above guide make sense? (Struggling with the CGW/VGW side of the config.)
  2. Will my VyOS instance be able to connect to several different VPCs? (E.g. eu-central, eu-west, Sydney)
  3. Am I ok with a simple eth0 and a public Elastic IP address (which does not show up in VyOS)?

Any help much appreciated, thanks.


#2

Hello,
CGW (Customer Gateway) is your VyOS instance,
VGW (Amazon Virtual gateway) is the AWS side of the connection,
see


for example


#3

Hi syncer, thanks for the response. I’m still a little confused though, as in VPC_A my VyOS instance cannot set up a VPN connection to a VGW in VPC_B, unless I’m mistaken.

I would have thought that it would be something like:
VyOS instance in VPC_A
CGW in VPC_B, which the VyOS instance creates a VPN connection to. The CGW is bound to the VGW in VPC_B which allows the Inter VPC network access.

The link shows how to set up a NAT GW using VyOS. Is that a requirement of the scenario outlined above then?

Much obliged for your response.


#4

UPDATE: So I’ve established the VPN connection, however ping only works one way: from destination network to source. My VyOS cannot ping the remote network. Sounds like someone else on that page had the same issue: https://www.cloudreach.com/gb-en/2014/06/2435/


#5

We are trying to set up the same thing right now, so maybe we can help each other.

We have one “admin” VPC, “vpc1,” 172.16.0.0/17 in us-east-1, and then regional VPCs in each of the AWS regions, defined as the next successive CIDR blocks.

We deployed a VyOS instance in the admin VPC and gave it an elastic IP.

In the regional VPCs, for example vpc2, we:

  1. Added a Customer Gateway set to the VyOS’ elastic IP, with a BGP ASN of 65000 (default)
  2. Added a Virtual Private Gateway for vpc1 and its CIDR range
  3. Added a dynamic (BGP) VPN Connection between the VPG and CG

Then, we go to the VyOS and use https://github.com/mboret/aws-vyos to configure it. Both tunnels come up, yay.

And then we go to the route tables and

  1. Add static routes through the VyOS to the regional VPCs in vpc1
  2. Set the route tables to “propagate” in vpc2…n

And lo and behold the route back to vpc1 via the vgw magically appears in vpc2…n’s route tables. It all looks good.

But it still doesn’t fully work. Traffic from vpc1 to systems in the regional VPCs goes over the link, gets to the box, gets back to the VyOS, and then doesn’t get any farther (as tcpdumping on the hosts shows). You can even see an ssh connection initiate to a system in the regional VPC, but since no responses get back it times out. Traffic from vpc2 to a host in vpc1 gets “no route to host.” From the VyOS I can hit servers in vpc1 (ssh, ping) but not in the regional VPCs.

No network ACLs, and security groups are open to facilitate the testing.
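The hub-and-spoke routing described in this post (static routes in vpc1 pointing at the VyOS, propagated VGW routes back in vpc2…n) only carries return traffic if every piece lines up. The script below is an added example, not code from any poster or from the aws-vyos project: it audits a constructed snapshot of the route tables, shaped like the `Routes` lists that boto3's `describe_route_tables` returns, and checks both directions for each regional CIDR. It also checks the EC2 `SourceDestCheck` attribute, which the thread does not mention but which must be disabled on any instance that forwards packets it did not originate. All resource IDs, CIDRs beyond those in the post, and the `audit`/`route_covering` helpers are assumptions made for the example.

```python
"""Offline audit of hub-and-spoke VPC routing (constructed data, no AWS calls)."""
import ipaddress

# Constructed sample data. IDs are placeholders, not real AWS resources.
VPC1_CIDR = "172.16.0.0/17"                       # "admin" VPC from the post
REGIONAL_CIDRS = {                                 # next successive /17 blocks (assumed)
    "vpc2": "172.16.128.0/17",
    "vpc3": "172.17.0.0/17",
}
VYOS_ENI = "eni-vyos-placeholder"                  # ENI of the VyOS instance in vpc1

ROUTE_TABLES = {
    "vpc1": [
        {"DestinationCidrBlock": "172.16.0.0/17", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "172.16.128.0/17", "NetworkInterfaceId": VYOS_ENI, "State": "active"},
        # deliberately missing: static route to vpc3 via the VyOS
    ],
    "vpc2": [
        {"DestinationCidrBlock": "172.16.128.0/17", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "172.16.0.0/17", "GatewayId": "vgw-placeholder",
         "Origin": "EnableVgwRoutePropagation", "State": "active"},
    ],
    "vpc3": [
        {"DestinationCidrBlock": "172.17.0.0/17", "GatewayId": "local", "State": "active"},
        # deliberately missing: propagated route back to vpc1
    ],
}

# EC2 defaults SourceDestCheck to True; a forwarding instance needs it False.
VYOS_SOURCE_DEST_CHECK = True


def route_covering(routes, cidr):
    """Return the most specific active route whose destination contains cidr, or None."""
    target = ipaddress.ip_network(cidr)
    best = None
    for route in routes:
        if route.get("State") != "active" or "DestinationCidrBlock" not in route:
            continue
        dest = ipaddress.ip_network(route["DestinationCidrBlock"])
        if not target.subnet_of(dest):
            continue
        if best is None or dest.prefixlen > ipaddress.ip_network(best["DestinationCidrBlock"]).prefixlen:
            best = route
    return best


def audit(route_tables, vpc1_cidr, regional_cidrs, vyos_eni, source_dest_check):
    """Check forward and return paths for every regional VPC; return a list of findings."""
    findings = []
    if source_dest_check:
        findings.append("vyos: SourceDestCheck is enabled; EC2 drops forwarded packets until it is disabled")
    for name, cidr in regional_cidrs.items():
        # Forward path: vpc1 must send the regional CIDR to the VyOS ENI, not to 'local' or a VGW.
        fwd = route_covering(route_tables.get("vpc1", []), cidr)
        if fwd is None or fwd.get("NetworkInterfaceId") != vyos_eni:
            findings.append(f"vpc1: no static route to {name} ({cidr}) via the VyOS ENI")
        # Return path: the regional VPC must have a route to vpc1's CIDR pointing at its VGW.
        back = route_covering(route_tables.get(name, []), vpc1_cidr)
        if back is None:
            findings.append(f"{name}: no route back to vpc1 ({vpc1_cidr}); enable VGW route propagation")
        elif not str(back.get("GatewayId", "")).startswith("vgw-"):
            findings.append(f"{name}: route to vpc1 does not point at a VGW ({back})")
    return findings


def run_audit():
    """Run the audit over the constructed snapshot above."""
    return audit(ROUTE_TABLES, VPC1_CIDR, REGIONAL_CIDRS, VYOS_ENI, VYOS_SOURCE_DEST_CHECK)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Against the constructed snapshot this reports three problems: the SourceDestCheck flag, the missing vpc1 route to vpc3, and the missing propagated route in vpc3. The same checks apply unchanged to live data if `ROUTE_TABLES` is filled from `describe_route_tables` and the flag from `describe_instance_attribute`; what the script cannot see is the BGP and IPsec state inside the VyOS, so a clean result here only rules out the AWS routing layer.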