We are trying to set up the same thing right now, so maybe we can help each other.
We have one “admin” VPC, “vpc1,” 172.16.0.0/17 in us-east-1, and then regional VPCs in each of the AWS regions, defined as the next successive CIDR blocks.
We deployed a VyOS instance in the admin VPC and gave it an elastic IP.
In the regional VPCs, for example vpc2, we:
- Added a Customer Gateway set to the VyOS’ elastic IP, with a BGP ASN of 65000 (default)
- Added a Virtual Private Gateway for vpc1 and its CIDR range
- Added a dynamic (BGP) VPN Connection between the VPG and CG
Then, we go to the VyOS and use https://github.com/mboret/aws-vyos to configure it. Both tunnels come up, yay.
And then we go to the route tables and
- Add static routes through the VyOS to the regional VPCs in vpc1
- Set the route tables to “propagate” in vpc2…n
And lo and behold the route back to vpc1 via the vgw magically appears in vpc2…n’s route tables. It all looks good.
But it still doesn’t fully work. Traffic from vpc1 to systems in the regional VPCs goes over the link, gets to the box, gets back to the VyOS, and then doesn’t get any farther (as tcpdumping on the hosts shows). You can even see an ssh connection initiate to a system in the regional VPC, but since no responses get back it times out. Traffic from vpc2 to a host in vpc1 gets “no route to host.” From the VyOS I can hit servers in vpc1 (ssh, ping) but not in the regional VPCs.
No network ACLs, and security groups are open to facilitate the testing.
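Not from the thread: an added offline checker, written against the dict shapes boto3's describe_route_tables and describe_instances return, that encodes the three conditions this hub layout depends on (source/destination check disabled on the VyOS instance, static routes in vpc1 to each regional CIDR via that instance, and propagated VGW routes back to 172.16.0.0/17 in the regional tables). The instance and gateway IDs, the vpc2 block 172.16.128.0/17 and the sample records are constructed; `check_hub` is a hypothetical helper name.

```python
"""Offline checks for the VyOS hub layout above; input dicts follow boto3's
describe_route_tables / describe_instances shapes. Sample records are constructed."""
from ipaddress import ip_network

ADMIN_CIDR = "172.16.0.0/17"            # vpc1, from the post
REGIONAL_CIDRS = ["172.16.128.0/17"]    # vpc2; constructed example block

def check_hub(route_tables, instances, vyos_id, admin_vpc_id):
    """Return a list of findings; an empty list means all three conditions hold."""
    findings = []
    # 1. An instance forwarding packets for other hosts needs SourceDestCheck off,
    #    otherwise EC2 drops the traffic the VyOS hands back toward vpc1 hosts.
    for inst in instances:
        if inst["InstanceId"] == vyos_id and inst.get("SourceDestCheck", True):
            findings.append(f"{vyos_id}: SourceDestCheck still enabled")
    for rt in route_tables:
        rid, active = rt["RouteTableId"], [r for r in rt["Routes"] if r.get("State") == "active"]
        if rt["VpcId"] == admin_vpc_id:
            # 2. vpc1 tables need a static route covering each regional CIDR via the VyOS.
            via_vyos = [ip_network(r["DestinationCidrBlock"]) for r in active
                        if r.get("InstanceId") == vyos_id and "DestinationCidrBlock" in r]
            for cidr in REGIONAL_CIDRS:
                if not any(ip_network(cidr).subnet_of(n) for n in via_vyos):
                    findings.append(f"{rid}: no active route to {cidr} via {vyos_id}")
        else:
            # 3. Regional tables must propagate from the VGW and hold the admin route.
            if not rt.get("PropagatingVgws"):
                findings.append(f"{rid}: VGW route propagation not enabled")
            if not any(r.get("Origin") == "EnableVgwRoutePropagation"
                       and r.get("DestinationCidrBlock") == ADMIN_CIDR for r in active):
                findings.append(f"{rid}: no propagated route back to {ADMIN_CIDR}")
    return findings

# Constructed sample: routes match the post, but the instance attribute was never changed.
VYOS_ID = "i-0123456789abcdef0"
SAMPLE_INSTANCES = [{"InstanceId": VYOS_ID, "SourceDestCheck": True}]
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-admin", "VpcId": "vpc-1", "Routes": [
        {"DestinationCidrBlock": ADMIN_CIDR, "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "172.16.128.0/17", "InstanceId": VYOS_ID,
         "Origin": "CreateRoute", "State": "active"}]},
    {"RouteTableId": "rtb-vpc2", "VpcId": "vpc-2",
     "PropagatingVgws": [{"GatewayId": "vgw-0123456789abcdef0"}], "Routes": [
        {"DestinationCidrBlock": "172.16.128.0/17", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": ADMIN_CIDR, "GatewayId": "vgw-0123456789abcdef0",
         "Origin": "EnableVgwRoutePropagation", "State": "active"}]},
]
```

Feed it the real API output and an empty list means the VPC side is consistent, leaving the VyOS configuration itself as the remaining suspect.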