Routing/forwarding to onprem site


Hi,

Here my setup:

  • one on-prem site (range 10.1.0.0/16)
  • one AWS Org with two accounts, A & B, with a VPC peering between VPC-A (10.50.0.0/16) and VPC-B (10.20.0.0/16)
  • Wireguard VPN set up between vm1 (on prem) and vmA-1 (VPC-A)
  • VPC-A route table:
    - 10.1.0.0/16 -> vmA-1
    - 10.20.0.0/16 -> peering
    - 10.50.0.0/16 -> local
    - 0.0.0.0/0 -> igw
  • VPC-B route table:
    - 10.0.0.0/8 -> peering
    - 10.20.0.0/16 -> local
    - 0.0.0.0/0 -> igw
  • IP src/dest check is disabled on vmA-1

From an ec2 on any subnet in VPC-A, I can reach vms on prem. From a vm on prem, I can reach ec2s in VPC-A and VPC-B. From an ec2 on any subnet in VPC-B, I can reach vmA-1. From an ec2 on any subnet in VPC-B, I cannot reach vms on prem.

Did I miss something (obviously yes)? Is there any src/dest check that needs to be disabled as well at the peering or route table level?

Thanks for sharing your ideas!

ed
Asked 1 year ago, 263 views

1 answer

This setup will not work: you can only target the VPC-A CIDR over the VPC peering connection. You would need to NAT the traffic on vmA-1 to make this work the way you have it set up now. Using a TGW in place of the VPC peer will allow you to route the traffic the way you are trying to over the VPC peer, as TGWs provide transitive routing and the TGW attachment subnets in VPC-A can redirect the 10.1.0.0/16 traffic to vmA-1. You could also set up the VPN to the Transit Gateway directly, or from the on-prem vm1 to VGWs on both VPCs, or to EC2 instances in both VPCs.

AWS Expert, answered 1 year ago
  • Thanks a lot for confirming that something was wrong in my setup! I'll give the TGW a try and review my peering setup.
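To see why the VPC-B to on-prem path dies at the peering while a Transit Gateway carries it, here is a small Python model of the route lookups in this thread's topology. It is an added illustration written for this page, not code from the question, the answer or AWS; it uses the CIDRs and route tables as posted, while the TGW route table, the attachment names and the way vmA-1 and vm1 hand traffic across the WireGuard tunnel are assumptions. The model encodes two documented AWS behaviours: a VPC route table picks the longest-prefix match, and a VPC peering connection only delivers packets whose destination is inside the peer VPC's own CIDR (peering is not transitive), whereas a Transit Gateway forwards according to its own route table and so can chain VPC-B -> VPC-A -> on-prem.

```python
"""Route-lookup model for the question's topology (added illustration, not AWS code).

Two rules drive the result:
  * a VPC route table picks the longest-prefix match;
  * a VPC peering connection only forwards packets whose destination lies in the
    peer VPC's own CIDR (not transitive), while a Transit Gateway forwards by its
    own route table and can therefore chain VPC-B -> VPC-A -> on-prem.
"""
import ipaddress

ONPREM = ipaddress.ip_network("10.1.0.0/16")  # on-prem range from the question


def lookup(route_table, dst):
    """Longest-prefix match over [(cidr, target), ...]; None if nothing matches."""
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def build_topology(use_tgw=False):
    """CIDRs and routes as posted. With use_tgw the 'peering' target becomes 'tgw'
    and an assumed TGW route table is added (the fix proposed in the answer)."""
    cross = "tgw" if use_tgw else "peering"
    vpcs = {
        "VPC-A": {"cidr": ipaddress.ip_network("10.50.0.0/16"),
                  "routes": [("10.1.0.0/16", "vmA-1"), ("10.20.0.0/16", cross),
                             ("10.50.0.0/16", "local"), ("0.0.0.0/0", "igw")]},
        "VPC-B": {"cidr": ipaddress.ip_network("10.20.0.0/16"),
                  "routes": [("10.0.0.0/8", cross),
                             ("10.20.0.0/16", "local"), ("0.0.0.0/0", "igw")]},
    }
    # Assumed TGW route table: the on-prem and VPC-A prefixes point at the VPC-A
    # attachment; VPC-A's own route table then hands 10.1.0.0/16 to vmA-1.
    tgw_routes = [("10.1.0.0/16", "VPC-A"), ("10.50.0.0/16", "VPC-A"),
                  ("10.20.0.0/16", "VPC-B")] if use_tgw else []
    return {"vpcs": vpcs, "tgw": tgw_routes,
            "peers": {"VPC-A": "VPC-B", "VPC-B": "VPC-A"}}


def vpc_of(topo, ip):
    for name, vpc in topo["vpcs"].items():
        if ip in vpc["cidr"]:
            return name
    return "on-prem" if ip in ONPREM else None


def trace(topo, src, dst):
    """Return the hops a packet src -> dst takes; the last entry starts with
    'delivered', 'dropped' or 'forwarded'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hops = []
    cur = vpc_of(topo, src)
    if cur is None:
        return ["dropped: source is in no known network"]
    if cur == "on-prem":
        # Assumed: vm1 tunnels AWS-bound traffic to vmA-1, which injects it into VPC-A.
        hops.append("vm1 -> WireGuard -> vmA-1")
        cur = "VPC-A"
    for _ in range(8):  # hop limit so a misconfigured loop cannot spin forever
        target = lookup(topo["vpcs"][cur]["routes"], dst)
        hops.append(f"{cur} route table: {dst} -> {target}")
        if target == "local":
            hops.append(f"delivered to {dst} in {cur}")
            return hops
        if target == "vmA-1":
            if dst in ONPREM:
                hops.append("vmA-1 -> WireGuard -> vm1: delivered on-prem")
            else:
                hops.append("dropped: vmA-1 has no tunnel route for this destination")
            return hops
        if target == "peering":
            peer = topo["peers"][cur]
            peer_cidr = topo["vpcs"][peer]["cidr"]
            if dst in peer_cidr:
                cur = peer
                continue
            # Peering is not transitive: anything outside the peer's own CIDR dies here.
            hops.append(f"dropped at peering: {dst} not in {peer} CIDR {peer_cidr}")
            return hops
        if target == "tgw":
            nxt = lookup(topo["tgw"], dst)
            hops.append(f"TGW route table: {dst} -> {nxt} attachment")
            if nxt is None:
                hops.append("dropped: no TGW route")
                return hops
            cur = nxt
            continue
        hops.append(f"forwarded to {target}: leaves the private address space")
        return hops
    hops.append("dropped: hop limit exceeded")
    return hops


if __name__ == "__main__":
    for label, topo in (("VPC peering", build_topology()),
                        ("Transit Gateway", build_topology(use_tgw=True))):
        print(f"--- {label}: VPC-B host 10.20.0.10 -> on-prem host 10.1.0.10")
        print("\n".join(trace(topo, "10.20.0.10", "10.1.0.10")))
```

Run as-is it traces the failing VPC-B -> on-prem packet under both designs: with peering, VPC-B's 10.0.0.0/8 route sends it to the peering, which refuses any destination outside 10.50.0.0/16; with the TGW, the TGW route table hands it to the VPC-A attachment and VPC-A's 10.1.0.0/16 -> vmA-1 route finishes the job. The NAT option in the answer satisfies the same check from the other side: if vmA-1 rewrites addresses so that every packet crossing the peering carries a 10.50.0.0/16 address on the VPC-A side, the peering never sees a 10.1.x destination.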
