By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Route an IP range via VPC peering with an IP address outside the VPC CIDRs?

0

Hello, I am trying to find a way to install Wireguard with IP forwarding on AWS.

Here is my current configuration

  • 2 VPCs : VPC A with range 10.1.0.0/16, and VPC B with range 10.2.0.0/16
  • the 2 VPCs are peered
  • Routing tables in VPC A have a special rule to route the range 10.50.64.0/19 to an EC2 instance in VPC a that contains a Wireguard config (these IPs are for wireguard clients). These allows other EC2 instances in VPC A to reach Wireguard IPs

Problem : I want to allow EC2 instances in VPC B to also reach these IPs in Wireguard VM. This is because I want to be able to implement Security group rules based on VPN clients' IPs in the rest of my infrastructure.

Is there any way to achieve this ? I've seen talks about Transit gateway in this related question https://repost.aws/questions/QUvpd47zdLTLuJxvfLiBWOpw/it-is-possible-to-route-an-ip-address-via-vpc-peering-with-an-ip-address-outside-the-vpc-cidrs , but I'm not sure how it would have to be implemented.

  • Oleksii Bebych EXPERT
    18 days ago

    please accept the answer if it was useful

Topics
Networking & Content DeliveryAWS Well-Architected Framework
Tags
Amazon VPCNetworking & Content DeliverySecuritySecurity Group
Language
English
Jeremy
asked 21 days ago422 views
2 Answers
2

To add context to the other (long) answer about setting up Transit Gateway:

You can't do as you need because you can't route to a specific destination in VPC A from VPC B - you can only route to the VPC peering endpoint. And once the traffic "arrives" in VPC A there is no route evaluation happening - the destination must be in the CIDR range of VPC A.

An easier solution would be to set up a Wireguard endpoint in VPC B.

profile pictureAWS
EXPERT
Brettski-AWS
answered 20 days ago
1
Accepted Answer

To achieve your goal of allowing EC2 instances in VPC B to reach the Wireguard IPs managed by an EC2 instance in VPC A, you can indeed use AWS Transit Gateway. This approach provides a scalable and flexible solution for connecting multiple VPCs and handling routing across them. Here's a step-by-step guide on how to implement this solution:

1. Set Up AWS Transit Gateway

1.1. Create a Transit Gateway:

  • Go to the AWS Management Console.
  • Navigate to the VPC dashboard.
  • Select Transit Gateways and click Create Transit Gateway.
  • Configure the Transit Gateway according to your needs (give it a name, enable default route table association and propagation, etc.).

1.2. Attach VPC A and VPC B to the Transit Gateway:

  • After creating the Transit Gateway, select it and go to the Attachments tab.
  • Click Create Transit Gateway Attachment.
  • Choose VPC as the resource type and select VPC A.
  • Repeat the process to attach VPC B to the Transit Gateway.

2. Configure Route Tables

2.1. Update VPC A Route Table:

  • Navigate to the VPC dashboard and select the route table for VPC A.
  • Add a route for the Wireguard client IP range (10.50.64.0/19) pointing to the Wireguard EC2 instance.
  • Add another route for VPC B CIDR (10.2.0.0/16) pointing to the Transit Gateway.

2.2 Update VPC B Route Table:

  • Navigate to the VPC dashboard and select the route table for VPC B.
  • Add a route for the Wireguard client IP range (10.50.64.0/19) pointing to the Transit Gateway.

2.3. Update Transit Gateway Route Tables:

  • Navigate to the Transit Gateway console.
  • Select the Transit Gateway and go to the Route Tables tab.
  • Ensure that routes are propagated between VPC A and VPC B.
  • You might need to add explicit routes in the Transit Gateway route table to direct traffic for the Wireguard client IP range to VPC A.

3. Security Groups and Network ACLs

3.1. Update Security Groups:

  • Ensure the Security Group associated with the Wireguard EC2 instance in VPC A allows inbound traffic from VPC B CIDR (10.2.0.0/16).
  • Configure Security Groups in VPC B to allow traffic to the Wireguard client IP range (10.50.64.0/19).

3.2. Network ACLs:

  • Ensure Network ACLs for subnets in VPC A and VPC B allow traffic for the necessary IP ranges.

4. Test the Configuration

4.1. Verification:

  • From an EC2 instance in VPC B, try to ping or access a Wireguard client IP to verify the connection.
  • Ensure that the traffic is correctly routed through the Transit Gateway to the Wireguard EC2 instance in VPC A.

Alternative Approach: Direct VPC Peering (Advanced) If you prefer to stick with VPC peering without using a Transit Gateway, you would need to set up more complex routing and possibly a NAT or similar mechanism to forward traffic between the VPCs correctly. However, using a Transit Gateway is typically more scalable and simpler to manage in larger or growing environments.

By following these steps, you should be able to route traffic from EC2 instances in VPC B to the Wireguard IPs managed by an EC2 instance in VPC A, leveraging the AWS Transit Gateway for efficient and manageable inter-VPC routing.

profile picture
EXPERT
Oleksii Bebych
answered 21 days ago
  • Jeremy
    17 days ago

    Thanks, it is very useful, I will try it out !

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content