Routing/forwarding to onprem site

Question

Hi,

Here my setup:
 - one on prem site (range 10.1.0.0/16)
 - one AWS Org with two account A & B, with a VPC peering between VPC-A (10.50.0.0/16) and VPC-B (10.20.0.0/16)
 - Wireguard VPN setup between vm1 (on prem) and vmA-1 (VPC-A)
 - VPC-A route: 
         - 10.1.0.0/16 -> vmA-1
         - 10.20.0.0/16 -> peering
         - 10.50.0.0/16 -> local
         - 0.0.0.0/0 -> igw
 - VPC-B route:
         - 10.0.0.0/8 -> peering
         - 10.20.0.0/16 -> local
         - 0.0.0.0/0 -> igw
- IP src/dest check is disable on vmA-1

From an ec2 on any subnet in VPC-A, I can reach vms on prem.
From an vm on prem, I can reach ec2s in VPC-A and VPC-B.
From ec2 on any subnet in VPC-B, I can reach vmA-1.
From ec2 on any subnet in VPC-B, I cannot reach vms on prem.

Did I miss something (obviously yes) ? Is there any src/dest check that need to be disable as well at the peering, route table level ?

Thanks for sharing your ideas !

Answer

This setup will not work, you can only target the VPCA CIDR over the VPC peering connection. You would need to NAT the traffic on vmA-1 to make this work the way you have it setup now. Using a TGW in place of the VPC peer will allow you to route the traffic the way you are trying to over the VPC peer as TGWs provide transitive routing and the TGW attachment subnets in the VPCA can redirect the 10.1.0.0/16 traffic to vmA-1. You could also setup the VPN to the Transit Gateway directly or from the on-prem vm1 to VGWs on both VPCs or to EC2 instances in both VPCs.

Routing/forwarding to onprem site

相關內容