aws-ia / terraform-aws-network-hubandspoke

https://registry.terraform.io/modules/aws-ia/network-hubandspoke/aws
Apache License 2.0

fix: route from inspection to ingress (so spoke VPC can talk back with Load Balancers) #14

Closed Eagleman7 closed 1 year ago

Eagleman7 commented 1 year ago

Hello! I deployed a setup with ingress/egress and an inspection VPC with the config below:

module "hub-and-spoke" {
  source  = "aws-ia/network-hubandspoke/aws"
  version = "1.0.1"

  identifier         = "development"
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id

  network_definition = {
    type  = "PREFIX_LIST"
    value = aws_ec2_managed_prefix_list.network_prefix_list.id
  }

  spoke_vpcs = {
    application-x = {
      dev = {
        vpc_id                        = "vpc-123456"
        transit_gateway_attachment_id = "tgw-attach-123456"
      }
    }
  }

  central_vpcs = {
    egress = {
      name       = "egress-vpc"
      cidr_block = "10.0.1.0/24"
      az_count   = 3

      subnets = {
        public          = { netmask = 26 }
        transit_gateway = { netmask = 28 }
      }
    }

    ingress = {
      name       = "ingress-vpc"
      cidr_block = "10.0.0.0/24"
      az_count   = 3

      subnets = {
        public          = { netmask = 26 }
        transit_gateway = { netmask = 28 }
      }
    }

    inspection = {
      name            = "inspection-vpc"
      cidr_block      = "10.0.2.0/24"
      az_count        = 3
      inspection_flow = "all"

      aws_network_firewall = {
        name       = "firewall-dev"
        policy_arn = aws_networkfirewall_firewall_policy.test.arn
      }

      subnets = {
        endpoints       = { netmask = 26 }
        transit_gateway = { netmask = 28 }
      }
    }
  }
}

I found out that when placing an EC2 machine or Load Balancer in the Ingress VPC, the traffic never comes back when sending data to a spoke VPC. I found out this is caused by the inspection VPC not having a route back to the Ingress VPC. This PR adds a route from inspection to ingress when using the above setup. Or maybe I'm missing a setting somewhere that should enable this?

pablo19sc commented 1 year ago

Hi!

Checking this... I think it's better to add a propagation of the Ingress VPC to the Inspection Route Table:

resource "aws_ec2_transit_gateway_route_table_propagation" "ingress_to_inspection_propagation" {
  count = local.ingress_to_inspection_network ? 1 : 0

  transit_gateway_attachment_id  = module.central_vpcs["ingress"].transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.tgw_route_table["inspection"].id
}

I'm planning to add this change in an update soon (following weeks), so if you are happy with this change we can close this and I'll ping you once the changes are applied.

Thanks for the heads up! When I saw this PR I went to check the code and saw the missing route.
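To make the asymmetry concrete, here is an added, stand-alone example (not code from the module or from either commenter) of the Transit Gateway route tables for the ingress -> inspection -> spoke path with `inspection_flow = "all"`, including the propagation pablo19sc proposes. The VPC, subnet and attachment IDs, the route-table names, and the single `spoke_dev` attachment are assumptions for illustration only.

```hcl
# Added example, not the module's code. Minimal TGW routing for
# ingress -> inspection -> spoke when every flow is inspected.
# The VPC, subnet and attachment IDs below are placeholders (assumptions).

variable "inspection_vpc_id" { default = "vpc-0inspection000000" }
variable "inspection_tgw_subnet_ids" { default = ["subnet-0aaa", "subnet-0bbb", "subnet-0ccc"] }

# Attachments that already exist (created by the VPC module or elsewhere).
variable "attachments" {
  type = map(string)
  default = {
    ingress   = "tgw-attach-0ingress00000000"
    spoke_dev = "tgw-attach-0spokedev0000000"
  }
}

resource "aws_ec2_transit_gateway" "tgw" {
  # Explicit tables only: nothing is associated or propagated by accident.
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

# Appliance mode keeps both directions of a flow in the same AZ so the
# stateful firewall endpoint sees the whole conversation.
resource "aws_ec2_transit_gateway_vpc_attachment" "inspection" {
  transit_gateway_id     = aws_ec2_transit_gateway.tgw.id
  vpc_id                 = var.inspection_vpc_id
  subnet_ids             = var.inspection_tgw_subnet_ids
  appliance_mode_support = "enable"

  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

locals {
  attachments = merge(var.attachments, {
    inspection = aws_ec2_transit_gateway_vpc_attachment.inspection.id
  })
  # Which TGW route table each attachment is associated with.
  association = {
    spoke_dev  = "spokes"
    ingress    = "ingress"
    inspection = "inspection"
  }
}

resource "aws_ec2_transit_gateway_route_table" "rt" {
  for_each           = toset(["spokes", "ingress", "inspection"])
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id
  tags               = { Name = each.key }
}

resource "aws_ec2_transit_gateway_route_table_association" "assoc" {
  for_each                       = local.association
  transit_gateway_attachment_id  = local.attachments[each.key]
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.rt[each.value].id
}

# Spokes and ingress send everything to the firewall first.
resource "aws_ec2_transit_gateway_route" "to_inspection" {
  for_each                       = toset(["spokes", "ingress"])
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = local.attachments["inspection"]
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.rt[each.key].id
}

# After inspection the TGW must know the way to every spoke *and* to the
# ingress VPC. Propagating the ingress attachment here is the piece this
# PR found missing: without it, packets leaving the firewall towards
# 10.0.0.0/24 hit a route table with no matching route and are dropped.
resource "aws_ec2_transit_gateway_route_table_propagation" "into_inspection" {
  for_each                       = toset(["spoke_dev", "ingress"])
  transit_gateway_attachment_id  = local.attachments[each.key]
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.rt["inspection"].id
}
```

A propagation is preferable to a static route here because it follows the ingress attachment's own CIDRs and disappears with the attachment, so the inspection table never keeps a stale path. The trade-off to keep in mind is that the inspection table now reaches ingress directly, so the firewall policy, not the routing, is what decides whether a spoke may initiate connections into the ingress VPC.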

Eagleman7 commented 1 year ago

Thanks for the reply,

I will test your solution somewhere this week and let you know!

Eagleman7 commented 1 year ago

Hi @pablo19sc,

On a code level this looks like it will work! However I have not tested it, since we're not going to use the inspection VPC for now.

pablo19sc commented 1 year ago

Hi @Eagleman7, I have tested it from my side and it works; maybe I'll add an example to ensure everything works. So, should we close this PR?

Anyway... thanks for this! We will definitely be working on more updates, so I'm happy to hear from you about fixes and new things to add :)

Eagleman7 commented 1 year ago

Thanks for testing! I found another one today, but I am not sure about the solution yet. It is about the ALB in the Ingress VPC routing traffic to a spoke VPC, while the spoke VPC doesn't have a route back to the Ingress VPC. This is without an inspection VPC being used in the setup.

pablo19sc commented 1 year ago

I guess this should be solved on the Spoke VPC routing side, for which we recommend using the aws-ia/vpc module. If you add in that Spoke VPC a route to the TGW that covers the Ingress VPC CIDR, the Hub and Spoke should be able to get you back to the Ingress VPC.

If you want we can chat in Slack about this in detail. We have a public channel about Cloud Network Automation - https://join.slack.com/t/cloud-network-as-code/shared_invite/zt-1p5acdvnr-~ds~x9bW~qpCcQ3_TGUcsA
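As an added example of the spoke-side routing pablo19sc describes (this is not the module's code, nor the aws-ia/vpc module's; it uses plain `aws_route` resources so the route itself is visible), the spoke VPC's private route tables get a route to the TGW for the central VPC CIDRs, plus the security-group rule the ALB's traffic needs on the target. The route-table, TGW and security-group IDs and the listener port are assumptions; the CIDRs are the ones from the configuration at the top of this thread.

```hcl
# Added example, not the module's code. Spoke-side routing for the
# ingress ALB -> spoke target path. IDs and the port are placeholders
# (assumptions); the CIDRs match the central VPCs configured above.

variable "transit_gateway_id" { default = "tgw-0123456789abcdef0" }
variable "target_security_group_id" { default = "sg-0spoketarget00000" }
variable "app_port" { default = 8080 }

variable "spoke_private_route_table_ids" {
  type    = list(string)
  default = ["rtb-0spoke000a", "rtb-0spoke000b", "rtb-0spoke000c"]
}

# One prefix list for the central VPCs, so adding a central VPC later is
# a new entry rather than a new route in every spoke route table.
resource "aws_ec2_managed_prefix_list" "central_vpcs" {
  name           = "central-vpcs"
  address_family = "IPv4"
  max_entries    = 10

  entry {
    cidr        = "10.0.0.0/24"
    description = "ingress-vpc"
  }
  entry {
    cidr        = "10.0.1.0/24"
    description = "egress-vpc"
  }
  entry {
    cidr        = "10.0.2.0/24"
    description = "inspection-vpc"
  }
}

# The route the ALB reply path needs: spoke -> TGW for the ingress VPC.
# Without it the reply follows the spoke's default route (NAT/IGW or
# nothing) and the target never becomes healthy.
resource "aws_route" "spoke_to_central" {
  for_each                   = toset(var.spoke_private_route_table_ids)
  route_table_id             = each.value
  destination_prefix_list_id = aws_ec2_managed_prefix_list.central_vpcs.id
  transit_gateway_id         = var.transit_gateway_id
}

# Security groups cannot reference the ALB's group across a TGW, so the
# target's rule is scoped to the ingress VPC CIDR and the app port only.
resource "aws_security_group_rule" "from_ingress_alb" {
  type              = "ingress"
  security_group_id = var.target_security_group_id
  from_port         = var.app_port
  to_port           = var.app_port
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/24"]
  description       = "Allow the ingress VPC ALB to reach the application port"
}
```

This covers only the VPC side: the TGW route table that the spoke attachment is associated with must also carry a route (static or propagated) to the ingress attachment, otherwise the reply reaches the TGW and is dropped there instead. Keep the security-group CIDR to the ingress VPC rather than the whole network prefix list, so that the route opening the path back does not also open the application port to every spoke.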

Eagleman7 commented 1 year ago

Thanks for the invite @pablo19sc . Let's discuss it there!