awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

Using both CIDR and IPAM allocation in vpc templates #538

Open firegrass opened 1 month ago

firegrass commented 1 month ago

Is your feature request related to a problem? Please describe.

We would like to use vpc templates to provide standardized networking with both routable and non-routable address space. However if both are specified the following error is raised.

Both a CIDR and IPAM allocation are defined. Please choose only one

Describe the feature you'd like

Support both ipamAllocations: for pooled routable address space and cidrs: for statically allocated non-routable address space.

Additional context

bo1984 commented 1 month ago

Hi Patrick!

Thank you for reaching out and for using the Landing Zone Accelerator on AWS (LZA) solution. As you've experienced, you're running into one of our validation scripts that typically happen at the Prepare stage of the pipeline. I'd like to understand the specific use case for needing to have a statically set non-routable address. If you could, could you provide me with a sample config on what you're trying to do? For using vpcTemplates for routable and non-routable addresses for your subnets within the VPC, you should still be able to achieve this with IPAM.

amitsmlaws commented 1 month ago

You should be able to do this only via IPAM. You might not need to use CIDR if using IPAM.

firegrass commented 4 weeks ago

Thanks @bo1984

The use case is to reuse an (internally agreed) non-routable CIDR for private subnets in all workload accounts. This allows us to have a small IPAM allocation of routable space and large private subnets, which could be applied as a generic VPC template for all workload accounts. This reduces per-workload-account customization and account sizing activities for vending.

We also have another use case. When using Firewall Manager Service with Palo Alto Cloud NGFW, it can be configured to create subnets with specific CIDRs. Again it would be useful to allocate an IPAM CIDR for (in our case) CWAN attachments and reuse private CIDRs for consistent NGFW configuration, and again to reduce IP waste.

I don't have a snippet to hand now, because it doesn't work, but essentially just add both ipamAllocations and cidrs config to vpcTemplates or vpcs.

I haven't tried this yet, but if we were to add the CIDR in a customization, would it get removed when the pipeline next runs?

We want to avoid a custom solution here and losing the benefit of LZA integrations, so open to ideas!
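As an added illustration (not code from the LZA project or from anyone in this thread), the following Python check mirrors the Prepare-stage validation the thread describes, run over a constructed stand-in for the parsed network config: the keys vpcTemplates, vpcs, cidrs and ipamAllocations are the ones named in the issue, while ipamPoolName and netmaskLength are assumed field names used only to make the sample look realistic.

```python
# Added example: models the validation that rejects a VPC or template
# defining both `cidrs` and `ipamAllocations`. Not LZA project code.

# Error text as quoted in the issue.
BOTH_DEFINED = "Both a CIDR and IPAM allocation are defined. Please choose only one"

# Constructed sample config (already parsed from YAML). `ipamPoolName` and
# `netmaskLength` are assumed field names; the CIDR value is made up.
NETWORK_CONFIG = {
    "vpcTemplates": [
        {
            # IPAM-only template: passes the check.
            "name": "Workload-IpamOnly",
            "ipamAllocations": [{"ipamPoolName": "routable-pool", "netmaskLength": 24}],
        },
        {
            # Mixed template, as the reporter wants: routable space from IPAM
            # plus a reused non-routable block. This is what trips the check.
            "name": "Workload-Mixed",
            "ipamAllocations": [{"ipamPoolName": "routable-pool", "netmaskLength": 24}],
            "cidrs": ["100.64.0.0/16"],
        },
    ]
}


def validate_vpc_addressing(config: dict) -> list:
    """Return one error string per vpcs/vpcTemplates entry that defines both
    a static CIDR list and an IPAM allocation; an empty list means it passes."""
    errors = []
    for section in ("vpcs", "vpcTemplates"):
        for vpc in config.get(section, []):
            has_cidr = bool(vpc.get("cidrs"))
            has_ipam = bool(vpc.get("ipamAllocations"))
            if has_cidr and has_ipam:
                errors.append(f"{section}/{vpc.get('name', '?')}: {BOTH_DEFINED}")
    return errors


if __name__ == "__main__":
    for err in validate_vpc_addressing(NETWORK_CONFIG):
        print(err)
```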