This template uses the IP addresses the VGW assigns. Those come from a pool of 256 addresses in the 169.254.x.x space. At some point, I think mathematically it's around 8-15 VPCs, you'll get the same address twice from the VGW. Since the firewall doesn't support duplicate addresses, you get a conflict. VRFs don't help since the VRF functionality still doesn't support duplicate addresses.
The fix would involve knowing which addresses have been assigned and assigning unique addresses to the inner tunnel IP per VPN connection.
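One way to implement the fix described above, as an added example (not code from the template or its authors): keep an inventory of the inside /30 blocks already in use, flag duplicates, and pick unused blocks to pass as each tunnel's `TunnelInsideCidr` instead of letting the VGW choose. The inventory dict, the function names and the sample CIDRs are assumptions constructed for illustration.

```python
import ipaddress

# /30 blocks AWS reserves; they cannot be used as tunnel inside CIDRs.
RESERVED = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")]

def find_conflicts(assigned):
    """Return (first_conn, second_conn, cidr) for every overlapping inside CIDR."""
    seen, conflicts = {}, []
    for conn_id, cidrs in sorted(assigned.items()):
        for net in map(ipaddress.ip_network, cidrs):
            conflicts += [(other, conn_id, str(net)) for prev, other in seen.items()
                          if other != conn_id and net.overlaps(prev)]
            seen.setdefault(net, conn_id)
    return conflicts

def allocate_inside_cidrs(assigned, count=2, pool="169.254.0.0/16"):
    """Pick `count` /30 blocks from `pool` that no existing connection uses."""
    taken = RESERVED + [ipaddress.ip_network(c) for v in assigned.values() for c in v]
    picked = []
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=30):
        if not any(cand.overlaps(t) for t in taken + picked):
            picked.append(cand)
            if len(picked) == count:
                return [str(p) for p in picked]
    raise RuntimeError("no free /30 left in " + pool)

def tunnel_endpoints(cidr):
    """(VGW side, firewall side): AWS takes the first host, the customer gateway the second."""
    vgw, cgw = list(ipaddress.ip_network(cidr).hosts())
    return str(vgw), str(cgw)

# Constructed inventory: connection id -> inside CIDRs of its two tunnels.
SAMPLE = {
    "vpn-a": ["169.254.6.0/30", "169.254.6.4/30"],
    "vpn-b": ["169.254.6.8/30", "169.254.6.0/30"],  # reuses a block from vpn-a
}

if __name__ == "__main__":
    print(find_conflicts(SAMPLE))
    for cidr in allocate_inside_cidrs(SAMPLE, pool="169.254.6.0/24"):
        print(cidr, tunnel_endpoints(cidr))
```

The allocation is only as good as the inventory: it has to be rebuilt from every VPN connection terminating on the firewall before each new connection is created.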