terraform-aws-modules / terraform-aws-vpn-gateway

Terraform module to create AWS VPN gateway resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/vpn-gateway/aws
Apache License 2.0

Confusion over public/private subnets for route table propagation #17

Closed statwoodland closed 5 years ago

statwoodland commented 5 years ago

I have a question about the labeling in the examples. It's unclear to me what is supposed to be public and private, and whether or not the public subnets also need to be included in vpc_subnet_route_table_ids

This variable seems to define a list of private subnets:

variable "vpc_private_subnets" {
  type    = "list"
  default = ["10.10.11.0/24", "10.10.12.0/24", "10.10.13.0/24"]
}

But it is actually being used as public subnets:

module "vpc" {
...
  private_subnets = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]
  public_subnets  = ["${var.vpc_private_subnets}"]

And, where I'm most confused, the only route tables with propagation added are the private subnets, but the count is the public subnet variable.

module "vpn_gateway" {
...
  vpc_subnet_route_table_ids   = ["${module.vpc.private_route_table_ids}"]
  vpc_subnet_route_table_count = "${length(var.vpc_private_subnets)}"

My questions are:

1) is this naming accidental or intentional? (perhaps I'm missing something!)
2) do public subnets also need to be added to vpc_subnet_route_table_ids?
3) why are propagate_public_route_tables_vgw and propagate_private_route_tables_vgw not set in the VPC module?

Thanks for your time!

statwoodland commented 5 years ago

I'm still not certain why, but my route propagation wasn't working until I did the following:

1) no longer set vpc_subnet_route_table_ids and vpc_subnet_route_table_count from this module
2) set propagate_public_route_tables_vgw and propagate_private_route_tables_vgw to true in the VPC module

Apologies for not having a clearer diagnosis of what's going wrong. This is anecdotal, of course, but perhaps there is some amount of conflict between the two modules (or, just as likely, I had a configuration error without realizing it).

miguelaferreira commented 5 years ago

Hi @statwoodland. Apologies for the late reaction. I'm trying to understand what you are reporting and I don't really see where the private subnets are being mixed up with the public subnets.

Where did you see this?

module "vpc" {
...
  private_subnets = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]
  public_subnets  = ["${var.vpc_private_subnets}"]

Regarding the routing rules, and whether that should include public subnets or not, that is entirely up to the user. I usually only route traffic to/from the VPN Gateway to my private subnets. But there are for sure use cases where it makes sense to also route traffic to/from the VPN Gateway to the public subnets.

Finally, the propagation of the routing rules should be enabled only once to avoid trying to add the same rule twice. Therefore propagation has to be enabled either in the VPC module or in the VPN gateway module. Never in both.

I hope this answer helps clarify what you have seen, but please ping me if you have any other questions.
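The maintainer's guidance above (propagate VGW routes from exactly one module, and only into the route tables that should reach the VPN) written out as a complete configuration. This is an added example, not code from the issue thread or from the module's own examples. It assumes Terraform 0.12+ syntax and the terraform-aws-modules vpc and vpn-gateway modules; the inputs and outputs `enable_vpn_gateway`, `vgw_id`, `vpc_id`, `vpn_gateway_id`, `customer_gateway_id`, `name`, `cidr` and `azs`, and the `aws_customer_gateway` resource, do not appear on this page and are assumed from those modules' documentation.

```hcl
# Added example; not part of the issue thread or the module's examples.
# Assumes Terraform 0.12+ and the terraform-aws-modules vpc / vpn-gateway modules.

locals {
  # Plain CIDR lists, so that a count derived from them is known at plan time.
  private_subnet_cidrs = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]
  public_subnet_cidrs  = ["10.10.11.0/24", "10.10.12.0/24", "10.10.13.0/24"]
}

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "vpn-example"      # assumed input
  cidr = "10.10.0.0/16"     # assumed input
  azs  = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] # assumed input

  # Names match intent: the private subnets are the ones that will reach the VPN.
  private_subnets = local.private_subnet_cidrs
  public_subnets  = local.public_subnet_cidrs

  enable_vpn_gateway = true # assumed input; creates and attaches the VGW

  # Option A: the VPC module owns route propagation.
  # Only private route tables learn the on-premises routes; the public subnets
  # stay off the VPN unless there is a concrete need to expose them to it.
  propagate_private_route_tables_vgw = true
  propagate_public_route_tables_vgw  = false
}

resource "aws_customer_gateway" "onprem" {
  bgp_asn    = 65000
  ip_address = "203.0.113.10" # placeholder documentation address, not a real endpoint
  type       = "ipsec.1"
}

module "vpn_gateway" {
  source = "terraform-aws-modules/vpn-gateway/aws"

  vpc_id              = module.vpc.vpc_id            # assumed input/output
  vpn_gateway_id      = module.vpc.vgw_id            # assumed input/output
  customer_gateway_id = aws_customer_gateway.onprem.id

  # Option A in use: this module takes no part in route propagation.
  # Declaring propagation here as well as in module "vpc" would try to create
  # the same route propagation twice, which is the conflict described in the thread.
  vpc_subnet_route_table_count = 0
  vpc_subnet_route_table_ids   = []

  # Option B (mutually exclusive with A): set both propagate_*_vgw flags in
  # module "vpc" to false and hand the private route tables to this module instead:
  #   vpc_subnet_route_table_ids   = module.vpc.private_route_table_ids
  #   vpc_subnet_route_table_count = length(local.private_subnet_cidrs)
}
```

Whichever option is chosen, the count is taken from the static CIDR list rather than from the route table IDs, because those IDs are only known after apply. Keeping propagation on the private route tables only is the default a reviewer should expect to see; extending it to public route tables is a deliberate decision that widens what the on-premises network can reach, and should be justified in the change.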

statwoodland commented 5 years ago

It does clarify, thank you @miguelaferreira

github-actions[bot] commented 2 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.