
Routing test

Open vincentcabosart opened this issue 6 years ago • 2 comments

Hello,

I deployed all the stacks and everything seems OK. The tunnels are up. I'm trying to do some routing tests (point 11 in the deployment guide). I have set up an EC2 instance in the Subscriber VPC (AppAz1 subnet). ICMP is allowed on all security groups. And I have manually put the VGW as default route for the routing table "Subscribing-priv-rt" (the one associated with the AppAz1 subnet). In this situation I'm still not able to ping the private IP address Eth1 of the Palo Alto. Is there something I am missing?

Thank you in advance.

vincentcabosart avatar Apr 26 '18 13:04 vincentcabosart

After further investigation I found this! https://forums.aws.amazon.com/thread.jspa?messageID=842285 And the bug seems to be confirmed: as written above, I had manually put the VGW in the routing table --> no traffic was passing through the VPN. Once I advertise the default route from the Palo Alto and let default route propagation work via BGP, it appears as VGW in the "Subscribing-priv-rt" route table as the default route. As from this moment, traffic is flowing through the VPN tunnel!

vincentcabosart avatar Apr 26 '18 15:04 vincentcabosart

Thanks for providing that information @Vinch157. In the GitHub repo we also provided information on how to set up the default routing using BGP, which we didn't have any issue with. If you are setting your VGW as the default route, this should work and effectively bypass having to do it statically. If you follow this guide we wrote, nothing should have to be done statically.

https://github.com/PaloAltoNetworks/aws-transit-vpc/blob/master/documentation/Default_Route_to_SubscriberVPC.pdf

jpeezus avatar Apr 27 '18 16:04 jpeezus
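The two comments above distinguish a default route typed into the subscriber route table by hand from one learned over BGP; in the `aws ec2 describe-route-tables` output those show up as `Origin: CreateRoute` versus `Origin: EnableVgwRoutePropagation`. The check below is an added example (not code from this repository) that classifies each table's 0.0.0.0/0 route on a constructed sample of that output; the route table and VGW ids are made up.

```python
import json

# Constructed sample shaped like `aws ec2 describe-route-tables` output (ids are
# made up). The first table got its default route by hand (Origin CreateRoute),
# the second learned it over BGP (Origin EnableVgwRoutePropagation).
SAMPLE_ROUTE_TABLES = json.dumps({"RouteTables": [
    {"RouteTableId": "rtb-0aaa1111static", "PropagatingVgws": [],
     "Routes": [
         {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local",
          "Origin": "CreateRouteTable", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vgw-0bbb2222example",
          "Origin": "CreateRoute", "State": "active"}]},
    {"RouteTableId": "rtb-0ccc3333bgp",
     "PropagatingVgws": [{"GatewayId": "vgw-0bbb2222example"}],
     "Routes": [
         {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local",
          "Origin": "CreateRouteTable", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vgw-0bbb2222example",
          "Origin": "EnableVgwRoutePropagation", "State": "active"}]}]})


def classify_default_routes(describe_output: str) -> dict:
    """Map each route table id to how its 0.0.0.0/0 route got there:
    'propagated' (learned over BGP from a VGW), 'static-vgw' (entered by
    hand and pointing at a VGW, the setup the thread reports as passing no
    traffic), 'other' (default route not to a VGW) or 'missing'."""
    result = {}
    for table in json.loads(describe_output)["RouteTables"]:
        verdict = "missing"
        for route in table.get("Routes", []):
            if route.get("DestinationCidrBlock") != "0.0.0.0/0":
                continue
            if route.get("Origin") == "EnableVgwRoutePropagation":
                verdict = "propagated"
            elif str(route.get("GatewayId", "")).startswith("vgw-"):
                verdict = "static-vgw"
            else:
                verdict = "other"
        result[table["RouteTableId"]] = verdict
    return result


def tables_needing_propagation(describe_output: str) -> list:
    """Route tables with a hand-entered VGW default route and no VGW enabled
    for propagation: candidates for `aws ec2 enable-vgw-route-propagation`."""
    verdicts = classify_default_routes(describe_output)
    return sorted(t["RouteTableId"]
                  for t in json.loads(describe_output)["RouteTables"]
                  if verdicts[t["RouteTableId"]] == "static-vgw"
                  and not t.get("PropagatingVgws"))
```

Feed it the real JSON from `aws ec2 describe-route-tables` to spot a "Subscribing-priv-rt"-style table that still carries a static VGW default route instead of a propagated one.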