aws-secure-environment-accelerator
[BUG][Functional] Routes - pcx routes only allow targeting one subnet group, not entire vpc CIDR range
Required Basic Info
- Accelerator Version: v1.3.5
Describe the bug
- pcx routes only allow targeting one subnet, not entire vpc CIDR range
- see example
Failure Info
- Not a failure, simply a feature gap
Steps To Reproduce
- use a sample config file, with a local workload account based VPC which is NOT TGW attached
- On a workload account named {account-name}, on the VPC named {vpcname}, add the following config:
    "pcx": {
        "source": "operations",
        "source-vpc": "Central",
        "source-subnets": "App",
        "local-subnets": "App"
    }
- On that same VPC, add the following to the route table (i.e. {vpcname}VPC_Common):
    {
        "destination": {
            "account": "operations",
            "vpc": "Central",
            "subnet": "App"
        },
        "target": "pcx"
    }
- Add the following to the CentralVPC_Common route table on the Central VPC, Central OU:
    {
        "destination": {
            "account": "{account-name}",
            "vpc": "{vpcname}",
            "subnet": "App"
        },
        "target": "pcx"
    }
- This works as expected, adding routes for the workload account's App subnet CIDRs to the Central VPC
- but Central should be able to communicate with all subnets in the peered VPC
- the subnet field is mandatory, and removing it causes the state machine (SM) to fail
- we also do not support adding multiple routes to the same pcx in the same route table
Expected behavior
- add ability to drop the subnet parameter (maintain it as optional parameter for existing customers)
- use the VPC CIDR range for route creation, rather than the subnets
- true for both ends of the connection
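The resolution logic the expected behavior describes, as an added example (not code from the Accelerator project): when a pcx route destination carries a subnet, the route targets that subnet's CIDRs; when the subnet is omitted, the route falls back to the peer VPC's CIDR. The account names, VPC names and CIDRs below are constructed for illustration, and the config shape is a simplified stand-in for the real ASEA config, not its schema. The second function also shows why two pcx routes in one table that resolve to the same CIDR cannot both be created.

```typescript
// Added example, not ASEA project code. Constructed config slice:
// accounts own VPCs, VPCs own named subnets, each subnet spans several CIDRs.
interface SubnetDef { name: string; cidrs: string[] }
interface VpcDef { name: string; cidr: string; subnets: SubnetDef[] }
type AccountVpcs = Record<string, VpcDef[]>;

// Constructed sample data; names and address ranges are made up.
const sampleVpcs: AccountVpcs = {
  operations: [{
    name: "Central", cidr: "10.1.0.0/16",
    subnets: [
      { name: "App", cidrs: ["10.1.0.0/24", "10.1.1.0/24"] },
      { name: "Data", cidrs: ["10.1.2.0/24", "10.1.3.0/24"] },
    ],
  }],
  "workload-a": [{
    name: "Workload", cidr: "10.2.0.0/16",
    subnets: [
      { name: "App", cidrs: ["10.2.0.0/24", "10.2.1.0/24"] },
      { name: "Data", cidrs: ["10.2.2.0/24", "10.2.3.0/24"] },
    ],
  }],
};

// Route destination as in the issue, with "subnet" made optional.
interface PcxDestination { account: string; vpc: string; subnet?: string }
interface RouteDef { destination: PcxDestination; target: "pcx" }

// Resolve a destination to the CIDR blocks a route must cover.
function resolveDestinationCidrs(vpcs: AccountVpcs, dest: PcxDestination): string[] {
  const vpc = (vpcs[dest.account] || []).find(v => v.name === dest.vpc);
  if (!vpc) throw new Error(`unknown VPC ${dest.account}/${dest.vpc}`);
  if (dest.subnet === undefined) {
    // Proposed behaviour: no subnet given, route the whole peer VPC CIDR.
    return [vpc.cidr];
  }
  // Existing behaviour: route only the named subnet's CIDRs.
  const subnet = vpc.subnets.find(s => s.name === dest.subnet);
  if (!subnet) throw new Error(`unknown subnet ${dest.subnet} in ${dest.vpc}`);
  return subnet.cidrs;
}

// Expand a route table's pcx routes into (destination CIDR -> target) entries.
// An AWS route table cannot hold two routes with the same destination CIDR,
// so a table that resolves to a duplicate is rejected up front instead of
// failing at deployment time.
function buildRouteEntries(vpcs: AccountVpcs, routes: RouteDef[]): Map<string, string> {
  const entries = new Map<string, string>();
  for (const r of routes) {
    for (const cidr of resolveDestinationCidrs(vpcs, r.destination)) {
      if (entries.has(cidr)) throw new Error(`duplicate destination ${cidr}`);
      entries.set(cidr, r.target);
    }
  }
  return entries;
}

// Stand-alone demonstration of the three cases from the issue.
function demo(): string[] {
  const lines: string[] = [];
  // 1. subnet given: only the App CIDRs of the peer VPC.
  lines.push(resolveDestinationCidrs(sampleVpcs,
    { account: "operations", vpc: "Central", subnet: "App" }).join(","));
  // 2. subnet omitted: the whole peer VPC CIDR.
  lines.push(resolveDestinationCidrs(sampleVpcs,
    { account: "operations", vpc: "Central" }).join(","));
  // 3. two routes to the same pcx in one table: fine while CIDRs differ,
  //    rejected once they collide.
  try {
    buildRouteEntries(sampleVpcs, [
      { destination: { account: "operations", vpc: "Central", subnet: "App" }, target: "pcx" },
      { destination: { account: "operations", vpc: "Central", subnet: "App" }, target: "pcx" },
    ]);
    lines.push("no collision");
  } catch (e) {
    lines.push((e as Error).message);
  }
  return lines;
}

console.log(demo().join("\n"));
```

Resolving to the VPC CIDR means a single route per peering connection covers every subnet on the far side, which is what the expected behavior asks for at both ends; keeping the subnet form available preserves the narrower routes existing configs rely on.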
Additional context
- Customers need to join all workloads in App, Data, Management to the MAD
Fixed in this PR :
https://github.com/aws-samples/aws-secure-environment-accelerator/pull/877
Done