aws-network-hub-for-terraform
IPv6 connectivity not working from within spoke_app subnets
This PR by @jplock introduced support for IPv6.
However, IPv6 connectivity within a spoke_app subnet, e.g. spoke_app_eu-west-2a, doesn't appear to be working. E.g. from an EC2 instance with IPv6 configuration:
$ ping6 localhost
PING localhost(localhost6) 56 data bytes
64 bytes from localhost6: icmp_seq=1 ttl=64 time=0.022 ms
^C
$ traceroute6 google.com
traceroute to google.com (2a00:1450:4009:821::200e), 30 hops max, 80 byte packets
1 * * *
...
30 * * *
The above-mentioned PR also reads:
To reduce costs, we could have IPv6 traffic egress directly from the example spoke VPC for now.
The PR does indeed create an Egress-only IGW in each spoke VPC too, but these are not used anywhere.
Routing non-local IPv6 traffic (by changing the route table of the spoke_app subnets) to the spoke VPC EIGW does make IPv6 connectivity to the Internet work:
$ traceroute6 google.com
traceroute to google.com (2a00:1450:4009:821::200e), 30 hops max, 80 byte packets
1 * * *
...
20 lhr48s28-in-x0e.1e100.net (2a00:1450:4009:821::200e) 2.381 ms 1.592 ms 2.358 ms
If I were to raise a PR, would it be preferable to use spoke VPC EIGWs, or remove these spoke VPC EIGWs and fix IPv6 connectivity so that IPv6 traffic goes through the single EIGW in the inspection VPC?
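As an added example (not the reporter's or the project's code), a small check that reads route tables in the EC2 DescribeRouteTables shape and reports which target, if any, carries a subnet's ::/0 route, so the "all hops time out" symptom above can be traced to a missing default IPv6 route without logging into the instance; the route table, subnet and gateway ids in the sample are constructed placeholders.

```python
"""Report the target of a subnet's IPv6 default route (::/0), or that none exists.

Input is a list of route tables shaped like boto3 describe_route_tables()["RouteTables"].
"""

IPV6_DEFAULT = "::/0"

# Attributes a DescribeRouteTables route may carry as its target.
TARGET_KEYS = ("EgressOnlyInternetGatewayId", "GatewayId", "TransitGatewayId",
               "NatGatewayId", "NetworkInterfaceId", "VpcPeeringConnectionId")


def route_table_for_subnet(route_tables, subnet_id):
    """Return the table explicitly associated with subnet_id, else the VPC main table (if any)."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def ipv6_default_target(route_tables, subnet_id):
    """Return (route_table_id, target_id); target_id is None when no active ::/0 route exists."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return (None, None)
    for route in rt.get("Routes", []):
        if route.get("DestinationIpv6CidrBlock") == IPV6_DEFAULT and route.get("State", "active") == "active":
            for key in TARGET_KEYS:
                if key in route:
                    return (rt["RouteTableId"], route[key])
    return (rt["RouteTableId"], None)


# Constructed sample with placeholder ids: the spoke_app table as reported (local route only)
# and the same table after the workaround of pointing ::/0 at the spoke VPC egress-only IGW.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-spokeapp2a", "Associations": [{"SubnetId": "subnet-spokeapp2a"}],
     "Routes": [{"DestinationIpv6CidrBlock": "2001:db8::/56", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-spokeapp2a-fixed", "Associations": [{"SubnetId": "subnet-spokeapp2a-fixed"}],
     "Routes": [{"DestinationIpv6CidrBlock": "2001:db8::/56", "GatewayId": "local", "State": "active"},
                {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-placeholder",
                 "State": "active"}]},
]

if __name__ == "__main__":
    for subnet in ("subnet-spokeapp2a", "subnet-spokeapp2a-fixed"):
        rtb, target = ipv6_default_target(SAMPLE_ROUTE_TABLES, subnet)
        print(f"{subnet}: route table {rtb}, ::/0 -> {target or 'NO DEFAULT IPv6 ROUTE'}")
```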
Removing the spoke EIGW and having it pushed through the central egress solution would be preferable.
Thank you for raising this issue