authoraslanvyos <a.hajiyev@vyos.io>2025-06-18 11:55:46 +0400
committeraslanvyos <a.hajiyev@vyos.io>2025-06-18 14:55:10 +0400
commit9fffee3ecbf3830d0b6df4fbb3e00ee745e3956a (patch)
tree6b943f142760e022fba18466be75c3e801c01dbd
parent67a227b0cfdc8ab7248830efe67f7b9a3c4c46f2 (diff)
Added VPC Route Server module
-rw-r--r--Terraform/AWS/ha-instances-with-configs/files/vyos_01_user_data.tfpl60
-rw-r--r--Terraform/AWS/ha-instances-with-configs/files/vyos_02_user_data.tfpl61
-rw-r--r--Terraform/AWS/ha-instances-with-configs/main.tf69
-rw-r--r--Terraform/AWS/ha-instances-with-configs/output.tf4
-rw-r--r--Terraform/AWS/ha-instances-with-configs/readme.md89
-rw-r--r--Terraform/AWS/ha-instances-with-configs/transit_gateway.tf2
-rw-r--r--Terraform/AWS/ha-instances-with-configs/variables.tf2
-rw-r--r--Terraform/AWS/ha-instances-with-configs/vpc_route_server.tf98
8 files changed, 204 insertions, 181 deletions
diff --git a/Terraform/AWS/ha-instances-with-configs/files/vyos_01_user_data.tfpl b/Terraform/AWS/ha-instances-with-configs/files/vyos_01_user_data.tfpl
index be25c3a..e8df410 100644
--- a/Terraform/AWS/ha-instances-with-configs/files/vyos_01_user_data.tfpl
+++ b/Terraform/AWS/ha-instances-with-configs/files/vyos_01_user_data.tfpl
@@ -7,7 +7,7 @@ vyos_config_commands:
- set interfaces ethernet eth1 dhcp-options no-default-route
- set system name-server '${dns}'
- set service dns forwarding name-server '${dns}'
- - set service dns forwarding listen-address '${vyos_priv_nic_ip}'
+ - set service dns forwarding listen-address '${vyos_01_priv_nic_ip}'
- set service dns forwarding allow-from '${transit_vpc_cidr}'
- set service dns forwarding no-serve-rfc1918
- set nat source rule 10 outbound-interface name 'eth0'
@@ -33,20 +33,20 @@ vyos_config_commands:
- set interfaces vti vti1 description 'Tunnel for VyOS in Azure'
- set interfaces vti vti1 ip adjust-mss '1350'
- set protocols static route 10.2.100.11/32 interface vti1
- - set protocols static route ${vyos_pub_subnet} blackhole distance '254'
- - set protocols static route ${vyos_priv_subnet} blackhole distance '254'
- - set vpn ipsec authentication psk VyOS id '${vyos_public_ip_address}'
- - set vpn ipsec authentication psk VyOS id '${on_prem_public_ip_address}'
+ - set protocols static route ${vyos_01_pub_subnet} blackhole distance '254'
+ - set protocols static route ${vyos_01_priv_subnet} blackhole distance '254'
+ - set vpn ipsec authentication psk VyOS id '${vyos_01_public_ip}'
+ - set vpn ipsec authentication psk VyOS id '${on_prem_public_ip}'
- set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'
- - set vpn ipsec site-to-site peer AZURE authentication local-id '${vyos_public_ip_address}'
+ - set vpn ipsec site-to-site peer AZURE authentication local-id '${vyos_01_public_ip}'
- set vpn ipsec site-to-site peer AZURE authentication mode 'pre-shared-secret'
- - set vpn ipsec site-to-site peer AZURE authentication remote-id '${on_prem_public_ip_address}'
+ - set vpn ipsec site-to-site peer AZURE authentication remote-id '${on_prem_public_ip}'
- set vpn ipsec site-to-site peer AZURE connection-type 'initiate'
- set vpn ipsec site-to-site peer AZURE description 'TUNNEL to VyOS on AZURE'
- set vpn ipsec site-to-site peer AZURE ike-group 'AZURE'
- set vpn ipsec site-to-site peer AZURE ikev2-reauth 'inherit'
- - set vpn ipsec site-to-site peer AZURE local-address '${vyos_pub_nic_ip}'
- - set vpn ipsec site-to-site peer AZURE remote-address '${on_prem_public_ip_address}'
+ - set vpn ipsec site-to-site peer AZURE local-address '${vyos_01_pub_nic_ip}'
+ - set vpn ipsec site-to-site peer AZURE remote-address '${on_prem_public_ip}'
- set vpn ipsec site-to-site peer AZURE vti bind 'vti1'
- set vpn ipsec site-to-site peer AZURE vti esp-group 'AZURE'
- set policy prefix-list AS65001-OUT rule 10 action 'permit'
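Review bot: The IPsec pre-shared key on the context line `- set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'` is still a literal inside the template this hunk re-parameterizes, so it is committed to the repository and baked into EC2 user data, which any process on the instance can read from the metadata service and which `DescribeInstanceAttribute` returns to any principal with that permission. Since the surrounding lines already thread `${vyos_01_public_ip}` and `${on_prem_public_ip}` through `templatefile()`, pass the secret the same way from a Terraform variable declared with `sensitive = true` (or fetched from a secrets store) instead of hard-coding it, e.g. `- set vpn ipsec authentication psk VyOS secret '${ipsec_psk}'`. The same literal sits in vyos_02_user_data.tfpl and should change together with this one, and a value that has already been pushed should be rotated.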
@@ -72,15 +72,15 @@ vyos_config_commands:
- set policy route-map AS65002-OUT rule 20 match ip address prefix-list 'AS65002-OUT'
- set policy route-map AS65011-OUT rule 10 action 'permit'
- set policy route-map AS65011-OUT rule 10 match ip address prefix-list 'AS65011-OUT'
- - set protocols bfd peer ${vyos_02_pub_nic_ip_address} interval multiplier '3'
- - set protocols bfd peer ${vyos_02_pub_nic_ip_address} interval receive '300'
- - set protocols bfd peer ${vyos_02_pub_nic_ip_address} interval transmit '300'
+ - set protocols bfd peer ${vyos_02_pub_nic_ip} interval multiplier '3'
+ - set protocols bfd peer ${vyos_02_pub_nic_ip} interval receive '300'
+ - set protocols bfd peer ${vyos_02_pub_nic_ip} interval transmit '300'
+ - set protocols bfd peer ${route_server_endpoint_01_ip} interval multiplier '3'
+ - set protocols bfd peer ${route_server_endpoint_01_ip} interval receive '300'
+ - set protocols bfd peer ${route_server_endpoint_01_ip} interval transmit '300'
- set protocols bfd peer 10.2.100.11 interval multiplier '3'
- set protocols bfd peer 10.2.100.11 interval receive '300'
- set protocols bfd peer 10.2.100.11 interval transmit '300'
- - set protocols bfd peer 172.16.11.115 interval multiplier '3'
- - set protocols bfd peer 172.16.11.115 interval receive '300'
- - set protocols bfd peer 172.16.11.115 interval transmit '300'
- set protocols bgp system-as '${vyos_bgp_as_number}'
- set protocols bgp address-family ipv4-unicast network ${data_vpc_public_subnet}
- set protocols bgp address-family ipv4-unicast redistribute connected
@@ -91,18 +91,18 @@ vyos_config_commands:
- set protocols bgp neighbor 10.2.100.11 bfd
- set protocols bgp neighbor 10.2.100.11 disable-connected-check
- set protocols bgp neighbor 10.2.100.11 update-source '10.1.100.11'
- - set protocols bgp neighbor 172.16.11.115 address-family ipv4-unicast route-map export 'AS65011-OUT'
- - set protocols bgp neighbor 172.16.11.115 address-family ipv4-unicast soft-reconfiguration inbound
- - set protocols bgp neighbor 172.16.11.115 disable-connected-check
- - set protocols bgp neighbor 172.16.11.115 remote-as '65011'
- - set protocols bgp neighbor 172.16.11.115 timers holdtime '30'
- - set protocols bgp neighbor 172.16.11.115 bfd
- - set protocols bgp neighbor 172.16.11.115 update-source '${vyos_priv_nic_ip}'
- - set protocols bgp neighbor ${vyos_02_pub_nic_ip_address} address-family ipv4-unicast nexthop-self force
- - set protocols bgp neighbor ${vyos_02_pub_nic_ip_address} address-family ipv4-unicast route-map export 'AS65001-OUT'
- - set protocols bgp neighbor ${vyos_02_pub_nic_ip_address} address-family ipv4-unicast soft-reconfiguration inbound
- - set protocols bgp neighbor ${vyos_02_pub_nic_ip_address} disable-connected-check
- - set protocols bgp neighbor ${vyos_02_pub_nic_ip_address} remote-as '${vyos_bgp_as_number}'
- - set protocols bgp neighbor ${vyos_02_pub_nic_ip_address} timers holdtime '30'
- - set protocols bgp neighbor ${vyos_02_pub_nic_ip_address} bfd
- - set protocols bgp neighbor ${vyos_02_pub_nic_ip_address} update-source '${vyos_pub_nic_ip}'
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} address-family ipv4-unicast nexthop-self force
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} address-family ipv4-unicast route-map export 'AS65001-OUT'
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} disable-connected-check
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} remote-as '${vyos_bgp_as_number}'
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} timers holdtime '30'
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} bfd
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} update-source '${vyos_01_pub_nic_ip}'
+ - set protocols bgp neighbor ${route_server_endpoint_01_ip} address-family ipv4-unicast route-map export 'AS65011-OUT'
+ - set protocols bgp neighbor ${route_server_endpoint_01_ip} address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor ${route_server_endpoint_01_ip} disable-connected-check
+ - set protocols bgp neighbor ${route_server_endpoint_01_ip} remote-as '${route_server_endpoint_bgp_as_number}'
+ - set protocols bgp neighbor ${route_server_endpoint_01_ip} timers holdtime '30'
+ - set protocols bgp neighbor ${route_server_endpoint_01_ip} bfd
+ - set protocols bgp neighbor ${route_server_endpoint_01_ip} update-source '${vyos_01_priv_nic_ip}'
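Review bot: The new `${route_server_endpoint_01_ip}` neighbor gets an export policy (`route-map export 'AS65011-OUT'`) but no import policy and no prefix limit, so nothing on the VyOS side constrains what this session could install. As far as I can tell VPC Route Server only receives advertisements from peers, so this is defensive, but an explicit `address-family ipv4-unicast route-map import 'AS65011-IN'` backed by a deny-all or expected-prefix list, plus `address-family ipv4-unicast maximum-prefix '100'`, records that intent and protects the RIB if the service behaviour changes; `soft-reconfiguration inbound` is already on, which makes such a filter easy to verify. The `${route_server_endpoint_02_ip}` neighbor in vyos_02_user_data.tfpl has the same gap.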
diff --git a/Terraform/AWS/ha-instances-with-configs/files/vyos_02_user_data.tfpl b/Terraform/AWS/ha-instances-with-configs/files/vyos_02_user_data.tfpl
index 039d80b..38535e6 100644
--- a/Terraform/AWS/ha-instances-with-configs/files/vyos_02_user_data.tfpl
+++ b/Terraform/AWS/ha-instances-with-configs/files/vyos_02_user_data.tfpl
@@ -7,7 +7,7 @@ vyos_config_commands:
- set interfaces ethernet eth1 dhcp-options no-default-route
- set system name-server '${dns}'
- set service dns forwarding name-server '${dns}'
- - set service dns forwarding listen-address '${vyos_priv_nic_ip}'
+ - set service dns forwarding listen-address '${vyos_02_priv_nic_ip}'
- set service dns forwarding allow-from '${transit_vpc_cidr}'
- set service dns forwarding no-serve-rfc1918
- set nat source rule 10 outbound-interface name 'eth0'
@@ -33,20 +33,20 @@ vyos_config_commands:
- set interfaces vti vti1 description 'Tunnel for VyOS in Azure'
- set interfaces vti vti1 ip adjust-mss '1350'
- set protocols static route 10.2.100.12/32 interface vti1
- - set protocols static route ${vyos_pub_subnet} blackhole distance '254'
- - set protocols static route ${vyos_priv_subnet} blackhole distance '254'
- - set vpn ipsec authentication psk VyOS id '${vyos_public_ip_address}'
- - set vpn ipsec authentication psk VyOS id '${on_prem_public_ip_address}'
+ - set protocols static route ${vyos_02_pub_subnet} blackhole distance '254'
+ - set protocols static route ${vyos_02_priv_subnet} blackhole distance '254'
+ - set vpn ipsec authentication psk VyOS id '${vyos_02_public_ip}'
+ - set vpn ipsec authentication psk VyOS id '${on_prem_public_ip}'
- set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'
- - set vpn ipsec site-to-site peer AZURE authentication local-id '${vyos_public_ip_address}'
+ - set vpn ipsec site-to-site peer AZURE authentication local-id '${vyos_02_public_ip}'
- set vpn ipsec site-to-site peer AZURE authentication mode 'pre-shared-secret'
- - set vpn ipsec site-to-site peer AZURE authentication remote-id '${on_prem_public_ip_address}'
+ - set vpn ipsec site-to-site peer AZURE authentication remote-id '${on_prem_public_ip}'
- set vpn ipsec site-to-site peer AZURE connection-type 'initiate'
- set vpn ipsec site-to-site peer AZURE description 'TUNNEL to VyOS on AZURE'
- set vpn ipsec site-to-site peer AZURE ike-group 'AZURE'
- set vpn ipsec site-to-site peer AZURE ikev2-reauth 'inherit'
- - set vpn ipsec site-to-site peer AZURE local-address '${vyos_pub_nic_ip}'
- - set vpn ipsec site-to-site peer AZURE remote-address '${on_prem_public_ip_address}'
+ - set vpn ipsec site-to-site peer AZURE local-address '${vyos_02_pub_nic_ip}'
+ - set vpn ipsec site-to-site peer AZURE remote-address '${on_prem_public_ip}'
- set vpn ipsec site-to-site peer AZURE vti bind 'vti1'
- set vpn ipsec site-to-site peer AZURE vti esp-group 'AZURE'
- set policy prefix-list AS65001-OUT rule 10 action 'permit'
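Review bot: The tunnel pre-shared key `'ch00s3-4-s3cur3-psk'` on the `psk VyOS secret` context line survives this hunk's re-parameterization, so it stays in source control and in the instance's user data, where it is readable from the metadata service and via `DescribeInstanceAttribute`. Thread it through `templatefile()` from a `sensitive = true` variable the way `${vyos_02_public_ip}` and `${on_prem_public_ip}` are on the adjacent lines, e.g. `- set vpn ipsec authentication psk VyOS secret '${ipsec_psk}'`, and keep it identical to the value used in vyos_01_user_data.tfpl since both instances peer with the same on-prem address.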
@@ -72,15 +72,15 @@ vyos_config_commands:
- set policy route-map AS65002-OUT rule 20 match ip address prefix-list 'AS65002-OUT'
- set policy route-map AS65011-OUT rule 10 action 'permit'
- set policy route-map AS65011-OUT rule 10 match ip address prefix-list 'AS65011-OUT'
- - set protocols bfd peer ${vyos_01_pub_nic_ip_address} interval multiplier '3'
- - set protocols bfd peer ${vyos_01_pub_nic_ip_address} interval receive '300'
- - set protocols bfd peer ${vyos_01_pub_nic_ip_address} interval transmit '300'
+ - set protocols bfd peer ${vyos_01_pub_nic_ip} interval multiplier '3'
+ - set protocols bfd peer ${vyos_01_pub_nic_ip} interval receive '300'
+ - set protocols bfd peer ${vyos_01_pub_nic_ip} interval transmit '300'
+ - set protocols bfd peer ${route_server_endpoint_02_ip} interval multiplier '3'
+ - set protocols bfd peer ${route_server_endpoint_02_ip} interval receive '300'
+ - set protocols bfd peer ${route_server_endpoint_02_ip} interval transmit '300'
- set protocols bfd peer 10.2.100.12 interval multiplier '3'
- set protocols bfd peer 10.2.100.12 interval receive '300'
- set protocols bfd peer 10.2.100.12 interval transmit '300'
- - set protocols bfd peer 172.16.21.177 interval multiplier '3'
- - set protocols bfd peer 172.16.21.177 interval receive '300'
- - set protocols bfd peer 172.16.21.177 interval transmit '300'
- set protocols bgp system-as '${vyos_bgp_as_number}'
- set protocols bgp address-family ipv4-unicast network ${data_vpc_public_subnet}
- set protocols bgp address-family ipv4-unicast redistribute connected
@@ -91,19 +91,18 @@ vyos_config_commands:
- set protocols bgp neighbor 10.2.100.12 bfd
- set protocols bgp neighbor 10.2.100.12 disable-connected-check
- set protocols bgp neighbor 10.2.100.12 update-source '10.1.100.12'
- - set protocols bgp neighbor 172.16.21.177 address-family ipv4-unicast route-map export 'AS65011-OUT'
- - set protocols bgp neighbor 172.16.21.177 address-family ipv4-unicast soft-reconfiguration inbound
- - set protocols bgp neighbor 172.16.21.177 disable-connected-check
- - set protocols bgp neighbor 172.16.21.177 remote-as '65011'
- - set protocols bgp neighbor 172.16.21.177 timers holdtime '30'
- - set protocols bgp neighbor 172.16.21.177 bfd
- - set protocols bgp neighbor 172.16.21.177 update-source '${vyos_priv_nic_ip}'
- - set protocols bgp neighbor ${vyos_01_pub_nic_ip_address} address-family ipv4-unicast nexthop-self force
- - set protocols bgp neighbor ${vyos_01_pub_nic_ip_address} address-family ipv4-unicast route-map export 'AS65001-OUT'
- - set protocols bgp neighbor ${vyos_01_pub_nic_ip_address} address-family ipv4-unicast soft-reconfiguration inbound
- - set protocols bgp neighbor ${vyos_01_pub_nic_ip_address} disable-connected-check
- - set protocols bgp neighbor ${vyos_01_pub_nic_ip_address} remote-as '${vyos_bgp_as_number}'
- - set protocols bgp neighbor ${vyos_01_pub_nic_ip_address} timers holdtime '30'
- - set protocols bgp neighbor ${vyos_01_pub_nic_ip_address} bfd
- - set protocols bgp neighbor ${vyos_01_pub_nic_ip_address} update-source '${vyos_pub_nic_ip}'
- \ No newline at end of file
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} address-family ipv4-unicast nexthop-self force
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} address-family ipv4-unicast route-map export 'AS65001-OUT'
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} disable-connected-check
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} remote-as '${vyos_bgp_as_number}'
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} timers holdtime '30'
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} bfd
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} update-source '${vyos_02_pub_nic_ip}'
+ - set protocols bgp neighbor ${route_server_endpoint_02_ip} address-family ipv4-unicast route-map export 'AS65011-OUT'
+ - set protocols bgp neighbor ${route_server_endpoint_02_ip} address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor ${route_server_endpoint_02_ip} disable-connected-check
+ - set protocols bgp neighbor ${route_server_endpoint_02_ip} remote-as '${route_server_endpoint_bgp_as_number}'
+ - set protocols bgp neighbor ${route_server_endpoint_02_ip} timers holdtime '30'
+ - set protocols bgp neighbor ${route_server_endpoint_02_ip} bfd
+ - set protocols bgp neighbor ${route_server_endpoint_02_ip} update-source '${vyos_02_priv_nic_ip}'
diff --git a/Terraform/AWS/ha-instances-with-configs/main.tf b/Terraform/AWS/ha-instances-with-configs/main.tf
index c2b971b..d4f3bb0 100644
--- a/Terraform/AWS/ha-instances-with-configs/main.tf
+++ b/Terraform/AWS/ha-instances-with-configs/main.tf
@@ -10,6 +10,15 @@ resource "aws_key_pair" "ec2_key" {
}
# THE LATEST AMAZON VYOS 1.4 IMAGE
+#
+# VyOS AWS Marketplace publisher account ID: 679593333241
+# This ID is required for filtering official VyOS AMIs via `aws ec2 describe-images`.
+# The value corresponds to the AMI owner ID used by VyOS in the AWS Marketplace.
+#
+# To confirm or update the AMI and owner ID, you must first subscribe to VyOS in the AWS Marketplace.
+# Then run the following command to fetch the correct AMI ID and Owner ID for your AWS region (e.g., us-east-1):
+#
+# aws ec2 describe-images --owners aws-marketplace --filters "Name=product-code,Values=8wqdkv3u2b9sa0y73xob2yl90" --query 'Images[*].[ImageId,OwnerId,Name]' --output table
data "aws_ami" "vyos" {
most_recent = true
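Review bot: The new comment documents owner ID 679593333241 and a Marketplace product code, but the `data "aws_ami" "vyos"` block it introduces continues past this hunk, so it is not visible whether `owners` is actually pinned to that ID or a `product-code` filter is applied. With `most_recent = true`, a name-only filter would select a lookalike AMI published by any account, which is a supply-chain risk for a router image that terminates VPN and BGP. Please confirm the block carries `owners = ["679593333241"]` (or `filter { name = "product-code" values = ["8wqdkv3u2b9sa0y73xob2yl90"] }`) and state that in this comment so the pin is not removed later.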
@@ -53,19 +62,21 @@ resource "aws_instance" "vyos_01" {
availability_zone = var.availability_zone_01
user_data_base64 = base64encode(templatefile("${path.module}/files/vyos_01_user_data.tfpl", {
- transit_vpc_cidr = var.transit_vpc_cidr,
- data_vpc_public_subnet = var.data_vpc_public_subnet_cidr,
- vyos_public_ip_address = aws_eip.vyos_01_eip.public_ip,
- vyos_pub_subnet = var.transit_vpc_public_subnet_01_cidr,
- vyos_priv_subnet = var.transit_vpc_private_subnet_01_cidr,
- vyos_02_pub_nic_ip_address = aws_network_interface.vyos_02_public_nic.private_ip,
- vyos_pub_nic_ip = aws_network_interface.vyos_01_public_nic.private_ip,
- vyos_priv_nic_ip = aws_network_interface.vyos_01_private_nic.private_ip,
- vyos_bgp_as_number = var.vyos_bgp_as_number,
- dns = var.dns,
- on_prem_public_ip_address = var.on_prem_public_ip_address,
- on_prem_bgp_as_number = var.on_prem_bgp_as_number,
- on_prem_subnet_cidr = var.on_prem_subnet_cidr
+ transit_vpc_cidr = var.transit_vpc_cidr,
+ data_vpc_public_subnet = var.data_vpc_public_subnet_cidr,
+ vyos_01_public_ip = aws_eip.vyos_01_eip.public_ip,
+ vyos_01_pub_subnet = var.transit_vpc_public_subnet_01_cidr,
+ vyos_01_priv_subnet = var.transit_vpc_private_subnet_01_cidr,
+ vyos_01_pub_nic_ip = aws_network_interface.vyos_01_public_nic.private_ip,
+ vyos_01_priv_nic_ip = aws_network_interface.vyos_01_private_nic.private_ip,
+ vyos_02_pub_nic_ip = aws_network_interface.vyos_02_public_nic.private_ip,
+ vyos_bgp_as_number = var.vyos_bgp_as_number,
+ dns = var.dns,
+ on_prem_public_ip = var.on_prem_public_ip_address,
+ on_prem_bgp_as_number = var.on_prem_bgp_as_number,
+ on_prem_subnet_cidr = var.on_prem_subnet_cidr,
+ route_server_endpoint_01_ip = aws_vpc_route_server_endpoint.vyos_01_endpoint.eni_address,
+ route_server_endpoint_bgp_as_number = aws_vpc_route_server.vyos_route_server.amazon_side_asn
}))
depends_on = [
@@ -96,19 +107,21 @@ resource "aws_instance" "vyos_02" {
availability_zone = var.availability_zone_02
user_data_base64 = base64encode(templatefile("${path.module}/files/vyos_02_user_data.tfpl", {
- transit_vpc_cidr = var.transit_vpc_cidr,
- data_vpc_public_subnet = var.data_vpc_public_subnet_cidr,
- vyos_public_ip_address = aws_eip.vyos_02_eip.public_ip,
- vyos_pub_subnet = var.transit_vpc_public_subnet_02_cidr,
- vyos_priv_subnet = var.transit_vpc_private_subnet_02_cidr,
- vyos_01_pub_nic_ip_address = aws_network_interface.vyos_01_public_nic.private_ip,
- vyos_pub_nic_ip = aws_network_interface.vyos_02_public_nic.private_ip,
- vyos_priv_nic_ip = aws_network_interface.vyos_02_private_nic.private_ip,
- vyos_bgp_as_number = var.vyos_bgp_as_number,
- dns = var.dns,
- on_prem_public_ip_address = var.on_prem_public_ip_address,
- on_prem_bgp_as_number = var.on_prem_bgp_as_number,
- on_prem_subnet_cidr = var.on_prem_subnet_cidr
+ transit_vpc_cidr = var.transit_vpc_cidr,
+ data_vpc_public_subnet = var.data_vpc_public_subnet_cidr,
+ vyos_02_public_ip = aws_eip.vyos_02_eip.public_ip,
+ vyos_02_pub_subnet = var.transit_vpc_public_subnet_02_cidr,
+ vyos_02_priv_subnet = var.transit_vpc_private_subnet_02_cidr,
+ vyos_02_pub_nic_ip = aws_network_interface.vyos_02_public_nic.private_ip,
+ vyos_02_priv_nic_ip = aws_network_interface.vyos_02_private_nic.private_ip,
+ vyos_01_pub_nic_ip = aws_network_interface.vyos_01_public_nic.private_ip,
+ vyos_bgp_as_number = var.vyos_bgp_as_number,
+ dns = var.dns,
+ on_prem_public_ip = var.on_prem_public_ip_address,
+ on_prem_bgp_as_number = var.on_prem_bgp_as_number,
+ on_prem_subnet_cidr = var.on_prem_subnet_cidr,
+ route_server_endpoint_02_ip = aws_vpc_route_server_endpoint.vyos_02_endpoint.eni_address,
+ route_server_endpoint_bgp_as_number = aws_vpc_route_server.vyos_route_server.amazon_side_asn
}))
depends_on = [
@@ -144,6 +157,10 @@ resource "aws_instance" "data_vpc_instance" {
device_index = 0
}
+ depends_on = [
+ aws_network_interface.data_vpc_instance_nic
+ ]
+
tags = {
Name = "${var.prefix}-data-vpc-instance"
}
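Review bot: The added `depends_on = [aws_network_interface.data_vpc_instance_nic]` looks redundant: the `network_interface` block just above (its `network_interface_id` line is outside the hunk) presumably references that NIC already, which gives Terraform the same ordering implicitly. If it was added to work around a real ordering problem, a one-line comment such as `# explicit: <reason>` will stop the next reader from deleting it; otherwise drop the block.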
diff --git a/Terraform/AWS/ha-instances-with-configs/output.tf b/Terraform/AWS/ha-instances-with-configs/output.tf
index 301a3d0..ffe4b41 100644
--- a/Terraform/AWS/ha-instances-with-configs/output.tf
+++ b/Terraform/AWS/ha-instances-with-configs/output.tf
@@ -11,10 +11,6 @@ output "data_vpc_instance_public_ip" {
value = aws_instance.data_vpc_instance.public_ip
}
-output "data_vpc_instance_nic_ip" {
- value = aws_network_interface.data_vpc_instance_nic.private_ip
-}
-
output "ssh_command_for_vyos_01" {
value = "ssh -i keys/vyos_lab_private_key.pem vyos@${aws_instance.vyos_01.public_ip}"
}
diff --git a/Terraform/AWS/ha-instances-with-configs/readme.md b/Terraform/AWS/ha-instances-with-configs/readme.md
index ad1c5bd..0dc53d5 100644
--- a/Terraform/AWS/ha-instances-with-configs/readme.md
+++ b/Terraform/AWS/ha-instances-with-configs/readme.md
@@ -148,94 +148,7 @@ To manage the VyOS instance, use the `vyos_public_ip` from `terraform output`:
```sh
ssh vyos@<vyos_public_ip> -i keys/vyos_lab_private_key.pem
```
-The on-premises VyOS configuration can be found in `files/on-prem-vyos-config.txt`.
-
-## Post-Deployment Operations
-
-**VPC Route Server** is not managed by Terraform and must be deployed manually.
-
-### References
-
-- [How it Works](https://docs.aws.amazon.com/vpc/latest/userguide/route-server-how-it-works.html)
-- [Dynamic Routing Guide](https://docs.aws.amazon.com/vpc/latest/userguide/dynamic-routing-route-server.html)
-- [Tutorial](https://docs.aws.amazon.com/vpc/latest/userguide/route-server-tutorial.html)
-
-## Manual Steps
-
-### Step 1: Required IAM Permissions
-
-```json
-{
- "Version": "2012-10-17",
- "Statement": [
- {"Sid": "CreateRouteServer","Effect": "Allow","Action": ["sns:CreateTopic"],"Resource": "*"},
- {"Sid": "DeleteRouteServer","Effect": "Allow","Action": ["sns:DeleteTopic"],"Resource": "*"},
- {"Sid": "CreateRouteServerEndpoint","Effect": "Allow","Action": [
- "ec2:CreateNetworkInterface","ec2:CreateNetworkInterfacePermission","ec2:CreateSecurityGroup",
- "ec2:DescribeSecurityGroups","ec2:AuthorizeSecurityGroupIngress","ec2:CreateTags","ec2:DeleteTags"
- ],"Resource": "*"},
- {"Sid": "DeleteRouteServerEndpoint","Effect": "Allow","Action": [
- "ec2:DeleteNetworkInterface","ec2:DeleteSecurityGroup","ec2:RevokeSecurityGroupIngress",
- "ec2:CreateTags","ec2:DeleteTags"
- ],"Resource": "*"},
- {"Sid": "CreateRouteServerPeer","Effect": "Allow","Action": ["ec2:AuthorizeSecurityGroupIngress"],"Resource": "*"},
- {"Sid": "DeleteRouteServerPeer","Effect": "Allow","Action": ["ec2:RevokeSecurityGroupIngress"],"Resource": "*"}
- ]
-}
-```
-
-### Step 2–7: Route Server Setup (Summarized)
-
-#### Step 2: Create Route Server
-- Go to AWS Console > VPC > Route Servers > Create
-- Set name, ASN (e.g., `65011`), no persist routes
-
-#### Step 3: Associate with VPC
-
-#### Step 4: Create Route Server Endpoints
-- Create 2 endpoints (1 per VyOS)
-
-#### Step 5: Enable Route Propagation
-- From the Route Server UI → Propagations → Enable
-
-#### Step 6: Create Route Server Peers
-- Create peer for each VyOS using endpoint IP, ASN (65001), BFD
-
-### Step 7: Configure VyOS BGP Sessions
-
-#### VyOS-01
-
-```vyos
-delete protocols bfd peer 172.16.11.115
-set protocols bfd peer <VPC ROUTE SRV ENDPOINT-01 IP> interval multiplier '3'
-set protocols bfd peer <VPC ROUTE SRV ENDPOINT-01 IP> interval receive '300'
-set protocols bfd peer <VPC ROUTE SRV ENDPOINT-01 IP> interval transmit '300'
-
-delete protocols bgp neighbor 172.16.11.115
-set protocols bgp neighbor <VPC ROUTE SRV ENDPOINT-01 IP> address-family ipv4-unicast route-map export 'AS65011-OUT'
-set protocols bgp neighbor <VPC ROUTE SRV ENDPOINT-01 IP> address-family ipv4-unicast soft-reconfiguration inbound
-set protocols bgp neighbor <VPC ROUTE SRV ENDPOINT-01 IP> bfd
-set protocols bgp neighbor <VPC ROUTE SRV ENDPOINT-01 IP> disable-connected-check
-set protocols bgp neighbor <VPC ROUTE SRV ENDPOINT-01 IP> remote-as '65011'
-set protocols bgp neighbor <VPC ROUTE SRV ENDPOINT-01 IP> timers holdtime '30'
-```
-
-#### VyOS-02
-
-```vyos
-delete protocols bfd peer 172.16.21.177
-set protocols bfd peer <VPC ROUTE SRV ENDPOINT-02 IP> interval multiplier '3'
-set protocols bfd peer <VPC ROUTE SRV ENDPOINT-02 IP> interval receive '300'
-set protocols bfd peer <VPC ROUTE SRV ENDPOINT-02 IP> interval transmit '300'
-
-delete protocols bgp neighbor 172.16.21.177
-set protocols bgp neighbor <VPC ROUTE SRV ENDPOINT-02 IP> address-family ipv4-unicast route-map export 'AS65011-OUT'
-set protocols bgp neighbor <VPC ROUTE SRV ENDPOINT-02 IP> address-family ipv4-unicast soft-reconfiguration inbound
-set protocols bgp neighbor <VPC ROUTE SRV ENDPOINT-02 IP> bfd
-set protocols bgp neighbor <VPC ROUTE SRV ENDPOINT-02 IP> disable-connected-check
-set protocols bgp neighbor <VPC ROUTE SRV ENDPOINT-02 IP> remote-as '65011'
-set protocols bgp neighbor <VPC ROUTE SRV ENDPOINT-02 IP> timers holdtime '30'
-```
+The on-premises VyOS configuration can be found in `files/on-prem-vyos-config.txt`
## Destroying Resources
diff --git a/Terraform/AWS/ha-instances-with-configs/transit_gateway.tf b/Terraform/AWS/ha-instances-with-configs/transit_gateway.tf
index afe6b2d..e7b4509 100644
--- a/Terraform/AWS/ha-instances-with-configs/transit_gateway.tf
+++ b/Terraform/AWS/ha-instances-with-configs/transit_gateway.tf
@@ -59,7 +59,7 @@ resource "aws_ec2_transit_gateway_route" "azure" {
transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.transit_vpc_attachment.id
}
-# TRANSIT GATEWAY ASSOCIATION and PROPAGATION
+# TRANSIT GATEWAY ASSOSIATION and PROPAGATION
resource "aws_ec2_transit_gateway_route_table_association" "transit_vpc_rt_assoc" {
transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.transit_vpc_attachment.id
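Review bot: The only change in this hunk replaces the correctly spelled `# TRANSIT GATEWAY ASSOCIATION and PROPAGATION` with `ASSOSIATION`, which reads like an accidental revert rather than an intended edit. Restore `# TRANSIT GATEWAY ASSOCIATION and PROPAGATION`.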
diff --git a/Terraform/AWS/ha-instances-with-configs/variables.tf b/Terraform/AWS/ha-instances-with-configs/variables.tf
index 3d299ac..58009aa 100644
--- a/Terraform/AWS/ha-instances-with-configs/variables.tf
+++ b/Terraform/AWS/ha-instances-with-configs/variables.tf
@@ -142,7 +142,7 @@ variable "data_vpc_public_subnet_name" {
}
variable "data_vpc_private_subnet_name" {
- description = "The name of the private subnet"
+ description = "The name of the private subnet 01"
type = string
default = "priv-subnet"
}
diff --git a/Terraform/AWS/ha-instances-with-configs/vpc_route_server.tf b/Terraform/AWS/ha-instances-with-configs/vpc_route_server.tf
new file mode 100644
index 0000000..8bc565e
--- /dev/null
+++ b/Terraform/AWS/ha-instances-with-configs/vpc_route_server.tf
@@ -0,0 +1,98 @@
+# VPC ROUTE SERVER
+resource "aws_vpc_route_server" "vyos_route_server" {
+ amazon_side_asn = 65011
+ tags = {
+ Name = join("-", [var.prefix, "vyos-route-server"])
+ }
+}
+
+# VPC ROUTE SERVER ASSOCIATION
+resource "aws_vpc_route_server_vpc_association" "vyos_association" {
+ route_server_id = aws_vpc_route_server.vyos_route_server.route_server_id
+ vpc_id = aws_vpc.transit_vpc.id
+}
+
+# VPC ROUTE SERVER ENDPOINTS
+resource "aws_vpc_route_server_endpoint" "vyos_01_endpoint" {
+ route_server_id = aws_vpc_route_server.vyos_route_server.route_server_id
+ subnet_id = aws_subnet.transit_vpc_private_subnet_01.id
+
+ tags = {
+ Name = join("-", [var.prefix, "vyos-route-server", "vyos-01"])
+ }
+
+ depends_on = [
+ aws_vpc_route_server_vpc_association.vyos_association
+ ]
+}
+
+resource "aws_vpc_route_server_endpoint" "vyos_02_endpoint" {
+ route_server_id = aws_vpc_route_server.vyos_route_server.route_server_id
+ subnet_id = aws_subnet.transit_vpc_private_subnet_02.id
+
+ tags = {
+ Name = join("-", [var.prefix, "vyos-route-server", "vyos-02"])
+ }
+
+ depends_on = [
+ aws_vpc_route_server_vpc_association.vyos_association
+ ]
+
+}
+
+# VPC ROUTE SERVER PEERS
+resource "aws_vpc_route_server_peer" "vyos_01_peer" {
+ route_server_endpoint_id = aws_vpc_route_server_endpoint.vyos_01_endpoint.route_server_endpoint_id
+ peer_address = aws_network_interface.vyos_01_private_nic.private_ip
+ bgp_options {
+ peer_asn = var.vyos_bgp_as_number
+ peer_liveness_detection = "bfd"
+ }
+
+ tags = {
+ Name = "vyos-01-peer"
+ }
+
+ depends_on = [
+ aws_vpc_route_server_endpoint.vyos_01_endpoint
+ ]
+}
+
+
+resource "aws_vpc_route_server_peer" "vyos_02_peer" {
+ route_server_endpoint_id = aws_vpc_route_server_endpoint.vyos_02_endpoint.route_server_endpoint_id
+ peer_address = aws_network_interface.vyos_02_private_nic.private_ip
+ bgp_options {
+ peer_asn = var.vyos_bgp_as_number
+ peer_liveness_detection = "bfd"
+ }
+
+ tags = {
+ Name = "vyos-02-peer"
+ }
+
+ depends_on = [
+ aws_vpc_route_server_endpoint.vyos_02_endpoint
+ ]
+}
+
+# VPC ROUTE SERVER PROPOGATIONS
+resource "aws_vpc_route_server_propagation" "vyos_01_propagation" {
+ route_server_id = aws_vpc_route_server.vyos_route_server.route_server_id
+ route_table_id = aws_route_table.transit_vpc_private_rtb_01.id
+
+ depends_on = [
+ aws_vpc_route_server_peer.vyos_01_peer,
+ aws_route_table.transit_vpc_private_rtb_01
+ ]
+}
+
+resource "aws_vpc_route_server_propagation" "vyos_02_propagation" {
+ route_server_id = aws_vpc_route_server.vyos_route_server.route_server_id
+ route_table_id = aws_route_table.transit_vpc_private_rtb_02.id
+
+ depends_on = [
+ aws_vpc_route_server_peer.vyos_02_peer,
+ aws_route_table.transit_vpc_private_rtb_02
+ ]
+} \ No newline at end of file
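Review bot: Once the two `aws_vpc_route_server_propagation` resources are in place, every prefix a VyOS instance advertises to its endpoint is written into `transit_vpc_private_rtb_01`/`_02`, so a compromised or misconfigured VyOS (or a route it learns from the Azure/on-prem peers and re-exports) can redirect the whole private routing domain; the only guard is the `AS65011-OUT` export route-map on the VyOS side, which deserves a comment above these resources (`# Only prefixes permitted by the VyOS AS65011-OUT route-map reach these route tables; keep that policy tight.`). It is also worth confirming, since it is not in this diff, that the private NIC security groups allow TCP/179 and BFD from the endpoint ENI addresses. Two smaller points: the peer tags use bare `"vyos-01-peer"`/`"vyos-02-peer"` while every other `Name` in the file is built from `var.prefix`, so use `join("-", [var.prefix, "vyos-01-peer"])`, and `amazon_side_asn = 65011` could become a variable next to `vyos_bgp_as_number` now that the templates read it from the resource attribute. The `depends_on` lists on the peers and propagations duplicate the implicit references through `route_server_endpoint_id` and `route_table_id` and can be removed.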