authorDaniil Baturin <daniil@vyos.io>2025-06-24 15:27:28 +0100
committerGitHub <noreply@github.com>2025-06-24 15:27:28 +0100
commitd641a40e515ad2c8ad5257d34178f14746ab4348 (patch)
tree6b943f142760e022fba18466be75c3e801c01dbd
parentfc9128e33469aea2b65b81589a3e9c9399ddc0c7 (diff)
parent9fffee3ecbf3830d0b6df4fbb3e00ee745e3956a (diff)
Merge pull request #6 from aslanvyos/main
Terraform project for VyOS HA deployment on AWS
-rw-r--r--Terraform/AWS/ha-instances-with-configs/diagram/VyOS-HA-setup-on-AWS.pngbin0 -> 55522 bytes
-rw-r--r--Terraform/AWS/ha-instances-with-configs/files/on-prem-vyos-config.txt84
-rw-r--r--Terraform/AWS/ha-instances-with-configs/files/vyos_01_user_data.tfpl108
-rw-r--r--Terraform/AWS/ha-instances-with-configs/files/vyos_02_user_data.tfpl108
-rw-r--r--Terraform/AWS/ha-instances-with-configs/keys/vyos_lab_private_key.pem27
-rw-r--r--Terraform/AWS/ha-instances-with-configs/keys/vyos_lab_public_key.pem1
-rw-r--r--Terraform/AWS/ha-instances-with-configs/main.tf223
-rw-r--r--Terraform/AWS/ha-instances-with-configs/network.tf326
-rw-r--r--Terraform/AWS/ha-instances-with-configs/output.tf24
-rw-r--r--Terraform/AWS/ha-instances-with-configs/provider.tf22
-rw-r--r--Terraform/AWS/ha-instances-with-configs/readme.md159
-rw-r--r--Terraform/AWS/ha-instances-with-configs/security_groups.tf222
-rw-r--r--Terraform/AWS/ha-instances-with-configs/transit_gateway.tf82
-rw-r--r--Terraform/AWS/ha-instances-with-configs/variables.tf259
-rw-r--r--Terraform/AWS/ha-instances-with-configs/vpc_route_server.tf98
15 files changed, 1743 insertions, 0 deletions
diff --git a/Terraform/AWS/ha-instances-with-configs/diagram/VyOS-HA-setup-on-AWS.png b/Terraform/AWS/ha-instances-with-configs/diagram/VyOS-HA-setup-on-AWS.png
new file mode 100644
index 0000000..043f28f
--- /dev/null
+++ b/Terraform/AWS/ha-instances-with-configs/diagram/VyOS-HA-setup-on-AWS.png
Binary files differ
diff --git a/Terraform/AWS/ha-instances-with-configs/files/on-prem-vyos-config.txt b/Terraform/AWS/ha-instances-with-configs/files/on-prem-vyos-config.txt
new file mode 100644
index 0000000..242161f
--- /dev/null
+++ b/Terraform/AWS/ha-instances-with-configs/files/on-prem-vyos-config.txt
@@ -0,0 +1,84 @@
+ - set system host-name 'VyOS-for-On-Prem'
+ - set system login banner pre-login 'Welcome to the VyOS for DEMO'
+ - set interfaces ethernet eth0 description 'WAN'
+ - set interfaces ethernet eth1 description 'LAN'
+ - set interfaces ethernet eth1 dhcp-options no-default-route
+ - set system name-server '<DNS>'
+ - set service dns forwarding name-server '<DNS>'
+ - set service dns forwarding listen-address '<VYOS_PRIV_NIC_IP>'
+ - set service dns forwarding allow-from '<VYOS_CIDR>'
+ - set service dns forwarding no-serve-rfc1918
+ - set nat source rule 10 outbound-interface name 'eth0'
+ - set nat source rule 10 source address '<VYOS_CIDR>'
+ - set nat source rule 10 translation address 'masquerade'
+ - set vpn ipsec interface 'eth0'
+ - set vpn ipsec esp-group AWS lifetime '3600'
+ - set vpn ipsec esp-group AWS mode 'tunnel'
+ - set vpn ipsec esp-group AWS pfs 'dh-group2'
+ - set vpn ipsec esp-group AWS proposal 1 encryption 'aes256'
+ - set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
+ - set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
+ - set vpn ipsec ike-group AWS dead-peer-detection interval '15'
+ - set vpn ipsec ike-group AWS ikev2-reauth
+ - set vpn ipsec ike-group AWS key-exchange 'ikev2'
+ - set vpn ipsec ike-group AWS lifetime '28800'
+ - set vpn ipsec ike-group AWS proposal 1 dh-group '2'
+ - set vpn ipsec ike-group AWS proposal 1 encryption 'aes256'
+ - set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
+ - set vpn ipsec ike-group AWS close-action start
+ - set vpn ipsec option disable-route-autoinstall
+ - set interfaces vti vti1 address '10.2.100.11/32'
+ - set interfaces vti vti1 description 'Tunnel for VyOS-01 in AWS'
+ - set interfaces vti vti1 ip adjust-mss '1350'
+ - set interfaces vti vti2 address '10.2.100.12/32'
+ - set interfaces vti vti2 description 'Tunnel for VyOS-02 in AWS'
+ - set interfaces vti vti2 ip adjust-mss '1350'
+ - set protocols bfd peer 10.1.100.11 interval multiplier '3'
+ - set protocols bfd peer 10.1.100.11 interval receive '300'
+ - set protocols bfd peer 10.1.100.11 interval transmit '300'
+ - set protocols bfd peer 10.1.100.12 interval multiplier '3'
+ - set protocols bfd peer 10.1.100.12 interval receive '300'
+ - set protocols bfd peer 10.1.100.12 interval transmit '300'
+ - set protocols static route 10.1.100.11/32 interface vti1
+ - set protocols static route 10.1.100.12/32 interface vti2
+ - set vpn ipsec authentication psk VyOS id '<VYOS_PUBLIC_IP>'
+ - set vpn ipsec authentication psk VyOS id '<AWS_VYOS_PUBLIC_IP_01>'
+ - set vpn ipsec authentication psk VyOS id '<AWS_VYOS_PUBLIC_IP_02>'
+ - set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'
+ - set vpn ipsec site-to-site peer AWS-VyOS-01 authentication local-id '<VYOS_PUBLIC_IP>'
+ - set vpn ipsec site-to-site peer AWS-VyOS-01 authentication mode 'pre-shared-secret'
+ - set vpn ipsec site-to-site peer AWS-VyOS-01 authentication remote-id '<AWS_VYOS_PUBLIC_IP_01>'
+ - set vpn ipsec site-to-site peer AWS-VyOS-01 connection-type 'none'
+ - set vpn ipsec site-to-site peer AWS-VyOS-01 description 'TUNNEL to VyOS on AWS'
+ - set vpn ipsec site-to-site peer AWS-VyOS-01 ike-group 'AWS'
+ - set vpn ipsec site-to-site peer AWS-VyOS-01 ikev2-reauth 'inherit'
+ - set vpn ipsec site-to-site peer AWS-VyOS-01 local-address '<vyos_pub_nic_ip>'
+ - set vpn ipsec site-to-site peer AWS-VyOS-01 remote-address '<AWS_VYOS_PUBLIC_IP_01>'
+ - set vpn ipsec site-to-site peer AWS-VyOS-01 vti bind 'vti1'
+ - set vpn ipsec site-to-site peer AWS-VyOS-01 vti esp-group 'AWS'
+ - set vpn ipsec site-to-site peer AWS-VyOS-02 authentication local-id '<VYOS_PUBLIC_IP>'
+ - set vpn ipsec site-to-site peer AWS-VyOS-02 authentication mode 'pre-shared-secret'
+ - set vpn ipsec site-to-site peer AWS-VyOS-02 authentication remote-id '<AWS_VYOS_PUBLIC_IP_02>'
+ - set vpn ipsec site-to-site peer AWS-VyOS-02 connection-type 'none'
+ - set vpn ipsec site-to-site peer AWS-VyOS-02 description 'TUNNEL to VyOS on AWS'
+ - set vpn ipsec site-to-site peer AWS-VyOS-02 ike-group 'AWS'
+ - set vpn ipsec site-to-site peer AWS-VyOS-02 ikev2-reauth 'inherit'
+ - set vpn ipsec site-to-site peer AWS-VyOS-02 local-address '<vyos_pub_nic_ip>'
+ - set vpn ipsec site-to-site peer AWS-VyOS-02 remote-address '<AWS_VYOS_PUBLIC_IP_02>'
+ - set vpn ipsec site-to-site peer AWS-VyOS-02 vti bind 'vti2'
+ - set vpn ipsec site-to-site peer AWS-VyOS-02 vti esp-group 'AWS'
+ - set protocols bgp system-as '<vyos_bgp_as_number>'
+ - set protocols bgp address-family ipv4-unicast network <VYOS_CIDR>
+ - set protocols bgp neighbor 10.1.100.11 remote-as '<on_prem_bgp_as_number>'
+ - set protocols bgp neighbor 10.1.100.11 address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor 10.1.100.11 timers holdtime '30'
+ - set protocols bgp neighbor 10.1.100.11 bfd
+ - set protocols bgp neighbor 10.1.100.11 disable-connected-check
+ - set protocols bgp neighbor 10.1.100.11 update-source '10.2.100.11'
+ - set protocols bgp neighbor 10.1.100.12 remote-as '<on_prem_bgp_as_number>'
+ - set protocols bgp neighbor 10.1.100.12 address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor 10.1.100.12 timers holdtime '30'
+ - set protocols bgp neighbor 10.1.100.12 bfd
+ - set protocols bgp neighbor 10.1.100.12 disable-connected-check
+ - set protocols bgp neighbor 10.1.100.12 update-source '10.2.100.12'
+
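Review bot: The pre-shared key on `set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'` is the only value in this sample that is not a `<PLACEHOLDER>`, so anyone applying it verbatim ends up with a published secret on a live tunnel; it should read `'<IPSEC_PSK>'` like the other site-specific values. The same literal is repeated in files/vyos_01_user_data.tfpl and files/vyos_02_user_data.tfpl, where it should instead become a `${ipsec_psk}` template variable supplied from the `templatefile()` map in main.tf and backed by a Terraform variable marked `sensitive = true`, so the secret never lives in the repository. The `local-address '<vyos_pub_nic_ip>'` placeholder on both peers uses a different case and naming from the rest (`<VYOS_PUBLIC_IP>`, `<VYOS_CIDR>`) and presumably means the on-prem router's own interface address; it should be named consistently so it is not confused with the public IP. The IKE and ESP proposals use `hash 'sha1'` and `dh-group '2'`; unless the remote side requires them, a sample config should default to a SHA-2 hash and a larger DH group.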
diff --git a/Terraform/AWS/ha-instances-with-configs/files/vyos_01_user_data.tfpl b/Terraform/AWS/ha-instances-with-configs/files/vyos_01_user_data.tfpl
new file mode 100644
index 0000000..e8df410
--- /dev/null
+++ b/Terraform/AWS/ha-instances-with-configs/files/vyos_01_user_data.tfpl
@@ -0,0 +1,108 @@
+#cloud-config
+vyos_config_commands:
+ - set system host-name 'VyOS-01-on-AWS'
+ - set system login banner pre-login 'Welcome to the VyOS for DEMO on AWS'
+ - set interfaces ethernet eth0 description 'WAN'
+ - set interfaces ethernet eth1 description 'LAN'
+ - set interfaces ethernet eth1 dhcp-options no-default-route
+ - set system name-server '${dns}'
+ - set service dns forwarding name-server '${dns}'
+ - set service dns forwarding listen-address '${vyos_01_priv_nic_ip}'
+ - set service dns forwarding allow-from '${transit_vpc_cidr}'
+ - set service dns forwarding no-serve-rfc1918
+ - set nat source rule 10 outbound-interface name 'eth0'
+ - set nat source rule 10 source address '${transit_vpc_cidr}'
+ - set nat source rule 10 translation address 'masquerade'
+ - set vpn ipsec interface 'eth0'
+ - set vpn ipsec esp-group AZURE lifetime '3600'
+ - set vpn ipsec esp-group AZURE mode 'tunnel'
+ - set vpn ipsec esp-group AZURE pfs 'dh-group2'
+ - set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256'
+ - set vpn ipsec esp-group AZURE proposal 1 hash 'sha1'
+ - set vpn ipsec ike-group AZURE dead-peer-detection action 'restart'
+ - set vpn ipsec ike-group AZURE dead-peer-detection interval '15'
+ - set vpn ipsec ike-group AZURE ikev2-reauth
+ - set vpn ipsec ike-group AZURE key-exchange 'ikev2'
+ - set vpn ipsec ike-group AZURE lifetime '28800'
+ - set vpn ipsec ike-group AZURE proposal 1 dh-group '2'
+ - set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256'
+ - set vpn ipsec ike-group AZURE proposal 1 hash 'sha1'
+ - set vpn ipsec ike-group AZURE close-action start
+ - set vpn ipsec option disable-route-autoinstall
+ - set interfaces vti vti1 address '10.1.100.11/32'
+ - set interfaces vti vti1 description 'Tunnel for VyOS in Azure'
+ - set interfaces vti vti1 ip adjust-mss '1350'
+ - set protocols static route 10.2.100.11/32 interface vti1
+ - set protocols static route ${vyos_01_pub_subnet} blackhole distance '254'
+ - set protocols static route ${vyos_01_priv_subnet} blackhole distance '254'
+ - set vpn ipsec authentication psk VyOS id '${vyos_01_public_ip}'
+ - set vpn ipsec authentication psk VyOS id '${on_prem_public_ip}'
+ - set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'
+ - set vpn ipsec site-to-site peer AZURE authentication local-id '${vyos_01_public_ip}'
+ - set vpn ipsec site-to-site peer AZURE authentication mode 'pre-shared-secret'
+ - set vpn ipsec site-to-site peer AZURE authentication remote-id '${on_prem_public_ip}'
+ - set vpn ipsec site-to-site peer AZURE connection-type 'initiate'
+ - set vpn ipsec site-to-site peer AZURE description 'TUNNEL to VyOS on AZURE'
+ - set vpn ipsec site-to-site peer AZURE ike-group 'AZURE'
+ - set vpn ipsec site-to-site peer AZURE ikev2-reauth 'inherit'
+ - set vpn ipsec site-to-site peer AZURE local-address '${vyos_01_pub_nic_ip}'
+ - set vpn ipsec site-to-site peer AZURE remote-address '${on_prem_public_ip}'
+ - set vpn ipsec site-to-site peer AZURE vti bind 'vti1'
+ - set vpn ipsec site-to-site peer AZURE vti esp-group 'AZURE'
+ - set policy prefix-list AS65001-OUT rule 10 action 'permit'
+ - set policy prefix-list AS65001-OUT rule 10 prefix '${data_vpc_public_subnet}'
+ - set policy prefix-list AS65001-OUT rule 20 action 'permit'
+ - set policy prefix-list AS65001-OUT rule 20 prefix '${transit_vpc_cidr}'
+ - set policy prefix-list AS65001-OUT rule 20 ge '24'
+ - set policy prefix-list AS65001-OUT rule 30 action 'permit'
+ - set policy prefix-list AS65001-OUT rule 30 prefix '${on_prem_subnet_cidr}'
+ - set policy prefix-list AS65001-OUT rule 30 ge '24'
+ - set policy prefix-list AS65002-OUT rule 10 action 'permit'
+ - set policy prefix-list AS65002-OUT rule 10 prefix '${transit_vpc_cidr}'
+ - set policy prefix-list AS65002-OUT rule 10 ge '24'
+ - set policy prefix-list AS65002-OUT rule 20 action 'permit'
+ - set policy prefix-list AS65002-OUT rule 20 prefix '${data_vpc_public_subnet}'
+ - set policy prefix-list AS65002-OUT rule 20 ge '24'
+ - set policy prefix-list AS65011-OUT rule 10 action 'permit'
+ - set policy prefix-list AS65011-OUT rule 10 prefix '${on_prem_subnet_cidr}'
+ - set policy prefix-list AS65011-OUT rule 10 ge '24'
+ - set policy route-map AS65001-OUT rule 20 action 'permit'
+ - set policy route-map AS65001-OUT rule 20 match ip address prefix-list 'AS65001-OUT'
+ - set policy route-map AS65002-OUT rule 20 action 'permit'
+ - set policy route-map AS65002-OUT rule 20 match ip address prefix-list 'AS65002-OUT'
+ - set policy route-map AS65011-OUT rule 10 action 'permit'
+ - set policy route-map AS65011-OUT rule 10 match ip address prefix-list 'AS65011-OUT'
+ - set protocols bfd peer ${vyos_02_pub_nic_ip} interval multiplier '3'
+ - set protocols bfd peer ${vyos_02_pub_nic_ip} interval receive '300'
+ - set protocols bfd peer ${vyos_02_pub_nic_ip} interval transmit '300'
+ - set protocols bfd peer ${route_server_endpoint_01_ip} interval multiplier '3'
+ - set protocols bfd peer ${route_server_endpoint_01_ip} interval receive '300'
+ - set protocols bfd peer ${route_server_endpoint_01_ip} interval transmit '300'
+ - set protocols bfd peer 10.2.100.11 interval multiplier '3'
+ - set protocols bfd peer 10.2.100.11 interval receive '300'
+ - set protocols bfd peer 10.2.100.11 interval transmit '300'
+ - set protocols bgp system-as '${vyos_bgp_as_number}'
+ - set protocols bgp address-family ipv4-unicast network ${data_vpc_public_subnet}
+ - set protocols bgp address-family ipv4-unicast redistribute connected
+ - set protocols bgp neighbor 10.2.100.11 remote-as '${on_prem_bgp_as_number}'
+ - set protocols bgp neighbor 10.2.100.11 address-family ipv4-unicast route-map export 'AS65002-OUT'
+ - set protocols bgp neighbor 10.2.100.11 address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor 10.2.100.11 timers holdtime '30'
+ - set protocols bgp neighbor 10.2.100.11 bfd
+ - set protocols bgp neighbor 10.2.100.11 disable-connected-check
+ - set protocols bgp neighbor 10.2.100.11 update-source '10.1.100.11'
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} address-family ipv4-unicast nexthop-self force
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} address-family ipv4-unicast route-map export 'AS65001-OUT'
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} disable-connected-check
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} remote-as '${vyos_bgp_as_number}'
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} timers holdtime '30'
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} bfd
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} update-source '${vyos_01_pub_nic_ip}'
+ - set protocols bgp neighbor ${route_server_endpoint_01_ip} address-family ipv4-unicast route-map export 'AS65011-OUT'
+ - set protocols bgp neighbor ${route_server_endpoint_01_ip} address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor ${route_server_endpoint_01_ip} disable-connected-check
+ - set protocols bgp neighbor ${route_server_endpoint_01_ip} remote-as '${route_server_endpoint_bgp_as_number}'
+ - set protocols bgp neighbor ${route_server_endpoint_01_ip} timers holdtime '30'
+ - set protocols bgp neighbor ${route_server_endpoint_01_ip} bfd
+ - set protocols bgp neighbor ${route_server_endpoint_01_ip} update-source '${vyos_01_priv_nic_ip}'
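Review bot: The esp-group, ike-group and site-to-site peer are all named `AZURE`, and the vti and peer descriptions say `'Tunnel for VyOS in Azure'` and `'TUNNEL to VyOS on AZURE'`, although the remote end is the on-prem VyOS router (`${on_prem_public_ip}`) in an AWS deployment; this looks like residue from another template and will mislead whoever troubleshoots the tunnel. Rename the groups and peer to something like `ON-PREM` and set the descriptions to `'Tunnel to on-prem VyOS'`; the same text appears in files/vyos_02_user_data.tfpl. The blackhole routes for `${vyos_01_pub_subnet}` and `${vyos_01_priv_subnet}` are not explained; a short comment in the template such as `# blackhole the local subnets so they are advertised via 'redistribute connected' without leaking a more specific path` would help, assuming that is the intent — confirm with the author.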
diff --git a/Terraform/AWS/ha-instances-with-configs/files/vyos_02_user_data.tfpl b/Terraform/AWS/ha-instances-with-configs/files/vyos_02_user_data.tfpl
new file mode 100644
index 0000000..38535e6
--- /dev/null
+++ b/Terraform/AWS/ha-instances-with-configs/files/vyos_02_user_data.tfpl
@@ -0,0 +1,108 @@
+#cloud-config
+vyos_config_commands:
+ - set system host-name 'VyOS-02-on-AWS'
+ - set system login banner pre-login 'Welcome to the VyOS for DEMO on AWS'
+ - set interfaces ethernet eth0 description 'WAN'
+ - set interfaces ethernet eth1 description 'LAN'
+ - set interfaces ethernet eth1 dhcp-options no-default-route
+ - set system name-server '${dns}'
+ - set service dns forwarding name-server '${dns}'
+ - set service dns forwarding listen-address '${vyos_02_priv_nic_ip}'
+ - set service dns forwarding allow-from '${transit_vpc_cidr}'
+ - set service dns forwarding no-serve-rfc1918
+ - set nat source rule 10 outbound-interface name 'eth0'
+ - set nat source rule 10 source address '${transit_vpc_cidr}'
+ - set nat source rule 10 translation address 'masquerade'
+ - set vpn ipsec interface 'eth0'
+ - set vpn ipsec esp-group AZURE lifetime '3600'
+ - set vpn ipsec esp-group AZURE mode 'tunnel'
+ - set vpn ipsec esp-group AZURE pfs 'dh-group2'
+ - set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256'
+ - set vpn ipsec esp-group AZURE proposal 1 hash 'sha1'
+ - set vpn ipsec ike-group AZURE dead-peer-detection action 'restart'
+ - set vpn ipsec ike-group AZURE dead-peer-detection interval '15'
+ - set vpn ipsec ike-group AZURE ikev2-reauth
+ - set vpn ipsec ike-group AZURE key-exchange 'ikev2'
+ - set vpn ipsec ike-group AZURE lifetime '28800'
+ - set vpn ipsec ike-group AZURE proposal 1 dh-group '2'
+ - set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256'
+ - set vpn ipsec ike-group AZURE proposal 1 hash 'sha1'
+ - set vpn ipsec ike-group AZURE close-action start
+ - set vpn ipsec option disable-route-autoinstall
+ - set interfaces vti vti1 address '10.1.100.12/32'
+ - set interfaces vti vti1 description 'Tunnel for VyOS in Azure'
+ - set interfaces vti vti1 ip adjust-mss '1350'
+ - set protocols static route 10.2.100.12/32 interface vti1
+ - set protocols static route ${vyos_02_pub_subnet} blackhole distance '254'
+ - set protocols static route ${vyos_02_priv_subnet} blackhole distance '254'
+ - set vpn ipsec authentication psk VyOS id '${vyos_02_public_ip}'
+ - set vpn ipsec authentication psk VyOS id '${on_prem_public_ip}'
+ - set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'
+ - set vpn ipsec site-to-site peer AZURE authentication local-id '${vyos_02_public_ip}'
+ - set vpn ipsec site-to-site peer AZURE authentication mode 'pre-shared-secret'
+ - set vpn ipsec site-to-site peer AZURE authentication remote-id '${on_prem_public_ip}'
+ - set vpn ipsec site-to-site peer AZURE connection-type 'initiate'
+ - set vpn ipsec site-to-site peer AZURE description 'TUNNEL to VyOS on AZURE'
+ - set vpn ipsec site-to-site peer AZURE ike-group 'AZURE'
+ - set vpn ipsec site-to-site peer AZURE ikev2-reauth 'inherit'
+ - set vpn ipsec site-to-site peer AZURE local-address '${vyos_02_pub_nic_ip}'
+ - set vpn ipsec site-to-site peer AZURE remote-address '${on_prem_public_ip}'
+ - set vpn ipsec site-to-site peer AZURE vti bind 'vti1'
+ - set vpn ipsec site-to-site peer AZURE vti esp-group 'AZURE'
+ - set policy prefix-list AS65001-OUT rule 10 action 'permit'
+ - set policy prefix-list AS65001-OUT rule 10 prefix '${data_vpc_public_subnet}'
+ - set policy prefix-list AS65001-OUT rule 20 action 'permit'
+ - set policy prefix-list AS65001-OUT rule 20 prefix '${transit_vpc_cidr}'
+ - set policy prefix-list AS65001-OUT rule 20 ge '24'
+ - set policy prefix-list AS65001-OUT rule 30 action 'permit'
+ - set policy prefix-list AS65001-OUT rule 30 prefix '${on_prem_subnet_cidr}'
+ - set policy prefix-list AS65001-OUT rule 30 ge '24'
+ - set policy prefix-list AS65002-OUT rule 10 action 'permit'
+ - set policy prefix-list AS65002-OUT rule 10 prefix '${transit_vpc_cidr}'
+ - set policy prefix-list AS65002-OUT rule 10 ge '24'
+ - set policy prefix-list AS65002-OUT rule 20 action 'permit'
+ - set policy prefix-list AS65002-OUT rule 20 prefix '${data_vpc_public_subnet}'
+ - set policy prefix-list AS65002-OUT rule 20 ge '24'
+ - set policy prefix-list AS65011-OUT rule 10 action 'permit'
+ - set policy prefix-list AS65011-OUT rule 10 prefix '${on_prem_subnet_cidr}'
+ - set policy prefix-list AS65011-OUT rule 10 ge '24'
+ - set policy route-map AS65001-OUT rule 20 action 'permit'
+ - set policy route-map AS65001-OUT rule 20 match ip address prefix-list 'AS65001-OUT'
+ - set policy route-map AS65002-OUT rule 20 action 'permit'
+ - set policy route-map AS65002-OUT rule 20 match ip address prefix-list 'AS65002-OUT'
+ - set policy route-map AS65011-OUT rule 10 action 'permit'
+ - set policy route-map AS65011-OUT rule 10 match ip address prefix-list 'AS65011-OUT'
+ - set protocols bfd peer ${vyos_01_pub_nic_ip} interval multiplier '3'
+ - set protocols bfd peer ${vyos_01_pub_nic_ip} interval receive '300'
+ - set protocols bfd peer ${vyos_01_pub_nic_ip} interval transmit '300'
+ - set protocols bfd peer ${route_server_endpoint_02_ip} interval multiplier '3'
+ - set protocols bfd peer ${route_server_endpoint_02_ip} interval receive '300'
+ - set protocols bfd peer ${route_server_endpoint_02_ip} interval transmit '300'
+ - set protocols bfd peer 10.2.100.12 interval multiplier '3'
+ - set protocols bfd peer 10.2.100.12 interval receive '300'
+ - set protocols bfd peer 10.2.100.12 interval transmit '300'
+ - set protocols bgp system-as '${vyos_bgp_as_number}'
+ - set protocols bgp address-family ipv4-unicast network ${data_vpc_public_subnet}
+ - set protocols bgp address-family ipv4-unicast redistribute connected
+ - set protocols bgp neighbor 10.2.100.12 remote-as '${on_prem_bgp_as_number}'
+ - set protocols bgp neighbor 10.2.100.12 address-family ipv4-unicast route-map export 'AS65002-OUT'
+ - set protocols bgp neighbor 10.2.100.12 address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor 10.2.100.12 timers holdtime '30'
+ - set protocols bgp neighbor 10.2.100.12 bfd
+ - set protocols bgp neighbor 10.2.100.12 disable-connected-check
+ - set protocols bgp neighbor 10.2.100.12 update-source '10.1.100.12'
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} address-family ipv4-unicast nexthop-self force
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} address-family ipv4-unicast route-map export 'AS65001-OUT'
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} disable-connected-check
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} remote-as '${vyos_bgp_as_number}'
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} timers holdtime '30'
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} bfd
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} update-source '${vyos_02_pub_nic_ip}'
+ - set protocols bgp neighbor ${route_server_endpoint_02_ip} address-family ipv4-unicast route-map export 'AS65011-OUT'
+ - set protocols bgp neighbor ${route_server_endpoint_02_ip} address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor ${route_server_endpoint_02_ip} disable-connected-check
+ - set protocols bgp neighbor ${route_server_endpoint_02_ip} remote-as '${route_server_endpoint_bgp_as_number}'
+ - set protocols bgp neighbor ${route_server_endpoint_02_ip} timers holdtime '30'
+ - set protocols bgp neighbor ${route_server_endpoint_02_ip} bfd
+ - set protocols bgp neighbor ${route_server_endpoint_02_ip} update-source '${vyos_02_priv_nic_ip}'
diff --git a/Terraform/AWS/ha-instances-with-configs/keys/vyos_lab_private_key.pem b/Terraform/AWS/ha-instances-with-configs/keys/vyos_lab_private_key.pem
new file mode 100644
index 0000000..4c8d388
--- /dev/null
+++ b/Terraform/AWS/ha-instances-with-configs/keys/vyos_lab_private_key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
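Review bot: An RSA private key is committed at keys/vyos_lab_private_key.pem; once it is in git history it has to be treated as disclosed, so this key pair should be revoked and regenerated locally rather than shipped with the project. main.tf already reads the public key from `file(var.public_key_path)`, so the repository only needs a README step to generate a key pair and a `.gitignore` entry for `keys/*.pem`. The matching hunk for keys/vyos_lab_public_key.pem also embeds the author's workstation comment `Admin@DESKTOP-R1T9R87`, which should be dropped when the key is regenerated.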
diff --git a/Terraform/AWS/ha-instances-with-configs/keys/vyos_lab_public_key.pem b/Terraform/AWS/ha-instances-with-configs/keys/vyos_lab_public_key.pem
new file mode 100644
index 0000000..2b662ee
--- /dev/null
+++ b/Terraform/AWS/ha-instances-with-configs/keys/vyos_lab_public_key.pem
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9mPxTvrtc7zjCz56eDRu+KrSFS9z6I/arkZz7dc8NYS7dL2xqMGy+0S4vOVmTlBOFHFF+MW4HWH6tYsk3aprC/3vyqlzJKqL0iEd9VYstsiAO4+uGHypeRpn1b8WkuxFHSb6NytwDUR++vxykxK+MekV8ugfoojaZtELTk7J86KPtxzNqHGAFXcbeeKXnc+Q1rmVMO4Fi6vHcreOa+aWwLoO7kxIDl05npBd45PpFNuoltKO9Kgv3+S7UOMbNNLRuCFdaTWXsyQBgbp6AxdCQlCadiXCR6fV3FIKwfkdo+/y+QRmtqR16N9FaCqKX46UeunoPeVahBuiTnxaYcf+p Admin@DESKTOP-R1T9R87
diff --git a/Terraform/AWS/ha-instances-with-configs/main.tf b/Terraform/AWS/ha-instances-with-configs/main.tf
new file mode 100644
index 0000000..d4f3bb0
--- /dev/null
+++ b/Terraform/AWS/ha-instances-with-configs/main.tf
@@ -0,0 +1,223 @@
+# EC2 KEY PAIR
+
+resource "aws_key_pair" "ec2_key" {
+ key_name = "${var.prefix}-${var.key_pair_name}"
+ public_key = file(var.public_key_path)
+
+ tags = {
+ Name = "${var.prefix}-${var.key_pair_name}"
+ }
+}
+
+# THE LATEST AMAZON VYOS 1.4 IMAGE
+#
+# VyOS AWS Marketplace publisher account ID: 679593333241
+# This ID is required for filtering official VyOS AMIs via `aws ec2 describe-images`.
+# The value corresponds to the AMI owner ID used by VyOS in the AWS Marketplace.
+#
+# To confirm or update the AMI and owner ID, you must first subscribe to VyOS in the AWS Marketplace.
+# Then run the following command to fetch the correct AMI ID and Owner ID for your AWS region (e.g., us-east-1):
+#
+# aws ec2 describe-images --owners aws-marketplace --filters "Name=product-code,Values=8wqdkv3u2b9sa0y73xob2yl90" --query 'Images[*].[ImageId,OwnerId,Name]' --output table
+
+data "aws_ami" "vyos" {
+ most_recent = true
+
+ filter {
+ name = "name"
+ values = ["VyOS 1.4*"]
+ }
+
+ filter {
+ name = "virtualization-type"
+ values = ["hvm"]
+ }
+
+ owners = ["679593333241"]
+}
+
+# Latest Amazon Linux 2 AMI
+data "aws_ami" "amazon_linux" {
+ most_recent = true
+ owners = ["amazon"]
+
+ filter {
+ name = "name"
+ values = ["amzn2-ami-hvm-*-x86_64-gp2"]
+ }
+
+ filter {
+ name = "virtualization-type"
+ values = ["hvm"]
+ }
+}
+
+# VYOS INSTANCE
+
+resource "aws_instance" "vyos_01" {
+ ami = data.aws_ami.vyos.id
+ # ami = var.vyos_ami_id
+ instance_type = var.vyos_instance_type
+ key_name = "${var.prefix}-${var.key_pair_name}"
+ availability_zone = var.availability_zone_01
+
+ user_data_base64 = base64encode(templatefile("${path.module}/files/vyos_01_user_data.tfpl", {
+ transit_vpc_cidr = var.transit_vpc_cidr,
+ data_vpc_public_subnet = var.data_vpc_public_subnet_cidr,
+ vyos_01_public_ip = aws_eip.vyos_01_eip.public_ip,
+ vyos_01_pub_subnet = var.transit_vpc_public_subnet_01_cidr,
+ vyos_01_priv_subnet = var.transit_vpc_private_subnet_01_cidr,
+ vyos_01_pub_nic_ip = aws_network_interface.vyos_01_public_nic.private_ip,
+ vyos_01_priv_nic_ip = aws_network_interface.vyos_01_private_nic.private_ip,
+ vyos_02_pub_nic_ip = aws_network_interface.vyos_02_public_nic.private_ip,
+ vyos_bgp_as_number = var.vyos_bgp_as_number,
+ dns = var.dns,
+ on_prem_public_ip = var.on_prem_public_ip_address,
+ on_prem_bgp_as_number = var.on_prem_bgp_as_number,
+ on_prem_subnet_cidr = var.on_prem_subnet_cidr,
+ route_server_endpoint_01_ip = aws_vpc_route_server_endpoint.vyos_01_endpoint.eni_address,
+ route_server_endpoint_bgp_as_number = aws_vpc_route_server.vyos_route_server.amazon_side_asn
+ }))
+
+ depends_on = [
+ aws_network_interface.vyos_01_public_nic,
+ aws_network_interface.vyos_01_private_nic
+ ]
+
+ network_interface {
+ network_interface_id = aws_network_interface.vyos_01_public_nic.id
+ device_index = 0
+ }
+
+ network_interface {
+ network_interface_id = aws_network_interface.vyos_01_private_nic.id
+ device_index = 1
+ }
+
+ tags = {
+ Name = "${var.prefix}-${var.vyos_instance_name}-01"
+ }
+}
+
+resource "aws_instance" "vyos_02" {
+ ami = data.aws_ami.vyos.id
+ # ami = var.vyos_ami_id
+ instance_type = var.vyos_instance_type
+ key_name = "${var.prefix}-${var.key_pair_name}"
+ availability_zone = var.availability_zone_02
+
+ user_data_base64 = base64encode(templatefile("${path.module}/files/vyos_02_user_data.tfpl", {
+ transit_vpc_cidr = var.transit_vpc_cidr,
+ data_vpc_public_subnet = var.data_vpc_public_subnet_cidr,
+ vyos_02_public_ip = aws_eip.vyos_02_eip.public_ip,
+ vyos_02_pub_subnet = var.transit_vpc_public_subnet_02_cidr,
+ vyos_02_priv_subnet = var.transit_vpc_private_subnet_02_cidr,
+ vyos_02_pub_nic_ip = aws_network_interface.vyos_02_public_nic.private_ip,
+ vyos_02_priv_nic_ip = aws_network_interface.vyos_02_private_nic.private_ip,
+ vyos_01_pub_nic_ip = aws_network_interface.vyos_01_public_nic.private_ip,
+ vyos_bgp_as_number = var.vyos_bgp_as_number,
+ dns = var.dns,
+ on_prem_public_ip = var.on_prem_public_ip_address,
+ on_prem_bgp_as_number = var.on_prem_bgp_as_number,
+ on_prem_subnet_cidr = var.on_prem_subnet_cidr,
+ route_server_endpoint_02_ip = aws_vpc_route_server_endpoint.vyos_02_endpoint.eni_address,
+ route_server_endpoint_bgp_as_number = aws_vpc_route_server.vyos_route_server.amazon_side_asn
+ }))
+
+ depends_on = [
+ aws_network_interface.vyos_02_public_nic,
+ aws_network_interface.vyos_02_private_nic
+ ]
+
+ network_interface {
+ network_interface_id = aws_network_interface.vyos_02_public_nic.id
+ device_index = 0
+ }
+
+ network_interface {
+ network_interface_id = aws_network_interface.vyos_02_private_nic.id
+ device_index = 1
+ }
+
+ tags = {
+ Name = "${var.prefix}-${var.vyos_instance_name}-02"
+ }
+}
+
+# EC2 Instance in Data VPC
+
+resource "aws_instance" "data_vpc_instance" {
+ ami = data.aws_ami.amazon_linux.id
+ availability_zone = var.availability_zone_01
+ instance_type = "t3.micro"
+ key_name = "${var.prefix}-${var.key_pair_name}"
+
+ network_interface {
+ network_interface_id = aws_network_interface.data_vpc_instance_nic.id
+ device_index = 0
+ }
+
+ depends_on = [
+ aws_network_interface.data_vpc_instance_nic
+ ]
+
+ tags = {
+ Name = "${var.prefix}-data-vpc-instance"
+ }
+}
+
+# NETWORK INTERFACES
+
+resource "aws_network_interface" "vyos_01_public_nic" {
+ subnet_id = aws_subnet.transit_vpc_public_subnet_01.id
+ security_groups = [aws_security_group.public_sg.id]
+ private_ips = [var.vyos_01_pub_nic_ip_address]
+ source_dest_check = false
+
+ tags = {
+ Name = "${var.prefix}-${var.vyos_instance_name}-01-PublicNIC"
+ }
+}
+
+resource "aws_network_interface" "vyos_02_public_nic" {
+ subnet_id = aws_subnet.transit_vpc_public_subnet_02.id
+ security_groups = [aws_security_group.public_sg.id]
+ private_ips = [var.vyos_02_pub_nic_ip_address]
+ source_dest_check = false
+
+ tags = {
+ Name = "${var.prefix}-${var.vyos_instance_name}-02-PublicNIC"
+ }
+}
+
+resource "aws_network_interface" "vyos_01_private_nic" {
+ subnet_id = aws_subnet.transit_vpc_private_subnet_01.id
+ security_groups = [aws_security_group.private_sg.id]
+ private_ips = [var.vyos_01_priv_nic_address]
+ source_dest_check = false
+
+ tags = {
+ Name = "${var.prefix}-${var.vyos_instance_name}-01-PrivateNIC"
+ }
+}
+
+resource "aws_network_interface" "vyos_02_private_nic" {
+ subnet_id = aws_subnet.transit_vpc_private_subnet_02.id
+ security_groups = [aws_security_group.private_sg.id]
+ private_ips = [var.vyos_02_priv_nic_address]
+ source_dest_check = false
+
+ tags = {
+ Name = "${var.prefix}-${var.vyos_instance_name}-02-PrivateNIC"
+ }
+}
+
+resource "aws_network_interface" "data_vpc_instance_nic" {
+ subnet_id = aws_subnet.data_vpc_public_subnet.id
+ security_groups = [aws_security_group.data_vpc_instance_sg.id]
+ source_dest_check = false
+
+ tags = {
+ Name = "${var.prefix}-Data-VPC-Instance-NIC"
+ }
+}
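Review bot: The `key_name = "${var.prefix}-${var.key_pair_name}"` assignments on vyos_01, vyos_02 and data_vpc_instance rebuild the key pair name instead of referencing the resource, so Terraform records no dependency between the instances and `aws_key_pair.ec2_key` and may attempt to launch an instance before the key pair exists. Use `key_name = aws_key_pair.ec2_key.key_name` in all three places; that also keeps the name defined once. The `depends_on` lists on the instances are redundant, since the `network_interface` blocks already reference the same ENIs and create the dependency implicitly. `source_dest_check = false` on `data_vpc_instance_nic` looks copied from the router NICs; a plain test host that does not forward traffic should keep the default, so confirm and drop it if so.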
diff --git a/Terraform/AWS/ha-instances-with-configs/network.tf b/Terraform/AWS/ha-instances-with-configs/network.tf
new file mode 100644
index 0000000..8de8576
--- /dev/null
+++ b/Terraform/AWS/ha-instances-with-configs/network.tf
@@ -0,0 +1,326 @@
+# VPC AND PEERING
+
+resource "aws_vpc" "transit_vpc" {
+ cidr_block = var.transit_vpc_cidr
+ instance_tenancy = "default"
+
+ tags = {
+ Name = "${var.prefix}-${var.transit_vpc_name}"
+ }
+}
+
+resource "aws_vpc" "data_vpc" {
+ cidr_block = var.data_vpc_cidr
+ instance_tenancy = "default"
+
+ tags = {
+ Name = "${var.prefix}-${var.data_vpc_name}"
+ }
+}
+
+# PUBLIC AND PRIVATE SUBNETS FOR TRANSIT VPC
+
+resource "aws_subnet" "transit_vpc_public_subnet_01" {
+ vpc_id = aws_vpc.transit_vpc.id
+ cidr_block = var.transit_vpc_public_subnet_01_cidr
+ availability_zone = var.availability_zone_01
+ map_public_ip_on_launch = false
+
+ tags = {
+ Name = "${var.prefix}-${var.transit_vpc_name}-${var.transit_vpc_public_subnet_name}-01"
+ }
+
+ depends_on = [aws_internet_gateway.transit_vpc_igw]
+}
+
+resource "aws_subnet" "transit_vpc_public_subnet_02" {
+ vpc_id = aws_vpc.transit_vpc.id
+ cidr_block = var.transit_vpc_public_subnet_02_cidr
+ availability_zone = var.availability_zone_02
+ map_public_ip_on_launch = false
+
+ tags = {
+ Name = "${var.prefix}-${var.transit_vpc_name}-${var.transit_vpc_public_subnet_name}-02"
+ }
+
+ depends_on = [aws_internet_gateway.transit_vpc_igw]
+}
+
+resource "aws_subnet" "transit_vpc_private_subnet_01" {
+ vpc_id = aws_vpc.transit_vpc.id
+ cidr_block = var.transit_vpc_private_subnet_01_cidr
+ availability_zone = var.availability_zone_01
+ map_public_ip_on_launch = false
+
+ tags = {
+ Name = "${var.prefix}-${var.transit_vpc_name}-${var.transit_vpc_private_subnet_name}-01"
+ }
+}
+
+resource "aws_subnet" "transit_vpc_private_subnet_02" {
+ vpc_id = aws_vpc.transit_vpc.id
+ cidr_block = var.transit_vpc_private_subnet_02_cidr
+ availability_zone = var.availability_zone_02
+ map_public_ip_on_launch = false
+
+ tags = {
+ Name = "${var.prefix}-${var.transit_vpc_name}-${var.transit_vpc_private_subnet_name}-02"
+ }
+}
+
+
+# PUBLIC AND PRIVATE SUBNETS FOR DATA VPC
+
+resource "aws_subnet" "data_vpc_public_subnet" {
+ vpc_id = aws_vpc.data_vpc.id
+ cidr_block = var.data_vpc_public_subnet_cidr
+ availability_zone = var.availability_zone_01
+ map_public_ip_on_launch = false
+
+ tags = {
+ Name = "${var.prefix}-${var.data_vpc_name}-${var.data_vpc_public_subnet_name}"
+ }
+
+ depends_on = [aws_internet_gateway.data_vpc_igw]
+}
+
+resource "aws_subnet" "data_vpc_private_subnet" {
+ vpc_id = aws_vpc.data_vpc.id
+ cidr_block = var.data_vpc_private_subnet_cidr
+ availability_zone = var.availability_zone_01
+ map_public_ip_on_launch = false
+
+ tags = {
+ Name = "${var.prefix}-${var.data_vpc_name}-${var.data_vpc_private_subnet_name}"
+ }
+}
+
+
+# INTERNET GATEWAYS
+
+resource "aws_internet_gateway" "transit_vpc_igw" {
+ vpc_id = aws_vpc.transit_vpc.id
+
+ tags = {
+ Name = join("-", [var.prefix, var.transit_vpc_igw_name])
+ }
+}
+
+resource "aws_internet_gateway" "data_vpc_igw" {
+ vpc_id = aws_vpc.data_vpc.id
+
+ tags = {
+ Name = join("-", [var.prefix, var.data_vpc_igw_name])
+ }
+}
+
+
+# ELASTICS IP FOR VYOS INSTANCES
+
+resource "aws_eip" "vyos_01_eip" {
+ domain = "vpc"
+
+ tags = {
+ Name = join("-", [var.prefix, var.vyos_eip_name, "01"])
+ }
+}
+
+resource "aws_eip_association" "vyos_eip_association_01" {
+ allocation_id = aws_eip.vyos_01_eip.id
+ network_interface_id = aws_network_interface.vyos_01_public_nic.id
+}
+
+resource "aws_eip" "vyos_02_eip" {
+ domain = "vpc"
+
+ tags = {
+ Name = join("-", [var.prefix, var.vyos_eip_name, "02"])
+ }
+}
+
+resource "aws_eip_association" "vyos_eip_association_02" {
+ allocation_id = aws_eip.vyos_02_eip.id
+ network_interface_id = aws_network_interface.vyos_02_public_nic.id
+}
+
+
+# ELASTICS IP FOR TEST INSTANCE
+
+resource "aws_eip" "data_vpc_instance_eip" {
+ domain = "vpc"
+ depends_on = [aws_internet_gateway.data_vpc_igw]
+
+ tags = {
+ Name = "${var.prefix}-data-vpc-instance-eip"
+ }
+}
+
+resource "aws_eip_association" "data_vpc_instance_eip_assoc" {
+ allocation_id = aws_eip.data_vpc_instance_eip.id
+ network_interface_id = aws_network_interface.data_vpc_instance_nic.id
+}
+
+
+# TRANSIT VPC ROUTE PUBLIC TABLES
+
+resource "aws_route_table" "transit_vpc_public_rtb_01" {
+ vpc_id = aws_vpc.transit_vpc.id
+
+ route {
+ cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.transit_vpc_igw.id
+ }
+
+ route {
+ cidr_block = var.data_vpc_cidr
+ transit_gateway_id = aws_ec2_transit_gateway.tgw.id
+ }
+
+ route {
+ cidr_block = var.on_prem_subnet_cidr
+ network_interface_id = aws_network_interface.vyos_02_public_nic.id
+ }
+
+ tags = {
+ Name = join("-", [var.prefix, var.transit_vpc_public_rtb_01_name])
+ }
+
+}
+
+resource "aws_route_table_association" "transit_vpc_public_rtb_01_assn" {
+ subnet_id = aws_subnet.transit_vpc_public_subnet_01.id
+ route_table_id = aws_route_table.transit_vpc_public_rtb_01.id
+}
+
+
+resource "aws_route_table" "transit_vpc_public_rtb_02" {
+ vpc_id = aws_vpc.transit_vpc.id
+
+ route {
+ cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.transit_vpc_igw.id
+ }
+
+ route {
+ cidr_block = var.data_vpc_cidr
+ transit_gateway_id = aws_ec2_transit_gateway.tgw.id
+ }
+
+ route {
+ cidr_block = var.on_prem_subnet_cidr
+ network_interface_id = aws_network_interface.vyos_01_public_nic.id
+ }
+
+ tags = {
+ Name = join("-", [var.prefix, var.transit_vpc_public_rtb_02_name])
+ }
+
+}
+
+resource "aws_route_table_association" "transit_vpc_public_rtb_02_assn" {
+ subnet_id = aws_subnet.transit_vpc_public_subnet_02.id
+ route_table_id = aws_route_table.transit_vpc_public_rtb_02.id
+}
+
+
+# TRANSIT VPC ROUTE PRIVATE TABLES
+
+resource "aws_route_table" "transit_vpc_private_rtb_01" {
+ vpc_id = aws_vpc.transit_vpc.id
+
+
+ route {
+ cidr_block = var.data_vpc_cidr
+ transit_gateway_id = aws_ec2_transit_gateway.tgw.id
+ }
+
+ tags = {
+ Name = join("-", [var.prefix, var.transit_vpc_private_rtb_01_name])
+ }
+
+}
+
+resource "aws_route_table_association" "transit_vpc_private_rtb_01_assn" {
+ subnet_id = aws_subnet.transit_vpc_private_subnet_01.id
+ route_table_id = aws_route_table.transit_vpc_private_rtb_01.id
+}
+
+
+resource "aws_route_table" "transit_vpc_private_rtb_02" {
+ vpc_id = aws_vpc.transit_vpc.id
+
+
+ route {
+ cidr_block = var.data_vpc_cidr
+ transit_gateway_id = aws_ec2_transit_gateway.tgw.id
+ }
+
+ tags = {
+ Name = join("-", [var.prefix, var.transit_vpc_private_rtb_02_name])
+ }
+
+}
+
+resource "aws_route_table_association" "transit_vpc_private_rtb_02_assn" {
+ subnet_id = aws_subnet.transit_vpc_private_subnet_02.id
+ route_table_id = aws_route_table.transit_vpc_private_rtb_02.id
+}
+
+
+# DATA VPC PUBLIC ROUTE TABLE
+
+resource "aws_route_table" "data_vpc_public_rtb" {
+ vpc_id = aws_vpc.data_vpc.id
+
+ route {
+ cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.data_vpc_igw.id
+ }
+
+ route {
+ cidr_block = var.transit_vpc_cidr
+ transit_gateway_id = aws_ec2_transit_gateway.tgw.id
+ }
+
+ route {
+ cidr_block = var.on_prem_subnet_cidr
+ transit_gateway_id = aws_ec2_transit_gateway.tgw.id
+ }
+
+ tags = {
+ Name = join("-", [var.prefix, var.data_vpc_public_rtb_name])
+ }
+
+}
+
+resource "aws_route_table_association" "data_vpc_public_rtb_assn" {
+ subnet_id = aws_subnet.data_vpc_public_subnet.id
+ route_table_id = aws_route_table.data_vpc_public_rtb.id
+}
+
+
+# DATA VPC PRIVATE ROUTE TABLE
+
+resource "aws_route_table" "data_vpc_private_rtb" {
+ vpc_id = aws_vpc.data_vpc.id
+
+ route {
+ cidr_block = var.transit_vpc_cidr
+ transit_gateway_id = aws_ec2_transit_gateway.tgw.id
+ }
+
+ route {
+ cidr_block = var.on_prem_subnet_cidr
+ transit_gateway_id = aws_ec2_transit_gateway.tgw.id
+ }
+
+ tags = {
+ Name = join("-", [var.prefix, var.data_vpc_private_rtb_name])
+ }
+
+}
+
+resource "aws_route_table_association" "data_vpc_private_rtb_assn" {
+ subnet_id = aws_subnet.data_vpc_private_subnet.id
+ route_table_id = aws_route_table.data_vpc_private_rtb.id
+}
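Review bot: The static on-prem routes in the two transit-VPC public route tables are crossed — `transit_vpc_public_rtb_01` (the AZ-01 subnet) sends `var.on_prem_subnet_cidr` to `aws_network_interface.vyos_02_public_nic.id`, and `rtb_02` sends it to `vyos_01_public_nic.id`; if this is a deliberate cross-AZ backup path it needs a comment saying so, because it reads like a copy-paste swap. Either way these routes pin the next hop to one ENI, so they sit outside the route-server/BFD failover the README describes: when the pinned VyOS instance is down, that public subnet loses the on-prem path until someone edits the table by hand. Consider propagating the route server into these tables as well, or document that failover only covers the private subnets. Note that `source_dest_check = false` on both public NICs means AWS will happily deliver the traffic to the "wrong" router, so a swap would not surface as an error at apply time.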
diff --git a/Terraform/AWS/ha-instances-with-configs/output.tf b/Terraform/AWS/ha-instances-with-configs/output.tf
new file mode 100644
index 0000000..ffe4b41
--- /dev/null
+++ b/Terraform/AWS/ha-instances-with-configs/output.tf
@@ -0,0 +1,24 @@
+
+output "vyos_01_public_ip" {
+ value = aws_instance.vyos_01.public_ip
+}
+
+output "vyos_02_public_ip" {
+ value = aws_instance.vyos_02.public_ip
+}
+
+output "data_vpc_instance_public_ip" {
+ value = aws_instance.data_vpc_instance.public_ip
+}
+
+output "ssh_command_for_vyos_01" {
+ value = "ssh -i keys/vyos_lab_private_key.pem vyos@${aws_instance.vyos_01.public_ip}"
+}
+
+output "ssh_command_for_vyos_02" {
+ value = "ssh -i keys/vyos_lab_private_key.pem vyos@${aws_instance.vyos_02.public_ip}"
+}
+
+output "ssh_command_for_data_vpc_instance" {
+ value = "ssh -i keys/vyos_lab_private_key.pem ec2-user@${aws_instance.data_vpc_instance.public_ip}"
+} \ No newline at end of file
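Review bot: The three `ssh_command_for_*` outputs hard-code `keys/vyos_lab_private_key.pem` even though `variables.tf` declares `private_key_path` for exactly this purpose, so anyone who overrides the variable is handed a wrong command; use `value = "ssh -i ${var.private_key_path} vyos@${aws_instance.vyos_01.public_ip}"` and the same for the other two. Because that default key ships in the repository (the diffstat adds `keys/vyos_lab_private_key.pem`), these outputs effectively advertise hosts reachable with a publicly known private key, and the README should make it unmistakable that the lab key must be replaced before any non-throwaway use. The README's Management section also refers to a `vyos_public_ip` output that does not exist here — the real names are `vyos_01_public_ip` and `vyos_02_public_ip`. A short `description` on each output would help `terraform output` readers.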
diff --git a/Terraform/AWS/ha-instances-with-configs/provider.tf b/Terraform/AWS/ha-instances-with-configs/provider.tf
new file mode 100644
index 0000000..c6b24ff
--- /dev/null
+++ b/Terraform/AWS/ha-instances-with-configs/provider.tf
@@ -0,0 +1,22 @@
+# AWS PROVIDER CONFIGURATION
+
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+}
+
+provider "aws" {
+ region = var.aws_region
+ default_tags {
+ tags = {
+ Company = "VyOS Inc"
+ Project = "VyOS-Demo"
+ Environment = "Lab"
+ ManagedBy = "Terraform"
+ }
+ }
+} \ No newline at end of file
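Review bot: `version = "~> 5.0"` admits every 5.x release, including ones that predate the `aws_vpc_route_server*` resources used in `vpc_route_server.tf`, so a user with an older cached provider gets an opaque "unsupported resource type" error instead of a version-constraint message; raise the floor to the first release that ships those resources (a 5.95-ish release, if I recall the changelog correctly — verify), e.g. `version = ">= 5.95, < 6.0"`. A `required_version` constraint for Terraform itself is missing too. No `backend` block is declared, so state lives on the local disk; if the `.tfpl` user-data templates carry any secrets (tunnel keys, BGP passwords), the rendered user data lands in that state file, which is worth at least a comment pointing users at an encrypted remote backend.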
diff --git a/Terraform/AWS/ha-instances-with-configs/readme.md b/Terraform/AWS/ha-instances-with-configs/readme.md
new file mode 100644
index 0000000..0dc53d5
--- /dev/null
+++ b/Terraform/AWS/ha-instances-with-configs/readme.md
@@ -0,0 +1,159 @@
+# Terraform Project for deploying VyOS HA on AWS with VPC Route Server and Transit Gateway
+
+This Terraform project automates the deployment of **two VyOS instances** in High Availability (HA) mode on AWS, integrated with a **VPC Route Server** and **Transit Gateway** for advanced network connectivity, routing and High Availability (HA) use cases.
+
+In addition to the VyOS HA setup, this project also deploys two VPCs: a **Transit VPC** and a **Data VPC**.
+- The **Transit VPC** is used for deploying VyOS instances and the VPC Route Server.
+- The **Data VPC** simulates a VPC attachment and includes a test **Amazon Linux EC2 instance** to validate data path connectivity.
+
+> If you already have an existing AWS infrastructure, you can **exclude** the Data VPC, its subnets, and the EC2 instance. To do so, update the following Terraform files accordingly: `main.tf`, `network.tf`, `transit_gateway.tf`, `variables.tf`, and `outputs.tf`.
+
+This is the connection diagram:
+![Infrastructure Diagram](diagram/VyOS-HA-setup-on-AWS.png)
+
+## Why This Topology?
+
+This solution is designed for organizations that require **highly available** routing with dynamic connectivity to multiple AWS VPCs or hybrid environments.
+
+### Key Benefits of the HA Topology:
+
+- **Effective Failover with BGP Redundancy**
+ Two VyOS EC2 instances are deployed as BGP peers, each connected to the AWS VPC Route Server. While technically both routers are active BGP participants, only one is typically preferred as the next-hop.
+
+ If one VyOS instance fails or is taken offline for maintenance, **Bidirectional Forwarding Detection (BFD)** detects the failure in milliseconds. The route server:
+ - Withdraws routes for the failed peer from the RIB.
+ - Recalculates the best path using the FIB.
+ - Updates affected VPC route tables with the new next-hop (preferred VyOS instance).
+
+ This process enables **sub-second failover** (typically <1s), far faster than AWS native route table failover mechanisms using the API.
+
+ This approach is particularly valuable for use cases requiring **business continuity**, **low RTO**, and **fast edge recovery** during:
+ - Instance crashes
+ - VyOS OS upgrades or maintenance procedures
+ - Network disruptions
+
+This architecture is ideal for:
+- Cloud edge routing with failover
+- Multi-VPC and multi-region route control
+- Enterprises requiring resilient and scalable cloud network infrastructure
+
+## Prerequisites
+
+Before applying this module, ensure you have:
+
+### AWS Requirements
+
+- An active AWS account.
+- AWS CLI installed. [Installation link](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
+- Terraform installed. [Installation link](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)
+
+### Set AWS environment variables
+
+- Run the following commands in your terminal to set the AWS environment variables:
+
+```sh
+export AWS_ACCESS_KEY_ID="<AWS_ACCESS_KEY_ID>"
+export AWS_SECRET_ACCESS_KEY="<AWS_SECRET_ACCESS_KEY>"
+export AWS_SESSION_TOKEN="<AWS_SESSION_TOKEN>"
+export AWS_DEFAULT_REGION="<AWS_REGION>" # e.g us-east-1
+```
+
+### Fetch AMI ID and Owner ID (Required for main.tf)
+1. Subscribe to VyOS in the AWS Marketplace.
+2. Use the following AWS CLI command to find the correct AMI ID, Owner ID, and ensure you're querying the correct region (e.g., `us-east-1`):
+
+```sh
+aws ec2 describe-images \
+ --owners aws-marketplace \
+ --filters "Name=product-code,Values=8wqdkv3u2b9sa0y73xob2yl90" \
+ --query 'Images[*].[ImageId,OwnerId,Name]' \
+ --output table
+```
+Alternatively, you can hardcode the latest AMI ID for your region in `variables.tf` adding the `vyos_ami_id` variable.
+
+### Generate SSH keypair
+
+A demo key is included in the `keys/` folder. To generate your own:
+
+```sh
+ssh-keygen -b 2048 -t rsa -m PEM -f keys/vyos_custom_key.pem
+```
+
+## Project Structure
+
+```
+.
+├── files/
+│ ├── on-prem-vyos-config.txt
+│ ├── vyos_01_user_data.tfpl
+│ └── vyos_02_user_data.tfpl
+├── keys/
+│ ├── vyos_lab_private_key.pem
+│ └── vyos_lab_public_key.pem
+├── main.tf
+├── network.tf
+├── security_groups.tf
+├── transit_gateway.tf
+├── output.tf
+├── provider.tf
+├── variables.tf
+└── README.md
+```
+
+## Usage
+
+### Setup Variables
+
+All variables are defined in `variables.tf`. Customize values like instance type, region, `vyos_ami_id`, etc.
+
+## How to Run the Module
+
+Follow these steps to initialize, plan, apply, and manage your infrastructure with Terraform:
+
+1. **Initialize the Module**
+ ```sh
+ terraform init
+ ```
+
+2. **Format the Terraform Code**
+ ```sh
+ terraform fmt
+ ```
+
+3. **Validate Configuration**
+ ```sh
+ terraform validate
+ ```
+
+4. **Preview Infrastructure Changes Before Deployment**
+ ```sh
+ terraform plan
+ ```
+
+5. **Apply the Configuration**
+ ```sh
+ terraform apply
+ ```
+ Confirm the execution when prompted to provision the infrastructure.
+
+6. **View Outputs**
+ ```sh
+ terraform output
+ ```
+ This will display the management IP and test results for the VyOS instance.
+
+## Management
+
+To manage the VyOS instance, use the `vyos_public_ip` from `terraform output`:
+```sh
+ssh vyos@<vyos_public_ip> -i keys/vyos_lab_private_key.pem
+```
+The on-premises VyOS configuration can be found in `files/on-prem-vyos-config.txt`
+
+## Destroying Resources
+
+To clean up the deployed infrastructure:
+```sh
+terraform destroy
+```
+Confirm when prompted.
diff --git a/Terraform/AWS/ha-instances-with-configs/security_groups.tf b/Terraform/AWS/ha-instances-with-configs/security_groups.tf
new file mode 100644
index 0000000..9a7919b
--- /dev/null
+++ b/Terraform/AWS/ha-instances-with-configs/security_groups.tf
@@ -0,0 +1,222 @@
+# SECURITY GROUP FOR PUBLIC RESOURCES
+
+resource "aws_security_group" "public_sg" {
+ name = join("-", [var.prefix, var.transit_vpc_public_sg_name])
+ description = "Security Group for public resources"
+ vpc_id = aws_vpc.transit_vpc.id
+
+ # Allow SSH Traffic
+ ingress {
+ description = "Allow SSH"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow Wireguard Traffic
+ ingress {
+ description = "Allow Wireguard"
+ from_port = 51820
+ to_port = 51820
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow OpenVPN Traffic
+ ingress {
+ description = "Allow OpenVPN"
+ from_port = 1194
+ to_port = 1194
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow ESP Traffic
+ ingress {
+ description = "Allow ESP"
+ from_port = 0
+ to_port = 0
+ protocol = "50"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow IKE Traffic
+ ingress {
+ description = "Allow IKE"
+ from_port = 500
+ to_port = 500
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow IPSEC Traffic
+ ingress {
+ description = "Allow IPSEC"
+ from_port = 1701
+ to_port = 1701
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow NAT Traversal
+ ingress {
+ description = "Allow NAT Traversal"
+ from_port = 4500
+ to_port = 4500
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow ICMP Traffic
+ ingress {
+ description = "Allow ICMP"
+ from_port = -1
+ to_port = -1
+ protocol = "icmp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow BGP Traffic
+ ingress {
+ description = "Allow BGP"
+ from_port = 179
+ to_port = 179
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow all outbound traffic
+ egress {
+ description = "Allow all outbound traffic"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = join("-", [var.prefix, var.transit_vpc_public_sg_name])
+ }
+}
+
+# SECURITY GROUP FOR PRIVATE RESOURCES
+
+resource "aws_security_group" "private_sg" {
+ name = join("-", [var.prefix, var.transit_vpc_private_sg_name])
+ description = "Security Group for private resources"
+ vpc_id = aws_vpc.transit_vpc.id
+
+ ingress {
+ description = "Allow all inbound traffic"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ description = "Allow all outbound traffic"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = join("-", [var.prefix, var.transit_vpc_private_sg_name])
+ }
+}
+
+# SECURITY GROUP FOR DATA VPC
+
+resource "aws_security_group" "data_vpc_instance_sg" {
+ name = join("-", [var.prefix, var.data_vpc_public_sg_name])
+ description = "Security Group for public resources"
+ vpc_id = aws_vpc.data_vpc.id
+
+ # Allow SSH Traffic
+ ingress {
+ description = "Allow SSH"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow Wireguard Traffic
+ ingress {
+ description = "Allow Wireguard"
+ from_port = 51820
+ to_port = 51820
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow OpenVPN Traffic
+ ingress {
+ description = "Allow OpenVPN"
+ from_port = 1194
+ to_port = 1194
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow ESP Traffic
+ ingress {
+ description = "Allow ESP"
+ from_port = 0
+ to_port = 0
+ protocol = "50"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow IKE Traffic
+ ingress {
+ description = "Allow IKE"
+ from_port = 500
+ to_port = 500
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow IPSEC Traffic
+ ingress {
+ description = "Allow IPSEC"
+ from_port = 1701
+ to_port = 1701
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow NAT Traversal
+ ingress {
+ description = "Allow NAT Traversal"
+ from_port = 4500
+ to_port = 4500
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow ICMP Traffic
+ ingress {
+ description = "Allow ICMP"
+ from_port = -1
+ to_port = -1
+ protocol = "icmp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # Allow all outbound traffic
+ egress {
+ description = "Allow all outbound traffic"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = join("-", [var.prefix, var.data_vpc_public_sg_name])
+ }
+} \ No newline at end of file
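Review bot: `public_sg` and `data_vpc_instance_sg` open TCP 22 to `0.0.0.0/0`, and `private_sg` allows every protocol and port from `0.0.0.0/0`, which exposes the routers' management plane and their route-server/BGP/BFD peering interface to anything that can reach those subnets. Introduce an `admin_cidr_blocks` list variable and use `cidr_blocks = var.admin_cidr_blocks` on the SSH rules, and scope `private_sg` ingress to `var.transit_vpc_cidr`, `var.data_vpc_cidr` and `var.on_prem_subnet_cidr`, which is all the traffic that interface legitimately carries. TCP 179 on `public_sg` is also world-open although the route-server peering is on the private NIC (`vpc_route_server.tf` peers to `*_private_nic.private_ip`) and on-prem BGP presumably rides inside the tunnel, so that rule can most likely be dropped. The rule labelled "Allow IPSEC" on UDP 1701 is actually L2TP — IPsec is already covered by the ESP, IKE and NAT-T rules — so fix the description or remove it, and the Amazon Linux test instance in the data VPC has no reason to accept WireGuard/OpenVPN/IKE/ESP at all.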
diff --git a/Terraform/AWS/ha-instances-with-configs/transit_gateway.tf b/Terraform/AWS/ha-instances-with-configs/transit_gateway.tf
new file mode 100644
index 0000000..e7b4509
--- /dev/null
+++ b/Terraform/AWS/ha-instances-with-configs/transit_gateway.tf
@@ -0,0 +1,82 @@
+# TRANSIT GATEWAY
+
+resource "aws_ec2_transit_gateway" "tgw" {
+ description = "Main Transit Gateway"
+ amazon_side_asn = 64512
+ auto_accept_shared_attachments = "enable"
+ default_route_table_association = "disable"
+ default_route_table_propagation = "disable"
+
+ tags = {
+ Name = "${var.prefix}-tgw"
+ }
+}
+
+# TRANSIT GATEWAY ATTACHMENT
+
+resource "aws_ec2_transit_gateway_vpc_attachment" "transit_vpc_attachment" {
+ subnet_ids = [aws_subnet.transit_vpc_private_subnet_01.id, aws_subnet.transit_vpc_private_subnet_02.id]
+ transit_gateway_id = aws_ec2_transit_gateway.tgw.id
+ vpc_id = aws_vpc.transit_vpc.id
+
+ tags = {
+ Name = "${var.prefix}-${var.transit_vpc_name}-attachment"
+ }
+}
+
+resource "aws_ec2_transit_gateway_vpc_attachment" "data_vpc_attachment" {
+ subnet_ids = [aws_subnet.data_vpc_private_subnet.id]
+ transit_gateway_id = aws_ec2_transit_gateway.tgw.id
+ vpc_id = aws_vpc.data_vpc.id
+
+ tags = {
+ Name = "${var.prefix}-${var.data_vpc_name}-attachment"
+ }
+}
+
+resource "aws_ec2_transit_gateway_connect" "tgw_connect" {
+ transport_attachment_id = aws_ec2_transit_gateway_vpc_attachment.transit_vpc_attachment.id
+ transit_gateway_id = aws_ec2_transit_gateway.tgw.id
+
+ tags = {
+ Name = "${var.prefix}-${var.transit_vpc_name}-connect"
+ }
+}
+
+# TRANSIT GATEWAY ROUTE
+
+resource "aws_ec2_transit_gateway_route_table" "tgw_rt" {
+ transit_gateway_id = aws_ec2_transit_gateway.tgw.id
+
+ tags = {
+ Name = "${var.prefix}-tgw-rtb"
+ }
+}
+
+resource "aws_ec2_transit_gateway_route" "azure" {
+ transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.tgw_rt.id
+ destination_cidr_block = var.on_prem_subnet_cidr
+ transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.transit_vpc_attachment.id
+}
+
+# TRANSIT GATEWAY ASSOSIATION and PROPAGATION
+
+resource "aws_ec2_transit_gateway_route_table_association" "transit_vpc_rt_assoc" {
+ transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.transit_vpc_attachment.id
+ transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.tgw_rt.id
+}
+
+resource "aws_ec2_transit_gateway_route_table_association" "data_vpc_rt_assoc" {
+ transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.data_vpc_attachment.id
+ transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.tgw_rt.id
+}
+
+resource "aws_ec2_transit_gateway_route_table_propagation" "transit_vpc_rt_prop" {
+ transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.transit_vpc_attachment.id
+ transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.tgw_rt.id
+}
+
+resource "aws_ec2_transit_gateway_route_table_propagation" "data_vpc_rt_prop" {
+ transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.data_vpc_attachment.id
+ transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.tgw_rt.id
+}
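Review bot: `auto_accept_shared_attachments = "enable"` makes the TGW accept attachments from any account it is later shared with via RAM without manual approval; nothing in this project shares the TGW, so the setting buys nothing today and silently widens the blast radius if someone shares it tomorrow — set it to `"disable"` unless cross-account attachments are planned. The static on-prem route is named `aws_ec2_transit_gateway_route.azure` while the rest of the project calls that network "on-prem"; rename it (e.g. `on_prem`) so it matches `var.on_prem_subnet_cidr`. `aws_ec2_transit_gateway_connect.tgw_connect` is created but no connect peer appears in the visible files and the on-prem route already points at the VPC attachment, so either add a comment explaining what will consume it or drop it, since Connect attachments are billed per attachment-hour.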
diff --git a/Terraform/AWS/ha-instances-with-configs/variables.tf b/Terraform/AWS/ha-instances-with-configs/variables.tf
new file mode 100644
index 0000000..58009aa
--- /dev/null
+++ b/Terraform/AWS/ha-instances-with-configs/variables.tf
@@ -0,0 +1,259 @@
+variable "aws_region" {
+ description = "AWS Region"
+ type = string
+ default = "us-east-1"
+}
+
+variable "availability_zone_01" {
+ description = "AWS Availability Zone"
+ type = string
+ default = "us-east-1a"
+}
+
+variable "availability_zone_02" {
+ description = "AWS Availability Zone"
+ type = string
+ default = "us-east-1b"
+}
+
+variable "vyos_ami_id" {
+ description = "VyOS custom AMI from AWS"
+ type = string
+ default = "<VYOS AMI>"
+}
+
+variable "prefix" {
+ type = string
+ description = "Prefix for the resource names and Name tags"
+ default = "lab"
+}
+
+variable "key_pair_name" {
+ description = "SSH key pair name"
+ type = string
+ default = "vyos-test-key"
+}
+
+variable "private_key_path" {
+ description = "Path to the private key file"
+ default = "keys/vyos_lab_private_key.pem"
+}
+
+variable "public_key_path" {
+ description = "Path to the private key file"
+ default = "keys/vyos_lab_public_key.pem"
+}
+
+# Transit VPC and Subnets
+
+variable "transit_vpc_name" {
+ description = "Name for VPC"
+ default = "transit-vpc"
+}
+
+variable "transit_vpc_public_subnet_name" {
+ description = "The name of the public subnet"
+ type = string
+ default = "pub-subnet"
+}
+
+variable "transit_vpc_private_subnet_name" {
+ description = "The name of the private subnet 01"
+ type = string
+ default = "priv-subnet"
+}
+
+variable "transit_vpc_cidr" {
+ description = "CIDR block for VPC"
+ default = "172.16.0.0/16"
+}
+
+variable "transit_vpc_public_subnet_01_cidr" {
+ description = "CIDR block for public subnet"
+ default = "172.16.1.0/24"
+}
+
+variable "transit_vpc_private_subnet_01_cidr" {
+ description = "CIDR block for private subnet"
+ default = "172.16.11.0/24"
+}
+
+variable "transit_vpc_public_subnet_02_cidr" {
+ description = "CIDR block for public subnet"
+ default = "172.16.2.0/24"
+}
+
+variable "transit_vpc_private_subnet_02_cidr" {
+ description = "CIDR block for private subnet"
+ default = "172.16.21.0/24"
+}
+
+variable "transit_vpc_igw_name" {
+ type = string
+ default = "transit-vpc-igw"
+}
+
+variable "vyos_eip_name" {
+ type = string
+ default = "vyos"
+}
+
+variable "transit_vpc_public_rtb_01_name" {
+ type = string
+ default = "transit-vpc-public-rtb-01"
+}
+
+variable "transit_vpc_private_rtb_01_name" {
+ type = string
+ default = "transit-vpc-private-rtb-01"
+}
+
+variable "transit_vpc_public_rtb_02_name" {
+ type = string
+ default = "transit-vpc-public-rtb-02"
+}
+
+variable "transit_vpc_private_rtb_02_name" {
+ type = string
+ default = "transit-vpc-private-rtb-02"
+}
+
+variable "transit_vpc_public_sg_name" {
+ type = string
+ default = "transit-vpc-public-sg"
+}
+
+variable "transit_vpc_private_sg_name" {
+ type = string
+ default = "transit-vpc-private-sg"
+}
+
+# Data VPC and Subnets
+
+variable "data_vpc_name" {
+ description = "Name for VPC"
+ default = "data-vpc"
+}
+
+variable "data_vpc_public_subnet_name" {
+ description = "The name of the public subnet"
+ type = string
+ default = "pub-subnet"
+}
+
+variable "data_vpc_private_subnet_name" {
+ description = "The name of the private subnet 01"
+ type = string
+ default = "priv-subnet"
+}
+
+variable "data_vpc_cidr" {
+ description = "CIDR block for VPC"
+ default = "10.0.0.0/16"
+}
+
+variable "data_vpc_public_subnet_cidr" {
+ description = "CIDR block for public subnet"
+ default = "10.0.1.0/24"
+}
+
+variable "data_vpc_private_subnet_cidr" {
+ description = "CIDR block for private subnet"
+ default = "10.0.11.0/24"
+}
+
+variable "data_vpc_public_rtb_name" {
+ type = string
+ default = "data-vpc-public-rtb"
+}
+
+variable "data_vpc_private_rtb_name" {
+ type = string
+ default = "data-vpc-private-rtb"
+}
+
+variable "data_vpc_public_sg_name" {
+ type = string
+ default = "data-vpc-public-sg"
+}
+
+variable "data_vpc_private_sg_name" {
+ type = string
+ default = "data-vpc-private-sg"
+}
+
+variable "data_vpc_igw_name" {
+ type = string
+ default = "data-vpc-igw"
+}
+
+# VyOS instance
+
+variable "vyos_01_pub_nic_ip_address" {
+ description = "VyOS Instance Public address"
+ type = string
+ default = "172.16.1.11"
+}
+
+variable "vyos_01_priv_nic_address" {
+ description = "VyOS Instance Private NIC address"
+ type = string
+ default = "172.16.11.11"
+}
+
+variable "vyos_02_pub_nic_ip_address" {
+ description = "VyOS Instance Public address"
+ type = string
+ default = "172.16.2.11"
+}
+
+variable "vyos_02_priv_nic_address" {
+ description = "VyOS Instance Private NIC address"
+ type = string
+ default = "172.16.21.11"
+}
+
+variable "vyos_pub_nic_virt_ip_address" {
+ description = "VyOS Instance Public address"
+ type = string
+ default = "172.16.1.10"
+}
+
+variable "vyos_priv_nic_virt_address" {
+ description = "VyOS Instance Private NIC address"
+ type = string
+ default = "172.16.11.10"
+}
+
+variable "vyos_instance_type" {
+ description = "The type of the VyOS Instance"
+ type = string
+ default = "c5n.xlarge"
+}
+
+variable "vyos_instance_name" {
+ type = string
+ default = "VyOS"
+}
+
+variable "dns" {
+ default = "8.8.8.8"
+}
+
+variable "vyos_bgp_as_number" {
+ default = "65001"
+}
+
+# On Prem Data Center
+
+variable "on_prem_bgp_as_number" {
+ default = "65002"
+}
+
+variable "on_prem_public_ip_address" {
+ default = "192.0.2.1"
+}
+
+variable "on_prem_subnet_cidr" {
+ default = "192.168.0.0/16"
+}
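Review bot: `private_key_path` defaults to `keys/vyos_lab_private_key.pem`, a private key this same commit checks into the repository (see the diffstat), so every deployment that keeps the defaults shares a key held by anyone with read access to the repo; drop the committed key, leave the variable without a default (or generate one per deployment with a `tls_private_key` resource, which adds the `hashicorp/tls` provider) and state in the README that the lab key is for throwaway use only. The `public_key_path` description is a copy-paste of the private one and should read `"Path to the public key file"`. `vyos_ami_id` defaults to the placeholder `"<VYOS AMI>"`, which will presumably fail at apply with an AMI lookup error rather than a clear prompt; remove the default or add a `validation` block rejecting anything not matching `^ami-`. The CIDR and ASN variables have no `validation` blocks either, which would catch overlapping-subnet or duplicate-ASN mistakes the hard-coded 172.16/10.0/192.168 defaults invite.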
diff --git a/Terraform/AWS/ha-instances-with-configs/vpc_route_server.tf b/Terraform/AWS/ha-instances-with-configs/vpc_route_server.tf
new file mode 100644
index 0000000..8bc565e
--- /dev/null
+++ b/Terraform/AWS/ha-instances-with-configs/vpc_route_server.tf
@@ -0,0 +1,98 @@
+# VPC ROUTE SERVER
+resource "aws_vpc_route_server" "vyos_route_server" {
+ amazon_side_asn = 65011
+ tags = {
+ Name = join("-", [var.prefix, "vyos-route-server"])
+ }
+}
+
+# VPC ROUTE SERVER ASSOCIATION
+resource "aws_vpc_route_server_vpc_association" "vyos_association" {
+ route_server_id = aws_vpc_route_server.vyos_route_server.route_server_id
+ vpc_id = aws_vpc.transit_vpc.id
+}
+
+# VPC ROUTE SERVER ENDPOINTS
+resource "aws_vpc_route_server_endpoint" "vyos_01_endpoint" {
+ route_server_id = aws_vpc_route_server.vyos_route_server.route_server_id
+ subnet_id = aws_subnet.transit_vpc_private_subnet_01.id
+
+ tags = {
+ Name = join("-", [var.prefix, "vyos-route-server", "vyos-01"])
+ }
+
+ depends_on = [
+ aws_vpc_route_server_vpc_association.vyos_association
+ ]
+}
+
+resource "aws_vpc_route_server_endpoint" "vyos_02_endpoint" {
+ route_server_id = aws_vpc_route_server.vyos_route_server.route_server_id
+ subnet_id = aws_subnet.transit_vpc_private_subnet_02.id
+
+ tags = {
+ Name = join("-", [var.prefix, "vyos-route-server", "vyos-02"])
+ }
+
+ depends_on = [
+ aws_vpc_route_server_vpc_association.vyos_association
+ ]
+
+}
+
+# VPC ROUTE SERVER PEERS
+resource "aws_vpc_route_server_peer" "vyos_01_peer" {
+ route_server_endpoint_id = aws_vpc_route_server_endpoint.vyos_01_endpoint.route_server_endpoint_id
+ peer_address = aws_network_interface.vyos_01_private_nic.private_ip
+ bgp_options {
+ peer_asn = var.vyos_bgp_as_number
+ peer_liveness_detection = "bfd"
+ }
+
+ tags = {
+ Name = "vyos-01-peer"
+ }
+
+ depends_on = [
+ aws_vpc_route_server_endpoint.vyos_01_endpoint
+ ]
+}
+
+
+resource "aws_vpc_route_server_peer" "vyos_02_peer" {
+ route_server_endpoint_id = aws_vpc_route_server_endpoint.vyos_02_endpoint.route_server_endpoint_id
+ peer_address = aws_network_interface.vyos_02_private_nic.private_ip
+ bgp_options {
+ peer_asn = var.vyos_bgp_as_number
+ peer_liveness_detection = "bfd"
+ }
+
+ tags = {
+ Name = "vyos-02-peer"
+ }
+
+ depends_on = [
+ aws_vpc_route_server_endpoint.vyos_02_endpoint
+ ]
+}
+
+# VPC ROUTE SERVER PROPOGATIONS
+resource "aws_vpc_route_server_propagation" "vyos_01_propagation" {
+ route_server_id = aws_vpc_route_server.vyos_route_server.route_server_id
+ route_table_id = aws_route_table.transit_vpc_private_rtb_01.id
+
+ depends_on = [
+ aws_vpc_route_server_peer.vyos_01_peer,
+ aws_route_table.transit_vpc_private_rtb_01
+ ]
+}
+
+resource "aws_vpc_route_server_propagation" "vyos_02_propagation" {
+ route_server_id = aws_vpc_route_server.vyos_route_server.route_server_id
+ route_table_id = aws_route_table.transit_vpc_private_rtb_02.id
+
+ depends_on = [
+ aws_vpc_route_server_peer.vyos_02_peer,
+ aws_route_table.transit_vpc_private_rtb_02
+ ]
+} \ No newline at end of file
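Review bot: Propagation is enabled only into `transit_vpc_private_rtb_01`/`_02`, so the route-server/BFD failover the README advertises covers the private subnets only; the public route tables in `network.tf` keep static on-prem routes pinned to a single ENI. Either add `aws_vpc_route_server_propagation` resources for `transit_vpc_public_rtb_01`/`_02` as well or document the limitation next to these propagations. `amazon_side_asn = 65011` is a literal while the VyOS and on-prem ASNs are variables; a `route_server_asn` variable with a `validation` that it differs from `var.vyos_bgp_as_number` would keep the ASNs from colliding. The peers' `depends_on` on their endpoints restates a dependency Terraform already derives from `route_server_endpoint_id`, whereas the endpoints' `depends_on` on `vyos_association` is genuinely needed — a one-line comment on the latter would stop the next reader from deleting it along with the redundant ones.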