| author | Daniil Baturin <daniil@vyos.io> | 2025-06-24 15:27:28 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-06-24 15:27:28 +0100 |
| commit | d641a40e515ad2c8ad5257d34178f14746ab4348 (patch) | |
| tree | 6b943f142760e022fba18466be75c3e801c01dbd /Terraform/AWS/ha-instances-with-configs/files | |
| parent | fc9128e33469aea2b65b81589a3e9c9399ddc0c7 (diff) | |
| parent | 9fffee3ecbf3830d0b6df4fbb3e00ee745e3956a (diff) | |
| download | vyos-automation-d641a40e515ad2c8ad5257d34178f14746ab4348.tar.gz vyos-automation-d641a40e515ad2c8ad5257d34178f14746ab4348.zip | |
Merge pull request #6 from aslanvyos/main
Terraform project for VyOS HA deployment on AWS
Diffstat (limited to 'Terraform/AWS/ha-instances-with-configs/files')
3 files changed, 300 insertions, 0 deletions
diff --git a/Terraform/AWS/ha-instances-with-configs/files/on-prem-vyos-config.txt b/Terraform/AWS/ha-instances-with-configs/files/on-prem-vyos-config.txt
new file mode 100644
index 0000000..242161f
--- /dev/null
+++ b/Terraform/AWS/ha-instances-with-configs/files/on-prem-vyos-config.txt
@@ -0,0 +1,84 @@
+ - set system host-name 'VyOS-for-On-Prem'
+ - set system login banner pre-login 'Welcome to the VyOS for DEMO'
+ - set interfaces ethernet eth0 description 'WAN'
+ - set interfaces ethernet eth1 description 'LAN'
+ - set interfaces ethernet eth1 dhcp-options no-default-route
+ - set system name-server '<DNS>'
+ - set service dns forwarding name-server '<DNS>'
+ - set service dns forwarding listen-address '<VYOS_PRIV_NIC_IP>'
+ - set service dns forwarding allow-from '<VYOS_CIDR>'
+ - set service dns forwarding no-serve-rfc1918
+ - set nat source rule 10 outbound-interface name 'eth0'
+ - set nat source rule 10 source address '<VYOS_CIDR>'
+ - set nat source rule 10 translation address 'masquerade'
+ - set vpn ipsec interface 'eth0'
+ - set vpn ipsec esp-group AWS lifetime '3600'
+ - set vpn ipsec esp-group AWS mode 'tunnel'
+ - set vpn ipsec esp-group AWS pfs 'dh-group2'
+ - set vpn ipsec esp-group AWS proposal 1 encryption 'aes256'
+ - set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
+ - set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
+ - set vpn ipsec ike-group AWS dead-peer-detection interval '15'
+ - set vpn ipsec ike-group AWS ikev2-reauth
+ - set vpn ipsec ike-group AWS key-exchange 'ikev2'
+ - set vpn ipsec ike-group AWS lifetime '28800'
+ - set vpn ipsec ike-group AWS proposal 1 dh-group '2'
+ - set vpn ipsec ike-group AWS proposal 1 encryption 'aes256'
+ - set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
+ - set vpn ipsec ike-group AWS close-action start
+ - set vpn ipsec option disable-route-autoinstall
+ - set interfaces vti vti1 address '10.2.100.11/32'
+ - set interfaces vti vti1 description 'Tunnel for VyOS-01 in AWS'
+ - set interfaces vti vti1 ip adjust-mss '1350'
+ - set interfaces vti vti2 address '10.2.100.12/32'
+ - set interfaces vti vti2 description 'Tunnel for VyOS-02 in AWS'
+ - set interfaces vti vti2 ip adjust-mss '1350'
+ - set protocols bfd peer 10.1.100.11 interval multiplier '3'
+ - set protocols bfd peer 10.1.100.11 interval receive '300'
+ - set protocols bfd peer 10.1.100.11 interval transmit '300'
+ - set protocols bfd peer 10.1.100.12 interval multiplier '3'
+ - set protocols bfd peer 10.1.100.12 interval receive '300'
+ - set protocols bfd peer 10.1.100.12 interval transmit '300'
+ - set protocols static route 10.1.100.11/32 interface vti1
+ - set protocols static route 10.1.100.12/32 interface vti2
+ - set vpn ipsec authentication psk VyOS id '<VYOS_PUBLIC_IP>'
+ - set vpn ipsec authentication psk VyOS id '<AWS_VYOS_PUBLIC_IP_01>'
+ - set vpn ipsec authentication psk VyOS id '<AWS_VYOS_PUBLIC_IP_02>'
+ - set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'
+ - set vpn ipsec site-to-site peer AWS-VyOS-01 authentication local-id '<VYOS_PUBLIC_IP>'
+ - set vpn ipsec site-to-site peer AWS-VyOS-01 authentication mode 'pre-shared-secret'
+ - set vpn ipsec site-to-site peer AWS-VyOS-01 authentication remote-id '<AWS_VYOS_PUBLIC_IP_01>'
+ - set vpn ipsec site-to-site peer AWS-VyOS-01 connection-type 'none'
+ - set vpn ipsec site-to-site peer AWS-VyOS-01 description 'TUNNEL to VyOS on AWS'
+ - set vpn ipsec site-to-site peer AWS-VyOS-01 ike-group 'AWS'
+ - set vpn ipsec site-to-site peer AWS-VyOS-01 ikev2-reauth 'inherit'
+ - set vpn ipsec site-to-site peer AWS-VyOS-01 local-address '<vyos_pub_nic_ip>'
+ - set vpn ipsec site-to-site peer AWS-VyOS-01 remote-address '<AWS_VYOS_PUBLIC_IP_01>'
+ - set vpn ipsec site-to-site peer AWS-VyOS-01 vti bind 'vti1'
+ - set vpn ipsec site-to-site peer AWS-VyOS-01 vti esp-group 'AWS'
+ - set vpn ipsec site-to-site peer AWS-VyOS-02 authentication local-id '<VYOS_PUBLIC_IP>'
+ - set vpn ipsec site-to-site peer AWS-VyOS-02 authentication mode 'pre-shared-secret'
+ - set vpn ipsec site-to-site peer AWS-VyOS-02 authentication remote-id '<AWS_VYOS_PUBLIC_IP_02>'
+ - set vpn ipsec site-to-site peer AWS-VyOS-02 connection-type 'none'
+ - set vpn ipsec site-to-site peer AWS-VyOS-02 description 'TUNNEL to VyOS on AWS'
+ - set vpn ipsec site-to-site peer AWS-VyOS-02 ike-group 'AWS'
+ - set vpn ipsec site-to-site peer AWS-VyOS-02 ikev2-reauth 'inherit'
+ - set vpn ipsec site-to-site peer AWS-VyOS-02 local-address '<vyos_pub_nic_ip>'
+ - set vpn ipsec site-to-site peer AWS-VyOS-02 remote-address '<AWS_VYOS_PUBLIC_IP_02>'
+ - set vpn ipsec site-to-site peer AWS-VyOS-02 vti bind 'vti2'
+ - set vpn ipsec site-to-site peer AWS-VyOS-02 vti esp-group 'AWS'
+ - set protocols bgp system-as '<vyos_bgp_as_number>'
+ - set protocols bgp address-family ipv4-unicast network <VYOS_CIDR>
+ - set protocols bgp neighbor 10.1.100.11 remote-as '<on_prem_bgp_as_number>'
+ - set protocols bgp neighbor 10.1.100.11 address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor 10.1.100.11 timers holdtime '30'
+ - set protocols bgp neighbor 10.1.100.11 bfd
+ - set protocols bgp neighbor 10.1.100.11 disable-connected-check
+ - set protocols bgp neighbor 10.1.100.11 update-source '10.2.100.11'
+ - set protocols bgp neighbor 10.1.100.12 remote-as '<on_prem_bgp_as_number>'
+ - set protocols bgp neighbor 10.1.100.12 address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor 10.1.100.12 timers holdtime '30'
+ - set protocols bgp neighbor 10.1.100.12 bfd
+ - set protocols bgp neighbor 10.1.100.12 disable-connected-check
+ - set protocols bgp neighbor 10.1.100.12 update-source '10.2.100.12'
+
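Review bot: The IPsec pre-shared key on `set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'` is a literal committed to the repository, while every other site-specific value in this file is a `<PLACEHOLDER>`; the same literal recurs in vyos_01_user_data.tfpl and vyos_02_user_data.tfpl, where it ends up in EC2 user data that is readable from the instance metadata service and via the DescribeInstanceAttribute API. Use a placeholder here (`set vpn ipsec authentication psk VyOS secret '<IPSEC_PSK>'`) and a `${ipsec_psk}` template variable in the two .tfpl files, backed by a Terraform variable declared with `sensitive = true`. The ESP and IKE proposals also pin `hash 'sha1'`, `dh-group '2'` and `pfs 'dh-group2'` (1024-bit MODP) in all three files; VyOS accepts `sha256` and `dh-group14` or higher, and the two AWS templates must be changed in step with whatever is chosen here. Separately, this on-prem config sets `system-as '<vyos_bgp_as_number>'` and `remote-as '<on_prem_bgp_as_number>'`, which are the same values the AWS templates use for their own local AS and for the on-prem peer respectively — unless the two placeholders are intentionally swapped, the BGP sessions will fail with an AS mismatch.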
diff --git a/Terraform/AWS/ha-instances-with-configs/files/vyos_01_user_data.tfpl b/Terraform/AWS/ha-instances-with-configs/files/vyos_01_user_data.tfpl
new file mode 100644
index 0000000..e8df410
--- /dev/null
+++ b/Terraform/AWS/ha-instances-with-configs/files/vyos_01_user_data.tfpl
@@ -0,0 +1,108 @@
+#cloud-config
+vyos_config_commands:
+ - set system host-name 'VyOS-01-on-AWS'
+ - set system login banner pre-login 'Welcome to the VyOS for DEMO on AWS'
+ - set interfaces ethernet eth0 description 'WAN'
+ - set interfaces ethernet eth1 description 'LAN'
+ - set interfaces ethernet eth1 dhcp-options no-default-route
+ - set system name-server '${dns}'
+ - set service dns forwarding name-server '${dns}'
+ - set service dns forwarding listen-address '${vyos_01_priv_nic_ip}'
+ - set service dns forwarding allow-from '${transit_vpc_cidr}'
+ - set service dns forwarding no-serve-rfc1918
+ - set nat source rule 10 outbound-interface name 'eth0'
+ - set nat source rule 10 source address '${transit_vpc_cidr}'
+ - set nat source rule 10 translation address 'masquerade'
+ - set vpn ipsec interface 'eth0'
+ - set vpn ipsec esp-group AZURE lifetime '3600'
+ - set vpn ipsec esp-group AZURE mode 'tunnel'
+ - set vpn ipsec esp-group AZURE pfs 'dh-group2'
+ - set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256'
+ - set vpn ipsec esp-group AZURE proposal 1 hash 'sha1'
+ - set vpn ipsec ike-group AZURE dead-peer-detection action 'restart'
+ - set vpn ipsec ike-group AZURE dead-peer-detection interval '15'
+ - set vpn ipsec ike-group AZURE ikev2-reauth
+ - set vpn ipsec ike-group AZURE key-exchange 'ikev2'
+ - set vpn ipsec ike-group AZURE lifetime '28800'
+ - set vpn ipsec ike-group AZURE proposal 1 dh-group '2'
+ - set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256'
+ - set vpn ipsec ike-group AZURE proposal 1 hash 'sha1'
+ - set vpn ipsec ike-group AZURE close-action start
+ - set vpn ipsec option disable-route-autoinstall
+ - set interfaces vti vti1 address '10.1.100.11/32'
+ - set interfaces vti vti1 description 'Tunnel for VyOS in Azure'
+ - set interfaces vti vti1 ip adjust-mss '1350'
+ - set protocols static route 10.2.100.11/32 interface vti1
+ - set protocols static route ${vyos_01_pub_subnet} blackhole distance '254'
+ - set protocols static route ${vyos_01_priv_subnet} blackhole distance '254'
+ - set vpn ipsec authentication psk VyOS id '${vyos_01_public_ip}'
+ - set vpn ipsec authentication psk VyOS id '${on_prem_public_ip}'
+ - set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'
+ - set vpn ipsec site-to-site peer AZURE authentication local-id '${vyos_01_public_ip}'
+ - set vpn ipsec site-to-site peer AZURE authentication mode 'pre-shared-secret'
+ - set vpn ipsec site-to-site peer AZURE authentication remote-id '${on_prem_public_ip}'
+ - set vpn ipsec site-to-site peer AZURE connection-type 'initiate'
+ - set vpn ipsec site-to-site peer AZURE description 'TUNNEL to VyOS on AZURE'
+ - set vpn ipsec site-to-site peer AZURE ike-group 'AZURE'
+ - set vpn ipsec site-to-site peer AZURE ikev2-reauth 'inherit'
+ - set vpn ipsec site-to-site peer AZURE local-address '${vyos_01_pub_nic_ip}'
+ - set vpn ipsec site-to-site peer AZURE remote-address '${on_prem_public_ip}'
+ - set vpn ipsec site-to-site peer AZURE vti bind 'vti1'
+ - set vpn ipsec site-to-site peer AZURE vti esp-group 'AZURE'
+ - set policy prefix-list AS65001-OUT rule 10 action 'permit'
+ - set policy prefix-list AS65001-OUT rule 10 prefix '${data_vpc_public_subnet}'
+ - set policy prefix-list AS65001-OUT rule 20 action 'permit'
+ - set policy prefix-list AS65001-OUT rule 20 prefix '${transit_vpc_cidr}'
+ - set policy prefix-list AS65001-OUT rule 20 ge '24'
+ - set policy prefix-list AS65001-OUT rule 30 action 'permit'
+ - set policy prefix-list AS65001-OUT rule 30 prefix '${on_prem_subnet_cidr}'
+ - set policy prefix-list AS65001-OUT rule 30 ge '24'
+ - set policy prefix-list AS65002-OUT rule 10 action 'permit'
+ - set policy prefix-list AS65002-OUT rule 10 prefix '${transit_vpc_cidr}'
+ - set policy prefix-list AS65002-OUT rule 10 ge '24'
+ - set policy prefix-list AS65002-OUT rule 20 action 'permit'
+ - set policy prefix-list AS65002-OUT rule 20 prefix '${data_vpc_public_subnet}'
+ - set policy prefix-list AS65002-OUT rule 20 ge '24'
+ - set policy prefix-list AS65011-OUT rule 10 action 'permit'
+ - set policy prefix-list AS65011-OUT rule 10 prefix '${on_prem_subnet_cidr}'
+ - set policy prefix-list AS65011-OUT rule 10 ge '24'
+ - set policy route-map AS65001-OUT rule 20 action 'permit'
+ - set policy route-map AS65001-OUT rule 20 match ip address prefix-list 'AS65001-OUT'
+ - set policy route-map AS65002-OUT rule 20 action 'permit'
+ - set policy route-map AS65002-OUT rule 20 match ip address prefix-list 'AS65002-OUT'
+ - set policy route-map AS65011-OUT rule 10 action 'permit'
+ - set policy route-map AS65011-OUT rule 10 match ip address prefix-list 'AS65011-OUT'
+ - set protocols bfd peer ${vyos_02_pub_nic_ip} interval multiplier '3'
+ - set protocols bfd peer ${vyos_02_pub_nic_ip} interval receive '300'
+ - set protocols bfd peer ${vyos_02_pub_nic_ip} interval transmit '300'
+ - set protocols bfd peer ${route_server_endpoint_01_ip} interval multiplier '3'
+ - set protocols bfd peer ${route_server_endpoint_01_ip} interval receive '300'
+ - set protocols bfd peer ${route_server_endpoint_01_ip} interval transmit '300'
+ - set protocols bfd peer 10.2.100.11 interval multiplier '3'
+ - set protocols bfd peer 10.2.100.11 interval receive '300'
+ - set protocols bfd peer 10.2.100.11 interval transmit '300'
+ - set protocols bgp system-as '${vyos_bgp_as_number}'
+ - set protocols bgp address-family ipv4-unicast network ${data_vpc_public_subnet}
+ - set protocols bgp address-family ipv4-unicast redistribute connected
+ - set protocols bgp neighbor 10.2.100.11 remote-as '${on_prem_bgp_as_number}'
+ - set protocols bgp neighbor 10.2.100.11 address-family ipv4-unicast route-map export 'AS65002-OUT'
+ - set protocols bgp neighbor 10.2.100.11 address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor 10.2.100.11 timers holdtime '30'
+ - set protocols bgp neighbor 10.2.100.11 bfd
+ - set protocols bgp neighbor 10.2.100.11 disable-connected-check
+ - set protocols bgp neighbor 10.2.100.11 update-source '10.1.100.11'
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} address-family ipv4-unicast nexthop-self force
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} address-family ipv4-unicast route-map export 'AS65001-OUT'
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} disable-connected-check
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} remote-as '${vyos_bgp_as_number}'
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} timers holdtime '30'
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} bfd
+ - set protocols bgp neighbor ${vyos_02_pub_nic_ip} update-source '${vyos_01_pub_nic_ip}'
+ - set protocols bgp neighbor ${route_server_endpoint_01_ip} address-family ipv4-unicast route-map export 'AS65011-OUT'
+ - set protocols bgp neighbor ${route_server_endpoint_01_ip} address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor ${route_server_endpoint_01_ip} disable-connected-check
+ - set protocols bgp neighbor ${route_server_endpoint_01_ip} remote-as '${route_server_endpoint_bgp_as_number}'
+ - set protocols bgp neighbor ${route_server_endpoint_01_ip} timers holdtime '30'
+ - set protocols bgp neighbor ${route_server_endpoint_01_ip} bfd
+ - set protocols bgp neighbor ${route_server_endpoint_01_ip} update-source '${vyos_01_priv_nic_ip}'
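Review bot: The IPsec objects in this template are named for the wrong cloud: `esp-group AZURE`, `ike-group AZURE`, `peer AZURE`, `description 'Tunnel for VyOS in Azure'` and `'TUNNEL to VyOS on AZURE'`, while the peer is the on-prem VyOS and the project is the AWS deployment. Renaming them to ON-PREM and fixing the two descriptions keeps the configuration self-explaining when an operator reads `show vpn ipsec sa` on the box; the same names recur in vyos_02_user_data.tfpl. The prefix-list and route-map names AS65001-OUT, AS65002-OUT and AS65011-OUT likewise hard-code AS numbers that the template otherwise takes from `${vyos_bgp_as_number}`, `${on_prem_bgp_as_number}` and `${route_server_endpoint_bgp_as_number}`, so a deployment with different AS values gets misleading policy names — role-based names such as TO-PEER-OUT, TO-ON-PREM-OUT and TO-ROUTE-SERVER-OUT would not go stale.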
diff --git a/Terraform/AWS/ha-instances-with-configs/files/vyos_02_user_data.tfpl b/Terraform/AWS/ha-instances-with-configs/files/vyos_02_user_data.tfpl
new file mode 100644
index 0000000..38535e6
--- /dev/null
+++ b/Terraform/AWS/ha-instances-with-configs/files/vyos_02_user_data.tfpl
@@ -0,0 +1,108 @@
+#cloud-config
+vyos_config_commands:
+ - set system host-name 'VyOS-02-on-AWS'
+ - set system login banner pre-login 'Welcome to the VyOS for DEMO on AWS'
+ - set interfaces ethernet eth0 description 'WAN'
+ - set interfaces ethernet eth1 description 'LAN'
+ - set interfaces ethernet eth1 dhcp-options no-default-route
+ - set system name-server '${dns}'
+ - set service dns forwarding name-server '${dns}'
+ - set service dns forwarding listen-address '${vyos_02_priv_nic_ip}'
+ - set service dns forwarding allow-from '${transit_vpc_cidr}'
+ - set service dns forwarding no-serve-rfc1918
+ - set nat source rule 10 outbound-interface name 'eth0'
+ - set nat source rule 10 source address '${transit_vpc_cidr}'
+ - set nat source rule 10 translation address 'masquerade'
+ - set vpn ipsec interface 'eth0'
+ - set vpn ipsec esp-group AZURE lifetime '3600'
+ - set vpn ipsec esp-group AZURE mode 'tunnel'
+ - set vpn ipsec esp-group AZURE pfs 'dh-group2'
+ - set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256'
+ - set vpn ipsec esp-group AZURE proposal 1 hash 'sha1'
+ - set vpn ipsec ike-group AZURE dead-peer-detection action 'restart'
+ - set vpn ipsec ike-group AZURE dead-peer-detection interval '15'
+ - set vpn ipsec ike-group AZURE ikev2-reauth
+ - set vpn ipsec ike-group AZURE key-exchange 'ikev2'
+ - set vpn ipsec ike-group AZURE lifetime '28800'
+ - set vpn ipsec ike-group AZURE proposal 1 dh-group '2'
+ - set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256'
+ - set vpn ipsec ike-group AZURE proposal 1 hash 'sha1'
+ - set vpn ipsec ike-group AZURE close-action start
+ - set vpn ipsec option disable-route-autoinstall
+ - set interfaces vti vti1 address '10.1.100.12/32'
+ - set interfaces vti vti1 description 'Tunnel for VyOS in Azure'
+ - set interfaces vti vti1 ip adjust-mss '1350'
+ - set protocols static route 10.2.100.12/32 interface vti1
+ - set protocols static route ${vyos_02_pub_subnet} blackhole distance '254'
+ - set protocols static route ${vyos_02_priv_subnet} blackhole distance '254'
+ - set vpn ipsec authentication psk VyOS id '${vyos_02_public_ip}'
+ - set vpn ipsec authentication psk VyOS id '${on_prem_public_ip}'
+ - set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'
+ - set vpn ipsec site-to-site peer AZURE authentication local-id '${vyos_02_public_ip}'
+ - set vpn ipsec site-to-site peer AZURE authentication mode 'pre-shared-secret'
+ - set vpn ipsec site-to-site peer AZURE authentication remote-id '${on_prem_public_ip}'
+ - set vpn ipsec site-to-site peer AZURE connection-type 'initiate'
+ - set vpn ipsec site-to-site peer AZURE description 'TUNNEL to VyOS on AZURE'
+ - set vpn ipsec site-to-site peer AZURE ike-group 'AZURE'
+ - set vpn ipsec site-to-site peer AZURE ikev2-reauth 'inherit'
+ - set vpn ipsec site-to-site peer AZURE local-address '${vyos_02_pub_nic_ip}'
+ - set vpn ipsec site-to-site peer AZURE remote-address '${on_prem_public_ip}'
+ - set vpn ipsec site-to-site peer AZURE vti bind 'vti1'
+ - set vpn ipsec site-to-site peer AZURE vti esp-group 'AZURE'
+ - set policy prefix-list AS65001-OUT rule 10 action 'permit'
+ - set policy prefix-list AS65001-OUT rule 10 prefix '${data_vpc_public_subnet}'
+ - set policy prefix-list AS65001-OUT rule 20 action 'permit'
+ - set policy prefix-list AS65001-OUT rule 20 prefix '${transit_vpc_cidr}'
+ - set policy prefix-list AS65001-OUT rule 20 ge '24'
+ - set policy prefix-list AS65001-OUT rule 30 action 'permit'
+ - set policy prefix-list AS65001-OUT rule 30 prefix '${on_prem_subnet_cidr}'
+ - set policy prefix-list AS65001-OUT rule 30 ge '24'
+ - set policy prefix-list AS65002-OUT rule 10 action 'permit'
+ - set policy prefix-list AS65002-OUT rule 10 prefix '${transit_vpc_cidr}'
+ - set policy prefix-list AS65002-OUT rule 10 ge '24'
+ - set policy prefix-list AS65002-OUT rule 20 action 'permit'
+ - set policy prefix-list AS65002-OUT rule 20 prefix '${data_vpc_public_subnet}'
+ - set policy prefix-list AS65002-OUT rule 20 ge '24'
+ - set policy prefix-list AS65011-OUT rule 10 action 'permit'
+ - set policy prefix-list AS65011-OUT rule 10 prefix '${on_prem_subnet_cidr}'
+ - set policy prefix-list AS65011-OUT rule 10 ge '24'
+ - set policy route-map AS65001-OUT rule 20 action 'permit'
+ - set policy route-map AS65001-OUT rule 20 match ip address prefix-list 'AS65001-OUT'
+ - set policy route-map AS65002-OUT rule 20 action 'permit'
+ - set policy route-map AS65002-OUT rule 20 match ip address prefix-list 'AS65002-OUT'
+ - set policy route-map AS65011-OUT rule 10 action 'permit'
+ - set policy route-map AS65011-OUT rule 10 match ip address prefix-list 'AS65011-OUT'
+ - set protocols bfd peer ${vyos_01_pub_nic_ip} interval multiplier '3'
+ - set protocols bfd peer ${vyos_01_pub_nic_ip} interval receive '300'
+ - set protocols bfd peer ${vyos_01_pub_nic_ip} interval transmit '300'
+ - set protocols bfd peer ${route_server_endpoint_02_ip} interval multiplier '3'
+ - set protocols bfd peer ${route_server_endpoint_02_ip} interval receive '300'
+ - set protocols bfd peer ${route_server_endpoint_02_ip} interval transmit '300'
+ - set protocols bfd peer 10.2.100.12 interval multiplier '3'
+ - set protocols bfd peer 10.2.100.12 interval receive '300'
+ - set protocols bfd peer 10.2.100.12 interval transmit '300'
+ - set protocols bgp system-as '${vyos_bgp_as_number}'
+ - set protocols bgp address-family ipv4-unicast network ${data_vpc_public_subnet}
+ - set protocols bgp address-family ipv4-unicast redistribute connected
+ - set protocols bgp neighbor 10.2.100.12 remote-as '${on_prem_bgp_as_number}'
+ - set protocols bgp neighbor 10.2.100.12 address-family ipv4-unicast route-map export 'AS65002-OUT'
+ - set protocols bgp neighbor 10.2.100.12 address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor 10.2.100.12 timers holdtime '30'
+ - set protocols bgp neighbor 10.2.100.12 bfd
+ - set protocols bgp neighbor 10.2.100.12 disable-connected-check
+ - set protocols bgp neighbor 10.2.100.12 update-source '10.1.100.12'
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} address-family ipv4-unicast nexthop-self force
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} address-family ipv4-unicast route-map export 'AS65001-OUT'
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} disable-connected-check
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} remote-as '${vyos_bgp_as_number}'
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} timers holdtime '30'
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} bfd
+ - set protocols bgp neighbor ${vyos_01_pub_nic_ip} update-source '${vyos_02_pub_nic_ip}'
+ - set protocols bgp neighbor ${route_server_endpoint_02_ip} address-family ipv4-unicast route-map export 'AS65011-OUT'
+ - set protocols bgp neighbor ${route_server_endpoint_02_ip} address-family ipv4-unicast soft-reconfiguration inbound
+ - set protocols bgp neighbor ${route_server_endpoint_02_ip} disable-connected-check
+ - set protocols bgp neighbor ${route_server_endpoint_02_ip} remote-as '${route_server_endpoint_bgp_as_number}'
+ - set protocols bgp neighbor ${route_server_endpoint_02_ip} timers holdtime '30'
+ - set protocols bgp neighbor ${route_server_endpoint_02_ip} bfd
+ - set protocols bgp neighbor ${route_server_endpoint_02_ip} update-source '${vyos_02_priv_nic_ip}'
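Review bot: This template differs from vyos_01_user_data.tfpl only in the instance index — the host-name, the `${vyos_02_*}` versus `${vyos_01_*}` variables, the vti address 10.1.100.12 versus .11 and the 10.2.100.12 peer — so the two files will drift as soon as one of them is edited (the PSK, proposal and naming points raised on the other two files apply here unchanged). A single template taking the instance-specific values as variables (for example `self_pub_nic_ip`, `peer_pub_nic_ip`, `vti_address`, `on_prem_vti_ip`, `route_server_endpoint_ip`) and rendered twice with `templatefile()` would remove the duplication; the Terraform code that renders these files is outside this diff, so I can only infer how the variables are passed in.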