From 67a227b0cfdc8ab7248830efe67f7b9a3c4c46f2 Mon Sep 17 00:00:00 2001
From: aslanvyos
Date: Wed, 4 Jun 2025 11:07:35 +0400
Subject: Terraform project for VyOS HA deployment on AWS
---
 .../ha-instances-with-configs/transit_gateway.tf | 82 ++++++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 Terraform/AWS/ha-instances-with-configs/transit_gateway.tf
(limited to 'Terraform/AWS/ha-instances-with-configs/transit_gateway.tf')
diff --git a/Terraform/AWS/ha-instances-with-configs/transit_gateway.tf b/Terraform/AWS/ha-instances-with-configs/transit_gateway.tf
new file mode 100644
index 0000000..afe6b2d
--- /dev/null
+++ b/Terraform/AWS/ha-instances-with-configs/transit_gateway.tf
@@ -0,0 +1,82 @@
+# TRANSIT GATEWAY
+
+resource "aws_ec2_transit_gateway" "tgw" {
+ description = "Main Transit Gateway"
+ amazon_side_asn = 64512
+ auto_accept_shared_attachments = "enable"
+ default_route_table_association = "disable"
+ default_route_table_propagation = "disable"
+
+ tags = {
+ Name = "${var.prefix}-tgw"
+ }
+}
+
+# TRANSIT GATEWAY ATTACHMENT
+
+resource "aws_ec2_transit_gateway_vpc_attachment" "transit_vpc_attachment" {
+ subnet_ids = [aws_subnet.transit_vpc_private_subnet_01.id, aws_subnet.transit_vpc_private_subnet_02.id]
+ transit_gateway_id = aws_ec2_transit_gateway.tgw.id
+ vpc_id = aws_vpc.transit_vpc.id
+
+ tags = {
+ Name = "${var.prefix}-${var.transit_vpc_name}-attachment"
+ }
+}
+
+resource "aws_ec2_transit_gateway_vpc_attachment" "data_vpc_attachment" {
+ subnet_ids = [aws_subnet.data_vpc_private_subnet.id]
+ transit_gateway_id = aws_ec2_transit_gateway.tgw.id
+ vpc_id = aws_vpc.data_vpc.id
+
+ tags = {
+ Name = "${var.prefix}-${var.data_vpc_name}-attachment"
+ }
+}
+
+resource "aws_ec2_transit_gateway_connect" "tgw_connect" {
+ transport_attachment_id = aws_ec2_transit_gateway_vpc_attachment.transit_vpc_attachment.id
+ transit_gateway_id = aws_ec2_transit_gateway.tgw.id
+
+ tags = {
+ Name = "${var.prefix}-${var.transit_vpc_name}-connect"
+ }
+}
+
+# TRANSIT GATEWAY ROUTE
+
+resource "aws_ec2_transit_gateway_route_table" "tgw_rt" {
+ transit_gateway_id = aws_ec2_transit_gateway.tgw.id
+
+ tags = {
+ Name = "${var.prefix}-tgw-rtb"
+ }
+}
+
+resource "aws_ec2_transit_gateway_route" "azure" {
+ transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.tgw_rt.id
+ destination_cidr_block = var.on_prem_subnet_cidr
+ transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.transit_vpc_attachment.id
+}
+
+# TRANSIT GATEWAY ASSOCIATION and PROPAGATION
+
+resource "aws_ec2_transit_gateway_route_table_association" "transit_vpc_rt_assoc" {
+ transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.transit_vpc_attachment.id
+ transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.tgw_rt.id
+}
+
+resource "aws_ec2_transit_gateway_route_table_association" "data_vpc_rt_assoc" {
+ transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.data_vpc_attachment.id
+ transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.tgw_rt.id
+}
+
+resource "aws_ec2_transit_gateway_route_table_propagation" "transit_vpc_rt_prop" {
+ transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.transit_vpc_attachment.id
+ transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.tgw_rt.id
+}
+
+resource "aws_ec2_transit_gateway_route_table_propagation" "data_vpc_rt_prop" {
+ transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.data_vpc_attachment.id
+ transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.tgw_rt.id
+}
-- 
cgit v1.2.3
From 9fffee3ecbf3830d0b6df4fbb3e00ee745e3956a Mon Sep 17 00:00:00 2001
From: aslanvyos
Date: Wed, 18 Jun 2025 11:55:46 +0400
Subject: Added VPC Route Server module
---
 .../files/vyos_01_user_data.tfpl | 60 ++++++-------
 .../files/vyos_02_user_data.tfpl | 61 +++++++-------
 Terraform/AWS/ha-instances-with-configs/main.tf | 69 +++++++------
 Terraform/AWS/ha-instances-with-configs/output.tf | 4 -
 Terraform/AWS/ha-instances-with-configs/readme.md | 89 +------------------
 .../ha-instances-with-configs/transit_gateway.tf | 2 +-
 .../AWS/ha-instances-with-configs/variables.tf | 2 +-
 .../ha-instances-with-configs/vpc_route_server.tf | 98 ++++++++++++++++++++++
 8 files changed, 204 insertions(+), 181 deletions(-)
 create mode 100644 Terraform/AWS/ha-instances-with-configs/vpc_route_server.tf
(limited to 'Terraform/AWS/ha-instances-with-configs/transit_gateway.tf')
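Review bot: `auto_accept_shared_attachments = "enable"` on `aws_ec2_transit_gateway.tgw` means any attachment request from an account the gateway is later shared with through RAM is accepted without review; nothing in this diff shares the gateway, so the setting has no effect today, but it is the kind of default that survives into a shared deployment. Unless cross-account attachments are intended, `auto_accept_shared_attachments = "disable"` (the AWS default) with a one-line comment stating the reason is the safer starting point. The static route resource is named `azure` but routes `var.on_prem_subnet_cidr`; a name such as `on_prem` would match the variable it uses.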
diff --git a/Terraform/AWS/ha-instances-with-configs/files/vyos_01_user_data.tfpl b/Terraform/AWS/ha-instances-with-configs/files/vyos_01_user_data.tfpl index be25c3a..e8df410 100644 --- a/Terraform/AWS/ha-instances-with-configs/files/vyos_01_user_data.tfpl +++ b/Terraform/AWS/ha-instances-with-configs/files/vyos_01_user_data.tfpl @@ -7,7 +7,7 @@ vyos_config_commands: - set interfaces ethernet eth1 dhcp-options no-default-route - set system name-server '${dns}' - set service dns forwarding name-server '${dns}' - - set service dns forwarding listen-address '${vyos_priv_nic_ip}' + - set service dns forwarding listen-address '${vyos_01_priv_nic_ip}' - set service dns forwarding allow-from '${transit_vpc_cidr}' - set service dns forwarding no-serve-rfc1918 - set nat source rule 10 outbound-interface name 'eth0' 
@@ -33,20 +33,20 @@ vyos_config_commands: - set interfaces vti vti1 description 'Tunnel for VyOS in Azure' - set interfaces vti vti1 ip adjust-mss '1350' - set protocols static route 10.2.100.11/32 interface vti1 - - set protocols static route ${vyos_pub_subnet} blackhole distance '254' - - set protocols static route ${vyos_priv_subnet} blackhole distance '254' - - set vpn ipsec authentication psk VyOS id '${vyos_public_ip_address}' - - set vpn ipsec authentication psk VyOS id '${on_prem_public_ip_address}' + - set protocols static route ${vyos_01_pub_subnet} blackhole distance '254' + - set protocols static route ${vyos_01_priv_subnet} blackhole distance '254' + - set vpn ipsec authentication psk VyOS id '${vyos_01_public_ip}' + - set vpn ipsec authentication psk VyOS id '${on_prem_public_ip}' - set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk' - - set vpn ipsec site-to-site peer AZURE authentication local-id '${vyos_public_ip_address}' + - set vpn ipsec site-to-site peer AZURE authentication local-id '${vyos_01_public_ip}' - set vpn ipsec site-to-site peer AZURE authentication mode 'pre-shared-secret' - - set vpn ipsec site-to-site peer AZURE authentication remote-id '${on_prem_public_ip_address}' + - set vpn ipsec site-to-site peer AZURE authentication remote-id '${on_prem_public_ip}' - set vpn ipsec site-to-site peer AZURE connection-type 'initiate' - set vpn ipsec site-to-site peer AZURE description 'TUNNEL to VyOS on AZURE' - set vpn ipsec site-to-site peer AZURE ike-group 'AZURE' - set vpn ipsec site-to-site peer AZURE ikev2-reauth 'inherit' - - set vpn ipsec site-to-site peer AZURE local-address '${vyos_pub_nic_ip}' - - set vpn ipsec site-to-site peer AZURE remote-address '${on_prem_public_ip_address}' + - set vpn ipsec site-to-site peer AZURE local-address '${vyos_01_pub_nic_ip}' + - set vpn ipsec site-to-site peer AZURE remote-address '${on_prem_public_ip}' - set vpn ipsec site-to-site peer AZURE vti bind 'vti1' - set vpn ipsec 
site-to-site peer AZURE vti esp-group 'AZURE' - set policy prefix-list AS65001-OUT rule 10 action 'permit' @@ -72,15 +72,15 @@ vyos_config_commands: - set policy route-map AS65002-OUT rule 20 match ip address prefix-list 'AS65002-OUT' - set policy route-map AS65011-OUT rule 10 action 'permit' - set policy route-map AS65011-OUT rule 10 match ip address prefix-list 'AS65011-OUT' - - set protocols bfd peer ${vyos_02_pub_nic_ip_address} interval multiplier '3' - - set protocols bfd peer ${vyos_02_pub_nic_ip_address} interval receive '300' - - set protocols bfd peer ${vyos_02_pub_nic_ip_address} interval transmit '300' + - set protocols bfd peer ${vyos_02_pub_nic_ip} interval multiplier '3' + - set protocols bfd peer ${vyos_02_pub_nic_ip} interval receive '300' + - set protocols bfd peer ${vyos_02_pub_nic_ip} interval transmit '300' + - set protocols bfd peer ${route_server_endpoint_01_ip} interval multiplier '3' + - set protocols bfd peer ${route_server_endpoint_01_ip} interval receive '300' + - set protocols bfd peer ${route_server_endpoint_01_ip} interval transmit '300' - set protocols bfd peer 10.2.100.11 interval multiplier '3' - set protocols bfd peer 10.2.100.11 interval receive '300' - set protocols bfd peer 10.2.100.11 interval transmit '300' - - set protocols bfd peer 172.16.11.115 interval multiplier '3' - - set protocols bfd peer 172.16.11.115 interval receive '300' - - set protocols bfd peer 172.16.11.115 interval transmit '300' - set protocols bgp system-as '${vyos_bgp_as_number}' - set protocols bgp address-family ipv4-unicast network ${data_vpc_public_subnet} - set protocols bgp address-family ipv4-unicast redistribute connected 
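Review bot: The IPsec pre-shared key `'ch00s3-4-s3cur3-psk'` on the context line between the renamed `psk VyOS id` lines is still a literal in a template committed to the repository, while every other peer-specific value in this hunk has just been turned into a template variable. Making it `- set vpn ipsec authentication psk VyOS secret '${ipsec_psk}'` and passing `ipsec_psk = var.ipsec_psk` (a variable declared with `sensitive = true`) from the `templatefile` call in main.tf keeps the secret out of git; the rendered user data is still retrievable through the instance's user-data attribute, so this is about the source, not the instance. The same literal is in the matching hunk of vyos_02_user_data.tfpl.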
@@ -91,18 +91,18 @@ vyos_config_commands: - set protocols bgp neighbor 10.2.100.11 bfd - set protocols bgp neighbor 10.2.100.11 disable-connected-check - set protocols bgp neighbor 10.2.100.11 update-source '10.1.100.11' - - set protocols bgp neighbor 172.16.11.115 address-family ipv4-unicast route-map export 'AS65011-OUT' - - set protocols bgp neighbor 172.16.11.115 address-family ipv4-unicast soft-reconfiguration inbound - - set protocols bgp neighbor 172.16.11.115 disable-connected-check - - set protocols bgp neighbor 172.16.11.115 remote-as '65011' - - set protocols bgp neighbor 172.16.11.115 timers holdtime '30' - - set protocols bgp neighbor 172.16.11.115 bfd - - set protocols bgp neighbor 172.16.11.115 update-source '${vyos_priv_nic_ip}' - - set protocols bgp neighbor ${vyos_02_pub_nic_ip_address} address-family ipv4-unicast nexthop-self force - - set protocols bgp neighbor ${vyos_02_pub_nic_ip_address} address-family ipv4-unicast route-map export 'AS65001-OUT' - - set protocols bgp neighbor ${vyos_02_pub_nic_ip_address} address-family ipv4-unicast soft-reconfiguration inbound - - set protocols bgp neighbor ${vyos_02_pub_nic_ip_address} disable-connected-check - - set protocols bgp neighbor ${vyos_02_pub_nic_ip_address} remote-as '${vyos_bgp_as_number}' - - set protocols bgp neighbor ${vyos_02_pub_nic_ip_address} timers holdtime '30' - - set protocols bgp neighbor ${vyos_02_pub_nic_ip_address} bfd - - set protocols bgp neighbor ${vyos_02_pub_nic_ip_address} update-source '${vyos_pub_nic_ip}' + - set protocols bgp neighbor ${vyos_02_pub_nic_ip} address-family ipv4-unicast nexthop-self force + - set protocols bgp neighbor ${vyos_02_pub_nic_ip} address-family ipv4-unicast route-map export 'AS65001-OUT' + - set protocols bgp neighbor ${vyos_02_pub_nic_ip} address-family ipv4-unicast soft-reconfiguration inbound + - set protocols bgp neighbor ${vyos_02_pub_nic_ip} disable-connected-check + - set protocols bgp neighbor ${vyos_02_pub_nic_ip} remote-as 
'${vyos_bgp_as_number}' + - set protocols bgp neighbor ${vyos_02_pub_nic_ip} timers holdtime '30' + - set protocols bgp neighbor ${vyos_02_pub_nic_ip} bfd + - set protocols bgp neighbor ${vyos_02_pub_nic_ip} update-source '${vyos_01_pub_nic_ip}' + - set protocols bgp neighbor ${route_server_endpoint_01_ip} address-family ipv4-unicast route-map export 'AS65011-OUT' + - set protocols bgp neighbor ${route_server_endpoint_01_ip} address-family ipv4-unicast soft-reconfiguration inbound + - set protocols bgp neighbor ${route_server_endpoint_01_ip} disable-connected-check + - set protocols bgp neighbor ${route_server_endpoint_01_ip} remote-as '${route_server_endpoint_bgp_as_number}' + - set protocols bgp neighbor ${route_server_endpoint_01_ip} timers holdtime '30' + - set protocols bgp neighbor ${route_server_endpoint_01_ip} bfd + - set protocols bgp neighbor ${route_server_endpoint_01_ip} update-source '${vyos_01_priv_nic_ip}' diff --git a/Terraform/AWS/ha-instances-with-configs/files/vyos_02_user_data.tfpl b/Terraform/AWS/ha-instances-with-configs/files/vyos_02_user_data.tfpl index 039d80b..38535e6 100644 --- a/Terraform/AWS/ha-instances-with-configs/files/vyos_02_user_data.tfpl +++ b/Terraform/AWS/ha-instances-with-configs/files/vyos_02_user_data.tfpl @@ -7,7 +7,7 @@ vyos_config_commands: - set interfaces ethernet eth1 dhcp-options no-default-route - set system name-server '${dns}' - set service dns forwarding name-server '${dns}' - - set service dns forwarding listen-address '${vyos_priv_nic_ip}' + - set service dns forwarding listen-address '${vyos_02_priv_nic_ip}' - set service dns forwarding allow-from '${transit_vpc_cidr}' - set service dns forwarding no-serve-rfc1918 - set nat source rule 10 outbound-interface name 'eth0' 
@@ -33,20 +33,20 @@ vyos_config_commands: - set interfaces vti vti1 description 'Tunnel for VyOS in Azure' - set interfaces vti vti1 ip adjust-mss '1350' - set protocols static route 10.2.100.12/32 interface vti1 - - set protocols static route ${vyos_pub_subnet} blackhole distance '254' - - set protocols static route ${vyos_priv_subnet} blackhole distance '254' - - set vpn ipsec authentication psk VyOS id '${vyos_public_ip_address}' - - set vpn ipsec authentication psk VyOS id '${on_prem_public_ip_address}' + - set protocols static route ${vyos_02_pub_subnet} blackhole distance '254' + - set protocols static route ${vyos_02_priv_subnet} blackhole distance '254' + - set vpn ipsec authentication psk VyOS id '${vyos_02_public_ip}' + - set vpn ipsec authentication psk VyOS id '${on_prem_public_ip}' - set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk' - - set vpn ipsec site-to-site peer AZURE authentication local-id '${vyos_public_ip_address}' + - set vpn ipsec site-to-site peer AZURE authentication local-id '${vyos_02_public_ip}' - set vpn ipsec site-to-site peer AZURE authentication mode 'pre-shared-secret' - - set vpn ipsec site-to-site peer AZURE authentication remote-id '${on_prem_public_ip_address}' + - set vpn ipsec site-to-site peer AZURE authentication remote-id '${on_prem_public_ip}' - set vpn ipsec site-to-site peer AZURE connection-type 'initiate' - set vpn ipsec site-to-site peer AZURE description 'TUNNEL to VyOS on AZURE' - set vpn ipsec site-to-site peer AZURE ike-group 'AZURE' - set vpn ipsec site-to-site peer AZURE ikev2-reauth 'inherit' - - set vpn ipsec site-to-site peer AZURE local-address '${vyos_pub_nic_ip}' - - set vpn ipsec site-to-site peer AZURE remote-address '${on_prem_public_ip_address}' + - set vpn ipsec site-to-site peer AZURE local-address '${vyos_02_pub_nic_ip}' + - set vpn ipsec site-to-site peer AZURE remote-address '${on_prem_public_ip}' - set vpn ipsec site-to-site peer AZURE vti bind 'vti1' - set vpn ipsec 
site-to-site peer AZURE vti esp-group 'AZURE' - set policy prefix-list AS65001-OUT rule 10 action 'permit' @@ -72,15 +72,15 @@ vyos_config_commands: - set policy route-map AS65002-OUT rule 20 match ip address prefix-list 'AS65002-OUT' - set policy route-map AS65011-OUT rule 10 action 'permit' - set policy route-map AS65011-OUT rule 10 match ip address prefix-list 'AS65011-OUT' - - set protocols bfd peer ${vyos_01_pub_nic_ip_address} interval multiplier '3' - - set protocols bfd peer ${vyos_01_pub_nic_ip_address} interval receive '300' - - set protocols bfd peer ${vyos_01_pub_nic_ip_address} interval transmit '300' + - set protocols bfd peer ${vyos_01_pub_nic_ip} interval multiplier '3' + - set protocols bfd peer ${vyos_01_pub_nic_ip} interval receive '300' + - set protocols bfd peer ${vyos_01_pub_nic_ip} interval transmit '300' + - set protocols bfd peer ${route_server_endpoint_02_ip} interval multiplier '3' + - set protocols bfd peer ${route_server_endpoint_02_ip} interval receive '300' + - set protocols bfd peer ${route_server_endpoint_02_ip} interval transmit '300' - set protocols bfd peer 10.2.100.12 interval multiplier '3' - set protocols bfd peer 10.2.100.12 interval receive '300' - set protocols bfd peer 10.2.100.12 interval transmit '300' - - set protocols bfd peer 172.16.21.177 interval multiplier '3' - - set protocols bfd peer 172.16.21.177 interval receive '300' - - set protocols bfd peer 172.16.21.177 interval transmit '300' - set protocols bgp system-as '${vyos_bgp_as_number}' - set protocols bgp address-family ipv4-unicast network ${data_vpc_public_subnet} - set protocols bgp address-family ipv4-unicast redistribute connected 
@@ -91,19 +91,18 @@ vyos_config_commands: - set protocols bgp neighbor 10.2.100.12 bfd - set protocols bgp neighbor 10.2.100.12 disable-connected-check - set protocols bgp neighbor 10.2.100.12 update-source '10.1.100.12' - - set protocols bgp neighbor 172.16.21.177 address-family ipv4-unicast route-map export 'AS65011-OUT' - - set protocols bgp neighbor 172.16.21.177 address-family ipv4-unicast soft-reconfiguration inbound - - set protocols bgp neighbor 172.16.21.177 disable-connected-check - - set protocols bgp neighbor 172.16.21.177 remote-as '65011' - - set protocols bgp neighbor 172.16.21.177 timers holdtime '30' - - set protocols bgp neighbor 172.16.21.177 bfd - - set protocols bgp neighbor 172.16.21.177 update-source '${vyos_priv_nic_ip}' - - set protocols bgp neighbor ${vyos_01_pub_nic_ip_address} address-family ipv4-unicast nexthop-self force - - set protocols bgp neighbor ${vyos_01_pub_nic_ip_address} address-family ipv4-unicast route-map export 'AS65001-OUT' - - set protocols bgp neighbor ${vyos_01_pub_nic_ip_address} address-family ipv4-unicast soft-reconfiguration inbound - - set protocols bgp neighbor ${vyos_01_pub_nic_ip_address} disable-connected-check - - set protocols bgp neighbor ${vyos_01_pub_nic_ip_address} remote-as '${vyos_bgp_as_number}' - - set protocols bgp neighbor ${vyos_01_pub_nic_ip_address} timers holdtime '30' - - set protocols bgp neighbor ${vyos_01_pub_nic_ip_address} bfd - - set protocols bgp neighbor ${vyos_01_pub_nic_ip_address} update-source '${vyos_pub_nic_ip}' - \ No newline at end of file + - set protocols bgp neighbor ${vyos_01_pub_nic_ip} address-family ipv4-unicast nexthop-self force + - set protocols bgp neighbor ${vyos_01_pub_nic_ip} address-family ipv4-unicast route-map export 'AS65001-OUT' + - set protocols bgp neighbor ${vyos_01_pub_nic_ip} address-family ipv4-unicast soft-reconfiguration inbound + - set protocols bgp neighbor ${vyos_01_pub_nic_ip} disable-connected-check + - set protocols bgp neighbor 
${vyos_01_pub_nic_ip} remote-as '${vyos_bgp_as_number}' + - set protocols bgp neighbor ${vyos_01_pub_nic_ip} timers holdtime '30' + - set protocols bgp neighbor ${vyos_01_pub_nic_ip} bfd + - set protocols bgp neighbor ${vyos_01_pub_nic_ip} update-source '${vyos_02_pub_nic_ip}' + - set protocols bgp neighbor ${route_server_endpoint_02_ip} address-family ipv4-unicast route-map export 'AS65011-OUT' + - set protocols bgp neighbor ${route_server_endpoint_02_ip} address-family ipv4-unicast soft-reconfiguration inbound + - set protocols bgp neighbor ${route_server_endpoint_02_ip} disable-connected-check + - set protocols bgp neighbor ${route_server_endpoint_02_ip} remote-as '${route_server_endpoint_bgp_as_number}' + - set protocols bgp neighbor ${route_server_endpoint_02_ip} timers holdtime '30' + - set protocols bgp neighbor ${route_server_endpoint_02_ip} bfd + - set protocols bgp neighbor ${route_server_endpoint_02_ip} update-source '${vyos_02_priv_nic_ip}' diff --git a/Terraform/AWS/ha-instances-with-configs/main.tf b/Terraform/AWS/ha-instances-with-configs/main.tf index c2b971b..d4f3bb0 100644 --- a/Terraform/AWS/ha-instances-with-configs/main.tf +++ b/Terraform/AWS/ha-instances-with-configs/main.tf @@ -10,6 +10,15 @@ resource "aws_key_pair" "ec2_key" { } # THE LATEST AMAZON VYOS 1.4 IMAGE +# +# VyOS AWS Marketplace publisher account ID: 679593333241 +# This ID is required for filtering official VyOS AMIs via `aws ec2 describe-images`. +# The value corresponds to the AMI owner ID used by VyOS in the AWS Marketplace. +# +# To confirm or update the AMI and owner ID, you must first subscribe to VyOS in the AWS Marketplace. +# Then run the following command to fetch the correct AMI ID and Owner ID for your AWS region (e.g., us-east-1): +# +# aws ec2 describe-images --owners aws-marketplace --filters "Name=product-code,Values=8wqdkv3u2b9sa0y73xob2yl90" --query 'Images[*].[ImageId,OwnerId,Name]' --output table data "aws_ami" "vyos" { most_recent = true 
@@ -53,19 +62,21 @@ resource "aws_instance" "vyos_01" { availability_zone = var.availability_zone_01 user_data_base64 = base64encode(templatefile("${path.module}/files/vyos_01_user_data.tfpl", { - transit_vpc_cidr = var.transit_vpc_cidr, - data_vpc_public_subnet = var.data_vpc_public_subnet_cidr, - vyos_public_ip_address = aws_eip.vyos_01_eip.public_ip, - vyos_pub_subnet = var.transit_vpc_public_subnet_01_cidr, - vyos_priv_subnet = var.transit_vpc_private_subnet_01_cidr, - vyos_02_pub_nic_ip_address = aws_network_interface.vyos_02_public_nic.private_ip, - vyos_pub_nic_ip = aws_network_interface.vyos_01_public_nic.private_ip, - vyos_priv_nic_ip = aws_network_interface.vyos_01_private_nic.private_ip, - vyos_bgp_as_number = var.vyos_bgp_as_number, - dns = var.dns, - on_prem_public_ip_address = var.on_prem_public_ip_address, - on_prem_bgp_as_number = var.on_prem_bgp_as_number, - on_prem_subnet_cidr = var.on_prem_subnet_cidr + transit_vpc_cidr = var.transit_vpc_cidr, + data_vpc_public_subnet = var.data_vpc_public_subnet_cidr, + vyos_01_public_ip = aws_eip.vyos_01_eip.public_ip, + vyos_01_pub_subnet = var.transit_vpc_public_subnet_01_cidr, + vyos_01_priv_subnet = var.transit_vpc_private_subnet_01_cidr, + vyos_01_pub_nic_ip = aws_network_interface.vyos_01_public_nic.private_ip, + vyos_01_priv_nic_ip = aws_network_interface.vyos_01_private_nic.private_ip, + vyos_02_pub_nic_ip = aws_network_interface.vyos_02_public_nic.private_ip, + vyos_bgp_as_number = var.vyos_bgp_as_number, + dns = var.dns, + on_prem_public_ip = var.on_prem_public_ip_address, + on_prem_bgp_as_number = var.on_prem_bgp_as_number, + on_prem_subnet_cidr = var.on_prem_subnet_cidr, + route_server_endpoint_01_ip = aws_vpc_route_server_endpoint.vyos_01_endpoint.eni_address, + route_server_endpoint_bgp_as_number = aws_vpc_route_server.vyos_route_server.amazon_side_asn })) depends_on = [ 
@@ -96,19 +107,21 @@ resource "aws_instance" "vyos_02" { availability_zone = var.availability_zone_02 user_data_base64 = base64encode(templatefile("${path.module}/files/vyos_02_user_data.tfpl", { - transit_vpc_cidr = var.transit_vpc_cidr, - data_vpc_public_subnet = var.data_vpc_public_subnet_cidr, - vyos_public_ip_address = aws_eip.vyos_02_eip.public_ip, - vyos_pub_subnet = var.transit_vpc_public_subnet_02_cidr, - vyos_priv_subnet = var.transit_vpc_private_subnet_02_cidr, - vyos_01_pub_nic_ip_address = aws_network_interface.vyos_01_public_nic.private_ip, - vyos_pub_nic_ip = aws_network_interface.vyos_02_public_nic.private_ip, - vyos_priv_nic_ip = aws_network_interface.vyos_02_private_nic.private_ip, - vyos_bgp_as_number = var.vyos_bgp_as_number, - dns = var.dns, - on_prem_public_ip_address = var.on_prem_public_ip_address, - on_prem_bgp_as_number = var.on_prem_bgp_as_number, - on_prem_subnet_cidr = var.on_prem_subnet_cidr + transit_vpc_cidr = var.transit_vpc_cidr, + data_vpc_public_subnet = var.data_vpc_public_subnet_cidr, + vyos_02_public_ip = aws_eip.vyos_02_eip.public_ip, + vyos_02_pub_subnet = var.transit_vpc_public_subnet_02_cidr, + vyos_02_priv_subnet = var.transit_vpc_private_subnet_02_cidr, + vyos_02_pub_nic_ip = aws_network_interface.vyos_02_public_nic.private_ip, + vyos_02_priv_nic_ip = aws_network_interface.vyos_02_private_nic.private_ip, + vyos_01_pub_nic_ip = aws_network_interface.vyos_01_public_nic.private_ip, + vyos_bgp_as_number = var.vyos_bgp_as_number, + dns = var.dns, + on_prem_public_ip = var.on_prem_public_ip_address, + on_prem_bgp_as_number = var.on_prem_bgp_as_number, + on_prem_subnet_cidr = var.on_prem_subnet_cidr, + route_server_endpoint_02_ip = aws_vpc_route_server_endpoint.vyos_02_endpoint.eni_address, + route_server_endpoint_bgp_as_number = aws_vpc_route_server.vyos_route_server.amazon_side_asn })) depends_on = [ 
@@ -144,6 +157,10 @@ resource "aws_instance" "data_vpc_instance" { device_index = 0 } + depends_on = [ + aws_network_interface.data_vpc_instance_nic + ] + tags = { Name = "${var.prefix}-data-vpc-instance" } diff --git a/Terraform/AWS/ha-instances-with-configs/output.tf b/Terraform/AWS/ha-instances-with-configs/output.tf index 301a3d0..ffe4b41 100644 --- a/Terraform/AWS/ha-instances-with-configs/output.tf +++ b/Terraform/AWS/ha-instances-with-configs/output.tf @@ -11,10 +11,6 @@ output "data_vpc_instance_public_ip" { value = aws_instance.data_vpc_instance.public_ip } -output "data_vpc_instance_nic_ip" { - value = aws_network_interface.data_vpc_instance_nic.private_ip -} - output "ssh_command_for_vyos_01" { value = "ssh -i keys/vyos_lab_private_key.pem vyos@${aws_instance.vyos_01.public_ip}" } diff --git a/Terraform/AWS/ha-instances-with-configs/readme.md b/Terraform/AWS/ha-instances-with-configs/readme.md index ad1c5bd..0dc53d5 100644 --- a/Terraform/AWS/ha-instances-with-configs/readme.md +++ b/Terraform/AWS/ha-instances-with-configs/readme.md 
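Review bot: The added `depends_on = [aws_network_interface.data_vpc_instance_nic]` in `aws_instance.data_vpc_instance` is presumably redundant: the `network_interface` block directly above it (its `network_interface_id` line is outside the hunk) would already reference the NIC, and Terraform derives the ordering from that reference. If the explicit dependency is needed for a reason the reference does not capture, a one-line comment above it saying so would stop the next reader from removing it.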
@@ -148,94 +148,7 @@ To manage the VyOS instance, use the `vyos_public_ip` from `terraform output`: ```sh ssh vyos@ -i keys/vyos_lab_private_key.pem ``` -The on-premises VyOS configuration can be found in `files/on-prem-vyos-config.txt`. - -## Post-Deployment Operations - -**VPC Route Server** is not managed by Terraform and must be deployed manually. - -### References - -- [How it Works](https://docs.aws.amazon.com/vpc/latest/userguide/route-server-how-it-works.html) -- [Dynamic Routing Guide](https://docs.aws.amazon.com/vpc/latest/userguide/dynamic-routing-route-server.html) -- [Tutorial](https://docs.aws.amazon.com/vpc/latest/userguide/route-server-tutorial.html) - -## Manual Steps - -### Step 1: Required IAM Permissions - -```json -{ - "Version": "2012-10-17", - "Statement": [ - {"Sid": "CreateRouteServer","Effect": "Allow","Action": ["sns:CreateTopic"],"Resource": "*"}, - {"Sid": "DeleteRouteServer","Effect": "Allow","Action": ["sns:DeleteTopic"],"Resource": "*"}, - {"Sid": "CreateRouteServerEndpoint","Effect": "Allow","Action": [ - "ec2:CreateNetworkInterface","ec2:CreateNetworkInterfacePermission","ec2:CreateSecurityGroup", - "ec2:DescribeSecurityGroups","ec2:AuthorizeSecurityGroupIngress","ec2:CreateTags","ec2:DeleteTags" - ],"Resource": "*"}, - {"Sid": "DeleteRouteServerEndpoint","Effect": "Allow","Action": [ - "ec2:DeleteNetworkInterface","ec2:DeleteSecurityGroup","ec2:RevokeSecurityGroupIngress", - "ec2:CreateTags","ec2:DeleteTags" - ],"Resource": "*"}, - {"Sid": "CreateRouteServerPeer","Effect": "Allow","Action": ["ec2:AuthorizeSecurityGroupIngress"],"Resource": "*"}, - {"Sid": "DeleteRouteServerPeer","Effect": "Allow","Action": ["ec2:RevokeSecurityGroupIngress"],"Resource": "*"} - ] -} -``` - -### Step 2–7: Route Server Setup (Summarized) - -#### Step 2: Create Route Server -- Go to AWS Console > VPC > Route Servers > Create -- Set name, ASN (e.g., `65011`), no persist routes - -#### Step 3: Associate with VPC - -#### Step 4: Create Route Server 
Endpoints -- Create 2 endpoints (1 per VyOS) - -#### Step 5: Enable Route Propagation -- From the Route Server UI → Propagations → Enable - -#### Step 6: Create Route Server Peers -- Create peer for each VyOS using endpoint IP, ASN (65001), BFD - -### Step 7: Configure VyOS BGP Sessions - -#### VyOS-01 - -```vyos -delete protocols bfd peer 172.16.11.115 -set protocols bfd peer interval multiplier '3' -set protocols bfd peer interval receive '300' -set protocols bfd peer interval transmit '300' - -delete protocols bgp neighbor 172.16.11.115 -set protocols bgp neighbor address-family ipv4-unicast route-map export 'AS65011-OUT' -set protocols bgp neighbor address-family ipv4-unicast soft-reconfiguration inbound -set protocols bgp neighbor bfd -set protocols bgp neighbor disable-connected-check -set protocols bgp neighbor remote-as '65011' -set protocols bgp neighbor timers holdtime '30' -``` - -#### VyOS-02 - -```vyos -delete protocols bfd peer 172.16.21.177 -set protocols bfd peer interval multiplier '3' -set protocols bfd peer interval receive '300' -set protocols bfd peer interval transmit '300' - -delete protocols bgp neighbor 172.16.21.177 -set protocols bgp neighbor address-family ipv4-unicast route-map export 'AS65011-OUT' -set protocols bgp neighbor address-family ipv4-unicast soft-reconfiguration inbound -set protocols bgp neighbor bfd -set protocols bgp neighbor disable-connected-check -set protocols bgp neighbor remote-as '65011' -set protocols bgp neighbor timers holdtime '30' -``` +The on-premises VyOS configuration can be found in `files/on-prem-vyos-config.txt` ## Destroying Resources diff --git a/Terraform/AWS/ha-instances-with-configs/transit_gateway.tf b/Terraform/AWS/ha-instances-with-configs/transit_gateway.tf index afe6b2d..e7b4509 100644 --- a/Terraform/AWS/ha-instances-with-configs/transit_gateway.tf +++ b/Terraform/AWS/ha-instances-with-configs/transit_gateway.tf 
@@ -59,7 +59,7 @@ resource "aws_ec2_transit_gateway_route" "azure" { transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.transit_vpc_attachment.id } -# TRANSIT GATEWAY ASSOCIATION and PROPAGATION +# TRANSIT GATEWAY ASSOSIATION and PROPAGATION resource "aws_ec2_transit_gateway_route_table_association" "transit_vpc_rt_assoc" { transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.transit_vpc_attachment.id diff --git a/Terraform/AWS/ha-instances-with-configs/variables.tf b/Terraform/AWS/ha-instances-with-configs/variables.tf index 3d299ac..58009aa 100644 --- a/Terraform/AWS/ha-instances-with-configs/variables.tf +++ b/Terraform/AWS/ha-instances-with-configs/variables.tf @@ -142,7 +142,7 @@ variable "data_vpc_public_subnet_name" { } variable "data_vpc_private_subnet_name" { - description = "The name of the private subnet" + description = "The name of the private subnet 01" type = string default = "priv-subnet" } diff --git a/Terraform/AWS/ha-instances-with-configs/vpc_route_server.tf b/Terraform/AWS/ha-instances-with-configs/vpc_route_server.tf new file mode 100644 index 0000000..8bc565e --- /dev/null +++ b/Terraform/AWS/ha-instances-with-configs/vpc_route_server.tf 
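Review bot: The comment change in transit_gateway.tf replaces the correctly spelled `# TRANSIT GATEWAY ASSOCIATION and PROPAGATION` with `ASSOSIATION`; the old line should be kept. It is the only change to that file in this commit, so dropping the hunk affects nothing else.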
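Review bot: The new description `"The name of the private subnet 01"` for `data_vpc_private_subnet_name` implies a numbered pair, but the data VPC appears to have a single private subnet (`aws_subnet.data_vpc_private_subnet` in transit_gateway.tf), so the numbering looks copied from the transit VPC variables. If there is only one, `description = "The name of the data VPC private subnet"` is the clearer wording.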
@@ -0,0 +1,98 @@
+# VPC ROUTE SERVER
+resource "aws_vpc_route_server" "vyos_route_server" {
+ amazon_side_asn = 65011
+ tags = {
+ Name = join("-", [var.prefix, "vyos-route-server"])
+ }
+}
+
+# VPC ROUTE SERVER ASSOCIATION
+resource "aws_vpc_route_server_vpc_association" "vyos_association" {
+ route_server_id = aws_vpc_route_server.vyos_route_server.route_server_id
+ vpc_id = aws_vpc.transit_vpc.id
+}
+
+# VPC ROUTE SERVER ENDPOINTS
+resource "aws_vpc_route_server_endpoint" "vyos_01_endpoint" {
+ route_server_id = aws_vpc_route_server.vyos_route_server.route_server_id
+ subnet_id = aws_subnet.transit_vpc_private_subnet_01.id
+
+ tags = {
+ Name = join("-", [var.prefix, "vyos-route-server", "vyos-01"])
+ }
+
+ depends_on = [
+ aws_vpc_route_server_vpc_association.vyos_association
+ ]
+}
+
+resource "aws_vpc_route_server_endpoint" "vyos_02_endpoint" {
+ route_server_id = aws_vpc_route_server.vyos_route_server.route_server_id
+ subnet_id = aws_subnet.transit_vpc_private_subnet_02.id
+
+ tags = {
+ Name = join("-", [var.prefix, "vyos-route-server", "vyos-02"])
+ }
+
+ depends_on = [
+ aws_vpc_route_server_vpc_association.vyos_association
+ ]
+
+}
+
+# VPC ROUTE SERVER PEERS
+resource "aws_vpc_route_server_peer" "vyos_01_peer" {
+ route_server_endpoint_id = aws_vpc_route_server_endpoint.vyos_01_endpoint.route_server_endpoint_id
+ peer_address = aws_network_interface.vyos_01_private_nic.private_ip
+ bgp_options {
+ peer_asn = var.vyos_bgp_as_number
+ peer_liveness_detection = "bfd"
+ }
+
+ tags = {
+ Name = "vyos-01-peer"
+ }
+
+ depends_on = [
+ aws_vpc_route_server_endpoint.vyos_01_endpoint
+ ]
+}
+
+
+resource "aws_vpc_route_server_peer" "vyos_02_peer" {
+ route_server_endpoint_id = aws_vpc_route_server_endpoint.vyos_02_endpoint.route_server_endpoint_id
+ peer_address = aws_network_interface.vyos_02_private_nic.private_ip
+ bgp_options {
+ peer_asn = var.vyos_bgp_as_number
+ peer_liveness_detection = "bfd"
+ }
+
+ tags = {
+ Name = "vyos-02-peer"
+ }
+
+ depends_on = [
+ aws_vpc_route_server_endpoint.vyos_02_endpoint
+ ]
+}
+
+# VPC ROUTE SERVER PROPOGATIONS
+resource "aws_vpc_route_server_propagation" "vyos_01_propagation" {
+ route_server_id = aws_vpc_route_server.vyos_route_server.route_server_id
+ route_table_id = aws_route_table.transit_vpc_private_rtb_01.id
+
+ depends_on = [
+ aws_vpc_route_server_peer.vyos_01_peer,
+ aws_route_table.transit_vpc_private_rtb_01
+ ]
+}
+
+resource "aws_vpc_route_server_propagation" "vyos_02_propagation" {
+ route_server_id = aws_vpc_route_server.vyos_route_server.route_server_id
+ route_table_id = aws_route_table.transit_vpc_private_rtb_02.id
+
+ depends_on = [
+ aws_vpc_route_server_peer.vyos_02_peer,
+ aws_route_table.transit_vpc_private_rtb_02
+ ]
+}
\ No newline at end of file
-- 
cgit v1.2.3
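Review bot: The two `aws_vpc_route_server_peer` resources tag themselves `Name = "vyos-01-peer"` and `"vyos-02-peer"` without `var.prefix`, unlike every other resource in the file, so two deployments in one account produce identically named peers; `Name = join("-", [var.prefix, "vyos-01-peer"])` (and `vyos-02-peer`) matches the endpoint tags. The header comment `# VPC ROUTE SERVER PROPOGATIONS` should read `PROPAGATIONS`. The `depends_on` entries that name a resource already referenced by an argument in the same block (`aws_vpc_route_server_endpoint.vyos_01_endpoint`/`_02_endpoint` in the peers, `aws_route_table.transit_vpc_private_rtb_01`/`_02` in the propagations) are redundant; the endpoints' `depends_on` on `aws_vpc_route_server_vpc_association.vyos_association` is the one that is actually needed, and a comment there saying why would help. The file also lacks a trailing newline.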