Non Routable Secondary CIDR Patterns

This repo contains sample files that demonstrate how a secondary non-routable CIDR can be used on a VPC for non-workload subnets, including TGW attachment subnets and GWLB endpoint subnets. This is a sample implementation from AWS Prescriptive Guidance.

Lab setup

Use the following steps to set up a pair of VPCs that leverage a TGW.

  1. Run the tgw.yaml to create the TGW and TGW route tables. (Default parameters are ok)
  2. Run the public-vpc.yaml to create a VPC that will attach to the TGW.
    • Leave the other parameters at their defaults.
    • Set the TransitGatewayId parameter. The tgw.yaml output has the TransitGatewayId needed.
  3. Associate and propagate the TGW attachment to the sandbox-route-domain TGW routing table.
  4. (Optional) Run the public-vpc.yaml again to create an additional VPC. Again, associate and propagate the routes.

Lab setup options

Option 1 - TGW subnets (default)

The Lab Setup described above will deploy a TGW and a VPC attached to the TGW. It will use the non-routable CIDR for the TGW subnets.

Option 2 - TGW and GWLBe subnets

This option will deploy a TGW and a VPC attached to the TGW. The VPC will also have GWLBe subnets, used for ingress routing from the IGW to an appliance of your choosing. This option does not deploy endpoints within the GWLBe subnets; rather, it demonstrates how the pattern can be applied for your appliances.

Important Note - An existing GWLB endpoint service is required.

Follow the deployment steps from Option 1. On the public-vpc.yaml template, specify the following parameters:

  • UseIngressRouting - true
  • IngressFirewallGWLBEServiceName - Specify the name of your existing GWLB endpoint service (VPC PrivateLink Service Name).

Afterwards, you can deploy your GWLB VPC endpoints into the GWLBe subnets.

Option 3 - TGW and GWLBe subnets plus non-routable workload subnets

This option builds on Option 2 by deploying an additional set of non-routable workload subnets to the VPC. These can be used, for example, for EKS deployments where the only direct connectivity required is from the routable CIDR range within the VPC.

Follow the deployment steps for Option 2. Specify true for the CreateNonRoutableWorkloadSubnets parameter on the public-vpc.yaml template to deploy these additional non-routable workload subnets.

Option 4 - TGW and non-routable workload subnets

This option builds on Option 1 by deploying an additional set of non-routable workload subnets to the VPC. These can be used, for example, for EKS deployments where the only direct connectivity required is from the routable CIDR range within the VPC.

Follow the deployment steps for Option 1. Specify true for the CreateNonRoutableWorkloadSubnets parameter on the public-vpc.yaml template to deploy these additional non-routable workload subnets.

Reference architecture

There are two reference architectures for this pattern: one with subnets for both TGW attachments and GWLBe, and another with subnets for TGW attachments only.

The following diagram represents a reference architecture for a 2 AZ VPC implementation that uses a non-routable CIDR range for the TGW attachment subnet and the GWLBe subnet. In this example the /23 routable CIDR is divided up and fully allocated to routable subnets.

Pattern 1

The following diagram represents a reference architecture for a 2 AZ VPC implementation that uses a non-routable CIDR range only for the TGW attachments subnet. In this example the /23 routable CIDR is divided up and fully allocated to routable subnets.

Pattern 2

These two patterns can be extended to support additional non-routable workload subnets as demonstrated in Option 3 and Option 4 above.
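A post-deployment check for the patterns and options above, added here as an example (it is not part of the repo's templates): it audits a VPC's subnets, using a constructed sample in the shape of `aws ec2 describe-subnets` output, to confirm that TGW, GWLBe and non-routable workload subnets sit inside the secondary non-routable CIDR, that every other subnet sits inside the routable /23, and that the routable /23 is fully allocated. The CIDR values and the "Role" tag key are assumptions; the README does not name them.

```python
import ipaddress

# Assumed CIDRs (the README does not name them): a /23 routable primary CIDR and a
# secondary non-routable CIDR taken from the shared address space (100.64.0.0/10).
ROUTABLE_CIDR = ipaddress.ip_network("10.0.0.0/23")
NON_ROUTABLE_CIDR = ipaddress.ip_network("100.64.0.0/16")

# Subnet roles that must sit in the non-routable secondary CIDR (Options 1-4); every
# other role is workload-facing and must sit in the routable CIDR.
NON_ROUTABLE_ROLES = {"tgw", "gwlbe", "nonroutable-workload"}

# Constructed sample in the shape of `aws ec2 describe-subnets` output, with a "Role"
# tag (the tag key is an assumption). The last entry is deliberately misplaced.
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0a1", "CidrBlock": "10.0.0.0/25", "Tags": [{"Key": "Role", "Value": "public"}]},
    {"SubnetId": "subnet-0a2", "CidrBlock": "10.0.0.128/25", "Tags": [{"Key": "Role", "Value": "public"}]},
    {"SubnetId": "subnet-0b1", "CidrBlock": "10.0.1.0/25", "Tags": [{"Key": "Role", "Value": "private"}]},
    {"SubnetId": "subnet-0b2", "CidrBlock": "10.0.1.128/25", "Tags": [{"Key": "Role", "Value": "private"}]},
    {"SubnetId": "subnet-0c1", "CidrBlock": "100.64.0.0/28", "Tags": [{"Key": "Role", "Value": "tgw"}]},
    {"SubnetId": "subnet-0c2", "CidrBlock": "100.64.0.16/28", "Tags": [{"Key": "Role", "Value": "tgw"}]},
    {"SubnetId": "subnet-0d1", "CidrBlock": "100.64.1.0/28", "Tags": [{"Key": "Role", "Value": "gwlbe"}]},
    {"SubnetId": "subnet-0d2", "CidrBlock": "100.64.1.16/28", "Tags": [{"Key": "Role", "Value": "gwlbe"}]},
    {"SubnetId": "subnet-bad", "CidrBlock": "100.64.2.0/24", "Tags": [{"Key": "Role", "Value": "private"}]},
]

def subnet_role(subnet):
    """Read the Role tag; an untagged subnet is treated as a workload subnet."""
    return next((t["Value"] for t in subnet.get("Tags", []) if t["Key"] == "Role"), "unknown")

def audit_subnets(subnets, routable=ROUTABLE_CIDR, non_routable=NON_ROUTABLE_CIDR):
    """Return a list of findings; an empty list means the VPC follows the pattern."""
    findings = []
    routable_used = 0
    for s in subnets:
        net = ipaddress.ip_network(s["CidrBlock"])
        role = subnet_role(s)
        if role in NON_ROUTABLE_ROLES:
            if not net.subnet_of(non_routable):
                findings.append(f"{s['SubnetId']} ({role}) {net} is outside non-routable {non_routable}")
        elif not net.subnet_of(routable):
            findings.append(f"{s['SubnetId']} ({role}) {net} is outside routable {routable}")
        else:
            routable_used += net.num_addresses
    # Patterns 1 and 2 divide the routable /23 up and allocate all of it to routable subnets.
    if routable_used != routable.num_addresses:
        findings.append(f"routable {routable} has {routable.num_addresses - routable_used} unallocated addresses")
    return findings
```

Feed `audit_subnets` the `Subnets` list from `aws ec2 describe-subnets --filters Name=vpc-id,Values=<vpc-id>` to run it against a deployed VPC.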

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.