
Preventing spoke to spoke network traffic with routing domains and network definition without Inspection VPC #29

Open
Eagleman7 opened this issue Jul 5, 2024 · 2 comments

Comments

@Eagleman7
Contributor

Hello AWS-IA,

I want to prevent traffic going from 1 spoke VPC to another spoke VPC. For this I am using the following code to add a routing domain for every new VPC attached to the TGW:

...
  network_definition = {
    type  = "PREFIX_LIST"
    value = aws_ec2_managed_prefix_list.network_prefix_list.id
  }

  spoke_vpcs = {
    # one routing domain per spoke, so each spoke gets its own TGW route table
    routing_domains = [
      "spoke-1",
      "spoke-2",
      ...
    ]

    number_vpcs = 9

    vpc_information = {
      spoke-1 = {
        vpc_id                        = "tgw-attach-12345678"
        transit_gateway_attachment_id = "tgw-attach-12345678"
        routing_domain                = "spoke-1"
      }
      spoke-2 = {
        vpc_id                        = "tgw-attach-87654321"
        transit_gateway_attachment_id = "tgw-attach-87654321"
        routing_domain                = "spoke-2"
      }
...
# prefix list holding every spoke CIDR; this is what the egress VPC routes to
resource "aws_ec2_managed_prefix_list" "network_prefix_list" {
  name           = "Network's Prefix List"
  address_family = "IPv4"
  max_entries    = 25

  entry {
    cidr        = "192.168.0.0/24"
    description = "spoke-1"
  }
  entry {
    cidr        = "192.168.1.0/24"
    description = "spoke-2"
  }
}

This creates a separate routing table with only routes to its own spoke VPC and to egress through 0.0.0.0/0. However, the egress VPC has the network_prefix_list attached, which contains the subnets of the spoke VPCs. So by default all spoke VPCs are able to connect to each other anyway, because network_prefix_list contains the routes to all spoke VPCs.

What is the correct way to prevent network traffic going from 1 spoke to another spoke without the network firewall, while still allowing traffic going to the internet?
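The path the issue describes is: spoke-1 sends a packet to 192.168.1.0/24, the spoke-1 TGW route table only matches 0.0.0.0/0, so the packet is forwarded to the egress VPC, and the egress VPC's TGW route table (which carries the prefix list) forwards it on to spoke-2. One way to cut that path without an inspection VPC is to put a more specific blackhole route for every other spoke's CIDR into each spoke's own TGW route table; longest-prefix match then drops spoke-to-spoke traffic at the transit gateway before it ever reaches the egress VPC, while 0.0.0.0/0 still carries internet-bound traffic. The following is an added illustration of that approach, not code from the issue or from the AWS-IA module. It assumes a hypothetical `local.spoke_tgw_route_table_ids` map (routing domain name to the ID of the TGW route table created for that domain; how you obtain those IDs depends on the module's outputs), and the spoke CIDRs are taken from the prefix list entries in the issue.

```hcl
# Added example (not the module's own code).
# Assumed input, not provided by the module here: a map of routing domain
# name -> transit gateway route table ID for that domain (hypothetical).
variable "spoke_tgw_route_table_ids" {
  type = map(string)
  # e.g. { "spoke-1" = "tgw-rtb-...", "spoke-2" = "tgw-rtb-..." }
}

locals {
  # Spoke CIDRs, mirrored from the prefix list entries in the issue.
  spoke_cidrs = {
    "spoke-1" = "192.168.0.0/24"
    "spoke-2" = "192.168.1.0/24"
  }

  # Every ordered (domain, other domain) pair, excluding a domain with itself.
  # Key example: "spoke-1-to-spoke-2".
  blackhole_pairs = {
    for pair in setproduct(keys(local.spoke_cidrs), keys(local.spoke_cidrs)) :
    "${pair[0]}-to-${pair[1]}" => {
      domain = pair[0]
      target = pair[1]
    }
    if pair[0] != pair[1]
  }
}

# In each spoke's TGW route table, drop traffic destined to any other spoke.
# A /24 blackhole is more specific than 0.0.0.0/0, so it wins the lookup;
# internet-bound traffic still follows the default route to the egress VPC.
resource "aws_ec2_transit_gateway_route" "spoke_isolation" {
  for_each = local.blackhole_pairs

  transit_gateway_route_table_id = var.spoke_tgw_route_table_ids[each.value.domain]
  destination_cidr_block         = local.spoke_cidrs[each.value.target]
  blackhole                      = true
}
```

Only the spoke route tables are touched; the egress VPC's route table keeps its prefix-list routes so that return traffic from the internet still reaches each spoke. After applying, the TGW route tables should show one `blackhole` entry per peer spoke alongside the existing propagated route for the spoke's own VPC and the static 0.0.0.0/0 route, and a reachability test between two spoke instances should fail while a test to an internet address still succeeds.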

@Eagleman7
Contributor Author

@pablo19sc are you still with this project :) ?

@pablo19sc
Collaborator

Hello @Eagleman7, sorry for the delay. Yes, still working on it (I had crazy months, but back to these modules). Give me a couple of weeks to clear all the pending items and I'll start working on this.
