TGW, TGW attachment & Routing extensibility for secure mode #139

Open
ntwkninja opened this issue Apr 5, 2023 · 4 comments
Comments

@ntwkninja (Member) commented Apr 5, 2023

As a platform engineer / user of secure mode, I would like the ability to place my k8s workloads behind a separate boundary / account.

I would like the following in the VPC module or example.

  • add VPC private subnet CIDRs to existing TGW peering attachments route table to enable ingress routing
  • create a TGW attachment & TGW Route Table to attach VPC to existing TGW
  • add a 0.0.0.0/0 route to a private_subnet that maps to the attached TGW to enable egress routing
  • add allowed egress routes to VPC TGW Route Table (i.e. 0.0.0.0/0 to remote/peering TGW) to enable egress routing

This feature is needed to place the private EKS load balancer behind a boundary in a different VPC connected via TGW.

ntwkninja changed the title from "TGW, TGW attachment, Routing & Security Group extensibility for secure mode" to "TGW, TGW attachment & Routing extensibility for secure mode" on Apr 11, 2023
ntwkninja added the labels "v0.1" (Resolution needed for v0.1 release) and "Pri:2" on Apr 21, 2023
@ntwkninja (Member, Author) commented May 1, 2023

VPC-A, subnet-A and EC2-A are provisioned
VPC-B, subnet-B and EC2-B are provisioned
TGW-A & TGW-B are provisioned and attached on both sides

I can add a 0.0.0.0/0 route (or a more specific route) to Subnet A or B that maps to a destination of TGW-A / TGW-B
I can add a 0.0.0.0/0 route (or a more specific route) to the TGW-A / TGW-B route table that points to the remote TGW

Definition of Done
There is an example in this repo that allows EC2-A to talk to EC2-B via a TGW.

done edit:
We essentially just want to add logic to our VPC module where we optionally create a TGW and attach another VPC

Question: Can I add routes for subnets with our current VPC module?
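The attachment and routing pieces asked for in the first post and sketched in the VPC-A/VPC-B scenario above, as an added Terraform example that is not code from this repo or from the linked modules. It assumes an existing TGW that already has a peering attachment to the remote boundary, and every ID and CIDR below is a placeholder (constructed) value to be replaced with outputs from the VPC module:

```hcl
# Placeholder inputs (constructed values); wire these to real VPC module outputs.
variable "vpc_id"                  { default = "vpc-PLACEHOLDER" }
variable "vpc_cidr"                { default = "10.10.0.0/16" }
variable "private_subnet_ids"      { default = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"] }
variable "private_route_table_ids" { default = ["rtb-PLACEHOLDER-a", "rtb-PLACEHOLDER-b"] }
variable "existing_tgw_id"         { default = "tgw-PLACEHOLDER" }
variable "peering_attachment_id"   { default = "tgw-attach-PLACEHOLDER" }  # existing TGW peering
variable "peering_tgw_rtb_id"      { default = "tgw-rtb-PLACEHOLDER" }     # TGW RT associated with it
# 1. Attach the VPC to the existing TGW. Default route-table association and
#    propagation are disabled so the attachment can reach only what is routed below.
resource "aws_ec2_transit_gateway_vpc_attachment" "vpc" {
  transit_gateway_id = var.existing_tgw_id
  vpc_id             = var.vpc_id
  subnet_ids         = var.private_subnet_ids
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}
# 2. Dedicated TGW route table for this VPC, associated with its attachment.
resource "aws_ec2_transit_gateway_route_table" "vpc" {
  transit_gateway_id = var.existing_tgw_id
}
resource "aws_ec2_transit_gateway_route_table_association" "vpc" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.vpc.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.vpc.id
}
# 3. Egress, VPC side: 0.0.0.0/0 in each private subnet route table -> TGW.
#    The attachment must exist before a route can point at the TGW.
resource "aws_route" "private_default_to_tgw" {
  for_each               = toset(var.private_route_table_ids)
  route_table_id         = each.value
  destination_cidr_block = "0.0.0.0/0"
  transit_gateway_id     = var.existing_tgw_id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.vpc]
}
# 4. Egress, TGW side: the allowed route from this VPC's TGW route table to the
#    remote/peering TGW. Prefer specific remote CIDRs over 0.0.0.0/0 where known.
resource "aws_ec2_transit_gateway_route" "egress_to_peer" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = var.peering_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.vpc.id
}
# 5. Ingress: add the VPC CIDR to the route table associated with the peering
#    attachment so traffic arriving from the remote boundary is routed to this VPC.
resource "aws_ec2_transit_gateway_route" "ingress_from_peer" {
  destination_cidr_block         = var.vpc_cidr
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.vpc.id
  transit_gateway_route_table_id = var.peering_tgw_rtb_id
}
```

Because association and propagation to the TGW default route table are disabled, the VPC is reachable only through the routes written explicitly in steps 4 and 5, which keeps the cross-boundary path reviewable in the plan.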

@RothAndrew (Member) commented:

I think we should decide which direction we want to go here before starting to execute on it. 3 options were discussed:

Do we want to vote on it or something? Or just have @ntwkninja make the call?

@zack-is-cool (Member) commented:

^
I vote https://github.com/terraform-aws-modules/terraform-aws-transit-gateway as it looks like the vpc module that we are already using integrates with it nicely.

@ntwkninja (Member, Author) commented:

^ I vote https://github.com/terraform-aws-modules/terraform-aws-transit-gateway as it looks like the vpc module that we are already using integrates with it nicely.

My vote would be to use this, as it feels weird to use some Cloud Posse IaC modules and not others; however, I'm not opposed to evaluating previous decisions on this and shaking up a lot of the IaC things.
