aws Transit VPC and Pool members in different VPC

Question

Hello,&nbsp;
I have an AWS and VPC specific question. I'm trying to deploy multi-VPC environment with a version of a transit VPC (https://aws.amazon.com/answers/networking/transit-vpc/). The basic idea is to have environment per VPC - DEV, UAT, PRE-PROD and PROD that connect to the internet using the TRANSIT VPC. &nbsp;
Right now I have a TRANSIT VPC with f5 connected to 3 subnets - external, internal and management. I have another VPC (UAT) with a web server that I want to present to the internet using the f5. So basically I have a node in a different VPC. I have peer connections between both VPCs and Routing table set up to, in theory, allow f5 to communicate with the node... however, when I add the node to f5 and create a new pool with ICMP it's failing health checks... 
I double checked all aws routeing tables and security groups and all rules are set up correctly... &nbsp;
Any ideas? what should I double check, or what am I missing? Is there any additional f5 setup required for this to work?&nbsp;
Thanks
Lukasz&nbsp;

jeremy_harris_2 · Answer

without knowing the full config of your setup other things to look at are&nbsp;
(a) routing table for each subnet in each VPC, does it know have a route to the IP address of the node in the other VPC
(b) routing table on the F5, add a route for the subnet on the other VPC using either the external or internal interface.  for the subnet this interface is in check the AWS routing table has a route to the node in the other VPC as per item (a) above.&nbsp;
it makes no difference if the node you are trying to run the ICMP health check on is not in the internal or external interface on the F5. this is probably a routing or network access issue.&nbsp;

buzzy101_12743 · Answer

I managed to get this configuration to work, however I needed to route the traffic that was destined for the peer VPC via the .1 address of the entire VPC.  If it was routed to the first IP of the individual subnet the traffic would not traverse the peering connection.  It was a pain as it just so happened that my first subnet was being used for the management interface so the F5 wouldn't route the traffic over that address and complained if I added a route as it wasn't directly connected.  Once I changed the management network to another subnet so I could route the peer VPC range to the VPC .1 address it all worked.  
&nbsp;
I was able to health check nodes in the peered VPC and route traffic to them via a VIP.&nbsp;
I've logged an AWS support ticket for clarification, hope that helps.&nbsp;

buzzy101_12743 · Answer

Just to be clear if your VPC is 10.0.0.0/24 you would need to route the traffic to the peer via 10.0.0.1 by adding this static route to the F5&nbsp;

Forum Discussion

aws Transit VPC and Pool members in different VPC

3 Replies

Recent Discussions

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Enabling AVR and creating Profiles

Get associated pool name from VIP IP using F5-LTM

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

Related Content

Centralizing Cloud Security with F5 and AWS Transit Gateway

Copper SFP Differences

DevCentral's Featured Member for March - Thomas Dahlmann

DevCentral's Featured Member for April - Mihai Cziraki

DevCentral's Featured Member for December - Mohamed Kansoh