We have an AWS presence that is in the thousands of VPCs. We are now in the midst of a huge project to tidy that up and provide a common transit VPC configuration so all the engineering teams (VPCs) can talk to each other. So basically we are going to roll out a hub-and-spoke configuration. We've established a fleet of transit hub firewalls using Palo Alto, and all the VPCs VPN into the transit hub. Each region (more or less) has a PAN, and all the PANs are meshed.
So I'm trying to decide the best way to divide up the ASNs across this. The transit PANs are all 65512, since they are all meshed so they can route traffic between them unobstructed.
I thought about making each region an ASN and then adjusting loop detection a little. However, in the spokes we are using the built-in VGWs in AWS, and it doesn't appear you can do anything like that in AWS. So I guess I am stuck making each VPC its own ASN. I'm not sure at that point if I can think of a different way to do it. I'm not really advertising a lot into the VPC, just a couple of summarized routes. I suppose I could do that in the automation and set static routes. Blech.
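Added example, not code from the original post: a small model of why the spokes can't share an ASN when they reach each other through the transit hub, plus an allocator that hands every VPC a unique private ASN for the automation. The loop check follows RFC 4271 section 9.1.2 (a BGP speaker rejects an UPDATE whose AS_PATH already contains its own ASN), which is the behaviour a VGW applies and which the post notes you can't adjust. The allocator draws from the RFC 6996 private ranges, reserves the hub's 65512, and spills from the 2-byte range (only 1023 values, too few for thousands of VPCs) into the 4-byte range; whether your VGW region and PAN-OS version accept 4-byte ASNs is an assumption to verify before relying on that. The VPC names and prefixes are constructed sample input.

```python
import itertools

HUB_ASN = 65512  # the meshed transit PANs, from the post

# RFC 6996 private ASN ranges: 2-byte 64512..65534, 4-byte 4200000000..4294967294
PRIVATE_2BYTE = range(64512, 65535)
PRIVATE_4BYTE = range(4200000000, 4294967295)


def loop_detected(receiver_asn, as_path):
    """RFC 4271 9.1.2: drop a route whose AS_PATH contains the receiver's own ASN."""
    return receiver_asn in as_path


def spoke_learns_route(spoke_a_asn, spoke_b_asn):
    """Simplified hub-and-spoke propagation (no as-override, no allowas-in):
    spoke A originates a prefix to the hub, the hub prepends 65512 and
    re-advertises it to spoke B. Returns True if B accepts the route."""
    path_at_hub = [spoke_a_asn]
    path_seen_by_b = [HUB_ASN] + path_at_hub
    return not loop_detected(spoke_b_asn, path_seen_by_b)


def allocate_asns(vpc_ids, existing=None, reserved=(HUB_ASN,)):
    """Assign each VPC a unique private ASN, keeping any existing assignments
    stable (persist the returned mapping in your automation state), skipping
    reserved ASNs, and using the 2-byte range before the 4-byte range."""
    assigned = dict(existing or {})
    used = set(assigned.values()) | set(reserved)
    pool = (a for a in itertools.chain(PRIVATE_2BYTE, PRIVATE_4BYTE) if a not in used)
    for vpc in sorted(set(vpc_ids)):
        if vpc not in assigned:
            assigned[vpc] = next(pool)
    return assigned


def vgw_create_commands(assignments):
    """Render the hypothetical automation step: one `aws ec2 create-vpn-gateway`
    per VPC with its Amazon-side ASN (assumed CLI usage, adapt to your tooling)."""
    return [
        f"aws ec2 create-vpn-gateway --type ipsec.1 --amazon-side-asn {asn}  # {vpc}"
        for vpc, asn in sorted(assignments.items())
    ]


if __name__ == "__main__":
    # Constructed sample: two spokes sharing an ASN vs. two with unique ASNs
    print("shared ASN, B learns A's routes:", spoke_learns_route(65001, 65001))   # False
    print("unique ASNs, B learns A's routes:", spoke_learns_route(65001, 65002))  # True

    vpcs = [f"vpc-{i:05d}" for i in range(1100)]  # constructed: more than the 2-byte range holds
    table = allocate_asns(vpcs)
    print("hub ASN reused:", HUB_ASN in table.values())
    print("VPCs in 4-byte range:", sum(a >= 4200000000 for a in table.values()))
    for line in vgw_create_commands(dict(list(table.items())[:2])):
        print(line)
```

Running it shows the route being dropped when both spokes sit in 65001 and accepted once they differ, and that with 1100 VPCs the last 78 land in the 4-byte range because 65512 is held back for the hub.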