Thursday, December 2, 2021

AWS inter-VPC routing quirks over peering connection and possible ways to bypass it

Hey all!

So I'm aware of the limitation in routing between two peered VPCs, where basically only one hop is allowed (AWS will not reference a route table in a destination VPC once the packet has traversed a peering link).

I'm attempting to build a Palo Alto VM in an AWS account that is peered with about 20 other accounts, each with a single VPC. This Palo will be used basically as a remote access VPN server. Due to the peering routing limitations, remote access VPN users are unable to reach resources in accounts outside of the account where the Palo resides. The traffic from VPN users reaches the remote resource, but return traffic is unsuccessful due to the route limitation.

I believe the typical solution to this is to switch from peering to transit gateway, but I was curious if there was a way to get around this using NAT on the Palo (or some other way). We plan to switch over to transit gateways for inter-VPC traffic in 2022 or 2023, but I was hoping I could design a stopgap solution that would allow VPN users to reach resources in other VPCs until that time.

Any information or suggestions greatly appreciated!
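The failure described in the post comes down to one rule of VPC peering: a packet may cross a peering connection only if its destination falls inside the peer VPC's own CIDR, and the peer's route table is not consulted again afterwards. The following Python model is an added example, not code from the post or from AWS or Palo Alto; the addresses, VPC names and the Palo ENI address are constructed for illustration. It shows why the spoke VPC's reply to a VPN client address is dropped at the peering link even when a route for the VPN pool exists, and why source NAT on the Palo (rewriting the client source to the Palo's VPC-A address) makes the reply routable.

```python
"""Model of the non-transitive routing rule on AWS VPC peering and the
source-NAT workaround for a VPN appliance. Added example; topology constructed."""
import ipaddress

# Constructed addressing (assumption, not taken from the post):
VPC_A = ipaddress.ip_network("10.10.0.0/16")          # VPC hosting the Palo Alto VM
VPC_B = ipaddress.ip_network("10.20.0.0/16")          # one of the peered spoke VPCs
VPN_POOL = ipaddress.ip_network("192.168.100.0/24")   # addresses handed to VPN clients
PALO_ENI = ipaddress.ip_address("10.10.1.10")         # Palo's private address in VPC A

# Route tables: destination prefix -> target. A target is "local" or
# ("pcx", peer_vpc_name) for a peering connection.
VPCS = {
    "A": {"cidr": VPC_A, "routes": {VPC_A: "local", VPC_B: ("pcx", "B")}},
    # The spoke carries a route for the VPN pool towards the peering link; this is
    # the configuration that looks right on paper but does not work.
    "B": {"cidr": VPC_B, "routes": {VPC_B: "local", VPC_A: ("pcx", "A"),
                                    VPN_POOL: ("pcx", "A")}},
}


def lookup(vpc_name, dst):
    """Longest-prefix match in one VPC's route table; None when nothing matches."""
    routes = VPCS[vpc_name]["routes"]
    matches = [p for p in routes if dst in p]
    if not matches:
        return None
    return routes[max(matches, key=lambda p: p.prefixlen)]


def deliver(src_vpc, dst):
    """Return (delivered, reason) for a packet to dst injected into src_vpc.

    Peering rule modelled: the packet crosses a peering connection only when dst
    lies inside the peer VPC's own CIDR; the peer's route table is never consulted
    after the crossing, so there is no second hop beyond the peer."""
    dst = ipaddress.ip_address(dst)
    target = lookup(src_vpc, dst)
    if target is None:
        return False, f"{src_vpc}: no route to {dst}"
    if target == "local":
        return True, f"{src_vpc}: local delivery to {dst}"
    _, peer = target
    peer_cidr = VPCS[peer]["cidr"]
    if dst not in peer_cidr:
        return False, f"{src_vpc}: {dst} dropped at peering link, outside {peer_cidr}"
    return True, f"{src_vpc} -> {peer}: delivered to {dst}"


def vpn_session(client_ip="192.168.100.5", server_ip="10.20.5.5", source_nat=False):
    """Simulate one VPN client's request and the server's reply via the Palo in VPC A.
    Returns (forward_ok, return_ok, trace)."""
    # Forward: the Palo decrypts the client's packet and injects it into VPC A.
    # With source NAT the Palo rewrites the source to its own ENI address first.
    src_seen_by_server = str(PALO_ENI) if source_nat else client_ip
    fwd_ok, fwd_msg = deliver("A", server_ip)
    # Return: the server in VPC B replies to whatever source address it saw.
    ret_ok, ret_msg = deliver("B", src_seen_by_server)
    return fwd_ok, ret_ok, [fwd_msg, ret_msg]


if __name__ == "__main__":
    for nat in (False, True):
        fwd, ret, trace = vpn_session(source_nat=nat)
        print(f"source_nat={nat}: forward={fwd} return={ret}")
        for line in trace:
            print("   ", line)
```

Running the script shows the forward path succeeding in both cases, the reply being dropped at the peering link without NAT (192.168.100.5 is outside 10.10.0.0/16), and the reply reaching VPC A once the Palo has source-NATed the client to 10.10.1.10. Two consequences worth noting for anyone adopting the stopgap: the VPN-pool route in the spoke VPCs becomes unnecessary and can be removed, and the spoke VPCs' security groups and flow logs will see only the Palo's address, so attribution of a connection to a specific VPN user depends on correlating with the Palo's own session and NAT logs.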
