
I've set up IPsec tunnels between 3 management VPCs in 3 distinct AWS regions. Each of those regions has additional VPCs (dev/prod) that are peered to the management VPCs. It's set up in a hub/spoke like this:

DEV                    DEV
 ^                      ^
 |                      |
MGMT2<----->MGMT1<---->MGMT3

MGMT1 is the main VPC. We're able to ping other MGMT VPCs. However, the route from MGMT1 -> MGMT3 -> DEV doesn't seem to be available. I can't ping. I can ping from MGMT3 -> DEV however. That fact leads me to believe all the routes are correct. However, MGMT1 isn't aware of DEV despite being connected to MGMT3 and it knowing about DEV through the peering route table. Am I missing something?

Thanks!

EDIT: All security groups are very permissive as indicated by the ability to ping across the MGMT layer and from MGMT to DEV within the same region.

Publiccert
  • Possibly a trick question: How, in the routing tables of the DEV3 VPC, is the route back to the IP space in MGMT1 VPC configured, and what is the target of that route table entry? (I say *"possibly"* a trick question because I can envision no valid way to configure this, but I would like to be proven incorrect). – Michael - sqlbot Dec 15 '16 at 04:05
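The comment above asks what target DEV3's return route to MGMT1's address space could possibly have. As an added example (not code from the question or from the commenter), here is a small Python model of the topology with constructed CIDRs and route tables. It applies the AWS rule that a VPC peering connection only delivers packets whose destination lies inside the peer VPC's own CIDR (peering is not transitive), and it assumes the IPsec tunnels terminate on EC2 instances inside the MGMT VPCs, so a decapsulated packet follows the MGMT VPC's route table. It traces both directions of a ping, because the reply path is the one the comment questions.

```python
import ipaddress

# Constructed CIDRs for the example; the real values are not on the page.
VPC_CIDR = {
    "MGMT1": ipaddress.ip_network("10.1.0.0/16"),
    "MGMT2": ipaddress.ip_network("10.2.0.0/16"),
    "MGMT3": ipaddress.ip_network("10.3.0.0/16"),
    "DEV3":  ipaddress.ip_network("10.13.0.0/16"),
}

# Assumed route tables. Targets are "local", ("pcx", peer_vpc) for a peering
# connection, or ("ipsec", remote_mgmt_vpc) for the tunnel instance.
ROUTES = {
    "MGMT1": {
        "10.1.0.0/16":  "local",
        "10.2.0.0/16":  ("ipsec", "MGMT2"),
        "10.3.0.0/16":  ("ipsec", "MGMT3"),
        "10.13.0.0/16": ("ipsec", "MGMT3"),   # MGMT1 -> DEV3 via the MGMT3 tunnel
    },
    "MGMT3": {
        "10.3.0.0/16":  "local",
        "10.1.0.0/16":  ("ipsec", "MGMT1"),
        "10.13.0.0/16": ("pcx", "DEV3"),
    },
    "DEV3": {
        "10.13.0.0/16": "local",
        "10.3.0.0/16":  ("pcx", "MGMT3"),
        "10.1.0.0/16":  ("pcx", "MGMT3"),     # the only target DEV3 can point at
    },
}


def lookup(vpc, dst):
    """Longest-prefix match in a VPC route table; None if nothing matches."""
    best = None
    for cidr, target in ROUTES[vpc].items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else best[1]


def trace(src_vpc, dst_ip, max_hops=8):
    """Follow a packet from src_vpc toward dst_ip. Returns (delivered, path)."""
    dst = ipaddress.ip_address(dst_ip)
    vpc, path = src_vpc, [src_vpc]
    for _ in range(max_hops):
        target = lookup(vpc, dst)
        if target is None:
            path.append("no route")
            return False, path
        if target == "local":
            return dst in VPC_CIDR[vpc], path
        kind, nxt = target
        if kind == "pcx":
            # Assumed AWS behaviour: a peering connection delivers only traffic
            # destined for the peer VPC's own CIDR; anything else is dropped.
            if dst not in VPC_CIDR[nxt]:
                path.append(f"pcx->{nxt} dropped (dst not in peer CIDR)")
                return False, path
            path.append(nxt)
            return True, path
        # ipsec: the tunnel carries the packet into the remote MGMT VPC, where
        # that VPC's route table takes over (instance-based tunnel assumed).
        path.append(nxt)
        vpc = nxt
    path.append("hop limit")
    return False, path


def ping_works(vpc_a, ip_a, vpc_b, ip_b):
    """ICMP echo needs both directions: request a->b and reply b->a."""
    fwd, fpath = trace(vpc_a, ip_b)
    rev, rpath = trace(vpc_b, ip_a)
    return fwd and rev, fpath, rpath


if __name__ == "__main__":
    for a, ia, b, ib in [("MGMT3", "10.3.0.10", "DEV3", "10.13.0.10"),
                         ("MGMT1", "10.1.0.10", "MGMT3", "10.3.0.10"),
                         ("MGMT1", "10.1.0.10", "DEV3", "10.13.0.10")]:
        ok, f, r = ping_works(a, ia, b, ib)
        print(f"{a} <-> {b}: {'ok' if ok else 'FAILS'}  fwd={f}  rev={r}")
```

Under these assumptions the request from MGMT1 does reach DEV3 through the tunnel and the MGMT3 peering, which matches the forward hops the question reports as working, but the reply fails in DEV3: its only candidate route for MGMT1's CIDR points at the MGMT3 peering connection, and the peering drops anything not addressed to MGMT3 itself. The model only enforces that destination rule; it does not cover source/destination checks on the tunnel instances, NACLs, or security groups, so those still need to be verified separately in a real account.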
