
I am having trouble connecting between servers in a multi-region network I’m setting up in AWS, as not all servers are able to be reached from any point in the network.

I’m connecting a VPC (A) in eu-central-1 to another one (B) in eu-southeast-1 via an openvpn tunnel, with the second VPC being connected via ClassicLink to EC2-Classic (EC2) nodes. This connection is made via a couple of peering servers, peering-a in VPC A and peering-b in VPC B. Users connect via openvpn to VPC A via an openvpn server vpnserver-a.

The network diagram is like this:

+---------+   +---------+   +---------+   +----+
|user     |   |VPC A    |   |VPC B    |   |EC2 |
|172.20/16+---+172.29/16+---+172.31/16+---+10/8|
+---------+   +---------+   +---------+   +----+
           VPN           VPN       ClassicLink

The problem is that I’m not able to make any of these connections:

  • user to any node in EC2
  • any node in VPC A to any node in EC2
  • any node in EC2 to any node in VPC A

Connections from user to VPC A & B, and between VPCs A & B are working fine.

I suspect there is a problem in the routing, but I have not been able to solve it.

The routing is set up so:

  • vpnserver-a publishes routes 172.29/16, 172.31/16 and 10/8 to the user (openvpn config file)
  • peering-a publishes routes 172.31/16 and 10/8 to VPC A (openvpn config file)
  • peering-b publishes routes 172.29/16 and 172.20/16 to VPC B (openvpn config file)
  • route table in VPC A routes 172.31/16 and 10/8 to peering-a (AWS VPC subnet routing table)
  • route table in VPC B routes 172.29/16 and 172.20/16 to peering-b (AWS VPC subnet routing table)

Network ACLs are open to all traffic between those subnets. Security groups are also setup to accept connections.

I made some (basic) packet inspection with tcpdump to try to understand if the routes are working, with these results:

  • Attempting to connect from node-a in VPC A to node-ec2 in EC2, I can see packets going through peering-a and peering-b, but not reaching node-ec2
  • Attempting to connect from node-ec2 to node-a, I cannot even see packets reaching peering-b

So I suspect the routing in ClassicLink involves additional configuration I am not aware of.

How can I set up the missing routes? Is this even possible?

Thanks!

RogerFC
  • What VPN are you using between VPC-A and VPC-B? Is that just a vpc peering? – ALex_hha Dec 14 '17 at 12:23
  • An OpenVPN tunnel. I cannot use ‘native’ VPN peering due to it not being transitive and this being a multi-region connection. I have not researched the brand new multi-region peering as it is not supported, at least in Frankfurt. – RogerFC Dec 14 '17 at 17:33

1 Answer

ClassicLink doesn't support access to anything outside the VPC.

You notice there is no route table that applies to traffic from ClassicLink -- the routes from there back to your instances in this VPC are implicit, and thus there is no way to deliver the foreign traffic back to your "peering-b" instance.

Strictly speaking, the following does not specifically say that it won't work, because the VPN connections they refer to are the VPN connections provided by VPC's Hardware VPN service, not connections you engineer with your own instance...

ClassicLink does not support transitive relationships out of the VPC. Your linked EC2-Classic instance will not have access to any VPN connection, VPC endpoint, or Internet gateway associated with the VPC. Similarly, resources on the other side of a VPN connection, or an Internet gateway will not have access to a linked EC2-Classic instance.

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/vpc-classiclink.html#classiclink-limitations

...however, the implications are there, and the fact that the ClassicLink machines don't have a configurable VPC route table that handles their traffic coming towards the VPC means there's not technically even a way to attempt to configure your VPC to work the way this scenario requires.

Michael - sqlbot
  • Strangely, the same document mentions something apparently contradictory: "If you have a VPC peering connection between two VPCs [...] you can extend the VPC peering connection to enable communication between the EC2-Classic instances and the instances in the VPC on the other side of the VPC peering connection". Then in another [document](http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-classiclink.html) it explains how to do it for 'native' VPC peering. – RogerFC Dec 14 '17 at 23:06
  • 1
    I think it would work only with VPC peering and wouldn't work with openvpn. Will try to check in test environment – ALex_hha Dec 14 '17 at 23:55
  • @RogerFC that's a good observation but isn't directly contradictory because while native peering allows ClassicLink instances to see past the peering connection, it doesn't let them transit the peered VPC to the addresses routed to that initial VPN instance, because again there is no route table that the traffic from the ClassicLink instances will follow. Peering is never transitive... even if A peers natively to B and B peers natively to C, A still has no access to C. – Michael - sqlbot Dec 15 '17 at 03:57
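The routing argument in the answer above (forward path exists hop by hop, but the EC2-Classic side has only an implicit, non-configurable route back to VPC B, so the reverse path dies at the first hop) can be checked mechanically. The following is an added example, not code from the question or the answer: a small per-hop route-table model with longest-prefix matching that traces a packet in both directions and reports the hop where a path breaks. Hop names and prefixes are the ones from the question; the route from peering-b to node-ec2 over ClassicLink, and 172.20/16 reachability back through vpnserver-a, are modelling assumptions (the question's tcpdump shows forward packets not reaching node-ec2 either, which this model does not try to explain).

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Hop:
    """One routing hop: directly attached prefixes plus a (prefix, next-hop) table."""
    name: str
    connected: list                              # on-link prefixes: traffic to them is delivered here
    routes: list = field(default_factory=list)   # (cidr, next-hop name); longest prefix wins
    configurable: bool = True                    # False for ClassicLink's implicit routes


def lookup(hop, dst):
    """Longest-prefix match of dst against hop.routes; returns the next-hop name or None."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in hop.routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace(hops, src, dst, max_hops=16):
    """Walk dst from hop src. Returns (path_of_hop_names, status)."""
    dst_ip = ipaddress.ip_address(dst)
    path, cur = [src], src
    for _ in range(max_hops):
        hop = hops[cur]
        if any(dst_ip in ipaddress.ip_network(c) for c in hop.connected):
            return path, "delivered"
        next_hop = lookup(hop, dst)
        if next_hop is None:
            why = "no route" if hop.configurable else "no route (implicit table, cannot be configured)"
            return path, f"{why} at {cur}"
        path.append(next_hop)
        cur = next_hop
    return path, "loop"


def check_symmetry(hops, a, a_ip, b, b_ip):
    """Trace a->b and b->a; a flow only works when both directions are delivered."""
    fwd = trace(hops, a, b_ip)
    rev = trace(hops, b, a_ip)
    return {"forward": fwd, "reverse": rev,
            "symmetric": fwd[1] == "delivered" and rev[1] == "delivered"}


def build_topology():
    """Route tables as described in the question (constructed model, see assumptions above)."""
    hops = [
        Hop("user", ["172.20.0.0/16"],
            [("172.29.0.0/16", "vpnserver-a"), ("172.31.0.0/16", "vpnserver-a"),
             ("10.0.0.0/8", "vpnserver-a")]),                      # routes pushed by vpnserver-a
        Hop("vpnserver-a", ["172.29.0.0/16"],
            [("172.20.0.0/16", "user"), ("172.31.0.0/16", "peering-a"), ("10.0.0.0/8", "peering-a")]),
        Hop("node-a", ["172.29.0.0/16"],
            [("172.31.0.0/16", "peering-a"), ("10.0.0.0/8", "peering-a"),
             ("172.20.0.0/16", "vpnserver-a")]),                   # 172.20/16 via vpnserver-a: assumption
        Hop("peering-a", ["172.29.0.0/16"],
            [("172.31.0.0/16", "peering-b"), ("10.0.0.0/8", "peering-b"),
             ("172.20.0.0/16", "vpnserver-a")]),
        Hop("peering-b", ["172.31.0.0/16"],
            [("172.29.0.0/16", "peering-a"), ("172.20.0.0/16", "peering-a"),
             ("10.0.0.0/8", "node-ec2")]),                         # ClassicLink delivery: assumption
        Hop("node-ec2", ["10.0.0.0/8"],
            [("172.31.0.0/16", "peering-b")], configurable=False), # only the implicit ClassicLink route
    ]
    return {h.name: h for h in hops}


if __name__ == "__main__":
    topo = build_topology()
    for a, a_ip, b, b_ip in [("node-a", "172.29.0.10", "peering-b", "172.31.0.5"),
                             ("node-a", "172.29.0.10", "node-ec2", "10.0.0.10"),
                             ("user", "172.20.0.2", "node-ec2", "10.0.0.10")]:
        r = check_symmetry(topo, a, a_ip, b, b_ip)
        print(f"{a} <-> {b}: symmetric={r['symmetric']}")
        print(f"  forward: {' -> '.join(r['forward'][0])} : {r['forward'][1]}")
        print(f"  reverse: {' -> '.join(r['reverse'][0])} : {r['reverse'][1]}")
```

Running it shows VPC A to VPC B as symmetric, while every flow towards EC2 reaches node-ec2 on the forward trace and then stops at the reverse trace's first hop with "no route (implicit table, cannot be configured) at node-ec2", which is the answer's point: no VPC route table entry can be added to fix a hop whose routing is implicit. The same model can be fed any other set of per-hop tables to find asymmetric routing before opening ACLs or security groups in search of a problem that is not there.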