Over the past two weeks, I’ve been working on setting up a virtual router on the cloud with the goal of building redundancy, and achieving high availability. After working on different platforms, I’ve come to the conclusion that Vyatta is the best way to go, whether on the cloud or not.
The router is being used for site-to-site VPN communication between a central and a remote location. There will also be an application server at either end. Your typical network setup would look somewhat like the picture below.
Since moving our router over to Amazon, our setup changes slightly. Your new network setup would now look like the picture below.
With Amazon, when you create an instance of a server (in our case, a Vyatta router), you are given a private IP address and a public DNS name. You are able to order an elastic (static public) IP address, and you’re off to the races. However, chances are that your application server and router will have private IP addresses on different subnets (as in our case). But you are still able to communicate between the two, irrespective of the subnet.
The Vyatta router in the first diagram has two Ethernet interfaces, one for inside and the other for outside. The Vyatta router in the second diagram is given only one Ethernet interface. Here is where the challenge comes in. In my current configuration, I am able to set up NAT translation for the destination (DNAT). As soon as I try to set up a NAT translation for the source (SNAT) on the application server, which happens to be on a separate subnet, I am faced with an “iptables error: Index too big”.
As of this moment, I’m not sure if this is a bug or possibly an issue with the build of the Vyatta image on Amazon.
Nonetheless, there is an alternate solution I came across, used by Cohesive Flexible Technologies. Basically, their solution (not cheap) is to have a site-to-site VPN between the Main and Remote locations, and a remote-access VPN from the Application server to the Main location.
I guess the next step is to take that approach and implement it in my design.
This approach will allow us to have secure communications between the Application Server and the Vyatta router, and between the Vyatta router and the Remote router. I’ll keep you posted on this development.