aws Transit VPC and Pool members in different VPC

Question

Hello,&nbsp;
I have an AWS and VPC specific question. I'm trying to deploy multi-VPC environment with a version of a transit VPC (https://aws.amazon.com/answers/networking/transit-vpc/). The basic idea is to have environment per VPC - DEV, UAT, PRE-PROD and PROD that connect to the internet using the TRANSIT VPC. &nbsp;
Right now I have a TRANSIT VPC with f5 connected to 3 subnets - external, internal and management. I have another VPC (UAT) with a web server that I want to present to the internet using the f5. So basically I have a node in a different VPC. I have peer connections between both VPCs and Routing table set up to, in theory, allow f5 to communicate with the node... however, when I add the node to f5 and create a new pool with ICMP it's failing health checks... 
I double checked all aws routeing tables and security groups and all rules are set up correctly... &nbsp;
Any ideas? what should I double check, or what am I missing? Is there any additional f5 setup required for this to work?&nbsp;
Thanks
Lukasz&nbsp;

jeremy_harris_2 · Answer

without knowing the full config of your setup other things to look at are&nbsp;
(a) routing table for each subnet in each VPC, does it know have a route to the IP address of the node in the other VPC
(b) routing table on the F5, add a route for the subnet on the other VPC using either the external or internal interface.  for the subnet this interface is in check the AWS routing table has a route to the node in the other VPC as per item (a) above.&nbsp;
it makes no difference if the node you are trying to run the ICMP health check on is not in the internal or external interface on the F5. this is probably a routing or network access issue.&nbsp;

buzzy101_12743 · Answer

I managed to get this configuration to work, however I needed to route the traffic that was destined for the peer VPC via the .1 address of the entire VPC.  If it was routed to the first IP of the individual subnet the traffic would not traverse the peering connection.  It was a pain as it just so happened that my first subnet was being used for the management interface so the F5 wouldn't route the traffic over that address and complained if I added a route as it wasn't directly connected.  Once I changed the management network to another subnet so I could route the peer VPC range to the VPC .1 address it all worked.  
&nbsp;
I was able to health check nodes in the peered VPC and route traffic to them via a VIP.&nbsp;
I've logged an AWS support ticket for clarification, hope that helps.&nbsp;

buzzy101_12743 · Answer

Just to be clear if your VPC is 10.0.0.0/24 you would need to route the traffic to the peer via 10.0.0.1 by adding this static route to the F5&nbsp;

Forum Discussion

aws Transit VPC and Pool members in different VPC

3 Replies

AppWorld 2026: Save the Date and Join Our Community In Person!

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

APM webtop – problem with websockets for Serverside Blazor app

What is the recommended TCP Profile settings monitor settings for ISO 8583 traffic in F5 Big IP ?

Need F5 iRules Consultant - HTTP Header Manipulation Issues

WebSocket connection to 'wss://...' failed: Invalid frame header

F5 BGP Peering in Active /Standby Cluster

Related Content

AWS Transit Gateway Connect: GRE + BGP = ?

From GSLB to Modern Apps in the Cloud: A Transition Plan for Distributed Cloud.

Differences between Disabled vs. Force Offline (Pool Member)

Using F5 Distributed Cloud Network Connect to transit, route, & secure private cloud environments

Demo: Multi-Cloud Networking and transit routing with F5 Distributed Cloud

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS