
quickstart-cisco-meraki-sd-wan-vmx's Introduction

Cisco Meraki Virtual MX - Quick Start

For architectural details, step-by-step instructions, and customization options, see the deployment guide.

To post feedback, submit feature ideas, or report bugs, use the Issues section of this GitHub repo.

To submit code for this Quick Start, see the AWS Quick Start Contributor's Kit.

quickstart-cisco-meraki-sd-wan-vmx's People

Contributors

andrew-glenn, censullo, davmayd, goopilot, lucius-aws-quickstart, myhomenwlab, redick0x7e1, simarbir, sshvans, troy-ameigh


quickstart-cisco-meraki-sd-wan-vmx's Issues

Meraki Network Tag Mismatch

The deployment guide documentation says to set the "network tags" in the Meraki Dashboard to "vMX-1" and "vMX-2", but in Table 1 lower down, and more crucially as a pre-populated parameter in the CloudFormation template, the tags are set to "vMX1" and "vMX2".

As these tags are used as environment variables in the Lambda job that is executed to fail over the routing, this discrepancy causes the job to fail until corrected, so the documentation should be changed to make it consistent with the table and CFT.

Lambda Meraki Route Extraction Problem

Our existing SD-WAN topology is hub and spoke, with the hub currently set to a pair of physical MX appliances in an on-prem DC and both vMXs set as spokes.

When the below Lambda function ran with our topology, no routes were extracted at all, so no routing updates were made.

I wondered whether this might be to do with what the get_all_vpn_routes function is expecting the topology to be like?

    def get_all_vpn_routes(dashboard, org_id, vmx1_id, vmx2_id):

AWS Cloud WAN Enhancements: Update existing lambda with support for CW

Modify the existing lambda used to update the VPC and TGW routes, to now support CW (if the CW option is selected at the time of deployment). If the CW option is selected, the lambda should:

  • Update the VPC route tables to point to the core network, instead of pointing to the TGW
  • Update the core-network policy and create/update segment routes for the MX branch routes to point to the SD-WAN VPC.

Route Table Size

The route table from Meraki can be large and exceed the recommended values for AWS route table size. Sure, the size can be increased to 1000, but even then some environments can exceed those numbers. Having the ability to select during deployment whether to leverage summary addresses (RFC 1918) or specific API-pulled routes would be beneficial.
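The choice the issue asks for can be made at run time rather than only at deployment: program the specific routes while they fit the quota, and fall back to RFC 1918 summaries only when they would not. The following is an added example, not code from the quick start's lambda; the helper names and the `reserved` parameter are assumptions, and the quota numbers are AWS's published default (50 routes per route table, raisable to 1000). Prefixes are assumed to be IPv4, and a learned prefix outside RFC 1918 is refused in summary mode rather than silently dropped, since a summary route cannot cover it.

```python
import ipaddress

# RFC 1918 private blocks used as coarse summaries when the specific route
# list would overflow the route table.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def collapse_routes(prefixes):
    """Merge adjacent or overlapping IPv4 prefixes, e.g. two /25s into one /24."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return sorted(ipaddress.collapse_addresses(nets))


def summarize_to_rfc1918(prefixes):
    """Replace each learned prefix by the RFC 1918 block that contains it.

    A prefix outside RFC 1918 raises ValueError instead of being dropped
    silently: a summary route cannot cover it, and a branch advertising
    public or CGNAT space would otherwise lose connectivity without a trace.
    """
    summaries = set()
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        block = next((b for b in RFC1918 if net.version == 4 and net.subnet_of(b)), None)
        if block is None:
            raise ValueError(f"{net} is outside RFC 1918; a summary route cannot cover it")
        summaries.add(block)
    return sorted(summaries)


def plan_routes(learned, limit=50, reserved=0):
    """Choose between specific and summary routes for one route table.

    learned  - prefixes pulled from the Meraki API (IPv4)
    limit    - the table's route quota (AWS default 50, raisable to 1000)
    reserved - entries already consumed by local, IGW, NAT or TGW routes

    Returns ("specific", routes) when the collapsed list fits, otherwise
    ("summary", rfc1918_blocks).
    """
    specific = collapse_routes(learned)
    if len(specific) + reserved <= limit:
        return "specific", [str(n) for n in specific]
    return "summary", [str(n) for n in summarize_to_rfc1918(learned)]


if __name__ == "__main__":
    # Constructed sample: 60 branch /24s plus one home-office prefix.
    sample = [f"10.{i}.0.0/24" for i in range(60)] + ["192.168.5.0/24"]
    print(plan_routes(sample, limit=50, reserved=3))
    print(plan_routes(sample, limit=1000, reserved=3)[0])
```

Summary mode has a side effect worth stating in the deployment option's help text: every address in the private blocks that no branch actually advertises is now forwarded to the vMX as well, so the MX firewall rules, not the VPC route table, decide what happens to that traffic.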

AWS Cloud WAN Enhancements: Add a new lambda to deploy Cloud WAN in a single region

Create a new lambda to deploy and setup the Cloud WAN resource. The lambda should do the following:

  • Deploy a new global network
  • Deploy and setup the core network with support for a single SD-WAN segment in a single region.
  • Create VPC attachments for the SD-WAN VPC
  • Next, update the core network policy to setup the appropriate sharing/segment actions for the SD-WAN and Workload segments.

Moreover, the lambda should automate all the manual steps mentioned in the vMX and AWS Cloud WAN KB

Make TGW creation optional

Many companies have existing environments with a TGW as the core. It would be beneficial to make creation of the TGW optional and add parameters to specify an existing TransitGateway, TransitGatewayAttachment, TransitGatewayRouteTable, etc. that could be passed to the lambda.

Deployment guide feedback

Section heading: Design
Documentation issue description:
Meraki-deployment-design

I don't have any issue with the design and content. I have a couple of questions.
I want to deploy Cisco Meraki vMX in Active/Active mode on AWS. Do I need to use any load balancer?
If I don't want to use any load balancer, then how is traffic handled by both Meraki firewalls?

Attaching the diagram. Is it valid for an HA Active-Active deployment, or do I need to go without a private subnet as per your documents?

Modifying the template to use a supported runtime Python version from 3.7 to 3.12 for templates/copy-lambdas.yaml file

Hi Team,

We want vMX-HA on Cisco Meraki for which we are trying to deploy the vMX instances on AWS using the script - https://aws-quickstart.s3.us-east-1.amazonaws.com/quickstart-cisco-meraki-sd-wan-vmx/templates/quickstart-cisco-meraki-sdwan-vmx-entrypoint-new-vpc.template.yaml

After submitting we get below error on AWS:
Resource handler returned message: "The runtime parameter of python3.7 is no longer supported for creating or updating AWS Lambda functions. We recommend you use the new runtime (python3.12) while creating or updating functions. (Service: Lambda, Status Code: 400, Request ID: def02545-17ed-4776-ad97-cd93544e5238)" (RequestToken: e439a555-a799-782c-acd5-b05b2872613f, HandlerErrorCode: InvalidRequest)

Below is the reply from AWS support:
It appears that an outdated runtime is hard-coded in the Lambda function resource, 'CopyObjectsFunction'. You can resolve this error by modifying the template to use a supported runtime.

Requesting to please change the below Python runtime to the 3.12 version: quickstart-cisco-meraki-sd-wan-vmx/templates/copy-lambdas.yaml

    Description: Copies objects from a source S3 bucket to a destination S3 bucket
    Handler: index.handler
    Role:
      Fn::GetAtt:
      - CopyObjectsRole
      - Arn
    Runtime: python3.7 <<<<<<
    Timeout: 240
    Type: AWS::Lambda::Function

    Description: Empty the S3 Bucket
    Handler: index.handler
    Role:
      Fn::GetAtt:
      - S3CleanUpRole
      - Arn
    Runtime: python3.7 <<<<<<<<
    Timeout: 240
    Type: AWS::Lambda::Function

Log file attached with error snap.
vMXHA deployment error using Cloudformation on AWS.docx

Auto VPN Topology Limitation: AWS vMX does not learn the routes of other Hubs.

There are conditions in lambda_function.py that define the target of route learning.

https://github.com/aws-quickstart/quickstart-cisco-meraki-sd-wan-vmx/blob/main/functions/source/lambda_function.py

    if networks['vpnMode'] == 'spoke': 
        for peers in networks['merakiVpnPeers']:
            if peers['networkId'] == vmx1_id or peers['networkId'] == vmx2_id:

vMX will only learn routes for networks that, in spoke mode, have designated the vMX as a hub.
In other words, AWS's route table does not learn the routes of other hubs.
Therefore, if you have a DC-DC failover topology with a multi-sided configuration of DC and AWS, you will need to modify your scripts.

(attached image: Auto_VPN_Topology_Limitation)
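The two issues above ("Lambda Meraki Route Extraction Problem" and this one) describe the same topology assumption: the extraction loop only takes `exportedSubnets` from networks in spoke mode whose peers include a vMX, so an on-prem hub peered with the vMXs contributes nothing. The example below is added here and is not code from the quick start's lambda_function.py; it reproduces that filter and adds an `include_hubs` switch that also learns from hub networks. The field names `vpnMode`, `merakiVpnPeers` and `networkId` are the ones in the quoted snippet; `exportedSubnets` is assumed from the Meraki organization appliance VPN statuses response, and all sample data is constructed.

```python
# Constructed sample in the shape of the Meraki "appliance VPN statuses"
# response the lambda iterates over (field names assumed from that API,
# data made up for this example).
VMX1_ID = "N_vmx1"
VMX2_ID = "N_vmx2"

VPN_STATUSES = [
    {   # branch spoke that uses both vMXs as hubs: its routes are learned
        "networkId": "N_branch_a", "vpnMode": "spoke",
        "merakiVpnPeers": [{"networkId": VMX1_ID}, {"networkId": VMX2_ID}],
        "exportedSubnets": [{"subnet": "10.10.0.0/24"}, {"subnet": "10.10.1.0/24"}],
    },
    {   # spoke whose only hub is the on-prem DC: no tunnel to AWS
        "networkId": "N_branch_b", "vpnMode": "spoke",
        "merakiVpnPeers": [{"networkId": "N_dc_hub"}],
        "exportedSubnets": [{"subnet": "10.20.0.0/24"}],
    },
    {   # on-prem DC hub peered with both vMXs: skipped by the spoke-only filter
        "networkId": "N_dc_hub", "vpnMode": "hub",
        "merakiVpnPeers": [{"networkId": VMX1_ID}, {"networkId": VMX2_ID},
                           {"networkId": "N_branch_b"}],
        "exportedSubnets": [{"subnet": "10.100.0.0/16"}],
    },
    {   # the vMX itself exports the VPC CIDR; never a candidate route
        "networkId": VMX1_ID, "vpnMode": "hub",
        "merakiVpnPeers": [{"networkId": "N_branch_a"}, {"networkId": "N_dc_hub"}],
        "exportedSubnets": [{"subnet": "10.0.0.0/16"}],
    },
]


def get_all_vpn_routes(statuses, vmx1_id, vmx2_id, include_hubs=False):
    """Return {subnet: source networkId} for prefixes AWS should route to the vMX.

    include_hubs=False reproduces the quick start's filter: only spoke
    networks that list a vMX among their peers.  include_hubs=True also
    takes routes from other hub networks peered with a vMX, which is what a
    DC-DC failover topology needs.
    """
    vmx_ids = {vmx1_id, vmx2_id}
    routes = {}
    for net in statuses:
        if net["networkId"] in vmx_ids:
            continue  # the vMX's own VPC prefix must never be routed back to it
        peers = {p["networkId"] for p in net["merakiVpnPeers"]}
        if not (peers & vmx_ids):
            continue  # no Auto VPN tunnel to AWS, so traffic could not be delivered
        if net["vpnMode"] != "spoke" and not include_hubs:
            continue  # the original spoke-only behaviour
        for exported in net["exportedSubnets"]:
            routes[exported["subnet"]] = net["networkId"]
    return routes


if __name__ == "__main__":
    print(get_all_vpn_routes(VPN_STATUSES, VMX1_ID, VMX2_ID))
    print(get_all_vpn_routes(VPN_STATUSES, VMX1_ID, VMX2_ID, include_hubs=True))
```

With `include_hubs=True` the DC hub's 10.100.0.0/16 is learned while N_branch_b, which has no tunnel to AWS, still is not; that second check is the one that matters for safety, since routing a prefix to a vMX that has no path to it just black-holes the traffic.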

No VPC and TGW routes cleanup

The functions update_tgw_rt and update_vpc_rt only create new routes. There is no automated way to delete VPC and TGW routes in case they were removed or modified on the spoke MX.
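Create-only updates leave stale routes pointing at the vMX after a branch withdraws a prefix. The usual fix is to reconcile the desired set against the current table and compute both additions and deletions, but only over routes whose target is the vMX, so the local route, IGW/NAT routes and anything an operator added by hand are never deleted. The example below is added here and is not the quick start's code; `VMX_TARGET`, the reduced route shape and the sample route table are constructed for the example. It also refuses a learned prefix that overlaps the VPC CIDR, because a VPC route more specific than the local route is accepted by AWS and would redirect intra-VPC traffic through the appliance.

```python
import ipaddress

VMX_TARGET = "eni-vmx-example"  # hypothetical id of the vMX's ENI
VPC_CIDR = "10.0.0.0/16"

# Constructed route table contents, reduced to the two fields the
# reconciliation needs (the real describe_route_tables response carries
# separate GatewayId / NetworkInterfaceId / TransitGatewayId keys).
CURRENT_ROUTES = [
    {"DestinationCidrBlock": "10.0.0.0/16", "Target": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "Target": "igw-example"},
    {"DestinationCidrBlock": "10.10.0.0/24", "Target": VMX_TARGET},   # still advertised
    {"DestinationCidrBlock": "10.20.0.0/24", "Target": VMX_TARGET},   # branch withdrew it
    {"DestinationCidrBlock": "10.30.0.0/24", "Target": "tgw-example"},  # operator's route
]


def plan_route_changes(current_routes, desired_prefixes, vmx_target, vpc_cidr):
    """Compute add/delete/conflict sets for one route table (IPv4).

    current_routes   - routes as read from the table, reduced to CIDR + target
    desired_prefixes - prefixes learned from the Meraki API on this run
    vmx_target       - the ENI or instance the SD-WAN routes point to
    vpc_cidr         - the VPC's own CIDR; learned prefixes inside it are refused

    Only routes already pointing at vmx_target are candidates for deletion.
    A desired prefix that already exists with a different target is reported
    as a conflict instead of being overwritten or re-created.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    desired = set()
    for p in desired_prefixes:
        net = ipaddress.ip_network(p, strict=False)
        if net.overlaps(vpc):
            raise ValueError(f"learned prefix {net} overlaps the VPC CIDR {vpc}")
        desired.add(str(net))

    managed = {r["DestinationCidrBlock"] for r in current_routes if r["Target"] == vmx_target}
    foreign = {r["DestinationCidrBlock"] for r in current_routes if r["Target"] != vmx_target}

    key = ipaddress.ip_network
    return {
        "add": sorted(desired - managed - foreign, key=key),
        "delete": sorted(managed - desired, key=key),
        "conflict": sorted(desired & foreign, key=key),
    }


if __name__ == "__main__":
    learned = ["10.10.0.0/24", "10.30.0.0/24", "10.40.0.0/24"]
    print(plan_route_changes(CURRENT_ROUTES, learned, VMX_TARGET, VPC_CIDR))
```

A lambda built on this plan would call `create_route` and `delete_route` for the VPC table and `create_transit_gateway_route` / `delete_transit_gateway_route` for the TGW table, running the plan again on the next invocation so that a prefix re-advertised by the branch is simply re-added. Conflicts should be logged and left alone: the operator route for 10.30.0.0/24 in the sample is exactly the kind of entry an automatic overwrite would break.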
