Gateways and route tables

Recommended gateway and route table configurations for CDP Public Cloud for AWS.

Connectivity from Control Plane to CDP workloads

  • As described in Use Cases, nodes in the CDP workloads need to connect to the CDP Control Plane over the internet to establish a ‘reverse tunnel’ over which the CDP Control Plane sends instructions to the workloads.
  • To accomplish this, two kinds of gateway need to be configured: a NAT Gateway in each of the public subnets and an Internet Gateway at the VPC level.
  • The private subnet hosting the CDP workloads should be configured with a route table whose default route (0.0.0.0/0) points to the NAT Gateway in the public subnet of the same AZ.
  • The public subnet hosting the NAT Gateway should be configured with a route table whose default route (0.0.0.0/0) points to the Internet Gateway attached to the VPC.
  • Each NAT Gateway requires an Elastic IP address, so the VPC needs one Elastic IP address per NAT Gateway across the AZs in the VPC.
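The layout above is easy to get subtly wrong, most often by pointing a private subnet at a NAT Gateway in another AZ or by leaving a NAT Gateway without an Elastic IP. The script below is an added example (not Cloudera's or AWS's code) that audits those rules offline. It assumes constructed input shaped like the JSON returned by `aws ec2 describe-route-tables`, `describe-subnets`, `describe-nat-gateways` and `describe-internet-gateways`; every ID in it is made up, and subnets that rely on the implicit main route table association (no explicit `SubnetId` association) are reported as findings rather than resolved.

```python
"""Audit AWS route tables against the NAT/IGW layout recommended above.

Added example, not Cloudera's or AWS's code. Inputs are constructed samples
shaped like the JSON that the `aws ec2 describe-*` calls return; IDs are made up.
"""
from typing import Dict, List, Optional

VPC_ID = "vpc-0example"  # constructed

# Subnet ID -> availability zone (constructed; from `describe-subnets`).
SUBNET_AZ: Dict[str, str] = {"subnet-pub-a": "us-east-1a", "subnet-priv-a": "us-east-1a",
                             "subnet-pub-b": "us-east-1b", "subnet-priv-b": "us-east-1b"}

INTERNET_GATEWAYS = [{"InternetGatewayId": "igw-0example",
                      "Attachments": [{"VpcId": VPC_ID, "State": "available"}]}]

NAT_GATEWAYS = [
    {"NatGatewayId": "nat-0a", "SubnetId": "subnet-pub-a",
     "NatGatewayAddresses": [{"AllocationId": "eipalloc-0a"}]},
    {"NatGatewayId": "nat-0b", "SubnetId": "subnet-pub-b",
     "NatGatewayAddresses": [{"AllocationId": "eipalloc-0b"}]},
]


def route_table(rtb_id: str, subnet_id: str, default_target: dict) -> dict:
    """Build one route table record: the VPC-local route plus a default route."""
    return {"RouteTableId": rtb_id,
            "Associations": [{"SubnetId": subnet_id}],
            "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                       {"DestinationCidrBlock": "0.0.0.0/0", **default_target}]}


ROUTE_TABLES = [
    route_table("rtb-pub-a", "subnet-pub-a", {"GatewayId": "igw-0example"}),
    route_table("rtb-pub-b", "subnet-pub-b", {"GatewayId": "igw-0example"}),
    route_table("rtb-priv-a", "subnet-priv-a", {"NatGatewayId": "nat-0a"}),
    # Deliberate misconfiguration: the AZ-b private subnet egresses through the
    # AZ-a NAT Gateway, so an AZ-a outage takes AZ-b workloads off the tunnel.
    route_table("rtb-priv-b", "subnet-priv-b", {"NatGatewayId": "nat-0a"}),
]


def default_route(table: dict) -> Optional[dict]:
    """Return the 0.0.0.0/0 route of a route table, or None if absent."""
    for route in table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def audit(route_tables: List[dict], subnet_az: Dict[str, str], nat_gateways: List[dict],
          internet_gateways: List[dict], vpc_id: str) -> List[str]:
    """Return one finding per deviation from the recommended layout."""
    findings: List[str] = []
    attached_igws = {g["InternetGatewayId"] for g in internet_gateways
                     if any(a.get("VpcId") == vpc_id and a.get("State") == "available"
                            for a in g["Attachments"])}
    nat_by_id = {n["NatGatewayId"]: n for n in nat_gateways}

    # Resolve each subnet's default route through its explicit association.
    route_by_subnet: Dict[str, Optional[dict]] = {}
    for table in route_tables:
        for assoc in table["Associations"]:
            if assoc.get("SubnetId"):
                route_by_subnet[assoc["SubnetId"]] = default_route(table)

    # Public subnets: default route to an Internet Gateway attached to this VPC.
    public = set()
    for sid in subnet_az:
        route = route_by_subnet.get(sid)
        if route is None:
            findings.append(f"{sid}: no explicit route table association with a 0.0.0.0/0 route")
        elif route.get("GatewayId", "").startswith("igw-"):
            if route["GatewayId"] in attached_igws:
                public.add(sid)
            else:
                findings.append(f"{sid}: {route['GatewayId']} is not attached to {vpc_id}")

    # Private subnets: default route to a NAT Gateway in a public subnet of the same AZ.
    for sid in subnet_az:
        if sid in public or route_by_subnet.get(sid) is None:
            continue
        nat_id = route_by_subnet[sid].get("NatGatewayId")
        nat = nat_by_id.get(nat_id)
        if nat is None:
            findings.append(f"{sid}: default route does not point to a known NAT Gateway")
        elif nat["SubnetId"] not in public:
            findings.append(f"{sid}: {nat_id} lives in {nat['SubnetId']}, which is not public")
        elif subnet_az.get(nat["SubnetId"]) != subnet_az[sid]:
            findings.append(f"{sid} ({subnet_az[sid]}): {nat_id} is in "
                            f"{subnet_az.get(nat['SubnetId'])}, not the same AZ")

    # One Elastic IP per NAT Gateway.
    allocations = set()
    for nat in nat_gateways:
        ids = {a["AllocationId"] for a in nat["NatGatewayAddresses"] if a.get("AllocationId")}
        if not ids:
            findings.append(f"{nat['NatGatewayId']}: no Elastic IP allocated")
        allocations |= ids
    if len(allocations) < len(nat_gateways):
        findings.append(f"{len(allocations)} Elastic IP(s) for {len(nat_gateways)} NAT Gateway(s)")
    return findings


if __name__ == "__main__":
    for line in audit(ROUTE_TABLES, SUBNET_AZ, NAT_GATEWAYS, INTERNET_GATEWAYS, VPC_ID):
        print("FINDING:", line)
```

Run as-is it reports the single cross-AZ finding planted in `ROUTE_TABLES`; swapping that subnet's target to `nat-0b` yields an empty report. Against a live account the same function can be fed the parsed output of the `describe-*` calls named above, with a subnet-to-AZ map built from `describe-subnets`.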

Connectivity from customer on-prem to CDP workloads

  • As described in Use Cases, data consumers need to access data processing or consumption services in the CDP workloads. Because these services are created with private IP addresses in private subnets, customers need to arrange access to those addresses from their on-prem or corporate networks in specific ways.
  • There are several possible solutions for achieving this; the one depicted in the Architecture Diagram uses the AWS VPN Gateway service.
  • In this solution, the customer creates a Virtual Private Gateway and connects it to the VPN service on the on-prem network.