# aws
l
Yes, but (iirc) you need to import the default route, so you can't do it with just a single `up`.
s
ooof that is an unfortunate state of affairs if this is the only available option
l
Yes, pretty much anything where AWS "knows best" and creates extra resources doesn't play well with IaC.
It's not a Pulumi-specific problem.
However, it's safe to always ignore the default route, and create a managed route to local with higher priority, which sidesteps the problem.
s
I need to use the same CIDR as the default route but want it to go elsewhere.
l
Same as default VPC, default NACL, etc. Just ignore the defaults and manage your own ones...
I don't think that'll be a problem.
s
can i deploy a route table and instruct it to not produce a route at all?
l
Just set up the Route and RouteTableAssociation in the normal way, as if the default route wasn't there.
Not sure... 🤔
The default route doesn't have a CIDR, does it? Other than 0.0.0.0....
s
I might be able to deploy more specific targets… but that only sidesteps the problem…
yea it has the same cidr as the vpc by default
l
Ah.. you said default route... you mean default RouteTable.
Don't use the default RouteTable. Ignore it. Don't associate it with any subnets. This is a standard rule for all IaC.
s
uhh… yes… route inside the routetable when its generated
l
Just don't use that RouteTable. Create your own ones.
s
hmmm ok we may have gotten confused
l
The default RouteTable isn't used by anything except the default subnet, and you shouldn't be using that.
s
i am generating a brand new route table, it comes with a local route. i can’t seem to update that route
l
I think I'm missing something. Checking my own Pulumi-created resources...
s
error creating Route in Route Table (rtb-x) with destination (10.1.130.0/24): RouteAlreadyExists: The route identified by 10.1.130.0/24 already exists.
I think you were right when you said that Pulumi is not aware of the local route created when the route table is created
perhaps we can perform an inline import of that route and then replace it….
l
No, I don't think so. You can use the AWS SDK to make the change, after Pulumi has finished doing its thing.
You can also create another RouteTable with the correct route defined inline (rather than via Route / RouteTableAssociation).. not certain that'd work, but it might.
I've been looking through the AWS SDK to see if there's a different API for the default route, but there isn't. It's just a regular route that's set up by AWS.
(Grr)
s
Tested that… same error. RouteAlreadyExists
l
In fact.. it's a documented "feature" that if you create a RouteTable with inline routes, then set up Route / RouteTableAssociation routes, then all the inline routes are overwritten.. you might be able to make that work to your advantage... just define a dummy useless inline route, then set up all the real routes using Route. https://www.pulumi.com/registry/packages/aws/api-docs/ec2/routetable/
NOTE on Route Tables and Routes: This provider currently provides both a standalone Route resource and a Route Table resource with routes defined in-line. At this time you cannot use a Route Table with in-line routes in conjunction with any Route resources. Doing so will cause a conflict of rule settings and will overwrite rules.
s
I can try…
l
I have a question about why you'd want this though.. normally if you want to redirect traffic through a VPC to another one, you'd set up either a virtual gateway, or peering. Would either of those options be better?
s
this is for an igw which sits in front of a firewall. All local traffic coming back from the igw should be sent back to the vpce (firewall)
i THINK with my architecture i’m gonna need to use more specific subnet routes to redirect traffic to respective AZ’s anyhow. So that will be a good workaround….
l
Is the VPCE not inside a subnet? You shouldn't need to bother with the default route if the device is in an AWS subnet, right?
s
the igw exists only at the vpc level. It needs a route table edge association to send traffic specifically back to the vpce…