I'm trying to get routing configured on an AWS vSRX which will be responsible for routing 4 different subnets (mgmt, untrust, trust, & dmz). Right now I'm having trouble getting the dmz (172.20.52.0/23) and trust (172.20.56.0/23) subnets to behave. Based on the recommendations listed here (Juniper vSRX AWS Documentation), I've created 3 different routing-instances to handle the routing needs of the 3 subnets I care about (untrust, dmz, & trust).
interfaces {
    ge-0/0/0 {
        description rtr-or-west2a-untrust-juniper;
        unit 0 {
            family inet {
                address 172.20.48.10/23;
            }
        }
    }
    ge-0/0/1 {
        description rtr-or-west2a-trust-juniper;
        unit 0 {
            family inet {
                address 172.20.56.10/23;
            }
        }
    }
    ge-0/0/2 {
        description rtr-or-west2a-dmz-juniper;
        unit 0 {
            family inet {
                address 172.20.52.10/23;
            }
        }
    }
}
routing-instances {
    aws-dmz {
        instance-type virtual-router;
        interface ge-0/0/2.0;
        routing-options {
            static {
                route 10.0.0.0/8 next-hop 172.20.52.1;
            }
        }
    }
    aws-trust {
        instance-type virtual-router;
        interface ge-0/0/1.0;
        routing-options {
            static {
                route 10.0.0.0/8 next-hop 172.20.56.1;
            }
        }
    }
    aws-untrust {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 172.20.48.1;
            }
        }
    }
}
I figured I needed to do this because I would need to point my corporate static route of 10.0.0.0/8 to the appropriate router in AWS. My host on the dmz subnet (pointing to the dmz interface as its default gateway) isn't able to ping my corporate resources. Is this the correct setup? Should I be throwing the dmz & trust interfaces in the same routing-instance and setting up some sort of policy-based route so if a packet is coming from my dmz network?
Perhaps the problem is something else? I'm able to ping the dmz interface from my corporate network. I'm at a loss; can someone assist me here?
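As an added illustration (not part of the question, and not the vSRX's own forwarding code), the Python below parses the posted interfaces and routing-instances and does a per-virtual-router longest-prefix match, so you can see which instance, route and next-hop a packet arriving on a given interface gets, and that a dmz-sourced packet has no route at all to the trust subnet or to anything outside 10.0.0.0/8 because each virtual-router only sees its own connected and static routes. It models only the routing tables in the post; the SRX's zone and security-policy evaluation, and whatever the VPC router does after the next-hop, are not modelled.

```python
import ipaddress
# The question's interfaces and routing-instances, trimmed to what a lookup needs (constructed input).
CONFIG = """interfaces {
  ge-0/0/0 { unit 0 { family inet { address 172.20.48.10/23; } } }
  ge-0/0/1 { unit 0 { family inet { address 172.20.56.10/23; } } }
  ge-0/0/2 { unit 0 { family inet { address 172.20.52.10/23; } } } }
routing-instances {
  aws-dmz { interface ge-0/0/2.0; routing-options { static { route 10.0.0.0/8 next-hop 172.20.52.1; } } }
  aws-trust { interface ge-0/0/1.0; routing-options { static { route 10.0.0.0/8 next-hop 172.20.56.1; } } }
  aws-untrust { interface ge-0/0/0.0; routing-options { static { route 0.0.0.0/0 next-hop 172.20.48.1; } } } }"""

def parse(tokens, i=0):
    """Junos brace syntax -> nested dict; leaf statements map to None."""
    node, words = {}, []
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if tok in ("{", ";"):  # end of a stanza header or of a leaf statement
            node[" ".join(words)], i = parse(tokens, i) if tok == "{" else (None, i)
            words = []
        elif tok == "}":
            return node, i
        else:
            words.append(tok)
    return node, i

def load(text):
    return parse(text.replace("{", " { ").replace("}", " } ").replace(";", " ; ").split())[0]

def routes(tree, instance):
    """Connected routes from the instance's interfaces plus its static routes."""
    ri, table = tree["routing-instances"][instance], []
    for ifl in [k.split()[1] for k in ri if k.startswith("interface ")]:
        phys, unit = ifl.split(".")
        for leaf in tree["interfaces"][phys]["unit " + unit]["family inet"]:
            table.append((ipaddress.ip_interface(leaf.split()[1]).network, "direct"))
    for leaf in ri.get("routing-options", {}).get("static", {}):
        _, prefix, _, nh = leaf.split()
        table.append((ipaddress.ip_network(prefix), nh))
    return table

def lookup(tree, ingress_ifl, dst):
    """Longest-prefix match for dst in the virtual-router that owns ingress_ifl; None if unroutable."""
    owner = [n for n, ri in tree["routing-instances"].items() if "interface " + ingress_ifl in ri]
    if not owner:
        return None
    hits = [(net, nh) for net, nh in routes(tree, owner[0]) if ipaddress.ip_address(dst) in net]
    if not hits:
        return None
    net, nh = max(hits, key=lambda e: e[0].prefixlen)
    return owner[0], str(net), nh
```

For example, `lookup(load(CONFIG), "ge-0/0/2.0", "10.1.2.3")` resolves inside aws-dmz to 10.0.0.0/8 via 172.20.52.1, while the same host's packet to 172.20.56.20 (trust) or to an Internet address returns None.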