Are you trying to give the internal lxd containers the extra internally routable addresses given to your host inside AWS?
You might be able to get the host to respond on behalf of the containers using the AWS IPs by using proxy-arp and some interface routes internally on the host's bridge.
You need to enable proxy-arp in sysctl on the interface in question. e.g.
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
Give the container the new IP address you want to use which Amazon gave you:
e.g. 10.170.10.100/24
then on the container, as it will be in the wrong subnet, create an interface route to get out via the lxd bridge; in my case the lxd bridge gw is 10.132.125.1
ip route add 10.132.125.1/32 dev eth0 (this enables connectivity to the gateway even though it's on the wrong subnet.)
now add a default route via the gateway above (this is like a recursive lookup)
ip route add 0.0.0.0/0 via 10.132.125.1
on the container host, create a /32 host route for the AWS ip to go internally via the lxd bridge:
ip route add 10.170.10.100/32 dev lxdbr0
I've done this but not in public cloud, so there's a good chance it will not work, as some things just don't work in public cloud when you're bound to the strict rules of their overlay networking. As stated, broadcasts just don't exist in the usual sense. Not sure about the ARP side.
Other options would be to just NAT containers on egress of the host and port-forward traffic in through the host, or forward the traffic to an internal haproxy container which then forwards TCP connections or HTTP on to the containers.
You could also run tunnels between the AWS VMs and create an overlay within their overlay, using VXLAN, IPsec tunnels, fan bridges etc., but you would likely have to NAT on egress to get to the outside world. You may have issues with MTU, though.
edit: to say I think you can route to your internal lxd ranges if needed, but you have to modify the routing tables in AWS to say the next hop for your lxdbrX network is via VM1 or whatever; you also have to disable "enable source/dest check" (source/destination routing verification), otherwise it drops the traffic.
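The host-side and container-side steps from the post above, collected into one script as an added example (this is not code from the original post). The interface names eth0 and lxdbr0, the bridge gateway 10.132.125.1 and the secondary address 10.170.10.100 are the values used in the post; the function names, the DRY_RUN switch and the IPv4 validator are my additions. Two choices differ from the post and are my own: the container gets the address as /32 rather than /24 (with a /24 the container would ARP on the bridge for other hosts of the AWS subnet, and nothing on the bridge answers), and the default route is written with `via`. In EC2 the address must also be assigned to the instance's ENI as a secondary private IP, otherwise the VPC never delivers packets for it to the host.

```shell
#!/bin/sh
# Added example, not from the original post: the proxy-ARP + host-route recipe
# as two functions, one run on the host and one inside the container.
# DRY_RUN=1 (the default here) prints the commands instead of running them, so
# the plan can be read and checked before it is run as root with DRY_RUN=0.
set -u
: "${DRY_RUN:=1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Dotted-quad check (each octet 0-255, no CIDR suffix) so a typo does not
# become a bogus route. Returns 0 for valid, 1 otherwise.
valid_ipv4() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  for o in "$a" "$b" "$c" "$d"; do
    case $o in '' | *[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Host side. $1 = AWS-facing NIC, $2 = LXD bridge, $3 = secondary IP that is
# assigned to the NIC's ENI in AWS (assumed: eth0, lxdbr0, 10.170.10.100).
host_setup() {
  nic=$1 bridge=$2 aws_ip=$3
  valid_ipv4 "$aws_ip" || { echo "host_setup: bad IPv4 '$aws_ip'" >&2; return 2; }
  run sysctl -w "net.ipv4.conf.${nic}.proxy_arp=1"   # answer ARP for aws_ip on the NIC
  run sysctl -w net.ipv4.ip_forward=1                 # host forwards between NIC and bridge
  run ip route add "${aws_ip}/32" dev "$bridge"       # host route pointing into the bridge
}

# Container side. $1 = container NIC, $2 = secondary IP, $3 = bridge gateway
# (assumed: eth0, 10.170.10.100, 10.132.125.1). The gateway is off-subnet, so
# it needs an interface route before the default route can reference it.
container_setup() {
  dev=$1 aws_ip=$2 gw=$3
  valid_ipv4 "$aws_ip" && valid_ipv4 "$gw" || { echo "container_setup: bad IPv4" >&2; return 2; }
  run ip addr add "${aws_ip}/32" dev "$dev"           # /32: nothing else is on-link here
  run ip route add "${gw}/32" dev "$dev"              # reach the gateway by interface route
  run ip route add default via "$gw" dev "$dev"       # then default through it
}

# Usage (values from the post; run each on the right side, DRY_RUN=0 as root):
#   host_setup eth0 lxdbr0 10.170.10.100
#   container_setup eth0 10.170.10.100 10.132.125.1
```

After applying it for real, `ip route get 1.1.1.1` inside the container should show `via 10.132.125.1 dev eth0 src 10.170.10.100`; if the src shown is something else, the /32 did not land on the interface you routed through. On the host, `ip route get 10.170.10.100` should answer `dev lxdbr0`.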