Updated mDNS documentation from 1.5 branch (#1674)

Updated mDNS documentation from 1.5 branch.
The previous topic was not updated since 1.3 branch.

docs/configuration/service/mdns.rst

@@ -5,30 +5,78 @@ Starting with VyOS 1.2 a :abbr:`mDNS (Multicast DNS)` repeater functionality is
 provided. Additional information can be obtained from
 https://en.wikipedia.org/wiki/Multicast_DNS.
 
-Multicast DNS uses the 224.0.0.251 address, which is "administratively scoped"
+Multicast DNS uses the reserved address ``224.0.0.251``, which is
-and does not leave the subnet. It retransmits mDNS packets from one interface
+`"administratively scoped"` and does not leave the subnet. mDNS repeater
-to other interfaces. This enables support for e.g. Apple Airplay devices across
+retransmits mDNS packets from one interface to other interfaces. This enables
-multiple VLANs.
+support for devices using mDNS discovery (like network printers, Apple Airplay,
+Chromecast, various IP based home-automation devices etc) across multiple VLANs.
 
-Since the mDNS protocol sends the AA records in the packet itself, the repeater
+Since the mDNS protocol sends the :abbr:`AA(Authoritative Answer)` records in
-does not need to forge the source address. Instead, the source address is of
+the packet itself, the repeater does not need to forge the source address.
-the interface that repeats the packet.
+Instead, the source address is of the interface that repeats the packet.
+
+.. note:: You can not run this in a VRRP setup, if multiple mDNS repeaters
+   are launched in a subnet you will experience the mDNS packet storm death!
 
 Configuration
 =============
 
 .. cfgcmd:: set service mdns repeater interface <interface>
 
-   To enable mDNS repeater you need to configure at least two interfaces. To
+   To enable mDNS repeater you need to configure at least two interfaces so that
-   re-broadcast all incoming mDNS packets from any interface configured here to
+   all incoming mDNS packets from one interface configured here can be
-   any other interface configured under this section.
+   re-broadcasted to any other interface(s) configured under this section.
 
 .. cfgcmd:: set service mdns repeater disable
 
    mDNS repeater can be temporarily disabled without deleting the service using
 
-.. note:: You can not run this in a VRRP setup, if multiple mDNS repeaters
+.. cfgcmd:: set service mdns repeater ip-version <ipv4 | ipv6 | both>
-   are launched in a subnet you will experience the mDNS packet storm death!
+
+   mDNS repeater can be enabled either on IPv4 socket or on IPv6 socket or both
+   to re-broadcast. By default, mDNS repeater will listen on both IPv4 and IPv6.
+
+.. cfgcmd:: set service mdns repeater allow-service <service>
+
+   mDNS repeater can be configured to re-broadcast only specific services. By
+   default, all services are re-broadcasted.
+
+.. cfgcmd:: set service mdns repeater browse-domain <domain>
+
+   Allow listing additional custom domains to be browsed (in addition to the
+   default ``local``) so that they can be reflected.
+
+.. cfgcmd:: set service mdns repeater cache-entries <entries>
+
+   Specify how many resource records are cached per interface. Bigger values
+   allow mDNS work correctly in large LANs but also increase memory consumption.
+
+   Defaults to: 4096
+
+Firewall recommendations
+========================
+
+Unlike typical routed traffic, mDNS packets relayed between interfaces do not
+traverse the FORWARD hook chain in the firewall. Instead, they are processed
+through the following hooks:
+
+ - **INPUT**: For packets received by the local system
+ - **OUTPUT**: For packets sent from the local system
+
+To control or allow mDNS packet forwarding via the relay, you must define
+appropriate rules in the INPUT and OUTPUT directions. Rules in the FORWARD
+direction will have no effect on mDNS relay traffic.
+
+.. code-block:: none
+
+ set firewall ipv4 input filter rule 10 action 'accept'
+ set firewall ipv4 input filter rule 10 destination address '224.0.0.251'
+ set firewall ipv4 input filter rule 10 destination port '5353'
+ set firewall ipv4 input filter rule 10 protocol 'udp'
+ set firewall ipv4 output filter rule 10 action 'accept'
+ set firewall ipv4 output filter rule 10 destination address '224.0.0.251'
+ set firewall ipv4 output filter rule 10 destination port '5353'
+ set firewall ipv4 output filter rule 10 protocol 'udp'
 
 Example
 =======
@@ -41,4 +89,35 @@ received on `eth0` to `eth1` (and vice-versa) use the following commands:
   set service mdns repeater interface 'eth0'
   set service mdns repeater interface 'eth1'
 
+To allow only specific services, for example ``_airplay._tcp`` or ``_ipp._tcp``,
+(instead of all services) to be re-broadcasted, use the following command:
+
+.. code-block:: none
+
+  set service mdns repeater allow-service '_airplay._tcp'
+  set service mdns repeater allow-service '_ipp._tcp'
+
+To allow listing additional custom domain, for example
+``openthread.thread.home.arpa``, so that it can reflected in addition to the
+default ``local``, use the following command:
+
+.. code-block:: none
+
+   set service mdns repeater browse-domain 'openthread.thread.home.arpa'
+
 .. _`Multicast DNS`: https://en.wikipedia.org/wiki/Multicast_DNS
+
+Operation
+=========
+
+.. opcmd:: restart mdns repeater
+
+  Restart mDNS repeater service.
+
+.. opcmd:: show log mdns repeater
+
+  Show logs for mDNS repeater service.
+
+.. opcmd:: monitor log mdns repeater
+
+  Follow the logs for mDNS repeater service.

docs/installation/cloud/aws-to-azure.rst

@@ -0,0 +1,189 @@
+##########
+VyOS Deployment on AWS and Azure for Secure Cloud-to-Cloud Connectivity
+##########
+
+This document provides step-by-step guidance for deploying VyOS routers on both AWS and Azure. 
+It describes how to establish secure inter-cloud connectivity using IPsec tunnels with BGP, 
+automated through Terraform. Example workloads (Amazon Linux EC2 on AWS and Ubuntu VM on Azure) 
+are also deployed for connectivity validation.
+
+Why Cloud-to-Cloud Connectivity?
+--------------------------------
+
+Cloud-to-cloud connectivity is needed in modern multi-cloud environments for several reasons:
+
+- **Inter-Cloud Connectivity**
+
+  Enable secure and reliable communication between workloads in different clouds  
+  (for example, AWS applications connecting to Azure-hosted identity services).
+
+- **Cloud-to-Cloud Migration**
+
+  During migration projects, workloads may temporarily run in both clouds.  
+  Direct tunnels ensure smooth transition and synchronization.
+
+- **Testing and Validation**
+
+  Labs and proof-of-concepts often simulate multi-cloud architectures.  
+  A VyOS-based tunnel lets teams test routing, encryption, and failover before production rollout.
+
+Architecture
+------------
+
+The architecture consists of VyOS routers deployed in both AWS and Azure, connected via secure IPsec tunnels.  
+BGP is used for dynamic routing between the clouds, allowing for seamless communication.
+
+.. figure:: /_static/images/cloud-aws-to-azure.png
+   :alt: VyOS Cloud-to-Cloud topology diagram
+
+Terraform Automation
+--------------------
+
+To streamline and standardize the deployment process, a set of **Terraform projects** has been developed.  
+These projects automate the provisioning of **VyOS instances** and the required networking resources across **AWS** and **Azure**.
+
+In addition to deploying VyOS, these projects also provision an **Amazon Linux EC2 instance** on AWS and an **Ubuntu VM** on Azure.  
+These serve as test endpoints to validate connectivity between the cloud environments.
+
+Prerequisites
+-------------
+
+AWS Environment
+^^^^^^^^^^^^^^^
+
+- Active AWS account with permissions for EC2, VPC, Transit Gateway, Route Server, and IAM (for keypair and role management).
+
+Local Environment:
+
+- AWS CLI installed: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
+
+- Terraform installed: https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli
+
+Set AWS credentials in your shell:
+
+.. code-block:: none
+
+   export AWS_ACCESS_KEY_ID="<AWS_ACCESS_KEY_ID>"
+   export AWS_SECRET_ACCESS_KEY="<AWS_SECRET_ACCESS_KEY>"
+   export AWS_SESSION_TOKEN="<AWS_SESSION_TOKEN>"
+   export AWS_DEFAULT_REGION="<AWS_REGION>"  # e.g., us-east-1
+
+Obtain VyOS AMI ID and Owner ID:
+
+Subscribe to VyOS via AWS Marketplace. Then run:
+
+.. code-block:: none
+
+   aws ec2 describe-images \
+     --owners aws-marketplace \
+     --filters "Name=product-code,Values=8wqdkv3u2b9sa0y73xob2yl90" \
+     --query 'Images[*].[ImageId,OwnerId,Name]' \
+     --output table
+
+Alternatively, set the ``vyos_ami_id`` variable directly in ``variables.tf``.
+
+Generate an SSH keypair (or use the included demo key):
+
+.. code-block:: none
+
+   ssh-keygen -b 2048 -t rsa -m PEM -f keys/vyos_custom_key.pem
+   chmod 400 keys/vyos_custom_key.pem
+
+Azure Environment
+^^^^^^^^^^^^^^^^^
+
+- Active Azure subscription:
+
+.. code-block:: none
+
+   az account set --subscription "<subscription ID or name>"
+
+- Azure CLI installed:
+
+  https://learn.microsoft.com/en-us/cli/azure/install-azure-cli
+
+- Logged in with Azure credentials:
+
+.. code-block:: none
+
+   az version
+   az login
+
+- Azure Resource Group (RG) created:
+
+.. code-block:: none
+
+   az group create --name demoResourceGroup --location westus
+   az group list
+   az group show --name demoResourceGroup
+
+- Terraform installed:
+
+  https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli
+
+- SSH key generated:
+
+.. code-block:: none
+
+   ssh-keygen -t rsa -b 4096 -f keys/id_rsa
+   chmod 400 keys/id_rsa
+
+Usage
+-----
+
+AWS
+^^^
+
+All variables needed for customization are defined in ``variables.tf``.  
+Adjust them according to your requirements, such as EC2 instance type and networking configurations.  
+
+Before deployment, ensure you check ``aws_region``, ``availability_zone``, and update ``vyos_ami_id`` as necessary.
+
+Azure
+^^^^^
+
+All variables needed for customization are defined in ``variables.tf``.  
+Adjust them according to your requirements, such as VM size and networking configurations.  
+
+Before deployment, ensure you check ``azure_region``, ``availability_zone``, and update ``subscription_id`` and ``resource_group_name`` as necessary.
+
+Terraform Workflow
+^^^^^^^^^^^^^^^^^^
+
+.. code-block:: none
+
+   terraform init
+   terraform fmt
+   terraform validate
+   terraform plan
+   terraform apply
+
+On completion, run:
+
+.. code-block:: none
+
+   terraform output
+
+This displays the public IP addresses of the VyOS instances.
+
+To clean up:
+
+.. code-block:: none
+
+   terraform destroy
+
+Management
+----------
+
+SSH into VyOS:
+
+.. code-block:: none
+
+   ssh vyos@<vyos_public_ip> -i keys/vyos_custom_key.pem
+
+GitHub Repository
+-----------------
+
+You can clone or download the Terraform projects and use them in your environment:
+
+https://github.com/vyos/vyos-automation/tree/main/Terraform/Cloud-to-Cloud

docs/installation/cloud/index.rst

@@ -11,5 +11,6 @@ Running VyOS in Cloud Environments
    aws-ha
    azure
    azure-ha
+   aws-to-azure
    gcp
    oracle