Monday, May 14, 2018

VPC Peering across accounts



A VPC peering connection is a networking connection between two VPCs that lets you route traffic between them using private IPv4 or IPv6 addresses. Instances in either VPC can communicate with each other as if they were in the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account in the same AWS Region. The following diagram illustrates the components involved in peering your Databricks deployment (Account A) to your other AWS infrastructure residing in another account (Account B).



For example, Databricks is deployed in one AWS account and the RDS instance in another. A peering connection is established to link the two VPCs across both AWS accounts, so the EC2 instances can talk to the RDS instance without going out to the internet.


As we move through this process it helps to keep a table of information to refer back to.

  1. ID and CIDR range of your AbizerVPC (VPC A).
  2. ID and CIDR range of your other infrastructure, AbizerDatabricksVPC (VPC B).
  3. ID of the main route table of your AbizerVPC (rtb-ec023794).

AWS Service     Name                  ID             CIDR Range
VPC             AbizerVPC             vpc-29e2ca50   10.0.0.0/16
VPC             AbizerDatabricksVPC   vpc-bba395c2   172.78.0.0/16
Route Table     Custtestmainroute     rtb-ec023794


Step 1: Create a peering connection


  1. Navigate to the VPC Dashboard.
  2. Select Peering Connections.
  3. Click Create Peering Connection.
  4. Set the VPC Requester to the Databricks VPC ID (vpc-29e2ca50).
  5. Set the VPC Acceptor to the AbizerDatabricksVPC VPC ID (vpc-bba395c2).
  6. Click Create Peering Connection.

Once all the correct information has been entered, the peering connection is created with the message below.



The Peering ID is pcx-bb31d0d3 .

Step 2: Accept the peering connection request

The VPC in Account B (account 997819012307) will need its owner to approve the request. The status on Peering Connections shows Pending Acceptance until this is done, as seen in the figure below. (Select Actions > Accept Request.)


Step 3: Add DNS resolution to peering connection


  1. Log into the AWS Account that hosts the AbizerVPC.
  2. Navigate to the VPC Dashboard.
  3. Select Peering Connections.
  4. From the Actions menu, select Edit DNS Settings.
  5. Click to enable DNS resolution.

Note: in case you hit the error below and enabling DNS resolution fails:

"Public Hostnames are disabled for: vpc-29e2ca50"

Go to the VPC tab, select the VPC in question and click Actions --> Edit DNS Hostnames (enable public hostnames).



Similarly, enable DNS resolution for Account B.


Step 4: Add a destination to the AbizerVPC main route table (this is the route instances will use to reach Account B).


  1. Select Route Tables in the VPC Dashboard.
  2. Search for the AbizerVPC ID.
  3. Click the Edit button under the Routes tab.
  4. Click Add another route.
  5. Enter the CIDR range of the Aurora VPC (Account B) for the Destination.
  6. Enter the ID of the peering connection for the Target.


Step 5: Add a destination to the AbizerDatabricksVPC main route table (this is the route instances will use to reach Account A).


  1. Select Route Tables in the VPC Dashboard.
  2. Search for the AbizerDatabricksVPC ID.
  3. Click the Edit button under the Routes tab.
  4. Click Add another route.
  5. Enter the CIDR range of the Databricks VPC for the Destination.
  6. Enter the ID of the peering connection for the Target.


Once saved, VPC peering should work, and resources in Subnet A reaching Subnet B should not need internet access (traffic goes over the peering connection through Amazon's private network gateway).

NOTE: this blog assumes the security groups for both VPCs are wide open and allow traffic to flow between the VPCs; if that is not the case, security group rules must be added to allow it.
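As an added example (not part of the original post), the five console steps above and the security group point in this note are expressed below as AWS CLI calls in one script. It uses the IDs from the tables on this page; the CLI profile names account-a and account-b, the database port 5432, the main route table of VPC B (a placeholder) and the role of sg-df2d17a1 as the RDS security group are assumptions, since the post does not give them. Going a little beyond the post, the script first checks that the two CIDR ranges do not overlap (AWS refuses to peer VPCs with overlapping blocks) and, for the security group, admits only the peer VPC's range on the database port instead of leaving the group wide open. With no arguments it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1 to 5 above plus a
# least-privilege security group rule, as AWS CLI calls.
# Assumptions: CLI profiles "account-a" and "account-b" exist (hypothetical
# names), the RDS listener is on port 5432, and RTB_B is a placeholder because
# the post gives no value. Without "--apply" only the commands are printed.
set -eu

VPC_A="vpc-29e2ca50"; CIDR_A="10.0.0.0/16"     # AbizerVPC (Account A), from the post
VPC_B="vpc-bba395c2"; CIDR_B="172.78.0.0/16"   # AbizerDatabricksVPC (Account B)
RTB_A="rtb-ec023794"                           # main route table of AbizerVPC
RTB_B="rtb-PLACEHOLDER"                        # main route table of VPC B (not on the page)
ACCOUNT_B="997819012307"                       # owner of the accepter VPC
SG_B="sg-df2d17a1"        # listed on the page; assumed here to be the RDS security group
PROFILE_A="account-a"; PROFILE_B="account-b"   # assumed CLI profile names
DB_PORT=5432                                   # assumed database port

# Run a command, or only print it (to stderr) when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '[dry-run] %s\n' "$*" >&2
  else
    "$@"
  fi
}

# Dotted IPv4 address -> 32-bit integer, using only shell arithmetic.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlap A/n B/m: succeeds if the two ranges overlap. AWS refuses to peer
# VPCs whose CIDR blocks overlap, so this is checked before anything is created.
cidr_overlap() {
  local a_ip=${1%/*} a_len=${1#*/} b_ip=${2%/*} b_len=${2#*/}
  local len=$(( a_len < b_len ? a_len : b_len ))   # compare on the shorter prefix
  local mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$a_ip") & mask )) -eq $(( $(ip2int "$b_ip") & mask )) ]
}

# add_route <route-table> <destination CIDR> <pcx-id> <profile>  (steps 4 and 5)
add_route() {
  run aws ec2 create-route --profile "$4" --route-table-id "$1" \
      --destination-cidr-block "$2" --vpc-peering-connection-id "$3"
}

# allow_peer_db_ingress <sg-id> <peer CIDR> <port> <profile>: instead of a
# wide-open group, admit only the peer VPC's range on the database port.
allow_peer_db_ingress() {
  run aws ec2 authorize-security-group-ingress --profile "$4" --group-id "$1" \
      --protocol tcp --port "$3" --cidr "$2"
}

peer_accounts() {
  if cidr_overlap "$CIDR_A" "$CIDR_B"; then
    echo "error: $CIDR_A and $CIDR_B overlap; these VPCs cannot be peered" >&2
    return 1
  fi
  # Step 1 (Account A): request the peering and capture the pcx- ID.
  PCX=$(run aws ec2 create-vpc-peering-connection --profile "$PROFILE_A" \
          --vpc-id "$VPC_A" --peer-vpc-id "$VPC_B" --peer-owner-id "$ACCOUNT_B" \
          --query 'VpcPeeringConnection.VpcPeeringConnectionId' --output text)
  PCX=${PCX:-pcx-bb31d0d3}   # a dry run returns nothing; fall back to the post's ID
  # Step 2 (Account B): the accepter VPC's owner approves the request.
  run aws ec2 accept-vpc-peering-connection --profile "$PROFILE_B" \
      --vpc-peering-connection-id "$PCX"
  # Step 3: DNS hostnames must be on in each VPC (otherwise the "Public Hostnames
  # are disabled" error), then each side allows resolution of the remote VPC's names.
  run aws ec2 modify-vpc-attribute --profile "$PROFILE_A" --vpc-id "$VPC_A" \
      --enable-dns-hostnames '{"Value":true}'
  run aws ec2 modify-vpc-attribute --profile "$PROFILE_B" --vpc-id "$VPC_B" \
      --enable-dns-hostnames '{"Value":true}'
  run aws ec2 modify-vpc-peering-connection-options --profile "$PROFILE_A" \
      --vpc-peering-connection-id "$PCX" \
      --requester-peering-connection-options AllowDnsResolutionFromRemoteVpc=true
  run aws ec2 modify-vpc-peering-connection-options --profile "$PROFILE_B" \
      --vpc-peering-connection-id "$PCX" \
      --accepter-peering-connection-options AllowDnsResolutionFromRemoteVpc=true
  # Steps 4 and 5: one route in each direction, targeting the peering connection.
  add_route "$RTB_A" "$CIDR_B" "$PCX" "$PROFILE_A"
  add_route "$RTB_B" "$CIDR_A" "$PCX" "$PROFILE_B"
  # Security group on the RDS side: only the peer VPC's CIDR, only the DB port.
  allow_peer_db_ingress "$SG_B" "$CIDR_A" "$DB_PORT" "$PROFILE_B"
}

# Print the commands by default; run them for real only with "--apply".
case "${1:-}" in
  --apply) DRY_RUN=0 ;;
  *)       DRY_RUN=1 ;;
esac
peer_accounts
```

Run the script with no arguments to review the commands, and with --apply once both profiles are configured. The routes on each side point at the peering connection ID, exactly as in steps 4 and 5, and the security group rule admits only 10.0.0.0/16 on the database port, which is the tighter alternative to the wide-open groups this note assumes.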

The table below has all the information for the peered VPCs (names, IDs and CIDR ranges), along with the main route table, the peering connection ID and the security group.


AWS Service          Name                                ID             CIDR Range
VPC                  AbizerVPC                           vpc-29e2ca50   10.0.0.0/16
VPC                  AbizerDatabricksVPC                 vpc-bba395c2   172.78.0.0/16
Route Table          Custtestmainroute                   rtb-ec023794
Peering Connection   AbizerVPC --> AbizerDatabricksVPC   pcx-bb31d0d3
Security Group       Default Group                       sg-df2d17a1
