An AWS VPC peering connection is a networking connection between two AWS VPCs that enables communication between them using private IP addresses.
A peering connection can help facilitate a network migration by allowing services to be migrated from the old VPC to the new VPC individually over time while maintaining network connectivity, as opposed to a riskier all-at-once migration.
By peering VPCs between two regions, they can both communicate privately and effectively act as a single multi-region private network.
Peering connections can go accross AWS accounts, offering many benefits such as workload isolation, simplified account migration and enterprise capabilities (communicate across accounts without cloud account access).
This bundle is designed for two scenarios:
- Peering two VPCs, both of which are provisioned by Massdriver and in the same account
- Peering two VPCs, only one of which is provisioned and managed by Massdriver
Both VPCs in Same Account Provisioned by Massdriver
In the first case, where both VPCs are managed by Massdriver and exist in the same AWS account, the user should connect both VPCs to the connection ports on the bundle (one to
requester the other to
accepter). The fields in the bundle configuration (“Remote VPC ARN” and “Remote VPC CIDR”) can be ignored since these values can be pulled from the accepter VPC. It doesn’t matter which VPC is the requester or accepter, they are functionally equivalent. In this scenario, the bundle will handle all the proper configuration for the peering connection, including establishing the connection, accepting it, and updating the route tables of both VPCs to enable communication across the VPCs.
VPCs in Separate Accounts, or Only One VPC Managed by Massdriver
In the second case, where one VPC isn’t managed by Massdriver, or the VPCs exist in a different account, only one of the connections is used: the
requester connection. In this case, the bundle won’t be able to “accept” the peering connection on behalf of the “accepter” VPC. Additionally, the fields in the bundle configuration (“Remote VPC ARN” and “Remote VPC CIDR”) will need to be specified so the bundle can properly initiate the peering connection, and update the route tables of the Massdriver-managed requester VPC. Additional steps will need to be performed by the user in the AWS console to complete the peering connection.
Steps to Manually Accept Peering Connection
- Log into the AWS console for the “Accepter” account
- Navigate to the VPC configuration screen
- In the navigation pane, choose “Peering Connections”
- Select the pending VPC peering connection and choose “Actions” -> “Accept request”
- Choose “Modify route tables now”, or select “Route Tables” in the left side navigation pane
- Filter by the VPC ID of accepter
- For every route table associated with the VPC perform the following steps:
- Select the route table, and choose “Actions” -> “Edit Routes”
- Select Add Route
- For Destination, use the CIDR of the Requester VPC (the one managed by Massdriver)
- For Target, select “Peering Connection” and select the peering connection that was just created
- Select “Save changes”
- (Optional) If you would like DNS resolution across the peering connection, select the peering connection and choose “Actions” -> “Edit DNS settings” and select both “Allow accepter VPC” and “Allow requester VPC”.
Remote DNS Resolution
If both VPCs are managed by Massdriver, the peering connection will be configured to allow DNS resolution across the connection, allowing services to use private DNS names instead of IP addresses.
Route Table Management
Route tables will automatically be updated to allow proper routing across the peering connection (the requester VPC will always be updated, the accepter will only be updated if the VPC is in the same account and managed by Massdriver - see above)
| accepter_vpc_arn | string | IMPORTANT: Only set this value if you haven’t connected a remote “accepter” VPC to the bundle!!! If an accepter VPC is connected, this field is ignored and the value will be extracted from the connection artifact. Use this field if the remote VPC isn’t managed by Massdriver or exists in different AWS account than the requester VPC. This will require you to accept the peering connection and update the route tables of the accepter VPC manually! | | accepter_vpc_cidr | string | IMPORTANT: Only set this value if you haven’t connected a remote “accepter” VPC to the bundle!!! If an accepter VPC is connected, this field is ignored and the value will be extracted from the connection artifact. Use this field if the remote VPC isn’t managed by Massdriver or exists in different AWS account than the requester VPC. This will require you to accept the peering connection and update the route tables of the accepter VPC manually! |