Set up a VPC Peering Connection
VPC peering provides a secure network connection between two VPCs. A common use case is configuring a VPC peering connection between your Ahana Compute Plane VPC and data sources that reside in a different VPC. This article provides instructions on creating a VPC peering connection between your Ahana Compute Plane VPC and your target VPC. The reader should be familiar with the basics of VPCs and route tables. See the Amazon VPC Peering Guide for more comprehensive information on VPC peering. Figure 1 illustrates a VPC peering scenario in which we want to provide a secure connection between Service A and Service B, which reside in different VPCs.
Figure 1: VPC peering connection example
Step 0: Identify your VPCs
To make it easier to configure the VPC peering connection, it helps to have the various IDs readily available. Here's an example:
Name | Service | Region | ID | CIDR Block |
---|---|---|---|---|
Ahana Compute Plane VPC | VPC | us-east-1 | vpc-0ad58711b9209da6c | 10.128.0.0/18 |
Target VPC | VPC | us-east-2 | vpc-06d54f61931bfced8 | 172.31.0.0/16 |
Ahana Compute Plane VPC Route Table | Route Table | us-east-1 | rtb-00d85083ae20dc265 | (not applicable) |
The Ahana Compute Plane VPC and your Target VPC cannot have overlapping CIDR blocks. If a conflict exists or you are unsure, contact Ahana support for help resolving it.
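As an added example (not code from the article or from Ahana), the following Python script uses the standard-library ipaddress module to carry out the checks behind Step 0 and Step 3: it confirms that the two CIDR blocks do not overlap, builds the route entry that Step 3 adds (plus the mirror route the Target VPC's route table needs for return traffic, since a peering connection forwards traffic only where the sending side's route table points the remote CIDR at it), and verifies that a route table, in the shape returned by EC2 DescribeRouteTables, carries an active route to the peering connection. The IDs and CIDRs are the example values from the table above; the route list is constructed here to mimic the console view after Step 3.

```python
import ipaddress

# Example values from the article's table (illustrative IDs, not live resources).
COMPUTE_PLANE_CIDR = "10.128.0.0/18"
TARGET_CIDR = "172.31.0.0/16"
PEERING_ID = "pcx-0552751e4d0f7ebb"


def cidrs_overlap(cidr_a: str, cidr_b: str) -> bool:
    """Return True if the two IPv4 CIDR blocks share any address.

    AWS will not activate a peering connection between VPCs with overlapping
    CIDRs, because a route for the remote block would be ambiguous.
    """
    a = ipaddress.ip_network(cidr_a, strict=True)
    b = ipaddress.ip_network(cidr_b, strict=True)
    return a.overlaps(b)


def peering_routes(requester_cidr: str, accepter_cidr: str, pcx_id: str) -> dict:
    """Build the route each side must add so traffic flows in both directions.

    Step 3 adds the requester-side route. The accepter side needs the mirror
    route, otherwise return packets from the target service have no path back.
    Keys follow the EC2 CreateRoute parameter names.
    """
    if cidrs_overlap(requester_cidr, accepter_cidr):
        raise ValueError(f"CIDR blocks overlap: {requester_cidr} and {accepter_cidr}")
    return {
        "requester": {"DestinationCidrBlock": accepter_cidr, "VpcPeeringConnectionId": pcx_id},
        "accepter": {"DestinationCidrBlock": requester_cidr, "VpcPeeringConnectionId": pcx_id},
    }


def route_present(routes: list, destination_cidr: str, pcx_id: str) -> bool:
    """True if `routes` (the Routes list of one DescribeRouteTables entry) has an
    active route sending destination_cidr to pcx_id.

    A route whose State is "blackhole" is what remains after the peering
    connection is deleted (Step 6); it is reported as missing so the caller
    knows to clean it up.
    """
    for route in routes:
        if (route.get("DestinationCidrBlock") == destination_cidr
                and route.get("VpcPeeringConnectionId") == pcx_id
                and route.get("State") == "active"):
            return True
    return False


# Constructed sample: the compute plane route table as it looks after Step 3.
SAMPLE_ROUTES = [
    {"DestinationCidrBlock": "10.128.0.0/18", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "172.31.0.0/16", "VpcPeeringConnectionId": PEERING_ID,
     "State": "active"},
]

if __name__ == "__main__":
    print("overlap:", cidrs_overlap(COMPUTE_PLANE_CIDR, TARGET_CIDR))
    print(peering_routes(COMPUTE_PLANE_CIDR, TARGET_CIDR, PEERING_ID))
    print("route active:", route_present(SAMPLE_ROUTES, TARGET_CIDR, PEERING_ID))
```

The same three functions work on real data if you feed them the output of `aws ec2 describe-route-tables` (the `Routes` list) instead of the constructed sample.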
Step 1: Create the VPC peering connection
- Go to the VPC service for your Ahana Compute Plane VPC.
- Select Peering Connections from the left navigation.
- Select Create Peering Connection.
  - Set the VPC (Requester) to the Ahana Compute Plane VPC.
  - Set the VPC ID (Accepter) to your Target VPC.
  - Click Create Peering Connection.
- Make note of the VPC peering connection ID, for example pcx-0552751e4d0f7ebb.
Step 2: Accept the VPC peering connection
Notice that the VPC peering connection is in the Pending Acceptance state when created. It appears with that status in the Peering Connections list of both the Ahana Compute Plane VPC and the Target VPC.
- Go to the VPC service for your Target VPC.
- Select Peering Connections from the left navigation.
- Select Accept Request under the Actions in the main panel.
- Confirm the request by clicking Yes, Accept from the confirmation modal that appears.
You should notice that the peering connection status is now Active.
Step 3: Update the Ahana Compute Plane DNS and route tables
- Go to the VPC service for your Ahana Compute Plane VPC.
- Select Peering Connections from the left navigation.
- Select Edit DNS Settings under the Actions in the main panel.
- Check the box next to Requester DNS resolution so that Target (accepter) DNS names resolve to private IPs.
- Verify that DNS resolution from accepter VPC to private IP shows Enabled in the DNS tab.
Next, update the route tables associated with your compute plane subnets so that traffic to your Target VPC is routed through the peering connection.
- Select Route Tables from the left navigation.
- Select the route table that is associated with the compute plane subnets.
- Click Edit routes.
- Click Add route.
- For the Destination, enter the Target VPC CIDR.
- For the Target, enter the VPC peering connection ID.
- Click Save changes.
You now see your new route entry in the route table with an Active status.
Step 4: Allow Ahana Compute Plane connection for target service
You need to ensure that your target service, whether it is a data source or a server, allows the appropriate network connections from the Ahana Compute Plane on the appropriate ports.
As a mock example, we have a target instance in the Target VPC that we'd like to reach from the Ahana Compute Plane. In this case, we updated its Security Group to allow TCP traffic from the Ahana Compute Plane CIDR on the SSH port (22). You should use the ports of your own data sources instead; for example, the default port for MySQL is 3306 and the default port for PostgreSQL is 5432.
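The security group change in this step is where the peering is actually scoped: the rule should admit only the compute plane CIDR on the data source's port, not 0.0.0.0/0. As an added example (not from the article or Ahana), the following Python script evaluates a security group's ingress rules in the IpPermissions shape that EC2 DescribeSecurityGroups returns, reports whether a given port is reachable from the compute plane CIDR, flags any rule that opens that port to the whole internet, and builds the single least-privilege rule to pass to AuthorizeSecurityGroupIngress. The ingress list is constructed here for illustration; the compute plane CIDR is the value from the table in Step 0.

```python
import ipaddress

COMPUTE_PLANE_CIDR = "10.128.0.0/18"  # from the article's table

# Constructed sample in the IpPermissions shape returned by EC2 DescribeSecurityGroups.
# Rule 1 is the kind of rule the article describes (compute plane CIDR on one port,
# here MySQL's 3306); rule 2 is a deliberately over-broad SSH rule for the check to flag.
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "10.128.0.0/18", "Description": "Ahana compute plane"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]


def rule_permits(rule: dict, port: int, source_cidr: str) -> bool:
    """True if one ingress rule admits TCP `port` from every address in source_cidr.

    IpProtocol "-1" means all protocols and carries no port range, so it admits
    any port. Only IPv4 ranges (IpRanges) are considered here.
    """
    proto = rule.get("IpProtocol")
    if proto == "tcp":
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    elif proto != "-1":
        return False
    source = ipaddress.ip_network(source_cidr)
    return any(
        source.subnet_of(ipaddress.ip_network(r["CidrIp"]))
        for r in rule.get("IpRanges", [])
    )


def evaluate_port_access(ingress: list, port: int, compute_plane_cidr: str):
    """Return (reachable_from_compute_plane, over_broad_rules) for a data-source port.

    reachable: at least one rule admits the compute plane CIDR on this port.
    over_broad: rules that admit the port from 0.0.0.0/0, i.e. from anywhere.
    """
    reachable = any(rule_permits(r, port, compute_plane_cidr) for r in ingress)
    over_broad = [r for r in ingress if rule_permits(r, port, "0.0.0.0/0")]
    return reachable, over_broad


def least_privilege_rule(port: int, source_cidr: str, description: str) -> dict:
    """The IpPermissions entry for AuthorizeSecurityGroupIngress: one TCP port,
    one source CIDR, nothing wider."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": source_cidr, "Description": description}]}


if __name__ == "__main__":
    for port in (3306, 22, 5432):
        reachable, broad = evaluate_port_access(SAMPLE_INGRESS, port, COMPUTE_PLANE_CIDR)
        print(f"port {port}: reachable={reachable} over_broad={len(broad)}")
    print(least_privilege_rule(5432, COMPUTE_PLANE_CIDR, "Ahana compute plane"))
```

Run against real data by passing the `IpPermissions` list from `aws ec2 describe-security-groups` for the data source's security group; a non-empty over_broad result means the port is exposed beyond the peered compute plane.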
Step 5: Verify the VPC peering connection
You can verify your peering connection by testing whether a service in the Ahana Compute Plane VPC can communicate with the desired service in the target VPC. For example, if the target service is a data source, you can attempt to reach that data source from your Presto cluster.
Another way to test the connection is to set up a test EC2 instance in your Ahana Compute Plane VPC and attempt to reach the target service. In this example, we set up a free t2.micro instance in the Ahana Compute Plane, logged in via secure shell (SSH), and made a curl connection to the target service (another test EC2 instance in this case). Note that it does not matter that the curl request was rejected; the point is that two services in distinct VPCs were able to communicate, and they did so using only private IPs.
```
$ ssh -i ~/mykey.pem ec2-user@54.211.86.231
Last login: Wed Apr 28 21:21:26 2021 from 76.102.85.192

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
$ curl -L 172.31.0.13:22
SSH-2.0-OpenSSH_7.4
curl: (56) Recv failure: Connection reset by peer
```
Step 6: Deleting a VPC peering connection
If you no longer require a VPC peering connection, you can delete it.
- Go to the VPC service for your Ahana Compute Plane VPC.
- Select Peering Connections from the left navigation.
- Select Delete VPC Peering Connection under the Actions in the main panel.
- Confirm the deletion by clicking Yes, Delete from the confirmation modal that appears.