
Set up a VPC Peering Connection

VPC peering provides a secure network connection between two VPCs. A common use case is to configure a VPC peering connection between your Ahana Compute Plane VPC and data sources that are in a different VPC. This article provides instructions on creating a VPC peering connection between your Ahana Compute Plane VPC and your target VPC. The reader should be familiar with the basics of VPCs and route tables. See the Amazon VPC Peering Guide for more comprehensive information about VPC peering. Figure 1 illustrates a VPC peering scenario, where we want to provide a secure connection between Service A and Service B, which reside in different VPCs.

../static/img/vpc-peering.png

Figure 1: VPC peering connection example

Step 0: Identify your VPCs

To make it easier to configure the VPC peering connection, it helps to have the various IDs readily available. Here's an example:

| Name | Service | Region | ID | CIDR Block |
|---|---|---|---|---|
| Ahana Compute Plane VPC | VPC | us-east-1 | vpc-0ad58711b9209da6c | 10.128.0.0/18 |
| Target VPC | VPC | us-east-2 | vpc-06d54f61931bfced8 | 172.31.0.0/16 |
| Ahana Compute Plane VPC Route Table | Route Table | us-east-1 | rtb-00d85083ae20dc265 | |

The Ahana Compute Plane VPC and your Target VPC cannot have overlapping CIDR blocks. If a conflict exists or you are unsure, please contact Ahana support to help you resolve this conflict.

Step 1: Create the VPC peering connection

  1. Go to the VPC service for your Ahana Compute Plane VPC.
  2. Select Peering Connections from the left navigation.
  3. Click Create Peering Connection.

../static/img/create-peering-connection.png

  4. Set the VPC (Requester) to the Ahana Compute Plane VPC.

  5. Set the VPC ID (Accepter) to your Target VPC.

  6. Click Create Peering Connection.

../static/img/create-peering-connection-filled.png

  7. Make note of the VPC peering connection ID, for example pcx-0552751e4d0f7ebb.

../static/img/create-peering-connection-success-redacted.png

Step 2: Accept the VPC peering connection

Notice that the VPC peering connection is in a Pending Acceptance state when created.

Ahana Compute Plane VPC Peering Connections:

../static/img/pending-peering-ahana-redacted.png

Target VPC Peering Connections:

../static/img/pending-peering-target-redacted.png

  1. Go to the VPC service for your Target VPC.
  2. Select Peering Connections from the left navigation.
  3. Select Accept Request under the Actions in the main panel.

../static/img/pending-peering-accept-request.png

  4. Confirm the request by clicking Yes, Accept from the confirmation modal that appears.

../static/img/pending-peering-accept-request-confirm-redacted.png

You should notice that the peering connection status is now Active.

../static/img/accepted-peering-redacted.png

Step 3: Update the Ahana Compute Plane DNS and route tables

  1. Go to the VPC service for your Ahana Compute Plane VPC.

  2. Select Peering Connections from the left navigation.

  3. Select Edit DNS Settings under the Actions in the main panel.

../static/img/peering-dns-settings-edit-redacted.png

  4. Click the checkbox next to Requester DNS resolution to resolve Target (accepter) DNS to private IP.

../static/img/peering-dns-settings-update.png

  5. Verify the DNS resolution from accepter VPC to private IP is Enabled in the DNS tab.

../static/img/peering-dns-settings-updated.png

You need to update the route tables associated with your compute plane subnets to route traffic to your Target VPC through the peering connection.

  1. Select Route Tables from the left navigation.

  2. Select the route table that is associated with the compute plane subnets.

../static/img/route-table-ahana-redacted.png

  3. Click Edit routes.

  4. Click Add route.

  5. For the Destination, enter the Target VPC CIDR.

  6. For the Target, enter the VPC peering connection ID.

  7. Click Save changes.

../static/img/route-table-ahana-update.png

You now see your new route entry in the route table with an Active status.

../static/img/route-table-ahana-update-success-redacted.png

Step 4: Allow Ahana Compute Plane connection for target service

You need to ensure that your target service, whether it is a data source or a server, allows the appropriate network connections from the Ahana Compute Plane, such as on the appropriate ports.

As a mock example, we have a target instance in the Target VPC that we'd like to reach from the Ahana Compute Plane. In this case, we updated the Security Group to allow TCP traffic from the Ahana Compute Plane CIDR. We are also using the SSH port (22). You should use the ports for your data sources. For example, the default port for MySQL is 3306, and the default port for PostgreSQL is 5432.

../static/img/test-target-instance-redacted.png
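The non-overlap requirement from Step 0 and the Security Group rule from Step 4 can both be checked before relying on the peering connection. The following is an added example, not Ahana's code: it assumes ingress rules in the IpPermissions shape that the EC2 API returns for a security group, and the function names and sample rules are constructed for illustration.

```python
import ipaddress

# CIDR blocks from the Step 0 table on this page.
COMPUTE_PLANE_CIDR = "10.128.0.0/18"
TARGET_CIDR = "172.31.0.0/16"

def cidrs_overlap(a, b):
    """True if the two blocks share any address; peering requires False."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

def audit_ingress(ip_permissions, source_cidr, allowed_ports):
    """Return (cidr, issue) findings for rules that admit more than
    source_cidr on allowed_ports (hypothetical helper)."""
    source = ipaddress.ip_network(source_cidr)
    findings = []
    for perm in ip_permissions:
        proto = perm["IpProtocol"]
        for rng in perm.get("IpRanges", []):
            cidr = rng["CidrIp"]
            net = ipaddress.ip_network(cidr)
            if not net.overlaps(source):
                continue  # rule does not admit compute plane addresses
            if net != source and source.subnet_of(net):
                findings.append((cidr, "source wider than compute plane CIDR"))
            if proto == "-1":  # "-1" means every protocol and port
                findings.append((cidr, "all protocols and ports allowed"))
            elif proto in ("tcp", "udp"):
                lo, hi = perm["FromPort"], perm["ToPort"]
                extra = [p for p in range(lo, hi + 1) if p not in allowed_ports]
                if extra:
                    issue = f"{len(extra)} port(s) beyond {sorted(allowed_ports)}"
                    findings.append((cidr, issue))
            else:
                findings.append((cidr, f"unexpected protocol {proto}"))
    return findings

# Constructed sample rules; only the first matches the page's mock example.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.128.0.0/18"}]},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.128.0.0/18"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    print("overlap:", cidrs_overlap(COMPUTE_PLANE_CIDR, TARGET_CIDR))
    for cidr, issue in audit_ingress(SAMPLE_RULES, COMPUTE_PLANE_CIDR, {22}):
        print(cidr, "->", issue)
```

Pass the set of ports your data source actually uses as allowed_ports, for example {3306} for MySQL or {5432} for PostgreSQL.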

Step 5: Verify the VPC peering connection

You can verify your peering connection by testing that a service in the Ahana Compute Plane VPC can communicate with the desired service in the target VPC. For example, if the target service is a data source, you can attempt to reach that data source from your Presto cluster.

Another way to test the connection is to set up a test EC2 instance in your Ahana Compute Plane VPC and attempt to reach the target service. In this example, we set up a free t2.micro instance in the Ahana Compute Plane, logged in via secure shell (SSH), and made a curl connection to the target service (another test EC2 instance in this case). Note that it does not matter that the curl was not allowed; the point is that two services in distinct VPCs were able to communicate, and they did so via only private IPs.

$ ssh -i ~/mykey.pem ec2-user@54.211.86.231
Last login: Wed Apr 28 21:21:26 2021 from 76.102.85.192

__| __|_ )
_| ( / Amazon Linux 2 AMI
___|\___|___|

https://aws.amazon.com/amazon-linux-2/

$ curl -L 172.31.0.13:22
SSH-2.0-OpenSSH_7.4
curl: (56) Recv failure: Connection reset by peer

Step 6: Deleting a VPC peering connection

If you no longer require a VPC peering connection, you can delete it.

  1. Go to the VPC service for your Ahana Compute Plane VPC.

  2. Select Peering Connections from the left navigation.

  3. Select Delete VPC Peering Connection under the Actions in the main panel.

    ../static/img/delete-peering-redacted.png

  4. Confirm the deletion by clicking Yes, Delete from the confirmation modal that appears.

../static/img/delete-peering-confirm-redacted.png