How To Deploy Peering Between AWS Regions

Summary

Recently we needed to expand our QA tests across more regions worldwide to ensure we simulated the most demanding use-cases for geo-distributed MySQL on Tungsten Cluster.

This blog post details the steps taken to add the Frankfurt region (eu-central-1) to our AWS environment, using VPC Peering Connections to route network traffic between regions. This allows an instance in us-west-1 (for example 10.14.1.101) to reach 10.15.1.201 in eu-central-1 without the traffic ever leaving the private network for the public internet.

Peering Connections are defined by Amazon this way:

“A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. The VPCs can be in different regions (also known as an inter-region VPC peering connection).”

https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html

Existing Regions

For our example, we will use two existing regions and add a third for clarity. At Continuent, we have six regions tied together in this manner.

To begin, here are the example regions:

Status    Region        Name                        CIDR          VPC   SG    Subnet 1 (eth0)  Subnet 2 (eth1)
Existing  sa-east-1     South America (Sao Paulo)   10.11.0.0/16  4     4     10.11.1.0/24     10.11.2.0/24
Existing  us-west-1     USA (N. California)         10.14.0.0/16  5     5     10.14.1.0/24     10.14.2.0/24
New       eu-central-1  Europe (Frankfurt)          10.15.0.0/16  demo  demo  10.15.1.0/24     10.15.2.0/24

Procedure to Add Frankfurt

Basic Steps

These are the basic steps to create the VPC, subnet, and basic routing to the internet:

  • Create VPC
    AWS Console -> VPC -> Your VPCs -> change region to eu-central-1 -> Create VPC 'vpc-demo' and use 10.15.0.0/16 CIDR; Note the new VPC ID for use later!
  • Rename new security group
    AWS Console -> VPC -> Security Groups -> Filter by the VPC ID created in the previous step, then rename to 'demo-sg'
  • Create subnet
    AWS Console -> VPC -> Subnets -> Create Subnet -> Select vpc-demo -> demo-subnet-eth0, Select AZ, 10.15.1.0/24 CIDR
  • Enable public IP at boot for the new subnet
    AWS Console -> VPC -> Subnets -> select demo-subnet-eth0 -> Actions menu -> Modify auto-assign IP settings -> Check 'Enable auto-assign public IPv4 address' and click Save
  • Rename the new route table
    AWS Console -> VPC -> Route tables -> Filter by the vpc id created in the first step, then rename to 'peer-routing'
  • Associate the new subnet with the route table
    AWS Console -> VPC -> Route tables -> Subnet associations tab -> Edit subnet associations -> select new subnet and click "save associations"
  • Create new Internet Gateway and attach it to the created VPC
    AWS Console -> VPC -> Internet gateways -> Create internet gateway -> "demo-igw" then click "create internet gateway" -> Actions menu -> Attach to VPC -> select vpc-demo then click "attach internet gateway"
  • Add new default route to the Internet Gateway
    AWS Console -> VPC -> Route tables -> Select 'peer-routing' -> Routes tab -> Edit routes -> Add route -> 0.0.0.0/0 -> Internet gateway -> select 'demo-igw' then click save

Establish Peering

We need to create one new peering connection for each existing region/network using the /16 CIDR address for each:

  • AWS Console -> VPC -> Peering Connections -> Create peering connection -> Create peering connection -> eu-central-1-sa-east-1-Peering, vpc-demo, Another region, sa-east-1, vpc-4 -> Create
  • AWS Console -> VPC -> Peering Connections -> Create peering connection -> Create peering connection -> eu-central-1-us-west-1-Peering, vpc-demo, Another region, us-west-1, vpc-5 -> Create

All new peering connections require a request-acceptance step in the target region, so this must be done twice, once per existing region:

  • AWS Console -> VPC -> Peering Connections -> change region to sa-east-1 -> search for Status:pending -> rename to eu-central-1-sa-east-1-Peering -> Actions menu -> Accept request -> Click Accept request button
  • AWS Console -> VPC -> Peering Connections -> change region to us-west-1 -> search for Status:pending -> rename to eu-central-1-us-west-1-Peering -> Actions menu -> Accept request -> Click Accept request button

Create Network Routes

The instances in the existing regions need to be able to route packets to the new region via private addresses, so we add a route across the peering connection twice, once per existing region:

  • AWS Console -> VPC -> Route tables -> change region to sa-east-1 -> Select 'peer-routing' -> Routes tab -> Edit routes -> Add route -> 10.15.0.0/16, Peering connection->eu-central-1-sa-east-1-Peering -> Save
  • AWS Console -> VPC -> Route tables -> change region to us-west-1 -> Select 'peer-routing' -> Routes tab -> Edit routes -> Add route -> 10.15.0.0/16, Peering connection->eu-central-1-us-west-1-Peering -> Save

Routes from the new region to the existing two regions also need to be created:

  • AWS Console -> VPC -> Route tables -> change region to eu-central-1 -> Select 'peer-routing' -> Routes tab -> Edit routes ->
      Add route -> 10.11.0.0/16, Peering connection->eu-central-1-sa-east-1-Peering
      Add route -> 10.14.0.0/16, Peering connection->eu-central-1-us-west-1-Peering
    -> Click Save

Create Security Rules

Allow traffic from the new region to the existing regions:

  • AWS Console -> VPC -> Security groups -> change region to sa-east-1 -> Select 'demo-sg' -> Inbound rules tab -> Edit inbound rules -> Add rule -> All traffic, 10.15.1.0/24, eu-central-1 demo VPC Subnet 1 eth0 -> Save
  • AWS Console -> VPC -> Security groups -> change region to us-west-1 -> Select 'demo-sg' -> Inbound rules tab -> Edit inbound rules -> Add rule -> All traffic, 10.15.1.0/24, eu-central-1 demo VPC Subnet 1 eth0 -> Save

Lastly, we need to allow traffic from the existing two regions to the new region:

  • AWS Console -> VPC -> Security groups -> change region to eu-central-1 -> Select 'demo-sg' -> Inbound rules tab -> Edit inbound rules ->
      Add rule -> All traffic, My IP, Home
      Add rule -> All traffic, 10.11.1.0/24, sa-east-1 Subnet 1 VPC
      Add rule -> All traffic, 10.14.1.0/24, us-west-1 Subnet 1 VPC
    -> Click Save rules
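As an added example (not from the post or from Continuent's own tooling), the Python below derives the same peering connections, 'peer-routing' entries and 'demo-sg' inbound rules from the region table above, and runs two checks worth doing before clicking through the console: that no two VPC CIDRs overlap (AWS will not activate a peering between overlapping VPCs) and that every inbound rule's source CIDR is covered by a route in that region, which catches a route or rule applied on only one side. The function names are hypothetical; the CIDRs are the post's.

```python
import ipaddress
from itertools import combinations

# Constructed from the post's region table: VPC CIDR and Subnet 1 (eth0).
REGIONS = {
    "sa-east-1":    {"vpc": "10.11.0.0/16", "eth0": "10.11.1.0/24"},
    "us-west-1":    {"vpc": "10.14.0.0/16", "eth0": "10.14.1.0/24"},
    "eu-central-1": {"vpc": "10.15.0.0/16", "eth0": "10.15.1.0/24"},
}

def overlapping_vpcs(regions):
    """AWS will not activate a peering between VPCs whose CIDRs overlap,
    so check every pair before creating the connections."""
    return [
        (a, b)
        for (a, ra), (b, rb) in combinations(regions.items(), 2)
        if ipaddress.ip_network(ra["vpc"]).overlaps(ipaddress.ip_network(rb["vpc"]))
    ]

def plan_peering(regions, new_region):
    """Derive what the post configures by hand when joining new_region:
    peering names, 'peer-routing' routes as (region, destination, peering)
    and 'demo-sg' inbound rules as (region, allowed source CIDR)."""
    peerings, routes, sg_rules = [], [], []
    for existing in regions:
        if existing == new_region:
            continue
        name = f"{new_region}-{existing}-Peering"
        peerings.append(name)
        # Both sides need a route to the other side's whole /16.
        routes.append((existing, regions[new_region]["vpc"], name))
        routes.append((new_region, regions[existing]["vpc"], name))
        # Inbound rules are scoped to the peer's eth0 /24, not its /16.
        sg_rules.append((existing, regions[new_region]["eth0"]))
        sg_rules.append((new_region, regions[existing]["eth0"]))
    return peerings, routes, sg_rules

def unroutable_sg_sources(routes, sg_rules):
    """Flag inbound rules whose source CIDR is not covered by any route in
    that region: a sign that a route or rule was applied on one side only."""
    bad = []
    for region, src in sg_rules:
        src_net = ipaddress.ip_network(src)
        covered = any(r == region and src_net.subnet_of(ipaddress.ip_network(dst))
                      for r, dst, _ in routes)
        if not covered:
            bad.append((region, src))
    return bad
```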

Done!

You are now able to route using private IP addresses from the new region to the existing regions and the other way around.

About the Author

Eric M. Stone
COO and VP of Product Management

Eric is a veteran of fast-paced, large-scale enterprise environments with 35 years of Information Technology experience. With a focus on HA/DR, from building data centers and trading floors to world-wide deployments, Eric has architected, coded, deployed and administered systems for a wide variety of disparate customers, from Fortune 500 financial institutions to SMBs.
