5 Tips for Troubleshooting an AWS VPC Peering Connection

source link: https://spin.atomicobject.com/2022/03/10/aws-vpc-peering/

If you're using Virtual Private Clouds (VPCs) in Amazon Web Services, you may one day find the need to allow two of these virtual networks to talk with each other. This comes up when services in separate VPCs, possibly in different AWS accounts or regions, need to reach each other over private IP addresses without going through the public internet. To facilitate this, AWS provides a feature called "VPC Peering."

VPCs by themselves are complex because you need a strong grasp of the networking layer. Without an understanding of subnets, subnet masks, network address translation, DNS, and routing, it's not likely you'll have a good time. Even with that background, AWS layers its own complexity on top.

If you're pretty sure you've done things correctly at the networking layer but find that your VPC Peering connection isn't working, here are some areas you can double-check.

1. Check both sides.

Start with the basics. Does the peering connection exist, and is it visible from both VPCs (in the other account or region, if that applies)? Its status should be "active." A connection stuck in "pending-acceptance" has not yet been accepted on the accepter side, and a "failed" one typically means the request could not be fulfilled, for example because the two VPCs' CIDR blocks overlap, which peering does not allow.

Beyond that, this is a reminder for the subsequent checks. If something is incorrectly configured on either side of the peering connection, things won't work.

Make sure you check both sides, and that everything is compatible internally and with the other VPC.

2. Check the route table.

If the VPC peering connection is active, the next thing to check is the route tables (AWS's term; each VPC has a main route table, and subnets can have their own).

On each side, the route table should have a route whose destination is the other VPC's CIDR block (or a subnet within it; the destination must fall inside the peer VPC's CIDR, and the two VPCs' CIDRs must not overlap) and whose target is the peering connection. Both sides need this: a route out with no matching route back on the peer side means requests arrive but replies are never returned.

Without these entries in the route table, no packets will be able to cross.

3. Check the _other_ route tables.

A subnet that is explicitly associated with a custom route table uses that table, not the VPC's main one. The main route table applies only to subnets with no explicit association, so if the subnet you care about has its own table, editing the main route table will have no effect on it.

Identify a service that can't be reached (or can't reach out), find the subnet its network interface lives in, and then look up the route table associated with that subnet. Ensure that table has a route for the peer VPC's CIDR targeting the peering connection.
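The two route-table checks above are easy to get wrong by looking at the main table when a custom table governs the subnet. The following is an added example, not code from the original post, that encodes the procedure: pick the effective route table for a subnet (explicit association wins, main table otherwise), then longest-prefix match the peer CIDR and confirm the winning route targets the peering connection. The input is a constructed list shaped like `aws ec2 describe-route-tables` JSON output with invented IDs and CIDRs; in practice you would feed it the real output for your VPC.

```python
import ipaddress

# Constructed sample shaped like `aws ec2 describe-route-tables` output for one VPC.
# Every ID and CIDR below is made up. Local VPC is 10.0.0.0/16, peer VPC is 10.1.0.0/16.
PCX_ID = "pcx-0123456789abcdef0"
PEER_CIDR = "10.1.0.0/16"

ROUTE_TABLES = [
    {   # main table: has the correct peering route
        "RouteTableId": "rtb-main00001",
        "VpcId": "vpc-aaaa1111",
        "Associations": [{"Main": True, "RouteTableId": "rtb-main00001"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": PEER_CIDR, "VpcPeeringConnectionId": PCX_ID, "State": "active"},
        ],
    },
    {   # custom table explicitly associated with the app subnet: no peering route,
        # so peer-bound traffic follows the NAT default route and never arrives
        "RouteTableId": "rtb-priv00002",
        "VpcId": "vpc-aaaa1111",
        "Associations": [{"Main": False, "SubnetId": "subnet-app00002", "RouteTableId": "rtb-priv00002"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaaa1111", "State": "active"},
        ],
    },
]


def effective_route_table(route_tables, subnet_id):
    """Return the table that governs subnet_id: an explicitly associated table
    wins; a subnet with no explicit association uses the VPC's main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def route_target(route):
    """Name whatever the route points at, for the error message."""
    for key in ("VpcPeeringConnectionId", "GatewayId", "NatGatewayId",
                "TransitGatewayId", "NetworkInterfaceId", "InstanceId"):
        if route.get(key):
            return route[key]
    return "unknown"


def peering_route_problems(route_tables, subnet_id, peer_cidr, pcx_id):
    """Explain why traffic from subnet_id would not reach peer_cidr via pcx_id.
    An empty list means the effective table routes the whole peer CIDR to the pcx."""
    peer_net = ipaddress.ip_network(peer_cidr)
    rt = effective_route_table(route_tables, subnet_id)
    if rt is None:
        return [f"{subnet_id}: no explicit association and no main route table found"]

    # Longest-prefix match among routes whose destination covers the whole peer CIDR,
    # which is what the VPC router does for a packet addressed into that range.
    best_net, best_route = None, None
    for route in rt.get("Routes", []):
        dest = route.get("DestinationCidrBlock")
        if not dest:
            continue  # IPv6 and prefix-list routes are out of scope for this check
        net = ipaddress.ip_network(dest)
        if net.version == peer_net.version and peer_net.subnet_of(net):
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_route = net, route

    if best_route is None:
        return [f"{rt['RouteTableId']}: no route covers {peer_cidr}"]
    problems = []
    if best_route.get("State") != "active":
        problems.append(f"{rt['RouteTableId']}: route {best_net} is {best_route.get('State')}")
    if best_route.get("VpcPeeringConnectionId") != pcx_id:
        problems.append(f"{rt['RouteTableId']}: {best_net} is routed to "
                        f"{route_target(best_route)}, not {pcx_id}")
    return problems


if __name__ == "__main__":
    for subnet in ("subnet-app00002", "subnet-db000003"):
        issues = peering_route_problems(ROUTE_TABLES, subnet, PEER_CIDR, PCX_ID)
        print(subnet, "OK" if not issues else issues)
```

Run the same check against the peer VPC's route tables with the CIDRs swapped; the return path is checked the same way, and a missing return route produces the same symptom (timeouts) as a missing outbound one.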

4. Check the security groups.

If you're reading a blog post on VPC peering, it's likely you already have some familiarity with AWS's "security groups." If not, they're essentially stateful firewall rules attached to a network interface that can only allow (not deny) traffic, and when several groups are attached to the same interface their rules are combined: a packet is allowed if any rule in any attached group matches.

The concept is fairly straightforward, but it still merits mention. For every service-to-service connection across the peering, the destination's security group needs an inbound rule allowing the source's address range in the remote VPC (or, for peering within a single region, the source's security group ID; cross-region peering cannot reference the peer's groups), and the source's security group needs an outbound rule allowing the destination. Because security groups are stateful, reply traffic is allowed automatically. A common mistake is an inbound rule scoped to the local VPC's CIDR, which silently drops connections arriving from the peer VPC.

Network ACLs on the subnets are a separate layer: they are stateless and can deny, so if a subnet has a custom NACL, confirm it allows the traffic in both directions, including the ephemeral return ports.

You'll need to ensure everything is configured correctly on both sides of the peering connection and for each service-to-service line of communication. This, by far, is the most time-consuming step.
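Because several groups stack and only one side of each flow needs a rule, it helps to evaluate a specific source-to-destination flow rather than eyeballing rules. This is an added example, not code from the original post, that applies security-group semantics (allow-only, union across attached groups, stateful, CIDR or group-ID match) to constructed data shaped like `aws ec2 describe-security-groups` JSON output. All group IDs, CIDRs and addresses are invented; the scenario is the local-CIDR-only mistake described above and two ways of fixing it.

```python
import ipaddress

# Constructed sample shaped like `aws ec2 describe-security-groups` output; IDs and
# CIDRs are made up. The app lives in the peer VPC (10.1.0.0/16); the database sits
# in the local VPC (10.0.0.0/16). The database group below only admits the local
# VPC's range, so connections arriving over the peering are dropped.
SG_APP = {
    "GroupId": "sg-0app000000000001",
    "IpPermissions": [],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}
SG_DB_LOCAL_ONLY = {
    "GroupId": "sg-0db0000000000002",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}
# Fix 1: also admit the peer VPC's CIDR (works for same-region and cross-region peering).
SG_DB_PEERED = {
    **SG_DB_LOCAL_ONLY,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}, {"CidrIp": "10.1.0.0/16"}],
         "UserIdGroupPairs": []},
    ],
}
# Fix 2: reference the app's group ID instead of a CIDR (same-region peering only).
SG_DB_BY_REF = {
    **SG_DB_LOCAL_ONLY,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0app000000000001", "UserId": "111111111111"}]},
    ],
}


def _rule_matches(rule, proto, port, ip, peer_group_ids):
    """One IpPermissions entry: protocol, then port range, then CIDR or group reference."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    if rule["IpProtocol"] != "-1" and not (rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)):
        return False
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
        return True
    return any(p.get("GroupId") in peer_group_ids for p in rule.get("UserIdGroupPairs", []))


def allowed(groups, direction, proto, port, ip, peer_group_ids=frozenset()):
    """Groups on one interface are unioned: any matching rule in any group allows."""
    key = "IpPermissions" if direction == "ingress" else "IpPermissionsEgress"
    return any(_rule_matches(rule, proto, port, ip, peer_group_ids)
               for sg in groups for rule in sg.get(key, []))


def flow_allowed(src_groups, src_ip, dst_groups, dst_ip, proto, port):
    """Security groups are stateful, so a new flow needs exactly two things:
    source egress to (dst_ip, port) and destination ingress from src_ip on port.
    Returns (egress_ok, ingress_ok) so the failing side is visible."""
    src_ids = {g["GroupId"] for g in src_groups}
    dst_ids = {g["GroupId"] for g in dst_groups}
    return (allowed(src_groups, "egress", proto, port, dst_ip, dst_ids),
            allowed(dst_groups, "ingress", proto, port, src_ip, src_ids))


if __name__ == "__main__":
    for name, db in (("local-only", SG_DB_LOCAL_ONLY), ("peer CIDR", SG_DB_PEERED), ("group ref", SG_DB_BY_REF)):
        print(name, flow_allowed([SG_APP], "10.1.2.3", [SG_DB_PEERED if False else db], "10.0.5.10", "tcp", 5432))
```

The tuple makes the failing side obvious: `(True, False)` means the source may send but the destination refuses, which is the signature of an inbound rule that forgot the peer VPC's range. The group-ID form is tidier and survives re-addressing, but only for peering within one region; across regions you have to fall back to CIDRs.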

5. Check for private DNS resolution.

Perhaps all of the above steps have been verified and appear to be correct. In this case, the fix may be easy. You may simply need to enable DNS resolution over the peering connection, so that hostnames of resources in the peer VPC resolve to their private IPs instead of their public ones. This is a per-side option on the peering connection itself (AllowDnsResolutionFromRemoteVpc in the requester and accepter options of modify-vpc-peering-connection-options), and each side's setting controls what the other side can resolve. Both VPCs also need DNS hostnames and DNS resolution enabled for this to work.

For example, if it is enabled on the requester side, then instances in the accepter VPC will be able to resolve the public DNS hostnames of resources in the requester VPC to their private IPs.

This will only matter if you are referring to services by their domain name, such as my-aoeuid123-east-1.rds.amazonaws.com, rather than by IP address.
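The first and last tips both come down to fields on the peering connection itself: its status, the two CIDR blocks, and the DNS options, whose direction is easy to get backwards. The following is an added example, not code from the original post, that reads one constructed record shaped like `aws ec2 describe-vpc-peering-connections` JSON output (all IDs, account numbers, regions and CIDRs are invented) and reports the problems in plain words, including which side's DNS flag to flip for the resolution you actually need.

```python
import ipaddress

# Constructed sample shaped like one element of `aws ec2 describe-vpc-peering-connections`
# output; every identifier, account ID, region and CIDR below is made up.
PEERING_OK = {
    "VpcPeeringConnectionId": "pcx-0123456789abcdef0",
    "Status": {"Code": "active", "Message": "Active"},
    "RequesterVpcInfo": {
        "OwnerId": "111111111111", "VpcId": "vpc-aaaa1111", "Region": "us-east-1",
        "CidrBlock": "10.0.0.0/16",
        "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": False},
    },
    "AccepterVpcInfo": {
        "OwnerId": "222222222222", "VpcId": "vpc-bbbb2222", "Region": "us-east-1",
        "CidrBlock": "10.1.0.0/16",
        "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": True},
    },
}
# A request that will never carry traffic: not accepted, overlapping CIDRs, cross-region,
# and no PeeringOptions yet (the API only reports them once the connection is active).
PEERING_BROKEN = {
    "VpcPeeringConnectionId": "pcx-0fedcba9876543210",
    "Status": {"Code": "pending-acceptance", "Message": "Pending Acceptance by 222222222222"},
    "RequesterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-aaaa1111",
                         "Region": "us-east-1", "CidrBlock": "10.0.0.0/16"},
    "AccepterVpcInfo": {"OwnerId": "222222222222", "VpcId": "vpc-cccc3333",
                        "Region": "eu-west-1", "CidrBlock": "10.0.128.0/17"},
}


def is_cross_region(pcx):
    """Cross-region peering cannot reference the peer's security group IDs; use CIDRs."""
    return pcx["RequesterVpcInfo"].get("Region") != pcx["AccepterVpcInfo"].get("Region")


def peering_problems(pcx, need_accepter_resolves_requester=True,
                     need_requester_resolves_accepter=True):
    """Return a list of human-readable problems; empty means tips 1 and 5 check out."""
    problems = []
    status = pcx.get("Status", {}).get("Code")
    if status != "active":
        problems.append(f"status is {status!r}, not 'active' "
                        "(pending-acceptance means the accepter side has not accepted yet)")

    req, acc = pcx["RequesterVpcInfo"], pcx["AccepterVpcInfo"]
    req_net = ipaddress.ip_network(req["CidrBlock"])
    acc_net = ipaddress.ip_network(acc["CidrBlock"])
    if req_net.overlaps(acc_net):
        problems.append(f"CIDRs overlap ({req_net} vs {acc_net}); peering requires "
                        "non-overlapping address ranges")

    # Direction of the DNS flags: the REQUESTER's AllowDnsResolutionFromRemoteVpc lets
    # instances in the ACCEPTER VPC resolve requester-side hostnames to private IPs,
    # and the accepter's flag does the reverse.
    req_flag = req.get("PeeringOptions", {}).get("AllowDnsResolutionFromRemoteVpc", False)
    acc_flag = acc.get("PeeringOptions", {}).get("AllowDnsResolutionFromRemoteVpc", False)
    if need_accepter_resolves_requester and not req_flag:
        problems.append("accepter VPC cannot resolve requester VPC hostnames to private IPs: "
                        "enable AllowDnsResolutionFromRemoteVpc on the requester side")
    if need_requester_resolves_accepter and not acc_flag:
        problems.append("requester VPC cannot resolve accepter VPC hostnames to private IPs: "
                        "enable AllowDnsResolutionFromRemoteVpc on the accepter side")
    return problems


if __name__ == "__main__":
    for pcx in (PEERING_OK, PEERING_BROKEN):
        print(pcx["VpcPeeringConnectionId"], "cross-region" if is_cross_region(pcx) else "same-region")
        for p in peering_problems(pcx) or ["no problems found"]:
            print("  -", p)
```

Pass `need_requester_resolves_accepter=False` (or the other flag) when only one direction of name resolution is needed; enabling a DNS option on a side whose hostnames nobody in the peer VPC looks up is harmless but unnecessary.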

Speed up your peering connection troubleshooting.

There's a lot that can go wrong when attempting to set up a VPC peering connection, and it can take a long time to troubleshoot.

Hopefully, armed with this list, your troubleshooting can go much more quickly.
