AWS VPC Peering comes in quite handy when you need to allow access to RDS instances or other workloads that are located inside separate VPCs, from the Porter cluster. This doc is meant to serve as a checklist for setting up AWS VPC peering connections between a Porter cluster’s VPC and an existing VPC on your AWS account. Note that this can work across separate regions too.
The first step is to create a peering connection, which can be accomplished by navigating to the
Peering Connections section on the VPC dashboard. Whilst creating a connection, note that the requester VPC should be the Porter VPC, and the accepter VPC should be the VPC you wish to create a peering tunnel towards. Note that this is purely for consistency’s sake.
Once done, you’ll need to “accept” the request for the connection. Do ensure that the peering connection is set up between VPCs that have different CIDRs.
The next step is to ensure that each VPC’s subnets have routing tables that are updated with entries telling each subnet where to throw traffic for the other VPC’s CIDR. As an example, assume that VPC
10.99.0.0/16 as its CIDR and VPC
172.31.0.0/16. In this case, the routing table for each subnet inside
k8s-upgrade-test needs to have an entry specifying that traffic for
172.31.0.0/16 is sent to the peering connection, and the routing table for each subnet inside
default needs to have an entry that routes traffic for
10.99.0.0/16 to the peering connection.
Finally, it’s important to ensure that if the Porter VPC needs to access a resource in a second VPC over a peering connection, the security group(s) for that resource in the second VPC have entries allowing traffic from the Porter VPC’s CIDR - typically 10.99.0.0/16 - for the port the resource is supposed to be available at.