This is a cache of https://docs.openshift.com/rosa/rosa_cluster_admin/cloud_infrastructure_access/dedicated-aws-peering.html. It is a snapshot of the page at 2024-11-24T03:08:36.434+0000.
Configuring AWS VPC peering - Configuring private connections | Cluster administration | Red Hat OpenShift Service on AWS
×

This sample process configures an Amazon Web Services (AWS) VPC containing an Red Hat OpenShift Service on AWS cluster to peer with another AWS VPC network. For more information about creating an AWS VPC Peering connection or for other possible configurations, see the AWS VPC Peering guide.

VPC peering terms

When setting up a VPC peering connection between two VPCs on two separate AWS accounts, the following terms are used:

Red Hat OpenShift Service on AWS AWS Account

The AWS account that contains the Red Hat OpenShift Service on AWS cluster.

Red Hat OpenShift Service on AWS Cluster VPC

The VPC that contains the Red Hat OpenShift Service on AWS cluster.

Customer AWS Account

Your non-Red Hat OpenShift Service on AWS AWS Account that you would like to peer with.

Customer VPC

The VPC in your AWS Account that you would like to peer with.

Customer VPC Region

The region where the customer’s VPC resides.

As of July 2018, AWS supports inter-region VPC peering between all commercial regions excluding China.

Initiating the VPC peer request

You can send a VPC peering connection request from the Red Hat OpenShift Service on AWS AWS Account to the Customer AWS Account.

Prerequisites
  • Gather the following information about the Customer VPC required to initiate the peering request:

    • Customer AWS account number

    • Customer VPC ID

    • Customer VPC Region

    • Customer VPC CIDR

  • Check the CIDR block used by the Red Hat OpenShift Service on AWS Cluster VPC. If it overlaps or matches the CIDR block for the Customer VPC, then peering between these two VPCs is not possible; see the Amazon VPC Unsupported VPC Peering Configurations documentation for details. If the CIDR blocks do not overlap, you can continue with the procedure.

Procedure
  1. Log in to the Web Console for the Red Hat OpenShift Service on AWS AWS Account and navigate to the VPC Dashboard in the region where the cluster is being hosted.

  2. Go to the Peering Connections page and click the Create Peering Connection button.

  3. Verify the details of the account you are logged in to and the details of the account and VPC you are connecting to:

    1. Peering connection name tag: Set a descriptive name for the VPC Peering Connection.

    2. VPC (Requester): Select the Red Hat OpenShift Service on AWS Cluster VPC ID from the dropdown *list.

    3. Account: Select Another account and provide the Customer AWS Account number *(without dashes).

    4. Region: If the Customer VPC Region differs from the current region, select Another Region and select the customer VPC Region from the dropdown list.

    5. VPC (Accepter): Set the Customer VPC ID.

  4. Click Create Peering Connection.

  5. Confirm that the request enters a Pending state. If it enters a Failed state, confirm the details and repeat the process.

Accepting the VPC peer request

After you create the VPC peering connection, you must accept the request in the Customer AWS Account.

Prerequisites
  • Initiate the VPC peer request.

Procedure
  1. Log in to the AWS Web Console.

  2. Navigate to VPC Service.

  3. Go to Peering Connections.

  4. Click on Pending peering connection.

  5. Confirm the AWS Account and VPC ID that the request originated from. This should be from the Red Hat OpenShift Service on AWS AWS Account and Red Hat OpenShift Service on AWS Cluster VPC.

  6. Click Accept Request.

Configuring the routing tables

After you accept the VPC peering request, both VPCs must configure their routes to communicate across the peering connection.

Prerequisites
  • Initiate and accept the VPC peer request.

Procedure
  1. Log in to the AWS Web Console for the Red Hat OpenShift Service on AWS AWS Account.

  2. Navigate to the VPC Service, then route Tables.

  3. Select the route Table for the Red Hat OpenShift Service on AWS Cluster VPC.

    On some clusters, there may be more than one route table for a particular VPC. Select the private one that has a number of explicitly associated subnets.

  4. Select the routes tab, then Edit.

  5. Enter the Customer VPC CIDR block in the Destination text box.

  6. Enter the Peering Connection ID in the Target text box.

  7. Click Save.

  8. You must complete the same process with the other VPC’s CIDR block:

    1. Log into the Customer AWS Web Console → VPC Serviceroute Tables.

    2. Select the route Table for your VPC.

    3. Select the routes tab, then Edit.

    4. Enter the Red Hat OpenShift Service on AWS Cluster VPC CIDR block in the Destination text box.

    5. Enter the Peering Connection ID in the Target text box.

    6. Click Save.

The VPC peering connection is now complete. Follow the verification procedure to ensure connectivity across the peering connection is working.

Verifying and troubleshooting VPC peering

After you set up a VPC peering connection, it is best to confirm it has been configured and is working correctly.

Prerequisites
  • Initiate and accept the VPC peer request.

  • Configure the routing tables.

Procedure
  • In the AWS console, look at the route table for the cluster VPC that is peered. Ensure that the steps for configuring the routing tables were followed and that there is a route table entry pointing the VPC CIDR range destination to the peering connection target.

    If the routes look correct on both the Red Hat OpenShift Service on AWS Cluster VPC route table and Customer VPC route table, then the connection should be tested using the netcat method below. If the test calls are successful, then VPC peering is working correctly.

  • To test network connectivity to an endpoint device, nc (or netcat) is a helpful troubleshooting tool. It is included in the default image and provides quick and clear output if a connection can be established:

    1. Create a temporary pod using the busybox image, which cleans up after itself:

      $ oc run netcat-test \
          --image=busybox -i -t \
          --restart=Never --rm \
          -- /bin/sh
    2. Check the connection using nc.

      • Example successful connection results:

        / nc -zvv 192.168.1.1 8080
        10.181.3.180 (10.181.3.180:8080) open
        sent 0, rcvd 0
      • Example failed connection results:

        / nc -zvv 192.168.1.2 8080
        nc: 10.181.3.180 (10.181.3.180:8081): Connection refused
        sent 0, rcvd 0
    3. Exit the container, which automatically deletes the Pod:

      / exit