VPC peering
VPC peering allows you to connect two networks in different accounts or regions. This is useful when you want to allow connectivity to resources from another account without exposing them to the public internet.
Peering is established from a network in the customer account to the network where the customer's resources are located. Because of that, this feature is limited to the BYOA hosting model, or to the Service Provider hosting model with the "Customer Provided Networks" feature enabled. In both cases the network is dedicated to a single customer.
The VPC peering process can only be initiated by the customer, and the owner of the cloud network must accept the peering request. In the Service Provider hosting model that owner is the service provider. In the BYOA model, VPC peering can be completed solely by the customer.
Warning
To make peering possible, the CIDR blocks of the source and target networks must not overlap. The customer needs to take this into account, as they own the source network and can also define the target network (which can be an imported existing network, a custom network created with a specified CIDR, or a default network created by Omnistrate with the default CIDR for the hosting cloud provider region).
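As an added illustration of the overlap rule (example code, not part of the original page), the shell functions below test whether two IPv4 CIDR blocks share any address, which is the check to run on the source and target CIDRs before a peering request is submitted. The CIDRs in the demo call are constructed sample values.

```shell
#!/bin/sh
# Added example: check that a requester and an accepter CIDR block do not
# overlap before creating a VPC peering request. IPv4 only; the CIDRs used
# in the demo call at the bottom are constructed sample values.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 (true) if the two CIDR blocks share at least one address.
# Two blocks overlap exactly when they agree on the first min(len_a, len_b)
# bits, i.e. the shorter prefix contains the base address of the longer one.
cidr_overlap() {
  a_net=$(ip_to_int "${1%/*}"); a_len=${1#*/}
  b_net=$(ip_to_int "${2%/*}"); b_len=${2#*/}
  len=$(( a_len < b_len ? a_len : b_len ))
  mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( a_net & mask )) -eq $(( b_net & mask )) ]
}

# Check a source (requester) CIDR against every target CIDR given; print one
# line per pair and return non-zero if any pair overlaps.
check_peering_cidrs() {
  src=$1; shift
  status=0
  for dst in "$@"; do
    if cidr_overlap "$src" "$dst"; then
      echo "CONFLICT: $src overlaps $dst - peering will fail"
      status=1
    else
      echo "ok: $src and $dst are disjoint"
    fi
  done
  return $status
}

# Demo with constructed values: a customer network against two candidate
# target networks (neither overlaps, so the script exits 0).
check_peering_cidrs 10.20.0.0/16 172.31.0.0/16 192.168.0.0/24
```

The same test applies to the default CIDR Omnistrate assigns: run it with that default as one of the target CIDRs before accepting a default network.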
Step-by-step instructions to configure VPC peering
The following sections present the step-by-step guide to setting up VPC peering for AWS and GCP:
AWS
- Customer locates the network and collects details:
    - On the SaaS UI, navigate to "Manage Account" -> "Custom Networks".
    - Locate the custom network you plan to peer. If it is not listed, that network does not support VPC peering.
    - Note the following values:
        - Native ID - the VPC ID of the network.
        - CIDR - the CIDR range of the network (the customer picked this value, but it helps with route configuration).
        - AWS Account ID - the AWS account ID that hosts the network (this will be one of your accounts).
        - AWS Region - the AWS region of the network.
    - Share these values with your customer.
- Customer uses the provided details to create a peering request. This can be done from the AWS Console, the CLI, or the API. The following steps show how to configure it using the AWS Console:
    - In the AWS console navigate to: VPC -> Peering connections -> Create peering connection.
    - Select the source VPC from the current account as "VPC ID (Requester)".
    - Use the AWS Account ID as the value for the "Another account" field.
    - Use the AWS Region as the value for the "Another region" field (can be skipped if the regions match).
    - Use the Native ID as the value for the "VPC ID (Accepter)" field.
    - Configure the route table to route traffic to the peered VPC. The configuration depends on the CIDR of the target network (Accepter). For details, see the AWS documentation.
    - Make sure the network ACLs on your VPC do not block outbound traffic.
- Owner accepts the peering request (Service Provider or Customer, based on the hosting model):
    - In the AWS console navigate to: VPC -> Peering connections.
    - Locate the peering request.
    - Accept it.
    - Configure the VPC security group to allow traffic from the peered VPC. For details, see the AWS documentation.
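The same AWS procedure driven from the AWS CLI, added here as an example (not code from the original page or from Omnistrate). It follows the page's order: the customer runs `request` in the requester account, both sides add routes with `route`, the customer reviews network ACL egress denies with `acls`, and the network owner runs `accept` and `ingress` in the accepter account. The environment variable names, the service port, and the route table and security group ids are placeholders the caller supplies; every id is format-checked before an API call is made, so a mistyped value fails locally rather than creating a request against the wrong network.

```shell
#!/bin/sh
# Added example: AWS VPC peering with the AWS CLI, following the page's steps.
# All ids/values are placeholders supplied by the caller via environment
# variables or arguments; nothing is executed unless an action is given.
set -eu

# --- input validation (formats of AWS ids; rejects typos before any API call)
is_vpc_id()     { printf '%s' "$1" | grep -Eq '^vpc-[0-9a-f]{8}([0-9a-f]{9})?$'; }
is_pcx_id()     { printf '%s' "$1" | grep -Eq '^pcx-[0-9a-f]{8}([0-9a-f]{9})?$'; }
is_account_id() { printf '%s' "$1" | grep -Eq '^[0-9]{12}$'; }
is_region()     { printf '%s' "$1" | grep -Eq '^[a-z]{2}(-gov)?-[a-z]+-[0-9]$'; }
is_cidr()       { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; }

require() { # require VALIDATOR VALUE LABEL
  "$1" "$2" || { echo "invalid $3: '$2'" >&2; exit 2; }
}

# Customer side (requester account): create the peering request from the values
# shared by the network owner (Native ID, AWS Account ID, AWS Region). Prints
# the new pcx-... id, which the owner needs for the accept step.
request_peering() {
  require is_vpc_id     "$REQUESTER_VPC_ID" "requester VPC ID"
  require is_vpc_id     "$ACCEPTER_VPC_ID"  "Native ID (accepter VPC ID)"
  require is_account_id "$ACCEPTER_ACCOUNT" "AWS Account ID"
  require is_region     "$ACCEPTER_REGION"  "AWS Region"
  aws ec2 create-vpc-peering-connection \
    --vpc-id "$REQUESTER_VPC_ID" \
    --peer-vpc-id "$ACCEPTER_VPC_ID" \
    --peer-owner-id "$ACCEPTER_ACCOUNT" \
    --peer-region "$ACCEPTER_REGION" \
    --query 'VpcPeeringConnection.VpcPeeringConnectionId' --output text
}

# Either side: route the peer's CIDR through the peering connection. Run once
# per route table that must reach the peer (requester routes to the accepter
# CIDR, accepter routes back to the requester CIDR).
add_peer_route() { # add_peer_route ROUTE_TABLE_ID PEER_CIDR PCX_ID
  require is_cidr   "$2" "peer CIDR"
  require is_pcx_id "$3" "peering connection ID"
  aws ec2 create-route --route-table-id "$1" \
    --destination-cidr-block "$2" --vpc-peering-connection-id "$3"
}

# Customer side: list network ACL entries that DENY egress, so a rule that
# would block traffic to the peer is spotted before testing connectivity.
show_egress_denies() {
  require is_vpc_id "$REQUESTER_VPC_ID" "requester VPC ID"
  aws ec2 describe-network-acls \
    --filters "Name=vpc-id,Values=$REQUESTER_VPC_ID" \
    --query "NetworkAcls[].Entries[?Egress && RuleAction=='deny']" --output table
}

# Owner side (accepter account): accept the request, then open the security
# group of the resources to the requester's CIDR on the service port only
# (not to 0.0.0.0/0, which would defeat the point of peering).
accept_peering() { # accept_peering PCX_ID
  require is_pcx_id "$1" "peering connection ID"
  require is_region "$ACCEPTER_REGION" "AWS Region"
  aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id "$1" \
    --region "$ACCEPTER_REGION"
}
allow_peer_ingress() { # allow_peer_ingress SECURITY_GROUP_ID REQUESTER_CIDR PORT
  require is_cidr   "$2" "requester CIDR"
  require is_region "$ACCEPTER_REGION" "AWS Region"
  aws ec2 authorize-security-group-ingress --group-id "$1" \
    --protocol tcp --port "$3" --cidr "$2" --region "$ACCEPTER_REGION"
}

# Dispatch, e.g.:
#   REQUESTER_VPC_ID=vpc-... ACCEPTER_VPC_ID=vpc-... ACCEPTER_ACCOUNT=123456789012 \
#   ACCEPTER_REGION=us-east-1 ./peer.sh request
case "${1:-}" in
  request) request_peering ;;
  route)   add_peer_route "$2" "$3" "$4" ;;
  acls)    show_egress_denies ;;
  accept)  accept_peering "$2" ;;
  ingress) allow_peer_ingress "$2" "$3" "$4" ;;
  "")      ;;   # run without an action: only define the functions
  *)       echo "usage: $0 request|route|acls|accept|ingress ..." >&2; exit 1 ;;
esac
```

The ingress rule is deliberately narrowed to the requester's CIDR and one TCP port; the peering connection itself carries no filtering, so the security group and the route tables are the only controls deciding which peer addresses can reach which resources.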
GCP
- Customer locates the network and collects details:
    - On the SaaS UI, navigate to "Manage Account" -> "Custom Networks".
    - Locate the custom network you plan to peer. If it is not listed, that network does not support VPC peering.
    - Note the following values:
        - Native ID - the GCP network identifier.
        - CIDR - the CIDR range of the network (the customer picked this value, but it helps with firewall configuration).
        - GCP Project ID - the GCP project ID that hosts the network (this will be one of your projects).
    - Share these values with your customer.
- Customer uses the provided details to create a peering request. This can be done from the GCP UI, the CLI, or the API. The following steps show how to configure it using the GCP UI:
    - On the GCP console navigate to: VPC Network -> VPC network details (of the network that will be peered) -> VPC network peering -> Add peering.
    - Pick a name for the peering connection that will help you identify it.
    - Select "In another project" and use the GCP Project ID as the value for the "Project" field.
    - Use the Native ID as the value for the "VPC network name" field.
    - Select "Import custom routes" and "Export custom routes".
- Owner accepts the peering request (Service Provider or Customer, based on the hosting model):
    - On the GCP console navigate to: VPC Network -> VPC network details (of the Native ID network).
    - You should see the peering request.
    - Accept it.
    - Create firewall rules to allow traffic from the peered network. For details, see the GCP documentation.
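The same GCP procedure driven from gcloud, added here as an example (not code from the original page or from Omnistrate). With gcloud there is no separate accept button: the owner "accepts" by creating the matching peering entry from their own project, and the peering becomes ACTIVE once both entries exist. The environment variable names, the peering names and the service port are placeholders the caller supplies; project ids and network names are checked against GCP naming rules before any call.

```shell
#!/bin/sh
# Added example: GCP VPC Network Peering with gcloud, following the page's steps.
# Project ids, network names and CIDRs are placeholders supplied by the caller.
set -eu

# --- input validation (GCP naming rules; rejects typos before any API call)
is_project_id()   { printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'; }
is_network_name() { printf '%s' "$1" | grep -Eq '^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$'; }
is_cidr()         { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; }

require() { # require VALIDATOR VALUE LABEL
  "$1" "$2" || { echo "invalid $3: '$2'" >&2; exit 2; }
}

# Create one side of the peering: a peering resource NAME in
# LOCAL_PROJECT/LOCAL_NETWORK pointing at PEER_PROJECT/PEER_NETWORK, with
# custom route import and export enabled as the page requires.
create_peering_side() { # NAME LOCAL_PROJECT LOCAL_NETWORK PEER_PROJECT PEER_NETWORK
  require is_network_name "$1" "peering name"
  require is_project_id   "$2" "local project ID"
  require is_network_name "$3" "local network name"
  require is_project_id   "$4" "peer project ID"
  require is_network_name "$5" "peer network name"
  gcloud compute networks peerings create "$1" \
    --project="$2" --network="$3" \
    --peer-project="$4" --peer-network="$5" \
    --import-custom-routes --export-custom-routes
}

# Customer side: request the peering towards the owner's network, using the
# Native ID and GCP Project ID collected in the first step of the page.
request_peering() {
  create_peering_side "to-provider" "$CUSTOMER_PROJECT" "$CUSTOMER_NETWORK" \
    "$OWNER_PROJECT" "$OWNER_NETWORK"
}

# Owner side: create the matching entry, then list peerings to confirm the
# state has moved from INACTIVE to ACTIVE.
accept_peering() {
  create_peering_side "to-customer" "$OWNER_PROJECT" "$OWNER_NETWORK" \
    "$CUSTOMER_PROJECT" "$CUSTOMER_NETWORK"
  gcloud compute networks peerings list --project="$OWNER_PROJECT" \
    --network="$OWNER_NETWORK"
}

# Owner side: allow ingress from the customer's CIDR on the service port only.
# GCP firewall rules apply to the whole network, so the source range and port
# are the controls that keep the rest of the network closed to the peer.
allow_peer_ingress() { # allow_peer_ingress CUSTOMER_CIDR PORT
  require is_cidr       "$1" "customer CIDR"
  require is_project_id "$OWNER_PROJECT" "owner project ID"
  gcloud compute firewall-rules create allow-peered-customer \
    --project="$OWNER_PROJECT" --network="$OWNER_NETWORK" \
    --direction=INGRESS --allow="tcp:$2" --source-ranges="$1"
}

# Dispatch, e.g.:
#   CUSTOMER_PROJECT=... CUSTOMER_NETWORK=... OWNER_PROJECT=... OWNER_NETWORK=... \
#   ./peer-gcp.sh request
case "${1:-}" in
  request) request_peering ;;
  accept)  accept_peering ;;
  ingress) allow_peer_ingress "$2" "$3" ;;
  "")      ;;   # run without an action: only define the functions
  *)       echo "usage: $0 request|accept|ingress ..." >&2; exit 1 ;;
esac
```

Because both entries are created with custom route import and export, any custom routes in either network become visible to the other; the firewall rule, not the peering, is what limits which of the customer's addresses can reach the resources.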
Retrieve Network Information for VPC Peering from a Deployment Instance
- Install the Omnistrate CLI from here.
- Identify the deployment cell associated with the deployment instance.
- Obtain network details for the deployment cell identified in the previous step.