I have several pre-prod VPC's for dev, qa, etc. So far everything is managed via CloudFormation + Lambda and is very clean.
Since none of the VPC's talk to each other, I can launch and tear down environments, all from one single set of templates and it is very idempotent.
Now I have a requirement to add a management VPC for some common things between the environments. I have used VPC peering through the UI before and it's easy to manage.
However I like the flexibility of tearing down and launching new environments, especially since prod will end up being blue/green.
So to avoid having to use the UI I was thinking of adding two Lambda functions:
1. on the mngmt VPC, list all VPC's and if there's not an existing VPC peering connection with one, request it
2. on pre-prod VPC's poll for VPC connection peering requests and accept if from a trusted owner
This way I can tear down the stack and re-launch them without any manual intervention.
Is this a wasteful design? Are there any problems that I am not foreseeing? What is a better way to accomplish this?
The AWS documentation states that only the owner of an account can accept a VPC peering connection. You could create a Lambda for each account and then use DescribeVpcPeeringConnections to detect pending-acceptance state. Then call AcceptVpcPeeringConnection. To create a VPC peering connection call AcceptVpCPeeringConnection.
Notes:
I do not like polling designs. In your case you would need to constantly poll to detect a new peering connection request. A better solution would be to invoke (or trigger via SNS) the Lambda functions via a script (program) after creating the VPCs.
This link is to the API Reference. From here you can select the language that you will be using at the bottom of the page.
AcceptVpcPeeringConnection
Related
The way my set-up works is that I have a 'development', 'staging' and 'production' environment all sitting in separate VPCs and I want to create a client VPN endpoint to allow engineers access to the internals of all these environments (the database mostly).
However, I can't decide how to approach this issue, my first idea was to create a single VPC which peers into all the other VPCs. This would make building the resource in terraform easier as the VPN can be completely separated out.
My other option would be to just have the VPN connection to the development VPC for example and then from there the development VPC peers into the production & staging VPCs however I really don't like this approach
As Steve mentioned from the comment, if you want to centralize your networking setup, for example:
A single or multi AWS VPN S2S with many VPCs
A single or multi DX connection with many VPCs
A single AWS Client VPN to many VPCs
and more
The answer is AWS Transit Gateway. This service also helps you if you have your VPCs placing under different AWS accounts.
For your use-case, AWS has published a blog post with detailed architecture with use-cases for your reference.
https://aws.amazon.com/blogs/networking-and-content-delivery/using-aws-client-vpn-to-scale-your-work-from-home-capacity/
I have two AWS accounts, which I will call prod and dev.
prod has an Aurora Serverless cluster (not instance!), perfectly connectable within its own VPC in the prod account. To save time and money, I would like to use this cluster in dev (obviously with read-only permissions, etc) instead of spinning up a new cluster, mostly due to volume of data and the need for parity during development.
I have set up dev exactly the same as prod, minus the Aurora cluster and with a different CIDR block for the VPC. I have set up a VPC peering connection between the VPCs in dev and prod with DNS resolution on both VPCs and enabled in the peering connection. I have added this peering connection to the route tables for each VPC, with the affected subnets explicitly associated. I have added both CIDR and SGs (including the VPC default SG, as I read recommended on SO in a tangentially related answer) to all affected SGs (Aurora cluster SG, SG for Lambda that is calling out to Aurora, default SG for VPC in both accounts). I also added the CIDR blocks to the ACL explicitly.
I can't get any kind of connection whatsoever. Documentation on whether this is even possible leads me in a recursive loop of not-quite-useful information, though it does seem the intra-region peering should be possible. I am no network expert, so it's entirely possible I have just horribly misconfigured something along the way, but I can't find any guides or useful documentation for this particular situation.
Is this even possible? Is there a checklist somewhere of changes to be made to allow connections like this (outside of the severely lacking AWS docs on VPC peering)? Route tables, subnets, security groups, ACLs, VPC peering connections...it's a lot of pieces and I feel like at this point I have just missed something, despite having torn down/reconfigured this setup via several guides.
I am trying to build a graphQL API with Serverless Framework on AWS-Lambda using Apollo-Server-Lambda etc. I need to use a not publicly available PostgreSQL RDS instance.
I can get lambdas up and running and sending back requests when not in VPC. I can get a Postgres RDS Database up and running and connected to PgAdmin (when in publicly available mode).
The problem is once I make the RDS Postgres 'non public' and try to get all these pieces talking together I fail.
I have tried multitude of different approaches.
This is regularly portrayed as magic. It is wonderfully written https://gist.github.com/reggi/dc5f2620b7b4f515e68e46255ac042a7
I could not get access to Postgres with my lambdas using this. So my first question.
Do I need a NAT gateway for incoming (ingress) api calls to lambdas in a VPC?
My current understanding is that maybe I only need a NAT gateway for my lambdas to make outgoing calls to other api's out of aws or things like S3. Is this correct?
Next up. I have made a security group for my lambdas and have added this security group to the inbound list for the security group that was created for RDS. My understanding is this is how the lambdas should gain access to RDS. I have not had such luck. Maybe this is related to public or non public subnets? Maybe this is related to my understanding of the necessity of a NAT?
Basically the only visibility I have been able to get is Lambdas timing out after 20 or 30 seconds depending on my limit when they are trying to connect to postgres in private. Cloudwatch logs reveal nothing else.
Lastly, for now 😂, what is the best way to connect my dev machine to Postgres once it is 'not public'? I have my machines IP listed for inbound TCP/IP to port 5432 to postgres in the RDS security group but that does not seem to give me the access I was hoping for. Do I really need a VPN connected to VPC? Whats the simplest way?
I have done this tutorial with basic alterations for Postgres https://docs.aws.amazon.com/lambda/latest/dg/vpc-rds.html
I have read and considered answers from this question & more
Allow AWS Lambda to access RDS Database
I have had many success-full deployments with serverless framework with many variations on serverless.yml config to try these options or else I would show a specific one I thought was failing but this is more broadly that I cant seem to grasp exactly how all these VPC, security groups, routing tables etc are supposed to interact.
Any help greatly appreciated!
Obviously, Lambda needs to be setup to run inside the same VPC, but I'm assuming you already got that.
You need to:
Create a security group (SG) and associate it with the Lambda function.
Now, open the SG associated with the RDS instance (not the one you created above).
Inside the RDS SG, go to "Inbound" tab and click "Edit"
Select "PostgreSQL" in the Type column. In the Source column, select "Custom" in the select dropdown and enter the Lambda SG ID in the input text (if you start typing "sg-", it will show you all your SGs).
Does it work?
Make sure your Lambda function is in the VPC, and the security group allows connections from IP addresses within the subnet of the VPC. The amount of available IP addresses is going to affect how many lambda functions can be run concurrently. Also make sure that the Lambda function's role has the ability to describe the VPC (the AWSLambdaVPCAccessExecutionRole policy should do the job for you).
I have two VPCs:
VPC1 which holds our RDS instance.
VPC2 which holds our cluster of EC2 instances.
We have successfully setup a VPC peering connection, routes and security groups to allow appropriate communication.
In order to resolve the RDS instance AZ-appropriate local IP address from it's hostname, we need to follow these instructions and set --requester-peering-connection-options AllowDnsResolutionFromRemoteVpc=true.
If I do this manually through the AWS Console or the AWS CLI it all works fine, however I'm creating the cluster of EC2 instances through CloudFormation and the option is missing from the CloudFormation documentation.
The effect of this is that my stack starts up and fails because the services themselves cannot connect to the database.
Am I doing something obvious wrong, or is this just Amazon being incomplete?
Thanks!
Due to the frequency of updates, there are many times where an AWS feature isn't available in CloudFormation (ALB targeting Lambda used to be) - you end up having to create a custom resource to manage it. It's not too bad, just make sure that your lambda responds with success or failure in all scenarios, including exceptions, otherwise your stack will be 'in progress' for hours.
I have one VPC with an RDS instance in it. They are both located in the same region.
I want to use the RDS instance in another VPC, that is in another region on another AWS account (we have multiple AWS accounts). If that's not complicated enough the 2nd VPC comes up via CloudFormation (i.e. dynamic). Whenever I am bringing up a CloudFormation stack I want to attach the RDS instance automatically.
I have looked at:
exposing the RDS instance on the public internet :(
an ELB w/ TCP transport to put the database instance behind
VPC peering but the different regions and the approval workflow in the AWS console make little sense in the case we are using CloudFormation
All of these seem suboptimal to me and was wondering if somebody already did this before. If yes, please share what you did and what the though process behind it was.
Use a VPN tunnel from one VPC to the other. You could build your own or look at Vyatta. Ideally the two VPCs do not have overlapping CIDRs. Note that you cannot use VPC peering inter-region.
For anyone who stumbles around here, it looks like AWS VPC Peering can now be done cross region: https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html