Chat on Slack
GitHub followers

Follow @ruanbekker

In this tutorial I will demonstrate how to create a VPC Peering Connection between Two AWS Accounts and how to route traffic between them and then show you how we create Two EC2 Instances and demonstrate how to SSH to each other via it's Private IP Address.

Scenario Information

We will have Two AWS Accounts in this demonstration, a "Green AWS Account" and a "Blue AWS Account".

In this scenario, we will have two teams, both teams manage their own account and in this scenario the two teams need to be able to communicate to each other. To keep it simple, each team has a EC2 instance and the two EC2 instances need to be able to communicate with each other.

Therefore we will setup a VPC Peering Connection between the two accounts. Both accounts will be operating in the eu-west-2 (London) region.

Account, CIDR
green: 10.1.0.0/16
blue:  10.2.0.0/16

Getting Started

This will be our Green AWS Account:

140424C7-6FD5-4D74-AD26-AA1077D3DA92

This will be our Blue AWS Account:

AAFBF715-897D-4D54-BDF2-9A5282A60165

Creating the VPCs

From our green account, head over to VPC and create a new VPC with a CIDR of 10.1.0.0/16:

55FB3F87-9F73-4CDD-845B-8748700B0981

Then head over to the blue account, head over to VPC and create a new VPC with CIDR of 10.2.0.0/16:

854DC039-7F83-4E6F-BD28-6843BE417EEB

So in summary we have the following resources:

Green: vpc-0af4b247a1353b78b | 10.1.0.0/16
Blue: vpc-031c4ce3f56660c30 | 10.2.0.0/16

Creating the Subnets

Now we need to create subnets for the VPC's that we created. We will create the following subnets in our VPC, each subnet in its own availability zone:

10.1.0.0/20 (az-2a)
10.1.16.0/20 (az-2b)
10.1.32.0/20 (az-2c)

Let's go ahead and do this, head over to your green account, from the VPC section select "Subnets":

BBB38DDB-D9CF-4BD4-AEA0-C30B6998F016

Go ahead and create a subnet where you will need to specify the VPC that you created, slect the first CIDR block, in my case 10.1.0.0/20 and select the first AZ:

BB1627EE-A92D-4274-BF97-40AE4E01A9A4

Do this for the other two subnets as well and then when you are done, it may look more or less like this:

051767FD-2D52-48BD-B495-01ACB431B358

Repeat this process that you have three subnets for your blue account as well:

881A973C-7C9A-423C-B6F4-555CE78E0A16

Setup VPC Peering Connection

Now that we've created our VPC's and subnets for each VPC we want to peer our two VPC's with each other so that we have a direct connection between our VPC's so that our EC2 instances from our green account is able to connect with our EC2 instances in our blue account.

Head over to your green account's VPC section and select "Peering Connections":

21972956-D24A-4C45-94C5-10A6FC742D98

Create a new peering connection, we will first need to name our peering connection, select the source VPC which will be our green account's VPC, since the VPC that we want to peer with is in another account, get the AWS Account ID from the blue account, and select "Another account" and provide the account id that we want to peer with, select the AWS Region and provide the VPC ID of the blue account:

1BDCB500-7BF0-4C5F-B171-9E09463A956A

Once you create the peering connection, you will find the peering request details:

C74BAE40-9C78-45FE-BE7F-3AC495E93A41

Now let's head over to our blue Account, head over to VPC, select Peering connections and you will find the peering request from our green account:

05DB8A16-6CF4-48F1-920C-20AE7492E381

From the top, hit "Actions" and accept the request:

0FF04F44-F5B7-4AAF-9D66-89396EC2AA06

You should see that the VPC Peering connection has been established:

2D1D101F-3574-4A40-A1A6-F2F875B29158

From the blue account you should see that the VPC Peering Connection is active:

A2070A8B-6247-4D75-BFF8-D5AE152EFA42

If you head back to the green account, you will see under Peering Connections that the connection has been established:

1A50F913-9C6E-4F6D-A61C-5954617EBE5B

We have now successfully created our VPC peering connection and the two VPC's from different accounts has been peered. Now we would like to launch our EC2 instances in our VPC, we will connect to our EC2 instance in our green account via the internet and then SSH to our EC2 instance in our blue account via the VPC peering connection via the Private IP Address.

Setup Internet Gateway

In order to connect to a Public Elastic IP, we first need to create a Internet Gateway on our VPC and add a route to route all public traffic via our Internet Gateway. This allows our resources in that VPC to be able to connect to the Internet.

Head over to "Internet Gateways", and create a new Internet Gateway:

9750329C-E89E-425E-9DCC-D420D092C5E6

Our IGW (Internet Gateway) will now be in a detached state, we now need to attach our IGW to our VPC. Hit "Actions", then select "Attach to VPC", and select your VPC:

0BF7CB7A-C40A-483C-8083-410DBFFBA171

You should now see that your IGW has been attached to your VPC:

B6C3094F-233C-4A6C-A6FC-C5FD7727FBBD

Now that we have created an IGW and associated it to our VPC, we now need to configure our routing table so that it knows how to route non-local traffic via the IGW.

Configure Routing Table

Head over to VPC, select your VPC, select the "Route Tables" section from the left and you should see the following when you select the "Routes" section:

FF7E141E-2C8D-4D87-BE67-513AB44784F2

Select "Edit Routes" and add a route with the destination 0.0.0.0/0 select the Internet Gateway as a target and it will filter through your available IGW's and select the IGW that you created earlier, then select save. (If your blue account needs internet access, repeat these steps on the blue account as well.)

E223A267-1A4F-4DA4-B23A-37CE6EDAFEF5

While we are at our routing tables configuration, we should also inform our VPC how to reach the subnet from the VPC from the other account. So that our Green App (10.1.0.0/16) can reach our blue app (10.2.0.0/16) via the Peering Connection.

We do this by adding a route to our routing table. From the green account's VPC's routing table add a new route with the destination of 10.2.0.0/16, select "Peering Connection" as the target and it should resolve to the peering connection resource that we created, then select save:

B5E8CF35-0C06-4261-9668-6C091BA19E2A

Now our green Account knows how to route traffic to our blue account and also knows which network traffic to route. But we also need to route traffic back. Head over to your blue Account and add a route 10.1.0.0/16 to the peering connection so that we can route traffic back to our green Account:

885DCDE3-ACA5-4136-851D-3DF9D2D9D62D

Launch EC2 Instances

Now we want to launch a EC2 instance in each account and ensure to launch them into the VPC's that we created, I will also be creating two new SSH keys (blue-keypair + green-keypair) And I have created a Security Group that allows ICMP and SSH from anywhere, this is purely for demonstration (always review the sources that you want to allow).

For our green account:

C60E3DAD-DD12-4670-97CD-AC524269C20E

For our blue account:

1BFBF8B9-D090-4883-8E2B-92F29B19AEDE

Once the EC2 instances are deployed, you should see something like this. For my green account:

image

And for my blue account:

74F20740-17EE-46C9-9A51-D3ACAB8937B5

Public IP Addressing

Now that our EC2 instances are provisioned, we will be connecting to our green EC2 instances using a Public IP, therefore we need to create a Elastic IP. From EC2, select Elastic IPs and allocate a New Address:

C4B9AC94-7AFC-465D-8D51-0497ABA475B3

Select the IP, hit "Actions" and select "Associate Address", then select the EC2 instance to which you want to associate the Elastic IP to:

E3AA99D6-CD59-4530-B818-422E1D584932

You should know see that the EC2 instance has a Public IP assigned to it:

FE545350-0A45-453C-9855-4F65CC0783C6

Test Network Connectivity

From the downloaded SSH keypairs:

$ ls | grep keyp
blue-keypair.pem.txt
green-keypair.pem.txt

Apply the correct permissions to our keypairs so that we can use them to SSH:

$ chmod 0400 blue-keypair.pem.txt green-keypair.pem.txt

We will want to add both SSH keys to our agent so we can include them when we SSH:

$ eval $(ssh-agent -t 36000)
Agent pid 6613

Add both keys to your ssh-agent:

$ ssh-add blue-keypair.pem.txt
Identity added: blue-keypair.pem.txt (blue-keypair.pem.txt)

$ ssh-add green-keypair.pem.txt
Identity added: green-keypair.pem.txt (green-keypair.pem.txt)

SSH to our Green EC2 instance:

$ ssh -A [email protected]

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
[[email protected] ~]$

Now lets ping our Blue EC2 Instance which will be accessible via our VPC Peering Connection:

[[email protected] ~]$ ping 10.2.1.167
PING 10.2.1.167 (10.2.1.167) 56(84) bytes of data.
64 bytes from 10.2.1.167: icmp_seq=1 ttl=255 time=0.754 ms
64 bytes from 10.2.1.167: icmp_seq=2 ttl=255 time=0.854 ms

And since we've allowed SSH traffic, we should be able to SSH to our instance via its Private IP Address:

[[email protected] ~]$ ssh 10.2.1.167

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
[[email protected] ~]$

Now we have successfully created a VPC Peering Connection between Two AWS Accounts and demonstrated how to communicate to and from resources in those VPC's.

Thank You

Let me know what you think. If you liked my content, feel free to checkout my content on ruan.dev or follow me on twitter at @ruanbekker

Feel free to have a look at my Developer T-Shirt Range: