Peering and testing connections of two separate VPCs on AWS using Terraform

My name is Joseph Mbatchou, and I am grateful for the opportunity to introduce myself to you.
I have been in the Tech industry for about 8 years, and I am currently working as a Cloud Engineer at CloudSpace Consulting, LLC, Manassas, VA.
My journey began as a Computer Science Teacher and Computer Technician at Biopharcam, a computer sales company in my home country. Upon relocating to the United States, I joined Allied Universal, gradually advancing from an officer to a shift lead position. In this role, I oversaw various applications for training and operational tasks, collaborating closely with engineers and developers from Digital Realty, a data center provider.
Observing these professionals at work sparked my interest in cloud computing, leading me to pursue cloud classes, attend boot camps, and conduct in-depth research across various domains, including training at CloudSpace Academy. This exposure deepened my passion for IT and motivated me to transition into the industry to further my personal growth and contribute to organizational success.
As a Cloud Consultant, I have been privileged to collaborate with Cloud Solution Architects and DevOps teams on numerous projects, consistently exceeding customer expectations through our dedication and innovative solutions. My tenure in this role has enriched my skill set and broadened my professional experience.
Now, equipped with a wealth of knowledge in cloud computing and DevOps practices, I am eager to apply my expertise to new challenges and opportunities. I am confident in my ability to contribute effectively to your knowledge.
Thank you for considering my hard work. I look forward to having you on board for the learning process.
Overview:
VPC peering across two AWS regions is a network connection that allows Virtual Private Clouds (VPCs) in different geographic locations to communicate securely and directly with each other, enabling seamless data transfer and resource access while maintaining the isolation and security of each VPC. This inter-region connectivity facilitates distributed application architectures, disaster recovery setups, and data replication scenarios, enhancing the versatility and global reach of AWS infrastructure for businesses and organizations. This project utilizes Terraform, an Infrastructure as Code (IaC) tool, to provision and manage the infrastructure components, enabling automation, repeatability, and scalability. The primary objective of this project is to design and deploy two Virtual Private Clouds on AWS in two separate regions, "us-west-2" and "us-east-1", then create a VPC peering connection linking both VPCs, and finally launch one EC2 instance in the private subnet of each VPC and test connectivity between them.
Problem Statement
Terraform is an IaC software tool that provides a consistent command line interface (CLI) workflow to manage hundreds of cloud services. Terraform codifies cloud APIs into declarative configuration files. In this specific case you need to create VPC peering across two AWS regions. It is a network connection that allows Virtual Private Clouds (VPCs) in different geographic locations to communicate securely and directly with each other, enabling seamless data transfer and resource access while maintaining the isolation and security of each VPC. This inter-region connectivity facilitates distributed application architectures, disaster recovery setups, and data replication scenarios, enhancing the versatility and global reach of AWS infrastructure for businesses and organizations. Terraform will deploy all the required AWS elements so that we do not have to use the console; it automates the setup, ensuring consistency and reducing human error.
Technology Stack
The architecture consists of the following service tiers:
VPC: AWS VPC
Subnets: AWS Subnets
Route table: AWS route table
NACL: AWS NACL
Internet Gateway: AWS IGW
NAT Gateway: AWS NAT Gateway
SSM Role: AWS IAM
EC2 Instance: AWS EC2
Peering Connection: AWS VPC Peering
Architecture Diagram

Project Requirements
Before you get started, make sure you have the following prerequisites in place:
Terraform installed on your local machine.
AWS IAM credentials configured for your editor environment. In this case we will use VSCode.
Git installed on your local machine (for cloning the repository) and a GitHub account set up.
Access to AWS VPC services.
You must know the goal of the peering connection:
To achieve VPC peering across regions, first create the necessary VPCs in each region, ensuring they have unique, non-overlapping CIDR blocks. Next, create the VPC peering connection between the two regions and accept the peer request. Update the route tables in each VPC to include a route for the peer VPC's CIDR block, pointing to the peering connection. Finally, configure security groups and network ACLs to allow the required traffic between the peered VPCs. This setup enables seamless and secure communication between resources in the US East and US West regions while maintaining network isolation. We will skip these manual steps and use Terraform instead: the code implementing all of them has already been written and now only needs to be run and deployed.
Table of Contents
I - Terraform Configuration files
Step 1: Providers Configuration
Step 2: Variables Configuration
Step 3: VPCs Configuration
Step 4: Main Configuration
Step 5: Output Configuration
II - Instructions of Deployment
Step 1: Clone Repository
Step 2: Initialize Folder
Step 3: Format Files
Step 4: Validate Files
Step 5: Plan
Step 6: Apply
Step 7: Review of resources
Step 8: Testing Connectivity
Step 9: Destroy
Terraform Configuration files
You need to write several files, each generating a set of resources.
Step 1: Provider Configuration
Here we declare our cloud provider and specify the regions where resources will be launched: us-east-1 and us-west-2, to be precise.
Step 2: Variables Configuration
This is where we declare all variables and their values. It includes:
Variables: a list of elements that can vary or change. They let us reuse values throughout our code without repeating ourselves and make the code dynamic. We can declare things like CIDR blocks, port numbers, key name, instance type, VPC count and subnet names.
Value: the default value declared for each variable.
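The two-region provider and variables layout described in Steps 1 and 2, as an added example that is not the repository's own files; the default provider is the east (accepter) side and the "west" alias is the requester, and the CIDR defaults are constructed sample values:

```hcl
# Added example, not the repository's providers / variables files. Default
# provider = east (accepter), alias "west" = requester, matching Step 7's roles.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = var.east_region
}

# Resources in us-west-2 select this with `provider = aws.west`.
provider "aws" {
  alias  = "west"
  region = var.west_region
}

variable "east_region" {
  type    = string
  default = "us-east-1"
}

variable "west_region" {
  type    = string
  default = "us-west-2"
}

# Sample CIDRs (constructed): peered VPCs must not overlap, or the peering
# request fails and routes to the peer would be ambiguous.
variable "east_vpc_cidr" {
  type    = string
  default = "10.0.0.0/16"
  validation {
    condition     = can(cidrnetmask(var.east_vpc_cidr))
    error_message = "east_vpc_cidr must be a valid IPv4 CIDR block."
  }
}

variable "west_vpc_cidr" {
  type    = string
  default = "10.1.0.0/16"
  validation {
    condition     = can(cidrnetmask(var.west_vpc_cidr))
    error_message = "west_vpc_cidr must be a valid IPv4 CIDR block."
  }
}
```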
Step 3: VPCs Configuration
This is where you create the foundation and networking where all the resources will be launched. It includes the VPC, subnets, IGW, NAT Gateway, EIP, NACL and route tables.
We have here:
VPC: Virtual Private Cloud, the main private environment where all resources will be launched.
Subnets: a subnet is a segmented portion of a virtual private cloud (VPC) that allows you to partition your network resources. Subnets are used to organize and manage your cloud resources more effectively by providing isolation and control over network traffic. We will have public and private subnets in each VPC.
Internet Gateway: it plays a crucial role in enabling internet connectivity for resources within a VPC, allowing instances to access services, applications, and data hosted on the public internet while providing scalability, redundancy, and security features. One per VPC will allow internet access for each VPC.
Route Tables: a route table is a fundamental networking component that controls the routing of network traffic within a Virtual Private Cloud (VPC). Route tables define the rules for directing traffic from one subnet to another or to external networks, such as the internet or on-premises networks. As we are peering two VPCs, we need to route local traffic, internet-bound traffic and the private link between the two closed environments.
NACL: Network Access Control Lists (NACLs) are a security layer in AWS that act as a firewall for controlling traffic in and out of one or more subnets within a Virtual Private Cloud (VPC).
Security Groups: a security group acts as a virtual firewall for controlling inbound and outbound traffic to AWS resources, such as EC2 instances, RDS databases, and other services within a Virtual Private Cloud (VPC). Security groups allow you to define rules that specify the type of traffic allowed or denied based on protocols, ports, and IP addresses.
Step 4: Main Configuration
This is where we declare the main file, which implements the goal of the project: the peering of both VPCs. This is where the link, the attachment and the connectivity of the VPCs are set up.
. main
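The core of the main file as an added example (not the repository's main.tf): VPC-west requests the peering, VPC-east accepts it in code, each private route table gets a route for the peer CIDR only, and the east instance's security group admits ICMP echo requests solely from the west VPC. It assumes the aws.west provider alias, aws_vpc.east / aws_vpc.west, aws_route_table.private_east / private_west and the region and CIDR variables exist.

```hcl
# Added example, not the repository's main.tf; assumes aws.west alias, aws_vpc.east/west,
# aws_route_table.private_east/private_west and the CIDR/region variables exist.
resource "aws_vpc_peering_connection" "west_to_east" {
  provider    = aws.west              # requester side, us-west-2
  vpc_id      = aws_vpc.west.id
  peer_vpc_id = aws_vpc.east.id
  peer_region = var.east_region
  auto_accept = false                 # cross-region: accepted separately below
}

# Accepter side (us-east-1): replaces the manual "Accept request" click.
resource "aws_vpc_peering_connection_accepter" "east" {
  vpc_peering_connection_id = aws_vpc_peering_connection.west_to_east.id
  auto_accept               = true
}

# Routes cover the peer CIDR only; 0.0.0.0/0 stays on the NAT/IGW route.
# Referencing the accepter makes the east route wait until the peering is active.
resource "aws_route" "east_to_west" {
  route_table_id            = aws_route_table.private_east.id
  destination_cidr_block    = var.west_vpc_cidr
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.east.id
}

resource "aws_route" "west_to_east" {
  provider                  = aws.west
  route_table_id            = aws_route_table.private_west.id
  destination_cidr_block    = var.east_vpc_cidr
  vpc_peering_connection_id = aws_vpc_peering_connection.west_to_east.id
}

# East instance SG: ICMP echo request from the west VPC only, no inbound SSH
# (access is via SSM); egress stays open for the NAT-bound SSM/update traffic.
resource "aws_security_group" "east_instance" {
  name   = "east-instance-sg"
  vpc_id = aws_vpc.east.id
  ingress {
    from_port   = 8 # ICMP type 8 = echo request
    to_port     = 0 # ICMP code 0
    protocol    = "icmp"
    cidr_blocks = [var.west_vpc_cidr]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

The west instance needs the mirror-image security group (ICMP from var.east_vpc_cidr, created with provider = aws.west) for the ping in Step 8 to succeed in both directions.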
The SSM file defines the role, because we will connect to the instances through their private IPs and need to do so securely; the easiest way is SSM Session Manager.
. ssm-role
Both instances will be launched in the private subnets of their VPCs. The following files launch the instances:
. ec2-east
. ec2-west
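The ssm-role and ec2-east pieces, plus the private-IP output from Step 5, as an added example that is not the repository's own code: an instance role carrying only AmazonSSMManagedInstanceCore, and an instance in the private subnet with no key pair and IMDSv2 enforced. It assumes aws_subnet.private_east, aws_security_group.east_instance and var.instance_type exist; the ec2-west file is the same with provider = aws.west.

```hcl
# Added example, not the repository's ssm-role / ec2-east files; assumes
# aws_subnet.private_east, aws_security_group.east_instance and var.instance_type.
data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ssm" {
  name               = "ec2-ssm-role"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

# Only the managed core policy: enough for Session Manager, nothing broader.
resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.ssm.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "ssm" {
  name = "ec2-ssm-profile"
  role = aws_iam_role.ssm.name
}

# Latest Amazon Linux 2023 AMI for the region; it ships with the SSM agent.
data "aws_ssm_parameter" "al2023" {
  name = "/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64"
}

resource "aws_instance" "east" {
  ami                    = data.aws_ssm_parameter.al2023.value
  instance_type          = var.instance_type
  subnet_id              = aws_subnet.private_east.id   # private subnet, no public IP
  vpc_security_group_ids = [aws_security_group.east_instance.id]
  iam_instance_profile   = aws_iam_instance_profile.ssm.name
  # No key_name: the only way in is SSM Session Manager via the NAT gateway.
  metadata_options {
    http_tokens = "required" # IMDSv2 only
  }
  tags = { Name = "ec2-east" }
}

# Output used in Step 8: the private IP to ping from the west instance.
output "ec2_east_private_ip" {
  value = aws_instance.east.private_ip
}
```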
Step 5: Output Configuration
Known as Output Values: a convenient way to get useful information about your infrastructure printed on the CLI, such as the ARN, name or ID of a resource. In this case we output both VPC IDs and both EC2 private IPs; we will use those private IPs to test the connectivity.
Instructions of Deployment
Follow these steps to deploy the architecture:
Step 1: Clone Repository:
Clone the repository to your local machine using the command "git clone":
git clone https://github.com/Joebaho/VPC-PEERING
Step 2: Initialize Folder
Initialize the folder containing the cloned configuration files for Terraform by typing the following command:
terraform init
You should see output like this:

Step 3: Format Files
Format the files, review the changes and confirm the formatting is correct with the command:
terraform fmt
Step 4: Validate Files
Ensure that every file is syntactically valid and ready to go with the command:
terraform validate
If everything is good you will see something like this:

Step 5: Plan
Create an execution plan showing how the desired state will be reached. It checks and confirms the number of resources that will be created. Use the command:
terraform plan
The list of all resources to be created will appear, and you can see all properties (arguments and attributes) of each resource.


Step 6: Apply
Bring all desired-state resources to life: this launches and creates all resources listed in the configuration files. The command to perform the task is:
terraform apply -auto-approve
Now the creation starts and you will be able to see which resources are being created and how long each one takes.
At the end you will receive a summary message showing the status of all resources (created, changed) and their numbers.
Here are the outputs:



Step 7: Review of resources
Go back to the console and check the actual state of all resources one by one. You will have:
- VPC-EAST
In the VPC section we can see the VPC, subnets (public & private), route tables (public & private), Internet Gateway and NAT Gateway deployed in the us-east-1 region.

This shows the routes for the connectivity. Traffic destined for the CIDR block of the other VPC has the VPC peering connection as its target; traffic for the local CIDR block of the requester VPC uses the local route. For internet access, the Internet Gateway or the NAT Gateway is the way to go.

- VPC_WEST
We can see here the VPC, subnets (public & private), route tables (public & private), Internet Gateway and NAT Gateway deployed in the us-west-2 region.

This shows the routes for the connectivity. Traffic destined for the CIDR block of the other VPC has the VPC peering connection as its target; traffic for the local CIDR block of the requester VPC uses the local route. For internet access, the Internet Gateway or the NAT Gateway is the way to go.

- Peering Connection east
VPC peering connects two VPCs privately. The requester VPC-west initiates the connection, and the accepter VPC-east approves it. Both configure route tables for traffic flow between the VPCs. Done manually, this process requires acceptance confirmation by the accepter, but in this case we placed that automatically in the code.


- Peering Connection west
VPC peering connects two VPCs privately. The requester VPC-west initiates the connection, and the accepter VPC-east approves it.


- EC2-WEST

- EC2-EAST

- Server-west connect
After selecting the instance, we can look for a way to connect to it. As we added the SSM role, we select it and click "Connect", which lands us directly in the server.


- Server-east connect


Step 8: Testing Connectivity
The testing process uses the ping command to see whether there is any response from the server. We need to grab the private IP of the ec2-east server and ping it from the ec2-west server, and vice versa. As you can see on both screenshots, each ping returns a response, which means the connectivity is working end to end.
- Ping server west

- Ping server east

Step 9: Destroy
Destroy the Terraform-managed infrastructure, meaning all resources created will be shut down. This is done with the command "terraform destroy":
terraform destroy -auto-approve
At the end you will receive a message confirming that all resources have been destroyed. The 53 resources created for the purpose of this project will all be destroyed and the instances terminated. After typing the command, the deletion process starts and at the end there is a confirmation message. See the screenshot below:

Contributing
Your perspective is valuable! Whether you see potential for improvement or appreciate what's already here, your contributions are welcomed and appreciated. Thank you for considering joining us in making this project even better. Feel free to follow me for updates on this project and others, and to explore opportunities for collaboration. Together, we can create something amazing!
License
This project is licensed under the JoebahoCloud License.



