Create VPCPeeringConnection across AWS accounts via CloudFormation

In AWS, I am trying to create a VPC peering connection via CloudFormation between two VPCs that live in different accounts.

I can create the peering connection manually through the UI using 4 fields:

Name
Local VPC

Target Account ID
Target VPC ID

It seems the CLI also supports a target Account.

When trying to do the same thing via CloudFormation using the AWS::EC2::VPCPeeringConnection object, the problem is that this object seems to only support 3 fields, Target Account not being one of them:

PeerVpcId
VpcId
Tags

My code results in:

AttributeError: AWS::EC2::VPCPeeringConnection object does not support attribute PeerVpcOwner

How can I go about creating a VPCPeeringConnection to a VPC in another account via CloudFormation?

Yes, you can configure VPC peering between two AWS accounts using CloudFormation.

You can peer with a virtual private cloud (VPC) in another AWS account by using AWS::EC2::VPCPeeringConnection. This creates a networking connection between two VPCs that enables you to route traffic between them so they can communicate as if they were within the same network. A VPC peering connection can help facilitate data access and data transfer.

To establish a VPC peering connection, you need to authorize two separate AWS accounts within a single AWS CloudFormation stack.

Source: Walkthrough: Peer with an Amazon VPC in Another AWS Account

Step 1: Create the VPC and the cross-account role

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create a VPC and an assumable role for cross account VPC peering.",
  "Parameters": {
    "PeerRequesterAccountId": {
      "Type": "String"
    }
  },
  "Resources": {
    "vpc": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.1.0.0/16",
        "EnableDnsSupport": false,
        "EnableDnsHostnames": false,
        "InstanceTenancy": "default"
      }
    },
    "peerRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Principal": {
                "AWS": {
                  "Ref": "PeerRequesterAccountId"
                }
              },
              "Action": [
                "sts:AssumeRole"
              ],
              "Effect": "Allow"
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "root",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "ec2:AcceptVpcPeeringConnection",
                  "Resource": "*"
                }
              ]
            }
          }
        ]
      }
    }
  },
  "Outputs": {
    "VPCId": {
      "Value": {
        "Ref": "vpc"
      }
    },
    "RoleARN": {
      "Value": {
        "Fn::GetAtt": [
          "peerRole",
          "Arn"
        ]
      }
    }
  }
}

Step 2: Create the template containing the AWS::EC2::VPCPeeringConnection

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create a VPC and a VPC Peering connection using the PeerRole to accept.",
  "Parameters": {
    "PeerVPCAccountId": {
      "Type": "String"
    },
    "PeerVPCId": {
      "Type": "String"
    },
    "PeerRoleArn": {
      "Type": "String"
    }
  },
  "Resources": {
    "vpc": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.2.0.0/16",
        "EnableDnsSupport": false,
        "EnableDnsHostnames": false,
        "InstanceTenancy": "default"
      }
    },
    "vpcPeeringConnection": {
      "Type": "AWS::EC2::VPCPeeringConnection",
      "Properties": {
        "VpcId": {
          "Ref": "vpc"
        },
        "PeerVpcId": {
          "Ref": "PeerVPCId"
        },
        "PeerOwnerId": {
          "Ref": "PeerVPCAccountId"
        },
        "PeerRoleArn": {
          "Ref": "PeerRoleArn"
        }
      }
    }
  },
  "Outputs": {
    "VPCId": {
      "Value": {
        "Ref": "vpc"
      }
    },
    "VPCPeeringConnectionId": {
      "Value": {
        "Ref": "vpcPeeringConnection"
      }
    }
  }
}
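As an added example (not part of the question or the answer above, and not AWS's own code), the following Python script shows the two checks a practitioner would want before deploying this two-stack pattern: that the requester-side peering resource uses only property names CloudFormation actually accepts (the asker's PeerVpcOwner is not one; the cross-account owner is PeerOwnerId, and cross-account peering also needs PeerRoleArn), and that the accepter-side role is scoped the way the walkthrough intends (trust limited to the requester account, permissions limited to ec2:AcceptVpcPeeringConnection). It then maps step 1's stack outputs onto step 2's parameter names in the shape boto3's create_stack takes. The account IDs are placeholders, and the embedded templates are the answer's two templates reduced to the resources the checks inspect.

```python
"""Pre-deployment checks for the two-stack cross-account VPC peering pattern."""

# Property names CloudFormation accepts on AWS::EC2::VPCPeeringConnection.
PEERING_PROPERTIES = {"VpcId", "PeerVpcId", "PeerOwnerId", "PeerRegion", "PeerRoleArn", "Tags"}
# The only action the accepter-side role needs for this pattern.
ALLOWED_ACCEPTER_ACTIONS = {"ec2:AcceptVpcPeeringConnection"}

# Placeholder account ids, constructed for this example only.
REQUESTER_ACCOUNT = "111111111111"
ACCEPTER_ACCOUNT = "222222222222"

# Accepter-side template (step 1 above), reduced to the role resource.
ACCEPTER_TEMPLATE = {
    "Parameters": {"PeerRequesterAccountId": {"Type": "String"}},
    "Resources": {
        "peerRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {"Statement": [{
                    "Principal": {"AWS": {"Ref": "PeerRequesterAccountId"}},
                    "Action": ["sts:AssumeRole"], "Effect": "Allow"}]},
                "Policies": [{"PolicyName": "root", "PolicyDocument": {"Statement": [{
                    "Effect": "Allow", "Action": "ec2:AcceptVpcPeeringConnection",
                    "Resource": "*"}]}}],
            },
        }
    },
}

# Requester-side template (step 2 above), reduced to the peering resource.
REQUESTER_TEMPLATE = {
    "Resources": {
        "vpcPeeringConnection": {
            "Type": "AWS::EC2::VPCPeeringConnection",
            "Properties": {
                "VpcId": {"Ref": "vpc"},
                "PeerVpcId": {"Ref": "PeerVPCId"},
                "PeerOwnerId": {"Ref": "PeerVPCAccountId"},
                "PeerRoleArn": {"Ref": "PeerRoleArn"},
            },
        }
    }
}


def resources_of_type(template, resource_type):
    """Return {logical_id: resource} for every resource of the given CloudFormation type."""
    return {name: r for name, r in template.get("Resources", {}).items()
            if r.get("Type") == resource_type}


def resolve(value, params):
    """Resolve a {"Ref": "Param"} intrinsic against supplied parameter values; pass other values through."""
    if isinstance(value, dict) and list(value) == ["Ref"]:
        return params.get(value["Ref"], value)
    return value


def check_peering_resource(template):
    """Return problems with the requester-side peering resource (unknown properties, missing role ARN)."""
    problems = []
    for name, res in resources_of_type(template, "AWS::EC2::VPCPeeringConnection").items():
        props = res.get("Properties", {})
        for key in props:
            if key not in PEERING_PROPERTIES:
                problems.append(f"{name}: unsupported property {key}")
        if "PeerOwnerId" in props and "PeerRoleArn" not in props:
            problems.append(f"{name}: cross-account peering needs PeerRoleArn")
    return problems


def check_accepter_role(template, params):
    """Return problems with the accepter-side role: open trust policy or permissions beyond acceptance."""
    problems = []
    for name, role in resources_of_type(template, "AWS::IAM::Role").items():
        props = role.get("Properties", {})
        for stmt in props.get("AssumeRolePolicyDocument", {}).get("Statement", []):
            principal = resolve(stmt.get("Principal", {}).get("AWS"), params)
            if principal in ("*", None):
                problems.append(f"{name}: trust policy allows any principal to assume the role")
        for policy in props.get("Policies", []):
            for stmt in policy["PolicyDocument"].get("Statement", []):
                actions = stmt.get("Action", [])
                for action in ([actions] if isinstance(actions, str) else actions):
                    if action not in ALLOWED_ACCEPTER_ACTIONS:
                        problems.append(f"{name}: policy {policy['PolicyName']} grants {action}")
    return problems


def build_requester_parameters(accepter_outputs, accepter_account):
    """Map step-1 outputs (VPCId, RoleARN) onto step-2 parameters, in boto3 create_stack's Parameters shape."""
    mapping = {
        "PeerVPCAccountId": accepter_account,
        "PeerVPCId": accepter_outputs["VPCId"],
        "PeerRoleArn": accepter_outputs["RoleARN"],
    }
    return [{"ParameterKey": k, "ParameterValue": v} for k, v in mapping.items()]


if __name__ == "__main__":
    print(check_peering_resource(REQUESTER_TEMPLATE))
    print(check_accepter_role(ACCEPTER_TEMPLATE, {"PeerRequesterAccountId": REQUESTER_ACCOUNT}))
    # Constructed outputs standing in for what `describe_stacks` would return for the step-1 stack.
    print(build_requester_parameters(
        {"VPCId": "vpc-0a1b2c3d", "RoleARN": f"arn:aws:iam::{ACCEPTER_ACCOUNT}:role/peerRole"},
        ACCEPTER_ACCOUNT))
```

The trust-policy check is the one that matters most: the role's only purpose is to let the requester account call AcceptVpcPeeringConnection, so its Principal should be that single account (as the walkthrough's Ref to PeerRequesterAccountId makes it), never "*".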