VPC peering between 2 AWS Regions VPC via cloudformation
I am trying VPC peering between two different regions.
Here, I have already created the resources and now I just want to pass their IDs as parameters. In the same region I am able to peer two VPCs, but across two different regions I get an error that the route_id does not exist.
My template is as follows:
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Parameters:
  PeerVPCAccountId:
    Type: String
    Description: "Peer VPC Account ID"
    Default: (Acc_id)
  PeerVPCRegion:
    Type: String
    Description: "Peer Region"
    Default: (region)
  VPC1:
    Description: VPC Id of DataPipeline
    Type: AWS::EC2::VPC::Id
    Default: (vpc_id)
  VPC1CIDRRange:
    Description: The IP address range of DataPipeline VPC.
    Type: String
    MinLength: '9'
    MaxLength: '18'
    Default: (vpc_range)
    AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
  VPC1PrivateSubnet1CIDRRange:
    Description: The IP address range for Private Subnet 1 in DataPipeline.
    Type: String
    MinLength: '9'
    MaxLength: '18'
    Default: (vpc_subnet_range)
    AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
  VPC1Private1Route:
    Description: RouteTableId of Private Subnet 1 for DataPipeline
    Type: String
    Default: (vpc_subnet_route_id)
  VPC2:
    Description: VPC Id of PII-Isolation Pipeline
    Type: String
    Default: (vpc_id)
  VPC2CIDRRange:
    Description: The IP address range of PII Pipeline VPC.
    Type: String
    MinLength: '9'
    MaxLength: '18'
    AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
    Default: (vpc_range)
  VPC2PrivateSubnet1CIDRRange:
    Description: The IP address range for Private Subnet 1 in PII Pipeline.
    Type: String
    MinLength: '9'
    MaxLength: '18'
    AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
    Default: (vpc_subnet_range)
  VPC2Private1Route:
    Description: RouteTableId of Private Subnet 1 for PII Pipeline
    Type: String
    Default: (vpc_subnet_route_id)
Resources:
  peerRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Principal:
              AWS: !Ref PeerVPCAccountId
            Action:
              - 'sts:AssumeRole'
            Effect: Allow
      Path: /
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: 'ec2:AcceptVpcPeeringConnection'
                Resource: '*'
  VPC1Private1PeeringRoute1:
    Type: AWS::EC2::Route
    Properties:
      DestinationCidrBlock:
        Ref: VPC2PrivateSubnet1CIDRRange
      RouteTableId:
        Ref: VPC1Private1Route
      VpcPeeringConnectionId:
        Ref: myVPCPeeringConnection
  VPC2Private1PeeringRoute1:
    Type: AWS::EC2::Route
    Properties:
      DestinationCidrBlock:
        Ref: VPC1PrivateSubnet1CIDRRange
      RouteTableId:
        Ref: VPC2Private1Route
      VpcPeeringConnectionId:
        Ref: myVPCPeeringConnection
  myVPCPeeringConnection:
    Type: AWS::EC2::VPCPeeringConnection
    Properties:
      VpcId:
        Ref: VPC1
      PeerVpcId:
        Ref: VPC2
      PeerOwnerId:
        Ref: PeerVPCAccountId
      PeerRegion:
        Ref: PeerVPCRegion
      PeerRoleArn: !GetAtt
        - peerRole
        - Arn
I have given the template everything it wants, and it still shows this error.
Can anyone help fix it or point out the mistake?
CloudFormation deploys resources only in a specific region. To deploy the same resources in different regions you can use CloudFormation StackSets.
For your scenario, I'd suggest using CloudFormation to create the necessary resources in one region and to deploy a Lambda that will deploy the resources in the second region and perform the peering - request, accept and change the RouteTable.
Besides the Lambda, you also need to deploy a custom resource that executes the Lambda, and the Lambda's role + policy (permissions for the actions it will perform).
Impurshu, I think there is definitely some confusion in understanding that a CloudFormation template can only be applied to a single region. However, CloudFormation StackSets can be applied to multiple regions, and I even found an example applicable to your problem: VPC Peering across regions
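Added example (not from the question or either answer): a second template for the peer region that carries only the route the posted template cannot create, because VPC2Private1Route is a route table ID that exists only in that region. It assumes the requester stack keeps myVPCPeeringConnection and VPC1Private1PeeringRoute1, drops VPC2Private1PeeringRoute1, and exposes `!Ref myVPCPeeringConnection` as a stack output; that pcx- ID is the same in both regions and is passed in here as PeeringConnectionId (a parameter name chosen for this example).

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Peer-region (PII Pipeline) half of a cross-region VPC peering: adds the
  return route that the requester-region stack cannot create.
Parameters:
  PeeringConnectionId:
    Type: String
    Description: >-
      VpcPeeringConnectionId output by the requester stack in the other
      region (assumed to be copied from that stack's Outputs).
    AllowedPattern: '^pcx-[0-9a-f]+$'
    ConstraintDescription: must be a VPC peering connection ID (pcx-...).
  VPC1PrivateSubnet1CIDRRange:
    Type: String
    Description: Private Subnet 1 CIDR of the DataPipeline VPC (requester side).
    MinLength: '9'
    MaxLength: '18'
    AllowedPattern: '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$'
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
  VPC2Private1Route:
    Type: String
    Description: >-
      RouteTableId of Private Subnet 1 for PII Pipeline. This ID only
      resolves in the region where this stack is deployed, which is why the
      route must live here rather than in the requester stack.
    AllowedPattern: '^rtb-[0-9a-f]+$'
    ConstraintDescription: must be a route table ID (rtb-...).
Resources:
  # Only the peer-side CIDR is routed through the peering; keeping the
  # destination to the single private subnet limits what the DataPipeline
  # VPC can reach inside the PII VPC.
  VPC2Private1PeeringRoute1:
    Type: AWS::EC2::Route
    Properties:
      DestinationCidrBlock: !Ref VPC1PrivateSubnet1CIDRRange
      RouteTableId: !Ref VPC2Private1Route
      VpcPeeringConnectionId: !Ref PeeringConnectionId
Outputs:
  ReturnRouteTable:
    Description: Route table that now carries the return route to DataPipeline.
    Value: !Ref VPC2Private1Route
```

The posted peerRole grants ec2:AcceptVpcPeeringConnection on Resource '*'; restricting that statement to the accepter VPC's ARN keeps the role from accepting peerings into any other VPC in that account.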