1 Answer
To establish cross-account VPC peering using AWS CDK, you need to follow a two-step process involving both the acceptor and requestor accounts.
Step 1: Create an IAM Role in the Acceptor Account (Account with VPC A)
First, in the acceptor account, you need to create an IAM role that allows the requestor account to create the peering connection. Here's the CDK code:
```typescript
import { CfnOutput } from 'aws-cdk-lib';
import { VpcV2, IpAddresses } from '@aws-cdk/aws-ec2-alpha';

// Inside the acceptor account's Stack (the `this` below is the Stack)
const acceptorVpc = new VpcV2(this, 'VpcA', {
  primaryAddressBlock: IpAddresses.ipv4('10.0.0.0/16'),
});

// Create the acceptor role, passing the requestor account ID.
// createAcceptorVpcRole() returns the Role; its ARN is what the requestor needs in Step 2.
const acceptorRole = acceptorVpc.createAcceptorVpcRole('000000000000'); // Replace with actual requestor account ID
new CfnOutput(this, 'AcceptorRoleArn', { value: acceptorRole.roleArn });
```
This creates an IAM role in the acceptor account that grants permissions to the requestor account.
Step 2: Create the Peering Connection in the Requestor Account (Account with VPC B)
In the requestor account, you need to import the acceptor VPC and create the peering connection using the role ARN from Step 1:
```typescript
import { VpcV2, IpAddresses } from '@aws-cdk/aws-ec2-alpha';

// Inside the requestor account's Stack (the `this` below is the Stack)

// Import the acceptor VPC from the other account
const acceptorVpc = VpcV2.fromVpcV2Attributes(this, 'acceptorVpc', {
  vpcId: 'vpc-XXXX', // Replace with actual VPC ID from Account 1
  vpcCidrBlock: '10.0.0.0/16',
  region: 'us-east-2', // Specify if in different region
  ownerAccountId: '111111111111', // Acceptor account ID
});

// The role ARN created in Step 1
const acceptorRoleArn = 'arn:aws:iam::111111111111:role/VpcPeeringRole';

// Create the requestor VPC
const requestorVpc = new VpcV2(this, 'VpcB', {
  primaryAddressBlock: IpAddresses.ipv4('10.1.0.0/16'),
});

// Create the peering connection
const peeringConnection = requestorVpc.createPeeringConnection('crossAccountPeering', {
  acceptorVpc: acceptorVpc,
  peerRoleArn: acceptorRoleArn,
});
```
Key Points:
- The acceptor account must create an IAM role first and provide its ARN to the requestor
- When importing the acceptor VPC, it's recommended to specify the owner account ID for cross-account scenarios
- If the VPCs are in different regions, specify the region parameter when importing the acceptor VPC
- After the peering connection is created, you'll need to add routes in both VPCs' route tables to enable traffic flow between them
Sources
@aws-cdk/aws-ec2-alpha module · AWS CDK
class VPCPeeringConnection (construct) · AWS CDK
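A pre-flight check to go with the answer above, added here and not part of the answer or of the CDK project: VPC peering only works between VPCs whose IPv4 CIDRs do not overlap, and the last key point (routes in both route tables) has to be mirrored on each side, each pointing at the peering connection. The TypeScript below has no CDK dependency; the peering connection ID passed in is a constructed placeholder.

```typescript
// Added example: validates the two VPC CIDRs from the answer (10.0.0.0/16 and
// 10.1.0.0/16) can be peered and derives the route each side's route table needs.

interface Cidr { network: number; prefix: number }

function parseCidr(cidr: string): Cidr {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(cidr);
  if (!m) throw new Error(`invalid CIDR: ${cidr}`);
  const octets = m.slice(1, 5).map(Number);
  const prefix = Number(m[5]);
  if (octets.some(o => o > 255) || prefix > 32) throw new Error(`invalid CIDR: ${cidr}`);
  // Pack the four octets into an unsigned 32-bit integer, then mask to the network address
  const addr = ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return { network: (addr & mask) >>> 0, prefix };
}

// Two CIDRs overlap when they agree on the shorter of the two prefixes
function cidrsOverlap(a: string, b: string): boolean {
  const x = parseCidr(a), y = parseCidr(b);
  const p = Math.min(x.prefix, y.prefix);
  const mask = p === 0 ? 0 : (0xffffffff << (32 - p)) >>> 0;
  return ((x.network & mask) >>> 0) === ((y.network & mask) >>> 0);
}

interface PeeringRoute { side: 'requestor' | 'acceptor'; destination: string; target: string }

// One route per side: destination is the *peer's* CIDR, target is the pcx-... connection.
// Throws if the CIDRs overlap, because the peering connection would never become active.
function peeringRoutes(requestorCidr: string, acceptorCidr: string, pcxId: string): PeeringRoute[] {
  if (cidrsOverlap(requestorCidr, acceptorCidr)) {
    throw new Error(`VPC CIDRs overlap (${requestorCidr} vs ${acceptorCidr}); peering will not work`);
  }
  return [
    { side: 'requestor', destination: acceptorCidr, target: pcxId },
    { side: 'acceptor', destination: requestorCidr, target: pcxId },
  ];
}

// Constructed placeholder ID; the real value comes from the created VPCPeeringConnection
const routes = peeringRoutes('10.1.0.0/16', '10.0.0.0/16', 'pcx-EXAMPLE');
```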