Creating VPC Peering in Amazon Web Services ​
This tutorial explains how to create a Virtual Private Cloud (VPC) peering connection between a remote VPC network and SAP BTP, Kyma runtime in Amazon Web Services. Learn how to create a new VPC network, and a virtual machine (VM), and assign required permissions to the provided Kyma account and role in your AWS account.
Prerequisites ​
- You have the Cloud Manager module added. See Add and Delete a Kyma Module.
- You have the AWS CLI configured. For more information, see the AWS documentation.
Steps ​
Set the default AWS CLI profile.
export AWS_PROFILE={PROFILE_NAME}
export AWS_REGION={REGION}Authorize Cloud Manager in the Remote Account ​
Create a trust policy document. See Authorizing Cloud Manager in the Remote Cloud Provider to identify the Cloud Manager principal.
shellexport CLOUD_MANAGER_PRINCIPAL={CLOUD_MANAGER_PRINCIPAL} cat > trust_policy.json <<- EOF { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "$CLOUD_MANAGER_PRINCIPAL" }, "Action": "sts:AssumeRole" } ] } EOFCreate a new CloudManagerPeeringRole role and attach the trust policy document to the role.
shellexport AWS_ROLE_NAME=CloudManagerPeeringRole aws iam create-role --role-name $AWS_ROLE_NAME --assume-role-policy-document file://./trust_policy.jsonCreate a policy document.
shellcat > accept_policy.json <<- EOF { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:AcceptVpcPeeringConnection", "ec2:DescribeVpcs", "ec2:DescribeVpcPeeringConnections", "ec2:DescribeRouteTables", "ec2:CreateRoute", "ec2:CreateTags" ], "Resource": "*" } ] } EOFUse the policy document to create a new managed CloudManagerPeeringAccess policy for your Amazon Web Services account.
shellaws iam create-policy --policy-name CloudManagerPeeringAccess --policy-document file://./accept_policy.jsonAttach the managed policy to the CloudManagerPeeringRole role.
shellaws iam attach-role-policy --role-name $AWS_ROLE_NAME --policy-arn arn:aws:iam::$REMOTE_ACCOUNT_ID:policy/CloudManagerPeeringAccess
Set Up a Test Environment in the Remote Account ​
Create a VPC network.
shellexport CIDR_BLOCK=10.3.0.0/16 export SHOOT_NAME=$(kubectl get cm -n kube-system shoot-info -o jsonpath='{.data.shootName}') export NODE_NETWORK=$(kubectl get cm -n kube-system shoot-info -o jsonpath='{.data.nodeNetwork}') export VPC_NAME=my-vpc export VPC_ID=$(aws ec2 create-vpc --cidr-block $CIDR_BLOCK --tag-specifications "ResourceType=vpc,Tags=[{Key=Name,Value=$VPC_NAME}]" --query Vpc.VpcId --output text)Find an availability zone that supports the instance type compatible with the specified image.
shellexport IMAGE_ID=$(aws ec2 describe-images --owners amazon --filters "Name=name,Values=ubuntu/images/hvm-ssd-gp3/ubuntu-noble*" "Name=architecture,Values=arm64" --query 'sort_by(Images, &CreationDate)[-1].ImageId' --output text) export INSTANCE_TYPE=$(aws ec2 describe-instance-types --filter "Name=instance-type,Values=*.micro" "Name=processor-info.supported-architecture,Values=arm64" --query 'InstanceTypes[0].InstanceType' | tr -d '"') export AVAILABILITY_ZONE=$(aws ec2 describe-instance-type-offerings --location-type availability-zone --filters "Name=instance-type,Values=$INSTANCE_TYPE" --query 'InstanceTypeOfferings[0].Location' --output text)Create a subnet.
shellexport SUBNET_ID=$(aws ec2 create-subnet --vpc-id $VPC_ID --availability-zone $AVAILABILITY_ZONE --cidr-block $CIDR_BLOCK --query Subnet.SubnetId --output text)Run an instance.
shellexport INSTANCE_ID=$(aws ec2 run-instances --image-id $IMAGE_ID --instance-type $INSTANCE_TYPE --subnet-id $SUBNET_ID --query "Instances[0].InstanceId" --output text) export IP_ADDRESS=$(aws ec2 describe-instances --instance-ids $INSTANCE_ID --query "Reservations[0].Instances[0].PrivateIpAddress" --output text)Allow ICMP traffic from Kyma Pods.
shellexport SG_ID=$(aws ec2 describe-security-groups --filters Name=vpc-id,Values=$VPC_ID --query "SecurityGroups[0].GroupId" --output text) aws ec2 authorize-security-group-ingress --group-id $SG_ID --ip-permissions IpProtocol=icmp,FromPort=-1,ToPort=-1,IpRanges="[{CidrIp=$NODE_NETWORK}]"
Allow SAP BTP, Kyma Runtime to Peer with Your Network ​
Tag the VPC network with a Kyma shoot name.
aws ec2 create-tags --resources $VPC_ID --tags Key=$SHOOT_NAME,Value=''Create VPC Peering ​
Create an AwsVpcPeering resource.
shellexport ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) kubectl apply -f - <<EOF apiVersion: cloud-resources.kyma-project.io/v1beta1 kind: AwsVpcPeering metadata: name: peering-to-my-vpc spec: remoteAccountId: "$ACCOUNT_ID" remoteRegion: "$AWS_REGION" remoteVpcId: "$VPC_ID" EOFWait for the AwsVpcPeering CR to be in the
Readystate.shellkubectl wait --for=condition=Ready awsvpcpeering/peering-to-my-vpc --timeout=300sOnce the newly created AwsVpcPeering is provisioned, you should see the following message:
txtawsvpcpeering.cloud-resources.kyma-project.io/peering-to-my-vpc condition metCreate a namespace and export its value as an environment variable. Run:
shellexport NAMESPACE={NAMESPACE_NAME} kubectl create ns $NAMESPACECreate a workload that pings the VM in the remote network.
shellkubectl apply -n $NAMESPACE -f - <<EOF apiVersion: apps/v1 kind: Deployment metadata: name: awsvpcpeering-demo spec: selector: matchLabels: app: awsvpcpeering-demo template: metadata: labels: app: awsvpcpeering-demo spec: containers: - name: my-container resources: limits: memory: 512Mi cpu: "1" requests: memory: 256Mi cpu: "0.2" image: ubuntu command: - "/bin/bash" - "-c" - "--" args: - "apt update; apt install iputils-ping -y; ping -c 20 $IP_ADDRESS" EOFThis workload should print a sequence of 20 echo replies to stdout.
To print the logs of one of the workloads, run:
shellkubectl logs -n $NAMESPACE `kubectl get pod -n $NAMESPACE -l app=awsvpcpeering-demo -o=jsonpath='{.items[0].metadata.name}'`The command should print an output similar to the following:
txt... PING 172.0.0.4 (172.0.0.4) 56(84) bytes of data. 64 bytes from 172.0.0.4: icmp_seq=1 ttl=63 time=8.10 ms 64 bytes from 172.0.0.4: icmp_seq=2 ttl=63 time=2.01 ms 64 bytes from 172.0.0.4: icmp_seq=3 ttl=63 time=7.02 ms 64 bytes from 172.0.0.4: icmp_seq=4 ttl=63 time=1.87 ms 64 bytes from 172.0.0.4: icmp_seq=5 ttl=63 time=1.89 ms 64 bytes from 172.0.0.4: icmp_seq=6 ttl=63 time=4.75 ms 64 bytes from 172.0.0.4: icmp_seq=7 ttl=63 time=2.01 ms 64 bytes from 172.0.0.4: icmp_seq=8 ttl=63 time=4.26 ms 64 bytes from 172.0.0.4: icmp_seq=9 ttl=63 time=1.89 ms 64 bytes from 172.0.0.4: icmp_seq=10 ttl=63 time=2.08 ms 64 bytes from 172.0.0.4: icmp_seq=11 ttl=63 time=2.01 ms 64 bytes from 172.0.0.4: icmp_seq=12 ttl=63 time=2.24 ms 64 bytes from 172.0.0.4: icmp_seq=13 ttl=63 time=1.80 ms 64 bytes from 172.0.0.4: icmp_seq=14 ttl=63 time=4.32 ms 64 bytes from 172.0.0.4: icmp_seq=15 ttl=63 time=2.03 ms 64 bytes from 172.0.0.4: icmp_seq=16 ttl=63 time=2.03 ms 64 bytes from 172.0.0.4: icmp_seq=17 ttl=63 time=5.19 ms 64 bytes from 172.0.0.4: icmp_seq=18 ttl=63 time=1.86 ms 64 bytes from 172.0.0.4: icmp_seq=19 ttl=63 time=1.92 ms 64 bytes from 172.0.0.4: icmp_seq=20 ttl=63 time=1.92 ms === 172.0.0.4 ping statistics === 20 packets transmitted, 20 received, 0% packet loss, time 19024ms rtt min/avg/max/mdev = 1.800/3.060/8.096/1.847 ms ...
Next Steps ​
To clean up the Kubernetes resources and your AWS account resources, follow these steps:
Remove the created workloads.
shellkubectl delete -n $NAMESPACE deployment awsvpcpeering-demoRemove the created AwsVpcPeering CR.
shellkubectl delete awsvpcpeering peering-to-my-vpcRemove the created namespace.
shellkubectl delete namespace $NAMESPACEGo to your Amazon Web Services account and terminate the instance.
shellaws ec2 terminate-instances --instance-ids $INSTANCE_ID aws ec2 wait instance-terminated --instance-ids $INSTANCE_IDDelete the subnet.
shellaws ec2 delete-subnet --subnet-id $SUBNET_IDDelete the VPC.
shellaws ec2 delete-vpc --vpc-id $VPC_ID