Summary
Recently we needed to expand our QA tests across more regions worldwide to ensure we simulated the most demanding use-cases for geo-distributed MySQL on Tungsten Cluster.
This blog post details the steps taken to add the Frankfurt region (eu-central-1) into our AWS environment using VPC Peering Connections for network traffic routing. This allows an instance in us-west-1 (10.14.1.101) to route to 10.15.1.201 in eu-central-1 without going out over the public network.
Peering Connections are defined by Amazon this way:
“A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. The VPCs can be in different regions (also known as an inter-region VPC peering connection).”
https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html
Existing Regions
For our example, we will use two existing regions and add a third for clarity. At Continuent, we have six regions tied together in this manner.
To begin, here are the example regions:
Status | Region | Name | CIDR | VPC | SG | Subnet 1 (eth0) | Subnet 2 (eth1) |
---|---|---|---|---|---|---|---|
Existing | sa-east-1 | South America (Sao Paulo) | 10.11.0.0/16 | 4 | 4 | 10.11.1.0/24 | 10.11.2.0/24 |
Existing | us-west-1 | USA (N. California) | 10.14.0.0/16 | 5 | 5 | 10.14.1.0/24 | 10.14.2.0/24 |
New | eu-central-1 | Europe (Frankfurt) | 10.15.0.0/16 | demo | demo | 10.15.1.0/24 | 10.15.2.0/24 |
Procedure to Add Frankfurt
Basic Steps
These are the basic steps to create the VPC, subnet, and basic routing to the internet:
- Create VPC: AWS Console -> VPC -> Your VPCs -> change region to eu-central-1 -> Create VPC 'vpc-demo' and use 10.15.0.0/16 CIDR. Note the new VPC ID for use later!
- Rename new security group: AWS Console -> VPC -> Security Groups -> Filter by the VPC ID created in the previous step, then rename to 'demo-sg'
- Create subnet: AWS Console -> VPC -> Subnets -> Create Subnet -> Select vpc-demo -> demo-subnet-eth0, Select AZ, 10.15.1.0/24 CIDR
- Enable public IP at boot for the new subnet: AWS Console -> VPC -> Subnets -> select demo-subnet-eth0 -> Actions menu -> Modify auto-assign IP settings -> Check 'Enable auto-assign public IPv4 address' and click Save
- Rename the new route table: AWS Console -> VPC -> Route tables -> Filter by the VPC ID created in the first step, then rename to 'peer-routing'
- Associate the new subnet with the route table: AWS Console -> VPC -> Route tables -> Subnet associations tab -> Edit subnet associations -> select new subnet and click "Save associations"
- Create new Internet Gateway and attach it to the created VPC: AWS Console -> VPC -> Internet gateways -> Create internet gateway -> "demo-igw" then click "Create internet gateway" -> Actions menu -> Attach to VPC -> select vpc-demo then click "Attach internet gateway"
- Add new default route to the Internet Gateway: AWS Console -> VPC -> Route tables -> Select 'peer-routing' -> Routes tab -> Edit routes -> Add route -> 0.0.0.0/0 -> Internet gateway -> select 'demo-igw' then click Save
Establish Peering
We need to create one new peering connection for each existing region/network using the /16 CIDR address for each:
- AWS Console -> VPC -> Peering Connections -> Create peering connection -> Create peering connection -> eu-central-1-sa-east-1-Peering, vpc-demo, Another region, sa-east-1, vpc-4 -> Create
- AWS Console -> VPC -> Peering Connections -> Create peering connection -> Create peering connection -> eu-central-1-us-west-1-Peering, vpc-demo, Another region, us-west-1, vpc-5 -> Create
All new peering connections require a request acceptance step in the target region, so that must be done twice, once per existing region:
- AWS Console -> VPC -> Peering Connections -> change region to sa-east-1 -> search for Status:pending -> rename to eu-central-1-sa-east-1-Peering -> Actions menu -> Accept request -> Click Accept request button
- AWS Console -> VPC -> Peering Connections -> change region to us-west-1 -> search for Status:pending -> rename to eu-central-1-us-west-1-Peering -> Actions menu -> Accept request -> Click Accept request button
Create Network Routes
The instances in the existing regions need to be able to route packets to the new region via private address, so we add a route across the peer connection twice, once per existing region:
- AWS Console -> VPC -> Route tables -> change region to sa-east-1 -> Select 'peer-routing' -> Routes tab -> Edit routes -> Add route -> 10.15.0.0/16, Peering connection->eu-central-1-sa-east-1-Peering -> Save
- AWS Console -> VPC -> Route tables -> change region to us-west-1 -> Select 'peer-routing' -> Routes tab -> Edit routes -> Add route -> 10.15.0.0/16, Peering connection->eu-central-1-us-west-1-Peering -> Save
Routes from the new region to the existing two regions also need to be created:
- AWS Console -> VPC -> Route tables -> change region to eu-central-1 -> Select 'peer-routing' -> Routes tab -> Edit routes ->
  - Add route -> 10.11.0.0/16, Peering connection -> eu-central-1-sa-east-1-Peering
  - Add route -> 10.14.0.0/16, Peering connection -> eu-central-1-us-west-1-Peering
  - Click Save
Create Security Rules
Allow traffic from the new region to the existing regions:
- AWS Console -> VPC -> Security groups -> change region to sa-east-1 -> Select 'demo-sg' -> Inbound rules tab -> Edit inbound rules -> Add rule -> All traffic, 10.15.1.0/24, eu-central-1 demo VPC Subnet 1 eth0 -> Save
- AWS Console -> VPC -> Security groups -> change region to us-west-1 -> Select 'demo-sg' -> Inbound rules tab -> Edit inbound rules -> Add rule -> All traffic, 10.15.1.0/24, eu-central-1 demo VPC Subnet 1 eth0 -> Save
Lastly, we need to allow traffic from the existing two regions to the new region:
- AWS Console -> VPC -> Security groups -> change region to eu-central-1 -> Select 'demo-sg' -> Inbound rules tab -> Edit inbound rules ->
  - Add rule -> All traffic, My IP, Home
  - Add rule -> All traffic, 10.11.1.0/24, sa-east-1 Subnet 1 VPC
  - Add rule -> All traffic, 10.14.1.0/24, us-west-1 Subnet 1 VPC
  - Click Save rules
Done!
You are now able to route using private IP addresses from the new region to the existing regions and the other way around.
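An added example, not part of the original post, that models the plan above offline with only the Python standard library: it checks that the three /16 CIDRs do not overlap (AWS will not establish a peering connection between overlapping VPCs), generates the peering connections, routes and inbound security-group rules the post creates by hand, and resolves a destination through the us-west-1 'peer-routing' table by longest-prefix match. The REGIONS table and the 'local'/'demo-igw' targets come from the post; the dict layout and function names are my own.

```python
import ipaddress
# Region table from the post (CIDR and Subnet 1 / eth0); the new region is eu-central-1.
REGIONS = {
    "sa-east-1": {"cidr": "10.11.0.0/16", "subnet1": "10.11.1.0/24"},
    "us-west-1": {"cidr": "10.14.0.0/16", "subnet1": "10.14.1.0/24"},
    "eu-central-1": {"cidr": "10.15.0.0/16", "subnet1": "10.15.1.0/24"},
}
NEW = "eu-central-1"

def check_no_overlap(regions):
    """AWS refuses a peering connection between VPCs whose CIDRs overlap, so fail early."""
    nets = {r: ipaddress.ip_network(v["cidr"]) for r, v in regions.items()}
    for a in nets:
        for b in nets:
            if a < b and nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return True

def build_plan(regions, new):
    """One peering per existing region, a route on each side, and an inbound SG rule on each side."""
    plan = {"peering": [], "routes": [], "sg_rules": []}
    for r in regions:
        if r == new:
            continue
        pcx = f"{new}-{r}-Peering"  # name used in the post; requested from `new`, accepted in `r`
        plan["peering"].append({"name": pcx, "requester": new, "accepter": r})
        plan["routes"].append({"region": r, "dest": regions[new]["cidr"], "target": pcx})
        plan["routes"].append({"region": new, "dest": regions[r]["cidr"], "target": pcx})
        plan["sg_rules"].append({"region": r, "source": regions[new]["subnet1"]})
        plan["sg_rules"].append({"region": new, "source": regions[r]["subnet1"]})
    return plan

def route_table(region, regions, plan):
    """The 'peer-routing' table: implicit local route, default route to the IGW, peering routes."""
    table = [(ipaddress.ip_network(regions[region]["cidr"]), "local"),
             (ipaddress.ip_network("0.0.0.0/0"), "demo-igw")]
    table += [(ipaddress.ip_network(r["dest"]), r["target"]) for r in plan["routes"] if r["region"] == region]
    return table

def next_hop(table, dst):
    """Longest-prefix match over the table, which is how the VPC router picks a target."""
    ip = ipaddress.ip_address(dst)
    return max((net.prefixlen, target) for net, target in table if ip in net)[1]

if __name__ == "__main__":
    check_no_overlap(REGIONS)
    plan = build_plan(REGIONS, NEW)
    us_west = route_table("us-west-1", REGIONS, plan)
    print(next_hop(us_west, "10.15.1.201"))  # eu-central-1-us-west-1-Peering (private path)
    print(next_hop(us_west, "8.8.8.8"))      # demo-igw (public path)
```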