
AWS VPC peering was created for VPCs in a single region by following the AWS docs.

The diagram below explains the same.

[diagram not reproduced here]

Both VPC peering connections are active and their route tables are adjusted for the subnets. But when I try to establish an HTTP connection to VPC-A from the other two VPCs (Kubernetes), it fails.

VPC-B and VPC-C run a microservices-based application deployed on Kubernetes (Docker). So it's not guaranteed that a microservice pod will run on a specific instance. On re-deployment of the microservice, it jumps to any available instance in the VPC.

Only when the public IP of an instance from VPC-B or VPC-C is added to the security group of the VPC-A instance does an HTTP request to the VPC-A instance work from that specific instance in the other VPCs. This can't be a permanent solution due to possible instance expiry (and hence of the IP) and the nature of the application.

It was expected that this setup would make it possible to access the service running on the instance in VPC-A from both of the other VPCs. Please point out what is missing or misconfigured.

sap
  • What is the `host` in your `http` request? Is it a DNS name or a private ip or a public ip? – helloV Apr 13 '18 at 21:06
  • The request uses public (elastic) IP. Telnet with private IP or dns doesn't work. – sap Apr 16 '18 at 07:03
  • That means there is no route. Did you modify the subnet's routing table after successfully creating the peering connection? – helloV Apr 16 '18 at 15:11
  • Yes. The subnet's route table is modified to add destination 172.31.0.0/16 with target the peering connection id (pcx-xxxx). Reading the AWS docs online and doing a demo VPC peering with a totally different CIDR (10.11.0.0/16) revealed that the issue most likely is an overlapping CIDR (172.20.0.0/16). VPC-B and VPC-C are using the same CIDR. – sap Apr 17 '18 at 09:49
  • No overlapping CIDR is a basic requirement. I didn't notice that in the attached image. Is the problem resolved now? – helloV Apr 17 '18 at 14:29
  • Yes, at least the stated problem is resolved, but another one pops up. Changing the CIDR for an existing cluster is a Herculean task. I used the kops tool to create the k8s cluster and it doesn't facilitate a CIDR change as of v1.8 – sap Apr 18 '18 at 05:54
  • You can't change the VPC CIDR after VPC creation. You have to recreate the VPC with a different CIDR. – helloV Apr 18 '18 at 06:07
  • I am having a similar problem. Trying to connect to an RDS instance in one VPC from my kubernetes cluster in another (the CIDR blocks are coincidentally the same as yours - one is 172.31.0.0 and one is 172.20.0.0). But those are not overlapping CIDR blocks and I can't figure out what else I'm missing. What did you end up doing? – szeitlin Sep 21 '18 at 16:02
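The thread above boils down to three checks a practitioner would make before blaming the peering itself: the two VPCs in each peering must not have overlapping IPv4 CIDRs, the route table of each subnet needs a route to the peer's CIDR via the pcx, and the security group on the VPC-A instance should allow the peer VPC's private CIDR rather than per-instance public IPs (public and Elastic IPs are never carried over a peering connection). The script below, an added example that is not part of the question or any answer, models those checks in plain Python with the `ipaddress` module. The VPC IDs and the peering IDs `pcx-ab` / `pcx-ac` are constructed placeholders; the CIDRs are the ones the asker reports in the comments (172.31.0.0/16 for VPC-A, 172.20.0.0/16 for both VPC-B and VPC-C), and the script shows why that combination leaves VPC-A with an ambiguous route.

```python
"""Sanity-check a VPC peering plan before touching AWS.

Added example, not part of the original question: all VPC IDs, CIDRs and
peering-connection IDs are constructed placeholders. Only the CIDRs mirror
what the asker reports in the comments.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Vpc:
    name: str
    vpc_id: str          # constructed placeholder, not a real AWS ID
    cidr: str

    @property
    def network(self):
        return ipaddress.ip_network(self.cidr)


@dataclass(frozen=True)
class Peering:
    pcx_id: str          # constructed placeholder "pcx-..." ID
    requester: Vpc
    accepter: Vpc


def peering_is_allowed(p):
    """AWS rejects a peering whose two VPCs have matching or overlapping IPv4 CIDRs."""
    return not p.requester.network.overlaps(p.accepter.network)


def routes_needed(vpc, peerings):
    """Route-table entries this VPC needs: (destination = peer CIDR, target = pcx).
    Every subnet that must reach the peer needs these entries."""
    routes = []
    for p in peerings:
        if vpc == p.requester:
            routes.append((p.accepter.cidr, p.pcx_id))
        elif vpc == p.accepter:
            routes.append((p.requester.cidr, p.pcx_id))
    return routes


def conflicting_routes(routes):
    """Same destination pointing at different targets: a route table cannot hold
    both entries, so one peer is unreachable. Returns the ambiguous destinations."""
    targets = {}
    for dest, target in routes:
        targets.setdefault(dest, set()).add(target)
    return sorted(d for d, t in targets.items() if len(t) > 1)


def ingress_rule(port, source_vpc):
    """Security-group rule for the service in VPC-A: allow the peer VPC's private
    CIDR instead of individual public IPs, so pods that move between instances
    stay covered."""
    return {"protocol": "tcp", "from_port": port, "to_port": port, "cidr": source_vpc.cidr}


def reachable_over_peering(dst_ip, target_vpc):
    """Peering only carries traffic addressed to the peer's private CIDR; a public
    or Elastic IP of a peer instance is never routed through a pcx."""
    return ipaddress.ip_address(dst_ip) in target_vpc.network


def findings(vpcs, peerings):
    """Human-readable list of problems in the plan (empty list means it looks sane)."""
    out = []
    for p in peerings:
        if not peering_is_allowed(p):
            out.append(f"{p.pcx_id}: {p.requester.name} and {p.accepter.name} overlap")
    for v in vpcs:
        for dest in conflicting_routes(routes_needed(v, peerings)):
            out.append(f"{v.name}: route to {dest} is ambiguous (two peers share that CIDR)")
    return out


# Constructed sample topology matching the thread: A peers with B and with C,
# and B and C were both created with the same CIDR.
VPC_A = Vpc("VPC-A", "vpc-0a0a0a0a", "172.31.0.0/16")
VPC_B = Vpc("VPC-B", "vpc-0b0b0b0b", "172.20.0.0/16")
VPC_C = Vpc("VPC-C", "vpc-0c0c0c0c", "172.20.0.0/16")
PEERINGS = [Peering("pcx-ab", VPC_A, VPC_B), Peering("pcx-ac", VPC_A, VPC_C)]

if __name__ == "__main__":
    for line in findings([VPC_A, VPC_B, VPC_C], PEERINGS):
        print(line)
    print("VPC-B needs:", routes_needed(VPC_B, PEERINGS))
    print("SG rule on VPC-A for VPC-B:", ingress_rule(80, VPC_B))
    print("Elastic IP over pcx?", reachable_over_peering("54.0.0.1", VPC_A))
```

Each individual peering passes the overlap check (172.31.0.0/16 against 172.20.0.0/16), which is why both connections show as active; the failure only appears when VPC-A tries to hold a route to 172.20.0.0/16 for two different pcx targets. Testing with telnet against the private IP of the VPC-A instance, with the peer CIDR in the security group, is the check that exercises the path the peering actually provides.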

0 Answers