協栄情報ブログ

Creating a peering connection between existing VPCs in different AWS accounts with CloudFormation



Prerequisites

・The requester VPC and the accepter VPC already exist
・Each VPC spans two AZs (two private subnets and two public subnets), and the peering route is added only to the route tables of the two private subnets
・The CloudFormation templates are written in YAML

Architecture diagram and procedure overview

CloudFormation template and parameters for each step

1. Create the IAM role that allows the peering connection to be accepted (Account A)

Template

File name: VPC_PeeringRole_CrossAccount_AccountA.yaml

AWSTemplateFormatVersion: '2010-09-09'
Description: 'VPC Peering CrossAccount'
Parameters:
# ----------------------------------------------------------------------------#
# Environment Parameters
# ----------------------------------------------------------------------------#
  Environment:
    Type: String
    Description: "Environment"

# ----------------------------------------------------------------------------#
# VPCPeeringConnection Parameters
# ----------------------------------------------------------------------------#
  PeerRequesterAccountId:
    Type: String
    Description: "The AWS account ID of the requester VPC's owner (the account allowed to assume this role)."

# ----------------------------------------------------------------------------#
# IAM Role Parameters
# ----------------------------------------------------------------------------#
  Description:
    Type: String
    Description: "IAM Role Description"
  RoleName:
    Type: String
    Description: "RoleName. The role is created with the name 'RoleName-Region'."

Resources:
# ----------------------------------------------------------------------------#
# VPCPeeringConnection
# ----------------------------------------------------------------------------#
  peerRole:
    Type: AWS::IAM::Role
    Properties:
      Description: !Ref Description
# RoleName must be set considering multiple regions.
# https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-rolename
      RoleName:
        !Join 
          - '-'
          -
            - !Ref RoleName
            - !Ref AWS::Region
      AssumeRolePolicyDocument:
        Statement:
          - Principal:
              AWS: !Ref PeerRequesterAccountId
            Action:
              - 'sts:AssumeRole'
            Effect: Allow
      Path: /
      Tags:
        - Key: Name
          Value:
            !Join 
              - '-'
              -
                - !Ref RoleName
                - !Ref  AWS::Region
        - Key: Env
          Value: !Ref Environment     
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: 'ec2:AcceptVpcPeeringConnection'
                Resource: '*'

Outputs:
# ----------------------------------------------------------------------------#
# IAM Role Outputs
# ----------------------------------------------------------------------------#
  IAMGroup:
    Value: !Ref peerRole
    Export:
      Name:
        !Join 
          - '-'
          -
            - !Ref RoleName
            - !Ref AWS::Region    

Parameters

File name: Kby-IamRole-FromAccountBOsa-ToThisAccountATyo.yaml

StackName: 'Kby-IamRole-FromAccountBOsa-ToThisAccountATyo'
Parameters:
# ----------------------------------------------------------------------------#
# Environment Parameters
# ----------------------------------------------------------------------------#
- ParameterKey: 'Environment'
  ParameterValue: 'KbyDev3'

# ----------------------------------------------------------------------------#
# VPCPeeringConnection Parameters
# ----------------------------------------------------------------------------#
- ParameterKey: 'PeerRequesterAccountId'
  ParameterValue: '268673644828'

# ----------------------------------------------------------------------------#
# IAM Role Parameters
# ----------------------------------------------------------------------------#
- ParameterKey: 'Description'
  ParameterValue: 'Kby-IamRole-FromAccountBOsa-ToThisAccountATyo'
- ParameterKey: 'RoleName'
  ParameterValue: 'Kby-IamRole-FromAccountBOsa-ToThisAccountATyo'

Tags: 
- Key: 'Name'
  Value: 'Kby-IamRole-FromAccountBOsa-ToThisAccountATyo'
- Key: 'Env'
  Value: 'KbyDev3'

2. Create the peering connection, including the route updates (Account B)

Template

File name: VPC_PeeringConnect_CrossAccount_AccountB.yaml

AWSTemplateFormatVersion: '2010-09-09'
Description: 'VPC Peering Connect CrossAccount'
Parameters:
# ----------------------------------------------------------------------------#
# Environment Parameters
# ----------------------------------------------------------------------------#
  Environment:
    Type: String
    Description: "Environment"

# ----------------------------------------------------------------------------#
# VPCPeeringConnection Parameters
# ----------------------------------------------------------------------------#
  AccepterAccountId:
    Type: String
    Description: "The AWS account ID of the owner of the accepter VPC."
  PeerRoleArn:
    Type: String
    Description: "The ARN of the IAM role in the accepter account that is assumed to accept the peering connection."
  VpcId:
    Type: String
    Description: "VpcId. The ID of Source VPC"
  PeerVpcId:
    Type: String
    Description: "PeerVpcId. The ID of Target VPC"
  PeerRegion:
    Type: String
    Description:
     "The Region code for the accepter VPC, if the accepter VPC is located
     in a Region other than the Region in which you make the request."
  VpcPeeringName:
    Type: String
    Description: "VpcPeeringName"

# ----------------------------------------------------------------------------#
# Route Parameters
# ----------------------------------------------------------------------------#
# Common
  DestinationCidrBlock:
    Type: String
    Description: "The IPv4 CIDR block used for the destination match."
# PeeringRoute Back01
  Back01RouteTableId:
    Type: String
    Description: "Back01 RouteTable Id"
# PeeringRoute Back02
  Back02RouteTableId:
    Type: String
    Description: "Back02 RouteTable Id"

Resources:
# ----------------------------------------------------------------------------#
# VPCPeeringConnection
# ----------------------------------------------------------------------------#
  VPCPeeringConnection:
    Type: AWS::EC2::VPCPeeringConnection
    Properties:
      PeerOwnerId: !Ref AccepterAccountId
      VpcId: !Ref VpcId
      PeerVpcId: !Ref PeerVpcId
      PeerRegion: !Ref PeerRegion
      PeerRoleArn: !Ref PeerRoleArn
      Tags:
      - Key: Name
        Value: !Ref VpcPeeringName
      - Key: Env
        Value: !Ref Environment

# ----------------------------------------------------------------------------#
# Route
# ----------------------------------------------------------------------------#
# PeeringRouteBack01
  PeeringRouteBack01:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref Back01RouteTableId
      DestinationCidrBlock: !Ref DestinationCidrBlock
      VpcPeeringConnectionId: !Ref VPCPeeringConnection
# PeeringRouteBack02
  PeeringRouteBack02:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref Back02RouteTableId
      DestinationCidrBlock: !Ref DestinationCidrBlock
      VpcPeeringConnectionId: !Ref VPCPeeringConnection

Parameters

File name: InfraDev3-Osa-PeeringConnection-From-AccountBOsa-To-AccountATyo.yaml

StackName: 'InfraDev3-Osa-PeeringConnection-From-AccountBOsa-To-AccountATyo'
Parameters:
# ----------------------------------------------------------------------------#
# Environment Parameters
# ----------------------------------------------------------------------------#
- ParameterKey: 'Environment'
  ParameterValue: 'KbyDev3'

# ----------------------------------------------------------------------------#
# VPCPeeringConnection Parameters
# ----------------------------------------------------------------------------#
- ParameterKey: 'AccepterAccountId'
  ParameterValue: '717076937412'
- ParameterKey: 'PeerRoleArn'
  ParameterValue: 'arn:aws:iam::717076937412:role/Kby-IamRole-FromAccountBOsa-ToThisAccountATyo'
- ParameterKey: 'VpcId'
  ParameterValue: 'vpc-072748ed11bec21c5'
- ParameterKey: 'PeerVpcId'
  ParameterValue: 'vpc-0b596f99dd09cab46'
- ParameterKey: 'PeerRegion'
  ParameterValue: 'ap-northeast-1'
- ParameterKey: 'VpcPeeringName'
  ParameterValue: 'InfraDev3-Osa-PeeringConnection-From-AccountBOsa-To-AccountATyo'

# ----------------------------------------------------------------------------#
# Route Parameters
# ----------------------------------------------------------------------------#
- ParameterKey: 'DestinationCidrBlock'
  ParameterValue: '10.30.0.0/16'
- ParameterKey: 'Back01RouteTableId'
  ParameterValue: 'rtb-08a158494a2a7e526'
- ParameterKey: 'Back02RouteTableId'
  ParameterValue: 'rtb-0be9eaf7bdccdc76f'

Tags: 
- Key: 'Name'
  Value: 'InfraDev3-Osa-PeeringConnection-From-AccountBOsa-To-AccountATyo'
- Key: 'Env'
  Value: 'KbyDev3'

3. Add the routes for the peering connection (Account A)

Template

File name: VPC_PeeringRoute_CrossAccount_AccountA.yaml

AWSTemplateFormatVersion: '2010-09-09'
Description: 'VPC Peering Route'
Parameters:
# ----------------------------------------------------------------------------#
# Route Parameters
# ----------------------------------------------------------------------------#
# Common
  PeeringConnectionId:
    Type: String
    Description: "VPC Peering Connection Id."
  DesinationCidrBlock:
    Type: String
    Description: "The IPv4 CIDR block used for the destination match."
# PeeringRoute Back01
  Back01RouteTableId:
    Type: String
    Description: "Back01 RouteTable Id"
# PeeringRoute Back02
  Back02RouteTableId:
    Type: String
    Description: "Back02 RouteTable Id"

Resources:
# ----------------------------------------------------------------------------#
# Route
# ----------------------------------------------------------------------------#
# PeeringRouteBack01
  PeeringRouteBack01:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref Back01RouteTableId
      DestinationCidrBlock: !Ref DesinationCidrBlock
      VpcPeeringConnectionId: !Ref PeeringConnectionId
# PeeringRouteBack02
  PeeringRouteBack02:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref Back02RouteTableId
      DestinationCidrBlock: !Ref DesinationCidrBlock
      VpcPeeringConnectionId: !Ref PeeringConnectionId

Parameters

File name: KbyDev3-Tyo-VpcPeeringRoute-CrossAccount-AccountA.yaml

StackName: 'KbyDev3-Tyo-VpcPeeringRoute-CrossAccount-AccountA'
Parameters:
# ----------------------------------------------------------------------------#
# Route Parameters
# ----------------------------------------------------------------------------#
- ParameterKey: 'PeeringConnectionId'
  ParameterValue: 'pcx-098b638434bfa8370'
- ParameterKey: 'DesinationCidrBlock'
  ParameterValue: '10.40.0.0/16'
- ParameterKey: 'Back01RouteTableId'
  ParameterValue: 'rtb-0f3165e16e2641601'
- ParameterKey: 'Back02RouteTableId'
  ParameterValue: 'rtb-07530bf1b3d8fb3b9'

Tags: 
- Key: 'Name'
  Value: 'KbyDev3-Tyo-VpcPeeringRoute-CrossAccount-AccountA'
- Key: 'Env'
  Value: 'KbyDev3'
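The following pre-flight check is an added example and not code from the original post. It validates the parameter files used in steps 2 and 3 before the stacks are created: it parses the ParameterKey/ParameterValue list format shown above using only the Python standard library, checks that each identifier has the expected shape, that PeerRoleArn points into the accepter account given by AccepterAccountId, and that the requester and accepter CIDR blocks (10.40.0.0/16 and 10.30.0.0/16 in this post) do not overlap, since VPC peering cannot be established between overlapping CIDR blocks. The function names, the regular expressions and the finding messages are my own assumptions; the sample parameter text is the step 2 file from this post, reproduced here as a constructed input.

```python
"""Pre-flight checks for the step 2 / step 3 peering parameter files.

Added example; the parse/check functions and regexes below are assumptions,
not part of the original post. Standard library only, runs offline.
"""
import ipaddress
import re

# Identifier shapes (AWS resource IDs use 8 or 17 hex characters after the prefix)
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
VPC_ID_RE = re.compile(r"^vpc-(?:[0-9a-f]{8}|[0-9a-f]{17})$")
RTB_ID_RE = re.compile(r"^rtb-(?:[0-9a-f]{8}|[0-9a-f]{17})$")
REGION_RE = re.compile(r"^[a-z]{2}(?:-gov)?-[a-z]+-\d$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")

# Parameter file lines: "- ParameterKey: 'X'" followed by "  ParameterValue: 'Y'"
KEY_RE = re.compile(r"^\s*-\s*ParameterKey:\s*'([^']*)'\s*$")
VAL_RE = re.compile(r"^\s*ParameterValue:\s*'([^']*)'\s*$")

REQUIRED_STEP2 = ("AccepterAccountId", "PeerRoleArn", "VpcId", "PeerVpcId",
                  "PeerRegion", "DestinationCidrBlock",
                  "Back01RouteTableId", "Back02RouteTableId")

# Constructed sample: the step 2 parameter file from this post, comments removed
STEP2_PARAMETER_FILE = """
StackName: 'InfraDev3-Osa-PeeringConnection-From-AccountBOsa-To-AccountATyo'
Parameters:
- ParameterKey: 'Environment'
  ParameterValue: 'KbyDev3'
- ParameterKey: 'AccepterAccountId'
  ParameterValue: '717076937412'
- ParameterKey: 'PeerRoleArn'
  ParameterValue: 'arn:aws:iam::717076937412:role/Kby-IamRole-FromAccountBOsa-ToThisAccountATyo'
- ParameterKey: 'VpcId'
  ParameterValue: 'vpc-072748ed11bec21c5'
- ParameterKey: 'PeerVpcId'
  ParameterValue: 'vpc-0b596f99dd09cab46'
- ParameterKey: 'PeerRegion'
  ParameterValue: 'ap-northeast-1'
- ParameterKey: 'VpcPeeringName'
  ParameterValue: 'InfraDev3-Osa-PeeringConnection-From-AccountBOsa-To-AccountATyo'
- ParameterKey: 'DestinationCidrBlock'
  ParameterValue: '10.30.0.0/16'
- ParameterKey: 'Back01RouteTableId'
  ParameterValue: 'rtb-08a158494a2a7e526'
- ParameterKey: 'Back02RouteTableId'
  ParameterValue: 'rtb-0be9eaf7bdccdc76f'
"""


def parse_parameter_file(text):
    """Return {ParameterKey: ParameterValue} from the parameter file text."""
    params, key = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            params[key] = m.group(1)
            key = None
    return params


def check_requester_params(p):
    """Findings for the step 2 (account B) parameter set; an empty list means clean."""
    missing = [k for k in REQUIRED_STEP2 if k not in p]
    if missing:
        return [f"missing parameters: {', '.join(missing)}"]
    findings = []
    if not ACCOUNT_ID_RE.match(p["AccepterAccountId"]):
        findings.append("AccepterAccountId is not a 12-digit account ID")
    m = ROLE_ARN_RE.match(p["PeerRoleArn"])
    if not m:
        findings.append("PeerRoleArn is not an IAM role ARN")
    elif m.group(1) != p["AccepterAccountId"]:
        # The role assumed to accept the peering must live in the accepter account
        findings.append("PeerRoleArn is in a different account than AccepterAccountId")
    for key in ("VpcId", "PeerVpcId"):
        if not VPC_ID_RE.match(p[key]):
            findings.append(f"{key} is not a VPC ID")
    if p["VpcId"] == p["PeerVpcId"]:
        findings.append("VpcId and PeerVpcId are the same VPC")
    if not REGION_RE.match(p["PeerRegion"]):
        findings.append("PeerRegion is not a region code")
    try:
        ipaddress.IPv4Network(p["DestinationCidrBlock"], strict=False)
    except ValueError:
        findings.append("DestinationCidrBlock is not a valid IPv4 CIDR")
    for key in ("Back01RouteTableId", "Back02RouteTableId"):
        if not RTB_ID_RE.match(p[key]):
            findings.append(f"{key} is not a route table ID")
    if p["Back01RouteTableId"] == p["Back02RouteTableId"]:
        findings.append("Back01RouteTableId and Back02RouteTableId are the same table")
    return findings


def cidrs_overlap(requester_cidr, accepter_cidr):
    """True if the two VPC CIDR blocks overlap, in which case peering is rejected."""
    return ipaddress.IPv4Network(requester_cidr).overlaps(ipaddress.IPv4Network(accepter_cidr))


if __name__ == "__main__":
    params = parse_parameter_file(STEP2_PARAMETER_FILE)
    for finding in check_requester_params(params) or ["no findings"]:
        print(finding)
    # Step 3 routes the requester CIDR (10.40.0.0/16) in account A; step 2 routes 10.30.0.0/16
    print("CIDRs overlap:", cidrs_overlap("10.40.0.0/16", "10.30.0.0/16"))
```

Run it against each edited parameter file before `create-stack`; a role ARN from the wrong account or an overlapping CIDR is reported immediately instead of surfacing as a stack that cannot stabilize.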

4. Allow the traffic in the security groups (for the ping test)

The procedure for adding the security group rules is not covered here; the rules are added as shown below.

Confirming the result in the AWS console after creation

As the red frames below show, the tags appear slightly differently in the two accounts.

Account A

Account B

Verification (ping test)

[ec2-user@ip-10-30-103-36 ~]$ ping 10.40.102.153
PING 10.40.102.153 (10.40.102.153) 56(84) bytes of data.
64 bytes from 10.40.102.153: icmp_seq=1 ttl=64 time=8.89 ms
64 bytes from 10.40.102.153: icmp_seq=2 ttl=64 time=9.07 ms
64 bytes from 10.40.102.153: icmp_seq=3 ttl=64 time=8.99 ms
64 bytes from 10.40.102.153: icmp_seq=4 ttl=64 time=8.99 ms
^C
--- 10.40.102.153 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 8.889/8.984/9.065/0.091 ms
[ec2-user@ip-10-30-103-36 ~]$

References

How do I resolve the "VpcPeeringConnection failed to stabilize" error in AWS CloudFormation?

Tutorial: Peer with an Amazon VPC in another AWS account
