Creating a cross-account VPC peering using Terraform


Cross-account VPC peering is a networking connection between two Virtual Private Clouds (VPCs) that reside in different AWS accounts. This connection allows for the routing of traffic between the VPCs using private IP addresses, effectively enabling direct network communication across AWS accounts as if the resources were within the same network.

Use Cases of Cross-Account VPC Peering:

  1. Multi-Account Strategy: Organizations often use multiple AWS accounts for various teams or projects to enhance security and resource management. Cross-account VPC peering facilitates seamless network connectivity among these accounts.
  2. Shared Services Model: Companies can maintain common services (like authentication, logging, or directory services) in one account and allow access from different VPCs in other accounts, reducing redundancy and centralizing management.
  3. Disaster Recovery and Backup: It enables setting up disaster recovery and backup solutions across different accounts, providing an additional layer of isolation and protection against account-level issues.
  4. Collaboration Between Different Departments or Companies: Cross-account VPC peering supports scenarios where different departments within an organization or different companies need to securely share resources or data without exposing them to the public internet.
  5. Regulatory Compliance and Data Sovereignty: In cases where data needs to remain within specific geographic or jurisdictional boundaries, cross-account VPC peering can help in creating compliant architectures across diverse accounts.

Overall, cross-account VPC peering is crucial for complex AWS architectures, allowing for enhanced network connectivity while maintaining account-level separation for security and organizational purposes.

Let's see how to set up cross-account VPC peering using Terraform. We'll need to configure VPCs in both AWS accounts and then establish a VPC peering connection between them. Here's a step-by-step guide with example Terraform code:

Prerequisites

  • Two AWS accounts (Account A and Account B) with VPCs set up in each.
  • Terraform installed on your local machine.

Step 1: Define Providers for Both Accounts

In Terraform, define providers for both AWS accounts. You'll need to authenticate with AWS using either AWS Access Keys or other methods like shared credentials files or environment variables.

providers.tf

provider "aws" {
  alias  = "account_a"
  region = "us-west-1" # Replace with your region
  # Authentication details for Account A
}

provider "aws" {
  alias  = "account_b"
  region = "us-west-1" # Replace with your region
  # Authentication details for Account B
}

Step 2: Define VPCs in Both Accounts

If you haven't already set up VPCs in both accounts, you can define them in Terraform. Here, we assume you already have existing VPCs.

vpcs.tf

# Define your VPCs or fetch existing ones. Without an `id` (or a filter) the
# data source matches every VPC in the region and fails if there is more than one.
data "aws_vpc" "account_a_vpc" {
  provider = aws.account_a
  id       = var.account_a_vpc_id # VPC ID of Account A
}

data "aws_vpc" "account_b_vpc" {
  provider = aws.account_b
  id       = var.account_b_vpc_id # VPC ID of Account B
}

Step 3: Request VPC Peering Connection

In Account A, request a VPC peering connection to Account B.

vpc_peering.tf

resource "aws_vpc_peering_connection" "peer" {
  provider = aws.account_a

  peer_owner_id = var.account_b_owner_id # AWS Account ID of Account B
  peer_vpc_id   = data.aws_vpc.account_b_vpc.id
  vpc_id        = data.aws_vpc.account_a_vpc.id
  auto_accept   = false

  tags = {
    Name = "cross-account-vpc-peering"
  }
}

Step 4: Accept VPC Peering Connection in Account B

In Account B, automatically accept the VPC peering connection request.

resource "aws_vpc_peering_connection_accepter" "peer_accept" {
  provider = aws.account_b

  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
  auto_accept               = true

  tags = {
    Name = "accept-cross-account-vpc-peering"
  }

  depends_on = [
    aws_vpc_peering_connection.peer
  ]
}

Step 5: Configure Route Tables

Update route tables in both VPCs to allow traffic to and from the peered VPC.

# Add routes in Account A's route tables (one aws_route per route table ID)
resource "aws_route" "route_to_b" {
  provider = aws.account_a
  for_each = toset(var.account_a_route_table_ids) # route table IDs in Account A

  route_table_id            = each.value
  destination_cidr_block    = data.aws_vpc.account_b_vpc.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
}

# Add routes in Account B's route tables (one aws_route per route table ID)
resource "aws_route" "route_to_a" {
  provider = aws.account_b
  for_each = toset(var.account_b_route_table_ids) # route table IDs in Account B

  route_table_id            = each.value
  destination_cidr_block    = data.aws_vpc.account_a_vpc.cidr_block
  # The accepter's id is the same peering connection ID, now known on the B side
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.peer_accept.id
}

Additional Steps:

  • Replace placeholder values like VPC IDs and AWS account IDs with actual values.
  • You may need to adjust security groups in both VPCs to allow traffic from the peered VPC.
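
As an added example (not part of the original post), the block below declares the variables the configuration references, with plan-time validation of the account ID, and shows the security-group side of the last bullet: an ingress rule scoped to the peered VPC's CIDR rather than 0.0.0.0/0. The port 443, the list-typed route table variables and the optional cross-VPC DNS resolution are assumptions for this example.

```hcl
# variables.tf: inputs used by the peering configuration. The validation
# block rejects a malformed account ID at plan time rather than at apply time.
variable "account_b_owner_id" {
  description = "12-digit AWS account ID of Account B"
  type        = string
  validation {
    condition     = can(regex("^[0-9]{12}$", var.account_b_owner_id))
    error_message = "account_b_owner_id must be a 12-digit AWS account ID."
  }
}

variable "account_a_vpc_id" { type = string }
variable "account_b_vpc_id" { type = string }
variable "account_a_route_table_ids" { type = list(string) } # assumed list input
variable "account_b_route_table_ids" { type = list(string) } # assumed list input

# Security group in Account A that admits traffic only from the peered VPC's
# CIDR on the service port (443 is an assumption). Peering routes packets, but
# nothing reaches an instance until a security group allows it; keep this narrow.
resource "aws_security_group" "from_peer" {
  provider    = aws.account_a
  name        = "allow-from-peered-vpc"
  description = "Inbound from the Account B VPC over the peering connection"
  vpc_id      = data.aws_vpc.account_a_vpc.id

  ingress {
    description = "HTTPS from the peered VPC only"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.account_b_vpc.cidr_block]
  }
}

# Optional: resolve private DNS hostnames across the link. Both sides must opt
# in, and each side is configured through its own provider (account).
resource "aws_vpc_peering_connection_options" "requester" {
  provider                  = aws.account_a
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.peer_accept.id
  requester {
    allow_remote_vpc_dns_resolution = true
  }
}

resource "aws_vpc_peering_connection_options" "accepter" {
  provider                  = aws.account_b
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.peer_accept.id
  accepter {
    allow_remote_vpc_dns_resolution = true
  }
}
```

The options resources reference the accepter's ID so that Terraform only sets them once the connection is active on both sides.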

This Terraform setup creates a cross-account VPC peering connection between two AWS accounts, allowing network traffic to flow between VPCs in different accounts. Always test in a development environment before applying to production.