AWS VPC peering using security groups

amazon-web-servicessecurity-groupsvpc-peering

I setup a VPC peering connection between two regions (us-west-2, eu-central-1) in a single AWS account. In the documentation I see:

You cannot reference the security group of a peer VPC that's in a different region.

Let's say I want to create a security group in us-west-2 to allow port 3306 from both regions.

Am I supposed to make the new security group ALLOW the entire eu-central-1 VPC CIDR range and then the us-west-2 3306 security group id? This means any instance that is created in eu-central-1 can communicate with port 3306 in us-west-2 even though it may not need to.

Best Answer

Yes, but you don't need to allow the entire CIDR of the foreign VPC... you will, however, need to allow the relevant remote IP addresses, whatever they are. If they aren't static, you'll need to allow the relevant subnets, by CIDR. This means you may need more subnets, if you need to restrict traffic and not include the entire remote VPC.

Related Solutions

AWS CloudFormation: VPC default security group

Referencing the default security group is possible using:

{ "Fn::GetAtt" : ["VPC", "DefaultSecurityGroup"] }

Where "VPC" is your VPC resource name.

With AWS::EC2::SecurityGroupIngress and AWS::EC2::SecurityGroupEgress, you can augment the permissions of this default security group.

I think this is what you want:

"VPCDefaultSecurityGroupIngress": {
  "Type" : "AWS::EC2::SecurityGroupIngress",
  "Properties" : {
    "GroupId": { "Fn::GetAtt" : ["VPC", "DefaultSecurityGroup"] },
    "IpProtocol":"tcp",
    "FromPort":"22",
    "ToPort":"22",
    "CidrIp":"0.0.0.0/0"
  }
},

As mentioned by @artbristol and @gabriel, this allows Ingress/Egress rules to be added to the default security group for the VPC in a single stack deployment.

I'm pretty sure that the self-referential problem still impacts any attempts at changing any of the other properties on the default security group of the VPC. A good example of this would be adding Tags, or a Description. If you wish to change these things, you'll have to deal with extraneous security groups laying around.

Using AWS Nat Gateway from diferrent VPC across VPC peering

This type of configuration is not supported by AWS. VPC Peering does not support "multiple hop" routing. The following configurations are not supported through VPC Peering.

VPC A -> VPC B -> Internet
VPC A -> VPC B -> VPC C

Reference: Invalid VPC Peering Connection Configurations

Best Answer

Related Solutions

AWS CloudFormation: VPC default security group

Using AWS Nat Gateway from diferrent VPC across VPC peering

Related Topic