[英]Create VPCPeeringConnection across AWS accounts via CloudFormation
Within AWS, I am trying to create a VPC peering connection between two VPC's in different accounts via CloudFormation. 在AWS中,我试图通过CloudFormation在不同帐户中的两个VPC之间创建VPC对等连接。
I can create the peering connections manually via the UI, with the 4 fields: 我可以通过UI手动创建对等连接,包含4个字段:
Name
Local VPC
Target Account ID
Target VPC ID
It seems as if the CLI also supports a target Account . 似乎CLI也支持目标帐户 。
The problem comes when trying to do this same thing via CloudFormation, using the AWS::EC2::VPCPeeringConnection
object, the problem being that this object seems to only support 3 fields, Target Account not being one of them - 当尝试使用AWS::EC2::VPCPeeringConnection
对象通过AWS::EC2::VPCPeeringConnection
做同样的事情时,问题出现了,问题是这个对象似乎只支持3个字段, 目标帐户不是其中之一 -
PeerVpcId
VpcId
Tags
With my code resulting in 用我的代码导致
AttributeError: AWS::EC2::VPCPeeringConnection object does not support attribute PeerVpcOwner
How can I go about creating a VPCPeeringConnection to a VPC in another account via CloudFormation? 如何通过CloudFormation在另一个帐户中为VPC创建VPCPeeringConnection?
YES YOU CAN configure VPC peering with cloudformation between two AWS accounts. 是的您可以在两个AWS账户之间配置VPC对等与云形成。
You can peer with a virtual private cloud (VPC) in another AWS account by using AWS::EC2::VPCPeeringConnection. 您可以使用AWS :: EC2 :: VPCPeeringConnection与另一个AWS账户中的虚拟私有云(VPC)进行对等。 This creates a networking connection between two VPCs that enables you to route traffic between them so they can communicate as if they were within the same network. 这将在两个VPC之间创建网络连接,使您能够在它们之间路由流量,以便它们可以像在同一网络中一样进行通信。 A VPC peering connection can help facilitate data access and data transfer. VPC对等连接有助于促进数据访问和数据传输。
To establish a VPC peering connection, you need to authorize two separate AWS accounts within a single AWS CloudFormation stack. 要建立VPC对等连接,您需要在单个AWS CloudFormation堆栈中授权两个单独的AWS账户。
Source: Walkthrough: Peer with an Amazon VPC in Another AWS Account 来源: 演练:与另一个AWS账户中的Amazon VPC对等
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Create a VPC and an assumable role for cross account VPC peering.",
"Parameters": {
"PeerRequesterAccountId": {
"Type": "String"
}
},
"Resources": {
"vpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.1.0.0/16",
"EnableDnsSupport": false,
"EnableDnsHostnames": false,
"InstanceTenancy": "default"
}
},
"peerRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Principal": {
"AWS": {
"Ref": "PeerRequesterAccountId"
}
},
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow"
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:AcceptVpcPeeringConnection",
"Resource": "*"
}
]
}
}
]
}
}
},
"Outputs": {
"VPCId": {
"Value": {
"Ref": "vpc"
}
},
"RoleARN": {
"Value": {
"Fn::GetAtt": [
"peerRole",
"Arn"
]
}
}
}
}
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Create a VPC and a VPC Peering connection using the PeerRole to accept.",
"Parameters": {
"PeerVPCAccountId": {
"Type": "String"
},
"PeerVPCId": {
"Type": "String"
},
"PeerRoleArn": {
"Type": "String"
}
},
"Resources": {
"vpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.2.0.0/16",
"EnableDnsSupport": false,
"EnableDnsHostnames": false,
"InstanceTenancy": "default"
}
},
"vpcPeeringConnection": {
"Type": "AWS::EC2::VPCPeeringConnection",
"Properties": {
"VpcId": {
"Ref": "vpc"
},
"PeerVpcId": {
"Ref": "PeerVPCId"
},
"PeerOwnerId": {
"Ref": "PeerVPCAccountId"
},
"PeerRoleArn": {
"Ref": "PeerRoleArn"
}
}
}
},
"Outputs": {
"VPCId": {
"Value": {
"Ref": "vpc"
}
},
"VPCPeeringConnectionId": {
"Value": {
"Ref": "vpcPeeringConnection"
}
}
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.