Creating a VPCPeeringConnection across AWS accounts via CloudFormation

Time: 2017-02-16 17:20:50

Tags: amazon-web-services amazon-ec2 amazon-vpc

In AWS, I am trying to create a VPC peering connection between two VPCs in different accounts via CloudFormation.

I can create the peering connection manually through the UI, which has 4 fields:

Name
Local VPC
Target Account ID
Target VPC ID

It seems the CLI also supports a target Account.

The problem arises when I try to do the same thing via CloudFormation with the AWS::EC2::VPCPeeringConnection object: this object seems to support only 3 fields, and Target Account is not one of them -

PeerVpcId
VpcId
Tags

My code results in

AttributeError: AWS::EC2::VPCPeeringConnection object does not support attribute PeerVpcOwner

How can I create a VPCPeeringConnection to a VPC in another account via CloudFormation?

1 answer:

Answer 0 (score: 10)

Yes, you can configure VPC peering between two AWS accounts using CloudFormation.

You can peer with a virtual private cloud (VPC) in another AWS account using AWS::EC2::VPCPeeringConnection. This creates a network connection between the two VPCs that lets you route traffic between them so they can communicate as if they were in the same network. A VPC peering connection helps facilitate data access and data transfer.

To establish a VPC peering connection, you need to authorize two separate AWS accounts within a single AWS CloudFormation stack.

Source: Walkthrough: Peer with an Amazon VPC in Another AWS Account

Step 1: Create the VPC and the cross-account role

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create a VPC and an assumable role for cross account VPC peering.",
  "Parameters": {
    "PeerRequesterAccountId": {
      "Type": "String"
    }
  },
  "Resources": {
    "vpc": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.1.0.0/16",
        "EnableDnsSupport": false,
        "EnableDnsHostnames": false,
        "InstanceTenancy": "default"
      }
    },
    "peerRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Principal": {
                "AWS": {
                  "Ref": "PeerRequesterAccountId"
                }
              },
              "Action": [
                "sts:AssumeRole"
              ],
              "Effect": "Allow"
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "root",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "ec2:AcceptVpcPeeringConnection",
                  "Resource": "*"
                }
              ]
            }
          }
        ]
      }
    }
  },
  "Outputs": {
    "VPCId": {
      "Value": {
        "Ref": "vpc"
      }
    },
    "RoleARN": {
      "Value": {
        "Fn::GetAtt": [
          "peerRole",
          "Arn"
        ]
      }
    }
  }
}

Step 2: Create the template containing AWS::EC2::VPCPeeringConnection

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create a VPC and a VPC Peering connection using the PeerRole to accept.",
  "Parameters": {
    "PeerVPCAccountId": {
      "Type": "String"
    },
    "PeerVPCId": {
      "Type": "String"
    },
    "PeerRoleArn": {
      "Type": "String"
    }
  },
  "Resources": {
    "vpc": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.2.0.0/16",
        "EnableDnsSupport": false,
        "EnableDnsHostnames": false,
        "InstanceTenancy": "default"
      }
    },
    "vpcPeeringConnection": {
      "Type": "AWS::EC2::VPCPeeringConnection",
      "Properties": {
        "VpcId": {
          "Ref": "vpc"
        },
        "PeerVpcId": {
          "Ref": "PeerVPCId"
        },
        "PeerOwnerId": {
          "Ref": "PeerVPCAccountId"
        },
        "PeerRoleArn": {
          "Ref": "PeerRoleArn"
        }
      }
    }
  },
  "Outputs": {
    "VPCId": {
      "Value": {
        "Ref": "vpc"
      }
    },
    "VPCPeeringConnectionId": {
      "Value": {
        "Ref": "vpcPeeringConnection"
      }
    }
  }
}
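The two templates in the answer only work safely if the accepter's role trusts exactly one account and grants only ec2:AcceptVpcPeeringConnection, and if the requester's PeerOwnerId and PeerRoleArn point at the same account. The Python below is an added example, not code from the answer or from AWS's walkthrough: it embeds constructed excerpts of both templates (resource and parameter names match the answer; the account ids, VPC id and role ARN are made-up placeholders) and checks those points before a deploy, so an over-broad trust policy or a mismatched role ARN is caught in review rather than at stack creation.

```python
import re

# Constructed excerpt of the answer's Step 1 template (accepter side): the
# role the requesting account is allowed to assume. Parameter values below
# are placeholders, not real account ids.
ACCEPTER_TEMPLATE = {
    "Resources": {
        "peerRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {"Statement": [{
                    "Principal": {"AWS": {"Ref": "PeerRequesterAccountId"}},
                    "Action": ["sts:AssumeRole"],
                    "Effect": "Allow"}]},
                "Policies": [{
                    "PolicyName": "root",
                    "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
                        "Effect": "Allow",
                        "Action": "ec2:AcceptVpcPeeringConnection",
                        "Resource": "*"}]}}]}}}}

# Constructed excerpt of the answer's Step 2 template (requester side).
REQUESTER_TEMPLATE = {
    "Resources": {
        "vpcPeeringConnection": {
            "Type": "AWS::EC2::VPCPeeringConnection",
            "Properties": {
                "VpcId": {"Ref": "vpc"},
                "PeerVpcId": {"Ref": "PeerVPCId"},
                "PeerOwnerId": {"Ref": "PeerVPCAccountId"},
                "PeerRoleArn": {"Ref": "PeerRoleArn"}}}}}

# Placeholder parameter values (constructed) for the two stacks.
ACCEPTER_PARAMS = {"PeerRequesterAccountId": "111111111111"}
REQUESTER_PARAMS = {
    "PeerVPCAccountId": "222222222222",
    "PeerVPCId": "vpc-0123456789abcdef0",
    "PeerRoleArn": "arn:aws:iam::222222222222:role/peerRole",
}

ACCOUNT_ID = re.compile(r"^\d{12}$")
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/")
ALLOWED_ACTIONS = {"ec2:AcceptVpcPeeringConnection"}


def resolve(value, params):
    """Resolve {"Ref": Name} to the supplied parameter value; pass anything else through."""
    if isinstance(value, dict) and set(value) == {"Ref"}:
        return params.get(value["Ref"], value)
    return value


def as_list(value):
    return value if isinstance(value, list) else [value]


def check_accepter(template, params):
    """Findings for the accepter's role: a specific trusted principal and only the accept action."""
    findings = []
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::IAM::Role":
            continue
        props = res["Properties"]
        for stmt in props["AssumeRolePolicyDocument"]["Statement"]:
            principal = stmt.get("Principal")
            aws = resolve(principal.get("AWS"), params) if isinstance(principal, dict) else principal
            for p in as_list(aws):
                if not isinstance(p, str) or p == "*" or not (ACCOUNT_ID.match(p) or p.startswith("arn:aws:iam::")):
                    findings.append(f"{name}: trust policy principal {p!r} is not a specific account or IAM principal")
        for policy in props.get("Policies", []):
            for stmt in policy["PolicyDocument"]["Statement"]:
                if stmt.get("Effect") != "Allow":
                    continue
                extra = set(as_list(stmt["Action"])) - ALLOWED_ACTIONS
                if extra:
                    findings.append(f"{name}: policy {policy['PolicyName']} grants more than accepting the peering: {sorted(extra)}")
    return findings


def check_requester(template, params):
    """Findings for the peering resource: PeerOwnerId and PeerRoleArn must be set and name the same account."""
    findings = []
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::EC2::VPCPeeringConnection":
            continue
        props = {k: resolve(v, params) for k, v in res["Properties"].items()}
        owner, role_arn = props.get("PeerOwnerId"), props.get("PeerRoleArn")
        if not isinstance(owner, str) or not ACCOUNT_ID.match(owner):
            findings.append(f"{name}: PeerOwnerId missing or not a 12-digit account id")
            continue
        m = ROLE_ARN.match(role_arn) if isinstance(role_arn, str) else None
        if m is None:
            findings.append(f"{name}: PeerRoleArn missing or not an IAM role ARN")
        elif m.group(1) != owner:
            findings.append(f"{name}: PeerRoleArn belongs to account {m.group(1)}, not PeerOwnerId {owner}")
    return findings


if __name__ == "__main__":
    for label, findings in (("accepter", check_accepter(ACCEPTER_TEMPLATE, ACCEPTER_PARAMS)),
                            ("requester", check_requester(REQUESTER_TEMPLATE, REQUESTER_PARAMS))):
        print(label, "OK" if not findings else findings)
```

Run it against the real template files by loading them with json.load and passing the same parameter values you would give the stacks; an empty findings list for both sides means the trust relationship is as narrow as the answer's templates intend.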