Creating a VPCPeeringConnection across AWS accounts via CloudFormation

Mat*_*ark 3 amazon-ec2 amazon-web-services amazon-vpc

In AWS, I am trying to create a VPC peering connection between two VPCs in different accounts via CloudFormation.

I can create the peering connection manually through the UI, which has 4 fields:

Name
Local VPC
Target Account ID
Target VPC ID

The CLI also seems to support a target account.

The problem occurs when trying to do the same via CloudFormation with the AWS::EC2::VPCPeeringConnection object: that object seems to support only 3 fields, and the target account is not one of them -

PeerVpcId
VpcId
Tags

which, with my code, results in

AttributeError: AWS::EC2::VPCPeeringConnection object does not support attribute PeerVpcOwner

How can I create a VPCPeeringConnection to a VPC in another account via CloudFormation?

Fel*_*rez 10

Yes, you can configure VPC peering between two AWS accounts with CloudFormation.

You can use AWS::EC2::VPCPeeringConnection to peer with a virtual private cloud (VPC) in another AWS account. This creates a networking connection between the two VPCs that lets you route traffic between them, so they can communicate as if they were in the same network. A VPC peering connection helps facilitate data access and data transfer.

To establish a VPC peering connection, you have to authorize two separate AWS accounts within a single AWS CloudFormation stack.

Source: Walkthrough: Peer with an Amazon VPC in another AWS account

Step 1: Create the VPC and the cross-account role

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create a VPC and an assumable role for cross account VPC peering.",
  "Parameters": {
    "PeerRequesterAccountId": {
      "Type": "String"
    }
  },
  "Resources": {
    "vpc": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.1.0.0/16",
        "EnableDnsSupport": false,
        "EnableDnsHostnames": false,
        "InstanceTenancy": "default"
      }
    },
    "peerRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Principal": {
                "AWS": {
                  "Ref": "PeerRequesterAccountId"
                }
              },
              "Action": [
                "sts:AssumeRole"
              ],
              "Effect": "Allow"
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "root",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "ec2:AcceptVpcPeeringConnection",
                  "Resource": "*"
                }
              ]
            }
          }
        ]
      }
    }
  },
  "Outputs": {
    "VPCId": {
      "Value": {
        "Ref": "vpc"
      }
    },
    "RoleARN": {
      "Value": {
        "Fn::GetAtt": [
          "peerRole",
          "Arn"
        ]
      }
    }
  }
}

Step 2: Create a template that includes AWS::EC2::VPCPeeringConnection

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create a VPC and a VPC Peering connection using the PeerRole to accept.",
  "Parameters": {
    "PeerVPCAccountId": {
      "Type": "String"
    },
    "PeerVPCId": {
      "Type": "String"
    },
    "PeerRoleArn": {
      "Type": "String"
    }
  },
  "Resources": {
    "vpc": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.2.0.0/16",
        "EnableDnsSupport": false,
        "EnableDnsHostnames": false,
        "InstanceTenancy": "default"
      }
    },
    "vpcPeeringConnection": {
      "Type": "AWS::EC2::VPCPeeringConnection",
      "Properties": {
        "VpcId": {
          "Ref": "vpc"
        },
        "PeerVpcId": {
          "Ref": "PeerVPCId"
        },
        "PeerOwnerId": {
          "Ref": "PeerVPCAccountId"
        },
        "PeerRoleArn": {
          "Ref": "PeerRoleArn"
        }
      }
    }
  },
  "Outputs": {
    "VPCId": {
      "Value": {
        "Ref": "vpc"
      }
    },
    "VPCPeeringConnectionId": {
      "Value": {
        "Ref": "vpcPeeringConnection"
      }
    }
  }
}

  • Thanks, this should be the accepted solution. (2 upvotes)
  • How can I skip the acceptance of the VPC peering connection, since I want to do it manually in the peer account without a cross-account role? (2 upvotes)
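An added least-privilege example, not part of the answer or of the AWS walkthrough: the Step 1 peerRole grants ec2:AcceptVpcPeeringConnection on Resource "*", so once the requester account can assume it, it can accept a peering request aimed at any VPC in the accepter account. The script below runs offline on a constructed, trimmed copy of that template: it flags such wildcard statements and rewrites the accept statement so it only covers peering connections in the stack's own account whose accepter side is the VPC the stack creates, using the ec2:AccepterVpc condition key and the AWS::Partition/AWS::Region/AWS::AccountId pseudo parameters via Fn::Sub.

```python
import copy

ACCEPT = "ec2:AcceptVpcPeeringConnection"

# Constructed, trimmed copy of the answer's Step 1 template: only the vpc resource
# and the peerRole inline policy that the checker reads (trust policy omitted).
STEP1_TEMPLATE = {"Resources": {
    "vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.1.0.0/16"}},
    "peerRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{
        "PolicyName": "root",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Action": ACCEPT,
            "Resource": "*"}]}}]}}}}


def find_wildcard_statements(template):
    """List (role, policy_name) for every inline Allow statement on Resource '*'."""
    hits = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for pol in res.get("Properties", {}).get("Policies", []):
            for stmt in pol["PolicyDocument"].get("Statement", []):
                if stmt.get("Effect") == "Allow" and stmt.get("Resource") == "*":
                    hits.append((name, pol["PolicyName"]))
    return hits


def harden_accept_statement(stmt, vpc_logical_id="vpc"):
    """Scope the accept permission to peering connections in this account whose
    accepter side is the VPC this stack creates (ec2:AccepterVpc condition key)."""
    base = "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:"
    hardened = copy.deepcopy(stmt)
    hardened["Resource"] = {"Fn::Sub": base + "vpc-peering-connection/*"}
    hardened["Condition"] = {"ArnEquals": {
        "ec2:AccepterVpc": {"Fn::Sub": base + "vpc/${" + vpc_logical_id + "}"}}}
    return hardened


def harden_template(template):
    """Return a copy of the template with every wildcard accept statement scoped.
    Only string-valued Action fields are matched, as in the answer's template."""
    out = copy.deepcopy(template)
    for name, _ in find_wildcard_statements(out):
        for pol in out["Resources"][name]["Properties"]["Policies"]:
            doc = pol["PolicyDocument"]
            doc["Statement"] = [
                harden_accept_statement(s)
                if s.get("Resource") == "*" and s.get("Action") == ACCEPT else s
                for s in doc["Statement"]]
    return out
```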