AWS CloudFormation
User Guide (API Version 2010-05-15)
AWS services or the capabilities described in AWS documentation may vary by region or location. See Getting Started with Amazon AWS for the specific differences in the China regions.

Walkthrough: Peer with an Amazon VPC in Another AWS Account

With AWS::EC2::VPCPeeringConnection you can peer with a Virtual Private Cloud (VPC) in another AWS account. This creates a network connection between the two VPCs so that you can route traffic between them and they can communicate as if they were in the same network. A VPC peering connection can help facilitate data access and data transfer.

To establish a VPC peering connection, you need to authorize two separate AWS accounts within a single AWS CloudFormation stack.

For more information about VPC peering and its limitations, see VPC Peering Overview in the Amazon VPC Peering Guide.

Prerequisites

  1. To create a peering connection, you need the peer VPC ID, the peer AWS account ID, and a cross-account access role.

    Note

    This walkthrough involves two accounts: the first is the account that allows cross-account peering (the accepter account). The second is the account that requests the peering connection (the requester account).

  2. To accept a VPC peering connection, you must be able to assume the cross-account access role. The resource behaves in the same way as a VPC peering connection resource within a single account.

Step 1: Create a VPC and a cross-account role

To create the VPC and the cross-account access role (example)

In this step, you create the VPC and the role in the accepter account.

  1. In the AWS Management Console, choose AWS CloudFormation.

  2. Choose Create Stack.

  3. You have several options. To create a new blank template with AWS CloudFormation Designer, choose Design template.

    To create the template in another text editor instead, choose Upload a template to Amazon S3 or Specify an Amazon S3 template URL, as appropriate.

  4. Use the following example template to create the VPC and the cross-account role that allows the other account to peer with it.

    Example JSON

    {
      "AWSTemplateFormatVersion": "2010-09-09",
      "Description": "Create a VPC and an assumable role for cross account VPC peering.",
      "Parameters": {
        "PeerRequesterAccountId": {
          "Type": "String"
        }
      },
      "Resources": {
        "vpc": {
          "Type": "AWS::EC2::VPC",
          "Properties": {
            "CidrBlock": "10.1.0.0/16",
            "EnableDnsSupport": false,
            "EnableDnsHostnames": false,
            "InstanceTenancy": "default"
          }
        },
        "peerRole": {
          "Type": "AWS::IAM::Role",
          "Properties": {
            "AssumeRolePolicyDocument": {
              "Statement": [
                {
                  "Principal": {
                    "AWS": {
                      "Ref": "PeerRequesterAccountId"
                    }
                  },
                  "Action": [
                    "sts:AssumeRole"
                  ],
                  "Effect": "Allow"
                }
              ]
            },
            "Path": "/",
            "Policies": [
              {
                "PolicyName": "root",
                "PolicyDocument": {
                  "Version": "2012-10-17",
                  "Statement": [
                    {
                      "Effect": "Allow",
                      "Action": "ec2:AcceptVpcPeeringConnection",
                      "Resource": "*"
                    }
                  ]
                }
              }
            ]
          }
        }
      },
      "Outputs": {
        "VPCId": {
          "Value": {
            "Ref": "vpc"
          }
        },
        "RoleARN": {
          "Value": {
            "Fn::GetAtt": [
              "peerRole",
              "Arn"
            ]
          }
        }
      }
    }

    Example YAML

    AWSTemplateFormatVersion: 2010-09-09
    Description: Create a VPC and an assumable role for cross account VPC peering.
    Parameters:
      PeerRequesterAccountId:
        Type: String
    Resources:
      vpc:
        Type: 'AWS::EC2::VPC'
        Properties:
          CidrBlock: 10.1.0.0/16
          EnableDnsSupport: false
          EnableDnsHostnames: false
          InstanceTenancy: default
      peerRole:
        Type: 'AWS::IAM::Role'
        Properties:
          AssumeRolePolicyDocument:
            Statement:
              - Principal:
                  AWS: !Ref PeerRequesterAccountId
                Action:
                  - 'sts:AssumeRole'
                Effect: Allow
          Path: /
          Policies:
            - PolicyName: root
              PolicyDocument:
                Version: 2012-10-17
                Statement:
                  - Effect: Allow
                    Action: 'ec2:AcceptVpcPeeringConnection'
                    Resource: '*'
    Outputs:
      VPCId:
        Value: !Ref vpc
      RoleARN:
        Value: !GetAtt
          - peerRole
          - Arn

  5. Choose Next.

  6. Give the stack a name (for example, VPC-owner), and then type the AWS account ID of the requester account in the PeerRequesterAccountId field.

  7. Accept the defaults, and then choose Next.

  8. Choose I acknowledge that AWS CloudFormation might create IAM resources, and then choose Create.

Step 2: Create a template that includes AWS::EC2::VPCPeeringConnection

Now that the VPC and the cross-account role have been created, you can peer with that VPC from another AWS account (the requester account).

To create a template that includes the AWS::EC2::VPCPeeringConnection resource (example)

  1. Return to the AWS CloudFormation console home page.

  2. Choose Create Stack.

  3. Choose Design template to create a new blank template with AWS CloudFormation Designer.

    To create the template in another text editor instead, choose Upload a template to Amazon S3 or Specify an Amazon S3 template URL, as appropriate.

  4. Use the following example template, together with the peer role created in step 1, to create a VPC and a VPC peering connection.

    Example JSON

    {
      "AWSTemplateFormatVersion": "2010-09-09",
      "Description": "Create a VPC and a VPC Peering connection using the PeerRole to accept.",
      "Parameters": {
        "PeerVPCAccountId": {
          "Type": "String"
        },
        "PeerVPCId": {
          "Type": "String"
        },
        "PeerRoleArn": {
          "Type": "String"
        }
      },
      "Resources": {
        "vpc": {
          "Type": "AWS::EC2::VPC",
          "Properties": {
            "CidrBlock": "10.2.0.0/16",
            "EnableDnsSupport": false,
            "EnableDnsHostnames": false,
            "InstanceTenancy": "default"
          }
        },
        "vpcPeeringConnection": {
          "Type": "AWS::EC2::VPCPeeringConnection",
          "Properties": {
            "VpcId": {
              "Ref": "vpc"
            },
            "PeerVpcId": {
              "Ref": "PeerVPCId"
            },
            "PeerOwnerId": {
              "Ref": "PeerVPCAccountId"
            },
            "PeerRoleArn": {
              "Ref": "PeerRoleArn"
            }
          }
        }
      },
      "Outputs": {
        "VPCId": {
          "Value": {
            "Ref": "vpc"
          }
        },
        "VPCPeeringConnectionId": {
          "Value": {
            "Ref": "vpcPeeringConnection"
          }
        }
      }
    }

    Example YAML

    AWSTemplateFormatVersion: 2010-09-09
    Description: Create a VPC and a VPC Peering connection using the PeerRole to accept.
    Parameters:
      PeerVPCAccountId:
        Type: String
      PeerVPCId:
        Type: String
      PeerRoleArn:
        Type: String
    Resources:
      vpc:
        Type: 'AWS::EC2::VPC'
        Properties:
          CidrBlock: 10.2.0.0/16
          EnableDnsSupport: false
          EnableDnsHostnames: false
          InstanceTenancy: default
      vpcPeeringConnection:
        Type: 'AWS::EC2::VPCPeeringConnection'
        Properties:
          VpcId: !Ref vpc
          PeerVpcId: !Ref PeerVPCId
          PeerOwnerId: !Ref PeerVPCAccountId
          PeerRoleArn: !Ref PeerRoleArn
    Outputs:
      VPCId:
        Value: !Ref vpc
      VPCPeeringConnectionId:
        Value: !Ref vpcPeeringConnection

  5. Choose Next.

  6. Give the stack a name (for example, VPC-peering-connection).

  7. Accept the defaults, and then choose Next.

  8. Choose I acknowledge that AWS CloudFormation might create IAM resources, and then choose Create.

Create a template with a highly restrictive policy

When peering your VPC with another AWS account, you might want to create a highly restrictive policy.

The following example template shows how to modify the VPC peering owner template (the accepter account template created in step 1 above) to make it more restrictive.

Example JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create a VPC and an assumable role for cross account VPC peering.",
  "Parameters": {
    "PeerRequesterAccountId": {
      "Type": "String"
    }
  },
  "Resources": {
    "peerRole": {
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": [
                "sts:AssumeRole"
              ],
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Ref": "PeerRequesterAccountId"
                }
              }
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyDocument": {
              "Statement": [
                {
                  "Action": "ec2:acceptVpcPeeringConnection",
                  "Effect": "Allow",
                  "Resource": {
                    "Fn::Sub": "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}"
                  }
                },
                {
                  "Action": "ec2:acceptVpcPeeringConnection",
                  "Condition": {
                    "StringEquals": {
                      "ec2:AccepterVpc": {
                        "Fn::Sub": "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}"
                      }
                    }
                  },
                  "Effect": "Allow",
                  "Resource": {
                    "Fn::Sub": "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc-peering-connection/*"
                  }
                }
              ],
              "Version": "2012-10-17"
            },
            "PolicyName": "root"
          }
        ]
      },
      "Type": "AWS::IAM::Role"
    },
    "vpc": {
      "Properties": {
        "CidrBlock": "10.1.0.0/16",
        "EnableDnsHostnames": false,
        "EnableDnsSupport": false,
        "InstanceTenancy": "default"
      },
      "Type": "AWS::EC2::VPC"
    }
  },
  "Outputs": {
    "RoleARN": {
      "Value": {
        "Fn::GetAtt": [
          "peerRole",
          "Arn"
        ]
      }
    },
    "VPCId": {
      "Value": {
        "Ref": "vpc"
      }
    }
  }
}

Example YAML

AWSTemplateFormatVersion: 2010-09-09
Description: Create a VPC and an assumable role for cross account VPC peering.
Parameters:
  PeerRequesterAccountId:
    Type: String
Resources:
  peerRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - 'sts:AssumeRole'
            Effect: Allow
            Principal:
              AWS:
                Ref: PeerRequesterAccountId
      Path: /
      Policies:
        - PolicyDocument:
            Statement:
              - Action: 'ec2:acceptVpcPeeringConnection'
                Effect: Allow
                Resource:
                  'Fn::Sub': 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}'
              - Action: 'ec2:acceptVpcPeeringConnection'
                Condition:
                  StringEquals:
                    'ec2:AccepterVpc':
                      'Fn::Sub': 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}'
                Effect: Allow
                Resource:
                  'Fn::Sub': >-
                    arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc-peering-connection/*
            Version: 2012-10-17
          PolicyName: root
    Type: 'AWS::IAM::Role'
  vpc:
    Properties:
      CidrBlock: 10.1.0.0/16
      EnableDnsHostnames: false
      EnableDnsSupport: false
      InstanceTenancy: default
    Type: 'AWS::EC2::VPC'
Outputs:
  RoleARN:
    Value:
      'Fn::GetAtt':
        - peerRole
        - Arn
  VPCId:
    Value:
      Ref: vpc

To access the VPC, you can use the requester template from step 2 above.
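The two accepter-account templates on this page differ only in how far the assumed role's ec2:AcceptVpcPeeringConnection permission reaches: the step 1 template grants it on Resource "*", so whoever assumes the role can accept a peering request for any VPC in the accepter account, while the restrictive template above scopes it to the stack's own VPC (directly, and through the ec2:AccepterVpc condition on peering-connection resources). The Python below is an added example, not code from the AWS CloudFormation User Guide or from AWS. It builds constructed, trimmed copies of both role definitions, resolves their Fn::Sub ARNs against constructed pseudo-parameter values (region, account ID, VPC ID), and flags an accept statement that is unscoped and unconditioned. The helper names (lint_peering_role, accept_scope, render_sub) and all sample values are assumptions made for illustration.

```python
import re

# Constructed pseudo-parameter values used to resolve Fn::Sub. At deploy time
# CloudFormation supplies these; ${vpc} resolves to the Ref (VPC ID) of the
# "vpc" resource.
EXAMPLE_ENV = {
    "AWS::Region": "us-east-1",
    "AWS::AccountId": "111111111111",
    "vpc": "vpc-0123456789abcdef0",
}

# IAM action names are matched case-insensitively, which is why the page can
# spell the action both AcceptVpcPeeringConnection and acceptVpcPeeringConnection.
ACCEPT_ACTION = "ec2:acceptvpcpeeringconnection"

VPC = {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.1.0.0/16"}}
VPC_ARN = {"Fn::Sub": "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}"}


def _role(statements):
    """Constructed AWS::IAM::Role resource wrapping the given inline statements.
    The trust policy mirrors the page: the requester account may assume the role."""
    return {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "AssumeRolePolicyDocument": {"Statement": [{
                "Effect": "Allow",
                "Action": ["sts:AssumeRole"],
                "Principal": {"AWS": {"Ref": "PeerRequesterAccountId"}},
            }]},
            "Path": "/",
            "Policies": [{"PolicyName": "root",
                          "PolicyDocument": {"Version": "2012-10-17",
                                             "Statement": statements}}],
        },
    }


# Constructed copy of the step 1 accepter role: accept is allowed on Resource "*".
PERMISSIVE_TEMPLATE = {"Resources": {"vpc": VPC, "peerRole": _role([
    {"Effect": "Allow", "Action": "ec2:AcceptVpcPeeringConnection", "Resource": "*"},
])}}

# Constructed copy of the restrictive variant: scoped to this stack's VPC, and to
# peering connections whose accepter VPC is this stack's VPC.
RESTRICTED_TEMPLATE = {"Resources": {"vpc": VPC, "peerRole": _role([
    {"Effect": "Allow", "Action": "ec2:acceptVpcPeeringConnection", "Resource": VPC_ARN},
    {"Effect": "Allow", "Action": "ec2:acceptVpcPeeringConnection",
     "Resource": {"Fn::Sub": "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc-peering-connection/*"},
     "Condition": {"StringEquals": {"ec2:AccepterVpc": VPC_ARN}}},
])}}


def as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def render_sub(value, env):
    """Resolve a plain string or an {"Fn::Sub": "..."} object against env.
    Unknown ${names} are left as-is so the caller can see what was unresolved."""
    if isinstance(value, dict) and "Fn::Sub" in value:
        return re.sub(r"\$\{([^}]+)\}",
                      lambda m: env.get(m.group(1), m.group(0)), value["Fn::Sub"])
    return value


def accept_statements(template):
    """Yield (role, policy_name, statement) for every Allow statement in an
    AWS::IAM::Role inline policy that covers the accept-peering action."""
    for role_name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for policy in res.get("Properties", {}).get("Policies", []):
            for stmt in policy.get("PolicyDocument", {}).get("Statement", []):
                actions = {a.lower() for a in as_list(stmt.get("Action", []))}
                if stmt.get("Effect") == "Allow" and actions & {ACCEPT_ACTION, "ec2:*", "*"}:
                    yield role_name, policy.get("PolicyName", "?"), stmt


def accept_scope(template, env):
    """Set of resolved resource ARNs on which the role may accept peering."""
    return {render_sub(r, env)
            for _, _, stmt in accept_statements(template)
            for r in as_list(stmt.get("Resource", []))}


def lint_peering_role(template, env):
    """Findings for accept statements that apply to every resource with no Condition,
    i.e. the role could accept a peering request for any VPC in this account."""
    findings = []
    for role_name, policy_name, stmt in accept_statements(template):
        resources = [render_sub(r, env) for r in as_list(stmt.get("Resource", []))]
        if "*" in resources and "Condition" not in stmt:
            findings.append(f"{role_name}/{policy_name}: accept-peering allowed on every "
                            f"VPC and peering connection in account {env['AWS::AccountId']}")
    return findings


if __name__ == "__main__":
    for label, tpl in (("step 1 template", PERMISSIVE_TEMPLATE),
                       ("restrictive template", RESTRICTED_TEMPLATE)):
        print(label, "scope:", sorted(accept_scope(tpl, EXAMPLE_ENV)))
        print(label, "findings:", lint_peering_role(tpl, EXAMPLE_ENV) or "none")
```

The check deliberately treats a Resource "*" statement that carries a Condition as acceptable, because a condition such as the ec2:AccepterVpc one above is itself a scoping mechanism; a stricter lint would also verify that the condition names the stack's VPC ARN.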