VPC peering for Amazon GameLift
This topic provides guidance on how to set up a VPC peering connection between your Amazon GameLift-hosted game servers and your other non-Amazon GameLift resources. Use Amazon Virtual Private Cloud (VPC) peering connections to enable your game servers to communicate directly and privately with your other Amazon resources, such as a web service or a repository. You can establish VPC peering with any resources that run on Amazon and are managed by an Amazon account that you have access to.
Note
VPC peering is an advanced feature. To learn about preferred options for enabling your game servers to communicate directly and privately with your other Amazon resources, see Communicate with other Amazon resources from your fleets.
If you're already familiar with Amazon VPCs and VPC peering, understand that setting up peering with Amazon GameLift game servers is somewhat different. You don't have access to the VPC that contains your game servers—it is controlled by the Amazon GameLift service—so you can't directly request VPC peering for it. Instead, you first pre-authorize the VPC with your non-Amazon GameLift resources to accept a peering request from the Amazon GameLift service. Then you trigger Amazon GameLift to request the VPC peering that you just authorized. Amazon GameLift handles the tasks of creating the peering connection, setting up the route tables, and configuring the connection.
To set up VPC peering for an existing fleet

1. Get Amazon account ID(s) and credentials.
   You need an ID and sign-in credentials for the following Amazon accounts. You can find Amazon account IDs by signing into the Amazon Web Services Management Console and viewing your account settings. To get credentials, go to the IAM console.
   - Amazon account that you use to manage your Amazon GameLift game servers.
   - Amazon account that you use to manage your non-Amazon GameLift resources.
   If you're using the same account for Amazon GameLift and non-Amazon GameLift resources, you need the ID and credentials for that account only.

2. Get identifiers for each VPC.
   Get the following information for the two VPCs to be peered:
   - VPC for your Amazon GameLift game servers – This is your Amazon GameLift fleet ID. Your game servers are deployed in Amazon GameLift on a fleet of EC2 instances. A fleet is automatically placed in its own VPC, which is managed by the Amazon GameLift service. You don't have direct access to the VPC, so it is identified by the fleet ID.
   - VPC for your non-Amazon GameLift Amazon resources – You can establish a VPC peering with any resources that run on Amazon and are managed by an Amazon account that you have access to. If you haven't already created a VPC for these resources, see Getting started with Amazon VPC. Once you have created a VPC, you can find the VPC ID by signing into the Amazon Web Services Management Console for Amazon VPC and viewing your VPCs.
   Note
   When setting up a peering, both VPCs must exist in the same region. The VPC for your Amazon GameLift fleet game servers is in the same region as the fleet.

3. Authorize a VPC peering.
   In this step, you pre-authorize a future request from Amazon GameLift to peer the VPC containing your game servers with your VPC for non-Amazon GameLift resources. This action updates the security group for your VPC.
   To authorize the VPC peering, call the Amazon GameLift service API CreateVpcPeeringAuthorization() or use the Amazon CLI command create-vpc-peering-authorization. Make this call using the account that manages your non-Amazon GameLift resources. Identify the following information:
   - Peer VPC ID – This is the ID of the VPC with your non-Amazon GameLift resources.
   - Amazon GameLift Amazon account ID – This is the account that you use to manage your Amazon GameLift fleet.
   Once you've authorized a VPC peering, the authorization remains valid for 24 hours unless revoked. You can manage your VPC peering authorizations using the following operations:
   - DescribeVpcPeeringAuthorizations() (Amazon CLI describe-vpc-peering-authorizations).
   - DeleteVpcPeeringAuthorization() (Amazon CLI delete-vpc-peering-authorization).

4. Request a peering connection.
   With a valid authorization, you can request that Amazon GameLift establish a peering connection.
   To request a VPC peering, call the Amazon GameLift service API CreateVpcPeeringConnection() or use the Amazon CLI command create-vpc-peering-connection. Make this call using the account that manages your Amazon GameLift game servers. Use the following information to identify the two VPCs that you want to peer:
   - Peer VPC ID and Amazon account ID – This is the VPC for your non-Amazon GameLift resources and the account that you use to manage them. The VPC ID must match the ID on a valid peering authorization.
   - Fleet ID – This identifies the VPC for your Amazon GameLift game servers.

5. Track the peering connection status.
   Requesting a VPC peering connection is an asynchronous operation. To track the status of a peering request and handle success or failure cases, use one of the following options:
   - Continuously poll with DescribeVpcPeeringConnections(). This operation retrieves the VPC peering connection record, including the status of the request. If a peering connection is successfully created, the connection record also contains the CIDR block of private IP addresses that is assigned to the fleet's VPC.
   - Handle fleet events associated with VPC peering connections with DescribeFleetEvents(), including success and failure events.
   Once the peering connection is established, you can manage it using the following operations:
   - DescribeVpcPeeringConnections() (Amazon CLI describe-vpc-peering-connections).
   - DeleteVpcPeeringConnection() (Amazon CLI delete-vpc-peering-connection).
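The pre-flight check and the polling loop from steps 3 through 5, as an added example that is not part of the Amazon GameLift documentation. It is written in Python against the boto3 GameLift client's call names and response shapes (describe_vpc_peering_authorizations, describe_vpc_peering_connections, the VpcPeeringAuthorizations and VpcPeeringConnections lists, ExpirationTime, Status.Code and IpV4CidrBlock). The FakeGameLift class, the fleet ID, the account ID 444455556666 and the set of terminal status codes other than initiating-request are constructed assumptions so the example runs offline; with a real boto3.client("gamelift") the two functions are used unchanged.

```python
"""Added example (not from the Amazon GameLift documentation): confirm that an
unexpired peering authorization exists for the peer VPC, then poll the peering
connection status a bounded number of times and surface the result.

Call names and response shapes follow the boto3 GameLift client. FakeGameLift is
a constructed stand-in so the example runs offline.
"""
import time
from datetime import datetime, timedelta, timezone

# The page documents "initiating-request" as the initial status. Which codes are
# treated as terminal success/failure here is an assumption of this example.
SUCCESS_CODES = {"active"}
FAILURE_CODES = {"failed", "rejected", "deleted", "expired"}


def find_valid_authorization(client, peer_vpc_id, now=None):
    """Return the unexpired authorization for peer_vpc_id, or None.

    Authorizations last 24 hours unless revoked; ExpirationTime from the service
    is checked directly so an expired or deleted entry is never trusted.
    """
    now = now or datetime.now(timezone.utc)
    resp = client.describe_vpc_peering_authorizations()
    for auth in resp.get("VpcPeeringAuthorizations", []):
        if auth["PeerVpcId"] == peer_vpc_id and auth["ExpirationTime"] > now:
            return auth
    return None


def wait_for_peering(client, fleet_id, max_polls=10, sleep=time.sleep, interval=5):
    """Poll DescribeVpcPeeringConnections until the request reaches a terminal state.

    Returns (status_code, cidr_block, message). cidr_block is the private IPv4
    range of the fleet's VPC, present once the connection is established.
    Raises TimeoutError if the request is still pending after max_polls polls.
    """
    for _ in range(max_polls):
        resp = client.describe_vpc_peering_connections(FleetId=fleet_id)
        conns = resp.get("VpcPeeringConnections", [])
        if not conns:
            raise LookupError(f"no peering connection record for fleet {fleet_id}")
        conn = conns[0]
        code = conn["Status"]["Code"]
        message = conn["Status"].get("Message", "")
        if code in SUCCESS_CODES:
            return code, conn.get("IpV4CidrBlock"), message
        if code in FAILURE_CODES:
            return code, None, message
        sleep(interval)
    raise TimeoutError(f"peering for fleet {fleet_id} still pending after {max_polls} polls")


class FakeGameLift:
    """Constructed stand-in that replays a scripted sequence of status codes."""

    def __init__(self, auths, status_sequence, cidr="10.1.0.0/16"):
        self._auths = auths
        self._seq = list(status_sequence)
        self._cidr = cidr
        self.calls = 0

    def describe_vpc_peering_authorizations(self):
        return {"VpcPeeringAuthorizations": self._auths}

    def describe_vpc_peering_connections(self, FleetId):
        self.calls += 1
        # Keep returning the last scripted status once the sequence is exhausted.
        code = self._seq[min(self.calls, len(self._seq)) - 1]
        conn = {"FleetId": FleetId, "PeerVpcId": "vpc-a11a11a",
                "Status": {"Code": code, "Message": f"state {code}"}}
        if code == "active":
            conn["IpV4CidrBlock"] = self._cidr
        return {"VpcPeeringConnections": [conn]}


def demo():
    """Run the check and the poll loop against constructed data."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    # Constructed authorization: GameLift account 444455556666 and fleet ID are
    # placeholders; 111122223333 / vpc-a11a11a are the values used on this page.
    auths = [{"GameLiftAwsAccountId": "444455556666", "PeerVpcAwsAccountId": "111122223333",
              "PeerVpcId": "vpc-a11a11a", "CreationTime": now - timedelta(hours=1),
              "ExpirationTime": now + timedelta(hours=23)}]
    client = FakeGameLift(auths, ["initiating-request", "initiating-request", "active"])
    if find_valid_authorization(client, "vpc-a11a11a", now=now) is None:
        raise RuntimeError("no valid authorization; call CreateVpcPeeringAuthorization first")
    return wait_for_peering(client, "fleet-2222bbbb-33cc-44dd-55ee-6666ffff77aa",
                            sleep=lambda _: None)


if __name__ == "__main__":
    print(demo())
```

The two functions are deliberately separated: the authorization check runs under the credentials of the account that owns the peer VPC, while the polling runs under the account that owns the fleet, matching the split of responsibilities in steps 3 and 4. Bounding the poll count keeps a failed or forgotten request from blocking a deployment pipeline indefinitely.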
To set up VPC peering with a new fleet
You can create a new Amazon GameLift fleet and request a VPC peering connection at the same time.

1. Get Amazon account ID(s) and credentials.
   You need an ID and sign-in credentials for the following two Amazon accounts. You can find Amazon account IDs by signing into the Amazon Web Services Management Console and viewing your account settings. To get credentials, go to the IAM console.
   - Amazon account that you use to manage your Amazon GameLift game servers.
   - Amazon account that you use to manage your non-Amazon GameLift resources.
   If you're using the same account for Amazon GameLift and non-Amazon GameLift resources, you need the ID and credentials for that account only.

2. Get the VPC ID for your non-Amazon GameLift Amazon resources.
   If you haven't already created a VPC for these resources, do so now (see Getting started with Amazon VPC). Be sure that you create the new VPC in the same region where you plan to create your new fleet. If your non-Amazon GameLift resources are managed under a different Amazon account or user/user group than the one you use with Amazon GameLift, you'll need to use those account credentials when requesting authorization in the next step.
   Once you have created a VPC, you can locate the VPC ID in the Amazon VPC console by viewing your VPCs.

3. Authorize a VPC peering with non-Amazon GameLift resources.
   When Amazon GameLift creates the new fleet and a corresponding VPC, it also sends a request to peer with the VPC for your non-Amazon GameLift resources. You need to pre-authorize that request. This step updates the security group for your VPC.
   Using the account credentials that manage your non-Amazon GameLift resources, call the Amazon GameLift service API CreateVpcPeeringAuthorization() or use the Amazon CLI command create-vpc-peering-authorization. Identify the following information:
   - Peer VPC ID – ID of the VPC with your non-Amazon GameLift resources.
   - Amazon GameLift Amazon account ID – ID of the account that you use to manage your Amazon GameLift fleet.
   Once you've authorized a VPC peering, the authorization remains valid for 24 hours unless revoked. You can manage your VPC peering authorizations using the following operations:
   - DescribeVpcPeeringAuthorizations() (Amazon CLI describe-vpc-peering-authorizations).
   - DeleteVpcPeeringAuthorization() (Amazon CLI delete-vpc-peering-authorization).

4. Follow the instructions for creating a new fleet using the Amazon CLI. Include the following additional parameters:
   - peer-vpc-aws-account-id – ID of the account that you use to manage the VPC with your non-Amazon GameLift resources.
   - peer-vpc-id – ID of the VPC with your non-Amazon GameLift resources (the VPC in that account).
   A successful call to create-fleet with the VPC peering parameters generates both a new fleet and a new VPC peering request. The fleet's status is set to New and the fleet activation process is initiated. The peering connection request's status is set to initiating-request. You can track the success or failure of the peering request by calling describe-vpc-peering-connections.
   When requesting both a new fleet and a VPC peering connection, either both actions succeed or both fail. If the fleet fails during the creation process, the VPC peering connection will not be established. Likewise, if the VPC peering connection fails for any reason, the new fleet will fail to move from status Activating to Active.
   Note
   The new VPC peering connection is not completed until the fleet is ready to become active. This means that the connection is not available and can't be used during the game server build installation process.
   The following example creates both a new fleet and a peering connection between a pre-established VPC and the VPC for the new fleet. The pre-established VPC is uniquely identified by the combination of your non-Amazon GameLift Amazon account ID and the VPC ID.
$ aws gamelift create-fleet --name "My_Fleet_1" --description "The sample test fleet" --ec2-instance-type "c5.large" --fleet-type "ON_DEMAND" --build-id "build-1111aaaa-22bb-33cc-44dd-5555eeee66ff" --runtime-configuration "GameSessionActivationTimeoutSeconds=300, MaxConcurrentGameSessionActivations=2, ServerProcesses=[{LaunchPath=C:\game\Bin64.dedicated\MultiplayerSampleProjectLauncher_Server.exe, Parameters=+sv_port 33435 +start_lobby, ConcurrentExecutions=10}]" --new-game-session-protection-policy "FullProtection" --resource-creation-limit-policy "NewGameSessionsPerCreator=3, PolicyPeriodInMinutes=15" --ec2-inbound-permissions "FromPort=33435,ToPort=33435,IpRange=0.0.0.0/0,Protocol=UDP" "FromPort=33235,ToPort=33235,IpRange=0.0.0.0/0,Protocol=UDP" --metric-groups "EMEAfleets" --peer-vpc-aws-account-id "111122223333" --peer-vpc-id "vpc-a11a11a"
Copyable version:
aws gamelift create-fleet --name "My_Fleet_1" --description "The sample test fleet" --fleet-type "ON_DEMAND" --metric-groups "EMEAfleets" --build-id "build-1111aaaa-22bb-33cc-44dd-5555eeee66ff" --ec2-instance-type "c5.large" --runtime-configuration "GameSessionActivationTimeoutSeconds=300,MaxConcurrentGameSessionActivations=2,ServerProcesses=[{LaunchPath=C:\game\Bin64.dedicated\MultiplayerSampleProjectLauncher_Server.exe,Parameters=+sv_port 33435 +start_lobby,ConcurrentExecutions=10}]" --new-game-session-protection-policy "FullProtection" --resource-creation-limit-policy "NewGameSessionsPerCreator=3,PolicyPeriodInMinutes=15" --ec2-inbound-permissions "FromPort=33435,ToPort=33435,IpRange=0.0.0.0/0,Protocol=UDP" "FromPort=33235,ToPort=33235,IpRange=0.0.0.0/0,Protocol=UDP" --peer-vpc-aws-account-id "111122223333" --peer-vpc-id "vpc-a11a11a"
Troubleshooting VPC peering issues
If you're having trouble establishing a VPC peering connection for your Amazon GameLift game servers, consider these common root causes:
- An authorization for the requested connection was not found:
  - Check the status of a VPC authorization for the non-Amazon GameLift VPC. It might not exist or it might have expired.
  - Check the regions of the two VPCs you're trying to peer. If they're not in the same region, they can't be peered.
- The CIDR blocks (see Invalid VPC peering connection configurations) of your two VPCs overlap. The IPv4 CIDR blocks that are assigned to peered VPCs cannot overlap. The CIDR block of the VPC for your Amazon GameLift fleet is automatically assigned and can't be changed, so you'll need to change the CIDR block of the VPC for your non-Amazon GameLift resources. To resolve this issue:
  - Look up the CIDR block for your Amazon GameLift fleet by calling DescribeVpcPeeringConnections().
  - Go to the Amazon VPC console, find the VPC for your non-Amazon GameLift resources, and change its CIDR block so that the two blocks don't overlap.
- The new fleet did not activate (when requesting VPC peering with a new fleet). If the new fleet failed to progress to Active status, there is no VPC to peer with, so the peering connection cannot succeed.
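The overlapping-CIDR check from the second troubleshooting item, as an added example that is not part of the Amazon GameLift documentation. It is Python using the standard library ipaddress module; the fleet block is read from a DescribeVpcPeeringConnections response shaped like boto3's (VpcPeeringConnections, IpV4CidrBlock), the peer VPC's blocks are whatever the Amazon VPC console lists for your VPC, and all values in demo() (fleet ID, the failed-status message, the block ranges) are constructed sample data.

```python
"""Added example (not from the Amazon GameLift documentation): detect an IPv4 CIDR
overlap between the fleet's automatically assigned VPC block and the block(s) of
the VPC you want to peer with, and pick a non-overlapping replacement.

fleet_cidr is the IpV4CidrBlock that DescribeVpcPeeringConnections reports for
the fleet's VPC; peer_cidrs are the IPv4 blocks associated with your own VPC.
The values in demo() are constructed.
"""
import ipaddress


def fleet_cidr_from_response(resp):
    """Pull the fleet VPC's IPv4 block out of a DescribeVpcPeeringConnections response."""
    conns = resp.get("VpcPeeringConnections", [])
    if not conns or "IpV4CidrBlock" not in conns[0]:
        raise LookupError("no IpV4CidrBlock in response; the connection record may not exist yet")
    return conns[0]["IpV4CidrBlock"]


def overlapping_blocks(fleet_cidr, peer_cidrs):
    """Return every peer VPC block that overlaps the fleet VPC's block.

    A VPC can carry several associated IPv4 blocks, so each one is checked.
    strict=True rejects malformed input such as 10.1.1.0/16 (host bits set)
    instead of silently masking it, so a typo cannot hide a real overlap.
    """
    fleet_net = ipaddress.ip_network(fleet_cidr, strict=True)
    return [c for c in peer_cidrs
            if ipaddress.ip_network(c, strict=True).overlaps(fleet_net)]


def can_peer(fleet_cidr, peer_cidrs):
    """True when none of the peer VPC's blocks collide with the fleet VPC's block."""
    return not overlapping_blocks(fleet_cidr, peer_cidrs)


def first_non_overlapping(fleet_cidr, candidates):
    """Return the first candidate block that does not overlap the fleet block,
    or None if every candidate collides. Use it to choose the replacement block
    for the non-Amazon GameLift VPC, since the fleet block cannot be changed."""
    for c in candidates:
        if can_peer(fleet_cidr, [c]):
            return c
    return None


def demo():
    # Constructed data: a fleet VPC in 10.1.0.0/16 and a peer VPC whose primary
    # block sits inside it, plus a secondary block that does not collide.
    resp = {"VpcPeeringConnections": [{
        "FleetId": "fleet-2222bbbb-33cc-44dd-55ee-6666ffff77aa",  # placeholder fleet ID
        "PeerVpcId": "vpc-a11a11a",
        "IpV4CidrBlock": "10.1.0.0/16",
        "Status": {"Code": "failed", "Message": "constructed: CIDR overlap"}}]}
    fleet = fleet_cidr_from_response(resp)
    peer_blocks = ["10.1.0.0/20", "172.16.0.0/16"]
    return {"fleet_cidr": fleet,
            "overlapping": overlapping_blocks(fleet, peer_blocks),
            "can_peer": can_peer(fleet, peer_blocks),
            "replacement": first_non_overlapping(fleet, ["10.1.0.0/24", "10.2.0.0/16"])}


if __name__ == "__main__":
    print(demo())
```

Run this before calling CreateVpcPeeringConnection (or create-fleet with the peering parameters) once the fleet block is known: a failed peering request in the new-fleet path also fails the fleet, so catching the overlap ahead of time avoids a wasted fleet activation.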