VPC Peering Between Organisations

Setting up VPC Peering Between Organisations

This guide provides comprehensive instructions for setting up VPC peering connections between VPCs owned by different organisations in Thalassa Cloud. VPC peering enables secure network connectivity between VPCs, allowing resources in different organisations to communicate as if they were in the same network.

Prerequisites

Before setting up VPC peering, ensure you have:

  • Access to both organisations (requester and accepter)
  • Two VPCs with non-overlapping CIDR blocks
  • Appropriate permissions to create and accept peering connections
  • Knowledge of the VPC IDs and organisation IDs for both sides

Overview

The VPC peering process involves:

  1. Create Peering Connection: The requester organisation creates a peering connection request
  2. Accept Peering Connection: The accepter organisation accepts the peering request
  3. Configure Routes: Both organisations configure route tables to enable traffic flow

Step 1: Create the Peering Connection (Requester)

Step 1: Gather Required Information

Collect the following information:

  • Requester VPC ID: The ID of your VPC that will initiate the peering request
  • Accepter VPC ID: The ID of the VPC in the other organisation that will accept the peering
  • Accepter Organisation ID: The ID of the organisation that owns the accepter VPC
  • VPC CIDR Blocks: Ensure the CIDR blocks do not overlap

Step 2: Create the Peering Connection

Create the VPC peering connection with the following configuration:

  • Name: Choose a descriptive name (e.g., peering-org-a-to-org-b)
  • Description: Optional description of the peering connection’s purpose
  • Requester VPC ID: Your VPC’s ID
  • Accepter VPC ID: The target VPC’s ID
  • Accepter Organisation ID: The target organisation’s ID
  • Auto Accept: Set to false (cross-organisation peering requires manual acceptance)

Step 3: Wait for Acceptance

After creating the peering connection, it will be in a pending status. The connection must be accepted by the accepter organisation before it becomes active.

Step 2: Accept the Peering Connection (Accepter)

Step 1: View Pending Requests

  1. Navigate to IaaS → Networking → VPC Peering in the Thalassa Cloud Console
  2. View pending peering requests in your organisation
  3. Review the peering connection details, including the requester organisation and VPC information

Step 2: Verify the Request

Before accepting, verify:

  • The requester organisation and VPC details
  • The CIDR blocks do not overlap with your VPC
  • The peering connection serves a legitimate business purpose
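The CIDR check above (and the same check in the requester's information-gathering step) is easy to do by hand for two /16 blocks, but a VPC may carry several CIDR blocks, and one hidden overlap makes the routes on the other side ambiguous. The following is an added example, not code from Thalassa Cloud or its provider, that checks every block on one side against every block on the other; the sample CIDR values are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample values: the CIDR blocks of two VPCs about to be peered.
REQUESTER_CIDRS = ["10.0.0.0/16"]
ACCEPTER_CIDRS = ["10.1.0.0/16"]


def find_overlapping_cidrs(
    requester_cidrs: Iterable[str], accepter_cidrs: Iterable[str]
) -> List[Tuple[str, str]]:
    """Return every (requester, accepter) pair of CIDR blocks that overlap.

    strict=True makes ip_network() reject a block with host bits set
    (e.g. "10.0.1.0/16"), which is almost always a typo in a VPC definition.
    """
    requester = [ipaddress.ip_network(c, strict=True) for c in requester_cidrs]
    accepter = [ipaddress.ip_network(c, strict=True) for c in accepter_cidrs]
    overlaps: List[Tuple[str, str]] = []
    for r in requester:
        for a in accepter:
            # Only same-family networks can overlap; overlaps() is true when
            # either block contains any address of the other.
            if r.version == a.version and r.overlaps(a):
                overlaps.append((str(r), str(a)))
    return overlaps


def peering_is_routable(
    requester_cidrs: Iterable[str], accepter_cidrs: Iterable[str]
) -> bool:
    """True when no block on one side overlaps any block on the other side."""
    return not find_overlapping_cidrs(requester_cidrs, accepter_cidrs)


if __name__ == "__main__":
    print("overlaps:", find_overlapping_cidrs(REQUESTER_CIDRS, ACCEPTER_CIDRS))
    print("routable:", peering_is_routable(REQUESTER_CIDRS, ACCEPTER_CIDRS))
    # A deliberately bad pairing: 10.0.128.0/17 sits inside 10.0.0.0/16.
    print("overlaps:", find_overlapping_cidrs(["10.0.0.0/16"], ["10.0.128.0/17", "10.2.0.0/16"]))
```

Run this with the `cidrs` lists from both VPC definitions before creating the request; an empty overlap list is the condition the prerequisites ask for.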

Step 3: Accept the Connection

Accept the peering connection. The connection status will change from pending to active once accepted.

Step 3: Configure Route Tables

After the peering connection becomes active, both organisations must configure route tables to enable traffic flow. Routes can only be created after the peering connection is in an active status.

Requester Organisation Route Configuration

Configure a route in the requester VPC’s route table:

  • Destination CIDR: The accepter VPC’s CIDR block
  • Target: The VPC peering connection ID
  • Route Table: Associate with the appropriate route table(s) in your VPC

Accepter Organisation Route Configuration

Configure a route in the accepter VPC’s route table:

  • Destination CIDR: The requester VPC’s CIDR block
  • Target: The VPC peering connection ID
  • Route Table: Associate with the appropriate route table(s) in your VPC
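The two route configurations above are mirror images of each other: each side needs one route per remote CIDR block, all pointing at the same peering connection ID, and neither may be created before the connection is active. As an added example (not Thalassa Cloud's code; the peering ID, route table IDs and CIDR blocks are constructed placeholders), the following plans both sides' routes from the VPC definitions, refuses to do so unless the status is active, and flags any planned route whose destination already exists in the same table with a different target.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Route:
    route_table_id: str
    destination_cidr: str
    target_vpc_peering_connection: str


def plan_peering_routes(
    peering_id: str,
    status: str,
    requester_route_table_id: str,
    requester_cidrs: List[str],
    accepter_route_table_id: str,
    accepter_cidrs: List[str],
) -> Dict[str, List[Route]]:
    """Return the routes each side must add: one per remote CIDR block.

    Routes may only be created once the peering is active, so any other
    status (pending, rejected, ...) is refused instead of producing routes
    that would fail to apply.
    """
    if status != "active":
        raise ValueError(f"peering {peering_id} is '{status}', routes require 'active'")
    for cidr in requester_cidrs + accepter_cidrs:
        ipaddress.ip_network(cidr)  # raises ValueError on a malformed block
    return {
        "requester": [Route(requester_route_table_id, c, peering_id) for c in accepter_cidrs],
        "accepter": [Route(accepter_route_table_id, c, peering_id) for c in requester_cidrs],
    }


def conflicting_routes(existing: List[Route], planned: List[Route]) -> List[Route]:
    """Return planned routes whose destination is already present in the same
    route table with a different target; those need a manual decision rather
    than a blind apply."""
    conflicts = []
    for new in planned:
        for old in existing:
            if (
                old.route_table_id == new.route_table_id
                and ipaddress.ip_network(old.destination_cidr) == ipaddress.ip_network(new.destination_cidr)
                and old.target_vpc_peering_connection != new.target_vpc_peering_connection
            ):
                conflicts.append(new)
                break
    return conflicts


# Constructed sample values (placeholders, not real Thalassa identifiers).
PEERING_ID = "pcx-example"
REQUESTER_RT = "rtb-requester"
ACCEPTER_RT = "rtb-accepter"
REQUESTER_CIDRS = ["10.0.0.0/16"]
ACCEPTER_CIDRS = ["10.1.0.0/16", "10.2.0.0/16"]

if __name__ == "__main__":
    plan = plan_peering_routes(PEERING_ID, "active", REQUESTER_RT, REQUESTER_CIDRS, ACCEPTER_RT, ACCEPTER_CIDRS)
    for side, routes in plan.items():
        for r in routes:
            print(side, r)
    try:
        plan_peering_routes(PEERING_ID, "pending", REQUESTER_RT, REQUESTER_CIDRS, ACCEPTER_RT, ACCEPTER_CIDRS)
    except ValueError as exc:
        print("refused:", exc)
```

The `Route` fields deliberately mirror the three attributes a route needs (route table, destination CIDR, peering connection target), so the plan maps one-to-one onto the route resources each organisation creates.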

Terraform Example

Here’s a complete Terraform example for setting up VPC peering between organisations:

# Requester Organisation Configuration

# Create VPCs for peering
resource "thalassa_vpc" "requester_vpc" {
  name   = "requester-vpc"
  region = "nl-01"
  cidrs  = ["10.0.0.0/16"]
}

resource "thalassa_vpc" "accepter_vpc" {
  name   = "accepter-vpc"
  region = "nl-01"
  cidrs  = ["10.1.0.0/16"]
}

# Create VPC peering connection
resource "thalassa_vpc_peering_connection" "example" {
  name                     = "peering-connection-example"
  description              = "Peering connection between two VPCs in different organisations"
  requester_vpc_id         = thalassa_vpc.requester_vpc.id
  accepter_vpc_id          = thalassa_vpc.accepter_vpc.id
  accepter_organisation_id = "accepter-org-id-here"
  auto_accept              = false
}

# Accept the peering connection
resource "thalassa_vpc_peering_connection_acceptance" "accept_by_id" {
  peering_connection_id   = thalassa_vpc_peering_connection.example.id
  wait_for_active         = true
  wait_for_active_timeout = 1
}

# Configure route tables
data "thalassa_vpc_default_route_table" "requester_vpc" {
  vpc_id = thalassa_vpc.requester_vpc.id
}

data "thalassa_vpc_default_route_table" "accepter_vpc" {
  vpc_id = thalassa_vpc.accepter_vpc.id
}

# Configure route table routes
# Important: routes can only be created after the peering connection has been accepted and has become active
resource "thalassa_route_table_route" "requester_vpc" {
  route_table_id                = data.thalassa_vpc_default_route_table.requester_vpc.id
  destination_cidr              = thalassa_vpc.accepter_vpc.cidrs[0]
  target_vpc_peering_connection = thalassa_vpc_peering_connection_acceptance.accept_by_id.peering_connection_id
}

resource "thalassa_route_table_route" "accepter_vpc" {
  route_table_id                = data.thalassa_vpc_default_route_table.accepter_vpc.id
  destination_cidr              = thalassa_vpc.requester_vpc.cidrs[0]
  target_vpc_peering_connection = thalassa_vpc_peering_connection_acceptance.accept_by_id.peering_connection_id
}

Same Organisation Peering

When peering VPCs within the same organisation and same region, you can use automatic acceptance:

resource "thalassa_vpc_peering_connection" "same_org_example" {
  name             = "peering-connection-same-org"
  description      = "Peering connection between two VPCs in the same organisation"
  requester_vpc_id = thalassa_vpc.requester_vpc.id
  accepter_vpc_id  = thalassa_vpc.accepter_vpc.id
  auto_accept      = true  # Only allowed for same org, same region
}

Security Considerations

When setting up VPC peering, make sure to configure firewall rules in both VPCs to control what traffic can pass through the peering connection. Use security groups on your compute resources to enforce granular access restrictions and apply the principle of least privilege by permitting only the necessary traffic between VPCs.
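A peering route makes the remote VPC reachable, but it is the firewall rules that decide what actually crosses it. The following is an added example, not Thalassa Cloud's code or its firewall resource model: it audits a constructed list of rules against the peer VPC's CIDR and reports those that admit peer traffic more broadly than least privilege requires (a remote block wider than the peer, or any-protocol/any-port). The rule fields, names and CIDR values are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class FirewallRule:
    name: str
    direction: str    # "ingress" or "egress"
    protocol: str     # "tcp", "udp", "icmp" or "any"
    ports: str        # "5432", "5432-5433" or "any"
    remote_cidr: str  # source for ingress, destination for egress


def audit_peering_rules(rules: List[FirewallRule], peer_cidrs: List[str]) -> List[Tuple[str, str]]:
    """Return (rule name, reason) findings for rules that admit peer traffic
    more broadly than the peering needs.

    A rule is relevant to the peering when its remote block overlaps a peer
    VPC CIDR; 0.0.0.0/0 therefore counts, because it admits the peer as well.
    """
    peers = [ipaddress.ip_network(c) for c in peer_cidrs]
    findings: List[Tuple[str, str]] = []
    for rule in rules:
        remote = ipaddress.ip_network(rule.remote_cidr)
        same_family = [p for p in peers if p.version == remote.version]
        if not any(remote.overlaps(p) for p in same_family):
            continue  # never matches peered traffic, out of scope here
        if not any(remote.subnet_of(p) for p in same_family):
            findings.append((rule.name, f"remote {rule.remote_cidr} is wider than any peer VPC CIDR"))
        if rule.protocol == "any":
            findings.append((rule.name, "allows every protocol across the peering"))
        if rule.ports == "any" and rule.protocol in ("tcp", "udp", "any"):
            findings.append((rule.name, "allows every port across the peering"))
    return findings


# Constructed sample rules for a VPC peered with 10.1.0.0/16.
PEER_CIDRS = ["10.1.0.0/16"]
SAMPLE_RULES = [
    FirewallRule("allow-db-from-peer", "ingress", "tcp", "5432", "10.1.0.0/16"),   # scoped: fine
    FirewallRule("allow-all-private", "ingress", "any", "any", "10.0.0.0/8"),     # far too broad
    FirewallRule("allow-https-internet", "ingress", "tcp", "443", "0.0.0.0/0"),   # also admits the peer
    FirewallRule("allow-ipv6-web", "ingress", "tcp", "443", "2001:db8::/32"),     # unrelated to the peering
]

if __name__ == "__main__":
    for name, reason in audit_peering_rules(SAMPLE_RULES, PEER_CIDRS):
        print(f"{name}: {reason}")
```

Run the same audit on both VPCs, using the other side's CIDR list each time, since each organisation controls only its own firewall rules.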
