Can't establish VPC peering connection from Amazon Lightsail

Apparently, you don't actually get to choose which VPC Lightsail will try to peer with -- it wants to peer with your Default VPC.

Once VPC peering is enabled, you can address other AWS resources in your default AWS VPC by using their private IPs.

https://amazonlightsail.com/docs/#faq

I don't know if I overlooked this originally, or if it was subsequently added to the documentation. It's the last sentence of a paragraph and I may have simply overlooked it. In regions where I do have a default VPC, I don't use it, preferring to "roll my own" from scratch.

Default VPC is not simply a VPC you've selected as "the default," but rather refers to a specific VPC in each region that is initially created by the VPC infrastructure, pre-provisioned.

The problem is, you may not have one of these in every region... and you'll encounter exactly the problem described here, if you don't have a Default VPC in the Lightsail region in question (when this was originally written, Lightsail was only available in us-east-1; it has subsequently been launched in many of the other AWS regions). If that describes your situation, you may be able to remedy it yourself, or you may need to contact support. Either way, the Default VPC appears to be the only VPC that Lightsail will peer with.

Not having a Default VPC shouldn't be an issue with a relatively new AWS account:

If you created your AWS account after 2013-12-04, it supports only EC2-VPC. In this case, you'll have a default VPC in each AWS region.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/default-vpc.html

Both of the accounts I initially tested with are quite a bit older than that.

I created a new AWS account today, and, not surprisingly, Lightsail VPC peering worked on the first attempt.

After selecting the appropriate region, if your "EC2 Dashboard" page in the AWS console, at the top right of the screen, says...

Supported Platforms

EC2

VPC

...and there's no mention of a Default VPC there, then that's what you're missing. You might (as of 2017-07-27) be able to create a Default VPC yourself. Failing that, you may need to contact AWS support to request that they reconfigure your account so that you have a Default VPC, which was the standard process that was required before the ability to create your own was made available. Once you have a Default VPC in the region, all should be well.

But there's a bit of a catch, so you'll need to take additional steps to prepare your account, before trying to create a Default VPC or contacting support.

Q. I really want a default VPC for my existing EC2 account. Is that possible?

Yes, however, we can only enable an existing account for a default VPC if you have no EC2-Classic resources for that account in that region. Additionally, you must terminate all non-VPC provisioned Elastic Load Balancers, Amazon RDS, Amazon ElastiCache, and Amazon Redshift resources in that region. After your account has been configured for a default VPC, all future resource launches, including instances launched via Auto Scaling, will be placed in your default VPC. To request your existing account be setup with a default VPC, contact AWS Support. We will review your request and your existing AWS services and EC2-Classic presence to determine if you are eligible for a default VPC.

https://aws.amazon.com/vpc/faqs/#Default_VPCs

That's the catch -- you permanently lose access to EC2-Classic -- but if you ask me, that isn't really much of a sacrifice.

So if your account still has "EC2 Classic" access and the default VPC is conspicuously absent, then the solution is to migrate away from, and terminate, any old EC2 Classic (non-VPC) instances, along with any services that are running on top of EC2 Classic (such as RDS running outside of VPC), and it would probably not be a bad idea to remove supporting entities like non-VPC Elastic IPs, Security Groups, etc. Then you can contact AWS and have your account reconfigured to "EC2-VPC"-only in the region, and your peering connection from Lightsail should succeed.

I say "should succeed" because I am still waiting for AWS Support to "approve" my requested account change. That last note on the ticket says my request is "still open" and this process is...

usually pretty quick but on some occasions it can take 24 - 48 hours for our Service Team to review and approve this type of request

Success. After a couple of days, AWS support reconfigured my account. I now have a default VPC in the us-east-1 region, and clicking the box next to "Enable VPC Peering" now works as expected. In the VPC console, I can now see that my default VPC is peered with the "stealth" VPC allocated for Lightsail.

Note that you don't need a paid support plan in order to request that AWS update your account as I've described above. You aren't actually asking for technical support. You can submit this as an account support request.

If you want to access resources in other VPCs in the region other than the Default VPC, that's not natively supported, at least at the moment. This would be more complicated for AWS to offer as a managed service, since they control the basic provisioning of your Default VPC and Lightsail VPC, but not any others.

VPC Peering connections do not support transit traffic, so it's not just a matter of peering the other VPCs to your Default VPC and connecting that way. For now, you'd need to deploy TCP or HTTP proxy servers (e.g. HAProxy, similar to this configuration, but pointing to services or a similar proxy in the target VPC as backends) or instances providing private-to-private source and destination network address translation (NAT) in the Default VPC in order to bridge the gap and cross over into any other VPC through an additional peering connection. Performance should be excellent, but be sure to familiarize yourself with the pricing for peered VPC traffic. The Lightsail docs and EC2 docs seem inconsistent with each other, with regard to bandwidth costs for peering traffic.
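An added example (mine, not from the answer above or from AWS) that turns the console check described in the answer into a CLI script: it reads the same "Supported Platforms" value via describe-account-attributes, looks for a default VPC via describe-vpcs, and runs create-default-vpc only when the account is already VPC-only (an account that still shows EC2-Classic has to go through the migrate-and-contact-support route instead). It assumes the AWS CLI is installed with credentials configured; the verdict strings are my own labels.

```shell
#!/bin/sh
# Classify a region's readiness for Lightsail VPC peering from the two
# facts the answer relies on: whether the account still has EC2-Classic
# enabled there ("EC2" among the supported platforms) and whether a
# default VPC already exists in that region.

# classify_region PLATFORMS DEFAULT_VPC_IDS
#   PLATFORMS:       platforms as printed by the CLI, e.g. "EC2 VPC" or "VPC"
#   DEFAULT_VPC_IDS: ids of default VPCs in the region, empty if none
# Prints one verdict (labels are this script's own):
#   ready                 - a default VPC exists; Lightsail can peer with it
#   create-default-vpc    - VPC-only account, no default VPC: create one
#   migrate-from-classic  - EC2-Classic still enabled: terminate Classic
#                           resources, then ask AWS Support to convert
classify_region() {
  if [ -n "$2" ]; then
    echo "ready"
    return 0
  fi
  for platform in $1; do          # word-split on spaces or tabs
    if [ "$platform" = "EC2" ]; then
      echo "migrate-from-classic"
      return 0
    fi
  done
  echo "create-default-vpc"
}

# check_region REGION: query the live account and act on the verdict.
# Needs configured AWS credentials; not exercised by the offline test.
check_region() {
  region="$1"
  platforms=$(aws ec2 describe-account-attributes --region "$region" \
      --attribute-names supported-platforms \
      --query 'AccountAttributes[0].AttributeValues[].AttributeValue' \
      --output text)
  default_vpcs=$(aws ec2 describe-vpcs --region "$region" \
      --filters Name=isDefault,Values=true \
      --query 'Vpcs[].VpcId' --output text)
  verdict=$(classify_region "$platforms" "$default_vpcs")
  echo "$region: $verdict"
  if [ "$verdict" = "create-default-vpc" ]; then
    aws ec2 create-default-vpc --region "$region"
  fi
}

# Usage: sh check_lightsail_peering.sh us-east-1
if [ "$#" -gt 0 ]; then
  check_region "$1"
fi
```

A "ready" verdict only means the default VPC exists; the peering checkbox in the Lightsail console still has to be enabled, and the resulting connection shows up in the VPC console's peering list.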