Using VPC Peering (AWS)

For an overview on VPC Peering see the AWS VPC Peering Guide. Instaclustr supports VPC peering as a mechanism for connecting directly to your Instaclustr managed cluster. VPC Peering allows you to access your cluster via private IP and makes for a much more secure network setup.

Note: If you only intend to connect to your cluster from a peered VPC, then choose Use private IP addresses for node discovery under Cassandra Options when you create a new cluster. If you're peering to an existing cluster, contact support to change the nodes' broadcast address. If you intend to connect from both the peered VPC and other sources then see this blog post to understand your options (https://www.instaclustr.com/apache-cassandra-deployed-on-private-and-public-networks/).

1. Once your cluster has been provisioned you can create a VPC Peering request through the Instaclustr dashboard. Click Cluster Settings from the Manage Cluster menu.

01_pix.png

2. Once you are on the Cluster Settings page, click the VPC Peering Settings button.

02_pix.png 

3. Fill in the required information on the VPC Peering Connections and click Submit VPC Peering Request button.

03.png

4. Once you have submitted the peering request, you will need to login to your AWS console to accept the request and add a route in your VPC to our VPC.

Note: You will need to explicitly assign the route you created to the subnet of the instances that need to access the peering connection. You can do this by:

  • Checking the instance details to find its subnet
  • Copying the subnet ID
  • Navigating to the VPC section and filtering the Subnets for the copied ID
  • Click on the "Route Table" tab and change the assigned route table to the new route table

vpc-peering-route-table.png

Once the new route table has been assigned to your subnet, the "Main" column will change to "Yes".

We automatically generate the routes within our VPC to ensure traffic is routed correctly to your VPC.  

5. Once you have accepted the peering request, the VPC peering connection will show up as active in your Instaclustr dashboard.

active_status.png

Note: To test the peering, you may try netcat or telnet. Port 9042 is the exposed port for CQL:

nc -z <node_private_address> 9042; echo $?

  • A result of 0 indicates success

telnet <node_private_address> 9042

  • A telnet prompt indicates success, enter quit to close the connection.
The same test can be run using port 7077 to test Spark connectivity.

 

Troubleshooting

A duplicate request for this VPC Peering Connection already exists.

This indicates that an existing peering request for this Account, VPC and network combination already exists.  Check the Peering Connection table at the bottom of the page to verify.

If you still cannot connect to the cluster via your Peered VPC connection, confirm that you have accepted the peering request, through the AWS Console.

Peering Request status is "Failed"

The most common causes of a failed peering request are:

  • The VPC ID or the account ID of the peering VPC are incorrect
  • The CIDR ranges of the two VPCs overlap
    For example, your cluster network is 10.0.0.0/16 and you are trying to peer it with a VPC in the range 10.0.0.0/18.  Because AWS will need to route traffic for 10.0.0.0/18 to the peered VPC, the overlap will conflict with addresses in the cluster network and is therefore rejected.
  • The cluster VPC and the client VPC are in different regions
    For example, your cluster is in US-EAST-1 and you are attempting to peer it with US-WEST-2.  AWS does not currently support cross-region VPC Peering connections.

Further details are available on the AWS site.

Last updated:
If you have questions regarding this article, feel free to add it to the comments below.

0 Comments

Please sign in to leave a comment.