kyma-project · vandjelk · Oct 10, 2024 · Sep 9, 2024 · Sep 9, 2024 · Sep 9, 2024
@@ -67,6 +67,11 @@ The `gcpvpcpeering.cloud-resources.kyma-project.io` CRD describes the VPC Peerin
 that you can use to peer the Kyma cluster with your Google Cloud project VPC.
 To learn more, read the [GcpVpcPeering Custom Resource](./resources/04-50-gcp-vpc-peering.md) documentation.
 
+### AwsVpcPeering CR
+
+The `awsvpcpeering.cloud-resources.kyma-project.io` CRD describes the AWS peering connection
+between Kyma and the remote AWS Virtual Network. To learn more, read the [AwsVpcPeering Custom Resource](./resources/04-70-10-aws-vpc-peering.md) documentation.
+
 ### GcpRedisInstance CR
 The `gcpredisinstance.cloud-resources.kyma-project.io` CRD describes the Redis instance provisioned inside Google Memorystore.
 To learn more, read the [GcpRedisInstance Custom Resource](./resources/04-60-gcp-redis-instance.md) documentation.

@@ -9,15 +9,18 @@
   * [GcpNfsBackupSchedule](/cloud-manager/user/resources/04-30-30-gcp-nfs-backup-schedule.md)
   * [GcpNfsVolumeRestore](/cloud-manager/user/resources/04-90-10-gcp-nfs-volume-restore.md)
   * [AzureVpcPeering](/cloud-manager/user/resources/04-40-10-azure-vpc-peering.md)
+  * [AwsVpcPeering](/cloud-manager/user/resources/04-70-10-aws-vpc-peering.md)
   * [GcpVpcPeering](/cloud-manager/user/resources/04-50-gcp-vpc-peering.md)
   * [GcpRedisInstance](/cloud-manager/user/resources/04-60-gcp-redis-instance.md)
 * [Tutorials](/cloud-manager/user/tutorials/README.md)
   * [Use RWX Volumes in AWS](/cloud-manager/user/tutorials/01-10-aws-nfs-volume.md)
   * [Use RWX Volumes in GCP](/cloud-manager/user/tutorials/01-20-gcp-nfs-volume.md)
+  * [Create VPC Peering in Azure](/cloud-manager/user/tutorials/01-30-azure-vpc-peering.md)
   * [Backup RWX Volumes in GCP](/cloud-manager/user/tutorials/01-70-gcp-nfs-volume-backup.md)
   * [Create Scheduled Automatic RWX Volume Backups in Google Cloud](/cloud-manager/user/tutorials/01-80-gcp-scheduled-nfs-backup.md)
   * [Restore RWX Volume Backups in GCP](/cloud-manager/user/tutorials/01-90-gcp-nfs-volume-restore.md)
   * [Use VPC Peering in Azure](/cloud-manager/user/tutorials/01-30-azure-vpc-peering.md)
   * [Create VPC Peering in GCP](/cloud-manager/user/tutorials/01-30-gcp-vpc-peering.md)
+  * [Create VPC Peering in AWS](/cloud-manager/user/tutorials/01-40-aws-vpc-peering.md)
 * [Glossary](/cloud-manager/user/00-10-glossary.md)
 <!-- markdown-link-check-enable -->
@@ -1,4 +1,4 @@
-## Azure Vpc Peering
+# AzureVpcPeering Custom Resource
 
 
 The `azurevpcpeering.cloud-resources.kyma-project.io` custom resource (CR) specifies the virtual network peering between 
@@ -34,6 +34,7 @@ This table lists the parameters of the given resource together with their descri
 | Parameter                         | Type       | Description                                                                                 |
 |-----------------------------------|------------|---------------------------------------------------------------------------------------------|
 | **id**                            | string     | Represents the VPC peering name on the Kyma cluster underlying cloud provider subscription. |
+| **state**                         | string     | Signifies the current state of CustomObject.                                                |
 | **conditions**                    | \[\]object | Represents the current state of the CR's conditions.                                        |
 | **conditions.lastTransitionTime** | string     | Defines the date of the last condition status change.                                       |
 | **conditions.message**            | string     | Provides more details about the condition status change.                                    |

@@ -0,0 +1,105 @@
+# AwsVpcPeering Custom Resource
+
+
+The `awsvpcpeering.cloud-resources.kyma-project.io` custom resource (CR) specifies the virtual network peering between
+Kyma and the remote AWS Virtual Private Cloud (VPC) network. Virtual network peering is only possible within the networks
+of the same cloud provider.
+
+Once an `AwsVpcPeering` CR is created and reconciled, the Cloud Manager controller creates a VPC peering connection in 
+the Kyma cluster underlying cloud provider account and accepts VPC peering connection in the remote cloud provider account.
+
+### Authorization
+
+Cloud Manager must be authorized in the remote cloud provider account to accept VPC peering connection. 
+
+For cross-account access, Cloud Manager uses [`AssumeRole`](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/assume-role.html). 
+
+To authorize Cloud Manager in the remote cloud provider account, create a new role named **CloudManagerPeeringRole** with a trust
+policy that allows Cloud Manager principal `arn:aws:iam::{194230256199}:user/cloud-manager-peering-ENV` to assume the role.
+
+**ENV** corresponds to **dev**, **stage**, or **prod**.
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+	    {
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::194230256199:user/cloud-manager-peering-ENV"
+            },
+            "Action": "sts:AssumeRole"
+        }
+    ]
+}
+
+```
+
+Create a new managed policy **CloudManagerPeeringAccess** with the following permissions:
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "Statement1",
+            "Effect": "Allow",
+            "Action": [
+                "ec2:AcceptVpcPeeringConnection",
+                "ec2:DescribeVpcs",
+                "ec2:DescribeVpcPeeringConnections",
+                "ec2:DescribeRouteTables",
+                "ec2:CreateRoute",
+                "ec2:CreateTags"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+```
+
+Attach the **CloudManagerPeeringAccess** policy to the **CloudManagerPeeringRole**.
+
+### Deleting `AwsVpcPeering`
+
+Kyma's underlying cloud provider VPC peering connection is deleted as a part of AwsVpcPeering deletion. The remote VPC 
+peering connection is left hanging, and must be deleted manually.
+
+## Specification <!-- {docsify-ignore} -->
+
+This table lists the parameters of the given resource together with their descriptions:
+
+**Spec:**
+
+| Parameter           | Type   | Description                                                                                  |
+|---------------------|--------|----------------------------------------------------------------------------------------------|
+| **remoteAccountId** | string | Required. Specifies the the Amazon Web Services account ID of the owner of the accepter VPC. |
+| **remoteRegion**    | string | Required. Specifies the Region code for the accepter VPC.                                    |
+| **remoteVpcId**     | string | Required. Specifies the ID of the VPC with which you are creating the VPC peering connection |
+
+**Status:**
+
+| Parameter                         | Type       | Description                                                                                 |
+|-----------------------------------|------------|---------------------------------------------------------------------------------------------|
+| **id**                            | string     | Represents the VPC peering name on the Kyma cluster underlying cloud provider subscription. |
+| **state**                         | string     | Signifies the current state of CustomObject.                                                |
+| **conditions**                    | \[\]object | Represents the current state of the CR's conditions.                                        |
+| **conditions.lastTransitionTime** | string     | Defines the date of the last condition status change.                                       |
+| **conditions.message**            | string     | Provides more details about the condition status change.                                    |
+| **conditions.reason**             | string     | Defines the reason for the condition status change.                                         |
+| **conditions.status** (required)  | string     | Represents the status of the condition. The value is either `True`, `False`, or `Unknown`.  |
+| **conditions.type**               | string     | Provides a short description of the condition.                                              |
+
+## Sample Custom Resource <!-- {docsify-ignore} -->
+
+See an exemplary `AwsVpcPeering` custom resource:
+
+```yaml
+apiVersion: cloud-resources.kyma-project.io/v1beta1
+kind: AwsVpcPeering
+metadata:
+  name: peering-to-vpc-11122233
+spec:
+  remoteVpcId: vpc-11122233
+  remoteRegion: us-west-2
+  remoteAccountId: 123456789012
+```
@@ -8,6 +8,7 @@ Cloud Manager custom resources:
 * [GcpNfsBackupSchedule Custom Resource](./04-30-30-gcp-nfs-backup-schedule.md)
 * [GcpNfsVolumeRestore Custom Resource](./04-90-10-gcp-nfs-volume-restore.md)
 * [AzureVpcPeering Custom Resource](./04-40-10-azure-vpc-peering.md)
+* [AwsVpcPeering Custom Resource](./04-70-10-aws-vpc-peering.md)
 * [GcpVpcPeering Custom Resource](./04-50-gcp-vpc-peering.md)
 * [GcpRedisInstance Custom Resource](./04-60-gcp-redis-instance.md)
 * [AwsRedisInstance Custom Resource](./04-70-aws-redis-instance.md)
@@ -0,0 +1,231 @@
+# Create VPC Peering in AWS
+
+This tutorial explains how to create a VPC peering connection between a remote VPC network and Kyma in AWS. Follow the 
+steps from this tutorial to create a new VPC network, and VM, and assign required permissions to the provided Kyma account and role in your AWS account. If you want to
+use the existing resources instead of creating new ones, adjust variable names accordingly and skip the steps that 
+create those resources.
+
+## Prerequisites
+
+* The Cloud Manager module enabled in your Kyma cluster
+* The AWS CLI configured. For instructions, see the [AWS documentation] (https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-configure.html).
+
+## Steps <!-- {docsify-ignore} -->
+
+1.  Set the default AWS CLI profile.
+    ```shell
+    export AWS_PROFILE={PROFILE_NAME}
+    export AWS_DEFAULT_REGION={REGION}
+    ```
+
+2.  Create a trust policy document.
+    ```shell
+    export PRINCIPAL_PROFILE_AWS_ACCOUNT_ID=194230256199
+    export USER_NAME=cloud-manager-peering-dev
+    cat > trust_policy.json <<- EOF
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Principal": {
+                    "AWS": "arn:aws:iam::$PRINCIPAL_PROFILE_AWS_ACCOUNT_ID:user/$USER_NAME"
+                },
+                "Action": "sts:AssumeRole"
+            }
+        ]
+    }
+    EOF
+    ```
+3. Create **CloudManagerPeeringRole** and attach a trust policy document.
+    ```shell
+    export AWS_ROLE_NAME=CloudManagerPeeringRole
+    aws iam create-role --role-name $AWS_ROLE_NAME --assume-role-policy-document file://./trust_policy.json 
+    ```
+4.  Create a policy document that is used to create the policy.
+    ```shell
+    cat > accept_policy.json <<- EOF
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "ec2:AcceptVpcPeeringConnection",
+                    "ec2:DescribeVpcs",
+                    "ec2:DescribeVpcPeeringConnections",
+                    "ec2:DescribeRouteTables",
+                    "ec2:CreateRoute",
+                    "ec2:CreateTags"
+                ],
+                "Resource": "*"
+            }
+        ]
+    }
+    EOF
+    ```
+
+5.  Create a new managed policy for your Amazon Web Services account.
+    ```shell
+    aws iam create-policy --policy-name CloudManagerPeeringAccess --policy-document file://./accept_policy.json
+    ```
+6.  Attach the specified managed policy to the specified IAM role.
+    ```shell
+    aws iam attach-role-policy --role-name $AWS_ROLE_NAME --policy-arn arn:aws:iam::$REMOTE_ACCOUNT_ID:policy/CloudManagerPeeringAccess
+    ```
+7.  Create a VPC and tag it with a Kyma shoot name.
+    ```shell
+    export CIDR_BLOCK=10.3.0.0/16
+    export SHOOT_NAME=$(kubectl get cm -n kube-system shoot-info -o jsonpath='{.data.shootName}')
+    export NODE_NETWORK=$(kubectl get cm -n kube-system shoot-info -o jsonpath='{.data.nodeNetwork}')
+    export VPC_NAME=my-vpc
+    export VPC_ID=$(aws ec2 create-vpc --cidr-block $CIDR_BLOCK --tag-specifications ResourceType=vpc,Tags=[{Key=$SHOOT_NAME,Value=""},{Key=Name,Value=$VPC_NAME}] --query Vpc.VpcId --output text)  
+    ```
+8.  Create a subnet.
+    ```shell
+    export SUBNET_ID=$(aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block $CIDR_BLOCK --query Subnet.SubnetId --output text) 
+    ```
+
+9.  Run an instance.
+    ```shell
+    export INSTANCE_ID=$(aws ec2 run-instances --image-id ami-0c38b837cd80f13bb --instance-type t2.micro --subnet-id $SUBNET_ID --query "Instances[0].InstanceId" --output text)
+    export IP_ADDRESS=$(aws ec2 describe-instances --instance-ids $INSTANCE_ID --query "Reservations[0].Instances[0].PrivateIpAddress" --output text)
+    ```
+10. Allow ICMP traffic from Kyma Pods.
+    ```shell
+     export SG_ID=$(aws ec2 describe-security-groups --filters Name=vpc-id,Values=$VPC_ID --query "SecurityGroups[0].GroupId" --output text) 
+     aws ec2 authorize-security-group-ingress --group-id $SG_ID --ip-permissions IpProtocol=icmp,FromPort=-1,ToPort=-1,IpRanges="[{CidrIp=$NODE_NETWORK}]"
+    ```
+
+11. Create an AwsVpcPeering resource.
+    ```shell
+    export ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+    kubectl apply -f - <<EOF
+    apiVersion: cloud-resources.kyma-project.io/v1beta1
+    kind: AwsVpcPeering
+    metadata:
+      name: peering-to-my-vpc
+    spec:
+      remoteAccount: $ACCOUNT_ID
+      remoteRegion: $AWS_DEFAULT_REGION
+      remoteVnet: $VPC_ID
+    EOF
+    ```
+
+12. Wait for the AwsVpcPeering to be in the `Ready` state.
+    ```shell
+    kubectl wait --for=condition=Ready awsvpcpeering/peering-to-my-vpc --timeout=300s
+    ```
+
+    Once the newly created AwsVpcPeering is provisioned, you should see the following message:
+
+    ```
+    awsvpcpeering.cloud-resources.kyma-project.io/peering-to-my-vpc condition met
+    ```
+
+13. Create a namespace and export its value as an environment variable. Run:
+    ```shell
+    export NAMESPACE={NAMESPACE_NAME}
+    kubectl create ns $NAMESPACE
+    ```
+
+14. Create a workload that pings the VM in the remote network.
+    ```shell
+    kubectl apply -n $NAMESPACE -f - <<EOF
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: awsvpcpeering-demo
+    spec:
+      selector:
+        matchLabels:
+          app: awsvpcpeering-demo
+      template:
+        metadata:
+          labels:
+            app: awsvpcpeering-demo
+        spec:
+          containers:
+          - name: my-container
+            resources:
+              limits:
+                memory: 512Mi
+                cpu: "1"
+              requests:
+                memory: 256Mi
+                cpu: "0.2"
+            image: ubuntu
+            command:
+              - "/bin/bash"
+              - "-c"
+              - "--"
+            args:
+             - "apt update; apt install iputils-ping -y; ping -c 20 $IP_ADDRESS"
+    EOF
+    ```
+
+    This workload should print a sequence of 20 echo replies to stdout.
+
+15. To print the logs of one of the workloads, run:
+    ```shell
+    kubectl logs -n $NAMESPACE `kubectl get pod -n $NAMESPACE -l app=awsvpcpeering-demo -o=jsonpath='{.items[0].metadata.name}'`
+    ```
+
+    The command should print an output similar to the following:
+    ```
+    ...
+    PING 172.0.0.4 (172.0.0.4) 56(84) bytes of data.
+    64 bytes from 172.0.0.4: icmp_seq=1 ttl=63 time=8.10 ms
+    64 bytes from 172.0.0.4: icmp_seq=2 ttl=63 time=2.01 ms
+    64 bytes from 172.0.0.4: icmp_seq=3 ttl=63 time=7.02 ms
+    64 bytes from 172.0.0.4: icmp_seq=4 ttl=63 time=1.87 ms
+    64 bytes from 172.0.0.4: icmp_seq=5 ttl=63 time=1.89 ms
+    64 bytes from 172.0.0.4: icmp_seq=6 ttl=63 time=4.75 ms
+    64 bytes from 172.0.0.4: icmp_seq=7 ttl=63 time=2.01 ms
+    64 bytes from 172.0.0.4: icmp_seq=8 ttl=63 time=4.26 ms
+    64 bytes from 172.0.0.4: icmp_seq=9 ttl=63 time=1.89 ms
+    64 bytes from 172.0.0.4: icmp_seq=10 ttl=63 time=2.08 ms
+    64 bytes from 172.0.0.4: icmp_seq=11 ttl=63 time=2.01 ms
+    64 bytes from 172.0.0.4: icmp_seq=12 ttl=63 time=2.24 ms
+    64 bytes from 172.0.0.4: icmp_seq=13 ttl=63 time=1.80 ms
+    64 bytes from 172.0.0.4: icmp_seq=14 ttl=63 time=4.32 ms
+    64 bytes from 172.0.0.4: icmp_seq=15 ttl=63 time=2.03 ms
+    64 bytes from 172.0.0.4: icmp_seq=16 ttl=63 time=2.03 ms
+    64 bytes from 172.0.0.4: icmp_seq=17 ttl=63 time=5.19 ms
+    64 bytes from 172.0.0.4: icmp_seq=18 ttl=63 time=1.86 ms
+    64 bytes from 172.0.0.4: icmp_seq=19 ttl=63 time=1.92 ms
+    64 bytes from 172.0.0.4: icmp_seq=20 ttl=63 time=1.92 ms
+
+    === 172.0.0.4 ping statistics ===
+    20 packets transmitted, 20 received, 0% packet loss, time 19024ms
+    rtt min/avg/max/mdev = 1.800/3.060/8.096/1.847 ms
+    ...
+    ```
+
+16. Clean up the Kubernetes resources.
+    1. Remove the created workloads:
+       ```shell
+       kubectl delete -n $NAMESPACE deployment awsvpcpeering-demo
+       ```
+    2. Remove the created `awsvpcpeering`:
+       ```shell
+       kubectl delete -n $NAMESPACE awsvpcpeering peering-to-my-vpc
+       ```
+    3. Remove the created namespace:
+       ```shell
+       kubectl delete namespace $NAMESPACE
+       ```
+
+17. Clean up the resources in your AWS account.
+    1. Terminate the instance.
+       ```shell
+       aws ec2 terminate-instances --instance-ids $INSTANCE_ID
+       ```
+    2. Delete the subnet.
+       ```shell
+       aws ec2 delete-subnet --subnet-id $SUBNET_ID
+       ```
+    3. Delete the VPC.
+       ```shell
+       aws ec2 delete-vpc --vpc-id  $VPC_ID
+       ```
@@ -9,5 +9,6 @@ Browse the Cloud Manager tutorials to learn how to create and use cloud resource
 * [Restore RWX Volume Backups in GCP](./01-90-gcp-nfs-volume-restore.md)
 * [Create VPC Peering in Azure](./01-30-azure-vpc-peering.md)
 * [Create VPC Peering in GCP](./01-30-gcp-vpc-peering.md)
+* [Create VPC Peering in AWS](./01-40-aws-vpc-peering.md)
 * [Create Redis Instance in GCP](./01-60-gcp-redis-instance.md)
 * [Create Redis Instance in AWS](./01-70-aws-redis-instance.md)