Version: 0.7

Configuring AWS network peering

Prerequisites

You must configure IP address range assignments before the steps included in this guide can work.

Overview

Configuring AWS network peering lets Kore automatically peer team cluster networks with defined external AWS VPCs, such as the VPC in which Kore itself runs. This enables private clusters, on-premise network connectivity and similar use cases. To enable it, you describe the external VPC to peer with in an ExternalVPC resource and give Kore credentials that allow it to accept the peering connection on that external VPC.

1. Add CloudAccount to accept VPC peering requests

Create a cloud account (Configure > Cloud > Amazon Web Services > Shared Accounts in the UI, or kore create cloudaccount aws-kore-management -c aws --type shared from the CLI).

This cloud account must reference the AWS account in which the external VPC you wish to peer with is located, and must have the NetworkManager role enabled. It should not be allocated to any teams: its credentials are used to accept peering connections and add routes in that account, so they should be used by Kore for this purpose only.

2. Create the ExternalVPC object

The ExternalVPC resource provides a means to represent an externally managed VPC network in Kore (or one not yet imported into Kore).

One of the primary use cases (assuming Kore is deployed into AWS) is to represent the VPC network which the Kore management cluster itself lives in, allowing for private clusters to be created and peered into this network.

It is vital to give this resource the special name kore if it represents the Kore management network. This enables Kore to manage the automatic peering process required for private clusters.

At the moment there is no UI for this resource: prepare a manifest such as the one below and apply it with kore apply -f.

Breakdown of the ExternalVPC resource

```yaml
apiVersion: aws.kore.appvia.io/v1beta1
kind: ExternalVPC
metadata:
  name: kore
  namespace: kore-admin
spec:
  description: Kore Management Network
  region: <AWS REGION>
  accountID: "<AWS ACCOUNT ID>"
  vpcID: vpc-09f2735efc61aca09
  # The route(s) which will be added to the remote VPC's route tables
  routes:
    - 10.120.0.0/22
  # One or more AWS tag selectors used to filter and find
  # the route tables which we should add the routes to
  routeTableSelector:
    tag:Name: kore-peering
  # A reference to the cloud account which provides
  # the permissions to accept peering connections
  providerSourceRef:
    namespace: kore-admin
    name: aws-kore-management
    kind: CloudAccount
    group: cloudaccess.kore.appvia.io
    version: v1alpha1
```

The ExternalVPC resource provides Kore with the following details:

  • The AWS region the external network exists in.
  • The AWS account ID in which the external network resides.
  • The routes (CIDR ranges) which will be added via the peering connection once a cluster network is connected.
  • A selector which allows Kore to find the route table(s) in AWS to add those routes to.
  • An optional reference to a cloud account which allows Kore to accept the peering and add routing on the ExternalVPC end. If the reference is missing, Kore will request peering but cannot accept it, so manual intervention would be required to accept the peering connection for every cluster built.
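Because the resource is applied with kore apply -f and has no UI to validate it, a typo in any of the fields above (an account ID that YAML silently turns into an integer, a route with host bits set, a selector that matches no route table, a missing providerSourceRef) only surfaces when the first private cluster fails to peer. The following lint is an added example, not part of Kore or of the original page; it checks a parsed ExternalVPC manifest against the field descriptions above. The manifest is a constructed copy of the one shown, with eu-west-2 and 123456789012 standing in for the <AWS REGION> and <AWS ACCOUNT ID> placeholders; the region regex is a sanity check on the naming pattern, not an authoritative region list.

```python
"""Lint an ExternalVPC manifest before `kore apply -f` (added example, not Kore code)."""
import copy
import ipaddress
import re

API_VERSION = "aws.kore.appvia.io/v1beta1"
CLOUDACCOUNT_GROUP = "cloudaccess.kore.appvia.io"

# Constructed manifest mirroring the spec on this page, already parsed from YAML.
# Region and account ID are assumed values for the page's placeholders.
MANIFEST = {
    "apiVersion": API_VERSION,
    "kind": "ExternalVPC",
    "metadata": {"name": "kore", "namespace": "kore-admin"},
    "spec": {
        "description": "Kore Management Network",
        "region": "eu-west-2",
        "accountID": "123456789012",
        "vpcID": "vpc-09f2735efc61aca09",
        "routes": ["10.120.0.0/22"],
        "routeTableSelector": {"tag:Name": "kore-peering"},
        "providerSourceRef": {
            "namespace": "kore-admin",
            "name": "aws-kore-management",
            "kind": "CloudAccount",
            "group": CLOUDACCOUNT_GROUP,
            "version": "v1alpha1",
        },
    },
}

VPC_ID_RE = re.compile(r"^vpc-[0-9a-f]{8}([0-9a-f]{9})?$")   # short or long VPC ID form
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")        # e.g. eu-west-2, us-gov-west-1


def lint_external_vpc(manifest, management_network=True):
    """Return (errors, warnings). Errors will break or never complete the peering;
    warnings are configurations that work but need manual steps."""
    errors, warnings = [], []
    spec = manifest.get("spec", {})
    name = manifest.get("metadata", {}).get("name")

    if manifest.get("kind") != "ExternalVPC" or manifest.get("apiVersion") != API_VERSION:
        errors.append(f"kind/apiVersion must be ExternalVPC/{API_VERSION}")
    if management_network and name != "kore":
        errors.append("the Kore management network ExternalVPC must be named 'kore'")

    # accountID must stay a quoted string: unquoted, YAML parses it as an integer
    # and a leading zero is lost.
    acct = spec.get("accountID")
    if not isinstance(acct, str) or not re.fullmatch(r"\d{12}", acct):
        errors.append(f"accountID {acct!r} must be a quoted 12-digit string")
    if not REGION_RE.match(str(spec.get("region", ""))):
        errors.append(f"region {spec.get('region')!r} does not look like an AWS region")
    if not VPC_ID_RE.match(str(spec.get("vpcID", ""))):
        errors.append(f"vpcID {spec.get('vpcID')!r} is not a valid VPC ID")

    routes = spec.get("routes") or []
    if not routes:
        errors.append("routes must list at least one CIDR")
    networks = []
    for r in routes:
        try:
            # strict=True rejects host bits (10.120.0.1/22), which AWS would reject too.
            networks.append(ipaddress.ip_network(r, strict=True))
        except ValueError:
            errors.append(f"route {r!r} is not a valid CIDR")
    for i, a in enumerate(networks):
        for b in networks[i + 1:]:
            if a.overlaps(b):
                warnings.append(f"routes {a} and {b} overlap")

    selector = spec.get("routeTableSelector") or {}
    if not selector or not all(k.startswith("tag:") and v for k, v in selector.items()):
        errors.append("routeTableSelector needs at least one 'tag:<Key>: <Value>' entry")

    ref = spec.get("providerSourceRef")
    if ref is None:
        warnings.append("no providerSourceRef: Kore will request peering but every "
                        "connection must be accepted manually")
    elif ref.get("kind") != "CloudAccount" or ref.get("group") != CLOUDACCOUNT_GROUP:
        errors.append(f"providerSourceRef must reference a {CLOUDACCOUNT_GROUP} CloudAccount")
    return errors, warnings


def with_spec(manifest, **overrides):
    """Deep-copy a manifest and override spec fields (a value of None deletes the field)."""
    m = copy.deepcopy(manifest)
    for key, value in overrides.items():
        if value is None:
            m["spec"].pop(key, None)
        else:
            m["spec"][key] = value
    return m


if __name__ == "__main__":
    for label, m in [("as shown", MANIFEST),
                     ("unquoted accountID", with_spec(MANIFEST, accountID=123456789012)),
                     ("no providerSourceRef", with_spec(MANIFEST, providerSourceRef=None))]:
        print(label, lint_external_vpc(m))
```

Run it against your own manifest after loading it with a YAML parser; an empty error list means the fields are well formed, but it does not prove that the selector matches a route table in the target VPC, which still has to be confirmed in the AWS account itself.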