DigitalOcean: VPC Peering

In DigitalOcean, each project is organized into two separate VPCs:

  • Public VPC: Hosts resources accessible from the internet (e.g., Docker Swarm nodes, load balancers).

  • Private VPC: Hosts internal resources (e.g., databases, internal load balancers).

To enable secure communication between the public and private VPCs within the same project, we use VPC Peering. This setup ensures private, low-latency communication without exposing private resources to the internet.

Name                                                      Source VPC                  Target VPC                  Source CIDR block  Target CIDR block  Firewall Rules
rocken-private-vpc-prod-to-rocken-public-vpc-prod         rocken-private-vpc-prod     rocken-public-vpc-prod      10.10.1.0/24       10.10.2.0/24
rocken-public-vpc-staging-to-rocken-private-vpc-staging   rocken-private-vpc-staging  rocken-public-vpc-staging   10.10.3.0/24       10.10.4.0/24
rocken-public-vpc-qa-to-rocken-private-vpc-qa             rocken-private-vpc-qa       rocken-public-vpc-qa        10.10.5.0/24       10.10.6.0/24

Steps to Add a New Peering Connection

Step 1: Create the VPC Peering Connection

  1. Go to the Networking section in the DigitalOcean Control Panel.

  2. Click on the VPC tab.

  3. Click Create Peering Connection.

  4. In the configuration form:

    • VPC Network: Choose source VPC for peering.

    • Peer to VPC Network: Select the destination VPC from the dropdown.

    • Add a descriptive name for the peering connection (e.g., public-to-private-peering-prod).

  5. Confirm and save the configuration.

Step 2: Configure Firewall Rules

  1. Go to the Networking section in the DigitalOcean Control Panel.

  2. Click on the Firewalls tab.

  3. Select the required firewall.

  4. Update the rules to allow traffic from the source or destination VPC.

Step 3: Update Route Tables on Droplets

  1. Log in to the target Droplet.

  2. Use the following command to restart the network stack:

    sudo systemctl restart systemd-networkd

  3. On Droplets created before 2 October 2024, or Droplets using custom base images, VPC peering routes must be added manually:

    # Ask the Droplet metadata service for the gateway of the VPC (private) interface
    VPC_GATEWAY_IP=$(curl -s 169.254.169.254/metadata/v1/interfaces/private/0/ipv4/gateway)

    # Send all RFC 1918 space via the VPC gateway on the private interface (eth1).
    # Plain `ip route` changes do not survive a reboot; re-apply or persist them in the network configuration.
    ip route replace 10.0.0.0/8 via ${VPC_GATEWAY_IP} dev eth1 mtu 1500 metric 101
    ip route replace 172.16.0.0/12 via ${VPC_GATEWAY_IP} dev eth1 mtu 1500 metric 101
    ip route replace 192.168.0.0/16 via ${VPC_GATEWAY_IP} dev eth1 mtu 1500 metric 101

Refer to the official DigitalOcean documentation for more information – https://docs.digitalocean.com/products/networking/vpc/how-to/update-peering-routes/

Step 6: Document the Peering Connection

  1. Record the following details for future reference:

    • Source VPC and Target VPC IDs.

    • The CIDR blocks of both VPCs.

    • Name of the peering connection.

    • Any updated firewall rules or routes.
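The following is an added helper, not part of this page or of DigitalOcean's own tooling, that turns the checks behind Step 1 and Step 3 into code: it confirms the VPC CIDRs in the table above do not overlap, builds the manual peering routes from the metadata gateway reply while refusing anything that is not an address inside the local VPC, and parses `ip route show` output to verify that the peered VPC is reached via the VPC gateway on eth1 rather than the public default route. The VPC names and CIDRs are taken from the table; the gateway address 10.10.1.1 and the route listings are constructed sample data.

```python
import ipaddress
import re

# Constructed from the peering table on this page: VPC name -> CIDR, plus the peered pairs.
VPC_CIDRS = {
    "rocken-private-vpc-prod": "10.10.1.0/24", "rocken-public-vpc-prod": "10.10.2.0/24",
    "rocken-private-vpc-staging": "10.10.3.0/24", "rocken-public-vpc-staging": "10.10.4.0/24",
    "rocken-private-vpc-qa": "10.10.5.0/24", "rocken-public-vpc-qa": "10.10.6.0/24",
}
PEERINGS = [("rocken-private-vpc-prod", "rocken-public-vpc-prod"), ("rocken-private-vpc-staging",
            "rocken-public-vpc-staging"), ("rocken-private-vpc-qa", "rocken-public-vpc-qa")]
# Constructed `ip route show` output of a private-prod Droplet before and after Step 3.
ROUTES_BEFORE = ("default via 203.0.113.1 dev eth0 proto static\n"
                 "10.10.1.0/24 dev eth1 proto kernel scope link src 10.10.1.5\n")
ROUTES_AFTER = ROUTES_BEFORE + "10.10.2.0/24 via 10.10.1.1 dev eth1 metric 101 mtu 1500\n"
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)")

def cidrs_disjoint(cidrs):
    """Peering needs non-overlapping ranges: True when every pair of CIDRs is disjoint."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

def peer_cidrs(local_vpc):
    """CIDRs of every VPC peered with local_vpc, per PEERINGS."""
    return [VPC_CIDRS[b if a == local_vpc else a] for a, b in PEERINGS if local_vpc in (a, b)]

def peer_route_cmds(local_vpc, gateway_ip, dev="eth1"):
    """`ip route replace` commands for only the peered /24s (narrower than the RFC 1918
    aggregates in Step 3). gateway_ip is the raw metadata reply and must be an address
    inside the local VPC, so an error page or odd value is rejected, not turned into a route."""
    gw = ipaddress.ip_address(gateway_ip.strip())  # ValueError if the reply is not an IP
    if gw not in ipaddress.ip_network(VPC_CIDRS[local_vpc]):
        raise ValueError(f"gateway {gw} is not inside {VPC_CIDRS[local_vpc]}")
    return [f"ip route replace {c} via {gw} dev {dev} mtu 1500 metric 101" for c in peer_cidrs(local_vpc)]

def route_for(ip_route_output, dest_ip):
    """Longest-prefix match over `ip route show` lines -> (network, gateway or None, dev)."""
    target, best = ipaddress.ip_address(dest_ip), None
    for m in filter(None, map(ROUTE_RE.match, ip_route_output.splitlines())):
        net = ipaddress.ip_network("0.0.0.0/0" if m["dst"] == "default" else m["dst"], strict=False)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, m["gw"], m["dev"])
    return best

def peers_reach_via_vpc(ip_route_output, local_vpc, gateway_ip, dev="eth1"):
    """Post-change check: each peered VPC is reached via the VPC gateway on dev, not the default route."""
    for cidr in peer_cidrs(local_vpc):
        r = route_for(ip_route_output, str(next(ipaddress.ip_network(cidr).hosts())))
        if r is None or r[1] != gateway_ip.strip() or r[2] != dev:
            return False
    return True
```

On a real Droplet, feed `peers_reach_via_vpc` the output of `ip route show` and the metadata gateway reply; a False result means peer traffic is still leaving through the public interface.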
