
AWS has a new barebones VPS offering, Lightsail, which is sort of an EC2-Lite -- extremely light -- offering with just a few fixed-size instance classes, simplified pricing, and very few options, along with its own very minimalistic console, as I discussed in What is the difference between Lightsail and EC2?.

Everything about this service is simplified, and it's postured as somewhat separate from AWS, but not really. It's part of your AWS account, if you sign up for it, and...

Amazon Lightsail can see and connect to other AWS resources, such as an Amazon RDS database or Amazon Aurora. On this page, you can attempt to peer your Lightsail VPC with your AWS VPC. For example, you might want to separate your data tier from your app.

https://lightsail.aws.amazon.com/ls/webapp/account

Notice the pessimism. "You can attempt to peer." It's almost as if they anticipated this issue.

By the way, the Lightsail instances do have the usual EC2 metadata endpoint and are in fact t2 instances, inside a "stealth" VPC that you can't see in your AWS console. And I'm going to this trouble because they do have some interesting use cases in spite of their limitations (such as a surprisingly reasonable allowance for Internet-bound bandwidth). So, how do you enable peering with your existing VPC?

It's a checkbox. No options, just click "Enable VPC Peering."

Your VPC peering connection failed.

You can attempt to enable peering again. If you still can't peer your VPC with Lightsail resources, contact Customer Support.

I tried again, several times over the course of several hours, and still... no dice, no diagnostic output, nothing.

Checking the obvious things, like verifying the fact that none of the CIDR blocks of the existing VPCs in the region conflict with the CIDR block of the VPC that my test Lightsail instance appears to be in, and trying to peer the VPCs while logged in as the root user instead of an IAM user, turns up nothing... I even tried it on a second (existing) AWS account, and it didn't work there, either. Same error.

Why does this not work? Is there something else I need to do on the AWS side before trying to set up VPC peering from Lightsail?

Also, if I have multiple VPCs in the region, how do I choose which one(s) the hidden Lightsail VPC will be peered with? There appears to be very little documentation on this... which seems consistent with the apparent design philosophy of Lightsail -- it has so few options that there's very little that should need documentation.

Michael - sqlbot
  • Suppose I have 3 Lightsail instances (also known as VPS - virtual private server), then, can they by default talk to each other? That is - do all Lightsail instances in a region belong to the same VPC? – variable Jan 14 '22 at 10:52

1 Answer


Apparently, you don't actually get to choose which VPC Lightsail will try to peer with -- it wants to peer with your Default VPC.

Once VPC peering is enabled, you can address other AWS resources in your default AWS VPC by using their private IPs.

https://amazonlightsail.com/docs/#faq

I don't know if I overlooked this originally, or if it was subsequently added to the documentation. It's the last sentence of a paragraph and I may have simply overlooked it. In regions where I do have a default VPC, I don't use it, preferring to "roll my own" from scratch.

Default VPC is not simply a VPC you've selected as "the default," but rather refers to a specific VPC in each region that is initially created by the VPC infrastructure, pre-provisioned.

The problem is, you may not have one of these in every region... and you'll encounter exactly the problem described here, if you don't have a Default VPC in the Lightsail region in question (when this was originally written, Lightsail was only available in us-east-1; it has subsequently been launched in many of the other AWS regions). If that describes your situation, you may be able to remedy it yourself, or you may need to contact support. Either way, the Default VPC appears to be the only VPC that Lightsail will peer with.

Not having a Default VPC shouldn't be an issue with a relatively new AWS account:

If you created your AWS account after 2013-12-04, it supports only EC2-VPC. In this case, you'll have a default VPC in each AWS region.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/default-vpc.html

Both of the accounts I initially tested with are quite a bit older than that.

I created a new AWS account today, and, not surprisingly, Lightsail VPC peering worked on the first attempt.

After selecting the appropriate region, if your "EC2 Dashboard" page in the AWS console, at the top right of the screen, says...

Supported Platforms

EC2

VPC

...and there's no mention of a Default VPC there, then that's what you're missing. You might (as of 2017-07-27) be able to create a Default VPC yourself. Failing that, you may need to contact AWS support to request that they reconfigure your account so that you have a Default VPC, which was the standard process that was required before the ability to create your own was made available. Once you have a Default VPC in the region, all should be well.

But there's a bit of a catch, so you'll need to take additional steps to prepare your account, before trying to create a Default VPC or contacting support.

Q. I really want a default VPC for my existing EC2 account. Is that possible?

Yes, however, we can only enable an existing account for a default VPC if you have no EC2-Classic resources for that account in that region. Additionally, you must terminate all non-VPC provisioned Elastic Load Balancers, Amazon RDS, Amazon ElastiCache, and Amazon Redshift resources in that region. After your account has been configured for a default VPC, all future resource launches, including instances launched via Auto Scaling, will be placed in your default VPC. To request your existing account be setup with a default VPC, contact AWS Support. We will review your request and your existing AWS services and EC2-Classic presence to determine if you are eligible for a default VPC.

https://aws.amazon.com/vpc/faqs/#Default_VPCs

That's the catch -- you permanently lose access to EC2-Classic -- but if you ask me, that isn't really much of a sacrifice.

So if your account still has "EC2 Classic" access and the default VPC is conspicuously absent, then the solution is to migrate away from, and terminate, any old EC2 Classic (non-VPC) instances, along with any services that are running on top of EC2 Classic (such as RDS running outside of VPC), and it would probably not be a bad idea to remove supporting entities like non-VPC Elastic IPs, Security Groups, etc. Then you can contact AWS and have your account reconfigured to "EC2-VPC"-only in the region, and your peering connection from Lightsail should succeed.

I say "should succeed" because I am still waiting for AWS Support to "approve" my requested account change. That last note on the ticket says my request is "still open" and this process is...

usually pretty quick but on some occasions it can take 24 - 48 hours for our Service Team to review and approve this type of request

Success. After a couple of days, AWS support reconfigured my account. I now have a default VPC in the us-east-1 region, and clicking the box next to "Enable VPC Peering" now works as expected. In the VPC console, I can now see that my default VPC is peered with the "stealth" VPC allocated for Lightsail.

Note that you don't need a paid support plan in order to request that AWS update your account as I've described above. You aren't actually asking for technical support. You can submit this as an account support request.

If you want to access resources in other VPCs in the region other than the Default VPC, that's not natively supported, at least at the moment. This would be more complicated for AWS to offer as a managed service, since they control the basic provisioning of your Default VPC and Lightsail VPC, but not any others.

VPC Peering connections do not support transit traffic, so it's not just a matter of peering the other VPCs to your Default VPC and connecting that way. For now, you'd need to deploy TCP or HTTP proxy servers (e.g. HAProxy, similar to this configuration, but pointing to services or a similar proxy in the target VPC as backends) or instances providing private-to-private source and destination network address translation (NAT) in the Default VPC in order to bridge the gap and cross over into any other VPC through an additional peering connection. Performance should be excellent, but be sure to familiarize yourself with the pricing for peered VPC traffic. The Lightsail docs and EC2 docs seem inconsistent with each other, with regard to bandwidth costs for peering traffic.

Michael - sqlbot
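The question checks for CIDR conflicts by hand, and the answer's diagnosis comes down to three things you can read off the EC2 API for the region: whether "EC2" still appears under Supported Platforms (EC2-Classic), whether any VPC is flagged as the default, and, once peering is enabled, which peering connection joins the default VPC to the "stealth" Lightsail VPC. The script below is an added example, not code from the original question or answer or from AWS. It runs those checks over the JSON that `aws ec2 describe-account-attributes --attribute-names supported-platforms`, `aws ec2 describe-vpcs` and `aws ec2 describe-vpc-peering-connections` print, using only the standard library so it can be run offline against captured output. All sample responses and identifiers in it are constructed, and the Lightsail CIDR is an assumption (the page never states it; read the real range from your instance's private IP).

```python
"""Added example: pre-flight and post-check for Lightsail VPC peering, run over
the JSON printed by, for the region in question:
    aws ec2 describe-account-attributes --attribute-names supported-platforms
    aws ec2 describe-vpcs
    aws ec2 describe-vpc-peering-connections
Standard library only.  Every sample below is constructed for illustration."""
import ipaddress
import json

# ASSUMPTION: the page does not state the Lightsail VPC's CIDR; take the real
# value from the private IP of your Lightsail instance.
ASSUMED_LIGHTSAIL_CIDR = "172.26.0.0/16"

# Constructed "before" state: an older account with EC2-Classic still enabled
# in the region ("EC2" next to "VPC"), no default VPC, and one hand-built VPC
# whose range collides with the assumed Lightsail range.
SAMPLE_ACCOUNT_ATTRIBUTES_BEFORE = json.dumps({"AccountAttributes": [{
    "AttributeName": "supported-platforms",
    "AttributeValues": [{"AttributeValue": "EC2"}, {"AttributeValue": "VPC"}]}]})
SAMPLE_VPCS_BEFORE = json.dumps({"Vpcs": [
    {"VpcId": "vpc-0a1b2c3d", "CidrBlock": "10.0.0.0/16", "IsDefault": False},
    {"VpcId": "vpc-0e4f5a6b", "CidrBlock": "172.26.0.0/16", "IsDefault": False}]})

# Constructed "after" state: Classic gone, a default VPC present, and the
# peering connection created when "Enable VPC Peering" succeeded.  vpc-0f0f0f0f
# stands in for the Lightsail-side VPC, which never shows up in describe-vpcs.
SAMPLE_ACCOUNT_ATTRIBUTES_AFTER = json.dumps({"AccountAttributes": [{
    "AttributeName": "supported-platforms",
    "AttributeValues": [{"AttributeValue": "VPC"}]}]})
SAMPLE_VPCS_AFTER = json.dumps({"Vpcs": [
    {"VpcId": "vpc-0a1b2c3d", "CidrBlock": "10.0.0.0/16", "IsDefault": False},
    {"VpcId": "vpc-0d3f0d3f", "CidrBlock": "172.31.0.0/16", "IsDefault": True}]})
SAMPLE_PEERING = json.dumps({"VpcPeeringConnections": [{
    "VpcPeeringConnectionId": "pcx-0123abcd",
    "Status": {"Code": "active", "Message": "Active"},
    "RequesterVpcInfo": {"VpcId": "vpc-0f0f0f0f", "CidrBlock": "172.26.0.0/16"},
    "AccepterVpcInfo": {"VpcId": "vpc-0d3f0d3f", "CidrBlock": "172.31.0.0/16"}}]})


def supported_platforms(account_attributes_json):
    """The region's supported-platforms values, e.g. ['EC2', 'VPC'].
    'EC2' in the list means EC2-Classic is still enabled in that region."""
    for attr in json.loads(account_attributes_json).get("AccountAttributes", []):
        if attr["AttributeName"] == "supported-platforms":
            return sorted(v["AttributeValue"] for v in attr["AttributeValues"])
    return []


def default_vpc_ids(vpcs_json):
    """IDs of VPCs flagged IsDefault (normally none or exactly one per region)."""
    return [v["VpcId"] for v in json.loads(vpcs_json)["Vpcs"] if v.get("IsDefault")]


def cidr_conflicts(vpcs_json, lightsail_cidr):
    """IDs of VPCs whose CIDR overlaps the Lightsail VPC's range."""
    peer = ipaddress.ip_network(lightsail_cidr)
    return [v["VpcId"] for v in json.loads(vpcs_json)["Vpcs"]
            if ipaddress.ip_network(v["CidrBlock"]).overlaps(peer)]


def peering_preflight(account_attributes_json, vpcs_json, lightsail_cidr):
    """Conditions that would stop "Enable VPC Peering" from succeeding, in the
    order you would fix them.  An empty list means nothing obvious blocks it."""
    findings = []
    if "EC2" in supported_platforms(account_attributes_json):
        findings.append("ec2-classic-enabled")  # no default VPC until Classic is gone
    if not default_vpc_ids(vpcs_json):
        findings.append("no-default-vpc")       # Lightsail peers only with the default VPC
    # An overlap with the default VPC breaks the peering itself; an overlap with any
    # other VPC breaks any later bridging through the default VPC.
    for vpc_id in cidr_conflicts(vpcs_json, lightsail_cidr):
        findings.append("cidr-overlap:" + vpc_id)
    return findings


def lightsail_peering(peering_json, vpcs_json):
    """After enabling peering: the active connection between the default VPC and
    a VPC absent from describe-vpcs, i.e. the "stealth" Lightsail VPC.
    Returns (peering connection id, foreign VPC id), or None if not found."""
    own = {v["VpcId"] for v in json.loads(vpcs_json)["Vpcs"]}
    defaults = set(default_vpc_ids(vpcs_json))
    for pcx in json.loads(peering_json)["VpcPeeringConnections"]:
        if pcx["Status"]["Code"] != "active":
            continue
        ends = {pcx["RequesterVpcInfo"]["VpcId"], pcx["AccepterVpcInfo"]["VpcId"]}
        foreign = ends - own
        if ends & defaults and len(foreign) == 1:
            return pcx["VpcPeeringConnectionId"], foreign.pop()
    return None


if __name__ == "__main__":
    print(peering_preflight(SAMPLE_ACCOUNT_ATTRIBUTES_BEFORE, SAMPLE_VPCS_BEFORE, ASSUMED_LIGHTSAIL_CIDR))
    print(peering_preflight(SAMPLE_ACCOUNT_ATTRIBUTES_AFTER, SAMPLE_VPCS_AFTER, ASSUMED_LIGHTSAIL_CIDR))
    print(lightsail_peering(SAMPLE_PEERING, SAMPLE_VPCS_AFTER))
```

On a real account, pipe each CLI command's output into the matching function with `--region` set to the Lightsail region; the "before" sample reproduces the state the answer describes (Classic still on, no default VPC), and `lightsail_peering` is the CLI equivalent of the VPC console check at the end of the answer, since the Lightsail VPC is the one peer that never appears in your own `describe-vpcs` listing.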