Working with Amazon VPC across AWS Regions - AWS Device Farm
VPC peering overviewPrerequisitesStep 1: Establish a peering connection between two VPCsStep 2: Update the route tables for VPC-1 and VPC-2Step 3: Creating target groupsStep 4: Create a Network Load BalancerStep 5: Create a VPC endpoint serviceStep 6: Create a VPC endpoint configuration in applicationStep 7: Create a test runCreating scalable VPC systems

Working with Amazon VPC across AWS Regions

Device Farm services are located only in the US West (Oregon) (us-west-2) Region. You can use Amazon Virtual Private Cloud (Amazon VPC) to reach a service in your Amazon Virtual Private Cloud in another AWS Region using Device Farm. If Device Farm and your service are in the same Region, see Using Amazon VPC endpoint services with Device Farm.

There are two ways to access your private services located in a different Region. If you have services located in one other Region that's not us-west-2, you can use VPC Peering in order to peer that Region’s VPC to another VPC that is interfacing with Device Farm in us-west-2. However, if you have services in multiple Regions, a Transit Gateway will allow you to access those services with a simpler network configuration.

For more information, see VPC peering scenarios in the Amazon VPC Peering Guide.

VPC peering

You can peer any two VPCs in different Regions, as long as they have distinct, non-overlapping CIDR blocks. This ensures that all of the private IP addresses are unique, and it allows all of the resources in the VPCs to address each other without the need for any form of network address translation (NAT). For more information about CIDR notation, see RFC 4632.

This topic includes a cross-Region example scenario in which Device Farm (referred to as VPC-1) is located in the US West (Oregon) (us-west-2) Region. The second VPC in this example (referred to as VPC-2) is in another Region.

Device Farm VPC cross-Region example
VPC Component VPC-1 VPC-2
CIDR 10.0.0.0/16 172.16.0.0/16
Important

Establishing a peering connection between two VPCs can change the security posture of the VPCs. In addition, adding new entries to their route tables can change the security posture of the resources within the VPCs. It is your responsibility to implement these configurations in a way that meets your organization's security requirements. For more information, please see the Shared responsibility model.

The following diagram shows the components in the example and the interactions between these components.

Work with private devices across AWS Regions.

Prerequisites

This example requires the following:

  • Two VPCs that are configured with subnets containing non-overlapping CIDR blocks.

  • VPC-1 must be in the us-west-2 Region and contain subnets for Availability Zones us-west-2a, us-west-2b, and us-west-2c.

For more information on creating VPCs and configuring subnets, see Working with VPCs and subnets in the Amazon VPC Peering Guide.

Step 1: Set up a peering connection between VPC-1 and VPC-2

Establish a peering connection between the two VPCs containing non-overlapping CIDR blocks. To do this, see Create and accept VPC peering connections in the Amazon VPC Peering Guide. Using this topic's cross-Region scenario and the Amazon VPC Peering Guide, the following example peering connection configuration is created:

Name

Device-Farm-Peering-Connection-1

VPC ID (Requester)

vpc-0987654321gfedcba (VPC-2)

Account

My account

Region

US West (Oregon) (us-west-2)

VPC ID (Accepter)

vpc-1234567890abcdefg (VPC-1)

Note

Ensure that you consult your VPC peering connection quotas when establishing any new peering connections. For more information, please see Amazon VPC quotas in the Amazon VPC Peering Guide.

Step 2: Update the route tables in VPC-1 and VPC-2

After setting up a peering connection, you must establish a destination route between the two VPCs to transfer data between them. To establish this route, you can manually update the route table of VPC-1 to point to the subnet of VPC-2 and vice versa. To do this, see Update your route tables for a VPC peering connection in the Amazon VPC Peering Guide. Using this topic's cross-Region scenario and the Amazon VPC Peering Guide, the following example route table configuration is created:

Device Farm VPC route table example
VPC component VPC-1 VPC-2
Route table ID rtb-1234567890abcdefg rtb-0987654321gfedcba
Local address range 10.0.0.0/16 172.16.0.0/16
Destination address range 172.16.0.0/16 10.0.0.0/16

Step 3: Create a target group

After you set up your destination routes, you can configure a Network Load Balancer in VPC-1 to route requests to VPC-2.

The Network Load Balancer must first contain a target group that contains the IP addresses to which requests are sent.

To create a target group

  1. Identify the IP addresses of the service that you want to target in VPC-2.

    • These IP addresses must be members of the subnet used in the peering connection.

    • The targeted IP addresses must be static and immutable. If your service has dynamic IP addresses, consider targeting a static resource (such as a Network Load Balancer) and having that static resource route requests to your true target.

      Note

      • If you're targeting one or more stand-alone Amazon Elastic Compute Cloud (Amazon EC2) instances, open the Amazon EC2 console at https://console.aws.amazon.com/ec2/, then choose Instances.

      • If you're targeting an Amazon EC2 Auto Scaling group of Amazon EC2 instances, you must associate the Amazon EC2 Auto Scaling group to a Network Load Balancer. For more information, see Attaching a load balancer to your Auto Scaling group in the Amazon EC2 Auto Scaling User Guide.

        Then, you can open the Amazon EC2 console at https://console.aws.amazon.com/ec2/, and then choose Network Interfaces. From there you can view the IP addresses for each of the Network Load Balancer's network interfaces in each Availability Zone.

  2. Create a target group in VPC-1. To do this, see Create a target group for your Network Load Balancer in the User Guide for Network Load Balancers.

    Target groups for services in a different VPC require the following configuration:

    • For Choose a target type, choose IP addresses.

    • For VPC, choose the VPC that will host the load balancer. For the topic example, this will be VPC-1.

    • On the Register targets page, register a target for each IP address in VPC-2.

      For Network, choose Other private IP address.

      For Availability Zone, choose your desired zones in VPC-1.

      For IPv4 address, choose the VPC-2 IP address.

      For Ports, choose your ports.

    • Choose Include as pending below. When you're finished specifying addresses, choose Register pending targets.

Using this topic's cross-Region scenario and the User Guide for Network Load Balancers, the following values are used in the target group configuration:

Target type

IP addresses

Target group name

my-target-group

Protocol/Port

TCP : 80

VPC

vpc-1234567890abcdefg (VPC-1)

Network

Other private IP address

Availability Zone

all

IPv4 address

172.16.100.60

Ports

80

Step 4: Create a Network Load Balancer

Create a Network Load Balancer using the target group described in step 3. To do this, see Creating a Network Load Balancer.

Using this topic's cross-Region scenario, the following values are used in an example Network Load Balancer configuration:

Load balancer name

my-nlb

Scheme

Internal

VPC

vpc-1234567890abcdefg (VPC-1)

Mapping

us-west-2a - subnet-4i23iuufkdiufsloi

us-west-2b - subnet-7x989pkjj78nmn23j

us-west-2c - subnet-0231ndmas12bnnsds

Protocol/Port

TCP : 80

Target Group

my-target-group

Step 5: Create a VPC endpoint service

You can use the Network Load Balancer to create a VPC endpoint service. Through this VPC endpoint service, Device Farm can connect to your service in VPC-2 without any additional infrastructure, such as an internet gateway, NAT instance, or VPN connection.

To do this, see Creating an Amazon VPC endpoint service.

Step 6: Create a VPC endpoint configuration in Device Farm

Now you can establish a private connection between your VPC and Device Farm. You can use Device Farm to test private services without exposing them through the public internet. To do this, see Creating a VPC endpoint configuration in Device Farm.

Using this topic's cross-Region scenario, the following values are used in an example VPC endpoint configuration:

Name

My VPCE Configuration

VPCE service name

com.amazonaws.vpce.us-west-2.vpce-svc-1234567890abcdefg

Service DNS name

devicefarm.com

Step 7: Create a test run

You can create test runs that use the VPC endpoint configuration described in step 6. For more information, see Create a test run in Device Farm or Create a session.

Create a scalable network with Transit Gateway

To create a scalable network using more than two VPCs, you can use Transit Gateway to act as a network transit hub to interconnect your VPCs and on-premises networks. To configure a VPC in the same region as Device Farm to use a Transit Gateway, you can follow the Amazon VPC endpoint services with Device Farm guide to target resources in another region based on their private IP addresses.

For more information about Transit Gateway, see What is a transit gateway? in the Amazon VPC Transit Gateways Guide.