Amazon GameLift
Developer Guide (Version )

Set Up VPC Peering

Use Amazon Virtual Private Cloud (VPC) peering connections to enable your game servers to communicate directly and privately with your other AWS resources, such as a web service or a repository. This topic provides guidance on setting up a peering connection between the VPC for your Amazon GameLift game servers and a VPC for non-Amazon GameLift resources. For more information on how VPC peering works with Amazon GameLift, see Networking With AWS Resources.

If you’re already familiar with Amazon VPCs and VPC peering, please note that setting up peering with Amazon GameLift game servers is somewhat different. Since you don’t have access to the VPC for your game server processes (it is controlled by the Amazon GameLift service), you can't create a VPC peering connection request for it. Instead, you first pre-authorize a VPC with non-Amazon GameLift resources to accept a peering request from Amazon GameLift. You then have Amazon GameLift request the VPC peering that you just authorized. Amazon GameLift automatically creates the peering connection, sets up the route tables, and configures the connection as needed.

To set up a VPC peering connection:

  1. Get identifiers for each VPC.

    Get the following information for the two VPCs to be peered:

    • VPC for your Amazon GameLift game servers – Your game server processes are deployed in Amazon GameLift as a fleet of EC2 instances. Each fleet is automatically placed in its own VPC, which is managed by the Amazon GameLift service. Since you don’t have access to the VPC for your game server processes, you identify that VPC by its associated fleet. To identify the set of game server processes you want to establish a VPC peering for, you need the Amazon GameLift fleet ID.

    • VPC for your non-Amazon GameLift AWS resources – You can establish a VPC peering with any resources that run on AWS and are managed by an AWS account that you have access to. If you haven’t already created a VPC for these resources, see Getting Started with Amazon VPC for help creating a VPC and adding resources to it. Once you have created a VPC, you can find the VPC ID by signing into the AWS Management Console for Amazon VPC and viewing your VPCs.

    Note

    When requesting a peering, both VPCs must exist in the same region. The VPC for your Amazon GameLift game server processes is in the same region as the fleet.

  2. Get AWS Account ID(s) and credentials.

    You need an ID and sign-in credentials for the following two AWS accounts. You can find AWS account IDs by signing into the AWS Management Console and viewing your account settings. To get credentials, go to the IAM console.

    • AWS account that is used to manage your Amazon GameLift game servers.

    • AWS account that is used to manage your non-Amazon GameLift resources.

    If you’re using the same account for Amazon GameLift and non-Amazon GameLift resources, you’ll need the ID and credentials for only one account.

  3. Authorize a VPC peering with non-Amazon GameLift resources.

    In this step, you are accepting a future request from Amazon GameLift to peer to your VPC for non-Amazon GameLift resources. For this action, use credentials for the account that manages your non-Amazon GameLift resources.

    To authorize the VPC peering, call the Amazon GameLift service API CreateVpcPeeringAuthorization() or use the AWS CLI command create-vpc-peering-authorization. Identify the following information:

    • Peer VPC ID – This is for the VPC with the non-Amazon GameLift resources.

    • Amazon GameLift AWS account ID – This is for the account that you use to manage your Amazon GameLift fleet.

    Once you’ve authorized a VPC peering, the authorization remains valid for 24 hours unless revoked. You can manage your VPC peering authorizations using the following operations: DescribeVpcPeeringAuthorizations() to list current authorizations and DeleteVpcPeeringAuthorization() to revoke one.

  4. Request a peering between VPCs for an Amazon GameLift fleet and the non-Amazon GameLift resources.

    Once you have a valid authorization for a VPC peering, you can trigger Amazon GameLift to request the peering. For this action, use credentials for the account that manages your Amazon GameLift game servers.

    To request a VPC peering, call the Amazon GameLift service API CreateVpcPeeringConnection() or use the AWS CLI command create-vpc-peering-connection. Identify the following information, which identifies the two VPCs to peer:

    • Peer VPC ID and AWS account ID – This is the VPC for your non-Amazon GameLift resources and the account that you use to manage them. The VPC ID used must match one on a valid authorization.

    • Fleet ID – This identifies the VPC for your Amazon GameLift game server processes.

    You can manage your VPC peering connections using the following operations: DescribeVpcPeeringConnections() to retrieve connection records and DeleteVpcPeeringConnection() to remove a peering.

    You can request a VPC peering connection when you create a new fleet. For more information, see Create a Fleet and VPC Peering Connection.

  5. Track your VPC peering connections.

    Requesting a VPC peering connection is an asynchronous operation. To track the status of a peering request and handle success or failure cases, use one of the following options:

    • Continuously poll with DescribeVpcPeeringConnections(). This operation retrieves the VPC peering connection record, including the status of the request. If a peering connection is successfully created, the connection record also contains a CIDR block of private IP addresses that is assigned to the VPC.

    • Handle fleet events associated with VPC peering connections with DescribeFleetEvents(), including success and failure events.

    Common reasons a connection request fails:

    • An authorization for the requested connection was not found. This may mean an existing authorization is no longer valid, or never existed. A common cause for this issue is a region mix-up. Verify that your authorization and your request are using the same region.

    • Overlapping CIDR blocks (see Invalid VPC Peering Connection Configurations). The IPv4 CIDR blocks that are assigned to peered VPCs cannot overlap. The CIDR block of the VPC for your Amazon GameLift fleet is automatically assigned and can’t be changed. You can look up this CIDR block by calling DescribeVpcPeeringConnections(). To resolve this issue, you'll need to change the CIDR block of the VPC for your non-Amazon GameLift resources to a non-overlapping range.

    • The fleet did not activate. If you requested a VPC peering connection as part of a CreateFleet() request, the new fleet may have failed to progress to Active status. In this scenario, the peering connection cannot succeed.
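The following script is an added example that walks through steps 3 to 5 above end to end and also covers the CIDR-overlap failure listed under "Common reasons a connection request fails". It is not code from this Developer Guide or from the Amazon GameLift service. It assumes boto3 is installed for real use (the import is deferred so the module also loads without it), that two separate credential profiles named peer-account and fleet-account exist, and that the fleet, VPC and account identifiers are placeholders you replace. The status code strings ("active" and the pending set) are assumed to mirror the EC2 VPC peering status codes; the GameLift API reports them as free-form strings in Status.Code, so adjust the sets if your account returns different values.

```python
"""Authorize, request and track an Amazon GameLift VPC peering (added example)."""
import ipaddress
import time
from datetime import datetime, timezone

# Constructed placeholder values; replace with your own identifiers.
REGION = "us-west-2"                       # both VPCs must be in the same region
FLEET_ID = "fleet-EXAMPLE-PLACEHOLDER"     # identifies the GameLift-managed VPC
GAMELIFT_ACCOUNT_ID = "111111111111"       # account that manages the fleet
PEER_VPC_ID = "vpc-EXAMPLE-PLACEHOLDER"    # VPC holding non-GameLift resources
PEER_ACCOUNT_ID = "222222222222"           # account that manages that VPC
PEER_VPC_CIDR = "10.10.0.0/16"             # IPv4 CIDR of the peer VPC

# Assumption: status codes follow the EC2 VPC peering vocabulary.
PENDING_CODES = {"initiating-request", "pending-acceptance", "provisioning"}
ACTIVE_CODE = "active"


def cidrs_overlap(cidr_a: str, cidr_b: str) -> bool:
    """True if two IPv4 CIDR blocks share any address; peered VPCs must not overlap."""
    a = ipaddress.ip_network(cidr_a, strict=False)
    b = ipaddress.ip_network(cidr_b, strict=False)
    return a.overlaps(b)


def find_valid_authorization(peer_gamelift, gamelift_account_id, peer_vpc_id, now):
    """Return an unexpired authorization matching this account/VPC pair, or None.
    Guards against the 'authorization not found or no longer valid' failure."""
    resp = peer_gamelift.describe_vpc_peering_authorizations()
    for auth in resp.get("VpcPeeringAuthorizations", []):
        expires = auth.get("ExpirationTime")
        if (auth.get("GameLiftAwsAccountId") == gamelift_account_id
                and auth.get("PeerVpcId") == peer_vpc_id
                and expires is not None and expires > now):
            return auth
    return None


def authorize_peering(peer_gamelift, gamelift_account_id, peer_vpc_id):
    """Step 3: with the peer account's credentials, pre-authorize GameLift's request.
    The authorization is valid for 24 hours unless revoked."""
    resp = peer_gamelift.create_vpc_peering_authorization(
        GameLiftAwsAccountId=gamelift_account_id, PeerVpcId=peer_vpc_id)
    return resp.get("VpcPeeringAuthorization", {})


def request_peering(fleet_gamelift, fleet_id, peer_account_id, peer_vpc_id):
    """Step 4: with the fleet account's credentials, have GameLift request the peering."""
    fleet_gamelift.create_vpc_peering_connection(
        FleetId=fleet_id, PeerVpcAwsAccountId=peer_account_id, PeerVpcId=peer_vpc_id)


def wait_for_peering(fleet_gamelift, fleet_id, peer_vpc_id,
                     attempts=30, delay=10, sleep=time.sleep):
    """Step 5: poll DescribeVpcPeeringConnections until the record leaves a pending
    state. Returns (status_code, status_message, gamelift_cidr_or_None)."""
    for _ in range(attempts):
        resp = fleet_gamelift.describe_vpc_peering_connections(FleetId=fleet_id)
        for conn in resp.get("VpcPeeringConnections", []):
            if conn.get("PeerVpcId") != peer_vpc_id:
                continue
            status = conn.get("Status", {})
            code = status.get("Code", "")
            if code not in PENDING_CODES:
                return code, status.get("Message", ""), conn.get("IpV4CidrBlock")
        sleep(delay)  # the request is asynchronous; the record may not exist yet
    return "timeout", "no terminal status after polling", None


def peer_vpcs(peer_gamelift, fleet_gamelift, *, fleet_id, gamelift_account_id,
              peer_account_id, peer_vpc_id, peer_vpc_cidr, now,
              attempts=30, sleep=time.sleep):
    """Run steps 3-5 and attach a diagnosis for the CIDR-overlap failure mode."""
    if find_valid_authorization(peer_gamelift, gamelift_account_id, peer_vpc_id, now) is None:
        authorize_peering(peer_gamelift, gamelift_account_id, peer_vpc_id)
    request_peering(fleet_gamelift, fleet_id, peer_account_id, peer_vpc_id)
    code, message, gamelift_cidr = wait_for_peering(
        fleet_gamelift, fleet_id, peer_vpc_id, attempts=attempts, sleep=sleep)
    result = {"status": code, "message": message,
              "gamelift_cidr": gamelift_cidr, "diagnosis": None}
    # The fleet VPC's CIDR is fixed by GameLift; only the peer VPC can be renumbered.
    if code != ACTIVE_CODE and gamelift_cidr and cidrs_overlap(gamelift_cidr, peer_vpc_cidr):
        result["diagnosis"] = (f"CIDR overlap: fleet VPC {gamelift_cidr} overlaps peer VPC "
                               f"{peer_vpc_cidr}; move the peer VPC to a non-overlapping range")
    return result


def main():
    import boto3  # deferred so the module imports without boto3 for offline tests
    peer = boto3.Session(profile_name="peer-account").client("gamelift", region_name=REGION)
    fleet = boto3.Session(profile_name="fleet-account").client("gamelift", region_name=REGION)
    print(peer_vpcs(peer, fleet, fleet_id=FLEET_ID, gamelift_account_id=GAMELIFT_ACCOUNT_ID,
                    peer_account_id=PEER_ACCOUNT_ID, peer_vpc_id=PEER_VPC_ID,
                    peer_vpc_cidr=PEER_VPC_CIDR, now=datetime.now(timezone.utc)))


if __name__ == "__main__":
    main()
```

The two clients are created in the same region on purpose, since a region mismatch between the authorization and the request is the first failure cause listed above. Polling and sleeping are injected so the orchestration can be exercised against a fake client without AWS access.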