This page describes the steps to successfully create and provision a Partner Cross-Cloud Interconnect for Amazon Web Services (AWS) connection initiated from Cloud de Confiance by S3NS.
If you don't have an activation key from AWS, you can initiate and provision a Partner Cross-Cloud Interconnect for AWS connection from Cloud de Confiance.
Before you start the Partner Cross-Cloud Interconnect for AWS provisioning process, ensure that the following conditions are met:
- You must already have an Amazon Web Services account.
- You must also create a Virtual Private Cloud (VPC) network, if it doesn't already exist, to connect your transport to.
To achieve a successful connection, you must create the transport resource.
Follow these instructions to create the transport.
Before you begin
Before you get started, review the following sections.
Create or select a project
To make it easier to configure Network Connectivity Center, start by identifying a valid project.
- In the Cloud de Confiance console, on the project selector page, select or create a Cloud de Confiance project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
- Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
- Verify that billing is enabled for your Cloud de Confiance project.
- Install the Google Cloud CLI.
- Configure the gcloud CLI to use your federated identity. For more information, see Sign in to the gcloud CLI with your federated identity.
- To initialize the gcloud CLI, run the following command:
gcloud init
If you are using the Google Cloud CLI, set your project ID by using the gcloud config set command.
gcloud config set project PROJECT_ID
Replace PROJECT_ID with your unique project ID. The gcloud CLI instructions on this page assume that you have set your project ID.
To confirm that you set the project ID correctly, use the gcloud config list command.
gcloud config list --format='text(core.project)'
Enable the Network Connectivity API
Before you can perform any tasks using Network Connectivity Center, you must enable the Network Connectivity API.
Console
To enable the Network Connectivity API, do the following:
In the Cloud de Confiance console, go to the Network Connectivity Center page.
Click Enable.
Alternatively, you can enable the API by using the Cloud de Confiance console API Library, as described in Enabling APIs.
List available profiles
To list the available profiles in a specific project in the region where you want to provision connectivity, follow these steps.
API
Use the networkconnectivity.remoteTransportProfiles.list method with an empty request body.
$ curl -H "Authorization: Bearer $(gcloud auth print-access-token)" "https://networkconnectivity.googleapis.com/v1beta/projects/PROJECT/locations/LOCATION/remoteTransportProfiles"
Replace the following values:
- PROJECT: the name of the project
- LOCATION: the name of the Cloud de Confiance region where you want to provision connectivity, such as us-west1
Create the transport resource
When you create the transport resource, you must specify the bandwidth, network, remoteProfile and remoteAccountId fields. advertisedRoutes is optional in the API, but you must set it to get connectivity from AWS: it is the list of IPv4 and IPv6 prefixes that AWS learns as reachable through the transport, so it should contain only the ranges you intend to expose. If your network uses automatic subnet creation, use the 10.128.0.0/9 value from Cloud de Confiance, which covers all automatically created subnets.
To create a transport resource, follow these steps.
API
Use the networkconnectivity.transports.create method, passing the TRANSPORT_ID as the transportId query parameter, similar to the following example:
curl -X POST -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json" "https://networkconnectivity.googleapis.com/v1beta/projects/PROJECT/locations/LOCATION/transports?transportId=TRANSPORT_ID" --data '{
  "network": "NETWORK",
  "remoteProfile": "REMOTE_PROFILE",
  "bandwidth": "BANDWIDTH",
  "remoteAccountId": "AWS_ACCOUNT_ID",
  "advertisedRoutes": ["IP_RANGE_1", "IP_RANGE_2"],
  "stackType": "STACK_TYPE"
}'
Replace the following values:
- PROJECT: the name of the project in which you want to create the transport
- LOCATION: the name of the Cloud de Confiance region where you want to provision connectivity, such as us-west1
- TRANSPORT_ID: a name for the transport resource
- NETWORK: the network in which you want to create the transport
- REMOTE_PROFILE: the profile (from the list in the previous step) where you want to provision connectivity
- BANDWIDTH: the chosen bandwidth for your connection, such as BPS_1G
- AWS_ACCOUNT_ID: the ID of your AWS account
- IP_RANGE_1, IP_RANGE_2: the IP address ranges to advertise to AWS, as a JSON list
- STACK_TYPE (optional): IP address version stack type. Must be IPV4_ONLY or IPV4_IPV6. Defaults to IPV4_ONLY
In the output, find the value of the name field. It has the format
projects/PROJECT/locations/LOCATION/operations/OPERATION_ID,
where OPERATION_ID is the ID of your operation.
To check the status of the operation, use the networkconnectivity.operations.get method on the same API version you used to create the transport.
GET https://networkconnectivity.googleapis.com/v1beta/projects/PROJECT/locations/LOCATION/operations/OPERATION_ID
Replace the following:
- PROJECT: the name of the project in which you created the transport
- LOCATION: the name of the Cloud de Confiance region where you want to provision connectivity, such as us-west1
- OPERATION_ID: the ID of the operation
If the transport resource has finished creation, the output has the line "done": true. Copy the following values from the output to use in later steps:
- The value of the generatedActivationKey field
- The value of the peeringNetwork field
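The request body above is easy to get subtly wrong (a route with host bits set, an IPv6 prefix on an IPV4_ONLY transport, a default route that would advertise far more than your VPC), and the operation has to be polled before the activation key and peering network exist. The following is an added example that is not code from this page or from the Cloud de Confiance or Google APIs: it validates and builds the transports.create body, then interprets an operations.get result. The transportId query parameter, the BPS_<n>G naming pattern and the placement of the finished transport under the operation's "response" object are assumptions; SAMPLE_OPERATION is a constructed response, not real output.

```python
"""Build, validate and follow up a Network Connectivity Center transport request.

Added example, not code from the page or from the Cloud de Confiance or Google
APIs. Field names follow the page; the transportId query parameter, the
bandwidth naming pattern and the "response" object are assumptions, and
SAMPLE_OPERATION is constructed only to exercise parse_operation().
"""
import ipaddress
import re

AWS_ACCOUNT_ID_RE = re.compile(r"^\d{12}$")  # AWS account IDs are 12 digits
BANDWIDTH_RE = re.compile(r"^BPS_\d+G$")     # assumption: BPS_1G-style enum values
STACK_TYPES = ("IPV4_ONLY", "IPV4_IPV6")
DEFAULT_ROUTES = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def transport_url(project, location, transport_id, version="v1beta"):
    """URL for transports.create; transportId as a query parameter is an assumption."""
    return (f"https://networkconnectivity.googleapis.com/{version}/projects/{project}"
            f"/locations/{location}/transports?transportId={transport_id}")


def check_transport_body(network, remote_profile, bandwidth, aws_account_id,
                         advertised_routes, stack_type="IPV4_ONLY"):
    """Return the list of problems with a request; an empty list means it can be sent."""
    problems = []
    if not network or not remote_profile:
        problems.append("network and remoteProfile are required")
    if not BANDWIDTH_RE.match(bandwidth):
        problems.append(f"bandwidth {bandwidth!r} is not a BPS_<n>G value")
    if not AWS_ACCOUNT_ID_RE.match(aws_account_id):
        problems.append("remoteAccountId must be a 12-digit AWS account ID")
    if stack_type not in STACK_TYPES:
        problems.append(f"stackType must be one of {STACK_TYPES}")
    if not advertised_routes:
        problems.append("advertisedRoutes is empty, so AWS would learn no routes")
    for route in advertised_routes:
        try:
            net = ipaddress.ip_network(route, strict=True)  # reject prefixes with host bits set
        except ValueError:
            problems.append(f"{route!r} is not a valid CIDR prefix")
            continue
        # Local guardrail, not a page requirement: never advertise a default route.
        if net in DEFAULT_ROUTES:
            problems.append(f"{route} is a default route; advertise only VPC ranges")
        if net.version == 6 and stack_type == "IPV4_ONLY":
            problems.append(f"{route} is IPv6 but stackType is IPV4_ONLY")
    return problems


def build_transport_body(network, remote_profile, bandwidth, aws_account_id,
                         advertised_routes, stack_type="IPV4_ONLY"):
    """Return the JSON body for transports.create, or raise ValueError."""
    problems = check_transport_body(network, remote_profile, bandwidth,
                                    aws_account_id, advertised_routes, stack_type)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "network": network,
        "remoteProfile": remote_profile,
        "bandwidth": bandwidth,
        "remoteAccountId": aws_account_id,
        "advertisedRoutes": list(advertised_routes),
        "stackType": stack_type,
    }


# Constructed operation resource, shaped like a finished operations.get response.
SAMPLE_OPERATION = {
    "name": "projects/my-project/locations/us-west1/operations/operation-123",
    "done": True,
    "response": {
        "name": "projects/my-project/locations/us-west1/transports/aws-transport",
        "generatedActivationKey": "constructed-activation-key",
        "peeringNetwork": "projects/my-project/global/networks/transport-peer-net",
    },
}


def parse_operation(op):
    """Interpret an operations.get result.

    Returns None while the operation is still running, raises on an error result,
    and otherwise returns (activation_key, peering_network): the two values the
    page says to copy for the AWS side and the VPC peering step.
    """
    if "error" in op:
        raise RuntimeError(f"transport creation failed: {op['error']}")
    if not op.get("done"):
        return None
    result = op.get("response", op)  # assumption: the transport lives under "response"
    key, peer = result.get("generatedActivationKey"), result.get("peeringNetwork")
    if not key or not peer:
        raise RuntimeError("operation is done but activation key or peering network is missing")
    return key, peer


if __name__ == "__main__":
    body = build_transport_body("projects/my-project/global/networks/vpc",
                                "projects/my-project/locations/us-west1/remoteTransportProfiles/aws-profile",
                                "BPS_1G", "123456789012", ["10.128.0.0/9"])
    print(transport_url("my-project", "us-west1", "aws-transport"), body, sep="\n")
    key, peer = parse_operation(SAMPLE_OPERATION)
    print("peer with:", peer, "(activation key received; hand it to AWS, do not log it)")
```

Poll operations.get in a loop until parse_operation() returns a value, and treat the activation key like a credential: it is what ties the AWS side to this transport, so keep it out of tickets, chat and build logs.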
Complete the steps on the AWS API
Use the activation key that you generated in the previous step to complete setup in the AWS Console. Treat the activation key like a credential: it is what ties the AWS side to this transport, so pass it to the AWS administrator through a channel you would use for other secrets rather than through tickets or chat.
Establish VPC Network Peering
You can proactively establish VPC Network Peering at the
Cloud de Confiance end. To do this, use the peeringNetwork returned from the
previous created transport resource and ensure that you create a peering with
the same stack type. The default stack type matches the transport resource
using IPV4_ONLY.
To receive the AWS routes, you must enable the
Import custom routes field.
The MTU in the peering VPC network is explicitly set to the maximum (8896) in order to avoid MTU issues in the connectivity. If your VPC network uses an MTU less than 8896, you might get a warning such as the following:
WARNING: Some requests generated warnings: - Network MTU 1460B does not match the peer's MTU 8896B.
In that case, make sure that the MTU configurations of your Cloud de Confiance VPC network and the AWS VPC network match. If they are mismatched, you might need to override MTU values to the lowest common denominator. For example, if you're using 8896 in Cloud de Confiance and 8800 in AWS, everything in Cloud de Confiance must be configured as 8800.
gcloud
To establish VPC Network Peering, use the
gcloud compute networks peerings create command.
gcloud compute networks peerings create "TRANSPORT_NAME" \
    --network="VPC_NETWORK" \
    --peer-network="PEERING_NETWORK" \
    --import-custom-routes \
    --export-custom-routes
Replace the following values:
- TRANSPORT_NAME: the name of the transport that you created, reused here as the name of the peering
- VPC_NETWORK: the name of your VPC network (the network that you specified when you created the transport)
- PEERING_NETWORK: the name of the VPC network provided by the transport resource, which you copied from the transport resource's peeringNetwork field
If the command is successful, the output's state field has the value ACTIVE.
API
To establish VPC Network Peering, use the
compute.networks.addPeering method.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT/global/networks/NETWORK/addPeering
Replace the following values:
- PROJECT: the name of the project that you are peering
- NETWORK: the name of the network resource to add peering to
Verify your connection
You can verify that connectivity has been established by listing the peered VPC networks and the route tables. After the AWS configuration is complete, you can see your AWS routes in the list.
gcloud
To list the peered VPC networks, use the gcloud compute networks peerings list command.
gcloud compute networks peerings list
To list the routes that a specific transport's peering imports, use the gcloud compute networks peerings list-routes command.
gcloud compute networks peerings list-routes TRANSPORT_ID \
    --direction=INCOMING \
    --network=NETWORK \
    --region=LOCATION
Replace the following values:
- TRANSPORT_ID: the name of the transport resource (also the name of the peering)
- NETWORK: the name of the VPC network that you want to list the route tables for
- LOCATION: the location of the transport resource
The output is similar to the following; after the AWS configuration is complete, the AWS VPC ranges appear as accepted dynamic peering routes:
DEST_RANGE     TYPE                   NEXT_HOP_REGION  PRIORITY  STATUS
10.0.0.0/16    DYNAMIC_PEERING_ROUTE  us-east4         0         accepted
10.0.0.0/16    DYNAMIC_PEERING_ROUTE  us-east4         0         accepted
API
To list peered networks, use the compute.networks.list method.
GET https://compute.googleapis.com/compute/v1/projects/PROJECT/global/networks
Replace PROJECT with the name of the project that you want to list the networks for.
To list routes, use the compute.routes.listPeeringRoutes method.
GET https://compute.googleapis.com/compute/v1/projects/PROJECT/global/networks/NETWORK/listPeeringRoutes
Replace the following values:
- PROJECT: the name of the project that you want to list the routes for
- NETWORK: the name of the VPC network that you want to list the route tables for
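Seeing routes in the list is only half of the verification: you also want to confirm that the AWS ranges you expect have actually been accepted, and that nothing imported from AWS overlaps a range already in use on the Cloud de Confiance side, where it would compete with local subnet routes. The following is an added example, not code from this page or from the Cloud de Confiance CLI. It parses text in the column layout that the list-routes sample above shows (SAMPLE_OUTPUT is constructed, including a deliberately rejected route) and returns the findings a practitioner would act on.

```python
"""Check the routes that a Cross-Cloud Interconnect peering imports.

Added example, not code from the page or from the Cloud de Confiance CLI.
It parses output in the layout the page shows for
`gcloud compute networks peerings list-routes` (SAMPLE_OUTPUT is constructed)
and reports expected AWS ranges that have not been accepted, routes in any
non-accepted state, and imported ranges that overlap local VPC ranges.
"""
import ipaddress

# Constructed sample output in the column layout the page shows.
SAMPLE_OUTPUT = """\
DEST_RANGE     TYPE                   NEXT_HOP_REGION  PRIORITY  STATUS
10.0.0.0/16    DYNAMIC_PEERING_ROUTE  us-east4         0         accepted
10.50.0.0/16   DYNAMIC_PEERING_ROUTE  us-east4         0         rejected
172.16.0.0/12  DYNAMIC_PEERING_ROUTE  us-east4         0         accepted
"""


def parse_list_routes(text):
    """Return [(network, type, region, priority, status)] rows from list-routes text."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "DEST_RANGE":  # skip header and noise
            continue
        dest, rtype, region, priority, status = parts
        rows.append((ipaddress.ip_network(dest, strict=False), rtype, region,
                     int(priority), status))
    return rows


def check_peering_routes(text, expected_aws_ranges, local_ranges):
    """Return a list of findings; an empty list means the peering looks healthy.

    expected_aws_ranges: CIDRs the AWS VPC is supposed to advertise to you.
    local_ranges: CIDRs already used in your Cloud de Confiance VPC network.
    """
    routes = parse_list_routes(text)
    expected = {ipaddress.ip_network(r) for r in expected_aws_ranges}
    local = [ipaddress.ip_network(r) for r in local_ranges]
    accepted = {net for net, _t, _r, _p, status in routes if status == "accepted"}
    findings = []
    for net in sorted(expected, key=str):
        if net not in accepted:
            findings.append(f"expected AWS range {net} is not an accepted route yet")
    for net, rtype, _region, _priority, status in routes:
        if status != "accepted":
            findings.append(f"{net} ({rtype}) has status {status}")
        for loc in local:
            if net.overlaps(loc):
                findings.append(f"imported {net} overlaps local range {loc}")
    return findings


if __name__ == "__main__":
    for finding in check_peering_routes(SAMPLE_OUTPUT, ["10.0.0.0/16"], ["10.128.0.0/9"]):
        print(finding)
```

Feed it the real command output (for example, the captured stdout of the list-routes command above) together with the AWS VPC CIDRs from your AWS configuration and the subnet ranges of your own VPC network; a route that stays non-accepted or overlaps a local range is the first thing to look at when traffic does not flow.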
What's next
- To find answers to common questions about Cloud Interconnect architecture and features, see the Cloud Interconnect FAQ.
- To find out more about Cloud Interconnect, see the Cloud Interconnect overview.
- To learn about best practices when planning for and configuring Cloud Interconnect, see Best practices.
- To find Cloud de Confiance by S3NS resource names, see the Cloud Interconnect APIs.