AWS Cross-Region Cross-VPC deploy

Prerequisites

  • Setup Akto in a VPC. We’ll call this Security VPC.

  • Vpc where runtime will be deployed. We’ll call this Application VPC.

Case 1 - Account and region both are same

Step 1: Creating a Target Group For Mongo Instance present in Central VPC

  • Go to Aws Console and search for target groups. Click on create target group

  • In the Basic Configuration section, select IP addresses option.

  • Add a target group name of your choice, and select TCP protocol and add port 27017. Post that, select Application VPC, and click on next.

  • On the next screen, choose “Other private IP address” under Network section. Select the availability zone under Availability zone section

  • Enter the private ip of mongo instance present in region 1. Modify the port value to 27017 and click on include as pending below.

  • Click on Create target group at the bottom to create the target group

Step 2: Creating Load Balancer

  • Go to Aws Console and search for load balancer. Click on create load balancer.

  • On the next page, select Network Load Balancer.

  • Add a lb name of your choice, and mark it as Internal in the Scheme section.

  • In the VPC section, select Application VPC and select the appropriate availability zones.

  • Create a new security group with the below inbound rule

  • In the listener section, select the target group created in the above step and add the correct port

  • Click on Create Load Balancer at the bottom to create the load balancer.

Step 3: Setting Up Endpoint Service

  • Go to Aws Console and search for endpoint service. Click on create endpoint service.

  • Add a name for your endpoint service and select “Network” Load balancer type. In the available load balancers section below select the load balancer created in previous step.

  • Click on create at the bottom.

  • Go to Allow Principals tab and add the below principal value.

Step 4: Setting Up Endpoint

  • Go to Aws console and search for endpoints. Click on create endpoint

  • Add a name for your endpoint and select other endpoint services in the service category. Also mention the service name in the Service Settings section by copying it as mentioned in step 3.

  • Copy the service name from the endpoint service created earlier.

  • Select Application VPC and select appropriate subnets

  • Create a security group and add cidr blocks of Application VPC

  • Click on Create Endpoint.

Step 5:

  • Copy endpoint url from the above created Endpoint. Append /admini at the end of this url.

  • While setting up runtime for your application, use this url as Mongo_IP.

In case there are multiple applications -

  • Scenario 1 - All Applications are in same region

No extra steps are required. Use the same Endpoint link as mentioned in Step 5.

  • Scenario 2 - 1 or more Application in different regions

Refer to Case 2

Case 2 - Account or region are different

Prerequisites

  • Setup Akto in a VPC. We’ll call this Security VPC.

  • Vpc where runtime will be deployed. We’ll call this Application VPC.:

  • Create/reuse a separate VPC in a different region in the same account as step 1. We’ll call this Relay VPC.

Step 1:

  • Peering Setup - Peer Central And Relay VPC.

Step 2: Creating a Target Group For Mongo Instance present in Central VPC

  • Go to Aws Console and search for target groups. Click on create target group

  • In the Basic Configuration section, select IP addresses option.

  • Add a target group name of your choice, and select TCP protocol and add port 27017. Post that, select the vpc which was used for peering connection in region 2, and click on next.

  • On the next screen, choose “Other private IP address” under Network section. Select the availability zone under Availability zone section

  • Enter the private ip of mongo instance present in region 1. Modify the port value to 27017 and click on include as pending below.

  • Click on Create target group at the bottom to create the target group

Step 2: Creating Load Balancer

  • Go to Aws Console and search for load balancer. Click on create load balancer.

  • On the next page, select Network Load Balancer.

  • Add a lb name of your choice, and mark it as Internal in the Scheme section.

  • In the VPC section, select Relay VPC and select the appropriate availability zones.

  • Create a new security group with the below inbound rule

  • In the listener section, select the target group created in the above step and add the correct port

  • Click on Create Load Balancer at the bottom to create the load balancer.

Step 3: Setting Up Endpoint Service

  • Go to Aws Console and search for endpoint service. Click on create endpoint service.

  • Add a name for your endpoint service and select “Network” Load balancer type. In the available load balancers section below select the load balancer created in previous step.

  • Click on create at the bottom.

  • Go to Allow Principals tab and add the below principal value.

Step 4: Setting Up Endpoint

  • Go to Aws console and search for endpoints. Click on create endpoint

  • Add a name for your endpoint and select other endpoint services in the service category. Also mention the service name in the Service Settings section by copying it as mentioned in step 3.

  • Copy the service name from the endpoint service created earlier.

  • Select Application VPC and select appropriate subnets

  • Create a security group and add cidr blocks of Relay Vpc and Application VPC

  • Click on Create Endpoint.

Step 5:

  • Copy endpoint url from the above created Endpoint. Append /admini at the end of this url.

  • While setting up runtime for your application, use this url as Mongo_IP.

In case there are multiple applications -

  • Scenario 1 - All Applications are in same region

No extra steps are required. Use the same Endpoint link as mentioned in Step 5.

  • Scenario 2 - 1 or more Application in different regions

  1. Create a new Relay VPC in the different region

  2. Repeat all the steps of Case 2

Last updated