Connection between Lightsail and VPC
When you enable VPC peering in Lightsail, only the default VPC of each region can be peered. Once peering is enabled for a region, all Lightsail resources in that region can communicate with all resources in that region's default VPC via private IP addresses, regardless of environment or resource type. You can refer to the documentation below to get a better idea about VPC peering in Lightsail:
=> For example, in the Tokyo region, if you want to peer with another VPC (a non-default one, since there is only one default VPC), you cannot.
Question:
Possible workarounds include:
Option 1: Create snapshots and use the default VPC of another region as the VPC for the staging environment:
Step 1: Create a snapshot of the Lightsail instance, copy that snapshot to another region according to document [2], and create a new Lightsail instance from the snapshot according to document [3]
Step 2: I will not be able to copy a snapshot of the Lightsail database [4], so I have to create an RDS instance and migrate from the Lightsail database to RDS according to document [5]
Step 3: Take a snapshot of the RDS instance containing the Lightsail database data created in step 2, and copy the RDS snapshot to the second region according to document [6]
Option 2: Export the Lightsail snapshot according to document [7] and create an EC2 instance from the Lightsail snapshot according to document [8]. Note that with this option, I still need to migrate data from the Lightsail database to RDS.
Note that snapshots of cPanel & WHM, Django, and Ghost instances cannot currently be exported to EC2. (Refer to document [4])
However, as you can see, this is quite laborious and adds operational overhead and cost.
=> Can I set up a Client VPN instead of peering to access resources?
Answer from AWS:
Hello,
Thank you for your immense patience in this case.
From the case correspondence I understand that you are looking for a way to connect Lightsail instances with resources existing in a non-default VPC. I have been exploring almost all the options available from the AWS side over the past few days.
Firstly, VPC peering can only help in connecting Lightsail resources to the resources existing in the default VPC.
Then I moved on to explore the Client VPN endpoint as you suggested, and using that I was able to connect from Lightsail instances to the instances existing in the non-default VPC; however, since the Client VPN endpoint uses Network Address Translation, we cannot communicate from resources existing in the non-default VPC to the Lightsail instances.
However, if your use case only requires communication from Lightsail instances to the resources existing in the non-default VPC and not the other way around, then we can set up a Client VPN endpoint in the non-default VPC. Here are the brief steps I followed to create the setup:
- Firstly I followed the steps mentioned in the below documentation to create the server and client certificates in the Lightsail instances:
[+] docs.aws.amazon.com/vpn/latest/clientvpn-ad..
- After the certificates were uploaded to ACM, I went ahead to create a Client Side VPN by following the steps mentioned in the documentation:
[+] docs.aws.amazon.com/vpn/latest/clientvpn-ad..
- Once the Client VPN endpoint was created I went ahead to create a network association for the corresponding subnet by following the steps mentioned in the documentation:
[+] docs.aws.amazon.com/vpn/latest/clientvpn-ad..
- After this I applied the security groups to the target group:
[+] docs.aws.amazon.com/vpn/latest/clientvpn-ad..
- Then I went ahead to add the authorization rules:
[+] docs.aws.amazon.com/vpn/latest/clientvpn-ad..
After this I ensured that the route tables were configured properly to route the traffic to the required subnets.
Then I downloaded the configuration file for the client. Now we need to edit this file: first, in the remote line I added a random string before the endpoint, so if the endpoint was cvpn-endpoint-08121a12512c36815.prod.client.. 443 then I added abcde before it and it became: abcde.cvpn-endpoint-08121a12512c36815.prod...
Then at the end of the file I added two more fields first:
cert <path of the client certificate in the lightsail instance as created in the first step>
key <path of the client private key in the lightsail instance as created in the first step>
After this I copied the contents of this file.
- Now we move on to installing the OpenVPN client on the Lightsail instance; if the instance runs Debian, you can follow the steps below:
firstly, run the commands below (each command needs sudo, not only the first one):
$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get install curl openvpn unzip
Once the openvpn package has been installed, we create a new config file named config.ovpn and paste into it the contents of the file created in step 7.
Then, in order to initiate a connection, we used the command (openvpn needs root to create the tun device, and the option is --config with two dashes):
$ sudo openvpn --config config.ovpn
After running the above command, the VPN connection will be initiated and we will be able to communicate from this Lightsail instance to the resources in the non-default VPC, but we won't be able to communicate from the non-default VPC to the Lightsail instance; this is the disadvantage of this whole setup.
Please let me know if you have any queries regarding this. I will be delighted to help you as always.
Have a nice day ahead and stay safe!
We value your feedback. Please share your experience by rating this correspondence using the AWS Support Center link at the end of this correspondence. Each correspondence can also be rated by selecting the stars in top right corner of each correspondence within the AWS Support Center.
Best regards,
Mayank K.
Amazon Web Services
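The two manual edits the support reply makes to the downloaded Client VPN configuration (prefixing the hostname on the remote line with a random string, and appending cert and key lines) are easy to get wrong by hand, and the resulting file points at a private key that every local user on the instance could otherwise read. The script below is an added example, not code from the support reply or from AWS: it performs those two edits and refuses to proceed if the key is group- or world-readable. The function names (patch_cvpn_config, check_key_perms, make_demo_input), the file names and the endpoint hostname in the sample input are placeholders constructed for this example, not values from the support case.

```shell
#!/bin/sh
# Added example (not from the AWS support reply): patch a downloaded AWS
# Client VPN .ovpn file the way the reply describes, and check that the
# private key it will reference is protected. Function names, file names and
# the endpoint hostname below are constructed placeholders.

# patch_cvpn_config SRC DST CERT KEY [LABEL]
#   Writes DST from SRC with:
#     - "remote <host> <port>" rewritten to "remote <LABEL>.<host> <port>"
#       (LABEL defaults to 8 random lowercase chars, like the reply's "abcde")
#     - "cert CERT" and "key KEY" appended at the end
#   DST is created under umask 077 (mode 0600) because it names key material.
patch_cvpn_config() {
    src="$1"; dst="$2"; cert="$3"; key="$4"; label="${5:-}"
    if [ -z "$label" ]; then
        label=$(LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c 8)
    fi
    [ -n "$label" ] || label="abcde"
    (
        umask 077
        # "^remote[[:space:]]+" requires whitespace after "remote", so the
        # "remote-cert-tls server" directive is left untouched.
        sed -E "s/^remote[[:space:]]+([^[:space:]]+)/remote ${label}.\\1/" "$src" > "$dst"
        printf 'cert %s\nkey %s\n' "$cert" "$key" >> "$dst"
    )
}

# check_key_perms FILE
#   Succeeds only if FILE is readable by its owner alone (0600 or 0400).
#   openvpn reads the key from the path in the config, so a group- or
#   world-readable key would let any local user on the instance join the VPN.
check_key_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# make_demo_input DIR
#   Writes a constructed "downloaded.ovpn" (a minimal OpenVPN client config
#   with a made-up endpoint hostname) plus placeholder cert and key files.
#   This is NOT a real AWS-generated configuration file.
make_demo_input() {
    dir="$1"
    cat > "$dir/downloaded.ovpn" <<'EOF'
client
dev tun
proto udp
remote cvpn-endpoint-0123456789abcdef0.prod.clientvpn.ap-northeast-1.amazonaws.com 443
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
verb 3
EOF
    printf 'PLACEHOLDER CERTIFICATE\n' > "$dir/client.crt"
    printf 'PLACEHOLDER PRIVATE KEY\n' > "$dir/client.key"
    chmod 600 "$dir/client.key"
}

# demo: build the sample input in a temp dir, patch it with the fixed label
# "abcde" (as in the reply), check the key permissions and print the result.
demo() {
    d=$(mktemp -d)
    make_demo_input "$d"
    patch_cvpn_config "$d/downloaded.ovpn" "$d/config.ovpn" "$d/client.crt" "$d/client.key" abcde
    check_key_perms "$d/client.key" || { echo "refusing: $d/client.key is not mode 0600"; return 1; }
    cat "$d/config.ovpn"
    echo "now run: sudo openvpn --config $d/config.ovpn"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh cvpn_patch.sh demo` to see the patched file; in real use, call patch_cvpn_config on the file downloaded from the Client VPN console and the certificate and key created in the first step of the reply. The permission check is the part worth keeping even if you edit the file by hand: the configuration itself is harmless, but the key it points at is the credential that authenticates the instance to the endpoint.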