
Building an HA Cluster Using AWS Transit Gateway: Accessing AWS Virtual IP Resource from different VPCs (Windows/Linux)

EXPRESSCLUSTER Official Blog

July 28th, 2022

Machine translation is used partially for this article. See the Japanese version for the original article.

Introduction

Using AWS Transit Gateway (hereinafter called “Transit Gateway”), we tried connecting to an HA cluster based on VIP control, which was built on Amazon Web Services (hereinafter called “AWS”).

In the previous blog, we introduced the procedure for accessing the AWS Virtual IP Resource (hereinafter called "VIP") of an HA cluster in a VPC on AWS from on-premises (pseudo-environment).
Similarly, client machines can also connect via the VIP to an HA cluster located in a different VPC on AWS.

This time, assuming the following requirements, we will introduce the procedure for connecting to the VIP of an HA cluster from client machines located in a VPC different from the HA cluster's.

  • Placing client machines and an HA cluster in different VPCs on AWS and exchanging data.
  • Accessing the HA cluster directly via the VIP from the client machines.

Contents

1. HA Cluster Configuration

We will build an "HA Cluster Based on VIP Control" in a VPC in the N. Virginia region.
We also build client machines that access the HA cluster in a separate VPC and use Transit Gateway to connect the two VPCs.

Note: Amazon VPC Peering Connection (hereinafter called "VPC Peering Connection") is another method of connecting VPCs, but in an environment connected by VPC Peering you cannot connect to the VIP.
By connecting the VPCs using Transit Gateway, you can connect to the VIP.


The configuration is as follows.

2. HA Cluster Building Procedure

2.1 Building HA Cluster Based on VIP Control

2.1.1 Preparation for HA Cluster Building

Create VPCs in advance. The configuration of the VPCs is as follows.

HA cluster side:
  • VPC-10 (VPC ID : vpc-1234abcd)
    - CIDR : 10.0.0.0/16
    - Subnets
      > Subnet-A1 (Subnet ID : sub-1111aaaa) : 10.0.10.0/24
      > Subnet-A2 (Subnet ID : sub-2222aaaa) : 10.0.110.0/24
      > Subnet-B1 (Subnet ID : sub-1111bbbb) : 10.0.20.0/24
      > Subnet-B2 (Subnet ID : sub-2222bbbb) : 10.0.120.0/24
Client machines side:
  • VPC-11 (VPC ID : vpc-5678cdef)
    - CIDR : 11.0.0.0/16
    - Subnets
      > Subnet-A1 (Subnet ID : sub-1111abcd) : 11.0.10.0/24

2.1.2 Building HA Cluster Based on VIP Control

Build an "HA cluster based on VIP control".
For the EXPRESSCLUSTER configuration, refer to "4.1.2 Building HA Cluster Based on VIP Control" in the previous blog.

2.2 Creating Transit Gateway

Create a Transit Gateway and connect the VPC on the client machines side with the VPC on the HA cluster side.
For the setup flow, refer to "4.2 Creating Transit Gateway" in the previous blog.

Create the Transit Gateway Attachments with "VPC" as the Attachment Type: one for the client machines side VPC and one for the HA cluster side VPC.

After creating the Transit Gateway, configure the security groups to allow connections from the other VPC.
For outbound, the default rules need no additions or removals.

HA cluster side:
  • Security group
    - Inbound rules
      > Type : All traffic
      > Protocol : All
      > Port range : All
      > Source : 11.0.0.0/16
Client machines side:
  • Security group
    - Inbound rules
      > Type : All traffic
      > Protocol : All
      > Port range : All
      > Source : 10.0.0.0/16

Also, create routes in each VPC so that traffic bound for the other side reaches the Transit Gateway.

HA cluster side:
  • Route table
    - Route-A2 (Route table ID : rtb-0000000a)
      > 11.0.0.0/16 -> tgw-1234abcd (Transit Gateway ID)
    - Route-B2 (Route table ID : rtb-0000000b)
      > 11.0.0.0/16 -> tgw-1234abcd (Transit Gateway ID)
Client machines side:
  • Route table
    - Route-A1 (Route table ID : rtb-0000001a)
      > 172.16.0.1/32 (VIP address) -> tgw-1234abcd (Transit Gateway ID)
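As an added example (not part of the original article and not EXPRESSCLUSTER code), the following Python script models the route tables and security groups listed above and checks both directions of the VIP path with the same longest-prefix match the VPC router applies. The VPC, subnet, route table and Transit Gateway IDs, the CIDRs and the VIP are the article's values; the client address 11.0.10.50 and the application port 8080 are constructed assumptions. The narrower security group is an alternative to the article's all-traffic rule for comparison, not something the article configures. The script also checks that the VIP lies outside both VPC CIDRs, which is why a VPC Peering route (whose destination must lie inside the peer VPC's CIDR) cannot carry this traffic while a Transit Gateway route can.

```python
import ipaddress
from dataclasses import dataclass

# Constructed pre-flight model of the article's addressing. IDs, CIDRs and the
# VIP are the article's values; APP_PORT is an assumed application port.
VIP = "172.16.0.1"
TGW_ID = "tgw-1234abcd"
HA_VPC_CIDR = "10.0.0.0/16"
CLIENT_VPC_CIDR = "11.0.0.0/16"
APP_PORT = 8080  # assumption: the port clients connect to on the VIP


@dataclass
class RouteTable:
    rtb_id: str
    routes: dict  # destination CIDR -> target ("local" or a gateway ID)

    def lookup(self, dst):
        """Longest-prefix match over the table, as the VPC router does."""
        addr = ipaddress.ip_address(dst)
        best = None
        for cidr, target in self.routes.items():
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None


@dataclass
class SecurityGroup:
    name: str
    inbound: list  # (protocol or "-1" for all, from_port, to_port, source CIDR)

    def allows(self, proto, port, src):
        """True if any inbound rule admits proto/port from the source address."""
        src_addr = ipaddress.ip_address(src)
        for rule_proto, lo, hi, cidr in self.inbound:
            proto_ok = rule_proto == "-1" or rule_proto == proto
            port_ok = rule_proto == "-1" or lo <= port <= hi
            if proto_ok and port_ok and src_addr in ipaddress.ip_network(cidr):
                return True
        return False


# Route tables as listed in the article ("local" is the VPC's implicit route).
ROUTE_A2 = RouteTable("rtb-0000000a", {HA_VPC_CIDR: "local", CLIENT_VPC_CIDR: TGW_ID})
ROUTE_B2 = RouteTable("rtb-0000000b", {HA_VPC_CIDR: "local", CLIENT_VPC_CIDR: TGW_ID})
ROUTE_A1 = RouteTable("rtb-0000001a", {CLIENT_VPC_CIDR: "local", VIP + "/32": TGW_ID})

# The article's HA-side group (all traffic from the client VPC) beside a
# narrower alternative that admits only the assumed application port.
SG_PAGE = SecurityGroup("ha-cluster-all-traffic", [("-1", 0, 65535, CLIENT_VPC_CIDR)])
SG_NARROW = SecurityGroup("ha-cluster-app-only", [("tcp", APP_PORT, APP_PORT, CLIENT_VPC_CIDR)])


def vip_is_outside_vpcs(vip=VIP):
    """True when the VIP is not inside either VPC's CIDR."""
    addr = ipaddress.ip_address(vip)
    return all(addr not in ipaddress.ip_network(c) for c in (HA_VPC_CIDR, CLIENT_VPC_CIDR))


def check_vip_path(client_ip, client_rtb, ha_rtbs, ha_sg, proto="tcp", port=APP_PORT):
    """Findings for client -> VIP, the return route from every HA-side table,
    and the HA-side security group. An empty list means the model is complete."""
    findings = []
    if client_rtb.lookup(VIP) != TGW_ID:
        findings.append(f"{client_rtb.rtb_id}: no route for {VIP} via {TGW_ID}")
    for rtb in ha_rtbs:
        if rtb.lookup(client_ip) != TGW_ID:
            findings.append(f"{rtb.rtb_id}: no return route for {client_ip} via {TGW_ID}")
    if not ha_sg.allows(proto, port, client_ip):
        findings.append(f"{ha_sg.name}: inbound {proto}/{port} from {client_ip} not allowed")
    return findings


if __name__ == "__main__":
    client = "11.0.10.50"  # constructed client address in Subnet-A1 of VPC-11
    print("VIP outside both VPCs:", vip_is_outside_vpcs())
    print("article config      :", check_vip_path(client, ROUTE_A1, [ROUTE_A2, ROUTE_B2], SG_PAGE))
    print("narrow security grp :", check_vip_path(client, ROUTE_A1, [ROUTE_A2, ROUTE_B2], SG_NARROW))
    # An HA-side table that lacks the 11.0.0.0/16 route is reported as a finding.
    broken = RouteTable("rtb-missing-return", {HA_VPC_CIDR: "local"})
    print("missing return route:", check_vip_path(client, ROUTE_A1, [broken], SG_PAGE))
```

Running the script reports no findings for the article's tables, and one finding when an HA-side route table lacks the return route to 11.0.0.0/16, which is the usual cause of a VIP that answers from one subnet but not the other after failover. The narrower group yields the same clean result for the application port while refusing everything else from the client VPC.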

3. Checking the Operation

Verify that the client machine can access the active EC2 instance using VIP (172.16.0.1).

  1. Start the failover group on the active EC2 instance.
  2. Verify that you can access the VIP (172.16.0.1) from a client machine and connect to the active EC2 instance.
  3. Using Cluster WebUI, manually move the failover group from the active EC2 instance to the standby EC2 instance.
  4. Verify that you can access the VIP (172.16.0.1) from the client machine and connect to the standby EC2 instance.

We were able to confirm that we could connect to the HA cluster via the VIP from the client machine.

Conclusion

This time, we tried connecting to an HA cluster based on VIP control built on AWS from a client machine in a different VPC using Transit Gateway.
If you need to access the VIP of an HA cluster directly from a client machine located in a VPC different from the HA cluster's, try this configuration.

If you are considering introducing the configuration described in this article, you can validate it with the trial module of EXPRESSCLUSTER. Please do not hesitate to contact us if you have any questions.