This page describes the steps to successfully create and provision a Partner Cross-Cloud Interconnect for Amazon Web Services (AWS) connection.
You can initiate connectivity from either Google Cloud or from
Amazon Web Services. To achieve a successful connection, you must
create the transport resource. After a resource is created
and connectivity is up, the flow is identical regardless of where the
provisioning is initiated. You can manage the resource from either side to
enable, disable, or change the bandwidth on the resources.
Before you start the Partner Cross-Cloud Interconnect for AWS provisioning process, ensure that the following conditions are met:
- You must already have an AWS account.
- You must also create a Virtual Private Cloud (VPC) network, if it doesn't already exist, to connect your transport to.
- If you are a VPC Service Controls user, you must set up ingress and egress rules using the networkconnectivity-transportmanager-clh@system.gserviceaccount.com service account that is associated with Partner Cross-Cloud Interconnect for AWS.
Set up ingress and egress rules (for VPC Service Controls users)
If you are a VPC Service Controls user, follow the instructions to Update ingress and egress policies for a service perimeter.
Google recommends that you set up rules to allow the account to access all resources and operations within the VPC Service Controls security perimeter.
Use the networkconnectivity-transportmanager-clh@system.gserviceaccount.com
service account to set up the ingress and egress rules.
The following example shows an ingress rule YAML that you can apply.
- ingressFrom:
    identities:
    - serviceAccount:networkconnectivity-transportmanager-clh@system.gserviceaccount.com
    sources:
    - accessLevel: '*'
  ingressTo:
    operations:
    - serviceName: '*'
      methodSelectors:
      - method: '*'
    resources:
    - '*'
The following is an example of an egress rule YAML.
- egressTo:
    operations:
    - serviceName: '*'
      methodSelectors:
      - method: '*'
    resources:
    - '*'
  egressFrom:
    identities:
    - serviceAccount:networkconnectivity-transportmanager-clh@system.gserviceaccount.com
For information about ingress and egress rules, see Ingress and egress rules.
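As an added example (not part of the Google Cloud documentation), the following Python audit checks loaded VPC Service Controls rules for the transport manager service account and flags any other identity that receives the same wildcard operations and resources. The rule dictionaries mirror the ingress and egress YAML above in the shape PyYAML would load them; the function name audit_rules is an assumption.

```python
# Added example, not Google Cloud's own tooling: audit VPC Service Controls
# ingress/egress rules for the Partner Cross-Cloud Interconnect for AWS account.
TRANSPORT_SA = "serviceAccount:networkconnectivity-transportmanager-clh@system.gserviceaccount.com"

# Constructed inline so the example runs offline: these mirror the ingress and
# egress rule YAML on this page as PyYAML would load it.
INGRESS_RULES = [
    {
        "ingressFrom": {"identities": [TRANSPORT_SA], "sources": [{"accessLevel": "*"}]},
        "ingressTo": {
            "operations": [{"serviceName": "*", "methodSelectors": [{"method": "*"}]}],
            "resources": ["*"],
        },
    }
]
EGRESS_RULES = [
    {
        "egressTo": {
            "operations": [{"serviceName": "*", "methodSelectors": [{"method": "*"}]}],
            "resources": ["*"],
        },
        "egressFrom": {"identities": [TRANSPORT_SA]},
    }
]


def _grants_everything(to_block):
    """True when a rule's ingressTo/egressTo block is a wildcard grant
    (any serviceName '*' operation and resource '*')."""
    all_services = any(op.get("serviceName") == "*" for op in to_block.get("operations", []))
    return all_services and "*" in to_block.get("resources", [])


def audit_rules(rules, direction, expected_identity=TRANSPORT_SA):
    """Return (allowed, findings).

    allowed  : True if expected_identity appears in some rule's identities.
    findings : other identities that hold a wildcard grant, which should be
               reviewed because the broad rule is only intended for the
               transport manager service account.
    """
    from_key, to_key = {"ingress": ("ingressFrom", "ingressTo"),
                        "egress": ("egressFrom", "egressTo")}[direction]
    allowed, findings = False, []
    for rule in rules:
        identities = rule.get(from_key, {}).get("identities", [])
        if expected_identity in identities:
            allowed = True
        if _grants_everything(rule.get(to_key, {})):
            findings.extend(i for i in identities if i != expected_identity)
    return allowed, findings
```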
Your workflow might differ based on whether you have an activation key from AWS or not. For details, see the following sections.
Initiate connection from Google Cloud if you don't have an activation key
If you don't have an activation key from AWS, you can initiate and provision a Partner Cross-Cloud Interconnect for AWS connection from Google Cloud. To do so, follow these steps.
- Google Cloud regions are paired with specific AWS regions. When you choose a specific Google Cloud region to create your resources in, you must choose the corresponding AWS region.
- Select the correct profile and create the transport resource.
- Use the generated activation key to create the connection in your AWS account.
- Verify the connection by listing the peered VPC networks and route tables.
Initiate a connection from AWS if you have an activation key
If you already have an activation key from AWS, you can initiate and provision a Partner Cross-Cloud Interconnect for AWS connection from AWS. To do so, follow these steps.
- Activate your key by using the AWS Console.
- Follow the instructions to create a connection from the AWS Console. You must provide the project and region where you want the connection to land in Google Cloud. For a list of paired locations, see Choose a paired location.
- After the resource is created on the AWS side, create the Google Cloud resource with the provided activation key.
- Peer your VPC network to the transport's peering VPC network.