Soracom Canal
VPC Peering Connection Configuration
The Soracom Canal VPC peering connects a Type-F or Type-G VPG to your Amazon VPC. This connection enables a one-way connection with Carrier Grade NAT (CGNAT) from devices using IoT SIMs to instances such as EC2 in your Amazon VPC over a private network. If you need bidirectional communication with Canal VPC peering, you also need Soracom Gate.
Requirements
To configure Canal with an Amazon VPC Peering Connection, you will need the following information:
- Your AWS account number
- The ID of the AWS VPC you want to connect to, such as `vpc-12345678`
- The AWS Region where your VPC is located
- The CIDR block of your VPC, which should comply with RFC 1918
The CIDR block of your VPC must be within one of the following IP address ranges:
- `10.0.0.0/8` (excluding `10.21.0.0/16`; see Limitations below)
- `172.16.0.0/12`
- `192.168.0.0/16`
If you don't have a VPC yet, follow the instructions in the Creating a VPC section in this document.
In addition, you will need to create a Type-F or Type-G Virtual Private Gateway.
Limitations
If you have created a VPG in Japan coverage, your VPC cannot include the `10.21.0.0/16` IP address range. If your AWS VPC uses a CIDR block that includes this range, you will need to create a new VPC with a CIDR block that does not include this range.
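The CIDR requirements and the Japan-coverage limitation above are easy to check before you create the VPC or the peering request. The following Python snippet is an added example (not part of the Soracom documentation or tooling) that validates a candidate VPC CIDR block against the RFC 1918 ranges and the reserved `10.21.0.0/16` range; the optional `device_subnet` comparison against the VPG device subnet goes beyond the page and is an assumption, included because an overlapping device subnet would make device and VPC addresses ambiguous. All candidate blocks in the `__main__` section are constructed values.

```python
import ipaddress
from typing import List, Optional

# RFC 1918 ranges accepted for the VPC side of a Canal peering connection.
RFC1918_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Range Soracom allocates for internal resources in Japan coverage.
JAPAN_RESERVED = ipaddress.ip_network("10.21.0.0/16")


def check_vpc_cidr(cidr: str, japan_coverage: bool,
                   device_subnet: Optional[str] = None) -> List[str]:
    """Return the list of problems found with a candidate VPC CIDR block.

    An empty list means the block satisfies the requirements on this page.
    `device_subnet` is an optional extra check (an assumption beyond the page):
    the VPC block is also compared against the VPG device subnet, because an
    overlap there would leave device and VPC addresses ambiguous.
    """
    problems: List[str] = []
    try:
        # strict=True rejects blocks with host bits set, e.g. 10.0.0.1/24
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"{cidr!r} is not a valid CIDR block: {exc}"]
    if net.version != 4:
        return [f"{cidr} is not an IPv4 block"]

    if not any(net.subnet_of(rng) for rng in RFC1918_RANGES):
        problems.append(
            f"{net} is not within 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16")

    if japan_coverage and net.overlaps(JAPAN_RESERVED):
        problems.append(
            f"{net} includes part of {JAPAN_RESERVED}, which Soracom reserves "
            "in Japan coverage; create a VPC with a different block")

    if device_subnet is not None:
        dev = ipaddress.ip_network(device_subnet, strict=True)
        if net.overlaps(dev):
            problems.append(f"{net} overlaps the VPG device subnet {dev}")

    return problems


if __name__ == "__main__":
    # Constructed candidates, not values taken from a real account.
    for candidate in ["10.21.0.0/16", "172.31.0.0/16", "100.64.0.0/10", "10.0.0.1/24"]:
        issues = check_vpc_cidr(candidate, japan_coverage=True)
        print(candidate, "OK" if not issues else issues)
```

Run it with `japan_coverage=False` for VPGs outside Japan coverage; only the RFC 1918 check (and the optional device-subnet check) then applies.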
Configuration
Creating a VPG
Creating a VPG will incur fees. Refer to the Pricing & Fee Schedule for more information.
Follow the instructions from the Virtual Private Gateway Configuration documentation to create a new VPG with the following options:
- Name - Any name to identify this VPG
- Type - Select `Type-F` or `Type-G` (other VPG types do not support Peering Connections).
- Use internet gateway - `ON` or `OFF`
- Rendezvous Point - When creating a Type-F or Type-G VPG, you can select the region where your VPG will be located, in order to maximize the Peering Connection performance. When creating a Type-C VPG, this will be set automatically to Frankfurt (Germany).
- CIDR Range for device subnet (optional) - The CIDR block of IP addresses assigned to Air and Arc devices that connect to this VPG. If left blank, a default block of `10.128.0.0/9` will be used. Manually specified Device Subnets must be within the `10.0.0.0/8`, `172.16.0.0/12`, or `192.168.0.0/16` CIDR ranges and have a subnet mask of `/24` or larger.
For more information on each option, refer to the VPG Configuration documentation.
Add a Peering Connection
While your first VPC peering connection is included in the cost of your VPG, adding additional peering connections will incur additional fees. Refer to the Pricing & Fee Schedule for more information.
With a VPG created, we can now add an AWS Peering Connection in order to connect it to our AWS VPC.
- Log in to the User Console. From the Menu, open the VPG screen.
- From the list of VPGs, click the name of the VPG you want to configure to open its settings page.
- From the Basic settings tab, VPC Peering Connections panel, click the Add button.
- Enter your AWS Account ID, the AWS VPC ID, the AWS Region, and the VPC CIDR Block. Then click the Save button.
This will initiate a Peering Connection request with your AWS account. Next, we'll accept the connection request to complete the Peering Connection setup.
Accept the Peering Connection Request
- Log in to the AWS Management Console. From the Services menu, open the VPC dashboard.
- Click the Peering Connections section.
- Select the Peering Connection request in the list. Its Status should appear as `pending-acceptance`.
- Click the Actions menu, then select Accept Request.
A dialog will appear asking if you want to update your VPC's routing table. In order to route traffic correctly between the Soracom VPG and your AWS VPC, we need to add a new routing rule.
- Click the Modify my route tables now link.
- From the list of route tables, select the route table that is attached to your VPC. The Explicitly Associated column should indicate that it is associated with 1 Subnet.
- Click the Routes tab. Then add a new destination with the following values:
  - Destination - The CIDR range of your VPG. If not previously noted, this range can be found in the VPG overview table under VPG IP Address Range. For example: `100.64.0.0/10`.
  - Target - `pcx-xxxxxxxx`. The Target option tells the VPC that traffic returning to the VPG should be routed using the selected Peering Connection. As you type `pcx`, the approved Peering Connection should appear automatically.
  Then click the Save button.
Canal is now configured, and IoT SIM devices that are attached to the VPG will be able to connect to network resources within your VPC.
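The acceptance and route-table steps above can also be done programmatically, which is useful when you manage several VPGs or want to verify that the return route is actually present. The following Python example is added here and is not Soracom's or AWS's own code: `plan_peering_routes` decides, from `describe_route_tables`-shaped data, which route tables need the route back to the VPG range via the peering connection, reports tables that already have it, and flags tables where the same destination is already routed elsewhere (so nothing is overwritten silently); `accept_and_route` wires that plan to the boto3 `accept_vpc_peering_connection`, `describe_route_tables` and `create_route` calls. The route-table sample, VPC, subnet and route table IDs are constructed placeholders, and `pcx-xxxxxxxx` / `100.64.0.0/10` are the placeholder values used on this page.

```python
from typing import Any, Dict, List

# Constructed sample in the shape of ec2.describe_route_tables()["RouteTables"];
# every ID here is a placeholder, not a value from a real account.
SAMPLE_ROUTE_TABLES: List[Dict[str, Any]] = [
    {   # main route table: no explicit subnet association, so it is skipped
        "RouteTableId": "rtb-main0000",
        "VpcId": "vpc-12345678",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {   # the table explicitly associated with the VPC's subnet (console: "1 Subnet")
        "RouteTableId": "rtb-0a1b2c3d",
        "VpcId": "vpc-12345678",
        "Associations": [{"Main": False, "SubnetId": "subnet-0f1e2d3c"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-xxxxxxxx"},
        ],
    },
]


def plan_peering_routes(route_tables, vpg_cidr: str, pcx_id: str) -> Dict[str, list]:
    """Decide, per route table, whether the return route to the VPG is missing,
    already present, or conflicts with an existing route for the same destination.

    Only tables with an explicit subnet association are considered, matching the
    "Explicitly Associated" selection step in the console procedure.
    """
    plan: Dict[str, list] = {"create": [], "present": [], "conflict": []}
    for table in route_tables:
        if not any(a.get("SubnetId") for a in table.get("Associations", [])):
            continue
        rtb = table["RouteTableId"]
        existing = [r for r in table.get("Routes", [])
                    if r.get("DestinationCidrBlock") == vpg_cidr]
        if not existing:
            # Keys match the parameters of ec2.create_route()
            plan["create"].append({
                "RouteTableId": rtb,
                "DestinationCidrBlock": vpg_cidr,
                "VpcPeeringConnectionId": pcx_id,
            })
        elif any(r.get("VpcPeeringConnectionId") == pcx_id for r in existing):
            plan["present"].append(rtb)
        else:
            # Same destination already routed elsewhere; report instead of overwriting.
            plan["conflict"].append({"RouteTableId": rtb, "routes": existing})
    return plan


def accept_and_route(region: str, vpc_id: str, pcx_id: str, vpg_cidr: str) -> Dict[str, list]:
    """Accept the pending peering request and add the return routes with boto3.

    Needs credentials allowed to call ec2:AcceptVpcPeeringConnection,
    ec2:DescribeRouteTables and ec2:CreateRoute; it is not exercised offline.
    """
    import boto3  # imported here so the planner above works without boto3 installed

    ec2 = boto3.client("ec2", region_name=region)
    ec2.accept_vpc_peering_connection(VpcPeeringConnectionId=pcx_id)
    tables = ec2.describe_route_tables(
        Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["RouteTables"]
    plan = plan_peering_routes(tables, vpg_cidr, pcx_id)
    for route in plan["create"]:
        ec2.create_route(**route)
    return plan


if __name__ == "__main__":
    print(plan_peering_routes(SAMPLE_ROUTE_TABLES, "100.64.0.0/10", "pcx-xxxxxxxx"))
```

Running `plan_peering_routes` alone against the output of `aws ec2 describe-route-tables` is a harmless way to audit an existing Canal setup: an entry under `conflict` means the VPG range is being routed somewhere other than the peering connection, which is the usual reason return traffic to devices never arrives.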
Testing Canal
To test the Canal connection, simply create a network resource within your VPC.
For example, you can create a basic EC2 instance, making sure that it belongs to your VPC, and is assigned a static IP address within your VPC's CIDR block range.
Then connect to the EC2 instance to install and start an Apache webserver with its default welcome page.
Configure your EC2 instance's Security Group to allow inbound HTTP traffic on port `80` from `0.0.0.0/0` (any source).
Finally, test that your IoT SIM device is able to view or `curl` the default Apache webpage using the EC2 instance's private IP address.
Configuring your EC2 instance to allow inbound traffic from `0.0.0.0/0` (any source) is intended only to simplify testing. Leaving this configuration as-is will expose your EC2 instance to external access.
Once you have verified that your devices are able to reach your EC2 instance, you should update this configuration to, for example, only allow traffic from your VPG by changing the source CIDR block to match the Requester CIDRs found in your list of VPC Peering connections, or remove this configuration altogether if you plan on using a different protocol.
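The clean-up step above, restricting the test rule to the VPG's Requester CIDRs, is the kind of thing worth automating so the any-source rule does not linger. The following Python example is added here and is not part of the Soracom documentation: `find_open_rules` reports every ingress rule in a Security Group's `IpPermissions` (the shape returned by `describe_security_groups`) that admits `0.0.0.0/0` or `::/0`, and `scope_to_vpg` produces the same rules with those sources replaced by the Requester CIDRs from the peering connection. The sample permissions, the `203.0.113.0/24` admin range and the security group ID in `apply_hardening` are constructed placeholders; `100.64.0.0/10` is the example VPG range used on this page, and the boto3 `revoke_security_group_ingress` / `authorize_security_group_ingress` calls assume credentials and are not exercised offline.

```python
from typing import Any, Dict, List, Tuple

# "Anywhere" sources that make a rule reachable from outside the peering.
OPEN_SOURCES = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of describe_security_groups()["SecurityGroups"][0]["IpPermissions"]:
# the wide-open test rule this page tells you to add, plus an unrelated admin rule.
SAMPLE_PERMISSIONS: List[Dict[str, Any]] = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Canal test"}],
     "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "admin"}],
     "Ipv6Ranges": [], "UserIdGroupPairs": []},
]


def find_open_rules(permissions) -> List[Tuple[str, Any, Any, str]]:
    """Return (protocol, from_port, to_port, cidr) for every rule open to any source."""
    found = []
    for perm in permissions:
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in ranges:
            if cidr in OPEN_SOURCES:
                # FromPort/ToPort are absent for IpProtocol "-1" (all traffic)
                found.append((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"), cidr))
    return found


def scope_to_vpg(permissions, requester_cidrs: List[str]) -> List[Dict[str, Any]]:
    """Return a copy of the permissions in which every any-source IPv4 range is
    replaced by the peering connection's Requester CIDRs, so only traffic arriving
    from the VPG can reach the port. Any-source IPv6 ranges are removed, since the
    Requester CIDRs on this page are IPv4 ranges."""
    hardened = []
    for perm in permissions:
        new_perm = dict(perm)
        kept = [r for r in perm.get("IpRanges", []) if r["CidrIp"] not in OPEN_SOURCES]
        if len(kept) != len(perm.get("IpRanges", [])):
            kept += [{"CidrIp": c, "Description": "Soracom VPG (Canal)"} for c in requester_cidrs]
        new_perm["IpRanges"] = kept
        new_perm["Ipv6Ranges"] = [r for r in perm.get("Ipv6Ranges", [])
                                  if r["CidrIpv6"] not in OPEN_SOURCES]
        hardened.append(new_perm)
    return hardened


def apply_hardening(region: str, group_id: str, permissions, requester_cidrs: List[str]) -> None:
    """Revoke the any-source portion of each open rule and authorize the scoped rule.
    Uses boto3 and real credentials; not run offline."""
    import boto3  # imported here so the pure functions above work without boto3

    ec2 = boto3.client("ec2", region_name=region)
    for perm in permissions:
        open_v4 = [r for r in perm.get("IpRanges", []) if r["CidrIp"] in OPEN_SOURCES]
        if not open_v4:
            continue
        # Revoke only the 0.0.0.0/0 entry; keep FromPort/ToPort out for protocol "-1".
        revoke = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
        revoke["IpRanges"] = [{"CidrIp": r["CidrIp"]} for r in open_v4]
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=[revoke])
    for perm in scope_to_vpg(permissions, requester_cidrs):
        if any(r["Description"] == "Soracom VPG (Canal)" for r in perm["IpRanges"]):
            ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=[perm])


if __name__ == "__main__":
    print("open rules:", find_open_rules(SAMPLE_PERMISSIONS))
    print("hardened:", scope_to_vpg(SAMPLE_PERMISSIONS, ["100.64.0.0/10"]))
```

`find_open_rules` on its own is a useful recurring check across the account: a Security Group attached to an instance that is only meant to serve Canal devices should never return anything from it.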
Reference
Creating a VPC
- Log in to the AWS Management Console. From the Services menu, open the VPC dashboard. Then click the Create VPC button.
- In the Select a VPC Configuration screen, choose VPC with a Single Public Subnet and click the Select button.
- Enter a VPC name for this VPC. You can leave the other settings with their default values, or configure a different IPv4 CIDR block and other settings if desired.
  Note: If you have created a VPG in Japan coverage, ensure that your VPC's IPv4 CIDR block does not include the `10.21.0.0/16` IP address range. Soracom allocates internal resources within this IP address range. If you specify a CIDR block that includes this IP address range, you will have to create a new VPC.
  Then click the Create VPC button.
- Once the VPC has been created, it will appear in the list of VPCs.
- To enable the Internet gateway for the VPC, select the VPC from the list. Then click the Overview tab, and click the item listed next to Route table.
- Set the Internet gateway `igw-xxxxxxxx` as the target for the `0.0.0.0/0` destination. Then click the Save button.
Finding the Requirements
You can find your AWS account number by logging into the AWS Management Console. On the upper right corner of the console, click the ? support menu, then select Support Center. Your AWS account number will be displayed at the top of the navigation menu on the left side.
To find the ID and CIDR block of a VPC, click the Services menu and open the VPC dashboard. Then click the Your VPCs section. The VPC ID and CIDR block will be listed there.
Terminating Canal Connections
If you no longer need a closed network connection using Canal you may delete the VPG associated with the Canal connection. If you would like to keep using your VPG but remove the Canal connection, please contact Soracom support for assistance.