Customer Actions
This document outlines the necessary actions that a customer must perform in their AWS account to enable connectivity between their VPC and the Springtail services hosted in our AWS account. These actions include accepting VPC peering connections, updating route tables, and configuring security groups to allow traffic to the primary database instance.
Note: This step must be completed on all customer VPCs that are peered with us.
With AWS Web Console
- Navigate to the VPC details page.
- Click the "Actions" button and select "Edit VPC settings".
- In the "DNS settings" section, check both "Enable DNS resolution" and "Enable DNS hostnames" options.

With AWS CLI
```shell
$ aws ec2 modify-vpc-attribute --vpc-id {{customer_vpc_id}} --enable-dns-support
$ aws ec2 modify-vpc-attribute --vpc-id {{customer_vpc_id}} --enable-dns-hostnames
```
Note: This step must be completed on all customer VPCs that are peered with us.
With AWS Web Console
- Go to the VPC dashboard and select "Peering connections" from the left navigation.
- In the main list view, select the peering connection with the ID equal to {{vpc_peering_connection_id}}.
- Click "Actions" and select "Accept Request".
- On the VPC Peering Connection Details page, on the DNS tab, click "Edit DNS Settings".
- Check "Accepter / Requester DNS resolution"; this makes sure that the primary DB hostname always resolves to a private IP address on the Springtail side.

With AWS CLI
```shell
$ aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id {{database_vpc_peering_connection_id}}
$ aws ec2 modify-vpc-peering-connection-options \
    --vpc-peering-connection-id {{database_vpc_peering_connection_id}} \
    --accepter-peering-connection-options 'AllowDnsResolutionFromRemoteVpc=true'
```
With AWS Web Console
- Go to the RDS console and click on the database instance details. In the "Connectivity & security" tab, note all subnet IDs or click into the subnets.
- For each subnet listed in the "Subnet" section under the VPC dashboard, select the subnet, click the "Route Table" tab, and then click the Route Table ID.
- In the Route Table list view, select the route table.
- In the "Routes" tab, click "Edit routes".
- Add a new route with the destination CIDR block equal to {{transit_vpc_cidr_block}} and the target set to the VPC Peering Connection ID, {{database_vpc_peering_connection_id}}.

With AWS CLI
```shell
# Note the VPC ID and subnet IDs
$ aws rds describe-db-instances --db-instance-identifier {{db_instance_identifier}} --query "DBInstances[0].[DBSubnetGroup.VpcId, DBSubnetGroup.Subnets]"
# Note the route table IDs
$ aws ec2 describe-route-tables --filters "Name=vpc-id,Values={{customer_vpc_id}}" "Name=association.subnet-id,Values={{subnet_ids}}" --query "RouteTables[*].RouteTableId"
# Add the route in each route table found above
$ aws ec2 create-route --route-table-id {{route_table_id}} --destination-cidr-block {{transit_vpc_cidr_block}} --vpc-peering-connection-id {{database_vpc_peering_connection_id}}
```
With AWS Web Console
- Go to the RDS console and click on the database instance details.
- In the "Connectivity & security" tab, note the security group ID.
- Navigate to the EC2 console and select "Security Groups" from the left navigation.
- In the main list view, select the security group with the ID equal to the noted security group ID.
- In the "Inbound rules" tab, click "Edit inbound rules".
- Add a new rule with the following settings:
  - Type: PostgreSQL
  - Protocol: TCP
  - Port Range: {{db_port}}
  - Source: {{st_inbound_nlb_security_group_id}}
  - Security Group ID: {{database_security_group_id}}

With AWS CLI
Add an ingress rule to allow connections from {{inbound_nlb_security_group_short_id}} and {{provider_account_id}} to the primary database instance security group.
```shell
$ aws ec2 authorize-security-group-ingress --group-id {{database_security_group_id}} --protocol tcp --port {{db_port}} --source-group {{inbound_nlb_security_group_short_id}} --group-owner {{provider_account_id}}
```
Note: This step must be done for all application VPCs that are peered.
With AWS CLI
Note: This step requires the use of the AWS CLI, as there is no Web Console support.
Associate the VPC with the private hosted zone created in the Provider Account. The private hosted zone ID is output as {{private_hosted_zone_id}}.
```shell
$ aws route53 associate-vpc-with-hosted-zone --hosted-zone-id {{private_hosted_zone_id}} --vpc VPCRegion={{customer_vpc_region}},VPCId={{customer_vpc_id}} --region {{region}}
```
Note: This step must be done on all application VPCs on the customer side that are peered, to allow applications within those VPCs to access the Springtail services.
With AWS Web Console
- Go to the EC2 console and select "Security Groups" from the left navigation.
- In the main list view, select the security group used for EC2 instances or other resources that will access Springtail's endpoint.
- In the "Outbound rules" tab, click "Edit outbound rules".
- Add a new rule with the following settings:
  - Type: All traffic
  - Protocol: All
  - Port Range: All
  - Destination: {{transit_vpc_cidr_block}}

With AWS CLI
```shell
$ aws ec2 authorize-security-group-egress --group-id {{application_security_group_id}} --protocol all --port all --cidr {{transit_vpc_cidr_block}}
```
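After the route-table and security-group steps have been applied, it is worth confirming the resulting state rather than trusting that each command succeeded. The following is an added example, not part of this document and not Springtail's code: it takes the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` return and checks that every route table carries the transit route via the peering connection, that the database security group admits the provider's NLB security group on the database port, and whether any CIDR source also reaches that port (the documented rule uses a security-group source only). The two documents embedded below are constructed samples; `pcx-0example`, `rtb-0aaa`, `sg-0db`, `sg-0nlb`, the account `111122223333` and the CIDR `10.200.0.0/16` are placeholders, not values from this document.

```python
"""Added example (not Springtail's code): verify the route-table and
security-group changes from the steps above using the JSON documents that
`aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` return.
Both documents below are constructed samples, not real output."""
import json

# Constructed: two subnet route tables, one with the transit route and one without.
ROUTE_TABLES_DOC = json.loads(r'''{
  "RouteTables": [
    {"RouteTableId": "rtb-0aaa", "Associations": [{"SubnetId": "subnet-0aaa"}],
     "Routes": [
       {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
       {"DestinationCidrBlock": "10.200.0.0/16", "VpcPeeringConnectionId": "pcx-0example",
        "State": "active"}]},
    {"RouteTableId": "rtb-0bbb", "Associations": [{"SubnetId": "subnet-0bbb"}],
     "Routes": [
       {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]}
  ]}''')

# Constructed: the database security group with the cross-account NLB rule
# from the steps above plus a wide CIDR rule that the design does not call for.
SECURITY_GROUPS_DOC = json.loads(r'''{
  "SecurityGroups": [
    {"GroupId": "sg-0db",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
        "UserIdGroupPairs": [{"GroupId": "sg-0nlb", "UserId": "111122223333"}],
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
  ]}''')


def route_tables_missing_transit_route(doc, transit_cidr, pcx_id):
    """IDs of route tables that lack an active route for transit_cidr via pcx_id."""
    missing = []
    for rt in doc["RouteTables"]:
        has_route = any(
            r.get("DestinationCidrBlock") == transit_cidr
            and r.get("VpcPeeringConnectionId") == pcx_id
            and r.get("State") == "active"
            for r in rt.get("Routes", []))
        if not has_route:
            missing.append(rt["RouteTableId"])
    return missing


def _covers_port(perm, port):
    """True if an IpPermissions entry admits TCP traffic to the given port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def db_ingress_from_nlb(doc, db_sg_id, db_port, nlb_sg_id, provider_account_id):
    """True if db_sg_id has a TCP rule on db_port whose source is the NLB security
    group owned by the provider account (the --source-group / --group-owner pair)."""
    for sg in doc["SecurityGroups"]:
        if sg["GroupId"] != db_sg_id:
            continue
        for perm in sg.get("IpPermissions", []):
            if not _covers_port(perm, db_port):
                continue
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") == nlb_sg_id and pair.get("UserId") == provider_account_id:
                    return True
    return False


def cidr_sources_on_db_port(doc, db_sg_id, db_port):
    """CIDR sources that can also reach db_port. The documented rule uses a
    security-group source only, so anything returned here is wider than the
    design requires and should be reviewed."""
    found = []
    for sg in doc["SecurityGroups"]:
        if sg["GroupId"] != db_sg_id:
            continue
        for perm in sg.get("IpPermissions", []):
            if _covers_port(perm, db_port):
                found.extend(r["CidrIp"] for r in perm.get("IpRanges", []))
    return found


if __name__ == "__main__":
    # Run against the constructed samples; for a real check, json.load() the
    # output of the two describe commands and pass the IDs from the steps above.
    print("route tables without the transit route:",
          route_tables_missing_transit_route(ROUTE_TABLES_DOC, "10.200.0.0/16", "pcx-0example"))
    print("NLB -> DB rule present:",
          db_ingress_from_nlb(SECURITY_GROUPS_DOC, "sg-0db", 5432, "sg-0nlb", "111122223333"))
    print("extra CIDR sources on the DB port:", cidr_sources_on_db_port(SECURITY_GROUPS_DOC, "sg-0db", 5432))
```

The check deliberately requires the route's `State` to be `active` and matches the source security group together with its owning account, since a rule that names the right group ID in the wrong account does not admit the provider's NLB.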
Below is an example IAM policy the customer can attach to the IAM role or user that performs the actions above; it grants the permissions those actions require.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AcceptVpcPeeringConnection",
        "ec2:DescribeVpcPeeringConnections",
        "ec2:DescribeVpcAttribute",
        "ec2:ModifyVpcAttribute",
        "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables",
        "ec2:CreateRoute",
        "ec2:DeleteRoute",
        "route53:AssociateVPCWithHostedZone",
        "rds:DescribeDBInstances",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": [
        "arn:aws:ec2:{{region}}:{{customer-account-id}}:vpc-peering-connection/{{database_vpc_peering_connection_id}}",
        "arn:aws:ec2:{{region}}:{{customer-account-id}}:vpc/{{vpc-id}}",
        "arn:aws:ec2:{{region}}:{{customer-account-id}}:subnet/*",
        "arn:aws:ec2:{{region}}:{{customer-account-id}}:route-table/*",
        "arn:aws:rds:{{region}}:{{customer-account-id}}:db:{{db-instance-id}}",
        "arn:aws:ec2:{{region}}:{{customer-account-id}}:security-group/*",
        "arn:aws:route53::{{service-account-id}}:hostedzone/{{hosted-zone-id}}"
      ]
    }
  ]
}
```
Repeat the `vpc-peering-connection/...` resource entry for each customer database VPC peering connection, and the `vpc/...` resource entry for each customer database or application VPC.
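Before handing a policy like this to the customer, it is useful to confirm that it actually covers every CLI command in the steps above and that its resource scoping will not silently deny calls. The following is an added example, not part of this document and not Springtail's code. It embeds the policy as listed here (placeholders kept verbatim), maps each `aws <service> <command>` used in the steps to the IAM action of the same name, and reports actions the policy does not grant; it also flags `ec2:Describe*` actions granted only on specific ARNs, because EC2 Describe* actions do not support resource-level permissions and need `"Resource": "*"` (a property of the AWS service authorization model, not something stated on this page). Dependent permissions that some API calls need in addition to their own action are deliberately not modelled.

```python
"""Added example (not Springtail's code): cross-check the IAM policy from this
document against the IAM actions that the documented AWS CLI steps invoke."""
import fnmatch
import json

# The policy as listed in this document, placeholders left verbatim.
POLICY = json.loads(r'''{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:AcceptVpcPeeringConnection", "ec2:DescribeVpcPeeringConnections",
      "ec2:DescribeVpcAttribute", "ec2:ModifyVpcAttribute", "ec2:DescribeSubnets",
      "ec2:DescribeRouteTables", "ec2:CreateRoute", "ec2:DeleteRoute",
      "route53:AssociateVPCWithHostedZone", "rds:DescribeDBInstances",
      "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress",
      "ec2:DescribeSecurityGroups"
    ],
    "Resource": [
      "arn:aws:ec2:{{region}}:{{customer-account-id}}:vpc-peering-connection/{{database_vpc_peering_connection_id}}",
      "arn:aws:ec2:{{region}}:{{customer-account-id}}:vpc/{{vpc-id}}",
      "arn:aws:ec2:{{region}}:{{customer-account-id}}:subnet/*",
      "arn:aws:ec2:{{region}}:{{customer-account-id}}:route-table/*",
      "arn:aws:rds:{{region}}:{{customer-account-id}}:db:{{db-instance-id}}",
      "arn:aws:ec2:{{region}}:{{customer-account-id}}:security-group/*",
      "arn:aws:route53::{{service-account-id}}:hostedzone/{{hosted-zone-id}}"
    ]
  }]
}''')

# Each `aws <service> <command>` used in the steps of this document, mapped to
# the IAM action of the same name. Dependent permissions are not modelled.
REQUIRED_ACTIONS = {
    "ec2 modify-vpc-attribute": "ec2:ModifyVpcAttribute",
    "ec2 accept-vpc-peering-connection": "ec2:AcceptVpcPeeringConnection",
    "ec2 modify-vpc-peering-connection-options": "ec2:ModifyVpcPeeringConnectionOptions",
    "rds describe-db-instances": "rds:DescribeDBInstances",
    "ec2 describe-route-tables": "ec2:DescribeRouteTables",
    "ec2 create-route": "ec2:CreateRoute",
    "ec2 authorize-security-group-ingress": "ec2:AuthorizeSecurityGroupIngress",
    "route53 associate-vpc-with-hosted-zone": "route53:AssociateVPCWithHostedZone",
    "ec2 authorize-security-group-egress": "ec2:AuthorizeSecurityGroupEgress",
}


def allowed_action_patterns(policy):
    """Collect the action patterns granted by every Allow statement."""
    patterns = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.update([actions] if isinstance(actions, str) else actions)
    return patterns


def is_granted(action, patterns):
    """IAM action matching is case-insensitive and honours '*' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Actions the CLI steps need that no Allow statement covers."""
    patterns = allowed_action_patterns(policy)
    return sorted(a for a in set(required.values()) if not is_granted(a, patterns))


def scoped_ec2_describe_actions(policy):
    """EC2 Describe* actions do not support resource-level permissions, so an
    Allow statement that lists them only with specific ARNs (no "*") will not
    actually authorise them at call time."""
    findings = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if "*" in resources:
            continue
        for action in stmt.get("Action", []):
            if action.lower().startswith("ec2:describe"):
                findings.add(action)
    return sorted(findings)


if __name__ == "__main__":
    patterns = allowed_action_patterns(POLICY)
    for cmd, action in REQUIRED_ACTIONS.items():
        status = "ok" if is_granted(action, patterns) else "MISSING"
        print(f"{status:8} aws {cmd} -> {action}")
    for action in scoped_ec2_describe_actions(POLICY):
        print(f"warning  {action} is granted only on specific ARNs; Describe* needs Resource \"*\"")
```

Run as-is, the checker reports that `ec2:ModifyVpcPeeringConnectionOptions`, needed by the `aws ec2 modify-vpc-peering-connection-options` command in the peering step, is not in the policy, and warns about the five `ec2:Describe*` actions; a practical fix is a second statement that grants the Describe* actions on `"Resource": "*"` while the mutating actions keep the scoped ARNs.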
The placeholders used in this document are:

- {{customer_vpc_id}}: VPC ID of the customer's VPC.
- {{database_vpc_peering_connection_id}}: ID of the VPC peering connection between the customer VPC and the provider VPC.
- {{db_instance_identifier}}: Database instance identifier in the RDS service.
- {{subnet_ids}}: Comma-separated list of subnet IDs associated with the VPC.
- {{route_table_id}}: Route table ID in the customer VPC.
- {{transit_vpc_cidr_block}}: CIDR block of the Transit VPC in the provider account.
- {{db_port}}: Port on which the database is listening.
- {{database_security_group_id}}: Security group ID of the primary database instance.
- {{inbound_nlb_security_group_id}}: Security group ID for the inbound NLB in long format, `<account_id>/<security_group_id>`.
- {{inbound_nlb_security_group_short_id}}: The security group ID part of {{inbound_nlb_security_group_id}}.
- {{provider_account_id}}: The AWS account part of {{inbound_nlb_security_group_id}}.
- {{private_hosted_zone_id}}: ID of the private hosted zone returned in the VPC Config.
- {{region}}: AWS region where the VPC or hosted zone is located.
- {{customer_vpc_region}}: AWS region where the customer VPC for applications is located.
- {{application_security_group_id}}: Security group ID of the customer applications.