Set up an AWS VPC peering connection
Uses: Kong Gateway
Incompatible with: on-prem
TL;DR
Use the Konnect API to initiate peering, then accept the request in AWS and update your route table.
Prerequisites
Dedicated Cloud Gateway
This is a Konnect tutorial that requires Dedicated Cloud Gateways access.
If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.
- The following Konnect items are required to complete this tutorial:
  - Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
  - Dedicated Cloud Gateway Control Plane: You can use an existing Dedicated Cloud Gateway or create a new one to use for this tutorial.
  - Network ID: The default Dedicated Cloud Gateway network ID can be found in Gateway Manager > Network.
- Set these values as environment variables:
export KONNECT_TOKEN='YOUR KONNECT TOKEN'
export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
export KONNECT_NETWORK_ID='KONNECT NETWORK ID'
AWS credentials and VPC
You’ll need:
- An AWS account with permission to accept VPC peering requests and update route tables
- A target AWS VPC ID
- The AWS region of your VPC
- The VPC’s CIDR block
Save these values:
export AWS_ACCOUNT_ID='123456789012'
export AWS_VPC_ID='vpc-0f1e2d3c4b5a67890'
export AWS_REGION='us-east-2'
export AWS_VPC_CIDR='10.1.0.0/16'
Initiate the VPC peering connection
Send the following request to the Cloud Gateways API:
curl -X POST "https://global.api.konghq.com/v2/cloud-gateways/networks/$KONNECT_NETWORK_ID/transit-gateways" \
  -H "Authorization: Bearer $KONNECT_TOKEN" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  --json '{
    "name": "us-east-2 vpc peering",
    "cidr_blocks": [
      "'$AWS_VPC_CIDR'"
    ],
    "transit_gateway_attachment_config": {
      "kind": "aws-vpc-peering-attachment",
      "peer_account_id": "'$AWS_ACCOUNT_ID'",
      "peer_vpc_id": "'$AWS_VPC_ID'",
      "peer_vpc_region": "'$AWS_REGION'"
    }
  }'
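The curl command above splices shell variables straight into a single-quoted JSON string, so a stray quote or an unexpected value in one of them silently produces a malformed body. The following script is an added example (not Kong's own code) that sends the same request body through Python's standard library: it checks that the account ID, VPC ID, region and CIDR have the shapes AWS uses, refuses CIDRs with host bits set, offers an overlap check (AWS rejects peering between VPCs whose CIDR blocks overlap, so it is cheaper to find that out before the request is filed), and serialises the body with json.dumps. The identifier regexes and the stand-alone main block are assumptions of this example; the endpoint, headers and body fields are those on the page.

```python
"""Initiate a Konnect Dedicated Cloud Gateway VPC peering request.

Added example, not Kong's own code. Mirrors the POST body shown in the
tutorial but validates the inputs and builds the JSON with json.dumps
instead of splicing shell variables into a quoted string.
"""
import ipaddress
import json
import os
import re
import urllib.request

KONNECT_API = "https://global.api.konghq.com/v2/cloud-gateways"

# Identifier shapes AWS uses (assumed patterns, tightened for this example).
_ACCOUNT_RE = re.compile(r"^\d{12}$")
_VPC_RE = re.compile(r"^vpc-[0-9a-f]{8}([0-9a-f]{9})?$")
_REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


def validate_inputs(account_id, vpc_id, region, cidr):
    """Reject malformed values before they reach the API; returns the network."""
    if not _ACCOUNT_RE.match(account_id):
        raise ValueError(f"bad AWS account id: {account_id!r}")
    if not _VPC_RE.match(vpc_id):
        raise ValueError(f"bad VPC id: {vpc_id!r}")
    if not _REGION_RE.match(region):
        raise ValueError(f"bad AWS region: {region!r}")
    net = ipaddress.ip_network(cidr, strict=True)  # raises if host bits are set
    if net.version != 4:
        raise ValueError("this example handles IPv4 CIDR blocks only")
    return net


def cidrs_overlap(cidr_a, cidr_b):
    """AWS refuses to peer VPCs whose CIDR blocks overlap; check up front."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def build_peering_request(name, account_id, vpc_id, region, cidr):
    """Return the request body from the tutorial as a dict."""
    validate_inputs(account_id, vpc_id, region, cidr)
    return {
        "name": name,
        "cidr_blocks": [cidr],
        "transit_gateway_attachment_config": {
            "kind": "aws-vpc-peering-attachment",
            "peer_account_id": account_id,
            "peer_vpc_id": vpc_id,
            "peer_vpc_region": region,
        },
    }


def post_peering_request(network_id, token, body):
    """POST the body to /transit-gateways and return the parsed JSON reply."""
    req = urllib.request.Request(
        f"{KONNECT_API}/networks/{network_id}/transit-gateways",
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Reads the same environment variables the tutorial's curl command uses.
    body = build_peering_request(
        "us-east-2 vpc peering",
        os.environ["AWS_ACCOUNT_ID"],
        os.environ["AWS_VPC_ID"],
        os.environ["AWS_REGION"],
        os.environ["AWS_VPC_CIDR"],
    )
    reply = post_peering_request(
        os.environ["KONNECT_NETWORK_ID"], os.environ["KONNECT_TOKEN"], body)
    print(json.dumps(reply, indent=2))
```

Run it with the environment variables from the prerequisites set; call cidrs_overlap with your VPC CIDR and the Konnect network CIDR first if you are unsure whether the two ranges are disjoint.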
Accept the peering request in AWS
- Go to the AWS Console → VPC → VPC Peering Connections.
- Locate the pending request from Konnect.
- Select the request and from the Actions menu, select Accept request.
Update your AWS route table
- In the AWS Console, go to VPC → Route Tables.
- Select the route table for your VPC’s subnet.
- Select Edit routes from the Actions menu.
- Select Add route, and enter the following:
  - Destination: The CIDR block of the Konnect network.
  - Target: The accepted VPC peering connection.
- Save your changes.
This ensures private traffic routing between your VPC and the Dedicated Cloud Gateway.
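The two console procedures above (accept the request, then add the route) are what a team usually automates once the first peering has been done by hand. The script below is an added example, not Kong's or AWS's code, that performs both steps with boto3 and adds the check an operator should make before clicking Accept: that the pending request targets your VPC and was filed by the AWS account you expect, so that an unrelated peering request sitting in the same list is never accepted by mistake. It routes only the Konnect network CIDR over the link and refuses a default route. The expected requester account ID and the route table ID are placeholders you must supply (the page does not state them); the EC2 client is passed in as a parameter so the logic can be exercised against a stand-in without AWS credentials.

```python
"""Accept the Konnect peering request and add the return route with boto3.

Added example, not Kong's or AWS's own code. The ec2 argument is a
boto3 EC2 client (or any object with the same three methods), passed in
so the logic can be tested without credentials.
"""
import ipaddress


def find_pending_request(ec2, our_vpc_id, expected_requester_account):
    """Return the single pending peering request for our VPC that was
    filed by the expected account; raise if there is none or more than one."""
    resp = ec2.describe_vpc_peering_connections(
        Filters=[
            {"Name": "status-code", "Values": ["pending-acceptance"]},
            {"Name": "accepter-vpc-info.vpc-id", "Values": [our_vpc_id]},
        ]
    )
    matches = [
        pcx for pcx in resp.get("VpcPeeringConnections", [])
        if pcx["RequesterVpcInfo"]["OwnerId"] == expected_requester_account
    ]
    if len(matches) != 1:
        raise RuntimeError(
            f"expected exactly one pending request from account "
            f"{expected_requester_account}, found {len(matches)}")
    return matches[0]


def accept_and_route(ec2, our_vpc_id, expected_requester_account,
                     route_table_id, konnect_cidr):
    """Accept the request and route only the Konnect network CIDR over it.
    Returns the peering connection ID."""
    # Never send all traffic over the peering link: the route must be
    # scoped to the Konnect network's own CIDR block.
    if ipaddress.ip_network(konnect_cidr).prefixlen == 0:
        raise ValueError("refusing to install a default route over a peering link")
    pcx = find_pending_request(ec2, our_vpc_id, expected_requester_account)
    pcx_id = pcx["VpcPeeringConnectionId"]
    ec2.accept_vpc_peering_connection(VpcPeeringConnectionId=pcx_id)
    ec2.create_route(
        RouteTableId=route_table_id,
        DestinationCidrBlock=konnect_cidr,
        VpcPeeringConnectionId=pcx_id,
    )
    return pcx_id


if __name__ == "__main__":
    import os
    import boto3  # only needed for a real run against AWS

    client = boto3.client("ec2", region_name=os.environ["AWS_REGION"])
    pcx_id = accept_and_route(
        client,
        os.environ["AWS_VPC_ID"],
        os.environ["EXPECTED_REQUESTER_ACCOUNT_ID"],  # placeholder: Konnect's AWS account
        os.environ["AWS_ROUTE_TABLE_ID"],             # placeholder: your subnet's route table
        os.environ["KONNECT_NETWORK_CIDR"],           # placeholder: the Konnect network CIDR
    )
    print(f"accepted {pcx_id} and routed {os.environ['KONNECT_NETWORK_CIDR']} over it")
```

The IAM identity running this needs only ec2:DescribeVpcPeeringConnections, ec2:AcceptVpcPeeringConnection and ec2:CreateRoute; nothing here requires broader VPC permissions.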
Validation
To validate that everything was configured correctly, issue a GET request to the /transit-gateways endpoint to retrieve VPC peering information:
curl -X GET "https://global.api.konghq.com/v2/cloud-gateways/networks/$KONNECT_NETWORK_ID/transit-gateways" \
  -H "Authorization: Bearer $KONNECT_TOKEN"