AWS VPC Peering
VPC peering enables Firetiger agents to connect to resources hosted in your AWS VPC, such as RDS databases, Elasticsearch clusters, or other private services.
VPC peering is only available for BYOC (Bring Your Own Cloud) deployments. SaaS deployments use public endpoints or AWS connections instead.
How It Works
A VPC peering connection creates a private network link between the Firetiger deployment VPC and your VPC. Traffic between the two VPCs stays within the AWS network and does not traverse the public internet.
Prerequisites
- A BYOC AWS deployment provisioned by Firetiger
- Your VPC must be in the same AWS region as the Firetiger deployment
- VPC CIDR ranges must not overlap (Firetiger deployments typically use 10.0.0.0/16)
Setup
1. Create the VPC Peering Connection
From your AWS account, create a VPC peering connection request:
- Requester VPC: Your VPC (where your resources live)
- Accepter VPC: The Firetiger deployment VPC (ID provided by Firetiger)
- Accepter AWS Account ID: Provided by Firetiger
- Region: Must match the Firetiger deployment region
2. Accept the Peering Connection
Firetiger will accept the peering request from the deployment AWS account.
3. Enable DNS Resolution (if needed)
If your resources use private DNS hostnames (e.g., RDS endpoints like mydb.abc123.us-east-1.rds.amazonaws.com), enable DNS resolution on both sides of the peering connection. Without it, a publicly accessible RDS hostname resolves to the instance's public IP from the Firetiger VPC, and the traffic never uses the peering.
4. Configure Your Side
In your AWS account, add:
- Route table entry: Route the Firetiger VPC CIDR (e.g., 10.0.0.0/16) to the peering connection. Add the route to every route table associated with the subnets where your resources live, not only the VPC's main route table.
- Security group rule: Allow inbound traffic from the Firetiger VPC CIDR on the required port (e.g., PostgreSQL 5432, MySQL 3306). Scope the source to the Firetiger VPC CIDR rather than 0.0.0.0/0.
5. Provide Peering Details to Firetiger
Send the following information to your Firetiger contact:
| Field | Example | Description |
|---|---|---|
| VPC Peering Connection ID | pcx-034daeb7643728bd9 | The peering connection ID after acceptance |
| Your VPC CIDR | 172.30.0.0/16 | The CIDR range of your VPC that needs to be routable |
| DNS resolution needed | Yes / No | Whether private DNS hostnames need to resolve across the peering |
Firetiger will add the peering route to the deployment’s Terraform configuration and apply it.
Verification
Once both sides are configured, test the connection from the Firetiger UI by running an agent that connects to your resource. If the agent can reach the target endpoint, the peering is working correctly.
Troubleshooting
Connection to your resource times out (but other agent functions work)
- Verify your security group allows inbound traffic from the Firetiger VPC CIDR on the port your resource listens on
- Verify the route table associated with your resource's subnet has a return route to the Firetiger VPC CIDR via the peering connection (a route in state blackhole means the peering connection it pointed at no longer exists)
- Check that the peering connection status is Active in the AWS console
DNS resolution fails for RDS or other private endpoints
- Ensure DNS resolution is enabled on the peering connection (both requester and accepter sides)
- This setting is found under the peering connection’s DNS tab in the AWS console
All agent invocations time out
This is not a peering issue. Contact Firetiger support - the deployment’s NAT gateway route may need attention.
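The following preflight script is an added example written for this page, not Firetiger's code. It runs the checklist from step 4 (Configure Your Side) and the troubleshooting list above against the JSON shapes returned by `aws ec2 describe-vpc-peering-connections`, `describe-route-tables` and `describe-security-groups`: peering status, non-overlapping CIDRs, DNS resolution on both sides, an active return route in every subnet-associated route table, and a security-group ingress rule. The sample data is constructed (the route table, subnet and security group IDs are made up); the peering ID and CIDRs reuse the examples from the table above.

```python
"""Offline preflight for your side of a VPC peering to a Firetiger BYOC deployment.

Added example, not Firetiger's code. Feed it the output of the three
`aws ec2 describe-*` calls named in the lead-in; the sample below is constructed.
"""
import ipaddress


def _covers(cidr, target):
    """True when the route/rule CIDR `cidr` contains the whole `target` network."""
    return ipaddress.ip_network(target).subnet_of(ipaddress.ip_network(cidr))


def check_peering(peering, route_tables, security_groups, firetiger_cidr, port, protocol="tcp"):
    """Return a list of problems (an empty list means your side looks complete)."""
    problems = []
    pcx_id = peering["VpcPeeringConnectionId"]

    # Step 2: Firetiger must have accepted the request (pending-acceptance means not yet).
    status = peering["Status"]["Code"]
    if status != "active":
        problems.append(f"{pcx_id}: status is {status!r}, expected 'active'")

    # Prerequisite: the two VPC CIDRs must not overlap.
    req = ipaddress.ip_network(peering["RequesterVpcInfo"]["CidrBlock"])
    acc = ipaddress.ip_network(peering["AccepterVpcInfo"]["CidrBlock"])
    if req.overlaps(acc):
        problems.append(f"{pcx_id}: VPC CIDRs overlap ({req} and {acc})")

    # Step 3: DNS resolution has to be enabled on both sides of the peering.
    for side in ("RequesterVpcInfo", "AccepterVpcInfo"):
        opts = peering[side].get("PeeringOptions", {})
        if not opts.get("AllowDnsResolutionFromRemoteVpc", False):
            problems.append(f"{pcx_id}: AllowDnsResolutionFromRemoteVpc is off on {side}")

    # Step 4a: every route table attached to a subnet needs an active return route
    # for the Firetiger CIDR that points at this peering connection. A route in state
    # "blackhole" (peering deleted) does not count.
    for rt in route_tables:
        if not any("SubnetId" in a for a in rt.get("Associations", [])):
            continue  # not attached to any subnet, nothing routes through it
        has_route = any(
            r.get("VpcPeeringConnectionId") == pcx_id
            and r.get("State") == "active"
            and "DestinationCidrBlock" in r
            and _covers(r["DestinationCidrBlock"], firetiger_cidr)
            for r in rt.get("Routes", [])
        )
        if not has_route:
            problems.append(
                f"{rt['RouteTableId']}: no active route for {firetiger_cidr} via {pcx_id} "
                f"(fix: aws ec2 create-route --route-table-id {rt['RouteTableId']} "
                f"--destination-cidr-block {firetiger_cidr} --vpc-peering-connection-id {pcx_id})"
            )

    # Step 4b: at least one security group must allow the port from the Firetiger CIDR.
    # An IpProtocol of "-1" means all traffic, so it has no port range.
    def rule_allows(perm):
        proto_ok = perm.get("IpProtocol") in (protocol, "-1")
        port_ok = perm.get("IpProtocol") == "-1" or (
            perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
        )
        cidr_ok = any(_covers(r["CidrIp"], firetiger_cidr) for r in perm.get("IpRanges", []))
        return proto_ok and port_ok and cidr_ok

    if not any(rule_allows(p) for sg in security_groups for p in sg.get("IpPermissions", [])):
        problems.append(
            f"no security group allows {protocol}/{port} from {firetiger_cidr} "
            f"(fix: aws ec2 authorize-security-group-ingress --group-id <sg-id> "
            f"--protocol {protocol} --port {port} --cidr {firetiger_cidr})"
        )
    return problems


# Constructed sample (not captured from a real account): the requester side has DNS
# resolution off and the private subnet's route table lacks the return route;
# the security group is already correct.
PEERING = {
    "VpcPeeringConnectionId": "pcx-034daeb7643728bd9",
    "Status": {"Code": "active"},
    "RequesterVpcInfo": {"CidrBlock": "172.30.0.0/16",
                         "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": False}},
    "AccepterVpcInfo": {"CidrBlock": "10.0.0.0/16",
                        "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": True}},
}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0a1b2c3d4e5f60718",  # made-up ID
     "Associations": [{"SubnetId": "subnet-0123456789abcdef0"}],  # made-up ID
     "Routes": [{"DestinationCidrBlock": "172.30.0.0/16", "GatewayId": "local", "State": "active"}]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-0fedcba9876543210",  # made-up ID
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]


def run_sample():
    """Run the checks over the constructed sample and return the problem list."""
    return check_peering(PEERING, ROUTE_TABLES, SECURITY_GROUPS,
                         firetiger_cidr="10.0.0.0/16", port=5432)


if __name__ == "__main__":
    for line in run_sample() or ["OK: your side of the peering looks complete"]:
        print(line)
```

Note that `_covers` accepts any rule or route broader than the Firetiger CIDR, so a security group open to 0.0.0.0/0 passes the check; tighten such rules to the Firetiger VPC CIDR even though the script does not flag them. The "all agent invocations time out" case is deliberately outside this script's scope, since it concerns the Firetiger-managed NAT route rather than your account.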
Important Notes
- Do not modify Firetiger networking directly. The Firetiger VPC’s route tables, subnet associations, and NAT gateways are managed by Terraform. Manually modifying these resources will break Lambda internet connectivity and cause all agent invocations to fail.
- Always coordinate through Firetiger to add peering routes to the deployment infrastructure.