
Configuring VPC connectivity

This section walks you through configuring VPC connectivity for an Amazon GameLift Streams stream group using the AWS CLI. The commands use placeholder identifiers (account 123456789012, vpc-0123456789abcdef0, sg-1AB2C3De4, and so on); substitute your own values.

Step 1: Create a stream group with VPC configuration

When creating a stream group, include the VpcTransitConfiguration parameter in your location configuration. Specify your VPC ID and the CIDR blocks that your streaming application needs to access. List only the address ranges the application actually needs to reach rather than the whole VPC; you can extend the list later without recreating the stream group (see Step 6).

aws gameliftstreams create-stream-group \
    --description "Stream group with VPC connectivity" \
    --stream-class gen5n_high \
    --default-application-identifier arn:aws:gameliftstreams:us-west-2:123456789012:application/a-ABC123def \
    --location-configurations '[{
        "LocationName": "us-west-2",
        "AlwaysOnCapacity": 1,
        "VpcTransitConfiguration": {
            "VpcId": "vpc-0123456789abcdef0",
            "Ipv4CidrBlocks": ["10.0.0.0/16"]
        }
    }]'

Wait for the stream group to become active:

aws gameliftstreams wait stream-group-active \
    --identifier sg-1AB2C3De4

When the stream group status is ACTIVE, get the stream group details:

aws gameliftstreams get-stream-group \
    --identifier sg-1AB2C3De4

Note the following values from the response; the remaining steps use them:

  • TransitGatewayId – The ID of the transit gateway created by Amazon GameLift Streams.

  • TransitGatewayResourceShareArn – The ARN of the RAM resource share.

  • InternalVpcIpv4CidrBlock – The CIDR block of the service VPC that you need to add to your route tables.

Step 2: Accept the RAM resource share

Accept the resource share invitation to gain access to the transit gateway. Look up the invitation by the TransitGatewayResourceShareArn from Step 1, and confirm that the invitation you accept belongs to that share and is in the PENDING state; an account can hold unrelated pending invitations, and those should not be accepted as part of this procedure:

# Get the resource share invitation
aws ram get-resource-share-invitations \
    --resource-share-arns arn:aws:ram:us-west-2:123456789012:resource-share/abc12345-1234-1234-1234-abc123456789

# Accept the invitation
aws ram accept-resource-share-invitation \
    --resource-share-invitation-arn arn:aws:ram:us-west-2:123456789012:resource-share-invitation/abc12345-1234-1234-1234-abc123456789

Step 3: Create a VPC attachment

Attach your VPC to the transit gateway. You need to specify at least one subnet from your VPC; the attachment creates a network interface in each subnet you list, so choose one subnet per Availability Zone that should carry this traffic:

# Get your subnet IDs
aws ec2 describe-subnets \
    --filters "Name=vpc-id,Values=vpc-0123456789abcdef0" \
    --query "Subnets[*].SubnetId"

# Create the VPC attachment
aws ec2 create-transit-gateway-vpc-attachment \
    --transit-gateway-id tgw-0123456789abcdef0 \
    --vpc-id vpc-0123456789abcdef0 \
    --subnet-ids subnet-0123456789abcdef0 subnet-0123456789abcdef1

The response includes the TransitGatewayAttachmentId. Poll the attachment until its State is available before you add routes:

aws ec2 describe-transit-gateway-vpc-attachments \
    --transit-gateway-attachment-ids tgw-attach-0123456789abcdef0 \
    --query "TransitGatewayVpcAttachments[0].State"

Step 4: Configure routing

Add a route to your VPC route table that directs traffic destined for the service VPC through the transit gateway. Use the InternalVpcIpv4CidrBlock value from the stream group response as the destination, and nothing broader: a default route (0.0.0.0/0) through the transit gateway is not needed and would send unrelated traffic to it. The service VPC CIDR must not overlap your VPC's own CIDR, because the VPC's local route takes priority over a transit gateway route and the overlapping range could not be reached. If your VPC has several route tables, add the route to each one associated with subnets that host resources the streaming application reaches:

# Get your route table ID
aws ec2 describe-route-tables \
    --filters "Name=vpc-id,Values=vpc-0123456789abcdef0" \
    --query "RouteTables[*].RouteTableId"

# Add the route
aws ec2 create-route \
    --route-table-id rtb-0123456789abcdef0 \
    --destination-cidr-block 10.1.0.0/16 \
    --transit-gateway-id tgw-0123456789abcdef0

Note

Replace 10.1.0.0/16 with the actual InternalVpcIpv4CidrBlock value from your stream group.

(Optional) Step 5: Update security groups

When the streaming application needs to reach EC2 instances (or other resources protected by a security group) in your VPC, add an inbound rule to those security groups that allows traffic from the service VPC CIDR block. Scope the rule to the InternalVpcIpv4CidrBlock, not to 0.0.0.0/0, and to the single protocol and port the application uses:

aws ec2 authorize-security-group-ingress \
    --group-id sg-0123456789abcdef0 \
    --protocol tcp \
    --port 443 \
    --cidr 10.1.0.0/16

Note

Replace the following values with your actual configuration:

  • sg-0123456789abcdef0 – The security group ID of your private resource.

  • tcp – The protocol your application uses (tcp or udp).

  • 443 – The port number your application listens on.

  • 10.1.0.0/16 – The InternalVpcIpv4CidrBlock value from your stream group.

If the network ACLs on the attachment subnets or the resource subnets are not the default allow-all rules, they must also permit this traffic, including the return traffic on ephemeral ports.
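The following script is an added example, not part of the Amazon GameLift Streams documentation and not the service's own tooling. It wires Steps 2 to 5 above into one run and adds the checks a practitioner wants between the steps: it refuses to continue if the service VPC CIDR overlaps your VPC, accepts only the PENDING invitation for the resource share the stream group reported, polls the attachment until it is available, adds the route to every route table in the VPC, and opens a single protocol and port from the service CIDR only. All identifiers are hypothetical placeholders, and the helper names (ip4_to_int, cidr_overlaps, check_service_cidr, configure_vpc_connectivity) are this example's own. The three values from the get-stream-group response are read from the environment because Step 1 has you copy them from that response; the script assumes the AWS CLI is installed with credentials for the account that owns the VPC.

```shell
#!/bin/sh
# Added example: Steps 2-5 of the VPC connectivity procedure with pre-checks.
# Not from the Amazon GameLift Streams documentation; all IDs are placeholders.
set -eu

VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"
SUBNET_IDS="${SUBNET_IDS:-subnet-0123456789abcdef0 subnet-0123456789abcdef1}"
TGW_ID="${TGW_ID:-tgw-0123456789abcdef0}"                   # TransitGatewayId from Step 1
SHARE_ARN="${SHARE_ARN:-arn:aws:ram:us-west-2:123456789012:resource-share/abc12345-1234-1234-1234-abc123456789}"
SERVICE_CIDR="${SERVICE_CIDR:-10.1.0.0/16}"                 # InternalVpcIpv4CidrBlock from Step 1
TARGET_SG="${TARGET_SG:-sg-0123456789abcdef0}"              # security group of the private resource
TARGET_PROTO="${TARGET_PROTO:-tcp}"
TARGET_PORT="${TARGET_PORT:-443}"

# ---- pure helpers (no AWS calls) -------------------------------------------

# ip4_to_int 10.1.2.3 -> 167838211 (dotted quad as an unsigned 32-bit integer)
ip4_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlaps A/n B/m -> exit 0 when the two IPv4 blocks share any address.
# Two blocks overlap exactly when they agree on every bit of the shorter prefix.
cidr_overlaps() {
  local a_len=${1#*/} b_len=${2#*/} a b len mask
  a=$(ip4_to_int "${1%/*}")
  b=$(ip4_to_int "${2%/*}")
  if [ "$a_len" -lt "$b_len" ]; then len=$a_len; else len=$b_len; fi
  [ "$len" -eq 0 ] && return 0
  mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
  [ $(( a & mask )) -eq $(( b & mask )) ]
}

# check_service_cidr SERVICE_CIDR VPC_CIDR... -> exit 1 if the service VPC CIDR
# overlaps any CIDR of your VPC. The VPC's local route has priority over the
# transit gateway route added in Step 4, so an overlapping range is unreachable.
check_service_cidr() {
  local svc=$1 vpc_cidr
  shift
  for vpc_cidr in "$@"; do
    if cidr_overlaps "$svc" "$vpc_cidr"; then
      echo "service CIDR $svc overlaps VPC CIDR $vpc_cidr; refusing to add route" >&2
      return 1
    fi
  done
}

# ---- Steps 2 to 5 against AWS (runs only when invoked with "apply") ---------
configure_vpc_connectivity() {
  local vpc_cidrs invite_arn attach_id rtb

  vpc_cidrs=$(aws ec2 describe-vpcs --vpc-ids "$VPC_ID" \
    --query "Vpcs[0].CidrBlockAssociationSet[].CidrBlock" --output text)
  check_service_cidr "$SERVICE_CIDR" $vpc_cidrs

  # Step 2: query invitations for the reported share only and accept the
  # PENDING one; never accept whatever invitation happens to be pending.
  invite_arn=$(aws ram get-resource-share-invitations \
    --resource-share-arns "$SHARE_ARN" \
    --query "resourceShareInvitations[?status=='PENDING'].resourceShareInvitationArn | [0]" \
    --output text)
  if [ -n "$invite_arn" ] && [ "$invite_arn" != "None" ]; then
    aws ram accept-resource-share-invitation \
      --resource-share-invitation-arn "$invite_arn" >/dev/null
  fi

  # Step 3: attach the VPC (one subnet per AZ) and poll until available.
  attach_id=$(aws ec2 create-transit-gateway-vpc-attachment \
    --transit-gateway-id "$TGW_ID" --vpc-id "$VPC_ID" --subnet-ids $SUBNET_IDS \
    --query "TransitGatewayVpcAttachment.TransitGatewayAttachmentId" --output text)
  until [ "$(aws ec2 describe-transit-gateway-vpc-attachments \
      --transit-gateway-attachment-ids "$attach_id" \
      --query "TransitGatewayVpcAttachments[0].State" --output text)" = "available" ]
  do
    sleep 10
  done

  # Step 4: route only the service CIDR (never 0.0.0.0/0) to the transit
  # gateway, in every route table of the VPC.
  for rtb in $(aws ec2 describe-route-tables --filters "Name=vpc-id,Values=$VPC_ID" \
      --query "RouteTables[*].RouteTableId" --output text); do
    aws ec2 create-route --route-table-id "$rtb" \
      --destination-cidr-block "$SERVICE_CIDR" --transit-gateway-id "$TGW_ID" >/dev/null
  done

  # Step 5: one protocol and port, from the service CIDR only.
  aws ec2 authorize-security-group-ingress --group-id "$TARGET_SG" \
    --protocol "$TARGET_PROTO" --port "$TARGET_PORT" --cidr "$SERVICE_CIDR" >/dev/null
}

if [ "${1:-}" = "apply" ]; then
  configure_vpc_connectivity
fi
```

Export TGW_ID, SHARE_ARN and SERVICE_CIDR from your get-stream-group output (plus VPC_ID, SUBNET_IDS and TARGET_SG for your environment) and run the script with the single argument apply. Without that argument it only defines the functions, so it can be sourced to reuse cidr_overlaps and check_service_cidr in other tooling. The overlap check uses integer arithmetic only, so it works in plain sh without jq or Python.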

(Optional) Step 6: Update CIDR blocks

You can update the CIDR blocks for a stream group location's VPC connectivity configuration without recreating the stream group. This is useful when you need to expand or modify the IP address ranges that your streaming application can access in your VPC.

To update the CIDR blocks, use the UpdateStreamGroup API:

aws gameliftstreams update-stream-group \
    --identifier sg-1AB2C3De4 \
    --location-configurations '[{
        "LocationName": "us-west-2",
        "VpcTransitConfiguration": {
            "VpcId": "vpc-0123456789abcdef0",
            "Ipv4CidrBlocks": ["10.0.0.0/16", "10.2.0.0/16"]
        }
    }]'

The example keeps 10.0.0.0/16 and adds 10.2.0.0/16. After updating the CIDR blocks, Amazon GameLift Streams automatically updates the routing configuration in the service-managed VPC; the route and security group rules in your own VPC (Steps 4 and 5) are unaffected, because they refer to the service VPC CIDR, not to the blocks you listed here.

Note

The VPC ID cannot be changed when updating CIDR blocks. To connect to a different VPC, you must delete and recreate the stream group location (for streaming locations other than the primary) or create a new stream group (for the primary location).