Multi-Region Peering mesh with Terraform and VNS3

Creating a dynamic routing mesh network involves the following steps:

  1. Build AWS VPC’s in desired regions
  2. Launch VNS3 controllers in your VPC’s
  3. Configure the VNS3 controllers
  4. Peer VNS3 controllers with VNS3 API

Steps 1 and 2 are accomplished with terraform and steps 3 and 4 via the VNS3 API. Here we use the Cohesive Networks Python SDK to work with the VNS3 API.


This tutorial makes use of Terraform and the Cohesive Networks Python SDK to build out the cloud virtual networks and the mesh network with VNS3.

Building your Cloud with Terraform

Launching VNS3 in AWS and Azure is simple with terraform. The terraform code used for this example can be found in our templates repository. The multi-cloud topology code can be found here.

The following files are included:

  • - Builds two AWS VPC’s in different regions: us-east-1 and us-west-2
  • - Launches VNS3 in the VPCs created by Here we launch a VNS3 controller in each subnet in each VPC, which sums to 4. So we will have a 4-way peered mesh. The VNS3 controllers are assigned public IP addresses and the security group only provides access to the network range defined by the variable access_cidr in
  • - This creates a peering connection between the two VPCs. This allows us to build an entirely private mesh network. It also adds the required routes and security group rules. VNS3 peering occurs over UDP ports 1195-1205.
  • - this defines the input variables required for this infrastructure
  • - defines terraform outputs for the topology.

You can build the infrastructure by running the following:

cd vns3-peering-aws-tf
terraform init 
# Create a terraform plan with a timestamp
terraform plan -out "build__$(date -u +"%Y-%m-%dT%H-%M-%SZ").tfplan"
terraform apply build__2020-05-22T21-29-32Z.tfplan

After about 10 minutes you will get your outputs:

Apply complete! Resources: 40 added, 0 changed, 0 destroyed.


vpc1_cidr =
vpc1_controller_dns_hostnames = [
vpc1_controller_public_ips = [
vpc1_default_security_group_id = sg-0e93ea1debcb3f42d
vpc1_id = vpc-0eb964047205b5d9a
vpc1_route_table_id = rtb-00074d5903cc7a07c
vpc1_subnet_ids = [
vpc1_subnets = [
vpc1_vns3_instance_ids = [
vpc2_cidr =
vpc2_controller_dns_hostnames = [
vpc2_controller_public_ips = [
vpc2_default_security_group_id = sg-027d3bf6e6dd6454e
vpc2_id = vpc-0a0c2d4823a307c63
vpc2_route_table_id = rtb-081749c2a1af2399a
vpc2_subnet_ids = [
vpc2_subnets = [
vpc2_vns3_instance_ids = [

Configuring VNS3 Controllers

Configuring the VNS3 controllers involves generating the topology keyset on controller 1 and then fetching that configuration from the other controllers.

  1. Upload a license with PUT /license to controller 1
  2. Configuring and accepting the license parameters with PUT /license/parameters
  3. Generating a keyset with PUT /keyset
  4. For each other controller, fetch the licensed configuration from controller 1

Here’s some code with all of the API calls using the Python SDK:

# Poll on the keyset until it is available

for client in peer_clients:
    client.config.put_keyset(source=root_client_ip_address, token=shared_token)

Now, VNS3 does take some time to configure itself during licensing and so requires some polling on responses. We tend to do this a lot for our topologies so we added a helper function to the SDK that will idempotently configure your controller. Also, the fetch performed by each peer controller in step 4 will trigger background tasks as the controller fetches and sets the configuration. This requires polling on the state of the controller. These tasks require some polling code. We added some functionality to the python SDK to make this easier:

from cohesivenet.macros import config, state

# Root client = controller 1
        license_parameters={"default": True},
        keyset_parameters={"token": keyset_token},

# peer_clients = List[VNS3Clients] for controllers 2-4
# state.get_primary_private_ip fetches the private IP address of the root client.
    peer_clients, state.get_primary_private_ip(root_client), keyset_token

This will configure your VNS3 controller with the provided parameters if not already configured and fetch keysets will configure controllers 2-4.

Creating the Peering Mesh

Creating the peering mesh requires a few steps such that our network is configured properly:

  1. Create explicit routes for VNS3 peer IP addresses
  2. Create the peering map on each VNS3
  3. Create route advertisements for each VNS3’s subnet

Creating explicit VNS3 peer routes

By default, VNS3 will only have a route for its local subnet. Our VPC’s are peered together and each subnet’s cloud route table contains a route properly routing the peer VPC’s subnet to the peering connection. This was created with terraform in Now we need to tell each VNS3 controller how to reach their peers. Here’s a table of our VNS3 mesh:


So controller 1 needs a route to controllers 2,3 and 4 at,, And likewise for each other controller. You can create a route with the POST /routes call. Here’s an example with the SDK:

    description="Peer VNS3 cloud route",

How did we get the gateway of This is the default router for AWS VPC’s. Each AWS subnet has a router located at the subnet cidr + 1.

This involves creating 12 routes: 3 for each of the 4 controllers. Having explicit and specific routes makes for a more secure and robust network. We wrote a function in the python SDK to make this a little easier:

import os
from cohesivenet.macros import routing, connect

controller_password = os.environ.get("VNS3_MASTER_PASSWORD")
ordered_subnets = ["", ""]
# Connect to all controllers
# hosts_connection_params=List[dict{host=str, password=str}]
# connecting via public IPs returned by terraform outputs
hosts_connection_params = [
  {"host": "", "password": controller_password},
  {"host": "", "password": controller_password}
vns3_clients = connect.get_clients(hosts_connection_params)
routing.create_peer_mesh_local_gw_routes(vns3_clients, ordered_subnets)

Creating the peering connection map

VNS3 peering connections are fully encrypted TLS connections using x509 certificates. Creating a mesh network requires configuring your peering “map”. Each VNS3 controller in the mesh will have an ID and maintains a map to their peers. We will use the map provided above with peer 1 at

We are using the private IP addresses here for the peering connection as the VPCs’ private networks are peered. We could also the the AWS DNS names such as for the peering connection.

Tip: It is a good idea to use AWS DNS names when configuring your peering mesh along with elastic IPs. DNS will handle the case when your instance fails and you failover to a new instance that might have a different primary IP address. Amazon DNS will resolve to the local private IP address.

Each VNS3 controller requires the following 2 API calls:

  1. Set VNS3 peering ID with PUT /peering/self
  2. Set the VNS3 peering map with POST /peering/peers

Setting VNS3 peering for controller 1:

resp = vns3_client.peering.put_self_peering_id(id=1)
peer_map = [
    {"id": 2, "ip": ""},
    {"id": 3, "ip": ""},
    {"id": 4, "ip": ""},
for peer in peer_map:
        id=peer["id"], name=peer["ip"]

We create peering maps a lot so to make this a little easier we created an API “macro” to set and peer your VNS3 clients together:

from cohesivenet.macros import peering, connect

# host_connection_params are ordered according to above map!
#  e.g. hosts_connection_params[0] == 
vns3_clients = connect.get_clients(hosts_connection_params)

# Sets IDs based on order of list. client at vns3_clients[0] gets ID=1.
# defaults to using primary private IPs for peering mesh\

Creating Route Advertisements

Now that all VNS3 controllers are meshed together we can take advantage of the dynamic routing running over the mesh. Each controller can advertise which networks it has connectivity to, informing each network peered into the mesh. In our somewhat contrived topology we have the following subnets for each controller:

  1. VNS3 Peer 1 in subnet
  2. VNS3 Peer 2 in subnet
  3. VNS3 Peer 3 in subnet
  4. VNS3 Peer 4 in subnet

So each VNS3 controller can create a route advertisement with the POST /routes endpoint, advertising the subnet to the mesh. With the Python SDK, the call looks like this:

    description="Local subnet advertisement",

Creating route advertisements is pretty common so we provide a parallelized “macro” for creating this route advertisements across a mesh:

from cohesivenet.macros import routing

ordered_subnets = [
routing.create_route_advertisements(vns3_clients, ordered_subnets)

Putting it all together

So to wrap up, here we configured a highly available mesh network with dynamic routing in a private cloud environment. Building network topologies with VNS3 can be fully automated and reproducible with frameworks like terraform and the VNS3 API.

If you’d like to see a final version of a working python script that builds this peering mesh, you can check it out here, as one of the python SDK examples.

Any questions on how to automate your network? Email us at or open a ticket directly on our support site.