Lab 05: Peering Between OKS and a VM Network

In this lab you will:

  • Configure peering between an OKS cluster and a VM network (another NET/VPC)
  • Update routes and Security Groups to allow private traffic
  • Test private connectivity between an OKS pod and a VM

Peering allows both networks to communicate using their private IP addresses. This is the foundation for hybrid architectures where OKS services interact with resources in other VPCs.

Prerequisites:

  1. A running Kubernetes cluster provided by OKS
  2. A VM in a private network (another NET/VPC), in the same region
  3. Access to the kubectl, oks-cli, and osc-cli CLIs
  4. Non-overlapping CIDR ranges between the two networks
  5. The required permissions to accept the peering on the VM network side (and/or an appropriate OSC profile)
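Prerequisite 4 is easy to get wrong when the two networks were created independently. The following script, added here as an example and not part of the original lab, checks that the OKS project CIDR and the VM network CIDR are disjoint before the peering request is created; the CIDR values in the usage line are constructed for illustration.

```shell
# Added example (not part of the OKS lab): verify that the OKS project CIDR and
# the VM network CIDR do not overlap before creating the peering request.
# Overlapping ranges make the routes through the peering ambiguous.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network (first) address of a CIDR, as an integer.
cidr_first() {
  prefix=${1#*/}
  mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  echo $(( $(ip2int "${1%/*}") & mask ))
}

# Broadcast (last) address of a CIDR, as an integer.
cidr_last() {
  prefix=${1#*/}
  echo $(( $(cidr_first "$1") | ((1 << (32 - prefix)) - 1) ))
}

# Exit status 0 if the two CIDRs share at least one address, 1 otherwise.
cidr_overlap() {
  a1=$(cidr_first "$1"); a2=$(cidr_last "$1")
  b1=$(cidr_first "$2"); b2=$(cidr_last "$2")
  [ "$a1" -le "$b2" ] && [ "$b1" -le "$a2" ]
}

# Guard to run before "kubectl apply -f peering-request.yaml".
require_disjoint_cidrs() {
  if cidr_overlap "$1" "$2"; then
    echo "ERROR: OKS CIDR $1 overlaps VM network CIDR $2; the peering cannot route correctly" >&2
    return 1
  fi
  echo "OK: $1 and $2 are disjoint"
}

# Usage (constructed values): require_disjoint_cidrs 10.50.0.0/16 10.0.1.0/24
```

The check works on whole ranges (first and last address of each block), so it also catches the case where one network is a subnet of the other, not just identical CIDRs.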
Retrieve the kubeconfig of the cluster and check that the nodes are reachable:

oks-cli cluster kubeconfig --cluster-name my-cluster --project-name my-project > kubeconfig.yaml
export KUBECONFIG=./kubeconfig.yaml
kubectl get nodes

Create a peering-request.yaml file:

apiVersion: oks.dev/v1beta
kind: NetPeeringRequest
metadata:
  name: peering-request
spec:
  accepterNetId: vpc-xxxxxxxx      # ID of the VM VPC
  accepterOwnerId: "123456789012"  # Account ID of the target network

Apply the resource:

kubectl apply -f peering-request.yaml

After applying it, verify that the request has been processed correctly and that it generated a NetPeeringId:

kubectl get npr

Example output:

NAME              SOURCE NET ID   ACCEPTER NET ID   NET PEERING ID   STATE NAME           STATE MESSAGE
peering-request   vpc-oks123456   vpc-a9321987      pcx-0123abcd     pending-acceptance   Pending acceptance by 123904561278

Note the NET PEERING ID (for example pcx-0123abcd) for the acceptance step.
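The peering ID has to be copied into the acceptance command, and a request that is still being processed shows no usable ID yet. The following functions, added here as an example and not part of the original lab, read the ID and the state from the tabular output of `kubectl get npr` and refuse to hand over anything that does not look like a peering ID. The sample output is constructed to mirror the example above.

```shell
# Added example (not part of the OKS lab): extract the NET PEERING ID and the
# STATE NAME of a NetPeeringRequest from the table printed by "kubectl get npr".
# SAMPLE_NPR_OUTPUT is constructed to mirror the lab's example output.

SAMPLE_NPR_OUTPUT='NAME              SOURCE NET ID   ACCEPTER NET ID   NET PEERING ID   STATE NAME           STATE MESSAGE
peering-request   vpc-oks123456   vpc-a9321987      pcx-0123abcd     pending-acceptance   Pending acceptance by 123904561278'

# Print the NET PEERING ID of the named request.
# Header words contain spaces, so columns are counted on the data row: ID is field 4.
npr_peering_id() {
  printf '%s\n' "$2" | awk -v name="$1" 'NR > 1 && $1 == name { print $4 }'
}

# Print the STATE NAME of the named request (field 5 of the data row).
npr_state() {
  printf '%s\n' "$2" | awk -v name="$1" 'NR > 1 && $1 == name { print $5 }'
}

# Print the peering ID only if it carries the "pcx-" prefix; fail otherwise, so
# an empty or placeholder value is never passed on to AcceptNetPeering.
npr_require_id() {
  id=$(npr_peering_id "$1" "$2")
  case "$id" in
    pcx-*) printf '%s\n' "$id" ;;
    *) echo "no NetPeeringId yet for request '$1' (got '$id')" >&2; return 1 ;;
  esac
}

# Live usage: PEERING_ID=$(npr_require_id peering-request "$(kubectl get npr)")
```

Passing the command output as an argument keeps the functions testable offline; in the lab you substitute `"$(kubectl get npr)"` as shown in the usage line.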

Use osc-cli (or Cockpit) to accept the request:

osc-cli api AcceptNetPeering \
  --profile "<profile_name>" \
  --NetPeeringId "pcx-0123abcd"

Add a route to the OKS project CIDR through the peering connection:

# rtb-xxxxxxxx: route table associated with the VM subnet
# 10.50.0.0/16: replace with the exact CIDR of your OKS project
osc-cli api CreateRoute \
  --profile "<profile_name>" \
  --RouteTableId "rtb-xxxxxxxx" \
  --DestinationIpRange "10.50.0.0/16" \
  --NetPeeringId "pcx-0123abcd"

In most cases, routing on the OKS side is handled automatically. If needed, contact OKS support for advanced configuration.

Modify the VM Security Group to allow inbound traffic from the OKS CIDR (for example 10.50.0.0/16) on the required ports:

  • ICMP (for ping tests)
  • SSH/HTTP/HTTPS depending on your needs
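The Security Group should be opened only to the OKS CIDR, never to 0.0.0.0/0, otherwise the private peering gives no isolation benefit. The script below, added here as an example and not part of the original lab, generates the inbound rules scoped to the OKS CIDR and rejects a world-open source range. The parameter names (`--SecurityGroupId`, `--Flow`, `--IpProtocol`, `--FromPortRange`, `--ToPortRange`, `--IpRange`) are those of the Outscale CreateSecurityGroupRule API as the example's author understands them and are not shown on this page; check them against the osc-cli reference before running the generated commands. The Security Group ID is a placeholder.

```shell
# Added example (not part of the OKS lab): generate least-privilege inbound
# Security Group rules for the VM, scoped to the OKS CIDR rather than 0.0.0.0/0.
# Parameter names are assumed from the Outscale CreateSecurityGroupRule API.

# Refuse a source that is not a private CIDR block: a world-open rule would
# defeat the purpose of reaching the VM over private peering.
sg_check_source() {
  case "$1" in
    0.0.0.0/0|::/0|*/0) echo "refusing world-open source range $1" >&2; return 1 ;;
    */*) return 0 ;;
    *) echo "source must be a CIDR, got '$1'" >&2; return 1 ;;
  esac
}

# Print one osc-cli command for an inbound rule; nothing is executed here.
#   sg_rule_cmd <sg-id> <protocol> <from-port> <to-port> <source-cidr>
sg_rule_cmd() {
  sg_check_source "$5" || return 1
  printf 'osc-cli api CreateSecurityGroupRule --profile "%s" --SecurityGroupId "%s" --Flow Inbound --IpProtocol %s --FromPortRange %s --ToPortRange %s --IpRange "%s"\n' \
    "${OSC_PROFILE:-default}" "$1" "$2" "$3" "$4" "$5"
}

# Emit the rule set the lab needs: ICMP for the ping test (-1/-1 = all types and
# codes, as assumed for this API) plus one rule per listed TCP port.
#   sg_rules_for_oks <sg-id> <oks-cidr> <tcp-port>...
sg_rules_for_oks() {
  sg="$1"; cidr="$2"; shift 2
  sg_rule_cmd "$sg" icmp -1 -1 "$cidr" || return 1
  for port in "$@"; do
    sg_rule_cmd "$sg" tcp "$port" "$port" "$cidr" || return 1
  done
}

# Review the output first, then apply it:
#   OSC_PROFILE="<profile_name>" sg_rules_for_oks sg-xxxxxxxx 10.50.0.0/16 22 80 443 | sh
```

Generating the commands instead of running them directly lets you diff the intended rule set against what is already attached to the VM before anything changes.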

Launch a temporary pod from the OKS cluster:

kubectl run -it peeringtest-pod --image=alpine --restart=Never -- sh

From the pod, test connectivity to the VM private IP:

ping <VM_PRIVATE_IP>

✅ Expected: if the configuration is correct (active peering, updated routes, open Security Groups), the ping reply is displayed.

You can also test an application (HTTP) if it is exposed on the VM:

apk add --no-cache curl
curl -m 5 http://<VM_PRIVATE_IP>:80

Example of expected output for the ping test:

PING 10.0.1.49 (10.0.1.49): 56 data bytes
64 bytes from 10.0.1.49: seq=110 ttl=60 time=1.39 ms
64 bytes from 10.0.1.49: seq=111 ttl=60 time=1.29 ms
...

To clean up, delete the NetPeeringRequest resource on the OKS side:

kubectl delete -f peering-request.yaml

Delete the route and the peering on the VM VPC side (adjust the IDs as needed):

osc-cli api DeleteRoute \
  --profile "<profile_name>" \
  --RouteTableId "rtb-xxxxxxxx" \
  --DestinationIpRange "10.50.0.0/16"
osc-cli api DeleteNetPeering \
  --profile "<profile_name>" \
  --NetPeeringId "pcx-0123abcd"

Key points:

  • Peering enables private communication between OKS and a VM VPC
  • Routes and Security Groups are required to allow traffic
  • Tests from an OKS pod validate end-to-end connectivity