VPC Peering explained
What is VPC Peering?
- A VPC peering connection is a network connection between two VPCs that lets you route traffic between them using private IPv4 or IPv6 addresses; instances in either VPC can talk to each other as if they were on the same network.
- Traffic between peered VPCs stays on the AWS network and never traverses the public internet, so data moves privately between the two VPCs.
- You can peer two VPCs that belong to the same AWS account or to different accounts, and that sit in the same Region or in different Regions (inter-Region peering).
- VPC peering does not require an internet gateway, a VPN connection, or a separate network appliance, and there is no single device in the path to become a bottleneck or a single point of failure.
How to create a VPC peering connection between two VPCs in AWS
Step 1: The owner of one VPC, say VPC A, sends a peering request to VPC B. VPC A is the requester VPC and VPC B is the accepter VPC. If VPC B belongs to another account, the request is addressed by that account's ID and VPC ID.
Step 2: The owner of the accepter VPC must accept the request. Until then the connection sits in the pending-acceptance state and carries no traffic (a request that is not accepted within seven days expires). Once accepted, the peering connection is active.
Step 3: Add a route in the route tables of both VPCs. The destination is the peer VPC's CIDR block, or a portion of it, and the target is the VPC peering connection ID. For example, if the peer VPC's CIDR block is 10.0.0.0/16, add a route with destination 10.0.0.0/16 (or a smaller range inside it, such as a single subnet) and target pcx-xxxxxxxx. A route in only one VPC gives one-way traffic whose replies have nowhere to go, so add the matching route in the peer VPC as well.
Finally, check the security groups and network ACLs on both sides. The peering connection only adds a path; it does not open any ports. Security group rules can reference the peer VPC's CIDR or, for VPCs in the same Region, the peer's security group ID directly.
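The procedure above can be checked before touching the console or the API. The following is an added example, not code from the original article or from AWS: it models each VPC as a list of CIDR blocks, applies the overlap rule that would make the request fail, and produces the route-table rows both VPCs need after acceptance, including the "portion of the peer's CIDR" case from Step 3. The VPC IDs, CIDRs and the peering ID pcx-11112222 are made-up sample values.

```python
"""Pre-flight checks for a VPC peering request (added example; IDs are made up).

Before the request: no IPv4 block of one VPC may overlap any IPv4 block of the
other, so the request is rejected up front. After acceptance: one route-table
row per CIDR block of the peer (or a chosen portion of it), targeting the
peering connection, in BOTH VPCs.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vpc:
    vpc_id: str
    ipv4_cidrs: list                      # primary plus any secondary IPv4 blocks
    ipv6_cidrs: list = field(default_factory=list)


def overlapping_blocks(a, b):
    """Every (a_cidr, b_cidr) IPv4 pair that overlaps. AWS refuses the peering
    request if this list is non-empty, even when only IPv6 traffic is wanted."""
    nets_a = [ipaddress.ip_network(c) for c in a.ipv4_cidrs]
    nets_b = [ipaddress.ip_network(c) for c in b.ipv4_cidrs]
    return [(str(x), str(y)) for x in nets_a for y in nets_b if x.overlaps(y)]


def can_peer(a, b):
    return not overlapping_blocks(a, b)


def peering_routes(requester, accepter, pcx_id, destinations=None):
    """Route-table rows for both VPCs: {vpc_id: [(destination, target), ...]}.

    By default every IPv4 and IPv6 block of the peer is routed. Pass
    destinations={vpc_id: [cidr, ...]} to route only a portion of the peer's
    address space; each portion must lie inside one of the peer's blocks.
    """
    if not can_peer(requester, accepter):
        raise ValueError(f"{requester.vpc_id} and {accepter.vpc_id} overlap: "
                         f"{overlapping_blocks(requester, accepter)}")
    destinations = destinations or {}
    routes = {}
    for me, peer in ((requester, accepter), (accepter, requester)):
        peer_nets = [ipaddress.ip_network(c) for c in peer.ipv4_cidrs + peer.ipv6_cidrs]
        wanted = destinations.get(me.vpc_id)
        if wanted is None:
            chosen = peer_nets
        else:
            chosen = []
            for cidr in wanted:
                net = ipaddress.ip_network(cidr)
                if not any(net.version == p.version and net.subnet_of(p) for p in peer_nets):
                    raise ValueError(f"{cidr} is not inside any CIDR block of {peer.vpc_id}")
                chosen.append(net)
        routes[me.vpc_id] = [(str(n), pcx_id) for n in chosen]
    return routes


if __name__ == "__main__":
    # Constructed sample VPCs; vpc_x overlaps the first block of vpc_a.
    vpc_a = Vpc("vpc-aaaa", ["10.0.0.0/16", "10.2.0.0/16"], ["2001:db8:a::/56"])
    vpc_b = Vpc("vpc-bbbb", ["172.16.0.0/16"], ["2001:db8:b::/56"])
    vpc_x = Vpc("vpc-xxxx", ["10.0.128.0/17"])

    print("A<->X allowed:", can_peer(vpc_a, vpc_x), overlapping_blocks(vpc_a, vpc_x))
    for vpc_id, rows in peering_routes(vpc_a, vpc_b, "pcx-11112222").items():
        print(vpc_id, rows)
    # Route only one /24 of VPC B from VPC A; B still routes all of A.
    partial = peering_routes(vpc_a, vpc_b, "pcx-11112222",
                             destinations={"vpc-aaaa": ["172.16.5.0/24"]})
    print(partial["vpc-aaaa"])
```

The overlap check is done on IPv4 blocks only, deliberately: that is the rule AWS applies, and it is why two VPCs with distinct IPv6 ranges still cannot peer when their IPv4 ranges collide.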
VPC peering configurations
1. Two VPCs peered together:
VPC A and VPC B are connected by a single VPC peering connection (pcx-11112222).
Route table entries: VPC A routes VPC B's CIDR block to pcx-11112222, and VPC B routes VPC A's CIDR block to pcx-11112222.
2. Two VPCs peered together with multiple CIDR blocks:
VPC A and VPC B each have more than one IPv4 CIDR block.
Route table entries: each VPC needs one route per CIDR block of the peer, all pointing at the same peering connection. A block of the peer that has no route is simply unreachable over the peering.
3. Three VPCs peered together:
- VPC A is peered to VPC B through VPC peering connection pcx-aaaabbbb
- VPC A is peered to VPC C through VPC peering connection pcx-aaaacccc
- VPC B is peered to VPC C through VPC peering connection pcx-bbbbcccc
Route table entries: each VPC holds one route per peer, each pointing at the peering connection it shares with that peer. VPC A, for example, routes VPC B's CIDR to pcx-aaaabbbb and VPC C's CIDR to pcx-aaaacccc; VPC B and VPC C are configured the same way with their own connections.
4. Multiple VPCs peered together (full mesh):
Because peering is not transitive, every pair of VPCs that must communicate needs its own peering connection. With n VPCs a full mesh is n(n-1)/2 connections, each needing routes in both VPCs, so this configuration is manageable for a handful of VPCs and quickly becomes error-prone beyond that (a transit gateway is the usual replacement at that scale).
VPC peering limitations:
Overlapping CIDR blocks:
- You cannot create a VPC peering connection between VPCs with matching or overlapping IPv4 CIDR blocks.
- If the VPCs have multiple IPv4 CIDR blocks, you cannot create a VPC peering connection if any of the blocks overlap.
- This applies even when you intend to use the peering connection for IPv6 traffic only: two VPCs whose IPv6 CIDR blocks do not overlap still cannot be peered if their IPv4 CIDR blocks do.
Transitive peering
- If VPC A is peered with VPC B and with VPC C, but there is no VPC peering connection between VPC B and VPC C, VPC B cannot reach VPC C through VPC A. Peering is one-to-one and not transitive: a route in VPC B for VPC C's CIDR that targets the A-B peering connection is dropped when it arrives in VPC A, because a peering connection only delivers traffic addressed to the peer VPC's own CIDR blocks. B and C need their own connection (pcx-bbbbcccc in the three-VPC configuration above).
Edge to edge routing through a gateway or private connection
- You have a VPC peering connection between VPC A and VPC B. VPC A also has a Site-to-Site VPN connection or an AWS Direct Connect connection to a corporate network. Edge to edge routing is not supported: traffic from the corporate network cannot reach VPC B through VPC A's VPN or Direct Connect connection, and instances in VPC B cannot reach the corporate network through it. VPC B needs its own VPN or Direct Connect attachment (or a transit gateway).
- Edge to edge routing through an internet gateway
You have a VPC peering connection between VPC A and VPC B (pcx-abababab). VPC A has an internet gateway; VPC B does not. Edge to edge routing is not supported: traffic from the internet cannot reach VPC B by way of VPC A's internet gateway, and a 0.0.0.0/0 route in VPC B that targets the peering connection does not give VPC B internet access either.
Similarly, if VPC A has a NAT device that provides internet access to instances in private subnets in VPC A, instances in VPC B cannot use that NAT device to reach the internet.
- Edge to edge routing through a VPC gateway endpoint
You have a VPC peering connection between VPC A and VPC B (pcx-aaaabbbb). VPC A has a VPC gateway endpoint that connects it to Amazon S3. Edge to edge routing is not supported: VPC B cannot reach Amazon S3 through VPC A's gateway endpoint, because gateway endpoints are routes in VPC A's own route tables, not addresses that VPC B can send traffic to. VPC B needs its own gateway endpoint.
Note the contrast with interface endpoints (AWS PrivateLink): an interface endpoint is an elastic network interface with a private IP address inside VPC A's CIDR, so instances in VPC B can reach it over the peering connection like any other address in VPC A, subject to the endpoint's security group.
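All of the transitive-peering and edge-to-edge limitations above come from one forwarding rule, and they are easier to reason about when that rule is written down. The following is an added example, not code from the original article or from AWS: a small simulation of VPC route tables in which a route whose target is a peering connection delivers a packet only if the destination address belongs to the peer VPC's own CIDR blocks, and never re-looks the packet up in the peer's route table. VPC A has an internet gateway and peers with VPC B and VPC C; VPC B carries two routes that look reasonable but do nothing (VPC C's CIDR and 0.0.0.0/0 via the A-B peering). All IDs and addresses are made-up sample values.

```python
"""Forwarding simulation for VPC peering (added example; IDs are made up).

A pcx target delivers only to addresses inside the peer VPC's CIDR blocks.
Everything the peer could reach through its own peerings, internet gateway,
NAT device, VPN/Direct Connect or gateway endpoints is therefore out of reach.
"""
import ipaddress


class Vpc:
    def __init__(self, vpc_id, cidrs, routes):
        self.vpc_id = vpc_id
        self.nets = [ipaddress.ip_network(c) for c in cidrs]
        # Route table rows: (destination CIDR, target). Target is "local", a
        # peering connection "pcx-...", or an edge device attached to this VPC
        # such as "igw-..." (internet gateway) or "vgw-..." (VPN / Direct Connect).
        self.routes = [(ipaddress.ip_network(d), t) for d, t in routes]

    def owns(self, addr):
        return any(addr in n for n in self.nets)

    def lookup(self, addr):
        """Longest-prefix match over the route table, as AWS does."""
        matches = [(d, t) for d, t in self.routes if addr in d]
        return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


class Peering:
    def __init__(self, pcx_id, vpc_a, vpc_b):
        self.pcx_id, self.ends = pcx_id, (vpc_a, vpc_b)

    def peer_of(self, vpc):
        a, b = self.ends
        return b if vpc is a else a if vpc is b else None


def trace(vpcs, peerings, src_vpc_id, dst_ip):
    """Describe where a packet sent from src_vpc_id to dst_ip ends up."""
    src = vpcs[src_vpc_id]
    addr = ipaddress.ip_address(dst_ip)
    target = src.lookup(addr)
    if target is None:
        return "dropped: no route"
    if target == "local":
        return f"delivered in {src.vpc_id}"
    if target.startswith("pcx-"):
        peer = peerings[target].peer_of(src)
        if peer is None:
            return f"dropped: {target} is not attached to {src.vpc_id}"
        if peer.owns(addr):
            return f"delivered in {peer.vpc_id} via {target}"
        # Transitive peering and every edge-to-edge case fail right here.
        return f"dropped: {target} only reaches {peer.vpc_id}'s own CIDRs"
    # igw / vgw / NAT / gateway endpoint: usable only by the VPC it is attached to.
    return f"leaves {src.vpc_id} via {target}"


def build_scenario(full_mesh=False):
    """VPC A (with internet gateway) peers with B and C; B and C are peered
    only when full_mesh is True."""
    vpc_a = Vpc("vpc-a", ["10.0.0.0/16"], [
        ("10.0.0.0/16", "local"),
        ("172.16.0.0/16", "pcx-aaaabbbb"),
        ("10.2.0.0/16", "pcx-aaaacccc"),
        ("0.0.0.0/0", "igw-aaaa"),
    ])
    b_to_c = "pcx-bbbbcccc" if full_mesh else "pcx-aaaabbbb"
    vpc_b = Vpc("vpc-b", ["172.16.0.0/16"], [
        ("172.16.0.0/16", "local"),
        ("10.0.0.0/16", "pcx-aaaabbbb"),
        ("10.2.0.0/16", b_to_c),        # hoping to transit A unless full mesh
        ("0.0.0.0/0", "pcx-aaaabbbb"),  # hoping to borrow A's internet gateway
    ])
    vpc_c = Vpc("vpc-c", ["10.2.0.0/16"], [
        ("10.2.0.0/16", "local"),
        ("10.0.0.0/16", "pcx-aaaacccc"),
    ] + ([("172.16.0.0/16", "pcx-bbbbcccc")] if full_mesh else []))
    vpcs = {v.vpc_id: v for v in (vpc_a, vpc_b, vpc_c)}
    peerings = {
        "pcx-aaaabbbb": Peering("pcx-aaaabbbb", vpc_a, vpc_b),
        "pcx-aaaacccc": Peering("pcx-aaaacccc", vpc_a, vpc_c),
    }
    if full_mesh:
        peerings["pcx-bbbbcccc"] = Peering("pcx-bbbbcccc", vpc_b, vpc_c)
    return vpcs, peerings


if __name__ == "__main__":
    vpcs, peerings = build_scenario()
    for src, dst in [("vpc-a", "172.16.0.10"), ("vpc-b", "10.2.0.5"),
                     ("vpc-b", "8.8.8.8"), ("vpc-a", "8.8.8.8")]:
        print(f"{src} -> {dst}: {trace(vpcs, peerings, src, dst)}")
    vpcs, peerings = build_scenario(full_mesh=True)
    print("full mesh vpc-b -> 10.2.0.5:", trace(vpcs, peerings, "vpc-b", "10.2.0.5"))
```

The model is deliberately one-directional: a packet that is "delivered" still needs a return route in the receiving VPC and matching security-group and network ACL rules before a connection actually works, which is why Step 3 above insists on routes in both VPCs.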