Introduction to AWS VPC Peering
A VPC Peering connection is a networking connection between two VPCs that enables you to route traffic between them privately (using private IPv4 or IPv6 addresses). Instances in either VPC can communicate with each other as if they are within the same network.
VPCs can be in different regions (known as inter-region VPC peering connection).
VPC Peering Key points
- You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account or with a VPC in a different AWS Region.
- VPC peering connection is a one to one relationship between two VPCs.
- You can create multiple VPC peering connections for each VPC, but transitive peering relationships are not supported.
- You can modify a VPC peering connection to enable instances in their VPC to communicate with linked EC2-Classic instances in the peer VPC.
- AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection, and does not rely on a separate piece of physical hardware.
- There is no single point of failure for communication or a bandwidth bottleneck.
VPC Peering Limitations
- VPC peering connection cannot be created between VPCs that have matching or overlapping CIDR blocks.
- VPC peering does not support transitive peering relationships.
If A is peered with B, B is peered with C, A is not peered with C.
- VPC does not have access to any other connection that the peer VPC may have and vice versa. Connections that the peer VPC can include:
– VPN connection
– AWS Direct Connect connection
– Internet connection through an Internet gateway
– Internet connection in a private subnet through a NAT device
– VPC endpoint to an AWS service
- VPC peering does not support Edge to Edge Routing through a Gateway or Private Connection.
- You cannot have more than one VPC peering connection between the same two VPCs at the same time.
- Unicast reverse path forwarding (RPF) in VPC peering connections is not supported.
- VPC peering connection are limited on the number active and pending VPC peering connections that you can have per VPC.
Establishing VPC Peering Connection
- To enable the flow of traffic between the VPCs, the owner of each VPC in the VPC peering connection must manually add a route to one or more of their VPC route tables that points to the IP address range of the other VPC (the peer VPC).
- Update the security group rules that are associated with your instance to ensure that traffic to and from the peer VPC is not restricted.
- Peering two or more VPCs to provide full access to resources — you have two or more VPCs that you want to peer to enable full sharing of resources between all VPCs.
- Peering to one VPC to access centralized resources — you have a central VPC that contains resources that you want to share with other VPCs. Your central VPC may require full or partial access to peer VPCs, and similarly, peer VPCs may require full or partial access to central VPC.
- VPC peering connection helps you to facilitate transfer of data — if you have more than one AWS account, you can peer VPCs across those accounts to create a file sharing network. You can also use a VPC peering connection to allow other VPCs to access resources you have in one of your VPCs.
- A specific security need that requires separation of function using a VPC construct, but that also requires private connectivity to other environments.
- Common server or services (e.g. an account with a deploy VPC or a separate deploy VPC in the same account, that controls the build/deployment across different AWS accounts).