A Simple VPC Peering Tutorial

Introduction

AWS VPC Peering is a point-to-point network connection between two VPCs that runs over AWS's own networking infrastructure. With VPC Peering, you can connect VPCs belonging to the same or different accounts, residing in the same or different regions within the AWS global infrastructure (except for the China regions).

For example, your company's IT department might have a VPC for file sharing. Since this is a shared resource, you may want to peer other VPCs to that central VPC, but you do not intend to enable direct communication between the other spoke VPCs.

In this blog post, we will look at the following:

  1. Typical connectivity scenarios suitable for setting up VPC peering connections
  2. How to set up a VPC peering connection between two VPCs in the same AWS account
  3. Some limitations of VPC peering connections

Typical use cases

As customers continue to move and deploy workloads to AWS, the need for separation of function (different departments, applications or trust zones) becomes inevitable, and using separate VPCs to achieve this is the natural choice. There are two main scenarios where VPC peering is an ideal solution:

  1. Your company might be part of a merger or acquisition, and existing VPCs running the same business functions might need to be connected, for example, the accounting or legal departments. If both VPCs are in the same trust zone and you require broad access to resources within the VPCs, then VPC peering is the ideal solution for you.
  2. You might have central resources that need to be accessed by some departments or VPCs. In this scenario, the centralized services can be set up in a VPC with multiple VPC peering connections to all other departments and their VPCs.

How it works

First, one of the VPCs (the requester) initiates the VPC peering process, and the other VPC (the accepter) must accept the request for the peering connection to be established. The owner of the requester VPC sends a request to the owner of the accepter VPC; once the owner of the accepter VPC accepts it, the peering connection becomes active.

Next, you need to configure routes in the route tables of both VPCs so that traffic can flow via the new VPC peering connection. The owner of each VPC must manually add a static route to their route tables that points the CIDR of the other VPC at the VPC peering connection as the target.

Finally, both the requester and the accepter VPC must update their security group and NACL rules to allow the traffic that should flow via the peering connection. Very simple, isn't it? Let's try it out then.


Setting it up

We will set up a VPC peering connection between two VPCs in the same account and the same region, for simplicity's sake. This lets one user account with administrative permissions perform all the tasks on both sides.

Prerequisites

  1. You must have an AWS account. If not, click here to create a free-tier account.
  2. You must have two VPCs with non-overlapping CIDRs within the same account. In our example, our VPCs are named VPC-A with a CIDR range of 10.1.0.0/16 and VPC-B with a CIDR range of 10.2.0.0/16.
  3. Both VPCs must be in the same AWS Region.

Step 1

Go to https://console.aws.amazon.com/vpc/. You might need to sign in first.

Step 2

In the navigation pane, choose Peering Connections, then Create Peering Connection.

Step 3

Configure the following information, and choose Create Peering Connection when you are done:

  • Peering connection name tag: you can optionally name your VPC peering connection.
  • VPC (Requester): select the VPC in your account from which you want to create the VPC peering connection (VPC-A in our example).
  • Under Select another VPC to peer with, ensure My account is selected.
  • VPC (Accepter): select another of your VPCs (VPC-B in our example). The CIDR for VPC-B is populated automatically once it is selected.
  • You may add an optional Tag; then click Create Peering Connection.

Step 4

  • In the confirmation dialogue box, choose OK.

Step 5

  • Select the VPC peering connection that you've created.
  • Click on the Actions dropdown menu.
  • Select Accept Request.

Step 6

  • In the confirmation dialogue, choose Yes, Accept.
  • A second confirmation dialogue appears; choose Modify my route tables now to go directly to the route tables page, or choose Close to do this later.

Step 7

Modify the routing tables of VPC-A and VPC-B to permit routing between the VPCs via the peering connection.

  • Select the route table for VPC-A.
  • Click on the Routes tab.
  • Click on Edit routes.
  • Click on Add route.
  • Enter the CIDR for VPC-B (10.2.0.0/16) as the destination.
  • Select the peering connection ID as the target for the route.
  • Click on Save routes.

Step 8

Now do the same for the route table of VPC-B, so that traffic can flow in both directions via the peering connection.

  • Select the route table for VPC-B.
  • Click on the Routes tab.
  • Click on Edit routes.
  • Click on Add route.
  • Enter the CIDR for VPC-A (10.1.0.0/16) as the destination.
  • Select the same peering connection ID as the target for the route.
  • Click on Save routes.

Step 9

Some final verifications to make sure everything looks good:

  • In VPC-A's route table, you can see a local route for its own CIDR range as well as a route for VPC-B's CIDR of 10.2.0.0/16 with the peering connection as the target.
  • In VPC-B's route table, you can see a local route for its own CIDR range as well as a route for VPC-A's CIDR of 10.1.0.0/16 with the same peering connection as the target.
  • On the Peering Connections page, you can see all the information about the VPC peering connection and the associated peer VPCs.

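The same requester/accepter flow from steps 3 to 8, scripted with boto3, as an added example that is not code from the original post. It checks for overlapping CIDRs before doing anything, creates and accepts the peering, adds the static route on each side, and opens each VPC's security group only to the peer's CIDR on a single port. The VPC, route table and security group IDs, the region and the port are placeholders; the RecordingEC2 class is a constructed offline stand-in for the boto3 client so the script can be run without AWS credentials.

```python
"""Scripted version of the peering flow in steps 3 to 8 (added example).

Assumed: VPC-A (10.1.0.0/16) and VPC-B (10.2.0.0/16) in the same account and
region; all IDs below ("vpc-aaaa", "rtb-aaaa", "sg-aaaa", ...) are placeholders.
"""
import ipaddress

try:
    import boto3  # only needed for a real run against AWS
except ImportError:  # keeps the example runnable offline
    boto3 = None


def cidrs_overlap(cidr_a, cidr_b):
    """True when the two IPv4 CIDRs share any address (AWS refuses such peerings)."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def peer_vpcs(ec2, vpc_a, vpc_b, rtb_a, rtb_b, sg_a, sg_b, port=443):
    """VPC-A requests, VPC-B accepts, then both route tables and security
    groups are updated. Returns the peering ID and what was added."""
    vpcs = ec2.describe_vpcs(VpcIds=[vpc_a, vpc_b])["Vpcs"]
    cidrs = {v["VpcId"]: v["CidrBlock"] for v in vpcs}
    if cidrs_overlap(cidrs[vpc_a], cidrs[vpc_b]):
        raise ValueError(f"CIDRs overlap: {cidrs[vpc_a]} and {cidrs[vpc_b]}")

    # Steps 3 and 4: VPC-A is the requester, VPC-B the accepter (same account,
    # so no PeerOwnerId/PeerRegion parameters are needed).
    resp = ec2.create_vpc_peering_connection(VpcId=vpc_a, PeerVpcId=vpc_b)
    pcx_id = resp["VpcPeeringConnection"]["VpcPeeringConnectionId"]
    # Steps 5 and 6: the accepter side accepts with the same credentials.
    ec2.accept_vpc_peering_connection(VpcPeeringConnectionId=pcx_id)

    # Steps 7 and 8: one static route per side, pointing the peer's CIDR at the pcx.
    routes = []
    for rtb, dest in ((rtb_a, cidrs[vpc_b]), (rtb_b, cidrs[vpc_a])):
        ec2.create_route(RouteTableId=rtb, DestinationCidrBlock=dest,
                         VpcPeeringConnectionId=pcx_id)
        routes.append((rtb, dest))

    # Security groups: admit only the peer's CIDR on the port actually needed,
    # not 0.0.0.0/0, so the peering does not widen exposure beyond the two VPCs.
    rules = []
    for sg, src in ((sg_a, cidrs[vpc_b]), (sg_b, cidrs[vpc_a])):
        ec2.authorize_security_group_ingress(
            GroupId=sg,
            IpPermissions=[{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                            "IpRanges": [{"CidrIp": src}]}])
        rules.append((sg, src, port))
    return {"pcx_id": pcx_id, "routes": routes, "rules": rules}


class RecordingEC2:
    """Constructed offline stand-in for a boto3 EC2 client. It records the
    calls made and returns the minimal response shapes of the real API."""

    def __init__(self, cidr_by_vpc):
        self.cidr_by_vpc = cidr_by_vpc
        self.calls = []

    def describe_vpcs(self, VpcIds):
        self.calls.append("describe_vpcs")
        return {"Vpcs": [{"VpcId": v, "CidrBlock": self.cidr_by_vpc[v]} for v in VpcIds]}

    def create_vpc_peering_connection(self, **kwargs):
        self.calls.append("create_vpc_peering_connection")
        return {"VpcPeeringConnection": {"VpcPeeringConnectionId": "pcx-0example"}}

    def accept_vpc_peering_connection(self, **kwargs):
        self.calls.append("accept_vpc_peering_connection")
        return {}

    def create_route(self, **kwargs):
        self.calls.append("create_route")
        return {"Return": True}

    def authorize_security_group_ingress(self, **kwargs):
        self.calls.append("authorize_security_group_ingress")
        return {"Return": True}


if __name__ == "__main__":
    # Real run (assumed region): ec2 = boto3.client("ec2", region_name="eu-west-1")
    ec2 = RecordingEC2({"vpc-aaaa": "10.1.0.0/16", "vpc-bbbb": "10.2.0.0/16"})
    print(peer_vpcs(ec2, "vpc-aaaa", "vpc-bbbb",
                    "rtb-aaaa", "rtb-bbbb", "sg-aaaa", "sg-bbbb"))
```

For a real run, replace RecordingEC2 with boto3.client("ec2", region_name=...) and the placeholder IDs with your own; the caller needs the IAM permissions mentioned below, and NACLs are not touched by the script, so they still need the rules described under "How it works".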

Some important things to know

  • VPC Peering does not support overlapping IPv4 addressing: the CIDR blocks of the two VPCs must not overlap, so check this during VPC setup before the peering relationship can be established.
  • VPC Peering is not transitive. If VPC A is peered with VPC B, and VPC B is peered with VPC C, but VPC A and VPC C are not directly peered, then VPC A and VPC C cannot reach each other through VPC B. Furthermore, you cannot access other networks such as the internet, AWS Direct Connect or VPN connections to on-premises networks via a VPC peering connection.
  • You can only have one VPC peering relationship between two VPCs. VPC A and VPC B cannot have multiple peering connections.
  • You can have a maximum of 125 VPC peering connections in your account.
  • For security reasons, IAM users do not have permission to create or modify VPC peering connections by default, so you must attach an IAM policy permitting the creation of VPC peering connections to the IAM user or group that will set them up.
  • VPC peering is best used when many resources in one VPC must communicate with many resources in another VPC, and both VPC environments are controlled and secured. Once the number of connected VPCs grows beyond 10, consider another solution such as AWS Transit Gateway for inter-VPC communication.

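A route-table audit that turns the step 9 checks and the non-transitive and non-overlap rules above into code, as an added example that is not part of the original post. It reads the JSON shape returned by `aws ec2 describe-route-tables` (or boto3's describe_route_tables), confirms each VPC has a route to the peer's CIDR via the peering connection, and flags routes that point something else at it: a default route (a peering cannot carry internet, Direct Connect or VPN traffic) or a third VPC's CIDR (no transitive routing, so that traffic is dropped). The peering ID, VPC and route table IDs are placeholders and the route tables are constructed sample data.

```python
"""Audit both sides of a VPC peering connection (added example)."""
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
# VPC-B's table carries a stray route for a third VPC's CIDR via the peering
# connection; since peering is not transitive, the audit flags it.
PCX_ID = "pcx-0example"  # placeholder peering connection ID
CIDR_BY_VPC = {"vpc-aaaa": "10.1.0.0/16", "vpc-bbbb": "10.2.0.0/16"}
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-aaaa", "VpcId": "vpc-aaaa", "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "10.2.0.0/16", "VpcPeeringConnectionId": PCX_ID, "State": "active"},
    ]},
    {"RouteTableId": "rtb-bbbb", "VpcId": "vpc-bbbb", "Routes": [
        {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": PCX_ID, "State": "active"},
        {"DestinationCidrBlock": "10.3.0.0/16", "VpcPeeringConnectionId": PCX_ID, "State": "active"},
    ]},
]


def audit_peering_routes(route_tables, pcx_id, cidr_by_vpc):
    """Check the two peered VPCs' route tables against the tutorial's rules.

    cidr_by_vpc maps exactly the two peered VPC IDs to their CIDRs. Returns a
    list of findings; an empty list means both directions are routed and
    nothing unsupported is pointed at the peering connection.
    """
    if len(cidr_by_vpc) != 2:
        raise ValueError("a peering connection joins exactly two VPCs")
    findings = []
    routed = {vpc: False for vpc in cidr_by_vpc}
    for rtb in route_tables:
        vpc = rtb.get("VpcId")
        if vpc not in cidr_by_vpc:
            continue  # a table from some unrelated VPC
        (peer_vpc,) = set(cidr_by_vpc) - {vpc}
        peer_cidr = ipaddress.ip_network(cidr_by_vpc[peer_vpc])
        for route in rtb.get("Routes", []):
            if route.get("VpcPeeringConnectionId") != pcx_id:
                continue  # local, IGW, NAT and other routes are out of scope here
            dest = ipaddress.ip_network(route["DestinationCidrBlock"])
            where = f"{rtb['RouteTableId']} ({vpc})"
            if route.get("State") == "blackhole":
                findings.append(f"{where}: route to {dest} via {pcx_id} is blackholed "
                                "(peering deleted or never accepted?)")
            elif dest.prefixlen == 0:
                findings.append(f"{where}: default route via {pcx_id}; a peering cannot "
                                "reach the internet, Direct Connect or VPN")
            elif dest.subnet_of(peer_cidr):
                routed[vpc] = True  # the expected static route from steps 7 and 8
            else:
                findings.append(f"{where}: {dest} is outside peer CIDR {peer_cidr}; "
                                "no transitive routing, so this traffic is dropped")
    for vpc, ok in routed.items():
        if not ok:
            findings.append(f"{vpc}: no route to the peer CIDR via {pcx_id}; "
                            "traffic will not flow in this direction")
    return findings


if __name__ == "__main__":
    for line in audit_peering_routes(SAMPLE_ROUTE_TABLES, PCX_ID, CIDR_BY_VPC) or ["OK"]:
        print(line)
```

In practice you would feed it the output of `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-a>,<vpc-b>` and run it after any route change; a non-empty result means either a missing direction (traffic silently fails) or a route that the peering can never serve.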
Summary

VPC peering connections are a simple and straightforward way to enable communication between two VPCs within or between two different AWS accounts and/or regions.

It is ideal for situations that require broad access between a couple of VPCs in the same trust zone, making it suitable for central resource access scenarios. This can work fine for a few VPCs, but you should consider using the AWS Transit Gateway for connecting over 10 VPCs. It allows transitive routing and has many traffic engineering capabilities.

Before setting up a VPC peering connection, you need to ensure that the peers' CIDR ranges do not overlap. The user setting up the peering connection must also have the necessary permissions. The VPC peering connection is established when the requester VPC sends a request to the accepter VPC, and the accepter VPC accepts it. Traffic will only flow via the VPC peering connection if the appropriate routes are manually added to the peers' routing tables.

Hope this has been informative to you. I will be writing more posts on AWS VPC and networking-related subjects in the coming months. But if you are in a hurry, you can enjoy little snippets of information in my AWS For People In A Hurry series, which is coming soon.

Thanks for reading 👊🏽


Further Reading

What is VPC peering

Advanced VPC Design and new capabilities for Amazon VPC

Transit Gateway vs VPC peering

Unsupported VPC peering configurations