Introduction
AWS VPC Peering is a point-to-point network connection between two VPCs that leverages AWS networking infrastructure. With VPC Peering, you can connect VPCs belonging to the same or different accounts, residing in the same or different regions within the AWS Global infrastructure except for China.
For example, your company's IT department might have a VPC for file sharing. Since this is a shared resource, you may want to peer other VPCs to that central VPC, but you do not intend to enable direct communication between the other spoke VPCs.
In this blog post, we will look at the following:
- Typical connectivity scenarios suitable for setting up VPC peering connections
- How to set up a VPC peering connection between two VPCs in the same AWS account
- Some limitations of VPC peering connections
Typical use cases
As customers continue to move and deploy workloads to AWS, separating functions such as different departments, applications and trust zones becomes inevitable, and using VPCs to achieve this is a reasonable approach. There are two main scenarios where VPC peering is an ideal solution:
- Your company might be part of a merger or acquisition, and existing VPCs running the same business functions might need to be connected, for example, the accounting or legal departments. If both VPCs are in the same trust zone and you require broad access to resources within the VPCs, then VPC peering is the ideal solution for you.
- You might have central resources that need to be accessed by some departments or VPCs. In this scenario, the centralized services can be set up in a VPC with multiple VPC peering connections to all other departments and their VPCs.
How it works
Firstly, one of the VPCs (the requester) must initiate the VPC peering process, while the other VPC (the accepter) must accept the request for the peering connection to be established. The owner of the requester VPC sends a request to the owner of the accepter VPC; when the owner of the accepter VPC accepts it, the VPC peering connection is established.
Next, you need to configure routes in the route tables of both VPCs so that traffic can flow via the new VPC peering connection. The owner of each VPC must manually add a static route to their route table that points the CIDR of the other VPC to the VPC peering connection as the target.
Finally, the requester and the accepter VPCs must also update their security group and network ACL rules to allow traffic to flow via the peering connection; the route alone does not permit any traffic. Very simple, isn't it? Let's try it out then.
Setting it up
We will set up a VPC peering connection between two VPCs in the same account and the same region, for simplicity's sake. This allows one user with administrative permissions to perform all the tasks smoothly.
Prerequisites
- You must have an AWS account. If not, create a free-tier account first.
- You must have two VPCs with non-overlapping CIDRs within the same account. In our example, our VPCs are named VPC-A with a CIDR range of 10.1.0.0/16 and VPC-B with a CIDR range of 10.2.0.0/16.
- Both VPCs must be in the same AWS Region.
Step 1
Go to https://console.aws.amazon.com/vpc/. You might need to sign in first.
Step 2
In the navigation pane, choose Peering Connections, Create Peering Connection.
Step 3
Configure the following information, and choose Create Peering Connection when you are done:
- Peering connection name tag: You can optionally name your VPC peering connection.
- VPC (Requester): Select the VPC in your account with which you want to create the VPC peering connection.
- Under Select another VPC to peer with, ensure My account is selected.
- Select another of your VPCs.
- The CIDR for VPC-B is automatically populated once it is selected in the VPC (Accepter) field.
- You may add optional tags, then click on Create Peering Connection.
Step 4
- In the confirmation dialogue box, choose OK.
Step 5
- Select the VPC peering connection that you've created.
- Click on the Actions dropdown menu.
- Select Accept Request.
Step 6
- In the confirmation dialogue, choose Yes, Accept.
- A second confirmation dialogue displays; choose to Modify my route tables now to go directly to the route tables page, or choose Close to do this later.
Step 7
Modify the route table of VPC-A so that traffic destined for VPC-B is sent via the peering connection.
- Select the routing table for VPC-A.
- Click on the Routes tab.
- Click on Edit routes.
- Click on Add route.
- Input the CIDR for VPC-B.
- Select the peering connection ID as the target for the route.
- Click on Save routes.
Step 8
Now modify the route table of VPC-B so that traffic destined for VPC-A is sent via the same peering connection.
- Select the routing table for VPC-B.
- Click on the Routes tab.
- Click on Edit routes.
- Click on Add route.
- Input the CIDR for VPC-A.
- Select the peering connection ID as the target for the route.
- Click on Save routes.
Step 9
Some final verifications to make sure everything looks good:
- On VPC-A's routing table, you can see a local route for its CIDR range as well as a route for VPC-B's CIDR of 10.2.0.0/16 with the peering connection as the target.
- On VPC-B's routing table, you can see a local route for its CIDR range as well as a route for VPC-A's CIDR of 10.1.0.0/16 with the same peering connection as the target.
- We can see all the information regarding the VPC peering connection and associated peers.
Some important things to know
- VPC Peering does not support overlapping IPv4 addressing. The CIDR blocks of the two VPCs must not overlap before the peering relationship can be established.
- VPC Peering does not support transitive peering relationships. This means that if VPC A is connected to VPC B, and VPC B is connected to VPC C, but VPC A and VPC C are not directly connected, VPC A and VPC C cannot use their connections to VPC B to reach each other. Furthermore, a VPC peering connection does not give you access to other networks attached to the peer VPC, such as the internet, AWS Direct Connect, or VPN connections to on-premises networks.
- You can only have one VPC peering relationship between two VPCs. VPC A and VPC B cannot have multiple peering connections.
- You can have a maximum of 125 VPC peering connections in your account.
- For security reasons, IAM users do not have permission to create or modify VPC peering connections by default, so you must attach an IAM policy that permits creating VPC peering connections to the IAM user or group of IAM users.
- VPC peering is best used when many resources in one VPC must communicate with many resources in another VPC, and the environments of both VPCs are controlled and secured. But once the number of connected VPCs is above 10, you may want to look into another solution like the AWS Transit Gateway for inter-VPC communication.
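As an added example that is not part of the original post, the following Python script checks the rules described in the setup steps and the notes above, offline: it refuses overlapping CIDRs, produces the static route each side's route table needs, and shows that two VPCs sharing a common peer cannot reach each other. The VPC-A and VPC-B CIDRs match the post; VPC-C, VPC-D and the pcx-EXAMPLE id are constructed placeholders.

```python
# Added example (not from the original post): offline checks for the rules the
# post describes, using Python's standard ipaddress module.
# - VPC CIDRs must not overlap before a peering connection can be created.
# - Each VPC's route table needs a static route for the peer's CIDR that
#   targets the peering connection (pcx-... id).
# - Peering is not transitive: only directly peered VPCs can reach each other.
from ipaddress import ip_network

# Constructed sample VPCs mirroring the post's VPC-A and VPC-B.
VPCS = {
    "VPC-A": "10.1.0.0/16",
    "VPC-B": "10.2.0.0/16",
    "VPC-C": "10.3.0.0/16",
    "VPC-D": "10.1.128.0/17",   # overlaps VPC-A: peering must be refused
}


def plan_peering(name_a, name_b, pcx_id):
    """Return the static route each side must add, or raise on overlap."""
    cidr_a = ip_network(VPCS[name_a])
    cidr_b = ip_network(VPCS[name_b])
    if cidr_a.overlaps(cidr_b):
        raise ValueError(f"{name_a} {cidr_a} overlaps {name_b} {cidr_b}")
    # Requester routes the accepter's CIDR via the peering connection, and vice versa.
    return {
        name_a: {"destination": str(cidr_b), "target": pcx_id},
        name_b: {"destination": str(cidr_a), "target": pcx_id},
    }


def reachable(peerings, src, dst):
    """True only if a peering connection directly joins src and dst.

    No path search is done on purpose: VPC peering never forwards traffic
    between two VPCs that merely share a common peer.
    """
    return any({src, dst} == {a, b} for a, b in peerings)


if __name__ == "__main__":
    plan = plan_peering("VPC-A", "VPC-B", "pcx-EXAMPLE")  # placeholder id
    for vpc, route in plan.items():
        print(f"{vpc} route table: {route['destination']} -> {route['target']}")
    peerings = [("VPC-A", "VPC-B"), ("VPC-B", "VPC-C")]
    print("VPC-A can reach VPC-C?", reachable(peerings, "VPC-A", "VPC-C"))
    try:
        plan_peering("VPC-A", "VPC-D", "pcx-EXAMPLE")
    except ValueError as err:
        print("refused:", err)
```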
Summary
VPC peering connections are a simple and straightforward way to enable communication between two VPCs within or between two different AWS accounts and/or regions.
It is ideal for situations that require broad access between a couple of VPCs in the same trust zone, making it suitable for central resource access scenarios. This can work fine for a few VPCs, but you should consider using the AWS Transit Gateway for connecting over 10 VPCs. It allows transitive routing and has many traffic engineering capabilities.
Before setting up a VPC peering connection, you need to ensure that the peers' CIDR ranges do not overlap. The user setting up the peering connection must also have the necessary permissions. The VPC peering connection is established when the requester VPC sends a request to the accepter VPC, and the accepter VPC accepts it. Traffic will only flow via the VPC peering connection if the appropriate routes are manually added to the peers' routing tables.
Hope this has been informative to you. I will be writing more posts on AWS VPC and networking-related subjects in the coming months. But if you are in a hurry, you can enjoy little snippets of information in my AWS For People In A Hurry series, which is coming soon.
Thanks for reading 👊🏽
Further Reading
Advanced VPC Design and new capabilities for Amazon VPC
Transit Gateway vs VPC peering
Unsupported VPC peering configurations