AWS Virtual Private Cloud instances (VPC’s) allow you to run workloads and store data in the cloud.
Sometimes you may need to share access between two separate VPCs so applications or workloads in one VPC can access data or resources in another.
This is where a VPC peering connection comes into play. A VPC peering connection will connect 2 separate VPCs. The VPCs can be in the same AWS account or in completely separate accounts.
The network connection between the VPCs is established using private IPv4 or IPv6 addresses so that instances in either VPC can communicate with each other as if they were in the same VPC. The connected VPCs can be in different regions and well as different AWS accounts. If the connected VPCs are in separate regions, this is referred to as inter-region peering.
The connection is made via private IP addresses to allow the connectivity. You can use VPC peering at it’s simplest level to enable file sharing, or to enable EC2 instances to communicate with each other, make Amazon RDS databases available to both VPCs or to make lambda functions available across the peering connection.
The VPC peering connection stands alone and does not require a gateway connection, VPN connection or dedicated network appliance as the connection is via private IP within the AWS ecosystem on the AWS global backbone. A peering connection never uses the public internet so is a lot less susceptible to exploits and DDoS attacks.
Inter regional VPC peering is a cost effective way to share resources and implement geographic redundancy mitigation via data replication.
There is no charge to establish a VPC peering connection, however there is a charge for data transfer across the connection.
VPC Peering Connection Lifecycle
When you initiate a VPC peering connection, it goes through a number of lifecycle stages.
The first stage is initiating request.
Once initiated the peering request can either fail, or move to pending acceptance.
If the request is accepted, the VPC Peering connection will move to an active status.
If the request is not accepted or the request expires due to no response or the initiator deletes the request, then the connection is deleted and no longer appears in the AWS VPC console.
If you are peering two VPCs in the same account, you will perform both the request and accept actions. If you are peering to another AWS account, you will initiate the peering request and wait for the other account owner to action the acceptance.
Multiple VPC Peering Connections.
It is possible to create multiple VPC peering connections on a VPC. This would connect the VPC on a one-to-one relationship. If you connect VPC 1 to VPC 2 and VPC 3, that does not enable VPC2 and VPC 3 to directly communicate with each other.
To connect VPC 2 & VPC together, another VPC peering connection is required.
VPC Peering Limitations
There are some limitations on VPC peering connections. As a default, you can add 50 VPC peering connections to a single VPC which will cover most use cases. This number is adjustable however and you can scale this up to 125 connections per VPC.
You cannot create a VPC peering connection between two VPCs that have the same or overlapping CIDR blocks (either IPv4 or IPv6), so if your IPv4 CIDR address ranges are unique but your IPv6 CIDR blocks overlap, then you cannot create the peer.
When you create a peering connection it issues a peering request. You can have up to 25 outstanding peering requests at any one time. This may be adjustable.
You cannot have more than one VPC peering connection between the same two VPCs, although that seems pretty pointless.
If you intend to use IPv6 to communicate between resources over the peering connection, you will need to associate a CIDR block to each VPC as this is not automatically set up. You would then need to enable IPv6 on the individual resources and add IPv6 routing information to the route tables to associate each VPC with the peering connection.
Create a VPC peering connection with another VPC in your account.
In this scenario, you will both request and accept the connection request.
From the AWS console, open the VPC console and open the VPC peering connections
Create a Peering Connection and fill in the Requester VPC, select My Account & region and then choose the Accepter VPC:
This will then move the process into “Pending Acceptance”
Then from the “Actions” menu, you can accept the request and the peering connection will be live.
Create a VPC peering connection with another AWS account
The process to create a peering connection to a VPC in another AWS account is almost identical to the previous example, only this time when prompted to select another VPC to peer to, you select “Another Account”
Adding VPC peering to route tables
The next crucial step after you have created your peering connection is to make sure your vpc can route traffic to the peering connection.
To do this open Route Tables from the VPC Console, select the VPC you would like to be able to route traffic through the peering connection and from the actions menu, select edit routes:
Then you can add a route, specify the CIDR block, a portion of a CIDR block or an individual IP address in the destination VPC as the destination. Then select the VPC peering connection as the target and save the route table.
The owner of the target VPC will need to repeat the process to route traffic from the destination VPC back through the peering connection to your VPC using a CIDR block, range or specific resource instance IP address.
So that’s a quick look at VPC peering connections and what they are used for.
VPC peering connections are just one of hundreds of AWS resources automatically discovered by Hava when automatically generating AWS network topology diagrams.
You can see for yourself, by taking a free 14 day trial using the button below.