AWS VPC Peering

VPC Peering

  • A VPC peering connection is a networking connection between two VPCs that enables routing of traffic between them using private IPv4 addresses or IPv6 addresses.
  • VPC peering connection
    • can be established between your own VPCs, or with a VPC in another AWS account in the same or different region.
    • is a one-to-one relationship between two VPCs.
    • supports intra and inter-region peering connections.
  • With VPC peering,
    • Instances in either VPC can communicate with each other as if they are within the same network 
    • AWS uses the existing infrastructure of a VPC to create a peering connection; it is neither a gateway nor a VPN connection and does not rely on a separate piece of physical hardware. 
    • There is no single point of failure for communication or a bandwidth bottleneck
    • All inter-region traffic is encrypted with no single point of failure, or bandwidth bottleneck. Traffic always stays on the global AWS backbone, and never traverses the public internet, which reduces threats, such as common exploits, and DDoS attacks.
  • VPC peering does not have any separate charges. However, there are data transfer charges.

AWS VPC Peering

VPC Peering Connectivity

  • To create a VPC peering connection, the owner of the requester VPC sends a request to the owner of the accepted VPC.
  • Accepter VPC can be owned by the same account or a different AWS account.
  • Once the Accepter VPC accepts the peering connection request, the peering connection is activated.
  • Route tables on both the VPCs should be manually updated to allow traffic
  • Security groups on the instances should allow traffic to and from the peered VPCs.

VPC Peering Limitations & Rules

  1. Does not support Overlapping or matching IPv4 or IPv6 CIDR blocks.
  2. Does not support transitive peering relationships i.e. the VPC does not have access to any other VPCs that the peer VPC may be peered with even if established entirely within your own AWS account
  3. Does not support Edge to Edge Routing Through a Gateway or Private Connection
  4. In a VPC peering connection, the VPC does not have access to any other connection that the peer VPC may have and vice versa. Connections that the peer VPC can include
    1. A VPN connection or an AWS Direct Connect connection to a corporate network
    2. An Internet connection through an Internet gateway
    3. An Internet connection in a private subnet through a NAT device
    4. A ClassicLink connection to an EC2-Classic instance
    5. A VPC endpoint to an AWS service; for example, an endpoint to S3.
  5. VPC peering connections are limited on the number of active and pending peering connections that you can have per VPC.
  6. Only one peering connection can be established between the same two VPCs at the same time.
  7. Jumbo frames are supported for peering connections within the same region.
  8. A placement group can span peered VPCs that are in the same region; however, you do not get full-bisection bandwidth between instances in peered VPCs
  9. Inter-region VPC peering connections
    1. The Maximum Transmission Unit (MTU) across an inter-region peering connection is 1500 bytes. Jumbo frames are not supported.
    2. Security group rule that references a peer VPC security group cannot be created.
  10. Any tags created for the peering connection are only applied in the account or region in which they were created
  11. Unicast reverse path forwarding in peering connections is not supported
  12. Circa July 2016, Instance’s Public DNS can now be resolved to its private IP address across peered VPCs. The instance’s public DNS hostname does not resolve to its private IP address across peered VPCs.

VPC Peering Troubleshooting

  • Verify that the VPC peering connection is in the Active state.
  • Be sure to update the route tables for the peering connection. Verify that the correct routes exist for connections to the IP address range of the peered VPCs through the appropriate gateway.
  • Verify that an ALLOW rule exists in the network access control (NACL) table for the required traffic.
  • Verify that the security group rules allow network traffic between the peered VPCs.
  • Verify using VPC flow logs that the required traffic isn’t rejected at the source or destination. This rejection might occur due to the permissions associated with security groups or network ACLs.
  • Be sure that no firewall rules block network traffic between the peered VPCs. Use network utilities such as traceroute (Linux) or tracert (Windows) to check rules for firewalls such as iptables (Linux) or Windows Firewall (Windows).

VPC Peering Architecture

AWS VPC Architecture

  • VPC Peering can be applied to create shared services or perform authentication with an on-premises instance
  • This would help create a single point of contact, as well limiting the VPN connections to a single account or VPC

VPC Peering vs Transit Gateway

VPC Peering vs Transit VPC vs Transit Gateway

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. You currently have 2 development environments hosted in 2 different VPCs in an AWS account in the same region. There is now a need for resources from one VPC to access another. How can this be accomplished?
    1. Establish a Direct Connect connection.
    2. Establish a VPN connection.
    3. Establish VPC Peering.
    4. Establish Subnet Peering.
  2. A company has an AWS account that contains three VPCs (Dev, Test, and Prod) in the same region. Test is peered to both Prod and Dev. All VPCs have non-overlapping CIDR blocks. The company wants to push minor code releases from Dev to Prod to speed up the time to market. Which of the following options helps the company accomplish this?
    1. Create a new peering connection Between Prod and Dev along with appropriate routes.
    2. Create a new entry to Prod in the Dev route table using the peering connection as the target.
    3. Attach a second gateway to Dev. Add a new entry in the Prod route table identifying the gateway as the target.
    4. The VPCs have non-overlapping CIDR blocks in the same account. The route tables contain local routes for all VPCs.
  3. A company has 2 AWS accounts that have individual VPCs. The VPCs are in different AWS regions and need to communicate with each other. The VPCs have non-overlapping CIDR blocks. Which of the following would be a cost-effective connectivity option?
    1. Use VPN connections
    2. Use VPC peering between the 2 VPC’s
    3. Use AWS Direct Connect
    4. Use a NAT gateway

References

AWS_VPC_Peering

32 thoughts on “AWS VPC Peering

  1. hi Jayendra..going through this blog and CLOUDGURU Course is enough
    for the certification???

    1. Hi Veeresha, frankly speaking from my experience it might just be enough to clear as it covers most of the stuff for Associate exams.

  2. Hi jayendra,
    Thanks for wonderful blog…. it helping…..
    What are the certifications u cleared??
    Hi Veeresha,
    Have u cleared the exam??

    1. Hi Amit, i have cleared AWS Solution Architect and Sysops – Associate certifications

    1. All the best for the exams, be sure to go through the questions on the blog. Let me know the result.

      1. Hi Jayendra, Thanks first of all and appreciate your efforts to put in the AWS knowledge on this nicely organized portal. Just would like to check if your block contents are constantly updated now a days ( Jan 18 ) ?

        1. Most of the contents are updated and they are constantly updated as well.
          Key points to remember – AWS have enhancements every other day and the exams do not reflect the same.

  3. thanks jay….
    Going through the same right now…will sure let u know the result tomo……

    Regards….

      1. Congrts Amit !!!. Amit, I am also planning to appear SA exam in near future. could you please help me what questions were appeared in the exam ? cloud guru is sufficient to clear exam ?

        Your response will be really helpful to me

        My email is octoberman3@gmail.com

        Thanks
        K.Senthilkumar

        1. Thank u Senthil…
          I dont remembered all the questions. But more were from EBS and S3. and few from VPC… exam was looks very easy…
          Cloud guru course is good.. but not enough… u need to read all faqs and this blogs…

  4. Can you help with this q?

    A company has configured and peered two VPCs: VPC-1 and VPC-2. VPC-1 contains only private subnets, and VPC-2 contains only public subnets. The company uses a single AWS Direct Connect connection and private virtual interface to connect their on-premises network with VPC-1. Which two methods increases the fault tolerance of the connection to VPC-1? Choose 2 answers:

    A.Establish a hardware VPN over the internet between VPC-2 ana the on-premises network.

    B.Establish a hardware VPN over the internet between VPC-1 and the on-premises network.

    C.Establish a new AWS Direct Connect connection and private virtual interface in the same region as VPC-2.

    D.Establish a new AWS Direct Connect connection and private virtual interface in a different AWS region than VPC-1.

    E.Establish a new AWS Direct Connect connection and private virtual interface in the same AWS region as VPC-1

    1. Would go for B & E as Direct Connect connections are not redundant and you need to provide fault tolerance either by setting up a second Direct Connect connection or using VPN. Also, the connection should be to the same VPC as even though the VPC are peered, you cannot connect from one VPC to other.

  5. Thanks Jay for this wonderful website. I just passed my AWS CSA-A. Your content helped a lot.

  6. Hi Jayendra, can you please explain answer to Q1? What to understand why option b is incorrect.

    1. As the connections are non transitive, a route table entry would not work and you would need to set a new peering connection between prod and dev.

      1. Hello Jayendra,

        The answer “a” also tends to transitive peering i.e. test prod and test dev so ideally we should not be doing transitive peering between prod dev .
        Could you please explain how “a” option suits the best .

        1. A is a direction connection between Prod and Dev. Its not transitive i.e. not via QA.

  7. Using shared VPCs, you can mount an Amazon EFS file system that is owned by one account from Amazon EC2 instances that are owned by a different account.

  8. hi Jayendra..going through this blog and CLOUDGURU Course and cloud guru mentioned whitepapers is enough for the certification???

    1. Tharks Marek, yup Public DNS resolution within VPC peering seems to be supported now. Will update the blog.

Comments are closed.