VPC Peering

• A VPC peering connection is a networking connection between two VPCs that enables routing of traffic between them using private IPv4 addresses or IPv6 addresses.
• VPC peering connection
  • can be established between your own VPCs, or with a VPC in another AWS account in the same or different region.
  • is a one-to-one relationship between two VPCs.
  • supports intra and inter-region peering connections.
• With VPC peering,
  • Instances in either VPC can communicate with each other as if they are within the same network
  • AWS uses the existing infrastructure of a VPC to create a peering connection; it is neither a gateway nor a VPN connection and does not rely on a separate piece of physical hardware.
  • There is no single point of failure for communication or a bandwidth bottleneck
  • All inter-region traffic is encrypted with no single point of failure, or bandwidth bottleneck. Traffic always stays on the global AWS backbone, and never traverses the public internet, which reduces threats, such as common exploits, and DDoS attacks.
  • EC2 instances can use full instance bandwidth for inter-region VPC peering traffic (previously limited to 50% for instances with 32+ vCPUs, or 5 Gbps for smaller instances).
• VPC peering pricing
  • There is no charge to create a VPC peering connection.
  • All data transfer over a VPC peering connection that stays within an Availability Zone (AZ) is free, even if it’s between different accounts.
  • Charges apply for data transfer over VPC peering connections that cross Availability Zones and Regions.
  • Since April 2025, VPC Peering billing uses a dedicated usage type (Region-Name-VpcPeering-In/Out-Bytes) for easier cost tracking in Cost Explorer and Cost and Usage Reports.

VPC Peering Connectivity

• To create a VPC peering connection, the owner of the requester VPC sends a request to the owner of the accepted VPC.
• Accepter VPC can be owned by the same account or a different AWS account.
• Once the Accepter VPC accepts the peering connection request, the peering connection is activated.
• Route tables on both the VPCs should be manually updated to allow traffic
• Security groups on the instances should allow traffic to and from the peered VPCs.

VPC Peering Limitations & Rules

1. Does not support Overlapping or matching IPv4 or IPv6 CIDR blocks.
2. Does not support transitive peering relationships i.e. the VPC does not have access to any other VPCs that the peer VPC may be peered with even if established entirely within your own AWS account
3. Does not support Edge to Edge Routing Through a Gateway or Private Connection
4. In a VPC peering connection, the VPC does not have access to any other connection that the peer VPC may have and vice versa. Connections that the peer VPC can include
   1. A VPN connection or an AWS Direct Connect connection to a corporate network
   2. An Internet connection through an Internet gateway
   3. An Internet connection in a private subnet through a NAT device
   4. A VPC endpoint to an AWS service; for example, an endpoint to S3.
5. VPC peering connections quotas
   • Default limit of 50 active VPC peering connections per VPC, which can be increased up to a maximum of 125.
   • Default limit of 25 outstanding VPC peering connection requests.
   • Unaccepted VPC peering connection requests expire after 1 week (168 hours).
6. Only one peering connection can be established between the same two VPCs at the same time.
7. Jumbo frames (MTU up to 8500 bytes) are supported for peering connections both within the same region and across regions.
8. A placement group can span peered VPCs that are in the same region; however, you do not get full-bisection bandwidth between instances in peered VPCs
9. Inter-region VPC peering connections
   1. Updated March 2025: The Maximum Transmission Unit (MTU) across an inter-region peering connection is now 8500 bytes (jumbo frames supported). Previously limited to 1500 bytes.
   2. Security group rule that references a peer VPC security group cannot be created for cross-region peering.
   3. EC2 instances can use full instance bandwidth for inter-region peering (no longer limited to 50% or 5 Gbps).
10. Any tags created for the peering connection are only applied in the account or region in which they were created
11. Unicast reverse path forwarding in peering connections is not supported
12. Instance’s Public DNS can be resolved to its private IP address across peered VPCs when DNS resolution is enabled for the VPC peering connection.

VPC Peering Encryption

• All inter-region VPC peering traffic is encrypted with AES-256 before leaving AWS data centers.
• Intra-region traffic between Nitro-based EC2 instances is also encrypted transparently.
• VPC Encryption Controls (November 2025):
  • Provides ability to monitor, audit, and enforce encryption in transit within and across VPCs.
  • Automatically applies hardware-based AES-256 encryption on traffic between VPC resources including Fargate, NLB, and ALB.
  • Helps demonstrate compliance with encryption standards (HIPAA, PCI DSS).
  • Can identify VPC resources unintentionally allowing plaintext traffic.
  • Generates audit logs for compliance and reporting.

VPC Peering Troubleshooting

• Verify that the VPC peering connection is in the Active state.
• Be sure to update the route tables for the peering connection. Verify that the correct routes exist for connections to the IP address range of the peered VPCs through the appropriate gateway.
• Verify that an ALLOW rule exists in the network access control (NACL) table for the required traffic.
• Verify that the security group rules allow network traffic between the peered VPCs.
• Verify using VPC flow logs that the required traffic isn’t rejected at the source or destination. This rejection might occur due to the permissions associated with security groups or network ACLs.
• Be sure that no firewall rules block network traffic between the peered VPCs. Use network utilities such as traceroute (Linux) or tracert (Windows) to check rules for firewalls such as iptables (Linux) or Windows Firewall (Windows).
• For DNS resolution issues, ensure that DNS resolution is enabled for the VPC peering connection to resolve public DNS hostnames to private IP addresses.

VPC Peering Architecture

• VPC Peering can be applied to create shared services or perform authentication with an on-premises instance
• This would help create a single point of contact, as well limiting the VPN connections to a single account or VPC

VPC Peering vs Transit Gateway vs PrivateLink vs VPC Lattice

When to Use Each Solution

• VPC Peering
  • Best for: Simple, direct connections between a small number of VPCs (typically less than 10)
  • Advantages: No additional cost for the connection itself, low latency, simple setup, full instance bandwidth inter-region
  • Limitations: Does not support transitive routing, becomes complex at scale (mesh topology), limited to 125 peering connections per VPC
• AWS Transit Gateway
  • Best for: Hub-and-spoke architecture with many VPCs (10+), centralized routing, hybrid connectivity
  • Advantages: Supports transitive routing, centralized management, scales to thousands of VPCs, integrates with Direct Connect and VPN
  • Limitations: Additional cost per attachment and data processing, slightly higher latency than direct peering
• AWS PrivateLink
  • Best for: Service-to-service connectivity, exposing services to multiple consumers, SaaS applications
  • Advantages: Unidirectional access, no VPC CIDR overlap issues, enhanced security, supports cross-account and cross-region access
  • Limitations: Requires Network Load Balancer or Gateway Load Balancer, additional cost, one-way communication by default
• Amazon VPC Lattice
  • Best for: Application-layer service-to-service networking across VPCs and accounts
  • Advantages: No NLB required (unlike PrivateLink), built-in service discovery, IAM-based authorization, cross-VPC/cross-account without CIDR coordination, TLS termination at data plane
  • Limitations: Application-layer (L7) only, newer service with evolving feature set
  • Note: AWS App Mesh is being discontinued (EOL September 30, 2026); VPC Lattice is the recommended migration path

AWS Certification Exam Practice Questions

• Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
• AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
• AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
• Open to further feedback, discussion and correction.

1. You currently have 2 development environments hosted in 2 different VPCs in an AWS account in the same region. There is now a need for resources from one VPC to access another. How can this be accomplished?
   
   1. Establish a Direct Connect connection.
   2. Establish a VPN connection.
   3. Establish VPC Peering.
   4. Establish Subnet Peering.
2. A company has an AWS account that contains three VPCs (Dev, Test, and Prod) in the same region. Test is peered to both Prod and Dev. All VPCs have non-overlapping CIDR blocks. The company wants to push minor code releases from Dev to Prod to speed up the time to market. Which of the following options helps the company accomplish this?
   1. Create a new peering connection Between Prod and Dev along with appropriate routes.
   2. Create a new entry to Prod in the Dev route table using the peering connection as the target.
   3. Attach a second gateway to Dev. Add a new entry in the Prod route table identifying the gateway as the target.
   4. The VPCs have non-overlapping CIDR blocks in the same account. The route tables contain local routes for all VPCs.
3. A company has 2 AWS accounts that have individual VPCs. The VPCs are in different AWS regions and need to communicate with each other. The VPCs have non-overlapping CIDR blocks. Which of the following would be a cost-effective connectivity option?
   
   1. Use VPN connections
   2. Use VPC peering between the 2 VPC’s
   3. Use AWS Direct Connect
   4. Use a NAT gateway
4. A company needs to connect 15 VPCs across multiple AWS accounts and regions with centralized routing and management. Which solution is most appropriate?
   1. Create VPC peering connections between all VPCs
   2. Use AWS Transit Gateway with a hub-and-spoke architecture
   3. Use AWS PrivateLink for all connections
   4. Use multiple VPN connections
5. A SaaS provider wants to expose their application running in their VPC to multiple customer VPCs without requiring VPC peering or overlapping CIDR concerns. Which solution should they use?
   1. VPC Peering with each customer VPC
   2. AWS Transit Gateway
   3. AWS PrivateLink with VPC endpoint service
   4. Internet Gateway with security groups
6. A company needs to transfer large amounts of data between VPCs in different AWS regions with maximum throughput. Which statement about inter-region VPC peering is correct? (Updated 2025)
   1. Inter-region VPC peering is limited to 1500 bytes MTU and 5 Gbps bandwidth
   2. Inter-region VPC peering does not support encryption
   3. Inter-region VPC peering supports jumbo frames (8500 bytes MTU) and full EC2 instance bandwidth
   4. Inter-region VPC peering requires a Transit Gateway attachment
7. A company wants to audit and enforce encryption on all traffic flowing through their VPC peering connections to meet PCI DSS compliance. Which AWS feature should they use?
   1. AWS CloudTrail encryption logging
   2. VPC Flow Logs with encryption filter
   3. VPC Encryption Controls
   4. AWS Network Firewall with TLS inspection

References

AWS VPC Peering

VPC Peering Connection Quotas

EC2 Bandwidth and Jumbo Frames for Inter-Region Peering (March 2025)

VPC Peering Billing Simplification (April 2025)

VPC Encryption Controls (November 2025)