[AWS Architect] (13) VPC Peering

VPC Peering allows direct communication between two VPCs at OSI Layer 3 (Network). Once the VPCs are peered, the two VPCs can communicate using private IP addresses.

  • VPC Peers can span AWS accounts and even regions with some limitations.
  • Data is encrypted and transits via the AWS global backbone.

VPC Peering Limitations

  • VPC CIDR blocks cannot overlap, and IPv6 support is not available cross-region.
  • Transitive routing is not supported. A VPC Peering connection always joins exactly 2 VPCs (Requester and Accepter) and cannot be chained: if A is peered with B and B is peered with C, A still cannot reach C. A full mesh of peering connections is required to connect all VPCs.

Setting VPC Peering

  • You start from one VPC (Requester) and request a connection to another VPC (Accepter) – in the same account or in a different account.
  • The request must be accepted by a user of the accepter's account.

Configuring VPC Peering

  • To allow traffic, you need to create a route to the VPC Peering connection in the route table of each VPC.
  • You can use NACLs and security groups from both VPCs to restrict access.
  • In order to resolve public DNS hostnames to private IPs, you need to enable and edit the DNS settings in the “Peer Connections” menu.

Use cases

  • Company mergers, shared services, company and vendor, auditing.

Inter-Region VPC Peering

  • Traffic is encrypted. Encryption keys are managed by AWS.
  • By default, a query for a public hostname of an instance in a peered VPC in a different region will resolve to a public IP address. Route 53 private DNS can be used to resolve to a private IP address with Inter-Region VPC Peering.
  • Security groups cannot be referenced across the Inter-Region VPC Peering connection.
  • Inter-Region VPC Peering supports IPv6 but cannot be used with EC2-Classic Link.
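The constraints listed above (no overlapping CIDRs, no transitive routing so a full mesh is needed, one route per VPC route table pointing at the peering connection, and security groups that cannot be referenced across an inter-region peering) can be checked before touching the console. The following script is an added example written for this page, not AWS code; the VPC names, CIDRs, regions, the `sg-...` security group ids and the `pcx-example-*` peering connection ids are constructed placeholders. It plans the routes and the security-group ingress source for each peering and shows that reachability is limited to directly peered VPCs.

```python
"""Plan VPC Peering routes and security-group sources under the page's constraints.

Added example (not AWS or console code). All ids and CIDRs below are constructed.
"""
from dataclasses import dataclass
from itertools import combinations
import ipaddress


@dataclass(frozen=True)
class Vpc:
    name: str
    cidr: str
    region: str
    sg_id: str  # hypothetical security group id protecting the workload in this VPC


def cidrs_overlap(cidr_a: str, cidr_b: str) -> bool:
    """VPC Peering is refused when the two CIDR blocks overlap."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def validate_peering(a: Vpc, b: Vpc) -> None:
    """Raise if the pair cannot be peered (overlapping address space)."""
    if cidrs_overlap(a.cidr, b.cidr):
        raise ValueError(f"{a.name} ({a.cidr}) overlaps {b.name} ({b.cidr}); peering not allowed")


def peering_routes(a: Vpc, b: Vpc, pcx_id: str) -> dict:
    """One route per VPC: the peer's CIDR as destination, the pcx as target.

    Returns {vpc_name: (destination_cidr, target)} so each side's route table
    can be updated; traffic does not flow until both routes exist.
    """
    validate_peering(a, b)
    return {a.name: (b.cidr, pcx_id), b.name: (a.cidr, pcx_id)}


def ingress_source(from_vpc: Vpc, to_vpc: Vpc) -> dict:
    """Least-privilege source for a security-group rule in to_vpc.

    Same region: reference the peer's security group id (tightest scope).
    Different region: the peer SG cannot be referenced, so fall back to the
    peer VPC's CIDR (still narrower than 0.0.0.0/0).
    """
    if from_vpc.region == to_vpc.region:
        return {"source_sg": from_vpc.sg_id}
    return {"cidr": from_vpc.cidr}


def reachable(peerings: list, src: str, dst: str) -> bool:
    """Peering is non-transitive: only directly peered VPCs can talk."""
    direct = {frozenset(pair) for pair in peerings}
    return frozenset((src, dst)) in direct


def full_mesh(vpc_names: list) -> list:
    """All pairs needed so every VPC reaches every other one: n(n-1)/2 peerings."""
    return list(combinations(sorted(vpc_names), 2))


# Constructed sample VPCs: A/B share a region, C is in another region, D overlaps A.
VPC_A = Vpc("A", "10.0.0.0/16", "us-east-1", "sg-0a0a0a0a0a0a0a0a0")
VPC_B = Vpc("B", "10.1.0.0/16", "us-east-1", "sg-0b0b0b0b0b0b0b0b0")
VPC_C = Vpc("C", "10.2.0.0/16", "eu-west-1", "sg-0c0c0c0c0c0c0c0c0")
VPC_D = Vpc("D", "10.0.128.0/17", "us-east-1", "sg-0d0d0d0d0d0d0d0d0")


def plan_mesh(vpcs: list) -> dict:
    """Build routes and SG sources for a full mesh of the given VPCs."""
    by_name = {v.name: v for v in vpcs}
    plan = {}
    for i, (x, y) in enumerate(full_mesh(list(by_name))):
        a, b = by_name[x], by_name[y]
        pcx_id = f"pcx-example-{i}"  # placeholder, assigned by AWS in reality
        plan[(x, y)] = {
            "routes": peering_routes(a, b, pcx_id),
            "ingress_into_" + y: ingress_source(a, b),
            "ingress_into_" + x: ingress_source(b, a),
        }
    return plan


if __name__ == "__main__":
    for pair, details in plan_mesh([VPC_A, VPC_B, VPC_C]).items():
        print(pair, details)
    print("A->C via B only:", reachable([("A", "B"), ("B", "C")], "A", "C"))
    try:
        validate_peering(VPC_A, VPC_D)
    except ValueError as err:
        print("rejected:", err)
```

Running the script prints three peering plans (A-B, A-C, B-C), shows that A cannot reach C when only A-B and B-C exist, and rejects the A-D pair because 10.0.128.0/17 lies inside 10.0.0.0/16. Note that the intra-region A-B rule references the peer security group while the cross-region A-C rule has to use the CIDR, which is the wider of the two sources.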
