VPC Peering allows direct communication between VPCs using OSI Layer 3 (Network). Once the VPCs are connected, 2 VPCs can communicate using private IP addresses.
- Instances can connect to each other as if they were in the same private network.
- VPC Peers can span AWS accounts and even regions with some limitations.
- Data is encrypted and transits via the AWS global backbone.
VPC Peering Limitations
- VPC CIDR blocks cannot overlap, and IPv6 support is not available cross-region.
- Transitive routing is not supported. A VPC Peering connection always joins exactly 2 VPCs (Requester and Accepter) and cannot be chained.
- ex) When A is peered with B and B with C, A still cannot reach C. A full mesh of peering connections is required to connect all VPCs.
Setting VPC Peering
- You start from one VPC (Requester) and send a peering request to another VPC (Accepter) – in the same account or a different account.
- The request must be accepted by a user of the accepter's account.
Configuring VPC Peering
- To allow traffic, you need to create a route to the VPC Peering connection in the route table of each VPC.
- You can use NACLs and security groups from both VPCs to restrict access.
- To resolve public DNS hostnames to private IPs, enable and edit the DNS settings in the “Peer Connections” menu.
Use cases
- Company mergers, shared services, company and vendor, auditing.
Inter-Region VPC Peering
- Traffic is encrypted. The encryption keys are managed by AWS.
- By default, a query for a public hostname of an instance in a peered VPC in a different region will resolve to a public IP address. Route 53 private DNS can be used to resolve to a private IP address with Inter-Region VPC Peering.
- Security groups cannot be referenced across the Inter-Region VPC Peering connection.
- Inter-Region VPC Peering supports IPv6 but cannot be used with EC2-ClassicLink.
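As an added example (not code from the original notes), the planner below turns the limitations and configuration rules above into a check you can run before touching the console: it rejects overlapping CIDR blocks, builds the full mesh that non-transitive peering forces on you, lists the route each VPC's route table needs per peer, and flags inter-region connections, where security-group rules must use the peer CIDR because the peer's security group cannot be referenced. The VPC names, CIDRs, regions and `pcx-*` ids are constructed placeholders.

```python
"""Plan a full mesh of VPC Peering connections and the per-VPC routes it needs.

Constructed example: models two of the peering limitations described above
(no overlapping CIDRs, no transitive routing), so N VPCs need N*(N-1)/2
connections and every VPC's route table needs one route per peer.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed sample inventory: name -> (CIDR, region). Hypothetical values.
VPCS = {
    "shared-services": ("10.0.0.0/16", "us-east-1"),
    "app-prod": ("10.1.0.0/16", "us-east-1"),
    "vendor": ("10.2.0.0/16", "eu-west-1"),
}


def overlapping_pairs(vpcs):
    """Return (a, b) name pairs whose CIDR blocks overlap; such pairs cannot be peered."""
    return [
        (a, b)
        for a, b in combinations(sorted(vpcs), 2)
        if ip_network(vpcs[a][0]).overlaps(ip_network(vpcs[b][0]))
    ]


def plan_mesh(vpcs):
    """Return (connections, routes) for a full mesh over the given VPCs.

    Raises ValueError if any CIDRs overlap. Each connection records whether
    it is inter-region: across such a connection the peer's security group
    cannot be referenced, so rules have to be written against the peer CIDR.
    """
    clashes = overlapping_pairs(vpcs)
    if clashes:
        raise ValueError(f"overlapping CIDR blocks, cannot peer: {clashes}")
    connections = []
    routes = {name: [] for name in vpcs}  # name -> [(destination_cidr, pcx_id)]
    for a, b in combinations(sorted(vpcs), 2):
        (cidr_a, region_a), (cidr_b, region_b) = vpcs[a], vpcs[b]
        pcx = f"pcx-{a}-{b}"  # placeholder; AWS assigns the real pcx-* id
        connections.append({"id": pcx, "requester": a, "accepter": b,
                            "inter_region": region_a != region_b})
        # No transitive routing: each side needs its own route to the peer.
        routes[a].append((cidr_b, pcx))
        routes[b].append((cidr_a, pcx))
    return connections, routes
```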