AWS VPC Peering - Overview & Hands-On.
Scope:
- The concept of VPC
Peering
- Architecture
Overview (simple peering setup),
- VPC
Peering Characteristics & Description,
- Traffic Flow for two instances in different VPCs communicate,
- Configuration
Steps,
- Security
& Access Control,
- Limitations & Description,
- Inter-Region
VPC Peering,
- Pricing,
- Alternatives / When to Use What (Best Options),
- Validation Commands On EC2 instances (Linux),
- VPC Peering Architecture,
- Project: Hands-On.
The
concept of VPC Peering
- VPC Peering is a network
connection between two Virtual Private Clouds (VPCs)
that enables traffic routing using private IP addresses, as if they
were part of the same network.
- VPC Peering is non-transitive, point-to-point, and region-specific (though inter-region peering is supported).
- Think of VPC Peering as a private tunnel between two VPCs for seamless communication.
- Seamless communication happens between the VPCs without going through the public internet.
Architecture Overview (simple peering setup):
VPC Peering Characteristics & Description
|
Feature |
Description |
|
Connection
Type |
One-to-one (non-transitive) |
|
Traffic
Type |
Private IP only (no
public internet routing) |
|
Cross-Region
Support |
Yes (Inter-Region
Peering) |
|
Cross-Account
Support |
Yes |
|
Bandwidth |
Same as ENI bandwidth limits |
|
DNS
Resolution |
Optional ( |
|
No
Overlapping CIDRs |
Required |
|
No
Transitive Peering |
Must create explicit connections between all pairs |
Traffic Flow for two instances in different VPCs communicate:
1. VPC Peering connection is established and active.
2. Each VPC’s route table has an entry for the peer VPC’s CIDR block.
3. Security Groups and Network ACLs allow the traffic.
4. Packets traverse the AWS backbone, not the internet.
Configuration
Steps
1.
Create a VPC Peering connection
- Initiator: creates the request.
- Acceptor: accepts the request (same or different account/region).
2.
Update Route Tables
- Add routes in each VPC pointing to the peer’s CIDR block via the peering connection.
3.
Update Security Groups
- Allow inbound/outbound traffic between peered VPC CIDR ranges.
4.
Enable DNS Resolution (Optional)
- Allows private DNS names to resolve across peered VPCs.
Security
& Access Control
|
Layer |
Control |
|
VPC
Route Tables |
Controls allowed CIDR destinations. |
|
Security
Groups |
Must explicitly allow traffic from peer CIDR. |
|
NACLs |
Optional network layer filtering. |
|
IAM
Policies |
Controls who can create/accept/delete peering connections. |
Limitations & Description
|
Limitation |
Description |
|
No
Transitive Routing |
If A↔B and B↔C, A cannot reach C automatically. |
|
No
Overlapping CIDRs |
Peering
fails if CIDRs overlap. |
|
No
Shared Security Groups |
SGs
are scoped to their VPC. |
|
No
Edge-to-Edge Routing |
Cannot
route traffic from peered VPC to VPN or Direct Connect. |
Inter-Region
VPC Peering
- Supported between many AWS regions.
- Uses AWS global backbone (not
public internet).
- Lower latency than internet VPN tunnels.
- No additional gateway (like NAT or Transit Gateway) needed.
Pricing
- Same-Region: Charged for
data transfer between Availability Zones (same
as intra-AZ data pricing).
- Inter-Region: Billed per GB of data transferred across regions.
- No hourly charge for the peering connection itself.
Alternatives
/ When to Use What (Best Options)
|
Scenario |
Best Option |
|
Simple 1:1 connection |
VPC Peering |
|
Many-to-many or transitive routing |
Transit
Gateway |
|
Connect on-prem to AWS |
VPN /
Direct Connect |
|
Hybrid multi-account network |
AWS
PrivateLink or TGW |
Validation Commands On EC2 instances (Linux):
# bashping 10.1.1.10traceroute 10.1.1.10
Use AWS CLI:
# bashaws ec2 describe-vpc-peering-connectionsaws ec2 describe-route-tables --filters"Name=vpc-id,Values=vpc-xxxx"
Project: Hands-On
- How twtech creates Peering connection betwteen VPC Across its Environments.
Search for AWS service: VPC
Step-1:
- Launch two instances in two VPCs
- VPCs may be Same Region (SR) or Different Regions (CR)
Network settings
- Launch the first instance in: twtechDefaultVPC
Launch instance:
twtech now has two instances running in it environment as follow:
- Bastion Host to access instance in the private subnet of twtechvpc
- twtech instance installed in the twtechDefaultvpc
Purpose:
- twtech wants to connect instances in two different VPCs via:Peering
Bastio Host:
Step-2:
- Determine that the VPCs are not yet connected.
- Go to EC2 Console and Provision an instace
NB:
- If the Private IPv4 addresses are different, that is an indication, that the two instances are located in different VPCs.
twtechDefaultVPCinstance
twtechVPCPrivateinstance:
- Contect (ssh) to the instance in defaultVPC (twtechDefaultVPCInstance)
- twtech can SSH from any terminal configured to connect to instance.
Step-3:
- From another terminal, also connect (SSH) from Bastion Host (instance) to other Instance in another VPC (twtechvpc)
Step-4:
- How twtech verifies that the instance is working as expectedby (seamlesslY) by Printing the text that was put in the httpd file with: curl <IPaddress:80/>
curl 10.xx.xx.215:80/ # where xx.xx are ip address numbers
Step-5:
- From the other terminal of instance in twtechvpc, try to conncect to the defaultvpc by running the curl command:
curl 10.xx.xx.215:80/
- where xx.xx is the ip address numbers
Step-6:
- How twtech eventually connect the two instances in both VPCs to to query data via: Peering
- twtech needs to create (request) a peering connection between the two VPCs (twtechvpc & twtechDefaultvpc)
- From another windows, open: vpc console to create a peering connection request.
Two key components work here:
- Requester VPC (that sends the peering request)
- Accepter VPC (that accepts the peering request)
Tags: (auto-generated)
NB:
- The CIDR must not overlap, else the VPCs won’t be able to connect
Create the peering connection:
NB:
- Peering connection is created (requested) but waiting Pending acceptance from: Acceptor (twtechvpc)
Step-7:
- Accepter need to go to its VPC console (peering
connection menu tab) and accept peering request as follow:
Step-8:
- twtech must add a route to the peering VPCs in one or more of its VPCs route tables.
- The route table (RT) sends and receive traffic across the VPC peering connection (To-and-fro-communication betweent VPCs)
- twtech needs to Edit the route table to connect the Default route table with the Public route table
First:
- Edit the Public Route Table (twtechPublicRT) that conrresponds to the first VPC (twtechDefaultvpc)
From:
To:
- Add Routes with a CIDR which corresponds to the Default VPC
- Verify the CIDR for default VPC (twtechDefaultVPC) from console
- Copy the CIDR from VPC (twtecDefaultVPC) to add route:
Explanation:
- Any traffic going through this route
should be sent to the peering connection called,
pcx-xxxxxxxxxxtwtechpeering connection.
- Then, Safe changes.
Second:
- Also Modify (edit) the route table that corresponds to the other VPC: twtechvpc
From:
To:
- Add route of CIDR from the other VPC (twtechvpc)
- Verify the CIDR for the other VPC (twtechvpc) from console:
To: Add route
- Copy CIDR and paste to configure route.
Explanation:
- Again, any traffic going through this route should be sent to the peering connection: pcx-xxxxxxxxxxtwtechpeering connection.
- Then, Safe changes.
Step-9:
- twtech needs to Verify, that the routes are at this point perfectly
going both ways of the VPCs:
- Go back to the EC2 console and run the same curl commad from both terminals.
- Instance in Default VPC: DefaultVPC
- Instance in Coustom VPC: twtecvpc
Successfully, twtech has:
- Created VPCs in different AZ / accounts,
- Verified that the VPCs are not yet connect (due to peering limitation)
- Initiated (Created) a peering request for Requester & Accepter,
- Added (edited) the route tables of both VPC
to add CIDR,
- Verified that both VPC can route
traffic (communicate) to each other.
No comments:
Post a Comment