Blog ENG - AWS - Post 8
In the world of cloud computing, Amazon Web Services (AWS) offers a powerful feature known as a Virtual Private Cloud (VPC). A VPC is a virtual network dedicated to your AWS account, providing logical isolation from other virtual networks in the AWS Cloud. This isolation allows you to launch AWS resources, such as Amazon EC2 instances, into your VPC, ensuring a secure and customizable environment.
What is VPC Peering?
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 or IPv6 addresses. This means that instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs or with a VPC in another AWS account, even if the VPCs are in different Regions (known as an inter-Region VPC peering connection).
How Does VPC Peering Work?
AWS uses the existing infrastructure of a VPC to create a VPC peering connection. It is neither a gateway nor a VPN connection and does not rely on a separate piece of physical hardware. This design ensures there is no single point of failure for communication or a bandwidth bottleneck.
A VPC peering connection facilitates the transfer of data. For example, if you have more than one AWS account, you can peer the VPCs across those accounts to create a file-sharing network. You can also use a VPC peering connection to allow other VPCs to access resources you have in one of your VPCs.
Benefits of Inter-Region VPC Peering
When you establish peering relationships between VPCs across different AWS Regions, resources in the VPCs (such as EC2 instances and Lambda functions) can communicate with each other using private IP addresses, without using a gateway, VPN connection, or network appliance. The traffic remains in the private IP address space, and all inter-Region traffic is encrypted with no single point of failure or bandwidth bottleneck. Traffic always stays on the global AWS backbone and never traverses the public internet, reducing threats such as common exploits and DDoS attacks. Inter-Region VPC peering provides a simple and cost-effective way to share resources between Regions or replicate data for geographic redundancy.
Pricing for VPC Peering Connections
There is no charge to create a VPC peering connection. All data transfer over a VPC peering connection that stays within an Availability Zone is free, even if it’s between different accounts. Charges apply for data transfer over VPC peering connections that cross Availability Zones and Regions.
How to Establish a VPC Peering Connection
To establish a VPC peering connection, follow these steps:
- The owner of the requester VPC sends a request to the owner of the accepter VPC to create the VPC peering connection. The accepter VPC can be owned by you or another AWS account and cannot have a CIDR block that overlaps with the CIDR block of the requester VPC.
- The owner of the accepter VPC accepts the VPC peering connection request to activate the VPC peering connection.
- To enable the flow of traffic between the VPCs using private IP addresses, the owner of each VPC in the VPC peering connection must manually add a route to one or more of their VPC route tables that points to the IP address range of the other VPC (the peer VPC).
- If required, update the security group rules associated with your EC2 instance to ensure that traffic to and from the peer VPC is not restricted. If both VPCs are in the same Region, you can reference a security group from the peer VPC as a source or destination for inbound or outbound rules in your security group.
- With the default VPC peering connection options, if EC2 instances on either side of a VPC peering connection address each other using a public DNS hostname, the hostname resolves to the public IP address of the EC2 instance. To change this behavior, enable DNS hostname resolution for the VPC peering connection. After enabling DNS hostname resolution, if EC2 instances on either side of the VPC peering connection address each other using a public DNS hostname, the hostname resolves to the private IP address of the EC2 instance.
Multiple VPC Peering Connections
A VPC peering connection is a one-to-one relationship between two VPCs. You can create multiple VPC peering connections for each VPC that you own, but transitive peering relationships are not supported. You do not have any peering relationship with VPCs that your VPC is not directly peered with.
For example, if VPC A is peered with both VPC B and VPC C, VPC B and VPC C are not peered, and you cannot use VPC A as a transit point for peering between VPC B and VPC C. To enable routing of traffic between VPC B and VPC C, you must create a unique VPC peering connection between them.
VPC Peering Limitations
- Connections: There is a quota on the number of active and pending VPC peering connections per VPC. You cannot have more than one VPC peering connection between two VPCs at the same time.
- Tags: Any tags that you create for your VPC peering connection are only applied in the account or Region in which you create them.
- DNS: You cannot connect to or query the Amazon DNS server in a peer VPC.
- IPv4 CIDR Blocks: If the IPv4 CIDR block of a VPC in a VPC peering connection falls outside of the private IPv4 address ranges specified by RFC 1918, private DNS hostnames for that VPC cannot be resolved to private IP addresses. To resolve private DNS hostnames to private IP addresses, you can enable DNS resolution support for the VPC peering connection.
- IPv6 Communication: You can enable resources on either side of a VPC peering connection to communicate over IPv6. You must associate an IPv6 CIDR block with each VPC, enable the instances in the VPCs for IPv6 communication, and route IPv6 traffic intended for the peer VPC to the VPC peering connection.
- Unicast Reverse Path Forwarding: Unicast reverse path forwarding in VPC peering connections is not supported.
Overlapping CIDR Blocks
You cannot create a VPC peering connection between VPCs that have matching or overlapping IPv4 or IPv6 CIDR blocks. If you have multiple IPv4 CIDR blocks, you can’t create a VPC peering connection if any of the CIDR blocks overlap, even if you intend to use only the non-overlapping CIDR blocks or only IPv6 CIDR blocks.
Transitive Peering
VPC peering does not support transitive peering relationships. For example, if there are VPC peering connections between VPC A and VPC B, and between VPC A and VPC C, you can’t route traffic from VPC B to VPC C through VPC A. To route traffic between VPC B and VPC C, you must create a VPC peering connection between them.
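The rules above (no overlapping CIDR blocks, one peering connection per pair of VPCs, routes on both sides, and no transitive hop through a shared neighbour) can be checked before you touch the AWS console. The following Python is an added example written for this post, not AWS code: it models a small constructed topology with hypothetical VPC and peering ids and validates peering requests and reachability against those rules.

```python
import ipaddress
from typing import Dict, List

# Constructed sample topology (hypothetical VPC ids and CIDRs, not from the post).
# vpc-d's first block sits inside vpc-a's 10.0.0.0/16, so they can never peer,
# even though its 172.16.0.0/16 block is free of conflicts.
VPC_CIDRS: Dict[str, List[str]] = {
    "vpc-a": ["10.0.0.0/16", "2001:db8:a::/56"],
    "vpc-b": ["10.1.0.0/16"],
    "vpc-c": ["10.2.0.0/16"],
    "vpc-d": ["10.0.128.0/17", "172.16.0.0/16"],
}
Peerings = Dict[frozenset, str]          # {frozenset({vpc, vpc}): "pcx-..."}
Routes = Dict[str, Dict[str, str]]       # {vpc: {destination CIDR: target}}

def cidrs_overlap(a_blocks: List[str], b_blocks: List[str]) -> bool:
    """True if ANY block of one VPC matches or overlaps ANY block of the other.
    Only same-family blocks are compared; IPv4 and IPv6 never overlap."""
    nets_a = [ipaddress.ip_network(a) for a in a_blocks]
    nets_b = [ipaddress.ip_network(b) for b in b_blocks]
    return any(na.version == nb.version and na.overlaps(nb)
               for na in nets_a for nb in nets_b)

def validate_peering_request(requester: str, accepter: str, peerings: Peerings) -> str:
    """Apply the rules a request must pass; return 'ok' or the rejection reason."""
    if requester == accepter:
        return "a VPC cannot peer with itself"
    if frozenset((requester, accepter)) in peerings:
        return "only one peering connection is allowed between the same two VPCs"
    if cidrs_overlap(VPC_CIDRS[requester], VPC_CIDRS[accepter]):
        return "CIDR blocks overlap"
    return "ok"

def can_reach(src: str, dst: str, peerings: Peerings, routes: Routes) -> bool:
    """Traffic flows only over a DIRECT peering between src and dst, and only
    when BOTH sides route the other VPC's address range at that peering.
    A shared neighbour (B-A-C) does not help: peering is not transitive."""
    pcx = peerings.get(frozenset((src, dst)))
    if pcx is None:
        return False
    def routes_to(frm: str, to: str) -> bool:
        table = routes.get(frm, {})
        return any(table.get(cidr) == pcx for cidr in VPC_CIDRS[to])
    return routes_to(src, dst) and routes_to(dst, src)
```

With vpc-a peered to both vpc-b and vpc-c, `can_reach("vpc-b", "vpc-c", ...)` stays False until a direct vpc-b/vpc-c peering and matching routes exist, and `can_reach("vpc-a", "vpc-c", ...)` is False while vpc-c's route table lacks the return route.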
Edge to Edge Routing Through a Gateway or Private Connection
- If VPC A has an internet gateway, resources in VPC B can’t use the internet gateway in VPC A to access the internet.
- If VPC A has a NAT device that provides internet access to subnets in VPC A, resources in VPC B can’t use the NAT device in VPC A to access the internet.
- If VPC A has a VPN connection to a corporate network, resources in VPC B can’t use the VPN connection to communicate with the corporate network.
- If VPC A has an AWS Direct Connect connection to a corporate network, resources in VPC B can’t use the AWS Direct Connect connection to communicate with the corporate network.
- If VPC A has a gateway endpoint that provides connectivity to Amazon S3 to private subnets in VPC A, resources in VPC B can’t use the gateway endpoint to access Amazon S3.
Inter-Region VPC Peering Connections
The Maximum Transmission Unit (MTU) across a VPC peering connection between Regions is 1500 bytes. Jumbo frames (MTUs up to 9001 bytes) are not supported for inter-Region VPC peering connections; they are, however, supported for VPC peering connections within the same Region. You must enable DNS resolution support for the VPC peering connection to resolve private DNS hostnames of the peered VPC to private IP addresses, even if the IPv4 CIDR of the VPC falls within the private IPv4 address ranges specified by RFC 1918.