What is VPC Peering?
It is a networking connection between two VPCs, in the same or different AWS accounts, that routes traffic between them using private IPv4 or IPv6 addresses, so instances in the two VPCs can communicate as if they were on the same network. Peering also works between VPCs in different Regions, which is called an inter-region VPC peering connection. Two constraints matter before you start: the CIDR blocks of the two VPCs must not overlap, and peering is not transitive, so if VPC A is peered with B and B with C, A still cannot reach C through B.
VPC peering lets you connect the VPCs without a VPN or gateway in the middle; the traffic stays on the AWS network and never traverses the public Internet. AWS resources such as EC2 instances, RDS instances, and Lambda functions attached to a VPC can reach each other, across Regions if needed, using private IPv4 addresses.
How to set up VPC peering?
To set up peering you need two VPCs whose CIDR blocks do not overlap. This walkthrough uses two non-default VPCs in a single AWS account, following the architecture diagram below.
Create VPC & Subnets
We will create two non-default VPCs and their subnets for the peering connection.
Create Primary VPC & Subnets
Create the primary VPC with CIDR 192.168.0.0/24
In the primary VPC we will create two subnets, one public and one private.
Create Public Subnet
Create a public subnet with CIDR 192.168.0.0/25
Create Private Subnet
Create a private subnet with CIDR 192.168.0.128/25
Create Internet gateway
Now create an Internet gateway and attach it to the primary VPC.
Create Custom Route Table
Create a custom route table and associate it with the public subnet.
Then add a route with destination 0.0.0.0/0 and the Internet gateway as the target. This route is what makes the subnet public, so keep it out of the main route table; the private subnet must never get a path to the Internet.
Finally, associate the private subnet with the main route table of your VPC.
Create Secondary VPC & Subnet
Here we create the secondary VPC with CIDR 172.16.0.0/24, followed by a single private subnet.
Create Private Subnet
Create one private subnet with CIDR 172.16.0.0/25
Route Table Association
By default, the main route table of the secondary VPC shows no subnet associations. Subnets without an explicit association use the main route table implicitly, but associate the private subnet with it explicitly so the routing is visible when you troubleshoot later.
That completes the VPC configuration. Now we proceed to create the VPC peering connection.
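The two VPCs above can be built the same way with the API instead of the console. The block below is an added example for this walkthrough, not code from the original post: plan_vpc() validates the addressing offline (subnets inside the VPC, no subnet overlap, and no overlap with the VPC you intend to peer with, which AWS would reject later), and build_vpc() creates the VPC, subnets, Internet gateway and route tables with a boto3 EC2 client, using the CIDRs from the walkthrough. The Name tags and the "public"/"private" subnet labels are my own choices; running the __main__ part needs AWS credentials and creates billable resources.

```python
"""Build the primary and secondary VPCs from the walkthrough with boto3.

Added example, not code from the original post. plan_vpc() runs offline;
build_vpc() needs a boto3 EC2 client and AWS credentials. The Name tags and
subnet labels below are assumptions, not values from the post.
"""
import ipaddress


def plan_vpc(vpc_cidr, subnets, peer_vpc_cidr=None):
    """Validate an addressing plan before creating anything.

    Every subnet must sit inside the VPC CIDR, subnets must not overlap each
    other, and (if given) the VPC must not overlap the VPC it will later be
    peered with, because AWS refuses to peer overlapping CIDR blocks.
    Returns the plan with normalised CIDR strings.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            raise ValueError(f"subnet {name} {net} is outside VPC {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"subnets {a} and {b} overlap")
    if peer_vpc_cidr and vpc.overlaps(ipaddress.ip_network(peer_vpc_cidr)):
        raise ValueError(f"VPC {vpc} overlaps peer VPC {peer_vpc_cidr}; they cannot be peered")
    return {"vpc": str(vpc), "subnets": {name: str(net) for name, net in nets.items()}}


def build_vpc(ec2, name, plan, public_subnet=None):
    """Create the VPC and subnets; if public_subnet is given, also an Internet
    gateway and a custom route table with a default route, associated with that
    subnet only. Every other subnet is associated explicitly with the main table.
    """
    vpc_id = ec2.create_vpc(CidrBlock=plan["vpc"])["Vpc"]["VpcId"]
    ec2.get_waiter("vpc_available").wait(VpcIds=[vpc_id])
    ec2.create_tags(Resources=[vpc_id], Tags=[{"Key": "Name", "Value": name}])
    # The main route table is created with the VPC; find it by the association.main filter.
    main_rtb = ec2.describe_route_tables(Filters=[
        {"Name": "vpc-id", "Values": [vpc_id]},
        {"Name": "association.main", "Values": ["true"]},
    ])["RouteTables"][0]["RouteTableId"]
    subnet_ids = {}
    for label, cidr in plan["subnets"].items():
        sid = ec2.create_subnet(VpcId=vpc_id, CidrBlock=cidr)["Subnet"]["SubnetId"]
        ec2.create_tags(Resources=[sid], Tags=[{"Key": "Name", "Value": f"{name}-{label}"}])
        subnet_ids[label] = sid
        if label != public_subnet:
            # Explicit association: the private subnet stays on the local-only main table.
            ec2.associate_route_table(RouteTableId=main_rtb, SubnetId=sid)
    if public_subnet:
        igw_id = ec2.create_internet_gateway()["InternetGateway"]["InternetGatewayId"]
        ec2.attach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)
        rtb_id = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
        ec2.create_route(RouteTableId=rtb_id, DestinationCidrBlock="0.0.0.0/0", GatewayId=igw_id)
        # Only the public subnet gets the Internet route; the main table never does.
        ec2.associate_route_table(RouteTableId=rtb_id, SubnetId=subnet_ids[public_subnet])
    return {"vpc_id": vpc_id, "main_rtb": main_rtb, "subnets": subnet_ids}


if __name__ == "__main__":
    import boto3  # needs credentials; creates real resources

    ec2 = boto3.client("ec2")
    primary = plan_vpc("192.168.0.0/24",
                       {"public": "192.168.0.0/25", "private": "192.168.0.128/25"},
                       peer_vpc_cidr="172.16.0.0/24")
    secondary = plan_vpc("172.16.0.0/24", {"private": "172.16.0.0/25"},
                         peer_vpc_cidr="192.168.0.0/24")
    print(build_vpc(ec2, "primary", primary, public_subnet="public"))
    print(build_vpc(ec2, "secondary", secondary))
```

Run plan_vpc() for both VPCs before touching the API: the overlap check is the one the console only reports after you have already created the VPCs and requested the peering.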
Configure VPC peering
1. Go to the VPC console and choose Create peering connection
2. Configure peering connection
Here you need to provide the Requester and Accepter details.
- VPC (Requester) – the VPC from which you are requesting the peering connection.
- VPC (Accepter) – the VPC that will accept the peering connection.
Within a single AWS account you are both the Requester and the Accepter. If instead you create a peering connection with a customer's AWS account, you are the Requester and your customer is the Accepter, or vice versa; in that case you also supply the peer account ID (and the peer Region for inter-region peering), and nothing flows until the other side accepts.
Here the primary VPC is the Requester, from which the request originates, and the secondary VPC is the Accepter.
Once the peering connection is created, it displays the AWS account ID of the Requester as well as the Accepter. When peering with another account, check that the Requester's account ID is the one you expect before accepting: accepting gives that account a routable path into your VPC.
3. Accept Peering Request
The status of the peering connection is Pending Acceptance right after creation. As the Accepter, you are authorized to accept or reject the request.
Here we click Accept Request to proceed. The status changes to Active once the request is accepted.
If we now try to connect from the private subnet of the primary VPC to the private subnet of the secondary VPC, the connection times out, because neither route table has a route pointing at the peering connection yet.
4. Update Route Table
First, update the main route table of the primary VPC, which is the one the private subnet is associated with.
In the new route the target is the peering connection (its ID starts with pcx-), and the destination can be the whole secondary VPC CIDR, only the CIDR of its private subnet, or a /32 for a specific server. Use the narrowest destination that meets the need: a route to the full VPC CIDR makes every subnet in the peer reachable.
Next, update the main route table of the secondary VPC with the matching return route towards the primary VPC. Routes are needed in both directions; without the return route the reply packets have no path back.
With both route tables updated, we should be able to connect from the primary VPC to the secondary VPC. Let's test it.
Launch EC2 in Primary VPC
Here we launch two EC2 instances in the primary VPC: one in the public subnet as a bastion host, and one in the private subnet. Refer to How to Launch an Amazon EC2 for the steps to create an EC2 instance in AWS.
Launch EC2 in public subnet
Launch EC2 in private subnet
Launch EC2 in private subnet of secondary VPC
Connect to the bastion host using SSH
Connect to the EC2 instance in the private subnet
Now ping the EC2 instance in the private subnet of the secondary VPC from here.
The ping times out because the security group of the secondary instance does not allow ICMP from the primary VPC. Update that security group to allow ICMP echo requests from the primary VPC's private subnet CIDR (192.168.0.128/25), not from 0.0.0.0/0. For peering within the same Region you can also reference the primary instance's security group ID as the source instead of a CIDR.
Now try pinging the EC2 server again.
The ping succeeds: we can reach the secondary VPC from the primary VPC over the peering connection. Traffic in the other direction works the same way, as long as the primary instance's security group allows it; the return route in the secondary route table is already in place.
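Steps 2 to 4 above and the security-group fix can be scripted end to end. The block below is an added example for this walkthrough, not code from the original post. plan_routes() and icmp_echo_rule() run offline and show the narrow form of the changes: routes to the peer private subnet rather than the whole peer VPC, and an ICMP echo rule from one source CIDR rather than 0.0.0.0/0. peer_vpcs() then creates, accepts and routes a same-account peering with a boto3 EC2 client. The vpc-, rtb- and sg- IDs in __main__ are placeholders, not values from the post, and need replacing with your own; the CIDRs are the walkthrough's.

```python
"""Create, accept and route a VPC peering connection, then open ICMP to one subnet.

Added example, not code from the original post. plan_routes() and icmp_echo_rule()
run offline; peer_vpcs() needs a boto3 EC2 client, credentials, and real IDs.
The IDs under __main__ are placeholders.
"""
import ipaddress


def check_peerable(vpc_a, vpc_b):
    """AWS rejects a peering request between overlapping CIDRs; fail before calling the API."""
    if ipaddress.ip_network(vpc_a).overlaps(ipaddress.ip_network(vpc_b)):
        raise ValueError(f"{vpc_a} overlaps {vpc_b}; these VPCs cannot be peered")


def plan_routes(requester_subnet, accepter_subnet, pcx_id):
    """Routes each side needs once the peering is Active.

    The destination is the peer *subnet*, not the whole peer VPC, so only the
    two private subnets can reach each other; the target is the peering
    connection. Both directions are required or replies have no path back.
    """
    return {
        "requester": {"DestinationCidrBlock": accepter_subnet, "VpcPeeringConnectionId": pcx_id},
        "accepter": {"DestinationCidrBlock": requester_subnet, "VpcPeeringConnectionId": pcx_id},
    }


def icmp_echo_rule(source_cidr):
    """Security-group ingress allowing only ICMP echo-request (type 8) from one CIDR.

    In the EC2 API, FromPort carries the ICMP type and ToPort the ICMP code;
    -1 for the code means any code.
    """
    return {
        "IpProtocol": "icmp",
        "FromPort": 8,
        "ToPort": -1,
        "IpRanges": [{"CidrIp": source_cidr, "Description": "ping from peer private subnet"}],
    }


def peer_vpcs(ec2, requester, accepter, target_sg):
    """requester/accepter: dicts with vpc_id, vpc_cidr, rtb_id and subnet_cidr.
    Returns the peering connection ID."""
    check_peerable(requester["vpc_cidr"], accepter["vpc_cidr"])
    resp = ec2.create_vpc_peering_connection(VpcId=requester["vpc_id"],
                                             PeerVpcId=accepter["vpc_id"])
    pcx_id = resp["VpcPeeringConnection"]["VpcPeeringConnectionId"]
    ec2.get_waiter("vpc_peering_connection_exists").wait(VpcPeeringConnectionIds=[pcx_id])
    # Same account: we are both Requester and Accepter, so we accept it ourselves.
    # Cross-account, the peer runs this call after checking the Requester's account ID.
    ec2.accept_vpc_peering_connection(VpcPeeringConnectionId=pcx_id)
    routes = plan_routes(requester["subnet_cidr"], accepter["subnet_cidr"], pcx_id)
    ec2.create_route(RouteTableId=requester["rtb_id"], **routes["requester"])
    ec2.create_route(RouteTableId=accepter["rtb_id"], **routes["accepter"])
    # Open ping on the secondary instance only from the primary private subnet.
    ec2.authorize_security_group_ingress(
        GroupId=target_sg, IpPermissions=[icmp_echo_rule(requester["subnet_cidr"])])
    return pcx_id


if __name__ == "__main__":
    import boto3  # needs credentials; modifies real resources

    primary = {"vpc_id": "vpc-PRIMARY", "vpc_cidr": "192.168.0.0/24",
               "rtb_id": "rtb-PRIMARY-MAIN", "subnet_cidr": "192.168.0.128/25"}
    secondary = {"vpc_id": "vpc-SECONDARY", "vpc_cidr": "172.16.0.0/24",
                 "rtb_id": "rtb-SECONDARY-MAIN", "subnet_cidr": "172.16.0.0/25"}
    print(peer_vpcs(boto3.client("ec2"), primary, secondary, target_sg="sg-SECONDARY-INSTANCE"))
```

The order matters: the peering must be Active before create_route accepts a pcx- target, and the security-group rule is the last thing to open, so at no point is the path wider than the final configuration.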
I hope this blog helps you. Please comment below for any concerns related to this blog.