AWS VPC Peering

Abimuktheeswaran Chidambaram
4 min readJul 31, 2023

--

A VPC peering connection is a networking connection between two VPCs that lets you route traffic between them privately, using private IPv4 or IPv6 addresses. Instances in either VPC can communicate with each other as if they were in the same network. The two VPCs can belong to the same AWS account or to different accounts, and can be in the same region or in different regions; their CIDR blocks must not overlap. A VPC peering connection is neither a gateway nor an AWS Site-to-Site VPN connection, and it does not rely on a separate piece of physical hardware. AWS builds it on the existing VPC infrastructure, so there is no single point of failure for communication and no bandwidth bottleneck.

VPC Peering connection

Table of contents

  1. Inter-region VPC peering
  2. VPC peering connection lifecycle
  3. Working with VPC peering connections
  4. VPC peering configurations
  5. Update your route tables
1. Inter-region VPC peering

An inter-region VPC peering connection connects VPCs in different regions, again using private IPv4 and IPv6 addresses. It is a simple and cost-effective way to share resources between regions or to replicate data for geographic redundancy. Like intra-region peering it is built on AWS's own infrastructure, so there is no single point of failure for communication and no bandwidth bottleneck, and AWS encrypts the traffic in transit between regions. Two limitations to keep in mind: a security group rule cannot reference a security group in the peer VPC across regions (use the peer's CIDR block instead), and the maximum MTU across an inter-region peering connection is 1500 bytes, so jumbo frames are not supported.

2. VPC peering connection lifecycle. A peering connection moves through a fixed set of states from the initial request to deletion. Here are the stages, with how long a connection stays visible in each terminal state.

(Diagram of the VPC peering connection lifecycle, courtesy AWS)

Initiating-request: a request for a VPC peering connection has been created. From here the connection moves either to pending-acceptance or to failed.

Failed: the request failed (for example because the two VPCs have overlapping CIDR blocks). A failed request cannot be accepted, rejected, or deleted; it remains visible to the requester for 2 hours.

Pending-acceptance: the request is waiting for the owner of the accepter VPC. The requester can delete the request; the accepter can accept or reject it. If no action is taken, the request expires after 7 days.

Expired: the request expired before it was accepted. It can no longer be accepted and remains visible to both the requester and the accepter for 2 days.

Rejected: the accepter rejected the pending request. A rejected request cannot be accepted afterwards; it remains visible to the requester for 2 days and to the accepter for 2 hours.

Provisioning: the accepter accepted the request and the connection is being set up; it will shortly become active.

Active: the connection is active and traffic can flow between the VPCs once the route tables, security groups and network ACLs in both VPCs allow it. Either owner can delete the connection; it can no longer be rejected.

Deleting: applies to an inter-region VPC peering connection that is in the process of being deleted. Either owner has asked to delete an active connection, or the requester has deleted a pending-acceptance request.

Deleted: an active connection was deleted by either owner, or a pending-acceptance request was deleted by the requester. It remains visible to the party that deleted it for 2 hours, and to the other party for 2 days.

3. Working with VPC peering connections

Create the VPC peering connection: the owner of the requester VPC sends a peering request to the owner of the accepter VPC. The accepter VPC can be in the same account or in a different account, and in the same region or a different one. For an inter-region connection, the request is created in the requester VPC's region.

Accept the VPC peering connection: the request stays in pending-acceptance until the accepter accepts it. For an inter-region connection, the accepter accepts it from the accepter VPC's region. Accepting the request does not by itself allow any traffic: the owners of both VPCs must add a route to their route tables that points the peer VPC's CIDR block at the peering connection, and security groups and network ACLs must permit the traffic.

Note: Do not accept peering requests from unknown or unauthorized accounts. Accepting one could let an attacker gain unauthorized network access to your VPC; this is known as peer phishing. Before accepting, check that the requester's account ID and VPC ID in the request are the ones you expect, and reject or ignore anything you did not ask for.

Reject the VPC peering connection: the accepter rejects a pending-acceptance request from the requester. A rejected request cannot be accepted later; the requester has to create a new one.

View your VPC peering connections: by default the VPC console lists all peering connections in every state (active, pending-acceptance, expired, rejected, and so on). Filtering on the status lets you find the requests that are still waiting for action.
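The create, accept, reject and view steps above, turned into a check the accepter can run before acting on a request. This is an added example, not code from the original post or from AWS: it works on the dict shape that boto3's describe_vpc_peering_connections returns, the sample request with its account IDs, VPC IDs, CIDR blocks and pcx- ID is constructed, the TRUSTED_ACCOUNTS allowlist is hypothetical, and DryRunEC2 is a stand-in that records the accept/reject calls instead of making them.

```python
"""Vet a pending VPC peering request before accepting it (added example)."""
import ipaddress

MY_ACCOUNT = "111111111111"            # constructed: the accepter account
TRUSTED_ACCOUNTS = {"222222222222"}    # hypothetical allowlist of requester accounts

# Constructed sample shaped like one element of
# describe_vpc_peering_connections()["VpcPeeringConnections"].
SAMPLE_REQUEST = {
    "VpcPeeringConnectionId": "pcx-0123456789abcdef0",
    "Status": {"Code": "pending-acceptance",
               "Message": "Pending Acceptance by 111111111111"},
    "RequesterVpcInfo": {"OwnerId": "222222222222", "VpcId": "vpc-0aaaaaaaaaaaaaaaa",
                         "CidrBlock": "10.1.0.0/16", "Region": "us-east-1"},
    "AccepterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-0bbbbbbbbbbbbbbbb",
                        "CidrBlock": "10.0.0.0/16", "Region": "us-east-1"},
}


def vet_peering_request(conn, my_account, trusted_accounts, existing_peer_cidrs=()):
    """Return the reasons NOT to accept `conn`; an empty list means it is safe to accept."""
    reasons = []
    status = conn["Status"]["Code"]
    if status != "pending-acceptance":
        reasons.append(f"state is '{status}', only pending-acceptance requests can be accepted")
    req, acc = conn["RequesterVpcInfo"], conn["AccepterVpcInfo"]
    if acc["OwnerId"] != my_account:
        reasons.append(f"accepter account {acc['OwnerId']} is not our account {my_account}")
    # Peer-phishing defence: the requester must be an account we expect.
    if req["OwnerId"] not in trusted_accounts:
        reasons.append(f"requester account {req['OwnerId']} is not on the allowlist "
                       "(possible peer phishing)")
    req_net = ipaddress.ip_network(req["CidrBlock"])
    acc_net = ipaddress.ip_network(acc["CidrBlock"])
    if req_net.overlaps(acc_net):
        reasons.append(f"requester CIDR {req_net} overlaps our CIDR {acc_net}")
    # A route table holds one route per destination, so a new peer must not
    # overlap the CIDRs we already route to over other peering connections.
    for cidr in existing_peer_cidrs:
        if req_net.overlaps(ipaddress.ip_network(cidr)):
            reasons.append(f"requester CIDR {req_net} overlaps existing peer route {cidr}")
    return reasons


def act_on_request(ec2, conn, my_account, trusted_accounts, existing_peer_cidrs=()):
    """Accept or reject `conn` through an EC2 client (boto3 or DryRunEC2).

    Returns ("accepted" | "rejected" | "ignored", reasons). Requests that are
    not pending-acceptance are ignored because they cannot be acted on.
    """
    pcx = conn["VpcPeeringConnectionId"]
    reasons = vet_peering_request(conn, my_account, trusted_accounts, existing_peer_cidrs)
    if conn["Status"]["Code"] != "pending-acceptance":
        return "ignored", reasons
    if reasons:
        ec2.reject_vpc_peering_connection(VpcPeeringConnectionId=pcx)
        return "rejected", reasons
    ec2.accept_vpc_peering_connection(VpcPeeringConnectionId=pcx)
    return "accepted", []


class DryRunEC2:
    """Stand-in for a boto3 EC2 client: records the calls instead of making them."""

    def __init__(self):
        self.calls = []

    def accept_vpc_peering_connection(self, **kwargs):
        self.calls.append(("accept_vpc_peering_connection", kwargs))
        return {"VpcPeeringConnection": {"Status": {"Code": "provisioning"}}}

    def reject_vpc_peering_connection(self, **kwargs):
        self.calls.append(("reject_vpc_peering_connection", kwargs))
        return {"Return": True}


if __name__ == "__main__":
    client = DryRunEC2()
    print(act_on_request(client, SAMPLE_REQUEST, MY_ACCOUNT, TRUSTED_ACCOUNTS, ["10.2.0.0/16"]))
    print(client.calls)
```

With real credentials, replace DryRunEC2 with boto3.client("ec2", region_name=...) created in the accepter VPC's region (an inter-region request can only be accepted there), and fetch candidates with describe_vpc_peering_connections(Filters=[{"Name": "status-code", "Values": ["pending-acceptance"]}]). Expired, failed or rejected requests are reported but left alone, since none of them can be accepted or rejected.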

4. VPC peering configurations describe the common ways peering connections are laid out. They are:

4.1 Two VPCs peered together: VPC A and VPC B are peered, and resources in either VPC can reach the other over private addresses. The peering connection itself imposes no restriction; what is actually reachable is governed by the route tables, security groups and network ACLs in each VPC.

(Diagram: two VPCs peered)

(Diagram: the route tables for the two VPCs)

4.2 One VPC peered with two VPCs: VPC A is the hub. VPC B is peered with VPC A, and VPC C is peered with VPC A, but there is no connection between VPC B and VPC C. Traffic from B cannot reach C through A, because VPC peering does not support transitive peering relationships; if B and C need to communicate, peer them directly.

(Diagram: one VPC peered with two VPCs)

4.3 Multiple VPC peering connections: each peering connection is a one-to-one relationship between exactly two VPCs, and because peering is not transitive, every pair of VPCs that needs to communicate needs its own peering connection. A full mesh of n VPCs therefore needs n(n-1)/2 peering connections (3 connections for 3 VPCs, 10 for 5), and since every pair is peered, none of the VPCs in the mesh may have overlapping CIDR blocks.

(Diagram: multiple VPC peering connections)

5. Update your route tables for the VPC peering configuration. To enable traffic between private IPv4 addresses of instances in peered VPCs, add a route to a route table in each VPC: the destination is the peer VPC's CIDR block and the target is the peering connection (pcx-xxxxxxxx). Routing uses longest prefix match, and a route table can hold only one route for a given destination, so if two of your peers have overlapping CIDR blocks, traffic for the overlapping range can only be sent to one of them; plan addressing so that peers do not overlap.

(Diagram: route table)
