How to enable Private Networking across AWS Accounts?

Santhosh Kumar
affinityanswers-tech
4 min read · Dec 11, 2020

We used to run a web application and its associated database in a single AWS account. Organization policy required us to migrate the web application to another AWS account. To connect the web application in one account with the database running in the other account over a private network, rather than exposing the database on the public internet, we enabled VPC (Virtual Private Cloud) Peering across AWS accounts.

Let us look into how we enabled VPC Peering across two distinct AWS accounts.

What is VPC Peering?

VPC Peering connection is a networking connection between two VPCs that enables you to route traffic between them privately (using private IPv4 or IPv6 addresses). Instances in either VPC can communicate with each other as if they are within the same network.

VPC Peering Connection between VPC A (Account A) and VPC B (Account B)

Our use case

We have an application running in instance IA of AWS account A. This application has to connect to a database running in instance IB of AWS account B over a secure private network.

VPC Peering can be used in shared services, such as:

  • Remote Administration
  • Monitoring
  • Logging
  • Authentication/Directory Service

1. Create VPCs in two Accounts

Create a VPC in each account, if one does not already exist, making sure the two VPCs use different (non-overlapping) IP CIDR blocks. Let us assume AWS Account A holds the web application instance and needs to connect to the database instance in AWS Account B.

Create VPC ‘vpc_A’ with 10.0.0.0/16 CIDR Block as below.

AWS Console ( Account A )-> Services -> VPC -> Create VPC.

Create VPC ‘vpc_B’ with 172.31.0.0/16 CIDR Block in Account B.

AWS Console ( Account B ) -> Services -> VPC -> Create VPC.

Creating vpc_B with the IPv4 172.31.0.0/16 CIDR block

2. Create VPC Peering Connection in Account A.

AWS Console -> Services -> VPC -> Peering Connection -> Create Peering Connection

Accept the VPC peering request in Account B that was sent from Account A.

AWS Console -> Services -> VPC -> Peering Connections -> Select Peering Connection -> Click Actions -> Accept Request.

Now enable DNS resolution of private IP addresses across the peering connection, so that hostnames in the peer VPC resolve to private IPs instead of public ones, as below.

AWS Console -> Services -> VPC -> Peering Connections -> Select Peering Connection -> Click Actions -> Edit DNS Settings -> Enable Requester VPC -> Save.

Enabling DNS resolution of Private IP

Establishing VPC Peering Connection

  1. To enable the flow of traffic between the VPCs, the owner of each VPC in the VPC peering connection must manually add a route to one or more of their VPC route tables that points to the IP address range of the other VPC (the peer VPC).
  2. Update the security group rules that are associated with your instance to ensure that traffic to and from the peer VPC is not restricted.

VPC peering connections can be created between your own VPCs or with a VPC in another AWS account.

VPC peering connections can also be created across regions, referred to as inter-region VPC peering connections.

VPC peering uses existing underlying AWS infrastructure; it is neither a gateway nor a VPN connection, and does not rely on a separate piece of physical hardware.

VPC Peering does not have a single point of failure for communication or a bandwidth bottleneck.

VPC Peering connections are not without limitations. Some of them are:

  • Cannot be used with Overlapping CIDR blocks
  • Does not provide Transitive peering
  • Does not support Edge to Edge routing through Gateway or private connection
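As an added example that is not part of the original post, the small Python model below encodes the two "Establishing VPC Peering Connection" steps and the first two limitations above: it checks that the two CIDR blocks do not overlap, produces the route each VPC owner must add and a database security-group rule scoped to the peer VPC only, and rejects a route whose destination lives in a third VPC, since peering is not transitive. The VPC names and CIDRs come from the post; the peering connection ids (pcx-ab, pcx-bc), the third VPC vpc_C and the database port are constructed for illustration.

```python
from ipaddress import ip_network

# Constructed topology mirroring the post: vpc_A (account A) hosts the web
# application, vpc_B (account B) hosts the database. vpc_C is an extra,
# hypothetical VPC peered only with vpc_B, used to show non-transitivity.
VPCS = {
    "vpc_A": {"account": "A", "cidr": "10.0.0.0/16"},
    "vpc_B": {"account": "B", "cidr": "172.31.0.0/16"},
    "vpc_C": {"account": "C", "cidr": "192.168.0.0/16"},
}
# Hypothetical peering connection ids -> the two VPCs each one joins.
PEERINGS = {"pcx-ab": ("vpc_A", "vpc_B"), "pcx-bc": ("vpc_B", "vpc_C")}


def check_no_overlap(cidr1, cidr2):
    """Limitation 1: AWS refuses to peer VPCs whose CIDR blocks overlap."""
    return not ip_network(cidr1).overlaps(ip_network(cidr2))


def plan_routes(pcx, peerings=PEERINGS, vpcs=VPCS):
    """Step 1: each owner adds a route for the peer's CIDR via the peering connection."""
    a, b = peerings[pcx]
    return {a: (vpcs[b]["cidr"], pcx), b: (vpcs[a]["cidr"], pcx)}


def db_ingress_rule(db_port, app_vpc, vpcs=VPCS):
    """Step 2: open the DB port only to the application VPC's CIDR, never 0.0.0.0/0."""
    return {"protocol": "tcp", "port": db_port, "source": vpcs[app_vpc]["cidr"]}


def validate_route(vpc, destination, pcx, peerings=PEERINGS, vpcs=VPCS):
    """Return None if a peering connection can carry this route, else the reason it cannot.

    Limitation 2: traffic only flows between the two directly peered VPCs, so a
    destination inside a third VPC (vpc_A -> vpc_C via vpc_B) is rejected.
    """
    if pcx not in peerings or vpc not in peerings[pcx]:
        return f"{pcx} is not attached to {vpc}"
    peer = next(v for v in peerings[pcx] if v != vpc)
    if not ip_network(destination).subnet_of(ip_network(vpcs[peer]["cidr"])):
        return f"{destination} is not inside peer {peer}; transitive routing is unsupported"
    return None


if __name__ == "__main__":
    assert check_no_overlap(VPCS["vpc_A"]["cidr"], VPCS["vpc_B"]["cidr"])
    print(plan_routes("pcx-ab"))
    print(db_ingress_rule(5432, "vpc_A"))
    print(validate_route("vpc_A", "192.168.0.0/16", "pcx-ab"))
```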

Happy Networking !!
