AWS VPC Peering for dummies

Yros Aguiar
Published in DevOps for Zombies
Jul 12, 2020

understanding a little bit about VPC Peering

What’s the problem to solve?

Developers need to deliver applications, and they seldom think deeply about the operations, network and security layers of the infrastructure. I have worked at companies where developers managed the cloud environment, and a common mistake was to create servers and databases and publish them to the Internet. When a backend server (a database, MongoDB, ElasticSearch) is published through a public IP address, it opens a security risk, and if the application that consumes these services connects to them through the public IP, it will also have high latency, because the communication goes through the limited Internet bandwidth instead of the internal network. A common case of this problem is when the servers are distributed across multiple regions, or across different VPCs in the same region.

The image below shows the wrong way to connect to another service: the packets go out to the Internet and then come back into the internal network.

Wrong-way

Why do we need to create VPC peerings?

AWS VPC peering, like other services such as VPC Endpoints and Transit Gateway, solves this problem. In this post I will talk about VPC Peering; soon I will write articles about VPC Endpoints and Transit Gateway. A VPC peering connection links two VPCs privately, so all traffic travels over the internal AWS network, and it can pair VPCs in the same region or in another region. The one requirement is that the two VPCs must not use the same (or overlapping) network address range, because it is not possible to route packets between two networks that share an IP range.

VPC Peering way:

With VPC peering we can create internal, more secure communication between two VPCs in the same or different regions and in the same or different AWS accounts; for example, we can establish a connection between our VPC and a partner's or customer's VPC.

Use Cases:

  • Connect two different VPCs in the same region
  • Connect two VPCs on different regions (Inter-Region)
  • Connect two VPCs on different accounts (Cross Accounts)

The costs:

There is no charge for setting up or running a VPC peering connection. Data transferred across peering connections is charged at $0.01/GB for send and receive, regardless of the Availability Zones involved.

How we can create a VPC Peering?

  • We need a requester VPC
  • We need an accepter VPC
  • We need to configure the Route Table for the Accepter VPC
  • We need to configure the Route Table for the Requester VPC
  • We need to configure the Security Group for the service that will allow the communications from another VPC

To request a VPC peering connection with a VPC in another account in the same region

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose Peering Connections, Create Peering Connection.
  3. Configure the information as follows, and choose Create Peering Connection when you are done:
  • Peering connection name tag: You can optionally name your VPC peering connection. Doing so creates a tag with a key and a value that you specify. This tag is only visible to you; the owner of the peer VPC can create their own tags for the VPC peering connection.
  • VPC (Requester): Select the VPC in your account with which to create the VPC peering connection.
  • Account: Choose Another account.
  • Account ID: Enter the AWS account ID of the owner of the accepter VPC.
  • VPC (Accepter): Enter the ID of the VPC with which to create the VPC peering connection.

  4. In the confirmation dialog box, choose OK.

To request a VPC peering connection with a VPC in another account in a different region

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose Peering Connections, Create Peering Connection.
  3. Configure the information as follows, and choose Create Peering Connection when you are done:
  • Peering connection name tag: You can optionally name your VPC peering connection. Doing so creates a tag with a key of Name and a value that you specify. This tag is only visible to you; the owner of the peer VPC can create their own tags for the VPC peering connection.
  • VPC (Requester): Select the VPC in your account with which to create the VPC peering connection.
  • Account: Choose Another account.
  • Account ID: Enter the AWS account ID of the owner of the accepter VPC.
  • Region: Choose Another region, select the region in which the accepter VPC resides.
  • VPC (Accepter): Enter the ID of the VPC with which to create the VPC peering connection.

Accepting a VPC peering connection

A VPC peering connection that’s in the pending-acceptance state must be accepted by the owner of the accepter VPC to be activated. You cannot accept a VPC peering connection request that you've sent to another AWS account. If you are creating a VPC peering connection in the same AWS account, you must both create and accept the request yourself.

If the VPCs are in different regions, the request must be accepted in the region of the accepter VPC.

Important

Do not accept VPC peering connections from unknown AWS accounts. A malicious user may have sent you a VPC peering connection request to gain unauthorized network access to your VPC. This is known as peer phishing. You can safely reject unwanted VPC peering connection requests without any risk of the requester gaining access to any information about your AWS account or your VPC. For more information, see Rejecting a VPC peering connection. You can also ignore the request and let it expire; by default, requests expire after 7 days.

To accept a VPC peering connection

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. Use the region selector to choose the region of the accepter VPC.
  3. In the navigation pane, choose Peering Connections.
  4. Select the pending VPC peering connection (the status is pending-acceptance), and choose Actions, Accept Request.
  5. Note: If you cannot see the pending VPC peering connection, check the region. An inter-region peering request must be accepted in the region of the accepter VPC.
  6. In the confirmation dialog box, choose Yes, Accept. A second confirmation dialog displays; choose Modify my route tables now to go directly to the route tables page.

Now that your VPC peering connection is active, you must add an entry to your VPC route table to enable traffic to be directed to the peer VPC.

Configuring routes for a VPC peering connection

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose Route Tables.
  3. Select the route table that’s associated with the subnet in which your instance resides.
  4. Note: If you do not have a route table associated with that subnet, select the main route table for the VPC, as the subnet then uses this route table by default.
  5. Choose Routes, Edit, Add Route.
  6. For Destination, enter the IPv4 address range to which the network traffic in the VPC peering connection must be directed. You can specify the entire IPv4 CIDR block of the peer VPC, a specific range, or an individual IPv4 address, such as the IP address of the instance with which to communicate. For example, if the CIDR block of the peer VPC is 10.0.0.0/16, you can specify a portion of it, 10.0.0.0/28, or a specific IP address, 10.0.0.7/32.
  7. Select the VPC peering (pcx) connection from Target, and then choose Save.

Allow access from the source communication VPC on the Security Group of the Service

We need to add an entry for the peer VPC's network address to the security group of each service that you want to be reachable from the other VPC.

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. In the navigation pane, choose Security Groups.
  3. In the list, select the security group and choose Actions, Edit inbound rules.
  4. Choose Add rule and do the following.
  5. For Type, choose the type of protocol to allow.
  • If you choose a custom TCP or UDP protocol, you must manually enter the port range to allow.
  • If you choose a custom ICMP protocol, you must choose the ICMP type name from Protocol, and, if applicable, the code name from Port range.
  • If you choose any other type, the protocol and port range are configured automatically.

  6. For Source, do one of the following.

  • Choose Custom and then enter an IP address in CIDR notation, a CIDR block, another security group, or a prefix list from which to allow inbound traffic.
  • Choose Anywhere to allow all inbound traffic of the specified protocol to reach your instance. This option automatically adds the 0.0.0.0/0 IPv4 CIDR block as an allowed source. This is acceptable for a short time in a test environment, but it's unsafe for production environments. In production, authorize only a specific IP address or range of addresses to access your instance.
  • If your security group is in a VPC that’s enabled for IPv6, this option automatically adds a second rule for IPv6 traffic (::/0).
  • For our case, choose Custom and enter the network address (CIDR block) of the peer VPC, so that inbound traffic is allowed only from the other VPC.

  7. For Description, optionally specify a brief description for the rule.

  8. Choose Preview changes, Save rules.

Okay, now you can create peering connections. I hope this helped; in the next articles I will talk about VPC Endpoints and Transit Gateway, which are other methods of connecting different VPCs and VPC services.

Terraform:

Example Usage

resource "aws_vpc_peering_connection" "foo" {
  peer_owner_id = var.peer_owner_id
  peer_vpc_id   = aws_vpc.bar.id
  vpc_id        = aws_vpc.foo.id
}

Basic usage with connection options:

resource "aws_vpc_peering_connection" "foo" {
  peer_owner_id = var.peer_owner_id
  peer_vpc_id   = aws_vpc.bar.id
  vpc_id        = aws_vpc.foo.id

  accepter {
    allow_remote_vpc_dns_resolution = true
  }

  requester {
    allow_remote_vpc_dns_resolution = true
  }
}

Basic usage with tags:

resource "aws_vpc_peering_connection" "foo" {
  peer_owner_id = var.peer_owner_id
  peer_vpc_id   = aws_vpc.bar.id
  vpc_id        = aws_vpc.foo.id
  auto_accept   = true

  tags = {
    Name = "VPC Peering between foo and bar"
  }
}

resource "aws_vpc" "foo" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_vpc" "bar" {
  cidr_block = "10.2.0.0/16"
}

Basic usage with region:

resource "aws_vpc_peering_connection" "foo" {
  peer_owner_id = var.peer_owner_id
  peer_vpc_id   = aws_vpc.bar.id
  vpc_id        = aws_vpc.foo.id
  peer_region   = "us-east-1"
}

resource "aws_vpc" "foo" {
  provider   = aws.us-west-2
  cidr_block = "10.1.0.0/16"
}

resource "aws_vpc" "bar" {
  provider   = aws.us-east-1
  cidr_block = "10.2.0.0/16"
}
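The Terraform examples above stop at the peering connection itself. As an added example (not from the post or the provider docs), the configuration below carries the console procedure through to the end: the accepter side, the route on each VPC's route table, and a security group rule that opens the backend port only to the peer VPC's CIDR instead of 0.0.0.0/0. It assumes the aws_vpc.foo (10.1.0.0/16, us-west-2) and aws_vpc.bar (10.2.0.0/16, us-east-1) resources and the two provider aliases from the last example, a var.peer_owner_id variable, that the aws.us-east-1 provider carries the accepter account's credentials, and 5432 as an assumed PostgreSQL port.

```hcl
# Requester side (this account, us-west-2): ask VPC foo to peer with VPC bar in the peer account.
resource "aws_vpc_peering_connection" "foo_bar" {
  provider      = aws.us-west-2
  vpc_id        = aws_vpc.foo.id
  peer_vpc_id   = aws_vpc.bar.id
  peer_owner_id = var.peer_owner_id   # accepter account ID (assumed variable)
  peer_region   = "us-east-1"
  # No auto_accept here: it only works within one account and one region.
}

# Accepter side: this provider alias is assumed to hold the peer account's credentials.
resource "aws_vpc_peering_connection_accepter" "bar" {
  provider                  = aws.us-east-1
  vpc_peering_connection_id = aws_vpc_peering_connection.foo_bar.id
  auto_accept               = true
}

# Routes on both sides: the destination is only the peer VPC's CIDR, the target is the pcx.
resource "aws_route" "foo_to_bar" {
  provider                  = aws.us-west-2
  route_table_id            = aws_vpc.foo.main_route_table_id
  destination_cidr_block    = aws_vpc.bar.cidr_block   # 10.2.0.0/16
  vpc_peering_connection_id = aws_vpc_peering_connection.foo_bar.id
}

resource "aws_route" "bar_to_foo" {
  provider                  = aws.us-east-1
  route_table_id            = aws_vpc.bar.main_route_table_id
  destination_cidr_block    = aws_vpc.foo.cidr_block   # 10.1.0.0/16
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.bar.id
}

# Security group for the backend in bar: open the service port to the peer VPC's CIDR only,
# not to 0.0.0.0/0 (the "Anywhere" option in the console steps above).
resource "aws_security_group" "db" {
  provider = aws.us-east-1
  name     = "db-from-peered-vpc"
  vpc_id   = aws_vpc.bar.id
}

resource "aws_security_group_rule" "db_from_foo" {
  provider          = aws.us-east-1
  type              = "ingress"
  security_group_id = aws_security_group.db.id
  protocol          = "tcp"
  from_port         = 5432                      # assumed PostgreSQL port
  to_port           = 5432
  cidr_blocks       = [aws_vpc.foo.cidr_block]  # requester VPC only
  description       = "Database access from peered VPC foo"
}
```

Because both VPC CIDRs are read from the aws_vpc resources, the routes and the security group rule stay correct if the address ranges change, as long as they still do not overlap.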
