Inter Region AWS VPC Peering

Tejas Joshi, Petabytz. Published Jul 17, 2019. 7 min read.

Figure: VPC Peering

What is a VPC?

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

Concepts of VPC

1. VPCs and Subnets:

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC. You can specify an IP address range for the VPC, add subnets, associate security groups, and configure route tables.

A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a specified subnet. Use a public subnet for resources that must be connected to the internet, and a private subnet for resources that won’t be connected to the internet. For more information about public and private subnets.

To protect the AWS resources in each subnet, you can use multiple layers of security, including security groups and network access control lists (ACLs).

2. Accessing the Internet:

You control how the instances that you launch into a VPC access resources outside the VPC.

Your default VPC includes an internet gateway, and each default subnet is a public subnet. Each instance that you launch into a default subnet has a private IPv4 address and a public IPv4 address. These instances can communicate with the internet through the internet gateway. An internet gateway enables your instances to connect to the internet through the Amazon EC2 network.

Adding IPv4 CIDR Blocks to a VPC

You can associate secondary IPv4 CIDR blocks with your VPC. When you associate a CIDR block with your VPC, a route is automatically added to your VPC route tables to enable routing within the VPC (the destination is the CIDR block and the target is local).

In the following example, the VPC on the left has a single CIDR block (10.0.0.0/16) and two subnets. The VPC on the right represents the architecture of the same VPC after you’ve added a second CIDR block (10.2.0.0/16) and created a new subnet from the range of the second CIDR.

What is VPC peering?

Figure: VPC Peering between VPCA and VPCB

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network.

Implementation of VPC Peering:

Let’s follow the steps below to see how VPC Peering can be implemented.

The first few steps involve creating two VPCs before peering them together.

Step 1) Log into your AWS Console. Choose the relevant region and go to VPC under the Networking and Content Delivery section.

Step 2) Create one VPC with a Name tag of VPCA and a CIDR block of 10.0.0.0/16.

Step 3) Create another VPC with a Name tag of VPCB and a CIDR block of 20.0.0.0/16.

Step 4) Now let’s create subnets in each of these VPCs. In VPCA, create a subnet with a Name tag of SubnetA and a CIDR block of 20.0.1.0/24.

Step 5) Now let’s create a subnet in VPCB. In VPCA, create a subnet with a Name tag of SubnetB and a CIDR block of 10.0.1.0/24.

Step 6) Now we are going to launch instances in both subnets. We want to ensure that instances in both subnets get public IP addresses, so enable this for each subnet accordingly.

Ensure the Auto-assign IP setting is enabled for both subnets.

Step 7) Now let’s create a VPC Peering connection between the two VPCs.

Step 8) On the next screen, click on Create a new peering connection. Give the peering connection a name tag, and set the requester VPC to VPCA.

Then choose the other VPC as the VPC to peer with and click on Create Peering Connection.

Step 9) The VPC Peering connection now shows a Status of Pending Acceptance.

Choose the connection and click on Actions -> Accept Request.

Then accept the request.

Once done, the connection will be in the Active state.

Step 10) Now we need to modify the route tables of both VPCs so that traffic can flow via the VPC Peering connection.

In the route table for VPC B, add a route with the CIDR of VPC A as the destination and the VPC Peering connection as the target.

Do the same in the route table of VPC A (with the CIDR of VPC B as the destination).

If you want to reach any of the instances in a VPC from the internet, ensure that the route table also has a route to the internet gateway.

Step 11) Now it’s time to launch instances in each VPC.

So here we have two servers: ServerA, launched in VPCA, and ServerB, launched in VPCB.

Now we are going to connect to ServerA in VPCA and ping ServerB. The private IP of ServerB is 10.0.1.138.

Since we are going to use the ping command, ensure that the security group of both instances allows the ICMP protocol.

Once all of this is in place, you will be able to ping ServerB from ServerA.
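The set-up from Steps 2 to 11 expressed as data, as an added example that is not part of the original post: it checks that each subnet lies inside its VPC's CIDR block, generates the two route-table entries from Step 10 and the ICMP security-group rule from Step 11, and then simulates the ping so you can see which missing piece blocks it. The peering connection id, the private IPs and the subnet CIDRs are constructed placeholders chosen to fit the VPC CIDRs from Steps 2 and 3; only the standard library is used.

```python
"""Added example (not from the original post): the peering set-up from Steps 2
to 11 as data, with the checks an operator would run before and after clicking
through the console. IDs, private IPs and subnet CIDRs are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vpc:
    name: str
    cidr: str
    subnets: dict = field(default_factory=dict)  # subnet name -> CIDR block


# Constructed values that fit the VPC CIDRs given in Steps 2 and 3.
VPC_A = Vpc("VPCA", "10.0.0.0/16", {"SubnetA": "10.0.1.0/24"})
VPC_B = Vpc("VPCB", "20.0.0.0/16", {"SubnetB": "20.0.1.0/24"})
PCX_ID = "pcx-EXAMPLE"      # placeholder for the peering connection id
SERVER_A = "10.0.1.10"      # constructed private IP of ServerA
SERVER_B = "20.0.1.138"     # constructed private IP of ServerB


def validate_subnets(vpc: Vpc) -> None:
    """Steps 4 and 5: every subnet CIDR must lie inside its VPC's CIDR block."""
    vpc_net = ipaddress.ip_network(vpc.cidr)
    for name, cidr in vpc.subnets.items():
        if not ipaddress.ip_network(cidr).subnet_of(vpc_net):
            raise ValueError(f"{name} {cidr} is not inside {vpc.name} {vpc.cidr}")


def peering_routes(local: Vpc, peer: Vpc, pcx_id: str) -> list[dict]:
    """Step 10: route table of `local` after peering: the implicit local route
    plus one route with the peer CIDR as destination and the pcx as target."""
    return [
        {"destination": local.cidr, "target": "local"},
        {"destination": peer.cidr, "target": pcx_id},
    ]


def icmp_rule(source_cidr: str) -> dict:
    """Step 11: security-group ingress rule admitting ICMP from the peer VPC only."""
    return {"protocol": "icmp", "from_port": -1, "to_port": -1, "source": source_cidr}


def lookup_route(routes: list[dict], dst_ip: str) -> dict | None:
    """Longest-prefix match over a route table, as the VPC router does it."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes if dst in ipaddress.ip_network(r["destination"])]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r["destination"]).prefixlen)


def ping_reaches(src_ip: str, dst_ip: str, routes: list[dict],
                 peering: tuple[str, Vpc, Vpc], dst_sg_rules: list[dict]) -> bool:
    """Simulate the ping from Step 11. Three things must hold: the source route
    table selects the peering, the peering really connects to a VPC containing
    dst_ip, and the destination security group admits ICMP from src_ip."""
    route = lookup_route(routes, dst_ip)
    if route is None:
        return False
    if route["target"] != "local":
        pcx_id, x, y = peering
        if route["target"] != pcx_id:
            return False
        dst = ipaddress.ip_address(dst_ip)
        # A peering connection forwards only into the CIDRs of its two members.
        if not (dst in ipaddress.ip_network(x.cidr) or dst in ipaddress.ip_network(y.cidr)):
            return False
    src = ipaddress.ip_address(src_ip)
    return any(rule["protocol"] == "icmp" and src in ipaddress.ip_network(rule["source"])
               for rule in dst_sg_rules)


def build_plan() -> dict:
    """Validate both VPCs and return the route tables and SG rules Steps 10-11 need."""
    for vpc in (VPC_A, VPC_B):
        validate_subnets(vpc)
    return {
        "routes_a": peering_routes(VPC_A, VPC_B, PCX_ID),
        "routes_b": peering_routes(VPC_B, VPC_A, PCX_ID),
        "sg_a": [icmp_rule(VPC_B.cidr)],
        "sg_b": [icmp_rule(VPC_A.cidr)],
    }


if __name__ == "__main__":
    plan = build_plan()
    peering = (PCX_ID, VPC_A, VPC_B)
    print("with routes and SG rule:",
          ping_reaches(SERVER_A, SERVER_B, plan["routes_a"], peering, plan["sg_b"]))
    # Skip Step 10 on VPCA: only the local route remains and the ping is blocked.
    print("without the peering route:",
          ping_reaches(SERVER_A, SERVER_B, plan["routes_a"][:1], peering, plan["sg_b"]))
    # Skip the ICMP rule: the route is fine but the security group drops the echo.
    print("without the ICMP rule:",
          ping_reaches(SERVER_A, SERVER_B, plan["routes_a"], peering, []))
```

The security-group rule deliberately admits ICMP from the peer VPC's CIDR only, rather than from 0.0.0.0/0; the simulation shows that the route table and the security group are independent controls and that either one missing is enough to break the ping in Step 11.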

Main Points to Remember:

VPC and Subnet Sizing for IPv4

When you create a VPC, you must specify an IPv4 CIDR block for the VPC. The allowed block size is between a /16 netmask (65,536 IP addresses) and /28 netmask (16 IP addresses). After you’ve created your VPC, you can associate secondary CIDR blocks with the VPC. For more information, see Adding IPv4 CIDR Blocks to a VPC.

When you create a VPC, we recommend that you specify a CIDR block (of /16 or smaller) from the private IPv4 address ranges as specified in RFC 1918:

  • 10.0.0.0–10.255.255.255 (10/8 prefix)
  • 172.16.0.0–172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0–192.168.255.255 (192.168/16 prefix)

You can create a VPC with a publicly routable CIDR block that falls outside of the private IPv4 address ranges specified in RFC 1918; however, for the purposes of this documentation, we refer to private IP addresses as the IPv4 addresses that are within the CIDR range of your VPC.
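A small checker for the two rules above, as an added example that is not part of the original post: it rejects blocks outside the /16 to /28 range and flags blocks that fall outside the three RFC 1918 ranges. Run against the VPC blocks from Steps 2 and 3, it accepts 10.0.0.0/16 and reports 20.0.0.0/16 as publicly routable space, which the post says is allowed but not recommended. The candidate blocks in the demo are constructed.

```python
"""Added example (not from the original post): check a proposed VPC CIDR block
against the /16 to /28 sizing rule and the RFC 1918 ranges listed above."""
import ipaddress

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vpc_cidr(cidr: str) -> list:
    """Return the findings for a proposed VPC CIDR; an empty list means it is fine."""
    findings = []
    try:
        # strict=True rejects blocks with host bits set, e.g. 10.0.0.1/24
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as err:
        return [f"not a valid CIDR block: {err}"]
    if net.version != 4:
        return ["only IPv4 blocks are covered by this check"]
    if not 16 <= net.prefixlen <= 28:
        findings.append(f"/{net.prefixlen} ({net.num_addresses} addresses) is outside the "
                        "allowed /16 to /28 range")
    if not any(net.subnet_of(private) for private in RFC1918):
        findings.append("publicly routable range, not within RFC 1918 private space")
    return findings


if __name__ == "__main__":
    # The two VPC blocks from Steps 2 and 3 plus constructed edge cases.
    for candidate in ("10.0.0.0/16", "20.0.0.0/16", "10.0.0.0/8", "192.168.0.0/29", "10.0.0.1/24"):
        print(candidate, "->", check_vpc_cidr(candidate) or ["ok"])
```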

Consider VPCA peered with VPCB and VPCB peered with VPCC. This does not mean that VPCA can communicate with VPCC through VPCB.

For VPCA to communicate with VPCC, there has to be one explicit VPC Peering connection from VPCA to VPCC as shown below.

  • You are not allowed to create a VPC peering connection between VPCs with overlapping or matching IPv6 or IPv4 CIDR blocks
  • It is not possible to create a VPC peering connection between VPCs present in different regions
  • Only one VPC peering connection is possible between two VPCs at a time
  • A peering connection cannot be extended to the following connections of a peer VPC:

(a) A VPN connection or an AWS Direct Connect connection to a corporate network

(b) An internet connection through a NAT device in a private subnet

(c) An internet connection through an internet gateway

(d) A VPC endpoint to an AWS service, such as an endpoint to Amazon S3
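The first and third restrictions above, and the VPCA/VPCB/VPCC discussion, turned into code as an added example that is not part of the original post: `validate_peering` refuses a request when the two VPCs have overlapping or matching IPv4 or IPv6 blocks or already share a connection, `can_communicate` accepts only a direct connection, and `has_diagram_path` shows that a chain VPCA-VPCB-VPCC exists on the diagram without carrying any traffic. `full_mesh` follows from the non-transitivity: n VPCs that must all talk to each other need n(n-1)/2 connections. The VPC inventory is constructed.

```python
"""Added example (not from the original post): apply the peering restrictions
listed above to a proposed connection and show why peering is not transitive.
All VPC names and CIDR blocks are constructed."""
import ipaddress
from itertools import combinations

# Constructed inventory: each VPC may carry IPv4 and IPv6 blocks.
VPCS = {
    "VPCA": ["10.0.0.0/16"],
    "VPCB": ["20.0.0.0/16"],
    "VPCC": ["192.168.0.0/16"],
    "VPCD": ["10.0.128.0/17"],                          # inside VPCA's block
    "VPCE": ["172.16.0.0/16", "2001:db8:1::/56"],
    "VPCF": ["172.17.0.0/16", "2001:db8:1:80::/57"],    # IPv6 block inside VPCE's
}


def cidrs_overlap(blocks_a, blocks_b) -> bool:
    """True if any block of one VPC overlaps or equals any block of the other."""
    nets_a = [ipaddress.ip_network(b) for b in blocks_a]
    nets_b = [ipaddress.ip_network(b) for b in blocks_b]
    return any(x.version == y.version and x.overlaps(y) for x in nets_a for y in nets_b)


def validate_peering(requester: str, accepter: str, vpcs: dict, existing: set) -> list:
    """Reasons the request would be refused (an empty list means it is allowed)."""
    problems = []
    if requester == accepter:
        problems.append("a VPC cannot be peered with itself")
    elif cidrs_overlap(vpcs[requester], vpcs[accepter]):
        problems.append("overlapping or matching CIDR blocks")
    if frozenset((requester, accepter)) in existing:
        problems.append("only one peering connection is allowed between two VPCs")
    return problems


def can_communicate(a: str, b: str, peerings: set) -> bool:
    """Peering is not transitive: traffic flows only over a direct connection."""
    return frozenset((a, b)) in peerings


def has_diagram_path(a: str, b: str, peerings: set) -> bool:
    """Depth-first search over the peering graph. A path here means the diagram
    connects the VPCs, not that any packet can follow it."""
    seen, stack = {a}, [a]
    while stack:
        node = stack.pop()
        if node == b:
            return True
        for pair in peerings:
            if node in pair:
                (other,) = pair - {node}
                if other not in seen:
                    seen.add(other)
                    stack.append(other)
    return False


def full_mesh(names) -> set:
    """Connections needed for every VPC to reach every other one: n(n-1)/2."""
    return {frozenset(pair) for pair in combinations(names, 2)}


if __name__ == "__main__":
    chain = {frozenset(("VPCA", "VPCB")), frozenset(("VPCB", "VPCC"))}
    print("A-B direct:", can_communicate("VPCA", "VPCB", chain))
    print("A-C via B:", can_communicate("VPCA", "VPCC", chain),
          "(diagram path exists:", has_diagram_path("VPCA", "VPCC", chain), ")")
    print("A-C request:", validate_peering("VPCA", "VPCC", VPCS, chain) or "allowed")
    print("A-D request:", validate_peering("VPCA", "VPCD", VPCS, set()))
    print("E-F request:", validate_peering("VPCE", "VPCF", VPCS, set()))
    print("mesh of", len(VPCS), "VPCs needs", len(full_mesh(VPCS)), "connections")
```

The IPv6 case matters in practice: two VPCs with disjoint IPv4 blocks are still refused when their IPv6 blocks overlap, so the check has to look at every block of both VPCs, not just the primary IPv4 CIDR.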

Conclusion:

VPC peering should be carefully planned, taking into account the limitations and considerations above, and it is not always the most flexible solution in the long run.
