VPC Peering (Virtual Private Cloud Peering) in AWS is a connection between two (or more) VPCs that allows the resources of one VPC to communicate with the resources of the other VPC without using the internet. The traffic is routed privately inside the AWS network. This also means the instances in these VPCs do not need public IPs to communicate with each other; the communication can happen using private IPs. Going forward we will understand the concept with the help of various diagrams.

And this is also true when one VPC is in Mumbai and the other is in London.

Can you believe that two EC2 instances, one in London and one in Mumbai, can communicate with each other using private IPs only? This is incredible. We will see this case in the section Types of VPC Peering.

What you should know already to understand VPC Peering

You must have an AWS account; you can create one from here if you don't have one already.

To understand Peering you should already have basic knowledge of VPCs, route tables, EC2 instances (the OS does not matter much here), and EC2 security groups.

What if VPC Peering is not there

If VPC1 wants to talk to VPC2 but has no way to communicate, which means neither of these VPCs is connected to the internet and no Peering is implemented, then it will look something like this. The same holds in the other direction.

No VPC Peering implemented

If we don't implement Peering in an AWS account and a VPC wants to communicate with another VPC, the communication between the two VPCs happens something like this:

  1. The request goes to the Internet Gateway of VPC1
  2. Then it reaches the internet
  3. It reaches the Internet Gateway of VPC2
  4. Which brings it into VPC2
  5. VPC2 replies via the same route and the reply reaches back to VPC1

Diagram: No VPC Peering implemented; data communication between two VPCs via the internet

The above communication may not seem odd as of now, but think of a scenario where VPC1 has the web server and VPC2 has the database (RDS). It is something like:

Be careful who you share your weakness with. Some people can’t wait for the opportunity to use them against you.

Believe me, the moment data goes out to the internet it is exposed to interception and attack. Sending data from one VPC to another VPC via the internet is very insecure.

Application VPC communicating with its database server via the internet

The solution to this issue is VPC Peering.

After VPC Peering

Once we implement the Peering between two VPCs the diagram looks like this.

Diagram: VPC Peering implemented; VPC peering between VPC1 and VPC2

Just by looking at the above diagram we can see that a connection is established between the two VPCs and they can communicate with each other without requiring the internet. So this is a game changer from a security perspective on Cloud/AWS. And keep in mind this does not require any VPN connection, NAT gateway or special hardware. It is also clear from the diagram that it does not require an Internet Gateway either. At least I am amazed by the beauty of VPC Peering here.

Though VPC Peering could be categorised in many ways, we categorise it into two types:

Types of VPC Peering

  1. Region Based
    1. Intra-Region VPC Peering
    2. Inter-Region VPC Peering
  2. Account Based
    1. Intra-Account VPC Peering
    2. Inter-Account VPC Peering

VPC Peering Types

VPC Peering Limitations

We are going to discuss some scenarios where we can not implement Peering:

  • You cannot create a peering connection between VPCs that have matching or overlapping IPv4 or IPv6 CIDR blocks. To implement peering, the two VPCs must have different CIDR blocks; otherwise AWS would not be able to determine into which network the traffic should be sent. It does not matter which accounts your VPCs are in, you just can't have the same CIDRs for both VPCs.
  • There is a limit on the number of active and pending peering connections that you can have per VPC.
  • VPC peering does not support transitive peering relationships. If VPC1 is peered with VPC2 and also with VPC3, this does not establish Peering between VPC2 and VPC3. In other words, even though VPC1 is peered with both VPC2 and VPC3, VPC2 cannot access the VPC3 network through VPC1, or vice versa.
Diagram: Transitive VPC Peering is not supported
  • If the VPCs are in the same region, you can enable the resources on either side of a peering connection to communicate with each other over IPv6.
  • Inter-region peering connections are supported in all public regions except Asia Pacific (Seoul).
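The following Python model is an added illustration, not code from the original article or from AWS. It encodes three behaviours discussed on this page: the "After VPC Peering" section (traffic crosses the peering connection privately, which in practice requires a route in each VPC's route table for the other VPC's CIDR pointing at the peering connection, otherwise replies never come back), the overlapping-CIDR limitation, and the absence of transitive peering. The VPC names, CIDR blocks, IP addresses and `pcx-` ids are constructed for the example and resemble, but are not, real AWS identifiers.

```python
"""Toy model of the VPC peering rules described above (constructed example,
not AWS code): overlapping CIDRs are rejected, traffic needs a route on both
sides of the peering connection, and peering is not transitive."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


class PeeringError(ValueError):
    """Raised when two VPCs cannot be peered (overlapping CIDR blocks)."""


@dataclass
class Vpc:
    name: str
    cidr: str
    # destination CIDR -> target: "local" or a (constructed) peering id "pcx-..."
    routes: dict = field(default_factory=dict)

    def __post_init__(self):
        # every VPC route table carries the implicit "local" route for its own CIDR
        self.routes.setdefault(self.cidr, "local")

    def add_route(self, dest_cidr, target):
        self.routes[dest_cidr] = target

    def lookup(self, dst_ip):
        """Longest-prefix match over the route table; None if nothing matches."""
        ip = ip_address(dst_ip)
        best = None
        for dest, target in self.routes.items():
            net = ip_network(dest)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None


class Cloud:
    def __init__(self):
        self.vpcs = {}
        self.peerings = {}  # pcx id -> (vpc name, vpc name)

    def add_vpc(self, vpc):
        self.vpcs[vpc.name] = vpc
        return vpc

    def create_peering(self, a, b):
        """Refuse overlapping CIDRs: AWS could not tell which side owns an address."""
        if ip_network(a.cidr).overlaps(ip_network(b.cidr)):
            raise PeeringError(f"{a.name} {a.cidr} overlaps {b.name} {b.cidr}")
        pcx = f"pcx-{len(self.peerings) + 1:08x}"  # constructed id, not a real AWS id
        self.peerings[pcx] = (a.name, b.name)
        return pcx

    def _vpc_of(self, ip):
        for vpc in self.vpcs.values():
            if ip_address(ip) in ip_network(vpc.cidr):
                return vpc
        raise LookupError(f"no VPC owns {ip}")

    def _deliver(self, src, dst_ip):
        """None if src can deliver a packet to dst_ip, else the reason it cannot."""
        target = src.lookup(dst_ip)
        if target is None:
            return f"{src.name} has no route to {dst_ip}"
        if target == "local":
            return None
        ends = self.peerings.get(target)
        if ends is None or src.name not in ends:
            return f"{src.name}: {target} is not a peering connection of this VPC"
        peer = self.vpcs[ends[1] if ends[0] == src.name else ends[0]]
        # no transitive peering: the peer VPC only accepts traffic for its own CIDR
        if ip_address(dst_ip) not in ip_network(peer.cidr):
            return f"{peer.name} does not forward {dst_ip} onward (no transitive peering)"
        return None

    def reaches(self, src_ip, dst_ip):
        """(True, 'ok') when request AND reply can be routed, else (False, reason)."""
        problem = self._deliver(self._vpc_of(src_ip), dst_ip)
        if problem:
            return False, problem
        problem = self._deliver(self._vpc_of(dst_ip), src_ip)
        if problem:
            return False, "reply: " + problem
        return True, "ok"


def build_demo():
    """Web VPC1 peered with DB VPC2 and with VPC3; VPC4 peered but half-routed."""
    cloud = Cloud()
    v1 = cloud.add_vpc(Vpc("VPC1", "10.0.0.0/16"))
    v2 = cloud.add_vpc(Vpc("VPC2", "10.1.0.0/16"))
    v3 = cloud.add_vpc(Vpc("VPC3", "10.2.0.0/16"))
    v4 = cloud.add_vpc(Vpc("VPC4", "10.3.0.0/16"))
    pcx12 = cloud.create_peering(v1, v2)
    pcx13 = cloud.create_peering(v1, v3)
    pcx14 = cloud.create_peering(v1, v4)
    v1.add_route(v2.cidr, pcx12)
    v2.add_route(v1.cidr, pcx12)  # routes on both sides: VPC1 <-> VPC2 works
    v1.add_route(v3.cidr, pcx13)
    v3.add_route(v1.cidr, pcx13)
    v1.add_route(v4.cidr, pcx14)  # VPC4 never adds the return route
    v2.add_route(v3.cidr, pcx12)  # VPC2 tries to hop to VPC3 through VPC1
    return cloud


if __name__ == "__main__":
    cloud = build_demo()
    for src, dst in [("10.0.1.10", "10.1.1.20"), ("10.1.1.20", "10.2.1.30"),
                     ("10.0.1.10", "10.3.0.5")]:
        print(src, "->", dst, cloud.reaches(src, dst))
    try:
        cloud.create_peering(cloud.vpcs["VPC1"], Vpc("VPC5", "10.0.0.0/24"))
    except PeeringError as err:
        print("peering refused:", err)
```

Running it shows the web-to-database path (VPC1 to VPC2) succeeding, the VPC2-to-VPC3 attempt failing even though VPC2 has a route pointing at its peering with VPC1 (VPC1 will not forward it onward), the VPC1-to-VPC4 request arriving but the reply failing because VPC4 has no return route, and the overlapping 10.0.0.0/24 VPC being refused at peering creation. The model deliberately ignores security groups and network ACLs, which must also allow the traffic in a real deployment.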

To understand what a VPC is and how to create one, please go to the article below.

To learn how to create a Peering connection, go to the article below: