Overview of Amazon VPC Peering

VPC Peering enables connectivity between two VPCs, allowing resources in either VPC to be accessed from the other using private IP addresses (IPv4 or IPv6).


VPC Peering Architecture (image courtesy of AWS)


Features and Functionality

  • The two connecting VPCs can be in the same account or in two different accounts
  • VPC Peering runs over existing AWS infrastructure (which is already redundant and highly available) and does not introduce any new hardware. There is no single point of failure for the communication.
    • This is true for inter-Region VPC Peering as well
  • Either VPC can resolve the other VPC's public DNS hostnames to private IP addresses, as long as DNS resolution for private IPs is enabled in the target VPC
  • All inter-Region traffic is encrypted and stays on the global AWS infrastructure backbone


Limits and Constraints

  • The CIDR ranges of the two VPCs cannot overlap
    • Amazon always assigns a unique IPv6 range to each of your VPCs, so in practice this limitation applies to IPv4 CIDRs
  • Routes must be set up on both sides to enable traffic flow. You can configure NACLs and Security Groups to control access
    • Note: Security Group references are only allowed within the same Region
  • Routing is not transitive: if VPC-1 and VPC-2 are peered, and VPC-2 and VPC-3 are peered, VPC-1 is still not connected to VPC-3. If VPC-1 and VPC-3 are to be connected, they must be explicitly peered with each other
  • Jumbo frames are not supported for inter-Region VPC Peering. The Maximum Transmission Unit (MTU) is 1,500 bytes
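The routing rules in this section (non-overlapping CIDRs, a route on both sides of every peering, no transitive forwarding) as an added Python example; this is not AWS code or code from this page, and the VPC names, CIDRs and `pcx-` identifiers are constructed placeholders.

```python
import ipaddress
from itertools import combinations

# Constructed sample VPCs; names and CIDRs are illustrative only.
SAMPLE_VPCS = {"vpc-1": "10.0.0.0/16", "vpc-2": "10.1.0.0/16", "vpc-3": "10.2.0.0/16"}


def overlapping_pairs(vpcs):
    """Return the VPC pairs whose CIDRs overlap; peering requires this to be empty."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vpcs.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def build_route_tables(vpcs, peerings):
    """Model one route table per VPC.

    Each peering needs a route on *both* sides: the peer's CIDR pointing at the
    peering connection. Nothing is added for VPCs that are only indirectly
    connected, which is exactly why peering is not transitive.
    """
    conflicts = overlapping_pairs(vpcs)
    if conflicts:
        raise ValueError(f"overlapping CIDRs, peering is not possible: {conflicts}")
    tables = {name: [(ipaddress.ip_network(cidr), "local")] for name, cidr in vpcs.items()}
    for a, b in peerings:
        pcx = f"pcx-{a}-{b}"  # placeholder; AWS assigns the real pcx-xxxxxxxx id
        tables[a].append((ipaddress.ip_network(vpcs[b]), pcx))
        tables[b].append((ipaddress.ip_network(vpcs[a]), pcx))
    return tables


def next_hop(tables, src_vpc, dst_ip):
    """Longest-prefix match in src_vpc's route table; None means no route (dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(net, target) for net, target in tables[src_vpc] if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


if __name__ == "__main__":
    # Only vpc-1<->vpc-2 and vpc-2<->vpc-3 are peered, so vpc-1 cannot reach vpc-3.
    tables = build_route_tables(SAMPLE_VPCS, [("vpc-1", "vpc-2"), ("vpc-2", "vpc-3")])
    print(next_hop(tables, "vpc-1", "10.1.5.5"))  # pcx-vpc-1-vpc-2
    print(next_hop(tables, "vpc-1", "10.2.5.5"))  # None: not transitive
```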


Pricing

You are charged for data transferred through VPC Peering. For intra-Region, it’s the same as the charges for data transfer between Availability Zones. For inter-Region VPC Peering, the inter-Region data transfer cost applies.


External Resources