AWS VPC Peering Made Easy

by · Published · Updated

Most users in AWS have multiple VPCs in their environment, sometimes spanning more than one account, so it’s not very common to have all of your resources in a single VPC in a single account. A VPC is an isolated network, and resources can only communicate from inside each VPC. So, what do you do when you want your AWS resources to communicate with each other? That’s where a VPC Peering Connection comes into play – and best of all, you can create and manage it with CDK!

What is a VPC?

An Amazon Virtual Private Cloud (VPC) is a secure and isolated section of the AWS cloud where you can launch AWS resources. It acts as your virtual network, providing control over your environment. With VPC, you can define your IP address range, create subnets, and configure routing tables. This allows you to customize network settings, ensuring private and controlled space for your applications in the AWS infrastructure.

VPC Peering Connection

VPC peering enables seamless and private connectivity between two Amazon Virtual Private Clouds (VPCs) within AWS. It facilitates direct communication between resources in separate VPCs as if they were on the same network.

Key Considerations:

  • Connection Establishment: You need to create a VPC Peering Connection between two VPCs. The VPCs can be in the same or different AWS accounts.
  • Routing: Configure route tables on both sides of the VPC Peering Connection to direct traffic between the VPCs.
  • CIDR Blocks: VPCs with overlapping CIDR blocks cannot be peered.
  • Transitive Peering: VPC peering is not transitive.
  • Security: Maintain strong security boundaries with security groups and network ACLs, even with peering in place.

Use Cases for VPC Peering

VPC peering is valuable in various scenarios, including:

  • Shared Services: Centralize services like security appliances (firewalls, intrusion detection systems) in one VPC and share them with other VPCs.
  • Data Sharing: Enable applications in different VPCs to access and share data securely.
  • Application Migration: Migrate applications between VPCs with minimal downtime by establishing peering connections.
  • Disaster Recovery: Set up VPCs in different regions for disaster recovery and use peering for replication or failover.

How to Create a VPC Peering Connection

Imagine two AWS accounts (Account A and Account B), each with a VPC containing two subnets.

This is a very basic VPC Peering connection setup. We have 2 AWS accounts; each has a single VPC. Inside the VPC are two subnets. You can see the route table on each side of the VPC Peering Connection. If you are familiar with networking concepts, VPC Peering is basically setting up a WAN link between your VPCs. We don’t care how AWS route the traffic inside the Peered connection, that is their job not ours.

Step 1 – Create A VPC Peering Connection Request

In Account A (Requester Account):

  • Sign in to AWS Console: Log in to the AWS Management Console using the credentials for Account A.
  • Navigate to VPC Dashboard: Access the VPC dashboard from the AWS Management Console.
  • Create Peering Connection: Click on “Peering Connections” in the left-hand navigation pane and then choose “Create Peering Connection.”
VPC Peering Connection
  • Fill in Details:
    • Peering Connection Name: Give it a meaningful name.
    • Your VPC: Select the VPC in Account A.
    • Account ID: Enter the AWS account ID of Account B.
    • Peer VPC: Specify the VPC in Account B.
  • Configure Options:
    • Set any additional options as needed (e.g., enable DNS resolution).
    • Choose whether to automatically accept the peering connection.
  • Review and Create: Review the details and click “Create Peering Connection.”

Step 2 – Accept the VPC Request

In Account B (Accepter Account):

  • Share Peering Connection Request:
    • Navigate to the VPC dashboard.
    • Go to “Peering Connections” and find the pending peering connection request from Account A.
    • Click on it and choose “Actions” > “Accept Request.”
  • Update Route Tables:
    • In the route tables of both the VPCs involved, add routes for the CIDR block of the other VPC, pointing to the peering connection.

Back in Account A:

  • Accept the Peering Connection:
    • Go to the VPC dashboard and navigate to “Peering Connections.”
    • Find the peering connection and confirm that its status is “Active.”
  • Update Route Tables:
    • Update the route tables in both VPCs to include routes for the CIDR block of the other VPC, pointing to the peering connection.

Verification:

  • Confirm Peering Status:
    • Check the peering connection status in both Account A and Account B. It should be “Active.”
  • Test Connectivity:
    • Deploy resources in both VPCs.
    • Ensure that security groups and network ACLs allow the necessary traffic.
    • Test connectivity between resources in different VPCs using private IP addresses.

Want to do it in CDK? Heres how you do it!!

Here’s how to create a VPC peering connection using CDK typescript:

There are two approaches to creating a VPC peering connection:

TypeScript
Using CfnVPCPeeringConnection:

This approach uses the lower-level CloudFormation construct to define the peering connection.
TypeScript

TypeScript
import * as ec2 from 'aws-cdk-lib/aws-ec2';

const vpc1 = new ec2.Vpc(this, 'Vpc1', { /* VPC configuration */ });
const vpc2 = new ec2.Vpc(this, 'Vpc2', { /* VPC configuration */ });

new ec2.VpcPeeringConnection(this, 'VpcPeeringConnection', {
  peerVpc: vpc2,
  vpc: vpc1, 
  // Optional: Add more configuration options here if needed
});

// Remember to add routes to the route tables in both VPCs
// to allow traffic to flow through the peering connection.

Use code with caution.

Using higher-level constructs (preferred):

This approach leverages the helper functions provided by the CDK library for a cleaner implementation.
TypeScript

TypeScript
const vpc1 = new ec2.Vpc(this, 'Vpc1', { /* VPC configuration / }); const vpc2 = new ec2.Vpc(this, 'Vpc2', { / VPC configuration */ });

vpc1.peer(vpc2);

Important points:

Make sure both VPCs are defined before creating the peering connection.
The peer method automatically creates a peering connection where the current VPC acts as the requester VPC and the provided VPC acts as the accepter VPC.


You can also explicitly define who initiates the peering connection using the peer method with additional options:

Elsewhere On TurboGeek:  How to Migrate DynamoDB tables between AWS Accounts

TypeScript
vpc1.peer(vpc2, {<br>allowVpcRoutePropagationFromPeer: true, // Optional configuration});

This code defines two VPCs and establishes a peering connection between them. Remember to configure the route tables in both VPCs to allow traffic flow through the peering connection. You can add routes using the ec2.CfnRoute construct or by using the addRoute() method on the ec2.RouteTable object.

Post Views: 515

Tags:

Richard.Bailey

Richard Bailey, a seasoned tech enthusiast, combines a passion for innovation with a knack for simplifying complex concepts. With over a decade in the industry, he's pioneered transformative solutions, blending creativity with technical prowess. An avid writer, Richard's articles resonate with readers, offering insightful perspectives that bridge the gap between technology and everyday life. His commitment to excellence and tireless pursuit of knowledge continues to inspire and shape the tech landscape.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

Translate ยป