Amazon Virtual Private Cloud

(1)

Amazon Virtual Private Cloud

VPC Peering

(2)

Amazon Virtual Private Cloud: VPC Peering

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be aﬃliated with, connected to, or sponsored by Amazon.

(3)

What is VPC peering?

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've deﬁned.

A VPC peering connection is a networking connection between two VPCs that enables you to route traﬃc between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. The VPCs can be in diﬀerent regions (also known as an inter-region VPC peering connection).

AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection, and does not rely on a separate piece of physical hardware. There is no single point of failure for communication or a bandwidth bottleneck.

A VPC peering connection helps you to facilitate the transfer of data. For example, if you have more than one AWS account, you can peer the VPCs across those accounts to create a ﬁle sharing network. You can also use a VPC peering connection to allow other VPCs to access resources you have in one of your VPCs.

You can establish peering relationships between VPCs across different AWS Regions (also called inter- Region VPC peering). This allows VPC resources including EC2 instances, Amazon RDS databases and Lambda functions that run in different AWS Regions to communicate with each other using private IP addresses, without requiring gateways, VPN connections, or separate network appliances. The traffic remains in the private IP space. All inter-region traffic is encrypted with no single point of failure, or bandwidth bottleneck. Traffic always stays on the global AWS backbone, and never traverses the public internet, which reduces threats, such as common exploits, and DDoS attacks. Inter-Region VPC Peering provides a simple and cost-effective way to share resources between regions or replicate data for geographic redundancy.

Pricing for a VPC peering connection

There is no charge to create a VPC peering connection. There is a charge for data transfer across peering connections. For more information, see Amazon EC2 Pricing.

(5)

VPC peering basics

To establish a VPC peering connection, you do the following:

1. The owner of the requester VPC sends a request to the owner of the accepter VPC to create the VPC peering connection. The accepter VPC can be owned by you, or another AWS account, and cannot have a CIDR block that overlaps with the CIDR block of the requester VPC.

2. The owner of the accepter VPC accepts the VPC peering connection request to activate the VPC peering connection.

3. To enable the ﬂow of traﬃc between the VPCs using private IP addresses, the owner of each VPC in the VPC peering connection must manually add a route to one or more of their VPC route tables that points to the IP address range of the other VPC (the peer VPC).

4. If required, update the security group rules that are associated with your instance to ensure that traﬃc to and from the peer VPC is not restricted. If both VPCs are in the same region, you can reference a security group from the peer VPC as a source or destination for ingress or egress rules in your security group rules.

5. With the default VPC peering connection options, if EC2 instances on either side of a VPC peering connection address each other using a public DNS hostname, the hostname resolves to the public IP address of the instance. To change this behavior, enable DNS hostname resolution for your VPC connection. After enabling DNS hostname resolution, if instances on either side of the VPC peering connection address each other using a public DNS hostname, the hostname resolves to the private IP address of the instance.

For more information, see Work with VPC peering connections (p. 6).

VPC peering connection lifecycle

A VPC peering connection goes through various stages starting from when the request is initiated.

At each stage, there may be actions that you can take, and at the end of its lifecycle, the VPC peering connection remains visible in the Amazon VPC console and API or command line output for a period of time.

(6)

VPC peering connection lifecycle

• Initiating-request: A request for a VPC peering connection has been initiated. At this stage, the peering connection can fail, or can go to pending-acceptance.

• Failed: The request for the VPC peering connection has failed. While in this state, it cannot be

accepted, rejected, or deleted. The failed VPC peering connection remains visible to the requester for 2 hours.

• Pending-acceptance: The VPC peering connection request is awaiting acceptance from the owner of the accepter VPC. During this state, the owner of the requester VPC can delete the request, and the owner of the accepter VPC can accept or reject the request. If no action is taken on the request, it expires after 7 days.

• Expired: The VPC peering connection request has expired, and no action can be taken on it by either VPC owner. The expired VPC peering connection remains visible to both VPC owners for 2 days.

• Rejected: The owner of the accepter VPC has rejected a pending-acceptance VPC peering connection request. While in this state, the request cannot be accepted. The rejected VPC peering connection remains visible to the owner of the requester VPC for 2 days, and visible to the owner of the accepter VPC for 2 hours. If the request was created within the same AWS account, the rejected request remains visible for 2 hours.

• Provisioning: The VPC peering connection request has been accepted, and will soon be in the active state.

• Active: The VPC peering connection is active, and traffic can flow between the VPCs (provided that your security groups and route tables allow the flow of traffic). While in this state, either of the VPC owners can delete the VPC peering connection, but cannot reject it.

Note

If an event in a region in which a VPC resides prevents the ﬂow of traﬃc, the status of the VPC peering connection remains Active.

• Deleting: Applies to an inter-region VPC peering connection that is in the process of being deleted.

The owner of either VPC has submitted a request to delete an active VPC peering connection, or the owner of the requester VPC has submitted a request to delete a pending-acceptance VPC peering connection request.

(7)

Multiple VPC peering connections

• Deleted: An active VPC peering connection has been deleted by either of the VPC owners, or a pending-acceptance VPC peering connection request has been deleted by the owner of the requester VPC. While in this state, the VPC peering connection cannot be accepted or rejected. The VPC peering connection remains visible to the party that deleted it for 2 hours, and visible to the other party for 2 days. If the VPC peering connection was created within the same AWS account, the deleted request remains visible for 2 hours.

Multiple VPC peering connections

A VPC peering connection is a one to one relationship between two VPCs. You can create multiple VPC peering connections for each VPC that you own, but transitive peering relationships are not supported.

You do not have any peering relationship with VPCs that your VPC is not directly peered with.

The following diagram is an example of one VPC peered to two diﬀerent VPCs. There are two VPC peering connections: VPC A is peered with both VPC B and VPC C. VPC B and VPC C are not peered, and you cannot use VPC A as a transit point for peering between VPC B and VPC C. If you want to enable routing of traﬃc between VPC B and VPC C, you must create a unique VPC peering connection between them.

VPC peering limitations

To create a VPC peering connection with another VPC, be aware of the following limitations and rules:

• You cannot create a VPC peering connection between VPCs that have matching or overlapping IPv4 or IPv6 CIDR blocks. Amazon always assigns your VPC a unique IPv6 CIDR block. If your IPv6 CIDR blocks are unique but your IPv4 blocks are not, you cannot create the peering connection.

• You have a quota on the number of active and pending VPC peering connections that you can have per VPC. For more information, see Amazon VPC Quotas in the Amazon VPC User Guide

• VPC peering does not support transitive peering relationships. In a VPC peering connection, your VPC does not have access to any other VPCs with which the peer VPC may be peered. This includes VPC peering connections that are established entirely within your own AWS account. For more information about unsupported peering relationships, see Unsupported VPC peering conﬁgurations (p. 58). For examples of supported peering relationships, see VPC peering scenarios (p. 17).

• You cannot have more than one VPC peering connection between the same two VPCs at the same time.

• Unicast reverse path forwarding in VPC peering connections is not supported. For more information, see Routing for response traﬃc (p. 44).

(8)

VPC peering limitations

• You can enable resources on either side of a VPC peering connection to communicate with each other over IPv6; however, IPv6 communication is not automatic. You must associate an IPv6 CIDR block with each VPC, enable the instances in the VPCs for IPv6 communication, and add routes to your route tables that route IPv6 traﬃc intended for the peer VPC to the VPC peering connection. For more information, see Your VPC and Subnets in the Amazon VPC User Guide.

• Any tags that you create for your VPC peering connection are only applied in the account or region in which you create them.

• If the IPv4 CIDR block of a VPC in a VPC peering connection falls outside of the private IPv4 address ranges speciﬁed by RFC 1918, private DNS hostnames for that VPC cannot be resolved to private IP addresses. To resolve private DNS hostnames to private IP addresses, you can enable DNS resolution support for the VPC peering connection. For more information, see Enable DNS resolution for a VPC peering connection (p. 15).

• You cannot connect to or query the Amazon DNS server in a peer VPC.

An inter-region VPC peering connection has additional limitations:

• You cannot create a security group rule that references a peer VPC security group.

• You cannot enable support for an EC2-Classic instance that's linked to a VPC via ClassicLink to communicate with the peer VPC.

• The Maximum Transmission Unit (MTU) across the VPC peering connection is 1500 bytes (jumbo frames are not supported).

• You must enable DNS resolution support for the VPC peering connection to resolve private DNS hostnames of the peered VPC to private IP addresses, even if the IPv4 CIDR for the VPC falls into the private IPv4 address ranges speciﬁed by RFC 1918.

(9)

Create and accept

Work with VPC peering connections

You can use the Amazon VPC console to create and work with VPC peering connections.

Tasks

• Create and accept VPC peering connections (p. 6)

• Reject a VPC peering connection (p. 10)

• Update your route tables for a VPC peering connection (p. 10)

• Update your security groups to reference peer VPC groups (p. 12)

• Modify VPC peering connection options (p. 14)

• Delete a VPC peering connection (p. 16)

Create and accept VPC peering connections

To create a VPC peering connection, first create a request to peer with another VPC. You can request a VPC peering connection with another VPC in your account, or with a VPC in a different AWS account. For an inter-Region VPC peering connection where the VPCs are in different Regions, the request must be made from the Region of the requester VPC.

To activate the request, the owner of the accepter VPC must accept the request. For an inter-Region VPC peering connection, the request must be accepted in the Region of the accepter VPC.

Before you begin, ensure that you are aware of the limitations and rules (p. 4) for a VPC peering connection.

Tasks

• Create a VPC peering connection with another VPC in your account (p. 6)

• Create a VPC peering connection with a VPC in another AWS account (p. 7)

• Accept a VPC peering connection (p. 8)

• View your VPC peering connections (p. 9)

Create a VPC peering connection with another VPC in your account

To request a VPC peering connection with a VPC in your account, ensure that you have the IDs of the VPCs with which you are creating the VPC peering connection. You must both create and accept the VPC peering connection request yourself to activate it.

You can create a VPC peering connection with a VPC in the same Region, or a diﬀerent Region.

Important

Ensure that your VPCs do not have overlapping IPv4 CIDR blocks. If they do, the status of the VPC peering connection immediately goes to failed. This limitation applies even if the VPCs have unique IPv6 CIDR blocks.

To create a VPC peering connection with a VPC in the same Region

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, choose Peering Connections, Create Peering Connection.

(10)

Create a VPC peering connection with a VPC in another AWS account

3. Conﬁgure the following information, and choose Create Peering Connection when you are done:

• Peering connection name tag: You can optionally name your VPC peering connection.

• VPC (Requester): Select the VPC in your account with which you want to create the VPC peering connection.

• Under Select another VPC to peer with: Ensure My account is selected, and select another of your VPCs.

• (Optionally add or remove a tag.

[Add a tag] Choose Add tag and do the following:

• For Key, enter the key name.

• For Value, enter the key value.

[Remove a tag] Choose the Delete button ("X") to the right of the tag’s Key and Value.

4. In the conﬁrmation dialog box, choose OK.

5. Select the VPC peering connection that you've created, and choose Actions, Accept Request.

6. In the conﬁrmation dialog, choose Yes, Accept. A second conﬁrmation dialog displays; choose Modify my route tables now to go directly to the route tables page, or choose Close to do this later.

To create a VPC peering connection with a VPC in a diﬀerent Region

3. Conﬁgure the following information, and choose Create Peering Connection when you are done:

• Peering connection name tag: You can optionally name your VPC peering connection. Doing so creates a tag with a key of Name and a value that you specify.

• VPC (Requester): Select the requester VPC in your account with which to request the VPC peering connection.

• Account: Ensure My account is selected.

• Region: Choose Another region, select the Region in which the accepter VPC resides.

• VPC (Accepter): Enter the ID of the accepter VPC.

5. In the Region selector, select the Region of the accepter VPC.

6. In the navigation pane, choose Peering Connections. Select the VPC peering connection that you've created, and choose Actions, Accept Request.

7. In the conﬁrmation dialog, choose Yes, Accept. A second conﬁrmation dialog displays; choose Modify my route tables now to go directly to the route tables page, or choose Close to do this later.

Now that your VPC peering connection is active, you must add an entry to your VPC route tables to enable traﬃc to be directed between the peered VPCs. For more information, see Update your route tables for a VPC peering connection (p. 10).

Create a VPC peering connection with a VPC in another AWS account

You can request a VPC peering connection with a VPC that's in another AWS account. Before you begin, ensure that you have the AWS account number and VPC ID of the VPC to peer with. After you've created the request, the owner of the accepter VPC must accept the VPC peering connection to activate it.

You can create a VPC peering connection with a VPC in the same Region, or a diﬀerent Region.

(11)

Accept a VPC peering connection

Important

If the VPCs have overlapping IPv4 CIDR blocks, or if the account ID and VPC ID are incorrect or do not correspond with each other, the status of the VPC peering connection immediately goes to failed.

To request a VPC peering connection with a VPC in another account in the same Region

3. Conﬁgure the information as follows, and choose Create Peering Connection when you are done:

• Peering connection name tag: You can optionally name your VPC peering connection. Doing so creates a tag with a key of Name and a value that you specify. This tag is only visible to you; the owner of the peer VPC can create their own tags for the VPC peering connection.

• VPC (Requester): Select the VPC in your account with which to create the VPC peering connection.

• Account: Choose Another account.

• Account ID: Enter the AWS account ID of the owner of the accepter VPC.

• VPC (Accepter): Enter the ID of the VPC with which to create the VPC peering connection.

To request a VPC peering connection with a VPC in another account in a diﬀerent Region

3. Conﬁgure the information as follows, and choose Create Peering Connection when you are done:

• Peering connection name tag: You can optionally name your VPC peering connection. Doing so creates a tag with a key of Name and a value that you specify. This tag is only visible to you; the owner of the peer VPC can create their own tags for the VPC peering connection.

• VPC (Requester): Select the VPC in your account with which to create the VPC peering connection.

• Account: Choose Another account.

• Account ID: Enter the AWS account ID of the owner of the accepter VPC.

• Region: Choose Another region, select the Region in which the accepter VPC resides.

• VPC (Accepter): Enter the ID of the VPC with which to create the VPC peering connection.

The VPC peering connection that you've created is not active. To activate it, the owner of the accepter VPC must accept the VPC peering connection request. To enable traﬃc to be directed to the peer VPC, update your VPC route table. For more information, see Update your route tables for a VPC peering connection (p. 10).

To create a VPC peering connection using the command line or an API

• create-vpc-peering-connection (AWS CLI)

• New-EC2VpcPeeringConnection (AWS Tools for Windows PowerShell)

• CreateVpcPeeringConnection (Amazon EC2 Query API)

Accept a VPC peering connection

A VPC peering connection that's in the pending-acceptance state must be accepted by the owner of the accepter VPC to be activated. You cannot accept a VPC peering connection request that you've sent

(12)

View your VPC peering connections

to another AWS account. If you are creating a VPC peering connection in the same AWS account, you must both create and accept the request yourself.

If the VPCs are in diﬀerent Regions, the request must be accepted in the Region of the accepter VPC.

Important

Do not accept VPC peering connections from unknown AWS accounts. A malicious user may have sent you a VPC peering connection request to gain unauthorized network access to your VPC. This is known as peer phishing. You can safely reject unwanted VPC peering connection requests without any risk of the requester gaining access to any information about your AWS account or your VPC. For more information, see Reject a VPC peering connection (p. 10). You can also ignore the request and let it expire; by default, requests expire after 7 days.

To accept a VPC peering connection

2. Use the Region selector to choose the Region of the accepter VPC.

3. In the navigation pane, choose Peering Connections.

4. Select the pending VPC peering connection (the status is pending-acceptance), and choose Actions, Accept Request.

Note

If you cannot see the pending VPC peering connection, check the Region. An inter-Region peering request must be accepted in the Region of the accepter VPC.

5. In the conﬁrmation dialog box, choose Yes, Accept. A second conﬁrmation dialog displays; choose Modify my route tables now to go directly to the route tables page, or choose Close to do this later.

Now that your VPC peering connection is active, you must add an entry to your VPC route table to enable traﬃc to be directed to the peer VPC. For more information, see Update your route tables for a VPC peering connection (p. 10).

To accept a VPC peering connection using the command line or an API

• accept-vpc-peering-connection (AWS CLI)

• Approve-EC2VpcPeeringConnection (AWS Tools for Windows PowerShell)

• AcceptVpcPeeringConnection (Amazon EC2 Query API)

View your VPC peering connections

You can view all of your VPC peering connections in the Amazon VPC console. By default, the console displays all VPC peering connections in diﬀerent states, including those that may have been recently deleted or rejected. For more information about the lifecycle of a VPC peering connection, see VPC peering connection lifecycle (p. 2).

To view your VPC peering connections

3. All of your VPC peering connections are listed. Use the ﬁlter search bar to narrow your results.

To describe a VPC peering connection using the command line or an API

• describe-vpc-peering-connections (AWS CLI)

• Get-EC2VpcPeeringConnections (AWS Tools for Windows PowerShell)

(13)

Reject

• DescribeVpcPeeringConnections (Amazon EC2 Query API)

Reject a VPC peering connection

You can reject any VPC peering connection request that you've received that's in the pending-

acceptance state. You should only accept VPC peering connections from AWS accounts that you know and trust; you can reject any unwanted requests.

To reject a VPC peering connection

3. Select the VPC peering connection, and choose Actions, Reject Request.

4. In the conﬁrmation dialog box, choose Yes, Reject.

To reject a VPC peering connection using the command line or an API

• reject-vpc-peering-connection (AWS CLI)

• Deny-EC2VpcPeeringConnection (AWS Tools for Windows PowerShell)

• RejectVpcPeeringConnection (Amazon EC2 Query API)

Update your route tables for a VPC peering connection

To send private IPv4 traﬃc from your instance to an instance in a peer VPC, you must add a route to the route table that's associated with your subnet in which your instance resides. The route points to the CIDR block (or portion of the CIDR block) of the peer VPC in the VPC peering connection, and speciﬁes the VPC peering connection as the target.

Similarly, if the VPCs in the VPC peering connection have associated IPv6 CIDR blocks, you can add a route to your route table to enable communication with the peer VPC over IPv6.

If a subnet is not explicitly associated with a route table, it uses the main route table by default. For more information, see Route Tables in the Amazon VPC User Guide.

You have a quota on the number of entries you can add per route table. If the number of VPC peering connections in your VPC exceeds the route table entry quota for a single route table, consider using multiple subnets that are each associated with a custom route table.

For more information about supported route table conﬁgurations for VPC peering connections, see VPC peering conﬁgurations (p. 19).

You can add a route for a VPC peering connection that's in the pending-acceptance state. However, the route will have a state of blackhole and have no eﬀect until the VPC peering connection is in the active state.

Warning

If you have a VPC peered with multiple VPCs that have overlapping or matching IPv4 CIDR blocks, ensure that your route tables are configured to avoid sending response traffic from your VPC to the incorrect VPC. AWS currently does not support unicast reverse path forwarding in VPC peering connections that checks the source IP of packets and routes reply packets back to the source. For more information, see Routing for response traffic (p. 44).

(14)

Update route tables

To add an IPv4 route for a VPC peering connection

2. In the navigation pane, choose Route Tables.

3. Select the check box next to the route table that's associated with the subnet in which your instance resides.

Note

If you do not have a route table associated with that subnet, select the main route table for the VPC, as the subnet then uses this route table by default.

4. Choose Actions, Edit routes.

5. Choose Add route.

6. For Destination, enter the IPv4 address range to which the network traffic in the VPC peering connection must be directed. You can specify the entire IPv4 CIDR block of the peer VPC, a specific range, or an individual IPv4 address, such as the IP address of the instance with which to communicate. For example, if the CIDR block of the peer VPC is 10.0.0.0/16, you can specify a portion 10.0.0.0/24, or a specific IP address 10.0.0.7/32.

7. For Target, select the VPC peering connection, and then choose Save changes.

The owner of the peer VPC must also complete these steps to add a route to direct traﬃc back to your VPC through the VPC peering connection.

If you have resources in diﬀerent AWS Regions that use IPv6 addresses, you can create an inter-Region peering connection. You can then add an IPv6 route for communication between the resources.

To add an IPv6 route for a VPC peering connection

2. In the navigation pane, choose Route Tables.

3. Select the check box next to the route table that's associated with the subnet in which your instance resides.

Note

If you do not have a route table associated with that subnet, select the main route table for the VPC, as the subnet then uses this route table by default.

4. Choose Actions, Edit routes.

5. Choose Add route.

6. For Destination, enter the IPv6 address range for the peer VPC. You can specify the entire IPv6 CIDR block of the peer VPC, a speciﬁc range, or an individual IPv6 address. For example, if the CIDR block of the peer VPC is 2001:db8:1234:1a00::/56, you can specify a portion 2001:db8:1234:1a00::/64, or a speciﬁc IP address 2001:db8:1234:1a00::123/128.

7. For Target, select the VPC peering connection, and then choose Save changes.

For more information, see Route Tables in the Amazon VPC User Guide.

To add or replace a route using the command line or an API

• create-route (AWS CLI)

• New-EC2Route (AWS Tools for Windows PowerShell)

• CreateRoute (Amazon EC2 Query API)

• replace-route (AWS CLI)

• Set-EC2Route (AWS Tools for Windows PowerShell)

(15)

Reference peer VPC security groups

• ReplaceRoute (Amazon EC2 Query API)

Update your security groups to reference peer VPC groups

You can update the inbound or outbound rules for your VPC security groups to reference security groups in the peered VPC. Doing so allows traﬃc to ﬂow to and from instances that are associated with the referenced security group in the peered VPC.

Requirements

• The peer VPC can be a VPC in your account, or a VPC in another AWS account. To reference a security group in another AWS account, include the account number in Source or Destination ﬁeld; for example, 123456789012/sg-1a2b3c4d.

• You cannot reference the security group of a peer VPC that's in a diﬀerent Region. Instead, use the CIDR block of the peer VPC.

• To reference a security group in a peer VPC, the VPC peering connection must be in the active state.

• If you configure routes to forward the traffic between two instances in different subnets through a middlebox appliance, you must ensure that the security groups for both instances allow traffic to flow between the instances. The security group for each instance must reference the private IP address of the other instance, or the the CIDR range of the subnet that contains the other instance, as the source.

If you reference the security group of the other instance as the source, this does not allow traﬃc to ﬂow between the instances.

To update your security group rules using the console

2. In the navigation pane, choose Security Groups.

3. Select the security group, and choose Inbound Rules to modify the inbound rules or Outbound Rules to modify the outbound rules.

4. Choose Edit, Add another rule.

5. Specify the type, protocol, and port range as required. For Source (or Destination for an outbound rule), type the ID of the security group in the peer VPC if it is in the same Region or the CIDR block of the peer VPC if it is in a diﬀerent Region.

Note

Security groups in a peer VPC are not automatically displayed.

6. Choose Save.

To update inbound rules using the command line

• authorize-security-group-ingress (AWS CLI)

• Grant-EC2SecurityGroupIngress (AWS Tools for Windows PowerShell)

• Revoke-EC2SecurityGroupIngress (AWS Tools for Windows PowerShell)

• revoke-security-group-ingress (AWS CLI)

To update outbound rules using the command line

• authorize-security-group-egress (AWS CLI)

• Grant-EC2SecurityGroupEgress (AWS Tools for Windows PowerShell)

(16)

Identify your referenced security groups

• Revoke-EC2SecurityGroupEgress (AWS Tools for Windows PowerShell)

• revoke-security-group-egress (AWS CLI)

For example, to update your security group sg-aaaa1111 to allow inbound access over HTTP from sg- bbbb2222 that's in a peer VPC, you can use the following AWS CLI command:

aws ec2 authorize-security-group-ingress --group-id sg-aaaa1111 --protocol tcp --port 80 -- source-group sg-bbbb2222

After you've updated the security group rules, use the describe-security-groups command to view the referenced security group in your security group rules.

Identify your referenced security groups

To determine if your security group is being referenced in the rules of a security group in a peer VPC, use one of the following commands for one or more security groups in your account.

• describe-security-group-references (AWS CLI)

• Get-EC2SecurityGroupReference (AWS Tools for Windows PowerShell)

• DescribeSecurityGroupReferences (Amazon EC2 Query API)

In the following example, the response indicates that security group sg-bbbb2222 is being referenced by a security group in VPC vpc-aaaaaaaa:

aws ec2 describe-security-group-references --group-id sg-bbbb2222

{

"SecurityGroupsReferenceSet": [ {

"ReferencingVpcId": "vpc-aaaaaaaa", "GroupId": "sg-bbbb2222",

"VpcPeeringConnectionId": "pcx-b04deed9"

} ] }

If the VPC peering connection is deleted, or if the owner of the peer VPC deletes the referenced security group, the security group rule becomes stale.

Work with stale security group rules

A stale security group rule is a rule that references a deleted security group in the same VPC or in a peer VPC, or that references a security group in a peer VPC for which the VPC peering connection has been deleted. When a security group rule becomes stale, it's not automatically removed from your security group—you must manually remove it. If a security group rule is stale because the VPC peering connection was deleted, the rule will no longer be marked as stale if you create a new VPC peering connection with the same VPCs.

You can view and delete the stale security group rules for a VPC using the Amazon VPC console.

To view and delete stale security group rules

(17)

Modify peering options

2. In the navigation pane, choose Security Groups.

3. Choose Actions, Manage stale rules.

4. For VPC, choose the VPC with the stale rules.

5. Choose Edit.

6. Choose the Delete button next to the rule that you want to delete. Choose Preview changes, Save rules.

To describe your stale security group rules using the command line or an API

• describe-stale-security-groups (AWS CLI)

• Get-EC2StaleSecurityGroup (AWS Tools for Windows PowerShell)

• DescribeStaleSecurityGroups (Amazon EC2 Query API)

In the following example, VPC A (vpc-aaaaaaaa) and VPC B were peered, and the VPC peering connection was deleted. Your security group sg-aaaa1111 in VPC A references sg-bbbb2222 in VPC B. When you run the describe-stale-security-groups command for your VPC, the response indicates that security group sg-aaaa1111 has a stale SSH rule that references sg-bbbb2222.

aws ec2 describe-stale-security-groups --vpc-id vpc-aaaaaaaa

{ "StaleSecurityGroupSet": [ {

"VpcId": "vpc-aaaaaaaa", "StaleIpPermissionsEgress": [], "GroupName": "Access1",

"StaleIpPermissions": [ {

"ToPort": 22, "FromPort": 22, "UserIdGroupPairs": [ {

"VpcId": "vpc-bbbbbbbb", "PeeringStatus": "deleted", "UserId": "123456789101", "GroupName": "Prod1",

"VpcPeeringConnectionId": "pcx-b04deed9", "GroupId": "sg-bbbb2222"

} ],

"IpProtocol": "tcp"

} ],

"GroupId": "sg-aaaa1111",

"Description": "Reference remote SG"

} ] }

After you've identiﬁed the stale security group rules, you can delete them using the revoke-security- group-ingress or revoke-security-group-egress commands.

Modify VPC peering connection options

You can modify a VPC peering connection to do the following:

(18)

Enable DNS resolution for a VPC peering connection

• Enable one or more EC2-Classic instances that are linked to your VPC via ClassicLink to communicate with instances in the peer VPC, or to enable instances in your VPC to communicate with linked EC2- Classic instances in the peer VPC. For more information, see Conﬁgurations with ClassicLink (p. 51).

You cannot enable EC2-Classic instances to communicate with instances in a peer VPC over IPv6.

• Enable a VPC to resolve public IPv4 DNS hostnames to private IPv4 addresses when queried from instances in the peer VPC. For more information, see Enable DNS resolution for a VPC peering connection (p. 15).

Enable DNS resolution for a VPC peering connection

To enable a VPC to resolve public IPv4 DNS hostnames to private IPv4 addresses when queried from instances in the peer VPC, you must modify your existing peering connection.

Both VPCs must be enabled for DNS hostnames and DNS resolution.

You cannot enable DNS resolution support when you create a new peering connection. You can enable DNS resolution support for an existing peering connection that's in the active state.

To enable DNS resolution for a peering connection

3. Select the VPC peering connection, and choose Actions, Edit DNS Settings.

4. To ensure that queries from the peer VPC resolve to private IP addresses in your local VPC, choose the option to enable DNS resolution for queries from the peer VPC. This option is Requester DNS resolution or Accepter DNS resolution, depending on whether the VPC is the requester or accepter VPC.

5. If the peer VPC is in the same AWS account, you can enable DNS resolution for both VPCs in the peering connection.

6. Choose Save.

7. If the peer VPC is in a diﬀerent AWS account or a diﬀerent Region, the owner of the peer VPC must sign into the VPC console, perform steps 2 through 4, and choose Save.

To enable DNS resolution using the command line or an API

• modify-vpc-peering-connection-options (AWS CLI)

• Edit-EC2VpcPeeringConnectionOption (AWS Tools for Windows PowerShell)

• ModifyVpcPeeringConnectionOptions (Amazon EC2 Query API)

You must modify the requester VPC peering options if you are the requester of the VPC peering connection, and you must modify the accepter VPC peering options if you are the accepter of the VPC peering connection. You can use the describe-vpc-peering-connections or Get-

EC2VpcPeeringConnections commands to verify which VPC is the accepter and the requester for a VPC peering connection. For inter-Region peering connections, you must use the Region for the requester VPC to modify the requester VPC peering options and the Region for the accepter VPC to modify the accepter VPC peering options.

In this example, you are the requester of the VPC peering connection, therefore modify the peering connection options using the AWS CLI as follows:

aws ec2 modify-vpc-peering-connection-options --vpc-peering-connection-id pcx-aaaabbbb -- requester-peering-connection-options AllowDnsResolutionFromRemoteVpc=true

(19)

Delete

Delete a VPC peering connection

Either owner of a VPC in a peering connection can delete the VPC peering connection at any time.

You can also delete a VPC peering connection that you've requested that is still in the pending- acceptance state.

You cannot delete the VPC peering connection when the VPC peering connection is in the rejected state. We automatically delete the connection for you.

Deleting a VPC in the Amazon VPC console that's part of an active VPC peering connection also deletes the VPC peering connection. If you have requested a VPC peering connection with a VPC in another account, and you delete your VPC before the other party has accepted the request, the VPC peering connection is also deleted. You cannot delete a VPC for which you have a pending-acceptance request from a VPC in another account. You must ﬁrst reject the VPC peering connection request.

When you delete a peering connection, the status is set to Deleted. When the connection is in this state, you cannot accept, reject, or edit the DNS settings.

To delete a VPC peering connection

3. Select the VPC peering connection, and choose Actions, Delete VPC Peering Connection.

4. In the conﬁrmation dialog box, choose Yes, Delete.

To delete a VPC peering connection using the command line or an API

• delete-vpc-peering-connection (AWS CLI)

• Remove-EC2VpcPeeringConnection (AWS Tools for Windows PowerShell)

• DeleteVpcPeeringConnection (Amazon EC2 Query API)

(20)

Peering two or more VPCs to provide full access to resources

VPC peering scenarios

There are a number of reasons you might need to set up a VPC peering connection between your VPCs, or between a VPC that you own and a VPC in a diﬀerent AWS account. The following scenarios can help you determine which conﬁguration is best suited to your networking requirements.

Scenarios

• Peering two or more VPCs to provide full access to resources (p. 17)

• Peering to one VPC to access centralized resources (p. 17)

• Peering with ClassicLink (p. 18)

Peering two or more VPCs to provide full access to resources

In this scenario, you have two or more VPCs that you want to peer to enable full sharing of resources between all VPCs. The following are some examples:

• Your company has a VPC for the ﬁnance department, and another VPC for the accounting department.

The ﬁnance department requires access to all resources that are in the accounting department, and the accounting department requires access to all resources in the ﬁnance department.

• Your company has multiple IT departments, each with their own VPC. Some VPCs are located within the same AWS account, and others in a diﬀerent AWS account. You want to peer together all VPCs to enable the IT departments to have full access to each others' resources.

For more information about how to set up the VPC peering connection conﬁguration and route tables for this scenario, see the following documentation:

• Two VPCs peered together (p. 19)

• Three VPCs peered together (p. 23)

• Multiple VPCs peered together (p. 29)

For more information about creating and working with VPC peering connections in the Amazon VPC console, see Work with VPC peering connections (p. 6).

Peering to one VPC to access centralized resources

In this scenario, you have a central VPC that contains resources that you want to share with other VPCs.

Your central VPC may require full or partial access to the peer VPCs, and similarly, the peer VPCs may require full or partial access to the central VPC. The following are some examples:

• Your company's IT department has a VPC for ﬁle sharing. You want to peer other VPCs to that central VPC, however, you do not want the other VPCs to send traﬃc to each other.

• Your company has a VPC that you want to share with your customers. Each customer can create a VPC peering connection with your VPC, however, your customers cannot route traﬃc to other VPCs that are peered to yours, nor are they aware of the other customers' routes.

(21)

Peering with ClassicLink

• You have a central VPC that is used for Active Directory services. Specific instances in peer VPCs send requests to the Active Directory servers and require full access to the central VPC. The central VPC does not require full access to the peer VPCs; it only needs to route response traffic to the specific instances.

For more information about how to set up the VPC peering connection conﬁguration and route tables for this scenario, see the following topics:

• One VPC peered with two VPCs (p. 21)

• One VPC peered with multiple VPCs (p. 25)

• Two VPCs peered to two subnets in one VPC (p. 38)

• One VPC peered to speciﬁc subnets in two VPCs (p. 43)

• Instances in one VPC peered to instances in two VPCs (p. 46)

• One VPC peered with two VPCs using longest preﬁx match (p. 48)

For more information about creating and working with VPC peering connections in the Amazon VPC console, see Work with VPC peering connections (p. 6).

Peering with ClassicLink

You can modify a VPC peering connection to enable one or more EC2-Classic instances that are linked to your VPC via ClassicLink to communicate with instances in the peer VPC. Similarly, you can modify a VPC peering connection to enable instances in your VPC to communicate with linked EC2-Classic instances in the peer VPC.

For more information about how to set up the VPC peering connection conﬁguration and route tables for this scenario, see Conﬁgurations with ClassicLink (p. 51).

(22)

Conﬁgurations with routes to an entire CIDR block

VPC peering conﬁgurations

The following documentation describes the supported VPC peering configurations. You might require a configuration that allows routing between the entire CIDR block of each VPC, or a configuration that limits routing to specific subnets or IP addresses.

Conﬁgurations

• Conﬁgurations with routes to an entire CIDR block (p. 19)

• Conﬁgurations with speciﬁc routes (p. 37)

• Conﬁgurations with ClassicLink (p. 51)

Conﬁgurations with routes to an entire CIDR block

You can configure VPC peering connections so that your route tables have access to the entire CIDR block of the peer VPC. For more information about scenarios in which you might need a specific VPC peering connection configuration, see VPC peering scenarios (p. 17). For more information about creating and working with VPC peering connections in the Amazon VPC console, see Work with VPC peering connections (p. 6).

Conﬁgurations

• Two VPCs peered together (p. 19)

• One VPC peered with two VPCs (p. 21)

• Three VPCs peered together (p. 23)

• One VPC peered with multiple VPCs (p. 25)

• Multiple VPCs peered together (p. 29)

Two VPCs peered together

You have a VPC peering connection (pcx-11112222) between VPC A and VPC B, which are in the same AWS account, and do not have overlapping CIDR blocks.

You may want to use this kind of conﬁguration when you have two VPCs that require access to each others' resources. For example, you set up VPC A for your accounting records, and VPC B for your ﬁnancial records, and now you want each VPC to be able to access each others' resources without restriction.

The route tables for each VPC point to the relevant VPC peering connection to access the entire CIDR block of the peer VPC.

(23)

Two VPCs peered together

Route table Destination Target

172.16.0.0/16 Local

VPC A

10.0.0.0/16 pcx-11112222

10.0.0.0/16 Local

VPC B

172.16.0.0/16 pcx-11112222

For more information about updating your route tables, see Update your route tables for a VPC peering connection (p. 10).

Two VPCs peered together for IPv6

You have the same two VPCs in the VPC peering conﬁguration as above. In this example, VPC A and VPC B both have associated IPv6 CIDR blocks.

The route tables for each VPC point to the VPC peering connection to access the entire IPv6 CIDR block of the peer VPC.

172.16.0.0/16 Local

2001:db8:1234:aa00::/56 Local

10.0.0.0/16 pcx-11112222

VPC A

2001:db8:5678:bb00::/56 pcx-11112222

10.0.0.0/16 Local

2001:db8:5678:bb00::/56 Local

172.16.0.0/16 pcx-11112222

VPC B

2001:db8:1234:aa00::/56 pcx-11112222

For more information about IPv6 in your VPC, see Your VPC and Subnets in the Amazon VPC User Guide.

Two VPCs with multiple CIDRs peered together

You can add IPv4 CIDR blocks to your VPC. In this example, VPC A and VPC B have multiple IPv4 CIDR blocks.

(24)

One VPC peered with two VPCs

The route tables for each VPC point to the VPC peering connection to access all the IPv4 CIDR blocks of the peer VPC.

10.2.0.0/16 Local

10.4.0.0/16 Local

10.0.0.0/16 pcx-11112222

VPC A

10.3.0.0/16 pcx-11112222

10.0.0.0/16 Local

10.3.0.0/16 Local

10.2.0.0/16 pcx-11112222

VPC B

10.4.0.0/16 pcx-11112222

For more information, see Adding IPv4 CIDR Blocks to a VPC in the Amazon VPC User Guide.

One VPC peered with two VPCs

You have a central VPC (VPC A), and you have a VPC peering connection between VPC A and VPC B (pcx-12121212), and between VPC A and VPC C (pcx-23232323). The VPCs are in the same AWS account, and do not have overlapping CIDR blocks.

(25)

One VPC peered with two VPCs

You may want to use this 'ﬂying V' conﬁguration when you have resources on a central VPC, such as a repository of services, that other VPCs need to access. The other VPCs do not need access to each others' resources; they only need access to resources on the central VPC.

Note

VPC B and VPC C cannot send traﬃc directly to each other through VPC A. VPC peering does not support transitive peering relationships, nor edge to edge routing. You must create a VPC peering connection between VPC B and VPC C in order to route traﬃc directly between them.

For more information, see Three VPCs peered together (p. 23). For more information about unsupported peering scenarios, see Unsupported VPC peering conﬁgurations (p. 58).

172.16.0.0/16 Local

10.0.0.0/16 pcx-12121212

VPC A

192.168.0.0/16 pcx-23232323

10.0.0.0/16 Local

VPC B

172.16.0.0/16 pcx-12121212

192.168.0.0/16 Local

VPC C

172.16.0.0/16 pcx-23232323

One VPC peered with two VPCs for IPv6

You have the same three VPCs in the VPC peering conﬁguration as above. In this example, all three VPCs have associated IPv6 CIDR blocks.

(26)

Three VPCs peered together

172.16.0.0/16 Local

2001:db8:1234:aa00::/56 Local

10.0.0.0/16 pcx-12121212

192.168.0.0/16 pcx-23232323

2001:db8:1234:bb00::/56 pcx-12121212 VPC A

2001:db8:1234:cc00::/56 pcx-23232323

10.0.0.0/16 Local

2001:db8:1234:bb00::/56 Local

172.16.0.0/16 pcx-12121212

VPC B

2001:db8:1234:aa00::/56 pcx-12121212

192.168.0.0/16 Local

2001:db8:1234:cc00::/56 Local

172.16.0.0/16 pcx-23232323

VPC C

2001:db8:1234:aa00::/56 pcx-23232323

Three VPCs peered together

You have peered three VPCs together in a full mesh conﬁguration. The VPCs are in the same AWS account and do not have overlapping CIDR blocks:

• VPC A is peered to VPC B through VPC peering connection pcx-aaaabbbb

• VPC A is peered to VPC C through VPC peering connection pcx-aaaacccc

• VPC B is peered to VPC C through VPC peering connection pcx-bbbbcccc

(27)

Three VPCs peered together

You may want to use this full mesh conﬁguration when you have separate VPCs that need to share resources with each other without restriction; for example, as a ﬁle sharing system.

The route tables for each VPC point to the relevant VPC peering connection to access the entire CIDR block of the peer VPCs.

Route tables Destination Target

172.16.0.0/16 Local

10.0.0.0/16 pcx-aaaabbbb

VPC A

192.168.0.0/16 pcx-aaaacccc

10.0.0.0/16 Local

VPC B

192.168.0.0/16 pcx-bbbbcccc

192.168.0.0/16 Local

VPC C

Three VPCs peered for IPv6

You have the same three VPCs in the VPC peering conﬁguration as above. In this example, VPC A and VPC B both have associated IPv6 CIDR blocks. VPC C does not have an associated IPv6 CIDR block.

The route tables for VPC A and VPC B include routes that point to VPC peering connection pcx- aaaabbbb to access the entire IPv6 CIDR block of the peer VPC. VPC A and VPC B can communicate using IPv6 over the VPC peering connection. VPC C cannot communicate using IPv6 with either VPC A or VPC B.

(28)

One VPC peered with multiple VPCs

172.16.0.0/16 Local

2001:db8:1234:aa00::/56 Local

VPC A

2001:db8:1234:bb00::/56 pcx-aaaabbbb

10.0.0.0/16 Local

2001:db8:1234:bb00::/56 Local

VPC B

2001:db8:1234:aa00::/56 pcx-aaaabbbb

192.168.0.0/16 Local

VPC C

The owner of VPC C associates an IPv6 CIDR block with the VPC (2001:db8:1234:cc00::/56). VPC C can now communicate over IPv6 with both VPC A and VPC B using the existing VPC peering connection.

To enable this, the following routes must be added to the existing route tables:

VPC A 2001:db8:1234:cc00::/56 pcx-aaaacccc

VPC B 2001:db8:1234:cc00::/56 pcx-bbbbcccc

2001:db8:1234:aa00::/56 pcx-aaaaacccc VPC C

2001:db8:1234:bb00::/56 pcx-bbbbcccc

For more information about IPv6 in your VPC, see Your VPC and Subnets in the Amazon VPC User Guide.

One VPC peered with multiple VPCs

You have a central VPC (VPC A) that's peered to the following VPCs:

• VPC B through pcx-aaaabbbb

• VPC C through pcx-aaaacccc

• VPC D through pcx-aaaadddd

• VPC E through pcx-aaaaeeee

• VPC F through pcx-aaaaffff

• VPC G through pcx-aaaagggg

(29)

VPC A is peered with all other VPCs, but the other VPCs are not peered to each other. The VPCs are in the same AWS account and do not have overlapping CIDR blocks.

Note

None of the other VPCs can send traffic directly to each other through VPC A. VPC peering does not support transitive peering relationships, nor edge to edge routing. You must create a VPC peering connection between the other VPCs in order to route traffic between them. For more information, see Multiple VPCs peered together (p. 29). For more information about unsupported peering scenarios, see Unsupported VPC peering configurations (p. 58).

You may want to use this spoke conﬁguration when you have resources on a central VPC, such as a repository of services, that other VPCs need to access. The other VPCs do not need access to each others' resources; they only need access to resources on the central VPC.

172.16.0.0/16 Local

10.2.0.0/16 pcx-aaaadddd

VPC A

10.3.0.0/16 pcx-aaaaeeee

(30)

172.17.0.0/16 pcx-aaaaﬀﬀ

10.4.0.0/16 pcx-aaaagggg

10.0.0.0/16 Local

VPC B

192.168.0.0/16 Local

VPC C

10.2.0.0/16 Local

VPC D

10.3.0.0/16 Local

VPC E

172.17.0.0/16 Local

VPC F

172.16.0.0/16 pcx-aaaaﬀﬀ

10.4.0.0/16 Local

VPC G

One VPC peered with multiple VPCs for IPv6

You have the same VPCs in the VPC peering conﬁguration as above. All VPCs have associated IPv6 CIDR blocks.

(31)

The route tables for each VPC point to the relevant VPC peering connection to access the entire IPv6 CIDR block of the peer VPC.

172.16.0.0/16 Local

2001:db8:1234:aa00::/56 Local

2001:db8:1234:cc00::/56 pcx-aaaacccc

2001:db8:1234:dd00::/56 pcx-aaaadddd

VPC A

2001:db8:1234:ee00::/56 pcx-aaaaeeee

(32)

Multiple VPCs peered together

172.17.0.0/16 pcx-aaaaﬀﬀ

2001:db8:1234:ff00::/56 pcx-aaaaffff

2001:db8:1234:7700::/56 pcx-aaaagggg

10.0.0.0/16 Local

2001:db8:1234:bb00::/56 Local

VPC B

192.168.0.0/16 Local

2001:db8:1234:cc00::/56 Local

VPC C

2001:db8:1234:aa00::/56 pcx-aaaacccc

10.2.0.0/16 Local

2001:db8:1234:dd00::/56 Local

VPC D

2001:db8:1234:aa00::/56 pcx-aaaadddd

10.3.0.0/16 Local

2001:db8:1234:ee00::/56 Local

VPC E

2001:db8:1234:aa00::/56 pcx-aaaaeeee

172.17.0.0/16 Local

2001:db8:1234:ﬀ00::/56 Local

172.16.0.0/16 pcx-aaaaﬀﬀ

VPC F

2001:db8:1234:aa00::/56 pcx-aaaaﬀﬀ

10.4.0.0/16 Local

2001:db8:1234:7700::/56 Local

VPC G

2001:db8:1234:aa00::/56 pcx-aaaagggg

Multiple VPCs peered together

You have peered seven VPCs together in a full mesh conﬁguration:

(33)

VPCs VPC peering connection

A and B pcx-aaaabbbb

A and C pcx-aaaacccc

A and D pcx-aaaadddd

A and E pcx-aaaaeeee

A and F pcx-aaaaﬀﬀ

A and G pcx-aaaagggg

B and C pcx-bbbbcccc

B and D pcx-bbbbdddd

B and E pcx-bbbbeeee

B and F pcx-bbbbﬀﬀ

B and G pcx-bbbbgggg

C and D pcx-ccccdddd

C and E pcx-cccceeee

C and F pcx-ccccﬀﬀ

C and G pcx-ccccgggg

D and E pcx-ddddeeee

D and F pcx-ddddﬀﬀ

D and G pcx-ddddgggg

E and F pcx-eeeeﬀﬀ

E and G pcx-eeeegggg

F and G pcx-ﬀﬀgggg

The VPCs are in the same AWS account and do not have overlapping CIDR blocks.

(34)

You may want to use this full mesh conﬁguration when you have multiple VPCs that must be able to access each others' resources without restriction; for example, as a ﬁle sharing network.

172.16.0.0/16 Local

172.17.0.0/16 pcx-aaaaﬀﬀ

VPC A

10.0.0.0/16 Local

VPC B

(35)

10.2.0.0/16 pcx-bbbbdddd

10.3.0.0/16 pcx-bbbbeeee

172.17.0.0/16 pcx-bbbbﬀﬀ

10.4.0.0/16 pcx-bbbbgggg

192.168.0.0/16 Local

10.2.0.0/16 pcx-ccccdddd

10.3.0.0/16 pcx-cccceeee

172.17.0.0/16 pcx-ccccﬀﬀ

VPC C

10.4.0.0/16 pcx-ccccgggg

10.2.0.0/16 Local

10.3.0.0/16 pcx-ddddeeee

172.17.0.0/16 pcx-ddddﬀﬀ

VPC D

10.4.0.0/16 pcx-ddddgggg

10.3.0.0/16 Local

172.17.0.0/16 pcx-eeeeﬀﬀ

VPC E

10.4.0.0/16 pcx-eeeegggg

172.17.0.0/16 Local

172.16.0.0/16 pcx-aaaaﬀﬀ

10.0.0.0/16 pcx-bbbbﬀﬀ

192.168.0.0/16 pcx-ccccﬀﬀ

10.2.0.0/16 pcx-ddddﬀﬀ

VPC F

10.3.0.0/16 pcx-eeeeﬀﬀ

(36)

10.4.0.0/16 pcx-ﬀﬀgggg

10.4.0.0/16 Local

VPC G

172.17.0.0/16 pcx-ﬀﬀgggg

For more information about updating route tables, see Update your route tables for a VPC peering connection (p. 10).

Multiple VPCs peered together for IPv6

You have the same VPCs in the VPC peering conﬁguration as above. All VPCs have associated IPv6 CIDR blocks.

(37)

172.16.0.0/16 Local

2001:db8:1234:aa00::/56 Local

2001:db8:1234:cc00::/56 pcx-aaaacccc

2001:db8:1234:dd00::/56 pcx-aaaadddd VPC A

(38)

2001:db8:1234:ee00::/56 pcx-aaaaeeee

172.17.0.0/16 pcx-aaaaﬀﬀ

2001:db8:1234:ff00::/56 pcx-aaaaffff

2001:db8:1234:7700::/56 pcx-aaaagggg

10.0.0.0/16 Local

2001:db8:1234:bb00::/56 Local

2001:db8:1234:cc00::/56 pcx-bbbbcccc

2001:db8:1234:dd00::/56 pcx-bbbbdddd

2001:db8:1234:ee00::/56 pcx-bbbbeeee

172.17.0.0/16 pcx-bbbbﬀﬀ

2001:db8:1234:ff00::/56 pcx-bbbbffff

VPC B

2001:db8:1234:7700::/56 pcx-bbbbgggg

192.168.0.0/16 Local

2001:db8:1234:cc00::/56 Local

2001:db8:1234:aa00::/56 pcx-aaaacccc

2001:db8:1234:bb00::/56 pcx-bbbbcccc

2001:db8:1234:dd00::/56 pcx-ccccdddd

2001:db8:1234:ee00::/56 pcx-cccceeee

172.17.0.0/16 pcx-ccccﬀﬀ

VPC C

2001:db8:1234:ff00::/56 pcx-ccccffff

(39)

2001:db8:1234:7700::/56 pcx-ccccgggg

10.2.0.0/16 Local

2001:db8:1234:dd00::/56 Local

2001:db8:1234:aa00::/56 pcx-aaaadddd

2001:db8:1234:bb00::/56 pcx-bbbbdddd

2001:db8:1234:cc00::/56 pcx-ccccdddd

2001:db8:1234:ee00::/56 pcx-ddddeeee

172.17.0.0/16 pcx-ddddﬀﬀ

2001:db8:1234:ff00::/56 pcx-ddddffff

VPC D

2001:db8:1234:7700::/56 pcx-ddddgggg

10.3.0.0/16 Local

2001:db8:1234:ee00::/56 Local

2001:db8:1234:aa00::/56 pcx-aaaaeeee

2001:db8:1234:bb00::/56 pcx-bbbbeeee

2001:db8:1234:cc00::/56 pcx-cccceeee

2001:db8:1234:dd00::/56 pcx-ddddeeee

172.17.0.0/16 pcx-eeeeﬀﬀ

2001:db8:1234:ff00::/56 pcx-eeeeffff

VPC E

2001:db8:1234:7700::/56 pcx-eeeegggg

VPC F 172.17.0.0/16 Local

(40)

Conﬁgurations with speciﬁc routes

2001:db8:1234:ﬀ00::/56 Local

172.16.0.0/16 pcx-aaaaﬀﬀ

2001:db8:1234:aa00::/56 pcx-aaaaﬀﬀ

10.0.0.0/16 pcx-bbbbﬀﬀ

2001:db8:1234:bb00::/56 pcx-bbbbﬀﬀ

192.168.0.0/16 pcx-ccccﬀﬀ

2001:db8:1234:cc00::/56 pcx-ccccﬀﬀ

10.2.0.0/16 pcx-ddddﬀﬀ

2001:db8:1234:dd00::/56 pcx-ddddﬀﬀ

10.3.0.0/16 pcx-eeeeﬀﬀ

2001:db8:1234:ee00::/56 pcx-eeeeﬀﬀ

10.4.0.0/16 pcx-ﬀﬀgggg

2001:db8:1234:7700::/56 pcx-ﬀﬀgggg

10.4.0.0/16 Local

2001:db8:1234:7700::/56 Local

2001:db8:1234:aa00::/56 pcx-aaaagggg

2001:db8:1234:bb00::/56 pcx-bbbbgggg

2001:db8:1234:cc00::/56 pcx-ccccgggg

2001:db8:1234:dd00::/56 pcx-ddddgggg

2001:db8:1234:ee00::/56 pcx-eeeegggg

172.17.0.0/16 pcx-ﬀﬀgggg

VPC G

2001:db8:1234:ff00::/56 pcx-ffffgggg

Conﬁgurations with speciﬁc routes

You can configure a VPC peering connections to provide access to part of the CIDR block, a specific CIDR block (if the VPC has multiple CIDR blocks) or a specific instance within the peer VPC. In these examples, a central VPC is peered to two or more VPCs that have overlapping CIDR blocks. For examples

(41)

Two VPCs peered to two subnets in one VPC

of scenarios in which you might need a speciﬁc VPC peering connection conﬁguration, see VPC peering scenarios (p. 17). For more information about creating and working with VPC peering connections, see Work with VPC peering connections (p. 6). For more information about updating your route tables, see Update your route tables for a VPC peering connection (p. 10).

Conﬁgurations

• Two VPCs peered to two subnets in one VPC (p. 38)

• Two VPCs peered to two diﬀerent CIDR blocks in one VPC (p. 42)

• One VPC peered to speciﬁc subnets in two VPCs (p. 43)

• Instances in one VPC peered to instances in two VPCs (p. 46)

• One VPC peered with two VPCs using longest preﬁx match (p. 48)

• Multiple VPC conﬁgurations (p. 49)

Two VPCs peered to two subnets in one VPC

You have a central VPC (VPC A), and you have a VPC peering connection between VPC A and VPC B (pcx- aaaabbbb), and between VPC A and VPC C (pcx-aaaacccc). VPC A has two subnets: one for each VPC peering connection.

You may want to use this kind of conﬁguration when you have a central VPC with separate sets of resources in diﬀerent subnets. Other VPCs may require access to some of the resources, but not all of them.

The route table for subnet X points to VPC peering connection pcx-aaaabbbb to access the entire CIDR block of VPC B. VPC B's route table points to pcx-aaaabbbb to access the CIDR block of only subnet X in

(42)

Two VPCs peered to two subnets in one VPC

VPC A. Similarly, the route table for subnet Y points to VPC peering connection pcx-aaaacccc to access the entire CIDR block of VPC C. VPC C's route table points to pcx-aaaacccc to access the CIDR block of only subnet Y in VPC A.

172.16.0.0/16 Local

Subnet X in VPC A

172.16.0.0/16 Local

Subnet Y in VPC A

10.0.0.0/16 Local

VPC B

10.0.0.0/16 Local

VPC C

Similarly, the central VPC (VPC A) can have multiple CIDR blocks, and VPC B and VPC C can have a VPC peering connection to a subnet in each CIDR block.

Amazon Virtual Private Cloud

Amazon Virtual Private Cloud

VPC Peering

Amazon Virtual Private Cloud: VPC Peering

Table of Contents

What is VPC peering?

Pricing for a VPC peering connection

VPC peering basics

VPC peering connection lifecycle

Note

Multiple VPC peering connections

VPC peering limitations

Work with VPC peering connections

Create and accept VPC peering connections

Create a VPC peering connection with another VPC in your account

Important

To create a VPC peering connection with a VPC in the same Region

To create a VPC peering connection with a VPC in a diﬀerent Region

Create a VPC peering connection with a VPC in another AWS account

Important

To request a VPC peering connection with a VPC in another account in the same Region

To request a VPC peering connection with a VPC in another account in a diﬀerent Region

To create a VPC peering connection using the command line or an API

Accept a VPC peering connection

Important

To accept a VPC peering connection

Note

To accept a VPC peering connection using the command line or an API

View your VPC peering connections

To view your VPC peering connections

To describe a VPC peering connection using the command line or an API

Reject a VPC peering connection

To reject a VPC peering connection

To reject a VPC peering connection using the command line or an API

Update your route tables for a VPC peering connection

Warning

To add an IPv4 route for a VPC peering connection

Note

To add an IPv6 route for a VPC peering connection

Note

To add or replace a route using the command line or an API

Update your security groups to reference peer VPC groups

Requirements

To update your security group rules using the console

Note

To update inbound rules using the command line

To update outbound rules using the command line

Identify your referenced security groups

Work with stale security group rules

To view and delete stale security group rules

To describe your stale security group rules using the command line or an API

Modify VPC peering connection options

Enable DNS resolution for a VPC peering connection

To enable DNS resolution for a peering connection

To enable DNS resolution using the command line or an API

Delete a VPC peering connection

To delete a VPC peering connection

To delete a VPC peering connection using the command line or an API

VPC peering scenarios

Peering two or more VPCs to provide full access to resources

Peering to one VPC to access centralized resources

Peering with ClassicLink

VPC peering conﬁgurations

Conﬁgurations with routes to an entire CIDR block

Two VPCs peered together

Two VPCs peered together for IPv6

Two VPCs with multiple CIDRs peered together

One VPC peered with two VPCs

Note

One VPC peered with two VPCs for IPv6

Three VPCs peered together

Three VPCs peered for IPv6

One VPC peered with multiple VPCs

Note

One VPC peered with multiple VPCs for IPv6

Multiple VPCs peered together

Multiple VPCs peered together for IPv6

Conﬁgurations with speciﬁc routes

Two VPCs peered to two subnets in one VPC