When designing a secure and scalable architecture in AWS, Virtual Private Clouds (VPCs) play a pivotal role in isolating resources. However, there are scenarios where resources across different VPCs need to communicate securely. This is where VPC Peering comes into play. VPC peering enables you to establish a direct network route between two VPCs, allowing instances in either VPC to communicate with each other. In this guide, we’ll walk you through the steps to set up a VPC peering connection between two VPCs in AWS, and demonstrate how to verify that the peering is working correctly.
Setting Up Your VPCs
Before creating a peering connection, you need two VPCs whose IPv4 CIDR blocks do not overlap; AWS will not activate a peering connection between VPCs with overlapping blocks, so plan the address space before you start. Let’s start by creating VPC-A.
Creating VPC-A
- Log in to your AWS Management Console and navigate to the VPC Dashboard.
- Click on Create VPC.
- Enter the following details:
- Name tag: VPC-A
- IPv4 CIDR block: 10.0.0.0/16
- IPv6 CIDR block: No IPv6 CIDR block
- Tenancy: Default
- Click Create VPC.
With VPC-A created, let’s move on to the second VPC, VPC-B.
Repeat the process to create the second VPC:
- Name tag: VPC-B
- IPv4 CIDR block: 10.1.0.0/16
- IPv6 CIDR block: No IPv6 CIDR block
- Tenancy: Default
With both VPCs created, we can now move on to creating subnets within each VPC.
Creating Subnets
Subnets are essential as they allow you to launch resources such as EC2 instances within your VPCs. Let’s create a subnet in VPC-A and one in VPC-B.
Creating a subnet in VPC-A:
- In the VPC Dashboard, go to Subnets and click Create Subnet.
- Input the following:
- Name tag: Subnet-A
- VPC: Select VPC-A
- Availability Zone: Choose an availability zone (e.g., us-east-1a)
- IPv4 CIDR block: 10.0.1.0/24
- Click Create Subnet.
Repeat the process to create a subnet in VPC-B:
- Name tag: Subnet-B
- VPC: Select VPC-B
- Availability Zone: Choose an availability zone (e.g., us-east-1b)
- IPv4 CIDR block: 10.1.1.0/24
Your VPCs are now ready with subnets in place, and we can move forward to establishing the VPC peering connection.
Setting Up VPC Peering
VPC peering lets traffic route between the two VPCs over their private IP addresses, without traversing the internet or an internet gateway. Peering is not transitive: VPC-A can reach VPC-B, but not any third VPC that VPC-B is itself peered with, so each pair of VPCs that needs to talk requires its own peering connection.
- Go to the Peering Connections section in the VPC Dashboard.
- Click Create Peering Connection and provide the following:
- Name tag: VPC-A-to-VPC-B
- VPC Requester: Select VPC-A
- VPC Accepter: Select VPC-B
- Click Create Peering Connection.
With the peering connection created, it stays in the Pending Acceptance state until the owner of the accepter VPC (VPC-B) accepts it; no traffic flows until then. To accept it:
- Go to the Peering Connections section in the VPC Dashboard.
- Select the peering connection you created.
- Click Actions > Accept Request.
Configuring Route Tables
To enable traffic to flow between the two VPCs, you need to update the route tables in each VPC.
- Go to the Route Tables section in the VPC Dashboard.
- Click on the route table associated with Subnet-A in VPC-A (the VPC’s main route table, unless you have associated a custom one).
- Click on the Routes tab and then Edit routes.
- Add a new route with the following details:
- Destination: 10.1.0.0/16 (VPC-B’s CIDR block)
- Target: Peering Connection (select the peering connection you created)
- Click Save routes.
Repeat the process for the route table associated with Subnet-B in VPC-B:
- Destination: 10.0.0.0/16 (VPC-A’s CIDR block)
- Target: Peering Connection (select the same peering connection)
Your route tables are now configured to direct traffic between the VPCs through the peering connection. Both routes are required: with only the route in VPC-A, packets from VPC-A reach VPC-B but the replies have no path back, and the connection appears to hang rather than fail.
Modifying Security Groups
To allow traffic between instances in the peered VPCs, you need to update the security group rules.
- Go to the Security Groups section in the VPC Dashboard.
- Click on the security group associated with the instances in VPC-A.
- Click on the Inbound Rules tab and then Edit inbound rules.
- Add a new rule with the following details:
- Type: All traffic
- Source: 10.1.0.0/16 (VPC-B’s CIDR block)
- Click Save rules.
Repeat the process for the security group associated with VPC-B’s instances:
- Type: All traffic
- Source: 10.0.0.0/16 (VPC-A’s CIDR block)
Your security groups are now configured to allow traffic between instances in the peered VPCs. Allowing All traffic from the whole /16 is the broadest rule that works and is fine for confirming that the peering is up, but it grants every host in the peer VPC access to every port. For anything beyond a test, narrow Type to the protocols and ports the peer actually needs (for example HTTPS on 443, plus ICMP if you want ping to work) and narrow Source to the specific peer subnet (10.1.1.0/24) or, when both VPCs are in the same region, to the peer instances’ security group ID. Remember also that the default network ACL allows all traffic; if you have customised the network ACLs on either subnet, they must permit the peer CIDR in both directions as well.
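As an added example, not code from the original guide, the following Python script performs an offline pre-flight check of the three pieces configured above: it confirms that the two VPC CIDR blocks do not overlap (the condition AWS enforces before a peering connection can be activated), derives the one route each VPC’s route table needs, and audits the security-group inbound rules for grants wider than a peered VPC should receive. The VPC and subnet values are the ones used in this guide, the peering connection ID is a hypothetical placeholder, the rule dictionaries are constructed inline in the shape the EC2 API uses (protocol "-1" meaning All traffic), and no AWS API is called.

```python
import ipaddress

# Constructed inputs mirroring the values used in this guide. The peering
# connection ID is a hypothetical placeholder; nothing here calls AWS.
VPC_A = {"name": "VPC-A", "cidr": "10.0.0.0/16", "subnet": "10.0.1.0/24"}
VPC_B = {"name": "VPC-B", "cidr": "10.1.0.0/16", "subnet": "10.1.1.0/24"}
PEERING_ID = "pcx-0123456789abcdef0"

# The inbound rule exactly as this guide configures it for VPC-A's instances.
# Protocol "-1" is how the EC2 API expresses "All traffic".
GUIDE_RULES_VPC_A = [
    {"protocol": "-1", "from_port": -1, "to_port": -1, "source": VPC_B["cidr"]},
]

# A tightened alternative: only HTTPS and ICMP echo request from VPC-B's subnet.
TIGHTENED_RULES_VPC_A = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "source": VPC_B["subnet"]},
    {"protocol": "icmp", "from_port": 8, "to_port": -1, "source": VPC_B["subnet"]},
]


def cidrs_overlap(cidr_a, cidr_b):
    """True if the two IPv4 CIDR blocks share any address.

    AWS refuses to activate a peering connection between overlapping blocks;
    even a partial overlap would leave the routing ambiguous."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def peering_routes(vpc_a, vpc_b, pcx_id):
    """Return the one route each VPC's route table needs.

    Each VPC routes the *peer's* CIDR to the peering connection. A route in
    only one direction gives requests a path out but replies no path back."""
    if cidrs_overlap(vpc_a["cidr"], vpc_b["cidr"]):
        raise ValueError(f"{vpc_a['cidr']} overlaps {vpc_b['cidr']}; peering cannot be activated")
    return {
        vpc_a["name"]: [{"destination": vpc_b["cidr"], "target": pcx_id}],
        vpc_b["name"]: [{"destination": vpc_a["cidr"], "target": pcx_id}],
    }


def audit_ingress_rules(rules, peer_cidr):
    """Flag inbound rules that grant more than a peered VPC should get.

    Findings: all-protocol rules, full TCP/UDP port ranges, and sources that
    are wider than the peer's CIDR (0.0.0.0/0, 10.0.0.0/8, ...)."""
    peer = ipaddress.ip_network(peer_cidr)
    findings = []
    for rule in rules:
        src = ipaddress.ip_network(rule["source"])
        label = f"{rule['protocol']} {rule['from_port']}-{rule['to_port']} from {rule['source']}"
        if rule["protocol"] == "-1":
            findings.append(f"{label}: all protocols and ports; restrict to what the peer needs")
        elif rule["protocol"] in ("tcp", "udp") and (rule["from_port"], rule["to_port"]) == (0, 65535):
            findings.append(f"{label}: full port range; restrict to specific ports")
        # A source that is a strict supernet of the peer CIDR admits more than the peer.
        if src.prefixlen < peer.prefixlen and peer.subnet_of(src):
            findings.append(f"{label}: source is wider than peer CIDR {peer_cidr}")
    return findings


if __name__ == "__main__":
    for vpc, routes in peering_routes(VPC_A, VPC_B, PEERING_ID).items():
        print(vpc, routes)
    print("guide rules:", audit_ingress_rules(GUIDE_RULES_VPC_A, VPC_B["cidr"]))
    print("tightened rules:", audit_ingress_rules(TIGHTENED_RULES_VPC_A, VPC_B["cidr"]))
```

Running the script prints the two routes and one finding for the guide’s All traffic rule, and no findings for the tightened rule set. The audit checks only the breadth of each grant, not whether a given port is actually needed; that judgement still has to come from knowing what the instances in VPC-B connect to.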