VPC peering connections are a networking feature in AWS that enables you to establish private connectivity between two Virtual Private Clouds (VPCs). This connection allows resources in different VPCs to communicate using private IP addresses as if they were within the same network.
Key characteristics of VPC peering include:
**Cross-Account and Cross-Region Support**: VPC peering works between VPCs in the same AWS account or different accounts, and can span across different AWS regions (inter-region peering).
**Non-Transitive Nature**: VPC peering connections are non-transitive, meaning if VPC A is peered with VPC B, and VPC B is peered with VPC C, VPC A cannot communicate with VPC C through VPC B. Each connection must be established separately.
**No Overlapping CIDR Blocks**: The CIDR blocks of peered VPCs cannot overlap. This requirement necessitates careful IP address planning in complex organizational architectures.
**Route Table Configuration**: After establishing a peering connection, you must update route tables in both VPCs to enable traffic flow. Routes must point to the peering connection for the destination CIDR range.
**Security Group References**: You can reference security groups from peered VPCs within the same region, simplifying security management across connected networks.
**Bandwidth and Latency**: VPC peering provides high bandwidth with no single point of failure. Inter-region peering traffic stays on the AWS backbone and is encrypted.
**Limitations for Organizational Complexity**: For large-scale architectures requiring connectivity among many VPCs, VPC peering can become challenging to manage due to its non-transitive nature. In such scenarios, AWS Transit Gateway offers a more scalable hub-and-spoke model.
**Cost Considerations**: Data transfer within the same Availability Zone is free, while cross-AZ and cross-region transfers incur standard data transfer charges.
VPC peering is ideal for scenarios requiring simple, secure connectivity between a limited number of VPCs while maintaining network isolation from the public internet.
VPC Peering Connections
Why VPC Peering is Important
VPC Peering is a fundamental networking concept for AWS Solutions Architects because it enables private connectivity between two VPCs. In complex organizational environments, you often need to connect multiple VPCs across different accounts, regions, or business units while maintaining security and low latency. Understanding VPC peering is essential for designing scalable, secure, and cost-effective multi-VPC architectures.
What is VPC Peering?
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. VPC peering connections can be established between:
• VPCs in the same AWS account
• VPCs in different AWS accounts
• VPCs in different AWS regions (inter-region peering)
How VPC Peering Works
Key Characteristics:
• Non-transitive: If VPC A is peered with VPC B, and VPC B is peered with VPC C, VPC A cannot communicate with VPC C through VPC B. Each connection must be established separately.
• No overlapping CIDR blocks: The CIDR blocks of peered VPCs cannot overlap. This is a hard requirement.
• One peering connection per VPC pair: You can only have one peering connection between any two VPCs.
• Route table configuration required: After creating a peering connection, you must update route tables in both VPCs to direct traffic to the peering connection.
• Security group references: You can reference security groups from a peered VPC (same region only) for inbound rules.
Setup Process:
1. Create a peering connection request from the requester VPC
2. Accept the peering connection in the accepter VPC
3. Update route tables in both VPCs to include routes to the peer VPC CIDR
4. Update security groups and NACLs to allow appropriate traffic
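As an added example that is not part of the original notes, the following Python models the rules from the characteristics list and the setup steps above offline: peering is refused for overlapping CIDRs or a second connection between the same pair, traffic only flows once both route tables carry a route via the peering connection, and reachability is never transitive. All VPC ids, CIDRs, regions and pcx ids are constructed sample values, not real AWS resources.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Vpc:
    vpc_id: str   # constructed ids, not real AWS resources
    cidr: str     # primary IPv4 CIDR block
    region: str

@dataclass(frozen=True)
class Peering:
    pcx_id: str
    requester: Vpc
    accepter: Vpc
    def joins(self, a: Vpc, b: Vpc) -> bool:
        return {self.requester.vpc_id, self.accepter.vpc_id} == {a.vpc_id, b.vpc_id}

def create_peering(pcx_id: str, requester: Vpc, accepter: Vpc, existing: list) -> Peering:
    """Steps 1-2 (request, then accept). Enforces the two hard prerequisites:
    no overlapping CIDR blocks, and at most one peering per VPC pair."""
    if ipaddress.ip_network(requester.cidr).overlaps(ipaddress.ip_network(accepter.cidr)):
        raise ValueError(f"{requester.cidr} overlaps {accepter.cidr}: cannot peer")
    if any(p.joins(requester, accepter) for p in existing):
        raise ValueError(f"{requester.vpc_id} and {accepter.vpc_id} are already peered")
    return Peering(pcx_id, requester, accepter)

def add_routes(p: Peering, route_tables: dict) -> None:
    """Step 3: BOTH route tables need {peer CIDR -> pcx id}; one side alone is not enough."""
    route_tables.setdefault(p.requester.vpc_id, {})[p.accepter.cidr] = p.pcx_id
    route_tables.setdefault(p.accepter.vpc_id, {})[p.requester.cidr] = p.pcx_id

def can_reach(src: Vpc, dst: Vpc, peerings: list, route_tables: dict) -> bool:
    """Traffic needs a DIRECT peering with a route on both sides; no hop via a third VPC."""
    for p in (q for q in peerings if q.joins(src, dst)):
        fwd = route_tables.get(src.vpc_id, {}).get(dst.cidr) == p.pcx_id
        back = route_tables.get(dst.vpc_id, {}).get(src.cidr) == p.pcx_id
        return fwd and back
    return False

def path_mtu(p: Peering) -> int:
    """Jumbo frames only within a region; inter-region peering is capped at 1500 bytes."""
    return 9001 if p.requester.region == p.accepter.region else 1500

# Constructed sample topology: A<->B and B<->C are peered, A and C are not.
VPC_A = Vpc("vpc-a", "10.0.0.0/16", "us-east-1")
VPC_B = Vpc("vpc-b", "10.1.0.0/16", "us-east-1")
VPC_C = Vpc("vpc-c", "10.2.0.0/16", "eu-west-1")
ROUTE_TABLES, PEERINGS = {}, []
PEERINGS.append(create_peering("pcx-ab", VPC_A, VPC_B, PEERINGS))
PEERINGS.append(create_peering("pcx-bc", VPC_B, VPC_C, PEERINGS))
add_routes(PEERINGS[0], ROUTE_TABLES)   # step 3 done for A<->B only; B<->C stays unrouted
```

With the sample topology, only A and B can talk: B and C are peered but have no routes, and A never reaches C through B.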
Limitations to Remember
• Maximum MTU for inter-region peering is 1500 bytes (no jumbo frames)
• Intra-region peering supports jumbo frames (9001 bytes MTU)
• No edge-to-edge routing through gateways (Internet Gateway, NAT Gateway, VPN, etc.)
• DNS resolution across peered VPCs requires enabling DNS hostname resolution on both VPCs
VPC Peering vs. Transit Gateway
• VPC Peering is ideal for connecting a small number of VPCs with low latency requirements
• Transit Gateway is better for hub-and-spoke architectures with many VPCs
• VPC Peering has no bandwidth limits and lower data transfer costs
• Transit Gateway simplifies management when connecting many VPCs
Exam Tips: Answering Questions on VPC Peering Connections
Look for these keywords in questions:
• Private connectivity between VPCs
• Cross-account VPC communication
• Cross-region private networking
• Non-overlapping CIDR requirements
Common exam scenarios:
1. Overlapping CIDRs: If a question mentions overlapping IP ranges, VPC peering is NOT the answer. Consider using PrivateLink or NAT instances.
2. Transitive routing needs: If the scenario requires VPC A to reach VPC C through VPC B, VPC peering alone will not work. Consider Transit Gateway.
3. Many-to-many connections: For scenarios with more than 4-5 VPCs needing full mesh connectivity, Transit Gateway is usually the better choice due to simplified management.
4. Low latency requirements: VPC peering provides lower latency than Transit Gateway, making it preferred for latency-sensitive applications.
5. Edge routing questions: Remember that you cannot route through a peered VPC's Internet Gateway, NAT Gateway, or VPN connection.
Red flags that indicate VPC peering is NOT the answer:
• Overlapping IP address ranges mentioned
• Need for transitive routing
• Requirement to share internet access across VPCs
• Complex hub-and-spoke topology with many VPCs
Pro tip: Always verify that both route tables AND security groups are configured correctly in scenario-based troubleshooting questions. Missing routes are a common cause of connectivity issues in exam scenarios.