Amazon Virtual Private Cloud
VPC Peering Guide

Configurations with Routes to an Entire CIDR Block

This section demonstrates the configuration for VPC peering connections in which you configure your route tables to access the entire CIDR block of the peer VPC. For more information about scenarios in which you might need a specific VPC peering connection configuration, see VPC Peering Scenarios. For more information about creating and working with VPC peering connections in the Amazon VPC console, see Working with VPC Peering Connections.

Two VPCs Peered Together

You have a VPC peering connection (pcx-11112222) between VPC A and VPC B, which are in the same AWS account, and do not have overlapping CIDR blocks.


[Figure: Two VPCs peered together]

You may want to use this kind of configuration when you have two VPCs that require access to each other's resources. For example, you set up VPC A for your accounting records, and VPC B for your financial records, and now you want each VPC to be able to access the other's resources without restriction.

The route tables for each VPC point to the relevant VPC peering connection to access the entire CIDR block of the peer VPC.

Route table  Destination     Target
VPC A        172.16.0.0/16   Local
VPC A        10.0.0.0/16     pcx-11112222
VPC B        10.0.0.0/16     Local
VPC B        172.16.0.0/16   pcx-11112222

For more information about updating your route tables, see Updating Your Route Tables for a VPC Peering Connection.

Two VPCs Peered Together for IPv6

You have the same two VPCs in the VPC peering configuration as above. In this example, VPC A and VPC B both have associated IPv6 CIDR blocks.


[Figure: Two VPCs with IPv6 blocks peered]

The route tables for each VPC point to the VPC peering connection to access the entire IPv6 CIDR block of the peer VPC.

Route table  Destination              Target
VPC A        172.16.0.0/16            Local
VPC A        2001:db8:1234:aa00::/56  Local
VPC A        10.0.0.0/16              pcx-11112222
VPC A        2001:db8:5678:bb00::/56  pcx-11112222
VPC B        10.0.0.0/16              Local
VPC B        2001:db8:5678:bb00::/56  Local
VPC B        172.16.0.0/16            pcx-11112222
VPC B        2001:db8:1234:aa00::/56  pcx-11112222

For more information about IPv6 in your VPC, see Your VPC and Subnets in the Amazon VPC User Guide.

One VPC Peered with Two VPCs

You have a central VPC (VPC A), and you have a VPC peering connection between VPC A and VPC B (pcx-12121212), and between VPC A and VPC C (pcx-23232323). The VPCs are in the same AWS account, and do not have overlapping CIDR blocks.


[Figure: One VPC peered with two VPCs]

You may want to use this 'flying V' configuration when you have resources on a central VPC, such as a repository of services, that other VPCs need to access. The other VPCs do not need access to each other's resources; they only need access to resources on the central VPC.

Note

VPC B and VPC C cannot send traffic directly to each other through VPC A. VPC peering does not support transitive peering relationships, nor edge to edge routing. You must create a VPC peering connection between VPC B and VPC C in order to route traffic directly between them. For more information, see Three VPCs Peered Together. For more information about unsupported peering scenarios, see Invalid VPC Peering Connection Configurations.

The route tables for each VPC point to the relevant VPC peering connection to access the entire CIDR block of the peer VPC.

Route table  Destination     Target
VPC A        172.16.0.0/16   Local
VPC A        10.0.0.0/16     pcx-12121212
VPC A        192.168.0.0/16  pcx-23232323
VPC B        10.0.0.0/16     Local
VPC B        172.16.0.0/16   pcx-12121212
VPC C        192.168.0.0/16  Local
VPC C        172.16.0.0/16   pcx-23232323

For more information about updating your route tables, see Updating Your Route Tables for a VPC Peering Connection.
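
The non-transitive behaviour described in the note above can be checked offline against this section's route tables. The following is an added example, not part of the AWS guide: a simplified model in which a peer VPC accepts a packet only when the destination lies in its own CIDR block. The function names (next_hop, delivered_to, with_route) and the sample IP addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed model of this section: CIDR blocks, peering connections and
# route tables copied from the tables above.
VPC_CIDR = {"A": "172.16.0.0/16", "B": "10.0.0.0/16", "C": "192.168.0.0/16"}
PEERINGS = {"pcx-12121212": {"A", "B"}, "pcx-23232323": {"A", "C"}}
ROUTES = {
    "A": [("172.16.0.0/16", "local"), ("10.0.0.0/16", "pcx-12121212"),
          ("192.168.0.0/16", "pcx-23232323")],
    "B": [("10.0.0.0/16", "local"), ("172.16.0.0/16", "pcx-12121212")],
    "C": [("192.168.0.0/16", "local"), ("172.16.0.0/16", "pcx-23232323")],
}

def next_hop(routes, vpc, dst_ip):
    """Longest-prefix match for dst_ip in vpc's route table (None if no route)."""
    ip = ipaddress.ip_address(dst_ip)
    nets = [(ipaddress.ip_network(cidr), target) for cidr, target in routes[vpc]]
    hits = [(net, t) for net, t in nets if net.version == ip.version and ip in net]
    if not hits:
        return None
    return max(hits, key=lambda m: m[0].prefixlen)[1]

def delivered_to(routes, src_vpc, dst_ip):
    """VPC that receives a packet sent from src_vpc to dst_ip, or None if dropped."""
    target = next_hop(routes, src_vpc, dst_ip)
    if target is None:
        return None
    if target == "local":
        return src_vpc
    members = PEERINGS.get(target, set())
    if src_vpc not in members:
        return None  # route points at a peering connection this VPC is not part of
    peer = next(iter(members - {src_vpc}))
    # Peering is not transitive: the peer accepts the packet only when the
    # destination is inside its own CIDR block and never forwards it onward.
    in_peer = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(VPC_CIDR[peer])
    return peer if in_peer else None

def with_route(routes, vpc, cidr, target):
    """Copy of routes with one extra entry appended to vpc's table."""
    extra = {name: list(entries) for name, entries in routes.items()}
    extra[vpc].append((cidr, target))
    return extra

if __name__ == "__main__":
    print(delivered_to(ROUTES, "B", "172.16.1.10"))   # spoke to hub
    print(delivered_to(ROUTES, "B", "192.168.1.10"))  # spoke to spoke, no route
    forced = with_route(ROUTES, "B", "192.168.0.0/16", "pcx-12121212")
    print(delivered_to(forced, "B", "192.168.1.10"))  # route exists, VPC A does not forward
```

Pointing VPC B's route for 192.168.0.0/16 at pcx-12121212 does not make VPC C reachable; in this model, as in the note, only a direct peering connection between VPC B and VPC C does.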

One VPC Peered with Two VPCs for IPv6

You have the same three VPCs in the VPC peering configuration as above. In this example, all three VPCs have associated IPv6 CIDR blocks.


[Figure: One VPC peered to two]

The route tables for each VPC point to the VPC peering connection to access the entire IPv6 CIDR block of the peer VPC.

Route table  Destination              Target
VPC A        172.16.0.0/16            Local
VPC A        2001:db8:1234:aa00::/56  Local
VPC A        10.0.0.0/16              pcx-12121212
VPC A        192.168.0.0/16           pcx-23232323
VPC A        2001:db8:1234:bb00::/56  pcx-12121212
VPC A        2001:db8:1234:cc00::/56  pcx-23232323
VPC B        10.0.0.0/16              Local
VPC B        2001:db8:1234:bb00::/56  Local
VPC B        172.16.0.0/16            pcx-12121212
VPC B        2001:db8:1234:aa00::/56  pcx-12121212
VPC C        192.168.0.0/16           Local
VPC C        2001:db8:1234:cc00::/56  Local
VPC C        172.16.0.0/16            pcx-23232323
VPC C        2001:db8:1234:aa00::/56  pcx-23232323

Three VPCs Peered Together

You have peered three VPCs together in a full mesh configuration. The VPCs are in the same AWS account and do not have overlapping CIDR blocks:

  • VPC A is peered to VPC B through VPC peering connection pcx-aaaabbbb

  • VPC A is peered to VPC C through VPC peering connection pcx-aaaacccc

  • VPC B is peered to VPC C through VPC peering connection pcx-bbbbcccc


[Figure: Three VPCs peered together]

You may want to use this full mesh configuration when you have separate VPCs that need to share resources with each other without restriction; for example, as a file sharing system.

The route tables for each VPC point to the relevant VPC peering connection to access the entire CIDR block of the peer VPCs.

Route table  Destination     Target
VPC A        172.16.0.0/16   Local
VPC A        10.0.0.0/16     pcx-aaaabbbb
VPC A        192.168.0.0/16  pcx-aaaacccc
VPC B        10.0.0.0/16     Local
VPC B        172.16.0.0/16   pcx-aaaabbbb
VPC B        192.168.0.0/16  pcx-bbbbcccc
VPC C        192.168.0.0/16  Local
VPC C        172.16.0.0/16   pcx-aaaacccc
VPC C        10.0.0.0/16     pcx-bbbbcccc

For more information about updating your route tables, see Updating Your Route Tables for a VPC Peering Connection.

Three VPCs Peered for IPv6

You have the same three VPCs in the VPC peering configuration as above. In this example, VPC A and VPC B both have associated IPv6 CIDR blocks. VPC C does not have an associated IPv6 CIDR block.


[Figure: Three VPCs peered with IPv6]

The route tables for VPC A and VPC B include routes that point to VPC peering connection pcx-aaaabbbb to access the entire IPv6 CIDR block of the peer VPC. VPC A and VPC B can communicate using IPv6 over the VPC peering connection. VPC C cannot communicate using IPv6 with either VPC A or VPC B.

Route table  Destination              Target
VPC A        172.16.0.0/16            Local
VPC A        2001:db8:1234:aa00::/56  Local
VPC A        10.0.0.0/16              pcx-aaaabbbb
VPC A        192.168.0.0/16           pcx-aaaacccc
VPC A        2001:db8:1234:bb00::/56  pcx-aaaabbbb
VPC B        10.0.0.0/16              Local
VPC B        2001:db8:1234:bb00::/56  Local
VPC B        172.16.0.0/16            pcx-aaaabbbb
VPC B        192.168.0.0/16           pcx-bbbbcccc
VPC B        2001:db8:1234:aa00::/56  pcx-aaaabbbb
VPC C        192.168.0.0/16           Local
VPC C        172.16.0.0/16            pcx-aaaacccc
VPC C        10.0.0.0/16              pcx-bbbbcccc

The owner of VPC C associates an IPv6 CIDR block with the VPC (2001:db8:1234:cc00::/56). VPC C can now communicate over IPv6 with both VPC A and VPC B using the existing VPC peering connections. To enable this, the following routes must be added to the existing route tables:

Route table  Destination              Target
VPC A        2001:db8:1234:cc00::/56  pcx-aaaacccc
VPC B        2001:db8:1234:cc00::/56  pcx-bbbbcccc
VPC C        2001:db8:1234:aa00::/56  pcx-aaaacccc
VPC C        2001:db8:1234:bb00::/56  pcx-bbbbcccc

For more information about IPv6 in your VPC, see Your VPC and Subnets in the Amazon VPC User Guide.
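
The routes that must be added after a VPC gains a new CIDR block can be derived mechanically from the peering topology. The following is an added example, not part of the AWS guide: it compares the routes each VPC needs for its direct peers with the routes already present, and, going slightly beyond the case above, also lists existing routes that match no peer CIDR block or peering connection. The function names (norm, required_routes, route_diff) are assumptions made for illustration.

```python
import ipaddress

# Constructed model of this section after VPC C is given an IPv6 CIDR block.
VPC_CIDRS = {
    "A": ["172.16.0.0/16", "2001:db8:1234:aa00::/56"],
    "B": ["10.0.0.0/16", "2001:db8:1234:bb00::/56"],
    "C": ["192.168.0.0/16", "2001:db8:1234:cc00::/56"],
}
PEERINGS = {"pcx-aaaabbbb": ("A", "B"), "pcx-aaaacccc": ("A", "C"),
            "pcx-bbbbcccc": ("B", "C")}
# Peering routes already present (Local routes omitted), taken from the
# route tables shown before VPC C received its IPv6 block.
EXISTING = {
    "A": [("10.0.0.0/16", "pcx-aaaabbbb"), ("192.168.0.0/16", "pcx-aaaacccc"),
          ("2001:db8:1234:bb00::/56", "pcx-aaaabbbb")],
    "B": [("172.16.0.0/16", "pcx-aaaabbbb"), ("192.168.0.0/16", "pcx-bbbbcccc"),
          ("2001:db8:1234:aa00::/56", "pcx-aaaabbbb")],
    "C": [("172.16.0.0/16", "pcx-aaaacccc"), ("10.0.0.0/16", "pcx-bbbbcccc")],
}

def norm(cidr):
    """Canonical text form so equivalent spellings of a CIDR compare equal."""
    return str(ipaddress.ip_network(cidr))

def required_routes(vpc_cidrs, peerings):
    """Every (destination, target) each VPC needs to reach its direct peers."""
    required = {vpc: set() for vpc in vpc_cidrs}
    for pcx, (left, right) in peerings.items():
        for src, dst in ((left, right), (right, left)):
            required[src].update((norm(c), pcx) for c in vpc_cidrs[dst])
    return required

def route_diff(vpc_cidrs, peerings, existing):
    """Per VPC: routes still to add, and routes matching no peer CIDR or connection."""
    required = required_routes(vpc_cidrs, peerings)
    missing, unexpected = {}, {}
    for vpc, needed in required.items():
        have = {(norm(c), t) for c, t in existing.get(vpc, [])}
        missing[vpc] = sorted(needed - have)
        unexpected[vpc] = sorted(have - needed)
    return missing, unexpected

if __name__ == "__main__":
    to_add, to_review = route_diff(VPC_CIDRS, PEERINGS, EXISTING)
    for vpc in sorted(to_add):
        print(vpc, "add:", to_add[vpc], "review:", to_review[vpc])
```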

One VPC Peered with Multiple VPCs

You have a central VPC (VPC A) that's peered to the following VPCs:

  • VPC B through pcx-aaaabbbb

  • VPC C through pcx-aaaacccc

  • VPC D through pcx-aaaadddd

  • VPC E through pcx-aaaaeeee

  • VPC F through pcx-aaaaffff

  • VPC G through pcx-aaaagggg

VPC A is peered with all other VPCs, but the other VPCs are not peered to each other. The VPCs are in the same AWS account and do not have overlapping CIDR blocks.

Note

None of the other VPCs can send traffic directly to each other through VPC A. VPC peering does not support transitive peering relationships, nor edge to edge routing. You must create a VPC peering connection between the other VPCs in order to route traffic between them. For more information, see Multiple VPCs Peered Together. For more information about unsupported peering scenarios, see Invalid VPC Peering Connection Configurations.


[Figure: One VPC peered to many VPCs]

You may want to use this spoke configuration when you have resources on a central VPC, such as a repository of services, that other VPCs need to access. The other VPCs do not need access to each other's resources; they only need access to resources on the central VPC.

The route tables for each VPC point to the relevant VPC peering connection to access the entire CIDR block of the peer VPC.

Route table  Destination     Target
VPC A        172.16.0.0/16   Local
VPC A        10.0.0.0/16     pcx-aaaabbbb
VPC A        192.168.0.0/16  pcx-aaaacccc
VPC A        10.2.0.0/16     pcx-aaaadddd
VPC A        10.3.0.0/16     pcx-aaaaeeee
VPC A        172.17.0.0/16   pcx-aaaaffff
VPC A        10.4.0.0/16     pcx-aaaagggg
VPC B        10.0.0.0/16     Local
VPC B        172.16.0.0/16   pcx-aaaabbbb
VPC C        192.168.0.0/16  Local
VPC C        172.16.0.0/16   pcx-aaaacccc
VPC D        10.2.0.0/16     Local
VPC D        172.16.0.0/16   pcx-aaaadddd
VPC E        10.3.0.0/16     Local
VPC E        172.16.0.0/16   pcx-aaaaeeee
VPC F        172.17.0.0/16   Local
VPC F        172.16.0.0/16   pcx-aaaaffff
VPC G        10.4.0.0/16     Local
VPC G        172.16.0.0/16   pcx-aaaagggg

For more information about updating your route tables, see Updating Your Route Tables for a VPC Peering Connection.

One VPC Peered with Multiple VPCs for IPv6

You have the same VPCs in the VPC peering configuration as above. All VPCs have associated IPv6 CIDR blocks.


[Figure: One VPC peered to many]

The route tables for each VPC point to the relevant VPC peering connection to access the entire IPv6 CIDR block of the peer VPC.

Route table  Destination              Target
VPC A        172.16.0.0/16            Local
VPC A        2001:db8:1234:aa00::/56  Local
VPC A        10.0.0.0/16              pcx-aaaabbbb
VPC A        2001:db8:1234:bb00::/56  pcx-aaaabbbb
VPC A        192.168.0.0/16           pcx-aaaacccc
VPC A        2001:db8:1234:cc00::/56  pcx-aaaacccc
VPC A        10.2.0.0/16              pcx-aaaadddd
VPC A        2001:db8:1234:dd00::/56  pcx-aaaadddd
VPC A        10.3.0.0/16              pcx-aaaaeeee
VPC A        2001:db8:1234:ee00::/56  pcx-aaaaeeee
VPC A        172.17.0.0/16            pcx-aaaaffff
VPC A        2001:db8:1234:ff00::/56  pcx-aaaaffff
VPC A        10.4.0.0/16              pcx-aaaagggg
VPC A        2001:db8:1234:7700::/56  pcx-aaaagggg
VPC B        10.0.0.0/16              Local
VPC B        2001:db8:1234:bb00::/56  Local
VPC B        172.16.0.0/16            pcx-aaaabbbb
VPC B        2001:db8:1234:aa00::/56  pcx-aaaabbbb
VPC C        192.168.0.0/16           Local
VPC C        2001:db8:1234:cc00::/56  Local
VPC C        172.16.0.0/16            pcx-aaaacccc
VPC C        2001:db8:1234:aa00::/56  pcx-aaaacccc
VPC D        10.2.0.0/16              Local
VPC D        2001:db8:1234:dd00::/56  Local
VPC D        172.16.0.0/16            pcx-aaaadddd
VPC D        2001:db8:1234:aa00::/56  pcx-aaaadddd
VPC E        10.3.0.0/16              Local
VPC E        2001:db8:1234:ee00::/56  Local
VPC E        172.16.0.0/16            pcx-aaaaeeee
VPC E        2001:db8:1234:aa00::/56  pcx-aaaaeeee
VPC F        172.17.0.0/16            Local
VPC F        2001:db8:1234:ff00::/56  Local
VPC F        172.16.0.0/16            pcx-aaaaffff
VPC F        2001:db8:1234:aa00::/56  pcx-aaaaffff
VPC G        10.4.0.0/16              Local
VPC G        2001:db8:1234:7700::/56  Local
VPC G        172.16.0.0/16            pcx-aaaagggg
VPC G        2001:db8:1234:aa00::/56  pcx-aaaagggg

Multiple VPCs Peered Together

You have peered seven VPCs together in a full mesh configuration:

VPCs     VPC peering connection
A and B  pcx-aaaabbbb
A and C  pcx-aaaacccc
A and D  pcx-aaaadddd
A and E  pcx-aaaaeeee
A and F  pcx-aaaaffff
A and G  pcx-aaaagggg
B and C  pcx-bbbbcccc
B and D  pcx-bbbbdddd
B and E  pcx-bbbbeeee
B and F  pcx-bbbbffff
B and G  pcx-bbbbgggg
C and D  pcx-ccccdddd
C and E  pcx-cccceeee
C and F  pcx-ccccffff
C and G  pcx-ccccgggg
D and E  pcx-ddddeeee
D and F  pcx-ddddffff
D and G  pcx-ddddgggg
E and F  pcx-eeeeffff
E and G  pcx-eeeegggg
F and G  pcx-ffffgggg

The VPCs are in the same AWS account and do not have overlapping CIDR blocks.


[Figure: Many VPCs peered together]

You may want to use this full mesh configuration when you have multiple VPCs that must be able to access each other's resources without restriction; for example, as a file sharing network.

The route tables for each VPC point to the relevant VPC peering connection to access the entire CIDR block of the peer VPC.

Route table  Destination     Target
VPC A        172.16.0.0/16   Local
VPC A        10.0.0.0/16     pcx-aaaabbbb
VPC A        192.168.0.0/16  pcx-aaaacccc
VPC A        10.2.0.0/16     pcx-aaaadddd
VPC A        10.3.0.0/16     pcx-aaaaeeee
VPC A        172.17.0.0/16   pcx-aaaaffff
VPC A        10.4.0.0/16     pcx-aaaagggg
VPC B        10.0.0.0/16     Local
VPC B        172.16.0.0/16   pcx-aaaabbbb
VPC B        192.168.0.0/16  pcx-bbbbcccc
VPC B        10.2.0.0/16     pcx-bbbbdddd
VPC B        10.3.0.0/16     pcx-bbbbeeee
VPC B        172.17.0.0/16   pcx-bbbbffff
VPC B        10.4.0.0/16     pcx-bbbbgggg
VPC C        192.168.0.0/16  Local
VPC C        172.16.0.0/16   pcx-aaaacccc
VPC C        10.0.0.0/16     pcx-bbbbcccc
VPC C        10.2.0.0/16     pcx-ccccdddd
VPC C        10.3.0.0/16     pcx-cccceeee
VPC C        172.17.0.0/16   pcx-ccccffff
VPC C        10.4.0.0/16     pcx-ccccgggg
VPC D        10.2.0.0/16     Local
VPC D        172.16.0.0/16   pcx-aaaadddd
VPC D        10.0.0.0/16     pcx-bbbbdddd
VPC D        192.168.0.0/16  pcx-ccccdddd
VPC D        10.3.0.0/16     pcx-ddddeeee
VPC D        172.17.0.0/16   pcx-ddddffff
VPC D        10.4.0.0/16     pcx-ddddgggg
VPC E        10.3.0.0/16     Local
VPC E        172.16.0.0/16   pcx-aaaaeeee
VPC E        10.0.0.0/16     pcx-bbbbeeee
VPC E        192.168.0.0/16  pcx-cccceeee
VPC E        10.2.0.0/16     pcx-ddddeeee
VPC E        172.17.0.0/16   pcx-eeeeffff
VPC E        10.4.0.0/16     pcx-eeeegggg
VPC F        172.17.0.0/16   Local
VPC F        172.16.0.0/16   pcx-aaaaffff
VPC F        10.0.0.0/16     pcx-bbbbffff
VPC F        192.168.0.0/16  pcx-ccccffff
VPC F        10.2.0.0/16     pcx-ddddffff
VPC F        10.3.0.0/16     pcx-eeeeffff
VPC F        10.4.0.0/16     pcx-ffffgggg
VPC G        10.4.0.0/16     Local
VPC G        172.16.0.0/16   pcx-aaaagggg
VPC G        10.0.0.0/16     pcx-bbbbgggg
VPC G        192.168.0.0/16  pcx-ccccgggg
VPC G        10.2.0.0/16     pcx-ddddgggg
VPC G        10.3.0.0/16     pcx-eeeegggg
VPC G        172.17.0.0/16   pcx-ffffgggg

For more information about updating route tables, see Updating Your Route Tables for a VPC Peering Connection.

Multiple VPCs Peered Together for IPv6

You have the same VPCs in the VPC peering configuration as above. All VPCs have associated IPv6 CIDR blocks.


[Figure: Many VPCs peered together]

The route tables for each VPC point to the VPC peering connection to access the entire IPv6 CIDR block of the peer VPC.

Route table  Destination              Target
VPC A        172.16.0.0/16            Local
VPC A        2001:db8:1234:aa00::/56  Local
VPC A        10.0.0.0/16              pcx-aaaabbbb
VPC A        2001:db8:1234:bb00::/56  pcx-aaaabbbb
VPC A        192.168.0.0/16           pcx-aaaacccc
VPC A        2001:db8:1234:cc00::/56  pcx-aaaacccc
VPC A        10.2.0.0/16              pcx-aaaadddd
VPC A        2001:db8:1234:dd00::/56  pcx-aaaadddd
VPC A        10.3.0.0/16              pcx-aaaaeeee
VPC A        2001:db8:1234:ee00::/56  pcx-aaaaeeee
VPC A        172.17.0.0/16            pcx-aaaaffff
VPC A        2001:db8:1234:ff00::/56  pcx-aaaaffff
VPC A        10.4.0.0/16              pcx-aaaagggg
VPC A        2001:db8:1234:7700::/56  pcx-aaaagggg
VPC B        10.0.0.0/16              Local
VPC B        2001:db8:1234:bb00::/56  Local
VPC B        172.16.0.0/16            pcx-aaaabbbb
VPC B        2001:db8:1234:aa00::/56  pcx-aaaabbbb
VPC B        192.168.0.0/16           pcx-bbbbcccc
VPC B        2001:db8:1234:cc00::/56  pcx-bbbbcccc
VPC B        10.2.0.0/16              pcx-bbbbdddd
VPC B        2001:db8:1234:dd00::/56  pcx-bbbbdddd
VPC B        10.3.0.0/16              pcx-bbbbeeee
VPC B        2001:db8:1234:ee00::/56  pcx-bbbbeeee
VPC B        172.17.0.0/16            pcx-bbbbffff
VPC B        2001:db8:1234:ff00::/56  pcx-bbbbffff
VPC B        10.4.0.0/16              pcx-bbbbgggg
VPC B        2001:db8:1234:7700::/56  pcx-bbbbgggg
VPC C        192.168.0.0/16           Local
VPC C        2001:db8:1234:cc00::/56  Local
VPC C        172.16.0.0/16            pcx-aaaacccc
VPC C        2001:db8:1234:aa00::/56  pcx-aaaacccc
VPC C        10.0.0.0/16              pcx-bbbbcccc
VPC C        2001:db8:1234:bb00::/56  pcx-bbbbcccc
VPC C        10.2.0.0/16              pcx-ccccdddd
VPC C        2001:db8:1234:dd00::/56  pcx-ccccdddd
VPC C        10.3.0.0/16              pcx-cccceeee
VPC C        2001:db8:1234:ee00::/56  pcx-cccceeee
VPC C        172.17.0.0/16            pcx-ccccffff
VPC C        2001:db8:1234:ff00::/56  pcx-ccccffff
VPC C        10.4.0.0/16              pcx-ccccgggg
VPC C        2001:db8:1234:7700::/56  pcx-ccccgggg
VPC D        10.2.0.0/16              Local
VPC D        2001:db8:1234:dd00::/56  Local
VPC D        172.16.0.0/16            pcx-aaaadddd
VPC D        2001:db8:1234:aa00::/56  pcx-aaaadddd
VPC D        10.0.0.0/16              pcx-bbbbdddd
VPC D        2001:db8:1234:bb00::/56  pcx-bbbbdddd
VPC D        192.168.0.0/16           pcx-ccccdddd
VPC D        2001:db8:1234:cc00::/56  pcx-ccccdddd
VPC D        10.3.0.0/16              pcx-ddddeeee
VPC D        2001:db8:1234:ee00::/56  pcx-ddddeeee
VPC D        172.17.0.0/16            pcx-ddddffff
VPC D        2001:db8:1234:ff00::/56  pcx-ddddffff
VPC D        10.4.0.0/16              pcx-ddddgggg
VPC D        2001:db8:1234:7700::/56  pcx-ddddgggg
VPC E        10.3.0.0/16              Local
VPC E        2001:db8:1234:ee00::/56  Local
VPC E        172.16.0.0/16            pcx-aaaaeeee
VPC E        2001:db8:1234:aa00::/56  pcx-aaaaeeee
VPC E        10.0.0.0/16              pcx-bbbbeeee
VPC E        2001:db8:1234:bb00::/56  pcx-bbbbeeee
VPC E        192.168.0.0/16           pcx-cccceeee
VPC E        2001:db8:1234:cc00::/56  pcx-cccceeee
VPC E        10.2.0.0/16              pcx-ddddeeee
VPC E        2001:db8:1234:dd00::/56  pcx-ddddeeee
VPC E        172.17.0.0/16            pcx-eeeeffff
VPC E        2001:db8:1234:ff00::/56  pcx-eeeeffff
VPC E        10.4.0.0/16              pcx-eeeegggg
VPC E        2001:db8:1234:7700::/56  pcx-eeeegggg
VPC F        172.17.0.0/16            Local
VPC F        2001:db8:1234:ff00::/56  Local
VPC F        172.16.0.0/16            pcx-aaaaffff
VPC F        2001:db8:1234:aa00::/56  pcx-aaaaffff
VPC F        10.0.0.0/16              pcx-bbbbffff
VPC F        2001:db8:1234:bb00::/56  pcx-bbbbffff
VPC F        192.168.0.0/16           pcx-ccccffff
VPC F        2001:db8:1234:cc00::/56  pcx-ccccffff
VPC F        10.2.0.0/16              pcx-ddddffff
VPC F        2001:db8:1234:dd00::/56  pcx-ddddffff
VPC F        10.3.0.0/16              pcx-eeeeffff
VPC F        2001:db8:1234:ee00::/56  pcx-eeeeffff
VPC F        10.4.0.0/16              pcx-ffffgggg
VPC F        2001:db8:1234:7700::/56  pcx-ffffgggg
VPC G        10.4.0.0/16              Local
VPC G        2001:db8:1234:7700::/56  Local
VPC G        172.16.0.0/16            pcx-aaaagggg
VPC G        2001:db8:1234:aa00::/56  pcx-aaaagggg
VPC G        10.0.0.0/16              pcx-bbbbgggg
VPC G        2001:db8:1234:bb00::/56  pcx-bbbbgggg
VPC G        192.168.0.0/16           pcx-ccccgggg
VPC G        2001:db8:1234:cc00::/56  pcx-ccccgggg
VPC G        10.2.0.0/16              pcx-ddddgggg
VPC G        2001:db8:1234:dd00::/56  pcx-ddddgggg
VPC G        10.3.0.0/16              pcx-eeeegggg
VPC G        2001:db8:1234:ee00::/56  pcx-eeeegggg
VPC G        172.17.0.0/16            pcx-ffffgggg
VPC G        2001:db8:1234:ff00::/56  pcx-ffffgggg