Amazon Virtual Private Cloud
VPC Peering Guide

Configurations with Specific Routes

This section demonstrates the configurations for VPC peering connections in which you provide access to part of the CIDR block, a specific CIDR block (if the VPC has multiple CIDR blocks) or a specific instance within the peer VPC. In these examples, a central VPC is peered to two or more VPCs that have overlapping CIDR blocks. For examples of scenarios in which you might need a specific VPC peering connection configuration, see VPC Peering Scenarios. For more information about creating and working with VPC peering connections in the Amazon VPC console, see Working with VPC Peering Connections. For more information about updating your route tables, see Updating Your Route Tables for a VPC Peering Connection.

Two VPCs Peered to Two Subnets in One VPC

You have a central VPC (VPC A), and you have a VPC peering connection between VPC A and VPC B (pcx-aaaabbbb), and between VPC A and VPC C (pcx-aaaacccc). VPC A has two subnets: one for each VPC peering connection.

[Figure: Two VPCs peered to two subnets]

You may want to use this kind of configuration when you have a central VPC with separate sets of resources in different subnets. Other VPCs may require access to some of the resources, but not all of them.

The route table for subnet X points to VPC peering connection pcx-aaaabbbb to access the entire CIDR block of VPC B. VPC B's route table points to pcx-aaaabbbb to access the CIDR block of only subnet X in VPC A. Similarly, the route table for subnet Y points to VPC peering connection pcx-aaaacccc to access the entire CIDR block of VPC C. VPC C's route table points to pcx-aaaacccc to access the CIDR block of only subnet Y in VPC A.

Route Table          Destination     Target
Subnet X in VPC A    172.16.0.0/16   Local
                     10.0.0.0/16     pcx-aaaabbbb
Subnet Y in VPC A    172.16.0.0/16   Local
                     10.0.0.0/16     pcx-aaaacccc
VPC B                10.0.0.0/16     Local
                     172.16.0.0/24   pcx-aaaabbbb
VPC C                10.0.0.0/16     Local
                     172.16.1.0/24   pcx-aaaacccc

Similarly, the central VPC (VPC A) can have multiple CIDR blocks, and VPC B and VPC C can have a VPC peering connection to a subnet in each CIDR block.

[Figure: Two VPCs peered to one CIDR block]

Route Table          Destination     Target
Subnet X in VPC A    10.2.0.0/16     Local
                     10.3.0.0/16     Local
                     10.0.0.0/16     pcx-aaaabbbb
Subnet Y in VPC A    10.2.0.0/16     Local
                     10.3.0.0/16     Local
                     10.0.0.0/16     pcx-aaaacccc
VPC B                10.0.0.0/16     Local
                     10.2.0.0/24     pcx-aaaabbbb
VPC C                10.0.0.0/16     Local
                     10.3.0.0/24     pcx-aaaacccc

For more information, see Adding IPv4 CIDR Blocks to a VPC in the Amazon VPC User Guide.

Two VPCs Peered to Two Subnets in One VPC for IPv6

You have the same VPC peering configuration as above. VPC A and VPC B are enabled for IPv6—both VPCs have associated IPv6 CIDR blocks, and subnet X in VPC A has an associated IPv6 CIDR block.

[Figure: Two VPCs peered to two subnets (IPv6)]

You can enable VPC B to communicate with subnet X in VPC A over IPv6 using the VPC peering connection. To do this, add a route to the route table for VPC A with a destination of the IPv6 CIDR block for VPC B, and a route to the route table for VPC B with a destination of the IPv6 CIDR of subnet X in VPC A.

Route Table          Destination               Target         Notes
Subnet X in VPC A    172.16.0.0/16             Local
                     2001:db8:abcd:aa00::/56   Local          Local route that's automatically added for IPv6 communication within the VPC.
                     10.0.0.0/16               pcx-aaaabbbb
                     2001:db8:1234:bb00::/56   pcx-aaaabbbb   Route to the IPv6 CIDR block of VPC B.
Subnet Y in VPC A    172.16.0.0/16             Local
                     2001:db8:abcd:aa00::/56   Local          Local route that's automatically added for IPv6 communication within the VPC.
                     10.0.0.0/16               pcx-aaaacccc
VPC B                10.0.0.0/16               Local
                     2001:db8:1234:bb00::/56   Local          Local route that's automatically added for IPv6 communication within the VPC.
                     172.16.0.0/24             pcx-aaaabbbb
                     2001:db8:abcd:aa00::/64   pcx-aaaabbbb   Route to the IPv6 CIDR block of VPC A.
VPC C                10.0.0.0/16               Local
                     172.16.1.0/24             pcx-aaaacccc

Two VPCs Peered to a Specific CIDR Block in One VPC

You have a central VPC (VPC A), and you have a VPC peering connection between VPC A and VPC B (pcx-aaaabbbb), and between VPC A and VPC C (pcx-aaaacccc). VPC A has two CIDR blocks, one for each VPC peering connection.


For more information, see Adding IPv4 CIDR Blocks to a VPC in the Amazon VPC User Guide.

One VPC Peered to Specific Subnets in Two VPCs

You have a central VPC (VPC A) with one subnet, and you have a VPC peering connection between VPC A and VPC B (pcx-aaaabbbb), and between VPC A and VPC C (pcx-aaaacccc). VPC B and VPC C each have two subnets, and only one in each is used for the peering connection with VPC A.

[Figure: One VPC peered with two subnets]

You may want to use this kind of configuration when you have a central VPC that has a single set of resources, such as Active Directory services, that other VPCs need to access. The central VPC does not require full access to the VPCs that it's peered with.

The route table for VPC A points to both VPC peering connections to access only specific subnets in VPC B and VPC C. The route tables for the subnets in VPC B and VPC C point to their VPC peering connections to access the VPC A subnet.

Route Table          Destination     Target
VPC A                172.16.0.0/16   Local
                     10.0.0.0/24     pcx-aaaabbbb
                     10.0.1.0/24     pcx-aaaacccc
Subnet A in VPC B    10.0.0.0/16     Local
                     172.16.0.0/24   pcx-aaaabbbb
Subnet B in VPC C    10.0.0.0/16     Local
                     172.16.0.0/24   pcx-aaaacccc

Routing for Response Traffic

If you have a VPC peered with multiple VPCs that have overlapping or matching CIDR blocks, ensure that your route tables are configured to avoid sending response traffic from your VPC to the incorrect VPC. AWS currently does not support unicast reverse path forwarding in VPC peering connections, which would check the source IP of packets and route reply packets back to the source; the route table alone decides where a reply goes.

For example, VPC A is peered with VPC B and VPC C. VPC B and VPC C have matching CIDR blocks, and their subnets have matching CIDR blocks. The route table for subnet B in VPC B points to the VPC peering connection pcx-aaaabbbb to access the VPC A subnet. The VPC A route table is configured to send 10.0.0.0/16 traffic to peering connection pcx-aaaacccc.

Route Table          Destination     Target
Subnet B in VPC B    10.0.0.0/16     Local
                     172.16.0.0/24   pcx-aaaabbbb
VPC A                172.16.0.0/24   Local
                     10.0.0.0/16     pcx-aaaacccc

[Figure: Incorrect response routing in peering]

An instance in subnet B in VPC B with a private IP address of 10.0.1.66/32 sends traffic to the Active Directory server in VPC A using VPC peering connection pcx-aaaabbbb. VPC A sends the response traffic to 10.0.1.66/32. However, the VPC A route table is configured to send all traffic within the 10.0.0.0/16 range of IP addresses to VPC peering connection pcx-aaaacccc. If subnet B in VPC C has an instance with an IP address of 10.0.1.66/32, it receives the response traffic from VPC A. The instance in subnet B in VPC B does not receive a response to its request to VPC A.

To prevent this, you can add a specific route to VPC A's route table with a destination of 10.0.1.0/24 and a target of pcx-aaaabbbb. The route for 10.0.1.0/24 traffic is more specific, therefore traffic destined for the 10.0.1.0/24 IP address range goes via VPC peering connection pcx-aaaabbbb.

Alternatively, in the following example, VPC A's route table has a route for each subnet for each VPC peering connection. VPC A can communicate with subnet B in VPC B and with subnet A in VPC C. This scenario is useful if you need to add another VPC peering connection with another subnet that falls within the 10.0.0.0/16 IP address range: you can simply add another route for that specific subnet.

Destination     Target
172.16.0.0/16   Local
10.0.1.0/24     pcx-aaaabbbb
10.0.0.0/24     pcx-aaaacccc

Alternatively, depending on your use case, you can create a route to a specific IP address in VPC B to ensure that traffic is routed back to the correct server (the route table uses longest prefix match to prioritize the routes):

Destination     Target
172.16.0.0/16   Local
10.0.1.66/32    pcx-aaaabbbb
10.0.0.0/16     pcx-aaaacccc

Instances in One VPC Peered to Instances in Two VPCs

You have a central VPC (VPC A) with one subnet, and you have a VPC peering connection between VPC A and VPC B (pcx-aaaabbbb), and between VPC A and VPC C (pcx-aaaacccc). VPC A has one subnet that has multiple instances, one for each of the VPCs that it's peered with. You may want to use this kind of configuration to limit peering traffic to specific instances.

[Figure: Instances in a VPC peered to instances in two VPCs]

Each VPC route table points to the relevant VPC peering connection to access a single IP address (and therefore a specific instance) in the peer VPC.

Route Table   Destination      Target
VPC A         172.16.0.0/16    Local
              10.0.0.44/32     pcx-aaaabbbb
              10.0.0.55/32     pcx-aaaacccc
VPC B         10.0.0.0/16      Local
              172.16.0.88/32   pcx-aaaabbbb
VPC C         10.0.0.0/16      Local
              172.16.0.99/32   pcx-aaaacccc

One VPC Peered with Two VPCs Using Longest Prefix Match

You have a central VPC (VPC A) with one subnet, and you have a VPC peering connection between VPC A and VPC B (pcx-aaaabbbb), and between VPC A and VPC C (pcx-aaaacccc). VPC B and VPC C have matching CIDR blocks. You want to use VPC peering connection pcx-aaaabbbb to route traffic between VPC A and a specific instance in VPC B. All other traffic destined for the 10.0.0.0/16 IP address range is routed through pcx-aaaacccc between VPC A and VPC C.

[Figure: Peering using longest prefix match]

VPC route tables use longest prefix match to select the most specific route across the intended VPC peering connection. All other traffic is routed through the next matching route, in this case, across the VPC peering connection pcx-aaaacccc.

Route Table   Destination     Target
VPC A         172.16.0.0/16   Local
              10.0.0.77/32    pcx-aaaabbbb
              10.0.0.0/16     pcx-aaaacccc
VPC B         10.0.0.0/16     Local
              172.16.0.0/16   pcx-aaaabbbb
VPC C         10.0.0.0/16     Local
              172.16.0.0/16   pcx-aaaacccc

Important

If an instance other than 10.0.0.77/32 in VPC B sends traffic to VPC A, the response traffic may be routed to VPC C instead of VPC B. For more information, see Routing for Response Traffic.
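The longest-prefix-match lookup used in this section and in Routing for Response Traffic, plus an audit that flags the misrouted-reply condition both sections warn about, as an added Python example (not AWS code or part of this guide). The route entries and source subnets are taken from the tables above; the function names and the "source ranges per peering connection" input are this example's own construction, and Local traffic is treated like any other target.

```python
import ipaddress


def lookup(route_table, dst_ip):
    """Target for one destination address: the matching route with the longest prefix."""
    addr = ipaddress.ip_address(dst_ip)
    nets = [(ipaddress.ip_network(c), t) for c, t in route_table]   # (CIDR, target) pairs
    matches = [(n, t) for n, t in nets if n.version == addr.version and addr in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def reply_targets(route_table, src_cidr):
    """Split src_cidr into the parts each route claims, applying the most specific route first."""
    remaining = [ipaddress.ip_network(src_cidr)]
    routes = sorted(((ipaddress.ip_network(c), t) for c, t in route_table),
                    key=lambda r: r[0].prefixlen, reverse=True)
    claimed = {}
    for net, target in routes:
        still = []
        for piece in remaining:
            if piece.version != net.version or not piece.overlaps(net):
                still.append(piece)
            elif piece.subnet_of(net):       # route covers the whole piece
                claimed.setdefault(target, []).append(str(piece))
            else:                             # route is a more specific hole inside the piece
                claimed.setdefault(target, []).append(str(net))
                still.extend(piece.address_exclude(net))
        remaining = still
    return claimed


def misrouted_replies(route_table, peer_sources):
    """Audit: parts of each connection's source ranges whose replies would leave via another target."""
    problems = []
    for pcx, sources in peer_sources.items():
        for src in sources:
            for target, parts in reply_targets(route_table, src).items():
                problems += [(pcx, part, target) for part in parts if target != pcx]
    return problems


# VPC A's table from Routing for Response Traffic (before/after the /24 fix) and from the
# longest-prefix-match section; the source subnets per connection come from the same examples.
VPC_A_BEFORE = [("172.16.0.0/16", "Local"), ("10.0.0.0/16", "pcx-aaaacccc")]
VPC_A_AFTER = VPC_A_BEFORE + [("10.0.1.0/24", "pcx-aaaabbbb")]
VPC_A_LPM = [("172.16.0.0/16", "Local"), ("10.0.0.77/32", "pcx-aaaabbbb"), ("10.0.0.0/16", "pcx-aaaacccc")]
PEER_SOURCES = {"pcx-aaaabbbb": ["10.0.1.0/24"], "pcx-aaaacccc": ["10.0.0.0/24"]}

if __name__ == "__main__":
    print(lookup(VPC_A_BEFORE, "10.0.1.66"), lookup(VPC_A_AFTER, "10.0.1.66"))  # pcx-aaaacccc pcx-aaaabbbb
    print(misrouted_replies(VPC_A_BEFORE, PEER_SOURCES))  # [('pcx-aaaabbbb', '10.0.1.0/24', 'pcx-aaaacccc')]
    print(misrouted_replies(VPC_A_AFTER, PEER_SOURCES))   # []
    # All of VPC B except 10.0.0.77 has its replies sent to VPC C, as the Important note warns.
    print(len(misrouted_replies(VPC_A_LPM, {"pcx-aaaabbbb": ["10.0.0.0/16"]})))  # 16
```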

Multiple VPC Configurations

In this example, a central VPC (VPC A) is peered with multiple VPCs in a spoke configuration. For more information about this type of configuration, see One VPC Peered with Multiple VPCs. You also have three VPCs (VPCs M, N, and P) peered together in a full mesh configuration. For more information about this type of configuration, see Three VPCs Peered Together.

VPC C also has a VPC peering connection with VPC M (pcx-ccccmmmm). VPC A and VPC M have overlapping CIDR blocks. This means that peering traffic between VPC A and VPC C is limited to a specific subnet (subnet A) in VPC C. This is to ensure that if VPC C receives a request from VPC A or VPC M, it sends the response traffic to the correct VPC. AWS currently does not support unicast reverse path forwarding in VPC peering connections, which would check the source IP of packets and route reply packets back to the source. For more information, see Routing for Response Traffic.

Similarly, VPC C and VPC P have overlapping CIDR blocks. Peering traffic between VPC M and VPC C is limited to subnet B in VPC C, and peering traffic between VPC M and VPC P is limited to subnet A in VPC P. This is to ensure that if VPC M receives peering traffic from VPC C or VPC P, it sends the response traffic back to the correct VPC.

[Figure: Multiple peering configurations]

The route tables for VPCs B, D, E, F, and G point to the relevant peering connections to access the full CIDR block for VPC A, and the VPC A route table points to the relevant peering connections for VPCs B, D, E, F, and G to access their full CIDR blocks. For peering connection pcx-aaaacccc, the VPC A route table routes traffic only to subnet A in VPC C (192.168.0.0/24) and the subnet A route table in VPC C points to the full CIDR block of VPC A.

The VPC N route table points to the relevant peering connections to access the full CIDR blocks of VPC M and VPC P, and the VPC P route table points to the relevant peering connection to access the full CIDR block of VPC N. The subnet A route table in VPC P points to the relevant peering connection to access the full CIDR block of VPC M. The VPC M route table points to the relevant peering connection to access subnet B in VPC C, and subnet A in VPC P.

Route Table          Destination      Target
VPC A                172.16.0.0/16    Local
                     10.0.0.0/16      pcx-aaaabbbb
                     192.168.0.0/24   pcx-aaaacccc
                     10.2.0.0/16      pcx-aaaadddd
                     10.3.0.0/16      pcx-aaaaeeee
                     172.17.0.0/16    pcx-aaaaffff
                     10.4.0.0/16      pcx-aaaagggg
VPC B                10.0.0.0/16      Local
                     172.16.0.0/16    pcx-aaaabbbb
Subnet A in VPC C    192.168.0.0/16   Local
                     172.16.0.0/16    pcx-aaaacccc
Subnet B in VPC C    192.168.0.0/16   Local
                     172.16.0.0/16    pcx-ccccmmmm
VPC D                10.2.0.0/16      Local
                     172.16.0.0/16    pcx-aaaadddd
VPC E                10.3.0.0/16      Local
                     172.16.0.0/16    pcx-aaaaeeee
VPC F                172.17.0.0/16    Local
                     172.16.0.0/16    pcx-aaaaffff
VPC G                10.4.0.0/16      Local
                     172.16.0.0/16    pcx-aaaagggg
VPC M                172.16.0.0/16    Local
                     192.168.1.0/24   pcx-ccccmmmm
                     10.0.0.0/16      pcx-mmmmnnnn
                     192.168.0.0/24   pcx-mmmmpppp
VPC N                10.0.0.0/16      Local
                     172.16.0.0/16    pcx-mmmmnnnn
                     192.168.0.0/16   pcx-nnnnpppp
VPC P                192.168.0.0/16   Local
                     10.0.0.0/16      pcx-nnnnpppp
                     172.16.0.0/16    pcx-mmmmpppp