VPC Peering Overview
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region.
AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection, and does not rely on a separate piece of physical hardware. There is no single point of failure for communication or a bandwidth bottleneck.
A VPC peering connection can help you to facilitate the transfer of data; for example, if you have more than one AWS account, you can peer the VPCs across those accounts to create a file sharing network. You can also use a VPC peering connection to allow other VPCs to access resources you have in one of your VPCs.
VPC Peering Basics
To establish a VPC peering connection, the owner of the requester VPC (or local VPC) sends a request to the owner of the peer VPC to create the VPC peering connection. The peer VPC can be owned by you, or another AWS account, and cannot have a CIDR block that overlaps with the requester VPC's CIDR block. The owner of the peer VPC has to accept the VPC peering connection request to activate the VPC peering connection. To enable the flow of traffic between the peer VPCs using private IP addresses, add a route to one or more of your VPC's route tables that points to the IP address range of the peer VPC. The owner of the peer VPC adds a route to one of their VPC's route tables that points to the IP address range of your VPC.
You may also need to update the security group rules that are associated with your instance to ensure that traffic to and from the peer VPC is not restricted. You can reference a security group from the peer VPC as a source or destination for ingress or egress rules in your security group rules. If the VPC peering connection is deleted, or if the owner of the peer VPC deletes the referenced security group, the security group rule becomes stale.
By default, if an instance in a peer VPC addresses an instance in the local VPC using a public DNS hostname, the hostname resolves to the instance's public IP address. If you want the public DNS hostname to resolve to the private IP address, you can modify your VPC peering connection to enable DNS hostname resolution. For more information, see Enabling DNS Resolution Support for a VPC Peering Connection.
A VPC peering connection is a one to one relationship between two VPCs. You can create multiple VPC peering connections for each VPC that you own, but transitive peering relationships are not supported: you do not have any peering relationship with VPCs that your VPC is not directly peered with.
The following diagram is an example of one VPC peered to two different VPCs. There are two VPC peering connections: VPC A is peered with both VPC B and VPC C. VPC B and VPC C are not peered, and you cannot use VPC A as a transit point for peering between VPC B and VPC C. If you want to enable routing of traffic between VPC B and VPC C, you must create a unique VPC peering connection between them.
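The routing and security group requirements above, together with the non-transitive rule, can be checked offline from the API data you already collect. The following is an added example and not AWS code or output: it audits a set of peering connections for a missing return route, for a route that tries to use a peer VPC as a transit point (traffic to such a destination is never delivered), and for security group rules that reference a peer group over a peering connection that is no longer active (the stale rules described above). The records are constructed to resemble the shape of DescribeVpcPeeringConnections, DescribeRouteTables and DescribeSecurityGroups results; the VPC, pcx and sg identifiers and the CIDR blocks are placeholders, and the flat route and rule shapes are an assumption of this example.

```python
"""Audit of VPC peering routes and security group references.

Added example (not AWS code or output). The records below are constructed to
resemble the shape of DescribeVpcPeeringConnections / DescribeRouteTables /
DescribeSecurityGroups results; the IDs and CIDRs are placeholders.
"""
import ipaddress

# Constructed peering records: vpc-a is peered with vpc-b and vpc-c; the
# connection to vpc-d was deleted by one side.
PEERINGS = [
    {"VpcPeeringConnectionId": "pcx-aaaa1111", "Status": "active",
     "RequesterVpc": {"VpcId": "vpc-a", "CidrBlock": "10.0.0.0/16"},
     "AccepterVpc": {"VpcId": "vpc-b", "CidrBlock": "10.1.0.0/16"}},
    {"VpcPeeringConnectionId": "pcx-aaaa2222", "Status": "active",
     "RequesterVpc": {"VpcId": "vpc-a", "CidrBlock": "10.0.0.0/16"},
     "AccepterVpc": {"VpcId": "vpc-c", "CidrBlock": "10.2.0.0/16"}},
    {"VpcPeeringConnectionId": "pcx-dddd3333", "Status": "deleted",
     "RequesterVpc": {"VpcId": "vpc-a", "CidrBlock": "10.0.0.0/16"},
     "AccepterVpc": {"VpcId": "vpc-d", "CidrBlock": "10.3.0.0/16"}},
]

# Constructed route tables, one per VPC: (destination CIDR, target).
ROUTE_TABLES = {
    "vpc-a": [("10.0.0.0/16", "local"),
              ("10.1.0.0/16", "pcx-aaaa1111"),
              ("10.2.0.0/16", "pcx-aaaa2222")],
    "vpc-b": [("10.1.0.0/16", "local"),
              ("10.0.0.0/16", "pcx-aaaa1111"),
              ("10.2.0.0/16", "pcx-aaaa1111")],  # tries to reach vpc-c through vpc-a
    "vpc-c": [("10.2.0.0/16", "local")],            # no return route to vpc-a
}

# Constructed security group rules that reference a group in the peer VPC:
# (group id, owning VPC, referenced peer group, peering connection the reference uses).
SG_RULES = [
    ("sg-web-a", "vpc-a", "sg-app-b", "pcx-aaaa1111"),
    ("sg-web-a", "vpc-a", "sg-old-d", "pcx-dddd3333"),
]


def peer_sides(pcx):
    """Map each VPC on the connection to (peer VPC id, peer CIDR)."""
    req, acc = pcx["RequesterVpc"], pcx["AccepterVpc"]
    return {
        req["VpcId"]: (acc["VpcId"], acc["CidrBlock"]),
        acc["VpcId"]: (req["VpcId"], req["CidrBlock"]),
    }


def audit(peerings, route_tables, sg_rules):
    """Return findings as (kind, subject, detail) tuples."""
    findings = []
    active = {p["VpcPeeringConnectionId"]: p
              for p in peerings if p["Status"] == "active"}

    for pcx_id, pcx in active.items():
        for vpc_id, (peer_id, peer_cidr) in peer_sides(pcx).items():
            peer_net = ipaddress.ip_network(peer_cidr)
            routes = route_tables.get(vpc_id, [])
            via_pcx = [(dest, ipaddress.ip_network(dest))
                       for dest, target in routes if target == pcx_id]

            def reaches_peer(net):
                return net.version == peer_net.version and net.subnet_of(peer_net)

            # Check 1: traffic to the peer CIDR needs a route pointing at this pcx.
            if not any(reaches_peer(net) for _, net in via_pcx):
                findings.append(("missing_route", vpc_id,
                                 f"no route to {peer_cidr} ({peer_id}) via {pcx_id}"))
            # Check 2: a route through this pcx to anything outside the peer's own
            # CIDR is never delivered, because peering is not transitive.
            for dest, net in via_pcx:
                if not reaches_peer(net):
                    findings.append(("transit_route", vpc_id,
                                     f"route {dest} via {pcx_id} does not reach "
                                     f"{peer_id} ({peer_cidr})"))

    # Check 3: a rule referencing a peer security group is stale once the
    # peering connection it relied on is no longer active.
    for group_id, vpc_id, ref_group, pcx_id in sg_rules:
        if pcx_id not in active:
            findings.append(("stale_sg_rule", group_id,
                             f"reference to {ref_group} via {pcx_id} ({vpc_id}) is stale"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in audit(PEERINGS, ROUTE_TABLES, SG_RULES):
        print(f"{kind:14} {subject:12} {detail}")
```

Run against the constructed data it reports the route in VPC B that points at VPC C's range through the connection to VPC A, the absent return route in VPC C, and the stale rule in sg-web-a. Real data needs the same three checks but read from the API responses; the transit check in particular is the one the console will not make for you, since the route is accepted and simply never delivers traffic.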
For more information about creating and working with VPC peering connections in the Amazon VPC console, see Working with VPC Peering Connections.
The charges for transferring data within a VPC peering connection are the same as the charges for transferring data across Availability Zones. For more information, see Amazon EC2 Pricing.
VPC Peering Connection Lifecycle
A VPC peering connection goes through various stages starting from when the request is initiated. At each stage, there may be actions that you can take, and at the end of its lifecycle, the VPC peering connection remains visible in the Amazon VPC console and API or command line output for a period of time.
Initiating-request: A request for a VPC peering connection has been initiated. At this stage, the peering connection may fail or may go to pending-acceptance.
Failed: The request for the VPC peering connection has failed. During this state, it cannot be accepted or rejected. The failed VPC peering connection remains visible to the requester for 2 hours.
Pending-acceptance: The VPC peering connection request is awaiting acceptance from the owner of the peer VPC. During this state, the owner of the requester VPC can delete the request, and the owner of the peer VPC can accept or reject the request. If no action is taken on the request, it expires after 7 days.
Expired: The VPC peering connection request has expired, and no action can be taken on it by either VPC owner. The expired VPC peering connection remains visible to both VPC owners for 2 days.
Rejected: The owner of the peer VPC has rejected a pending-acceptance VPC peering connection request. During this state, the request cannot be accepted. The rejected VPC peering connection remains visible to the owner of the requester VPC for 2 days, and visible to the owner of the peer VPC for 2 hours. If the request was created within the same AWS account, the rejected request remains visible for 2 hours.
Provisioning: The VPC peering connection request has been accepted, and will soon be in the active state.
Active: The VPC peering connection is active. During this state, either of the VPC owners can delete the VPC peering connection, but cannot reject it.
Deleted: An active VPC peering connection has been deleted by either of the VPC owners, or a pending-acceptance VPC peering connection request has been deleted by the owner of the requester VPC. During this state, the VPC peering connection cannot be accepted or rejected. The VPC peering connection remains visible to the party that deleted it for 2 hours, and visible to the other party for 2 days. If the VPC peering connection was created within the same AWS account, the deleted request remains visible for 2 hours.
VPC Peering Limitations
To create a VPC peering connection with another VPC, you need to be aware of the following limitations and rules:
You cannot create a VPC peering connection between VPCs that have matching or overlapping IPv4 or IPv6 CIDR blocks. Amazon always assigns your VPC a unique IPv6 CIDR block. If your IPv6 CIDR blocks are unique but your IPv4 blocks are not, you cannot create the peering connection.
You cannot create a VPC peering connection between VPCs in different regions.
You have a limit on the number of active and pending VPC peering connections that you can have per VPC. For more information, see Amazon VPC Limits in the Amazon VPC User Guide.
VPC peering does not support transitive peering relationships; in a VPC peering connection, your VPC does not have access to any other VPCs that the peer VPC may be peered with. This includes VPC peering connections that are established entirely within your own AWS account. For more information about unsupported peering relationships, see Invalid VPC Peering Connection Configurations. For examples of supported peering relationships, see VPC Peering Scenarios.
You cannot have more than one VPC peering connection between the same two VPCs at the same time.
A placement group can span peered VPCs; however, you do not get full-bisection bandwidth between instances in peered VPCs. For more information about placement groups, see Placement Groups in the Amazon EC2 User Guide for Linux Instances.
Unicast reverse path forwarding in VPC peering connections is not supported. For more information, see Routing for Response Traffic.
You can enable resources on either side of a VPC peering connection to communicate with each other over IPv6; however, IPv6 communication is not automatic. You must associate an IPv6 CIDR block with each VPC, enable the instances in the VPCs for IPv6 communication, and add routes to your route tables that route IPv6 traffic intended for the peer VPC to the VPC peering connection. For more information, see Your VPC and Subnets in the Amazon VPC User Guide.
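The region and CIDR rules in the list above are the ones that reject a request outright, so they are worth checking before sending it. The following is an added example, not AWS code: a pre-flight check that refuses a pair of VPCs in different regions or with matching or overlapping CIDR blocks, and that treats an IPv4 overlap as blocking even when the IPv6 blocks are unique. It goes slightly beyond the text in accepting a list of CIDR blocks per VPC rather than a single block. The VPC dictionaries (id, region, cidrs) are an assumed shape for this example, and the sample regions and address blocks are constructed.

```python
"""Pre-flight check for a VPC peering request.

Added example, not AWS code. It applies the limitations above: the two VPCs
must be in the same region and must not have matching or overlapping CIDR
blocks, and an IPv4 overlap blocks the connection even when the IPv6 blocks
are unique. VPCs are modelled as dicts with an id, a region and a list of CIDR
blocks (assumed shape); the sample regions and blocks are constructed.
"""
import ipaddress


def overlapping_blocks(cidrs_a, cidrs_b):
    """Return every (a, b) pair of same-version blocks that overlap.

    An identical block counts as an overlap, matching the rule that VPCs with
    matching CIDR blocks cannot be peered.
    """
    clashes = []
    for a in cidrs_a:
        net_a = ipaddress.ip_network(a)
        for b in cidrs_b:
            net_b = ipaddress.ip_network(b)
            # Blocks of different IP versions cannot overlap and must not be compared.
            if net_a.version == net_b.version and net_a.overlaps(net_b):
                clashes.append((a, b))
    return clashes


def peering_preflight(vpc_a, vpc_b):
    """Return the reasons a peering request between the two VPCs would be refused.

    An empty list means no rule checked here blocks the request.
    """
    problems = []
    if vpc_a["region"] != vpc_b["region"]:
        problems.append(
            f"VPCs are in different regions: {vpc_a['region']} vs {vpc_b['region']}")
    for a, b in overlapping_blocks(vpc_a["cidrs"], vpc_b["cidrs"]):
        problems.append(f"CIDR overlap: {a} ({vpc_a['id']}) and {b} ({vpc_b['id']})")
    return problems


# Constructed sample VPCs. vpc-a and vpc-b have unique IPv6 blocks but their
# IPv4 blocks overlap (10.0.128.0/17 lies inside 10.0.0.0/16), so they cannot peer.
VPC_A = {"id": "vpc-a", "region": "us-east-1",
         "cidrs": ["10.0.0.0/16", "2001:db8:1::/56"]}
VPC_B = {"id": "vpc-b", "region": "us-east-1",
         "cidrs": ["10.0.128.0/17", "2001:db8:2::/56"]}
VPC_C = {"id": "vpc-c", "region": "us-east-1",
         "cidrs": ["10.1.0.0/16", "2001:db8:3::/56"]}

if __name__ == "__main__":
    for left, right in ((VPC_A, VPC_B), (VPC_A, VPC_C)):
        problems = peering_preflight(left, right)
        print(left["id"], "<->", right["id"], "OK" if not problems else problems)
```

The IP-version guard matters: Python's `overlaps` raises on a mixed IPv4/IPv6 comparison, and the check must still report the IPv4 clash for a pair whose IPv6 blocks are, as the text notes, always unique.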