Amazon Virtual Private Cloud
VPC Peering Guide

Working with VPC Peering Connections

You can use the Amazon VPC console to create and work with VPC peering connections.

Creating a VPC Peering Connection

To create a VPC peering connection, first create a request to peer with another VPC. You can request a VPC peering connection with another VPC in your account, or with a VPC in a different AWS account. To activate the request, the owner of the peer VPC must accept the request.

Creating a VPC Peering Connection with Another VPC in Your Account

To request a VPC peering connection with a VPC in your account, ensure that you have the IDs of the VPCs with which you are creating the VPC peering connection. You must both create and accept the VPC peering connection request yourself to activate it.

To create a VPC peering connection in your account

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Peering Connections, Create VPC Peering Connection.

  3. In the dialog, configure the following information, and choose Create VPC Peering Connection when you are done:

    • Name tag: You can optionally name your VPC peering connection. Doing so creates a tag with a key of Name and a value that you specify.

    • Local VPC to peer: Select the VPC in your account with which you want to create the VPC peering connection.

    • Select a VPC to peer with: Ensure My account is selected, and select another of your VPCs from VPC. Only VPCs in the current region are displayed.

      Important

      Ensure that your VPCs do not have overlapping IPv4 CIDR blocks. If they do, the status of the VPC peering connection immediately goes to failed. This limitation applies even if the VPCs have unique IPv6 CIDR blocks.

  4. In the confirmation dialog box, choose OK.

  5. Select the VPC peering connection that you've created, and choose Actions, Accept Request.

  6. In the confirmation dialog, choose Yes, Accept. A second confirmation dialog displays; choose Modify my route tables now to go directly to the route tables page, or choose Close to do this later.

Now that your VPC peering connection is active, you must add an entry to your VPC route tables to enable traffic to be directed between the peered VPCs. For more information, see Updating Route Tables for Your VPC Peering Connection.

Creating a VPC Peering Connection with a VPC in Another AWS Account

You can request a VPC peering connection with a VPC that's in another AWS account. Before you begin, ensure that you have the AWS account number and VPC ID of the VPC to peer with. After you've created the request, the owner of the peer VPC must accept the VPC peering connection to activate it.

To create a VPC peering connection with a remote VPC

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Peering Connections, Create VPC Peering Connection.

  3. In the dialog, configure the information as follows, and choose Create VPC Peering Connection when you are done:

    • Name: You can optionally name your VPC peering connection. Doing so creates a tag with a key of Name and a value that you specify. This tag is only visible to you; the owner of the peer VPC can create their own tags for the VPC peering connection.

    • Local VPC to peer: Select the VPC in your account with which to create the VPC peering connection.

    • Select a VPC to peer with: Choose Another account, and enter the AWS account ID and the ID of the VPC with which to create the VPC peering connection.

      Important

      If your VPC and the peer VPC have overlapping IPv4 CIDR blocks, or if the account ID and VPC ID are incorrect or do not correspond with each other, the status of the VPC peering connection immediately goes to failed.

  4. In the confirmation dialog box, choose OK.

The VPC peering connection that you've created is not active. To activate it, the owner of the peer VPC must accept the VPC peering connection request. To enable traffic to be directed to the peer VPC, update your VPC route table. For more information, see Updating Route Tables for Your VPC Peering Connection.
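Both of the Important notes above say the same thing: a request fails immediately if the two VPCs have overlapping IPv4 CIDR blocks, and unique IPv6 blocks do not help. The following is an added pre-flight check, not code from the guide or from AWS. It works over VPC records constructed inline in the shape of a describe-vpcs response (CidrBlockAssociationSet is the real field name; the VPC IDs and address ranges are made up), so it runs offline:

```python
"""Pre-flight check for a VPC peering request (added example, not AWS code).

AWS fails a peering request immediately when the two VPCs have overlapping
IPv4 CIDR blocks, even if their IPv6 blocks are unique.  This checks the
IPv4 associations before the request is sent.  SAMPLE_VPCS is constructed
in the shape of a describe-vpcs response; IDs and ranges are made up."""
import ipaddress

SAMPLE_VPCS = {
    "vpc-aaaaaaaa": {
        "CidrBlockAssociationSet": [
            {"CidrBlock": "10.0.0.0/16", "CidrBlockState": {"State": "associated"}},
            {"CidrBlock": "10.5.0.0/24", "CidrBlockState": {"State": "associated"}},
        ],
        "Ipv6CidrBlockAssociationSet": [{"Ipv6CidrBlock": "2001:db8:1234:1a00::/56"}],
    },
    "vpc-bbbbbbbb": {
        "CidrBlockAssociationSet": [
            {"CidrBlock": "172.31.0.0/16", "CidrBlockState": {"State": "associated"}},
        ],
        "Ipv6CidrBlockAssociationSet": [{"Ipv6CidrBlock": "2001:db8:abcd:1a00::/56"}],
    },
    "vpc-cccccccc": {
        "CidrBlockAssociationSet": [
            {"CidrBlock": "192.168.0.0/16", "CidrBlockState": {"State": "associated"}},
            # Secondary block overlaps the primary block of vpc-aaaaaaaa.
            {"CidrBlock": "10.0.128.0/17", "CidrBlockState": {"State": "associated"}},
        ],
        "Ipv6CidrBlockAssociationSet": [{"Ipv6CidrBlock": "2001:db8:ffff:1a00::/56"}],
    },
}


def ipv4_blocks(vpc):
    """Associated IPv4 networks of a VPC (blocks being disassociated are skipped)."""
    return [
        ipaddress.ip_network(assoc["CidrBlock"])
        for assoc in vpc.get("CidrBlockAssociationSet", [])
        if assoc.get("CidrBlockState", {}).get("State") == "associated"
    ]


def find_ipv4_overlaps(local, peer):
    """Every (local_block, peer_block) pair whose IPv4 ranges overlap."""
    return [
        (str(lb), str(pb))
        for lb in ipv4_blocks(local)
        for pb in ipv4_blocks(peer)
        if lb.overlaps(pb)
    ]


def can_peer(vpcs, local_id, peer_id):
    """True when no IPv4 block of either VPC overlaps the other's.

    IPv6 blocks are deliberately not consulted: unique IPv6 ranges do not
    rescue a request whose IPv4 ranges collide."""
    return not find_ipv4_overlaps(vpcs[local_id], vpcs[peer_id])


if __name__ == "__main__":
    for peer in ("vpc-bbbbbbbb", "vpc-cccccccc"):
        overlaps = find_ipv4_overlaps(SAMPLE_VPCS["vpc-aaaaaaaa"], SAMPLE_VPCS[peer])
        print(peer, "ok to request" if not overlaps else f"would fail: {overlaps}")
```

Running the check before sending the request avoids a connection that sits in the failed state, and it catches the less obvious case where a secondary CIDR block added later is what collides.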

Accepting a VPC Peering Connection

A VPC peering connection that's in the pending-acceptance state must be accepted by the owner of the peer VPC to be activated. You cannot accept a VPC peering connection request that you've sent to another AWS account. If you are creating a VPC peering connection in the same AWS account, you must both create and accept the request yourself.

Important

Do not accept VPC peering connections from AWS accounts that you do not know. A malicious user may have sent you a VPC peering connection request to gain unauthorized network access to your VPC. This is known as peer phishing. You can safely reject unwanted VPC peering connection requests without any risk of the requester gaining access to any information about your AWS account or your VPC. For more information, see Rejecting a VPC Peering Connection. You can also ignore the request and let it expire; by default, requests expire after 7 days.
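One way to make the rule above mechanical is to accept pending requests only from an explicit allowlist of account IDs and reject everything else. The following is an added example, not code from the guide or from AWS. Its input is constructed inline in the shape of a describe-vpc-peering-connections response (the field names are real; every account number, VPC ID and peering connection ID is made up), and the commands it produces use the accept-vpc-peering-connection and reject-vpc-peering-connection CLI operations listed later on this page:

```python
"""Triage pending VPC peering requests against an allowlist of trusted
AWS accounts.  Added example, not AWS code.  SAMPLE_RESPONSE is constructed
in the shape of describe-vpc-peering-connections output; all IDs and account
numbers are made up."""

MY_ACCOUNT = "111111111111"                          # constructed
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}  # constructed allowlist

SAMPLE_RESPONSE = {
    "VpcPeeringConnections": [
        {   # request from a trusted partner account: accept
            "VpcPeeringConnectionId": "pcx-00000001",
            "Status": {"Code": "pending-acceptance"},
            "RequesterVpcInfo": {"OwnerId": "222222222222", "VpcId": "vpc-bbbbbbbb"},
            "AccepterVpcInfo": {"OwnerId": MY_ACCOUNT, "VpcId": "vpc-aaaaaaaa"},
        },
        {   # unsolicited request from an unknown account (peer phishing): reject
            "VpcPeeringConnectionId": "pcx-00000002",
            "Status": {"Code": "pending-acceptance"},
            "RequesterVpcInfo": {"OwnerId": "999999999999", "VpcId": "vpc-deadbeef"},
            "AccepterVpcInfo": {"OwnerId": MY_ACCOUNT, "VpcId": "vpc-aaaaaaaa"},
        },
        {   # a request we sent ourselves: only the peer owner can accept it
            "VpcPeeringConnectionId": "pcx-00000003",
            "Status": {"Code": "pending-acceptance"},
            "RequesterVpcInfo": {"OwnerId": MY_ACCOUNT, "VpcId": "vpc-aaaaaaaa"},
            "AccepterVpcInfo": {"OwnerId": "222222222222", "VpcId": "vpc-cccccccc"},
        },
        {   # already active: nothing to decide
            "VpcPeeringConnectionId": "pcx-00000004",
            "Status": {"Code": "active"},
            "RequesterVpcInfo": {"OwnerId": "222222222222", "VpcId": "vpc-dddddddd"},
            "AccepterVpcInfo": {"OwnerId": MY_ACCOUNT, "VpcId": "vpc-aaaaaaaa"},
        },
    ]
}


def triage(response, my_account, trusted_accounts):
    """Sort pending requests into accept / reject / skip by requester account.

    Only requests where we are the accepter can be acted on.  A request from
    an account outside the allowlist is rejected rather than left to expire,
    so it cannot be accepted by mistake later."""
    decisions = {"accept": [], "reject": [], "skip": []}
    for pcx in response["VpcPeeringConnections"]:
        pcx_id = pcx["VpcPeeringConnectionId"]
        if pcx["Status"]["Code"] != "pending-acceptance":
            decisions["skip"].append(pcx_id)
            continue
        requester = pcx["RequesterVpcInfo"]["OwnerId"]
        accepter = pcx["AccepterVpcInfo"]["OwnerId"]
        if accepter != my_account:
            decisions["skip"].append(pcx_id)        # we are the requester here
        elif requester in trusted_accounts:
            decisions["accept"].append(pcx_id)
        else:
            decisions["reject"].append(pcx_id)
    return decisions


def cli_commands(decisions):
    """Render the AWS CLI calls (as argv lists) that carry out the decisions."""
    cmds = []
    for pcx_id in decisions["accept"]:
        cmds.append(["aws", "ec2", "accept-vpc-peering-connection",
                     "--vpc-peering-connection-id", pcx_id])
    for pcx_id in decisions["reject"]:
        cmds.append(["aws", "ec2", "reject-vpc-peering-connection",
                     "--vpc-peering-connection-id", pcx_id])
    return cmds


if __name__ == "__main__":
    for cmd in cli_commands(triage(SAMPLE_RESPONSE, MY_ACCOUNT, TRUSTED_ACCOUNTS)):
        print(" ".join(cmd))
```

The commands are returned as argv lists rather than shell strings so they can be handed to a subprocess call without quoting concerns; in practice the allowlist would come from configuration rather than a literal.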

To accept a VPC peering connection

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Peering Connections.

  3. Select a pending VPC peering connection (the status is pending-acceptance), and choose Actions, Accept Request.

  4. In the confirmation dialog box, choose Yes, Accept. A second confirmation dialog displays; choose Modify my route tables now to go directly to the route tables page, or choose Close to do this later.

Now that your VPC peering connection is active, you must add an entry to your VPC route table to enable traffic to be directed to the peer VPC. For more information, see Updating Route Tables for Your VPC Peering Connection.

Rejecting a VPC Peering Connection

You can reject any VPC peering connection request that you've received that's in the pending-acceptance state. You should only accept VPC peering connections from AWS accounts that you know and trust; you can reject any unwanted requests.

To reject a VPC peering connection

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Peering Connections.

  3. Select the VPC peering connection, and choose Actions, Reject Request.

  4. In the confirmation dialog box, choose Yes, Reject.

Updating Route Tables for Your VPC Peering Connection

To send traffic from your instance to an instance in a peer VPC using private IPv4 addresses, you must add a route to the route table that's associated with the subnet in which the instance resides. The route points to the CIDR block (or portion of the CIDR block) of the other VPC in the VPC peering connection.

Similarly, if the VPCs in the VPC peering connection have associated IPv6 CIDR blocks, you can add a route to your route table to enable communication with the peer VPC over IPv6.

Note

If a subnet is not explicitly associated with a route table, it uses the main route table by default.

The owner of the other VPC in the peering connection must also add a route to their subnet's route table to direct traffic back to your VPC. For more information about supported route table configurations for VPC peering connections, see VPC Peering Configurations.

You can add a route for a VPC peering connection that's in the pending-acceptance state; however, the route will have a state of blackhole and have no effect until the VPC peering connection is in the active state.

For more information, see Route Tables in the Amazon VPC User Guide.

Warning

If your VPC is peered with multiple VPCs that have overlapping or matching IPv4 CIDR blocks, ensure that your route tables are configured so that response traffic from your VPC is not sent to the wrong VPC. AWS currently does not support unicast reverse path forwarding in VPC peering connections, which would check the source IP address of incoming packets and route reply packets back to their source; replies follow your route table only. For more information, see Routing for Response Traffic.
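The warning above is easiest to see with a concrete route table. The following added example (not code from the guide or from AWS) does a longest-prefix-match lookup over a route table constructed inline, then checks each inbound flow to see whether the reply to its source address would leave through the same peering connection it arrived on. VPC B and VPC C are assumed to share 172.16.0.0/16, and all peering connection IDs are made up:

```python
"""Longest-prefix route lookup over a VPC route table, plus a check that a
reply to a peer address would leave through the same peering connection
the request arrived on.  Added example, not AWS code.  The route table and
flows are constructed; peering connection IDs are made up."""
import ipaddress

# Constructed route table for VPC A (10.0.0.0/16).  VPC B and VPC C both use
# 172.16.0.0/16, so only one /24 of VPC B can be routed alongside all of VPC C.
ROUTES = [
    {"DestinationCidrBlock": "10.0.0.0/16", "Target": "local"},
    {"DestinationCidrBlock": "172.16.0.0/24", "Target": "pcx-aaaabbbb"},  # VPC B, one subnet
    {"DestinationCidrBlock": "172.16.0.0/16", "Target": "pcx-aaaacccc"},  # VPC C, whole block
    {"DestinationIpv6CidrBlock": "2001:db8:abcd:1a00::/56", "Target": "pcx-aaaabbbb"},
]


def destination(route):
    """The destination network of a route, IPv4 or IPv6."""
    cidr = route.get("DestinationCidrBlock") or route["DestinationIpv6CidrBlock"]
    return ipaddress.ip_network(cidr)


def lookup(routes, dst_ip):
    """Target of the most specific route containing dst_ip, or None if unrouted."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for route in routes:
        net = destination(route)   # membership across IP versions is simply False
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, route["Target"]
    return best_target


def reply_path_ok(routes, src_ip, arrived_via):
    """True if a reply to src_ip leaves through the peering it arrived on.

    Peering has no reverse-path forwarding, so the reply follows the route
    table alone; a mismatch means the reply reaches the wrong VPC."""
    return lookup(routes, src_ip) == arrived_via


def audit(routes, flows):
    """Return (source, arrived_via, reply_target) for every misrouted flow."""
    return [(src, via, lookup(routes, src)) for src, via in flows
            if not reply_path_ok(routes, src, via)]


# Constructed inbound flows: (source address, peering connection it came through).
FLOWS = [
    ("172.16.0.10", "pcx-aaaabbbb"),  # VPC B, inside the routed /24: reply returns to B
    ("172.16.5.10", "pcx-aaaacccc"),  # VPC C: reply returns to C
    ("172.16.5.10", "pcx-aaaabbbb"),  # VPC B, outside the /24: reply goes to C instead
]

if __name__ == "__main__":
    for src, via, wrong in audit(ROUTES, FLOWS):
        print(f"reply to {src} (arrived via {via}) would exit via {wrong}")
```

The third flow is the failure the warning describes: a host in VPC B outside the /24 you chose to route can reach you, but your reply is delivered into VPC C. The fix is on the routing side (route only the non-overlapping portions, or renumber), not on the peering connection.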

To add an IPv4 route for a VPC peering connection

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Route Tables.

  3. Select the route table that's associated with the subnet in which your instance resides.

    Note

    If you do not have a route table associated with that subnet, select the main route table for the VPC, as the subnet then uses this route table by default.

  4. Choose Routes, Edit, Add Route.

  5. For Destination, enter the IPv4 address range to which the network traffic in the VPC peering connection must be directed. You can specify the entire IPv4 CIDR block of the peer VPC, a specific range, or an individual IPv4 address, such as the IP address of the instance with which to communicate. For example, if the CIDR block of the peer VPC is 10.0.0.0/16, you can specify a portion 10.0.0.0/28, or a specific IP address 10.0.0.7/32.

  6. Select the VPC peering connection from Target, and then choose Save.

    (Image: Create VPC peering connection dialog)

If both VPCs in the VPC peering connection have IPv6 CIDR blocks, and the resources in the VPC are enabled to use IPv6, you can also add a route for IPv6 communication.

To add an IPv6 route for a VPC peering connection

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Route Tables and select the route table that's associated with your subnet.

  3. On the Routes tab, choose Edit, Add another route.

  4. For Destination, enter the IPv6 address range for the peer VPC. You can specify the entire IPv6 CIDR block of the peer VPC, a specific range, or an individual IPv6 address. For example, if the CIDR block of the peer VPC is 2001:db8:1234:1a00::/56, you can specify a portion 2001:db8:1234:1a00::/64, or a specific IP address 2001:db8:1234:1a00::123/128.

  5. Select the VPC peering connection from Target and choose Save.

Updating Your Security Groups to Reference Peered VPC Security Groups

You can update the inbound or outbound rules for your VPC security groups to reference security groups in the peered VPC. Doing so allows traffic to flow to and from instances that are associated with the referenced security group in the peered VPC.

To update your security group rules

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Security Groups.

  3. Select the security group, and choose Inbound Rules. If you're modifying the outbound rules, choose Outbound Rules.

  4. Choose Edit, Add another rule.

  5. Specify the type, protocol, and port range as required. For Source (or Destination for an outbound rule), enter the ID of the security group in the peer VPC.

  6. Choose Save.

Alternatively, you can use the following AWS CLI commands: authorize-security-group-ingress, authorize-security-group-egress, revoke-security-group-ingress, and revoke-security-group-egress. For example, to update your security group sg-aaaa1111 to allow inbound access over HTTP from sg-bbbb2222 that's in a peer VPC, you can use the following command:

aws ec2 authorize-security-group-ingress --group-id sg-aaaa1111 --protocol tcp --port 80 --source-group sg-bbbb2222 

After you've updated the security group rules, you can use the describe-security-groups command to view the referenced security group in your security group rules.

To determine if your security group is being referenced in the rules of a security group in a peer VPC, you can use the describe-security-group-references AWS CLI command for one or more security groups in your account. In the following example, the response indicates that security group sg-bbbb2222 is being referenced by a security group in VPC vpc-aaaaaaaa:

aws ec2 describe-security-group-references --group-id sg-bbbb2222 

{
  "SecurityGroupsReferenceSet": [
    {
      "ReferencingVpcId": "vpc-aaaaaaaa",
      "GroupId": "sg-bbbb2222",
      "VpcPeeringConnectionId": "pcx-b04deed9"
    }
  ]
}

Note

Currently, you can identify security group references using the Amazon EC2 Query API, an AWS SDK, or the AWS CLI only.

If the VPC peering connection is deleted, or if the owner of the peer VPC deletes the referenced security group, the security group rule becomes stale.

Working with Stale Security Group Rules

A stale security group rule is a rule that references a security group in a peer VPC where the VPC peering connection has been deleted or the peer security group has been deleted. When a security group rule becomes stale, it's not automatically removed from your security group—you must manually remove it. If a security group rule is stale because the VPC peering connection was deleted, it will no longer be marked as stale if you create a new VPC peering connection with the same VPCs.

You can view and delete the stale security group rules for a VPC using the Amazon VPC console.

To view and delete stale security group rules

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Security Groups.

  3. Choose View your stale rules in the notification icon on the right (this icon only displays if you have stale security group rules).

  4. To delete a stale rule, choose Edit, and then delete the rule. Choose Save Rules. You can check for stale rules in another VPC by entering the VPC ID in the VPC field.

  5. When you are done, choose Close.

Alternatively, you can use the describe-stale-security-groups AWS CLI command for a specific VPC. In the following example, VPC A (vpc-aaaaaaaa) and VPC B (vpc-bbbbbbbb) were peered, and the VPC peering connection was deleted. Your security group sg-aaaa1111 in VPC A references sg-bbbb2222 in VPC B. When you run the describe-stale-security-groups command for your VPC, the response indicates that security group sg-aaaa1111 has a stale SSH rule that references sg-bbbb2222.

aws ec2 describe-stale-security-groups --vpc-id vpc-aaaaaaaa
{
    "StaleSecurityGroupSet": [
        {
            "VpcId": "vpc-aaaaaaaa", 
            "StaleIpPermissionsEgress": [], 
            "GroupName": "Access1", 
            "StaleIpPermissions": [
                {
                    "ToPort": 22, 
                    "FromPort": 22, 
                    "UserIdGroupPairs": [
                        {
                            "VpcId": "vpc-bbbbbbbb", 
                            "PeeringStatus": "deleted", 
                            "UserId": "123456789101", 
                            "GroupName": "Prod1", 
                            "VpcPeeringConnectionId": "pcx-b04deed9", 
                            "GroupId": "sg-bbbb2222"
                        }
                    ], 
                    "IpProtocol": "tcp"
                }
            ], 
            "GroupId": "sg-aaaa1111", 
            "Description": "Reference remote SG"
        }
    ]
}

After you've identified the stale security group rules, you can delete them using the revoke-security-group-ingress or revoke-security-group-egress commands.
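The two steps above (find the stale rules, then revoke them) can be joined up by parsing the describe-stale-security-groups response. The following is an added example, not code from the guide or from AWS. SAMPLE is constructed from the response shape shown above, with one all-traffic egress rule added to exercise the port-less case; rendering each stale rule as an --ip-permissions JSON document for revoke-security-group-ingress/egress is this example's assumed way of matching the rule, not something the guide prescribes:

```python
"""Turn describe-stale-security-groups output into the revoke commands
that remove stale rules.  Added example, not AWS code.  SAMPLE is
constructed from the response shape shown in the guide, with one egress
rule added; the --ip-permissions JSON rendering is an assumption."""
import json

SAMPLE = {
    "StaleSecurityGroupSet": [
        {
            "VpcId": "vpc-aaaaaaaa",
            "GroupId": "sg-aaaa1111",
            "GroupName": "Access1",
            "Description": "Reference remote SG",
            "StaleIpPermissions": [
                {
                    "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                    "UserIdGroupPairs": [
                        {"GroupId": "sg-bbbb2222", "UserId": "123456789101",
                         "VpcId": "vpc-bbbbbbbb", "PeeringStatus": "deleted",
                         "VpcPeeringConnectionId": "pcx-b04deed9"}
                    ],
                }
            ],
            # Constructed: an all-traffic egress rule (no ports) to the same peer group.
            "StaleIpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "UserIdGroupPairs": [
                        {"GroupId": "sg-bbbb2222", "UserId": "123456789101",
                         "VpcId": "vpc-bbbbbbbb", "PeeringStatus": "deleted",
                         "VpcPeeringConnectionId": "pcx-b04deed9"}
                    ],
                }
            ],
        }
    ]
}


def stale_rules(response):
    """Yield (group_id, direction, permission) for every stale rule in the response."""
    for group in response.get("StaleSecurityGroupSet", []):
        for perm in group.get("StaleIpPermissions", []):
            yield group["GroupId"], "ingress", perm
        for perm in group.get("StaleIpPermissionsEgress", []):
            yield group["GroupId"], "egress", perm


def describe(perm):
    """One-line summary of a stale permission, for a change ticket or audit log."""
    ports = "all" if "FromPort" not in perm else f"{perm['FromPort']}-{perm['ToPort']}"
    peers = ", ".join(f"{p['GroupId']} (peering {p.get('PeeringStatus', '?')})"
                      for p in perm.get("UserIdGroupPairs", []))
    return f"{perm['IpProtocol']} {ports} -> {peers}"


def to_ip_permission(perm):
    """Reduce a stale permission to the fields a revoke call needs to match it.

    Ports are optional (absent for protocol -1); the group reference keeps the
    peer's UserId so a cross-account reference still matches."""
    out = {"IpProtocol": perm["IpProtocol"]}
    for key in ("FromPort", "ToPort"):
        if key in perm:
            out[key] = perm[key]
    pairs = [{k: p[k] for k in ("GroupId", "UserId") if k in p}
             for p in perm.get("UserIdGroupPairs", [])]
    if pairs:
        out["UserIdGroupPairs"] = pairs
    return out


def revoke_commands(response):
    """Argv lists for revoke-security-group-ingress/egress, one per stale rule."""
    cmds = []
    for group_id, direction, perm in stale_rules(response):
        cmds.append(["aws", "ec2", f"revoke-security-group-{direction}",
                     "--group-id", group_id,
                     "--ip-permissions", json.dumps([to_ip_permission(perm)])])
    return cmds


if __name__ == "__main__":
    for group_id, direction, perm in stale_rules(SAMPLE):
        print(f"{group_id} {direction}: {describe(perm)}")
    for cmd in revoke_commands(SAMPLE):
        print(" ".join(cmd))
```

Reviewing the describe() lines before running the revokes is the useful habit here: a stale rule is harmless on its own, but re-creating the peering connection with the same VPCs silently makes it live again, so a rule you no longer want should be removed rather than left to age.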

Modifying Your VPC Peering Connection

You can modify a VPC peering connection to do the following:

  • Enable one or more EC2-Classic instances that are linked to your VPC via ClassicLink to communicate with instances in the peer VPC, or to enable instances in your VPC to communicate with linked EC2-Classic instances in the peer VPC. For more information, see Configurations with ClassicLink. You cannot enable EC2-Classic instances to communicate with instances in a peer VPC over IPv6.

  • Enable a local VPC to resolve public IPv4 DNS hostnames to private IPv4 addresses when queried from instances in the peer VPC. For more information, see Enabling DNS Resolution Support for a VPC Peering Connection.

Enabling DNS Resolution Support for a VPC Peering Connection

To enable a VPC to resolve public IPv4 DNS hostnames to private IPv4 addresses when queried from instances in the peer VPC, you must modify the peering connection. For this feature to work, both VPCs must be enabled for DNS hostnames and DNS resolution.

To enable DNS resolution support for the peering connection

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Peering Connections.

  3. Select the VPC peering connection, and choose Actions, Edit DNS Settings.

  4. To ensure that queries from the peer VPC resolve to private IP addresses in the local VPC, choose the option to enable DNS resolution for queries from the peer VPC.

  5. If the peer VPC is in the same AWS account, you can choose the option to enable DNS resolution for queries from the local VPC. This ensures that queries from the local VPC resolve to private IP addresses in the peer VPC. This option is not available if the peer VPC is in a different AWS account.

  6. Choose Save.

  7. If the peer VPC is in a different AWS account, the owner of the peer VPC must sign into the VPC console, perform steps 2 through 4, and choose Save.

Alternatively, you can use the modify-vpc-peering-connection-options AWS CLI command. You must modify the requester VPC peering options if you are the requester of the VPC peering connection, and you must modify the accepter VPC peering options if you are the accepter of the VPC peering connection. You can use the describe-vpc-peering-connections command to verify which VPC is the accepter and the requester for a VPC peering connection.

In this example, you are the requester of the VPC peering connection, therefore modify the peering connection options as follows:

aws ec2 modify-vpc-peering-connection-options --vpc-peering-connection-id pcx-aaaabbbb --requester-peering-connection-options AllowDnsResolutionFromRemoteVpc=true
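Choosing the wrong side's option is the usual mistake here, so the following added example (not code from the guide or from AWS) derives the side from a describe-vpc-peering-connections record, checks the DNS prerequisites from describe-vpc-attribute output, and only then builds the modify-vpc-peering-connection-options call. The inputs are constructed in the shape of those responses; VPC IDs, account numbers and the peering connection ID are made up:

```python
"""Pick the right modify-vpc-peering-connection-options call for your side
of a peering connection.  Added example, not AWS code.  Inputs are
constructed in the shape of describe-vpc-peering-connections and
describe-vpc-attribute responses; IDs and account numbers are made up."""

# Constructed: one active connection, as seen from the requester's account.
SAMPLE_PCX = {
    "VpcPeeringConnectionId": "pcx-aaaabbbb",
    "Status": {"Code": "active"},
    "RequesterVpcInfo": {
        "OwnerId": "111111111111", "VpcId": "vpc-aaaaaaaa",
        "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": False},
    },
    "AccepterVpcInfo": {
        "OwnerId": "222222222222", "VpcId": "vpc-bbbbbbbb",
        "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": True},
    },
}

# Constructed: the two describe-vpc-attribute answers for the local VPC.
SAMPLE_ATTRS = {
    "EnableDnsHostnames": {"Value": True},
    "EnableDnsSupport": {"Value": True},
}


def my_side(pcx, my_vpc_id):
    """Return 'requester' or 'accepter' for the VPC you own in this connection."""
    if pcx["RequesterVpcInfo"]["VpcId"] == my_vpc_id:
        return "requester"
    if pcx["AccepterVpcInfo"]["VpcId"] == my_vpc_id:
        return "accepter"
    raise ValueError(f"{my_vpc_id} is not part of {pcx['VpcPeeringConnectionId']}")


def dns_prereqs_met(attrs):
    """Both DNS hostnames and DNS resolution must be enabled on the VPC."""
    return all(attrs.get(key, {}).get("Value") is True
               for key in ("EnableDnsHostnames", "EnableDnsSupport"))


def dns_option_command(pcx, my_vpc_id, attrs, enable=True):
    """Argv for modify-vpc-peering-connection-options on our side of the
    connection, or None when the option already has the requested value."""
    if not dns_prereqs_met(attrs):
        raise ValueError("enable DNS hostnames and DNS resolution on the VPC first")
    side = my_side(pcx, my_vpc_id)
    info = pcx["RequesterVpcInfo" if side == "requester" else "AccepterVpcInfo"]
    current = info.get("PeeringOptions", {}).get("AllowDnsResolutionFromRemoteVpc")
    if current == enable:
        return None
    return ["aws", "ec2", "modify-vpc-peering-connection-options",
            "--vpc-peering-connection-id", pcx["VpcPeeringConnectionId"],
            f"--{side}-peering-connection-options",
            f"AllowDnsResolutionFromRemoteVpc={'true' if enable else 'false'}"]


if __name__ == "__main__":
    cmd = dns_option_command(SAMPLE_PCX, "vpc-aaaaaaaa", SAMPLE_ATTRS)
    print(" ".join(cmd) if cmd else "already enabled")
```

With the sample data the requester side produces the same command as the guide's example; asking for the accepter side returns None because that option is already true in the record.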

Describing Your VPC Peering Connections

You can view all of your VPC peering connections in the Amazon VPC console. By default, the console displays all VPC peering connections in different states, including those that may have been recently deleted or rejected. For more information about the lifecycle of a VPC peering connection, see VPC Peering Connection Lifecycle.

To view your VPC peering connections

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Peering Connections.

  3. All of your VPC peering connections are listed. Use the filter search bar to narrow your results.

Deleting a VPC Peering Connection

Either owner of a VPC in a peering connection can delete the VPC peering connection at any time. You can also delete a VPC peering connection that you've requested that is still in the pending-acceptance state.

Note

Deleting a VPC in the Amazon VPC console that's part of an active VPC peering connection also deletes the VPC peering connection. If you have requested a VPC peering connection with a VPC in another account, and you delete your VPC before the other party has accepted the request, the VPC peering connection is also deleted. You cannot delete a VPC for which you have a pending-acceptance request from a VPC in another account. You must first reject the VPC peering connection request.

To delete a VPC peering connection

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Peering Connections.

  3. Select the VPC peering connection, and choose Actions, Delete VPC Peering Connection.

  4. In the confirmation dialog box, choose Yes, Delete.

API and CLI Overview

You can perform the tasks described on this page using the command line or API. For more information about the command line interfaces and a list of available API operations, see Accessing Amazon VPC in the Amazon VPC User Guide.

Action: Create a VPC peering connection
  Commands: create-vpc-peering-connection (AWS CLI); New-EC2VpcPeeringConnection (AWS Tools for Windows PowerShell); CreateVpcPeeringConnection (Amazon EC2 Query API)

Action: Accept a VPC peering connection
  Commands: accept-vpc-peering-connection (AWS CLI); Approve-EC2VpcPeeringConnection (AWS Tools for Windows PowerShell); AcceptVpcPeeringConnection (Amazon EC2 Query API)

Action: Describe VPC peering connections
  Commands: describe-vpc-peering-connections (AWS CLI); Get-EC2VpcPeeringConnections (AWS Tools for Windows PowerShell); DescribeVpcPeeringConnections (Amazon EC2 Query API)

Action: Reject a VPC peering connection
  Commands: reject-vpc-peering-connection (AWS CLI); Deny-EC2VpcPeeringConnection (AWS Tools for Windows PowerShell); RejectVpcPeeringConnection (Amazon EC2 Query API)

Action: Modify a VPC peering connection
  Commands: modify-vpc-peering-connection-options (AWS CLI); Edit-EC2VpcPeeringConnectionOption (AWS Tools for Windows PowerShell); ModifyVpcPeeringConnectionOptions (Amazon EC2 Query API)

Action: Delete a VPC peering connection
  Commands: delete-vpc-peering-connection (AWS CLI); Remove-EC2VpcPeeringConnection (AWS Tools for Windows PowerShell); DeleteVpcPeeringConnection (Amazon EC2 Query API)

Action: Add a route to a route table
  Commands: create-route (AWS CLI); New-EC2Route (AWS Tools for Windows PowerShell); CreateRoute (Amazon EC2 Query API)

Action: Replace a route in a route table
  Commands: replace-route (AWS CLI); Set-EC2Route (AWS Tools for Windows PowerShell); ReplaceRoute (Amazon EC2 Query API)

Action: Describe security groups that have stale rules
  Commands: describe-stale-security-groups (AWS CLI); Get-EC2StaleSecurityGroup (AWS Tools for Windows PowerShell); DescribeStaleSecurityGroups (Amazon EC2 Query API)

Action: Describe security groups in a peer VPC that reference your security groups
  Commands: describe-security-group-references (AWS CLI); Get-EC2SecurityGroupReference (AWS Tools for Windows PowerShell); DescribeSecurityGroupReferences (Amazon EC2 Query API)

Controlling Access to VPC Peering Connections

By default, IAM users cannot create or modify VPC peering connections. You can create an IAM policy that grants users permission to work with VPC peering connections, and you can control which resources users have access to during those requests. For example policies for working with VPC peering connections, see Controlling Access to Amazon VPC Resources in the Amazon VPC User Guide. For more information about IAM policies for Amazon EC2, see IAM Policies for Amazon EC2 in the Amazon EC2 User Guide for Linux Instances.