VPC peering configurations with ClassicLink - Amazon Virtual Private Cloud

VPC peering configurations with ClassicLink

We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC.

If you have a VPC peering connection between two VPCs, and there are one or more EC2-Classic instances that are linked to one or both of the VPCs using ClassicLink, you can extend the VPC peering connection to enable communication between the EC2-Classic instances and the instances in the VPC on the other side of the VPC peering connection. This enables the EC2-Classic instances and the instances in the VPC to communicate using private IP addresses. To do this, you enable a local VPC to communicate with a linked EC2-Classic instance in a peer VPC, or you enable a local linked EC2-Classic instance to communicate with VPC instances in a peer VPC.

Communication over ClassicLink only works if both VPCs in the VPC peering connection are in the same Region.

Important

EC2-Classic instances cannot be enabled for IPv6 communication. You can enable VPC instances on either side of a VPC peering connection to communicate with each other over IPv6; however, an EC2-Classic instance that's ClassicLinked with a VPC can communicate with VPC instances on either side of the VPC peering connection over IPv4 only.

To enable your VPC peering connection for communication with linked EC2-Classic instances, you must modify the requester VPC peering options if you are the requester of the VPC peering connection, and you must modify the accepter VPC peering options if you are the accepter of the VPC peering connection. You can use the describe-vpc-peering-connections command to verify which VPC is the accepter and the requester for a VPC peering connection.

You can modify the VPC peering connection options as follows:

  • Enable a local linked EC2-Classic instance to communicate with instances in a peer VPC

    In this case, you modify the VPC peering connection options to enable outbound communication from the local ClassicLink connection to the peer VPC on the other side of the VPC peering connection. The owner of the peer VPC modifies the VPC peering connection options to enable outbound communication from their local VPC to the remote ClassicLink connection.

  • Enable a local VPC to communicate with a linked EC2-Classic instance in a peer VPC

    In this case, you modify the VPC peering connection options to enable outbound communication from your local VPC to the remote ClassicLink connection on the other side of the VPC peering connection. The owner of the peer VPC with the linked EC2-Classic instance modifies the VPC peering connection options to enable outbound communication from their local ClassicLink connection to the remote VPC.

When you enable a local linked EC2-Classic instance to communicate with instances in a peer VPC, you must manually add a route to the main route table of your local VPC with a destination of the peer VPC CIDR block, and a target of the VPC peering connection. The linked EC2-Classic instance is not associated with any subnet in the VPC; it relies on the main route table for communication with the peer VPC.

Important

The route for the VPC peering connection must be added to the main route table, regardless of any custom route tables with existing routes to the peering connection. If not, the EC2-Classic instance cannot communicate with the peer VPC.

When you enable a local VPC for communication with a remote ClassicLink connection, a route is automatically added to all the local VPC route tables with a destination of 10.0.0.0/8 and a target of Local. This enables communication with the remote linked EC2-Classic instance. If your route table has an existing static route in the 10.0.0.0/8 IP address range (including VPC peering connection routes), you cannot enable the local VPC for communication with the remote ClassicLink connection.

Region Support

You can modify the VPC peering connection options in the following Regions:

  • US East (N. Virginia)

  • US West (N. California)

  • US West (Oregon)

  • Europe (Ireland)

  • Asia Pacific (Tokyo)

  • Asia Pacific (Singapore)

  • South America (São Paulo)

  • Asia Pacific (Sydney)

In this scenario, we have the following:

  • VPC A is enabled for ClassicLink, and EC2-Classic instance A is linked to VPC A using ClassicLink.

  • VPC B is in a different AWS account, and is peered to VPC A using VPC peering connection pcx-aaaabbbb. The VPC peering connection was requested by VPC A and accepted by VPC B.

  • VPC B can be in an account that supports EC2-Classic, or in an account that supports EC2-VPC only.

Use the following route tables so that instance A can communicate with instances in VPC B, and instances in VPC B can communicate with instance A.

Route table | Destination | Target       | Notes
VPC A       | VPC A CIDR  | Local        | Default local route for VPC A.
VPC A       | VPC B CIDR  | pcx-aaaabbbb | Route manually added for the peering connection between VPC A and VPC B.
VPC A       | 10.0.0.0/8  | Local        | Route automatically added to enable ClassicLink communication (added when you linked the instance to VPC A).
VPC B       | VPC B CIDR  | Local        | Default local route for VPC B.
VPC B       | VPC A CIDR  | pcx-aaaabbbb | Route manually added for the peering connection between VPC A and VPC B.

The owner of VPC A must modify the VPC peering connection to enable instance A to communicate with VPC B, and update the main route table. The owner of VPC B must modify the VPC peering connection to enable VPC B to communicate with instance A.

For more information about adding routes, see Adding and Removing Routes from a Route Table in the Amazon VPC User Guide.

Modify the VPC peering connection for VPC A

To enable communication from the EC2-Classic instance to VPC B, the AWS account owner of VPC A must modify the VPC peering connection options to enable the local ClassicLink connection to send traffic to instances in the peer VPC.

To modify the VPC peering connection using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

    The owner of VPC A must sign in to the console.

  2. In the navigation pane, choose Peering Connections.

  3. Select the VPC peering connection, and choose Actions, Edit ClassicLink Settings.

  4. Choose the option to allow local linked EC2-Classic instances to communicate with the peer VPC, and choose Save.

To modify the VPC peering connection using the AWS CLI

You can use the modify-vpc-peering-connection-options command. In this case, VPC A was the requester of the VPC peering connection; therefore, modify the requester options as follows:

aws ec2 modify-vpc-peering-connection-options --vpc-peering-connection-id pcx-aaaabbbb --requester-peering-connection-options AllowEgressFromLocalClassicLinkToRemoteVpc=true

Modify the VPC peering connection for VPC B

Next, the AWS account owner of VPC B must modify the VPC peering connection options to enable VPC B to send traffic to EC2-Classic instance A.

To modify the VPC peering connection using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

    The owner of VPC B must sign in to the console.

  2. In the navigation pane, choose Peering Connections.

  3. Select the VPC peering connection, and choose Actions, Edit ClassicLink Settings.

  4. Choose the option to allow local VPC instances to communicate with EC2-Classic instances in the peer VPC, and choose Save.

To modify the VPC peering connection using the AWS CLI

VPC B accepted the VPC peering connection; therefore, modify the accepter options as follows:

aws ec2 modify-vpc-peering-connection-options --vpc-peering-connection-id pcx-aaaabbbb --accepter-peering-connection-options AllowEgressFromLocalVpcToRemoteClassicLink=true

View VPC peering connection options

You can view the VPC peering connection options for the accepter VPC and requester VPC using the Amazon VPC console or the AWS CLI.

To view VPC peering connection options using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Peering Connections.

  3. Select the VPC peering connection, and choose ClassicLink. Information about the enabled or disabled VPC peering connection options is displayed.

To view VPC peering connection options using the AWS CLI

You can use the describe-vpc-peering-connections command:

aws ec2 describe-vpc-peering-connections --vpc-peering-connection-id pcx-aaaabbbb
{
    "VpcPeeringConnections": [
        {
            "Status": {
                "Message": "Active",
                "Code": "active"
            },
            "Tags": [
                {
                    "Value": "MyPeeringConnection",
                    "Key": "Name"
                }
            ],
            "AccepterVpcInfo": {
                "PeeringOptions": {
                    "AllowEgressFromLocalVpcToRemoteClassicLink": true,
                    "AllowEgressFromLocalClassicLinkToRemoteVpc": false,
                    "AllowDnsResolutionFromRemoteVpc": false
                },
                "OwnerId": "123456789101",
                "VpcId": "vpc-80cb52e4",
                "CidrBlock": "172.31.0.0/16"
            },
            "VpcPeeringConnectionId": "pcx-aaaabbbb",
            "RequesterVpcInfo": {
                "PeeringOptions": {
                    "AllowEgressFromLocalVpcToRemoteClassicLink": false,
                    "AllowEgressFromLocalClassicLinkToRemoteVpc": true,
                    "AllowDnsResolutionFromRemoteVpc": false
                },
                "OwnerId": "111222333444",
                "VpcId": "vpc-f527be91",
                "CidrBlock": "192.168.0.0/16"
            }
        }
    ]
}
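A preflight check for the two procedures above, added here as an example and not AWS code: it takes the describe-vpc-peering-connections output and the ClassicLink side's main route table, tells an account whether it is the requester or the accepter, reports which of the two peering options is still unset, confirms the peer route is in the main route table, and lists any static routes inside 10.0.0.0/8 that would stop the peer VPC enabling its option. The API responses are embedded inline as constructed samples (taken from the output above) rather than fetched with boto3.

```python
import ipaddress
import json

# Constructed sample (not live API output): the describe-vpc-peering-connections
# response shown above, trimmed to the fields these checks need.
PEERING_JSON = """{"VpcPeeringConnections": [{"VpcPeeringConnectionId": "pcx-aaaabbbb",
 "AccepterVpcInfo": {"OwnerId": "123456789101", "CidrBlock": "172.31.0.0/16", "PeeringOptions":
  {"AllowEgressFromLocalVpcToRemoteClassicLink": true, "AllowEgressFromLocalClassicLinkToRemoteVpc": false}},
 "RequesterVpcInfo": {"OwnerId": "111222333444", "CidrBlock": "192.168.0.0/16", "PeeringOptions":
  {"AllowEgressFromLocalVpcToRemoteClassicLink": false, "AllowEgressFromLocalClassicLinkToRemoteVpc": true}}}]}"""
PEERING = json.loads(PEERING_JSON)["VpcPeeringConnections"][0]

# Constructed sample: VPC A's main route table from the table above (describe-route-tables "Routes" shape).
MAIN_ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "172.31.0.0/16", "VpcPeeringConnectionId": "pcx-aaaabbbb"},
    {"DestinationCidrBlock": "10.0.0.0/8", "GatewayId": "local"}]}

def local_role(pcx, account_id):
    """Which side ("Requester" or "Accepter") of the peering connection an account owns."""
    for role in ("Requester", "Accepter"):
        if pcx[role + "VpcInfo"]["OwnerId"] == account_id:
            return role
    raise ValueError("account owns neither side of " + pcx["VpcPeeringConnectionId"])

def classic_to_peer_problems(pcx, classic_side, main_rt):
    """What still blocks linked EC2-Classic instances on classic_side from reaching the peer VPC."""
    other = "Accepter" if classic_side == "Requester" else "Requester"
    opts = {r: pcx[r + "VpcInfo"]["PeeringOptions"] for r in (classic_side, other)}
    problems = []
    # The ClassicLink side allows egress from its link; the peer side allows egress to it.
    if not opts[classic_side]["AllowEgressFromLocalClassicLinkToRemoteVpc"]:
        problems.append(classic_side + " needs AllowEgressFromLocalClassicLinkToRemoteVpc=true")
    if not opts[other]["AllowEgressFromLocalVpcToRemoteClassicLink"]:
        problems.append(other + " needs AllowEgressFromLocalVpcToRemoteClassicLink=true")
    # The linked instance has no subnet, so the peer route must be in the main route table.
    peer_cidr = pcx[other + "VpcInfo"]["CidrBlock"]
    if not any(r.get("DestinationCidrBlock") == peer_cidr and
               r.get("VpcPeeringConnectionId") == pcx["VpcPeeringConnectionId"]
               for r in main_rt["Routes"]):
        problems.append("main route table lacks " + peer_cidr + " -> " + pcx["VpcPeeringConnectionId"])
    return problems

def classic_link_route_conflicts(rt):
    """Static routes inside 10.0.0.0/8 that stop a VPC enabling AllowEgressFromLocalVpcToRemoteClassicLink."""
    classic = ipaddress.ip_network("10.0.0.0/8")
    # Assumption: routes whose target is "local" are not static routes and are skipped.
    return [r["DestinationCidrBlock"] for r in rt["Routes"]
            if "DestinationCidrBlock" in r and r.get("GatewayId") != "local"
            and ipaddress.ip_network(r["DestinationCidrBlock"]).overlaps(classic)]
```

With the sample data, the requester (VPC A) side passes every check, while asking the same question for the accepter side lists the three things VPC B would still have to do.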