Understanding Inter-Region VPC Peering with Hands-On!
On November 29th, 2017, Amazon Web Services announced support for Inter-Region VPC Peering. Inter-Region VPC Peering allows VPC resources such as EC2 instances, RDS databases and Lambda functions running in different AWS regions to communicate with each other over private IP addresses, without requiring gateways, VPN connections or separate network appliances.
In this article, I intend to cover the fundamentals of VPC Peering and then walk through a hands-on exercise using AWS CLI commands. So let’s get going!!
Now that we know the purpose of VPC Peering, it’s time for some theory and a fact check.
VPC Peering:
- Connects two VPCs in the same region or in different regions (inter-region VPC peering).
- One-to-one: only one peering connection can exist between a given pair of VPCs, and peering connections are not transitive.
- The CIDR blocks of the two VPCs must not overlap.
- Enables communication over private IPs.
- Works across different AWS accounts.
- The VPC peering connection object (PCX) is highly available and high performance.
- Caution: never blindly accept a peering request in the real world; it could be devastating!
Alright! Enough with theory and that’s honestly enough theory to get going. :)
I’m a big believer in having an architecture diagram, or at least a block diagram, in front of me. Having the diagram handy always helps you understand what you’re implementing and how the overall flow works.
So here’s a quick-n-dirty VPC Peering architecture diagram of ours.
Let’s also do a quick checklist of what we need to make VPC Peering work. We must:
- Create a VPC in N. Virginia with CIDR 10.100.0.0/16 and then deploy two subnets, one public (10.100.0.0/24) and one private (10.100.1.0/24). Additionally, we need an Internet Gateway (IGW), routing tables with the appropriate routes, a security group allowing inbound SSH/ICMP, and lastly two EC2 instances, one in the public subnet and one in the private subnet.
- Create a VPC in the Singapore region with CIDR 10.200.0.0/16 and create one private subnet, 10.200.0.0/24. Within this region we need a routing table and an EC2 instance (in the private subnet) with a security group with restrictive inbound access for SSH/ICMP.
- Lastly, create a VPC peering connection between both VPCs and validate that the EC2 instance in us-east-1 can talk to the EC2 instance residing in ap-southeast-1.
Fine, we have everything we need to start implementing. I will go ahead and create both VPCs, the subnets and the IGW, update the routing tables, and launch the EC2 instances with the appropriate security groups.
Let’s prepare Infrastructure at region US-EAST-1 (Northern Virginia)
Let’s prepare Infrastructure at region AP-SOUTHEAST-1 (Singapore)
Alright, now we have the necessary infrastructure ready in both regions and it’s time to do the VPC Peering, so that we can talk to services deployed in private subnets across regions over the private IP range.
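Two things routinely go wrong at exactly this step, and both were called out in the checklist above: the CIDRs must not overlap, a pending request must not be accepted blindly, and after acceptance each side’s route table still needs a route for the peer’s CIDR pointing at the pcx. The script below is an added example, not part of the original walkthrough, that performs those checks against JSON shaped like the output of `aws ec2 describe-vpc-peering-connections` and the `Routes` list of `aws ec2 describe-route-tables`. Every account ID, VPC ID and pcx ID in it is constructed for the example; the `EXPECTED_PEERS` allowlist is an assumption standing in for whatever your own change record says the requester should be.

```python
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-vpc-peering-connections` output.
# All IDs and account numbers are made up for this example. The first request is the
# one we created from us-east-1; the second comes from an account we do not know.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "VpcPeeringConnections": [
        {
            "VpcPeeringConnectionId": "pcx-0example0000000001",
            "Status": {"Code": "pending-acceptance"},
            "RequesterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-0exampleuseast1",
                                 "CidrBlock": "10.100.0.0/16", "Region": "us-east-1"},
            "AccepterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-0examplesingapore",
                                "CidrBlock": "10.200.0.0/16", "Region": "ap-southeast-1"},
        },
        {
            "VpcPeeringConnectionId": "pcx-0example0000000002",
            "Status": {"Code": "pending-acceptance"},
            "RequesterVpcInfo": {"OwnerId": "999999999999", "VpcId": "vpc-0unknownparty",
                                 "CidrBlock": "10.200.128.0/17", "Region": "eu-west-1"},
            "AccepterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-0examplesingapore",
                                "CidrBlock": "10.200.0.0/16", "Region": "ap-southeast-1"},
        },
    ]
})

# Assumed allowlist of (account, VPC) pairs we actually expect to peer with.
EXPECTED_PEERS = {("111111111111", "vpc-0exampleuseast1")}


def cidrs_overlap(a: str, b: str) -> bool:
    """True if the two CIDR blocks share any address (peering requires False)."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def review_pending_requests(describe_json: str, expected_peers: set, local_cidr: str) -> dict:
    """Decide accept/reject for every pending-acceptance request in the describe output.

    Returns {pcx_id: (decision, [reasons])}. A request is rejected when the requester
    account/VPC is not on the allowlist or its CIDR overlaps our own VPC's CIDR.
    """
    decisions = {}
    for pcx in json.loads(describe_json)["VpcPeeringConnections"]:
        if pcx["Status"]["Code"] != "pending-acceptance":
            continue  # already active, rejected, expired, etc.
        req = pcx["RequesterVpcInfo"]
        reasons = []
        if (req["OwnerId"], req["VpcId"]) not in expected_peers:
            reasons.append(f"unexpected requester {req['OwnerId']}/{req['VpcId']}")
        if cidrs_overlap(req["CidrBlock"], local_cidr):
            reasons.append(f"requester CIDR {req['CidrBlock']} overlaps local {local_cidr}")
        decision = "reject" if reasons else "accept"
        decisions[pcx["VpcPeeringConnectionId"]] = (decision, reasons)
    return decisions


def route_to_peer_missing(routes: list, remote_cidr: str, pcx_id: str) -> bool:
    """True when no active route in `routes` sends remote_cidr through the given pcx.

    `routes` is the `Routes` list of one route table from describe-route-tables.
    """
    remote = ipaddress.ip_network(remote_cidr)
    for r in routes:
        dest = r.get("DestinationCidrBlock")
        if not dest or r.get("VpcPeeringConnectionId") != pcx_id:
            continue
        if r.get("State", "active") != "active":
            continue  # a blackholed route (e.g. peering deleted) does not count
        if remote.subnet_of(ipaddress.ip_network(dest)):
            return False
    return True


if __name__ == "__main__":
    for pcx_id, (decision, reasons) in review_pending_requests(
            SAMPLE_DESCRIBE_OUTPUT, EXPECTED_PEERS, "10.200.0.0/16").items():
        print(pcx_id, decision, reasons)
    # Constructed Singapore private route table: local route plus nothing else yet.
    sg_routes = [{"DestinationCidrBlock": "10.200.0.0/16", "GatewayId": "local", "State": "active"}]
    print("route missing:", route_to_peer_missing(sg_routes, "10.100.0.0/16", "pcx-0example0000000001"))
```

Run the review before `aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id <pcx> --region ap-southeast-1`, and run the route check on both sides afterwards; the accept call only changes the pcx status, it never adds routes or security-group rules, so a “connected but cannot ping” result is almost always a missing `create-route` to the peer CIDR or a security group that does not allow ICMP/SSH from the peer’s range.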
Awesome!
This is the end of the VPC Peering exercise.
I hope this helps you understand how VPC peering works across two regions. There can be various combinations of VPC peering, such as peering among three or more VPCs (VPC peering is always a one-to-one relation and is not transitive by default). VPC peering has its own limitations in terms of scalability, hence there are ways to simplify networking using a Transit VPC. It is not a service from AWS but a reference architecture that implements a hub-and-spoke topology on VPCs so that they can have centralized edge connectivity. A Transit VPC can be implemented with various products/solutions on the market, or you can now choose AWS Transit Gateway or the more recent AWS PrivateLink solution instead.
There are several solutions out there, and each has its own benefits and drawbacks; choosing the right one mostly depends on the use case on the table.
Nevertheless, this article is solely about inter-region VPC Peering, and maybe later I’ll write on Transit VPC, Transit Gateway (TGW) and VPC PrivateLink.
Hope you enjoyed reading the article. Please feel free to provide your feedback.