Part 1: Guidelines for Virtual Private Cloud Peering with AWS

  • Part 2: The Setup

In some of my recent columns, I have been discussing virtual private clouds (VPCs) within Amazon Web Services (AWS). You can find those columns here and here. This column is about VPC peering, which is basically a way to enable IP communications between two VPCs. VPC peering functions in a similar way to a site-to-site VPN, in that it allows communication between two isolated environments. Unlike a site-to-site VPN, though, VPC peering does not require a VPN connection; that is the biggest difference between the two.

VPC peering can connect VPCs that belong to a single AWS subscription, but it is even more useful for communicating between two AWS accounts. This is handy if you have separate VPCs for each department and need to allow inter-department communication. AWS allows you to set up a VPC peering link between a VPC associated with one AWS account and a VPC associated with another AWS account. Next week, I will show you how to set up VPC peering. For now, I want to talk about what you can do with VPC peering.

One thing you should be aware of is that VPC peering is restricted to a specific region. You may be familiar with the requirement that a VPC must be created in a specific region; peering between VPCs is only possible if the VPCs are located in the same region.

VPC peering lets instances within a VPC communicate with instances in the peer VPC using either IPv4 or IPv6. You are basically establishing network connectivity between peers when you enable VPC peering, so the same rules that apply to other IP networks apply to VPC peers. Two VPCs cannot be peered if they contain duplicate IP addresses or overlapping IP address ranges.

Another important point: VPC peering supports both IPv4 and IPv6, but you will need to manually configure the network resources if you wish to use IPv6. According to the AWS documentation, you must associate an IPv6 block with both VPCs. You will also need to configure instances within the VPCs for IPv6 communications, and update your routing tables so that AWS can route IPv6 traffic to an instance within the peer VPC. These configuration steps are only required for IPv6 communications.

VPC peering relies on the establishment of connectivity between two VPCs, and there are some architectural limitations you should be aware of. First, AWS allows only one peering relationship between any two VPCs. This limitation is obvious, as there is no real benefit to creating multiple peer relationships between the same set of VPCs. Second, peer relationships are not transitive. The lack of transitive peering sometimes means more work for administrators, but it is often a good thing. There are two reasons why this is so.

Let's say you have three VPCs, and imagine that you have created a series of peer relationships so that all of your VPCs can communicate. To make things more interesting, let's pretend that each VPC is associated with a specific department. Now imagine your boss telling you that you must establish a peer relationship between the VPC responsible for marketing and the VPC of a partner organization. This is the case of transitive peering.
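As an added example (not from the column, and not AWS code), the following small planning model applies the rules discussed above before anyone touches the console: same region, no overlapping CIDR blocks, one peering per VPC pair, a route on each side pointing at the peering connection, and no transitivity. The VPC and peering identifiers it uses are constructed placeholders, not real AWS ids.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Vpc:
    vpc_id: str    # constructed identifier such as "vpc-sales", not a real AWS id
    account: str   # owning AWS account; a peering may span two accounts
    region: str
    cidr: str      # IPv4 CIDR block of the VPC

@dataclass
class PeeringPlan:
    vpcs: dict = field(default_factory=dict)
    peerings: set = field(default_factory=set)  # frozenset({id_a, id_b}) per peering
    routes: list = field(default_factory=list)  # (vpc_id, destination_cidr, target)

    def add_vpc(self, vpc: Vpc) -> None:
        self.vpcs[vpc.vpc_id] = vpc

    def problems(self, a_id: str, b_id: str) -> list:
        """Reasons a peering request between a_id and b_id would be rejected."""
        a, b = self.vpcs[a_id], self.vpcs[b_id]
        found = []
        if a_id == b_id:
            found.append("a VPC cannot peer with itself")
        if a.region != b.region:
            found.append(f"regions differ: {a.region} vs {b.region}")
        if ipaddress.ip_network(a.cidr).overlaps(ipaddress.ip_network(b.cidr)):
            found.append(f"overlapping CIDRs: {a.cidr} vs {b.cidr}")
        if frozenset((a_id, b_id)) in self.peerings:
            found.append("only one peering connection is allowed per VPC pair")
        return found

    def peer(self, a_id: str, b_id: str) -> str:
        """Record the peering plus the route each side needs; return the peering id."""
        found = self.problems(a_id, b_id)
        if found:
            raise ValueError("; ".join(found))
        pcx = f"pcx-{a_id}-{b_id}"  # placeholder for the real pcx-... id AWS assigns
        self.peerings.add(frozenset((a_id, b_id)))
        for src, dst in ((a_id, b_id), (b_id, a_id)):
            # src's route table: traffic for the peer's CIDR goes to the peering
            self.routes.append((src, self.vpcs[dst].cidr, pcx))
        return pcx

    def can_reach(self, src_id: str, dst_id: str) -> bool:
        """Only a direct peering carries traffic: A-B and B-C do not give A-C."""
        return frozenset((src_id, dst_id)) in self.peerings
```

Peering sales with marketing and marketing with the partner leaves `can_reach("vpc-sales", "vpc-partner")` false, which is exactly the non-transitive behaviour the column describes.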