There are a number of reasons you might need to set up a VPC peering connection between your VPCs, or between a VPC that you own and a VPC in a different AWS account. The following scenarios can help you determine which configuration is best suited to your networking requirements.
1) Peering two or more VPCs to provide full access to resources
In this scenario, you have two or more VPCs that you want to peer to enable full sharing of resources between all VPCs. The following are some examples:
Your company has a VPC for the finance department, and another VPC for the accounting department. The finance department requires access to all resources that are in the accounting department, and the accounting department requires access to all resources in the finance department.
Your company has multiple IT departments, each with their own VPC. Some VPCs are located within the same AWS account, and others in a different AWS account. You want to peer together all VPCs to enable the IT departments to have full access to each other's resources.
2) Peering to one VPC to access centralized resources
In this scenario, you have a central VPC that contains resources that you want to share with other VPCs. Your central VPC may require full or partial access to the peer VPCs, and similarly, the peer VPCs may require full or partial access to the central VPC. The following are some examples:
Your company's IT department has a VPC for file sharing. You want to peer other VPCs to that central VPC; however, you do not want the other VPCs to send traffic to each other.
Your company has a VPC that you want to share with your customers. Each customer can create a VPC peering connection with your VPC; however, your customers cannot route traffic to other VPCs that are peered to yours, nor are they aware of the other customers' routes.
You have a central VPC that is used for Active Directory services. Specific instances in peer VPCs send requests to the Active Directory servers and require full access to the central VPC. The central VPC does not require full access to the peer VPCs; it only needs to route response traffic to the specific instances.
VPC peering limitations
Connections
You cannot have more than one VPC peering connection between two VPCs at the same time.
Overlapping CIDR blocks
You cannot create a VPC peering connection between VPCs that have matching or overlapping IPv4 or IPv6 CIDR blocks.
Transitive peering
VPC peering does not support transitive peering relationships. For example, if there are VPC peering connections between VPC A and VPC B, and between VPC A and VPC C, you can’t route traffic from VPC B to VPC C through VPC A. To route traffic between VPC B and VPC C, you must create a VPC peering connection between them.
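The three limitations above (one connection per VPC pair, no overlapping CIDR blocks, no transitive routing) can be checked before anything is created. The following is an added example, not code from the AWS documentation: it validates a constructed peering plan offline with the standard library and models reachability as direct peerings only, so a hub-and-spoke layout shows that spokes cannot reach each other through the hub. VPC names and CIDR blocks are constructed sample values.

```python
from ipaddress import ip_network

# Constructed sample data: VPC name -> list of CIDR blocks (IPv4 or IPv6).
VPCS = {
    "finance":    ["10.0.0.0/16"],
    "accounting": ["10.1.0.0/16"],
    "shared":     ["10.0.128.0/17"],   # overlaps with finance
    "customer":   ["172.16.0.0/16"],
}

# Constructed plan: (requester, accepter). "finance" acts as the hub VPC.
PLAN = [
    ("finance", "accounting"),
    ("finance", "customer"),
    ("finance", "shared"),        # rejected: overlapping CIDR
    ("finance", "accounting"),    # rejected: second connection for same pair
]


def cidrs_overlap(blocks_a, blocks_b):
    """True if any CIDR in blocks_a overlaps any CIDR of the same IP version in blocks_b."""
    for a in blocks_a:
        for b in blocks_b:
            na, nb = ip_network(a), ip_network(b)
            if na.version == nb.version and na.overlaps(nb):
                return True
    return False


def validate_peering_plan(vpcs, peerings):
    """Return a list of problems that would prevent the requested connections."""
    problems, seen = [], set()
    for req, acc in peerings:
        pair = frozenset((req, acc))
        if pair in seen:
            problems.append(f"{req}<->{acc}: only one peering connection is allowed per VPC pair")
            continue
        seen.add(pair)
        if cidrs_overlap(vpcs[req], vpcs[acc]):
            problems.append(f"{req}<->{acc}: overlapping CIDR blocks")
    return problems


def can_route(peerings, src, dst):
    """Peering is not transitive: traffic flows only between directly peered VPCs."""
    return frozenset((src, dst)) in {frozenset(p) for p in peerings}
```

Routing still requires the matching route table entries and security group rules in each VPC; this check only tells you which connections AWS would refuse to create and which pairs can never talk regardless of routes.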
Edge to edge routing through a gateway or private connection
If VPC A has an internet gateway, resources in VPC B can’t use the internet gateway in VPC A to access the internet.
If VPC A has a NAT device that provides internet access to subnets in VPC A, resources in VPC B can't use the NAT device in VPC A to access the internet.
If VPC A has a VPN connection to a corporate network, resources in VPC B can’t use the VPN connection to communicate with the corporate network.
If VPC A has an AWS Direct Connect connection to a corporate network, resources in VPC B can’t use the AWS Direct Connect connection to communicate with the corporate network.
If VPC A has a gateway endpoint that provides connectivity to Amazon S3 to private subnets in VPC A, resources in VPC B can’t use the gateway endpoint to access Amazon S3.
Inter-Region VPC peering connections
You cannot create a security group rule that references a peer VPC security group. The Maximum Transmission Unit (MTU) across an inter-Region VPC peering connection is 1500 bytes. Jumbo frames (MTUs up to 9001 bytes) are not supported for inter-Region VPC peering connections. They are, however, supported for VPC peering connections in the same Region.
You must enable DNS resolution support for the VPC peering connection to resolve private DNS hostnames of the peered VPC to private IP addresses, even if the IPv4 CIDR for the VPC falls into the private IPv4 address ranges specified by RFC 1918.
Identity and access management for VPC peering
By default, users cannot create or modify VPC peering connections. To grant access to VPC peering resources, attach an IAM policy to an IAM identity, such as a role.