Setup #AWS Inter-Region VPC Peering

Last week, AWS announced support for Inter-Region VPC Peering:

Amazon EC2 now allows peering relationships to be established between Virtual Private Clouds (VPCs) across different AWS regions. Inter-Region VPC Peering allows VPC resources like EC2 instances, RDS databases and Lambda functions running in different AWS regions to communicate with each other using private IP addresses, without requiring gateways, VPN connections or separate network appliances.

Inter-Region VPC Peering provides a simple and cost-effective way to share resources between regions or replicate data for geographic redundancy. Built on the same horizontally scaled, redundant, and highly available technology that powers VPC today, Inter-Region VPC Peering encrypts inter-region traffic with no single point of failure or bandwidth bottleneck. Traffic using Inter-Region VPC Peering always stays on the global AWS backbone and never traverses the public internet, thereby reducing threat vectors, such as common exploits and DDoS attacks.

Data transferred across Inter-Region VPC Peering connections is charged at the standard inter-region data transfer rates.

Inter-Region VPC Peering is available in AWS US East (N. Virginia), US East (Ohio), US West (Oregon) and EU (Ireland) with support for other regions coming soon.

This announcement really excited me in that I believe it really opens up continuity and DR options for those customers (yes, likely the smaller ones) who don’t necessarily have the resources to set up transit VPCs with Cisco CSRs.

The basic steps to set up VPC peering are shown below, and they really don’t change all that much to support inter-region VPC peering:

To establish a VPC peering connection, you do the following:

  1. The owner of the requester VPC sends a request to the owner of the accepter VPC to create the VPC peering connection. The accepter VPC can be owned by you, or another AWS account, and cannot have a CIDR block that overlaps with the requester VPC’s CIDR block.
  2. The owner of the accepter VPC accepts the VPC peering connection request to activate the VPC peering connection.
  3. To enable the flow of traffic between the VPCs using private IP addresses, the owner of each VPC in the VPC peering connection must manually add a route to one or more of their VPC route tables that points to the IP address range of the other VPC (the peer VPC).
  4. If required, update the security group rules that are associated with your instance to ensure that traffic to and from the peer VPC is not restricted. If both VPCs are in the same region, you can reference a security group from the peer VPC as a source or destination for ingress or egress rules in your security group rules.
  5. If both VPCs are in the same region, you can modify your VPC connection to enable DNS hostname resolution. By default, if instances on either side of a VPC peering connection address each other using a public DNS hostname, the hostname resolves to the instance’s public IP address.

However, to expand on them a little more, the more specific steps using the AWS Management Console are:

  1. On the Services page, click VPC.
  2. On the VPC Dashboard, click Peering Connections under the Virtual Private Cloud heading.
  3. Click Create Peering Connection.
  4. On the Create Peering Connection page, enter the following and click Create Peering Connection:
  • Peering connection name tag
    • enter a name for the peering connection
  • VPC (Requester)
    • select the local VPC that will be peered with the remote VPC
  • Account
    • specify the account that has access to the remote VPC
  • Region
    • specify the region containing the remote VPC
  • VPC (Accepter)
    • specify the VPC ID of the remote VPC. It will not “auto-fill” like the VPC (Requester). Connect to the remote VPC, note the VPC ID, and then manually enter that value into this box.

[Screenshot: 1-PeeringConnection]

  5. Assuming all information on the Create Peering Connection page is correct, you should see a dialog box indicating success and that the remote VPC must be configured to accept the peering connection. Click OK.
  6. Open the remote site in the AWS Management Console and open the Peering Connections page.
  7. You should see a peering connection with the Status of Pending Acceptance. Select that connection and then click Actions | Accept Request.

[Screenshot: 2-AcceptConnection]

  8. On the Accept VPC Peering Connection Request page, click Yes, Accept.
  9. When prompted that the VPC Peering Connection has been established, click Close.
  10. The peering connection Status should now read Active.
  11. To allow traffic to route between the peered VPCs, create a route table entry for the remote VPC’s CIDR block on any relevant route tables on both sides of the connection.

[Screenshot: 3-RouteTable]

  12. Adjust any network ACLs or security groups to allow the necessary traffic. Ping likely isn’t necessary, but it provides for an easy screenshot.

[Screenshot: 4-pingtest]
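The same procedure can be scripted rather than clicked through, and doing so makes the two rules that matter for security explicit: the two CIDR blocks must not overlap (step 1 of the general procedure), and a cross-region peer cannot be referenced by security group ID, so the rule has to name the peer CIDR and should be scoped to the ports actually needed rather than opening everything to it (step 4). The following is an added example, not code from the original post or from AWS. It is an offline planner: it checks the overlap rule, derives the route table entries each side needs (step 3), picks the security group source form, and lists the equivalent AWS CLI invocations (`create-vpc-peering-connection --peer-region`, `accept-vpc-peering-connection`, `create-route`). It never calls AWS; every VPC ID, route table ID, account ID and CIDR in it is a constructed sample, and the `<pcx-id-returned-by-create>` placeholder stands for the peering connection ID the first command would return.

```python
"""Offline planner for the VPC peering steps above (constructed example).

Checks the step-1 rule that the two CIDR blocks must not overlap, derives the
step-3 route table entries each side needs, picks the step-4 security group
source form, and lists the equivalent AWS CLI commands. It never calls AWS;
the VPC, route table and account values are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Vpc:
    vpc_id: str                       # constructed sample IDs below, not real resources
    region: str
    cidr: str
    account_id: str
    route_table_ids: Tuple[str, ...]  # route tables that must learn the peer CIDR


def cidrs_overlap(a: str, b: str) -> bool:
    """True if the two IPv4 blocks share any address (AWS refuses such a peering)."""
    net_a = ipaddress.ip_network(a, strict=True)
    net_b = ipaddress.ip_network(b, strict=True)
    return net_a.overlaps(net_b)


def plan_peering(requester: Vpc, accepter: Vpc,
                 peering_id: str = "<pcx-id-returned-by-create>",
                 tcp_port: int = 443) -> Dict:
    """Return the routes, security group rule form and CLI commands for one peering."""
    if cidrs_overlap(requester.cidr, accepter.cidr):
        raise ValueError(f"CIDR overlap: {requester.cidr} vs {accepter.cidr}; peering not possible")

    same_region = requester.region == accepter.region
    commands: List[List[str]] = []

    # Step 1: the requester side creates the request; --peer-region is what
    # makes it an inter-region peering.
    commands.append(["aws", "ec2", "create-vpc-peering-connection",
                     "--region", requester.region,
                     "--vpc-id", requester.vpc_id,
                     "--peer-vpc-id", accepter.vpc_id,
                     "--peer-owner-id", accepter.account_id,
                     "--peer-region", accepter.region])
    # Step 2: the accepter side accepts, in its own region.
    commands.append(["aws", "ec2", "accept-vpc-peering-connection",
                     "--region", accepter.region,
                     "--vpc-peering-connection-id", peering_id])

    # Step 3: each side adds a route for the peer's CIDR via the peering connection.
    routes: List[Tuple[str, str, str]] = []
    for local, peer in ((requester, accepter), (accepter, requester)):
        for rtb in local.route_table_ids:
            routes.append((local.region, rtb, peer.cidr))
            commands.append(["aws", "ec2", "create-route",
                             "--region", local.region,
                             "--route-table-id", rtb,
                             "--destination-cidr-block", peer.cidr,
                             "--vpc-peering-connection-id", peering_id])

    # Step 4: same-region peers may reference the peer security group; across
    # regions the rule must name the peer CIDR (as step 4 above states), and is
    # limited to one port rather than allowing all traffic from the peer.
    sg_source = "security-group" if same_region else "cidr"
    sg_rules = [
        {"region": local.region, "protocol": "tcp", "port": tcp_port,
         "source": peer.cidr if sg_source == "cidr" else "<peer-sg-id>"}
        for local, peer in ((requester, accepter), (accepter, requester))
    ]
    return {"same_region": same_region, "routes": routes,
            "sg_source": sg_source, "sg_rules": sg_rules, "commands": commands}


# Constructed sample values (not real AWS resources).
SAMPLE_REQUESTER = Vpc("vpc-0aaaaaaaaaaaaaaaa", "us-east-1", "10.10.0.0/16",
                       "111111111111", ("rtb-0aaaaaaaaaaaaaaa1",))
SAMPLE_ACCEPTER = Vpc("vpc-0bbbbbbbbbbbbbbbb", "us-west-2", "10.20.0.0/16",
                      "222222222222", ("rtb-0bbbbbbbbbbbbbbb1", "rtb-0bbbbbbbbbbbbbbb2"))


def build_sample_plan() -> Dict:
    """Plan the sample us-east-1 <-> us-west-2 peering."""
    return plan_peering(SAMPLE_REQUESTER, SAMPLE_ACCEPTER)


if __name__ == "__main__":
    for cmd in build_sample_plan()["commands"]:
        print(" ".join(cmd))
```

Running the file prints the five commands in the order the console steps perform them (create, accept, then one route per route table on each side). Because the accepter here has two route tables and the requester one, the plan contains three routes; swapping either CIDR for one that overlaps the other raises before any command is emitted, which is the same check the console performs when it rejects the request.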

Again, I’m really quite excited about this new capability. What do you think you’ll do with it? We’d love to hear from you!
