
VPC Peering

Amazon Web Services
Network
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. Instances in either VPC can communicate with each other as if they were within the same network.
Terraform Name: aws_vpc_peering_connection
VPC Peering attributes:
  • peer_owner_id - (Optional) The AWS account ID of the owner of the peer VPC. Defaults to the account ID the AWS provider is currently connected to.
  • peer_vpc_id - (Required) The ID of the VPC with which you are creating the VPC Peering Connection.
  • vpc_id - (Required) The ID of the requester VPC.
  • auto_accept - (Optional) Accept the peering (both VPCs need to be in the same AWS account and region).
  • peer_region - (Optional) The region of the accepter VPC of the VPC Peering Connection. auto_accept must be false, and use the aws_vpc_peering_connection_accepter to manage the accepter side.
  • accepter (Optional) - An optional configuration block that allows for VPC Peering Connection options to be set for the VPC that accepts the peering connection (a maximum of one).
  • requester (Optional) - An optional configuration block that allows for VPC Peering Connection options to be set for the VPC that requests the peering connection (a maximum of one).
  • tags - (Optional) A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Accepter and Requester Arguments

Note:

When enabled, the DNS resolution feature requires that both VPCs participating in the peering have DNS hostnames support enabled. This can be done using the enable_dns_hostnames attribute in the aws_vpc resource. See the Using DNS with Your VPC user guide for more information.

  • allow_remote_vpc_dns_resolution - (Optional) Allow a local VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the peer VPC.
  • allow_classic_link_to_remote_vpc - (Optional) Allow a local linked EC2-Classic instance to communicate with instances in a peer VPC. This enables an outbound communication from the local ClassicLink connection to the remote VPC.
  • allow_vpc_to_remote_classic_link - (Optional) Allow a local VPC to communicate with a linked EC2-Classic instance in a peer VPC. This enables an outbound communication from the local VPC to the remote ClassicLink connection.

Associating resources with a VPC Peering
Resources do not "belong" to a VPC Peering. Rather, one or more Security Groups are associated with a resource.
Create VPC Peering via Terraform:
The following HCL requests a peering connection between a VPC in region us-east-1 and a VPC in region us-west-2.
Syntax:

# Assumes provider aliases aws.us-west-2 and aws.us-east-1 are declared elsewhere.
resource "aws_vpc_peering_connection" "foo" {
  # Requester side; this resource must run against the same region as aws_vpc.foo (us-west-2).
  peer_owner_id = var.peer_owner_id
  peer_vpc_id   = aws_vpc.bar.id
  vpc_id        = aws_vpc.foo.id
  # Cross-region peering: peer_region is set, so auto_accept must stay false and
  # the accepter side is managed with aws_vpc_peering_connection_accepter.
  peer_region   = "us-east-1"
}

resource "aws_vpc" "foo" {
  provider   = aws.us-west-2
  cidr_block = "10.1.0.0/16"
}

resource "aws_vpc" "bar" {
  provider   = aws.us-east-1
  cidr_block = "10.2.0.0/16"
}
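The attribute rules above (peer_region forces auto_accept to false, auto_accept needs one account and one region, at most one accepter and one requester block, DNS resolution needs enable_dns_hostnames on both VPCs) are easy to get wrong in a plan and only surface at apply time. The following Python checker is an added illustration, not CloudWiki's or the Terraform AWS provider's code: it takes dictionaries that mirror the HCL attribute names and reports inconsistencies before anything is applied. The VPCS lookup table, the CURRENT_ACCOUNT_ID placeholder and the finding wording are assumptions made for this example; the overlapping-CIDR check reflects the AWS rule that a peering cannot be established between VPCs with overlapping IPv4 ranges.

```python
"""Pre-apply sanity checks for an aws_vpc_peering_connection plan.

Added illustration, not CloudWiki's or the Terraform AWS provider's code.
The dictionaries mirror the HCL attribute names used on the page; the VPCS
table, CURRENT_ACCOUNT_ID and the check wording are assumptions made here.
"""
import ipaddress

CURRENT_ACCOUNT_ID = "111111111111"  # constructed placeholder for the provider's account

# Constructed sample: the two VPCs from the page's Terraform example, plus the
# enable_dns_hostnames flag the DNS-resolution note depends on.
VPCS = {
    "foo": {"region": "us-west-2", "cidr_block": "10.1.0.0/16", "enable_dns_hostnames": True},
    "bar": {"region": "us-east-1", "cidr_block": "10.2.0.0/16", "enable_dns_hostnames": False},
}

# Constructed sample: the cross-region peering resource from the page, with the
# accepter-side DNS option switched on.
PEERING = {
    "vpc_id": "foo",
    "peer_vpc_id": "bar",
    "peer_region": "us-east-1",
    "auto_accept": False,
    "accepter": [{"allow_remote_vpc_dns_resolution": True}],
    "requester": [],
}


def check_peering(peering, vpcs, current_account=CURRENT_ACCOUNT_ID):
    """Return a list of (severity, message) findings; an empty list means the plan is consistent."""
    findings = []
    req = vpcs[peering["vpc_id"]]
    acc = vpcs[peering["peer_vpc_id"]]

    # AWS refuses to establish a peering between VPCs whose IPv4 CIDRs overlap.
    req_net = ipaddress.ip_network(req["cidr_block"])
    acc_net = ipaddress.ip_network(acc["cidr_block"])
    if req_net.overlaps(acc_net):
        findings.append(("error", "requester and accepter CIDR blocks overlap"))

    auto_accept = bool(peering.get("auto_accept"))
    peer_region = peering.get("peer_region")
    peer_owner = peering.get("peer_owner_id")

    # auto_accept only works when both VPCs sit in the same account and region;
    # a cross-region peering sets peer_region and must leave auto_accept false.
    if peer_region and auto_accept:
        findings.append(("error", "auto_accept must be false when peer_region is set"))
    if peer_owner and peer_owner != current_account and auto_accept:
        findings.append(("error", "auto_accept requires both VPCs in the same account"))
    if peer_region and peer_region != acc["region"]:
        findings.append(("error", f"peer_region {peer_region} does not match the peer VPC's region {acc['region']}"))

    # The accepter and requester option blocks are each limited to one.
    option_blocks = []
    for name in ("accepter", "requester"):
        blocks = peering.get(name, [])
        if len(blocks) > 1:
            findings.append(("error", f"more than one {name} block"))
        option_blocks.extend(blocks)

    # Resolving peer hostnames to private IPs needs enable_dns_hostnames on both VPCs.
    if any(b.get("allow_remote_vpc_dns_resolution") for b in option_blocks):
        for name in (peering["vpc_id"], peering["peer_vpc_id"]):
            if not vpcs[name].get("enable_dns_hostnames"):
                findings.append(("warn", f"VPC {name} needs enable_dns_hostnames for allow_remote_vpc_dns_resolution"))
    return findings


if __name__ == "__main__":
    for severity, message in check_peering(PEERING, VPCS):
        print(f"[{severity}] {message}")
```

Run against the sample plan, the checker reports one warning: VPC bar has not enabled DNS hostnames, so the accepter's allow_remote_vpc_dns_resolution option would silently do nothing. Feeding it a same-region pair with overlapping CIDRs, or a cross-region pair with auto_accept = true, produces the corresponding errors.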

Create VPC Peering via CLI:
Parameters:

create-vpc-peering-connection
[--dry-run | --no-dry-run]
[--peer-owner-id <value>]
[--peer-vpc-id <value>]
[--vpc-id <value>]
[--peer-region <value>]
[--tag-specifications <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws ec2 create-vpc-peering-connection --vpc-id vpc-1a2b3c4d --peer-vpc-id vpc-11122233 --peer-region us-west-2
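Once connections exist, a defender wants to review what `aws ec2 describe-vpc-peering-connections --output json` reports: which accounts are on the far end of each peering and which inbound requests are still waiting for a decision. The following Python audit is an added illustration, not CloudWiki's or the AWS CLI's code. SAMPLE is a constructed document shaped like the CLI's describe output (the account, VPC and pcx IDs are made up, with the VPC IDs borrowed from the CLI example above); OUR_ACCOUNT and TRUSTED_ACCOUNTS are assumptions for this example.

```python
"""Review describe-vpc-peering-connections JSON for peerings that need a second look.

Added illustration, not CloudWiki's or the AWS CLI's code. SAMPLE is a
constructed document shaped like the CLI's describe output (account, VPC and
pcx IDs are made up); OUR_ACCOUNT and TRUSTED_ACCOUNTS are assumptions.
"""
import json

OUR_ACCOUNT = "111111111111"            # constructed: the account being audited
TRUSTED_ACCOUNTS = {"111111111111"}     # constructed: accounts allowed to peer with us

SAMPLE = json.dumps({
    "VpcPeeringConnections": [
        {   # the page's CLI example once accepted: both ends in our account
            "VpcPeeringConnectionId": "pcx-0123456789abcdef0",
            "Status": {"Code": "active", "Message": "Active"},
            "RequesterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-1a2b3c4d",
                                 "CidrBlock": "10.1.0.0/16", "Region": "us-east-1"},
            "AccepterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-11122233",
                                "CidrBlock": "10.2.0.0/16", "Region": "us-west-2"},
            "Tags": [{"Key": "Name", "Value": "shared-services"}],
        },
        {   # an inbound request from an account that is not on the trusted list
            "VpcPeeringConnectionId": "pcx-0123456789abcdef1",
            "Status": {"Code": "pending-acceptance", "Message": "Pending Acceptance by 111111111111"},
            "RequesterVpcInfo": {"OwnerId": "999999999999", "VpcId": "vpc-0f0f0f0f",
                                 "CidrBlock": "172.16.0.0/16", "Region": "us-east-1"},
            "AccepterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-1a2b3c4d",
                                "CidrBlock": "10.1.0.0/16", "Region": "us-east-1"},
            "Tags": [],
        },
    ]
})


def audit_peerings(describe_json, our_account, trusted_accounts):
    """Map each peering connection ID that needs review to its list of reasons."""
    flagged = {}
    for pcx in json.loads(describe_json)["VpcPeeringConnections"]:
        reasons = []
        req, acc = pcx["RequesterVpcInfo"], pcx["AccepterVpcInfo"]
        status = pcx["Status"]["Code"]
        # The far end is whichever side is not ours (for an in-account peering both are ours).
        far = req if acc["OwnerId"] == our_account else acc
        if far["OwnerId"] not in trusted_accounts:
            reasons.append(f"peer account {far['OwnerId']} is not on the trusted list")
        # A request waiting on us routes nothing until accepted, but it should be
        # accepted or rejected deliberately rather than left pending.
        if status == "pending-acceptance" and acc["OwnerId"] == our_account:
            reasons.append("inbound request still pending our acceptance")
        if reasons:
            flagged[pcx["VpcPeeringConnectionId"]] = reasons
    return flagged


if __name__ == "__main__":
    for pcx_id, reasons in audit_peerings(SAMPLE, OUR_ACCOUNT, TRUSTED_ACCOUNTS).items():
        print(pcx_id, "->", "; ".join(reasons))
```

On the sample the first connection passes, while the second is flagged twice: its requester account is unknown and the request is still waiting on our side. Adding that account to TRUSTED_ACCOUNTS leaves only the pending-acceptance reason, which is the signal to either accept the request or reject it.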

Costs
The cost of using VPC Peering is determined by the amount of data transferred between peered VPCs. Basic data transfer costs for VPC Peering start at $0.01 per GB and decrease as the amount of data transferred increases.
Best Practices for VPC Peering

Categorized by Availability, Security & Compliance and Cost

  • Low: Access allowed from VPN
  • Low: Auto Scaling Group not in use
  • Medium: Connections towards DynamoDB should be via VPC endpoints
  • Medium: Container in CrashLoopBackOff state
  • Low: EC2 with GPU capabilities
  • Medium: EC2 with high privileged policies
  • Medium: ECS cluster delete alarm
  • Critical: ECS task with Admin access (*:*)
  • Medium: ECS task with high privileged policies
  • Critical: EKS cluster delete alarm
  • Medium: ElastiCache cluster delete alarm
  • Medium: Ensure Container liveness probe is configured
  • Medium: Ensure ECS task definition has memory limit
  • Critical: Ensure EMR cluster master nodes are not publicly accessible