File Sharing VPC
IT department VPC for file sharing. Peer other VPCs to central VPC, but prevent other VPCs from sending traffic to each other.
Vpc Peering
Connecting VPCs in AWS with VPC peering
Section titled “Connecting VPCs in AWS with VPC peering”VPC Peering Overview
Section titled “VPC Peering Overview”When you have a small number of VPCs or networking budget is constrained by paying for transit gateway, use VPC peering feature to establish one-to-one network connection between two VPCs.
Key Characteristics
Section titled “Key Characteristics”- Feature of Amazon VPC service - creating VPC peering connection incurs no costs
- Point-to-point peer with very small network overhead and low network latency
- Lets EC2 instances in two VPCs communicate using private IP addresses as if in same network
- Can create peering between:
- Your own VPCs
- VPC in another AWS account
- VPC in different AWS Region
Security and Performance Benefits
Section titled “Security and Performance Benefits”- VPC peering connections do not share traffic with other VPC peering connections
- Traffic remains in private IP address space
- Traffic always stays on global AWS backbone, never traverses public internet
- Reduces threats such as common exploits and DDoS attacks
- All inter-Region traffic is encrypted
- No single point of failure or bandwidth bottlenecks
Establishing VPC Peering
Section titled “Establishing VPC Peering”- Send peering request from VPC A owner to VPC B owner
- Accept peering request - VPC B owner must accept VPC A peering connection request
- Configure route tables for both VPCs to enable traffic flow
- Update security groups as needed to allow traffic between VPCs
Route Table Configuration Requirements
Section titled “Route Table Configuration Requirements”Each VPC owner must add routes to their VPC route table:
VPC A route table:
- Destination: IP address range of VPC B (e.g., 10.2.0.0/16)
- Target: VPC A-B peering connection ID
VPC B route table:
- Destination: IP address range of VPC A (e.g., 10.1.0.0/16)
- Target: VPC A-B peering connection ID
Practical Use Case
Section titled “Practical Use Case”Two startups collaborating on project can establish VPC peering to share resources securely. This setup enables communication over AWS private network infrastructure, ensuring faster and more secure data exchange without exposing resources to public internet.
VPC Peering Limitations
Section titled “VPC Peering Limitations”Transitive Peering Not Supported
Section titled “Transitive Peering Not Supported”Transitive peering is not supported by VPC peering, making it secure and manageable to isolate errors and limit blast radius for network attacks.
Example: If VPC A peers with VPC B, and VPC B peers with VPC C, this does not mean VPC A connects to VPC C. VPC peering does not let VPC A connect to VPC C unless explicitly established as peers.
This provides control over which VPCs can communicate and which should be isolated with minimal access.
Additional Limitations
Section titled “Additional Limitations”- Overlapping CIDR blocks: VPC peering not possible between VPCs with matching or overlapping CIDR blocks
- Internet/NAT gateway access: If either VPC has internet or NAT gateway in peering connection, the VPC does not have access to internet or NAT gateway in other VPC
- Ownership restriction: Only VPC owners can work with their VPC peering connections
Specific Route Configurations
Section titled “Specific Route Configurations”You can configure route tables for VPC peering connection to restrict access to:
- Subnet CIDR block
- Specific CIDR block if VPC has multiple CIDR blocks
- Specific resource IP address in peer VPC
Example Restricted Routing
Section titled “Example Restricted Routing”VPC A subnet route table:
- Destination: Private IP of EC2 instance in VPC B (10.2.1.18/32)
- Target: VPC A-B peering connection
VPC B subnet route table:
- Destination: VPC A subnet CIDR block (10.1.1.0/20)
- Target: VPC A-B peering connection
Use Cases for Centralized Resources
Section titled “Use Cases for Centralized Resources”Common Centralized VPC Scenarios
Section titled “Common Centralized VPC Scenarios”Customer Shared VPC
Company VPC shared with customers. Each customer creates peering with your VPC, but customers cannot route to other customer VPCs.
Active Directory VPC
Central VPC for Active Directory services. Specific instances in peer VPCs send requests to AD servers requiring full central VPC access.
AWS PrivateLink Alternative
Section titled “AWS PrivateLink Alternative”When connecting VPCs with overlapping IP address ranges or wanting application-level connections, use AWS PrivateLink instead of VPC peering.
PrivateLink Benefits
Section titled “PrivateLink Benefits”- No peering connection needed when using AWS PrivateLink with Network Load Balancer
- Privately connect to service/application in service provider VPC from consumer VPCs within AWS Region
- Only consumer VPCs initiate connections to service provider VPC
- Overlapping IP ranges supported - consumer and service provider VPCs can have same CIDR blocks
Architecture
Section titled “Architecture”Service provider VPC has Network Load Balancer with EC2 instances as targets. Consumer VPC owner creates VPC elastic network interface endpoint to network load balancer endpoint.
VPC peering establishes direct one-to-one networking connections for private traffic routes between VPCs, with no costs for peering itself but data transfer charges apply. It provides secure, low-latency connections while maintaining traffic isolation and control over VPC-to-VPC access patterns.