Cross Account VPC to VPC Peering
Amazon engineers built the AWS Virtual Private Cloud (VPC) feature to offer users their own private section of the AWS cloud. With an AWS VPC, users can create a complete virtual network in which to run their applications securely. When you create a new VPC in your AWS account, you decide who gets access and how data flows, and you set up security measures, just as you would when managing a network in a physical data center, except that it is all virtual and scalable in the AWS cloud.
Sometimes one VPC in a single AWS account is not enough. There are several reasons AWS users create multiple VPCs across multiple AWS accounts:
- Security and Isolation: By using separate VPCs, users can isolate different environments (usually your dev, test, and prod) or different applications to enhance security. This isolation helps in minimizing the potential damage to your broader organization from a security breach.
- Cost Allocation: Using multiple accounts helps in tracking and allocating costs more accurately. Unless you already have a FinOps team managing cloud costs, separate AWS accounts let you track billing for each of these environments on its own.
- Compliance and Governance: Different VPCs and accounts can be configured to meet specific compliance requirements. This setup allows for tailored security policies and governance controls for different parts of the organization.
- Scalability and Flexibility: As the organization grows, it can easily add more VPCs and accounts to accommodate new projects, teams, or regions without affecting existing setups. This enables different teams or departments to manage their own VPCs within their respective accounts, allowing for more granular control over resources and easier management of permissions and policies.
- Network Performance: By distributing workloads across multiple VPCs, users can optimize network performance and reduce latency. This is particularly useful for applications that require high availability and low latency.
When using multiple AWS virtual private clouds (VPCs) and multiple accounts in a testing lab or production setting, IT managers, cloud architects, and computer science students often need to connect VPCs that are not in the same account.
How to set up AWS VPC to VPC connectivity
This is the step-by-step process for establishing VPC peering connectivity across multiple accounts. Before you begin, ensure that you have the AWS account number and VPC ID of the VPCs between which you are creating this private network connection.
Important
All the IP addresses for your VPC are represented using Classless Inter-Domain Routing (CIDR) notation. If the two VPCs have overlapping IPv4 CIDR blocks, or if the account ID or VPC ID you enter is incorrect, the status of the VPC peering connection will show as “failed” during this process. For more information on associating an IPv4 CIDR block with your AWS VPC, see IP addressing for your VPCs and subnets.
To request a VPC peering connection with a VPC in another account in the same region
1. Open the Amazon VPC console for the account initiating the peering request.
2. In the navigation pane, choose Peering Connections > Create Peering Connection.
3. Configure the information as follows, and choose Create Peering Connection when you are done:
- Peering connection name tag: Naming your connection creates a tag with a key of Name and a value that you specify.
- VPC (Requester): Select the VPC in your account with which to create the VPC peering connection.
- Account: Choose Another account.
- Account ID: Enter the AWS account ID of the owner of the VPC to which you are peering.
- VPC (Accepter): Enter the ID of the VPC with which to create the VPC peering connection.
4. A confirmation dialog box appears; choose OK.
Important! The VPC peering connection that you’ve created is not active. To activate it, the owner of the accepter VPC must accept the VPC peering connection request.
Before traffic can be directed to the peer VPC, the request must be accepted and the VPC route tables updated. Continue with these steps:
5. Open the Amazon VPC console for the account that is accepting the peering connection request.
6. Go to VPC > Peering Connections; the Peering Connection Request is listed in the “Pending Acceptance” state.
7. After confirming that the information shown for the requester Owner matches what you expect (always maintain good security hygiene and only accept requests from known users), choose Actions > Accept Request.
8. Click the Yes, Accept button.
9. Click Close.
Now you’ll need to establish routing between the two newly connected VPCs. Rather than get into the details of that process, just know that once you’ve pointed both VPCs to each other for their respective CIDR blocks and modified your Security Groups to accommodate the new traffic, you’ll be able to communicate from one VPC to the other. The screenshot from our testing lab showed a successful VPC-to-VPC peering connection as seen from a Windows Server.
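As an added example (not code from the original post), this Python script performs the pre-flight checks the Important note above calls for, rejecting malformed account or VPC IDs and overlapping IPv4 CIDR blocks, and then lists the routes each VPC needs once the request is accepted. The account IDs, VPC IDs, CIDRs and the `pcx-PLACEHOLDER` peering ID are constructed sample values, not values from the post.

```python
import ipaddress
import re

# Constructed example values (not from the post): two VPCs in two accounts.
REQUESTER = {"account_id": "111111111111", "vpc_id": "vpc-0a1b2c3d4e5f60001",
             "cidrs": ["10.0.0.0/16"]}
ACCEPTER = {"account_id": "222222222222", "vpc_id": "vpc-0f9e8d7c6b5a40002",
            "cidrs": ["10.1.0.0/16"]}

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")                       # AWS account IDs are 12 digits
VPC_ID_RE = re.compile(r"^vpc-([0-9a-f]{8}|[0-9a-f]{17})$")   # short (legacy) or long VPC IDs


def preflight(requester, accepter):
    """Return the problems that would make the peering request show as
    'failed' (bad account or VPC IDs) or be rejected outright (CIDR overlap)."""
    problems = []
    for side, info in (("requester", requester), ("accepter", accepter)):
        if not ACCOUNT_ID_RE.match(info["account_id"]):
            problems.append(f"{side}: account ID must be 12 digits")
        if not VPC_ID_RE.match(info["vpc_id"]):
            problems.append(f"{side}: VPC ID must look like vpc-xxxxxxxx")
    if (requester["account_id"], requester["vpc_id"]) == \
            (accepter["account_id"], accepter["vpc_id"]):
        problems.append("requester and accepter are the same VPC")
    # Overlapping IPv4 CIDR blocks cannot be peered: a route to the peer
    # would be ambiguous with the VPC's own local route.
    for a in requester["cidrs"]:
        for b in accepter["cidrs"]:
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b)):
                problems.append(f"CIDR overlap: {a} and {b}")
    return problems


def plan_routes(requester, accepter, pcx_id):
    """Routes each side must add to its route table after acceptance:
    destination = the *peer's* CIDR block, target = the peering connection."""
    return {
        requester["vpc_id"]: [(c, pcx_id) for c in accepter["cidrs"]],
        accepter["vpc_id"]: [(c, pcx_id) for c in requester["cidrs"]],
    }


if __name__ == "__main__":
    print("preflight:", preflight(REQUESTER, ACCEPTER) or "ok")
    # pcx-PLACEHOLDER stands in for the ID the console shows after creation.
    for vpc, routes in plan_routes(REQUESTER, ACCEPTER, "pcx-PLACEHOLDER").items():
        for dest, target in routes:
            print(f"{vpc}: {dest} -> {target}")
```

Run it before submitting the request; any line returned by `preflight` is a reason the console would report “failed”, and the `plan_routes` output is what still has to be entered in each VPC’s route table (Security Group rules are a separate step).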
Blue Mantis delivers secure AWS Solutions at scale
If you enjoyed this blog post and want to learn more about AWS cloud architecture best practices for your business, then we’d like to hear from you. Blue Mantis is a security-first IT solutions provider and AWS Partner that helps organizations large and small assess, modernize, and manage AWS Cloud solutions at scale for their unique business outcomes.
Connect with us to discuss what you need from a secure AWS that meets your industry-specific needs and how we can exceed your operational expectations.