About VPC Peering – Networking and Connectivity – SOA-C02 Study Guide

About VPC Peering

A VPC peering connection establishes connectivity between two VPCs over the global AWS backbone network without requiring a VPN. Peered VPCs can be in different regions and can even belong to different AWS accounts. The owner of one account sends a VPC peering request to the other account, which must accept it before the peering connection will carry traffic. After the connection is created, you update your route table to send specific traffic over the VPC peering connection. The CIDR ranges of peered VPCs must not overlap. Figure 11.12 shows an example of the route table configuration of two peered VPCs. Each VPC has a route to the other VPC's CIDR range that points to the peering connection (pcx-nnnnn).

FIGURE 11.12 VPC peering route table

You can create multiple VPC peering connections; however, transitive peering is not supported. For example, in Figure 11.13, VPC 3 is configured with VPC peering connections to VPC 1 and VPC 2. This does not allow VPC 1 and VPC 2 to communicate through VPC 3.

FIGURE 11.13 Transitive peering
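The route-table behaviour of Figures 11.12 and 11.13 as a constructed Python model, added here and not the book's code or the AWS API: an accepted peering adds a route to the peer's CIDR that points at the pcx id, overlapping CIDRs are refused, and a lookup that follows at most one peering hop shows why a route in VPC 1 that points at the VPC 3 peering still cannot reach VPC 2. The VPC CIDRs and pcx ids are made up.

```python
import ipaddress

class Vpc:  # constructed model of a VPC and its main route table, not AWS code
    def __init__(self, cidr):
        self.cidr = cidr
        self.routes = {cidr: "local"}  # destination CIDR -> target

def peering_allowed(a, b):
    """AWS rejects a peering request when the two CIDR ranges overlap."""
    return not ipaddress.ip_network(a.cidr).overlaps(ipaddress.ip_network(b.cidr))

def peer(pcx_id, requester, accepter, peerings):
    """Request + accept; each side then routes the peer's CIDR to the pcx (Figure 11.12)."""
    if not peering_allowed(requester, accepter):
        raise ValueError(f"overlapping CIDRs: {requester.cidr} / {accepter.cidr}")
    peerings[pcx_id] = (requester, accepter)
    requester.routes[accepter.cidr] = pcx_id
    accepter.routes[requester.cidr] = pcx_id

def lookup(vpc, dst_ip):
    """Longest-prefix match over the route table; None when nothing matches."""
    ip, best = ipaddress.ip_address(dst_ip), None
    for cidr, target in vpc.routes.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, target)
    return best[1] if best else None

def reachable(src, dst_ip, peerings):
    """A packet crosses at most one peering; the far VPC delivers it only if
    dst_ip is in that VPC's own CIDR, so peering is never transitive (Figure 11.13)."""
    target = lookup(src, dst_ip)
    if target == "local":
        return True
    if target in peerings:
        a, b = peerings[target]
        return lookup(b if a is src else a, dst_ip) == "local"
    return False

def figure_11_13():
    """VPC 3 peered with VPC 1 and VPC 2 (constructed CIDRs and pcx ids)."""
    vpc1, vpc2, vpc3 = Vpc("10.1.0.0/16"), Vpc("10.2.0.0/16"), Vpc("10.3.0.0/16")
    peerings = {}
    peer("pcx-1111", vpc1, vpc3, peerings)
    peer("pcx-2222", vpc2, vpc3, peerings)
    vpc1.routes["10.2.0.0/16"] = "pcx-1111"  # tempting misconfiguration: "via VPC 3"
    return {"vpc1->vpc3": reachable(vpc1, "10.3.0.10", peerings),
            "vpc1->vpc2": reachable(vpc1, "10.2.0.10", peerings)}
```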

Transit Gateway

As you add more VPCs, this architecture can become very complex. For example, Figure 11.14 shows many VPCs. Each has a Direct Connect VIF and VPN connections to a datacenter. (Note that the datacenter has only a single Direct Connect circuit but uses multiple VIFs to communicate with different VPCs.) There might also be VPC peering connections from each VPC to all the other VPCs. For VPC A, that would mean managing five VPC peering connections, one VPN, and one Direct Connect circuit. Multiply that by many VPCs, and it becomes an administrative nightmare.

FIGURE 11.14 Many VPCs

The transit gateway can resolve this issue by allowing many VPCs to connect to it in a hub-and-spoke topology. You can also terminate VPNs or Direct Connect circuits on a transit gateway, allowing many VPCs to utilize these shared connections. Traffic that is sent via the transit gateway stays on the private AWS backbone and is automatically encrypted. A VPC connection to a transit gateway can use up to 50 Gbps of bandwidth.

FIGURE 11.15 Transit gateway

ExamAlert

VPC peering does not have an aggregate bandwidth limitation. Transit gateway connections to a VPC provide up to 50 Gbps of bandwidth. A VPN connection provides a maximum throughput of 1.25 Gbps.

Cram Quiz

Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can.

1. Which types of connections are supported by a transit gateway? (Choose three.)

A. VPN to a physical datacenter

B. Direct Connect gateway

C. Internet gateway

D. Transitive connections between multiple VPCs

E. NAT gateway

2. You must create a VPC peering connection between your VPC and a customer’s VPC. Your VPC has a CIDR range of 10.1.0.0/16. The customer VPC has a CIDR range of 10.2.0.0/16. What must be configured to allow EC2 instances in these VPCs to communicate? (Choose three.)

A. Configure a route in each VPC pointing to the CIDR range of the other VPC.

B. Configure a NAT gateway to present a public IP address for the instances that must communicate.

C. Configure an Internet gateway on each of the VPCs.

D. Configure the appropriate entries in NACLs and security groups.

E. A VPC peering connection request must be sent to the customer, and the customer AWS account must accept the request.

Cram Quiz Answers

1. Answer: A, B, and D are correct. A transit gateway allows the connected VPCs to communicate with one another and allows attachments to an on-premises datacenter through either a VPN or Direct Connect.

2. Answer: A, D, and E are correct. A VPC peering connection must be established by sending a request to the customer account. After that request has been accepted, configure the necessary routes in each VPC to send traffic destined for the other VPC's CIDR range over the VPC peering connection. Finally, allow the desired traffic through the NACLs and security groups.