Limitations of VPC Peering – Configuring Infrastructure Security – SCS-C02 Study Guide

Limitations of VPC Peering

Although VPC peering is relatively easy to understand and implement, there are some limitations that you must be aware of as well:

  • You cannot create a VPC peering connection between VPCs with matching or overlapping IPv4 CIDR blocks. Similarly, you cannot create a VPC peering connection between VPCs with matching or overlapping IPv6 CIDR blocks.
  • You cannot have more than one VPC peering connection between two VPCs at the same time.
  • If VPC 1 has an internet gateway (IGW), neither VPC 2 nor VPC 3 can use that IGW to reach the internet through the peering connection.
  • If VPC 1 has a gateway endpoint for either S3 or DynamoDB, neither VPC 2 nor VPC 3 can use that gateway endpoint to access those services.
  • Unlike in a regular VPC, you cannot create a security group rule referencing a peer VPC security group. Instead, you must reference the IPv4 ranges.

The preceding list covers the most common rules. For a complete list of VPC peering limitations, visit the following URL: https://packt.link/Jkkhv.
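The first limitation above is the one most often hit in practice, because a single overlapping block on either side blocks the whole peering connection. The following pre-flight check is an added example, not code from the study guide or from AWS: it takes a constructed inventory of VPC IDs and their CIDR blocks (a VPC can carry several IPv4 CIDRs plus an IPv6 CIDR) and reports every pair of VPCs that cannot be peered, and why. In a real account the inventory would come from `aws ec2 describe-vpcs`, which is not called here so the check runs offline.

```python
"""Pre-flight check for VPC peering CIDR conflicts (added example, not from the study guide)."""
from ipaddress import ip_network
from typing import Dict, List, Tuple

# Constructed sample inventory: VPC id -> list of associated CIDR blocks.
# Every CIDR on one side must be checked against every CIDR on the other,
# because one overlap is enough to make the peering connection invalid.
VPCS: Dict[str, List[str]] = {
    "vpc-1": ["10.0.0.0/16", "2001:db8:1::/56"],
    "vpc-2": ["10.1.0.0/16", "2001:db8:2::/56"],
    "vpc-3": ["10.0.128.0/17", "172.16.0.0/16"],   # 10.0.128.0/17 sits inside vpc-1's 10.0.0.0/16
}


def cidr_conflicts(cidrs_a: List[str], cidrs_b: List[str]) -> List[Tuple[str, str]]:
    """Return every (a, b) pair of CIDRs that match or overlap.

    IPv4 is compared only against IPv4 and IPv6 only against IPv6; the
    explicit version check keeps that rule visible rather than relying on
    ipaddress quietly returning False for mixed families.
    """
    conflicts = []
    for a in cidrs_a:
        net_a = ip_network(a, strict=True)   # strict: reject host bits set, e.g. 10.0.0.1/16
        for b in cidrs_b:
            net_b = ip_network(b, strict=True)
            if net_a.version == net_b.version and net_a.overlaps(net_b):
                conflicts.append((a, b))
    return conflicts


def can_peer(vpc_a: str, vpc_b: str, inventory: Dict[str, List[str]] = VPCS) -> bool:
    """True when the two VPCs share no matching or overlapping CIDR block."""
    if vpc_a == vpc_b:
        return False  # a VPC cannot be peered with itself
    return not cidr_conflicts(inventory[vpc_a], inventory[vpc_b])


def peering_report(inventory: Dict[str, List[str]] = VPCS) -> Dict[Tuple[str, str], List[Tuple[str, str]]]:
    """Check every unordered pair of VPCs once and return the conflicts per pair."""
    ids = sorted(inventory)
    report = {}
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            report[(a, b)] = cidr_conflicts(inventory[a], inventory[b])
    return report


if __name__ == "__main__":
    for pair, conflicts in peering_report().items():
        status = "OK" if not conflicts else f"BLOCKED by {conflicts}"
        print(f"{pair[0]} <-> {pair[1]}: {status}")
```

Running the check before requesting the peering connection is cheaper than discovering the conflict after the request fails, and the same function is a useful guard in IaC pipelines that allocate new VPC CIDRs: a secondary CIDR added later to an already-peered VPC is where overlaps tend to creep in.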

Using Transit Gateway to Connect VPCs

Transit Gateway can be thought of as a router in the cloud that operates on a per-Region basis. It can also act as the central hub for your AWS Direct Connect connection and for any VPN connections coming into your environment.

It can scale with your organization as you grow since each Transit Gateway hub can support 5,000 attachments. From a network security perspective, Transit Gateway is able to segment traffic based on route tables to ensure that specific segments of traffic do not talk to each other.

Figure 10.26: Transit Gateway connecting to multiple VPCs in a Region

Figure 10.26 shows how Transit Gateway can help you either connect multiple VPCs to each other or segment them from each other based on the values in the Routing Table. Based on the initial Routing Table, VPC 1 allows inbound and outbound connections associated with the Direct Connect IP range. It does not allow data to connect to VPCs 2 or 3. VPCs 2 and 3 enable data and connections between those VPCs, along with ingress and egress connections associated with the VPN connection.
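The segmentation in Figure 10.26 comes from what each route table lacks, not from any deny rule: an attachment is associated with exactly one Transit Gateway route table, and a destination with no matching route is simply not forwarded. The model below is an added example, not code from the study guide or from AWS. It assigns constructed CIDRs to the three VPCs, the Direct Connect range and the VPN range (the figure does not state them), builds the two route tables the text describes, performs longest-prefix-match lookups, and treats a pair as reachable only when both the forward and the return path exist.

```python
"""Model of Transit Gateway route-table segmentation (added example, not from the study guide)."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed CIDRs for the attachments in Figure 10.26; the figure itself
# does not give them.
CIDRS: Dict[str, str] = {
    "vpc-1": "10.1.0.0/16",
    "vpc-2": "10.2.0.0/16",
    "vpc-3": "10.3.0.0/16",
    "direct-connect": "192.168.0.0/16",
    "vpn": "172.16.0.0/12",
}

# A TGW route table is a list of (destination CIDR, target attachment).
# rt-dx carries only VPC 1 and the Direct Connect range; rt-vpn carries
# VPCs 2 and 3 and the VPN range. Nothing in rt-dx points at VPC 2 or 3,
# so that traffic has no path and is dropped at the gateway.
ROUTE_TABLES: Dict[str, List[Tuple[str, str]]] = {
    "rt-dx": [
        (CIDRS["vpc-1"], "vpc-1"),
        (CIDRS["direct-connect"], "direct-connect"),
    ],
    "rt-vpn": [
        (CIDRS["vpc-2"], "vpc-2"),
        (CIDRS["vpc-3"], "vpc-3"),
        (CIDRS["vpn"], "vpn"),
    ],
}

# Each attachment is associated with exactly one route table; packets arriving
# from that attachment are looked up in that table only.
ASSOCIATIONS: Dict[str, str] = {
    "vpc-1": "rt-dx",
    "direct-connect": "rt-dx",
    "vpc-2": "rt-vpn",
    "vpc-3": "rt-vpn",
    "vpn": "rt-vpn",
}


def lookup(table: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Longest-prefix match over one route table; None means no route."""
    addr = ip_address(dst)
    best, best_len = None, -1
    for cidr, target in table:
        net = ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best, best_len = target, net.prefixlen
    return best


def forwards(src_attachment: str, dst: str) -> Optional[str]:
    """Attachment the TGW forwards a packet from src_attachment to, or None."""
    table = ROUTE_TABLES[ASSOCIATIONS[src_attachment]]
    return lookup(table, dst)


def reachable(src: str, dst: str) -> bool:
    """True only when both directions route: a missing return path also breaks the flow."""
    dst_host = str(ip_network(CIDRS[dst])[1])   # a representative host in dst's range
    src_host = str(ip_network(CIDRS[src])[1])
    return forwards(src, dst_host) == dst and forwards(dst, src_host) == src


def connectivity_matrix() -> Dict[str, List[str]]:
    """For each attachment, the other attachments it can exchange traffic with."""
    return {a: [b for b in CIDRS if b != a and reachable(a, b)] for a in CIDRS}


if __name__ == "__main__":
    for src, peers in connectivity_matrix().items():
        print(f"{src:15} -> {', '.join(peers) or '(isolated)'}")
```

Reading the matrix is the same exercise as reading the figure: VPC 1 reaches only the Direct Connect range, VPCs 2 and 3 reach each other and the VPN, and nothing crosses between the two tables. When you audit a real Transit Gateway, checking each table for routes it should not contain (including the return routes) is what confirms the segmentation, since there is no explicit deny to look for.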

After examining how to connect multiple VPCs using Transit Gateway so that various segmented VPCs can talk to each other, you will explore the various options for securely connecting your facilities and locations to your AWS cloud network.

Connecting Your On-Premises Network to Your VPC

Even as you build out your footprint in the AWS cloud, there will often be cases in which you need to connect directly to the network you have established at your on-premises locations. These might be locations where several employees work, or where you keep data and compute resources that you have either not yet moved to the cloud or do not plan to move. Whichever of these cases applies, it presents an opportunity to use the services AWS provides to create a secure connection for transporting data to and from the resources located there.

You are presented here with how to connect to a single VPC, and that VPC becomes the entry point to your AWS account, AWS organization, or both.