VPCs Together – Configuring Infrastructure Security – SCS-C02 Study Guide

VPCs Together

There are several different techniques that you can use to network VPCs together. Which method you use depends mainly on your requirements. The most common are shown in the following list:

  • VPC peering: This lets you connect two VPCs via a direct, private network connection. VPC peering enables traffic flow between VPCs as if they were part of the same network. This approach suits scenarios that require a connection between VPCs in the same Region or across Regions within the same AWS account.
  • Transit Gateway: This fully managed service allows you to connect multiple VPCs in a hub-and-spoke model, making it easier to manage network traffic between VPCs. Transit Gateway acts as a centralized hub to connect multiple VPCs, simplifying network routing and security configuration. This approach is suitable for scenarios that require connections between multiple VPCs within the same Region or across multiple Regions within the same AWS account.
  • VPN connections: These allow you to establish a secure, encrypted connection between your VPC and an external network, such as your on-premises data center or another VPC. VPN connections can be used to connect VPCs using the internet as the transport medium. This approach suits scenarios that require connections between VPCs in different AWS accounts or Regions, or from your VPC to an on-premises network.
  • AWS Direct Connect: This allows you to establish a dedicated, private network connection between your VPC and your on-premises data center or co-location facility. Direct Connect provides a more reliable and consistent network connection compared to a VPN connection. This approach suits scenarios that require connections between VPCs in different AWS accounts or Regions with high bandwidth and low latency.

Having gone through an overview of the techniques used to network VPCs together, you can proceed to take a deeper look at peering two or more VPCs together.

What Is Peering When It Comes to VPCs?

Suppose you need to create a direct, private network connection between two VPCs. In that case, you can use VPC peering. It is a networking solution that allows you to connect two Amazon VPCs together so that they can communicate using private IP addresses. VPC peering can span multiple VPCs within the same Region or multiple Regions and can even connect VPCs in different accounts.

The following are some scenarios where VPC peering may be helpful:

  • Connecting VPCs within the same account or different accounts
  • Connecting VPCs in different Regions
  • Simplifying network management by avoiding the need for VPN connections or multiple VPC gateways
  • Transferring data between VPCs without incurring data transfer costs

When you create a VPC peering connection, you establish a direct network connection between the VPCs. This connection is private and secure; traffic between the VPCs doesn’t leave the AWS network. VPC peering supports communication between VPCs using IPv4 and IPv6 addresses with the same security and networking features that you use within a single VPC, such as security groups, NACLs, and routing tables.

Figure 10.25: VPC peering across three VPCs

As you can see in Figure 10.25, VPC 1 is the primary network, peered with two other networks, VPC 2 and VPC 3. When the peering connection is requested, each VPC must accept the peering connection individually. Once the peering connection has been established, and as long as entries are placed in the routing tables to allow network traffic flow, the other VPCs can connect. As shown in Figure 10.25, any instance located in VPC 2 could not contact VPC 3 unless a separate peering connection was made between those VPCs. Even though VPC 1 seemingly acts as a bridge between VPC 2 and VPC 3, each connection is distinct on its own.
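The two conditions just described (an accepted peering connection and matching route table entries on both sides, with no transitive forwarding through a middle VPC) can be checked mechanically. The following is an added example, not code from the study guide: it models the topology of Figure 10.25 with constructed VPC IDs, CIDRs, peering IDs and route tables (in practice these would come from `aws ec2 describe-vpc-peering-connections` and `aws ec2 describe-route-tables`), and reports why a given pair of VPCs can or cannot talk.

```python
import ipaddress

# Constructed model of Figure 10.25 (hypothetical IDs and CIDRs):
# VPC 1 is peered with VPC 2 and VPC 3; VPC 2 and VPC 3 are not peered.
VPCS = {"vpc-1": "10.0.0.0/16", "vpc-2": "10.1.0.0/16", "vpc-3": "10.2.0.0/16"}

# Peering connection id -> (requester VPC, accepter VPC, status)
PEERINGS = {
    "pcx-12": ("vpc-1", "vpc-2", "active"),
    "pcx-13": ("vpc-1", "vpc-3", "active"),
}

# Route table per VPC: list of (destination CIDR, target). VPC 2 carries a
# route for VPC 3's CIDR that points at pcx-12, a common mistake that assumes
# VPC 1 will forward the traffic on; VPC 3 has no route toward VPC 2 at all.
ROUTES = {
    "vpc-1": [("10.0.0.0/16", "local"), ("10.1.0.0/16", "pcx-12"), ("10.2.0.0/16", "pcx-13")],
    "vpc-2": [("10.1.0.0/16", "local"), ("10.0.0.0/16", "pcx-12"), ("10.2.0.0/16", "pcx-12")],
    "vpc-3": [("10.2.0.0/16", "local"), ("10.0.0.0/16", "pcx-13")],
}


def longest_match(vpc, dst_ip):
    """Return the target of the most specific route in `vpc` covering dst_ip."""
    best = None
    for cidr, target in ROUTES[vpc]:
        net = ipaddress.ip_network(cidr)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def peer_of(pcx, vpc):
    """Return the VPC on the far side of an active peering, or None."""
    if pcx not in PEERINGS or PEERINGS[pcx][2] != "active":
        return None
    requester, accepter, _ = PEERINGS[pcx]
    return accepter if vpc == requester else requester if vpc == accepter else None


def can_reach(src_vpc, dst_vpc):
    """(ok, reason): src needs a route at a peering whose far end is dst, and dst a return route."""
    dst_ip = ipaddress.ip_network(VPCS[dst_vpc])[1]
    src_ip = ipaddress.ip_network(VPCS[src_vpc])[1]
    fwd = longest_match(src_vpc, dst_ip)
    if fwd is None or fwd == "local":
        return False, f"{src_vpc} has no route toward {dst_vpc}"
    if peer_of(fwd, src_vpc) != dst_vpc:
        return False, f"{src_vpc} routes {dst_vpc} via {fwd}, which ends at {peer_of(fwd, src_vpc)} (peering is not transitive)"
    back = longest_match(dst_vpc, src_ip)
    if peer_of(back, dst_vpc) != src_vpc:
        return False, f"{dst_vpc} has no return route to {src_vpc}"
    return True, f"{src_vpc} <-> {dst_vpc} via {fwd}"
```

Running `can_reach` over every ordered pair of VPCs gives a quick audit of which peered paths are actually usable and which route entries are dead.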

VPC peering is useful if you need to quickly connect one or two VPCs, even if they are not in the same account. There are limitations when using VPC peering; the next section will explain them.