How-To
Create a VPC Peering Connection Between AWS Regions
One of the most fundamental constructs in the Amazon cloud is the Virtual Private Cloud, or VPC as it is usually called. For those who might not be familiar with a VPC, it is a mechanism that provides a logical isolation layer for AWS resources. To put it another way, a VPC is essentially a virtual network. You can create subnets within a VPC and even link a VPC to a gateway in order to allow internet access.
Over time, organizations often end up with multiple VPCs. An organization might for instance, create a different VPC for each AWS region that they use. Similarly, an organization might create separate VPCs for each business unit. VPCs work really well for these types of use cases because they create an isolation layer. Resources in one VPC generally cannot see any of the resources residing in a different VPC unless you have given them a way to do so.
Herein lies the problem. Whereas an organization might initially group resources into two separate VPCs for the specific purpose of creating an isolation boundary, changing business needs may eventually require that resources in the two VPCs be able to communicate with one another.
While it might initially seem as though the easy solution to this problem would be to move everything to a single VPC, this isn't usually a viable option. Most resources cannot be moved between VPCs and must instead be deleted and then recreated, which would obviously create problems of its own. A better solution is to create a VPC peering connection between the two VPCs. This will allow the resources in one VPC to communicate with the resources in another as though they were a part of the same virtual network. You can create a peering connection between any two VPCs, regardless of whether or not those VPCs are in the same region.
Let's take a look at how to create a peering connection between VPCs in two different regions. The reason why I want to examine this particular configuration is because organizations often design their disaster recovery strategies around regional boundaries. Setting up a peering connection between VPCs in two different regions can help to simplify your disaster recovery efforts.
Creating a Peering Connection
To create a peering connection, open the VPC dashboard and make note of the two VPCs between which you want to create a peering connection. You will need to know the VPC IDs, not just the VPC names.
Next, click the Peering Connection tab, and then click New Peering Connection. At this point, you will be taken to the Create Peering Connection screen, shown in Figure 1.
[Click on image for larger view.] Figure 1: This is the screen used to create a VPC peering connection.
As you can see in the figure, setting up a peering connection is a relatively simple process. To get started, enter a descriptive name for the connection that you are creating and then select the local VPC from which to establish the connection. This VPC must exist in your current region.
Next, verify the account that you want to use and then specify whether the VPC that you are connecting to exists in the current region or in a different region, and then specify the destination region if necessary. Now, just type the VPC ID for the VPC that you want to connect to and then click the Create Peering Connection button.
Once you have created the peering connection, be sure to switch to the secondary region and accept the request to form the peering connection. This request will be displayed on the VPC Dashboard and you can accept the request by selecting the Accept Request option from the Actions menu, as shown in Figure 2.
[Click on image for larger view.] Figure 2: You will need to accept the VPC peering request.
Upon accepting the request, it will take some time for the connection to be fully provisioned. As such, the peering connection won't initially work, even though the console shows the peering connection as being active. The easiest way to find out whether or not your peering connection is ready to use is to check its status. From the VPC Dashboard, click on the Peering Connections tab to see a list of the peering connections that exist in the current region. Now, click on the peering connection that you just created and then check its status on the Details screen. The peering connection shown in Figure 3 for example, is still being provisioned even though the list of peering connections indicates that the connection is active. It normally only takes about 10 minutes for the provisioning process to complete.
[Click on image for larger view.] Figure 3: It takes a bit of time for the provisioning process to complete.
About the Author
Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.