Implementing VPC Peering on AWS

Hands-On Lab

 

Adrian Cantrill

Training Architect

Length

01:00:00

Difficulty

Intermediate

In this live environment, you will learn how to create and configure VPC peering within AWS. VPC peering is a feature of AWS that allows cross-VPC communication without additional hardware or software solutions. It is a feature you will use daily in production environments, and it's useful to know for all of the AWS exams. The environment is split into three stages: an architectural overview, the creation and configuration of a VPC peer, and a demonstration of the limitations of VPC peering and some advanced features. By the end of the learning activity, you will be able to comfortably implement VPC peering, know its limitations, and, perhaps more importantly, understand when and why you would use the feature.


Introduction

By default, AWS VPCs cannot communicate with one another. VPC peering is a feature of AWS that allows cross-VPC communication without additional hardware or software solutions. VPC peering enables software-defined communications between VPCs in a highly available, highly performant, and fault-tolerant way.

In this hands-on lab, you will learn how to set up and configure VPC peering within AWS.

Setting Up the Environment

Log in to the AWS console using the login credentials provided on the lab instructions page. Make sure you're in the US East (N. Virginia) region.

Next, locate the EC2 service, right-click on it, and open it in a new browser tab. Then, open the VPC service in five new browser tabs.

We're going to open a different part of the VPC dashboard in each of our five VPC browser tabs:

  • Your VPCs
  • Subnets
  • Route Tables
  • Network ACLs
  • Peering Connections

Next, open either two instances of your terminal, or two tabs in a single instance. I recommend opening two instances and keeping them both open on your screen at the same time. Log in to the first instance.

ssh cloud_user@INSTANCE1_PUBLIC_IP_ADDRESS

Type yes at the authorization prompt, press Enter, and then enter your password.

Next, use the clear command to clear your screen and switch to the second instance. Repeat the steps we took to log in to the first instance.

ssh cloud_user@INSTANCE2_PUBLIC_IP_ADDRESS

Once again, type yes at the authorization prompt, press Enter, and then enter your password. Enter the clear command to clear the screen. We're now logged in to both instances.

Create and Configure a Peering Connection

In your Instance1 terminal tab, enter the following:

ping INSTANCE2_PUBLIC_IP_ADDRESS

Press Enter. You should see multiple responses, which demonstrates that Instance2 is currently exposed to the public internet. Right now, this is the only way we can ping Instance2 from Instance1.

Now let's try pinging Instance2 using its private IP address.

ping INSTANCE2_PRIVATE_IP_ADDRESS

This time, we don't get a response. That's because there's no private connectivity between Instance1 and Instance2.

Before we set that up, let's tighten up the security of Instance2. We need to configure it so that only IP addresses from VPC1, VPC2, and VPC3 can ping it. This will prevent pings from the open internet and ensure that the only way to ping Instance2 is if there are active and configured VPC peers.

Go back to the AWS console in your web browser, and navigate to the Network ACLs tab we opened earlier. Select the Public2-NACL by clicking the checkbox on the left. Next, click the Inbound Rules tab at the bottom of the screen, and click Edit. We're going to make changes to Rule # 104. Under Source, change "0.0.0.0/0" to "10.0.0.0/13". Click Save.

Switch back to your terminal application, and let's try pinging the Instance2 public IP address again.

ping INSTANCE2_PUBLIC_IP_ADDRESS

It doesn't return any data, which means we've successfully updated the NACL.
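
Why the ping to the public IP stops: it reaches the Instance2 subnet with Instance1's public source address, which no longer matches rule 104. The added example below (not part of the lab) models NACL evaluation and shows which address space 10.0.0.0/13 admits beyond the three VPCs; treating rule 104 as an ICMP allow rule and the sample source addresses are assumptions.

```python
import ipaddress

VPC_CIDRS = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"]  # the lab's VPC1-VPC3
# Rule 104 before and after the edit (assumed to be an ICMP allow rule).
RULES_BEFORE = [(104, "icmp", "0.0.0.0/0", "allow")]
RULES_AFTER = [(104, "icmp", "10.0.0.0/13", "allow")]

def nacl_allows(rules, src_ip, proto):
    """Evaluate rules in ascending rule-number order; first match wins."""
    addr = ipaddress.ip_address(src_ip)
    for _, r_proto, cidr, action in sorted(rules):
        if r_proto in (proto, "all") and addr in ipaddress.ip_network(cidr):
            return action == "allow"
    return False  # the implicit final '*' rule denies everything else

def excess_blocks(source_cidr, vpc_cidrs):
    """Blocks inside source_cidr that belong to none of the listed VPCs."""
    remaining = [ipaddress.ip_network(source_cidr)]
    for vpc in map(ipaddress.ip_network, vpc_cidrs):
        nxt = []
        for block in remaining:
            if vpc.subnet_of(block):
                nxt.extend(block.address_exclude(vpc))  # carve the VPC out
            elif not block.overlaps(vpc):
                nxt.append(block)                       # untouched by this VPC
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))

def tightest_supernet(cidrs):
    """Smallest single prefix that still covers every listed CIDR."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover

if __name__ == "__main__":
    for src in ("10.1.0.10", "198.51.100.7"):  # constructed source addresses
        print(src, nacl_allows(RULES_BEFORE, src, "icmp"),
              nacl_allows(RULES_AFTER, src, "icmp"))
    print("extra space admitted:",
          [str(n) for n in excess_blocks("10.0.0.0/13", VPC_CIDRS)])
    print("tightest single prefix:", tightest_supernet(VPC_CIDRS))
```
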

Create a VPC Peering Connection Between VPC1 and VPC2

In the AWS console, navigate to your Peering Connections browser tab. Click Create Peering Connection. Click into the VPC (Requester) field, and select VPC1 from the dropdown. For VPC (Accepter), select VPC2. Leave all the other settings on this page as their defaults, and click Create Peering Connection. Then click OK to close out of the success message.

We've created the request for VPC1 to peer with VPC2. The next step is to accept this request. Click Actions, then Accept Request. Click Yes, Accept then Close.

We have now established a VPC peer between VPC1 and VPC2. Let's verify that it's working by pinging VPC2's internal IP address. Go back to your terminal window, and enter the following in your Instance1 window:

ping INSTANCE2_PRIVATE_IP_ADDRESS

We'll see that it fails again. This is because while we have set up an active VPC peering connection between VPC1 and VPC2, we haven't yet configured the VPC router to route traffic between the two VPCs. Let's fix that now.

Navigate to the Route Tables browser tab we opened earlier. Select the Public1-RT route table, and click the Routes tab at the bottom of the screen. Click Edit, then Add another route. For Destination, enter "10.2.0.0/16". For Target, select the VPC peer; it should begin with pcx. Click Save.

Next, we need to repeat this process for the Private1 subnet. Uncheck the box next to Public1-RT, and select Private1-RT. Open the Routes tab, and click Edit. Click Add another route, and paste in the CIDR block for VPC2 ("10.2.0.0/16") under Destination. Under Target, select the VPC peer beginning with pcx. Then click Save.

Next, follow the same steps for Public2-RT and Private2-RT. This time, make sure to enter the CIDR for VPC1 ("10.1.0.0/16") for the Destination in each rule.

Go back to your terminal windows, and you'll see that our ping is now successfully returning information since we configured the route tables.

Transitive Peering

At this point, we have a VPC peering connection between VPC1 and VPC2, but VPC3 is still isolated. Let's fix that now.

Create a VPC Peering Connection Between VPC2 and VPC3

Open the Peering Connections browser tab we opened earlier, and click Create Peering Connection. This time, select VPC2 for VPC (Requester) and VPC3 for VPC (Accepter). Then click Create Peering Connection and close out of the success message.

On the VPC Dashboard page, select the peering connection with the Pending Acceptance status. Click Actions, Accept Request, and Yes, Create. Then, copy the ID for the peering connection we just created.

Now we need to configure the public and private route tables for VPC2 and VPC3. Let's start with VPC2. Go back to the Route Tables browser tab, and select Public2-RT. Click the Routes tab at the bottom of the screen. Click Edit, then Add another route. For Destination, enter "10.3.0.0/16". For Target, paste in the ID for the most recently created peering connection (it should be copied to your clipboard). Click Save.

Next, uncheck the box next to Public2-RT, and select Private2-RT. Open the Routes tab, and click Edit. Click Add another route, and paste in the CIDR block for VPC3 ("10.3.0.0/16") under Destination. Under Target, paste in the VPC peering connection ID we copied earlier. Then click Save.

Then, repeat these steps for Public3-RT and Private3-RT. This time, make sure to enter the CIDR for VPC2 ("10.2.0.0/16") for the Destination in each rule. Remember to use the ID of the most recently created VPC peering connection for the Target in each rule.

Go back to your terminals, and let's try to ping the private IP of Instance3 from Instance1.

Press Ctrl+C to cancel our previous ping, and then enter the following:

ping INSTANCE3_PRIVATE_IP_ADDRESS

We'll see that it doesn't work. This is because VPC peering is not transitive, which means that VPCs that are not directly connected via a VPC peering connection cannot communicate with one another, even if they're both connected to a third VPC.

Let's try accessing Instance3 from Instance2. Before we can get a successful ping, we have to update the NACL for Instance3. Let's do that now.

Navigate to your Network ACLs browser tab, and select Private3-NACL. Next, select the Inbound Rules tab, and click Edit, then Add another rule. Enter the following for the rule:

  • Rule #: 100
  • Type: All ICMP - IPv4
  • Source: 10.0.0.0/13
  • Allow / Deny: ALLOW

Click Save. Next, select the Outbound Rules tab and repeat the above steps to set up a new outbound rule.

Return to the terminals, and let's try pinging Instance3 from Instance2. In the Instance2 window, enter:

ping INSTANCE3_PRIVATE_IP_ADDRESS

The ping between VPC2 and VPC3 should now be successful.

Create a VPC Peering Connection Between VPC1 and VPC3

Now let's set up a VPC peering connection between VPC1 and VPC3. Go back to the Peering Connections browser tab, and click Create Peering Connection. For VPC (Requester), select VPC1. For VPC (Accepter), select VPC3. Click Create Peering Connection, and then click OK.

Select the peering connection with the Pending Acceptance status. Next, click Actions, Accept Request, then Yes, Accept. Click Close. Next, copy the ID of the most recent VPC peering connection to your clipboard.

Switch to the Route Tables browser tab, and select Public1-RT. Click Edit and Add another route. Paste in the VPC peer ID we just copied, and enter the CIDR for VPC3 ("10.3.0.0/16") for Destination. Click Save. Repeat these steps for Private1-RT.

Next, select Public3-RT. Click Edit and Add another route. Paste in the VPC peer ID we copied earlier, and enter the CIDR for VPC1 ("10.1.0.0/16") for Destination. Click Save. Repeat these steps for Private3-RT.

Return to the terminal windows, and you should now see the ping between VPC1 and VPC3 is working.
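
The routing behaviour seen across the three peering steps above can be replayed offline with a small model. This is an added example, not part of the lab: the instance addresses and pcx IDs are constructed placeholders, and the delivery rule in `one_way` is a simplified model of VPC peering that ignores NACLs and security groups.

```python
import ipaddress

VPCS = {"VPC1": "10.1.0.0/16", "VPC2": "10.2.0.0/16", "VPC3": "10.3.0.0/16"}

def owner(ip):
    """Name of the VPC whose CIDR contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((v for v, c in VPCS.items() if addr in ipaddress.ip_network(c)), None)

def one_way(src_vpc, dst_ip, peerings, routes):
    """True if src_vpc's route table hands dst_ip to a peering that delivers it."""
    addr = ipaddress.ip_address(dst_ip)
    hits = [(ipaddress.ip_network(c), pcx) for c, pcx in routes.get(src_vpc, [])
            if addr in ipaddress.ip_network(c)]
    if not hits:
        return False  # a peering may exist, but no route points at it
    pcx = max(hits, key=lambda h: h[0].prefixlen)[1]  # longest-prefix match
    ends = peerings.get(pcx, ())
    # A peering delivers only to addresses inside the VPC at its far end and
    # never forwards onward through that VPC (no transitive routing).
    return src_vpc in ends and owner(dst_ip) in ends and owner(dst_ip) != src_vpc

def can_ping(src_ip, dst_ip, peerings, routes):
    """Echo request and echo reply must each find a route."""
    return (one_way(owner(src_ip), dst_ip, peerings, routes)
            and one_way(owner(dst_ip), src_ip, peerings, routes))

def lab_stages():
    """Replay the lab's steps; addresses and pcx IDs are constructed placeholders."""
    i1, i2, i3 = "10.1.0.10", "10.2.0.10", "10.3.0.10"
    peerings, routes, out = {"pcx-1to2": ("VPC1", "VPC2")}, {}, {}
    out["peered_no_routes"] = can_ping(i1, i2, peerings, routes)
    routes["VPC1"] = [("10.2.0.0/16", "pcx-1to2")]
    routes["VPC2"] = [("10.1.0.0/16", "pcx-1to2")]
    out["vpc1_vpc2"] = can_ping(i1, i2, peerings, routes)
    peerings["pcx-2to3"] = ("VPC2", "VPC3")
    routes["VPC2"].append(("10.3.0.0/16", "pcx-2to3"))
    routes["VPC3"] = [("10.2.0.0/16", "pcx-2to3")]
    out["vpc2_vpc3"] = can_ping(i2, i3, peerings, routes)
    out["vpc1_vpc3_via_vpc2"] = can_ping(i1, i3, peerings, routes)
    forced = {**routes, "VPC1": routes["VPC1"] + [("10.3.0.0/16", "pcx-1to2")]}
    out["vpc1_vpc3_route_via_pcx_1to2"] = can_ping(i1, i3, peerings, forced)
    peerings["pcx-1to3"] = ("VPC1", "VPC3")
    routes["VPC1"].append(("10.3.0.0/16", "pcx-1to3"))
    routes["VPC3"].append(("10.1.0.0/16", "pcx-1to3"))
    out["vpc1_vpc3_direct"] = can_ping(i1, i3, peerings, routes)
    return out

if __name__ == "__main__":
    print(lab_stages())
```
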

Cross-Peer DNS Resolution

As a final step, let's take a look at the role of DNS in VPC peering. Go back to your EC2 browser tab, and select Instance2. In the Description tab at the bottom of the page, locate the Public DNS (IPv4). Select it, and copy it to your clipboard.

Go back to your Instance1 terminal screen, and enter the following:

ping INSTANCE2_PUBLIC_DNS_NAME

This fails because the public DNS name currently resolves to Instance2's public IP address, and we updated the NACL for the Instance2 subnet to prevent public IP addresses from pinging Instance2; we only allowed internal IP addresses of our VPCs to do so.

Go back to the AWS console, and open the VPC Peering Connections browser tab. Select the VPC peering connection between VPC1 and VPC2. Click Actions, then Edit DNS Settings. Next to DNS resolution, check both checkboxes. Click Save then Close.

Go back to your terminal windows, and if necessary, cancel any commands running in Instance1, then use clear to clear the screen. Then ping the public DNS name of Instance2.

ping INSTANCE2_PUBLIC_DNS_NAME

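With DNS resolution enabled on the peering connection, the public DNS name now resolves to the private IP address of Instance2. The change may take a few minutes to take effect, but we should now be successfully pinging the private IP address of Instance2.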

Conclusion

Congratulations, you've successfully completed this lab!