Bird
Raised Fist0
AWScloud~5 mins

VPC peering concept in AWS - Commands & Configuration

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction
Sometimes you have two separate private networks in the cloud and you want them to talk to each other securely without using the internet. VPC peering connects these networks so resources in one can reach resources in the other as if they were in the same network.
When you have two applications running in different VPCs that need to share data privately.
When you want to connect a database in one VPC to an application server in another VPC without exposing it publicly.
When your company has multiple teams managing separate VPCs but they need to collaborate on shared services.
When you want to reduce internet traffic costs by routing traffic directly between VPCs.
When you want to keep network traffic secure and isolated within the cloud provider's network.
Config File - vpc-peering.yaml
vpc-peering.yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation template to create a VPC peering connection
Resources:
  VPCPeeringConnection:
    Type: AWS::EC2::VPCPeeringConnection
    Properties:
      PeerVpcId: vpc-0a1b2c3d4e5f67890
      VpcId: vpc-0123456789abcdef0
      Tags:
        - Key: Name
          Value: example-vpc-peering

This CloudFormation template creates a VPC peering connection between two existing VPCs.

VpcId is the ID of your VPC.

PeerVpcId is the ID of the other VPC you want to connect to.

The Tags section names the peering connection for easy identification.

Commands
This command creates a VPC peering connection between your VPC and the peer VPC in the us-east-1 region.
Terminal
aws ec2 create-vpc-peering-connection --vpc-id vpc-0123456789abcdef0 --peer-vpc-id vpc-0a1b2c3d4e5f67890 --region us-east-1
Expected OutputExpected
{ "VpcPeeringConnection": { "VpcPeeringConnectionId": "pcx-0abc123def456ghij", "Status": { "Code": "pending-acceptance", "Message": "Pending Acceptance by peer" }, "RequesterVpcInfo": { "VpcId": "vpc-0123456789abcdef0", "OwnerId": "123456789012", "Region": "us-east-1" }, "AccepterVpcInfo": { "VpcId": "vpc-0a1b2c3d4e5f67890", "OwnerId": "123456789012", "Region": "us-east-1" } } }
--vpc-id - Specifies your VPC ID to connect from
--peer-vpc-id - Specifies the peer VPC ID to connect to
--region - Specifies the AWS region where the VPCs exist
This command accepts the VPC peering connection request from the peer VPC side to establish the connection.
Terminal
aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-0abc123def456ghij --region us-east-1
Expected OutputExpected
{ "VpcPeeringConnection": { "VpcPeeringConnectionId": "pcx-0abc123def456ghij", "Status": { "Code": "active", "Message": "Active" }, "RequesterVpcInfo": { "VpcId": "vpc-0123456789abcdef0", "OwnerId": "123456789012", "Region": "us-east-1" }, "AccepterVpcInfo": { "VpcId": "vpc-0a1b2c3d4e5f67890", "OwnerId": "123456789012", "Region": "us-east-1" } } }
--vpc-peering-connection-id - Specifies the ID of the peering connection to accept
--region - Specifies the AWS region where the VPC peering connection exists
This command checks the status of the VPC peering connection to confirm it is active and ready to use.
Terminal
aws ec2 describe-vpc-peering-connections --vpc-peering-connection-ids pcx-0abc123def456ghij --region us-east-1
Expected OutputExpected
{ "VpcPeeringConnections": [ { "VpcPeeringConnectionId": "pcx-0abc123def456ghij", "Status": { "Code": "active", "Message": "Active" }, "RequesterVpcInfo": { "VpcId": "vpc-0123456789abcdef0", "OwnerId": "123456789012", "Region": "us-east-1" }, "AccepterVpcInfo": { "VpcId": "vpc-0a1b2c3d4e5f67890", "OwnerId": "123456789012", "Region": "us-east-1" } } ] }
--vpc-peering-connection-ids - Filters the output to show only the specified peering connection
--region - Specifies the AWS region to query
Key Concept

If you remember nothing else from this pattern, remember: VPC peering lets two private networks connect directly and securely inside the cloud without using the internet.

Common Mistakes
Trying to create a VPC peering connection between VPCs in different AWS regions without enabling inter-region peering.
VPC peering connections by default only work within the same region unless inter-region peering is explicitly supported and enabled.
Use inter-region VPC peering by specifying the correct region and ensuring both VPCs support it.
Not updating route tables in both VPCs after creating the peering connection.
Without route table updates, traffic won't know to use the peering connection to reach the other VPC.
Add routes in each VPC's route table pointing to the peering connection for the other VPC's CIDR block.
Not accepting the peering connection request from the peer VPC side.
The peering connection stays in pending state and is not usable until accepted.
Run the accept command from the peer VPC account or region to activate the connection.
Summary
Create a VPC peering connection request between two VPCs using the AWS CLI.
Accept the peering connection from the peer VPC to establish the link.
Verify the peering connection status is active before using it.

Practice

(1/5)
1. What is the main purpose of VPC peering in AWS?
easy
A. To connect two private networks securely within AWS
B. To provide public internet access to a VPC
C. To create a backup of a VPC in another region
D. To launch virtual machines automatically

Solution

  1. Step 1: Understand VPC peering concept

    VPC peering connects two private networks (VPCs) securely inside AWS without using the public internet.

  2. Step 2: Compare options

    Only To connect two private networks securely within AWS describes secure connection of private networks. Other options describe unrelated AWS features.

  3. Final Answer:

    To connect two private networks securely within AWS -> Option A

  4. Quick Check:

    VPC peering = secure private network connection [OK]
Hint: VPC peering links private networks, not public access [OK]
Common Mistakes:
  • Confusing VPC peering with internet gateway
  • Thinking VPC peering creates backups
  • Assuming it launches virtual machines
2. Which of the following is the correct way to create a VPC peering connection using AWS CLI?
easy
A. aws ec2 create-route-table --vpc-id vpc-123abc
B. aws ec2 create-vpc-peering-connection --vpc-id vpc-123abc --peer-vpc-id vpc-456def
C. aws ec2 create-subnet --vpc-id vpc-123abc --cidr-block 10.0.0.0/24
D. aws ec2 create-internet-gateway --vpc-id vpc-123abc

Solution

  1. Step 1: Identify the correct AWS CLI command for VPC peering

    The command to create a VPC peering connection is create-vpc-peering-connection with source and peer VPC IDs.

  2. Step 2: Check options

    aws ec2 create-vpc-peering-connection --vpc-id vpc-123abc --peer-vpc-id vpc-456def uses the correct command and parameters. Other options create unrelated resources like internet gateway, subnet, or route table.

  3. Final Answer:

    aws ec2 create-vpc-peering-connection --vpc-id vpc-123abc --peer-vpc-id vpc-456def -> Option B

  4. Quick Check:

    VPC peering CLI = create-vpc-peering-connection [OK]
Hint: Look for 'create-vpc-peering-connection' command [OK]
Common Mistakes:
  • Using internet gateway or subnet commands instead
  • Confusing route table creation with peering
  • Missing peer VPC ID parameter
3. After establishing a VPC peering connection between VPC A and VPC B, which step is necessary to enable communication between instances in both VPCs?
medium
A. Attach a NAT gateway to both VPCs
B. Create an internet gateway in both VPCs
C. Enable public IP addresses on all instances
D. Update route tables in both VPCs to include routes to each other's CIDR blocks

Solution

  1. Step 1: Understand VPC peering communication requirements

    VPC peering connects networks but does not automatically update routing. You must add routes to route tables for traffic to flow.

  2. Step 2: Analyze options

    Only Update route tables in both VPCs to include routes to each other's CIDR blocks correctly describes updating route tables with routes to the peer VPC's CIDR block. Other options relate to internet or NAT, not peering.

  3. Final Answer:

    Update route tables in both VPCs to include routes to each other's CIDR blocks -> Option D

  4. Quick Check:

    Route tables must include peer CIDR for communication [OK]
Hint: Always update route tables after peering [OK]
Common Mistakes:
  • Assuming internet gateway is needed for peering
  • Thinking public IPs are required
  • Confusing NAT gateway with peering setup
4. You created a VPC peering connection but instances in VPC A cannot reach instances in VPC B. What is the most likely cause?
medium
A. Instances need public IP addresses to communicate over peering
B. The VPC peering connection is automatically rejected after creation
C. Route tables in VPC A or VPC B do not have routes to the peer VPC's CIDR block
D. Security groups do not allow internet traffic

Solution

  1. Step 1: Check common VPC peering issues

    Communication fails often because route tables lack routes to the peer VPC's CIDR block.

  2. Step 2: Evaluate other options

    The VPC peering connection is automatically rejected after creation is false; peering is not auto-rejected. Instances need public IP addresses to communicate over peering is wrong; public IPs are not needed. Security groups do not allow internet traffic is unrelated to peering communication.

  3. Final Answer:

    Route tables in VPC A or VPC B do not have routes to the peer VPC's CIDR block -> Option C

  4. Quick Check:

    Missing routes cause peering communication failure [OK]
Hint: Check route tables first when peering fails [OK]
Common Mistakes:
  • Assuming peering rejects automatically
  • Thinking public IPs are required for peering
  • Confusing security group rules with internet traffic
5. You have two VPCs in different AWS regions and want to connect them using VPC peering. What is the correct approach?
hard
A. Create an inter-region VPC peering connection and update route tables accordingly
B. Create a standard VPC peering connection; region does not matter
C. Use an internet gateway to connect the two VPCs
D. Launch VPN instances in both VPCs and connect them manually

Solution

  1. Step 1: Understand VPC peering across regions

    A special inter-region VPC peering connection is required to connect VPCs in different AWS regions.

  2. Step 2: Analyze options

    Create an inter-region VPC peering connection and update route tables accordingly correctly states creating an inter-region peering and updating routes. Create a standard VPC peering connection; region does not matter is wrong because standard peering is regional. Use an internet gateway to connect the two VPCs and D describe unrelated or complex alternatives.

  3. Final Answer:

    Create an inter-region VPC peering connection and update route tables accordingly -> Option A

  4. Quick Check:

    Inter-region peering requires special connection and routing [OK]
Hint: Use inter-region peering for different AWS regions [OK]
Common Mistakes:
  • Trying standard peering across regions
  • Using internet gateway for private VPC connection
  • Ignoring route table updates after peering