AUTHOR: http://aws.typepad.com/aws/2014/03/new-vpc-peering-for-the-amazon-virtual-private-cloud.html LINK!

Comments

Daniel

We've been looking forward to such a feature for quite a while, but would appreciate it if we were able to connect VPCs in different AWS regions too.

Evgeny Goldin

Hello Jeff,

The timing of this feature couldn't be better - we may use it for splitting a monolithic VPC into stateless and stateful CloudFormation Stacks, each one running in its own VPC. It also allows using a CloudHSM service parked in its own VPC and peered with others. Previously, we were establishing VPC-to-VPC connectivity manually and it was one of the major pain points in the project. Awesome!

Hendri Morris

Is VPC peering between regions on the horizon?

AnttiSiiskonen

This is amazing. We've been looking into spreading our services over multiple AWS accounts, but the options were all problematic in various ways. Mainly the shared resources were a big problem, as we didn't want to end up maintaining a mesh of OpenVPN connections or something similar. I only wish we had this feature six months ago, or at least that we had known this was coming at some point. Anyway, great stuff again! Keep 'em coming!

Rusty

I understand that VPC peering is designed as non-transitive (ie: "VPC A trusts VPC B & VPC C" does not mean "VPC B trusts VPC C").

However, with VPC peering, is it possible to route additional traffic over the peering connection? For example, if VPC A and VPC B are peered, would it be possible to add a route for 0.0.0.0/0 in VPC B which directs to the PCX and sends internet traffic out over a NAT instance residing in VPC A?

If VPC A is linked to another private network residing in external infrastructure (ie: via IPSec), could traffic for that external infrastructure be potentially reached from VPC B, by routing it through the PCX to VPC A and then onward across the external IPSec link?

Robert Leverington

How does this work in relation to Direct Connect? I.e. Will a peered VPC be able to utilise a Direct Connect attached to another VPC?

Milan Musec

Hi Jeff,

Great feature. However, the downside is that edge-to-edge routing is not possible. I can understand the technical reasons for that, but is there a way to enable edge-to-edge routing using some NAT server or so? It would be great if we were able to reach out to the peered VPC.

Maf

There is nothing stopping you from forwarding on connections, but from the AWS perspective (IGW etc.) it's non-transitive. For example, VPC A cannot use an IGW in VPC B to get to the internet. You'd need to terminate the connection in the target VPC and then forward it on. Make sense?
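
As an added example (not from the post, from AWS, or from any commenter), the non-transitive rule Maf describes above can be turned into a route-table check: any route whose target is a peering connection but whose destination is wider than the peer VPC's own CIDR (0.0.0.0/0 toward a peer's NAT or IGW, or an on-prem prefix behind a peer's VPN gateway) is edge-to-edge routing and is not honoured across the peering. The VPC ids, CIDRs, pcx ids and route entries below are constructed sample data.

```python
# Constructed example: audit a VPC route table against the rule that a
# peering connection only carries traffic destined for the peer VPC's CIDR.
import ipaddress

# Constructed inventory: VPC id -> CIDR, and pcx id -> (requester VPC, accepter VPC).
VPCS = {"vpc-a": "10.0.0.0/16", "vpc-b": "10.1.0.0/16"}
PEERINGS = {"pcx-ab": ("vpc-a", "vpc-b")}


def peer_of(pcx_id, vpc_id):
    """Return the VPC on the far side of a peering connection, or None."""
    ends = PEERINGS.get(pcx_id)
    if ends is None or vpc_id not in ends:
        return None
    return ends[1] if ends[0] == vpc_id else ends[0]


def audit_routes(vpc_id, routes):
    """Classify each (destination_cidr, target) route of a VPC's route table.

    Returns (destination, target, verdict) triples. Verdicts: 'ok',
    'edge-to-edge' (traffic would be dropped by the peering) or 'unknown-pcx'.
    """
    findings = []
    for dest, target in routes:
        if not target.startswith("pcx-"):
            findings.append((dest, target, "ok"))  # local/igw/nat/vgw: out of scope here
            continue
        peer = peer_of(target, vpc_id)
        if peer is None:
            findings.append((dest, target, "unknown-pcx"))
            continue
        inside_peer = ipaddress.ip_network(dest).subnet_of(ipaddress.ip_network(VPCS[peer]))
        findings.append((dest, target, "ok" if inside_peer else "edge-to-edge"))
    return findings


# Constructed route table for vpc-b, including the ideas raised in the thread.
ROUTES_B = [
    ("10.1.0.0/16", "local"),
    ("10.0.0.0/16", "pcx-ab"),     # fine: destination is vpc-a's own CIDR
    ("0.0.0.0/0", "pcx-ab"),       # tries to use vpc-a's NAT/IGW: not honoured
    ("192.168.0.0/16", "pcx-ab"),  # on-prem prefix behind vpc-a's VPN: not honoured
]

if __name__ == "__main__":
    for finding in audit_routes("vpc-b", ROUTES_B):
        print(finding)
```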

Roy Feintuch

Great stuff. Is there any encryption implemented behind the scenes? I guess that would be critical for the inter-region peering.

Bob

Is there a way to use this to route VPN traffic?

If I peer with a VPC that connects back home (VGW-CGW), can I route traffic to this peered VPC from my customer end?

Amr

1) How does traffic get routed when it hits VPC B (sent from VPC A)? Which routing table in VPC B will be used (if at all)?
2) If the target IP address is not part of VPC B's CIDR block (for example, if VPC B has a VPN GW that connects to a remote private subnet), how will the packets be routed? Will they go into the VPN GW? What if it's a proprietary (open-source based) VPN GW and not an AWS VPN GW?

Mike Wedderburn-Clarke

Excellent addition. Thank you!
3 obvious use cases for me:
1) Connect already existing VPCs together without having to route back through on-prem or through software VPN endpoints in each VPC
2) Easily work around VPC limitations (particularly security groups) and address space limitations
3) The big one for us - brand new architectural patterns are made possible including a much better 'DMZ' model. We will be designing a separate VPC which will act as the DMZ and host the Internet facing assets and the web proxies. Everything else will be in fully private VPCs peered with that one.

Feature request: please allow us to reference security groups across VPCs as that will allow for proper isolation of services in this new model.
E.g.
Public facing web site of App1 is in App1-public security group in the DMZ VPC
Public facing web site forwards requests to internal web site for the same app
Internal web site of App1 is in App1-web security group in the 'private' VPC which is now peered with the DMZ VPC
I want to be able to allow port 80/443 from App1-public to App1-web security group directly without having to group things into subnets because I don't know how large this might need to scale and I don't want to limit the ability of other apps in the same VPCs to be able to scale themselves. Security group references are ideal for this.

Thanks again,
Mike

Tom

How does an instance in a peered VPC connect to the internet? When configured with an IGW or ENI, the peered VPCs could not connect to each other.

satyendra

Thank you for releasing this. It validates our VPC design of isolating client deployments to separate VPCs. We deploy health insurance products for our clients, and need to have complete isolation of data and configuration between clients while still being able to communicate with a "support services" VPC.

Cliff Wakefield

This feature came just in time for us and allows us to deliver a "Shared Services" VPC which can be utilised by our other VPCs, such as a shared bastion (SSH gateway) that can be used across all VPCs rather than one per VPC.

Any indication when VPC Peering will be available to use in CloudFormation templates?

We have our VPC creation all done via templates but at present we are required to jump into the AWS console or AWS cli to add in the peering relationship components.
