AWS VPC Peering: SAA-C03 Study Guide

VPC Peering is a fundamental networking connection between two VPCs that enables you to route traffic between them using private IPv4 or IPv6 addresses. Instances in either VPC can communicate as if they are within the same network.

The Real-World Analogy

Imagine two separate office buildings (VPCs) in the same city. Instead of employees walking out the front door, onto the public highway (the Internet), and into the other building, the owners build a private enclosed sky-bridge directly between the two buildings. It’s faster, more secure, and the public never sees the traffic.

Core Concepts & Configuration

To establish a peering connection, the owner of the requester VPC sends a request to the owner of the accepter VPC. The connection is not active until the accepter VPC owner accepts the request.

  • Cross-Account & Cross-Region: You can peer VPCs across different AWS accounts and different AWS regions (Inter-Region VPC Peering).
  • Routing: You must manually update the Route Tables in both VPCs to point to the Peering Connection ID (pcx-xxxxxx).
  • Security Groups: You can reference Security Groups from a peered VPC (within the same region) to allow specific traffic.

The Non-Transitive Rule

This is the most critical concept for the SAA-C03 exam. VPC Peering is NOT transitive. If VPC A is peered with VPC B, and VPC B is peered with VPC C, VPC A cannot communicate with VPC C through VPC B. You must create a direct peering connection between A and C.

Comparison: VPC Peering vs. Alternatives

| Feature      | VPC Peering                       | Transit Gateway                  | AWS PrivateLink                  |
|--------------|-----------------------------------|----------------------------------|----------------------------------|
| Architecture | Point-to-Point (Mesh)             | Hub-and-Spoke                    | Service-to-Service               |
| Transitive?  | No                                | Yes                              | No                               |
| Complexity   | High at scale (N²)                | Low at scale (Centralized)       | Low (Unidirectional)             |
| Cost         | No hourly fee; data transfer only | Hourly fee + data processing fee | Hourly fee + data processing fee |

Decision Matrix: If–Then Guide

  • If you need to connect two VPCs with the lowest possible latency and no extra hourly costs, Then choose VPC Peering.
  • If you have tens or hundreds of VPCs that need to communicate with each other, Then choose AWS Transit Gateway.
  • If you want to expose a specific service to thousands of other VPCs without allowing full network access, Then choose AWS PrivateLink.
  • If you have overlapping CIDR blocks, Then VPC Peering is impossible.

Exam Tips and Gotchas

  • No Overlapping CIDRs: You cannot peer VPCs if their primary or secondary CIDR blocks overlap. This is a common “distractor” in exam questions.
  • Edge-to-Edge Routing: You cannot use a VPC peering connection to “hop” to a VPN or Direct Connect on the other side. (e.g., On-prem -> VPN -> VPC A -> Peering -> VPC B is NOT allowed).
  • DNS Resolution: By default, the public DNS hostnames of instances in a peered VPC resolve to their public IPs. You must explicitly enable “DNS Resolution Support” in the peering connection settings for them to resolve to private IPs.
  • Update Both Sides: A peering connection is useless without route table entries in both VPCs.
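To make the acceptance, routing and CIDR rules above concrete, here is an added Python model (not code from the original guide or from AWS; the VPC names, CIDRs and pcx- IDs are constructed) that decides whether two VPCs can reach each other under those rules, including the A-B-C chain from the non-transitive section:

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Vpc:
    name: str
    cidr: str
    routes: dict = field(default_factory=dict)  # destination CIDR -> target, e.g. a pcx- ID

@dataclass
class Peering:
    pcx_id: str
    requester: str
    accepter: str
    accepted: bool = False  # inactive until the accepter VPC owner accepts

def cidrs_overlap(a: str, b: str) -> bool:
    """AWS refuses a peering when the two VPCs' CIDR blocks overlap."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

def create_peering(pcx_id: str, requester: Vpc, accepter: Vpc) -> Peering:
    """Model the requester side; the connection stays pending until accepted."""
    if cidrs_overlap(requester.cidr, accepter.cidr):
        raise ValueError(f"{requester.name}/{accepter.name}: overlapping CIDRs, peering impossible")
    return Peering(pcx_id, requester.name, accepter.name)

def has_route(src: Vpc, dst: Vpc, pcx_id: str) -> bool:
    """The route table must send the peer's CIDR to this specific peering connection."""
    return src.routes.get(dst.cidr) == pcx_id

def can_reach(src: Vpc, dst: Vpc, peerings: list) -> bool:
    """Reachable only over a direct, accepted peering with routes on BOTH sides.
    There is deliberately no search through intermediate VPCs: peering is not transitive."""
    for p in peerings:
        if p.accepted and {p.requester, p.accepter} == {src.name, dst.name}:
            return has_route(src, dst, p.pcx_id) and has_route(dst, src, p.pcx_id)
    return False

def demo_topology():
    """Constructed A-B-C chain from the guide; CIDRs and pcx- IDs are made up."""
    a, b, c = Vpc("A", "10.0.0.0/16"), Vpc("B", "10.1.0.0/16"), Vpc("C", "10.2.0.0/16")
    ab, bc = create_peering("pcx-ab", a, b), create_peering("pcx-bc", b, c)
    ab.accepted = bc.accepted = True
    # Update both sides of each peering, as the guide requires.
    a.routes[b.cidr], b.routes[a.cidr] = "pcx-ab", "pcx-ab"
    b.routes[c.cidr], c.routes[b.cidr] = "pcx-bc", "pcx-bc"
    # A route in A for C's CIDR via pcx-ab is a common mistake: it does not make A reach C.
    a.routes[c.cidr] = "pcx-ab"
    return {"A": a, "B": b, "C": c}, [ab, bc]
```

Running can_reach over demo_topology() shows A-B and B-C reachable but A-C not, even with the stray route in A; the same function also flags a pending (unaccepted) peering or a route added on only one side.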

Topics covered in this guide:

  • Requester/Accepter workflow.
  • Inter-Region and Cross-Account capabilities.
  • The “No Transitive Routing” constraint.
  • Route table and Security Group integration.
  • Comparison with Transit Gateway and PrivateLink.
  • CIDR overlap restrictions.

VPC Peering Architecture Infographic

Diagram: VPC A can talk to B, B can talk to C, but A cannot talk to C through B (no transitive access from A to C).

Service Ecosystem

Connectivity
  • IAM: Control who can create/accept peering.
  • VPC Flow Logs: Capture IP traffic on the peering link.
  • CloudWatch: Monitor peering connection status.

Performance & Scaling

High Speed
  • No single point of failure.
  • No bandwidth bottleneck (limited only by instance size).
  • Inter-region traffic is encrypted by AWS.

Cost Optimization

Economy
  • No setup or hourly fees.
  • Standard Data Transfer rates apply.
  • Cheapest option for connecting a small number of VPCs.

Production Use Case

Scenario: A company has a “Shared Services” VPC containing a centralized Active Directory and Logging server. They peer 3 other application VPCs to this Shared VPC.

Benefit: The applications can reach the AD server securely over private IPs without the cost of a Transit Gateway or the exposure of a Public Internet Gateway.
