VPC Peering and Transit Gateway - Master AWS Certified Solutions Architect Associate SAA-C03 Exam

Press + to interact

It is important to note that VPC peering does not require any additional physical hardware because it uses AWS’s existing infrastructure for connection, and therefore, no single point of failure or bandwidth bottleneck occurs in the communication.

Press + to interact

VPC peering in AWS Regions

VPC peering allows to connect VPCs in the same and different AWS Regions.

Intra-region connection: When configuring a VPC peering connection between VPCs within the same region, we can use security groups to allow traffic to and from the security group of the peering VPCs.
Inter-region connection: If we connect the VPCs from different regions, we must use the CIDR address of the connecting VPC as the source or destination in the security group to control traffic. Resources use private IP addresses to communicate with each other and never use public IP addresses. Therefore, the data transferred over the network is encrypted.

VPC peering connection cost

There are no additional charges to use VPC peering connections. However, the data transfer charges are applied when data is transferred from one AZ to another AZ or AWS Region. Data transferred through VPC peering connections within the same AZ does not cost any charges. The illustration below shows the VPC peering between single and multiple AZs and AWS Regions.

Press + to interact

Important pointers

The following points should be kept in mind when working with VPC peering:

VPC peering connection works on friendship principle. We can’t create a VPC peering connection from our VPC to any random VPC. The owner of the accepter VPC must accept the connection request.
Once the connection is established, we must update the route tables and security groups (if required) of each VPC to allow the traffic to flow between them.
VPC peering between two VPCs is a one-to-one relationship, meaning a VPC can’t have multiple VPC peering connections with another VPC.
VPC peering is not transitive peering; four VPCs in a region connected together to create a closed network doesn’t mean that the VPCs not connected directly can communicate with each other. In this case, we need a full mesh topology network.
VPC peering doesn’t allow querying or connection to the Amazon DNS server.
VPCs involved in a peering connection should not have overlapping IPv4 or IPv6 CIDR blocks.
In inter-region VPC peering connections, a maximum of 1500 bytes of the transmission unit (MTU) is allowed. MTU more than 9001 (jumbo frames) are not supported.

Example: Connecting VPCs using VPC peering

There can be scenarios where we have resources provisioned in different VPCs in one AWS Region, different Regions, or even different AWS accounts. We might want to establish a secure connection between these VPCs to allow the resources to share data over private IPv4 or IPv6 addresses.

Assume an organization has offices worldwide and its infrastructure is spread in different AWS Regions to facilitate the business. The resources deployed in each region are performing different tasks, and they might need to communicate with each other at some time to share data. The illustration below shows four VPCs from one AWS Region peered together with six peer connections.

Press + to interact

VPC peering helped VPCs communicate and share information, but this is just a small demonstration of the network in an organization. Consider a network of 100 VPCs; then, the number of connections to create a full mesh peering will be [n(n-1)/2]. Managing this huge number of connections is a problem, and we need a solution.

AWS Transit Gateway

AWS Transit Gateway is a regional resource used to connect thousands of VPCs and on-premises resources. It acts as a hub-and-spoke in the middle of the VPCs and routes traffic to them. It can manage connections to Direct Connect, Site-to-Site VPNs, and even a custom gateway.

Press + to interact

Introduction

AWS Fundamentals

Understanding Cloud Computing Essentials— From Zero to Hero

Identity and Access Management

Securing AWS Resources: Managing Access with IAM

AWS IAM Permission Boundaries

Using AWS IAM Access Analyzer

Compute Services

Understanding AWS Compute Services — From Zero to Hero

Amazon EC2: Elastic Compute Cloud

Working with Instances: An Amazon EC2 Walkthrough

Managing Instance Volumes Using EBS

Networking

Understanding Networking Services in AWS—From Zero to Hero

Controlling VPC Traffic Using Network ACLs

Managing Peer Connections between Amazon Virtual Private Clouds

Accessing AWS Services over AWS PrivateLink Using VPC Endpoints

Monitoring IP Traffic Using VPC Flow Logs

Route 53

Serverless Computing

Getting to Know AWS Lambda

Building and Deploying Serverless Applications with AWS SAM

Developing RESTful Microservices with API Gateway and DynamoDB

Building a WebSocket-Based Chat Application Using API Gateway

Mastering AWS AppSync Lambda Resolvers

Application Integration

Getting Started with Amazon Simple Queue Service (SQS)

Handling Amazon SNS Notifications with AWS Lambda

Build a Fanout Serverless Architecture using SNS, SQS, and Lambda

Decoupling Serverless Applications with Amazon EventBridge

Getting Started with AWS Step Functions

Containers

Getting Started with Amazon ECS

Create an EKS Cluster and Deploy an Application

High Availability and Scalability

Managing Application Traffic Using Elastic Load Balancers

Understanding Auto Scaling Group (ASG) in AWS

Mastering Amazon EC2 Dynamic Scaling Policies

Storage

Understanding AWS Storage Options—From Zero to Hero

Simple Storage Service (S3)

Working with AWS S3 Cross-Region Replication

Resizing Images with S3 Batch Operations and AWS Lambda

Managing Data Access with Amazon S3 Access Points

File Storage and Transfer

Getting Started with Amazon FSx for Windows File Server

Databases

Working with Relational Databases: A Beginner's Guide to AWS RDS

Getting Started with Amazon Aurora Database Engine

Working with NoSQL Databases: A Beginner's Guide to AWS DynamoDB

Exploring Graphs with Amazon Neptune

Getting Started with Amazon Keyspaces

Achieving Ultra-Fast Performance Using Amazon MemoryDB for Redis

Improving Database Performance with Amazon ElastiCache for Redis

Migration and Transfer

Use of AWS Database Migration Service from Aurora MySQL to S3

Security and Compliance

Getting Started with AWS Key Management Service (KMS)

Encrypting S3 Buckets and EBS Volumes Using KMS

Protecting Web Applications Using AWS WAF

Managing Aurora DB Credentials and API Keys Using Secrets Manager

Finding Vulnerabilities on EC2 Instances Using AWS Inspector

Deployment Services

Mastering AWS Deployment Services—From Zero to Hero

CloudFormation

Getting to Know AWS CloudFormation

AWS CloudFormation Updates: Change Sets and Stack Policies

Mastering AWS CloudFormation Helper Scripts

Machine Learning

Understanding Machine Learning Services on AWS—From Zero to Hero

Deploying a Machine Learning Model with Amazon SageMaker

Getting Started with Amazon Fraud Detector

Build an Educative Chatbot with Conversational AI Using AWS Lex

Content Delivery and Optimization

Analytics

Analyzing S3 Data and CloudTrail Logs Using Amazon Athena

Getting Started with Amazon EMR

Getting Started with Amazon Redshift

Building ETL Pipelines on AWS

Create a Data Lake with Lake Formation and Analyze It with Athena