Peer VPCs in different AWS Regions by using AWS Transit Gateway
Created by Durga Prasad Cheepuri (AWS) and Armin Gradascevic (AWS)
Environment: PoC or pilot | Technologies: Networking | AWS services: Amazon VPC |
Summary
A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch AWS resources, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, into your VPCs. When you create a peering connection between two VPCs, resources in those VPCs can communicate with each other as if they are within the same network.
There are two primary means of creating peering connections between VPCs in the AWS Cloud:
VPC peering – This type of connection is created in Amazon Virtual Private Cloud (Amazon VPC). It directly connects VPCs without requiring any additional resources or attachments. If you need to connect more than two VPCs, then the peering connections between each of the VPCs establishes a mesh network. This peering approach is suitable for connecting a small number of VPCs.
Transit gateway peering attachments – This is an AWS Transit Gateway connection, and it is also managed through Amazon VPC. Transit Gateway uses a hub-and-spoke model to connect multiple VPCs and on-premises networks. This approach supports transitive routing between VPCs, even if they're not directly peered. This peering approach is suitable if you need to connect a large number of VPCs or other networks because it requires less network maintenance. Unlike VPC peering, transit gateways can seamlessly integrate with a virtual private network (VPN), and for hybrid networks, they can integrate with AWS Direct Connect.
This pattern provides instructions for manually creating a transit gateway peering connection between two VPCs that are in the same AWS account but are in different AWS Regions. You can reuse this pattern to create a hub-and-spoke network model to connect hybrid networks within a single AWS account or across multiple accounts. This solution creates a transit gateway in each Region and then configures the transit gateways and route tables to support inter-Region communication between the target VPCs, which are in the same account. To automatically set up inter-Region peering, see Automate the setup of inter-Region peering with AWS Transit Gateway.
Prerequisites and limitations
Prerequisites
Limitations
Architecture
The following image shows how a transit gateway peering attachment is used to connect VPC in different AWS Regions. This connection supports communication between resources in the VPCs, such as between Amazon EC2 instances.
AWS Transit Gateway is a central hub that connects VPCs and on-premises networks.
Amazon Virtual Private Cloud (Amazon VPC) helps you launch AWS resources into a virtual network that you’ve defined. This virtual network resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
Epics
| Task | Description | Skills required |
|---|
Create a transit gateway in each Region. | In Region 1, create a transit gateway. For instructions, see Create a transit gateway. Repeat the previous step to create a transit gateway in Region 2. Make note of the new transit gateway IDs. You need these values later.
| General AWS |
Create an attachment for each VPC. | In Region 1, create a VPC attachment to the transit gateway. Select all of the subnets in the VPC. For instructions, see Attach your VPCs to your transit gateway. Repeat the previous step to create a VPC attachment for the transit gateway in Region 2. Select all of the subnets in the VPC.
| General AWS |
Create a peering attachment. | Open the Amazon VPC console. In the Region selector, choose Region 1. In the navigation pane, choose Transit Gateway Attachments. Choose Create transit gateway attachment. For Transit gateway ID, choose the transit gateway that you created in Region 1. For Attachment type, choose Peering Connection. For Account, choose My account. For Region, choose Region 2. For Transit gateway (accepter), enter the ID of the transit gateway in Region 2. Choose Create transit gateway attachment.
| General AWS |
Accept the peering attachment request. | Open the Amazon VPC console. In the Region selector, choose Region 2. In the navigation pane, choose Transit Gateway Attachments. Select the transit gateway peering attachment that is pending acceptance. Choose Actions, and then choose Accept transit gateway attachment.
| General AWS |
| Task | Description | Skills required |
|---|
Configure the VPC route table in Region 1. | Open the Amazon VPC console. In the Region selector, choose Region 1. In the navigation pane, choose Route tables. Select the route table used by the VPC in this Region. Choose Actions, and then choose Edit routes. Choose Add route. For Destination, enter the CIDR block of the VPC in Region 2. For Target, choose Transit Gateway, and then enter the ID of the transit gateway in Region 1. Choose Save changes.
| General AWS |
Configure the VPC route table in Region 2. | Open the Amazon VPC console. In the Region selector, choose Region 2. In the navigation pane, choose Route tables. Select the route table used by the VPC in this Region. Choose Actions, and then choose Edit routes. Choose Add route. For Destination, enter the CIDR block of the VPC in Region 1. For Target, choose Transit Gateway, and then enter the ID of the transit gateway in Region 2. Choose Save changes.
| General AWS |
Attach the transit gateway in Region 1 to the VPC in Region 2. | Open the Amazon VPC console. In the Region selector, choose Region 1. In the navigation pane, choose Transit Gateway Attachments. Choose Create transit gateway attachment. For Transit gateway ID, choose the transit gateway that you created in Region 1. For Attachment type, choose VPC. For VPC ID, enter the ID of the VPC in Region 2. For Subnet IDs, select one subnet for each Availability Zone to be used by the transit gateway to route traffic. Choose Create transit gateway attachment.
| General AWS |
Attach the transit gateway in Region 2 to the VPC in Region 1. | Open the Amazon VPC console. In the Region selector, choose Region 2. In the navigation pane, choose Transit Gateway Attachments. Choose Create transit gateway attachment. For Transit gateway ID, choose the transit gateway that you created in Region 2. For Attachment type, choose VPC. For VPC ID, enter the ID of the VPC in Region 1. For Subnet IDs, select one subnet for each Availability Zone to be used by the transit gateway to route traffic. Choose Create transit gateway attachment.
| General AWS |
Configure the transit gateway route table in Region 1. | Open the Amazon VPC console. In the Region selector, choose Region 1. In the navigation pane, choose Transit gateway route tables. Select the route table used by the transit gateway in Region 1. Choose Actions, and then choose Create static route. On the Create static route page, enter the CIDR block for the VPC in Region 2. For attachment, choose the attachment created for the VPC in Region 2. Choose Create static route. Repeat the previous steps to create another route. Provide the following values:
| General AWS |
Configure the transit gateway route table in Region 2. | Open the Amazon VPC console. In the Region selector, choose Region 2. In the navigation pane, choose Transit gateway route tables. Select the route table used by the transit gateway in Region 2. Choose Actions, and then choose Create static route. On the Create static route page, enter the CIDR block for the VPC in Region 1. For attachment, choose the attachment created for the VPC in Region 1. Choose Create static route. Repeat the previous steps to create another route. Provide the following values:
| General AWS |
| Task | Description | Skills required |
|---|
Create EC2 instances. | In the VPC in Region 1, create an EC2 instance. For instructions, see Launch an instance. Create the instance in any subnet that has an inbound security group rule that accepts ICMP traffic from the CIDR block of the VPC in Region 2. Repeat the previous step to create an EC2 instance in the VPC in Region 2. Create the instance in any subnet that has an inbound security group rule that accepts ICMP traffic from the CIDR block of the VPC in Region 1.
| General AWS |
Test the peering connection. | Use Session Manager, a capability of AWS Systems Manager, to connect to one of the EC2 instances. For instructions, see Connect using Session Manager. Enter the following command to initiate a ping to the other EC2 instance, where <targetname> is the host name or IP address of the other EC2 instance. $ ping [options] <targetname>
Confirm that the ping was successful. This validates that the peering connection has been established between the two VPCs in different Regions.
| General AWS |
Troubleshooting
| Issue | Solution |
|---|
Ping between EC2 instances does not return a reply. | Verify that the security groups attached to the instances allow ICMPv4 inbound pings from the appropriate CIDR blocks. For more information, see Control traffic to your AWS resources using security groups. Verify that the VPC route table has a route to the other CIDR block. The route should point toward the transit gateway as the next-hop. For more information, see Work with route tables. Verify that the transit gateway route table has a route to the other CIDR block. The route should point toward the peering attachment as the next-hop. For more information, see Transit gateway route tables.
|
Related resources
