AWS ‐ VPC
✅ Amazon VPC (Virtual Private Cloud) is region-specific.
This means:
- A VPC exists only in a single AWS region.
- It cannot span multiple regions.
- If you need a VPC in different regions, you must create separate VPCs in each region.
| Feature | Scope |
|---|---|
| VPC | Regional (specific to one AWS region) |
| Subnets | Availability Zone (AZ) specific |
| Security Groups | VPC-specific (cannot span VPCs) |
| Route Tables | VPC-specific |
| Internet Gateway (IGW) | VPC-specific |
| Elastic IP (EIP) | Regional |
Yes, VPCs in different regions can still be connected. AWS offers inter-region connectivity via:
- AWS VPC Peering – Direct link between VPCs in different regions.
- AWS Transit Gateway – Scalable option for connecting multiple VPCs across regions.
- AWS PrivateLink – Secure service-to-service communication.
- Deploy separate VPCs in different AWS regions.
- Use VPC Peering or Transit Gateway to connect multi-region VPCs.
- Ensure VPC CIDR blocks do not overlap to avoid conflicts.
Since VPCs are region-specific, you need a way to connect them if your services span multiple regions. Here are the best options:
VPC Peering:
- Best for simple and low-latency connections between two VPCs.
- Not transitive (VPC A ↔ VPC B, but not VPC A ↔ VPC C via B).
- Supports cross-region connectivity.
- Create a VPC Peering Connection
  - Go to AWS VPC Console → Peering Connections → Create Peering Connection.
  - Select two VPCs (different regions are supported).
- Update Route Tables
  - Add routes in both VPCs' route tables to direct traffic via the peering connection.
- Modify Security Groups
  - Ensure security groups allow traffic from the peered VPC.
AWS Transit Gateway:
- Best for connecting multiple VPCs across multiple regions.
- Transitive connectivity (VPC A ↔ VPC B ↔ VPC C).
- Supports centralized control and scalability.
- Create a Transit Gateway in your primary region (a Transit Gateway is itself regional, so create one in each additional region as well and peer them).
- Attach VPCs from multiple regions to the Transit Gateway (each VPC attaches to the Transit Gateway in its own region; the peered gateways carry traffic between regions).
- Update route tables to send traffic via the Transit Gateway.
- Modify security groups to allow inter-VPC communication.
🚀 Best Choice:
- VPC Peering → Best for small, direct VPC-to-VPC connections.
- Transit Gateway → Best for multi-VPC, multi-region architectures.
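Both options above depend on two things being right before any traffic flows: the VPC CIDR blocks must not overlap, and each side's route table must send the peer's CIDR to the connection. The following Python checker is an added example, not code from the original page; it runs against constructed sample data (the VPC names, route tables and the `pcx-123abc` id are made up) and reports overlapping CIDRs and missing return routes.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample data (not from the page): two VPCs, one per region, the routes in
# each VPC's main route table, and the peering that joins them. The secondary VPC is
# deliberately missing its return route so the checker has something to report.
VPCS = {
    "vpc-primary":   {"region": "us-east-1", "cidr": "10.0.0.0/16"},
    "vpc-secondary": {"region": "us-west-2", "cidr": "10.1.0.0/16"},
}
ROUTES = {  # vpc -> list of (destination CIDR, target)
    "vpc-primary":   [("10.0.0.0/16", "local"), ("10.1.0.0/16", "pcx-123abc")],
    "vpc-secondary": [("10.1.0.0/16", "local")],
}
PEERINGS = [("pcx-123abc", "vpc-primary", "vpc-secondary")]  # (pcx id, requester, accepter)


def overlapping_cidrs(vpcs: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Return every pair of VPCs whose CIDR blocks overlap; AWS refuses to peer such pairs."""
    nets = {name: ipaddress.ip_network(v["cidr"]) for name, v in vpcs.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def missing_peer_routes(vpcs: Dict[str, dict], routes: Dict[str, list],
                        peerings: List[Tuple[str, str, str]]) -> List[str]:
    """For each peering, confirm both VPCs route the peer's CIDR to that peering connection.

    A route counts if its destination covers the whole peer CIDR and its target is the
    pcx id; peering is not transitive, so a route via some other pcx does not help.
    """
    problems = []
    for pcx, left, right in peerings:
        for src, dst in ((left, right), (right, left)):
            peer_net = ipaddress.ip_network(vpcs[dst]["cidr"])
            covered = any(target == pcx and ipaddress.ip_network(dest).supernet_of(peer_net)
                          for dest, target in routes.get(src, []))
            if not covered:
                problems.append(f"{src}: no route for {peer_net} via {pcx}")
    return problems


if __name__ == "__main__":
    for a, b in overlapping_cidrs(VPCS):
        print(f"overlap: {a} and {b}")
    for line in missing_peer_routes(VPCS, ROUTES, PEERINGS):
        print(line)
```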
I’ll provide Terraform and AWS CLI approaches for VPC Peering and AWS Transit Gateway.
- Create two VPCs in different AWS regions.
- Establish a VPC Peering Connection between them.
- Update Route Tables to allow traffic flow.
- Modify Security Groups to allow communication.
```hcl
provider "aws" {
  alias  = "primary"
  region = "us-east-1"
}

provider "aws" {
  alias  = "secondary"
  region = "us-west-2"
}

# VPC 1 in us-east-1
resource "aws_vpc" "primary_vpc" {
  provider   = aws.primary
  cidr_block = "10.0.0.0/16"
}

# VPC 2 in us-west-2 (non-overlapping CIDR, otherwise the peering is refused)
resource "aws_vpc" "secondary_vpc" {
  provider   = aws.secondary
  cidr_block = "10.1.0.0/16"
}

# Create VPC Peering (requested from the primary region; a cross-region peering cannot auto-accept)
resource "aws_vpc_peering_connection" "peer" {
  provider    = aws.primary
  vpc_id      = aws_vpc.primary_vpc.id
  peer_vpc_id = aws_vpc.secondary_vpc.id
  peer_region = "us-west-2"
  auto_accept = false
}

# Accept VPC Peering from Secondary Region
resource "aws_vpc_peering_connection_accepter" "peer_accept" {
  provider                  = aws.secondary
  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
  auto_accept               = true
}

# Route Table for Primary VPC: send the secondary CIDR through the peering.
# Referencing the accepter's id makes Terraform wait until the peering is active.
resource "aws_route" "primary_route" {
  provider                  = aws.primary
  route_table_id            = aws_vpc.primary_vpc.default_route_table_id
  destination_cidr_block    = "10.1.0.0/16"
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.peer_accept.id
}

# Route Table for Secondary VPC (must be created through the secondary provider)
resource "aws_route" "secondary_route" {
  provider                  = aws.secondary
  route_table_id            = aws_vpc.secondary_vpc.default_route_table_id
  destination_cidr_block    = "10.0.0.0/16"
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.peer_accept.id
}
```
```bash
terraform init
terraform apply -auto-approve
```
- Create a Transit Gateway in a primary region.
- Attach VPCs in different regions to the Transit Gateway.
- Configure Transit Gateway Route Tables.
- Modify Security Groups.
```hcl
provider "aws" {
  alias  = "primary"
  region = "us-east-1"
}

provider "aws" {
  alias  = "secondary"
  region = "us-west-2"
}

# A Transit Gateway is regional, so a VPC in us-west-2 cannot attach to a TGW in us-east-1.
# Each region gets its own TGW and the two are joined by a TGW peering attachment below.
# aws_vpc.primary_vpc / secondary_vpc and aws_subnet.primary / secondary (one subnet per AZ
# to reach) are assumed to be defined elsewhere in this configuration.

# Transit Gateway in us-east-1
resource "aws_ec2_transit_gateway" "tgw" {
  provider    = aws.primary
  description = "Transit Gateway for Multi-Region VPCs (us-east-1)"
}

# Transit Gateway in us-west-2
resource "aws_ec2_transit_gateway" "tgw_secondary" {
  provider    = aws.secondary
  description = "Transit Gateway for Multi-Region VPCs (us-west-2)"
}

# Attach Primary VPC to its regional TGW
resource "aws_ec2_transit_gateway_vpc_attachment" "primary_vpc_attach" {
  provider           = aws.primary
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id
  vpc_id             = aws_vpc.primary_vpc.id
  subnet_ids         = aws_subnet.primary[*].id
}

# Attach Secondary VPC to its regional TGW
resource "aws_ec2_transit_gateway_vpc_attachment" "secondary_vpc_attach" {
  provider           = aws.secondary
  transit_gateway_id = aws_ec2_transit_gateway.tgw_secondary.id
  vpc_id             = aws_vpc.secondary_vpc.id
  subnet_ids         = aws_subnet.secondary[*].id
}

# Peer the two Transit Gateways (requested in us-east-1, accepted in us-west-2)
resource "aws_ec2_transit_gateway_peering_attachment" "tgw_peer" {
  provider                = aws.primary
  transit_gateway_id      = aws_ec2_transit_gateway.tgw.id
  peer_transit_gateway_id = aws_ec2_transit_gateway.tgw_secondary.id
  peer_region             = "us-west-2"
}

resource "aws_ec2_transit_gateway_peering_attachment_accepter" "tgw_peer_accept" {
  provider                      = aws.secondary
  transit_gateway_attachment_id = aws_ec2_transit_gateway_peering_attachment.tgw_peer.id
}

# Transit Gateway Route Tables: with the default association/propagation settings each VPC
# attachment lands in its TGW's default route table, but a peering attachment never propagates
# routes, so each side needs a static route for the remote VPC CIDR via the peering.
resource "aws_ec2_transit_gateway_route" "primary_to_secondary" {
  provider                       = aws.primary
  destination_cidr_block         = "10.1.0.0/16"
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_peering_attachment_accepter.tgw_peer_accept.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway.tgw.association_default_route_table_id
}

resource "aws_ec2_transit_gateway_route" "secondary_to_primary" {
  provider                       = aws.secondary
  destination_cidr_block         = "10.0.0.0/16"
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_peering_attachment_accepter.tgw_peer_accept.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway.tgw_secondary.association_default_route_table_id
}

# VPC route tables: send the remote CIDR to the local TGW (after the VPC is attached)
resource "aws_route" "primary_to_tgw" {
  provider               = aws.primary
  route_table_id         = aws_vpc.primary_vpc.default_route_table_id
  destination_cidr_block = "10.1.0.0/16"
  transit_gateway_id     = aws_ec2_transit_gateway.tgw.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.primary_vpc_attach]
}

resource "aws_route" "secondary_to_tgw" {
  provider               = aws.secondary
  route_table_id         = aws_vpc.secondary_vpc.default_route_table_id
  destination_cidr_block = "10.0.0.0/16"
  transit_gateway_id     = aws_ec2_transit_gateway.tgw_secondary.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.secondary_vpc_attach]
}
```
```bash
terraform init
terraform apply -auto-approve
```
- Create a Peering Connection (run in the requester's region, us-east-1)
```bash
aws ec2 create-vpc-peering-connection \
  --vpc-id vpc-abc123 \
  --peer-vpc-id vpc-xyz456 \
  --peer-region us-west-2 \
  --region us-east-1
```
- Accept the Peering Connection (a cross-region peering must be accepted in the peer VPC's region)
```bash
aws ec2 accept-vpc-peering-connection \
  --vpc-peering-connection-id pcx-123abc \
  --region us-west-2
```
- Modify Route Tables (a route on each side; rtb-xyz456 is a placeholder for the secondary VPC's route table)
```bash
aws ec2 create-route \
  --route-table-id rtb-abc123 \
  --destination-cidr-block 10.1.0.0/16 \
  --vpc-peering-connection-id pcx-123abc \
  --region us-east-1

aws ec2 create-route \
  --route-table-id rtb-xyz456 \
  --destination-cidr-block 10.0.0.0/16 \
  --vpc-peering-connection-id pcx-123abc \
  --region us-west-2
```
| Option | Pros | Cons |
|---|---|---|
| VPC Peering | Simple, low-latency, direct | Not scalable for multiple VPCs |
| Transit Gateway | Scalable, transitive routing | Higher cost, more complex setup |
| AWS CLI | Quick manual setup | Not recommended for large deployments |
- Use VPC Peering for two VPCs.
- Use Transit Gateway if you have multiple regions/VPCs.
This CloudFormation template is deployed once per region (a stack is regional and cannot create a VPC in another region), and in each region it:
- Creates one VPC (two VPCs in total across the two regions).
- Establishes the VPC Peering Connection from the requester side.
- Adds a Route for the peer VPC's CIDR once the peering connection ID is known.
- Creates a Security Group that permits traffic from the peer VPC.
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Multi-Region VPC Peering Setup (one stack per region; deploy the accepter side first)"

Parameters:
  VpcCidr:
    Type: String
    Default: "10.0.0.0/16"
    Description: "CIDR block for the VPC created by this stack"
  PeerVpcCidr:
    Type: String
    Default: "10.1.0.0/16"
    Description: "CIDR block of the VPC in the other region"
  PeerRegion:
    Type: String
    Default: "us-west-2"
    Description: "Region of the peer VPC (used on the requester side only)"
  PeerVpcId:
    Type: String
    Default: ""
    Description: "ID of the peer VPC; set on the requester side only, leave empty on the accepter side"
  PeeringConnectionId:
    Type: String
    Default: ""
    Description: "Accepter side only: the pcx-... ID to route through, supplied on a stack update once the peering has been accepted"

Conditions:
  IsRequester: !Not [!Equals [!Ref PeerVpcId, ""]]
  HasPeeringId: !Not [!Equals [!Ref PeeringConnectionId, ""]]
  CreateRoute: !Or [!Condition IsRequester, !Condition HasPeeringId]

Resources:
  # ✅ VPC owned by this stack (one per region)
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCidr
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-VPC"

  # ✅ VPC Peering Connection (requester side only). A cross-region peering cannot be
  # accepted by CloudFormation; accept it in the peer region with the CLI.
  VpcPeeringConnection:
    Type: AWS::EC2::VPCPeeringConnection
    Condition: IsRequester
    Properties:
      VpcId: !Ref VPC
      PeerVpcId: !Ref PeerVpcId
      PeerRegion: !Ref PeerRegion
      Tags:
        - Key: Name
          Value: "PrimaryToSecondaryVPCPeering"

  # ✅ Route Table
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-RouteTable"

  # Route to the peer CIDR through the peering connection (created here or passed in)
  PeerRoute:
    Type: AWS::EC2::Route
    Condition: CreateRoute
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: !Ref PeerVpcCidr
      VpcPeeringConnectionId: !If [IsRequester, !Ref VpcPeeringConnection, !Ref PeeringConnectionId]

  # ✅ Security Group for Inter-VPC Traffic. IpProtocol -1 admits every protocol and port
  # from the whole peer CIDR; narrow it to the ports your services actually need.
  PeerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Allow inbound traffic from the peer VPC"
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: "-1"
          CidrIp: !Ref PeerVpcCidr
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-SG"

Outputs:
  VPCId:
    Description: "VPC ID (pass it as PeerVpcId to the requester stack)"
    Value: !Ref VPC
  VpcPeeringConnectionId:
    Condition: IsRequester
    Description: "VPC Peering Connection ID (accept it in the peer region, then pass it as PeeringConnectionId to the accepter stack)"
    Value: !Ref VpcPeeringConnection
```
- Deploy the accepter side first in the Secondary Region (us-west-2); with PeerVpcId left empty it only creates the VPC
```bash
aws cloudformation create-stack --stack-name MultiRegionVPCPeering \
  --template-body file://vpc-peering.yaml --region us-west-2 \
  --parameters ParameterKey=VpcCidr,ParameterValue=10.1.0.0/16 \
               ParameterKey=PeerVpcCidr,ParameterValue=10.0.0.0/16
```
- Deploy the requester side in the Primary Region (us-east-1), passing the VPCId output of the first stack (vpc-xyz456 is a placeholder)
```bash
aws cloudformation create-stack --stack-name MultiRegionVPCPeering \
  --template-body file://vpc-peering.yaml --region us-east-1 \
  --parameters ParameterKey=VpcCidr,ParameterValue=10.0.0.0/16 \
               ParameterKey=PeerVpcCidr,ParameterValue=10.1.0.0/16 \
               ParameterKey=PeerRegion,ParameterValue=us-west-2 \
               ParameterKey=PeerVpcId,ParameterValue=vpc-xyz456
```
- Accept the peering in the secondary region, then add the return route by updating the accepter stack with the VpcPeeringConnectionId output (pcx-123abc is a placeholder)
```bash
aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-123abc --region us-west-2

aws cloudformation update-stack --stack-name MultiRegionVPCPeering \
  --use-previous-template --region us-west-2 \
  --parameters ParameterKey=VpcCidr,UsePreviousValue=true \
               ParameterKey=PeerVpcCidr,UsePreviousValue=true \
               ParameterKey=PeeringConnectionId,ParameterValue=pcx-123abc
```
- 🔹 Need AWS Transit Gateway setup?
- 🔹 Want to automate this with AWS SAM?
- 🔹 Require NAT Gateway for internet access?