
AWS ‐ VPC

Full Stack edited this page Mar 15, 2025 · 2 revisions

🌍 Is VPC Global or Regional?


Amazon VPC (Virtual Private Cloud) is region-specific.
This means:

  • A VPC exists only in a single AWS region.
  • It cannot span multiple regions.
  • If you need a VPC in different regions, you must create separate VPCs in each region.

🌍 Key Facts About VPC Scope

| Feature | Scope |
|---|---|
| VPC | Regional (specific to one AWS region) |
| Subnets | Availability Zone (AZ) specific |
| Security Groups | VPC-specific (cannot span VPCs) |
| Route Tables | VPC-specific |
| Internet Gateway (IGW) | VPC-specific |
| Elastic IP (EIP) | Regional |

📍 Can You Connect VPCs in Different Regions?

Yes. AWS offers inter-region connectivity via:

  1. AWS VPC Peering – a one-to-one link between two VPCs, which may be in different regions or accounts; not transitive.
  2. AWS Transit Gateway – a regional hub that connects many VPCs; hubs in different regions are linked with a Transit Gateway peering attachment.
  3. AWS PrivateLink – exposes an individual service through interface endpoints rather than routing whole CIDR ranges between VPCs.

✅ Best Practices

  • Deploy separate VPCs in different AWS regions.
  • Use VPC Peering or Transit Gateway to connect multi-region VPCs.
  • Ensure VPC CIDR blocks do not overlap: AWS rejects a peering request between VPCs with overlapping IPv4 CIDR blocks, and routes for overlapping prefixes cannot be told apart.

🌍 How to Connect VPCs in Different AWS Regions


Since VPCs are region-specific, you need a way to connect them if your services span multiple regions. Here are the best options:


✅ Option 1: AWS VPC Peering (For Direct Connectivity)

  • Best for simple, low-latency connections between two VPCs.
  • Not transitive (VPC A ↔ VPC B, but not VPC A ↔ VPC C via B): a peering carries only traffic addressed to the peer VPC's own CIDR.
  • Supports cross-region (and cross-account) connectivity; inter-region peering traffic stays on the AWS backbone and is encrypted in transit.

🔹 Steps to Set Up VPC Peering

  1. Create a VPC Peering Connection

    • In the AWS VPC Console go to Peering Connections → Create Peering Connection.
    • Select the requester VPC and the accepter VPC (different regions are supported). The CIDRs must not overlap or the request fails.
  2. Accept the Peering Connection

    • Switch to the accepter VPC's region and accept the request; until then it stays in pending-acceptance.
  3. Update Route Tables

    • Add a route in each VPC's route tables for the peer CIDR via the peering connection. Both directions are needed; a route on one side only gives traffic that is dropped on the way back.
  4. Modify Security Groups

    • Allow traffic from the peer VPC's CIDR. Cross-region peering rules cannot reference the remote VPC's security group ID, only its CIDR range.
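Before running the steps above (and as a check after them), the route-table and security-group state can be audited from `describe-*` output. The following Python script is an added example, not code from the original page; it works on constructed sample data shaped like AWS CLI output (the VPC, route table, security group and peering IDs are placeholders, not real resources) and flags the three things that most often break a peering: overlapping CIDRs, a route present on only one side, and security group rules that open more than the peer CIDR needs.

```python
"""Pre-flight audit for a cross-region VPC peering (constructed data, not live describe-* output)."""
from ipaddress import ip_network
from itertools import combinations

PCX_ID = "pcx-123abc"  # placeholder peering connection ID

# Constructed sample shaped like `aws ec2 describe-vpcs`, `describe-route-tables`
# and `describe-security-groups` output from the two regions.
VPCS = {
    "vpc-abc123": {"Region": "us-east-1", "CidrBlock": "10.0.0.0/16"},
    "vpc-xyz456": {"Region": "us-west-2", "CidrBlock": "10.1.0.0/16"},
}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-abc123", "VpcId": "vpc-abc123", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": PCX_ID}]},
    {"RouteTableId": "rtb-xyz456", "VpcId": "vpc-xyz456", "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"}]},  # return route not added yet
]
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1", "VpcId": "vpc-abc123", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.1.0.0/16"}]}]},
    {"GroupId": "sg-0b2", "VpcId": "vpc-xyz456", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},  # admits far more than the peer
]


def overlapping_cidrs(vpcs):
    """Pairs of VPCs whose CIDRs overlap; AWS rejects a peering request between them."""
    return [(a, b) for a, b in combinations(sorted(vpcs), 2)
            if ip_network(vpcs[a]["CidrBlock"]).overlaps(ip_network(vpcs[b]["CidrBlock"]))]


def missing_peer_routes(vpcs, route_tables, pcx_id):
    """(route table, peer) pairs where no route covers the peer CIDR via pcx_id.
    A route on one side only gives one-way traffic that is dropped on the return path."""
    missing = []
    for rt in route_tables:
        own = rt["VpcId"]
        for peer_id, peer in vpcs.items():
            if peer_id == own:
                continue
            peer_net = ip_network(peer["CidrBlock"])
            covered = any(r.get("VpcPeeringConnectionId") == pcx_id
                          and peer_net.subnet_of(ip_network(r["DestinationCidrBlock"]))
                          for r in rt["Routes"])
            if not covered:
                missing.append((rt["RouteTableId"], peer_id))
    return missing


def overbroad_peer_rules(vpcs, security_groups):
    """Ingress rules that admit the peer VPC but are wider than the peering needs:
    a source broader than the peer CIDR (e.g. 0.0.0.0/0) or all protocols (-1)."""
    findings = []
    for sg in security_groups:
        peers = [ip_network(v["CidrBlock"]) for vid, v in vpcs.items() if vid != sg["VpcId"]]
        for perm in sg["IpPermissions"]:
            for rng in perm.get("IpRanges", []):
                src = ip_network(rng["CidrIp"])
                hit = [p for p in peers if src.overlaps(p)]
                too_wide = any(src.prefixlen < p.prefixlen for p in hit)
                if hit and (too_wide or perm["IpProtocol"] == "-1"):
                    findings.append((sg["GroupId"], rng["CidrIp"], perm["IpProtocol"]))
    return findings


def audit(vpcs, route_tables, security_groups, pcx_id):
    """All findings in one dict; an empty dict means the peering is ready to use."""
    report = {
        "overlapping_cidrs": overlapping_cidrs(vpcs),
        "missing_peer_routes": missing_peer_routes(vpcs, route_tables, pcx_id),
        "overbroad_peer_rules": overbroad_peer_rules(vpcs, security_groups),
    }
    return {k: v for k, v in report.items() if v}


if __name__ == "__main__":
    for check, items in audit(VPCS, ROUTE_TABLES, SECURITY_GROUPS, PCX_ID).items():
        print(f"{check}: {items}")
```

On the sample data the audit reports the missing return route in `rtb-xyz456` and the all-protocol `0.0.0.0/0` rule in `sg-0b2`; feeding it real `describe-*` JSON from both regions gives the same checks against a live peering.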

✅ Option 2: AWS Transit Gateway (For Scalable Multi-VPC Networks)

  • Best for connecting many VPCs, including across regions.
  • Transitive connectivity (VPC A ↔ VPC B ↔ VPC C) through a central hub and its route tables.
  • Centralized control: one route table per TGW (or several, for segmentation) instead of a full mesh of peerings.
  • A Transit Gateway is itself regional. VPC attachments must be in the TGW's region; cross-region connectivity uses a Transit Gateway peering attachment between a TGW in each region, with static routes across the peering (routes are not propagated over TGW peering).

🔹 Steps to Set Up Transit Gateway

  1. Create a Transit Gateway in each region that has VPCs to connect.
  2. Attach each VPC to the Transit Gateway in its own region (one subnet per AZ).
  3. Create a Transit Gateway peering attachment between the regional TGWs and accept it in the peer region.
  4. Add static routes in each TGW route table sending the remote region's CIDRs to the peering attachment, and routes in each VPC route table sending remote CIDRs to the local TGW.
  5. Modify security groups to allow inter-VPC communication (by CIDR).

🚀 Best Choice:

  • VPC Peering → Best for small, direct VPC-to-VPC connections.
  • Transit Gateway → Best for multi-VPC, multi-region architectures.
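The difference between the two options comes down to what each hop is willing to forward. The following Python model is an added example, not code from the original page: it simulates longest-prefix forwarding over a constructed topology (the VPC and TGW names, CIDRs and route entries are made up, and each TGW is modelled with a single default route table) and shows that a peering link drops traffic not addressed to the peer VPC itself, that a TGW forwards across a peering attachment when a static route exists, and that a missing static return route in the remote TGW drops the reply path.

```python
"""Forwarding model for VPC peering vs Transit Gateway (constructed topology, not AWS API output)."""
from copy import deepcopy
from ipaddress import ip_address, ip_network

# Made-up VPCs: vpc-a and vpc-b stand for us-east-1, vpc-c for us-west-2
VPC_CIDR = {"vpc-a": "10.0.0.0/16", "vpc-b": "10.1.0.0/16", "vpc-c": "10.2.0.0/16"}

# Route entries are (prefix, (attachment_kind, next_node)):
#   "pcx"          VPC peering to next_node (a VPC)
#   "tgw"          VPC route to its regional TGW
#   "vpc"          TGW route (propagated) to a VPC attachment
#   "tgw-peering"  TGW static route across a peering attachment to the remote TGW
PEERING_ONLY = {
    "vpc-a": [("10.1.0.0/16", ("pcx", "vpc-b")),
              ("10.2.0.0/16", ("pcx", "vpc-b"))],   # hoping to reach vpc-c through vpc-b
    "vpc-b": [("10.0.0.0/16", ("pcx", "vpc-a")),
              ("10.2.0.0/16", ("pcx", "vpc-c"))],
    "vpc-c": [("10.1.0.0/16", ("pcx", "vpc-b"))],
}

TGW_ONE_WAY = {
    "vpc-a": [("10.0.0.0/8", ("tgw", "tgw-east"))],
    "vpc-c": [("10.0.0.0/8", ("tgw", "tgw-west"))],
    "tgw-east": [("10.0.0.0/16", ("vpc", "vpc-a")),             # propagated from the attachment
                 ("10.2.0.0/16", ("tgw-peering", "tgw-west"))],  # static route across the peering
    "tgw-west": [("10.2.0.0/16", ("vpc", "vpc-c"))],            # static return route missing
}


def lookup(routes, dst):
    """Longest-prefix match over a route table; None when no route covers dst."""
    best = None
    for prefix, attachment in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, attachment)
    return best[1] if best else None


def forward(topology, src_vpc, dst_ip, max_hops=8):
    """Walk a packet from src_vpc towards dst_ip; returns (delivered, path)."""
    dst = ip_address(dst_ip)
    node, path = src_vpc, [src_vpc]
    for _ in range(max_hops):
        if node in VPC_CIDR and dst in ip_network(VPC_CIDR[node]):
            return True, path                      # reached the destination VPC
        hop = lookup(topology.get(node, []), dst)
        if hop is None:
            return False, path + ["drop: no route"]
        kind, nxt = hop
        # A peering connection only carries traffic addressed to the peer VPC's
        # own CIDR; anything else is dropped (no edge-to-edge routing).
        if kind == "pcx" and dst not in ip_network(VPC_CIDR[nxt]):
            return False, path + [f"drop: pcx to {nxt} only carries {VPC_CIDR[nxt]}"]
        node = nxt
        path.append(node)
    return False, path + ["drop: hop limit"]


def with_return_route(topology):
    """Copy of the TGW topology with the missing static route added in tgw-west."""
    fixed = deepcopy(topology)
    fixed["tgw-west"].append(("10.0.0.0/16", ("tgw-peering", "tgw-east")))
    return fixed


if __name__ == "__main__":
    print(forward(PEERING_ONLY, "vpc-a", "10.1.0.10"))   # delivered over the pcx
    print(forward(PEERING_ONLY, "vpc-a", "10.2.0.10"))   # dropped: peering is not transitive
    print(forward(TGW_ONE_WAY, "vpc-a", "10.2.0.10"))    # delivered across the TGW peering
    print(forward(TGW_ONE_WAY, "vpc-c", "10.0.0.10"))    # dropped: tgw-west has no return route
    print(forward(with_return_route(TGW_ONE_WAY), "vpc-c", "10.0.0.10"))
```

The one-way TGW case is the failure practitioners hit most often after peering two gateways: the forward path works, so the setup looks correct, while every reply dies in the remote TGW for lack of a static route back.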

🚀 Setting Up Multi-Region VPC Connectivity


Terraform and AWS CLI approaches for both VPC Peering and AWS Transit Gateway follow.


✅ 1. VPC Peering (Terraform)

🔹 Steps

  1. Create two VPCs in different AWS regions.
  2. Establish a VPC Peering Connection between them.
  3. Update Route Tables to allow traffic flow.
  4. Modify Security Groups to allow communication.

📌 Terraform Code for VPC Peering

```hcl
provider "aws" {
  alias  = "primary"
  region = "us-east-1"
}

provider "aws" {
  alias  = "secondary"
  region = "us-west-2"
}

# VPC 1 in us-east-1
resource "aws_vpc" "primary_vpc" {
  provider   = aws.primary
  cidr_block = "10.0.0.0/16"
}

# VPC 2 in us-west-2 (CIDR must not overlap primary_vpc)
resource "aws_vpc" "secondary_vpc" {
  provider   = aws.secondary
  cidr_block = "10.1.0.0/16"
}

# Peering request, created from the primary (requester) region
resource "aws_vpc_peering_connection" "peer" {
  provider    = aws.primary
  vpc_id      = aws_vpc.primary_vpc.id
  peer_vpc_id = aws_vpc.secondary_vpc.id
  peer_region = "us-west-2"
  auto_accept = false # only works for same-account, same-region peerings
}

# Accept the request from the secondary (accepter) region
resource "aws_vpc_peering_connection_accepter" "peer_accept" {
  provider                  = aws.secondary
  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
  auto_accept               = true
}

# Route from the primary VPC to the secondary CIDR, once the peering is active
resource "aws_route" "primary_route" {
  provider                  = aws.primary
  route_table_id            = aws_vpc.primary_vpc.default_route_table_id
  destination_cidr_block    = aws_vpc.secondary_vpc.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
  depends_on                = [aws_vpc_peering_connection_accepter.peer_accept]
}

# Return route from the secondary VPC to the primary CIDR
resource "aws_route" "secondary_route" {
  provider                  = aws.secondary
  route_table_id            = aws_vpc.secondary_vpc.default_route_table_id
  destination_cidr_block    = aws_vpc.primary_vpc.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
  depends_on                = [aws_vpc_peering_connection_accepter.peer_accept]
}
```

Both `aws_route` resources need an explicit `provider`, since the two provider blocks are aliased and there is no default. Security group rules on both sides must still allow the peer CIDR; for cross-region peering they have to use the CIDR range, not the remote security group ID.

🔹 Run the Terraform Deployment

```bash
terraform init
terraform plan
terraform apply
```

✅ 2. AWS Transit Gateway (Terraform)

🔹 Steps

  1. Create a Transit Gateway in each region (a TGW is regional and only accepts VPC attachments from its own region).
  2. Attach each VPC to the Transit Gateway in its region.
  3. Create a Transit Gateway peering attachment between the two TGWs and accept it in the peer region.
  4. Add static routes across the peering in both TGW route tables, and VPC routes to the local TGW.
  5. Modify Security Groups.

📌 Terraform Code for Transit Gateway

```hcl
# Reuses the aws.primary / aws.secondary providers and the VPCs from the peering
# example above; aws_subnet.primary and aws_subnet.secondary (one per AZ) are assumed to exist.

# One Transit Gateway per region
resource "aws_ec2_transit_gateway" "primary" {
  provider    = aws.primary
  description = "Transit Gateway us-east-1"
}

resource "aws_ec2_transit_gateway" "secondary" {
  provider    = aws.secondary
  description = "Transit Gateway us-west-2"
}

# Each VPC attaches to the TGW in its own region
resource "aws_ec2_transit_gateway_vpc_attachment" "primary_vpc_attach" {
  provider           = aws.primary
  transit_gateway_id = aws_ec2_transit_gateway.primary.id
  vpc_id             = aws_vpc.primary_vpc.id
  subnet_ids         = aws_subnet.primary[*].id
}

resource "aws_ec2_transit_gateway_vpc_attachment" "secondary_vpc_attach" {
  provider           = aws.secondary
  transit_gateway_id = aws_ec2_transit_gateway.secondary.id
  vpc_id             = aws_vpc.secondary_vpc.id
  subnet_ids         = aws_subnet.secondary[*].id
}

# Cross-region link: TGW peering attachment requested from us-east-1, accepted in us-west-2
resource "aws_ec2_transit_gateway_peering_attachment" "east_west" {
  provider                = aws.primary
  transit_gateway_id      = aws_ec2_transit_gateway.primary.id
  peer_transit_gateway_id = aws_ec2_transit_gateway.secondary.id
  peer_region             = "us-west-2"
}

resource "aws_ec2_transit_gateway_peering_attachment_accepter" "east_west" {
  provider                      = aws.secondary
  transit_gateway_attachment_id = aws_ec2_transit_gateway_peering_attachment.east_west.id
}

# Routes across a TGW peering are static only (no propagation), so add one per direction.
# Uses each TGW's default route table, which the attachments join automatically when
# default route table association is left enabled.
resource "aws_ec2_transit_gateway_route" "to_secondary" {
  provider                       = aws.primary
  destination_cidr_block         = aws_vpc.secondary_vpc.cidr_block
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_peering_attachment.east_west.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway.primary.association_default_route_table_id
  depends_on                     = [aws_ec2_transit_gateway_peering_attachment_accepter.east_west]
}

resource "aws_ec2_transit_gateway_route" "to_primary" {
  provider                       = aws.secondary
  destination_cidr_block         = aws_vpc.primary_vpc.cidr_block
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_peering_attachment_accepter.east_west.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway.secondary.association_default_route_table_id
}
```

Each VPC route table then needs a route for the remote CIDR with `transit_gateway_id` set to the local TGW (in place of the `vpc_peering_connection_id` routes in the peering example; the two designs are alternatives, not layers).

🔹 Run the Terraform Deployment

```bash
terraform init
terraform plan
terraform apply
```

✅ 3. AWS CLI Approach (Manual)

🔹 Steps (IDs such as vpc-abc123 and pcx-123abc are placeholders)

  1. Create the peering request from the requester VPC's region

```bash
aws ec2 create-vpc-peering-connection \
    --vpc-id vpc-abc123 \
    --peer-vpc-id vpc-xyz456 \
    --peer-region us-west-2 \
    --region us-east-1
```

  2. Accept the request in the accepter VPC's region

```bash
aws ec2 accept-vpc-peering-connection \
    --vpc-peering-connection-id pcx-123abc \
    --region us-west-2
```

  3. Add routes on both sides: the primary route table to the secondary CIDR, and the return route in the secondary region

```bash
aws ec2 create-route \
    --route-table-id rtb-abc123 \
    --destination-cidr-block 10.1.0.0/16 \
    --vpc-peering-connection-id pcx-123abc \
    --region us-east-1

aws ec2 create-route \
    --route-table-id rtb-xyz456 \
    --destination-cidr-block 10.0.0.0/16 \
    --vpc-peering-connection-id pcx-123abc \
    --region us-west-2
```

🚀 Which One to Choose?

| Option | Pros | Cons |
|---|---|---|
| VPC Peering | Simple, low-latency, direct | Not transitive; a full mesh does not scale to many VPCs |
| Transit Gateway | Scalable, transitive routing, central route tables | Higher cost, more complex setup (one TGW per region, peered, with static routes) |
| AWS CLI (manual) | Quick one-off setup | No state tracking; not recommended for large deployments |

Best Choice:

  • Use VPC Peering for two VPCs.
  • Use Transit Gateway if you have multiple regions/VPCs.

CloudFormation template for multi-region VPC connectivity.


✅ VPC Peering (CloudFormation)

A CloudFormation stack is regional, so a single template cannot create VPCs in two regions. The setup is therefore split into two templates:

  1. vpc-peering-secondary.yaml (deployed in us-west-2): creates the secondary VPC, its route table and security group, and, once the peering ID is known, the return route.
  2. vpc-peering-primary.yaml (deployed in us-east-1): creates the primary VPC, requests the peering connection to the secondary VPC, and adds the route and security group on the primary side.

Both templates take the two VPC CIDRs as parameters; they must not overlap. Neither template creates subnets or subnet associations, so the route tables only take effect once your subnets are associated with them.

📌 CloudFormation YAML Template: vpc-peering-primary.yaml

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Multi-Region VPC Peering: requester side, deploy in the primary region (us-east-1)"

Parameters:
  SecondaryRegion:
    Type: String
    Default: "us-west-2"
    Description: "Region of the secondary (accepter) VPC"

  SecondaryVpcId:
    Type: String
    Description: "VPC ID output by the secondary-region stack"

  PrimaryVpcCidr:
    Type: String
    Default: "10.0.0.0/16"
    Description: "CIDR block for Primary VPC"

  SecondaryVpcCidr:
    Type: String
    Default: "10.1.0.0/16"
    Description: "CIDR block of the Secondary VPC (must not overlap PrimaryVpcCidr)"

Resources:
  # Primary VPC
  PrimaryVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref PrimaryVpcCidr
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: PrimaryVPC

  # Peering request to the secondary VPC in the other region
  VpcPeeringConnection:
    Type: AWS::EC2::VPCPeeringConnection
    Properties:
      VpcId: !Ref PrimaryVPC
      PeerVpcId: !Ref SecondaryVpcId
      PeerRegion: !Ref SecondaryRegion
      Tags:
        - Key: Name
          Value: "PrimaryToSecondaryVPCPeering"

  # Route table for the primary VPC (associate your subnets with it)
  PrimaryRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref PrimaryVPC
      Tags:
        - Key: Name
          Value: "PrimaryVPC-RouteTable"

  PrimaryRoute:
    Type: AWS::EC2::Route
    DependsOn: VpcPeeringConnection
    Properties:
      RouteTableId: !Ref PrimaryRouteTable
      DestinationCidrBlock: !Ref SecondaryVpcCidr
      VpcPeeringConnectionId: !Ref VpcPeeringConnection

  # Security group for traffic from the secondary VPC.
  # IpProtocol -1 admits every protocol and port; narrow it to what your workloads need.
  PrimarySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Allow inbound traffic from secondary VPC"
      VpcId: !Ref PrimaryVPC
      SecurityGroupIngress:
        - IpProtocol: "-1"
          CidrIp: !Ref SecondaryVpcCidr
      Tags:
        - Key: Name
          Value: "PrimaryVPC-SG"

Outputs:
  PrimaryVPCId:
    Description: "Primary VPC ID"
    Value: !Ref PrimaryVPC

  VpcPeeringConnectionId:
    Description: "VPC Peering Connection ID (pass to the secondary stack)"
    Value: !Ref VpcPeeringConnection
```

📌 CloudFormation YAML Template: vpc-peering-secondary.yaml

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Multi-Region VPC Peering: accepter side, deploy in the secondary region (us-west-2)"

Parameters:
  PrimaryVpcCidr:
    Type: String
    Default: "10.0.0.0/16"
    Description: "CIDR block of the Primary VPC"

  SecondaryVpcCidr:
    Type: String
    Default: "10.1.0.0/16"
    Description: "CIDR block for Secondary VPC"

  VpcPeeringConnectionId:
    Type: String
    Default: ""
    Description: "Peering connection ID from the primary stack; leave empty on the first deploy"

Conditions:
  HasPeering: !Not [!Equals [!Ref VpcPeeringConnectionId, ""]]

Resources:
  # Secondary VPC
  SecondaryVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref SecondaryVpcCidr
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: SecondaryVPC

  # Route table for the secondary VPC (associate your subnets with it)
  SecondaryRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref SecondaryVPC
      Tags:
        - Key: Name
          Value: "SecondaryVPC-RouteTable"

  # Return route to the primary VPC, created only once the peering ID is supplied
  SecondaryRoute:
    Type: AWS::EC2::Route
    Condition: HasPeering
    Properties:
      RouteTableId: !Ref SecondaryRouteTable
      DestinationCidrBlock: !Ref PrimaryVpcCidr
      VpcPeeringConnectionId: !Ref VpcPeeringConnectionId

  # Security group for traffic from the primary VPC (narrow IpProtocol -1 to what is needed)
  SecondarySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Allow inbound traffic from primary VPC"
      VpcId: !Ref SecondaryVPC
      SecurityGroupIngress:
        - IpProtocol: "-1"
          CidrIp: !Ref PrimaryVpcCidr
      Tags:
        - Key: Name
          Value: "SecondaryVPC-SG"

Outputs:
  SecondaryVPCId:
    Description: "Secondary VPC ID (pass to the primary stack as SecondaryVpcId)"
    Value: !Ref SecondaryVPC
```

🚀 Steps to Deploy in AWS

  1. Deploy the secondary stack in us-west-2 (no peering ID yet) and read the VPC ID from its outputs:

```bash
aws cloudformation deploy --stack-name VpcPeeringSecondary \
    --template-file vpc-peering-secondary.yaml --region us-west-2
aws cloudformation describe-stacks --stack-name VpcPeeringSecondary --region us-west-2 \
    --query "Stacks[0].Outputs[?OutputKey=='SecondaryVPCId'].OutputValue" --output text
```

  2. Deploy the primary stack in us-east-1, passing that VPC ID (vpc-xyz456 below is a placeholder), and read the peering connection ID:

```bash
aws cloudformation deploy --stack-name VpcPeeringPrimary \
    --template-file vpc-peering-primary.yaml --region us-east-1 \
    --parameter-overrides SecondaryVpcId=vpc-xyz456
aws cloudformation describe-stacks --stack-name VpcPeeringPrimary --region us-east-1 \
    --query "Stacks[0].Outputs[?OutputKey=='VpcPeeringConnectionId'].OutputValue" --output text
```

  3. Confirm the peering is active in the secondary region. CloudFormation accepts same-account requests itself (cross-account peering needs PeerRoleArn); if the status still shows pending-acceptance, accept it:

```bash
aws ec2 describe-vpc-peering-connections --vpc-peering-connection-ids pcx-123abc --region us-west-2 \
    --query "VpcPeeringConnections[0].Status.Code" --output text
aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-123abc --region us-west-2
```

  4. Update the secondary stack with the peering ID so the return route is created:

```bash
aws cloudformation deploy --stack-name VpcPeeringSecondary \
    --template-file vpc-peering-secondary.yaml --region us-west-2 \
    --parameter-overrides VpcPeeringConnectionId=pcx-123abc
```

✅ Next Steps

  • 🔹 Need AWS Transit Gateway setup?
  • 🔹 Want to automate this with AWS SAM?
  • 🔹 Require NAT Gateway for internet access?