In this post we are going to learn how to connect two VPCs, whether they sit in the same Region, in different Regions or in different AWS accounts. A VPC peering connection lets the two VPCs route traffic to each other over their private IPv4 or IPv6 addresses.

A VPC peering connection is built on the existing AWS network: the traffic stays on the global AWS backbone and never traverses the public internet. It is neither a VPN nor a gateway, it has no single point of failure or bandwidth bottleneck, and inter-region peering traffic is encrypted. Two things matter for security: peering is not transitive (a VPC peered with two others gives those two no path to each other), and security groups and network ACLs still apply to every packet that crosses the peering, so the peer's CIDR must be explicitly allowed.

Requirements

  • An AWS account

Hands-On

We are going to create a VPC peering connection and test connectivity across it by launching two instances, one in each AWS Region.

Before creating a VPC peering connection we need two things from each VPC: its VPC ID, and its CIDR block, because the two VPCs cannot have overlapping CIDR blocks.

  1. Check which Region your console is currently set to; mine is Ohio (us-east-2)

2. In the AWS Management Console go to VPC

3. Click on Your VPCs

4. Note the VPC ID of the VPC you want to peer; mine is vpc-2cc07c47

5. Click on the VPC ID to check its CIDR block; in this case it is 172.31.0.0/16

6. Switch to another AWS Region; I chose N. California (us-west-1)

7. Still in N. California, go to VPC and look at the default VPC there

8. Click on the VPC ID to check its CIDR block. The default VPC in every Region uses 172.31.0.0/16, so it is the same block as in Ohio

9. Because the two CIDR blocks overlap, these two VPCs cannot be peered, so we need to create a new VPC in N. California whose CIDR does not overlap with Ohio. Go back to Your VPCs and click on Create VPC.

10. Give it a name and a different CIDR block; I am going to use 172.32.0.0/16. Note that 172.32.0.0/16 lies just outside the RFC 1918 range 172.16.0.0/12: AWS accepts it, but it is publicly routable address space, so outside a lab pick a private range such as 10.1.0.0/16 instead.

Once it is created you will get the VPC ID; for me it is vpc-019fc46061b260f32

11. Go to Subnets

12. Click on Create subnet

13. Give it a name and a CIDR block that falls inside the VPC's block (for example 172.32.0.0/24), then click on Create subnet
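The two prerequisites above (the VPC CIDRs must not overlap, and the subnet must fit inside its VPC) are easy to get wrong by eye, so here is an added example, not code from the original post, that does the arithmetic in plain POSIX sh with no AWS access. It also flags blocks outside RFC 1918 space, which is why the post's own 172.32.0.0/16 gets a warning. The addresses used are the ones from this lab.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the CIDR plan for a
# VPC peering in plain POSIX sh, with no AWS access needed.
# Usage: sh cidr_check.sh 172.31.0.0/16 172.32.0.0/16 172.32.0.0/24
#        (Ohio VPC, new N. California VPC, subnet inside the new VPC)

# Dotted quad -> 32-bit integer, e.g. 172.31.0.0 -> 2887712768
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# "a.b.c.d/n" -> "first last" as integers, e.g. 172.32.0.0/16 -> 2887778304 2887843839
cidr_range() {
    ip=${1%/*}; prefix=${1#*/}
    base=$(ip_to_int "$ip")
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    first=$(( base & mask ))
    echo "$first $(( first | (0xFFFFFFFF ^ mask) ))"
}

# True when the two blocks share at least one address (AWS refuses to peer them).
cidrs_overlap() {       # $1=cidr A  $2=cidr B
    set -- $(cidr_range "$1") $(cidr_range "$2")   # $1 $2 = A, $3 $4 = B
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# True when block B lies entirely inside block A (a subnet must fit its VPC).
cidr_contains() {       # $1=cidr A  $2=cidr B
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$3" ] && [ "$4" -le "$2" ]
}

# True when the block is inside one of the RFC 1918 private ranges.
is_rfc1918() {
    cidr_contains 10.0.0.0/8 "$1" || cidr_contains 172.16.0.0/12 "$1" \
        || cidr_contains 192.168.0.0/16 "$1"
}

# Report on a plan; exit status 1 if anything would stop the peering from working.
check_peering_plan() {  # $1=VPC A cidr  $2=VPC B cidr  $3=subnet in VPC B
    rc=0
    if cidrs_overlap "$1" "$2"; then
        echo "BLOCKER: $1 and $2 overlap; AWS will not create the peering"; rc=1
    else
        echo "ok: $1 and $2 do not overlap"
    fi
    if cidr_contains "$2" "$3"; then
        echo "ok: subnet $3 lies inside $2"
    else
        echo "BLOCKER: subnet $3 is not inside $2"; rc=1
    fi
    for c in "$1" "$2"; do
        is_rfc1918 "$c" || echo "warning: $c is outside RFC 1918 private space (publicly routable)"
    done
    return $rc
}

if [ $# -ge 3 ]; then check_peering_plan "$@"; fi
```

Run with the lab's values and it reports that 172.31.0.0/16 and 172.32.0.0/16 do not overlap, that 172.32.0.0/24 fits the new VPC, and warns that 172.32.0.0/16 is outside RFC 1918; swap the second argument for 172.31.0.0/16 and it exits 1 with the overlap blocker, which is exactly what step 9 is avoiding.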

14. Now launch an instance in N. California: go to EC2

15. Go to Instances

16. Click on launch instance

17. Select Amazon Linux 2 AMI, 64-bit

18. Select t2.micro and click on Next

19. Launch 1 instance, and select the VPC and subnet we just created

Because this instance will be reached from Ohio over the AWS backbone, it does not need a public IP or internet access, which keeps it off the internet entirely. Its security group does still have to allow SSH (TCP 22) from the Ohio VPC CIDR, 172.31.0.0/16; the launch wizard's default rule allows SSH from anywhere, which works for this lab but is far wider than needed, so tighten it to the peer CIDR.

20. Click on Review and Launch, review the configuration, and click on launch

21. In the next window create a new key pair, download it, and launch the instance.

22. Go to Instances; once the instance is running, click on the Instance ID to get its private IP

I get 172.32.0.74; we are going to need it later.

23. Now change the Region to Ohio and launch an instance there

Go to EC2

24. Click on Launch instances

25. Select Amazon Linux 2 AMI, 64-bit

26. Select the t2.micro and click Next

27. This time select the default VPC, set Auto-assign Public IP to Enable, and click on Review and Launch

28. Review the configuration and click on Launch

29. Create a new key pair, give it a name, download it and launch the instance

Go to View Instances, and once it is running click on the Instance ID to view the public and private IPs

We got the private IP address 172.31.38.176 and the public IP 3.134.92.10. Let's test the connectivity between the two Regions.

Connect to the Ohio instance using an SSH client and its key pair:

chmod 400 ohio-keypair.pem
ssh -i "ohio-keypair.pem" ec2-user@3.134.92.10

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/

and try to connect to the other instance in N. California:

ssh ec2-user@172.32.0.74
^C

The connection hangs, because the Ohio VPC has no route to 172.32.0.0/16, so interrupt it with Ctrl-C. Now let's create the VPC peering connection from Ohio to N. California.

30. In the AWS Management Console go to VPC

31. Go to Peering Connections

32. Click on Create Peering Connection.

33. Give it a name. Under VPC (Requester) select the Ohio VPC (vpc-2cc07c47). Under Accepter choose Another Region, select N. California, and paste the ID of the VPC we created there (vpc-019fc46061b260f32)

34. Once you have confirmed the configuration, click on Create Peering Connection

35. If everything is OK you will see a Success message; click on OK and you will see that the status is Pending Acceptance

36. To accept the request, switch to N. California and go to VPC

37. Go to Peering Connections

38. Select the peering connection, click on Actions, and then select Accept Request

39. In the next window click on Modify my route tables now. This takes you to the N. California route tables; it does not add any route for you

40. Confirm

41. The peering connection status changes from Pending Acceptance to Active

42. Let's modify the route tables. Routes are needed in both VPCs: each side must know that the other's CIDR is reached through the peering connection, otherwise packets get across one way but the replies have no path back and the connection still hangs. Go to Ohio, VPC

Go to Route Tables

Select the route table associated with the Ohio VPC, click on Actions, then Edit routes

Add a route with the CIDR block of the other VPC, 172.32.0.0/16, as destination and the peering connection as target

Repeat in N. California for the route table of the new VPC, this time with 172.31.0.0/16 as destination and the same peering connection as target

Save the routes and now try to connect to the host in N. California:

ssh ec2-user@172.32.0.74
The authenticity of host '172.32.0.74 (172.32.0.74)' can't be established.
ECDSA key fingerprint is SHA256:W15PQM/YYhzeCqZD66EAOD8VoonQv0yEgu4tUp9Om4s.
ECDSA key fingerprint is MD5:7c:72:3c:8f:3a:cd:ea:db:74:31:78:d3:57:d4:41:dd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.32.0.74' (ECDSA) to the list of known hosts.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Now the host responds: we reached sshd and got as far as key authentication, which fails only because the Ohio instance does not hold the N. California key.

To log in to the N. California instance you need its key pair. You can copy it to the Ohio instance and use it from there, but a private key copied onto a jump host is exposed to anyone who compromises that host; the safer option is to keep the key on your workstation and hop through Ohio with ProxyJump (ssh -J) or SSH agent forwarding (ssh -A), so the N. California key never lands on the Ohio instance.
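The connectivity part of the lab, steps 30 to 42 plus the security-group rule mentioned at step 19, as AWS CLI calls. This is an added example and not part of the original post. The Region codes are the real ones (Ohio is us-east-2, N. California is us-west-1), the VPC IDs and CIDRs are the post's own, and sg-REPLACE_ME is a placeholder for the security group of the N. California instance. The script adds the route on both sides and restricts SSH to the Ohio CIDR; setting DRY_RUN=1 prints the calls instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post): console steps 30-42 as AWS CLI
# calls. Region codes are real; VPC IDs and CIDRs are the post's own;
# sg-REPLACE_ME is a placeholder for the N. California instance's security group.
# Preview:  DRY_RUN=1 sh peer.sh run      Execute:  sh peer.sh run
set -u

REQ_REGION=us-east-2            # Ohio, requester side
REQ_VPC=vpc-2cc07c47
REQ_CIDR=172.31.0.0/16
ACC_REGION=us-west-1            # N. California, accepter side
ACC_VPC=vpc-019fc46061b260f32
ACC_CIDR=172.32.0.0/16
ACC_SG=sg-REPLACE_ME            # placeholder, replace before running for real

# Execute a command, or under DRY_RUN print it to stderr and produce no output.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "+ $*" >&2; else "$@"; fi
}

# ID of a VPC's main route table (the one a subnet uses unless told otherwise).
main_route_table() {    # $1=region  $2=vpc-id
    run aws ec2 describe-route-tables --region "$1" \
        --filters "Name=vpc-id,Values=$2" "Name=association.main,Values=true" \
        --query 'RouteTables[0].RouteTableId' --output text
}

# Steps 30-35: request the peering from Ohio; prints the pcx-... ID.
# A same-Region peering would simply omit --peer-region.
request_peering() {
    run aws ec2 create-vpc-peering-connection --region "$REQ_REGION" \
        --vpc-id "$REQ_VPC" --peer-region "$ACC_REGION" --peer-vpc-id "$ACC_VPC" \
        --query 'VpcPeeringConnection.VpcPeeringConnectionId' --output text
}

# Steps 36-41: accept in the accepter's Region; it stays pending-acceptance until then.
accept_peering() {      # $1=pcx-id
    run aws ec2 accept-vpc-peering-connection --region "$ACC_REGION" \
        --vpc-peering-connection-id "$1"
}

# Step 42, in BOTH directions. With only the Ohio route, SYNs reach N. California
# but the replies have no path back, and ssh hangs like the "before" test above.
add_routes() {          # $1=pcx-id  $2=Ohio route table  $3=N. California route table
    run aws ec2 create-route --region "$REQ_REGION" --route-table-id "$2" \
        --destination-cidr-block "$ACC_CIDR" --vpc-peering-connection-id "$1"
    run aws ec2 create-route --region "$ACC_REGION" --route-table-id "$3" \
        --destination-cidr-block "$REQ_CIDR" --vpc-peering-connection-id "$1"
}

# Allow SSH only from the Ohio VPC. A peer in another Region cannot be referenced
# by security-group ID, so the source has to be its CIDR, not 0.0.0.0/0.
allow_ssh_from_peer() { # $1=security group id
    run aws ec2 authorize-security-group-ingress --region "$ACC_REGION" \
        --group-id "$1" --protocol tcp --port 22 --cidr "$REQ_CIDR"
}

main() {
    pcx=$(request_peering); pcx=${pcx:-pcx-PREVIEW}   # PREVIEW values only appear under DRY_RUN
    accept_peering "$pcx"
    ohio_rtb=$(main_route_table "$REQ_REGION" "$REQ_VPC")
    ncal_rtb=$(main_route_table "$ACC_REGION" "$ACC_VPC")
    add_routes "$pcx" "${ohio_rtb:-rtb-OHIO-PREVIEW}" "${ncal_rtb:-rtb-NCAL-PREVIEW}"
    allow_ssh_from_peer "$ACC_SG"
}

# Only run end to end when asked, so the functions can be sourced and reused.
if [ "${1:-}" = run ]; then main; fi
```

The credentials the script runs under need ec2:CreateVpcPeeringConnection in Ohio and ec2:AcceptVpcPeeringConnection in N. California; for a cross-account peering the accept step is done by the other account, and a --peer-owner-id is added to the request. The clean-up section's delete-route and delete-vpc-peering-connection steps are the inverse of add_routes and request_peering.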

Great, with this we finish this lab. In further posts we are going to go deeper into AWS and its services.

Clean-Up

  1. In each Region go to EC2, select Instances, select the instance we launched and terminate it.

2. Go to VPC, Peering Connections, select the connection and click on Delete VPC Peering Connection

3. In the first Region (Requester) go to Route Tables, edit the routes, delete the entry that targets the VPC peering connection, and save changes

4. In the second Region go to VPC, select the VPC we created for the lab, click on Actions, Delete VPC (this also removes its route table and the return route)

5. In each Region go to EC2, Key Pairs, select and delete the key pairs we created for the lab