In this post we are going to learn how to connect two VPCs in the same Region, across Regions and across AWS accounts; this allows traffic to be routed between their IPv4 and IPv6 addresses.
A VPC Peering connection uses the AWS infrastructure: the traffic always stays on the global AWS backbone and never traverses the public internet. It is not a VPN or a gateway, it has no single point of failure, and all inter-region traffic is encrypted.
- An AWS Account
We are going to create a VPC peering connection and test the connectivity between the VPCs by launching two instances, one in each AWS Region.
As a prerequisite for creating a VPC Peering connection we need to know the VPC ID of both VPCs, and we need to know their CIDR blocks, because the two VPCs can't have overlapping CIDR blocks.
1. Check which Region your account is currently in, mine is the Ohio Region
2. On the AWS Management Console go to VPC
3. Click on Your VPCs
4. On the VPC we are interested in, note your VPC ID, mine is vpc-2cc07c47
5. Click on the VPC ID to check the CIDR Block, in this case I have 172.31.0.0/16
6. Go to another AWS Region, I chose N. California
7. As in the first Region, go to VPC; you will need to know this VPC ID to connect the two Regions
8. Click on the VPC ID to check what the CIDR block is, I have the same CIDR block as Ohio, 172.31.0.0/16
9. As they have the same CIDR block, we need to create a new VPC so the CIDRs do not overlap: go back to VPC and click on Create a VPC.
10. Give it a name and put a different CIDR block, I'm going to use 126.96.36.199/16
Once it is created you will get the VPC ID, for me it is vpc-019fc46061b260f32
11. Go to Subnets
12. Click on Create subnet
13. Give it a name, put a CIDR block that lies inside the VPC's CIDR block, and click on Create subnet
14. Launch an instance in N. California: go to EC2
15. Go to Instances
16. Click on launch instance
17. Select Amazon Linux 2 AMI - 64 bits
18. Select t2.micro and click on Next
19. Launch 1 instance, and select the new VPC and subnet we created
As this instance is going to be accessed from Ohio through the AWS backbone, it does not need a Public IP or internet access.
20. Click on Review and Launch, review the configuration, and click on launch
21. Create a new keypair in the next window, download it and Launch the instance.
22. Go to Instances and, once the instance is running, click on the Instance ID to get the IP
I get 188.8.131.52, we are going to need it later.
23. Now let's change the Region to Ohio and launch an instance
Go to EC2
24. Click on Launch instances
25. Select Amazon Linux 2 - 64 bits
26. Select the t2.micro and click Next
27. This time select the default VPC and select Auto-Allocate Public IP, and click on Review and Launch
28. Review the configuration and click on Launch
29. Create a new keypair, give it a name, download and Launch the instance
Go to View Instances and, once it is running, click on the Instance ID to view the public IP and private IP
We got the private IP address 172.31.38.176 and the public IP 184.108.40.206; let's test the connectivity between the two Regions.
Connect to the Ohio instance using an SSH client and the keypair:
chmod 400 ohio-keypair.pem
ssh -i "ohio-keypair.pem" email@example.com

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
and try to connect to the other instance in N. California:
ssh firstname.lastname@example.org
^C
We can't, so now let's make the VPC Peering connection from Ohio to N. California
30. On the AWS Management Console, go to VPC
31. Go to Peering Connections
32. Click on Create Peering Connection.
33. Give it a name; under VPC (Requester) select the VPC ID from Ohio, select the other Region, and enter the VPC ID of the accepter VPC
34. Once you confirm the configuration, click on Create Peering Connection
35. If everything is ok you will see a Success message; click on OK and you will see that the status is Pending Acceptance
36. Now to accept the request, go to N.California, go to VPC
37. Go to Peering Connections
38. And select the Peering connection and click on Actions, and then select Accept Request
39. In the next window, click on Modify my route tables now
40. The peering connection is going to pass from Pending to Active
41. Let's modify the route tables: go to Ohio, VPC
Go to Route tables
Select the route table associated with the VPC, and click on Actions, Edit routes
Add a route with the CIDR block of the other VPC as destination and the peering connection as Target
Save the routes and now try to connect to the host in N. California:
ssh email@example.com
The authenticity of host '220.127.116.11 (18.104.22.168)' can't be established.
ECDSA key fingerprint is SHA256:W15PQM/YYhzeCqZD66EAOD8VoonQv0yEgu4tUp9Om4s.
ECDSA key fingerprint is MD5:7c:72:3c:8f:3a:cd:ea:db:74:31:78:d3:57:d4:41:dd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '22.214.171.124' (ECDSA) to the list of known hosts.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Now the host is responding.
If you want to log in to the N. California instance, copy its keypair to the Ohio instance first and use it to connect to N. California.
Great, with this we finish this lab; in further posts we are going to go deeper into AWS and its services.
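The two requirements the lab relied on, non-overlapping CIDR blocks (step 9) and a route on each side pointing the peer CIDR at the peering connection (step 41), can be checked before touching the console. The following is an added example, not code from the original post; the second CIDR block and the pcx- ID are constructed placeholders.

```python
"""Pre-flight checks for a VPC peering connection (added example).
Verifies the CIDR blocks do not overlap, that a subnet fits its VPC, and
derives the route entry each side must add: destination = peer CIDR,
target = the peering connection ID."""
import ipaddress
from typing import Dict, List


def cidrs_overlap(a: str, b: str) -> bool:
    """True if the two CIDR blocks share any address; AWS rejects peering then."""
    net_a = ipaddress.ip_network(a, strict=True)
    net_b = ipaddress.ip_network(b, strict=True)
    if net_a.version != net_b.version:
        return False  # an IPv4 block and an IPv6 block never overlap
    return net_a.overlaps(net_b)


def subnet_in_vpc(subnet_cidr: str, vpc_cidr: str) -> bool:
    """True if the subnet CIDR lies entirely inside the VPC CIDR (step 13)."""
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if subnet.version != vpc.version:
        return False
    return subnet.subnet_of(vpc)


def peering_routes(req_cidr: str, acc_cidr: str, pcx_id: str) -> List[Dict[str, str]]:
    """Routes for the requester and accepter route tables, or ValueError on overlap."""
    if cidrs_overlap(req_cidr, acc_cidr):
        raise ValueError(f"CIDR blocks overlap: {req_cidr} and {acc_cidr}")
    return [
        {"side": "requester", "destination": acc_cidr, "target": pcx_id},
        {"side": "accepter", "destination": req_cidr, "target": pcx_id},
    ]


if __name__ == "__main__":
    # Both default VPCs use 172.31.0.0/16, so peering them is impossible.
    print(cidrs_overlap("172.31.0.0/16", "172.31.0.0/16"))  # True
    # Ohio default VPC vs a constructed non-overlapping block for the new VPC;
    # the pcx- ID is a placeholder, not a real peering connection.
    for route in peering_routes("172.31.0.0/16", "10.20.0.0/16", "pcx-0123456789abcdef0"):
        print(route)
```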
1. In each Region go to EC2, select Instances, select the instance we launched and terminate it.
2. Go to VPC, Peering Connections, select the connection and click on Delete VPC Peering Connection
3. In the first Region (Requester) go to Route Tables, edit the routes, delete the entry pointing to the VPC Peering connection, and save the changes
4. In the second Region go to VPC, select the VPC we created for the lab and click on Actions, Delete VPC
5. In each Region go to EC2, Key Pairs, then select and delete the key pairs we created for the lab