This demo showcases AWS VPC Peering by creating two VPCs in different AWS regions and establishing a peering connection between them. This allows resources in both VPCs to communicate with each other using private IP addresses.
```
┌─────────────────────────────────────┐     ┌─────────────────────────────────────┐
│ Primary VPC (us-east-1)             │     │ Secondary VPC (us-west-2)           │
│ CIDR: 10.0.0.0/16                   │     │ CIDR: 10.1.0.0/16                   │
│                                     │     │                                     │
│ ┌───────────────────────────────┐   │     │ ┌───────────────────────────────┐   │
│ │ Subnet: 10.0.1.0/24           │   │     │ │ Subnet: 10.1.1.0/24           │   │
│ │ ┌─────────────────────────┐   │   │     │ │ ┌─────────────────────────┐   │   │
│ │ │ EC2 Instance            │   │   │     │ │ │ EC2 Instance            │   │   │
│ │ │ Private IP: 10.0.1.x    │   │   │     │ │ │ Private IP: 10.1.1.x    │   │   │
│ │ └─────────────────────────┘   │   │     │ │ └─────────────────────────┘   │   │
│ └───────────────────────────────┘   │     │ └───────────────────────────────┘   │
│                                     │     │                                     │
│ Internet Gateway                    │     │ Internet Gateway                    │
└─────────────────┬───────────────────┘     └─────────────────┬───────────────────┘
                  │                                           │
                  └────────────────VPC Peering────────────────┘
```
Two VPCs:
- Primary VPC in us-east-1 (10.0.0.0/16)
- Secondary VPC in us-west-2 (10.1.0.0/16)

Subnets:
- One public subnet in each VPC
- Configured with auto-assign public IP

Internet Gateways:
- One for each VPC to allow internet access

Route Tables:
- Custom route tables with routes to the internet and to the peered VPC
- Routes for VPC peering traffic

VPC Peering Connection:
- Cross-region peering between the two VPCs
- Automatic acceptance configured

EC2 Instances:
- One t2.micro instance in each VPC
- Running Amazon Linux 2
- Apache web server installed
- Custom web page showing VPC information

Security Groups:
- SSH access from anywhere (port 22)
- ICMP (ping) allowed from peered VPC
- All TCP traffic allowed between VPCs
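The networking half of the components above, written out as an added Terraform example (this is not the lesson's own code): provider aliases for the two regions, the peering requester and accepter, the peering routes in both route tables, and a security group whose cross-VPC rules are scoped to the peer's CIDR. Subnets, internet gateways and instances are left out to keep it short, and `admin_cidr` is an assumed variable for the SSH source range (the demo itself opens port 22 to 0.0.0.0/0).

```hcl
# Added example, not the lesson's own code: the peering half of the demo, without
# subnets, IGWs or instances. admin_cidr is an assumed variable (the demo opens 22 to all).
provider "aws" {                # default provider: requester side
  region = "us-east-1"
}

provider "aws" {                # aliased provider: accepter side
  alias  = "west"
  region = "us-west-2"
}

variable "admin_cidr" {         # source CIDR allowed to reach port 22
  type = string
}

resource "aws_vpc" "primary" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_vpc" "secondary" {
  provider   = aws.west
  cidr_block = "10.1.0.0/16"    # must not overlap the primary CIDR
}

# Requester side. A cross-region peering cannot be auto-accepted here;
# acceptance is a separate resource created with the peer-region provider.
resource "aws_vpc_peering_connection" "this" {
  vpc_id      = aws_vpc.primary.id
  peer_vpc_id = aws_vpc.secondary.id
  peer_region = "us-west-2"
  auto_accept = false
}

resource "aws_vpc_peering_connection_accepter" "this" {
  provider                  = aws.west
  vpc_peering_connection_id = aws_vpc_peering_connection.this.id
  auto_accept               = true
}

resource "aws_route_table" "primary" {
  vpc_id = aws_vpc.primary.id
}

resource "aws_route_table" "secondary" {
  provider = aws.west
  vpc_id   = aws_vpc.secondary.id
}

# Peering routes in both directions; a one-sided route sends packets out
# through the pcx but never brings the replies back.
resource "aws_route" "primary_to_secondary" {
  route_table_id            = aws_route_table.primary.id
  destination_cidr_block    = aws_vpc.secondary.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.this.id
}

resource "aws_route" "secondary_to_primary" {
  provider                  = aws.west
  route_table_id            = aws_route_table.secondary.id
  destination_cidr_block    = aws_vpc.primary.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.this.id
}

# Primary-side security group: cross-VPC rules are scoped to the peer's
# CIDR, not 0.0.0.0/0. The secondary side mirrors this with CIDRs swapped.
resource "aws_security_group" "primary" {
  vpc_id = aws_vpc.primary.id
  ingress {                     # SSH from the admin network only
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  ingress {                     # all ICMP (ping) from the peered VPC
    from_port   = -1
    to_port     = -1
    protocol    = "icmp"
    cidr_blocks = [aws_vpc.secondary.cidr_block]
  }

  ingress {                     # HTTP from the peered VPC
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.secondary.cidr_block]
  }

  egress {                      # Terraform removes AWS's default allow-all
    from_port   = 0             # egress, so it must be declared explicitly
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

output "peering_status" {       # should read "active" after apply
  value = aws_vpc_peering_connection_accepter.this.accept_status
}
```

Two design points worth noting: the accepter's `id` is the same pcx id as the requester's, so the west-side route can reference it and thereby depend on acceptance having happened; and using the peer VPC's `cidr_block` attribute in both the route and the security group keeps the two in step if the CIDR is ever changed.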
Prerequisites:
- AWS Account with appropriate permissions
- AWS CLI configured with credentials
- Terraform installed (version >= 1.0)
- SSH Key Pair created in both regions (use the same name)

```bash
# For us-east-1
aws ec2 create-key-pair --key-name vpc-peering-demo --region us-east-1 --query 'KeyMaterial' --output text > vpc-peering-demo.pem
# For us-west-2 (key pairs are regional: this call generates a second, different private key)
aws ec2 create-key-pair --key-name vpc-peering-demo --region us-west-2 --query 'KeyMaterial' --output text > vpc-peering-demo-west.pem
# Set permissions (on Linux/Mac) on both private key files
chmod 400 vpc-peering-demo.pem vpc-peering-demo-west.pem
```

Change into the lesson directory:

```bash
cd lessons/day15
```

Copy the example tfvars file and update it:

```bash
cp terraform.tfvars.example terraform.tfvars
```

Edit terraform.tfvars and add your key pair name:

```hcl
key_name = "vpc-peering-demo"
```

Initialize, plan and apply:

```bash
terraform init
terraform plan
terraform apply
```

Type yes when prompted.
After the infrastructure is created, you can test the VPC peering connection. Read the instance addresses from the Terraform outputs first:

```bash
terraform output
```

```bash
# SSH into Primary instance
ssh -i vpc-peering-demo.pem ec2-user@<PRIMARY_PUBLIC_IP>
# Ping the Secondary instance using its private IP
ping <SECONDARY_PRIVATE_IP>
# Test HTTP connectivity
curl http://<SECONDARY_PRIVATE_IP>
```

```bash
# SSH into Secondary instance (use the key generated in us-west-2)
ssh -i vpc-peering-demo-west.pem ec2-user@<SECONDARY_PUBLIC_IP>
# Ping the Primary instance using its private IP
ping <PRIMARY_PRIVATE_IP>
# Test HTTP connectivity
curl http://<PRIMARY_PRIVATE_IP>
```

This demo demonstrates:

VPC peering:
- Cross-region VPC peering connection
- Peering connection requester and accepter
- Automatic acceptance configuration

Routing:
- Route tables with peering routes
- Traffic routing between VPCs
- Internet gateway routes

Security groups:
- Security groups allowing cross-VPC traffic
- ICMP and TCP rules
- Proper egress rules

Multi-region Terraform:
- Using provider aliases for different regions
- Cross-region resource dependencies
- Regional AMI selection

VPC CIDR blocks must not overlap for peering to work:
- Primary VPC: 10.0.0.0/16
- Secondary VPC: 10.1.0.0/16
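The instance half of the demo, as an added Terraform example that is not the lesson's own code: the Amazon Linux 2 AMI is looked up separately under each provider alias (AMI ids are regional, which is what "regional AMI selection" refers to), one t2.micro is launched per VPC with Apache installed from user data, and the public and private addresses are exposed as outputs for the test step. The subnet and security-group ids are assumed input variables so the block stands on its own; `key_name` is the key pair created in both regions.

```hcl
# Added example, not the lesson's own code: per-region AMI lookup, one
# instance per VPC, and the outputs read back with "terraform output".
# Assumed inputs: subnet and security-group ids created by the networking side.
provider "aws" {
  region = "us-east-1"
}

provider "aws" {
  alias  = "west"
  region = "us-west-2"
}

variable "key_name" { type = string }            # same key-pair name in both regions
variable "primary_subnet_id" { type = string }
variable "primary_sg_id" { type = string }
variable "secondary_subnet_id" { type = string }
variable "secondary_sg_id" { type = string }

# AMI ids are regional: the same Amazon Linux 2 build has a different id in
# each region, so the lookup is repeated under each provider alias.
data "aws_ami" "al2_east" {
  most_recent = true
  owners      = ["amazon"]
  filter {
    name   = "name"
    values = ["amzn2-ami-hvm-*-x86_64-gp2"]
  }
}

data "aws_ami" "al2_west" {
  provider    = aws.west
  most_recent = true
  owners      = ["amazon"]
  filter {
    name   = "name"
    values = ["amzn2-ami-hvm-*-x86_64-gp2"]
  }
}

# Bootstrap: install Apache and publish the instance's private IP on the page.
# The metadata service is queried with an IMDSv2 token, because IMDSv1 is
# disabled on the instances below (http_tokens = "required").
locals {
  user_data = <<-EOT
    #!/bin/bash
    yum install -y httpd
    TOKEN=$(curl -s -X PUT http://169.254.169.254/latest/api/token \
      -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
    IP=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" \
      http://169.254.169.254/latest/meta-data/local-ipv4)
    echo "<h1>$(hostname) with private IP $IP</h1>" > /var/www/html/index.html
    systemctl enable --now httpd
  EOT
}

resource "aws_instance" "primary" {
  ami                    = data.aws_ami.al2_east.id
  instance_type          = "t2.micro"
  subnet_id              = var.primary_subnet_id
  vpc_security_group_ids = [var.primary_sg_id]
  key_name               = var.key_name
  user_data              = local.user_data
  metadata_options {
    http_tokens = "required"   # IMDSv2 only
  }
  tags = { Name = "primary-instance" }
}

resource "aws_instance" "secondary" {
  provider               = aws.west
  ami                    = data.aws_ami.al2_west.id
  instance_type          = "t2.micro"
  subnet_id              = var.secondary_subnet_id
  vpc_security_group_ids = [var.secondary_sg_id]
  key_name               = var.key_name
  user_data              = local.user_data
  metadata_options {
    http_tokens = "required"   # IMDSv2 only
  }
  tags = { Name = "secondary-instance" }
}

output "primary_public_ip" { value = aws_instance.primary.public_ip }
output "primary_private_ip" { value = aws_instance.primary.private_ip }
output "secondary_public_ip" { value = aws_instance.secondary.public_ip }
output "secondary_private_ip" { value = aws_instance.secondary.private_ip }
```

After `terraform apply`, `terraform output` prints the four addresses to paste into the ssh, ping and curl commands in the test step; the instances pick up public IPs from the subnet's auto-assign setting, and the curl across the peering should return the page containing the peer's 10.x private IP.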
This demo creates resources that incur AWS charges:
- EC2 instances (t2.micro)
- Data transfer between regions
- VPC peering data transfer

Remember to destroy resources when done:

```bash
terraform destroy
```

Limitations of VPC peering:
- VPC peering is not transitive (if A peers with B, and B peers with C, A cannot communicate with C)
- VPC peering does not support edge-to-edge routing
- Maximum of 125 peering connections per VPC
Troubleshooting:

If the instances cannot reach each other:
- Check security groups allow traffic from the peered VPC CIDR
- Verify route tables have routes to the peered VPC
- Ensure VPC peering connection is in "active" state
- Check NACL rules (if configured)

If the peering connection is not established:
- Ensure auto_accept is set to true in accepter resource
- Check IAM permissions for cross-region operations
- Verify VPC CIDR blocks don't overlap

If you cannot SSH to an instance:
- Verify key pair exists in the correct region
- Check security group allows SSH (port 22)
- Ensure instance has a public IP address
- Verify internet gateway and route table configuration
To avoid ongoing charges, destroy all resources:

```bash
terraform destroy
```

Type yes when prompted. This will remove:
- EC2 instances
- VPC peering connection
- Security groups
- Route tables
- Subnets
- Internet gateways
- VPCs
After completing this demo, you will understand:
- How to create VPC peering connections between regions
- How to configure routing for VPC peering
- How to set up security groups for cross-VPC communication
- How to use Terraform provider aliases for multi-region deployments
- How to test and verify VPC peering connectivity
To extend this demo, you could:
- Add more subnets (private subnets)
- Implement NAT gateways
- Add VPC Flow Logs for traffic analysis
- Create additional EC2 instances
- Set up a VPN connection
- Implement Transit Gateway for complex topologies