VPC Peering: What It Is and When to Use It

Definition

Amazon VPC Peering is a networking feature that creates a direct, private connection between two Virtual Private Clouds (VPCs). This connection allows resources in either VPC, such as Amazon EC2 instances, to communicate with each other using private IPv4 or IPv6 addresses as if they were part of the same network, without traversing the public internet.

How It Works

VPC Peering establishes a one-to-one relationship between two VPCs. The process involves a request-and-accept protocol: the owner of one VPC sends a peering request, and the owner of the second VPC must accept it. These VPCs can be in the same AWS account or different accounts, and even in different AWS Regions (known as Inter-Region VPC Peering).

Once the connection is active, the following steps are required to enable traffic flow:

  1. Update Route Tables: The owner of each VPC must add a route to their respective subnet route tables. This route specifies the CIDR block of the peer VPC as the destination and the VPC peering connection ID as the target.
  2. Configure Security Groups: Security Groups in each VPC must be configured to allow traffic to and from the CIDR block of the peer VPC. For VPCs peered within the same region, you can reference a security group from the peer VPC directly in your security group rules, which is more secure and dynamic than using CIDR ranges.

Traffic between peered VPCs always stays on the global AWS backbone and never traverses the public internet. Because peering uses the existing, highly available VPC infrastructure rather than a physical gateway device, it avoids the bandwidth bottlenecks and single points of failure that a gateway appliance would introduce.

Key Features and Limits

  • Connectivity: Supports both IPv4 and IPv6 traffic.
  • Cross-Account & Cross-Region: VPCs can be peered across different AWS accounts and different AWS Regions.
  • DNS Resolution: By default, public DNS hostnames of instances in a peered VPC resolve to their public IP addresses. You can enable DNS resolution on the peering connection, which allows public DNS hostnames to resolve to private IP addresses across the peered VPCs.
  • Security Group Referencing: For VPCs peered within the same AWS Region, you can reference a security group from the peer VPC in your security group's inbound or outbound rules. This is not supported for inter-region peering; you must use CIDR blocks instead.
  • CIDR Block Restriction: VPC Peering connections cannot be created between VPCs that have matching or overlapping IPv4 or IPv6 CIDR blocks.
  • Non-Transitive Routing: VPC Peering is strictly non-transitive. If VPC A is peered with VPC B, and VPC B is peered with VPC C, there is no implied connection between VPC A and VPC C. A separate, direct peering connection must be created between VPC A and VPC C for them to communicate.
  • Service Quotas (Limits): By default, you can have up to 50 active VPC peering connections per VPC. This limit can be increased to a maximum of 125 by requesting a quota increase.
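The two setup steps above and the limits just listed, worked through as an added Python example (not AWS code, and no AWS API is called): it rejects a request between overlapping CIDR blocks or beyond the per-VPC quota, derives the route each owner must add, chooses a security-group reference or a CIDR block depending on whether both VPCs share a Region, and shows that reachability is direct-only. The VPC and peering IDs and the CIDR ranges are constructed placeholders.

```python
from collections import namedtuple
from ipaddress import ip_network

DEFAULT_QUOTA = 50  # default active peerings per VPC; can be raised to 125 by quota request

# Constructed placeholder records, not real AWS resources; cidrs is a tuple of CIDR strings.
Vpc = namedtuple("Vpc", "vpc_id region cidrs")
Peering = namedtuple("Peering", "pcx_id requester accepter")

def overlapping(a, b):
    """True if any block of a overlaps any block of b with the same IP version."""
    return any(x.version == y.version and x.overlaps(y)
               for x in map(ip_network, a.cidrs) for y in map(ip_network, b.cidrs))

def validate_request(a, b, existing, quota=DEFAULT_QUOTA):
    """Reasons a peering request would be rejected; an empty list means it can be created."""
    problems = []
    if a.vpc_id == b.vpc_id:
        problems.append("a VPC cannot be peered with itself")
    if overlapping(a, b):
        problems.append("matching or overlapping CIDR blocks")
    for v in (a, b):
        active = sum(v in (p.requester, p.accepter) for p in existing)
        if active >= quota:
            problems.append(f"{v.vpc_id}: {active} active peerings, quota is {quota}")
    return problems

def routes_for(p):
    """Route each owner adds to its subnet route tables: destination = peer CIDR, target = pcx."""
    return {p.requester.vpc_id: [(c, p.pcx_id) for c in p.accepter.cidrs],
            p.accepter.vpc_id: [(c, p.pcx_id) for c in p.requester.cidrs]}

def sg_rule_source(p, peer, peer_sg):
    """Same-Region peering may reference the peer's security group; inter-Region must use CIDRs."""
    return [peer_sg] if p.requester.region == p.accepter.region else list(peer.cidrs)

def can_reach(src, dst, peerings):
    """Non-transitive: only a direct connection counts, never a path through a third VPC."""
    return any({src, dst} == {p.requester, p.accepter} for p in peerings)

# Constructed sample topology: A-B and B-D are peered; C overlaps A's address space.
A = Vpc("vpc-aaaa", "us-east-1", ("10.0.0.0/16",))
B = Vpc("vpc-bbbb", "us-east-1", ("10.1.0.0/16",))
C = Vpc("vpc-cccc", "eu-west-1", ("10.0.128.0/17",))
D = Vpc("vpc-dddd", "eu-west-1", ("10.2.0.0/16",))
PEERINGS = [Peering("pcx-0001", A, B), Peering("pcx-0002", B, D)]

if __name__ == "__main__":
    print(validate_request(A, C, PEERINGS))  # overlapping CIDRs: the request is rejected
    print(can_reach(A, D, PEERINGS))         # False: A-B-D is not a path, peering is non-transitive
```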

Common Use Cases

  1. Shared Services: A common pattern is to create a central VPC that hosts shared services like authentication, logging, monitoring, or CI/CD tools. Other VPCs (e.g., for development, testing, production) can then peer with the central VPC to access these services privately.
  2. Multi-Account Environments: In organizations that use multiple AWS accounts to isolate workloads or departments, VPC peering provides a simple way to enable cross-account network connectivity for resource sharing.
  3. Mergers and Acquisitions: When two companies merge, VPC peering can be used to quickly establish network connectivity between their respective AWS environments without complex VPN setups.
  4. Multi-Tier Application Isolation: A multi-tier application can be split across different VPCs for security and administrative separation (e.g., web tier in VPC A, database tier in VPC B), with a peering connection allowing private communication between the tiers.

Pricing Model

Creating the VPC peering connection itself is free. However, data transfer charges may apply:

  • Data transfer within the same Availability Zone (AZ): Free.
  • Data transfer across different AZs (within the same Region): Incurs standard in-region data transfer charges.
  • Data transfer across different Regions (Inter-Region Peering): Incurs standard inter-region data transfer charges, which are higher than intra-region rates.

Traffic flowing over a peering connection is billed to the AWS account that initiates the data transfer.

Pros and Cons

Pros:

  • Simplicity: Easy to set up and manage for a small number of VPCs.
  • Performance: Offers low latency and high bandwidth as traffic uses the AWS private backbone without any gateway bottlenecks.
  • Security: Traffic does not traverse the public internet, reducing exposure to external threats.
  • Cost-Effective: No hourly charges for the connection itself, making it a cost-effective solution for simple topologies.

Cons:

  • Scalability Challenges: Managing connections becomes complex at scale. A full mesh network of 'n' VPCs requires n(n-1)/2 peering connections, which is difficult to manage.
  • Non-Transitive: The lack of transitive routing means you cannot use a central VPC as a transit point, requiring a mesh of connections for full connectivity.
  • CIDR Overlap Restriction: The strict requirement for non-overlapping CIDR blocks can be a major constraint, especially in large organizations or after mergers.

Comparison with Alternatives

VPC Peering vs. AWS Transit Gateway

The primary alternative to VPC Peering for interconnecting multiple VPCs is the AWS Transit Gateway.

| Feature | VPC Peering | AWS Transit Gateway |
| :--- | :--- | :--- |
| Topology | Point-to-point (1:1) | Hub-and-spoke |
| Routing | Non-transitive | Transitive |
| Scalability | Becomes complex with >10 VPCs (mesh) | Highly scalable; simplifies management for hundreds of VPCs |
| Management | Each connection managed individually | Centralized routing and management |
| On-Premises | Each VPC needs its own VPN/Direct Connect | Connect on-premises once to the TGW to reach all attached VPCs |
| Pricing | No hourly charge; data transfer costs only | Per-hour charge per attachment + data processing charge |

When to choose VPC Peering: Ideal for simple scenarios connecting a small number of VPCs (<10) where transitive routing is not required.

When to choose AWS Transit Gateway: The better choice for large-scale deployments, complex network architectures, or when you need to connect many VPCs and on-premises networks through a central hub.

Exam Relevance

VPC Peering is a fundamental networking topic that frequently appears on several AWS certification exams:

  • AWS Certified Solutions Architect - Associate (SAA-C03): Expect questions on the basic setup, the non-transitive nature of peering, and when to choose it over a Transit Gateway.
  • AWS Certified Solutions Architect - Professional (SAP-C02): Questions may involve more complex multi-account or hybrid scenarios, requiring a deep understanding of routing and security group configurations.
  • AWS Certified Advanced Networking - Specialty (ANS-C01): Deep-dive questions covering limitations, DNS resolution options, security group referencing, and performance considerations are common.

Key concepts to master for exams include: non-transitive routing, the requirement for non-overlapping CIDRs, updating route tables, and security group referencing.

Frequently Asked Questions

Q: Can you create a VPC peering connection between VPCs with overlapping CIDR blocks?

A: No. AWS does not permit a VPC peering connection to be established between two VPCs that have matching or overlapping CIDR blocks. The request will fail immediately. This is a critical constraint to consider during network design.

Q: Is VPC Peering transitive?

A: No, VPC Peering is not transitive. This means if VPC A is peered with VPC B, and VPC B is peered with VPC C, VPC A cannot send traffic to VPC C through VPC B. To enable communication between VPC A and VPC C, you must create a direct peering connection between them.

Q: Can I reference a security group from a peered VPC in my own security group rules?

A: Yes, but only if the peered VPCs are in the same AWS Region. This allows you to create rules based on the security group ID of an instance in the peer VPC (e.g., sg-12345678) instead of its IP address range. For inter-region VPC peering, you must use the CIDR block of the peer VPC in your security group rules.


This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.

Published: 5/10/2026 / Updated: 5/10/2026
