Kentik - Network Observability

What is VPC Peering?

There’s a good chance you’ve heard of VPC peering if you build and manage applications on public clouds such as GCP or AWS. This article explains what VPC peering is, how it works, and how Kentik’s network observability platform can be used to reduce the complications that can arise when using VPC peering.

VPC peering is a technique for securely connecting two or more virtual private clouds, or VPCs. According to Amazon, a VPC peering connection is “a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses.” Once connected by a VPC peering connection, instances in either VPC can communicate with each other just as if they were on the same network.

In modern network architectures that include multiple clouds, VPC peering offers important security and performance benefits. However, it’s important to ensure that you properly observe and manage VPC peering configurations in order to avoid potential network performance issues.

How VPC Peering Works: Multi-VPC Connections

[Figure: VPC peering]

A VPC is an isolated environment within a public cloud that allows organizations to host resources in that cloud without directly exposing them to the public Internet. As such, a VPC lets you set up a private network within a public cloud. By isolating workloads on a private network, VPCs provide an added layer of security.

If all of your workloads run within a single cloud, you can use just one VPC to host any resources that require private connectivity.

But what if you use multiple clouds, and have a VPC (or multiple VPCs) set up in each one of them? That’s where VPC peering comes in. With VPC peering, you can establish private connections between two or more VPCs.

When you set up VPC peering between clouds, resources running in different public clouds can communicate with each other as if they were hosted in the same cloud and running on the same private network.

The Advantages of VPC Peering

VPC peering offers several important advantages.

1. Enhanced Security: Perhaps the most obvious benefit of VPC peering is security. Without VPC peering, workloads running in distinct clouds would have to communicate over the public internet. This requirement would significantly increase their exposure to potential attack or abuse. With VPC peering, however, private network communications between VPCs are never exposed to the internet.

2. Reduced Network Latency: VPC peering can also reduce network latency by eliminating the need to route traffic across the internet in order to enable communications between clouds. In this way, VPC peering may enhance network performance.

3. Reduced Network Costs: Finally, because public cloud providers often charge lower egress fees for data transferred over VPC peering connections than for data sent across the public internet, VPC peering can help reduce your cloud data egress bills.

VPC Peering Limitations

While VPC peering offers numerous advantages, it’s important to be aware of its limitations:

  • Connection Quotas: Public cloud providers may impose quotas on the number of active and pending VPC peering connections per VPC. Be sure to check the specific quotas for your cloud provider.

  • Overlapping CIDR Blocks: VPC peering cannot be established between VPCs with matching or overlapping IPv4 or IPv6 CIDR blocks. If multiple CIDR blocks are in use, ensure that none of them overlap.

  • Transitive Peering: VPC peering does not support transitive relationships, meaning that traffic cannot be routed through an intermediate VPC. To establish connectivity between two VPCs, a direct VPC peering connection is required.

  • Edge-to-Edge Routing Limitations: Resources in one VPC cannot use another VPC’s internet gateway, NAT device, VPN connection, AWS Direct Connect connection, or gateway endpoint to access external networks or services.

  • Inter-Region VPC Peering Constraints: When using inter-region VPC peering, certain restrictions apply, such as the inability to reference peer VPC security groups in security group rules or to use jumbo frames (MTUs up to 9001 bytes) for data transmission. Additionally, DNS resolution support must be enabled to resolve the private DNS hostnames of peered VPCs to private IP addresses.

  • IPv6 Limitations: IPv6 communication is not supported between a linked Amazon EC2-Classic instance and instances in a VPC on the other side of a VPC peering connection, as IPv6 is not supported in EC2-Classic.
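The overlapping-CIDR and transitive-peering rules above are the two limitations most often tripped over when a peering plan is drawn up on a whiteboard. The following is an added example, not Kentik’s or any cloud provider’s code: it takes a constructed inventory of VPCs and requested peerings, reports which peerings would be refused for overlapping blocks, which VPC pairs look connected through a shared peer but have no path, and which route-table entries each VPC actually needs. The VPC names, CIDR blocks and "pcx(...)" targets are placeholders; a real check would read them from the provider’s API.

```python
"""Check a proposed VPC peering plan against two of the limitations above:
overlapping CIDR blocks and the absence of transitive routing.

Added example, not Kentik's or any cloud provider's code. The VPC names,
CIDR blocks, peering list and "pcx(...)" targets are constructed for
illustration; a real check would read them from the provider's API.
"""
import ipaddress
from itertools import combinations

# Constructed inventory: each VPC may carry several CIDR blocks.
VPCS = {
    "vpc-prod": ["10.0.0.0/16", "10.1.0.0/16"],
    "vpc-analytics": ["10.2.0.0/16"],
    "vpc-shared": ["10.0.128.0/17"],  # sits inside vpc-prod's 10.0.0.0/16
    "vpc-dev": ["172.16.0.0/16"],
}

# Constructed list of requested peering connections (unordered pairs).
PEERINGS = [
    ("vpc-prod", "vpc-analytics"),
    ("vpc-prod", "vpc-shared"),
    ("vpc-analytics", "vpc-dev"),
]


def networks(vpc, vpcs=VPCS):
    """Parse a VPC's CIDR strings into ip_network objects (IPv4 or IPv6)."""
    return [ipaddress.ip_network(cidr) for cidr in vpcs[vpc]]


def overlapping_pairs(peerings, vpcs=VPCS):
    """Return the peerings the provider would refuse because a CIDR block
    on one side overlaps a block on the other."""
    refused = []
    for a, b in peerings:
        if any(x.overlaps(y) for x in networks(a, vpcs) for y in networks(b, vpcs)):
            refused.append((a, b))
    return refused


def can_route(src, dst, peerings):
    """Traffic flows only over a direct peering; there is no transitive path."""
    return (src, dst) in peerings or (dst, src) in peerings


def hub_only_pairs(peerings, vpcs=VPCS):
    """VPC pairs that share a common peer but have no direct peering.

    These look connected on a hub-and-spoke diagram, yet no traffic can be
    routed between them until a direct peering is added.
    """
    adjacent = {vpc: set() for vpc in vpcs}
    for a, b in peerings:
        adjacent[a].add(b)
        adjacent[b].add(a)
    pairs = []
    for a, b in combinations(sorted(vpcs), 2):
        if b not in adjacent[a] and adjacent[a] & adjacent[b]:
            pairs.append((a, b))
    return pairs


def required_routes(peerings, vpcs=VPCS):
    """Route-table entries each VPC needs: one per peer CIDR, pointing at the
    peering connection. Only direct peers appear, which is the non-transitive
    rule made explicit."""
    routes = {vpc: [] for vpc in vpcs}
    for a, b in peerings:
        target = f"pcx({a},{b})"  # constructed stand-in for a peering-connection id
        routes[a].extend((cidr, target) for cidr in vpcs[b])
        routes[b].extend((cidr, target) for cidr in vpcs[a])
    return routes


if __name__ == "__main__":
    print("refused (overlapping CIDRs):", overlapping_pairs(PEERINGS))
    print("no path (direct peering needed):", hub_only_pairs(PEERINGS))
    for vpc, entries in required_routes(PEERINGS).items():
        print(vpc, entries)
```

Running the check on the constructed inventory flags the vpc-prod/vpc-shared peering for the overlap, and reports that vpc-dev cannot reach vpc-prod through vpc-analytics. Generating the route entries from the same peering list is a useful habit: if a route points at a peering connection that is not in the list, it is either stale or an attempt at transitive routing that will never carry traffic.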

VPC Peering and Network Observability

While VPC peering can help boost the security and performance of modern networks, it adds another layer of complexity to network architectures. Organizations must take steps to manage this complexity through network observability in order to ensure that issues with VPC peering configurations don’t disrupt network availability or performance.

Several kinds of problems can arise with VPC peering, and pinpointing the source of a problem can be difficult. Manually configured routes can cause traffic-flow problems, for example, and a service degradation in one cloud provider’s network can increase latency across every VPC peered with that provider’s VPCs.

To make matters more complicated, cloud providers themselves offer users relatively little ability to track and manage the performance of VPC peering connections. Each cloud provider focuses on helping customers manage the performance only of network resources running within its own cloud. AWS tooling will not help you troubleshoot problems with a peered VPC running in Azure, for example. AWS only tracks the performance of VPCs running within AWS.

This means that, if your team sets up VPC peering, the burden is on you to identify and manage any potential issues that arise. Network observability platforms allow you to do this by ingesting network telemetry data from multiple sources, then correlating and contextualizing that data so that you can answer questions about the state of all of your VPCs. Kentik’s network observability platform, for example, can be used to manage VPC communications in and between AWS, Google Cloud, and Microsoft Azure cloud environments.

In other words, by analyzing data sources such as flow logs, latency metrics and synthetic performance tests from across all of the cloud environments that host your VPCs, network observability tools make it possible to identify, understand and resolve performance issues that arise within the context of VPC peering. You can trace a problem with peered VPC connections to the specific cloud or configuration that triggers it.
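Flow logs are the most direct of the data sources just mentioned, and even without a platform the same kind of correlation can be done by hand. Below is an added example, not Kentik’s code, that reads AWS VPC flow log records in the default field order and pulls out two signals relevant to a peering connection: flows between the peered CIDRs that were rejected on this side, and flows that never received a reply record, which is the pattern a missing return route or rule on the peer side produces. The account id, interface ids, addresses and the two CIDRs are constructed placeholders.

```python
"""Spot two kinds of peering trouble in AWS VPC flow log records: flows
between peered CIDRs that were rejected, and flows that got no reply.

Added example, not Kentik's code. The records below are constructed in the
AWS default flow-log field order; the account id, interface ids and
addresses are placeholders, and LOCAL_CIDR / PEER_CIDR stand for the two
sides of one peering connection.
"""
import ipaddress

LOCAL_CIDR = ipaddress.ip_network("10.0.0.0/16")
PEER_CIDR = ipaddress.ip_network("10.2.0.0/16")

# Field order of the AWS default (version 2) flow log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: records captured on interfaces in the local VPC.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f60001 10.0.1.10 10.2.5.20 49152 5432 6 12 3400 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60001 10.2.5.20 10.0.1.10 5432 49152 6 10 9100 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60002 10.0.1.11 10.2.5.21 49153 443 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60003 10.0.1.12 10.2.5.22 49154 22 6 5 320 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60003 10.0.1.12 203.0.113.10 49155 443 6 8 900 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60004 - - - - - - - 1700000000 1700000060 - NODATA
"""

INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_records(text):
    """Turn raw lines into dicts; records carrying no data (NODATA/SKIPDATA) are dropped."""
    records = []
    for line in text.splitlines():
        values = line.split()
        if len(values) != len(FIELDS):
            continue  # malformed or custom-format line; ignore it
        rec = dict(zip(FIELDS, values))
        if rec["log_status"] != "OK":
            continue
        for name in INT_FIELDS:
            rec[name] = int(rec[name])
        records.append(rec)
    return records


def is_peered(rec):
    """True when the flow crosses the peering connection in either direction."""
    src = ipaddress.ip_address(rec["srcaddr"])
    dst = ipaddress.ip_address(rec["dstaddr"])
    return (src in LOCAL_CIDR and dst in PEER_CIDR) or (src in PEER_CIDR and dst in LOCAL_CIDR)


def traffic_summary(text):
    """Bytes that stayed on the peering versus bytes that went elsewhere
    (the split behind the egress-cost argument earlier in the article)."""
    totals = {"peered": 0, "other": 0}
    for rec in parse_records(text):
        totals["peered" if is_peered(rec) else "other"] += rec["bytes"]
    return totals


def peering_findings(text):
    """Flag locally originated peered flows that were REJECTed (a security
    group or network ACL on this side) or that never saw a reply record
    (the peer side's route table or security rules deserve a look)."""
    records = parse_records(text)
    seen = {(r["srcaddr"], r["dstaddr"], r["srcport"], r["dstport"]) for r in records}
    findings = []
    for r in records:
        if not is_peered(r) or ipaddress.ip_address(r["srcaddr"]) not in LOCAL_CIDR:
            continue
        reverse = (r["dstaddr"], r["srcaddr"], r["dstport"], r["srcport"])
        if r["action"] == "REJECT":
            kind = "rejected"
        elif reverse not in seen:
            kind = "no_reply"
        else:
            continue
        findings.append({"kind": kind, "interface": r["interface_id"], "src": r["srcaddr"],
                         "dst": r["dstaddr"], "dstport": r["dstport"]})
    return findings


if __name__ == "__main__":
    print(traffic_summary(SAMPLE_LOG))
    for finding in peering_findings(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the rejected flow to port 443 points at a rule on the local side, while the SSH flow with no reply record points at the peer side, which is exactly the split that matters when each provider’s console only shows you its own half of the connection. The byte totals separate traffic that stayed on the peering from traffic that left for the internet, which is the number to watch if the egress-cost benefit is part of the justification for peering.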

In turn, you can take action to ensure that your VPC peering connections fully deliver on the security, performance and cost benefits that VPC peering stands to offer.

To see how Kentik can help boost the security and performance of your organization with VPC peering, request a demo or sign up for a free trial today.

Frequently Asked Questions: VPC Peering

Q: What is a VPC?

A: A VPC (virtual private cloud) is a virtual network hosted in a public cloud environment. Though hosted remotely, a VPC resembles a traditional network operated in a private data center. The public cloud vendor allocates network resources among the different users and organizations sharing its infrastructure, and provides a degree of isolation between them. In other words, a VPC lets you set up a private network within a public cloud.

Q: What is a VPC peering connection?

A: A VPC peering connection is a networking connection between two VPCs that enables network traffic to be routed between them using private IP addresses. Once connected by a VPC peering connection, instances in either VPC can communicate with each other just as if they were on the same network.

Q: How does VPC peering differ from internet/BGP peering?

A: VPC peering connects two VPCs as if they were on the same network, using private IP addresses. Traditional internet peering offers similar functionality. Internet peering is a connection between two IP networks that allows traffic to flow from sources in either network to destinations in the other without the traffic travelling via the internet. This sort of peering is configured using BGP (Border Gateway Protocol), which exchanges routing information between the two systems. The configuration of BGP on both sides of the connection determines whether the connection is a “peering” or an “internet access/transit” type of connection. For a deeper discussion of this topic, see “What is Internet Peering?”.
