Why can't I connect to a peered VPC when using an AWS Site-to-Site VPN connection that terminates on a virtual private gateway?

2 minute read
Content level: Intermediate
3

I'm using an AWS Site-to-Site VPN connection that terminates on a virtual private gateway (VGW) attached to VPC-A. I can access resources in VPC-A but I can't access resources in VPC-B that has a VPC peering connection with VPC-A.

Example:

Enter image description here

Explanation:

If VPC-A has a VPN connection to a corporate network, resources in VPC-B can't use the VPN connection to communicate with the corporate network. This is because Edge to edge routing through a gateway or private connection is not supported when using VPC Peering.

VPC Peering Limitations: https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html#vpc-peering-limitations

Resolution:

  1. To access resources in VPC-B, a new Site-to-Site VPN has to be created between the Corporate Network (example: On-premise) and a virtual private gateway (VGW) attached to VPC-B.

    Enter image description here

  2. For a more robust architecture, consider re-architecting to the AWS Transit Gateway + AWS Site-to-Site VPN approach when you want to take advantage of an AWS-managed VPN endpoint for connecting to multiple VPCs in the same region without the additional cost and management of multiple IPsec VPN connections to multiple Amazon VPCs.

    Enter image description here

Useful Resources: How do I migrate my VPN from a virtual private gateway to a transit gateway?

No comments