Why can't I connect to a peered VPC when using an AWS Site-to-Site VPN connection that terminates on a virtual private gateway?
I'm using an AWS Site-to-Site VPN connection that terminates on a virtual private gateway (VGW) attached to VPC-A. I can access resources in VPC-A but I can't access resources in VPC-B that has a VPC peering connection with VPC-A.
Example:
Explanation:
If VPC-A has a VPN connection to a corporate network, resources in VPC-B can't use the VPN connection to communicate with the corporate network. This is because Edge to edge routing through a gateway or private connection is not supported when using VPC Peering.
VPC Peering Limitations: https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html#vpc-peering-limitations
Resolution:
-
To access resources in VPC-B, a new Site-to-Site VPN has to be created between the Corporate Network (example: On-premise) and a virtual private gateway (VGW) attached to VPC-B.
-
For a more robust architecture, consider re-architecting to the AWS Transit Gateway + AWS Site-to-Site VPN approach when you want to take advantage of an AWS-managed VPN endpoint for connecting to multiple VPCs in the same region without the additional cost and management of multiple IPsec VPN connections to multiple Amazon VPCs.
Useful Resources: How do I migrate my VPN from a virtual private gateway to a transit gateway?
Hi, does the same limitation apply when VPC A is connected with external cloud and not Corporate network using Site-to-Site and Virtual private gateway? The scenario is VPC B is peered with VPC A and VPC B want to access resources in the external cloud. Thanks in advance
Hello Dee, Thanks for your question. Yes, the limitation is with "VPC Peering" not supporting transitive routing, regardless of what the "Corporate Network" is. Corporate Network can be a Remote location, other cloud providers etc.
Relevant content
- asked a year ago
- asked 2 years ago
