Why can't I connect to a peered VPC when using an AWS Site-to-Site VPN connection that terminates on a virtual private gateway?

2 minute read
Content level: Intermediate

I'm using an AWS Site-to-Site VPN connection that terminates on a virtual private gateway (VGW) attached to VPC-A. I can access resources in VPC-A, but I can't access resources in VPC-B, which has a VPC peering connection with VPC-A.

Example: (topology diagram)

Explanation:

If VPC-A has a VPN connection to a corporate network, resources in VPC-B can't use that VPN connection to communicate with the corporate network. This is because edge-to-edge routing through a gateway or private connection is not supported with VPC peering: traffic that enters VPC-A through the VGW can't be forwarded out over the peering connection to VPC-B.

VPC Peering Limitations: https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html#vpc-peering-limitations

Resolution:

  1. To access resources in VPC-B, create a new Site-to-Site VPN between the corporate network (for example, your on-premises network) and a virtual private gateway (VGW) attached to VPC-B.


  2. For a more robust architecture, consider re-architecting to AWS Transit Gateway with AWS Site-to-Site VPN. This gives you an AWS-managed VPN endpoint for connecting to multiple VPCs in the same Region without the additional cost and management of a separate IPsec VPN connection to each Amazon VPC.

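The routing rule above, written as a small reachability model you can run before changing a design. This is an added example and not code from the article or from AWS; the VPC names, CIDRs and the `Vpc`/`Topology` types are constructed for illustration. It encodes three facts from the article: a VGW forwards only into the VPC it is attached to, a transit gateway routes between all of its attachments, and a VGW-to-peering-connection path is edge-to-edge routing that VPC peering does not support.

```python
# Added example, not the article's code: models the routing rule described above.
# VPC names and CIDRs are constructed sample values.
import ipaddress
from dataclasses import dataclass

@dataclass
class Vpc:
    name: str
    cidr: str
    vgw_vpn: bool = False       # a VGW attached here terminates its own Site-to-Site VPN
    tgw_attached: bool = False  # attached to a transit gateway

@dataclass
class Topology:
    vpcs: dict            # name -> Vpc
    peerings: set         # one frozenset({a, b}) per VPC peering connection
    tgw_vpn: bool = False # the Site-to-Site VPN terminates on a transit gateway

def reachable_from_onprem(topo, dst_ip):
    """Return (reachable, explanation) for traffic from the corporate network."""
    ip = ipaddress.ip_address(dst_ip)
    dst = next((v for v in topo.vpcs.values() if ip in ipaddress.ip_network(v.cidr)), None)
    if dst is None:
        return False, f"{dst_ip} is not inside any VPC CIDR"
    if dst.vgw_vpn:                        # a VGW forwards only into its own VPC
        return True, f"VPN -> VGW -> {dst.name}"
    if topo.tgw_vpn and dst.tgw_attached:  # a TGW routes between all attachments
        return True, f"VPN -> TGW -> {dst.name}"
    # Remaining candidate: in via a VGW on a peered VPC, out via the peering
    # connection. That is edge-to-edge routing, which VPC peering does not support.
    for other in topo.vpcs.values():
        if other.vgw_vpn and frozenset({other.name, dst.name}) in topo.peerings:
            return False, (f"VPN -> VGW -> {other.name} -> pcx -> {dst.name} "
                           "is edge-to-edge routing over VPC peering (unsupported)")
    return False, f"no VPN path to {dst.name}"

def article_scenarios():
    """The article's problem and its two resolutions as topologies."""
    peer = {frozenset({"VPC-A", "VPC-B"})}
    a, b = "10.1.0.0/16", "10.2.0.0/16"
    return {
        "problem": Topology({"VPC-A": Vpc("VPC-A", a, vgw_vpn=True),
                             "VPC-B": Vpc("VPC-B", b)}, peer),
        "second_vpn": Topology({"VPC-A": Vpc("VPC-A", a, vgw_vpn=True),
                                "VPC-B": Vpc("VPC-B", b, vgw_vpn=True)}, peer),
        "transit_gateway": Topology({"VPC-A": Vpc("VPC-A", a, tgw_attached=True),
                                     "VPC-B": Vpc("VPC-B", b, tgw_attached=True)},
                                    set(), tgw_vpn=True),
    }
```

Calling `reachable_from_onprem(article_scenarios()["problem"], "10.2.0.10")` reproduces the failure from the question, while the `second_vpn` and `transit_gateway` topologies return a reachable path.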

Useful Resources: How do I migrate my VPN from a virtual private gateway to a transit gateway?