1. What is VPC Peering?

VPC Peering creates a private networking connection between two VPCs. Instances in either VPC can communicate as if they are in the same network, using private IP addresses. Traffic stays on the AWS backbone and never traverses the public internet.

Core Concept

VPC Peering is a 1-to-1, non-transitive connection between two VPCs. It works across Regions and across AWS accounts. The VPCs’ CIDR ranges must NOT overlap. You must update route tables in BOTH VPCs to direct traffic through the peering connection.

2. Key Characteristics

  1. One-to-one connection between exactly two VPCs
  2. Works within the same Region (intra-Region) or across Regions (inter-Region)
  3. Works within the same account or across different AWS accounts
  4. Traffic uses private IPs and stays on the AWS network (not over internet)
  5. No bandwidth bottleneck (uses AWS backbone)
  6. CIDRs must NOT overlap between the two VPCs
  7. Both VPCs must update their route tables to route traffic through the peering connection
  8. Security Groups in one VPC can reference Security Groups in the peered VPC (same Region only)

3. Non-Transitive Routing

VPC Peering is NOT transitive:

VPC-A <──peering──> VPC-B <──peering──> VPC-C

VPC-A can talk to VPC-B ✓
VPC-B can talk to VPC-C ✓
VPC-A CANNOT talk to VPC-C ✗

To connect A to C, you must create a SEPARATE peering connection between VPC-A and VPC-C.
For many VPCs, this creates a full mesh of n(n-1)/2 connections: 10 VPCs = 45 peering connections! Solution: Use Transit Gateway instead (see Lesson 3).

Important Warning

VPC Peering is NOT transitive. This is the #1 exam trick. If VPC-A peers with VPC-B, and VPC-B peers with VPC-C, VPC-A CANNOT reach VPC-C through VPC-B. Each pair needs its own peering connection. For many VPCs, use Transit Gateway instead.

4. Setup Steps

  1. Step 1: Create a peering connection request (from VPC-A to VPC-B).
  2. Step 2: Accept the peering request in VPC-B (manual acceptance required, even for same-account).
  3. Step 3: Update VPC-A’s route table: add route to VPC-B’s CIDR → peering connection.
  4. Step 4: Update VPC-B’s route table: add route to VPC-A’s CIDR → peering connection.
  5. Step 5: Update Security Groups and NACLs in both VPCs to allow the desired traffic.


Route Table Example
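Added example, not from the original page: a small Python model of the five setup steps above and of the non-transitive rule from section 3. It enforces the rules the notes state (no overlapping CIDRs, explicit acceptance, a route in BOTH route tables, no hop through a third VPC) and counts the full-mesh connections. IDs such as vpc-a and pcx-ab are constructed placeholders; Security Groups and NACLs (Step 5) are not modelled. The AWS CLI commands named in the comments are the real ones each step corresponds to.

```python
"""Toy model of VPC peering rules: no overlapping CIDRs, explicit acceptance,
routes required in BOTH VPCs, and no transitive hop through a third VPC.
Added illustration only (not AWS code); IDs such as vpc-a / pcx-ab are made up."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vpc:
    vpc_id: str
    cidr: str
    routes: dict = field(default_factory=dict)  # destination CIDR -> target

    def __post_init__(self):
        self.routes.setdefault(self.cidr, "local")  # every VPC routes its own CIDR locally


@dataclass
class PeeringConnection:
    pcx_id: str
    requester: Vpc
    accepter: Vpc
    state: str = "pending-acceptance"  # becomes "active" after Step 2


def create_peering(pcx_id: str, requester: Vpc, accepter: Vpc) -> PeeringConnection:
    """Step 1 (aws ec2 create-vpc-peering-connection). Overlapping CIDRs are refused."""
    if ipaddress.ip_network(requester.cidr).overlaps(ipaddress.ip_network(accepter.cidr)):
        raise ValueError(f"CIDRs overlap: {requester.cidr} and {accepter.cidr}")
    return PeeringConnection(pcx_id, requester, accepter)


def accept_peering(pcx: PeeringConnection) -> None:
    """Step 2 (aws ec2 accept-vpc-peering-connection): always an explicit action."""
    pcx.state = "active"


def add_route(vpc: Vpc, dest_cidr: str, target: str) -> None:
    """Steps 3 and 4 (aws ec2 create-route): route the peer's CIDR to the pcx."""
    vpc.routes[dest_cidr] = target


def lookup_route(vpc: Vpc, dst_ip: str):
    """Longest-prefix match over the VPC route table; None if nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in vpc.routes.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def can_reach(src: Vpc, dst: Vpc, peerings: list) -> bool:
    """Reachable only over an ACTIVE peering that directly joins src and dst,
    with a matching route on each side (return traffic needs the reverse route).
    A peering between dst and some third VPC is never consulted: not transitive."""
    dst_ip = str(ipaddress.ip_network(dst.cidr)[1])  # a sample host in each VPC
    src_ip = str(ipaddress.ip_network(src.cidr)[1])
    for pcx in peerings:
        if pcx.state != "active":
            continue
        if {pcx.requester.vpc_id, pcx.accepter.vpc_id} != {src.vpc_id, dst.vpc_id}:
            continue
        forward = lookup_route(src, dst_ip) == pcx.pcx_id
        reverse = lookup_route(dst, src_ip) == pcx.pcx_id
        return forward and reverse
    return False


def mesh_size(n: int) -> int:
    """Peering connections needed for a full mesh of n VPCs: n(n-1)/2."""
    return n * (n - 1) // 2


def demo() -> dict:
    """A<->B and B<->C are fully set up; A<->C is not, so A cannot reach C."""
    a, b, c = Vpc("vpc-a", "10.0.0.0/16"), Vpc("vpc-b", "10.1.0.0/16"), Vpc("vpc-c", "10.2.0.0/16")
    pcx_ab, pcx_bc = create_peering("pcx-ab", a, b), create_peering("pcx-bc", b, c)
    accept_peering(pcx_ab)
    accept_peering(pcx_bc)
    add_route(a, b.cidr, "pcx-ab")   # Step 3: VPC-A route table -> VPC-B CIDR via pcx
    add_route(b, a.cidr, "pcx-ab")   # Step 4: VPC-B route table -> VPC-A CIDR via pcx
    add_route(b, c.cidr, "pcx-bc")
    add_route(c, b.cidr, "pcx-bc")
    peerings = [pcx_ab, pcx_bc]
    return {"a_to_b": can_reach(a, b, peerings),
            "b_to_c": can_reach(b, c, peerings),
            "a_to_c": can_reach(a, c, peerings)}


if __name__ == "__main__":
    print(demo())         # {'a_to_b': True, 'b_to_c': True, 'a_to_c': False}
    print(mesh_size(10))  # 45
```

Removing either of the two add_route calls for a pair, or leaving the request in pending-acceptance, makes can_reach return False, which is exactly the failure a practitioner sees when only one side of the peering was configured.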

5. VPC Peering Limitations

  1. NOT transitive — each pair needs its own connection
  2. CIDRs cannot overlap
  3. Cannot route through peering to access on-premises networks (no edge-to-edge routing)
  4. Cannot use VPC-A’s IGW, NAT Gateway, or VPN from VPC-B through peering
  5. Max 125 active peering connections per VPC
  6. Cross-Region peering: Security Group reference not supported (must use CIDR)

Exam Tip

VPC Peering: 1-to-1, non-transitive, no overlapping CIDRs. Route tables must be updated in BOTH VPCs. No edge-to-edge routing (can’t use peer’s IGW/NAT/VPN). "Connect 2 VPCs privately" = VPC Peering. "Connect 10+ VPCs" = Transit Gateway (not Peering). Cross-Region peering works but SG references don’t work cross-Region.