VPC peering is a heavyweight solution for inter-network connectivity that is often better replaced with VPC Private Link (AWS PrivateLink) or another more focused alternative.
VPC peering connects two Virtual Private Clouds (VPCs) so that they route to each other as though they were one larger network. To establish a peering connection, the two VPCs must have non-overlapping CIDR ranges; one VPC sends a peering request and the owner of the other VPC must explicitly accept it, so both sides authorise the connection. Peering is also not transitive: a VPC peered with two others does not connect those two to each other, so every pair of VPCs that needs to talk requires its own peering connection.
Once peered, and once each side's route tables carry a route for the other VPC's CIDR via the peering connection, resources in one VPC can reach resources in the other as if they were on a single network. Network Access Control Lists (NACLs) and Security Groups still apply and can restrict that access, but maintaining those rules across two independently designed VPCs quickly becomes burdensome. It is safest to treat peered VPCs as fully merged: in practice the routes and security group rules that get added point at the peer's entire CIDR, leaving few real impediments to cross-network communication and effectively opening both networks to each other.
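As an added example (this is not SkySiege's code and was not part of the original page), the following Python audits what a peering connection actually opens up: it checks that the two CIDRs do not overlap, lists which subnets have a route through the peering connection, and lists the security group ingress rules in each VPC that admit addresses from the peer, flagging rules that admit the peer's whole CIDR. It runs offline over constructed dictionaries shaped like the EC2 DescribeVpcPeeringConnections, DescribeRouteTables and DescribeSecurityGroups responses; every VPC, subnet, route table, security group and peering ID below is hypothetical. With boto3 you would feed it the real API responses instead.

```python
"""Audit the blast radius of a VPC peering connection (added example, offline)."""
import ipaddress
import json

# Constructed sample data with hypothetical IDs, shaped like EC2 API responses.
PEERING = {
    "VpcPeeringConnectionId": "pcx-0123abcd",
    "RequesterVpcInfo": {"VpcId": "vpc-aaaa1111", "CidrBlock": "10.0.0.0/16"},  # "app" VPC
    "AccepterVpcInfo": {"VpcId": "vpc-bbbb2222", "CidrBlock": "10.1.0.0/16"},   # "data" VPC
}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-app-private", "VpcId": "vpc-aaaa1111",
     "Associations": [{"SubnetId": "subnet-app-1"}, {"SubnetId": "subnet-app-2"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-0123abcd"}]},
    {"RouteTableId": "rtb-data-private", "VpcId": "vpc-bbbb2222",
     "Associations": [{"SubnetId": "subnet-db-1"}],
     "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "10.0.0.0/16", "VpcPeeringConnectionId": "pcx-0123abcd"}]},
    {"RouteTableId": "rtb-data-isolated", "VpcId": "vpc-bbbb2222",
     "Associations": [{"SubnetId": "subnet-db-2"}],
     "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"}]},  # no peer route
]
SECURITY_GROUPS = [
    {"GroupId": "sg-db", "VpcId": "vpc-bbbb2222",            # admits the entire app VPC
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-admin", "VpcId": "vpc-bbbb2222",         # admits everything, all protocols
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-tight", "VpcId": "vpc-bbbb2222",         # admits one /24 of the app VPC
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "10.0.5.0/24"}]}]},
]


def cidrs_overlap(cidr_a, cidr_b):
    """AWS refuses a peering request between VPCs with overlapping CIDRs; check first."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def peer_cidr(peering, vpc_id):
    """Return the CIDR of the *other* side of the peering for the given VPC."""
    req, acc = peering["RequesterVpcInfo"], peering["AccepterVpcInfo"]
    return acc["CidrBlock"] if vpc_id == req["VpcId"] else req["CidrBlock"]


def subnets_routed_to_peer(route_tables, peering_id):
    """Map VpcId -> subnets whose route table sends traffic via the peering connection.

    A peering carries no traffic for a subnet until its route table has such a route.
    Subnets that fall back to the VPC's main table (association without SubnetId)
    are not resolved here; a full audit would map them too.
    """
    reachable = {}
    for rtb in route_tables:
        if any(r.get("VpcPeeringConnectionId") == peering_id for r in rtb["Routes"]):
            subnets = [a["SubnetId"] for a in rtb["Associations"] if "SubnetId" in a]
            reachable.setdefault(rtb["VpcId"], []).extend(subnets)
    return reachable


def sg_rules_open_to_peer(security_groups, vpc_id, peer_cidr_block):
    """Ingress rules in vpc_id whose source range admits any address in the peer VPC."""
    peer_net = ipaddress.ip_network(peer_cidr_block)
    findings = []
    for sg in security_groups:
        if sg["VpcId"] != vpc_id:
            continue
        for perm in sg["IpPermissions"]:
            for rng in perm.get("IpRanges", []):
                rule_net = ipaddress.ip_network(rng["CidrIp"])
                if rule_net.overlaps(peer_net):
                    findings.append({
                        "GroupId": sg["GroupId"],
                        "Protocol": perm["IpProtocol"],          # "-1" means all protocols
                        "FromPort": perm.get("FromPort"),
                        "ToPort": perm.get("ToPort"),
                        "CidrIp": rng["CidrIp"],
                        # True when the rule admits every address in the peer VPC
                        "WholePeerVpc": rule_net.supernet_of(peer_net),
                    })
    return findings


def audit_peering(peering, route_tables, security_groups):
    """Per-VPC summary of what the peering exposes on each side."""
    req, acc = peering["RequesterVpcInfo"], peering["AccepterVpcInfo"]
    if cidrs_overlap(req["CidrBlock"], acc["CidrBlock"]):
        raise ValueError("overlapping CIDRs: AWS will not establish this peering")
    routed = subnets_routed_to_peer(route_tables, peering["VpcPeeringConnectionId"])
    report = {}
    for side in (req, acc):
        vpc_id = side["VpcId"]
        report[vpc_id] = {
            "subnets_reachable_over_peering": routed.get(vpc_id, []),
            "ingress_rules_admitting_peer": sg_rules_open_to_peer(
                security_groups, vpc_id, peer_cidr(peering, vpc_id)),
        }
    return report


if __name__ == "__main__":
    print(json.dumps(audit_peering(PEERING, ROUTE_TABLES, SECURITY_GROUPS), indent=2))
```

Run against the sample data, the report shows that two app subnets and one data subnet are routable over the peering, while `subnet-db-2` is unreachable because its route table never gained a peer route; on the data side, `sg-db` and `sg-admin` admit the entire app VPC, which is exactly the "merged network" situation the text warns about, and only `sg-tight` limits exposure to a single /24.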
Our experience has been that VPC peering leads to increased operational workload or a weakened security posture, because merging VPCs that were deliberately created separately undoes the design decisions that separated them in the first place. VPCs are usually built with distinct purposes in mind; peering them merges disparate solutions for the sake of quick connectivity, when a more focused connectivity solution such as VPC Private Link would serve the actual need.
There are legitimate use cases for VPC peering, cross-region peering among them, but it is generally advisable to explore simpler alternatives first. One preferred solution for sharing a resource across VPCs is VPC Private Link (AWS PrivateLink), which publishes a specific service as an endpoint service and lets consumer VPCs reach it through a VPC endpoint with a private address inside their own network. Only that one service, such as a server or database, is exposed to the consumer, not the network it lives in.
A VPC Private Link is created by placing a Network Load Balancer in front of the target service and registering that load balancer as an endpoint service; the load balancer forwards incoming traffic from connected consumers to the service. Each consumer VPC creates its own interface endpoint, a network interface with a private address in its own subnets, which connects to your endpoint service over the AWS network. Connections can only be initiated from the consumer towards the service, the consumer sees nothing but the endpoint address, and the two VPCs may even use overlapping CIDR ranges, so the prerequisites of VPC peering do not apply. Adding consumers means accepting their endpoint connections (or allow-listing their principals on the endpoint service) rather than creating and routing yet another peering connection, which scales in a simpler and more straightforward fashion.
Other options are available and can be explored in the consultation included with any SkySiege Cloud Assessment.
SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.