Tuesday, July 7, 2020

VPC Peering

-      https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html
-     A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. The VPCs can be in different regions (also known as an inter-region VPC peering connection).
-     Peering is 1:1
-     CIDR blocks of the two VPCs can NOT overlap (private IPv4 or IPv6)
-     GLOBAL resource - when peering across regions, traffic goes over the AWS backbone, not the internet
-     AWS takes care of resilience - no need for a secondary connection
-     Non-transitive - routing is point to point. Can't re-route traffic from A to C via B; A needs to peer with C. If you need a full mesh, # of connections = n(n-1)/2 (4 VPCs = 6 connections)
-     Peering process:
     o    Peering Wizard
     o    Add Route Table entries on both sides as needed, target pcx-<...>
     o    Can reference Security Group names across VPCs - but only in the same region, not inter-region
-     Limitations:
     o    Can't peer VPCs with matching/overlapping IPv4/IPv6 CIDR blocks
     o    Supports 50 active and 25 pending connections
     o    No transitive peering
     o    Can't have more than 1 peering connection b/w the same 2 VPCs
     o    Does not support Unicast Reverse Path Forwarding***
     o    Not available in every region (4 regions as of now: N Virginia, Oregon, Ireland, Ohio)
     o    In an inter-region connection scenario you cannot create a security group rule that references a peer VPC security group. This is only allowed within the same region.
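Added example (my own code, not from AWS or the notes above) that models the rules listed here: the non-overlapping CIDR precondition, the n(n-1)/2 full-mesh count, the route-table entry each side needs, and why A cannot reach C through B. VPC names, CIDRs and the pcx- ids are constructed placeholders.

```python
"""Added example (not AWS code) modelling the VPC peering rules in the notes:
CIDR overlap, the n(n-1)/2 full-mesh count, the route entry each side needs,
and non-transitivity. VPC names, CIDRs and pcx ids are constructed placeholders."""
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed sample inventory: VPC name -> IPv4 CIDR block.
VPCS = {"vpc-a": "10.0.0.0/16", "vpc-b": "10.1.0.0/16",
        "vpc-c": "10.2.0.0/16", "vpc-d": "10.3.0.0/16"}


def cidrs_overlap(a, b):
    """AWS refuses a peering connection when the two CIDR blocks overlap."""
    return ip_network(a).overlaps(ip_network(b))


def full_mesh_count(n):
    """Peering is 1:1 and non-transitive: a full mesh needs n(n-1)/2 links."""
    return n * (n - 1) // 2


def plan_peerings(vpcs, pairs):
    """Validate each requested pair and return {(a, b): [route, route]}.

    Each side's route table needs destination = peer CIDR and target = the
    peering connection id (placeholder here; AWS assigns the real pcx- id).
    """
    plan = {}
    for a, b in pairs:
        if cidrs_overlap(vpcs[a], vpcs[b]):
            raise ValueError(f"{a} and {b} have overlapping CIDRs; cannot peer")
        pcx = f"pcx-PLACEHOLDER-{a}-{b}"
        plan[(a, b)] = [{"route_table": a, "destination": vpcs[b], "target": pcx},
                        {"route_table": b, "destination": vpcs[a], "target": pcx}]
    return plan


def has_route(plan, vpc, dst_ip):
    """True only if vpc's OWN route table covers dst_ip; a peer's routes are
    never consulted, so A cannot reach C through B (non-transitive)."""
    return any(r["route_table"] == vpc and ip_address(dst_ip) in ip_network(r["destination"])
               for routes in plan.values() for r in routes)


if __name__ == "__main__":
    mesh = plan_peerings(VPCS, combinations(sorted(VPCS), 2))
    print(len(mesh) == full_mesh_count(len(VPCS)))  # True: 6 links for 4 VPCs
    chain = plan_peerings(VPCS, [("vpc-a", "vpc-b"), ("vpc-b", "vpc-c")])
    print(has_route(chain, "vpc-a", "10.2.0.5"))  # False: no transitive route
```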


-        Unicast Reverse Path Forwarding (uRPF) - a security feature that prevents source-address spoofing. Whenever your router receives an IP packet, it checks whether the routing table has a matching entry for the packet's source IP address; if it doesn't, the packet is discarded. uRPF has two modes:
-        https://networklessons.com/cisco/ccie-routing-switching/unicast-reverse-path-forwarding-urpf
