I have two VPCs in the same AWS account: VPC1 is where my applications are running, and VPC2 is set up for isolation and has a Direct Connect (with a Virtual Gateway associated with a Direct Connect Gateway). Is it feasible for VPC1 to access on-prem resources using the peering connection with VPC2? Here's the traffic flow I'm envisioning:
`VPC1 → VPC Peering → VPC2 → VGW/DGW/Direct Connect → On-Premises`
Some documents suggest this isn't supported, while others hint it could work. I've even seen mentions of needing a proxy or a Network Virtual Appliance (NVA) in VPC2 to facilitate this. For instance, one document states:
`If VPC A has an AWS Direct Connect connection to a corporate network, resources in VPC B can't use the AWS Direct Connect connection to communicate with the corporate network.`
I'd really appreciate any insights on how to navigate these requirements. If peering isn't a viable option, what alternatives exist to maintain isolation while allowing VPC2 to connect to on-prem resources, like using a Transit Gateway?
5 Answers
Transit Gateway is really the ideal solution for your use case. It allows effective routing between your VPCs and on-prem without compromising isolation. You may need to configure it to connect to your Direct Connect Gateway directly, depending on your architecture.
AWS typically recommends using a Transit Gateway for scenarios like this. The main challenge is the routing—making sure the return traffic from the Direct Connect to VPC2 works correctly, since you can't depend on VPC peering for that.
VPC Peering doesn’t allow transitive routing—VPC1 can’t reach the on-prem network via VPC2 and Direct Connect like you’re trying to do. Therefore, considering Transit Gateway will be your best bet for maintaining VPC isolation while achieving connectivity!
Thanks! For the Transit Gateway solution, does it have to connect directly with the Direct Connect Gateway for both VPCs? I want to ensure isolation is preserved.
Unfortunately, no—it’s important to know that VPC peering is non-transitive. You might want to consider using a Transit Gateway instead of peering to facilitate this setup.
Exactly! You can’t route traffic that way without having a specific routing mechanism in place. It's best to connect your Direct Connect to a gateway with access to both VPCs.
Have you thought about why VPC1 can't send traffic through the Direct Connect Gateway? If you want to keep it isolated, you could set up a Network ACL for VPC1 that only allows outbound to the DGW. That way, there’s no inbound traffic from the on-prem network.
I see your point! Initially, we designed VPC1 to only expose a single app to customers. Now, as we’re looking to include on-prem connectivity, I’m trying to find the best way to keep our existing isolation intact.
Got it! So with the Transit Gateway, I can assume my traffic path is VPC1 → Transit Gateway → VPC2 → VGW/Direct Connect → On-Prem? Or should I connect the Transit Gateway to the Direct Connect and bypass the VGW?
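The Transit Gateway design the answers recommend, as an added Terraform sketch that is not from the question or any of the answers: VPC1 attaches to the TGW, the Direct Connect gateway is associated with the TGW itself (which needs a transit VIF, and the DX gateway ASN must differ from the TGW ASN), so the VGW in VPC2 is no longer on the path, and separate TGW route tables give VPC1 only an on-prem route and the DX side only a return route to VPC1. All IDs, CIDRs, ASNs and names are placeholders.

```hcl
resource "aws_ec2_transit_gateway" "tgw" {
  amazon_side_asn                 = 64512
  default_route_table_association = "disable" # no implicit any-to-any routing
  default_route_table_propagation = "disable"
}
resource "aws_ec2_transit_gateway_vpc_attachment" "vpc1" {
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id
  vpc_id             = var.vpc1_id             # placeholder
  subnet_ids         = var.vpc1_tgw_subnet_ids # placeholder
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}
resource "aws_dx_gateway" "dxgw" {
  name            = "example-dxgw"
  amazon_side_asn = 64513
}
resource "aws_dx_gateway_association" "tgw" {
  dx_gateway_id         = aws_dx_gateway.dxgw.id
  associated_gateway_id = aws_ec2_transit_gateway.tgw.id
  allowed_prefixes      = ["10.1.0.0/16"] # VPC1 CIDR advertised to on-prem (placeholder)
}
data "aws_ec2_transit_gateway_dx_gateway_attachment" "dx" {
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id
  dx_gateway_id      = aws_dx_gateway.dxgw.id
  depends_on         = [aws_dx_gateway_association.tgw]
}
# TGW route table for VPC1: only the on-prem prefix, no route toward any other VPC.
resource "aws_ec2_transit_gateway_route_table" "app" {
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id
}
resource "aws_ec2_transit_gateway_route_table_association" "app" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.vpc1.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.app.id
}
resource "aws_ec2_transit_gateway_route" "app_to_onprem" {
  destination_cidr_block         = "192.168.0.0/16" # on-prem (placeholder)
  transit_gateway_attachment_id  = data.aws_ec2_transit_gateway_dx_gateway_attachment.dx.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.app.id
}
# TGW route table for the DX attachment: return path to VPC1 only, learned by propagation.
resource "aws_ec2_transit_gateway_route_table" "dx" {
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id
}
resource "aws_ec2_transit_gateway_route_table_association" "dx" {
  transit_gateway_attachment_id  = data.aws_ec2_transit_gateway_dx_gateway_attachment.dx.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.dx.id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "dx_from_vpc1" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.vpc1.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.dx.id
}
```

VPC1's own subnet route tables still need an `aws_route` for the on-prem prefix pointing at the TGW, and any second VPC attached later gets its own TGW route table so it cannot reach VPC1 unless a route is added deliberately.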