I am a bit confused by some AWS documentation. Here it states that:
If VPC A has a VPN connection to a corporate network, resources in VPC B [,peered to A] can’t use the VPN connection to communicate with the corporate network.
Which I understand as: VPC B cannot communicate with the corporate network, since the VPN connection is not in its own VPC.
However, here it describes how to establish a VPN connection with a peered VPC.
Which I understand as: you put a VPN in VPC A, peer VPC A with VPC B, and you can now communicate between the corporate network and VPC B.
So to me, both are in total contradiction. What am I missing here?
2 Answers
It means that the connection is only one way:
not:
The following may help clarify it some more:
VPC peering and VPN connection are different things.
A VPN connection is a private encrypted connection (over the internet or Direct Connect) between a user workstation and AWS, or a private encrypted connection between AWS and a corporate network.
VPC peering is between two AWS VPCs only; there is no third entity here.
So in VPC peering, transitive routing is not allowed.
If VPC A is peered with VPC B, they can communicate using that peering connection. Transitive Routing would be the case where VPC A is able to use the peering connection to B to connect to another VPC, such as VPC C, that VPC B is peered with.
Note that VPC C is on AWS and not an on-premises location or a personal workstation.
The following link shows both VPN connections and peered connections.
https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/how-it-works.html
In case of a client vpn connection between a personal workstation and AWS, if the client is able to connect to an AWS VPC say VPC A, which is peered with VPC B, then the client is able to connect to VPC B. Notice that the connection between the client workstation and VPC A is not a peering connection.
Hope that helps.
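The two cases in the answer above can be made concrete with a small route-evaluation model. This is an added example, not code from the original post or from AWS: it models a peering connection as a hop that only forwards packets whose source is in one peered CIDR and whose destination is in the other, and a virtual private gateway as a hop that only forwards packets sourced from its own VPC. All CIDRs, the route tables, the `vgw-a`/`pcx-ab` names and the Client VPN endpoint ENI address are constructed for the example. The Client VPN scenario assumes that Client VPN source-NATs the client's address to the endpoint ENI in VPC A before the packet reaches the peering; that assumption, not the peering itself, is what makes the client-to-VPC-B case work, and the example shows the same packet being dropped when the source is left as the client's own address.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Vpc:
    name: str
    cidr: Net
    # Route table entries: (destination prefix, target name). "local" delivers inside the VPC.
    routes: List[Tuple[Net, str]] = field(default_factory=list)

    def lookup(self, dst: IPv4) -> str:
        """Longest-prefix match over the route table; 'blackhole' when nothing matches."""
        matches = [(net.prefixlen, target) for net, target in self.routes if dst in net]
        return max(matches)[1] if matches else "blackhole"


@dataclass
class Peering:
    """Simplified VPC peering: carries only traffic between the two peered CIDRs.
    A packet whose destination lies outside the peer VPC (e.g. a corporate prefix
    behind the peer's VPN) is dropped; this is the 'no edge-to-edge routing' rule."""
    a: Vpc
    b: Vpc

    def forward(self, src: IPv4, dst: IPv4) -> Optional[Vpc]:
        if src in self.a.cidr and dst in self.b.cidr:
            return self.b
        if src in self.b.cidr and dst in self.a.cidr:
            return self.a
        return None


@dataclass
class VirtualPrivateGateway:
    """Simplified Site-to-Site VPN gateway: forwards only packets sourced from the
    CIDR of the VPC it is attached to towards the corporate prefix."""
    vpc: Vpc
    corporate: Net

    def forward(self, src: IPv4, dst: IPv4) -> bool:
        return src in self.vpc.cidr and dst in self.corporate


def trace(vpc: Vpc, src: IPv4, dst: IPv4, targets: Dict[str, object]) -> Tuple[str, List[str]]:
    """Follow one packet from a source VPC through at most one gateway hop."""
    path = [vpc.name]
    target = vpc.lookup(dst)
    if target == "local":
        return ("delivered", path)
    if target == "blackhole":
        return ("dropped: no route", path)
    path.append(target)
    hop = targets[target]
    if isinstance(hop, VirtualPrivateGateway):
        if hop.forward(src, dst):
            return ("delivered to corporate", path)
        return ("dropped: VGW only forwards traffic sourced from its own VPC", path)
    if isinstance(hop, Peering):
        peer = hop.forward(src, dst)
        if peer is None:
            return ("dropped: peering only carries traffic between the two peered CIDRs", path)
        path.append(peer.name)
        return ("delivered", path)
    return ("dropped: unknown target", path)


# Constructed topology for the example (not from the original post).
CORP = Net("10.100.0.0/16")
vpc_a = Vpc("VPC-A", Net("10.0.0.0/16"))
vpc_b = Vpc("VPC-B", Net("10.1.0.0/16"))
TARGETS = {"vgw-a": VirtualPrivateGateway(vpc_a, CORP), "pcx-ab": Peering(vpc_a, vpc_b)}
vpc_a.routes = [(vpc_a.cidr, "local"), (vpc_b.cidr, "pcx-ab"), (CORP, "vgw-a")]
# The tempting "transitive" route in VPC B: send corporate traffic over the peering.
vpc_b.routes = [(vpc_b.cidr, "local"), (vpc_a.cidr, "pcx-ab"), (CORP, "pcx-ab")]

# Assumed Client VPN endpoint ENI address inside a VPC-A subnet.
CLIENT_VPN_ENI = IPv4("10.0.1.50")


def vpc_b_to_corporate():
    return trace(vpc_b, IPv4("10.1.0.10"), IPv4("10.100.0.5"), TARGETS)


def vpc_a_to_corporate():
    return trace(vpc_a, IPv4("10.0.0.10"), IPv4("10.100.0.5"), TARGETS)


def client_vpn_to_vpc_b(snat: bool = True):
    # Assumption: Client VPN source-NATs the client to the endpoint ENI in VPC A, so the
    # packet entering the peering has a VPC-A source. snat=False shows the same packet
    # with the raw client address, which the peering refuses to carry.
    client = IPv4("172.16.0.5")
    src = CLIENT_VPN_ENI if snat else client
    return trace(vpc_a, src, IPv4("10.1.0.10"), TARGETS)


if __name__ == "__main__":
    print("VPC-B host -> corporate via peering:", vpc_b_to_corporate())
    print("VPC-A host -> corporate via VGW:    ", vpc_a_to_corporate())
    print("Client VPN (SNAT) -> VPC-B:         ", client_vpn_to_vpc_b(snat=True))
    print("Client VPN (no SNAT) -> VPC-B:      ", client_vpn_to_vpc_b(snat=False))
```

The route entry `(CORP, "pcx-ab")` in VPC B is exactly what people add when they expect peering to be transitive; the lookup succeeds, but the peering hop drops the packet because its destination is not in VPC A's CIDR. The Client VPN case succeeds only because the packet that reaches the peering is sourced from VPC A's address space.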