Fix AWS VPC Peering Not Working - Network Troubleshooting Guide

# AWS VPC Peering Not Working

Common Error Patterns

VPC peering issues typically manifest as:

bash

Connection timed out when connecting to instance in peered VPC

bash

Destination unreachable from peered VPC

bash

ping: sendmsg: Operation not permitted

bash

Unable to resolve DNS name in peered VPC

Root Causes and Solutions

1. Missing Route Table Entries

Route tables don't have routes to the peered VPC.

Solution:

Add routes to both VPCs' route tables:

```bash # Get VPC peering connection ID aws ec2 describe-vpc-peering-connections \ --filters Name=status.code,Values=active

# Add route to VPC A's route table aws ec2 create-route \ --route-table-id rtb-0123456789abcdef0 \ --destination-cidr-block 10.1.0.0/16 \ --vpc-peering-connection-id pcx-0123456789abcdef0

# Add route to VPC B's route table aws ec2 create-route \ --route-table-id rtb-abcdef0123456789 \ --destination-cidr-block 10.0.0.0/16 \ --vpc-peering-connection-id pcx-0123456789abcdef0 ```

Verification:

bash

# Check routes
aws ec2 describe-route-tables \
  --route-table-ids rtb-0123456789abcdef0 \
  --query 'RouteTables[0].Routes'

2. Security Group Blocking Traffic

Security groups don't allow traffic from peered VPC.

Solution:

Update security groups to allow traffic from peered VPC:

```bash # Get security group for instance aws ec2 describe-instances \ --instance-ids i-0123456789abcdef0 \ --query 'Reservations[0].Instances[0].SecurityGroups'

# Add inbound rule allowing traffic from peered VPC CIDR aws ec2 authorize-security-group-ingress \ --group-id sg-0123456789abcdef0 \ --protocol tcp \ --port 22 \ --cidr 10.1.0.0/16 ```

Alternatively, reference security groups from peered VPC:

bash

# Cross-VPC security group reference (same account only)
aws ec2 authorize-security-group-ingress \
  --group-id sg-0123456789abcdef0 \
  --protocol tcp \
  --port 443 \
  --source-group sg-abcdef0123456789

3. Network ACL Restrictions

Network ACLs blocking traffic between VPCs.

Solution:

Check and update NACLs:

```bash # Check NACL rules aws ec2 describe-network-acls \ --filters Name=vpc-id,Values=vpc-0123456789abcdef0

# Add inbound rule for peered VPC aws ec2 create-network-acl-entry \ --network-acl-id acl-0123456789abcdef0 \ --rule-number 100 \ --protocol -1 \ --rule-action allow \ --cidr-block 10.1.0.0/16 \ --ingress

# Add outbound rule for peered VPC aws ec2 create-network-acl-entry \ --network-acl-id acl-0123456789abcdef0 \ --rule-number 100 \ --protocol -1 \ --rule-action allow \ --cidr-block 10.1.0.0/16 \ --egress ```

4. Peering Connection Not Active

The peering connection is in pending or failed state.

Solution:

Check peering connection status:

bash

aws ec2 describe-vpc-peering-connections \
  --vpc-peering-connection-ids pcx-0123456789abcdef0 \
  --query 'VpcPeeringConnections[0].Status'

Accept peering request (if pending):

bash

aws ec2 accept-vpc-peering-connection \
  --vpc-peering-connection-id pcx-0123456789abcdef0

5. Overlapping CIDR Blocks

VPCs have overlapping CIDR blocks.

Solution:

Check for overlap:

bash

# Get CIDR blocks
aws ec2 describe-vpcs \
  --vpc-ids vpc-0123456789abcdef0 vpc-abcdef0123456789 \
  --query 'Vpcs[*].CidrBlock'

If CIDRs overlap, peering won't work. Options: - Create new VPC with non-overlapping CIDR - Use a transit gateway instead - Use private NAT gateways

6. DNS Resolution Issues

DNS hostnames not enabled or DNS resolution not configured.

Solution:

Enable DNS resolution for peered VPCs:

```bash # Enable DNS resolution for requester VPC aws ec2 modify-vpc-peering-connection-options \ --vpc-peering-connection-id pcx-0123456789abcdef0 \ --requester-peering-connection-options AllowDnsResolutionFromRemoteVpc=true

# Enable DNS resolution for accepter VPC aws ec2 modify-vpc-peering-connection-options \ --vpc-peering-connection-id pcx-0123456789abcdef0 \ --accepter-peering-connection-options AllowDnsResolutionFromRemoteVpc=true ```

Enable DNS hostnames on both VPCs:

```bash aws ec2 modify-vpc-attribute \ --vpc-id vpc-0123456789abcdef0 \ --enable-dns-hostnames

aws ec2 modify-vpc-attribute \ --vpc-id vpc-abcdef0123456789 \ --enable-dns-hostnames ```

7. Cross-Region Peering Issues

Cross-region peering has additional requirements.

Solution:

For cross-region peering:

1.Ensure peering connection is accepted
2.Routes must be added to both regions
3.Security groups must reference CIDR blocks (not security group IDs)
4.Check regional latency

bash

# Create cross-region route
aws ec2 create-route \
  --route-table-id rtb-0123456789abcdef0 \
  --destination-cidr-block 10.1.0.0/16 \
  --vpc-peering-connection-id pcx-0123456789abcdef0 \
  --region us-east-1

Connectivity Testing

Test from Instance

```bash # Test connectivity ping 10.1.0.10

# Test specific port nc -zv 10.1.0.10 22

# Test with telnet telnet 10.1.0.10 22

# Trace route traceroute 10.1.0.10 ```

Use Reachability Analyzer

```bash # Create analysis aws ec2 create-network-insights-path \ --source-ip-address 10.0.0.10 \ --destination-ip-address 10.1.0.10 \ --destination-port 22 \ --protocol TCP

# Start analysis aws ec2 start-network-insights-analysis \ --network-insights-path-id nip-0123456789abcdef0 ```

Troubleshooting Checklist

Check	Command	Expected Result
Peering status	`describe-vpc-peering-connections`	`active`
Route table routes	`describe-route-tables`	Route to peer CIDR
Security group rules	`describe-security-groups`	Allow peer CIDR
NACL rules	`describe-network-acls`	Allow peer CIDR
DNS resolution	`modify-vpc-peering-connection-options`	Enabled
No CIDR overlap	`describe-vpcs`	Non-overlapping CIDRs

Architecture Best Practices

Centralized Peering Hub

bash

┌─────────────┐
         │  Central    │
         │     VPC     │
         └──────┬──────┘
          ╱     │     ╲
    ┌────┐  ┌────┐  ┌────┐
    │VPC │  │VPC │  │VPC │
    │ A  │  │ B  │  │ C  │
    └────┘  └────┘  └────┘

Transit Gateway Alternative

For complex networks, use Transit Gateway:

```bash # Create transit gateway aws ec2 create-transit-gateway \ --description "Central transit gateway"

# Attach VPCs aws ec2 create-transit-gateway-vpc-attachment \ --transit-gateway-id tgw-0123456789abcdef0 \ --vpc-id vpc-0123456789abcdef0 \ --subnet-ids subnet-01234567 subnet-abcdef01 ```

Quick Reference

Issue	Solution
No route	Add route to both route tables
SG blocking	Add inbound rule for peer CIDR
NACL blocking	Add allow rule for peer CIDR
DNS not resolving	Enable DNS resolution options
CIDR overlap	Use non-overlapping CIDRs
Pending status	Accept peering request

Prevention Tips

1.Use infrastructure as code for VPC peering
2.Document CIDR allocations to prevent overlap
3.Use consistent security group naming
4.Enable DNS resolution at peering creation
5.Test connectivity after peering setup

[AWS EC2 Instance Not Reachable](#)
[AWS RDS Connection Failed](#)
[AWS IAM Permission Denied](#)

AWS VPC Peering Not Working

Common Error Patterns

Root Causes and Solutions

1. Missing Route Table Entries

2. Security Group Blocking Traffic

3. Network ACL Restrictions

4. Peering Connection Not Active

5. Overlapping CIDR Blocks

6. DNS Resolution Issues

7. Cross-Region Peering Issues

Connectivity Testing

Test from Instance

Use Reachability Analyzer

Troubleshooting Checklist

Architecture Best Practices

Centralized Peering Hub

Transit Gateway Alternative

Quick Reference

Prevention Tips

Related Articles

Share this guide

More AWS Troubleshooting Guides

AWS DynamoDB Contributor Insights Not Showing

AWS DynamoDB DAX Cache Miss

AWS DynamoDB Global Table Replication Lag

AWS Step Functions Workflow Stuck Waiting

AWS Step Functions Execution Throttled

AWS EventBridge Pipe Source Error