In modern cloud architectures, it’s common to have multiple AWS accounts, each serving different environments or departments. Often, these environments need to communicate securely and efficiently. Connecting two internal Virtual Private Clouds (VPCs) across different AWS accounts can be a crucial requirement for achieving seamless communication between isolated environments. This article will guide you through the steps and considerations involved in connecting two VPCs residing in separate AWS accounts.

Why Connect VPCs Across AWS Accounts?

There are several reasons why organizations choose to connect VPCs across different AWS accounts:

1. Segregation of Duties: Different teams or departments may manage separate AWS accounts. Connecting VPCs enables them to share resources while maintaining isolation.
2. Security: Isolating environments across accounts enhances security, yet the need for inter-VPC communication remains for certain workloads.
3. Scalability: Distributing resources across multiple accounts can help manage AWS limits and allow for better resource organization.

Methods to Connect VPCs Across AWS Accounts

There are multiple ways to establish a connection between two VPCs in different AWS accounts:

1. VPC Peering
2. Transit Gateway
3. AWS PrivateLink
4. VPN or Direct Connect

Let’s explore each method in detail.

1. VPC Peering

VPC Peering is the simplest method to connect two VPCs. It creates a direct, private connection between two VPCs. However, this method has some limitations, such as the lack of transitive routing (you cannot route traffic between two VPCs through a third VPC).

Steps to Create a VPC Peering Connection:

1. Initiate Peering Request: From the first AWS account, navigate to the VPC console, select “Peering Connections,” and create a new peering connection. You’ll need the VPC ID of the second VPC and the AWS Account ID where it’s hosted.
2. Accept Peering Request: Switch to the second AWS account, navigate to the VPC console, and accept the peering request.
3. Update Route Tables: Both VPCs need to update their route tables to allow traffic to flow through the peering connection. Add a route to the CIDR block of the other VPC.
4. Security Groups and NACLs: Ensure that the security groups and network ACLs in both VPCs allow the desired traffic to flow between the instances.

Pros:

• Simple to set up.
• Low cost.

Cons:

• No transitive routing.
• Limited to a one-to-one connection.

2. AWS Transit Gateway

AWS Transit Gateway is a highly scalable and flexible service that acts as a hub for connecting multiple VPCs and on-premises networks. It supports transitive routing, allowing connected networks to communicate with each other via the gateway.

Steps to Set Up AWS Transit Gateway:

1. Create a Transit Gateway: In one of the AWS accounts, create a Transit Gateway through the VPC console.
2. Share the Transit Gateway: Use AWS Resource Access Manager (RAM) to share the Transit Gateway with the other AWS account.
3. Attach VPCs to Transit Gateway: In both AWS accounts, attach the respective VPCs to the Transit Gateway.
4. Update Route Tables: Update the route tables in both VPCs to send traffic destined for the other VPC through the Transit Gateway.
5. Configure Security Groups: Ensure that security groups and network ACLs are configured to allow the necessary traffic.

Pros:

• Scalable, supporting multiple VPCs.
• Supports transitive routing.

Cons:

• Higher cost compared to VPC Peering.
• Slightly more complex to set up.

3. AWS PrivateLink

AWS PrivateLink allows you to securely expose services running in one VPC to another VPC or account without traversing the public internet. This method is ideal for exposing services like APIs or databases between VPCs.

Steps to Set Up AWS PrivateLink:

1. Create an Endpoint Service: In the VPC where your service resides, create an endpoint service that points to your service (e.g., an NLB).
2. Create an Interface Endpoint: In the VPC of the other AWS account, create an interface VPC endpoint that connects to the endpoint service.
3. Accept Endpoint Connection: The owner of the endpoint service needs to accept the connection request.
4. Update Security Groups: Ensure security groups on both sides allow the necessary traffic.

Pros:

• Private and secure service exposure.
• Does not require route table modifications.

Cons:

• Primarily suitable for service-to-service communication.
• Limited to specific use cases.

4. VPN or AWS Direct Connect

VPN (Virtual Private Network) and AWS Direct Connect offer connectivity between VPCs in different accounts, especially when these VPCs need to connect with on-premises networks.

Steps to Set Up a VPN or Direct Connect:

1. Create a VPN Gateway: In the VPC of each account, create a Virtual Private Gateway.
2. Create Customer Gateways: Define customer gateways representing the opposite VPCs.
3. Set Up VPN Connections: Create VPN connections between the Virtual Private Gateways and the Customer Gateways.
4. Update Route Tables: Modify the route tables to direct traffic through the VPN connection.

Pros:

• Suitable for hybrid cloud scenarios.
• Secure, encrypted connection.

Cons:

• Higher cost and complexity.
• Latency concerns with VPN.

Considerations

• CIDR Overlap: Ensure that the CIDR blocks of the VPCs do not overlap, as this will prevent successful routing.
• Security: Always verify that security groups, NACLs, and IAM roles/policies are properly configured to allow desired traffic.
• Cost: Assess the cost implications of each connection method, especially as your infrastructure scales.
• Monitoring: Implement monitoring and logging to track the health and performance of the connections.

Cost Comparison

When choosing a method to connect VPCs across AWS accounts, cost is a significant factor. Below is a cost comparison of the different methods:

1. VPC Peering

• Pricing: VPC Peering is generally the most cost-effective solution. You only pay for the data transferred between the VPCs.
• Data Transfer Costs: Data transfer across regions incurs charges, but within the same region, it is free between VPCs.
• Per GB Charge: Within the same region: $0.01/GB; across regions: $0.02/GB to $0.09/GB depending on the regions.
• Considerations: The costs are linear with the amount of data transferred, making it ideal for low to moderate traffic volumes.

2. AWS Transit Gateway

• Pricing: Transit Gateway is more expensive than VPC Peering but offers more features and flexibility.
• Per Hour Charge: You pay an hourly charge per Transit Gateway attachment (approximately $0.05 per VPC attachment per hour).
• Data Transfer Costs: $0.02/GB within the same region, and cross-region data transfer charges vary similarly to VPC Peering.
• Considerations: This solution is suitable for environments with multiple VPCs or complex network architectures that require transitive routing. Costs can accumulate with more attachments and higher data transfer.

3. AWS PrivateLink

• Pricing: AWS PrivateLink pricing involves charges for the endpoint and data processing.
• Per Hour Charge: $0.01 per endpoint hour.
• Data Processing Costs: $0.01/GB processed by the interface endpoint.
• Considerations: PrivateLink is cost-effective for exposing services but can be more expensive for high traffic volumes due to the data processing charges. Ideal for specific service communication.

4. VPN or AWS Direct Connect

• Pricing: VPN is relatively affordable, while Direct Connect can be costly.
• VPN Costs: About $0.05 per VPN connection hour plus data transfer charges.
• Direct Connect Costs: Direct Connect charges a per-hour port fee (e.g., $0.30/hour for a 1 Gbps port) and data transfer costs. These charges are significantly higher for dedicated lines.
• Considerations: VPN is suitable for secure, occasional connections with low to moderate traffic. Direct Connect is ideal for high-throughput, low-latency connections, but it is expensive.

Latency Impact

Latency is another critical factor, especially for applications that require real-time or near-real-time communication.

1. VPC Peering

• Latency: VPC Peering provides the lowest latency because it uses AWS’s high-speed backbone network for direct connections between VPCs.
• Intra-Region: Virtually negligible latency.
• Inter-Region: Latency is introduced due to the physical distance between regions but is still minimized by AWS’s optimized routing.
• Use Case: Suitable for applications requiring fast, low-latency connections within the same region or across regions.

2. AWS Transit Gateway

• Latency: Transit Gateway introduces minimal latency, slightly more than VPC Peering, as traffic must pass through the Transit Gateway.
• Latency Overhead: Generally low, with an additional hop compared to direct peering.
• Use Case: Ideal for connecting multiple VPCs with low to moderate latency requirements, especially when transitive routing is needed.

3. AWS PrivateLink

• Latency: AWS PrivateLink is optimized for low latency, but since it involves traffic going through an endpoint, there can be minimal latency overhead.
• Latency Impact: Negligible within the same region, slight overhead due to interface endpoint processing.
• Use Case: Best suited for service-specific, low-latency connections, especially within the same region.

4. VPN or AWS Direct Connect

• VPN Latency: VPN connections have higher latency due to encryption and routing over the internet.
• Latency Impact: Significant overhead compared to other methods, especially for applications sensitive to delays.
• Direct Connect Latency: Direct Connect offers very low latency, typically better than VPC Peering or Transit Gateway.
• Latency Impact: Near zero latency over dedicated lines, making it suitable for high-performance applications.
• Use Case: VPN is suitable for secure connections where latency is not a primary concern. Direct Connect is ideal for high-performance, low-latency requirements.

Summary

Cost:

• VPC Peering is the most economical for simple, direct connections.
• Transit Gateway costs more but offers greater flexibility and scalability.
• PrivateLink is cost-efficient for exposing services but can be expensive for high data volumes.
• VPN is affordable but comes with higher latency, while Direct Connect is costly but delivers the best performance.

Latency:

• VPC Peering and Transit Gateway both offer low latency, suitable for most inter-VPC communication needs.
• PrivateLink introduces minimal latency, making it ideal for service-to-service communication.
• VPN has the highest latency, while Direct Connect provides the lowest latency but at a higher cost.

Choosing the right method depends on the specific requirements of your architecture, including budget, performance, and scalability considerations.

The impact on data transfer when connecting VPCs across different AWS accounts is a crucial consideration. Each method of connecting VPCs has different implications for data transfer costs, throughput capacity, and overall performance. Below, I’ll break down how each method affects data transfer:

1. VPC Peering

Data Transfer Costs:

• Intra-Region: When VPCs are in the same region, there are no additional data transfer costs between peered VPCs. This makes VPC Peering highly cost-effective for intra-region connections.
• Inter-Region: When peering VPCs across different regions, AWS charges for data transfer. The cost varies depending on the regions involved, typically ranging from $0.02/GB to $0.09/GB.

Throughput:

• VPC Peering uses AWS’s internal backbone network, which provides high throughput. There is no single point of failure or bottleneck, ensuring efficient and reliable data transfer.

Impact on Performance:

• Intra-Region: Since data transfer happens over the AWS backbone network, you can expect minimal latency and high performance.
• Inter-Region: Performance is still robust, but latency increases due to the physical distance between regions.

2. AWS Transit Gateway

Data Transfer Costs:

• Intra-Region: AWS charges $0.02/GB for data transferred between VPCs connected to the same Transit Gateway.
• Inter-Region: Transit Gateway supports inter-region peering, but like VPC Peering, inter-region data transfer costs are higher. Data transfer across regions typically ranges from $0.02/GB to $0.09/GB, similar to VPC Peering.

Throughput:

• Transit Gateway is highly scalable and designed to handle large volumes of traffic. It supports up to 50 Gbps per attachment (VPC, VPN, etc.), making it suitable for high-throughput applications.

Impact on Performance:

• Intra-Region: Transit Gateway adds a small amount of latency compared to VPC Peering, as all traffic passes through the Transit Gateway. However, the performance impact is generally minimal for most use cases.
• Inter-Region: Latency is higher due to the physical distance between regions, but throughput remains robust, thanks to AWS’s network infrastructure.

3. AWS PrivateLink

Data Transfer Costs:

• Intra-Region: Data transfer through PrivateLink is billed at $0.01/GB for data processed by the interface endpoint, in addition to $0.01 per hour for the endpoint itself.
• Inter-Region: If you use PrivateLink across regions (e.g., accessing a service in one region from a VPC in another), inter-region data transfer charges apply, similar to VPC Peering and Transit Gateway.

Throughput:

• PrivateLink is designed for service-to-service communication, so the throughput is generally limited to the capacity of the Network Load Balancer (NLB) and interface endpoints. It can handle substantial data volumes but might not match the raw throughput of VPC Peering or Transit Gateway for bulk data transfers.

Impact on Performance:

• Intra-Region: PrivateLink is optimized for low latency and is highly efficient for internal service communication within the same region.
• Inter-Region: As with other methods, inter-region connections incur latency due to physical distances, though PrivateLink maintains a low-latency profile for service communication.

4. VPN or AWS Direct Connect

Data Transfer Costs:

• VPN: Data transfer over a VPN connection incurs standard internet egress charges. AWS charges for data transferred out of your VPC to the internet, which can add up if significant data is moved.
• Direct Connect: Direct Connect offers lower data transfer costs compared to VPN, especially for large volumes of data. Data transfer rates vary by location, but they are generally lower than standard internet rates, often ranging from $0.01/GB to $0.05/GB, depending on the connection type and region.

Throughput:

• VPN: Limited by the internet bandwidth and VPN tunnel capacity. Typically, VPN connections are capped at around 1.25 Gbps per tunnel, with potential performance degradation due to encryption overhead.
• Direct Connect: Offers up to 100 Gbps throughput, making it ideal for high-volume data transfers. This makes it highly suitable for large-scale, high-performance applications that require consistent throughput.

Impact on Performance:

• VPN: Higher latency and lower throughput compared to other methods, due to encryption and the use of public internet for data transfer.
• Direct Connect: Provides the lowest latency and highest throughput, making it the best choice for latency-sensitive applications that require moving large amounts of data across regions or between on-premises and AWS environments.

Summary of Data Transfer Impact

• VPC Peering: Cost-effective for intra-region data transfer with high throughput and minimal latency. Costs and latency increase for inter-region connections.
• AWS Transit Gateway: Slightly higher cost than VPC Peering for intra-region transfers, but it offers flexibility and scalability, making it suitable for complex architectures with multiple VPCs.
• AWS PrivateLink: Best for service-to-service communication with moderate data volumes. It incurs endpoint processing costs but maintains low latency.
• VPN: Higher data transfer costs due to internet egress fees, with limited throughput and higher latency. Suitable for low-volume, secure connections.
• Direct Connect: Lower data transfer costs and high throughput make it ideal for large-scale data transfers, but it requires a higher upfront investment and ongoing costs.

When choosing the method to connect VPCs, consider the data transfer costs, required throughput, and acceptable latency based on your application’s needs and traffic patterns.

Conclusion

Connecting two internal VPCs across different AWS accounts is an essential task for multi-account environments. The method you choose—whether it’s VPC Peering, Transit Gateway, AWS PrivateLink, or VPN/Direct Connect—will depend on your specific use case, scalability requirements, and budget. By following the steps outlined above, you can establish secure, efficient, and scalable inter-VPC communication to meet your organizational needs.