Connecting Specific ECSs from Different VPCs

Scenarios

If your VPCs with the same CIDR block also include subnets that overlap, you can configure VPC peering connections that connect specific ECSs from these VPCs.

To enable traffic forwarding among these ECSs, you need to add routes with private IP addresses of these ECSs as the destinations and a VPC peering connection as the next hop to VPC route tables. Table 1 shows example scenarios.

**Table 1** Scenario description
Scenario	Scenario Description	IP Address Version	Networking Configuration	Related Reference
ECS in a central VPC peered to ECSs in two other VPCs	You want a central VPC to communicate with the other two VPCs. However, you do not want the other two VPCs to communicate with each other. The other two VPCs have the same CIDR block and also include subnets that overlap. To prevent route conflicts in the central VPC, you can configure VPC peering connections to connect to specific ECSs in the other two VPCs.	IPv4	ECS in a Central VPC Peered to ECSs in Two Other VPCs (IPv4)	Creating a VPC Peering Connection with Another VPC in Your Account Creating a VPC Peering Connection with a VPC in Another Account
A central VPC peered with two other VPCs using longest prefix match	This scenario is similar to the preceding one. In addition to peering specific ECSs, you can create the following VPC peering connections based on the longest prefix match rule: Create a VPC peering connection between the central VPC and an ECS in VPC-B Create a VPC peering connection between the central VPC and a subnet in VPC-C This configuration expands the communication scope.	IPv4	A Central VPC Peered with Two Other VPCs Using Longest Prefix Match (IPv4)

Notes and Constraints

If the ECSs in VPCs connected by a VPC peering connections are in different security groups, you need to add rules to the security groups to allow access to each other. For details, Enabling ECSs in Different Security Groups to Communicate with Each Other Through an Internal Network.
In all examples in this section, the ECSs in local and peer VPCs are in the same security group. No additional security group rule is required.
All route tables in a VPC can contain a maximum of 1,000 routes. If you want to establish VPC peering connections between multiple VPCs, consider this restriction when planning networking.
In a VPC route table, the route priority is as follows:
- Local route: A route that is automatically added by the system for communication within a VPC. It has a higher priority than a custom route.
- Custom route: A route added by a user or routes that are delivered during instance creation. It uses the longest prefix match rule to find a destination for packet forwarding.
  Figure 1 VPC route table

ECS in a Central VPC Peered to ECSs in Two Other VPCs (IPv4)

You want to create a VPC peering connection between VPC-A and VPC-B, and between VPC-A and VPC-C. VPC-B and VPC-C have matching CIDR blocks. You can set the destinations of routes to private IP addresses of specific ECSs to limit traffic to these ECSs. If the destination of a route is not properly planned, traffic cannot be correctly forwarded. For details, see One Central VPC Peered to Overlapping Subnets from Two VPCs (IPv4).

In this example, you need to create Peering-AB between ECS-A01-1 in VPC-A and ECS-B01 in VPC-B, and Peering-AC between ECS-A01-2 in VPC-A and ECS-C01 in VPC-C. Subnet-B01 and Subnet-C01 have matching CIDR blocks. The private IP addresses of ECS-B01 and ECS-C01 must be different. Otherwise, there will be route conflicts because the route table of VPC-A will have routes with the same destination.

For details about resource planning, see Table 2.
For details about VPC peering relationships, see Table 3.

Figure 2 Networking diagram (IPv4)

**Table 2** Resource planning details (IPv4)
VPC Name	VPC CIDR Block	Subnet Name	Subnet CIDR Block	VPC Route Table	ECS Name	Security Group	Private IP Address
VPC-A	172.16.0.0/16	Subnet-A01	172.16.0.0/24	rtb-VPC-A	ECS-A01-1	sg-web: general-purpose web server	172.16.0.111
VPC-A	172.16.0.0/16	Subnet-A01	172.16.0.0/24	rtb-VPC-A	ECS-A01-2		172.16.0.218
VPC-B	10.0.0.0/16	Subnet-B01	10.0.0.0/24	rtb-VPC-B	ECS-B01		10.0.0.139
VPC-C	10.0.0.0/16	Subnet-C01	10.0.0.0/24	rtb-VPC-C	ECS-C01		10.0.0.71

**Table 3** Peering relationships (IPv4)
Peering Relationship	Peering Connection Name	Local VPC	Peer VPC
ECS-A01-1 in VPC-A is peered with ECS-B01 in VPC-B.	Peering-AB	VPC-A	VPC-B
ECS-A01-2 in VPC-A is peered with ECS-C01 in VPC-C.	Peering-AC	VPC-A	VPC-C

After the VPC peering connections are created, add the following routes to the route tables of the local and peer VPCs:

**Table 4** VPC route table details (IPv4)
Route Table	Destination	Next Hop	Route Type	Description
rtb-VPC-A	172.16.0.0/24	Local	System	Local routes are automatically added for communications within a VPC.
	10.0.0.139/32 (ECS-B01)	Peering-AB	Custom	Add a route with the private IP address of ECS-B01 as the destination and Peering-AB as the next hop.
	10.0.0.71/32 (ECS-C01)	Peering-AC	Custom	Add a route with the private IP address of ECS-C01 as the destination and Peering-AC as the next hop.
rtb-VPC-B	10.0.0.0/24	Local	System	Local routes are automatically added for communications within a VPC.
rtb-VPC-B	172.16.0.111/32 (ECS-A01-1)	Peering-AB	Custom	Add a route with the private IP address of ECS-A01-1 as the destination and Peering-AB as the next hop.
rtb-VPC-C	10.0.0.0/24	Local	System	Local routes are automatically added for communications within a VPC.
rtb-VPC-C	172.16.0.218/32 (ECS-A01-2)	Peering-AC	Custom	Add a route with the private IP address of ECS-A01-2 as the destination and Peering-AC as the next hop.

A Central VPC Peered with Two Other VPCs Using Longest Prefix Match (IPv4)

In this example, you need to create Peering-AB between central VPC-A and ECS-B01 in VPC-B, and Peering-AC between central VPC-A and VPC-C. Subnet-B01 and Subnet-C01 have matching CIDR blocks. You can use the longest prefix match rule to control traffic forwarding.

For details about resource planning, see Table 5.
For details about VPC peering relationships, see Table 6.

Figure 3 Networking diagram (IPv4)

**Table 5** Resource planning details (IPv4)
VPC Name	VPC CIDR Block	Subnet Name	Subnet CIDR Block	VPC Route Table	ECS Name	Security Group	Private IP Address
VPC-A	172.16.0.0/16	Subnet-A01	172.16.0.0/24	rtb-VPC-A	ECS-A01	sg-web: general-purpose web server	172.16.0.111
VPC-A	172.16.0.0/16	Subnet-A02	172.16.1.0/24	rtb-VPC-A	ECS-A02		172.16.1.91
VPC-B	10.0.0.0/16	Subnet-B01	10.0.0.0/24	rtb-VPC-B	ECS-B01		10.0.0.139
VPC-C	10.0.0.0/16	Subnet-C01	10.0.0.0/24	rtb-VPC-C	ECS-C01		10.0.0.71

**Table 6** Peering relationships (IPv4)
Peering Relationship	Peering Connection Name	Local VPC	Peer VPC
VPC-A is peered with ECS-B01 in VPC-B.	Peering-AB	VPC-A	VPC-B
VPC-A is peered with VPC-C.	Peering-AC	VPC-A	VPC-C

After the VPC peering connections are created, add the following routes to the route tables of the local and peer VPCs:

**Table 7** VPC route table details (IPv4)
Route Table	Destination	Next Hop	Route Type	Description
rtb-VPC-A	172.16.0.0/24	Local	System	Local routes are automatically added for communications within a VPC.
	172.16.1.0/24	Local	System
	10.0.0.139/32 (ECS-B01)	Peering-AB	Custom	Add a route with the private IP address of ECS-B01 as the destination and Peering-AB as the next hop.
	10.0.0.0/16 (VPC-C)	Peering-AC	Custom	Add a route with the CIDR block of VPC-C as the destination and Peering-AC as the next hop.
rtb-VPC-B	10.0.0.0/24	Local	System	Local routes are automatically added for communications within a VPC.
rtb-VPC-B	172.16.0.0/16 (VPC-A)	Peering-AB	Custom	Add a route with the CIDR block of VPC-A as the destination and Peering-AB as the next hop.
rtb-VPC-C	10.0.0.0/24	Local	System	Local routes are automatically added for communications within a VPC.
rtb-VPC-C	172.16.0.0/16 (VPC-A)	Peering-AC	Custom	Add a route with the CIDR block of VPC-A as the destination and Peering-AC as the next hop.