Introduction
VPC peering connects two VPCs, allowing instances to communicate as if they're in the same network. When routing fails, instances in peered VPCs can't reach each other despite the peering connection being active.
Symptoms
Connection timeout:
```
$ ping 10.1.0.10
PING 10.1.0.10 (10.1.0.10): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
```
Connection refused:
```
$ curl http://10.1.0.10:8080
curl: (7) Failed to connect to 10.1.0.10 port 8080: Connection refused
```
Traceroute shows no path:
```
$ traceroute 10.1.0.10
traceroute to 10.1.0.10, 30 hops max
 1 * * *
 2 * * *
```
Read the symptom before chasing routes. A timeout and an all-asterisk traceroute are what a missing route, a blackholed route, or a security group or NACL drop look like, because all of them discard packets silently. "Connection refused" is a TCP reset sent by 10.1.0.10 itself (or a host firewall on it), so the packet already crossed the peering and the routing and filtering layers are working; in that case the service is simply not listening on port 8080 (check with `ss -ltnp` on the target) and the steps below will not find a fault.
Common Causes
- 1.Missing route table entries - Routes not added to route tables
- 2.Security group blocking - Ingress/egress rules don't allow traffic
- 3.Network ACL blocking - NACL rules deny traffic
- 4.DNS resolution issue - Can't resolve hostnames across peering
- 5.Overlapping CIDR blocks - Cannot peer overlapping ranges
- 6.Peering connection not accepted - Pending request not accepted
- 7.Wrong route target - Route pointing to wrong peering connection
Step-by-Step Fix
- 1.Check logs for specific error messages
- 2.Verify configuration settings
- 3.Test network connectivity
- 4.Review recent changes
- 5.Apply corrective action
- 6.Verify the fix
Step 1: Check Peering Connection Status
```bash
# List peering connections with their status
aws ec2 describe-vpc-peering-connections \
  --query 'VpcPeeringConnections[*].[VpcPeeringConnectionId,Status.Code,Status.Message]' \
  --output table

# Status must be "active"
# Other statuses: pending-acceptance, rejected, failed, expired, deleted
# "failed" with an overlapping-CIDR message cannot be fixed by accepting; see Step 8

# Accept a pending connection (run from the accepter VPC's account, and for
# inter-region peering with --region set to the accepter VPC's region)
aws ec2 accept-vpc-peering-connection \
  --vpc-peering-connection-id pcx-12345
```
Step 2: Verify Route Table Entries
```bash
# Get route tables for VPC-A, including each route's State
aws ec2 describe-route-tables \
  --filters Name=vpc-id,Values=vpc-a-id \
  --query 'RouteTables[*].[RouteTableId,Routes[*].[DestinationCidrBlock,GatewayId,VpcPeeringConnectionId,State]]'

# VPC-A route table should have:
# Destination: VPC-B CIDR (10.1.0.0/16) -> Target: pcx-12345, State: active
# State "blackhole" means the target (for example a deleted peering) no longer
# exists; the route is still listed but traffic to it is dropped

# Check VPC-B routes
aws ec2 describe-route-tables \
  --filters Name=vpc-id,Values=vpc-b-id \
  --query 'RouteTables[*].[RouteTableId,Routes[*].[DestinationCidrBlock,VpcPeeringConnectionId,State]]'

# VPC-B route table should have:
# Destination: VPC-A CIDR (10.0.0.0/16) -> Target: pcx-12345, State: active
#
# Both directions are required (the reply needs a route back), and the route must
# exist in every route table whose subnets need to reach the peer, not just one.
# The VPC router uses longest-prefix match, so a more specific route (say a /24
# inside the peer range) pointing somewhere else wins over the /16 to the peering.
```
Add missing routes:
```bash
# Add route in VPC-A to reach VPC-B
aws ec2 create-route \
  --route-table-id rtb-vpc-a \
  --destination-cidr-block 10.1.0.0/16 \
  --vpc-peering-connection-id pcx-12345

# Add route in VPC-B to reach VPC-A
aws ec2 create-route \
  --route-table-id rtb-vpc-b \
  --destination-cidr-block 10.0.0.0/16 \
  --vpc-peering-connection-id pcx-12345

# If a route for that exact CIDR already exists (pointing at the wrong target or at
# a deleted peering), create-route fails with RouteAlreadyExists; run
# `aws ec2 replace-route` with the same arguments instead
```
Step 3: Check Subnet Route Table Association
```bash
# The instance's subnet must use a route table that carries the peering route
# Get the instance's subnet
aws ec2 describe-instances --instance-ids i-abc123 \
  --query 'Reservations[*].Instances[*].SubnetId'

# Get the route table explicitly associated with that subnet
aws ec2 describe-route-tables \
  --filters Name=association.subnet-id,Values=subnet-12345 \
  --query 'RouteTables[*].[RouteTableId,Associations[*].SubnetId]'

# An empty result means the subnet has no explicit association and falls back to
# the VPC's main route table, so check that one
aws ec2 describe-route-tables \
  --filters Name=vpc-id,Values=vpc-12345 Name=association.main,Values=true \
  --query 'RouteTables[*].Routes'
```
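The three things Steps 2 and 3 check by hand (which route table a subnet really uses, longest-prefix match, and route state) can be rehearsed offline. The Python below is an added example, not code from this page or from AWS. It works on data in the shape of the `RouteTables` list that `aws ec2 describe-route-tables --output json` returns; the IDs (`rtb-main`, `rtb-app`, `subnet-app`, `subnet-db`, `pcx-stale`, `igw-1`) and CIDRs are constructed so it runs without credentials. Point it at the real JSON to check a live VPC.

```python
import ipaddress

# Constructed sample data in the shape of `aws ec2 describe-route-tables` output.
# VPC-A is 10.0.0.0/16, peered with VPC-B (10.1.0.0/16) over pcx-12345.
# Only the explicitly associated table "rtb-app" carries the peering route; the
# main table still sends everything non-local to the internet gateway.
# "pcx-stale" is a peering that was deleted: its route stays listed as a blackhole.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True, "RouteTableId": "rtb-main"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-app",
        "Associations": [{"Main": False, "SubnetId": "subnet-app", "RouteTableId": "rtb-app"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-12345", "State": "active"},
            {"DestinationCidrBlock": "10.1.5.0/24", "VpcPeeringConnectionId": "pcx-stale", "State": "blackhole"},
        ],
    },
]

# Keys under which describe-route-tables reports a route's target.
TARGET_KEYS = ("VpcPeeringConnectionId", "GatewayId", "NatGatewayId",
               "TransitGatewayId", "NetworkInterfaceId", "InstanceId")


def effective_route_table(route_tables, subnet_id):
    """The table a subnet really uses: an explicit association wins, otherwise the main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def route_target(route):
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return None


def lookup(route_tables, subnet_id, dst_ip):
    """Longest-prefix match, as the VPC router does it.

    Returns (route_table_id, matched_cidr, target, state); the last three are
    None when no route covers the destination.
    """
    rt = effective_route_table(route_tables, subnet_id)
    dst = ipaddress.ip_address(dst_ip)
    best_route, best_net = None, None
    for route in rt["Routes"]:
        cidr = route.get("DestinationCidrBlock")  # IPv6 routes use DestinationIpv6CidrBlock
        if cidr is None:
            continue
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_route, best_net = route, net
    if best_route is None:
        return (rt["RouteTableId"], None, None, None)
    return (rt["RouteTableId"], str(best_net), route_target(best_route), best_route.get("State"))


def diagnose(route_tables, subnet_id, dst_ip, expected_pcx):
    """Classify why a packet from subnet_id to dst_ip would or would not cross expected_pcx."""
    table, cidr, target, state = lookup(route_tables, subnet_id, dst_ip)
    if cidr is None:
        verdict = "NO_ROUTE"       # add a route for the peer CIDR in this table
    elif state == "blackhole":
        verdict = "BLACKHOLE"      # target is gone (deleted peering); replace the route
    elif target != expected_pcx:
        verdict = "WRONG_TARGET"   # e.g. the main table's 0.0.0.0/0 -> igw swallows peer traffic
    else:
        verdict = "OK"
    return (verdict, table, cidr, target)


if __name__ == "__main__":
    for subnet, dst in (("subnet-app", "10.1.0.10"), ("subnet-app", "10.1.5.7"), ("subnet-db", "10.1.0.10")):
        print(subnet, "->", dst, diagnose(ROUTE_TABLES, subnet, dst, "pcx-12345"))
```

The `subnet-db` case is the one that most often survives a quick glance at the console: the subnet has no explicit association, so it uses the main table, where the default route to the internet gateway matches 10.1.0.10 and the traffic leaves through the IGW instead of the peering.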
Step 4: Check Security Groups
```bash
# Get instance security groups
aws ec2 describe-instances --instance-ids i-abc123 \
  --query 'Reservations[*].Instances[*].SecurityGroups[*].GroupId'

# Check inbound rules
aws ec2 describe-security-groups --group-ids sg-12345 \
  --query 'SecurityGroups[*].IpPermissions[*].[FromPort,ToPort,IpProtocol,IpRanges[*].CidrIp]'

# Must allow traffic from the peered VPC CIDR (or, for same-region peering, from a
# security group ID in the peer VPC). Add an inbound rule from VPC-B:
aws ec2 authorize-security-group-ingress \
  --group-id sg-vpc-a \
  --protocol tcp \
  --port 22 \
  --cidr 10.1.0.0/16   # VPC-B CIDR
# Testing with ping needs its own rule (--protocol icmp --port -1); a TCP-only
# rule makes ping fail even though the application port works.

# Security groups are stateful: replies to an allowed inbound connection are
# permitted automatically. The default outbound rule allows everything, so add an
# egress rule only if egress has been restricted:
aws ec2 authorize-security-group-egress \
  --group-id sg-vpc-a \
  --protocol tcp \
  --port 0-65535 \
  --cidr 10.1.0.0/16
```
Step 5: Check Network ACLs
```bash
# Get the subnet's NACL and its entries
aws ec2 describe-network-acls \
  --filters Name=association.subnet-id,Values=subnet-12345 \
  --query 'NetworkAcls[*].[NetworkAclId,Entries[*].[RuleNumber,Egress,RuleAction,Protocol,PortRange,CidrBlock]]'

# NACL rules:
# - Evaluated in order (lowest rule number first); the first match decides
# - The final "*" entry (rule 32767) denies anything not matched earlier
# - Must have an ALLOW rule for the request in one direction
# - NACLs are stateless: the reply must be allowed in the other direction too, and it
#   arrives on the client's ephemeral source port (1024-65535 covers every client OS)

# Common NACL issue: inbound allowed but the reply is dropped on the way out
# Add an outbound rule for return traffic. The rule number must be unused in that
# direction (otherwise creation fails with NetworkAclEntryAlreadyExists) and must
# sort before any deny that would otherwise match.
aws ec2 create-network-acl-entry \
  --network-acl-id acl-12345 \
  --rule-number 100 \
  --protocol tcp \
  --port-range From=1024,To=65535 \
  --cidr-block 10.1.0.0/16 \
  --rule-action allow \
  --egress

# The client-side subnet's NACL needs the mirror image: outbound to the service
# port and inbound from the peer CIDR on ports 1024-65535.
```
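The ordering and statelessness rules from Step 5 are easy to get wrong by eye, so here is an added Python example (not code from this page or from AWS) that evaluates a NACL the way the VPC does: lowest rule number first, first match wins, implicit deny at 32767. `SERVER_NACL` is constructed in the shape of the `Entries` list returned by `describe-network-acls`, for a server subnet in VPC-B (10.1.0.0/16) receiving SSH from a client in VPC-A (10.0.0.0/16); the client IP 10.0.1.20 and the port ranges are assumptions. `check_tcp` tests both halves of one TCP connection and reports which half is dropped.

```python
import ipaddress

# Constructed sample NACL on the server subnet in VPC-B: SSH is allowed in from the
# peer VPC, but outbound only allows port 80, so replies to the client's ephemeral
# port hit the implicit deny. Rule 32767 is the "*" entry AWS always includes.
SERVER_NACL = [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 80, "To": 80}},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
]

# The same NACL after adding the egress rule for return traffic (rule 110, so it
# does not collide with the existing egress rule 100 and still sorts before 32767).
FIXED_SERVER_NACL = SERVER_NACL + [
    {"RuleNumber": 110, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 1024, "To": 65535}},
]


def _compile(entries):
    """Normalise entries to (rule, egress, network, protocol, lo, hi, action), lowest rule first."""
    out = []
    for e in entries:
        if "CidrBlock" not in e:          # IPv6 entries carry Ipv6CidrBlock instead; not modelled here
            continue
        pr = e.get("PortRange") or {"From": 0, "To": 65535}   # "all traffic" and ICMP entries have no PortRange
        out.append((e["RuleNumber"], e["Egress"], ipaddress.ip_network(e["CidrBlock"]),
                    e["Protocol"], pr["From"], pr["To"], e["RuleAction"]))
    return sorted(out, key=lambda t: t[0])


def nacl_decision(compiled, egress, protocol, port, remote_ip):
    """First matching rule in the given direction wins. Returns (action, rule_number)."""
    ip = ipaddress.ip_address(remote_ip)
    for rule, is_egress, net, proto, lo, hi, action in compiled:
        if is_egress != egress or ip not in net:
            continue
        if proto != "-1" and (proto != protocol or not (lo <= port <= hi)):
            continue
        return (action, rule)
    return ("deny", None)   # unreachable with a real NACL: AWS always includes the 32767 deny


def check_tcp(entries, remote_ip, service_port, server_side=True, ephemeral=(1024, 65535)):
    """Evaluate both halves of one TCP connection against this subnet's NACL.

    server_side=True : remote_ip is the client; the request arrives inbound on
                       service_port and the reply leaves outbound to an ephemeral port.
    server_side=False: remote_ip is the server; the request leaves outbound and the
                       reply comes back inbound on an ephemeral port.
    Returns ("OK", None), ("REQUEST_DENIED", rule_number) or ("REPLY_DENIED", first_blocked_port).
    """
    compiled = _compile(entries)
    request_egress = not server_side
    action, rule = nacl_decision(compiled, request_egress, "6", service_port, remote_ip)
    if action != "allow":
        return ("REQUEST_DENIED", rule)
    # The client's source port is unknown in advance, so every ephemeral port must pass.
    for port in range(ephemeral[0], ephemeral[1] + 1):
        action, _ = nacl_decision(compiled, not request_egress, "6", port, remote_ip)
        if action != "allow":
            return ("REPLY_DENIED", port)
    return ("OK", None)


if __name__ == "__main__":
    print("before fix:", check_tcp(SERVER_NACL, "10.0.1.20", 22))
    print("after fix: ", check_tcp(FIXED_SERVER_NACL, "10.0.1.20", 22))
    print("other VPC: ", check_tcp(FIXED_SERVER_NACL, "10.2.0.5", 22))
```

Run the same function with `server_side=False` against the client subnet's NACL to confirm the mirror-image rules there; a connection only works when both subnets return `("OK", None)`.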
Step 6: Test Connectivity Step by Step
```bash
# From an instance in VPC-A, test connectivity to VPC-B (10.1.0.10)

# 1. Basic reachability (needs an ICMP rule in the target's security group)
ping -c 3 10.1.0.10

# 2. Specific port
nc -zv 10.1.0.10 80

# 3. Application-level check
curl -v http://10.1.0.10:80

# 4. Path MTU. -s sets only the ICMP payload; IP and ICMP headers add 28 bytes,
#    and -M do forbids fragmentation so an oversized probe fails instead of being split.
ping -M do -s 1472 10.1.0.10   # 1500-byte packet: must work
ping -M do -s 8973 10.1.0.10   # 9001-byte jumbo frame: works for same-region peering;
                               # inter-region peering has historically been capped at
                               # 1500 bytes, which shows up as small requests working
                               # while large transfers stall
```
Step 7: Enable DNS Resolution Across Peering
```bash
# DNS resolution across the peering only matters when you connect to the peer by its
# public DNS hostname and expect the private IP back; connections by IP skip this step.
# Both sides' options are visible from either account:
aws ec2 describe-vpc-peering-connections \
  --vpc-peering-connection-ids pcx-12345 \
  --query 'VpcPeeringConnections[*].[RequesterPeeringConnectionOptions.AllowDnsResolutionFromRemoteVpc,AccepterPeeringConnectionOptions.AllowDnsResolutionFromRemoteVpc]'

# Enable DNS resolution on the requester side (run by the requester VPC's owner)
aws ec2 modify-vpc-peering-connection-options \
  --vpc-peering-connection-id pcx-12345 \
  --requester-peering-connection-options AllowDnsResolutionFromRemoteVpc=true

# And on the accepter side (run by the accepter VPC's owner; for inter-region
# peering, with --region set to that VPC's region)
aws ec2 modify-vpc-peering-connection-options \
  --vpc-peering-connection-id pcx-12345 \
  --accepter-peering-connection-options AllowDnsResolutionFromRemoteVpc=true

# Both VPCs also need enableDnsSupport and enableDnsHostnames turned on, e.g.
# aws ec2 describe-vpc-attribute --vpc-id vpc-a-id --attribute enableDnsHostnames
```
Step 8: Check for Overlapping CIDRs
```bash
# Get all CIDR blocks of both VPCs (secondary CIDRs count too)
aws ec2 describe-vpcs --vpc-ids vpc-a-id vpc-b-id \
  --query 'Vpcs[*].[VpcId,CidrBlock,CidrBlockAssociationSet[*].CidrBlock]'

# CIDRs must NOT overlap. Cannot peer if:
# VPC-A: 10.0.0.0/16
# VPC-B: 10.0.1.0/24   # Overlaps with VPC-A
#
# AWS rejects an overlapping request at creation time (the peering ends up in
# "failed"), so this explains a failed request rather than an active peering
# that does not route. If overlapping, one VPC must be re-IPed before peering.
```
Step 9: Verify Both Sides Are Using Correct Peering
```bash
# Check which VPCs this peering actually joins
aws ec2 describe-vpc-peering-connections \
  --vpc-peering-connection-ids pcx-12345 \
  --query 'VpcPeeringConnections[*].[RequesterVpcInfo.VpcId,AccepterVpcInfo.VpcId]'

# Both VPC IDs must be the ones you expect, and the routes added in Step 2 must
# point at this peering connection ID, not at another pcx- in the account
```
Step 10: Check VPC Endpoints and PrivateLink
```bash
# If the target is an AWS service endpoint rather than an instance, verify the
# endpoint configuration and type
aws ec2 describe-vpc-endpoints \
  --filters Name=vpc-id,Values=vpc-a-id \
  --query 'VpcEndpoints[*].[VpcEndpointId,ServiceName,VpcEndpointType,State]'

# Gateway endpoints (S3, DynamoDB) are prefix-list routes in the owning VPC's route
# tables and cannot be used from a peered VPC at all. Interface endpoints (PrivateLink)
# are reachable over the peering by their ENI IP addresses, but their private DNS names
# do not resolve from the peer VPC without extra Route 53 Resolver configuration.
# For cross-VPC service access, create the interface endpoint in the consuming VPC,
# or expose the service through PrivateLink.
```
VPC Peering Connectivity Checklist
| Check | Command | Expected |
|---|---|---|
| Peering status | describe-vpc-peering-connections | active |
| Route table VPC-A | describe-route-tables | Route to VPC-B CIDR via the pcx, State active |
| Route table VPC-B | describe-route-tables | Route to VPC-A CIDR via the pcx, State active |
| Subnet association | describe-route-tables (association.subnet-id, else association.main) | Instance subnet uses a table that has the peering route |
| Security group inbound | describe-security-groups | Allow from peer CIDR on the service port (plus ICMP if testing with ping) |
| Security group outbound | describe-security-groups | Allow to peer CIDR |
| NACL inbound | describe-network-acls | Allow required ports |
| NACL outbound | describe-network-acls | Allow ephemeral ports 1024-65535 |
| DNS resolution | describe-vpc-peering-connections | Enabled on both sides (only needed for hostname access) |
Verification
```bash
# Test connectivity between instances
# From VPC-A instance:
ping -c 3 10.1.0.10   # VPC-B instance IP

# Should get responses
# Test application port
curl http://10.1.0.10:8080/health

# If still failing, confirm flow logs are enabled for the VPC and find where they go
aws ec2 describe-flow-logs \
  --filter Name=resource-id,Values=vpc-a-id \
  --query 'FlowLogs[*].[FlowLogId,ResourceId,FlowLogStatus,LogGroupName,LogDestination]'

# Then search the log destination for the peer instance IP. REJECT records on the
# target's ENI mean a security group or NACL; traffic that leaves the source ENI as
# ACCEPT but never appears on the target's ENI means routing or the peering itself.
```
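The flow-log reading described above, turned into code as an added example (not from this page or from AWS). It parses default-format flow log records (version 2: `version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`) and decides which layer to look at for one client-to-server pair. The four record sets are constructed: client 10.0.1.20 on `eni-client` in VPC-A talking to 10.1.0.10:8080 on `eni-server` in VPC-B; the ENI IDs would come from `describe-instances` (`NetworkInterfaces[*].NetworkInterfaceId`) on a real system, and the records from the log group or S3 prefix that `describe-flow-logs` reports.

```python
# Default-format VPC Flow Log field order (version 2).
FIELDS = ("version", "account", "eni", "src", "dst", "srcport", "dstport",
          "proto", "packets", "bytes", "start", "end", "action", "status")

# Constructed sample records. Client 10.0.1.20 (eni-client, VPC-A) -> server 10.1.0.10:8080
# (eni-server, VPC-B). The NODATA line shows what an idle aggregation window looks like.
CASE_SG_REJECT = """\
2 123456789012 eni-client 10.0.1.20 10.1.0.10 47850 8080 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-server 10.0.1.20 10.1.0.10 47850 8080 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-server - - - - - - - 1700000060 1700000660 - NODATA
""".splitlines()

CASE_NO_ROUTE = """\
2 123456789012 eni-client 10.0.1.20 10.1.0.10 47851 8080 6 3 180 1700000000 1700000060 ACCEPT OK
""".splitlines()

CASE_REPLY_BLOCKED = """\
2 123456789012 eni-client 10.0.1.20 10.1.0.10 47852 8080 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-server 10.0.1.20 10.1.0.10 47852 8080 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-server 10.1.0.10 10.0.1.20 8080 47852 6 3 180 1700000000 1700000060 REJECT OK
""".splitlines()

CASE_OK = """\
2 123456789012 eni-client 10.0.1.20 10.1.0.10 47853 8080 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-server 10.0.1.20 10.1.0.10 47853 8080 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-server 10.1.0.10 10.0.1.20 8080 47853 6 10 9800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-client 10.1.0.10 10.0.1.20 8080 47853 6 10 9800 1700000000 1700000060 ACCEPT OK
""".splitlines()


def parse_records(lines):
    """Parse default-format records, dropping NODATA/SKIPDATA lines (their fields are '-')."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["action"] not in ("ACCEPT", "REJECT"):
            continue
        records.append(rec)
    return records


def triage(lines, client_ip, server_ip, client_eni, server_eni):
    """Decide which layer to look at for client -> server traffic.

    Security-group and NACL drops are both logged as REJECT on the ENI where they
    happen. A packet with no usable route is not reported as a REJECT: it leaves the
    source ENI as ACCEPT and simply never shows up on the destination ENI.
    """
    recs = parse_records(lines)

    def flows(eni, src, dst):
        return [r for r in recs if r["eni"] == eni and r["src"] == src and r["dst"] == dst]

    fwd_client = flows(client_eni, client_ip, server_ip)   # request leaving the client
    fwd_server = flows(server_eni, client_ip, server_ip)   # request arriving at the server
    rev_server = flows(server_eni, server_ip, client_ip)   # reply leaving the server

    if not fwd_client and not fwd_server:
        return "NO_TRAFFIC_SEEN"        # wrong IPs/ENIs, flow logs off, or window not flushed yet
    if any(r["action"] == "REJECT" for r in fwd_client):
        return "CLIENT_SG_OR_NACL"      # egress rule on the client's SG or subnet NACL
    if any(r["action"] == "REJECT" for r in fwd_server):
        return "SERVER_SG_OR_NACL"      # ingress rule on the server's SG or subnet NACL
    if not fwd_server:
        return "ROUTING_OR_PEERING"     # left VPC-A fine, never reached VPC-B: route tables / peering
    if any(r["action"] == "REJECT" for r in rev_server):
        return "SERVER_REPLY_BLOCKED"   # stateless NACL egress on the server subnet (ephemeral ports)
    return "PATH_OK"                    # the network is fine; look at the service itself


if __name__ == "__main__":
    for name, case in (("sg_reject", CASE_SG_REJECT), ("no_route", CASE_NO_ROUTE),
                       ("reply_blocked", CASE_REPLY_BLOCKED), ("ok", CASE_OK)):
        print(name, "->", triage(case, "10.0.1.20", "10.1.0.10", "eni-client", "eni-server"))
```

Flow logs are aggregated (up to ten minutes by default), so repeat the test traffic and wait for the window to close before trusting a `NO_TRAFFIC_SEEN` result.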
Related Issues
- [Fix AWS EC2 Security Group Blocking](/articles/fix-aws-ec2-security-group-blocking)
- [Fix AWS VPC Endpoint Connection Failed](/articles/fix-aws-ec2-instance-not-responding)
- [Fix DNS Resolution Failure](/articles/fix-dns-resolution-failure)
Related Articles
- [AWS troubleshooting: Fix IAM Permission Denied - Complete Tro](fix-iam-permission-denied)
- [AWS cloud troubleshooting: AWS ACM Certificate Pending Validation Because the](aws-acm-certificate-pending-validation-wrong-route53-zone)
- [AWS cloud troubleshooting: AWS ALB Returns 502 Because the Target Closed the ](aws-alb-502-target-closed-connection-keepalive-timeout-mismatch)
- [AWS cloud troubleshooting: Fix AWS ALB CreateListener TargetGroupNotFound Err](aws-alb-createlistener-targetgroupnotfound)
- [AWS cloud troubleshooting: Fix Aws Alb Lambda 502 Bad Gateway Issue in AWS](aws-alb-lambda-502-bad-gateway)
Fix AWS VPC Peering Connection Not Routing. FixWikiHub Editorial Team, https://www.fixwikihub.com/fix-aws-vpc-peering-not-routing, published 2026-04-01.