# AWS VPC Peering Not Working
## Introduction
This article covers troubleshooting steps and solutions for AWS VPC peering not working. The problem usually surfaces in production environments and causes service disruptions if it is not addressed promptly.
## Symptoms
Common error messages include:
- Connection timed out when connecting to instance in peered VPC
- Destination unreachable from peered VPC
- ping: sendmsg: Operation not permitted
## Common Causes
- Misconfigured settings
- Missing or incorrect credentials
- Network connectivity issues
- Version compatibility problems
- Resource exhaustion or limits
- Permission or access denied
## Step-by-Step Fix
1. Check logs for specific error messages
2. Verify configuration settings
3. Test network connectivity
4. Review recent changes
5. Apply corrective action
6. Verify the fix
## Common Error Patterns
VPC peering issues typically manifest as:
- Connection timed out when connecting to instance in peered VPC
- Destination unreachable from peered VPC
- ping: sendmsg: Operation not permitted
- Unable to resolve DNS name in peered VPC
## Root Causes and Solutions
### 1. Missing Route Table Entries
Route tables don't have routes to the peered VPC.
Solution:
Add routes to both VPCs' route tables:
```bash
# Get VPC peering connection ID
aws ec2 describe-vpc-peering-connections \
  --filters Name=status.code,Values=active

# Add route to VPC A's route table (10.0.0.0/16) towards VPC B (10.1.0.0/16).
# Every route table associated with a subnet that must reach the peer needs
# this route, not only the main route table.
aws ec2 create-route \
  --route-table-id rtb-0123456789abcdef0 \
  --destination-cidr-block 10.1.0.0/16 \
  --vpc-peering-connection-id pcx-0123456789abcdef0

# Add route to VPC B's route table towards VPC A
aws ec2 create-route \
  --route-table-id rtb-abcdef0123456789 \
  --destination-cidr-block 10.0.0.0/16 \
  --vpc-peering-connection-id pcx-0123456789abcdef0
```
Verification:
```bash
# Check routes
aws ec2 describe-route-tables \
  --route-table-ids rtb-0123456789abcdef0 \
  --query 'RouteTables[0].Routes'
```
### 2. Security Group Blocking Traffic
Security groups don't allow traffic from peered VPC.
Solution:
Update security groups to allow traffic from peered VPC:
```bash
# Get security group for instance
aws ec2 describe-instances \
  --instance-ids i-0123456789abcdef0 \
  --query 'Reservations[0].Instances[0].SecurityGroups'

# Add inbound rule allowing traffic from peered VPC CIDR.
# This admits SSH from the whole peer VPC; narrow the CIDR (or use a
# security group reference) to the hosts that actually need access.
aws ec2 authorize-security-group-ingress \
  --group-id sg-0123456789abcdef0 \
  --protocol tcp \
  --port 22 \
  --cidr 10.1.0.0/16
```
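Before adding rules, it helps to know what an existing group already admits from the peer. The following Python check over `describe-security-groups` output is an added example, not part of the original article; the security group contents are constructed sample data, and the peer group ID `sg-abcdef0123456789` is reused from the page's own reference example. It classifies matching rules as exact (scoped to the peer), broad (admits the peer only because it admits a wider source such as 0.0.0.0/0) or partial (covers only part of the peer CIDR, which explains "works from some hosts only").

```python
import ipaddress

# Constructed sample in the shape of one entry of `aws ec2 describe-security-groups`.
SG = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.1.0.0/16"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-abcdef0123456789"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.1.5.0/24"}], "UserIdGroupPairs": []},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]}


def _covers_port(perm, protocol, port):
    if perm["IpProtocol"] == "-1":  # -1 means every protocol and every port
        return True
    if perm["IpProtocol"] != protocol:
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def sg_peer_access(sg, peer_cidr, protocol, port, peer_sg_id=None):
    """Classify inbound rules that admit peer traffic on protocol/port.

    exact:   scoped to the peer CIDR or the peer security group
    broad:   admits the peer but also a wider source (e.g. 0.0.0.0/0)
    partial: admits only part of the peer CIDR (works from some hosts only)
    allowed: True when at least one exact or broad rule matches
    """
    peer = ipaddress.ip_network(peer_cidr)
    found = {"exact": [], "broad": [], "partial": []}
    for perm in sg["IpPermissions"]:
        if not _covers_port(perm, protocol, port):
            continue
        for r in perm.get("IpRanges", []):
            src = ipaddress.ip_network(r["CidrIp"])
            if src == peer:
                found["exact"].append(("cidr", r["CidrIp"]))
            elif peer.subnet_of(src):
                found["broad"].append(("cidr", r["CidrIp"]))
            elif src.subnet_of(peer):
                found["partial"].append(("cidr", r["CidrIp"]))
        for g in perm.get("UserIdGroupPairs", []):
            if peer_sg_id and g["GroupId"] == peer_sg_id:
                found["exact"].append(("sg", g["GroupId"]))
    found["allowed"] = bool(found["exact"] or found["broad"])
    return found
```

A result where `allowed` is true but `exact` is empty means the peer gets in only through an over-broad rule, which is worth fixing even though connectivity "works".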
Alternatively, reference security groups from peered VPC:
```bash
# Cross-VPC security group reference (same account only)
aws ec2 authorize-security-group-ingress \
  --group-id sg-0123456789abcdef0 \
  --protocol tcp \
  --port 443 \
  --source-group sg-abcdef0123456789
```
### 3. Network ACL Restrictions
Network ACLs are blocking traffic between the VPCs. Unlike security groups, NACLs are stateless, so both an inbound and an outbound rule for the peer CIDR are required.
Solution:
Check and update NACLs:
```bash
# Check NACL rules
aws ec2 describe-network-acls \
  --filters Name=vpc-id,Values=vpc-0123456789abcdef0

# Add inbound rule for peered VPC (--protocol -1 allows all protocols and
# ports; restrict it if only specific ports are needed)
aws ec2 create-network-acl-entry \
  --network-acl-id acl-0123456789abcdef0 \
  --rule-number 100 \
  --protocol -1 \
  --rule-action allow \
  --cidr-block 10.1.0.0/16 \
  --ingress

# Add outbound rule for peered VPC (needed because NACLs are stateless)
aws ec2 create-network-acl-entry \
  --network-acl-id acl-0123456789abcdef0 \
  --rule-number 100 \
  --protocol -1 \
  --rule-action allow \
  --cidr-block 10.1.0.0/16 \
  --egress
```
### 4. Peering Connection Not Active
The peering connection is in pending or failed state.
Solution:
Check peering connection status:
```bash
aws ec2 describe-vpc-peering-connections \
  --vpc-peering-connection-ids pcx-0123456789abcdef0 \
  --query 'VpcPeeringConnections[0].Status'
```
Accept peering request (if pending):
```bash
# Must be run by the owner of the accepter VPC, in the accepter's region.
# A request that is not accepted within 7 days expires.
aws ec2 accept-vpc-peering-connection \
  --vpc-peering-connection-id pcx-0123456789abcdef0
```
### 5. Overlapping CIDR Blocks
VPCs have overlapping CIDR blocks.
Solution:
Check for overlap:
```bash
# Get CIDR blocks (primary CIDR only; secondary CIDRs are listed under
# CidrBlockAssociationSet and must not overlap either)
aws ec2 describe-vpcs \
  --vpc-ids vpc-0123456789abcdef0 vpc-abcdef0123456789 \
  --query 'Vpcs[*].CidrBlock'
```
If CIDRs overlap, peering won't work. Options:
- Create new VPC with non-overlapping CIDR
- Use a transit gateway instead
- Use private NAT gateways
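The `describe-vpcs` query above only returns each VPC's primary CIDR. The following Python check is an added example, not part of the original article; the VPC IDs and CIDRs are constructed sample data. It also considers associated secondary CIDRs, which block peering just as the primary does, and ignores blocks whose association has been removed.

```python
import ipaddress
from itertools import combinations

# Constructed sample in the shape of `aws ec2 describe-vpcs` output. VPC B carries a
# secondary CIDR that collides with VPC A's primary, and a disassociated block that
# would collide with VPC C if it were still live.
VPCS = {"Vpcs": [
    {"VpcId": "vpc-0123456789abcdef0", "CidrBlock": "10.0.0.0/16",
     "CidrBlockAssociationSet": [
         {"CidrBlock": "10.0.0.0/16", "CidrBlockState": {"State": "associated"}}]},
    {"VpcId": "vpc-abcdef0123456789", "CidrBlock": "10.1.0.0/16",
     "CidrBlockAssociationSet": [
         {"CidrBlock": "10.1.0.0/16", "CidrBlockState": {"State": "associated"}},
         {"CidrBlock": "10.0.128.0/20", "CidrBlockState": {"State": "associated"}},
         {"CidrBlock": "172.16.0.0/24", "CidrBlockState": {"State": "disassociated"}}]},
    {"VpcId": "vpc-0000000000000003", "CidrBlock": "172.16.0.0/16",  # constructed ID
     "CidrBlockAssociationSet": [
         {"CidrBlock": "172.16.0.0/16", "CidrBlockState": {"State": "associated"}}]},
]}


def vpc_cidrs(vpc):
    """All IPv4 CIDRs live on a VPC: the primary plus every associated secondary."""
    live = {vpc["CidrBlock"]}
    for assoc in vpc.get("CidrBlockAssociationSet", []):
        if assoc["CidrBlockState"]["State"] in ("associated", "associating"):
            live.add(assoc["CidrBlock"])
    return sorted(ipaddress.ip_network(c) for c in live)


def overlapping_pairs(vpcs):
    """Return [(vpc_a, cidr_a, vpc_b, cidr_b)] for every colliding CIDR pair.

    Peering between any two VPCs in the result cannot work; an empty list
    means the whole set can be peered as far as addressing is concerned."""
    hits = []
    for a, b in combinations(vpcs["Vpcs"], 2):
        for ca in vpc_cidrs(a):
            for cb in vpc_cidrs(b):
                if ca.overlaps(cb):
                    hits.append((a["VpcId"], str(ca), b["VpcId"], str(cb)))
    return hits
```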
### 6. DNS Resolution Issues
DNS hostnames not enabled or DNS resolution not configured.
Solution:
Enable DNS resolution for peered VPCs:
```bash
# Enable DNS resolution for requester VPC
aws ec2 modify-vpc-peering-connection-options \
  --vpc-peering-connection-id pcx-0123456789abcdef0 \
  --requester-peering-connection-options AllowDnsResolutionFromRemoteVpc=true

# Enable DNS resolution for accepter VPC
aws ec2 modify-vpc-peering-connection-options \
  --vpc-peering-connection-id pcx-0123456789abcdef0 \
  --accepter-peering-connection-options AllowDnsResolutionFromRemoteVpc=true
```
Enable DNS hostnames on both VPCs:
```bash
aws ec2 modify-vpc-attribute \
  --vpc-id vpc-0123456789abcdef0 \
  --enable-dns-hostnames

aws ec2 modify-vpc-attribute \
  --vpc-id vpc-abcdef0123456789 \
  --enable-dns-hostnames
```
### 7. Cross-Region Peering Issues
Cross-region peering has additional requirements.
Solution:
For cross-region peering:
1. Ensure peering connection is accepted
2. Routes must be added to both regions
3. Security groups must reference CIDR blocks (not security group IDs)
4. Check regional latency

```bash
# Create cross-region route
aws ec2 create-route \
  --route-table-id rtb-0123456789abcdef0 \
  --destination-cidr-block 10.1.0.0/16 \
  --vpc-peering-connection-id pcx-0123456789abcdef0 \
  --region us-east-1
```
## Connectivity Testing
### Test from Instance
```bash
# Test connectivity (ping needs ICMP allowed by the security group and NACL,
# so a failed ping alone does not prove the peering is broken)
ping 10.1.0.10

# Test specific port
nc -zv 10.1.0.10 22

# Test with telnet
telnet 10.1.0.10 22

# Trace route
traceroute 10.1.0.10
```
### Use Reachability Analyzer
```bash
# Create analysis path. --source (the ID of the source resource, here the
# instance from the security group example) is required; the IP addresses
# and port narrow the analysed flow.
aws ec2 create-network-insights-path \
  --source i-0123456789abcdef0 \
  --source-ip-address 10.0.0.10 \
  --destination-ip-address 10.1.0.10 \
  --destination-port 22 \
  --protocol tcp

# Start analysis
aws ec2 start-network-insights-analysis \
  --network-insights-path-id nip-0123456789abcdef0
```
## Prevention
| Check | Command | Expected Result |
|---|---|---|
| Peering status | describe-vpc-peering-connections | active |
| Route table routes | describe-route-tables | Route to peer CIDR |
| Security group rules | describe-security-groups | Allow peer CIDR |
| NACL rules | describe-network-acls | Allow peer CIDR |
| DNS resolution | modify-vpc-peering-connection-options | Enabled |
| No CIDR overlap | describe-vpcs | Non-overlapping CIDRs |
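The "Route table routes" row above can be automated. The following Python check over `describe-route-tables` output is an added example, not part of the original article; the route tables are constructed sample data (only `rtb-0123456789abcdef0` and the peering ID come from the page, the other IDs are placeholders). Beyond a plain "is there a route" test, it applies longest-prefix matching, so it also catches a peer route that exists but is blackholed (its peering was deleted) and a peer CIDR that a default route silently sends elsewhere.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-route-tables` output for three
# route tables in the requester VPC (10.0.0.0/16). Table 1 is correct, table 2 still
# has its peer route but the peering behind it is gone, table 3 has no peer route and
# a default route to a hypothetical internet gateway.
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0123456789abcdef0", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "10.1.0.0/16",
         "VpcPeeringConnectionId": "pcx-0123456789abcdef0", "State": "active"}]},
    {"RouteTableId": "rtb-0000000000000002", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "10.1.0.0/16",
         "VpcPeeringConnectionId": "pcx-0123456789abcdef0", "State": "blackhole"}]},
    {"RouteTableId": "rtb-0000000000000003", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0000000000000000",
         "State": "active"}]},
]}


def _network(route):
    return ipaddress.ip_network(route["DestinationCidrBlock"])


def peer_route_problems(route_tables, peer_cidr, pcx_id):
    """Return {route_table_id: reason} for every table that will not forward
    traffic for peer_cidr over pcx_id. An empty dict means all tables are fine."""
    peer = ipaddress.ip_network(peer_cidr)
    problems = {}
    for table in route_tables["RouteTables"]:
        # Candidate routes: IPv4 destinations that cover the whole peer CIDR.
        covering = [r for r in table.get("Routes", [])
                    if "DestinationCidrBlock" in r and peer.subnet_of(_network(r))]
        if not covering:
            problems[table["RouteTableId"]] = "no route covers the peer CIDR"
            continue
        # Longest-prefix match decides which route actually carries the traffic.
        best = max(covering, key=lambda r: _network(r).prefixlen)
        target = best.get("VpcPeeringConnectionId") or best.get("GatewayId", "?")
        if best.get("State") == "blackhole":
            problems[table["RouteTableId"]] = f"route via {target} is blackholed"
        elif target != pcx_id:
            problems[table["RouteTableId"]] = f"peer CIDR is routed via {target}, not {pcx_id}"
    return problems
```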
## Architecture Best Practices
### Centralized Peering Hub
```text
    ┌─────────────┐
    │   Central   │
    │     VPC     │
    └──────┬──────┘
         ╱ │ ╲
  ┌────┐ ┌────┐ ┌────┐
  │VPC │ │VPC │ │VPC │
  │ A  │ │ B  │ │ C  │
  └────┘ └────┘ └────┘
```
VPC peering is not transitive: VPC A cannot reach VPC B through the central VPC, so every pair of spokes that must talk to each other needs its own peering connection.
### Transit Gateway Alternative
For complex networks, use Transit Gateway:
```bash
# Create transit gateway
aws ec2 create-transit-gateway \
  --description "Central transit gateway"

# Attach VPCs
aws ec2 create-transit-gateway-vpc-attachment \
  --transit-gateway-id tgw-0123456789abcdef0 \
  --vpc-id vpc-0123456789abcdef0 \
  --subnet-ids subnet-01234567 subnet-abcdef01
```
## Verification
| Issue | Solution |
|---|---|
| No route | Add route to both route tables |
| SG blocking | Add inbound rule for peer CIDR |
| NACL blocking | Add allow rule for peer CIDR |
| DNS not resolving | Enable DNS resolution options |
| CIDR overlap | Use non-overlapping CIDRs |
| Pending status | Accept peering request |
## Prevention
1. Use infrastructure as code for VPC peering
2. Document CIDR allocations to prevent overlap
3. Use consistent security group naming
4. Enable DNS resolution at peering creation
5. Test connectivity after peering setup
Source: FixWikiHub Editorial Team, https://www.fixwikihub.com/fix-aws-vpc-peering-not-working (published 2025-11-20).