Introduction
In today’s multi-region cloud architectures, connecting Amazon Virtual Private Clouds (VPCs) across AWS regions is a key requirement for high availability, disaster recovery, and performance. Cross-region VPC peering is the AWS feature that connects VPCs in different regions over AWS’s private, low-latency backbone, so inter-VPC traffic never traverses the public internet.
Setting this up by hand is tedious and error-prone, especially at scale. That is where Terraform, the Infrastructure as Code (IaC) tool, shines: it lets you automate the cross-region VPC peering configuration, making the network more reliable and easier to maintain.
Cross-Region VPC Peering
- High Availability (HA) and Disaster Recovery (DR)
Businesses today demand architectures that tolerate regional failures without downtime. By peering Amazon VPCs across AWS regions, you can seamlessly deploy redundant resources and failover when one region experiences problems. For example, your primary workload runs in us-east-1, but your DR environment in us-west-2 is connected privately through a VPC peering link. This setup enables real-time replication and quick recovery.
- Latency and Performance Optimization
Cross-region VPC peering leverages the AWS global network backbone, providing lower latency and more secure connectivity than routing traffic over the public internet or VPNs. This can be crucial for applications requiring fast and secure communication between geographically separated components.
- Secure Private Communication
Unlike internet-based VPNs or Direct Connect, cross-region VPC peering keeps traffic within AWS’s private network. This eliminates exposure to the public internet, reducing both the attack surface and compliance risk.
Architecture Overview: Two Regions, Two VPCs
Imagine a real-world scenario where your company operates in the US East (N. Virginia) and US West (Oregon) regions. You have:
VPC A in us-east-1 with CIDR block 10.0.0.0/16.
VPC B in us-west-2 with CIDR block 10.1.0.0/16.
The goal is to connect these VPCs privately so resources (EC2 instances, RDS databases, etc.) can communicate seamlessly.
Automating Cross-Region VPC Peering with Terraform
Manually creating VPC peering connections, accepting requests, and updating route tables across regions is cumbersome and prone to mistakes. Terraform lets us codify this process, ensuring repeatability and version control.
Step 1: Define Variables
Start by defining input variables for regions and Amazon VPC IDs:
variable "region_a" {
  default = "us-east-1"
}

variable "region_b" {
  default = "us-west-2"
}

variable "vpc_id_a" {}
variable "vpc_id_b" {}
variable "route_table_id_a" {}
variable "route_table_id_b" {}
Step 2: Configure AWS Providers
Since the peering spans regions, configure two AWS providers with aliases:
provider "aws" {
  alias  = "east"
  region = var.region_a
}

provider "aws" {
  alias  = "west"
  region = var.region_b
}
Step 3: Create and Accept the Peering Connection
Request the peering connection from us-east-1 to us-west-2 and accept it automatically on the us-west-2 side:
resource "aws_vpc_peering_connection" "peer" {
  provider    = aws.east
  vpc_id      = var.vpc_id_a
  peer_vpc_id = var.vpc_id_b
  peer_region = var.region_b
  auto_accept = false

  tags = {
    Name = "CrossRegionPeering"
  }
}

resource "aws_vpc_peering_connection_accepter" "accept" {
  provider                  = aws.west
  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
  auto_accept               = true

  tags = {
    Name = "CrossRegionPeeringAccepter"
  }
}
Note: auto_accept = false on the requester side is deliberate. A cross-region (or cross-account) peering request cannot be auto-accepted by the requester; it must be accepted by an aws_vpc_peering_connection_accepter resource running under the peer region’s provider.
Step 4: Update Route Tables
Add routes on both Amazon VPC route tables so traffic destined for the peer VPC CIDR uses the peering connection:
resource "aws_route" "route_to_vpc_b" {
  provider                  = aws.east
  route_table_id            = var.route_table_id_a
  destination_cidr_block    = "10.1.0.0/16"
  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
}

resource "aws_route" "route_to_vpc_a" {
  provider                  = aws.west
  route_table_id            = var.route_table_id_b
  destination_cidr_block    = "10.0.0.0/16"
  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
}
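The routes above hard-code both CIDRs and cover only one route table per VPC. The following is an added example (not part of the original post) that reads each VPC’s CIDR from AWS, adds the route to every route table in the VPC, and ties the routes to the accepter so they are only created once the connection is active. It assumes the providers and variables from Steps 1 to 3; the resource and data-source names are my own.

```hcl
# Added example: data-driven routes for all route tables in both VPCs.
# Assumes providers aws.east / aws.west and the variables from Step 1.

data "aws_vpc" "a" {
  provider = aws.east
  id       = var.vpc_id_a
}

data "aws_vpc" "b" {
  provider = aws.west
  id       = var.vpc_id_b
}

# Every route table in each VPC (main plus all custom tables).
data "aws_route_tables" "a" {
  provider = aws.east
  vpc_id   = var.vpc_id_a
}

data "aws_route_tables" "b" {
  provider = aws.west
  vpc_id   = var.vpc_id_b
}

# Referencing the accepter's id (same value as the peering id) makes
# Terraform wait for acceptance before it tries to create the routes.
resource "aws_route" "a_to_b" {
  provider                  = aws.east
  for_each                  = toset(data.aws_route_tables.a.ids)
  route_table_id            = each.value
  destination_cidr_block    = data.aws_vpc.b.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.accept.id
}

resource "aws_route" "b_to_a" {
  provider                  = aws.west
  for_each                  = toset(data.aws_route_tables.b.ids)
  route_table_id            = each.value
  destination_cidr_block    = data.aws_vpc.a.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.accept.id
}
```

Because the destination CIDRs come from the VPC objects, a CIDR change in either VPC shows up in terraform plan instead of silently leaving a stale route.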
Deploy and Test Connectivity
Deploying the Infrastructure
To deploy this configuration:
terraform init
terraform plan \
  -var="vpc_id_a=vpc-0abcd1234efgh5678" \
  -var="vpc_id_b=vpc-0wxyz9876lmnop4321" \
  -var="route_table_id_a=rtb-0a1b2c3d4e5f6g7h8" \
  -var="route_table_id_b=rtb-1h2g3f4e5d6c7b8a9"
terraform apply \
  -var="vpc_id_a=vpc-0abcd1234efgh5678" \
  -var="vpc_id_b=vpc-0wxyz9876lmnop4321" \
  -var="route_table_id_a=rtb-0a1b2c3d4e5f6g7h8" \
  -var="route_table_id_b=rtb-1h2g3f4e5d6c7b8a9"
Testing Connectivity
1. Launch Amazon EC2 instances in each Amazon VPC.
2. SSH into the instance in us-east-1.
3. Ping the private IP of the instance in us-west-2:
ping 10.1.1.10
If the ping succeeds, your cross-region peering works. If it times out even though the routes are in place, check the security group and network ACL on the us-west-2 instance: peering only provides the path, and ICMP from the peer VPC’s CIDR (10.0.0.0/16) still has to be explicitly allowed.
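Rather than opening the test instance to the world, scope the ICMP rule to the peer VPC only. This is an added example (not from the original post); the security group name is assumed, and the rule allows just ICMP echo requests (type 8, code 0) from VPC A’s CIDR into VPC B.

```hcl
# Added example: least-privilege ICMP rule for the ping test in VPC B.
# Assumes the aws.west provider, var.vpc_id_b and data.aws_vpc.a
# (CIDR 10.0.0.0/16 in the post's scenario).

resource "aws_security_group" "icmp_from_vpc_a" {
  provider    = aws.west
  name        = "allow-icmp-echo-from-vpc-a" # assumed name
  description = "ICMP echo request from the peered VPC only"
  vpc_id      = var.vpc_id_b

  ingress {
    description = "Echo request from VPC A via peering"
    protocol    = "icmp"
    from_port   = 8 # ICMP type 8 = echo request
    to_port     = 0 # ICMP code 0
    cidr_blocks = [data.aws_vpc.a.cidr_block] # 10.0.0.0/16, not 0.0.0.0/0
  }

  egress {
    description = "Allow all outbound (default VPC behaviour)"
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "icmp-from-vpc-a"
  }
}
```

Attach this group to the us-west-2 test instance; once the ping works, replace the ICMP rule with the application ports you actually need, still restricted to the peer CIDR.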
Cost Considerations of Cross-Region Peering
While cross-region Amazon VPC peering offers excellent connectivity, there are costs to consider:
- Data Transfer Costs: AWS charges for data transferred across regions using peering. Rates vary by region pair and can add up if you have heavy traffic.
- Request Costs: Peering connections themselves have no hourly cost, but associated data transfer costs apply.
- Alternatives: For many-to-many connections or complex network topologies, consider AWS Transit Gateway (which can connect multiple VPCs across regions but may have different pricing).
Always review your expected traffic and pricing to avoid surprises.
Conclusion
Cross-region VPC peering is a foundational building block for modern cloud architectures requiring global presence and resilience.
FAQs
1. Can I peer VPCs across AWS accounts or Organizations?
ANS: Yes. You can peer VPCs in different accounts, but the peer account must accept the peering request. Using Terraform, you can automate this across accounts by using different AWS provider credentials.
2. Can I peer Amazon VPCs with overlapping CIDR blocks?
ANS: No. AWS requires peered VPCs to have non-overlapping CIDR blocks to avoid routing conflicts.
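As an added example (not from the original post) of the cross-account case in the answer above: the requester sets peer_owner_id to the peer account, and the accepter runs under a provider that assumes a role in that account. The account ID and role ARN are placeholders; the peer account must trust the requesting account for that role.

```hcl
# Added example: cross-account AND cross-region peering.
# 222222222222 and the role name are placeholders, not real values.

provider "aws" {
  alias  = "west_peer"
  region = var.region_b

  # Credentials for the peer account; the role must allow
  # ec2:AcceptVpcPeeringConnection and ec2:CreateRoute in that account.
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/PeeringAccepter" # placeholder
  }
}

resource "aws_vpc_peering_connection" "xacct" {
  provider      = aws.east
  vpc_id        = var.vpc_id_a
  peer_vpc_id   = var.vpc_id_b
  peer_region   = var.region_b
  peer_owner_id = "222222222222" # placeholder peer account ID
  auto_accept   = false          # cannot auto-accept across accounts

  tags = {
    Name = "CrossAccountCrossRegionPeering"
  }
}

resource "aws_vpc_peering_connection_accepter" "xacct" {
  provider                  = aws.west_peer
  vpc_peering_connection_id = aws_vpc_peering_connection.xacct.id
  auto_accept               = true
}

# Routes in the peer account use the same assumed-role provider.
resource "aws_route" "xacct_b_to_a" {
  provider                  = aws.west_peer
  route_table_id            = var.route_table_id_b
  destination_cidr_block    = "10.0.0.0/16"
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.xacct.id
}
```

Keep the assumed role scoped to the few ec2:* actions the peering needs; a broad role in the peer account turns a network change into a cross-account privilege path.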

WRITTEN BY Rajveer Singh Chouhan
Rajveer works as a Cloud Engineer at CloudThat, specializing in designing, deploying, and managing scalable cloud infrastructure on AWS. He is skilled in various AWS services as well as automation tools like Terraform and CI/CD pipelines. With a strong understanding of cloud architecture best practices, Rajveer focuses on building secure, cost-effective, and highly available solutions. In his free time, he keeps up with the latest advancements in cloud technologies and enjoys exploring infrastructure automation and DevOps tools.