π Secure EC2 β RDS Access Across AWS Accounts Using VPC Peering
Shad Reza
Ever faced the challenge of needing to access a private RDS database in one AWS account from an EC2 instance in another β all without exposing either to the public internet?
Welcome to the world of VPC Peering β one of AWS's cleanest and most cost-effective ways to enable secure, low-latency, private communication between services across accounts.
In this guide, Iβll walk you through the exact setup, share the architecture diagram, and highlight critical gotchas that might just save you hours of troubleshooting.
π§ The Use Case
You have:
An EC2 instance (or Lambda/ECS) in AWS Account A
A private RDS instance in AWS Account B
No intention to expose either via public IPs
β The goal: Enable the EC2 to privately connect to the RDS using VPC peering.
πΌοΈ Architecture Diagram
β Solution Overview: VPC Peering to the Rescue
VPC Peering creates a direct network route between two VPCs β even across AWS accounts β with no internet in between. It allows private IP communication while retaining full control via route tables and security groups.
π§ Step-by-Step Setup
1. π Create and Accept the VPC Peering Connection
In Account A (EC2-side):
Navigate to VPC β Peering Connections
Create a new connection:
Requester VPC: Account Aβs VPC ID
Accepter Account: Account B's AWS Account ID
Accepter Account Region: Account Bβs Region
Accepter VPC: Account Bβs VPC ID
In Account B (RDS-side):
Go to VPC β Peering Connections
Accept the pending connection
β The peering status will go from βPendingβ to βActiveβ
2. π‘ Update Route Tables (Bidirectional Routing)
You need both VPCs to know how to reach each other.
In Account A (EC2-side):
Go to the route table attached to your EC2 subnet - usually private subnet
Add a route:
Destination: Account Bβs VPC CIDR (e.g.,
10.1.0.0/16)Target: VPC Peering Connection
In Account B (RDS-side):
Find the route table linked to your RDS subnet
Add a reverse route:
Destination: Account Aβs VPC CIDR (e.g.,
10.0.0.0/16)Target: Same Peering Connection
3. π Update Security Groups
Even with a network path open, security groups can still block traffic.
On RDS (Account B):
Inbound Rules:
Type: MySQL/Aurora (or your DB engine)
Port: 3306 (or appropriate port)
Source: Either EC2βs private IP (e.g.,
10.0.1.10/32) or entire subnet (e.g.,10.0.0.0/16)
On EC2 (Account A):
- Optional: Outbound rules allowing access to RDS IP/CIDR on port 3306
4. π Enable DNS Resolution Over Peering
To use RDSβs hostname instead of private IP:
Go to Peering Connections in both accounts
Select the connection
Enable:
- DNS resolution from peer VPC
If DNS doesnβt work, test with RDSβs private IP.
5. β Test the Connection
From the EC2 instance:
nc -zv <rds-endpoint> 3306
π If that works β you're done!
π¨ Common Gotcha: Overlapping CIDRs β
If both VPCs use the same CIDR block (e.g., 10.0.0.0/16), VPC peering will fail β either during creation or route propagation. AWS wonβt allow peering between VPCs with overlapping CIDRs, even across different accounts.
π₯ Tip: Always plan VPC CIDRs in advance to avoid overlap!
π¦ Multi-VPC Peering Warning
Letβs say using VPC Peering you want to connect:
Account A β Account B
Account C β Account B
In this case, the CIDRs of Account A and Account C must also be different. Why?
π Because Account B cannot have overlapping peer routes to both VPCs β otherwise, routing will break, and AWS will prevent the second peering connection.
β Each VPC involved in a mesh of peering relationships must have unique, non-overlapping CIDRs.
π§ Rule of thumb: Treat CIDR planning like IP real estate β allocate with future growth and peering in mind!
π VPC Peering: Pros, Cons & Caveats
VPC Peering is a simple and effective way to enable private communication between AWS VPCsβeven across accounts. But like any architecture decision, it comes with trade-offs.
β Why Choose VPC Peering?
π Private & Secure: No internet exposure. Traffic stays within the AWS global network.
β‘ Low Latency: Traffic flows directly between VPCs without NAT or public IP hops.
π° Cost-Effective: No data processing fees like Transit Gateway. You only pay for the standard inter-AZ or inter-region data transfer.
π Easy Setup: Create β Accept β Route β Secure β it takes minutes, not hours.
β οΈ Limitations to Know
π One-to-One Only: VPC Peering is non-transitive β VPC A peered with B cannot reach VPC C unless explicitly peered.
π« CIDR Block Overlap: Peering fails if VPCs use overlapping CIDRs (e.g., both
10.0.0.0/16).π₯ Multi-VPC Conflicts: If two or more source VPCs (e.g., Accounts A & C) want to peer with the same target VPC (Account B), each VPC must have a unique CIDR. If A and C share a CIDR block, only one peering can succeed.
π§ Manual Route Table Management: You must manually update routes on both sides β no automatic propagation.
πΈ Cost Overview
Please check AWS VPC Peering Pricing for the latest pricing.
β Final Thoughts
π VPC Peering is a secure, scalable, and budget-friendly way to enable private cross-account access
π§ Donβt forget to configure route tables, security groups, and DNS resolution
π« CIDR block overlap is a dealbreaker β plan wisely!
π§° Choose the right migration tool based on your data and downtime needs
π Was this helpful?
I write about real-world DevOps experiences and AWS solutions on DevOps Stories.
If you found this guide useful, share it, comment, or follow for more real-world AWS & infrastructure content!
Subscribe to my newsletter
Read articles from Shad Reza directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by