I just set up a VPC peering connection between two of my VPCs, accepted it successfully, and expected traffic to flow immediately. But when I tried pinging an instance in the peer VPC, the requests timed out completely. Everything looked connected in the console, yet nothing worked. In this post, I’ll walk through exactly what causes this and how to fix it.
The Problem
You’ve created a VPC peering connection, accepted it on both sides, but instances in one VPC can’t reach instances in the other VPC. The connection shows as “Active” in the console, but when you run ping 10.1.0.100 from an instance in VPC-A to reach an instance in VPC-B, you get zero responses.
Here’s what the error looks like when testing connectivity:
PING 10.1.0.100 (10.1.0.100) 56(84) bytes of data.
--- 10.1.0.100 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 113ms
| Issue | Description |
|---|---|
| Connection Active but No Traffic | Peering connection shows Active in console, but traffic doesn’t flow between instances |
| Timeout on Network Requests | Ping, curl, and application traffic all time out to peer VPC resources |
| Internet Works, Peer VPC Doesn't | Instance can reach the internet but not the peer VPC, even though the peer addresses should be routable |
Why Does This Happen?
- Route tables in both VPCs not updated: When you peer two VPCs, AWS doesn't automatically add routes. You must add a route in each VPC's route tables (every table associated with a subnet that needs to talk to the peer, including the main table if subnets use it implicitly) that sends traffic for the peer CIDR to the peering connection. A route in only one direction gives you an "active" connection where requests arrive but replies never come back. This is the most common cause.
- Security groups in the destination VPC too restrictive: Security groups on the destination instance don't allow inbound traffic from the source VPC's CIDR block. You need inbound rules for the protocols and ports you actually use; ping needs an ICMP rule, not a TCP one. Custom network ACLs on the subnets on either side can block the traffic as well (the default ACL allows everything).
- Overlapping CIDR blocks: VPC peering requires non-overlapping CIDR blocks. If both VPCs use 10.0.0.0/16, AWS rejects the request and the connection goes straight to the failed state, so you never reach the active-but-broken case. Check the ranges before you create the request.
- DNS resolution not enabled: Even with routes in place, public DNS hostnames of instances in the peer VPC resolve to their public addresses rather than their private ones unless you enable DNS resolution (AllowDnsResolutionFromRemoteVpc) on the peering connection and both DNS support (enableDnsSupport) and DNS hostnames (enableDnsHostnames) on the VPCs themselves. This affects name resolution only; traffic to IP addresses is unaffected.
- Peering connection in pending state: If the connection hasn't been accepted yet, or is stuck in pending-acceptance, traffic won't flow. The connection must be in the "Active" state.
The Fix
First, verify the peering connection is actually active:
aws ec2 describe-vpc-peering-connections \
--vpc-peering-connection-ids pcx-0a1b2c3d4e5f6g7h8 \
--query 'VpcPeeringConnections[0].Status.Code' \
--output text
If it returns active, move forward. Now add routes to both VPCs' route tables. The route has to be in every route table associated with a subnet that needs peer access (a route in a table no subnet uses does nothing), so first list the route tables for each VPC:
aws ec2 describe-route-tables \
--filters "Name=vpc-id,Values=vpc-0a1b2c3d4e5f6g7h8" \
--query 'RouteTables[*].[RouteTableId,Tags[?Key==`Name`].Value|[0]]' \
--output table
Add a route in VPC-A’s route table to reach VPC-B’s CIDR via the peering connection:
aws ec2 create-route \
--route-table-id rtb-0a1b2c3d4e5f6g7h8 \
--destination-cidr-block 10.1.0.0/16 \
--vpc-peering-connection-id pcx-0a1b2c3d4e5f6g7h8
Repeat for VPC-B’s route table, pointing back to VPC-A:
aws ec2 create-route \
--route-table-id rtb-0x1y2z3a4b5c6d7e8 \
--destination-cidr-block 10.0.0.0/16 \
--vpc-peering-connection-id pcx-0a1b2c3d4e5f6g7h8
Enable DNS Resolution
Enable DNS across the peering connection:
aws ec2 modify-vpc-peering-connection-options \
--vpc-peering-connection-id pcx-0a1b2c3d4e5f6g7h8 \
--requester-peering-connection-options AllowDnsResolutionFromRemoteVpc=true \
--accepter-peering-connection-options AllowDnsResolutionFromRemoteVpc=true
For a cross-account peering, each account can only set its own side's option. Also make sure DNS support and DNS hostnames are on in both VPCs. modify-vpc-attribute changes one attribute per call, so run it twice for each VPC:
aws ec2 modify-vpc-attribute \
--vpc-id vpc-0a1b2c3d4e5f6g7h8 \
--enable-dns-support "{\"Value\":true}"
aws ec2 modify-vpc-attribute \
--vpc-id vpc-0a1b2c3d4e5f6g7h8 \
--enable-dns-hostnames "{\"Value\":true}"
aws ec2 modify-vpc-attribute \
--vpc-id vpc-0x1y2z3a4b5c6d7e8 \
--enable-dns-support "{\"Value\":true}"
aws ec2 modify-vpc-attribute \
--vpc-id vpc-0x1y2z3a4b5c6d7e8 \
--enable-dns-hostnames "{\"Value\":true}"
Fix Security Groups
Add an inbound rule to the destination instance's security group for the traffic you actually need from the source VPC. This example opens only TCP 443 from VPC-A's CIDR; ping needs a separate ICMP rule, and for a same-Region peering you can reference a security group in the peer VPC instead of a CIDR to keep the rule tighter:
aws ec2 authorize-security-group-ingress \
--group-id sg-0a1b2c3d4e5f6g7h8 \
--protocol tcp \
--port 443 \
--cidr 10.0.0.0/16
How to Run This
- Verify peering connection is in Active state using the first command above.
- Add routes to both route tables — traffic must be allowed in both directions.
- Update security groups on destination instances to allow inbound from source VPC CIDR.
- Enable DNS options on the peering connection and both VPCs.
- Test connectivity from an instance in the source VPC: ping <instance-ip-in-peer-vpc> if you allowed ICMP, or probe the port you opened, for example curl -v https://<instance-ip-in-peer-vpc>.
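The causes listed under "Why Does This Happen?" and the steps above are all checkable from the CLI's JSON output before you touch an instance. The script below is an added example written for this post, not AWS code: it takes the shapes returned by aws ec2 describe-vpc-peering-connections, describe-route-tables and describe-security-groups and reports every reason the VPC-A to VPC-B path could fail (status, overlapping CIDRs, a missing route on either side, DNS options, and a security group that allows TCP but not ICMP). The sample documents at the bottom are constructed to mirror the scenario in this post; the resource IDs are the same placeholders used above.

```python
"""Offline preflight check for a VPC peering connection.

Added example for this post, not AWS code. Reads the JSON shapes that
`aws ec2 describe-vpc-peering-connections`, `describe-route-tables` and
`describe-security-groups` return and lists every reason traffic from
VPC-A (requester) to VPC-B (accepter) could fail. The sample documents at
the bottom are constructed; the IDs are the post's placeholders.
"""
import ipaddress


def tables_missing_peer_route(route_tables, peer_cidr, pcx_id):
    """IDs of route tables with no active route for peer_cidr via pcx_id."""
    missing = []
    for rt in route_tables:
        has_route = any(
            r.get("DestinationCidrBlock") == peer_cidr
            and r.get("VpcPeeringConnectionId") == pcx_id
            and r.get("State") == "active"
            for r in rt.get("Routes", [])
        )
        if not has_route:
            missing.append(rt["RouteTableId"])
    return missing


def sg_allows(sg, src_cidr, proto, port=None):
    """True if an IPv4 ingress rule permits proto (and port) from a range covering src_cidr.

    Only CidrIp ranges are considered; rules referencing other security
    groups or IPv6 ranges are ignored here.
    """
    src = ipaddress.ip_network(src_cidr)
    for perm in sg.get("IpPermissions", []):
        if perm["IpProtocol"] not in (proto, "-1"):  # "-1" means all protocols
            continue
        if perm["IpProtocol"] != "-1" and port is not None:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if not lo <= port <= hi:
                continue
        for rng in perm.get("IpRanges", []):
            if src.subnet_of(ipaddress.ip_network(rng["CidrIp"])):
                return True
    return False


def check_peering(pcx, rts_a, rts_b, dest_sg, port):
    """Return a list of problems; an empty list means the A -> B path should work."""
    problems = []
    pcx_id = pcx["VpcPeeringConnectionId"]
    status = pcx["Status"]["Code"]
    if status != "active":
        problems.append(f"{pcx_id} is {status}, not active")
    cidr_a = pcx["RequesterVpcInfo"]["CidrBlock"]
    cidr_b = pcx["AccepterVpcInfo"]["CidrBlock"]
    if ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b)):
        problems.append(f"CIDRs overlap: {cidr_a} and {cidr_b}")
    for rt_id in tables_missing_peer_route(rts_a, cidr_b, pcx_id):
        problems.append(f"{rt_id} (VPC-A) has no active route to {cidr_b} via {pcx_id}")
    for rt_id in tables_missing_peer_route(rts_b, cidr_a, pcx_id):
        problems.append(f"{rt_id} (VPC-B) has no return route to {cidr_a} via {pcx_id}")
    for side in ("RequesterVpcInfo", "AccepterVpcInfo"):
        opts = pcx[side].get("PeeringOptions", {})
        if not opts.get("AllowDnsResolutionFromRemoteVpc"):
            problems.append(f"{side}: AllowDnsResolutionFromRemoteVpc is off, private DNS names will not resolve")
    if not sg_allows(dest_sg, cidr_a, "tcp", port):
        problems.append(f"{dest_sg['GroupId']} does not allow tcp/{port} from {cidr_a}")
    if not sg_allows(dest_sg, cidr_a, "icmp"):
        problems.append(f"{dest_sg['GroupId']} does not allow ICMP from {cidr_a}; ping fails even if tcp/{port} works")
    return problems


# Constructed sample documents shaped like the relevant `aws ec2 describe-*` output.
PCX = {
    "VpcPeeringConnectionId": "pcx-0a1b2c3d4e5f6g7h8",
    "Status": {"Code": "active"},
    "RequesterVpcInfo": {"VpcId": "vpc-0a1b2c3d4e5f6g7h8", "CidrBlock": "10.0.0.0/16",
                         "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": True}},
    "AccepterVpcInfo": {"VpcId": "vpc-0x1y2z3a4b5c6d7e8", "CidrBlock": "10.1.0.0/16",
                        "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": False}},
}
RTS_A = [{"RouteTableId": "rtb-0a1b2c3d4e5f6g7h8", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-0a1b2c3d4e5f6g7h8", "State": "active"},
]}]
RTS_B = [{"RouteTableId": "rtb-0x1y2z3a4b5c6d7e8", "Routes": [
    {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
]}]  # no return route to VPC-A: the "active but no traffic" case from the post
SG_B = {"GroupId": "sg-0a1b2c3d4e5f6g7h8", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]}

if __name__ == "__main__":
    for problem in check_peering(PCX, RTS_A, RTS_B, SG_B, 443):
        print("FAIL:", problem)
```

Against the constructed sample it reports three problems: the missing return route in VPC-B, DNS resolution disabled on the accepter side, and a security group that allows tcp/443 but not ICMP, which is exactly why a ping test can fail after the TCP path is already working. To run it against a real account, feed it the parsed output of the describe commands shown earlier in this post.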
Is This Safe?
Adding peering routes and security group rules is standard networking configuration, but it widens what can reach your instances: every subnet whose route table carries the peer route can now send traffic to the peer, and every range you allow in a security group can reach that port. Add the route only to the route tables that need it, scope security group rules to specific ports and sources (or to the peer's security group) rather than the whole peer CIDR where you can, and remember that peering is not transitive: the peer cannot reach your other peers, VPN, or internet gateway through you. Enabling DNS resolution is safe and recommended. Overlapping CIDRs are rejected when the request is created, so check the ranges before you send it.
Key Takeaway
VPC peering requires three things: an active peering connection, routes in both VPCs' route tables, and security groups (and network ACLs) that allow the traffic you are testing with, ICMP included if you test with ping. Don't forget the routes: AWS won't add them automatically, and a missing route on one side is the most common cause of "peering is active but traffic doesn't flow."
Have questions or ran into a different networking issue? Connect with me on LinkedIn or X.