How do I troubleshoot problems establishing communication over VPC peering?

Short description

VPC peering network connectivity failures might occur due to incorrect or missing route tables, firewall rules, or DNS (if applicable). To route traffic between VPCs in a peering connection using private IP addresses, the VPCs must be able to communicate with each other as if they are in the same network.

Resolution

1. Verify that the VPC peering connection is in the Active state.
2. Be sure to update your route tables for your VPC peering connection. Verify that the correct routes exist for connections to the IP address range of your peered VPCs through the appropriate peering ID.
3. Verify that an ALLOW rule exists in the network access control (network ACL) table for the required traffic.
4. Verify that the security group rules allow network traffic between the peered VPCs.
5. If you're trying to reach a destination in the peer VPC using a domain name, see Why can't I resolve domain names over my VPC peering connection?
6. Use VPC flow logs to verify that the required traffic isn't rejected at the source or destination. This rejection might occur due to the missing rules under security groups or network ACLs of the source or destination.
7. Use Reachability Analyzer to check reachability between two resources in VPCs connected using VPC peering. This VPC tool validates that the network configuration (network ACL, security group, and route table) are configured correctly. Be aware that Reachability Analyzer requires that the source and destination resources are owned by the same AWS account and are in the same Region.

Related information

VPC peering basics