0

I setup a VPC peering connection between two regions (us-west-2, eu-central-1) in a single AWS account. In the documentation I see:

You cannot reference the security group of a peer VPC that's in a different region.

Let's say I want to create a security group in us-west-2 to allow port 3306 from both regions.

Am I supposed to make the new security group ALLOW the entire eu-central-1 VPC CIDR range and then the us-west-2 3306 security group id? This means any instance that is created in eu-central-1 can communicate with port 3306 in us-west-2 even though it may not need to.

Justin
  • 5,328
  • 19
  • 64
  • 84

1 Answers1

0

Yes, but you don't need to allow the entire CIDR of the foreign VPC... you will, however, need to allow the relevant remote IP addresses, whatever they are. If they aren't static, you'll need to allow the relevant subnets, by CIDR. This means you may need more subnets, if you need to restrict traffic and not include the entire remote VPC.

Michael - sqlbot
  • 22,658
  • 2
  • 63
  • 86