🎯 Goal: Connect two VPCs privately (no internet gateway!) — across regions, with Terraform.
✅ You’ll build:
- ✅ Two VPCs (10.0.0.0/16 + 10.1.0.0/16) — non-overlapping CIDRs
- ✅ Cross-region VPC peering (us-east-1 ↔ us-west-2)
- ✅ Bidirectional peering acceptance
- ✅ Route table updates for private traffic
- ✅ EC2 instances with Apache (test curl/ping over private IPs)
| Approach | Security | Cost | Latency | Use Case |
|---|---|---|---|---|
| ❌ Public IPs + IGW | ❌ Exposed to internet | High (data transfer) | High (public path) | ❌ Never for internal traffic |
| ✅ VPC Peering | ✅ Private, encrypted | Low (regional) | ⚡ Low (direct) | ✅ App ↔ DB, Shared services |
⚠️ Critical Rules:
- 🔒 CIDRs must NOT overlap (e.g., 10.0.0.0/16 + 10.1.0.0/16 ✅; 10.0.0.0/16 + 10.0.1.0/24 ❌)
- ↔️ Peering is NOT transitive: A ↔ B + B ↔ C ≠ A ↔ C → explicit A ↔ C required
- ✅ Bidirectional: A → B and B → A must be accepted
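The three rules above as a small added Python checker (not code from the page's day15 project): it flags overlapping CIDRs, answers reachability only over a direct accepted peering (no transit through a third VPC), lists the route each side's table needs, and does the longest-prefix lookup from the key flow. It goes one step beyond the lab by adding a third VPC C to show the non-transitivity rule; VPC C and the pcx ids are constructed sample values.

```python
import ipaddress
from itertools import combinations

# Constructed sample topology: the lab's VPC A / VPC B plus a VPC C that is
# peered with B only, to exercise the "peering is not transitive" rule.
VPCS = {
    "A": {"region": "us-east-1", "cidr": "10.0.0.0/16"},
    "B": {"region": "us-west-2", "cidr": "10.1.0.0/16"},
    "C": {"region": "us-west-2", "cidr": "10.2.0.0/16"},
}
# Accepted peering connections as (requester, accepter, pcx id); ids are placeholders.
PEERINGS = [("A", "B", "pcx-aaaa1111"), ("B", "C", "pcx-bbbb2222")]


def overlapping_pairs(vpcs):
    """VPC pairs whose CIDRs overlap: AWS refuses to peer them and routes would be ambiguous."""
    nets = {name: ipaddress.ip_network(v["cidr"]) for name, v in vpcs.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def reachable(peerings, src, dst):
    """True only when an accepted peering connects src and dst directly (no transit)."""
    return any({src, dst} == {a, b} for a, b, _ in peerings)


def required_routes(vpcs, peerings):
    """Routes each side's route table needs: one per direction, both targeting the pcx.

    One accepted peering connection carries both directions, but each VPC's route
    table still needs its own entry for the other side's CIDR.
    """
    routes = {name: [] for name in vpcs}
    for a, b, pcx in peerings:
        routes[a].append((vpcs[b]["cidr"], pcx))
        routes[b].append((vpcs[a]["cidr"], pcx))
    return routes


def route_for(routes, src, dst_ip):
    """Longest-prefix match of dst_ip against src's peering routes; None means no path."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(c, p) for c, p in routes[src] if ip in ipaddress.ip_network(c)]
    return max(matches, key=lambda m: ipaddress.ip_network(m[0]).prefixlen, default=None)


if __name__ == "__main__":
    print("overlaps:", overlapping_pairs(VPCS))
    print("A -> C reachable:", reachable(PEERINGS, "A", "C"))
    print("A's route for 10.1.1.10:", route_for(required_routes(VPCS, PEERINGS), "A", "10.1.1.10"))
```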
```mermaid
flowchart LR
    subgraph us-east-1 ["VPC A: 10.0.0.0/16"]
        A_EC2["EC2: 10.0.1.10"]
        A_RT["Route Table"]
        A_IGW["Internet Gateway"] -. optional .-> A_EC2
        A_RT -->|"10.1.0.0/16 via pcx-123"| Peering
    end
    subgraph us-west-2 ["VPC B: 10.1.0.0/16"]
        B_EC2["EC2: 10.1.1.10"]
        B_RT["Route Table"]
        B_RT -->|"10.0.0.0/16 via pcx-456"| Peering
    end
    Peering["VPC Peering Connection<br/>pcx-123 (A→B)<br/>pcx-456 (B→A)"] <--> A_RT & B_RT
```
✅ Key Flow:
1. A_EC2 → 10.1.1.10 (B’s private IP)
2. A_RT matches 10.1.0.0/16 → sends to pcx-123
3. Delivered to B_EC2 at 10.1.1.10

```text
day15/
├── provider.tf   # Multi-region providers (alias = primary/secondary)
├── variables.tf  # CIDRs, regions, instance types
├── data.tf       # AZs, AMIs (region-specific)
├── vpc-a.tf      # VPC A (us-east-1)
├── vpc-b.tf      # VPC B (us-west-2)
├── peering.tf    # Peering + route tables
├── instances.tf  # EC2 + security groups
└── TASK.md       # 📝 Your challenge (transitive fix, security hardening)
```
provider.tf — Multi-Region Setup