VPC Peering

Overview

VPC Peering connects two VPC networks belonging to the same user through their VPN gateways. Once peered, each gateway can reach instances in the remote VPC -- and traffic is routed transparently over an encrypted WireGuard tunnel.

Key characteristics:

  • Fully automatic -- Keys, tunnel IPs, endpoints, routes, and firewall rules are configured on both sides with a single click.
  • Bidirectional -- Creating a peering sets up both gateways simultaneously. Deleting one side removes both.
  • Encrypted -- All traffic between VPCs travels through a WireGuard tunnel with a unique preshared key.
  • NAT-free for tunnel traffic -- VPC peering traffic is not masqueraded on the WireGuard interface, preserving source IPs end-to-end within the tunnel.

Prerequisites

Before creating a VPC peering, you need:

  1. Two VPCs in locations where VPN Gateway is enabled
  2. A VPN gateway deployed in each VPC -- both must be in Active status
  3. Non-overlapping VPC CIDRs -- the two VPCs must not have overlapping address ranges (e.g., 172.16.0.0/16 and 10.0.0.0/16)
  4. Non-overlapping tunnel subnets -- each gateway's tunnel subnet must be unique and must not overlap with either VPC's CIDR

Creating a Peering

User

  1. Navigate to Networking > VPN Gateways and open one of the gateways
  2. Click Create VPC Peering
  3. Select the Remote Gateway from the dropdown (shows your other active gateways in different VPCs)
  4. Click Create Peering

Admin

  1. Navigate to Connectivity > VPN Gateways and open a gateway
  2. Click Create VPC Peering
  3. Select the Remote Gateway
  4. Click Create Peering

Both gateways are updated immediately. The system:

  • Exchanges WireGuard public keys between the two gateways
  • Allocates tunnel IPs from each gateway's tunnel subnet
  • Generates a shared preshared key
  • Sets AllowedIPs to the remote VPC CIDR and remote tunnel subnet
  • Configures endpoints using the gateways' public IPs
  • Pushes the WireGuard configuration to both gateway instances

Validation Checks

The system performs several checks before allowing a peering:

Check                                            Error
VPC CIDRs overlap                                "The VPC CIDRs of the two gateways overlap"
Tunnel subnets overlap                           "The tunnel subnets of the two gateways overlap"
Tunnel subnet overlaps remote VPC CIDR           "A tunnel subnet overlaps with the remote VPC CIDR"
Peering already exists between these gateways    "A peering already exists between these gateways"
Same VPC                                         "Cannot peer gateways in the same VPC"

Road-Warrior Access to Peered VPCs

When a road-warrior (remote access) peer downloads their client configuration, the AllowedIPs automatically includes the CIDRs of all peered VPCs. This means a road-warrior client connected to VPN Gateway A can reach instances in both VPC A and any VPCs peered with it -- no additional configuration needed.
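To make the validation checks and the AllowedIPs rules concrete, here is an added Python example (not the product's code and not from this page; the Gateway model and the sample networks are assumptions) that applies the overlap checks from the table above and derives the AllowedIPs set for a peering peer and for a road-warrior client:

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network


@dataclass
class Gateway:
    """Hypothetical minimal model of a VPN gateway (assumption, not the product's schema)."""
    name: str
    vpc_id: str
    vpc_cidr: IPv4Network
    tunnel_subnet: IPv4Network
    peerings: set = field(default_factory=set)  # names of gateways already peered with this one


def validate_peering(local: Gateway, remote: Gateway) -> list[str]:
    """Return the error messages from the validation table; an empty list means the peering is allowed."""
    errors = []
    if local.vpc_id == remote.vpc_id:
        errors.append("Cannot peer gateways in the same VPC")
    if remote.name in local.peerings or local.name in remote.peerings:
        errors.append("A peering already exists between these gateways")
    if local.vpc_cidr.overlaps(remote.vpc_cidr):
        errors.append("The VPC CIDRs of the two gateways overlap")
    if local.tunnel_subnet.overlaps(remote.tunnel_subnet):
        errors.append("The tunnel subnets of the two gateways overlap")
    # Each gateway's tunnel subnet must stay clear of the other side's VPC CIDR
    if local.tunnel_subnet.overlaps(remote.vpc_cidr) or remote.tunnel_subnet.overlaps(local.vpc_cidr):
        errors.append("A tunnel subnet overlaps with the remote VPC CIDR")
    return errors


def peering_allowed_ips(remote: Gateway) -> list[str]:
    """AllowedIPs a gateway sets for its VPC-peering peer: the remote VPC CIDR and the remote tunnel subnet."""
    return [str(remote.vpc_cidr), str(remote.tunnel_subnet)]


def road_warrior_allowed_ips(local: Gateway, peered: list[Gateway]) -> list[str]:
    """AllowedIPs handed to a road-warrior client: the local VPC CIDR plus the CIDR of every peered VPC."""
    return [str(local.vpc_cidr)] + [str(g.vpc_cidr) for g in peered]


# Constructed sample gateways (illustrative values, not from any real deployment)
GW_A = Gateway("gw-a", "vpc-a", ip_network("10.0.0.0/16"), ip_network("10.255.0.0/24"))
GW_B = Gateway("gw-b", "vpc-b", ip_network("172.16.0.0/16"), ip_network("10.255.1.0/24"))
# gw-c's VPC lies inside gw-a's VPC and reuses gw-a's tunnel subnet, so peering A<->C must be rejected
GW_C = Gateway("gw-c", "vpc-c", ip_network("10.0.128.0/17"), ip_network("10.255.0.0/24"))

if __name__ == "__main__":
    print(validate_peering(GW_A, GW_B))           # []
    print(validate_peering(GW_A, GW_C))           # two overlap errors
    print(peering_allowed_ips(GW_B))              # what gw-a's WireGuard peer entry for gw-b allows
    print(road_warrior_allowed_ips(GW_A, [GW_B])) # what a road-warrior client of gw-a can reach
```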


Removing a Peering

From the Gateway Detail Page

  1. Find the VPC peering peer in the peers list (identified by the vpc-peering- prefix)
  2. Click the Delete button on the peer
  3. Confirm removal

Deleting a VPC peering peer on one gateway automatically removes the corresponding peer on the remote gateway. Both gateways' WireGuard configurations are updated immediately.

By Deleting a Gateway

Deleting a VPN gateway also removes all VPC peering connections associated with it. The remote gateway's peer entry is cleaned up automatically.