Requirements for VPC Peering in AWS

Edwin Mejias

What is VPC Peering?

VPC peering creates a secure, private connection between your VPC and Snowplow's VPC. This allows data to flow between your networks without going over the internet, making it ideal for integrations with internal services, data warehouses, or streaming platforms. (Note: VPC peering and using a custom VPC are additional bolt-ons.)

When Do You Need VPC Peering?

Consider VPC peering if you need to:

  • Connect to internal data destinations (Kafka, Redshift, databases) securely
  • Enforce stricter security policies by keeping traffic off the internet
  • Reduce your public-facing API surface area
  • Route data to services in private subnets within your VPC

Difference between VPC Peering and BYON (custom VPC)

VPC Peering is not the same as BYON (Bring Your Own Network). VPC Peering connects a Snowplow-created VPC securely to a customer VPC so that we can send data to your remote network privately, whereas BYON sets up the entire pipeline on an existing custom VPC that you create in the shared AWS account on your end.

Critical: Timing of VPC Peering Setup

VPC peering must be configured at the time of initial pipeline deployment. Adding peering after a pipeline is already running typically requires a full pipeline migration, which involves downtime. The duration depends on your pipeline complexity, but plan for it during a maintenance window. Raise this requirement early, ideally during your onboarding, so we can plan accordingly.

If your pipeline is already deployed and you need to add private network connectivity, Transit Gateway (TGW) may be an alternative that does not require a pipeline migration. Reach out to your Support or Customer Success contact to assess the right approach for your environment.

What Information We Need From You

To set up VPC peering, you will first need to initiate a VPC peering request from your AWS account, directed at Snowplow's VPC. Contact Support to receive Snowplow's VPC ID and AWS account details for your region — you will need these to send the request. Once sent, the connection will appear as pending-acceptance and our team will accept it on our end.

Please also provide the following details:

  • VPC CIDR Range(s): Select a peering-compatible /21 or /22 CIDR range (2048 or 1024 addresses) at minimum.
  • VPC Peering Connection ID: The AWS peering connection identifier (starts with pcx-), generated when you initiate the request from your side. Request Snowplow's source AWS account ID and VPC ID from Support so you can direct the request at the correct VPC.
  • Destination CIDR for Routing: The specific subnet or address range where your target service lives
  • Number of Peering Connections: How many separate peering connections you need (we support up to 5 per environment)
  • Target Environments: Whether you need peering in QA, production, or both

Important Requirements and Constraints

No IP Overlap: Your VPC CIDR ranges must not overlap with Snowplow's infrastructure. We'll validate this during setup.

Routing Configuration: Snowplow Support configures route table entries on your behalf using the connection ID and destination CIDR you provide, so traffic to your target service flows through the peering connection.

Security Groups: Your security groups must allow inbound traffic from Snowplow's VPC CIDR range. We will provide this during setup.
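The checks above (minimum /21 or /22 range, no overlap with Snowplow's CIDR, a destination that sits inside your peered VPC, at most 5 connections per environment) can be run before you contact Support. The following is an added example, not Snowplow's own tooling; the Snowplow CIDR, account ID and VPC ID it uses are constructed placeholders that Support will replace with the real values for your region.

```python
# Preflight checks for a VPC peering request, mirroring the requirements
# on this page. Added example; all CIDR and ID values are placeholders.
import ipaddress
import shlex

MAX_PREFIX_LEN = 22   # /22 (1024 addresses) is the smallest peering-compatible range
MAX_CONNECTIONS = 5   # peering connections supported per environment


def validate_peering_plan(customer_cidrs, snowplow_cidr, destination_cidr, connection_count):
    """Return a list of problems; an empty list means the plan passes every check."""
    problems = []
    snowplow_net = ipaddress.ip_network(snowplow_cidr, strict=True)
    customer_nets = [ipaddress.ip_network(c, strict=True) for c in customer_cidrs]
    dest = ipaddress.ip_network(destination_cidr, strict=True)

    for net in customer_nets:
        # Ranges smaller than /22 are not peering-compatible
        if net.prefixlen > MAX_PREFIX_LEN:
            problems.append(f"{net} is smaller than /{MAX_PREFIX_LEN}")
        # Overlapping ranges make the peering routes ambiguous
        if net.overlaps(snowplow_net):
            problems.append(f"{net} overlaps Snowplow range {snowplow_net}")
    # The destination CIDR we route to must lie inside one of your peered ranges
    if not any(dest.subnet_of(net) for net in customer_nets):
        problems.append(f"destination {dest} is not inside any peered VPC CIDR")
    if connection_count > MAX_CONNECTIONS:
        problems.append(f"{connection_count} connections exceed the limit of {MAX_CONNECTIONS}")
    return problems


def peering_request_command(customer_vpc_id, snowplow_account_id, snowplow_vpc_id, region):
    """AWS CLI command that initiates the peering request from your account."""
    return shlex.join([
        "aws", "ec2", "create-vpc-peering-connection",
        "--vpc-id", customer_vpc_id,
        "--peer-owner-id", snowplow_account_id,
        "--peer-vpc-id", snowplow_vpc_id,
        "--peer-region", region,
    ])


def ingress_rule_command(security_group_id, snowplow_cidr, port):
    """Security group rule scoped to Snowplow's CIDR and only the port the service needs."""
    return shlex.join([
        "aws", "ec2", "authorize-security-group-ingress",
        "--group-id", security_group_id,
        "--protocol", "tcp", "--port", str(port),
        "--cidr", snowplow_cidr,
    ])
```

Scoping the security group rule to Snowplow's CIDR and a single port keeps the inbound exposure limited to the one service (for example a Kafka broker) that the pipeline needs to reach.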

Common Use Cases

AWS MSK (Managed Streaming for Kafka): Connect to your Kafka brokers privately without exposing them to the internet.

Redshift Warehouse: Send processed data directly to your Redshift cluster over private IP.

Internal APIs: Enable enrichment components to call your internal APIs securely.

Custom Data Destinations: Route events to any service in your VPC without internet exposure.

What Happens After Setup

Once peering is established, traffic between Snowplow and your VPC flows entirely through the private connection. Note that you may still need to verify that the security groups on your destination services (such as MSK or Redshift) allow inbound traffic from Snowplow's VPC CIDR — your Support contact will flag this if relevant during setup.

Next Steps

If you need VPC peering, mention it during your onboarding process or contact Support with the information listed above. Our team will provide Snowplow's VPC details for you to initiate the peering request, validate your configuration, and ensure routing is in place before your pipeline goes live.