VPC Peering
Private network connectivity between your AWS VPC and a LaserData Managed deployment
VPC Peering creates a direct, private network connection between your AWS VPC and a LaserData Managed deployment. Traffic flows over private IPs within the AWS network — it never traverses the public internet.
VPC Peering is available for Managed deployments on AWS only. BYOC deployments already run in your VPC and do not need peering. Requires the Pro or Enterprise plan.
Why VPC Peering
By default, Managed deployments are accessed over public endpoints protected by access rules. VPC Peering gives you a private network path instead:
- Traffic stays within the AWS backbone — lower latency, no internet exposure
- No need to open public IPs on your application side
- Combine with access rules for defense-in-depth — allow only your peered VPC CIDR
Prerequisites
Before setting up VPC Peering, make sure you have:
- A running Managed deployment on AWS
- An AWS VPC in the same or a different region
- Your AWS Account ID (12-digit number, found in the AWS Console top-right)
- Your VPC ID (starts with vpc-, found in the AWS VPC Console)
- Your VPC CIDR block (must not overlap with the deployment's subnet or other peering CIDRs)
Setting Up VPC Peering
Step 1 — Create the Peering Connection
- Navigate to your deployment and open the Networking tab
- Click Add VPC Peering
- Enter a name for the connection
- Provide your VPC ID, AWS Account ID, and VPC CIDR block
- If your VPC is in a different region, specify the peer region
- Click Create
LaserData validates your inputs, creates the AWS peering request, and automatically configures routing and security groups on the deployment side. The connection starts in Pending Acceptance status.
Your VPC CIDR must not overlap with the deployment's subnet or any other active peering connections on the same deployment. If there is an overlap, the request is rejected with details about which CIDRs conflict.
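A pre-submission check for the inputs and the overlap rule described above, as an added example that is not LaserData's own code. Field names follow the create and list API calls documented on this page; the deployment subnet and the sample connection list are constructed, and the VPC ID pattern assumes AWS's 8- or 17-hex-character ID format.

```python
import ipaddress
import re

VPC_ID = re.compile(r"vpc-(?:[0-9a-f]{8}|[0-9a-f]{17})")
ACCOUNT_ID = re.compile(r"\d{12}")


def preflight(request, deployment_cidr, existing):
    """Return reasons the request would be rejected (empty list = looks OK).

    request: create-call body; existing: parsed list-call response.
    deployment_cidr: deployment subnet CIDR as shown in the Console.
    """
    problems = []
    if not VPC_ID.fullmatch(request.get("peer_vpc_id", "")):
        problems.append("peer_vpc_id: expected vpc- plus 8 or 17 hex chars")
    if not ACCOUNT_ID.fullmatch(request.get("peer_owner_id", "")):
        problems.append("peer_owner_id: expected a 12-digit account ID")
    try:
        # strict=True rejects host bits set in the prefix, e.g. 172.16.5.0/16
        peer = ipaddress.ip_network(request.get("peer_vpc_cidr", ""), strict=True)
    except ValueError as exc:
        return problems + [f"peer_vpc_cidr: {exc}"]
    if peer.overlaps(ipaddress.ip_network(deployment_cidr)):
        problems.append(f"{peer} overlaps deployment subnet {deployment_cidr}")
    for conn in existing:
        # The page states the overlap rule applies to active connections.
        if conn.get("status") != "active":
            continue
        if peer.overlaps(ipaddress.ip_network(conn["accepter_cidr"])):
            problems.append(
                f"{peer} overlaps peering '{conn['name']}' ({conn['accepter_cidr']})")
    return problems


# Constructed sample input: a deployment subnet and one existing peering.
DEPLOYMENT_CIDR = "10.50.0.0/24"
EXISTING = [{"name": "app-to-iggy", "accepter_cidr": "172.16.0.0/16",
             "status": "active"}]
REQUEST = {"peer_vpc_id": "vpc-0abc123def456789a",
           "peer_owner_id": "123456789012",
           "peer_vpc_cidr": "172.16.8.0/21"}

if __name__ == "__main__":
    for problem in preflight(REQUEST, DEPLOYMENT_CIDR, EXISTING):
        print("REJECT:", problem)
```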
Step 2 — Accept the Peering Request in AWS
The peering connection requires acceptance from your AWS account:
- Open the AWS VPC Console in the region where your VPC is located
- Go to Peering Connections
- Find the pending request from LaserData and select it
- Click Actions → Accept Request
The LaserData Console provides tailored instructions for each peering connection based on its current status. Check the peering connection detail view for step-by-step guidance specific to your setup.
Step 3 — Configure Your VPC
After accepting the peering request, configure routing on your side:
- Go to Route Tables in the AWS VPC Console
- Select the route table associated with your VPC subnets
- Click Edit routes → Add route
- Set Destination to the LaserData deployment subnet CIDR (shown in the Console)
- Set Target to the peering connection ID (pcx-...)
- Save the route
- Update your security groups to allow traffic to/from the deployment CIDR
Once both sides are configured, traffic flows privately between your VPC and the deployment.
Connection Status
LaserData periodically syncs the peering status with AWS. You can see the current status in the Console:
| Status | Meaning | Action |
|---|---|---|
| Pending Acceptance | Waiting for you to accept in AWS | Accept in the AWS VPC Console |
| Active | Peering established, traffic can flow | No action needed |
| Rejected | You rejected the request | Delete and recreate if needed |
| Expired | Request was not accepted in time | Delete and recreate |
| Failed | Could not establish peering | Verify VPC ID and Account ID, then recreate |
Deleting a Peering Connection
You can delete a peering connection from the Networking tab in the Console. This removes:
- The AWS VPC peering connection
- The route in the deployment's route table
- The security group rules on the LaserData side
You should also clean up the corresponding route and security group entries in your own VPC.
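One way to find what is left behind on your side after a deletion, as an added example that is not part of the LaserData documentation. It reads the parsed JSON output of `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups`; the resource IDs, CIDRs and port in the sample data are constructed.

```python
import ipaddress


def leftover_entries(route_tables, security_groups, pcx_id, deployment_cidr):
    """Return (kind, resource_id, detail) tuples that still reference the peering.

    route_tables / security_groups: parsed output of
    `aws ec2 describe-route-tables` / `aws ec2 describe-security-groups`.
    """
    deploy = ipaddress.ip_network(deployment_cidr)
    found = []
    for table in route_tables.get("RouteTables", []):
        for route in table.get("Routes", []):
            # Routes to a deleted peering connection remain, in state "blackhole".
            if route.get("VpcPeeringConnectionId") == pcx_id:
                detail = f"{route.get('DestinationCidrBlock')} ({route.get('State')})"
                found.append(("route", table["RouteTableId"], detail))
    for group in security_groups.get("SecurityGroups", []):
        for kind, key in (("ingress", "IpPermissions"),
                          ("egress", "IpPermissionsEgress")):
            for perm in group.get(key, []):
                for ip_range in perm.get("IpRanges", []):
                    net = ipaddress.ip_network(ip_range["CidrIp"])
                    # Flag only rules scoped to the deployment range;
                    # 0.0.0.0/0 is not a subnet of it and is skipped.
                    if net.version == deploy.version and net.subnet_of(deploy):
                        found.append((kind, group["GroupId"], str(net)))
    return found


# Constructed sample data in the shape the AWS CLI returns.
ROUTE_TABLES = {"RouteTables": [{"RouteTableId": "rtb-0example", "Routes": [
    {"DestinationCidrBlock": "10.50.0.0/24", "State": "blackhole",
     "VpcPeeringConnectionId": "pcx-0abc123def456789a"},
    {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local",
     "State": "active"}]}]}
SECURITY_GROUPS = {"SecurityGroups": [{
    "GroupId": "sg-0example", "IpPermissions": [], "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 8090, "ToPort": 8090,
         "IpRanges": [{"CidrIp": "10.50.0.0/24"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}

if __name__ == "__main__":
    for entry in leftover_entries(ROUTE_TABLES, SECURITY_GROUPS,
                                  "pcx-0abc123def456789a", "10.50.0.0/24"):
        print(entry)
```

A security group rule left open to the old deployment CIDR keeps granting access to whatever is later reachable at that range, so remove it along with the blackholed route.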
Plan Limits
| Resource | Basic | Pro | Enterprise |
|---|---|---|---|
| VPC peering connections per deployment | — | 3 | 10 |
| Private networking | — | Available | Available |
Audit
All VPC peering operations are recorded in the audit log:
- Peering created — who requested it, which VPC and CIDR
- Peering deleted — who removed it and when
API Reference
For programmatic access via API keys, the following endpoints are available.
Required permission: DeploymentNetworkManage (create, delete) or DeploymentNetworkRead (list, instructions)
Create a Peering Connection
curl -X POST {supervisor_url}/deployments/{deployment_id}/network/vpc_peering \
  -H "ld-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "app-to-iggy",
    "peer_vpc_id": "vpc-0abc123def456789a",
    "peer_owner_id": "123456789012",
    "peer_vpc_cidr": "172.16.0.0/16",
    "peer_region": "us-west-2",
    "remarks": "Application VPC to deployment"
  }'
List Peering Connections
curl {supervisor_url}/deployments/{deployment_id}/network/vpc_peering \
  -H "ld-api-key: YOUR_API_KEY"

[
  {
    "id": 1,
    "name": "app-to-iggy",
    "peering_connection_id": "pcx-0abc123def456789a",
    "requester_vpc_id": "vpc-deployment",
    "accepter_vpc_id": "vpc-0abc123def456789a",
    "accepter_cidr": "172.16.0.0/16",
    "requester_region": "us-east-1",
    "accepter_region": "us-west-2",
    "status": "active",
    "remarks": "Application VPC to deployment",
    "created_at": "2025-01-15T10:30:00Z",
    "updated_at": "2025-01-15T10:35:00Z"
  }
]
Get Setup Instructions
Returns step-by-step instructions tailored to the current peering status:
curl {supervisor_url}/deployments/{deployment_id}/network/vpc_peering/{peering_id}/instructions \
  -H "ld-api-key: YOUR_API_KEY"
Delete a Peering Connection
curl -X DELETE {supervisor_url}/deployments/{deployment_id}/network/vpc_peering/{peering_id} \
-H "ld-api-key: YOUR_API_KEY"