---
title: VPC Peering and AWS PrivateLink | Tiger Data Docs
description: Secure your services with Virtual Private Cloud peering and AWS PrivateLink
---

You use Virtual Private Cloud (VPC) peering to ensure that your Tiger Cloud services are only accessible through your secured AWS infrastructure. This reduces the potential attack surface and improves security.

The data isolation architecture that ensures a highly secure connection between your apps and Tiger Cloud is:

![Tiger Cloud VPC isolation architecture](/docs/_astro/tsc-vpc-architecture.C-S_Kcsg_Z1yM4lJ.webp)

Your customer apps run inside your AWS Customer VPC, and your Tiger Cloud services always run inside the secure Tiger Cloud VPC. You control secure communication between apps in your VPC and your services using a dedicated Peering VPC. The AWS PrivateLink connecting the Tiger Cloud VPC to the dedicated Peering VPC gives the same level of protection as using a direct AWS PrivateLink connection. It only enables communication to be initiated from your Customer VPC to services running in the Tiger Cloud VPC. Tiger Cloud cannot initiate communication with your Customer VPC.

To configure this secure connection, you first create a Peering VPC with AWS PrivateLink in Tiger Console. After you have accepted and configured the peering connection to your Customer VPC, you use AWS Security Groups to restrict the apps in your Customer VPC that are visible to the Peering VPC. The last step is to attach individual services to the Peering VPC in Tiger Console.

- You create each Peering VPC on a [Tiger Cloud project level](/docs/deploy/tiger-cloud/tiger-cloud-aws/security/members/index.md).

- You **can attach**:

  - Up to 50 Customer VPCs to a Peering VPC.
  - A Tiger Cloud service to a single Peering VPC at a time. The service and the Peering VPC must be in the same AWS region. However, you can peer a Customer VPC and a Peering VPC that are in different regions.
  - Multiple Tiger Cloud services to the same Peering VPC.

- You **cannot attach** a Tiger Cloud service to multiple Peering VPCs at the same time.

  The number of Peering VPCs you can create in your project depends on your [pricing plan](/docs/deploy/tiger-cloud/tiger-cloud-aws/pricing-and-account-management/index.md). If you need another Peering VPC, either contact <support@tigerdata.com> or change your pricing plan in [Tiger Console](https://console.cloud.tigerdata.com/).

## Prerequisites

To set up VPC peering, you need the following permissions in your AWS account:

- Accept VPC peering requests
- Configure route table rules
- Configure security group and firewall rules

## Set up a secured connection between Tiger Cloud and AWS

To connect to a Tiger Cloud service using VPC peering, your apps and infrastructure must already be running in an Amazon Web Services (AWS) VPC. You can peer your VPC from any AWS region. However, your Peering VPC must be within one of the [Cloud-supported regions](/docs/get-started/choose-your-path/supported-platforms/index.md).

The stages to create a secured connection between Tiger Cloud services and your AWS infrastructure are:

1. [Create a Peering VPC in Tiger Console](#create-a-peering-vpc-in-tiger-console)
2. [Complete the VPC connection in your AWS](#complete-the-vpc-connection-in-aws)
3. [Set up security groups in your AWS](#set-up-security-groups-in-aws)
4. [Attach a Tiger Cloud service to the Peering VPC](#attach-a-tiger-cloud-service-to-the-peering-vpc)

### Create a peering VPC in Tiger Console

Create the VPC and the peering connection that enables you to securely route traffic between Tiger Cloud and your Customer VPC in a logically isolated virtual network.

1. **In Tiger Console > Security > VPC, click `Create a VPC`**

   ![Creating a new peering VPC in Tiger Console](/docs/_astro/add-peering-vpc-tiger-cloud.BHFW98a8_Hcuw1.webp)

2. **Choose your region and IP range, name your VPC, then click `Create VPC`**

   ![Configuring VPC region, IP range, and name](/docs/_astro/configure-peering-vpc-tiger-cloud.DZom78te_Zspfuq.webp)

   The IP ranges of the Peering VPC and Customer VPC should not overlap.

3. **For as many peering connections as you need**

   1. In the `VPC Peering` column, click `Add`.
   2. Enter information about your existing Customer VPC, then click `Add Connection`.

      ![Adding a peering connection with AWS account details](/docs/_astro/add-peering-tiger-cloud.9tTfnXvs_Z1YfI1i.webp)

   Tiger Cloud sends a peering request to your AWS account so you can [complete the VPC connection in AWS](#complete-the-vpc-connection-in-aws).

### Complete the VPC connection in AWS

When you receive the Tiger Cloud peering request in AWS, edit your routing table to match the `IP Range` and `CIDR block` between your Customer and Peering VPCs.

When you peer a VPC with multiple CIDRs, all CIDRs are added to the Tiger Cloud rules automatically. After you have finished peering, further changes in your VPC's CIDRs are not detected automatically. If you need to refresh the CIDRs, recreate the peering connection.

The request acceptance process is an important safety mechanism. Do not accept a peering request from an unknown account.

1. **In AWS > VPC Dashboard > Peering connections, select the peering connection request from Tiger Cloud**

   Copy the peering connection ID to the clipboard. The peering connection ID starts with `pcx-`.

2. **In the peering connection, click `Route Tables`, then select the `Route Table ID` that corresponds to your VPC**

3. **In `Routes`, click `Edit routes`**

   You see the list of existing destinations.

   ![Adding a new VPC route in the AWS console](/docs/_astro/tsc-vpc-add-route.BPur-Qe3_ieNCz.webp)

   If you do not already have a destination that corresponds to the `IP range / CIDR block` of your Peering VPC:

   1. Click `Add route`, and set:

      - `Destination`: the CIDR block of your Peering VPC. For example: `10.0.0.7/17`.
      - `Target`: the peering connection ID you copied to your clipboard.

   2. Click `Save changes`.

   Network traffic is secured between your AWS account and Tiger Cloud for this project.

### Set up security groups in AWS

Security groups allow specific inbound and outbound traffic at the resource level. You can associate a VPC with one or more security groups, and each instance in your VPC may belong to a different set of security groups. The security group choices for your VPC are:

- Create a security group to use for your Tiger Cloud VPC only.
- Associate your VPC with an existing security group.
- Do nothing: your VPC is automatically associated with the default security group.

To create a security group specific to your Tiger Cloud Peering VPC:

1. **In AWS > VPC Dashboard > Security Groups, click `Create security group`**

2. **Enter the rules for this security group**

   ![AWS VPC security group configuration](/docs/_astro/aws-vpc-securitygroup.CaesDIXY_Z1PJqnn.webp)

   - `VPC`: select the VPC that is peered with Tiger Cloud.

   - `Inbound rules`: leave empty.

   - `Outbound rules`:

     - `Type`: `Custom TCP`
     - `Protocol`: `TCP`
     - `Port range`: `5432`
     - `Destination`: `Custom`
     - `Info`: the CIDR block of your Tiger Cloud Peering VPC.

3. **Click `Add rule`, then click `Create security group`**
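The two checks the guide asks you to make by hand before accepting a request (known requester account, no CIDR overlap with your Customer VPC), together with the route entry and the outbound-only `5432` rule from the last two sections, as an added Python example that is not part of the Tiger Data docs. The request list is a constructed sample shaped like `aws ec2 describe-vpc-peering-connections` output; the account IDs, VPC IDs and CIDRs are placeholders, and the expected requester account ID is an assumed input you confirm out of band.

```python
"""Vet a pending VPC peering request before accepting it.

Accept only a request from the expected account whose requester CIDR is the
Peering VPC range configured in Tiger Console and does not overlap the
Customer VPC's own CIDRs. On success, return the route-table entry and the
outbound security-group rule the guide asks you to create.
"""
import ipaddress

# Constructed sample shaped like `aws ec2 describe-vpc-peering-connections`
# output. Account IDs, VPC IDs and CIDRs are placeholders, not real values.
PENDING_REQUESTS = [
    {"VpcPeeringConnectionId": "pcx-0123456789abcdef0",
     "Status": {"Code": "pending-acceptance"},
     "RequesterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-peering0",
                          "CidrBlockSet": [{"CidrBlock": "10.0.0.0/17"}]},
     "AccepterVpcInfo": {"OwnerId": "222222222222", "VpcId": "vpc-customer0",
                         "CidrBlockSet": [{"CidrBlock": "172.31.0.0/16"},
                                          {"CidrBlock": "10.1.0.0/16"}]}},
    {"VpcPeeringConnectionId": "pcx-0fedcba9876543210",   # unknown account
     "Status": {"Code": "pending-acceptance"},
     "RequesterVpcInfo": {"OwnerId": "999999999999", "VpcId": "vpc-unknown",
                          "CidrBlockSet": [{"CidrBlock": "10.0.0.0/17"}]},
     "AccepterVpcInfo": {"OwnerId": "222222222222", "VpcId": "vpc-customer0",
                         "CidrBlockSet": [{"CidrBlock": "172.31.0.0/16"}]}},
]

def cidrs(vpc_info):
    """All CIDR blocks of one side of the connection as network objects."""
    return [ipaddress.ip_network(c["CidrBlock"]) for c in vpc_info["CidrBlockSet"]]

def vet_request(conn, expected_owner, peering_cidr, pg_port=5432):
    """Return (ok, reason, plan); plan holds the route and egress rule to apply."""
    if conn["Status"]["Code"] != "pending-acceptance":
        return False, "not pending", None
    req = conn["RequesterVpcInfo"]
    if req["OwnerId"] != expected_owner:          # never accept from an unknown account
        return False, f"unexpected requester account {req['OwnerId']}", None
    peering = ipaddress.ip_network(peering_cidr)
    if peering not in cidrs(req):                 # must be the range set in Tiger Console
        return False, "requester CIDR does not match the Peering VPC range", None
    for local in cidrs(conn["AccepterVpcInfo"]):  # ranges must not overlap
        if local.overlaps(peering):
            return False, f"Peering VPC {peering} overlaps Customer VPC {local}", None
    plan = {
        "route": {"DestinationCidrBlock": str(peering),
                  "VpcPeeringConnectionId": conn["VpcPeeringConnectionId"]},
        "egress": {"IpProtocol": "tcp", "FromPort": pg_port, "ToPort": pg_port,
                   "IpRanges": [{"CidrIp": str(peering)}]},  # IpPermissions shape
    }
    return True, "ok", plan

if __name__ == "__main__":
    for c in PENDING_REQUESTS:
        print(c["VpcPeeringConnectionId"], vet_request(c, "111111111111", "10.0.0.0/17"))
```

A newly created security group carries a default allow-all outbound rule; remove it so the `5432` rule toward the Peering VPC CIDR is the only egress that remains.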

### Attach a Tiger Cloud service to the peering VPC

Now that Tiger Cloud is communicating securely with your AWS infrastructure, you can attach one or more services to the Peering VPC.

After you attach a service to a Peering VPC, you can only access it through the peered AWS VPC. It is no longer accessible using the public internet.

1. **In Tiger Console > Services, select the service you want to connect to the Peering VPC**
2. **Click `Operations` > `Security` > `VPC`**
3. **Select the VPC, then click `Attach VPC`**

Your service is now securely communicating with your AWS account inside a VPC.

## Migrate a Tiger Cloud service between VPCs

To ensure that your applications continue to run without interruption, you keep the service attached to the Peering VPC. However, you can change the Peering VPC your service is attached to, or disconnect from the Peering VPC and enable access to the service from the public internet.

Tiger Cloud uses a different DNS for services that are attached to a Peering VPC. When you migrate a service between public access and a Peering VPC, you need to update your connection string.

1. **In Tiger Console > Services, select the service to migrate**

   If you don’t have a service, [create a new one](/docs/get-started/quickstart/create-service/index.md).

2. **Click `Operations` > `Security` > `VPC`**

3. **Select the VPC, then click `Attach VPC`**

Migration takes a few minutes to complete and requires a change to DNS settings for the service. The service is not accessible during this time. If you receive a DNS error, allow some time for DNS propagation.
