# AWS VPC peering

Allows Tray connectors to reach inside your private network using routes established via attachment of a Tray-owned VPC, as if both our VPCs were inside the same network.

## VPC Peering

![vpc-peering](https://tray.ai/documentation/images/platform/connectivity/on-premise-systems/aws-connectivity/aws-vpc-peering/4cfdf656-1bbf5b80_vpc-peering-2.png)
This option will therefore only work if you are (at least partially) hosted on AWS.

### Key points in using VPC peering

* A Tray and customer VPC can communicate **as if in the same network**
* **No additional infrastructure** (i.e. VPN servers) required
* VPCs can be in **different regions**
* **No separate piece of physical hardware** is required
* **No gateway** is required
* There is **no single point of failure, or bandwidth bottleneck**
* VPC resources including EC2 instances, Amazon RDS databases and Lambda functions can communicate with each other **using private IP addresses**
* All inter-region traffic is **encrypted**
* Traffic **never traverses the public internet** - reduced exposure to common exploits and DDoS attacks
* There is **no option to natively encrypt** this traffic, unless we use **application-level tools such as TLS**

### VPC Peering required info

| Details                 | Notes                                                                                                                                                                             |
| ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Customer Name           |                                                                                                                                                                                   |
| Geographic location     | The region in which your VPC is located. We will locate the Tray.io VPC in a region that is optimal in terms of latency when connecting.                                          |
| Tray OrgID              |                                                                                                                                                                                   |
| Your AWS Account number |                                                                                                                                                                                   |
| Your VPC ID             |                                                                                                                                                                                   |
| Your subnet CIDR ranges | Tray uses 10.200.0.0/25 by default. This cannot overlap with your VPC CIDR range. In the unlikely event that it does, notify us so we can update it to another range.             |

### VPC Peering setup process

1. We set up a **separate Tray VPC network** which does not overlap with your network and will not require you to reserve a large chunk of routes
2. This endpoint will **request connectivity** to your target network which **normally requires manual acceptance by you** ('auto-accept' is not a recommended security practice)
3. Once accepted, our connectors will be able to reach the services hosted in your network

### VPC Peering technical considerations

* Once the request is accepted, you can still **explicitly limit Tray’s access** to the different corners of your network by using **NACLs and Security Groups**.
* If you use **Transit Gateway** to manage your network governance - as opposed to individual VPCs and route tables - we would recommend using our [Transit Gateway offering](https://tray.ai/documentation/platform/connectivity/on-premise-systems/aws-connectivity/aws-transit-gateway/).
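Two of the checks above (the CIDR non-overlap requirement in the required-info table, and scoping the peer's reach with Security Groups after acceptance) can be verified before and after accepting the peering request. The following is an added example, not Tray's code; the Tray CIDR comes from this page, while the customer VPC ranges, the sample ingress rules and the `pcx-EXAMPLE` peering ID are constructed placeholders.

```python
import ipaddress

# Tray's default peer CIDR (from the page); the customer ranges are constructed.
TRAY_PEER_CIDR = "10.200.0.0/25"
CUSTOMER_VPC_CIDRS = ["10.0.0.0/16", "172.31.0.0/16"]

# Constructed sample of ingress rules on a customer-side security group,
# trimmed to the two fields that matter for this audit.
SAMPLE_INGRESS = [
    {"port": 5432, "cidr": "0.0.0.0/0"},      # world-open: far wider than the peer
    {"port": 5432, "cidr": "10.0.0.0/8"},     # whole RFC1918 block: still too wide
    {"port": 5432, "cidr": "10.200.0.0/25"},  # exactly the Tray peer range
    {"port": 22,   "cidr": "10.200.0.0/25"},  # right source, but a port Tray does not need
]

def overlapping_cidrs(customer_cidrs, tray_cidr=TRAY_PEER_CIDR):
    """Customer CIDRs that collide with the Tray peer range (empty = safe to peer)."""
    tray = ipaddress.ip_network(tray_cidr)
    return [c for c in customer_cidrs if ipaddress.ip_network(c).overlaps(tray)]

def audit_ingress(rules, allowed_ports, tray_cidr=TRAY_PEER_CIDR):
    """Flag security-group rules that grant the peer more than it needs.

    A rule passes only if its source is contained in the Tray peer CIDR
    (a wider source admits anything else that can reach the route) and its
    port is one the Tray connectors actually use for the service.
    """
    tray = ipaddress.ip_network(tray_cidr)
    findings = []
    for rule in rules:
        source = ipaddress.ip_network(rule["cidr"])
        if not source.subnet_of(tray):
            findings.append((rule, "source wider than Tray peer CIDR"))
        elif rule["port"] not in allowed_ports:
            findings.append((rule, "port not required by Tray connectors"))
    return findings

def peer_routes(peering_connection_id, tray_cidr=TRAY_PEER_CIDR):
    """Customer route-table entry: route only the Tray /25 to the peering
    connection, not a larger summary that would also cover unrelated space."""
    return [{"destination": str(ipaddress.ip_network(tray_cidr)),
             "target": peering_connection_id}]

if __name__ == "__main__":
    print("overlaps:", overlapping_cidrs(CUSTOMER_VPC_CIDRS))
    for rule, reason in audit_ingress(SAMPLE_INGRESS, allowed_ports={5432}):
        print("FINDING:", rule, "-", reason)
    print("routes:", peer_routes("pcx-EXAMPLE"))
```

Run it against the real values from `describe-vpcs` and `describe-security-groups` to confirm the peer range fits and that only the intended service port is open to it.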
