AWS VPC peering

You can use AWS VPC peering for C-tier and D-tier Classic databases hosted on AWS.

Prerequisites

Create the virtual network

Enable the connection in Astra

To enable the VPC peering connection in Astra, you need to attach the connection to your database, download the internal secure connect bundle for use with your VPC peering connection, and add your peering connection to your database’s IP access list.

  • Astra Portal

  • DevOps API

  1. In the Astra Portal navigation menu, click Databases, and then click the name of your database.

  2. Click Add Peering Connection.

  3. For Account ID, enter your account ID, without dashes, from My Account in the AWS Console.

  4. For VPC ID, enter the VPC ID that you want to use from the list of VPCs in your AWS VPC dashboard.

  5. For VPC CIDR, enter the CIDR block for your AWS VPC. Optionally, you can add the CIDR block to the allowlist.

    The CIDR block cannot overlap your Astra VPC CIDR block.

  6. For Application VPC Region, select a receiving VPC region.

    To reduce latency, DataStax recommends selecting a region that is geographically close to your Astra DB database’s region and your AWS VPC region.

  7. Click Initiate.

  1. Use the DevOps API to get VPC peering connection details for a database:

    curl -sS -L -X GET "https://api.astra.datastax.com/v2/peering/provider/aws/database/DATABASE_ID" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"

    Replace the following:

  2. Use the DevOps API to create a VPC peering connection for a database:

    curl -sS -L -X POST "https://api.astra.datastax.com/v2/peering/provider/aws/database/DATABASE_ID" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"
--data '{
  "accountId": AWS_ACCOUNT_ID,
  "vpcId": "VPC_ID",
  "region": "string",
  "cidrBlock": "CIDR_BLOCK"
}'

    Replace the following:

    • DATABASE_ID: The database ID.

    • APPLICATION_TOKEN: An application token with the Database Administrator role.

    • AWS_ACCOUNT_ID: The ID of the AWS account that the VPC belongs to.

    • VPC_ID: The VPC ID that you want to use from the list of VPCs in your AWS VPC dashboard.

    • CIDR_BLOCK: The CIDR block for your AWS VPC.

      Result

      A successful request returns an object describing the new VPC peering connection:

      {
  "connectionId": "PEERING_CONNECTION_UUID",
  "status": "CONNECTION_STATUS",
  "currentVpc": {
    "provider": "aws",
    "account": "AWS_ACCOUNT_ID",
    "vpcId": "VPC_UUID",
    "cidrBlock": "137.187.23.0/24"
  },
  "otherVpc": {
    "provider": "aws",
    "account": "AWS_ACCOUNT_ID",
    "vpcId": "VPC_UUID",
    "cidrBlock": "137.187.23.0/24"
  }
}

Accepting the peering request in AWS

Do the following in the AWS CLI:

  1. Accept the peering connection:

    aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id ASTRA_CONNECTION_ID --region AWS_REGION

    For more information, see Accepting a VPC peering connection.

  2. Get the REQUESTER_VPC_CIDR_BLOCK:

    aws ec2 describe-vpc-peering-connections --vpc-peering-connection-ids "$PEERING_CONNECTION_ID" --region "$REGION" | jq -r ".VpcPeeringConnections[].RequesterVpcInfo.CidrBlock"

  3. Add the route in your AWS route table with sender’s CIDR and peering connection ID:

    aws ec2 create-route --route-table-id AWS_ROUTE_TABLE_ID --destination-cidr-block REQUESTER_VPC_CIDR_BLOCK --vpc-peering-connection-id CONNECTION_ID --region AWS_VPC_REGION

    For more information, see Updating your Route tables for a VPC peering connection.

Finalize the configuration

  1. Download the secure connect bundle to connect to the Astra DB database. This internal secure connect bundle ensures the connection is routed through private IP addresses, not the open internet.

    You can use the internal secure connect bundle in the same way that you use a standard secure connect bundle to connect to your database.

  2. If you didn’t do so already, add the VPC connection’s CIDR block to the database IP access list to ensure your application isn’t disconnected.

Remove a VPC peering connection

  1. Use the DevOps API to delete a VPC peering connection for a database:

    curl -sS -L -X DELETE "https://api.astra.datastax.com/v2/peering/provider/aws/database/DATABASE_ID" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"

  2. If applicable, remove the disconnected peering connection from AWS.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com