VPC Peering
Private network connectivity between your VPC and a LaserData Managed deployment
VPC Peering creates a direct, private network connection between your VPC and a LaserData Managed deployment. Traffic flows over private IPs within the cloud provider's network - it never traverses the public internet.
VPC Peering is available for Managed deployments on AWS and GCP. BYOC deployments already run in your VPC and do not need peering. Requires the Pro or Enterprise plan.
Why VPC Peering
By default, Managed deployments are accessed over public endpoints protected by access rules. VPC Peering gives you a private network path instead:
- Traffic stays within the cloud provider's backbone - lower latency, no internet exposure
- No need to open public IPs on your application side
- Combine with access rules for defense-in-depth - allow only your peered VPC CIDR
Your VPC CIDR must not overlap with the deployment's subnet or any other active peering connections on the same deployment. If there is an overlap, the request is rejected with details about which CIDRs conflict.
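A local pre-flight check for the overlap rule above, as an added example (not LaserData's own code). It assumes the deployment subnet is the `requester_cidr` and existing peers are the `accepter_cidr` in the List Peering Connections response shown in the API Reference; the sample data is constructed.

```python
import ipaddress
import re

# Constructed sample shaped like the List Peering Connections response on this page.
EXISTING = [
    {"name": "app-to-iggy", "requester_cidr": "10.0.0.0/16",
     "accepter_cidr": "172.16.0.0/16", "status": "active"},
    {"name": "old-batch", "requester_cidr": "10.0.0.0/16",
     "accepter_cidr": "192.168.0.0/20", "status": "expired"},
]

def preflight(payload, existing):
    """Return a list of problems with an AWS create payload; empty means OK."""
    problems = []
    if not re.fullmatch(r"\d{12}", payload.get("peer_owner_id", "")):
        problems.append("peer_owner_id must be a 12-digit AWS account ID")
    if not payload.get("peer_vpc_id", "").startswith("vpc-"):
        problems.append("peer_vpc_id must start with 'vpc-'")
    try:
        # strict=True rejects CIDRs with host bits set, e.g. 172.16.5.0/16
        mine = ipaddress.ip_network(payload.get("peer_vpc_cidr", ""), strict=True)
    except ValueError as exc:
        problems.append(f"peer_vpc_cidr is not a valid CIDR block: {exc}")
        return problems
    for conn in existing:
        deployment = ipaddress.ip_network(conn["requester_cidr"])
        if mine.overlaps(deployment):
            problems.append(f"overlaps deployment subnet {deployment}")
        # Only active peerings count, per the rule above (assumption: the
        # status string is "active", as in the page's sample response).
        if conn["status"] == "active":
            peer = ipaddress.ip_network(conn["accepter_cidr"])
            if mine.overlaps(peer):
                problems.append(f"overlaps active peering '{conn['name']}' ({peer})")
    return sorted(set(problems))
```
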
AWS VPC Peering
Prerequisites
- A running Managed deployment on AWS
- An AWS VPC in the same or different region
- Your AWS Account ID (12-digit number, found in the AWS Console top-right)
- Your VPC ID (starts with vpc-, found in the AWS VPC Console)
- Your VPC CIDR block
Setup
- Navigate to your deployment and open the Networking tab
- Click Add VPC Peering
- Enter a name for the connection
- Provide your VPC ID, AWS Account ID, and VPC CIDR block
- If your VPC is in a different region, specify the peer region
- Click Create
LaserData validates your inputs, creates the AWS peering request, and automatically configures routing and security groups on the deployment side. The connection starts in Pending Acceptance status.
Accept the Peering Request
- Open the AWS VPC Console in the region where your VPC is located
- Go to Peering Connections
- Find the pending request from LaserData and select it
- Click Actions → Accept Request
Configure Your VPC
After accepting the peering request, configure routing on your side:
- Go to Route Tables in the AWS VPC Console
- Select the route table associated with your VPC subnets
- Click Edit routes → Add route
- Set Destination to the LaserData deployment subnet CIDR (shown in the Console)
- Set Target to the peering connection ID (pcx-...)
- Save the route
- Update your security groups to allow traffic to/from the deployment CIDR
Connection Status
| Status | Meaning | Action |
|---|---|---|
| Pending Acceptance | Waiting for you to accept in AWS | Accept in the AWS VPC Console |
| Active | Peering established, traffic can flow | No action needed |
| Rejected | You rejected the request | Delete and recreate if needed |
| Expired | Request was not accepted in time | Delete and recreate |
| Failed | Could not establish peering | Verify VPC ID and Account ID, then recreate |
GCP VPC Peering
Prerequisites
- A running Managed deployment on GCP
- A GCP VPC network
- Your GCP Project ID (6-30 characters, lowercase letters, digits, and hyphens)
- Your VPC network name (lowercase letters, digits, and hyphens, max 63 characters)
- Your VPC CIDR block
Setup
- Navigate to your deployment and open the Networking tab
- Click Add VPC Peering
- Enter a name for the connection
- Provide your GCP Project ID, VPC network name, and VPC CIDR block
- Click Create
LaserData creates the peering connection from the deployment VPC to your network. The connection starts in Inactive status until you create the reciprocal peering on your side.
Create the Reciprocal Peering
GCP VPC Peering requires both sides to establish the connection. After LaserData creates its side:
- Open the GCP Console → VPC network → VPC network peering
- Click Create peering connection
- Enter a name for the peering
- Select your VPC network
- Enter the LaserData project ID and VPC network name (shown in the Console instructions)
- Click Create
The LaserData Console provides tailored instructions for each peering connection based on its current status. Check the peering connection detail view for step-by-step guidance specific to your setup.
Configure Firewall Rules
After both sides are peered:
- Go to VPC network → Firewall in the GCP Console
- Create an ingress rule allowing traffic from the LaserData deployment CIDR
- Create an egress rule allowing traffic to the deployment CIDR
Connection Status
| Status | Meaning | Action |
|---|---|---|
| Inactive | Waiting for reciprocal peering from your side | Create the peering in GCP Console |
| Active | Peering established, traffic can flow | No action needed |
| Failed | Could not establish peering | Verify project ID and VPC name, then recreate |
LaserData periodically syncs the peering status with GCP. The status updates automatically once the reciprocal peering is created.
Deleting a Peering Connection
You can delete a peering connection from the Networking tab in the Console. This removes the peering connection and routing configuration on the LaserData side.
You should also clean up the corresponding peering, routes, and firewall/security group entries in your own VPC.
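One way to find what is left on the AWS side after a deletion, as an added example (not LaserData's own tooling). It reads the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` produce; the sample data, IDs and port are constructed placeholders, and `leftovers` is a hypothetical helper name.

```python
import ipaddress

# Constructed samples in the shape of `aws ec2 describe-route-tables` and
# `aws ec2 describe-security-groups` JSON output; all IDs are placeholders.
ROUTE_TABLES = {"RouteTables": [{"RouteTableId": "rtb-0example1", "Routes": [
    {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "10.0.0.0/16", "VpcPeeringConnectionId": "pcx-0example1",
     "State": "blackhole"},
]}]}
SECURITY_GROUPS = {"SecurityGroups": [{
    "GroupId": "sg-0example1",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                       "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1",
                             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}]}

def leftovers(route_tables, security_groups, deployment_cidr, pcx_id):
    """List (resource_id, kind, detail) entries still tied to a deleted peering."""
    dep = ipaddress.ip_network(deployment_cidr)
    found = []
    for rtb in route_tables["RouteTables"]:
        for route in rtb["Routes"]:
            if route.get("VpcPeeringConnectionId") == pcx_id:
                # AWS reports routes whose target no longer exists as "blackhole".
                detail = f"{route.get('DestinationCidrBlock')} ({route.get('State')})"
                found.append((rtb["RouteTableId"], "route", detail))
    for sg in security_groups["SecurityGroups"]:
        for direction in ("IpPermissions", "IpPermissionsEgress"):
            for perm in sg.get(direction, []):
                for rng in perm.get("IpRanges", []):
                    net = ipaddress.ip_network(rng["CidrIp"])
                    # Flag rules scoped to the deployment CIDR; broad rules such
                    # as 0.0.0.0/0 were not added for the peering and are skipped.
                    if net.subnet_of(dep):
                        found.append((sg["GroupId"], direction, rng["CidrIp"]))
    return found
```
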
Plan Limits
| Resource | Basic | Pro | Enterprise |
|---|---|---|---|
| VPC peering connections per deployment | - | 3 | 10 |
| Private networking | - | Available | Available |
Audit
All VPC peering operations are recorded in the audit log:
- Peering created - who requested it, which VPC and CIDR
- Peering deleted - who removed it and when
API Reference
For programmatic access via API keys, the following endpoints are available. The API path differs by cloud provider.
Required permission: deployment:network:manage (create, delete) or deployment:network:read (list, instructions)
AWS
Create a Peering Connection
curl -X POST {supervisor_url}/deployments/{deployment_id}/network/vpc_peering \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "app-to-iggy",
"peer_vpc_id": "vpc-0abc123def456789a",
"peer_owner_id": "123456789012",
"peer_vpc_cidr": "172.16.0.0/16",
"peer_region": "us-west-2",
"remarks": "Application VPC to deployment"
}'

Returns 204 No Content.
List Peering Connections
curl {supervisor_url}/deployments/{deployment_id}/network/vpc_peering \
-H "ld-api-key: YOUR_API_KEY"

[
{
"id": 1,
"name": "app-to-iggy",
"peering_connection_id": "pcx-0abc123def456789a",
"requester_vpc_id": "vpc-deployment",
"requester_cidr": "10.0.0.0/16",
"accepter_vpc_id": "vpc-0abc123def456789a",
"accepter_cidr": "172.16.0.0/16",
"requester_region": "us-west-1",
"accepter_region": "us-west-2",
"requester_owner_id": "987654321098",
"accepter_owner_id": "123456789012",
"route_table_ids": ["rtb-0abc123def456789a"],
"status": "active",
"expiry_at": null,
"remarks": "Application VPC to deployment",
"created_at": "2025-01-15T10:30:00Z",
"updated_at": "2025-01-15T10:35:00Z"
}
]

Get Setup Instructions
Returns step-by-step instructions tailored to the current peering status:
curl {supervisor_url}/deployments/{deployment_id}/network/vpc_peering/{peering_id}/instructions \
-H "ld-api-key: YOUR_API_KEY"

Delete a Peering Connection
curl -X DELETE {supervisor_url}/deployments/{deployment_id}/network/vpc_peering/{peering_id} \
-H "ld-api-key: YOUR_API_KEY"

Returns 204 No Content.
GCP
Create a Peering Connection
curl -X POST {supervisor_url}/deployments/{deployment_id}/network/gcp/vpc_peering \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "app-to-iggy",
"peer_vpc_name": "my-vpc-network",
"peer_project_id": "my-gcp-project",
"peer_vpc_cidr": "172.16.0.0/16",
"remarks": "Application VPC to deployment"
}'

Returns 204 No Content.
| Field | Required | Description |
|---|---|---|
| name | Yes | Name for the peering connection |
| peer_vpc_name | Yes | Your GCP VPC network name (lowercase, digits, hyphens, max 63 chars) |
| peer_project_id | Yes | Your GCP project ID (6-30 chars, lowercase, digits, hyphens) |
| peer_vpc_cidr | Yes | Your VPC CIDR block (must not overlap with deployment subnet) |
| remarks | No | Optional description |
List Peering Connections
curl {supervisor_url}/deployments/{deployment_id}/network/gcp/vpc_peering \
-H "ld-api-key: YOUR_API_KEY"

[
{
"id": 1,
"name": "app-to-iggy",
"peering_name": "laser-peering-12345",
"local_vpc_name": "ld-vpc-deployment-42",
"peer_vpc_name": "my-vpc-network",
"peer_project_id": "my-gcp-project",
"state": "ACTIVE",
"state_details": null,
"remarks": "Application VPC to deployment",
"created_at": "2026-03-20T10:30:00Z",
"updated_at": "2026-03-20T10:35:00Z"
}
]

Get Setup Instructions
Returns step-by-step instructions tailored to the current peering state. For INACTIVE peerings, includes detailed steps to create the reciprocal peering in your GCP Console.
curl {supervisor_url}/deployments/{deployment_id}/network/gcp/vpc_peering/{peering_id}/instructions \
-H "ld-api-key: YOUR_API_KEY"

{
"peering_name": "laser-peering-12345",
"state": "INACTIVE",
"local_vpc_name": "ld-vpc-deployment-42",
"peer_vpc_name": "my-vpc-network",
"peer_project_id": "my-gcp-project",
"steps": [
"Open the Google Cloud Console...",
"Navigate to VPC network peering...",
"..."
]
}

Delete a Peering Connection
curl -X DELETE {supervisor_url}/deployments/{deployment_id}/network/gcp/vpc_peering/{peering_id} \
-H "ld-api-key: YOUR_API_KEY"

Returns 204 No Content.