For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
      • AstroFully-managed data operations, powered by Apache Airflow.
      • Astro Private CloudRun Airflow-as-a-service in your environment.
      • Professional ServicesExpert Airflow services for your enterprise's success.
    • Tools
      • Cosmos
      • Orbiter
      • CLI
      • AI SDK
      • Agents
      • Blueprint
      • UpdatesThe State of Airflow 2026See the insights from over 5,800 data practitioners in the full report. Download Now ➔
  • Customers
  • Docs
    • Insights
      • Blog
      • Webinars
      • Resource Library
      • Events
    • Education
      • Academy
      • What is Airflow?
  • Pricing
Get Started Free
    • Overview
        • Connect to data services
          • AWS
            • Access a public AWS endpoint
              • VPC Peering
              • VPN
              • AWS PrivateLink
              • AWS Transit Gateway
              • Hostname resolution options
          • Azure
          • GCP
      • Billing
    • Book Office Hours

Product

  • Platform Overview
  • Astro
  • Astro Observe
  • Astro Private Cloud
  • Security & Trust
  • Pricing

Tools & Services

  • Cosmos
  • Docs
  • Professional Services
  • Product Updates

Use Cases

  • AI Ops
  • Data Observability
  • ETL/ELT
  • ML Ops
  • Operational Analytics
  • All Use Cases

Industries

  • Financial Services
  • Gaming
  • Retail
  • Manufacturing
  • Healthcare
  • All Industries

Resources

  • Academy
  • eBooks & Guides
  • Blog
  • Webinars
  • Events
  • The Data Flowcast Podcast
  • All Resources

Airflow

  • What is Airflow
  • Airflow on Astro
  • Airflow 3.0
  • Airflow Upgrades
  • Airflow Use Cases
  • Airflow 2.x End of Life

Company

  • Our Story
  • Customers
  • Newsroom
  • Careers
  • Contact

Support

  • Knowledge Base
  • Status
  • Contact Support
GitHubYouTubeLinkedInx
  • Legal
  • Privacy
  • Terms of Service
  • Consent Preferences

  • Do Not Sell or Share My Personal information
  • Limit the Use Of My Sensitive Personal Information

Apache Airflow®, Airflow, and the Airflow logo are trademarks of the Apache Software Foundation. Copyright © Astronomer 2026. All rights reserved.

LogoLogo
On this page
  • Prerequisites
  • Setup
  • Configure additional routes for a VPC connection
  • DNS considerations for VPC peering
AdministrationNetworkingConnect to data servicesAWSAWS Private Networking Options

AWS Networking: VPC Peering

Edit this page
Built with

Choose one of the following setups based on the security requirements of your company and your existing infrastructure.

This connection option is only available for dedicated Astro clusters.

Prerequisites

  • An external VPC on AWS
  • A CIDR block for your external VPC in the RFC 1918 range
  • Organization Owner permissions

Setup

To set up a private connection between an Astro VPC and an AWS VPC, you can create a VPC peering connection. VPC peering ensures private and secure connectivity, reduces network transit costs, and simplifies network layouts.

  1. Open the AWS console of the AWS account with the external VPC and copy the following:

    • AWS account ID
    • AWS region
    • VPC ID of the external VPC
    • CIDR block of the external VPC

  2. In the Astro UI, click Organization Settings, then click Clusters, select your cluster, click VPC Peering Connections, then click + VPC Peering Connection.

  3. Configure the following values for your VPC peering connection using the information you copied in Step 1:

    • Peering Name: Provide a name for the VPC peering connection.
    • AWS account ID: Enter the account ID of the external VPC.
    • Destination VPC ID: Enter the VPC ID.
    • Destination VPC region: Enter the region of the external VPC.
    • Destination VPC CIDR block: Enter the CIDR block of the external VPC.

  4. Click Create Connection. The connection appears as Pending.

  5. Wait a few minutes for the Complete Activation button to appear, then click Complete Activation link.

  6. In the modal that appears, follow the instructions to accept the connection from your external VPC and create routes from the external VPC to Astro.

A few minutes after you complete the instructions in the modal, the connection status changes from Pending to Active. A new default route appears in Routes with your configured CIDR block.

Troubleshooting VPC connection statuses

Astro might show additional information in your connection status if it has an issue when it creates the connection. The following are all possible connection statuses.

  • Pending (Without Complete Activation): Astro is sending the peering request to the external VPC. Wait 1-2 minutes for request to be created and sent.
  • Pending (With Complete Activation): The peering connection request has been created and sent. Click Complete Activation to finish the setup.
  • Active: The peering connection was successfully created and accepted.
  • Failed: The peering connection request was rejected. Delete the failed connection and retry using a new connection configuration. If you don’t delete the failed connection, Astro will retry creating the peering request whenever you create a new VPC connection.
  • Not Found: Astro failed to create the peering request. Wait 5 minutes for Astro to retry. If the status hasn’t changed after 5 minutes, delete the connection and retry using a new connection configuration.

Note that a VPC connection can be listed as Active even when it has an incorrectly configured CIDR block. To reconfigure your CIDR block without deleting your connection, delete the route that was generated when you configured the connection and create a new route with the correct CIDR block.

Configure additional routes for a VPC connection

Your initial VPC connection connects Astro to your external VPC through a primary CIDR block. To connect Astro to other data services or systems within the external VPC, you can create additional routes to secondary CIDR blocks or subnets within the primary CIDR block. You can also complete this setup if you recently configured a new service in your external VPC and want to connect it with Astro without updating your base VPC connection.

  1. Open the Routes tab, then click + Route.

  2. Configure the following details for your route:

    • Route ID: Provide a name for the route.
    • Destination: Enter the subnet of the service in the external VPC.
    • Target: Select the VPC peering connection you configured.

  3. Click Create Route, then wait a few minutes for the route to be created.

DNS considerations for VPC peering

If your external VPC resolves DNS hostnames using DNS Hostnames and DNS Resolution, you must also enable the Accepter DNS Resolution setting on AWS. This allows Astro clusters and Deployments to resolve the public DNS hostnames of the external VPC to its private IP addresses. To configure this option, see AWS Documentation.

If your external VPC resolves DNS hostnames using private hosted zones, then you must associate your Route53 private hosted zone with the Astro VPC using instructions provided in AWS Documentation.

To retrieve the ID of any Astro VPC, contact Astronomer support. If you have more than one Astro cluster, request the VPC ID of each cluster.