VPC peering facilitates network traffic between VPCs. By default, AWS CloudFormation does not support creating VPC peering connections between VPCs in different AWS accounts. How do I work around this limitation?

When you request a VPC peering connection from one AWS account (referred to here as the requester_account) to a VPC in another AWS account (a peer_account), the peer account must approve the request in order to activate it. By default, the requester account cannot both request and approve VPC the request.

This article describes a procedure that allows a requester_account to both request and approve the peering connection. To do so, the peer_account must create a cross-account role that the requester_account can use to accept the peering request. The requester_account uses the AWS Security Token Service (STS) AssumeRole action to obtain temporary security credentials, which confer the permissions associated with the cross-account role. Through its associated IAM policies, the cross-account role has permission to accept the peering request.

Follow these steps to use CloudFormation with AWS Lambda and CloudFormation custom resources to create a peering connection between VPCs in different AWS accounts.

Important: The AWS CloudFormation templates referenced by this article are in the Amazon Web Services - Labs (awslabs) Github repository and freely available to download and use for testing purposes only. For information about instantiating CloudFormation templates, see Creating a Stack (AWS CLI) and Creating a Stack on the AWS CloudFormation Console.

1.    Instantiate the example template (CrossAccountRoleTemplate.json) using the peer_account. This template creates an IAM role that has permission to accept the connection request.  You must provide the following parameter when you run this template:

  • RequesterAccountNumber: The account number for the AWS requester_account.

2.    Instantiate the example template (VPCPeer.json) using the requester_account. This template creates a CloudFormation stack with a custom resource (and associated Lambda function) that creates a custom VPC peering connection resource. When the custom resource is created, CloudFormation invokes the associated Lambda function which then:

  • Initiates a peering request with the peer account.
  • Assumes the cross-account role.
  • Accepts the connection request, thereby activating the peering connection.

You must provide the following parameters when you run this template:

  • LocalVPC: The VPC ID on the local account.
  • PeerVPC: The VPC ID on the peer account.
  • PeerVPCOwner: The account ID of the peer account.
  • PeerRoleName: The name of the role created by the previous template.

Note: If you need to create more than one VPC peering connection between the same AWS accounts, you must create a separate stack for each peering connection from the requester_account.

CloudFormation, stack, template, Lambda, Boto, IAM, STS, VPC, cross-account, VPCPeer, custom resource, STS, awslabs

Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2017-03-15