How do I resolve the “VpcPeeringConnection failed to stabilize” error in AWS CloudFormation?


I get a "VpcPeeringConnection failed to stabilize" error in AWS CloudFormation when I try to create an Amazon Virtual Private Cloud (Amazon VPC) peering connection between an accepter VPC and requester VPC.

Short description

You can receive this error for the following reasons:

  • Your AWS::EC2::VPCPeeringConnection resource was created in the accepter account.
  • IPv4 CIDR ranges overlap.
  • The PeerRoleArn property isn't passed correctly when you're creating a VPC peering connection between VPCs in different accounts.
  • The AWS Identity and Access Management (IAM) role in the accepter account doesn't have the right permissions.
  • The PeerRegion property isn't passed correctly when you're creating a VPC peering connection between VPCs in different AWS Regions.

Resolution

If your AWS::EC2::VPCPeeringConnection resource was created in the accepter account

Create your AWS CloudFormation stack with the AWS::EC2::VPCPeeringConnection resource in the requester account, not the accepter account.

If IPv4 CIDR ranges overlap

Use different IPv4 CIDR blocks for the VPCs in your accepter account and requester account.

If the PeerRoleArn property isn't passed correctly when you create a VPC peering connection between VPCs in different accounts

If you're creating a VPC peering connection between VPCs in different accounts, then use the PeerRoleArn property to pass your cross-account IAM role from your accepter account in your AWS CloudFormation template. For more information, see AWS::EC2::VPCPeeringConnection. See the following JSON and YAML examples:

JSON:

{
    "myVPCPeeringConnection": {
        "Type": "AWS::EC2::VPCPeeringConnection",
        "Properties": {
            ......
            "PeerRoleArn": "arn:aws:iam::Accepter-Account-ID:role/PeerRole"
        }
    }
}

YAML:

myVPCPeeringConnection:
  Type: 'AWS::EC2::VPCPeeringConnection'
  Properties:
    .......
    PeerRoleArn: 'arn:aws:iam::Accepter-Account-ID:role/PeerRole'

If the IAM role in the accepter account doesn't have the right permissions

To allow the IAM role to accept a VPC peering connection in the accepter account, include the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ec2:AcceptVpcPeeringConnection",
            "Resource": "arn:${Partition}:ec2:${Region}:${Account}:vpc-peering-connection/${VpcPeeringConnectionId}",
            "Effect": "Allow"
        }
    ]
}

To allow the requester account to assume the IAM role, configure a trust relationship for the IAM role. For example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Requester-Account-ID:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

If the PeerRegion property isn't passed correctly when you're creating a VPC peering connection between VPCs in different AWS Regions

If the VPCs are located in different AWS Regions, then you must include the PeerRegion property in your AWS CloudFormation template and set it to the AWS Region where your accepter account VPC is located. See the following JSON and YAML examples:

JSON:

{
    "myVPCPeeringConnection": {
        "Type": "AWS::EC2::VPCPeeringConnection",
        "Properties": {
            ......
            "PeerRegion": "Accepter-VPC-Region-Code"
        }
    }
}

YAML:

myVPCPeeringConnection:
  Type: 'AWS::EC2::VPCPeeringConnection'
  Properties:
    ......
    PeerRegion: Accepter-VPC-Region-Code
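The following preflight check is an added example, not part of the AWS article: before you deploy the requester stack, it validates the inputs against the causes listed above (overlapping IPv4 CIDRs, a missing or wrong-account PeerRoleArn for cross-account peering, a missing PeerRegion for cross-Region peering) and emits the AWS::EC2::VPCPeeringConnection resource for the requester account. It also sets PeerOwnerId, a real property of the resource that the article does not show; all account IDs, VPC IDs, CIDRs and role names are constructed.

```python
"""Preflight check for an AWS::EC2::VPCPeeringConnection resource (added example)."""
import ipaddress
import re

# IAM role ARN: captures the 12-digit account ID that owns the role.
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)?:iam::(\d{12}):role/.+$")


def build_peering_resource(requester, accepter, peer_role_arn=None):
    """Return {logical_id: resource} for the *requester* account's stack.

    `requester` and `accepter` are dicts with keys account, region, vpc_id, cidr
    (constructed inputs). Raises ValueError naming the cause that would make the
    peering connection fail to stabilize.
    """
    req_net = ipaddress.ip_network(requester["cidr"], strict=True)
    acc_net = ipaddress.ip_network(accepter["cidr"], strict=True)
    if req_net.overlaps(acc_net):
        raise ValueError(f"IPv4 CIDR ranges overlap: {req_net} and {acc_net}")

    props = {
        "VpcId": requester["vpc_id"],
        "PeerVpcId": accepter["vpc_id"],
    }

    if requester["account"] != accepter["account"]:
        # Cross-account: the requester must assume a role that lives in the accepter account.
        props["PeerOwnerId"] = accepter["account"]
        match = ROLE_ARN_RE.match(peer_role_arn or "")
        if not match:
            raise ValueError("cross-account peering requires PeerRoleArn (an IAM role ARN)")
        if match.group(1) != accepter["account"]:
            raise ValueError("PeerRoleArn must belong to the accepter account")
        props["PeerRoleArn"] = peer_role_arn

    if requester["region"] != accepter["region"]:
        # Cross-Region: PeerRegion is the Region of the accepter VPC, not the requester's.
        props["PeerRegion"] = accepter["region"]

    return {
        "myVPCPeeringConnection": {
            "Type": "AWS::EC2::VPCPeeringConnection",
            "Properties": props,
        }
    }
```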

Related information

Walkthrough: Peer with an Amazon VPC in another AWS account

Create a VPC peering connection

AWS OFFICIAL
Updated 3 years ago