How do I resolve the “VpcPeeringConnection failed to stabilize” error in AWS CloudFormation?

Last updated: 2019-05-28

I get a "VpcPeeringConnection failed to stabilize" error in AWS CloudFormation when I try to create an Amazon Virtual Private Cloud (Amazon VPC) peering connection between an accepter VPC and requester VPC. How can I resolve this error?

Short Description

You can receive this error for the following reasons:

  • Your AWS::EC2::VPCPeeringConnection resource was created in the accepter account.
  • IPv4 CIDR ranges overlap.
  • The PeerRoleArn property isn't passed correctly when you're creating a VPC peering connection between VPCs in different accounts.
  • The AWS Identity and Access Management (IAM) role in the accepter account doesn't have the right permissions.
  • The PeerRegion property isn't passed correctly when you're creating a VPC peering connection between VPCs in different Regions.

Resolution

Your AWS::EC2::VPCPeeringConnection resource was created in the accepter account

Create your AWS CloudFormation stack with the AWS::EC2::VPCPeeringConnection resource in the requester account, not the accepter account. The requester is the account that owns the VPC you reference in the resource's VpcId property; the accepter VPC is referenced through PeerVpcId (and PeerOwnerId when it is in another account).

IPv4 CIDR ranges overlap

A VPC peering connection can't be created between VPCs whose IPv4 CIDR blocks match or overlap, including any secondary CIDR blocks. Use non-overlapping IPv4 CIDR blocks for the VPCs in your accepter account and requester account.

The PeerRoleArn property isn't passed correctly when you're creating a VPC peering connection between VPCs in different accounts

If you're creating a VPC peering connection between VPCs in different accounts, then use the PeerRoleArn property to pass the ARN of a cross-account IAM role that exists in the accepter account. AWS CloudFormation assumes this role to accept the peering connection on the accepter side, so the property is required whenever PeerOwnerId is a different account. For more information, see AWS::EC2::VPCPeeringConnection. See the following JSON and YAML examples:

JSON:

{
    "myVPCPeeringConnection": {
        "Type": "AWS::EC2::VPCPeeringConnection",
        "Properties": {
            ......
            "PeerRoleArn": "arn:aws:iam::Accepter-Account-ID:role/PeerRole"
        }
    }
}

YAML:

myVPCPeeringConnection:
  Type: 'AWS::EC2::VPCPeeringConnection'
  Properties:
    .......
    PeerRoleArn: 'arn:aws:iam::Accepter-Account-ID:role/PeerRole'

The IAM role in the accepter account doesn't have the right permissions

To allow the IAM role to accept a VPC peering connection in the accepter account, attach a policy with the following permission to the role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ec2:AcceptVpcPeeringConnection",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

To allow the requester account to assume the IAM role, configure a trust relationship for the IAM role as follows. Note that a principal of arn:aws:iam::Requester-Account-ID:root delegates to the whole requester account: any IAM principal in that account whose own policy grants sts:AssumeRole on this role can assume it, so keep the role's permissions limited to accepting peering connections.

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Requester-Account-ID:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
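The accepter-side role deployed as its own AWS CloudFormation stack, as an added example that is not part of the original article. It combines the permissions policy and trust policy above into one AWS::IAM::Role and exports the role ARN that the requester account must pass as PeerRoleArn. The parameter name RequesterAccountId, the role name PeerRole and the policy name AcceptVpcPeering are assumptions chosen for this example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Accepter-account role that the requester account assumes to accept a VPC
  peering connection (added example, not from the original article).

Parameters:
  RequesterAccountId:
    Type: String
    Description: 12-digit AWS account ID of the requester account (assumed placeholder).
    AllowedPattern: '^[0-9]{12}$'

Resources:
  PeerRole:
    Type: AWS::IAM::Role
    Properties:
      # Fixed name so the requester template can build the ARN without a lookup.
      # Deploying a named IAM role requires CAPABILITY_NAMED_IAM on the stack.
      RoleName: PeerRole
      # Trust policy: only principals in the requester account may assume this role.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${RequesterAccountId}:root'
            Action: sts:AssumeRole
      # Permissions policy: the only thing this role can do is accept peering requests.
      Policies:
        - PolicyName: AcceptVpcPeering
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: ec2:AcceptVpcPeeringConnection
                Resource: '*'

Outputs:
  PeerRoleArn:
    Description: Pass this value as PeerRoleArn in the requester account's template.
    Value: !GetAtt PeerRole.Arn
```

Deploy this stack in the accepter account first, then use the PeerRoleArn output (arn:aws:iam::Accepter-Account-ID:role/PeerRole) in the requester account's template. Because the role name is fixed, the stack must be created with the CAPABILITY_NAMED_IAM capability.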

The PeerRegion property isn't passed correctly when you're creating a VPC peering connection between VPCs in different Regions

If the VPCs are located in different AWS Regions, then you must include the PeerRegion property in your AWS CloudFormation template and set it to the code of the AWS Region where the accepter VPC is located (for example, us-west-2). If PeerRegion is omitted, AWS CloudFormation looks for the peer VPC in the Region of the stack and the connection fails to stabilize. See the following JSON and YAML examples:

JSON:

{
    "myVPCPeeringConnection": {
        "Type": "AWS::EC2::VPCPeeringConnection",
        "Properties": {
            ......
            "PeerRegion": "Accepter-VPC-Region-Code"
        }
    }
}

YAML:

myVPCPeeringConnection:
  Type: 'AWS::EC2::VPCPeeringConnection'
  Properties:
    ......
    PeerRegion: Accepter-VPC-Region-Code
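A complete requester-side template that brings the PeerRoleArn and PeerRegion sections together, as an added example that is not part of the original article. It creates a cross-account, cross-Region peering connection from the requester account and adds a route to the accepter VPC's CIDR so that traffic can actually use the connection once it is accepted. The parameter names, the default Region us-west-2 and the role name PeerRole (which must match the role created in the accepter account) are assumptions chosen for this example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Requester-account stack that peers a local VPC with a VPC in another account
  and another Region (added example, not from the original article).

Parameters:
  RequesterVpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC in this account and Region (the requester VPC).
  RequesterRouteTableId:
    Type: String
    Description: Route table in the requester VPC that should reach the peer CIDR.
  AccepterAccountId:
    Type: String
    Description: 12-digit AWS account ID of the accepter account (assumed placeholder).
    AllowedPattern: '^[0-9]{12}$'
  AccepterVpcId:
    Type: String
    Description: ID of the accepter VPC, which lives in the accepter account (assumed placeholder).
  AccepterVpcCidr:
    Type: String
    Description: IPv4 CIDR of the accepter VPC; must not overlap the requester VPC's CIDR blocks.
  AccepterRegion:
    Type: String
    Default: us-west-2
    Description: Region of the accepter VPC; required when it differs from the stack's Region.

Resources:
  # This resource must be created in the requester account: VpcId is the local VPC,
  # and the Peer* properties describe the remote VPC.
  myVPCPeeringConnection:
    Type: AWS::EC2::VPCPeeringConnection
    Properties:
      VpcId: !Ref RequesterVpcId
      PeerVpcId: !Ref AccepterVpcId
      PeerOwnerId: !Ref AccepterAccountId
      # Cross-Region peering: point CloudFormation at the accepter VPC's Region.
      PeerRegion: !Ref AccepterRegion
      # Cross-account peering: role in the accepter account that CloudFormation assumes
      # to accept the request. The name must match the role deployed there.
      PeerRoleArn: !Sub 'arn:aws:iam::${AccepterAccountId}:role/PeerRole'
      Tags:
        - Key: Name
          Value: requester-to-accepter

  # A peering connection passes no traffic until each side routes to the other.
  # This is the requester side; the accepter account needs the mirror route.
  RouteToPeer:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref RequesterRouteTableId
      DestinationCidrBlock: !Ref AccepterVpcCidr
      VpcPeeringConnectionId: !Ref myVPCPeeringConnection

Outputs:
  PeeringConnectionId:
    Description: ID of the peering connection (pcx-...) for the accepter's return route.
    Value: !Ref myVPCPeeringConnection
```

Create this stack with credentials in the requester account. If the VPCs are in the same Region you can leave PeerRegion out entirely; if they are in the same account you can leave out PeerOwnerId and PeerRoleArn, but the IAM role section still applies whenever the accounts differ.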