How do I resolve the "VpcPeeringConnection failed to stabilize" error in CloudFormation?


I get a "VpcPeeringConnection failed to stabilize" error in AWS CloudFormation when I try to create an Amazon Virtual Private Cloud (Amazon VPC) peering connection.

Short description

You can receive the "VpcPeeringConnection failed to stabilize" error for the following reasons:

  • Your AWS::EC2::VPCPeeringConnection resource was created in the accepter account.
  • IPv4 CIDR ranges overlap.
  • The PeerRoleArn property isn't passed correctly when you create a VPC peering connection between VPCs in different accounts.
  • The AWS Identity and Access Management (IAM) role in the accepter account doesn't have the correct permissions.
  • The PeerRegion property isn't passed correctly when you create a VPC peering connection between VPCs in different AWS Regions.

Resolution

AWS::EC2::VPCPeeringConnection resource created in the accepter account

Create your CloudFormation stack with the AWS::EC2::VPCPeeringConnection resource in the requester account, not the accepter account.

IPv4 CIDR ranges overlap

Use different IPv4 CIDR blocks for the VPCs in your accepter account and requester account.

PeerRoleArn property isn't passed correctly when you create a VPC peering connection between VPCs in different accounts

If you create a VPC peering connection between VPCs in different accounts, then use the PeerRoleArn property. This property passes the ARN of the cross-account IAM role in your accepter account into your CloudFormation template. For more information, see AWS::EC2::VPCPeeringConnection.

See the following JSON and YAML examples.

JSON:

{
  "myVPCPeeringConnection": {
    "Type": "AWS::EC2::VPCPeeringConnection",
    "Properties": {
      ......
      "PeerRoleArn": "arn:aws:iam::Accepter-Account-ID:role/PeerRole"
    }
  }
}

YAML:

myVPCPeeringConnection:
  Type: 'AWS::EC2::VPCPeeringConnection'
  Properties:
    ......
    PeerRoleArn: 'arn:aws:iam::Accepter-Account-ID:role/PeerRole'

IAM role in the accepter account doesn't have the correct permissions

To allow the IAM role to accept a VPC peering connection in the accepter account, include the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:AcceptVpcPeeringConnection",
      "Resource": "arn:${Partition}:ec2:${Region}:${Account}:vpc-peering-connection/${VpcPeeringConnectionId}",
      "Effect": "Allow"
    }
  ]
}

To allow the requester account to assume the IAM role, configure a trust relationship for the IAM role. For example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Requester-Account-ID:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
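A quick offline way to check an accepter role against the two requirements above (an Allow for ec2:AcceptVpcPeeringConnection in its permissions policy, and a trust policy that lets the requester account call sts:AssumeRole). This is an added example, not code from the article or from AWS; the two policy documents and the account IDs 111111111111 (requester) and 222222222222 (accepter) are constructed sample values, and the matching logic is a simplified reading of IAM policy semantics (it handles string-or-list values and action wildcards, but not conditions or NotAction).

```python
import fnmatch
import json

# Constructed sample policies attached to the accepter account's PeerRole (not from the article).
ACCEPTER_PERMISSIONS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:AcceptVpcPeeringConnection",
      "Resource": "arn:aws:ec2:us-east-1:222222222222:vpc-peering-connection/*",
      "Effect": "Allow"
    }
  ]
}
""")

ACCEPTER_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
      "Action": "sts:AssumeRole"
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts either a string or a list of strings for Action/Resource/Principal values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and may use '*' wildcards (e.g. ec2:Accept*)."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allows_accept_peering(permissions_policy):
    """True if an Allow statement grants ec2:AcceptVpcPeeringConnection (directly or via a
    wildcard) and no Deny statement names it. Conditions and NotAction are not evaluated."""
    allowed = denied = False
    for stmt in permissions_policy.get("Statement", []):
        actions = _as_list(stmt.get("Action"))
        if any(_action_matches(a, "ec2:AcceptVpcPeeringConnection") for a in actions):
            if stmt.get("Effect") == "Allow":
                allowed = True
            elif stmt.get("Effect") == "Deny":
                denied = True
    return allowed and not denied


def trusts_requester_account(trust_policy, requester_account_id):
    """True if the trust policy lets principals from the requester account call sts:AssumeRole.
    Accepts the account root ARN, a bare account ID, or any ARN inside that account."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_action_matches(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True  # trusts every account, including the requester (far broader than needed)
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        for arn in aws_principals:
            if arn == requester_account_id or f":{requester_account_id}:" in arn:
                return True
    return False


def check_accepter_role(permissions_policy, trust_policy, requester_account_id):
    """Return the list of findings that would block the requester from accepting the peering."""
    findings = []
    if not allows_accept_peering(permissions_policy):
        findings.append("role lacks ec2:AcceptVpcPeeringConnection")
    if not trusts_requester_account(trust_policy, requester_account_id):
        findings.append(f"trust policy does not allow account {requester_account_id} to assume the role")
    return findings


if __name__ == "__main__":
    print(check_accepter_role(ACCEPTER_PERMISSIONS_POLICY, ACCEPTER_TRUST_POLICY, "111111111111"))
```

Run it against the real role's policy documents (for example, the JSON returned by get-role and get-role-policy) instead of the constructed ones; an empty findings list means both requirements from this section are met.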

PeerRegion property isn't passed correctly when you create a VPC peering connection between VPCs in different Regions

If the VPCs are located in different Regions, you must include the PeerRegion property in your CloudFormation template and set it to the Region where your accepter account's VPC is located.

See the following JSON and YAML examples.

JSON:

{
  "myVPCPeeringConnection": {
    "Type": "AWS::EC2::VPCPeeringConnection",
    "Properties": {
      ......
      "PeerRegion": "Accepter-VPC-Region-Code"
    }
  }
}

YAML:

myVPCPeeringConnection:
  Type: 'AWS::EC2::VPCPeeringConnection'
  Properties:
    ......
    PeerRegion: Accepter-VPC-Region-Code
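The three template-side causes above (overlapping IPv4 CIDRs, a missing PeerRoleArn on a cross-account peering, and a missing or wrong PeerRegion on a cross-Region peering) can be checked before the stack is created. The following preflight check is an added example, not code from the article or from AWS: it takes the parsed AWS::EC2::VPCPeeringConnection resource plus the facts the operator looks up separately (the requester account and Region, both VPC CIDR blocks, the accepter VPC's Region) and reports which of those causes applies. The VPC IDs, account IDs and CIDRs in it are constructed sample values; PeerOwnerId is the resource's real property for the accepter account, and the check treats its absence as same-account peering.

```python
import ipaddress

# Constructed sample resource from a requester-account template (not from the article).
TEMPLATE_RESOURCE = {
    "Type": "AWS::EC2::VPCPeeringConnection",
    "Properties": {
        "VpcId": "vpc-0aaa11112222bbbb3",       # requester VPC (constructed ID)
        "PeerVpcId": "vpc-0ccc44445555dddd6",   # accepter VPC (constructed ID)
        "PeerOwnerId": "222222222222",          # accepter account (constructed ID)
        "PeerRegion": "eu-west-1",
        "PeerRoleArn": "arn:aws:iam::222222222222:role/PeerRole",
    },
}


def cidrs_overlap(cidr_a, cidr_b):
    """True if the two IPv4 CIDR blocks share at least one address (peering requires disjoint blocks)."""
    a = ipaddress.ip_network(cidr_a, strict=False)
    b = ipaddress.ip_network(cidr_b, strict=False)
    return a.overlaps(b)


def preflight_peering(resource, requester_account, requester_region,
                      requester_cidr, accepter_cidr, accepter_region):
    """Return a list of findings, one per failure cause detected; an empty list means none was found.

    requester_account / requester_region: the account and Region the stack is deployed in.
    accepter_cidr / accepter_region: looked up from the accepter VPC, not taken from the template.
    """
    findings = []
    if resource.get("Type") != "AWS::EC2::VPCPeeringConnection":
        return ["resource is not an AWS::EC2::VPCPeeringConnection"]
    props = resource.get("Properties", {})

    # Cause: IPv4 CIDR ranges overlap.
    if cidrs_overlap(requester_cidr, accepter_cidr):
        findings.append(f"IPv4 CIDR ranges overlap: {requester_cidr} and {accepter_cidr}")

    # Cause: cross-account peering without a PeerRoleArn (or one in the wrong account).
    peer_owner = props.get("PeerOwnerId", requester_account)  # no PeerOwnerId means same account
    if peer_owner != requester_account:
        role_arn = props.get("PeerRoleArn", "")
        if not role_arn:
            findings.append("cross-account peering but PeerRoleArn is missing")
        elif f":iam::{peer_owner}:role/" not in role_arn:
            findings.append(f"PeerRoleArn does not belong to accepter account {peer_owner}")

    # Cause: cross-Region peering without PeerRegion, or PeerRegion naming the wrong Region.
    peer_region = props.get("PeerRegion", requester_region)   # no PeerRegion means same Region
    if accepter_region != requester_region and "PeerRegion" not in props:
        findings.append("cross-Region peering but PeerRegion is missing")
    elif peer_region != accepter_region:
        findings.append(f"PeerRegion {peer_region} does not match accepter VPC Region {accepter_region}")

    return findings


if __name__ == "__main__":
    # Constructed operator inputs: deploying from account 111111111111 in us-east-1.
    print(preflight_peering(TEMPLATE_RESOURCE, "111111111111", "us-east-1",
                            "10.0.0.0/16", "10.1.0.0/16", "eu-west-1"))
```

The first cause in the article (the resource created in the accepter account) is not visible from the resource alone; confirm separately that the account you deploy the stack into owns the VPC named in VpcId.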

Related information

Walkthrough: Peer with a VPC in another AWS account

Create a VPC peering connection

AWS OFFICIAL