I get a "VpcPeeringConnection failed to stabilize" error in AWS CloudFormation when I try to create an Amazon Virtual Private Cloud (Amazon VPC) peering connection.
Short description
You can receive the "VpcPeeringConnection failed to stabilize" error for the following reasons:
- Your AWS::EC2::VPCPeeringConnection resource was created in the accepter account.
- IPv4 CIDR ranges overlap.
- The PeerRoleArn property isn't passed correctly when you create a VPC peering connection between VPCs in different accounts.
- The AWS Identity and Access Management (IAM) role in the accepter account doesn't have the correct permissions.
- The PeerRegion property isn't passed correctly when you create a VPC peering connection between VPCs in different AWS Regions.
Resolution
AWS::EC2::VPCPeeringConnection resource created in the accepter account
Create your CloudFormation stack with the AWS::EC2::VPCPeeringConnection resource in the requester account, not the accepter account.
IPv4 CIDR ranges overlap
Use different IPv4 CIDR blocks for the VPCs in your accepter account and requester account.
PeerRoleArn property isn't passed correctly when you create a VPC peering connection between VPCs in different accounts
If you create a VPC peering connection between VPCs in different accounts, then use the PeerRoleArn property. This property passes the ARN of the cross-account IAM role in your accepter account to your CloudFormation template. For more information, see AWS::EC2::VPCPeeringConnection.
See the following JSON and YAML examples.
JSON:
{
  "myVPCPeeringConnection": {
    "Type": "AWS::EC2::VPCPeeringConnection",
    "Properties": {
      ......
      "PeerRoleArn": "arn:aws:iam::Accepter-Account-ID:role/PeerRole"
    }
  }
}
YAML:
myVPCPeeringConnection:
  Type: 'AWS::EC2::VPCPeeringConnection'
  Properties:
    .......
    PeerRoleArn: 'arn:aws:iam::Accepter-Account-ID:role/PeerRole'
IAM role in the accepter account doesn't have the right permissions
To allow the IAM role to accept a VPC peering connection in the accepter account, include the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:AcceptVpcPeeringConnection",
      "Resource": "arn:${Partition}:ec2:${Region}:${Account}:vpc-peering-connection/${VpcPeeringConnectionId}",
      "Effect": "Allow"
    }
  ]
}
To allow the requester account to assume the IAM role, configure a trust relationship for the IAM role. For example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Requester-Account-ID:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
PeerRegion property isn't passed correctly when you create a VPC peering connection between VPCs in different Regions
If the VPCs are located in different Regions, you must include PeerRegion in your CloudFormation template. Then, specify the Region where your accepter account VPC is located.
See the following JSON and YAML examples.
JSON:
{
  "myVPCPeeringConnection": {
    "Type": "AWS::EC2::VPCPeeringConnection",
    "Properties": {
      ......
      "PeerRegion": "Accepter-VPC-Region-Code"
    }
  }
}
YAML:
myVPCPeeringConnection:
  Type: 'AWS::EC2::VPCPeeringConnection'
  Properties:
    ......
    PeerRegion: Accepter-VPC-Region-Code
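As an added example that is not part of the AWS article, the following Python check reads a requester-side template and reports which of the causes above it would trigger before the stack is deployed: overlapping IPv4 CIDRs, a missing or wrong-account PeerRoleArn for cross-account peering, and a missing or wrong PeerRegion for cross-Region peering. All account IDs, VPC IDs, Regions and CIDR blocks are constructed placeholders.

```python
import ipaddress

# Constructed sample inputs: placeholder account IDs, VPC IDs, Regions, CIDRs.
REQUESTER_ACCOUNT = "111111111111"
REQUESTER_REGION = "us-east-1"
REQUESTER_CIDR = "10.0.128.0/20"          # sits inside the accepter block
ACCEPTER = {"account": "222222222222", "region": "eu-west-1",
            "cidr": "10.0.0.0/16"}
TEMPLATE = {
    "Resources": {
        "myVPCPeeringConnection": {
            "Type": "AWS::EC2::VPCPeeringConnection",
            "Properties": {
                "VpcId": "vpc-0requester",
                "PeerVpcId": "vpc-0accepter",
                "PeerOwnerId": "222222222222",
                # PeerRoleArn and PeerRegion deliberately left out
            },
        }
    }
}


def lint_peering(template, requester_account, requester_region,
                 requester_cidr, accepter):
    """Return the 'failed to stabilize' causes this requester template hits."""
    findings = []
    if ipaddress.ip_network(requester_cidr).overlaps(
            ipaddress.ip_network(accepter["cidr"])):
        findings.append("IPv4 CIDR ranges overlap")
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::VPCPeeringConnection":
            continue
        props = res.get("Properties", {})
        # Cross-account: PeerRoleArn must name a role in the accepter account.
        if accepter["account"] != requester_account:
            arn = props.get("PeerRoleArn", "")
            parts = arn.split(":")   # arn:partition:iam::ACCOUNT:role/Name
            if not arn:
                findings.append(f"{name}: cross-account peering without PeerRoleArn")
            elif len(parts) != 6 or parts[4] != accepter["account"]:
                findings.append(f"{name}: PeerRoleArn is not a role in the accepter account")
        # Cross-Region: PeerRegion must be the Region of the accepter VPC.
        if accepter["region"] != requester_region:
            if props.get("PeerRegion") != accepter["region"]:
                findings.append(f"{name}: PeerRegion missing or not {accepter['region']}")
    return findings
```

Run `lint_peering(TEMPLATE, REQUESTER_ACCOUNT, REQUESTER_REGION, REQUESTER_CIDR, ACCEPTER)` against the sample and all three findings are reported; with PeerRoleArn and PeerRegion added and a non-overlapping CIDR, the list is empty.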
Related information
Walkthrough: Peer with a VPC in another AWS account
Create a VPC peering connection