Reputation: 11017
I have several pre-prod VPCs for dev, qa, etc. So far everything is managed via CloudFormation + Lambda and is very clean. Since none of the VPCs talk to each other, I can launch and tear down environments, all from one single set of templates, and it is very idempotent.
Now I have a requirement to add a management VPC for some common things between the environments. I have used VPC peering through the UI before and it's easy to manage.
However I like the flexibility of tearing down and launching new environments, especially since prod will end up being blue/green.
So to avoid having to use the UI I was thinking of adding two Lambda functions:
1. on the management VPC, list all VPCs and if there's not an existing VPC peering connection with one, request it
2. on pre-prod VPCs, poll for VPC peering connection requests and accept if from a trusted owner
This way I can tear down the stack and re-launch them without any manual intervention.
Is this a wasteful design? Are there any problems that I am not foreseeing? What is a better way to accomplish this?
Upvotes: 1
Views: 1454
Reputation: 81336
The AWS documentation states that only the owner of an account can accept a VPC peering connection. You could create a Lambda for each account and then use DescribeVpcPeeringConnections to detect the pending-acceptance state. Then call AcceptVpcPeeringConnection. To create a VPC peering connection call AcceptVpcPeeringConnection.
Notes: I do not like polling designs. In your case you would need to constantly poll to detect a new peering connection request. A better solution would be to invoke (or trigger via SNS) the Lambda functions via a script (program) after creating the VPCs.
This link is to the API Reference. From here you can select the language that you will be using at the bottom of the page.
Upvotes: 3
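The two Lambdas sketched in the question (request peerings from the management VPC; accept only trusted requests on the environment side) and the describe-then-accept flow from the answer, as an added example that is not code from the original question or answer. It uses the boto3 method names for the EC2 calls named in the thread (DescribeVpcPeeringConnections, CreateVpcPeeringConnection, AcceptVpcPeeringConnection) plus RejectVpcPeeringConnection so an unexpected request is not left sitting in pending-acceptance. `FakeEc2` is a constructed in-memory stand-in for the boto3 EC2 client so the module runs offline; the real client is only built inside `lambda_handler`, whose event keys (`vpc_id`, `trusted_owners`) are hypothetical.

```python
"""Automating VPC peering between a management VPC and pre-prod VPCs.

Added example, not the thread's own code. FakeEc2 is a constructed fake of the
boto3 EC2 client (same method names and response shapes for the calls used
here); the real client is created only inside lambda_handler.
"""
import copy

# Peering states that count as "already requested or established" for idempotency.
LIVE_STATES = {"initiating-request", "pending-acceptance", "provisioning", "active"}


def existing_peerings(ec2, requester_vpc_id):
    """Map accepter VPC id -> status for every live peering requested from requester_vpc_id."""
    resp = ec2.describe_vpc_peering_connections(
        Filters=[{"Name": "requester-vpc-info.vpc-id", "Values": [requester_vpc_id]}])
    return {p["AccepterVpcInfo"]["VpcId"]: p["Status"]["Code"]
            for p in resp["VpcPeeringConnections"] if p["Status"]["Code"] in LIVE_STATES}


def ensure_peering_requests(ec2, mgmt_vpc_id, target_vpc_ids, peer_owner_id=None):
    """Management side (question's Lambda 1): request a peering to each target VPC
    that has no live peering yet. Safe to re-run after an environment is rebuilt."""
    live = existing_peerings(ec2, mgmt_vpc_id)
    created = []
    for vpc_id in target_vpc_ids:
        if vpc_id in live:
            continue
        kwargs = {"VpcId": mgmt_vpc_id, "PeerVpcId": vpc_id}
        if peer_owner_id:  # cross-account peering needs the accepter's account id
            kwargs["PeerOwnerId"] = peer_owner_id
        ec2.create_vpc_peering_connection(**kwargs)
        created.append(vpc_id)
    return created


def accept_trusted_requests(ec2, my_vpc_id, trusted_owner_ids):
    """Environment side (question's Lambda 2): accept pending requests aimed at
    my_vpc_id only when the requester account is allow-listed; reject the rest
    so an unexpected request never waits for someone to click Accept."""
    resp = ec2.describe_vpc_peering_connections(Filters=[
        {"Name": "status-code", "Values": ["pending-acceptance"]},
        {"Name": "accepter-vpc-info.vpc-id", "Values": [my_vpc_id]}])
    accepted, rejected = [], []
    for p in resp["VpcPeeringConnections"]:
        pcx_id = p["VpcPeeringConnectionId"]
        if p["RequesterVpcInfo"]["OwnerId"] in trusted_owner_ids:
            ec2.accept_vpc_peering_connection(VpcPeeringConnectionId=pcx_id)
            accepted.append(pcx_id)
        else:
            ec2.reject_vpc_peering_connection(VpcPeeringConnectionId=pcx_id)
            rejected.append(pcx_id)
    return accepted, rejected


def lambda_handler(event, context):
    """Event-driven entry point (the answer's suggestion): invoke it after stack
    creation instead of polling. Event keys are hypothetical, not an AWS shape."""
    import boto3  # imported here so the module loads without boto3 installed
    ec2 = boto2 = boto3.client("ec2")
    accepted, rejected = accept_trusted_requests(ec2, event["vpc_id"], set(event["trusted_owners"]))
    return {"accepted": accepted, "rejected": rejected}


# ---- constructed fake of the EC2 client, for offline runs and tests ----------
_FILTERS = {
    "status-code": lambda p: p["Status"]["Code"],
    "requester-vpc-info.vpc-id": lambda p: p["RequesterVpcInfo"]["VpcId"],
    "accepter-vpc-info.vpc-id": lambda p: p["AccepterVpcInfo"]["VpcId"],
}


class FakeEc2:
    """One 'account' view over a shared list of peering connections."""

    def __init__(self, owner_id, shared_store):
        self.owner_id, self.store = owner_id, shared_store

    def create_vpc_peering_connection(self, VpcId, PeerVpcId, PeerOwnerId=None):
        p = {"VpcPeeringConnectionId": "pcx-%04d" % len(self.store),
             "Status": {"Code": "pending-acceptance"},
             "RequesterVpcInfo": {"OwnerId": self.owner_id, "VpcId": VpcId},
             "AccepterVpcInfo": {"OwnerId": PeerOwnerId or self.owner_id, "VpcId": PeerVpcId}}
        self.store.append(p)
        return {"VpcPeeringConnection": copy.deepcopy(p)}

    def describe_vpc_peering_connections(self, Filters=()):
        hits = [p for p in self.store if all(_FILTERS[f["Name"]](p) in f["Values"] for f in Filters)]
        return {"VpcPeeringConnections": copy.deepcopy(hits)}

    def _set_state(self, pcx_id, code):
        p = next(p for p in self.store if p["VpcPeeringConnectionId"] == pcx_id)
        # mirrors the real rule quoted in the answer: only the accepter account decides
        assert p["AccepterVpcInfo"]["OwnerId"] == self.owner_id, "not the accepter account"
        p["Status"]["Code"] = code
        return {"VpcPeeringConnection": copy.deepcopy(p)}

    def accept_vpc_peering_connection(self, VpcPeeringConnectionId):
        return self._set_state(VpcPeeringConnectionId, "active")

    def reject_vpc_peering_connection(self, VpcPeeringConnectionId):
        return self._set_state(VpcPeeringConnectionId, "rejected")
```

The allow-list is on the requester's account id rather than on VPC ids, because VPC ids change every time an environment is torn down and rebuilt while the account ids do not; the explicit reject keeps an unexpected request from lingering where a later, less careful operator might approve it by hand.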