CODEWITHSUNDEEP
aws-cloudformationamazon-vpcsubnet
ImPurshu
ImPurshu

Reputation: 430

VPC peering between 2 AWS Regions VPC via cloudformation

I am trying vpc peering between two different region. Here I have already created the resources now I just want to pass their ids as parameters. In same region I am able to peer between two VPC. But I am getting error in two different region as route_id does not exist.

Error logs

My template is below:

AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Parameters:
  PeerVPCAccountId:
    Type: String
    Description: "Peer VPC Account ID"
    Default: (Acc_id)
  PeerVPCRegion:
    Type: String
    Description: "Peer Region"
    Default: (region)
  VPC1:
    Description: VPC Id of DataPipeline
    Type: AWS::EC2::VPC::Id
    Default: (vpc_id)
  VPC1CIDRRange:
    Description: The IP address range of DataPipeline VPC.
    Type: String
    MinLength: '9'
    MaxLength: '18'
    Default: (vpc_range)
    AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
  VPC1PrivateSubnet1CIDRRange:
    Description: The IP address range for Private Subnet 1 in DataPipeline.
    Type: String
    MinLength: '9'
    MaxLength: '18'
    Default: (vpc_subnet_range)
    AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.

  VPC1Private1Route:
    Description: RouteTableId of Private Subnet 1 for DataPipeline
    Type: String
    Default: (vpc_subnet_route_id)


  VPC2:
    Description: VPC Id of PII-Isolation Pipeline
    Type: String
    Default: (vpc_id)
  VPC2CIDRRange:
    Description: The IP address range of PII Pipeline VPC.
    Type: String
    MinLength: '9'
    MaxLength: '18'
    AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
    Default: (vpc_range)
  VPC2PrivateSubnet1CIDRRange:
    Description: The IP address range for Private Subnet 1 in PII Pipeline.
    Type: String
    MinLength: '9'
    MaxLength: '18'
    AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
    Default: (vpc_subnet_range)

  VPC2Private1Route:
    Description: RouteTableId of Private Subnet 1 for PII Pipeline
    Type: String
    Default: (vpc_subnet_route_id)

Resources:
  peerRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Principal:
              AWS: !Ref PeerVPCAccountId
            Action:
              - 'sts:AssumeRole'
            Effect: Allow
      Path: /
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: 'ec2:AcceptVpcPeeringConnection'
                Resource: '*'

  VPC1Private1PeeringRoute1:
    Type: AWS::EC2::Route
    Properties:
      DestinationCidrBlock:
        Ref: VPC2PrivateSubnet1CIDRRange
      RouteTableId:
        Ref: VPC1Private1Route
      VpcPeeringConnectionId:
        Ref: myVPCPeeringConnection




  VPC2Private1PeeringRoute1:
    Type: AWS::EC2::Route
    Properties:
      DestinationCidrBlock:
        Ref: VPC1PrivateSubnet1CIDRRange
      RouteTableId:
        Ref: VPC2Private1Route
      VpcPeeringConnectionId:
        Ref: myVPCPeeringConnection


  myVPCPeeringConnection:
    Type: AWS::EC2::VPCPeeringConnection
    Properties:
      VpcId:
        Ref: VPC1
      PeerVpcId:
        Ref: VPC2
      PeerOwnerId:
        Ref: PeerVPCAccountId
      PeerRegion:
        Ref: PeerVPCRegion
      PeerRoleArn: !GetAtt
              - peerRole
              - Arn

I have given everything which template want, still showing me this error. Can someone help modify it or point the mistake?

Upvotes: 0

Views: 1748

Answers (2)

David Webster
David Webster

Reputation: 2321

Impurshu, I think there was definitely some confusion regarding understanding that a Cloudformation template can only apply to a single region. However, Cloudformation Stacksets can apply to multiple regions, and I even found an example that applies to your problem VPC Peering across regions

Upvotes: 1

Yogev Hen
Yogev Hen

Reputation: 1

CloudFormation deploys resources only in a specific region. For deploying the same resources in different regions you can use CloudFormation StackSet. Regarding your scenario, id suggest using CloudFormation to create the necessary resources in one region and also deploy a lambda that will deploy resources in a second region and perform the peering - request, accept and alter RouteTable. In addition to the Lambda you'll need to deploy a custom resource to execute the lambda and a Role+Policy for the Lambda (permissions for the actions it will make)

Upvotes: 0

Related Questions