AWS VPC peering in an AWS Organization | DevOps Solution

AWS VPC peering in an AWS Organization

AWS CloudFormation lets you automate the VPC peering process almost entirely.

It handles both the creation and the acceptance of the VPC peering request in one step, so everything works as long as the connection is established between VPCs in the same AWS account, even if they are located in different AWS regions.

Things become more complicated when the VPCs belong to different AWS accounts. To establish a connection, a VPC peering request has to be issued from a VPC in the Requester AWS account and then accepted in the Accepter AWS account. For CloudFormation to do this, the Accepter MUST create an IAM Role on their side that the Requester can assume in order to confirm the VPC peering request.


VPC peering configuration solution from IT Svit

In our case, it was unacceptable to let different AWS accounts manage each other's resources, so we could not use the CloudFormation solution. Instead we created two Terraform manifests (accepter.tf and requester.tf), each applied with the credentials of its own account, and there are two variants of using our solution:

  • Variant A: We have access to both AWS accounts with all the needed permissions. We initiate the VPC peering request in the Requester AWS account (using the requester.tf Terraform manifest) and confirm it in the Accepter AWS account (using the accepter.tf Terraform manifest). We chose Terraform because it allows managing the VPC peering request separately from its confirmation.
  • Variant B: We have access to the Requester AWS account only. In this case, we create only the VPC peering request (using the requester.tf Terraform manifest). The request stays in the pending state until the admin of the Accepter AWS account accepts it (manually in the AWS web console or using the accepter.tf Terraform manifest).

Variant A


  1. Apply the requester.tf Terraform manifest in the Requester AWS account
  2. Apply the accepter.tf Terraform manifest in the Accepter AWS account

Variant B


  1. Apply the requester.tf Terraform manifest in the Requester AWS account
  2. Ask the admin of the Accepter AWS account to accept the request
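The page does not reproduce IT Svit's requester.tf and accepter.tf, so the following is an added example of how the two manifests used in Variant A and Variant B can be written with the Terraform AWS provider. Each file lives in its own Terraform working directory and is applied with the credentials of its own account, so neither side assumes a role in the other. The variable names, resource names and the precondition that verifies the request came from the expected account and VPC are assumptions of this example, not the project's own code.

```hcl
########## requester.tf (applied with Requester-account credentials) ##########

terraform {
  required_version = ">= 1.2" # lifecycle preconditions (used in accepter.tf) need 1.2+
}

provider "aws" {
  region = var.requester_region
}

variable "requester_region"         { type = string }
variable "requester_vpc_id"         { type = string }
variable "requester_route_table_id" { type = string }
variable "accepter_account_id"      { type = string } # hypothetical: 12-digit ID of the Accepter account
variable "accepter_region"          { type = string }
variable "accepter_vpc_id"          { type = string }
variable "accepter_vpc_cidr"        { type = string }

# Only the request is created here; no credentials from the Accepter account are needed.
resource "aws_vpc_peering_connection" "to_accepter" {
  vpc_id        = var.requester_vpc_id
  peer_vpc_id   = var.accepter_vpc_id
  peer_owner_id = var.accepter_account_id
  peer_region   = var.accepter_region
  auto_accept   = false # cross-account: acceptance happens in accepter.tf or manually

  tags = { Name = "requester-to-accepter" }
}

# Send traffic for the remote CIDR over the peering link (security groups and NACLs still apply).
resource "aws_route" "to_accepter" {
  route_table_id            = var.requester_route_table_id
  destination_cidr_block    = var.accepter_vpc_cidr
  vpc_peering_connection_id = aws_vpc_peering_connection.to_accepter.id
}

# Hand this ID to the Accepter admin (Variant B) or feed it into accepter.tf (Variant A).
output "peering_connection_id" {
  value = aws_vpc_peering_connection.to_accepter.id
}

########## accepter.tf (applied with Accepter-account credentials) ##########

provider "aws" {
  region = var.accepter_region
}

variable "accepter_region"         { type = string }
variable "accepter_route_table_id" { type = string }
variable "requester_account_id"    { type = string } # hypothetical: the account the request must come from
variable "requester_vpc_id"        { type = string }
variable "requester_vpc_cidr"      { type = string }
variable "peering_connection_id"   { type = string } # the pcx-... ID from the requester's output

# Look up the pending request as it is visible from the Accepter account.
data "aws_vpc_peering_connection" "pending" {
  id = var.peering_connection_id
}

resource "aws_vpc_peering_connection_accepter" "from_requester" {
  vpc_peering_connection_id = var.peering_connection_id
  auto_accept               = true

  # Refuse to accept a request that was not issued by the expected account and VPC.
  lifecycle {
    precondition {
      condition = (
        data.aws_vpc_peering_connection.pending.owner_id == var.requester_account_id &&
        data.aws_vpc_peering_connection.pending.vpc_id == var.requester_vpc_id
      )
      error_message = "The pending peering request was not issued by the expected requester account and VPC."
    }
  }

  tags = { Name = "accepter-from-requester" }
}

# Return route for the requester's CIDR.
resource "aws_route" "to_requester" {
  route_table_id            = var.accepter_route_table_id
  destination_cidr_block    = var.requester_vpc_cidr
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.from_requester.id
}
```

In Variant A you run `terraform apply` in the requester directory, pass the `peering_connection_id` output into the accepter directory and apply there; in Variant B you apply only the requester side and give the ID to the Accepter admin. The precondition is the check the accepting side should make in either case: a peering request is an invitation to route traffic between networks, so the acceptor verifies the requesting account and VPC before approving, rather than accepting whatever connection carries the expected ID.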

Final thoughts on VPC peering in an AWS organization

As a result, our solution makes establishing the VPC peering connection between any two AWS accounts very simple, as all the actions are combined in two Terraform manifests. Feel free to use our AWS VPC peering guide and if you need help or consultation with creating custom DevOps solutions — give us a nudge, we are always glad to help!