AWS Amazon EC2 Peering Connection
This page shows how to write the Amazon EC2 VPC peering connection resource in Terraform and CloudFormation, and how to configure it securely.
aws_vpc_peering_connection (Terraform)
The Peering Connection in Amazon EC2 can be configured in Terraform with the resource name aws_vpc_peering_connection. The following sections describe 2 examples of how to use the resource and its parameters.
Example Usage from GitHub
# Inter-region peering (huanwlisa/terraform). Only the requester side is shown;
# a cross-region connection stays in "pending-acceptance" until an
# aws_vpc_peering_connection_accepter is applied in us-east-2.
resource "aws_vpc_peering_connection" "us-east-1-us-east-2" {
  provider    = aws.us-east-1
  vpc_id      = aws_vpc.us-east-1.id
  peer_vpc_id = aws_vpc.us-east-2.id
  peer_region = "us-east-2"
}

# Same-account, same-region peering (cisagov/cyhy_amis). auto_accept = true is
# only valid when both VPCs are in the same account and Region.
resource "aws_vpc_peering_connection" "cyhy_bod_peering_connection" {
  vpc_id      = aws_vpc.bod_vpc.id
  peer_vpc_id = aws_vpc.cyhy_vpc.id
  auto_accept = true
  tags = merge(
    var.tags, # the original snippet is cut off here; var.tags is an assumed map
  )
}
Parameters
- accept_status: optional, computed, string
- auto_accept: optional, bool
- id: optional, computed, string
- peer_owner_id: optional, computed, string
- peer_region: optional, computed, string
- peer_vpc_id: required, string
- tags: optional, map from string to string
- vpc_id: required, string
- accepter: list block
  - allow_classic_link_to_remote_vpc: optional, bool
  - allow_remote_vpc_dns_resolution: optional, bool
  - allow_vpc_to_remote_classic_link: optional, bool
- requester: list block
  - allow_classic_link_to_remote_vpc: optional, bool
  - allow_remote_vpc_dns_resolution: optional, bool
  - allow_vpc_to_remote_classic_link: optional, bool
- timeouts: single block

Notes on the security-relevant parameters: auto_accept only works when both VPCs belong to the same AWS account and Region; otherwise the connection stays in the pending-acceptance state until the accepter side accepts it. allow_remote_vpc_dns_resolution lets instances resolve the peer VPC's private hostnames to private IP addresses, which widens what the peer exposes, so enable it only in the direction you actually need. The two ClassicLink options apply to EC2-Classic, which AWS retired in 2022; new configurations should leave them unset.
Explanation in Terraform Registry
Provides a resource to manage a VPC peering connection.
NOTE on VPC Peering Connections and VPC Peering Connection Options: Terraform provides both a standalone VPC Peering Connection Options and a VPC Peering Connection resource with accepter and requester attributes. Do not manage options for the same VPC peering connection in both a VPC Peering Connection resource and a VPC Peering Connection Options resource. Doing so will cause a conflict of options and will overwrite the options. Using a VPC Peering Connection Options resource decouples management of the connection options from management of the VPC Peering Connection and allows options to be set correctly in cross-account scenarios.
Note: For cross-account (requester's AWS account differs from the accepter's AWS account) or inter-region VPC Peering Connections use the aws_vpc_peering_connection resource to manage the requester's side of the connection and use the aws_vpc_peering_connection_accepter resource to manage the accepter's side of the connection.
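The registry note above describes the requester/accepter split and the options conflict but the page's own snippets show neither. The following is an added example, not code from huanwlisa/terraform, cisagov/cyhy_amis or the Terraform Registry: a cross-account, same-Region peering managed from the requester side, with the accepter side driven through a second provider alias, options set per side through aws_vpc_peering_connection_options, routes limited to the peer's exact CIDR, and a plan-time precondition that rejects overlapping CIDRs (the condition under which AWS leaves the connection in the "failed" state, as noted in the CloudFormation explanation further down). The account ID, role name, CIDRs and resource names are assumed values.

```hcl
# Added example (not from the repositories cited on this page). Cross-account,
# same-Region peering; account IDs, role names and CIDRs are assumed values.
provider "aws" {
  alias  = "requester"
  region = "us-east-1"
}

provider "aws" {
  alias  = "accepter"
  region = "us-east-1"
  assume_role {
    # Assumed: a deploy role in the accepter account that this pipeline may assume.
    role_arn = "arn:aws:iam::222222222222:role/terraform-peering"
  }
}

data "aws_caller_identity" "accepter" {
  provider = aws.accepter
}

resource "aws_vpc" "requester" {
  provider   = aws.requester
  cidr_block = "10.10.0.0/16"
}

resource "aws_vpc" "accepter" {
  provider   = aws.accepter
  cidr_block = "10.20.0.0/16"
}

locals {
  req     = aws_vpc.requester.cidr_block
  acc     = aws_vpc.accepter.cidr_block
  req_len = tonumber(split("/", local.req)[1])
  acc_len = tonumber(split("/", local.acc)[1])
  # A contains B's network address iff B's first address, masked to A's prefix
  # length, equals A. Two CIDRs overlap iff either contains the other's.
  req_contains_acc = cidrsubnet("${cidrhost(local.acc, 0)}/${local.req_len}", 0, 0) == cidrsubnet(local.req, 0, 0)
  acc_contains_req = cidrsubnet("${cidrhost(local.req, 0)}/${local.acc_len}", 0, 0) == cidrsubnet(local.acc, 0, 0)
  cidrs_overlap    = local.req_contains_acc || local.acc_contains_req
}

resource "aws_vpc_peering_connection" "this" {
  provider      = aws.requester
  vpc_id        = aws_vpc.requester.id
  peer_vpc_id   = aws_vpc.accepter.id
  peer_owner_id = data.aws_caller_identity.accepter.account_id
  # auto_accept is left unset: it only works when both VPCs are in the same
  # account and Region. Acceptance happens in the accepter account below.
  lifecycle {
    precondition {
      condition     = !local.cidrs_overlap
      error_message = "Requester and accepter VPC CIDRs overlap; AWS would leave the peering in the 'failed' state."
    }
  }
}

resource "aws_vpc_peering_connection_accepter" "this" {
  provider                  = aws.accepter
  vpc_peering_connection_id = aws_vpc_peering_connection.this.id
  auto_accept               = true
}

# Options are set per side after acceptance through aws_vpc_peering_connection_options,
# not the accepter/requester blocks of the connection resource (see the registry note).
# Private DNS resolution across the peering is opt-in; enable only the direction needed.
resource "aws_vpc_peering_connection_options" "requester" {
  provider                  = aws.requester
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.this.id
  requester {
    allow_remote_vpc_dns_resolution = true
  }
}

resource "aws_vpc_peering_connection_options" "accepter" {
  provider                  = aws.accepter
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.this.id
  accepter {
    allow_remote_vpc_dns_resolution = false
  }
}

# Routes point only at the peer's exact CIDR, never a wider prefix.
resource "aws_route" "requester_to_accepter" {
  provider                  = aws.requester
  route_table_id            = aws_vpc.requester.main_route_table_id
  destination_cidr_block    = aws_vpc.accepter.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.this.id
}

resource "aws_route" "accepter_to_requester" {
  provider                  = aws.accepter
  route_table_id            = aws_vpc.accepter.main_route_table_id
  destination_cidr_block    = aws_vpc.requester.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.this.id
}
```

Two design points. The overlap check works because cidrsubnet normalizes its input (host bits are masked off), so taking one VPC's network address at the other's prefix length and comparing the normalized results is an exact containment test; with the assumed 10.10.0.0/16 and 10.20.0.0/16 the precondition passes, and changing the accepter to 10.10.128.0/17 makes terraform plan fail before anything is created. For an inter-region peering, add peer_region to the connection resource and point the accepter provider alias at the peer Region; everything else stays the same. Peering is not transitive and security groups still apply, so the routes above only make the peer reachable; the security groups on both sides still have to admit the specific peer CIDR and ports.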
Tips: Best Practices for The Other AWS Amazon EC2 Resources
In addition to aws_vpc_peering_connection, AWS Amazon EC2 has other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_default_vpc
Ensure to avoid using the default VPC
It is better to define your own VPC and use it.
aws_network_acl_rule
Ensure your network ACL rule blocks unwanted inbound traffic
It is better to block unwanted inbound traffic.
aws_ebs_volume
Ensure to use a customer-managed key for EBS volume encryption
It is better to use a customer-managed key for EBS volume encryption. Customer-managed keys (CMKs) give you more control over the encryption, such as the key policy and rotation.
aws_instance
Ensure to avoid storing AWS access keys in user data
It is better to avoid storing AWS access keys in user data, which any process on the instance can read from the instance metadata service. Attach an `aws_iam_instance_profile` instead.
aws_security_group
Ensure your security group blocks unwanted inbound traffic
It is better to block unwanted inbound traffic.
AWS::EC2::VPCPeeringConnection (CloudFormation)
The VPCPeeringConnection in EC2 can be configured in CloudFormation with the resource name AWS::EC2::VPCPeeringConnection. The following sections describe examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::EC2::VPCPeeringConnection
Condition: IfUSWestRegion
Properties:
  VpcId:
    Fn::ImportValue: VPCUsaId
  PeerRegion: eu-central-1

# Cross-account peering: PeerRoleArn names a role in the accepter account that
# CloudFormation assumes in order to accept the request.
Type: 'AWS::EC2::VPCPeeringConnection'
Properties:
  VpcId: vpc-04834cc55f1fb268b # requester vpc id
  PeerVpcId: vpc-0c967871 # accepter vpc id
  PeerOwnerId: "512121751697" # accepter aws account id
  PeerRoleArn: arn:aws:iam::512121751697:role/Fox2021Peering-peerRole-15CR6ELC3MEPR

Type: 'AWS::EC2::VPCPeeringConnection'
Properties:
  VpcId: vpc-057b9695bf3df001b # requester vpc id
  PeerVpcId: vpc-0c967871 # accepter vpc id
  PeerOwnerId: "512121751697" # accepter aws account id
  PeerRoleArn: arn:aws:iam::512121751697:role/puma-oct-peering-peerRole-1PAN43J4VU4U0

# Type: AWS::EC2::VPCPeeringConnection
# Properties:
#   VpcId: !GetAtt VPCAlpha.Outputs.VPC
#   PeerVpcId: !GetAtt VPCBeta.Outputs.VPC
#   Tags:
#     - Key: Name

# Serverless Framework template; ${env:...} and ${self:...} are resolved at deploy time.
Type: AWS::EC2::VPCPeeringConnection
Properties:
  PeerOwnerId: ${env:AWS_COGNITO_ACCOUNT_ID}
  PeerRoleArn: arn:aws:iam::${env:AWS_COGNITO_ACCOUNT_ID}:role/calcutta-${self:custom.stage}-peer-role
  PeerVpcId: ${env:AWS_COGNITO_VPC_ID}
  VpcId:

"Type": "AWS::EC2::VPCPeeringConnection",
"Properties" : {
  "PeerVpcId" : {
    "Ref": "PeerVpcId"
  },
  "VpcId": ""

"Type" : "AWS::EC2::VPCPeeringConnection",
"Properties" : {
  "PeerVpcId" : { "Ref" : "ProductionVPC" },
  "VpcId" : { "Ref" : "DevelopmentVPC" },
  "Tags" : [
    {

"Type": "AWS::EC2::VPCPeeringConnection",
"Properties": {
  "PeerVpcId": {
    "Fn::ImportValue": "cdk-blog-vpc-staging:ExportsOutputRefvpcstagingF0BF23A463A94C5D"
  },
  "VpcId": {

"Type" : "AWS::EC2::VPCPeeringConnection",
"Properties" : {
  "VpcId" : { "Fn::ImportValue" : { "Fn::Sub" : "${CoreVPCStackName}-VPC" }},
  "PeerVpcId" : { "Fn::ImportValue" : { "Fn::Sub" : "${BuildVPCStackName}-VPC" }},
  "Tags" : [
    { "Key" : "Name", "Value" : { "Fn::Sub" : "Core-BuildVPCPeeringConnection" }}
Parameters
- PeerOwnerId: optional, String. The AWS account ID of the accepter VPC's owner; defaults to your own account, so it must be set for cross-account peering.
- PeerRegion: optional, String. The Region of the accepter VPC; defaults to the Region of the request, so it must be set for inter-region peering.
- PeerRoleArn: optional, String. The ARN of a role in the accepter account that CloudFormation assumes to accept the request; required for cross-account peering. That role should trust only the requester account and grant only ec2:AcceptVpcPeeringConnection.
- PeerVpcId: required, String
- Tags: optional, List of Tag
- VpcId: required, String
Explanation in CloudFormation Registry
Requests a VPC peering connection between two VPCs: a requester VPC that you own and an accepter VPC with which to create the connection. The accepter VPC can belong to another AWS account and can be in a different Region to the requester VPC.
The requester VPC and accepter VPC cannot have overlapping CIDR blocks. If you create a VPC peering connection request between VPCs with overlapping CIDR blocks, the VPC peering connection has a status of failed. For more information, see Walkthrough: Peer with a VPC in another AWS account.
Frequently asked questions
What is AWS Amazon EC2 Peering Connection?
AWS Amazon EC2 Peering Connection is a resource for Amazon EC2 of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon EC2 Peering Connection?
For Terraform, the huanwlisa/terraform and cisagov/cyhy_amis source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the elnurm/aws_cloudformation_templates, fmezegne/project-2-cloudformation and NelieTchat/Three_Tiers-Applications source code examples are useful. See the CloudFormation Example section for further details.