VPC peering setup between regions tripped me up again.
Environment:
- Requester: ap-northeast-3 (Osaka) / profile-requester
- Accepter: ap-northeast-1 (Tokyo) / profile-accepter
Cross-account × cross-region. The annoying pattern.
What I messed up
Ran create-vpc-peering-connection. Looked successful, got a pcx-xxxxx ID. Tried to accept on the accepter side, got NotFound error.
An error occurred (InvalidVpcPeeringConnectionID.NotFound) when calling the AcceptVpcPeeringConnection operation
Checked the ID; it was in the failed state. Tried to delete, got InvalidStateTransition.
An error occurred (InvalidStateTransition) when calling the DeleteVpcPeeringConnection operation
Can’t transition from failed to deleting. Stuck.
Root cause
Forgot to specify --peer-region. It is required for cross-region peering. Without it, AWS assumes the peer VPC is in the requester’s own region (Osaka), cannot find it there, and the connection goes straight to failed. That is also why the accept on the Tokyo side returned NotFound: nothing was ever created against the accepter’s VPC, so the accepter has no pcx to see.
A peering connection in the failed state cannot be accepted, rejected or deleted. AWS removes it on its own; it stays visible to the requester for about two hours.
Correct commands
Create from requester side (Osaka):
aws ec2 create-vpc-peering-connection \
  --region ap-northeast-3 \
  --profile profile-requester \
  --vpc-id vpc-requester-id \
  --peer-vpc-id vpc-accepter-id \
  --peer-owner-id 123456789012 \
  --peer-region ap-northeast-1
Accept from accepter side (Tokyo):
aws ec2 accept-vpc-peering-connection \
  --region ap-northeast-1 \
  --profile profile-accepter \
  --vpc-peering-connection-id pcx-new-id
Don’t forget to specify the accepter’s region when accepting.
Post-connection setup
Even when active, traffic won’t flow yet.
- Route tables on both VPCs: in every route table attached to subnets that need the peer, add a route for the peer CIDR with the pcx as target
- Security groups on both VPCs: allow inbound from the peer CIDR, and only on the ports the peer actually needs; peering is not a reason to open everything to the whole CIDR
Cross-region peering doesn’t support security group references, so the rules must be CIDR based. If the subnets use custom network ACLs, those have to allow the peer CIDR as well.
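The whole procedure above (create with --peer-region, accept in the accepter’s region, then routes and CIDR-based ingress on both sides) as one script, with the status check the failed-state story motivates: create returns a pcx ID even when the request is doomed, so the script polls describe-vpc-peering-connections and acts on the status code instead of assuming success. This is an added example, not the post’s own script; every ID, profile name, route table, security group and CIDR below is a placeholder, and the single TCP port is an assumption about what the peer needs.

```shell
#!/bin/sh
# Added example (not the post's own script): cross-account, cross-region VPC
# peering from the CLI, acting on the peering status instead of assuming success.
# All IDs, profile names, CIDRs and the port below are placeholders; replace them.
set -eu

# AWS_CMD=echo prints each AWS call instead of executing it (dry run).
AWS_CMD="${AWS_CMD:-aws}"

REQ_REGION=ap-northeast-3;  REQ_PROFILE=profile-requester
REQ_VPC=vpc-requester-id;   REQ_RTB=rtb-requester-id;  REQ_SG=sg-requester-id
ACC_REGION=ap-northeast-1;  ACC_PROFILE=profile-accepter
ACC_VPC=vpc-accepter-id;    ACC_RTB=rtb-accepter-id;   ACC_SG=sg-accepter-id
ACC_ACCOUNT=123456789012
REQ_CIDR=10.10.0.0/16;      ACC_CIDR=10.20.0.0/16       # assumed, must not overlap
PORT=443                                                # assumed: open only what is needed

# Map a describe-vpc-peering-connections Status.Code to the operator's next step.
next_action() {
  case "$1" in
    initiating-request|provisioning)   echo poll ;;
    pending-acceptance)                echo accept ;;
    active)                            echo configure ;;
    failed)                            echo wait-for-cleanup ;;  # not deletable; AWS removes it itself
    rejected|expired|deleted|deleting) echo recreate ;;
    *)                                 echo unknown ;;
  esac
}

# Requester side. --peer-region is what makes this cross-region; prints the pcx ID.
create_peering() {
  $AWS_CMD ec2 create-vpc-peering-connection \
    --region "$REQ_REGION" --profile "$REQ_PROFILE" \
    --vpc-id "$REQ_VPC" \
    --peer-vpc-id "$ACC_VPC" --peer-owner-id "$ACC_ACCOUNT" --peer-region "$ACC_REGION" \
    --query 'VpcPeeringConnection.VpcPeeringConnectionId' --output text
}

# Status as seen by the requester (a failed pcx is only visible on this side).
peering_status() {
  $AWS_CMD ec2 describe-vpc-peering-connections \
    --region "$REQ_REGION" --profile "$REQ_PROFILE" \
    --vpc-peering-connection-ids "$1" \
    --query 'VpcPeeringConnections[0].Status.Code' --output text
}

# Accepter side. --region here is the accepter's region, not the requester's.
accept_peering() {
  $AWS_CMD ec2 accept-vpc-peering-connection \
    --region "$ACC_REGION" --profile "$ACC_PROFILE" \
    --vpc-peering-connection-id "$1"
}

# Route to the peer CIDR via the pcx, plus ingress from the peer CIDR on one port only.
# Cross-region peering cannot reference the peer's security group, so the rule is CIDR based.
configure_side() {   # args: region profile route-table security-group peer-cidr pcx
  $AWS_CMD ec2 create-route --region "$1" --profile "$2" \
    --route-table-id "$3" --destination-cidr-block "$5" --vpc-peering-connection-id "$6"
  $AWS_CMD ec2 authorize-security-group-ingress --region "$1" --profile "$2" \
    --group-id "$4" --protocol tcp --port "$PORT" --cidr "$5"
}

peer_up() {
  pcx=$(create_peering)
  # create succeeds even when the request is doomed: poll until a terminal state
  while :; do
    state=$(peering_status "$pcx")
    case $(next_action "$state") in
      poll)   sleep 5 ;;
      accept) accept_peering "$pcx" ;;
      configure)
        configure_side "$REQ_REGION" "$REQ_PROFILE" "$REQ_RTB" "$REQ_SG" "$ACC_CIDR" "$pcx"
        configure_side "$ACC_REGION" "$ACC_PROFILE" "$ACC_RTB" "$ACC_SG" "$REQ_CIDR" "$pcx"
        echo "peering $pcx active and routed"; return 0 ;;
      wait-for-cleanup)
        echo "$pcx is failed: it cannot be deleted, wait for AWS to remove it" >&2; return 1 ;;
      *) echo "$pcx in state '$state': stopping" >&2; return 1 ;;
    esac
  done
}

# Only run the flow when invoked with "run", so the functions can be tested or dry-run.
if [ "${1:-}" = run ]; then peer_up; fi
```

Run it as `sh peer.sh run` with real IDs. `AWS_CMD=echo sh peer.sh run` prints the create and describe commands without touching AWS and then stops, since there is no real status code to act on; that is enough to eyeball that --peer-region and --peer-owner-id are on the create call and that the accept goes to the accepter’s region.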
Lesson
--peer-region is easy to forget. If the connection goes to failed, there is nothing to delete; wait for AWS to clean it up, then create it again with the flag.
hsb.horse