Question #657
A software company hosts an application on AWS with resources in multiple AWS accounts and Regions. The application runs on a group of Amazon EC2 instances in an application VPC located in the us-west-1 Region with an IPv4 CIDR block of 10.20.0.0/16. In a different AWS account, a shared services VPC is located in the us-west-2 Region with an IPv4 CIDR block of 10.20.0.0/24. When a cloud engineer uses AWS CloudFormation to attempt to peer the application VPC with the shared services VPC, an error message indicates a peering failure.
Which factors could cause this error? (Choose two.)
A. The IPv4 CIDR ranges of the two VPCs overlap
B. The VPCs are not in the same Region
C. One or both accounts do not have access to an Internet gateway
D. One of the VPCs was not shared through AWS Resource Access Manager
E. The IAM role in the peer accepter account does not have the correct permissions
Explanation
The two correct answers are A and E.
A: Overlapping CIDR Ranges
VPC peering requires that the two VPCs have no overlapping IPv4 CIDR blocks. The application VPC (10.20.0.0/16) contains the entire shared services VPC range (10.20.0.0/24), so the peering request fails regardless of Region or account.
E: IAM Permissions
For a cross-account peering created with CloudFormation (AWS::EC2::VPCPeeringConnection with PeerOwnerId set), the template must also supply PeerRoleArn: a role in the accepter account that CloudFormation assumes to accept the request. That role needs ec2:AcceptVpcPeeringConnection (and the usual describe permissions); if it is missing or the role lacks the permission, the stack reports a peering failure.
Incorrect Options:
- B: VPCs can be peered across Regions (inter-Region VPC peering); the template just has to set PeerRegion to the accepter VPC's Region.
- C: Internet gateways are irrelevant to VPC peering; peered traffic stays on the AWS network and never traverses an IGW.
- D: AWS Resource Access Manager (RAM) is not required for VPC peering; cross-account peering uses a request/accept workflow, which CloudFormation drives through PeerOwnerId and PeerRoleArn.
Key Points:
1. Ensure non-overlapping CIDR ranges for VPC peering.
2. Verify IAM permissions for peering operations in both accounts.
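The following pre-flight check is an added example, not part of the original question or of any AWS tooling. It takes the properties a CloudFormation AWS::EC2::VPCPeeringConnection would be given and reproduces both failure causes from the answer: overlapping CIDRs (checked with the standard ipaddress module) and an accepter role whose policy does not grant ec2:AcceptVpcPeeringConnection. The VPC IDs, account IDs, role ARN and the policy document are constructed sample data; the property names VpcId, PeerVpcId, PeerRegion, PeerOwnerId and PeerRoleArn are the real CloudFormation ones.

```python
"""Pre-flight checks for a cross-account, cross-Region VPC peering request.

Added example (not from the original question or AWS). Sample IDs, ARNs and
the policy document are constructed to mirror the scenario in the question.
"""
import fnmatch
import ipaddress

# Constructed inputs: requester VPC in us-west-1 (10.20.0.0/16), accepter VPC
# in a second account in us-west-2 (10.20.0.0/24).
REQUESTER = {"VpcId": "vpc-0aaa", "Region": "us-west-1",
             "AccountId": "111111111111", "Cidr": "10.20.0.0/16"}
ACCEPTER = {"VpcId": "vpc-0bbb", "Region": "us-west-2",
            "AccountId": "222222222222", "Cidr": "10.20.0.0/24"}

# Properties as they would appear on an AWS::EC2::VPCPeeringConnection resource.
PEERING_PROPS = {
    "VpcId": REQUESTER["VpcId"],
    "PeerVpcId": ACCEPTER["VpcId"],
    "PeerRegion": ACCEPTER["Region"],
    "PeerOwnerId": ACCEPTER["AccountId"],
    "PeerRoleArn": "arn:aws:iam::222222222222:role/PeerAccepterRole",  # constructed
}

# Constructed policy on the accepter role: it can only describe peerings, so the
# accept call CloudFormation makes after assuming PeerRoleArn is denied.
ACCEPTER_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeVpcPeeringConnections"],
         "Resource": "*"},
    ],
}


def cidrs_overlap(a, b):
    """True if the two IPv4 CIDR blocks share any address (peering requires False)."""
    return ipaddress.ip_network(a, strict=True).overlaps(ipaddress.ip_network(b, strict=True))


def role_allows(policy, action):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any Allow match.

    Action matching is case-insensitive and honours '*' wildcards (e.g. ec2:*).
    Conditions and resource constraints are ignored.
    """
    want = action.lower()
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatch.fnmatchcase(want, p.lower()) for p in actions):
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def preflight(props, requester, accepter, accepter_policy):
    """Return the reasons this peering would fail; an empty list means clear."""
    problems = []
    if cidrs_overlap(requester["Cidr"], accepter["Cidr"]):
        problems.append(f"overlapping CIDRs {requester['Cidr']} and {accepter['Cidr']}")
    # Different Regions are fine (inter-Region peering); PeerRegion just has to be set.
    if requester["Region"] != accepter["Region"] and props.get("PeerRegion") != accepter["Region"]:
        problems.append("cross-Region peering needs PeerRegion set to the accepter Region")
    # Cross-account peering through CloudFormation needs an assumable role in the
    # accepter account that is allowed to accept the request.
    if requester["AccountId"] != accepter["AccountId"]:
        if props.get("PeerOwnerId") != accepter["AccountId"]:
            problems.append("PeerOwnerId must be the accepter account ID")
        if not props.get("PeerRoleArn"):
            problems.append("cross-account peering needs PeerRoleArn")
        elif not role_allows(accepter_policy, "ec2:AcceptVpcPeeringConnection"):
            problems.append("accepter role cannot ec2:AcceptVpcPeeringConnection")
    return problems


if __name__ == "__main__":
    for p in preflight(PEERING_PROPS, REQUESTER, ACCEPTER, ACCEPTER_ROLE_POLICY):
        print("FAIL:", p)
```

Run as-is it reports the two causes from the answer. Re-running with the accepter VPC renumbered to a non-overlapping block (for example 10.21.0.0/24) and with ec2:AcceptVpcPeeringConnection added to the role policy returns an empty list; changing only the Region produces nothing, which is the point of option B being wrong.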
Answer
The correct answer is: {A,E}