You can connect two VPCs with identical CIDRs to the same TGW, but you can't route between them.
Q: Can I connect Amazon VPCs with identical CIDRs?
AWS Transit Gateway doesn’t support routing between Amazon VPCs with identical CIDRs. If you attach a new Amazon VPC that has a CIDR which is identical to an already attached Amazon VPC, AWS Transit Gateway will not propagate the new Amazon VPC route into the AWS Transit Gateway route table.
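Added example (not from re:Post or from AWS): a small Python preflight check that models the propagation rule quoted above before any attachment is made. The VPC ids and CIDRs are constructed for the demonstration; an identical CIDR is treated as not propagated (first attachment wins), while an overlapping but non-identical CIDR is only flagged as a warning, since the FAQ text only covers identical CIDRs.

```python
from ipaddress import ip_network
from typing import Dict, List, Tuple

# Constructed sample attachments (hypothetical VPC ids and CIDRs), in attachment order.
SAMPLE_ATTACHMENTS = [
    ("vpc-prod-a", "10.0.0.0/16"),
    ("vpc-legacy-b", "10.0.0.0/16"),   # identical to vpc-prod-a: TGW will not propagate it
    ("vpc-shared-c", "10.0.1.0/24"),   # overlaps vpc-prod-a but is not identical: flagged only
    ("vpc-dev-d", "172.16.0.0/16"),
]


def plan_propagation(attachments: List[Tuple[str, str]]):
    """Simulate which VPC CIDRs would end up in a TGW route table.

    Returns (routes, dropped, overlaps):
      routes   - {cidr: vpc_id} for CIDRs that propagate (earliest attachment keeps the route)
      dropped  - [(vpc_id, cidr, winning_vpc)] for identical CIDRs that are not propagated
      overlaps - [(vpc_id, cidr, other_vpc, other_cidr)] for overlapping, non-identical CIDRs
    """
    routes: Dict[str, str] = {}
    dropped: List[Tuple[str, str, str]] = []
    overlaps: List[Tuple[str, str, str, str]] = []
    for vpc_id, cidr in attachments:
        net = ip_network(cidr, strict=True)  # rejects host bits set, e.g. 10.0.0.1/16
        key = str(net)
        if key in routes:
            # Identical CIDR already present: the new VPC's route is silently not propagated.
            dropped.append((vpc_id, key, routes[key]))
            continue
        for existing_cidr, existing_vpc in routes.items():
            if net.overlaps(ip_network(existing_cidr)):
                overlaps.append((vpc_id, key, existing_vpc, existing_cidr))
        routes[key] = vpc_id
    return routes, dropped, overlaps


def preflight_ok(attachments: List[Tuple[str, str]]) -> bool:
    """True only when every attachment gets its own route with no identical or overlapping CIDRs."""
    _, dropped, overlaps = plan_propagation(attachments)
    return not dropped and not overlaps


if __name__ == "__main__":
    routes, dropped, overlaps = plan_propagation(SAMPLE_ATTACHMENTS)
    for vpc_id, cidr, winner in dropped:
        print(f"NOT PROPAGATED: {vpc_id} {cidr} (route already held by {winner})")
    for vpc_id, cidr, other_vpc, other_cidr in overlaps:
        print(f"WARNING overlap: {vpc_id} {cidr} overlaps {other_vpc} {other_cidr}")
    print("routes:", routes, "preflight_ok:", preflight_ok(SAMPLE_ATTACHMENTS))
```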
Connecting two VPCs with identical CIDRs to the same Transit Gateway (TGW) and routing traffic between them is not smart and should be avoided because AWS relies on unique CIDRs to route traffic. When VPCs have overlapping CIDRs, the TGW alone cannot handle this situation. However, you can work around this issue by using Network Address Translation (NAT) to modify the source or destination IP addresses of the traffic to ensure it can be properly routed between the VPCs. Here are the general steps to accomplish this:
**DISCLAIMER**: I do not recommend this solution, but it is doable.
- Create Two VPCs: Set up your two VPCs as you normally would, but make sure they have different CIDR blocks. This is a crucial step to avoid IP conflicts.
- Create a Transit Gateway: Create a Transit Gateway (TGW) in your AWS account if you haven't already done so. Attach both VPCs to the TGW.
- Create NAT Gateways/Instances:
  - In each VPC, set up a NAT Gateway or NAT instance.
  - Configure the NAT Gateway/Instance in VPC A to translate the source IP of outgoing packets from VPC A to a unique IP range (e.g., a private IP range within VPC A that doesn't conflict with VPC B's CIDR).
  - Similarly, configure the NAT Gateway/Instance in VPC B to translate the source IP of outgoing packets from VPC B to a unique IP range.
- Update Routing Tables:
  - In each VPC, update the route table to send traffic destined for the other VPC to the respective NAT Gateway/Instance. This will ensure that traffic leaving one VPC is translated correctly before being sent to the other VPC.
- Security Groups and NACLs:
  - Ensure that the security groups and Network ACLs (NACLs) in both VPCs allow the necessary traffic to flow through the NAT Gateways/Instances.
- Test everything:
  - Test the connectivity between the VPCs and monitor the network traffic to ensure it's working as expected.
This approach effectively translates the source IP address of the packets leaving each VPC, allowing them to traverse the TGW and reach the other VPC without IP conflicts.
Remember that this solution introduces unnecessary complexity and can impact performance due to the NAT. It's highly recommended to use non-overlapping CIDRs whenever possible to simplify networking not just in AWS, but in networking in general. If you absolutely must use overlapping CIDRs for some reason, consider readdressing one of the VPCs to avoid these complexities. Good Luck!
The other two answers are correct - you can attach VPCs to Transit Gateway with overlapping IP addresses but it is not easy to get them to communicate with each other.
My strong recommendation is to change the IP addressing to avoid overlaps. That isn't easy but it avoids pain, expense and additional work later. For more information: https://aws.amazon.com/blogs/networking-and-content-delivery/connecting-networks-with-overlapping-ip-ranges/
Thank you kindly for the feedback ... In the end we opted to bypass the transit gateway for these legacy environments and use direct peering instead, which mitigated the need to have duplicate CIDR ranges on the TGW.