AWS Transit Gateway - Overlapping VPC

I have the following VPCs (examples) in different accounts and different OUs. All VPCs are attached to a single transit gateway (TGW).

  • DEV 10.88.0.0/24
  • CI 10.90.0.0/24
  • PROD 10.87.0.0/24
  • LEGACY_DEV 10.20.0.0/24
  • LEGACY_PROD 10.20.0.0/24

Note: Legacy has the same CIDR range

In order to segregate traffic, each one sits in its own Transit Gateway routing table, so that DEV can see CI and LEGACY_DEV but not PROD, and vice versa.

DEV Routing Table

  • Propagates CI (10.90.0.0/24)
  • Propagates LEGACY_DEV (10.20.0.0/24)

PROD Routing Table

  • Propagates CI (10.90.0.0/24)
  • Propagates LEGACY_PROD (10.20.0.0/24)

CI Routing Table

  • Propagates DEV (10.88.0.0/24)
  • Propagates PROD (10.87.0.0/24)

Legacy Dev Routing Table

  • Propagates DEV (10.88.0.0/24)

Legacy Prod Routing Table

  • Propagates PROD (10.87.0.0/24)

The issue I have is the overlapping CIDR ranges of Legacy DEV and Legacy PROD. The transit gateway docs suggest this should not work; you cannot connect two VPCs with the same CIDR range to the same TGW.

However, no error was thrown when I connected the two legacy networks. I was also able to place instances in the DEV network and SSH to an instance in LEGACY_DEV, and the same with PROD -> LEGACY_PROD, without allowing traffic to cross DEV -> LEGACY_PROD. The only difference here is the use of isolated transit routing tables.

Is this the suggested way around overlapping CIDR ranges, or is this working but probably unstable / strange routing?

asked 8 months ago, 1383 views
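The isolation described in the question can be modelled offline to see why no conflict surfaced. This is an added Python example, not code from the post or from AWS: it builds each TGW route table from its propagations, skipping any CIDR that overlaps a route already in that table (assumption: the first propagation wins, which approximates the FAQ's "will not propagate" behaviour), then resolves next hops from each attachment's own table. The attachment names and CIDRs are the ones given in the question.

```python
import ipaddress

# Constructed model of the question's layout: attachment name -> VPC CIDR.
VPCS = {
    "DEV": "10.88.0.0/24",
    "CI": "10.90.0.0/24",
    "PROD": "10.87.0.0/24",
    "LEGACY_DEV": "10.20.0.0/24",
    "LEGACY_PROD": "10.20.0.0/24",   # identical to LEGACY_DEV
}

# TGW route table -> attachments whose CIDR propagates into it (from the question).
PROPAGATIONS = {
    "DEV": ["CI", "LEGACY_DEV"],
    "PROD": ["CI", "LEGACY_PROD"],
    "CI": ["DEV", "PROD"],
    "LEGACY_DEV": ["DEV"],
    "LEGACY_PROD": ["PROD"],
}

# Each attachment is associated with its own route table (the isolation in the question).
ASSOCIATION = {name: name for name in VPCS}


def build_route_tables(vpcs, propagations):
    """Return ({table: {network: attachment}}, conflicts).
    A propagation whose CIDR overlaps a route already in the table is skipped and
    recorded as (table, skipped_attachment, existing_attachment).
    Assumption: first propagation wins; this only approximates TGW behaviour."""
    tables, conflicts = {}, []
    for table, attachments in propagations.items():
        routes = {}
        for att in attachments:
            net = ipaddress.ip_network(vpcs[att])
            clash = [a for n, a in routes.items() if n.overlaps(net)]
            if clash:
                conflicts.append((table, att, clash[0]))
                continue
            routes[net] = att
        tables[table] = routes
    return tables, conflicts


def next_hop(src, dst_ip, vpcs, propagations, association):
    """Attachment a packet from src toward dst_ip is forwarded to, or None (blackholed)."""
    tables, _ = build_route_tables(vpcs, propagations)
    ip = ipaddress.ip_address(dst_ip)
    matches = [(n, a) for n, a in tables[association[src]].items() if ip in n]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]   # longest prefix match
```

With the per-environment tables there is no conflict and 10.20.0.0/24 resolves differently from DEV and from PROD; putting every attachment into one shared table reproduces the FAQ's non-propagation for the second legacy VPC.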
4 Answers

You can connect two VPCs with identical CIDRs to the same TGW, but you can't route between them.

Q: Can I connect Amazon VPCs with identical CIDRs?

AWS Transit Gateway doesn’t support routing between Amazon VPCs with identical CIDRs. If you attach a new Amazon VPC that has a CIDR which is identical to an already attached Amazon VPC, AWS Transit Gateway will not propagate the new Amazon VPC route into the AWS Transit Gateway route table.

https://aws.amazon.com/transit-gateway/faqs/

Matt_E (AWS)
answered 8 months ago

Connecting two VPCs with identical CIDRs to the same Transit Gateway (TGW) and routing traffic between them is not smart and should be avoided, because AWS relies on unique CIDRs to route traffic. When VPCs have overlapping CIDRs, the TGW alone cannot handle this situation. However, you can work around this issue by using Network Address Translation (NAT) to modify the source or destination IP addresses of the traffic to ensure it can be properly routed between the VPCs. Here are the general steps to accomplish this:

**DISCLAIMER**: I do not recommend this solution, but it is doable.

  1. Create Two VPCs: Set up your two VPCs as you normally would, but make sure they have different CIDR blocks. This is a crucial step to avoid IP conflicts.
  2. Create a Transit Gateway: Create a Transit Gateway (TGW) in your AWS account if you haven't already done so. Attach both VPCs to the TGW.
  3. Create NAT Gateways/Instances:
  • In each VPC, set up a NAT Gateway or NAT instance.
  • Configure the NAT Gateway/Instance in VPC A to translate the source IP of outgoing packets from VPC A to a unique IP range (e.g., a private IP range within VPC A that doesn't conflict with VPC B's CIDR).
  • Similarly, configure the NAT Gateway/Instance in VPC B to translate the source IP of outgoing packets from VPC B to a unique IP range.
  4. Update Routing Tables:
  • In each VPC, update the route table to send traffic destined for the other VPC to the respective NAT Gateway/Instance. This will ensure that traffic leaving one VPC is translated correctly before being sent to the other VPC.
  5. Security Groups and NACLs:
  • Ensure that the security groups and Network ACLs (NACLs) in both VPCs allow the necessary traffic to flow through the NAT Gateways/Instances.
  6. Test everything:
  • Test the connectivity between the VPCs and monitor the network traffic to ensure it's working as expected.

This approach effectively translates the source IP address of the packets leaving each VPC, allowing them to traverse the TGW and reach the other VPC without IP conflicts.

Remember that this solution introduces unnecessary complexity and can impact performance due to the NAT. It's highly recommended to use non-overlapping CIDRs whenever possible to simplify networking not just in AWS, but in networking in general. If you absolutely must use overlapping CIDRs for some reason, consider readdressing one of the VPCs to avoid these complexities. Good Luck!

JC (AWS)
answered 8 months ago

The other two answers are correct - you can attach VPCs to Transit Gateway with overlapping IP addresses but it is not easy to get them to communicate with each other.

My strong recommendation is to change the IP addressing to avoid overlaps. That isn't easy but it avoids pain, expense and additional work later. For more information: https://aws.amazon.com/blogs/networking-and-content-delivery/connecting-networks-with-overlapping-ip-ranges/

AWS EXPERT
answered 8 months ago

Thank you kindly for the feedback ... In the end we opted to bypass the transit gateway for these legacy environments and use direct peering instead, which mitigated the need to have duplicate CIDR ranges on the TGW.

answered 8 months ago
