TGW-VPN with 2 Customers having overlapping on-prem CIDRs and Firewall in Inspection-VPC


Hi,

I have two clients and both are using 172.22.0.0/16 in their on-prem network.

I have established IPsec VPNs with both (using static routing) and have terminated the VPN on a TGW in eu-west-1 for both. Each customer connects to their respective VPC (no overlapping CIDRs in the VPCs). Customer-A connects to VPC-A. Customer-B connects to VPC-B.

I'm making use of separate route tables for each of them. There are a total of 4 route tables. Customer-A traffic gets routed to VPC-A using VPN-A-RT. Return traffic gets back to Customer-A using VPC-A-RT. Customer-B traffic gets routed to VPC-B using VPN-B-RT. Return traffic gets back to Customer-B using VPC-B-RT.

Now, I need to put an AWS Network Firewall (ANFW) in an Inspection-VPC and filter both VPNs' traffic. What I can do is route traffic for each VPN, using its respective route table, to the Inspection-VPC. Using a Firewall-RT, I can then forward traffic to their respective VPCs.

Issue/Problem: When I get the (response) traffic back from the VPCs (VPC-A and VPC-B) to the Inspection-VPC, how do I make sure that the response traffic eventually gets back to each customer properly, given that both use 172.22.0.0/16 on-prem? Using the Firewall-RT, I can route the return traffic to only one customer's VPN, either Customer-A's or Customer-B's.

Can this issue be fixed by using policies in Cloud WAN? Can I make use of Cloud WAN for a single TGW (or completely replace the TGW with a Core Network in a Global Network) and use segments, policies and/or tags so that I can do more policy-based routing in this scenario? At this time, I'm trying to find a solution which does not involve a private NAT sort of thing to manage the overlapping on-prem CIDRs.

1 Answer

Because your clients are using the same IP range your options are limited.

Network Firewall doesn't support different networks with overlapping IP addresses. But what you can do is create a separate VPC for each client and put Network Firewall endpoints in each VPC. You're essentially creating separate infrastructure for each client. This is necessary because (as you point out): How will the network know which 172.22.0.0/16 network to send the traffic back to? It doesn't - so separate VPCs and endpoints are the way to go.

In the larger scheme of things, if you're able to use PrivateLink to present your application(s) to your client it will make everything much simpler. More options are discussed in this blog post.

AWS
EXPERT
answered 2 years ago
  • Thanks, Brettski. I'll take a detailed look at the blog which I skimmed through just yesterday when I was searching for some relevant solution to my problem.

    I've also been going through the available docs on Cloud WAN. I think even if I use segments in the core network, my issue will still persist. Segment routing will still not be able to handle the forwarding of traffic for 172.22/16 to the customers' VPNs. What's your take on it?

    Thanks again for the response.

  • Cloud WAN doesn't bring any solution for overlapping IP addresses: it's great for setting up policies and ensuring that different groups of applications can/can't communicate. So it might be helpful here, but not in solving the overlap issue.
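To make the two layouts concrete, here is a small simulation of Transit Gateway route-table behaviour, added as an example (it is not code from the question, the answer or AWS). It models only the TGW rules that matter here: each attachment is associated with exactly one route table, lookups are longest-prefix match, and a route table can hold at most one route per destination CIDR. The attachment names, the VPC CIDRs (10.1.0.0/16 for VPC-A, 10.2.0.0/16 for VPC-B) and the sample addresses are assumptions; the shared 172.22.0.0/16 on-prem range is from the question. The inspection VPC's own subnet route tables and the firewall endpoint are collapsed into the attachment: a packet sent to an inspection attachment is treated as re-entering the TGW on that same attachment after inspection.

```python
"""Toy model of TGW route tables: why one shared Firewall-RT cannot return
traffic to two VPNs that both advertise 172.22.0.0/16, and why one inspection
VPC (and therefore one firewall route table) per client does.

Attachment names and VPC CIDRs are assumptions made for this example.
"""
import ipaddress

ONPREM = "172.22.0.0/16"  # both customers' on-prem range, from the question


class RouteTable:
    """A TGW route table: destination prefix -> next-hop attachment."""

    def __init__(self, name):
        self.name = name
        self.routes = {}

    def add_route(self, prefix, attachment):
        net = ipaddress.ip_network(prefix)
        # A TGW route table holds at most one route per destination CIDR, so a
        # second 172.22.0.0/16 entry is rejected rather than silently merged.
        if net in self.routes:
            raise ValueError(
                f"{self.name}: {prefix} already routes to {self.routes[net]}")
        self.routes[net] = attachment

    def lookup(self, dst):
        """Longest-prefix match, as the TGW does; None when nothing matches."""
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]


class TransitGateway:
    """Each attachment is associated with one route table, which is the table
    consulted for packets *entering* the TGW from that attachment."""

    def __init__(self, inspection_attachments):
        self.assoc = {}
        self.inspection = set(inspection_attachments)

    def associate(self, attachment, table):
        self.assoc[attachment] = table

    def trace(self, ingress, dst, max_hops=4):
        """Follow one packet hop by hop. Traffic handed to an inspection
        attachment comes back from the firewall on the same attachment, so
        the next lookup uses that attachment's associated table."""
        path = [ingress]
        here = ingress
        for _ in range(max_hops):
            nxt = self.assoc[here].lookup(dst)
            path.append(nxt)
            if nxt is None or nxt not in self.inspection:
                return path
            here = nxt
        raise RuntimeError(f"routing loop: {path}")


def shared_firewall_rt_conflict():
    """The questioner's plan: one Inspection-VPC with one Firewall-RT. The
    second return route for 172.22.0.0/16 cannot be installed at all."""
    fw_rt = RouteTable("Firewall-RT")
    fw_rt.add_route("10.1.0.0/16", "vpc-a")
    fw_rt.add_route("10.2.0.0/16", "vpc-b")
    fw_rt.add_route(ONPREM, "vpn-a")
    try:
        fw_rt.add_route(ONPREM, "vpn-b")
    except ValueError as err:
        return str(err)
    return None


def client_tables(tgw, suffix, vpc_cidr):
    """One client's private set of tables: VPN -> firewall -> VPC and back.
    Nothing in them references the other client's attachments."""
    vpn, vpc, fw = f"vpn-{suffix}", f"vpc-{suffix}", f"inspection-{suffix}"
    vpn_rt = RouteTable(f"VPN-{suffix.upper()}-RT")
    vpn_rt.add_route(vpc_cidr, fw)
    vpc_rt = RouteTable(f"VPC-{suffix.upper()}-RT")
    vpc_rt.add_route(ONPREM, fw)
    fw_rt = RouteTable(f"Firewall-{suffix.upper()}-RT")
    fw_rt.add_route(vpc_cidr, vpc)
    fw_rt.add_route(ONPREM, vpn)  # only this client's VPN: no ambiguity
    tgw.associate(vpn, vpn_rt)
    tgw.associate(vpc, vpc_rt)
    tgw.associate(fw, fw_rt)


def build_separated():
    """The answer's design: an inspection VPC and firewall endpoint per
    client, so each firewall attachment gets its own route table."""
    tgw = TransitGateway(inspection_attachments={"inspection-a", "inspection-b"})
    client_tables(tgw, "a", "10.1.0.0/16")  # assumed VPC-A CIDR
    client_tables(tgw, "b", "10.2.0.0/16")  # assumed VPC-B CIDR
    return tgw


if __name__ == "__main__":
    print(shared_firewall_rt_conflict())
    tgw = build_separated()
    for ingress, dst in [("vpn-a", "10.1.4.7"), ("vpc-a", "172.22.10.5"),
                         ("vpn-b", "10.2.4.7"), ("vpc-b", "172.22.10.5"),
                         ("vpc-a", "10.2.4.7")]:
        print(f"{ingress} -> {dst}: {tgw.trace(ingress, dst)}")
```

The last trace (VPC-A towards VPC-B's CIDR) ends in None, which is the side benefit of the per-client layout: the two tenants have no route to each other unless one is deliberately added, so the overlap fix and the isolation fall out of the same route-table design.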
