Hari Karthigasu


When multiple identical VPC CIDRs compete for an AWS Transit Gateway!

We recently had to integrate with one of our service providers in my organization. Both entities operate on AWS, and the service provider exclusively supports Transit Gateway integration.

Throughout the integration process, we faced an issue with VPC CIDR overlap. We were not able to attach our VPC to their transit gateway due to a VPC CIDR overlap.


What is IP overlapping?

IP overlap occurs when two or more networks use the same ranges of IP addresses.

  1. PROBLEM

SERVICE B should be able to access SERVICE A via the transit gateway. However, account B’s CIDR could not be attached, as the transit gateway already had an attachment with an identical CIDR.

Q: Does AWS Transit Gateway support overlapping VPC CIDRs?

Amazon Transit Gateway doesn’t support routing between Amazon VPCs with overlapping CIDRs. If you attach a new Amazon VPC that has a CIDR which overlaps with an already attached Amazon VPC, Amazon Transit Gateway will not propagate the new Amazon VPC route into the Amazon Transit Gateway route table. (Source)

2. PROPOSALS

  • Creating a new VPC with a different CIDR and attaching it to the transit gateway would easily resolve this issue. However, in reality, network migration can be a hassle. Therefore, we chose to decline this option.
  • Create a new VPC with a different CIDR, 10.2.0.0/26, attach it to the transit gateway and enable VPC peering between 10.1.0.0/26 and 10.2.0.0/26. Add a route 10.0.0.0/8 -> TRANSIT GATEWAY in 10.2.0.0/26.

The VPC peering option didn’t work, as VPC peering doesn’t support transitive routing: traffic from 10.1.0.0/26 cannot reach the transit gateway through the peered 10.2.0.0/26 VPC. :(

So, what should be done when multiple identical VPC CIDRs compete for an AWS Transit Gateway?

There may be several ways to fix this. Here I’ll share the solution that we implemented and that worked for us.

3. SOLUTION

We need a non-conflicting VPC CIDR, such as 10.2.0.0/26, that can be attached to the transit gateway. Traffic from 10.1.0.0/26 to 10.0.0.0/8 should then be routed, or NATed, via 10.2.0.0/26.

  • AWS VPC secondary CIDR

In AWS, a secondary CIDR block can be associated with a Virtual Private Cloud (VPC) to expand the address range of the VPC. AWS can have up to four secondary CIDR blocks associated with it. Each secondary CIDR block must be unique and non-overlapping with the VPC’s primary CIDR block as well as any other secondary CIDR blocks associated with the VPC.

[Figures: Add a secondary CIDR to VPC; VPC with two CIDRs; Routes between two VPC CIDRs]

When you associate a secondary CIDR block with a VPC in AWS, the corresponding local route is automatically added to the main route table of the VPC. Therefore, you don’t need to manually add a route for the secondary CIDR block in this case. This entry tells the VPC that it can reach the 10.2.0.0/26 and 10.1.0.0/26 subnets locally.

It allows us to route traffic from 10.1.0.0/26 to 10.2.0.0/26 effortlessly, and at the same time we can attach 10.2.0.0/26 to the transit gateway.

What’s next? We need a NAT gateway in the secondary CIDR to NAT the traffic and forward it to the destination.

  • Private NAT Gateway

Private NAT gateway uses a unique private IP address to perform network address translation for the overlapping source IP address, and a unique destination IP address that load balances the destination overlapping IP address. You can route traffic from your private NAT gateway to other VPCs or on-premises network using Transit Gateway or virtual private gateway (Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/private-nat-gateway.html).

We cooked our recipe using these two ingredients. As shown in the diagram, traffic from 10.1.0.0/26 destined for 10.0.0.0/8 is routed to the NAT gateway running in 10.2.0.0/26. From there, it is NATed and routed to the transit gateway.
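The full recipe written out as Terraform, as an added example and not the post’s own configuration: it assumes an existing VPC aws_vpc.main with primary CIDR 10.1.0.0/26, a route table aws_route_table.app used by the application subnets, and the provider’s transit gateway ID in var.transit_gateway_id (all hypothetical names).

```hcl
# Added example, not the post's own code. Assumes existing aws_vpc.main (10.1.0.0/26),
# aws_route_table.app (used by the 10.1.0.0/26 subnets) and var.transit_gateway_id.
variable "transit_gateway_id" { type = string }

# 1. Secondary CIDR; AWS adds the local routes for both /26s automatically.
resource "aws_vpc_ipv4_cidr_block_association" "secondary" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.2.0.0/26"
}

# 2. Subnet in the secondary CIDR for the NAT gateway and the TGW attachment ENI.
resource "aws_subnet" "tgw" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.2.0.0/27"
  depends_on = [aws_vpc_ipv4_cidr_block_association.secondary]
}

# 3. Private NAT gateway: sources in 10.1.0.0/26 leave with a 10.2.0.0/26 address.
resource "aws_nat_gateway" "private" {
  subnet_id         = aws_subnet.tgw.id
  connectivity_type = "private" # no Elastic IP, no internet path
}

# 4. Only the secondary-CIDR subnet is attached to the provider's transit gateway.
resource "aws_ec2_transit_gateway_vpc_attachment" "provider" {
  transit_gateway_id = var.transit_gateway_id
  vpc_id             = aws_vpc.main.id
  subnet_ids         = [aws_subnet.tgw.id]
}

# 5. App route table: 10.0.0.0/8 -> NAT gateway. The automatic local routes for
#    10.1.0.0/26 and 10.2.0.0/26 are more specific, so intra-VPC traffic is never NATed.
resource "aws_route" "app_to_nat" {
  route_table_id         = aws_route_table.app.id
  destination_cidr_block = "10.0.0.0/8"
  nat_gateway_id         = aws_nat_gateway.private.id
}

# 6. Route table for the TGW subnet (the NAT gateway forwards using this table).
resource "aws_route_table" "tgw" { vpc_id = aws_vpc.main.id }
resource "aws_route_table_association" "tgw" {
  subnet_id      = aws_subnet.tgw.id
  route_table_id = aws_route_table.tgw.id
}
resource "aws_route" "tgw_subnet_to_tgw" {
  route_table_id         = aws_route_table.tgw.id
  destination_cidr_block = "10.0.0.0/8"
  transit_gateway_id     = var.transit_gateway_id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.provider]
}
```

Because the private NAT gateway rewrites every source address to one in 10.2.0.0/26, the provider’s transit gateway route table only ever sees 10.2.0.0/26, which is why the 10.1.0.0/26 overlap no longer matters. Return traffic from 10.0.0.0/8 must be able to reach 10.2.0.0/26 through the attachment, so check that the provider’s transit gateway route table carries that route.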

In conclusion, this setup efficiently manages the flow of traffic, ensuring a smooth and secure network operation.

HAPPY NETWORKING!
