S2S VPN host address within CIDR range of VPC (10.0.0.0/16)

0

Hello,

For the last few days I have been unsuccessfully trying to set up a S2S VPN connection from an AWS VPC subnet (10.0.10.0/24) to an on-prem host whose address (10.0.50.1/32) is covered by the VPC CIDR (10.0.0.0/16). I've tried to use a Virtual Private Gateway and a Transit Gateway, but there's a problem with the VPC routing table, which cannot contain any route that is equal to or more specific than its CIDR blocks.

Any ideas about how to achieve this or whether it is possible at all without using NAT?

Thanks in advance

1 Answer
1
Accepted Answer

It is highly recommended not to use overlapping CIDRs; if at all possible I would suggest re-IPing your VPC. AWS VGW or TGW does not natively support NATing, which means you would need to deploy a 3rd-party firewall on an EC2 instance.

A few things to note about VPC routing: you can propagate VGW VPN routes automatically into the VPC route table, and the VGW advertises the full VPC CIDR (not a subset) towards on-premises (CGW). If your VPN is configured on a TGW, it doesn't support route propagation to the VPC (unlike a VGW), so you need to configure static routes in the VPC pointing towards the TGW; in the TGW scenario you can advertise a subset of your VPC CIDR towards the on-premises CGW, because the VPN encryption domain is decided by the TGW route table in this case.

In any case I would suggest avoiding overlapping CIDRs.

AWS EXPERT
answered 2 years ago
Toni_S, AWS EXPERT
reviewed 2 years ago
  • Thanks for the detailed explanation. Regarding the VGW VPN, does a propagated network address need to be outside of the VPC CIDR to be installed in the VPC routing table, since the local route is most preferred even when propagated routes are more specific?

  • Not possible with VGW; there is a solution for TGW (https://github.com/aws-samples/aws-transit-gateway-overlapping-cidrs), but then again it is highly recommended to re-IP your VPC space and just avoid overlapping IP spaces, as it will save you complex troubleshooting and managing and maintaining NATs.
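As an added example that is not part of the thread above, the following Python script models the two VPC routing rules the answer relies on: a route table rejects any destination that is equal to or more specific than a VPC CIDR, and for everything it does accept the local route still wins by longest-prefix match. It uses the addresses from the question (10.0.0.0/16, 10.0.10.0/24, 10.0.50.1/32); the route target `vgw-EXAMPLE` and the helper names are assumptions for illustration, not AWS APIs.

```python
import ipaddress

# Addresses from the question (VPC CIDR, VPC subnet, on-prem host).
VPC_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]
VPC_SUBNET = ipaddress.ip_network("10.0.10.0/24")
ONPREM_PREFIXES = [ipaddress.ip_network("10.0.50.1/32")]


def route_accepted_by_vpc(destination, vpc_cidrs=VPC_CIDRS):
    """Model of the VPC route table rule: a destination that is equal to or
    more specific than (a subnet of) any VPC CIDR cannot be added, whether
    it is a static route or one propagated from a VGW."""
    dest = ipaddress.ip_network(destination, strict=False)
    for cidr in vpc_cidrs:
        if dest.version == cidr.version and dest.subnet_of(cidr):
            return False
    return True


def overlapping_prefixes(onprem_prefixes, vpc_cidrs=VPC_CIDRS):
    """Planning check: list the on-prem prefixes that overlap a VPC CIDR.
    Any hit here is a candidate for re-IPing before the VPN is built."""
    hits = []
    for prefix in onprem_prefixes:
        for cidr in vpc_cidrs:
            if prefix.version == cidr.version and prefix.overlaps(cidr):
                hits.append((str(prefix), str(cidr)))
    return hits


# Constructed route table: the implicit local route plus a less-specific
# route towards the VPN gateway (placeholder target id, not a real one).
ROUTE_TABLE = [
    (ipaddress.ip_network("10.0.0.0/16"), "local"),
    (ipaddress.ip_network("10.0.0.0/8"), "vgw-EXAMPLE"),
]


def lookup(route_table, dst_ip):
    """Longest-prefix match, the way the VPC route table chooses a target."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for net, target in route_table:
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


if __name__ == "__main__":
    for dest in ["10.0.50.1/32", "10.0.0.0/16", "10.0.0.0/8", "192.168.0.0/16"]:
        print(f"{dest:>16}: {'accepted' if route_accepted_by_vpc(dest) else 'REJECTED'}")
    print("overlaps:", overlapping_prefixes(ONPREM_PREFIXES))
    # Even with a 10.0.0.0/8 route towards the VGW installed, traffic from the
    # subnet to the on-prem host still matches the /16 local route.
    print("10.0.50.1 ->", lookup(ROUTE_TABLE, "10.0.50.1"))
    print("10.5.0.1  ->", lookup(ROUTE_TABLE, "10.5.0.1"))
```

The third case is the one that trips people up: a less-specific route such as 10.0.0.0/8 towards the gateway is accepted by the VPC, but the local /16 still wins for 10.0.50.1, which is why only a NAT (or a re-IP) can make the on-prem host reachable.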
