By using AWS re:Post, you agree to the Terms of Use

S2S VPN host address within CIDR range of VPC (10.0.0.0/16)

0

Hello,

Since last few days I was unsuccessfully trying to setup a S2S VPN connection from AWS VPC subnet (10.0.10.0/24) to the on-prem host which address (10.0.50.1/32) is covered by the VPC CIDR (10.0.0.0/16). I've tried to use Virtual Private Gateway and Transit Gateway but there's a problem with VPC routing table which cannot contain any route that is equal or more specific than it's CIDR blocks.

Any ideas about how to achieve this or whether it is possible at all without using NAT?

Thanks in advance

1 Answer
1
Accepted Answer

It is highly recommended to not use overlapping CIDRs, if at all possible I would suggest to ReIP your VPC. AWS VGW or TGW does not natively support NATing which means you would need to deploy a 3rd party firewall on an EC2 instance.

Few things to note about VPC routing - You can propagate VGW VPN routes automatically into the VPC route table, VGW advertises full VPC CIDR (not a subset) towards on-premises (CGW) ; If your VPN is configured on TGW it doesn't support route propagation to VPC (unlike VGW) you need to configure Static routes in VPC pointing towards TGW, in TGW scenario you can advertise subset of your VPC CIDR towards on-premises CGW because the VPN encryption domain is decided by the TGW route table in this case.

In any case I would suggest avoiding overlapping CIDRs.

profile picture
answered a month ago
profile picture
EXPERT
reviewed a month ago
  • Thanks for a detailed explanation. Regarding the VGW VPN, a propagated network address needs to be outside of the VPC CIDR to be installed in VPC routing table as local route is most preferred when propagated routes are more specific?

  • Not possible with VGW, there is a solution for TGW https://github.com/aws-samples/aws-transit-gateway-overlapping-cidrs but then again it is highly recommended to Re-IP your VPC space and just avoid overlapping IP spaces, it will save you complex troubleshooting, managing and maintaining NATs.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions