- Newest
- Most votes
- Most comments
It is highly recommended to not use overlapping CIDRs, if at all possible I would suggest to ReIP your VPC. AWS VGW or TGW does not natively support NATing which means you would need to deploy a 3rd party firewall on an EC2 instance.
Few things to note about VPC routing - You can propagate VGW VPN routes automatically into the VPC route table, VGW advertises full VPC CIDR (not a subset) towards on-premises (CGW) ; If your VPN is configured on TGW it doesn't support route propagation to VPC (unlike VGW) you need to configure Static routes in VPC pointing towards TGW, in TGW scenario you can advertise subset of your VPC CIDR towards on-premises CGW because the VPN encryption domain is decided by the TGW route table in this case.
In any case I would suggest avoiding overlapping CIDRs.
Relevant content
- asked a year ago
- asked 3 years ago
AWS OFFICIALUpdated 3 years ago- AWS OFFICIALUpdated 4 months ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 3 years ago
Thanks for a detailed explanation. Regarding the VGW VPN, a propagated network address needs to be outside of the VPC CIDR to be installed in VPC routing table as local route is most preferred when propagated routes are more specific?
Not possible with VGW, there is a solution for TGW https://github.com/aws-samples/aws-transit-gateway-overlapping-cidrs but then again it is highly recommended to Re-IP your VPC space and just avoid overlapping IP spaces, it will save you complex troubleshooting, managing and maintaining NATs.