Transit Gateway Route Precedence with Overlapping VPC CIDRs

0

I am looking for guidance on Transit Gateway route propagation behavior with overlapping CIDR blocks from multiple VPC attachments.

I have a Transit Gateway with multiple VPC attachments. Two VPCs have overlapping CIDR ranges (10.0.0.0/16). When both VPCs propagate routes to the Transit Gateway route table, which route takes precedence, and how does Transit Gateway handle traffic destined for the overlapping CIDR?

3 Answers
5

It is important to note that if two VPCs propagate the exact same CIDR prefix (e.g., both are 10.0.0.0/16) and no static route exists, the Transit Gateway does not perform Equal-Cost Multi-Path (ECMP) routing or load balancing between them. In this scenario, the routing behavior becomes non-deterministic.

Effectively, the Transit Gateway cannot distinguish between the two paths for the same destination. To ensure reliable traffic flow, you must either:

  • Use a Static Route to manually point to the preferred VPC.
  • Use more specific prefixes (Longest Prefix Match) for one of the attachments.
  • Implement Network Address Translation (NAT) if both VPCs need to be reachable simultaneously despite the overlap.

Solution for Overlapping CIDRs: Private NAT Gateway

When two VPCs with identical CIDRs (e.g., both 10.0.0.0/16) need to communicate, you cannot route between them directly. To resolve this, you implement a "Translation VPC" or use Private NAT Gateways in each VPC to map the overlapping addresses to a unique, non-overlapping range.

1. Inventory Unique IP Space:

Assign a new, unique CIDR block to each VPC specifically for transit (e.g., VPC A gets 192.168.1.0/24 and VPC B gets 192.168.2.0/24).

2. Deploy Private NAT Gateways:

Place a Private NAT Gateway in a subnet of each VPC.

3. Address Translation:

When an instance in VPC A wants to talk to VPC B, it sends traffic to the unique IP (192.168.2.x).

  • The Private NAT Gateway in VPC B receives this and translates the destination back to the actual overlapping IP (10.0.x.x).

4. TGW Routing:

The Transit Gateway route table now only sees the unique 192.168.x.x routes, eliminating the overlap conflict and ensuring deterministic routing.

Note: This setup requires careful planning of the Route Tables within the VPCs (pointing the unique ranges to the TGW) and the TGW Route Table itself.

see -> https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/private-nat-gateway.html

EXPERT
answered 2 months ago
EXPERT
reviewed 2 months ago
4
Accepted Answer

Transit Gateway does NOT support overlapping CIDR blocks across VPC attachments in the same route table. You need to remember a few things:

  • When you enable route propagation from VPC attachments with overlapping CIDRs, Transit Gateway will accept the first propagated route and reject subsequent overlapping routes from other attachments.

  • Traffic destined for the overlapping CIDR will only route to the VPC whose route was accepted first. The other VPC with the same CIDR becomes unreachable through that route table.

  • Design your VPC CIDR blocks to be non-overlapping when using Transit Gateway. Use RFC 1918 address space strategically: VPC-A: 10.0.0.0/16, VPC-B: 10.1.0.0/16, VPC-C: 10.2.0.0/16

  • If overlapping CIDRs are unavoidable, use separate Transit Gateway route tables with route table associations to isolate the overlapping networks. However, these VPCs cannot communicate with each other through Transit Gateway. Or you can take advantage of the solutions below for bidirectional connectivity:

Option 1 - Secondary VPC CIDRs and Transit gateway (TGW) with more specific routing: If you add secondary CIDRs to the VPCs, you can then create non-overlapping subnets and then deploy/move (or create ENI-Network interfaces in the new subnet and associate it with the instances) your resources into those subnets. You can further interconnect the overlapping IP VPCs using TGW. [+] https://aws.amazon.com/blogs/networking-and-content-delivery/connecting-networks-with-overlapping-ip-ranges/

Option 2 - Using Bidirectional NAT (twice NAT) along with Transit Gateway (TGW) for connectivity. Note: This solution is complex, with bottlenecks on the NAT instances and increased overall overhead. This solution will only work for 2 overlapping VPCs and not with 3 or more. [+] https://github.com/aws-samples/aws-transit-gateway-overlapping-cidrs

AWS
answered 2 months ago
EXPERT
reviewed 2 months ago
EXPERT
reviewed 2 months ago
0

When you have multiple VPC attachments with overlapping CIDR blocks propagating routes to a Transit Gateway route table, the behavior follows specific precedence rules:

Route Precedence: Static routes always take precedence over propagated routes with the same destination. If you have two VPCs with identical CIDR ranges (10.0.0.0/16) propagating routes, and you want to control which VPC receives the traffic, you would need to add a static route pointing to your preferred VPC attachment. Without a static route, the Transit Gateway will handle the overlapping propagated routes, but the selection may not be deterministic.

Handling Overlapping CIDRs: When dealing with overlapping CIDR blocks from propagated routes, it's important to understand that more specific routes always take priority regardless of whether they are static or propagated. However, when you have identical CIDR blocks (same specificity) from multiple propagated routes, you should use static routes to explicitly define which attachment should handle the traffic.

Best Practice: To avoid ambiguity and ensure predictable routing behavior, you should verify your route table configuration and confirm that each attachment is associated with its intended route table with proper route propagation enabled. If you need to override a propagated route or control traffic flow between overlapping CIDRs, add a static route to the Transit Gateway route table pointing to the desired VPC attachment. If you later remove that static route, the Transit Gateway will then prioritize any overlapping propagated routes that remain in the route table.

This approach gives you explicit control over traffic routing when dealing with overlapping CIDR ranges across multiple VPC attachments.
Sources
How route priority works - Amazon Virtual Private Cloud
Monitor transit gateway routes and detect configuration changes | AWS re:Post

answered 2 months ago
EXPERT
reviewed 2 months ago
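The precedence rules described in the first and third answers (longest prefix wins, a static route beats a propagated one of the same length, and identical propagated prefixes from two attachments are ambiguous) can be checked offline before touching a real route table. The following is an added example, not code from any answer above or from AWS: it models a TGW route table as constructed sample entries (the `tgw-attach-vpc-*` ids are made up) and flags the overlap instead of silently picking a path.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TgwRoute:
    cidr: str
    attachment_id: str   # constructed sample ids, not real attachments
    route_type: str      # "static" or "propagated"


# Constructed sample route table: VPC A and VPC B both propagate 10.0.0.0/16.
SAMPLE_TABLE = [
    TgwRoute("10.0.0.0/16", "tgw-attach-vpc-a", "propagated"),
    TgwRoute("10.0.0.0/16", "tgw-attach-vpc-b", "propagated"),
    TgwRoute("10.1.0.0/16", "tgw-attach-vpc-c", "propagated"),
    TgwRoute("192.168.1.0/24", "tgw-attach-vpc-a", "propagated"),
]


def find_overlaps(routes):
    """Return {cidr: [attachment ids]} for prefixes propagated by more than one attachment."""
    by_cidr = {}
    for r in routes:
        if r.route_type == "propagated":
            by_cidr.setdefault(r.cidr, []).append(r.attachment_id)
    return {c: ids for c, ids in by_cidr.items() if len(ids) > 1}


def select_route(routes, dest_ip):
    """Choose the attachment for dest_ip: longest prefix first, then static over propagated.

    Returns (attachment_id, ambiguous). ambiguous is True when the winning prefix
    is propagated by several attachments and no static route breaks the tie; the
    id returned in that case is arbitrary, mirroring the non-deterministic behaviour.
    """
    ip = ipaddress.ip_address(dest_ip)
    matching = [r for r in routes if ip in ipaddress.ip_network(r.cidr)]
    if not matching:
        return None, False
    best_len = max(ipaddress.ip_network(r.cidr).prefixlen for r in matching)
    best = [r for r in matching if ipaddress.ip_network(r.cidr).prefixlen == best_len]
    static = [r for r in best if r.route_type == "static"]
    if static:
        return static[0].attachment_id, False
    ids = sorted({r.attachment_id for r in best})
    return ids[0], len(ids) > 1


if __name__ == "__main__":
    print(find_overlaps(SAMPLE_TABLE))
    print(select_route(SAMPLE_TABLE, "10.0.5.9"))
    # Adding a static route for the same /16 makes the choice deterministic.
    fixed = SAMPLE_TABLE + [TgwRoute("10.0.0.0/16", "tgw-attach-vpc-b", "static")]
    print(select_route(fixed, "10.0.5.9"))
```

Feeding it the `Routes` list returned by `aws ec2 search-transit-gateway-routes` (mapping `DestinationCidrBlock`, the attachment id and `Type`) turns `find_overlaps` into a quick pre-change audit for a real route table.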
