Transit gateway & VPC peering - IP forwarding

Question

A customer has the below set-up:

Branch Subnets----(Layer 2)----> Data Center Subnets ------(VPN Tunnel via AWS Transit Gateway)--------->Transit VPC(AWS)------(VPC Peering)-----> Citrix VPC(AWS)-----(VPC Peering)----> Prod VPC(AWS)

Some constraints:

1. Prod VPC and Data Center Subnets have overlapping CIDRs as few servers have IP address affinity.
2. Direct VPN connectivity between branches and Citrix VPC would not be possible immediately

Problem - They need to get printing working from Citrix VPC EC2 instances to the printers in Branches. What would be recommended implementation approach for IP forwarding for printing to work knowing the above constraints?

Accepted Answer

A few observations:

- Transitive Routing: As VPC Peering doesn't support [transitive routing][1], the path from the Citrix VPC to the Transit VPC over VPC Peering cannot be used to establish connectivity. Unfortunately you comment that "2. Direct VPN connectivity between branches and Citrix VPC would not be possible immediately" rules out one solution approach. Instead you might want to look into connecting the Citrix VPC to the TGW to have a path between Citrix VPC and branches. 
 - Overlapping CIDRs: You need to clarify what "Prod VPC and Data Center Subnets have overlapping CIDRs" means here. If a host in the Citrix VPC needs to talk to endpoints in the Prod VPC and Data Center Subnet under the same IP address, you'll need to look into NAT. If not, more specific routes might be sufficient.

[1]: https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html

Transit gateway & VPC peering - IP forwarding

Relevant content