If you have VPCs (or networks in general) with overlapping IP ranges my strongest recommendation in this situation is to use non-overlapping IP ranges. See this blog post for other alternatives but using different IP ranges is by far the cheapest and (despite appearances) the easiest.
When you create a VPC you get to choose how large the IP range for that VPC is. The default /16 (subnet mask 255.255.0.0) range gives you 65,000 (give or take a few) IP addresses in your VPC. You probably don't need that many, which means that by creating VPCs with smaller IP ranges you can have thousands of VPCs before you run out of IP addresses.
It's possible to cope with overlapping CIDRs but it adds complexity. By far the best approach is to avoid overlaps if it's not too late.
Would you run out of addresses? You can fit a lot of VPCs in the RFC 1918 ranges, for example in 10.0.0.0/8 you can fit 4096 /20 VPCs, and you can make VPCs as small as /28 if workable for you, with room for over a million of those.
If that's not enough, EFS doesn't support IPv6 yet but when it does you could consider IPv6-only VPCs - you'll never run out of addresses for those!
A workaround for comms between VPCs with overlapping CIDRs adds complexity as I said. Basically you NAT the addresses, for example:
- Each VPC has a secondary address block, and these don't overlap.
- Secondary subnets on the server side contain an ALB front-ending the app.
- Secondary subnets on the client side contain NAT GWs. Note that the VPC needs an IGW as a prerequisite for NAT GW even if you're not using it for internet traffic.
- Attach the VPCs to TGW with static routes, no propagation, so you only have routes for the non-overlapping secondary CIDRs.
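As an added illustration of the planning in the two answers above (this is not code from any answer on this page), the following Python script flags VPC pairs whose primary CIDRs overlap, computes how many VPCs of a given prefix length fit in a parent range, and carves non-overlapping secondary blocks out of a pool so each VPC can get a secondary CIDR that clashes with nothing else. The VPC names, their CIDRs and the 100.64.0.0/16 pool are constructed assumptions; check the AWS documentation for which secondary ranges your VPCs may actually use.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory (assumption, not from the original post):
# two VPCs that both use 10.0.0.0/16 plus one that does not overlap.
VPCS = {
    "vpc-client": "10.0.0.0/16",
    "vpc-server": "10.0.0.0/16",
    "vpc-other": "10.1.0.0/16",
}


def find_overlaps(vpcs):
    """Return (name_a, name_b) for every pair of VPCs whose CIDRs overlap."""
    clashes = []
    for (a, cidr_a), (b, cidr_b) in combinations(vpcs.items(), 2):
        if ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b)):
            clashes.append((a, b))
    return clashes


def capacity(parent, prefixlen):
    """How many /prefixlen VPCs fit inside the parent range."""
    parent_net = ipaddress.ip_network(parent)
    if prefixlen < parent_net.prefixlen:
        raise ValueError("child prefix must be at least as long as the parent's")
    return 2 ** (prefixlen - parent_net.prefixlen)


def allocate_secondaries(vpcs, pool, prefixlen):
    """Give every VPC a secondary CIDR of size /prefixlen carved from pool.

    A candidate is skipped if it overlaps any existing primary CIDR or any
    secondary already handed out, so the result overlaps nothing in use.
    """
    in_use = [ipaddress.ip_network(c) for c in vpcs.values()]
    candidates = ipaddress.ip_network(pool).subnets(new_prefix=prefixlen)
    plan = {}
    for name in vpcs:
        for cand in candidates:
            if not any(cand.overlaps(net) for net in in_use):
                in_use.append(cand)
                plan[name] = str(cand)
                break
        else:
            raise ValueError(f"pool {pool} exhausted before {name} got a block")
    return plan


def plan_is_clean(vpcs, plan):
    """True if no secondary overlaps another secondary or any primary CIDR.

    Primaries are allowed to overlap each other; that is the situation being
    worked around, and the secondaries are what the TGW static routes carry.
    """
    primaries = [ipaddress.ip_network(c) for c in vpcs.values()]
    secondaries = [ipaddress.ip_network(c) for c in plan.values()]
    for s in secondaries:
        if any(s.overlaps(p) for p in primaries):
            return False
    for s1, s2 in combinations(secondaries, 2):
        if s1.overlaps(s2):
            return False
    return True


if __name__ == "__main__":
    print("overlapping primaries:", find_overlaps(VPCS))
    print("/20 VPCs in 10.0.0.0/8:", capacity("10.0.0.0/8", 20))
    print("/28 VPCs in 10.0.0.0/8:", capacity("10.0.0.0/8", 28))
    secondaries = allocate_secondaries(VPCS, "100.64.0.0/16", 24)
    print("secondary CIDRs for TGW static routes:", secondaries)
    print("plan clean:", plan_is_clean(VPCS, secondaries))
```

Run it against your real VPC list (for example the output of `aws ec2 describe-vpcs`) before attaching anything to the transit gateway: the secondary CIDRs it prints are the only prefixes that should appear as static routes in the TGW route table, since propagating the overlapping primaries would reintroduce the ambiguity.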
To mount an Amazon Elastic File System (EFS) from a different Virtual Private Cloud (VPC), you will need to set up a VPC peering connection between the two VPCs. Once the peering connection is established, you can mount the EFS file system in the target VPC by specifying its file system ID and the DNS name of the mount target in the other VPC. You may also need to configure the security groups and network access control lists for the mount target and the instances in the target VPC to allow access to the EFS file system.