Confirm approach of using transit gateways with direct connect to allow access from AWS VPC to OnPrem (with overlapping CIDR)


The problem summarised: ECS services inside VPC A (AWS) need to access API Endpoints in VPC D (onprem) with the caveat both VPCs have identical CIDR ranges.

Network diagram

We created intermediary VPC B on the AWS side and VPC C (as a proxy) on the on-prem side and connected them with Direct Connect (this is confirmed working, as an EC2 host in VPC B can access the API endpoint of VPC D).

We previously attempted to use VPC peering to connect VPC A with VPC B to get to VPC C, but realised this won't work as it's not possible to do edge-to-edge routing with VPC peering.

The solution appears to be using a transit gateway, meaning routing inside VPC A to the transit gateway to connect to VPC B, which in turn routes the traffic to a private NAT gateway, which connects to Direct Connect and eventually VPC C, D etc.

Is this the correct solution? Have I missed something or over complicated anything? Any feedback greatly appreciated.

(Lastly, services in VPC A will only access api endpoint in VPC D, there will be no information flow the other way)


asked 5 months ago, 189 views
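As an added illustration (not code from the post or from AWS), here is a small Python model of the route lookups along the proposed chain: VPC A subnet to TGW to VPC B to private NAT gateway to VGW/Direct Connect. The CIDRs and hop names are assumed. It shows why the ECS services must target the proxy in VPC C rather than an address in VPC D: anything inside VPC A's own range is matched by the local route and never reaches the TGW.

```python
import ipaddress

# Constructed topology for illustration (addresses are assumed, not from the post).
# VPC A (AWS) and VPC D (on-prem) deliberately share 10.0.0.0/16; VPC B and the
# on-prem proxy VPC C use ranges that overlap with neither.
ROUTE_TABLES = {
    # VPC A subnet route table: VPC C's prefix is sent to the transit gateway.
    "vpc-a-subnet": [("10.0.0.0/16", "local"), ("192.168.10.0/24", "tgw")],
    # Transit gateway route table: VPC C's prefix goes to the VPC B attachment.
    "tgw": [("100.64.0.0/16", "vpc-b-attachment"), ("192.168.10.0/24", "vpc-b-attachment")],
    # VPC B subnet holding the TGW attachment: hand VPC C traffic to the private NAT gateway.
    "vpc-b-attachment": [("100.64.0.0/16", "local"), ("192.168.10.0/24", "private-nat")],
    # VPC B subnet holding the private NAT gateway: out through the virtual private
    # gateway onto Direct Connect (the NAT rewrites the source to a VPC B address).
    "private-nat": [("100.64.0.0/16", "local"), ("192.168.10.0/24", "vgw-dx")],
}

def next_hop(route_table, dst):
    """Longest-prefix match, as a VPC or TGW route table evaluates a destination."""
    best = None
    for prefix, target in route_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def trace(dst_ip, start="vpc-a-subnet"):
    """Walk the hops from VPC A; returns [(hop, chosen target), ...]."""
    dst = ipaddress.ip_address(dst_ip)
    hop, path = start, []
    while hop in ROUTE_TABLES:
        target = next_hop(ROUTE_TABLES[hop], dst)
        path.append((hop, target))
        if target is None:
            break
        hop = target
    return path

def leaves_over_direct_connect(dst_ip):
    """True only if the packet ends up on the VGW / Direct Connect leg."""
    path = trace(dst_ip)
    return bool(path) and path[-1][1] == "vgw-dx"

if __name__ == "__main__":
    # Targeting the proxy in VPC C reaches Direct Connect ...
    print(trace("192.168.10.5"))
    # ... but VPC D's real address matches VPC A's local route and never leaves VPC A.
    print(trace("10.0.4.20"))
```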
2 Answers

This pattern is explained in the below whitepaper, see the second section 'How to use Private NAT gateway to provide approved IPs for on-premises network'

AWS
answered 5 months ago
  • Thank you, but your solution assumes the transit gateway (TGW) is connected directly to the Direct Connect gateway (DCG), which it isn't.

    In my setup, the DCG is directly connected to a virtual private gateway which is in turn connected to VPC B.

    The problem I face if I try to modify my solution to follow the whitepaper you suggested is that it's not possible to connect the TGW to the DCG if it's already attached to a virtual private gateway (VPGW); if I disconnect the VPGW, it won't accept that the DCG already has virtual interfaces configured.


One way of connecting two VPCs with overlapping IP addresses together - and especially in this case where one VPC (A) only ever calls the other (D) - is PrivateLink. Well worth considering to eliminate all the other complexity.

For more information:

AWS
answered 5 months ago
  • this is an interesting idea!

    My problem with this solution is Private Link will only help us connect to AWS Services or a network load balancer which doesn't make sense to implement if we only have a single fixed endpoint in

    Consider VPC B & C are already connected with direct connect and the virtual private gateway

    I've checked all the use cases from
