Transit Gateway: Connect two DCs via VPN with overlapping CIDR range
Consider a setup similar to:
DC1: 192.168.1.0/24
DC2: 192.168.1.0/24
VPC1: 10.0.0.0/16
VPC2: 10.1.0.0/16
You want to use a Transit Gateway and site-to-site VPN to connect each on-premises data center with one of the VPCs. Is this possible if the DCs have the same CIDR Ranges? How does the TGW know where to route traffic back?
I see different use cases here:
- VPC1 <-> DC1
- VPC1 <-> DC2
- VPC2 <-> DC1
- VPC2 <-> DC2
Separately, use cases 1 and 4 together, or use cases 2 and 3 together, are doable by creating two separate route tables for the VPCs and having the data center CIDRs point to the VPN attachments.
If you want to do all of them together, then the complication arises and you need to NAT DC1 or DC2 (one of them) to something like 192.168.2.0/24 and use that NATed range as the destination in the route table. Here the aim is to make one DC's range look different to the TGW. This NAT can be done either on the Customer Gateway side or in AWS by spinning up a NAT appliance in a separate VPC, then using that as the destination for traffic destined to a DC.
With NAT in the picture, things generally get messy.
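An added model of the answer's two options (not code from the original thread): a toy Transit Gateway with one route-table association per attachment and longest-prefix lookup, using the CIDRs from the question. Attachment and table names such as `vpn-dc1`, `nat-dc2` and `rt-vpc1` are assumed labels, and `nat-dc2` stands in for the NAT appliance VPC (or CGW-side NAT) that presents DC2 as 192.168.2.0/24.

```python
"""Toy Transit Gateway: per-attachment route table association, longest-prefix match."""
from ipaddress import ip_address, ip_network


class TransitGateway:
    def __init__(self):
        self.tables = {}   # table name -> {ip_network: egress attachment}
        self.assoc = {}    # attachment -> associated table (exactly one per attachment)

    def associate(self, attachment, table):
        self.tables.setdefault(table, {})
        self.assoc[attachment] = table

    def add_route(self, table, cidr, attachment):
        net = ip_network(cidr)
        routes = self.tables.setdefault(table, {})
        if net in routes:   # a TGW table holds one static route per CIDR
            raise ValueError(f"{cidr} already routed in {table} to {routes[net]}")
        routes[net] = attachment

    def route(self, ingress_attachment, dst_ip):
        """Look dst up in the table associated with the ingress attachment; longest prefix wins."""
        routes = self.tables[self.assoc[ingress_attachment]]
        dst = ip_address(dst_ip)
        matches = [n for n in routes if dst in n]
        if not matches:
            return None   # no route: dropped at the TGW
        return routes[max(matches, key=lambda n: n.prefixlen)]


def build_separated():
    """Use cases 1 and 4 (VPC1<->DC1, VPC2<->DC2): one table per VPC/VPN pair."""
    tgw = TransitGateway()
    tgw.associate("vpc1", "rt-vpc1"); tgw.associate("vpn-dc1", "rt-vpc1")
    tgw.associate("vpc2", "rt-vpc2"); tgw.associate("vpn-dc2", "rt-vpc2")
    tgw.add_route("rt-vpc1", "10.0.0.0/16", "vpc1")
    tgw.add_route("rt-vpc1", "192.168.1.0/24", "vpn-dc1")   # same CIDR, different table
    tgw.add_route("rt-vpc2", "10.1.0.0/16", "vpc2")
    tgw.add_route("rt-vpc2", "192.168.1.0/24", "vpn-dc2")   # so no collision
    return tgw


def build_with_nat():
    """All four use cases: DC2 is seen by the TGW as the NATed range 192.168.2.0/24."""
    tgw = TransitGateway()
    for att in ("vpc1", "vpc2"):
        tgw.associate(att, "rt-vpcs")
    tgw.associate("vpn-dc1", "rt-dcs"); tgw.associate("nat-dc2", "rt-dcs")
    tgw.add_route("rt-vpcs", "192.168.1.0/24", "vpn-dc1")
    tgw.add_route("rt-vpcs", "192.168.2.0/24", "nat-dc2")   # NATed view of DC2 (assumed)
    tgw.add_route("rt-dcs", "10.0.0.0/16", "vpc1")
    tgw.add_route("rt-dcs", "10.1.0.0/16", "vpc2")
    return tgw
```

Without NAT, adding a second `192.168.1.0/24` route to `rt-vpcs` raises the `ValueError`, which is the collision the answer describes.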