Hi,
I have two clients and both are using 172.22.0.0/16 in their on-prem network.
I have established IPSec VPN with both (using static routing) and have terminated the VPN on TGW in eu-west-1 for both. Both customers connect to their respective VPC (no overlapping CIDRs in VPCs). Customer-A connects to VPC-A. Customer-B connects to VPC-B.
I'm making use of separate routing tables for each of them. There are a total of 4 routing tables.
Customer-A traffic gets routed to VPC-A using VPN-A-RT. Return traffic gets back to Customer-A using VPC-A-RT.
Customer-B traffic gets routed to VPC-B using VPN-B-RT. Return traffic gets back to Customer-B using VPC-B-RT.
Now, I need to put an AWS Network Firewall (AWNF) in an Inspection-VPC and filter both VPNs' traffic.
What I can do is route traffic for each VPN, using its respective route table, to the Inspection VPC.
Using a Firewall-RT, I can then forward traffic to their respective VPC.
Issue/Problem:
When I get the (response) traffic back from the VPCs (VPC-A and VPC-B) to the Inspection-VPC, how do I make sure that the response traffic eventually gets back to each customer properly, given that both use 172.22.0.0/16 on-prem? Using the Firewall-RT, I can route the return traffic to only one customer's VPN, either Customer-A's or Customer-B's VPN.
Can this issue be fixed by using policies in CloudWAN? Can I make use of CloudWAN for a single TGW (or completely replace the TGW with a Core Network in a Global Network) and use segments, policies and/or tags to make sure that I can do more policy-based routing in this scenario? At this time, I'm trying to find a solution which does not involve a private NAT sort of thing to manage overlapping on-prem CIDRs.
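To make the return-path problem concrete, here is an added Python model (not from the thread or from AWS) of how a TGW picks a route: the table consulted is the one associated with the ingress attachment, and the lookup matches the destination only, so the single Firewall-RT can carry 172.22.0.0/16 towards just one VPN. All attachment names, route tables and addresses are constructed for the example.

```python
# Added model (not from the original thread) of Transit Gateway forwarding:
# each attachment is associated with exactly one TGW route table, and a
# lookup is a longest-prefix match on the destination address only.
# Attachment names, route tables and addresses are constructed for the example;
# the Inspection VPC is collapsed into one attachment that hands packets
# straight back to the TGW.
from ipaddress import ip_address, ip_network

# attachment -> associated route table (constructed)
ASSOCIATION = {
    "vpn-a": "VPN-A-RT", "vpn-b": "VPN-B-RT",
    "vpc-a": "VPC-A-RT", "vpc-b": "VPC-B-RT",
    "inspection-vpc": "Firewall-RT",
}

# route table -> [(destination prefix, next-hop attachment)] (constructed)
ROUTE_TABLES = {
    # forward path: one table per VPN, so steering everything to the firewall is unambiguous
    "VPN-A-RT": [("10.1.0.0/16", "inspection-vpc")],
    "VPN-B-RT": [("10.2.0.0/16", "inspection-vpc")],
    # return path from each VPC also passes through the firewall
    "VPC-A-RT": [("172.22.0.0/16", "inspection-vpc")],
    "VPC-B-RT": [("172.22.0.0/16", "inspection-vpc")],
    # the single table behind the firewall attachment can hold only one 172.22.0.0/16 route
    "Firewall-RT": [
        ("10.1.0.0/16", "vpc-a"),
        ("10.2.0.0/16", "vpc-b"),
        ("172.22.0.0/16", "vpn-a"),  # Customer-B's replies match this entry too
    ],
}

TERMINAL = ("vpn-", "vpc-")  # attachments where a packet leaves the TGW for good


def lookup(table, dst):
    """Longest-prefix match of dst in a route table; returns the next-hop attachment or None."""
    addr, best = ip_address(dst), None
    for prefix, next_hop in ROUTE_TABLES[table]:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace(ingress, dst, max_hops=4):
    """Follow a packet hop by hop. The table consulted is the one associated with the
    attachment the packet arrived on; the source address plays no part in the decision."""
    path, current = [ingress], ingress
    for _ in range(max_hops):
        next_hop = lookup(ASSOCIATION[current], dst)
        path.append(next_hop)
        if next_hop is None or next_hop.startswith(TERMINAL):
            return path
        current = next_hop
    return path
```

Tracing a reply from VPC-B to 172.22.9.9 ends at vpn-a, which is exactly the misrouting described in the question.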
Thanks, Brettski. I'll take a detailed look at the blog which I skimmed through just yesterday when I was searching for some relevant solution to my problem.
I've also been going through the available docs on CloudWAN. I think even if I use segments in the core network, my issue will still persist. Segment routing will still not be able to handle the forwarding of traffic for 172.22/16 to the customers' VPNs. What's your take on it?
Thanks again for the response.
Cloud WAN doesn't bring any solution for overlapping IP addresses. It's great for setting up policies and ensuring that different groups of applications can/can't communicate, so it might be helpful here, but not in solving the overlap issue.