Connect Overlapping VPC to On-prem

The Problem

Organizations usually plan out their cloud network address ranges. But there are times when a VPC CIDR overlaps with an on-prem network address range, yet the VPC still requires connectivity to on-prem.

In this document, the scenario is such that traffic is always initiated from on-prem to the VPC. The constraint is that neither source NAT nor destination NAT may be performed in the on-prem network.

As shown in the diagram below, the on-prem network address range is All other VPCs connect to on-prem via the Aviatrix Transit solution. However, there is one VPC, named spoke-vpc, with an identical CIDR of


The Solution

Since the on-prem network does not perform any NAT functions, NAT must be performed in the cloud network.

The key solution steps are:

  1. Allocate two 1-1 mapped virtual address spaces, one for the on-prem network and one for the spoke-VPC. For example, allocate the virtual network for the on-prem network, and for the spoke-VPC virtual VPC CIDR. These two virtual address spaces must not overlap with any on-prem or cloud address space.
  2. Launch an Aviatrix gateway in the spoke-vpc.
  3. Build an IPsec tunnel between spoke-vpc and the VGW:
    1. Go to the AWS Console for the VPC service. Use the same VGW that is used for the Aviatrix Transit solution to create an IPsec tunnel to spoke-vpc with static routes configured, as shown below. Then download the VPN configuration file.


    2. On the spoke-vpc side, go to the Controller console, click Site2Cloud, and click add new. Make sure the remote subnet list includes and The local subnet is, the virtual address of the spoke-VPC, as shown in the screenshot below.


  4. Perform both SNAT and DNAT functions on the Aviatrix gateway:
    1. Go to the Controller console and click Gateway. Select the Aviatrix gateway for spoke-vpc. Click Edit and scroll down to find Destination NAT.
    2. Translate the cloud virtual destination address to its real address for each instance in the VPC.
    3. Mark the session with a number that is easy to remember. In this example, it is 119.
    4. Scroll up to find Source NAT. Translate the marked session to the corresponding on-prem virtual source address, as shown in the screenshot below.


    5. Repeat the NAT configuration for each cloud instance.
  5. Done

Since the VGW runs a BGP session to on-prem for a normal Transit network, the spoke-vpc virtual CIDR is propagated to on-prem. From on-prem, the destination IP address takes the range
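The translation performed on the gateway in step 4, as an added Python model that is not Aviatrix code: the CIDRs, instance addresses and the `sessions` table are constructed placeholders, not the values from this page. It applies the planning rule from step 1 (each virtual range the same size as its real range and overlapping nothing in use), then walks one on-prem initiated flow through DNAT, session marking and SNAT, and shows why the SNAT is required: the instance's reply must go to a virtual on-prem address, not to a source address that falls inside its own identical CIDR.

```python
import ipaddress

# Constructed sample ranges (the page's own CIDRs are not reproduced here).
ONPREM_REAL = ipaddress.ip_network("10.1.0.0/16")    # on-prem network
VPC_REAL = ipaddress.ip_network("10.1.0.0/16")       # spoke-vpc, identical CIDR
ONPREM_VIRT = ipaddress.ip_network("172.16.0.0/16")  # virtual on-prem range
VPC_VIRT = ipaddress.ip_network("172.17.0.0/16")     # virtual spoke-vpc CIDR
OTHER_CLOUD = [ipaddress.ip_network("10.2.0.0/16")]  # other spokes on the transit
SESSION_MARK = 119                                   # mark set by the DNAT rule

def map_1to1(addr, src_net, dst_net):
    """Swap the network prefix and keep the host offset (1-1 address mapping)."""
    if addr not in src_net or src_net.prefixlen != dst_net.prefixlen:
        raise ValueError(f"{addr} cannot be mapped from {src_net} to {dst_net}")
    return dst_net.network_address + (int(addr) - int(src_net.network_address))

def validate_plan():
    """Return the planning errors found; an empty list means the plan is sound."""
    errors = []
    for real, virt in ((ONPREM_REAL, ONPREM_VIRT), (VPC_REAL, VPC_VIRT)):
        if real.prefixlen != virt.prefixlen:
            errors.append(f"virtual {virt} is not the same size as real {real}")
        for used in (ONPREM_REAL, VPC_REAL, *OTHER_CLOUD):
            if virt.overlaps(used):
                errors.append(f"virtual {virt} overlaps existing range {used}")
    if ONPREM_VIRT.overlaps(VPC_VIRT):
        errors.append("the two virtual ranges overlap each other")
    return errors

sessions = {}  # (translated src, translated dst) -> (original src, original dst)

def gateway_forward(src, dst):
    """On-prem -> VPC packet at the gateway: DNAT, mark the session, then SNAT."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mark = SESSION_MARK if dst in VPC_VIRT else 0          # DNAT rule sets 119
    new_dst = map_1to1(dst, VPC_VIRT, VPC_REAL) if mark else dst
    new_src = map_1to1(src, ONPREM_REAL, ONPREM_VIRT) if mark == SESSION_MARK else src
    if mark:                                               # remember for the reply
        sessions[(new_src, new_dst)] = (src, dst)
    return str(new_src), str(new_dst)

def gateway_return(src, dst):
    """Instance -> on-prem reply: undo both translations from the session entry."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    orig = sessions.get((dst, src))
    if orig is None:   # flows are on-prem initiated; an unsolicited VPC packet has no session
        raise KeyError("no matching session for this reply")
    orig_src, orig_dst = orig
    return str(orig_dst), str(orig_src)   # reply carries the virtual VPC address as source
```

Traffic to the other spoke (outside the virtual VPC CIDR) passes through untouched, which is the check that the NAT rules only fire for the overlapping VPC.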