Connect Overlapping VPC to On-prem
The Problem
Organizations usually plan out their cloud network address ranges. But there are times when a VPC CIDR overlaps with an on-prem network address range, yet the VPC still requires connectivity to on-prem.
In this document, the scenario is such that traffic is always initiated from on-prem to the VPC. The constraint is that neither source NAT nor destination NAT may be performed in the on-prem network.
As shown in the diagram below, the on-prem network address range is 10.20.0.0/16. All other VPCs connect to on-prem via the Aviatrix Transit solution. However, there is one VPC named spoke-vpc whose CIDR, 10.20.0.0/16, is identical to the on-prem range.
The Solution
Since the on-prem network does not perform any NAT functions, both translations must be performed in the cloud network, on the Aviatrix gateway in spoke-vpc.
The key solution steps are:
- Allocate two virtual address spaces, one mapped 1-1 onto the on-prem network and one mapped 1-1 onto the spoke-VPC CIDR. For example, allocate 100.105.0.0/16 as the virtual address space for the on-prem network, and 100.101.0.0/16 as the virtual VPC CIDR for spoke-vpc. These two virtual address spaces must not overlap with any on-prem or cloud address space, including each other; otherwise the translated traffic would be ambiguous again.
- Launch an Aviatrix gateway in the spoke-vpc.
- Build an IPsec tunnel between spoke-vpc and the VGW:
- Go to the AWS Console for the VPC service. Use the same VGW that is used for the Aviatrix Transit solution to create an IPsec tunnel to spoke-vpc, with a static route for 100.101.0.0/16 (the spoke-vpc virtual CIDR, not its real CIDR) configured, as shown below. Then download the VPN configuration file.
- Perform both SNAT and DNAT functions on the Aviatrix gateway:
- Go to the Controller console and click Gateway. Select the Aviatrix gateway for spoke-vpc. Click Edit and scroll down to find Destination NAT.
- Translate the cloud virtual destination address to its real address for each instance in the VPC (with the 1-1 mapping above, virtual 100.101.x.y corresponds to real 10.20.x.y).
- Mark the session with a number that is easy to remember. In this example, it is 119. The mark is what ties the DNAT entry to the SNAT rule in the next step, so that only traffic destined for the overlapping spoke is source-translated.
- Scroll up to find Source NAT. Translate the source address of the marked session to the corresponding on-prem virtual source address (10.20.x.y on-prem becomes 100.105.x.y inside the VPC), as shown in the screenshot below.
- Repeat the NAT configuration for each cloud instance that must be reachable from on-prem.
Done
Since the VGW already runs a BGP session to on-prem for the normal Transit network, the spoke-vpc virtual CIDR 100.101.0.0/16 is propagated to on-prem along with the other routes. From on-prem, instances in spoke-vpc are addressed in the 100.101.0.0/16 range, never by their real 10.20.x.y addresses. Conversely, instances in spoke-vpc see on-prem clients as sources in 100.105.0.0/16, so any security group or network ACL on those instances must permit the virtual on-prem range rather than 10.20.0.0/16.
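The following is an added example, not Aviatrix code or part of the original page, that models the two checks and two translations the procedure above relies on: that the virtual ranges overlap nothing real, the 1-1 host-bit-preserving mapping between a real /16 and its virtual /16, and the marked DNAT-then-SNAT on the on-prem-to-VPC path with the reverse translation of the reply. The addresses are the ones used in this document; the Packet structure, the gateway_inbound/gateway_return function names and the way the mark is carried are simplifications assumed here, not the gateway's real data path. It generalizes the per-instance entries in the Controller into one address-arithmetic rule, which is what a 1-1 mapped virtual space amounts to.

```python
"""Model of the 1-1 virtual mapping and marked DNAT/SNAT for an overlapping spoke VPC.

Added illustration; assumes a host-bit-preserving 1-1 mapping between each real /16 and
its virtual /16, as the text's choice of two /16 virtual ranges implies.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network

ONPREM_REAL = IPv4Network("10.20.0.0/16")       # on-prem range (from the text)
SPOKE_REAL = IPv4Network("10.20.0.0/16")        # spoke-vpc CIDR, identical to on-prem
ONPREM_VIRTUAL = IPv4Network("100.105.0.0/16")  # how on-prem appears inside spoke-vpc
SPOKE_VIRTUAL = IPv4Network("100.101.0.0/16")   # how spoke-vpc appears to on-prem (VGW static route)
SESSION_MARK = 119                              # the session mark used in the text


def check_virtual_ranges(real_nets, virtual_nets):
    """Return (virtual, real) pairs that overlap. Empty list == safe to use.

    This is the precondition from the text: the virtual spaces must not collide
    with any on-prem or cloud range, or the translated traffic is ambiguous again.
    """
    reals = [IPv4Network(n) for n in real_nets]
    virtuals = [IPv4Network(n) for n in virtual_nets]
    return [(v, r) for v in virtuals for r in reals if v.overlaps(r)]


def map_address(addr, src_net, dst_net):
    """1-1 map addr from src_net into dst_net by keeping the host bits unchanged."""
    addr = IPv4Address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1-1 mapping requires equal prefix lengths")
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    host_bits = int(addr) - int(src_net.network_address)
    return IPv4Address(int(dst_net.network_address) + host_bits)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    mark: int = 0  # stands in for the gateway's connection mark (assumed field)


def packet(src, dst, mark=0):
    """Convenience constructor taking dotted-quad strings."""
    return Packet(IPv4Address(src), IPv4Address(dst), mark)


def gateway_inbound(pkt):
    """On-prem -> spoke-vpc, as configured on the Aviatrix gateway in the text.

    1. DNAT: virtual spoke destination (100.101.x.y) -> real instance (10.20.x.y), mark session.
    2. SNAT on the marked session: real on-prem source (10.20.a.b) -> virtual (100.105.a.b).
    Without the SNAT the instance would see a 10.20.a.b source and reply locally, since
    its own VPC owns that range; that is the whole reason both translations are needed.
    """
    if pkt.dst not in SPOKE_VIRTUAL:
        return pkt  # not a flow for the overlapping spoke; leave untouched
    marked = replace(pkt, dst=map_address(pkt.dst, SPOKE_VIRTUAL, SPOKE_REAL), mark=SESSION_MARK)
    if marked.mark != SESSION_MARK:  # SNAT rule is keyed on the mark
        return marked
    return replace(marked, src=map_address(marked.src, ONPREM_REAL, ONPREM_VIRTUAL))


def gateway_return(pkt):
    """Reply from the spoke instance: undo both translations.

    The instance replies to 100.105.a.b; the gateway restores the real on-prem
    destination and rewrites the source back to the virtual 100.101.x.y the client used.
    """
    if pkt.dst not in ONPREM_VIRTUAL or pkt.src not in SPOKE_REAL:
        return pkt
    return Packet(
        src=map_address(pkt.src, SPOKE_REAL, SPOKE_VIRTUAL),     # un-DNAT
        dst=map_address(pkt.dst, ONPREM_VIRTUAL, ONPREM_REAL),   # un-SNAT
        mark=SESSION_MARK,
    )


if __name__ == "__main__":
    # The problem: the two real ranges collide; the fix: the virtual ranges collide with nothing.
    print("real ranges overlap:", ONPREM_REAL.overlaps(SPOKE_REAL))
    print("virtual conflicts:", check_virtual_ranges([ONPREM_REAL, SPOKE_REAL], [ONPREM_VIRTUAL, SPOKE_VIRTUAL]))
    req = packet("10.20.5.7", "100.101.0.10")          # on-prem host -> spoke virtual address
    fwd = gateway_inbound(req)
    print("to instance :", fwd)                       # src 100.105.5.7, dst 10.20.0.10, mark 119
    back = gateway_return(Packet(fwd.dst, fwd.src))   # instance replies to what it saw
    print("to on-prem  :", back)                      # src 100.101.0.10, dst 10.20.5.7
```

The inbound path applies DNAT before SNAT deliberately: the mark set by the DNAT entry is what selects the session for source translation, matching the Controller steps where the mark is assigned under Destination NAT and then referenced under Source NAT. Run the module directly to see one request and its reply pass through both directions.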