Handling On-premise network CIDR overlapping with AWS VPC CIDR

Atit Shah
Dec 5, 2021

Customers often have an issue with the AWS VPN when the remote network CIDR overlaps with the CIDR of their AWS VPC.

The AWS VPN does not support NAT at this point in time, which could prevent customers from using the AWS VPN at all. Previously, customers would need to set up a software VPN solution within their VPC to resolve this conflict.

However, since 29 August 2017, Amazon Virtual Private Cloud (VPC) has allowed customers to expand their existing VPCs: an additional CIDR block can be added to an existing VPC, and that non-overlapping block is what makes it possible to work around this issue.

Resolution:

  • Add an additional CIDR block to the VPC, create a subnet in it, and ensure that traffic for the specific VPN is routed via this new subnet.
  • Create the VPN using the CIDR of the additional subnet as the local network, and route the NATed range of the customer network as the remote network.

Let’s see how this can be achieved:

Prerequisite on Customer Gateway

  • The overlapping CIDR on the customer network will need to be NATed to a new CIDR.
  • Each side will need to agree on a new CIDR that does not overlap with any existing CIDRs (on either side).
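The two prerequisites above amount to a set of overlap checks that should be agreed before anyone touches the console. The following script is an added example (not from the original post) that performs those checks with Python's standard ipaddress module: it confirms the on-premise CIDR really conflicts with the VPC, validates the proposed secondary VPC CIDR against the AWS constraints the page relies on (a /16 to /28 block that overlaps no existing VPC CIDR or route destination), and confirms the customer's NAT range collides with nothing on either side. All CIDR values are constructed sample inputs, and the plan_vpn output format is this example's own, not an AWS API.

```python
import ipaddress


def overlaps(a: str, b: str) -> bool:
    """True if the two IPv4 CIDR blocks share at least one address."""
    return ipaddress.ip_network(a, strict=False).overlaps(
        ipaddress.ip_network(b, strict=False))


def validate_secondary_cidr(vpc_cidrs, candidate, route_destinations=()):
    """Return a list of problems with a candidate secondary VPC CIDR.

    Rules checked: prefix length between /16 and /28, no overlap with any
    existing VPC CIDR, no overlap with any destination already in the
    VPC's route tables. An empty list means the block can be associated.
    """
    net = ipaddress.ip_network(candidate, strict=False)
    problems = []
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"{candidate}: prefix must be between /16 and /28")
    for existing in vpc_cidrs:
        if overlaps(candidate, existing):
            problems.append(f"{candidate} overlaps existing VPC CIDR {existing}")
    for dest in route_destinations:
        if overlaps(candidate, dest):
            problems.append(f"{candidate} overlaps route destination {dest}")
    return problems


def plan_vpn(vpc_cidrs, onprem_cidr, secondary_cidr, onprem_nat_cidr,
             route_destinations=()):
    """Decide what each side of the VPN routes; raise ValueError if unsafe."""
    if not any(overlaps(onprem_cidr, c) for c in vpc_cidrs):
        # No conflict: a plain VPN between the real ranges is fine.
        return {"conflict": False, "vpn_local": list(vpc_cidrs),
                "vpn_remote": [onprem_cidr]}
    problems = validate_secondary_cidr(vpc_cidrs, secondary_cidr,
                                       route_destinations)
    # The new AWS-side block must also stay clear of the real on-prem range.
    if overlaps(secondary_cidr, onprem_cidr):
        problems.append(f"{secondary_cidr} overlaps on-prem CIDR {onprem_cidr}")
    # The customer's NAT range must collide with nothing on either side.
    for c in list(vpc_cidrs) + [secondary_cidr, onprem_cidr]:
        if overlaps(onprem_nat_cidr, c):
            problems.append(f"NAT range {onprem_nat_cidr} overlaps {c}")
    if problems:
        raise ValueError("; ".join(problems))
    # Local side of the VPN is the secondary block; the static route in the
    # VPN connection (and the subnet's route table) points at the NAT range.
    return {"conflict": True, "vpn_local": [secondary_cidr],
            "vpn_remote": [onprem_nat_cidr], "static_route": onprem_nat_cidr}
```

Run plan_vpn once with the real on-premise range and once with the NAT range the customer proposes; any non-empty problem list means the agreed CIDRs need to change before step 1 below.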

Detailed solution for adding an additional subnet to your VPC:

1. Associating a Secondary IPv4 CIDR Block with Your VPC

- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

- In the navigation pane, choose Your VPCs.

- Select the VPC, and choose Actions, Edit CIDRs.

- Choose Add IPv4 CIDR, and enter the CIDR block to add.

- Choose Close.

2. Creating a Subnet in Your VPC

- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

- In the navigation pane, choose Subnets, Create Subnet.

- Specify the subnet details as necessary and choose Create Subnet.

- Name tag: Optionally provide a name for your subnet. Doing so creates a tag with a key of Name and the value that you specify.

- VPC: Choose the VPC for which you’re creating the subnet.

- Availability Zone: Optionally choose an Availability Zone in which your subnet will reside, or leave the default No Preference to let AWS choose an Availability Zone for you.

- IPv4 CIDR block: Specify an IPv4 CIDR block for your subnet.

3. Creating a Custom Route Table

- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

- In the navigation pane, choose Route Tables.

- Choose Create Route Table.

- In the Create Route Table dialog box, you can optionally name your route table under Name tag. Doing so creates a tag with a key of Name and a value that you specify. Select your VPC for VPC, and then choose Yes, Create.

4. To enable route propagation

- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

- In the navigation pane, choose Route Tables, and then select the route table.

- On the Route Propagation tab, choose Edit.

- Select the Propagate check box next to the virtual private gateway, and then choose Save.

5. Associating a Subnet with a Route Table

- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

- In the navigation pane, choose Route Tables, and then select the route table.

- On the Subnet Associations tab, choose Edit.

- Select the Associate check box for the subnet to associate with the route table, and then choose Save.

6. Creating a Network Interface

- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

- In the navigation pane, choose Network Interfaces.

- Choose Create Network Interface.

- For Description, enter a descriptive name.

- For Subnet, select the subnet.

- For Private IP (or IPv4 Private IP), enter the primary private IPv4 address.

- For Security groups, select one or more security groups.

- Choose Yes, Create.

7. Attaching a Network Interface

- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

- In the navigation pane, choose Network Interfaces.

- Select the network interface and choose Attach.

- In the Attach Network Interface dialog box, select the instance and choose Attach.

8. To modify a static route for the VPN connection

- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

- In the navigation pane, choose VPN Connections.

- Choose Static Routes, Edit.

- Modify your existing static IP prefixes, or choose Remove to delete them. Choose Add Another Rule to add a new IP prefix to your configuration. When you are done, choose Save.

Once this has been completed, you should be able to route traffic for the VPN from the new ENI of your instance, with the VPN's static route carrying the customer's NATed range.

References:

Associating a Secondary IPv4 CIDR Block with Your VPC — https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/working-with-vpcs.html#add-ipv4-cidr

Adding IPv4 CIDR Blocks to a VPC — https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#vpc-resize

Creating a Subnet in Your VPC — https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/working-with-vpcs.html#AddaSubnet

Creating a Custom Route Table — https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Route_Tables.html#CustomRouteTable

Enabling and Disabling Route Propagation — https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Route_Tables.html#EnableDisableRouteProp

Associating a Subnet with a Route Table — https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Route_Tables.html#AssociateSubnet

Creating a Network Interface — https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#create_eni

Attaching a Network Interface When Launching an Instance — https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#attach_eni_launch

Editing Static Routes for a VPN Connection — https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/SetUpVPNConnections.html#vpn-edit-static-routes
