Connect Overlapping VPC to On-prem

The Problem

Organizations usually plan out their cloud network address ranges. But there are times where a VPC CIDR overlaps with an on-prem network address range, yet still requires connectivity to on-prem.

In this document, the scenario is that traffic is always initiated from on-prem toward the VPC. The constraint is that neither source NAT nor destination NAT may be performed in the on-prem network.

As shown in the diagram below, the on-prem network address range is 10.20.0.0/16. All other VPCs connect to on-prem via the Aviatrix Transit solution. However, there is one VPC named spoke-vpc with an identical CIDR of 10.20.0.0/16.

overlap_cidr

The Solution

Since the on-prem network does not perform any NAT functions, NAT must be performed in the cloud network.

The key solution steps are:

  1. Allocate two virtual address spaces, each mapped 1-1 to a real one: one for the on-prem network and one for the spoke-VPC. For example, allocate the virtual network 100.105.0.0/16 for the on-prem network, and 100.101.0.0/16 as the spoke-VPC virtual VPC CIDR. These two virtual address spaces must not overlap with any on-prem or cloud address space.
  2. Launch an Aviatrix gateway in the spoke-vpc.
  3. Build an IPSEC tunnel between spoke-vpc and the VGW:
    1. Go to the AWS Console for the VPC service. Use the same VGW that is used for the Aviatrix Transit solution to create an IPSEC tunnel to spoke-vpc with the static route 100.101.0.0/16 configured, as shown below. Then download the VPN configuration file.

vgw_config

    2. On the spoke-vpc side, go to the Controller console, click Site2Cloud, and click add new. Make sure the remote subnet list includes 10.20.0.0/16 and 100.105.0.0/16. The local subnet is 100.101.0.0/16, the virtual address space of the spoke-VPC, as shown in the screenshot below.

site2cloud

  4. Perform both SNAT and DNAT functions on the Aviatrix gateway:
    1. Go to the Controller console and click Gateway. Select the Aviatrix gateway for spoke-vpc. Click Edit and scroll down to find Destination NAT.
    2. Translate the cloud virtual destination address to its real address for each instance in the VPC.
    3. Mark the session with a number that is easy to remember. In this example, it is 119.
    4. Scroll up to find Source NAT. Translate the marked session to any on-prem virtual source address, as shown in the screenshot below.

    nat_config

    5. Repeat the NAT configuration for each cloud instance.
  5. Done

Since the VGW already runs a BGP session to on-prem for the normal Transit network, the spoke-vpc virtual CIDR 100.101.0.0/16 is propagated to on-prem. From on-prem, traffic destined for spoke-vpc therefore uses destination addresses in the range 100.101.0.0/16.
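The translations from steps 1 and 4, worked through as an added example (this is not Aviatrix documentation or product code): a small Python model of the gateway's DNAT and SNAT for one on-prem-initiated flow, using the address plan from this page. It assumes, for illustration, that the 1-1 mapping keeps the host bits (10.20.2.10 corresponds to 100.101.2.10); the session mark 119 is the value used on the page.

```python
import ipaddress

# Address plan from the page. The real on-prem and spoke CIDRs are identical;
# the two virtual ranges are the 1-1 mapped spaces allocated in step 1.
ONPREM_REAL = ipaddress.ip_network("10.20.0.0/16")
ONPREM_VIRTUAL = ipaddress.ip_network("100.105.0.0/16")
SPOKE_REAL = ipaddress.ip_network("10.20.0.0/16")
SPOKE_VIRTUAL = ipaddress.ip_network("100.101.0.0/16")
SESSION_MARK = 119  # mark that ties the DNAT rule to its SNAT rule (step 4)


def check_plan(virtuals, reals):
    """Step 1 constraint: virtual ranges overlap neither each other nor any real range."""
    for i, v in enumerate(virtuals):
        for r in reals:
            if v.overlaps(r):
                raise ValueError(f"{v} overlaps real range {r}")
        for w in virtuals[i + 1:]:
            if v.overlaps(w):
                raise ValueError(f"{v} overlaps virtual range {w}")
    return True


def map_1to1(addr, src_net, dst_net):
    """Translate addr from src_net into dst_net, preserving the host bits (assumed 1-1 scheme)."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net or src_net.prefixlen != dst_net.prefixlen:
        raise ValueError(f"{addr} not in {src_net}, or prefix lengths differ")
    host_bits = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + host_bits)


def gateway_inbound(src, dst):
    """On-prem -> VPC on the Aviatrix gateway: DNAT the virtual spoke address to the
    real instance, mark the session, then SNAT the on-prem source to its virtual address
    so the instance never sees a source inside its own 10.20.0.0/16."""
    real_dst = map_1to1(dst, SPOKE_VIRTUAL, SPOKE_REAL)
    virtual_src = map_1to1(src, ONPREM_REAL, ONPREM_VIRTUAL)
    return {"src": str(virtual_src), "dst": str(real_dst), "mark": SESSION_MARK}


def gateway_return(src, dst):
    """VPC -> on-prem reply: undo both translations so on-prem sees its original peer."""
    virtual_src = map_1to1(src, SPOKE_REAL, SPOKE_VIRTUAL)
    real_dst = map_1to1(dst, ONPREM_VIRTUAL, ONPREM_REAL)
    return {"src": str(virtual_src), "dst": str(real_dst)}
```

Because the instance's reply is addressed to 100.105.x.x, it must route back through the gateway, which is why step 3 includes 100.105.0.0/16 in the remote subnet list.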