AWS VPN Connection with Overlapping CIDR Blocks | Networking Best Practices

Routing for VPN Connection with Overlapping CIDR Blocks


Question

You're planning to create a VPN connection to 2 VPCs in AWS.

You are going to be using the same customer gateway in both cases.

These VPCs have overlapping CIDR blocks.

What can be done to ensure the routing is done right on the customer side?

Answers

A. Use static routes on the customer side.
B. Configure AS_PATH for each of the routes.
C. Use VRF technology for routing.
D. Use BFD technology for routing.

Explanations

Answer - C.

This is given in the AWS Documentation.

Virtual Routing and Forwarding (VRF) is a technology that allows multiple instances of a routing table to co-exist within the same router at the same time.

Because the routing instances are independent, the same or overlapping IP addresses can be used without conflicting with each other.

AWS recommends using VRFs when connecting a single customer gateway to multiple Amazon VPCs because the VPN connection creation logic is designed to ensure unique tunnel IP addresses for each connection within a single VPC, but not necessarily across multiple VPCs.

Options A and B are incorrect since these would not help in routing.

Option D is incorrect because this is used for failover connections.

For more information on configuring routes to multiple VPCs, please refer to the below URL.

https://aws.amazon.com/articles/connecting-a-single-customer-router-to-multiple-vpcs/
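The VRF-lite layout the explanation above describes, as an added illustration rather than configuration taken from the AWS article or the AWS-generated customer gateway file. It assumes Cisco IOS-style syntax, two Site-to-Site VPN tunnels on one router, both VPCs using 10.0.0.0/16, and placeholder virtual private gateway addresses and tunnel inside /30s (all constructed values):

```cisco
! Constructed example: one customer gateway router, VRF-lite,
! one AWS VPN tunnel per VPC. Both VPCs use 10.0.0.0/16.
! <VGW-A-IP> / <VGW-B-IP> and the 169.254.x.x inside addresses are placeholders.
!
! One VRF per VPC, so the two 10.0.0.0/16 routes never share a routing table.
ip vrf VPC-A
 rd 65000:1
ip vrf VPC-B
 rd 65000:2
!
! IPsec policy is taken from the AWS customer gateway configuration file;
! only the profile reference is shown here.
crypto ipsec profile AWS-VPN
 set transform-set AWS-TS
!
! Tunnel to VPC-A. 'ip vrf forwarding' must precede 'ip address'.
interface Tunnel1
 ip vrf forwarding VPC-A
 ip address 169.254.10.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination <VGW-A-IP>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AWS-VPN
!
! Tunnel to VPC-B. AWS only guarantees unique inside tunnel addresses within
! one VPC, so the 169.254 /30s may also collide across VPCs; the VRF isolates them too.
interface Tunnel2
 ip vrf forwarding VPC-B
 ip address 169.254.20.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination <VGW-B-IP>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AWS-VPN
!
! The same prefix is installed twice without conflict, once per VRF.
ip route vrf VPC-A 10.0.0.0 255.255.0.0 Tunnel1
ip route vrf VPC-B 10.0.0.0 255.255.0.0 Tunnel2
!
! The LAN interface a host sits behind decides which VRF (and so which VPC)
! its 10.0.0.0/16 traffic reaches.
interface GigabitEthernet0/1
 ip vrf forwarding VPC-A
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
 ip vrf forwarding VPC-B
 ip address 192.168.2.1 255.255.255.0
```

To confirm the separation, `show ip route vrf VPC-A` and `show ip route vrf VPC-B` should each list 10.0.0.0/16 via its own tunnel, while the global table carries neither.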

When creating a VPN connection to two VPCs with overlapping CIDR blocks using the same customer gateway, there is a risk of routing issues on the customer side. To ensure that routing is done correctly, you can use various techniques such as:

A. Use static routes on the customer side:

With static routes, you manually configure the routing table on the customer gateway to direct traffic to the correct VPC. This method requires that the customer has knowledge of the network topology and ensures that traffic is directed to the correct destination.

B. Configure AS_PATH for each of the routes:

AS_PATH (Autonomous System Path) is a path attribute of the Border Gateway Protocol (BGP), a path vector protocol. By configuring AS_PATH for each of the routes, you can distinguish between the two VPCs and ensure that traffic is directed to the correct VPC. This method requires that the customer has knowledge of BGP and the network topology.

C. Use VRF technology for routing:

Virtual Routing and Forwarding (VRF) is a technology used to create multiple routing tables in a network. By using VRF, you can create separate routing tables for each VPC, which ensures that traffic is directed to the correct VPC. This method requires that the customer has knowledge of VRF and the network topology.

D. Use BFD technology for routing:

Bidirectional Forwarding Detection (BFD) is a network protocol used to detect faults in the forwarding path between two routers. By using BFD, you can detect faults in the VPN connection and take corrective actions, which ensures that traffic is directed to the correct VPC. This method requires that the customer has knowledge of BFD and the network topology.

In summary, to ensure that routing is done correctly when creating a VPN connection to two VPCs with overlapping CIDR blocks using the same customer gateway, you can use various techniques such as static routes, AS_PATH configuration, VRF technology, or BFD technology. The choice of technique depends on the customer's knowledge of the network topology and the technologies involved.