
AWS Networking: Managing IP Subnets and Overlapping Address Solutions

IP subnets and solutions accounting for IP address overlaps


Efficient IP address management is a cornerstone of the AWS Certified Advanced Networking Specialty. This guide explores the challenges of IP exhaustion and the architectural patterns required to connect networks with overlapping CIDR blocks.

Learning Objectives

After studying this guide, you should be able to:

  • Identify scenarios leading to IP address overlaps and exhaustion.
  • Compare remediation strategies: re-addressing, NAT, and AWS PrivateLink.
  • Implement secondary CIDR blocks to expand existing VPC address space.
  • Configure routing for complex multi-VPC and hybrid environments with conflicting ranges.

Key Terms & Glossary

  • CIDR (Classless Inter-Domain Routing): A method for allocating IP addresses and IP routing. (Example: 10.0.0.0/16).
  • Overlapping CIDR: When two VPCs or networks use the same IP address range, making standard VPC peering impossible.
  • Secondary CIDR: An additional IP range associated with an existing VPC to provide more address space.
  • Interface VPC Endpoint (PrivateLink): A technology that allows private access to services using an Elastic Network Interface (ENI) with a private IP, bypassing the need for VPC peering.
  • NAT Gateway: A managed service that performs Network Address Translation, allowing instances in a private subnet to connect to services outside the VPC while hiding their internal IP addresses.

The "Big Idea"

In an ideal world, every network globally would have unique IP ranges. In reality, mergers, acquisitions, and decentralized IT teams often result in "IP Collisions." Since standard routing requires unique destinations, these collisions break connectivity. The "Big Idea" is that you don't always need to re-address your network to connect it; AWS provides abstraction layers like PrivateLink and NAT to bridge these conflicting worlds without a massive re-IP project.

Formula / Concept Box

  Feature                 | Limit / Rule
  ------------------------|-------------------------------------------------------------------------------------------
  AWS Reserved IPs        | 5 IPs per subnet (.0, .1, .2, .3, and .255)
  VPC Peering Requirement | CIDR blocks must not overlap (an identical CIDR counts as an overlap)
  Secondary CIDR Rule     | Must not overlap any CIDR already associated with the VPC or any route in the VPC's route tables
  Max Secondary CIDRs     | Up to 5 per VPC (can be increased via a quota request)

Hierarchical Outline

  • I. IP Depletion & Expansion
    • Monitoring: Using CloudWatch and CLI to track available IPs.
    • Resizing: Creating new, larger subnets within existing CIDR.
    • Secondary CIDR: Adding blocks (e.g., 100.64.0.0/10 or private ranges) to an exhausted VPC.
  • II. The Overlap Problem
    • VPC Peering Constraints: Direct peering fails if CIDRs overlap.
    • Transit Gateway Constraints: TGW cannot route to identical prefixes in different spokes without specific NAT configurations.
  • III. Solutions for Overlap
    • A. AWS PrivateLink: The preferred solution for service-based access. Hides the provider's CIDR.
    • B. NAT (Network Address Translation): Using NAT to map overlapping IPs to unique "transit" IPs.
    • C. Re-addressing: The most invasive but cleanest long-term fix.

Visual Anchors

Overlap Resolution Logic

\begin{tikzpicture}[node distance=2cm, every node/.style={font=\small}]
  % VPC A (consumer)
  \draw[thick, blue] (0,0) rectangle (3.5,3.5);
  \node[blue, above] at (1.75,3.5) {Consumer VPC (10.0.0.0/16)};
  \node[draw, rounded corners] (App) at (1.75,2.5) {Client App};
  \node[draw, fill=blue!10] (EP) at (1.75,1) {Interface Endpoint};
  % VPC B (provider)
  \draw[thick, orange] (5.25,0) rectangle (8.75,3.5);
  \node[orange, above] at (7,3.5) {Provider VPC (10.0.0.0/16)};
  \node[draw, fill=orange!10] (NLB) at (7,1) {Network Load Balancer};
  \node[draw, rounded corners] (Service) at (7,2.5) {Target Service};
  % PrivateLink connection between the endpoint ENI and the provider's NLB
  \draw[dashed, thick, <->] (EP) -- (NLB) node[midway, below] {PrivateLink};
  \draw[->] (App) -- (EP);
  \draw[->] (NLB) -- (Service);
\end{tikzpicture}

Definition-Example Pairs

  • Secondary CIDR: Associating a new IP block with a VPC.
    • Example: A VPC running out of addresses in 10.0.0.0/16 adds 10.1.0.0/16 as a secondary CIDR to support new microservices.
  • Overlapping Route: Two routes in a table whose prefixes cover the same addresses.
    • Example: A route table has 172.16.0.0/24 pointing to a peering connection AND the same prefix pointing to a VPN. AWS resolves the conflict with the longest-prefix-match rule, falling back to its route-priority rules when the prefixes are identical.

Worked Examples

Scenario: Merger of Two 10.0.0.0/16 VPCs

Problem: Company A (VPC A: 10.0.0.0/16) acquires Company B (VPC B: 10.0.0.0/16). VPC A needs to access a MySQL database in VPC B. Standard VPC Peering fails due to the identical CIDR.

Step-by-Step Solution (PrivateLink):

  1. VPC B (Provider): Create a Network Load Balancer (NLB) in front of the MySQL database instances.
  2. VPC B (Provider): Create an Endpoint Service configuration and associate it with the NLB.
  3. VPC A (Consumer): Request the service name (e.g., com.amazonaws.vpce.region.vpce-svc-id).
  4. VPC A (Consumer): Create an Interface VPC Endpoint. This places an ENI in VPC A with an IP from VPC A's range (e.g., 10.0.0.50).
  5. Result: Company A's application connects to 10.0.0.50, which PrivateLink transparently routes to the MySQL database in VPC B, despite both VPCs sharing the same 10.0.0.0/16 range.

Checkpoint Questions

  1. Why can you not use VPC Peering to connect two VPCs with the CIDR 10.1.0.0/16?
  2. What are the three primary methods for increasing available IP space in a VPC?
  3. How does AWS PrivateLink resolve the issue of overlapping IP addresses?
  4. In a route table, if you have 10.0.0.0/16 (Local) and 10.0.1.0/24 (VPC Peer), which route is followed for traffic to 10.0.1.50?

Muddy Points & Cross-Refs

  • VPC Peering vs. Secondary CIDR: Many students think adding a secondary CIDR allows you to peer overlapping VPCs. False. Peering checks the entire associated CIDR list; any overlap prevents the peering connection.
  • The /28 Limit: Remember that the smallest subnet you can create in AWS is /28 (16 IPs, 11 usable).
  • Deep Dive: For more on how NAT handles overlaps, see documentation on Private NAT Gateways (often used with Transit Gateway to handle overlapping on-prem ranges).

Comparison Tables

  Solution        | Best Use Case                         | Difficulty | Overlap Friendly?
  ----------------|---------------------------------------|------------|----------------------
  VPC Peering     | High bandwidth, non-overlapping VPCs  | Low        | No
  Transit Gateway | Complex hub-and-spoke networking      | Medium     | No (unless using NAT)
  PrivateLink     | Sharing a specific app/service        | Medium     | Yes
  Secondary CIDR  | Solving IP exhaustion within one VPC  | Low        | N/A
  NAT Gateway     | Outbound access / Hiding internal IPs | Medium     | Yes (with mapping)

Important: When adding a secondary CIDR block, it cannot be from the 169.254.0.0/16 range or any range currently used in your route tables, even if that range is for an external VPN connection.
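The rules in the Formula / Concept Box, the Muddy Points and the note above can be checked mechanically before you touch the console. The following Python script is an added example (not part of the original guide or of any AWS tooling) using only the standard-library ipaddress module; it assumes the caller passes the VPC's full associated CIDR list and the non-local route prefixes, and it treats a route conflict as the candidate being the same as or larger than an existing route prefix (so a 0.0.0.0/0 default route does not block every candidate).

```python
import ipaddress
from typing import Iterable, List

# AWS reserves the first four addresses (network, router, DNS, future use) and the last (broadcast).
AWS_RESERVED_PER_SUBNET = 5
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")   # never allowed as a VPC CIDR
SMALLEST_SUBNET_PREFIX = 28                          # AWS subnets cannot be smaller than /28


def usable_ips(subnet: str) -> int:
    """Usable addresses in a subnet after AWS's five reserved addresses (e.g. /28 -> 11)."""
    net = ipaddress.ip_network(subnet, strict=True)
    if net.prefixlen > SMALLEST_SUBNET_PREFIX:
        raise ValueError(f"{subnet}: AWS subnets cannot be smaller than /{SMALLEST_SUBNET_PREFIX}")
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def can_peer(vpc_a_cidrs: Iterable[str], vpc_b_cidrs: Iterable[str]) -> bool:
    """Peering is refused if ANY CIDR of VPC A (primary or secondary) overlaps ANY CIDR of VPC B.

    This is the 'Muddy Point': adding a secondary CIDR never unblocks peering, because the
    whole associated list is compared, and an identical CIDR counts as an overlap.
    """
    a = [ipaddress.ip_network(c) for c in vpc_a_cidrs]
    b = [ipaddress.ip_network(c) for c in vpc_b_cidrs]
    return not any(x.overlaps(y) for x in a for y in b)


def secondary_cidr_problems(candidate: str, vpc_cidrs: Iterable[str],
                            route_prefixes: Iterable[str]) -> List[str]:
    """Reasons a candidate secondary CIDR would be rejected; an empty list means it is allowed.

    route_prefixes are the non-local routes (VPN, peering, TGW ...); local routes duplicate vpc_cidrs.
    """
    cand = ipaddress.ip_network(candidate)
    problems: List[str] = []
    if cand.overlaps(LINK_LOCAL):
        problems.append("overlaps link-local 169.254.0.0/16")
    for existing in vpc_cidrs:
        if cand.overlaps(ipaddress.ip_network(existing)):
            problems.append(f"overlaps VPC CIDR {existing}")
    for prefix in route_prefixes:
        # Rejected when the candidate is the same as, or a supernet of, a routed prefix
        # (supernet_of is True for an identical network as well).
        if cand.supernet_of(ipaddress.ip_network(prefix)):
            problems.append(f"is the same as or larger than route-table prefix {prefix}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the guide's exhausted 10.0.0.0/16 VPC with a VPN route to 172.16.0.0/24.
    print(usable_ips("10.0.1.0/28"))                                              # 11
    print(can_peer(["10.0.0.0/16", "10.1.0.0/16"], ["10.1.0.0/16"]))              # False
    print(secondary_cidr_problems("10.1.0.0/16", ["10.0.0.0/16"], ["0.0.0.0/0", "172.16.0.0/24"]))  # []
```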
