The AWS documentation on peering refers to the situation where VPCs B and C each have a subnet with an identical CIDR and which are both peered with VPC A, as per the diagram below:

[Diagram: Overlapping CIDR peering response]

The documentation does not make it clear to me whether it is possible to set up the routes within VPC C such that response traffic is routed to the correct subnet in the correct VPC. Is this possible?

i.e. if traffic originates in Subnet B of VPC B, can its return traffic be correctly routed to it, such that traffic originating in Subnet B of VPC C also has its return traffic correctly routed to it? If so, how do you do this?

John

1 Answer

In the link to the AWS doc I would say that the answer is below the diagram. If traffic originates in Subnet B of VPC B, it's the route table in VPC A that determines whether the traffic gets back to the correct sender.

Initially the answer is it will not, because the route table in VPC A says "send traffic destined for 10.0.0.0/16 to VPC C".

However, you can provide more specific routing by adding routes to VPC A's route table with a smaller CIDR block (bigger CIDR number). So for example, if the traffic originating from VPC B came from 10.0.1.66/32, then add this destination to the route table of VPC A and make sure it gets sent over the correct VPC peer (i.e. to VPC B).

Luke
  • Thanks, but the diagram does not really answer the question, which is what happens when the subnets within the originating VPCs (B & C in this example) have the same CIDR? Thus, for the diagram, Subnet B of B or C may initiate traffic, and both subnets have the same CIDR, 10.0.1.0/24. So is it possible to configure VPC A such that responses get directed to the correct Subnet B in the correct VPC, and if so, what does that configuration within the routing table of VPC A look like? – John May 17 '21 at 07:37
  • I found the answer in the small print of "AWS Certified Advanced Networking", page 67: "A hub VPC can peer with multiple spoke VPCs that use the same address range, but the hub will only be able to route any particular portion of the overlapping address range to a single peered VPC." I read this as meaning that you can only choose a single spoke VPC to receive responses from the hub, where the spokes have overlapping CIDRs. – John May 17 '21 at 10:45
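To make the longest-prefix-match point in Luke's answer and the limitation John quotes concrete, here is an added Python model of VPC A's route table (example code, not from the thread or from AWS). The peering-connection IDs and VPC A's own CIDR are placeholders; the 10.0.x addresses are the ones used in the thread.

```python
import ipaddress

# Constructed route table for hub VPC A. Peering IDs and the "local" CIDR
# are placeholders (assumptions), not real AWS identifiers.
VPC_A_ROUTES = [
    ("172.31.0.0/16", "local"),                     # VPC A's own range (assumed)
    ("10.0.0.0/16", "pcx-to-vpc-c-PLACEHOLDER"),    # VPC C, same CIDR as VPC B
    ("10.0.1.66/32", "pcx-to-vpc-b-PLACEHOLDER"),   # more specific: one host in VPC B
]


def build_table(routes):
    """Parse (cidr, target) pairs into (ip_network, target) pairs."""
    return [(ipaddress.ip_network(cidr), target) for cidr, target in routes]


def next_hop(table, dst):
    """Pick the target the way a VPC route table does: longest prefix wins.

    Returns None when no route covers the destination.
    """
    addr = ipaddress.ip_address(dst)
    matches = [(net, tgt) for net, tgt in table if addr in net]
    if not matches:
        return None
    net, tgt = max(matches, key=lambda m: m[0].prefixlen)
    return tgt


def conflicting_destinations(routes):
    """Return (cidr, first_target, second_target) for any destination CIDR
    that appears twice with different targets. A route table cannot hold two
    routes for the same destination, so such a pair can never be configured;
    this is why the whole 10.0.1.0/24 can be sent to only ONE spoke VPC."""
    seen = {}
    conflicts = []
    for cidr, tgt in routes:
        net = ipaddress.ip_network(cidr)
        if net in seen and seen[net] != tgt:
            conflicts.append((str(net), seen[net], tgt))
        seen[net] = tgt
    return conflicts


if __name__ == "__main__":
    table = build_table(VPC_A_ROUTES)
    print(next_hop(table, "10.0.1.66"))   # the /32 override wins: goes to VPC B
    print(next_hop(table, "10.0.1.67"))   # everything else in 10.0.1.0/24: VPC C
```

Only a disjoint, more specific slice of the shared range can be steered to the second spoke; the same prefix cannot be routed to both.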