I'm currently working with a client who has multiple accounts — over 18 — and I've found out that their VPCs have overlapping IP ranges. They want to establish secure connectivity between some of these VPCs without using the internet. With plans to expand to 30+ accounts next year, I'm considering whether creating a new environment altogether might be a better route for secure internal network connectivity. Any suggestions on how to handle this?
5 Answers
Changing your network CIDRs by adding a secondary CIDR is another route. It might involve moving resources around, but it's crucial for avoiding limitations on future growth. For any new accounts, create new VPCs with unique CIDRs right from the start and consider pulling these from an IPAM pool automatically. You don’t want the default VPC cluttering things up.
If you're really up against it, trying out VPC endpoints can work well too. It keeps things controlled without needing a full IP mesh. I remember Transit Gateway can do IP remapping, which could be useful, but I haven't had to use that feature much myself. Planning for a long-term migration sounds wise, and using IPAM can help you manage your IP space for now.
Good to know! I'll definitely check into the IP remapping capability. I agree, it’s probably worth investing the effort now for better scalability.
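To make the overlap problem and the "carve new CIDRs from a central pool" advice above concrete, here is an added example that is not code from any of the posters. It uses only the Python standard library, takes a constructed inventory of VPC CIDRs keyed by account id (all ids and ranges are made up), reports every pair of overlapping VPCs, flags VPCs sitting in 172.31.0.0/16 (the range AWS uses for default VPCs), and then plans replacement CIDRs for the colliding VPCs from a supernet you would normally delegate to an IPAM pool. The pool address and prefix lengths are assumptions for the demo.

```python
"""Overlap audit and renumbering planner for multi-account VPC CIDRs.

Added example (not from the thread). Inventory, account ids, VPC ids and the
pool supernet are constructed values for demonstration only.
"""
from ipaddress import ip_network, IPv4Network
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed inventory: account id -> [(vpc id, CIDR), ...]
INVENTORY: Dict[str, List[Tuple[str, str]]] = {
    "111111111111": [("vpc-aaaa", "10.0.0.0/16"), ("vpc-aaab", "172.31.0.0/16")],
    "222222222222": [("vpc-bbbb", "10.0.0.0/16"), ("vpc-bbbc", "10.1.0.0/16")],
    "333333333333": [("vpc-cccc", "10.0.128.0/17")],
    "444444444444": [("vpc-dddd", "10.2.0.0/16")],
}

# AWS creates default VPCs with this CIDR; a VPC inside it is a likely default VPC.
DEFAULT_VPC_CIDR = ip_network("172.31.0.0/16")


def _flatten(inventory):
    """Yield (account, vpc id, IPv4Network) for every VPC in the inventory."""
    for acct, vpcs in inventory.items():
        for vpc, cidr in vpcs:
            yield acct, vpc, ip_network(cidr)


def find_overlaps(inventory):
    """Return every pair of VPCs whose CIDRs overlap, across or within accounts."""
    flat = list(_flatten(inventory))
    return [
        (a1, v1, str(n1), a2, v2, str(n2))
        for (a1, v1, n1), (a2, v2, n2) in combinations(flat, 2)
        if n1.overlaps(n2)
    ]


def likely_default_vpcs(inventory):
    """Return (account, vpc id) for VPCs that live inside the default-VPC range."""
    return [(acct, vpc) for acct, vpc, net in _flatten(inventory)
            if net.subnet_of(DEFAULT_VPC_CIDR)]


def _first_free(pool: IPv4Network, prefixlen: int, in_use: List[IPv4Network]):
    """Smallest block of the requested size in the pool that clashes with nothing in use."""
    for cand in pool.subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(u) for u in in_use):
            return cand
    raise ValueError(f"pool {pool} exhausted for /{prefixlen}")


def plan_renumbering(inventory, pool_cidr: str):
    """Keep the first VPC seen for each colliding range and plan new CIDRs for the rest.

    New blocks are taken from the pool (assumed to be the supernet delegated to a
    central IPAM pool) and avoid every CIDR currently in use, including the ones
    being retired, so old and new ranges can coexist during migration.
    Returns {vpc id: (account, old CIDR, new CIDR)}.
    """
    pool = ip_network(pool_cidr)
    accepted: List[IPv4Network] = []
    reassign: List[Tuple[str, str, IPv4Network]] = []
    for acct, vpc, net in _flatten(inventory):
        if any(net.overlaps(k) for k in accepted):
            reassign.append((acct, vpc, net))
        else:
            accepted.append(net)

    in_use = [net for _, _, net in _flatten(inventory)]
    plan = {}
    for acct, vpc, old in reassign:
        new = _first_free(pool, old.prefixlen, in_use)  # keep the VPC's original size
        plan[vpc] = (acct, str(old), str(new))
        in_use.append(new)  # reserve it before the next allocation
    return plan


if __name__ == "__main__":
    for row in find_overlaps(INVENTORY):
        print("OVERLAP", row)
    print("likely default VPCs:", likely_default_vpcs(INVENTORY))
    for vpc, (acct, old, new) in plan_renumbering(INVENTORY, "10.64.0.0/10").items():
        print(f"{acct} {vpc}: {old} -> {new}")
```

With the constructed inventory the audit reports three overlapping pairs (the two 10.0.0.0/16 VPCs and the /17 nested inside them), flags vpc-aaab as a probable default VPC, and proposes 10.64.0.0/16 and 10.65.0.0/17 for the two VPCs that must move. In practice the inventory would come from `describe-vpcs` run under each account's role, and the pool would be the supernet you delegate to IPAM so that new VPCs are allocated from it rather than hand-picked.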
I used to work in AWS Networking, and I'd recommend checking out the AWS blog on connecting networks with overlapping IPs. If you only need a few point-to-point connections, PrivateLink is a good option. For wider connectivity, you’ll likely need to implement more complex solutions. Also, you should really consider starting an IP Address Management (IPAM) strategy and use new VPCs with unique address ranges to avoid those overlapping issues in the future!
Thanks for the insight! Full connectivity is necessary for us, so I think a transit gateway with a private NAT could work here. The IPAM in a central account seems like a smart way to avoid IP overlaps.
It's a good idea to start using IPAM for your VPCs. Once you do, you can set up a Transit Gateway to connect your VPCs across multiple accounts. It simplifies management significantly. Just remember that it can get a bit tricky if you're cost-sensitive; peering might be an option but it's not as clean as a Transit Gateway.
I had a good experience with Transit Gateway too. It sounds solid for what we need now but I’ll look into peering options just in case they're more budget-friendly.
If you're looking to connect across VPCs or accounts in the same region, consider using VPC Lattice. It's designed for that purpose!
I’m not too familiar with Lattice either, but I'll take a look. Thanks for the heads up!
That sounds good to me! I'm also new to AWS and dealing with this kind of disorganized setup is a challenge. Do you know if there's a way to automate the deletion of default VPCs now?