How to Handle Overlapping IPs and CIDR with AWS, Azure, and Google Clouds

With rapid industry transformations taking place in cloud infrastructure, new problems show up in unpredictable ways. One network-related example is the challenge created by overlapping IP addresses.

In this new hybrid and multi-cloud environment, there is no central authority for assigning dedicated network spaces, IP addresses or subnets, and no standard practice for any of them. As a result, organizations of all sizes find themselves in situations where their applications are unable to connect to data resources, customer networks, or other applications, due to overlapping IP addresses or subnets. This article details how the overlapping IP address problem occurs in various cloud networking use cases, and the steps you can take to fix it.

Understanding the Overlapping IP Problem

The issue of overlapping IP addressing occurs when the same IP address is assigned to more than one application (or compute node) on the same network. The more common scenario is the same range of IPs being implemented on different networks. Although it is possible, this issue does not typically surface within an organization’s own network. The problem surfaces when two different networks with overlapping IP addresses or subnets (at different organizations) attempt to connect to each other. Often, one of them is a public cloud network such as AWS, Azure, OCI or Google Cloud.

Common Scenarios that Result in Overlapping IP Addresses

Below are some common scenarios and use cases that Aviatrix solution architects have seen repeatedly with customers:

  1. Organizations offering cloud-based services or apps that need to connect these services to their customers’ networks. The networks involved were designed independently, resulting in a high probability of overlapping IP ranges.
  2. Mergers and acquisitions that bring two networks together, where each one’s IP ranges were planned independently.
  3. Application connectivity to third-party vendors and partners. Again, the vendor networks were planned independently.
  4. Overlapping IP ranges within an organization, when business units designed their cloud VPCs or on-premises networks independently. This can also occur across resources in AWS VPCs and Azure VNETs.

What Happens on the Network when Overlapping IPs are Present?

Let’s consider a setup where Application 1 resides in Network 1; in this illustration we’ll assume it’s an AWS VPC (see image below). This application needs to reach Application 2 in Network 2 (for example, a customer site). Both networks (1 and 2) have the same IP range: 10.0.0.1 to 10.0.0.255. So, when Application 1 sends a message to Application 2, the router of Network 1 will loop the packet back into Network 1, because the destination address appears to be local.

Connecting these networks together creates faulty traffic flows or even worse, unpredictable traffic flow. This scenario should be avoided at all costs. Accidental overlapping IP (CIDR) connections have resulted in major network outages.

How to Fix Overlapping IP Problems

The Aviatrix cloud network platform has been implemented in hundreds of production environments to eliminate the problems and complexity caused by overlapping IP addresses. Aviatrix is used predominantly in public cloud and hybrid networks to provide enterprise-class networking, security (e.g. firewall insertion and egress filtering), and a single operational model across multiple public clouds.

Aviatrix Transit solves this problem by intelligently mapping the Network 1 and Network 2 IP ranges to virtual IP ranges designated by the user. For example, the user could map Network 1 to a virtual IP range of 192.168.0.0 to 192.168.0.255, and Network 2’s IP range could be mapped to 172.16.2.0 to 172.16.0.255.

Aviatrix controller screenshot:

Now, when Application 1 sends a packet to Application 2, the Aviatrix gateway changes (or maps) the source and destination IP addresses to their respective virtual IP addresses.

When Application 2 responds to Application 1, the Aviatrix Gateway ensures the reverse mapping is done as well.
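The forward and reverse mapping described above, as an added example written for this article (it is not Aviatrix software and does not model its configuration): a static 1:1 network translation between two networks whose real ranges overlap, with a pre-check that rejects virtual ranges that would collide again. The ranges are assumed: 10.0.0.0/24 on both sides, 192.168.0.0/24 as Network 1’s virtual range and 172.16.0.0/24 as Network 2’s; the same translate function applies to the subnet-overlap case later in the article.

```python
# Added example (not Aviatrix code): a 1:1 network mapping that models the
# forward and reverse translation between two overlapping networks.
import ipaddress


def overlaps(cidr_a: str, cidr_b: str) -> bool:
    """Pre-check before peering: do the two ranges share any address?"""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def translate(ip: str, from_cidr: str, to_cidr: str) -> str:
    """Map ip to the address at the same host offset inside to_cidr."""
    src = ipaddress.ip_network(from_cidr)
    dst = ipaddress.ip_network(to_cidr)
    addr = ipaddress.ip_address(ip)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("real and virtual ranges must be the same size")
    if addr not in src:
        raise ValueError(f"{ip} is not in {from_cidr}")
    return str(dst.network_address + (int(addr) - int(src.network_address)))


class MappedPeering:
    """Gateway between two networks whose real ranges overlap (assumed ranges).

    Each side addresses the other by its virtual range; the gateway rewrites
    source and destination on the way out and reverses them on the reply.
    """

    def __init__(self, net1_real, net1_virt, net2_real, net2_virt):
        # Refuse configurations that would still loop or be ambiguous: a virtual
        # range must not collide with the peer's real range, and the two
        # virtual ranges must not collide with each other.
        for a, b in ((net1_virt, net2_real), (net2_virt, net1_real), (net1_virt, net2_virt)):
            if overlaps(a, b):
                raise ValueError(f"virtual range {a} overlaps {b}")
        self.n1 = (net1_real, net1_virt)
        self.n2 = (net2_real, net2_virt)

    def net1_to_net2(self, src_real, dst_virtual):
        """Packet from Network 1: (src, dst) as seen inside Network 2."""
        return (translate(src_real, *self.n1), translate(dst_virtual, self.n2[1], self.n2[0]))

    def net2_to_net1(self, src_real, dst_virtual):
        """Reply from Network 2: (src, dst) as seen inside Network 1."""
        return (translate(src_real, *self.n2), translate(dst_virtual, self.n1[1], self.n1[0]))


if __name__ == "__main__":
    peering = MappedPeering("10.0.0.0/24", "192.168.0.0/24", "10.0.0.0/24", "172.16.0.0/24")
    print(peering.net1_to_net2("10.0.0.10", "172.16.0.20"))   # ('192.168.0.10', '10.0.0.20')
    print(peering.net2_to_net1("10.0.0.20", "192.168.0.10"))  # ('172.16.0.20', '10.0.0.10')
```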

Common Deployment Patterns to Address Overlapping IPs

Resolving Intra-cloud IP Address Overlaps

Sometimes the overlapping IP spaces are within the organization’s own cloud environment. Enterprises use the Aviatrix Gateway’s mapping solution to resolve this issue. This diagram shows how you can peer two AWS VPCs with overlapping IPs using Aviatrix Gateways.

Fixing Inter-cloud IP Address Overlaps

Some enterprises have cross-cloud (cross-CSP) overlapping IP issues, which can be handled using the same Aviatrix capability. This diagram depicts how an AWS VPC and an Azure VNET with overlapping IP spaces can be connected using Aviatrix Gateways.

Handling IP Overlaps in Partner and Customer Networks

Companies that host software for other businesses need to connect to a multitude of customer networks (third-party sites, AWS VPCs, Azure VNETs, Oracle VCNs, etc.). These customer networks pose a high possibility of overlapping IPs. Even if there is no overlapping IP with a particular customer, it is best practice to mask your internal IP ranges from external networks. Aviatrix is the market leader in providing this business-critical connectivity to third-party networks.

The IPsec connection can be terminated on a non-Aviatrix node, such as a cloud-native VPN gateway.

Handling IP Address and Subnet Overlaps

When organizations encounter IP overlap, most often the overlap is not between the source and destination application IP addresses or the whole network range. The overlap is commonly between subnets in the networks. A subnet, as the name suggests, is a subset of the network’s IP range. When two networks have a subnet overlap, all the same issues surface, making it impossible to connect using standard routing techniques.

Again, the Aviatrix gateway’s intelligent mapping will alleviate the problems of subnet overlap.

Key Benefits of Aviatrix Gateway’s Mapping Solution

The advantages of the above-mentioned solutions are:

  1. It is a simple configuration in the Aviatrix controller.
  2. There is no need to change configurations in the applications. It is transparent to the applications and the application owners.
  3. It is transparent to the third-party router (Router 2). All the intelligence is built into the Aviatrix Gateways running in your public cloud (AWS/Azure/GCP/OCI, etc.).
  4. Built-in high availability (HA) across Availability Zones and Regions.

Using this solution, enterprises are able to handle overlapping IP issues that come up internally within the organization or with external connectivity requirements involving customers and partners.

Learn More and Additional Resources

To learn more, or to talk to a Solution Architect about resolving your IP address conflicts or about Aviatrix software, schedule a demo, or watch this 5-minute video.

Become the cloud networking hero of your business.

See how Aviatrix can increase security and resiliency while minimizing cost, skills gap, and deployment time.