REL02-BP05 Enforce non-overlapping private IP address ranges in all private address spaces where they are connected
The IP address ranges of each of your VPCs must not overlap when peered or connected via VPN. You must similarly avoid IP address conflicts between a VPC and on-premises environments or with other cloud providers that you use. You must also have a way to allocate private IP address ranges when needed.
An IP address management (IPAM) system can help with this. Several IPAMs are available from the AWS Marketplace.
Common anti-patterns:
- Using the same IP range in your VPC as you have on premises or in your corporate network.
- Not tracking IP ranges of VPCs used to deploy your workloads.
Benefits of establishing this best practice: Actively planning your network ensures that the same IP address does not occur more than once across interconnected networks. This prevents routing problems in the parts of the workload that use the different applications.
Level of risk exposed if this best practice is not established: Medium
Implementation guidance
Monitor and manage your CIDR use. Evaluate your potential usage on AWS, add CIDR ranges to existing VPCs, and create VPCs to allow planned growth in usage.
- Capture current CIDR consumption (for example, VPCs, subnets).
  - Use service API operations to collect current CIDR consumption.
- Capture your current subnet usage.
  - Use service API operations to collect subnets per VPC in each Region.
  - Record the current usage.
  - Determine if you created any overlapping IP ranges.
  - Calculate the spare capacity.
  - Identify overlapping IP ranges. You can either migrate to a new range of addresses or use Network and Port Translation (NAT) appliances from AWS Marketplace if you need to connect the overlapping ranges.
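The steps above (record usage, detect overlapping ranges, calculate spare capacity) carried out in code, as an added example that is not part of the AWS guidance. The VPC, subnet and on-premises inventory below is constructed for the example; in practice you would populate it from the DescribeVpcs and DescribeSubnets API operations in each Region and from your on-premises IPAM. The function names and the VPC and site identifiers are assumptions of this example.

```python
import ipaddress
from itertools import combinations

# Constructed inventory (made-up identifiers and ranges), standing in for what
# DescribeVpcs / DescribeSubnets and an on-premises IPAM export would return.
VPC_CIDRS = {
    "vpc-prod-use1": ["10.0.0.0/16"],
    "vpc-dev-use1": ["10.1.0.0/16"],
    "vpc-analytics-euw1": ["10.0.128.0/17"],  # collides with vpc-prod-use1
}
ON_PREM_CIDRS = {"corp-dc1": ["10.1.0.0/20"]}  # collides with vpc-dev-use1
SUBNETS = {
    "vpc-prod-use1": ["10.0.0.0/20", "10.0.16.0/20", "10.0.32.0/20"],
    "vpc-dev-use1": ["10.1.0.0/24"],
    "vpc-analytics-euw1": [],
}


def find_overlaps(address_spaces):
    """Return (space_a, cidr_a, space_b, cidr_b) for every pair of ranges that
    belong to different address spaces and overlap. address_spaces maps a
    name (VPC id, site name, peer cloud account) to its list of CIDR strings.
    Ranges inside the same VPC are not compared: secondary CIDRs of one VPC
    are allowed to sit next to each other."""
    flat = [(name, ipaddress.ip_network(cidr))
            for name, cidrs in address_spaces.items() for cidr in cidrs]
    overlaps = []
    for (name_a, net_a), (name_b, net_b) in combinations(flat, 2):
        if name_a != name_b and net_a.overlaps(net_b):
            overlaps.append((name_a, str(net_a), name_b, str(net_b)))
    return overlaps


def free_blocks(vpc_cidrs, subnet_cidrs):
    """Return the CIDR blocks of a VPC that no subnet occupies, i.e. the space
    from which new subnets can be carved without colliding with existing ones."""
    remaining = [ipaddress.ip_network(c) for c in vpc_cidrs]
    for subnet in (ipaddress.ip_network(s) for s in subnet_cidrs):
        updated = []
        for block in remaining:
            if subnet.subnet_of(block):
                # address_exclude yields the pieces of block not covered by subnet
                updated.extend(block.address_exclude(subnet))
            else:
                updated.append(block)
        remaining = updated
    return sorted(remaining)


def spare_capacity(vpc_cidrs, subnet_cidrs):
    """Number of addresses in the VPC's CIDR blocks not assigned to any subnet."""
    return sum(block.num_addresses for block in free_blocks(vpc_cidrs, subnet_cidrs))


def audit(vpc_cidrs, on_prem_cidrs, subnets):
    """Produce the record the guidance asks for: overlaps across every
    connected address space, plus spare capacity per VPC."""
    overlaps = find_overlaps({**vpc_cidrs, **on_prem_cidrs})
    capacity = {vpc: spare_capacity(cidrs, subnets.get(vpc, []))
                for vpc, cidrs in vpc_cidrs.items()}
    return {"overlaps": overlaps, "spare_capacity": capacity}


if __name__ == "__main__":
    report = audit(VPC_CIDRS, ON_PREM_CIDRS, SUBNETS)
    for a, cidr_a, b, cidr_b in report["overlaps"]:
        print(f"OVERLAP: {a} {cidr_a} <-> {b} {cidr_b}")
    for vpc, spare in report["spare_capacity"].items():
        print(f"{vpc}: {spare} spare addresses, free blocks "
              f"{[str(b) for b in free_blocks(VPC_CIDRS[vpc], SUBNETS[vpc])]}")
```

Run the audit before every peering or VPN attachment, not only once: an overlap only becomes a routing problem at the moment two address spaces are connected, so the check belongs in the change process that creates the connection. Including on-premises and other-cloud ranges in the same inventory is what catches the second collision above, which a VPC-only view would miss.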