I have accidentally added a secondary CIDR to a VPC which was already being used by another VPC in another AWS account on our company's private network. My question here is: if the CIDR was already being used, how was I allowed to add it again to another VPC? Also, doesn't AWS provide a mechanism to check if the CIDR range that we are trying to add is available or being used?
You can have multiple VPCs with the same CIDR range. This is the benefit of the Cloud! It's great when you want non-production networks to exactly match Production networks. It's a feature, not a failure.
Having multiple VPCs with overlapping ranges will only be an inconvenience if you wish to connect those VPCs together, or you wish to be able to route to both VPCs from the same VPN or Direct Connect connection.
We are using a shared VPC with two subnets (10.65.0.0/16 and 10.66.0.0/16). The shared VPC has a connection to the on-prem network, so both subnets can access resources hosted on-prem. Since we use one subnet for the DEV environment and the other one for the PROD environment, we want to block all traffic between those two subnets. I don't want to manage those firewall rules by using tags or service accounts of each instance hosted on those subnets, since the owners of the projects hosted in those two subnets may not always follow the rules, causing extra communication to clarify. Ideally, I want to create some firewall rules to block the traffic just using those two IP ranges of the subnets. To isolate the subnets from each other, I need to create a "deny" firewall rule with source "10.65.0.0/16" and destination "10.66.0.0/16", and another one with source "10.66.0.0/16" and destination "10.65.0.0/16". From what I saw, in both egress and ingress firewalls, it's only allowed to set IP ranges on either source or destination, but not both. It looks like there is no way to set both source and destination in a single firewall rule using CIDRs.
I know using a peered network can easily cut the traffic between VPCs/subnets. But there is a limitation in VPC: routing across 2+ layers of peering is terrible, and resources managed by Google already involve a layer of peering, so if possible I don't want to involve another layer of peered network. If there are no better ideas, I probably have to use either Tags or Service accounts to create firewalls one by one.
Please share your ideas, or any other way to resolve my problem.
Thank you
I consulted Google tech support for this question. Their suggestion is no surprise. It cannot be done by setting a source IP CIDR and a destination CIDR. Their suggestion is to use "Tags" + "resource IP ranges".
e.g. allow all [ingress], target tags: vmGroup-1, source IPv4: CIDR of vmGroup-1
Basically, going this way instead of creating "deny" firewalls is caused by one advantage of VPC and one limitation of VPC. The advantage is: in VPC the traffic is blocked between any instances naturally, even if they are in the same subnet; firewalls are created in the VPC but work on each instance individually, so it's like each instance has its own firewall. The limitation is: so far, VPC doesn't allow a firewall rule to be created with both source and destination IP ranges defined.
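An added example, not part of the thread or of Google's tooling: a small model of how GCP evaluates VPC firewall rules per instance, used to check the "tags + source IP range" design from the answer above. The rules, instances and the on-prem range (192.168.0.0/16) are constructed; the DEV/PROD subnets are the thread's 10.65.0.0/16 and 10.66.0.0/16.

```python
"""Per-instance firewall evaluation, GCP style: lowest priority number wins,
DENY beats ALLOW at equal priority, and ingress is implicitly denied."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Rule:
    name: str
    action: str                              # "ALLOW" or "DENY"
    source_ranges: List[str]                 # ingress rules match on source
    target_tags: Optional[Set[str]] = None   # None = applies to every instance
    priority: int = 1000                     # GCP default priority


@dataclass
class Instance:
    name: str
    ip: str
    tags: Set[str] = field(default_factory=set)


# GCP's implied rule: ingress is denied unless some rule allows it.
IMPLIED_DENY = Rule("implied-deny-ingress", "DENY", ["0.0.0.0/0"], None, 65535)


def ingress_allowed(src_ip: str, dst: Instance, rules: List[Rule]) -> bool:
    """Decide one flow the way the instance's own firewall would."""
    src = ipaddress.ip_address(src_ip)
    matches = [
        r for r in rules + [IMPLIED_DENY]
        if (r.target_tags is None or r.target_tags & dst.tags)
        and any(src in ipaddress.ip_network(c) for c in r.source_ranges)
    ]
    # Sort key: priority first, then DENY (False) before ALLOW (True) on ties.
    best = min(matches, key=lambda r: (r.priority, r.action == "ALLOW"))
    return best.action == "ALLOW"


# The pattern from the answer: each group is reachable only from its own subnet,
# plus one constructed rule so the on-prem network still reaches both groups.
RULES = [
    Rule("allow-dev-internal", "ALLOW", ["10.65.0.0/16"], {"vmGroup-1"}),
    Rule("allow-prod-internal", "ALLOW", ["10.66.0.0/16"], {"vmGroup-2"}),
    Rule("allow-from-onprem", "ALLOW", ["192.168.0.0/16"]),
]
DEV = Instance("dev-web", "10.65.1.10", {"vmGroup-1"})
PROD = Instance("prod-db", "10.66.1.10", {"vmGroup-2"})


def isolation_report(rules: List[Rule] = RULES) -> dict:
    """Which of the flows the thread cares about get through."""
    return {
        "dev->dev": ingress_allowed("10.65.2.20", DEV, rules),
        "dev->prod": ingress_allowed("10.65.2.20", PROD, rules),
        "prod->dev": ingress_allowed("10.66.2.20", DEV, rules),
        "onprem->prod": ingress_allowed("192.168.5.5", PROD, rules),
    }
```

An instance that nobody tagged only matches the on-prem rule, which is the failure mode the asker worried about: it becomes unreachable from its own subnet rather than reachable from the other one.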
Is there any workaround if we have the same VPC CIDR (in different AWS accounts) at both ends and we want VPC peering? Or any other mechanism which can help me to connect two VPCs with the same CIDR but in different AWS accounts?
The peering connection requires non-overlapping CIDRs.
Ensure that your VPCs do not have overlapping IPv4 CIDR blocks. If they do, the status of the VPC peering connection immediately goes to failed. This limitation applies even if the VPCs have unique IPv6 CIDR blocks.
A way to deal with such cases is to use a secondary CIDR range. Such a setup is exemplified in the AWS docs:
Two VPCs peered to a specific CIDR block in one VPC
In the example, VPC A has an overlapping CIDR range with VPCs B and C. To establish the peering connections, extra CIDR ranges are used.
There is a good article on the AWS blog which provides several solutions depending on your needs:
Renumber IP networks
Use AWS PrivateLink
Use multiple IP address ranges in VPCs
Hide subnets using Private NAT Gateway
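An added example, not code from any answer here or from AWS: the two pre-checks the threads above turn on. AWS validates a new secondary CIDR only against that VPC's own blocks and routes, not against unrelated VPCs in other accounts (the first question), while peering is refused on any IPv4 overlap between the two VPCs (the answer above). The inventory is constructed, shaped like the CidrBlockAssociationSet in describe-vpcs output; account and VPC ids are placeholders.

```python
"""Overlap checks for VPC CIDR planning across accounts."""
import ipaddress
from typing import Dict, List, Tuple

Inventory = Dict[str, Dict[str, List[str]]]   # account -> vpc id -> IPv4 CIDRs

# Constructed: two accounts that both use 10.0.0.0/16, as in the first question.
INVENTORY: Inventory = {
    "111111111111": {"vpc-aaaa1111": ["10.0.0.0/16", "100.64.0.0/24"]},
    "222222222222": {"vpc-bbbb2222": ["10.0.0.0/16"],
                     "vpc-cccc3333": ["172.16.0.0/16"]},
}


def overlaps(cidr_a: str, cidr_b: str) -> bool:
    """True if the two blocks share any address."""
    a = ipaddress.ip_network(cidr_a, strict=False)
    b = ipaddress.ip_network(cidr_b, strict=False)
    return a.overlaps(b)


def conflicts(candidate: str, inventory: Inventory) -> List[Tuple[str, str, str]]:
    """Every (account, vpc, cidr) in the inventory that overlaps the candidate."""
    return [(acct, vpc, cidr)
            for acct, vpcs in inventory.items()
            for vpc, cidrs in vpcs.items()
            for cidr in cidrs
            if overlaps(candidate, cidr)]


def peerable(cidrs_a: List[str], cidrs_b: List[str]) -> bool:
    """Peering fails if any block of one VPC overlaps any block of the other."""
    return not any(overlaps(a, b) for a in cidrs_a for b in cidrs_b)


def check_secondary_cidr(account: str, vpc: str, candidate: str,
                         inventory: Inventory) -> Dict[str, List]:
    """Split overlaps into what AWS rejects (same VPC) and what it lets through."""
    own = inventory[account][vpc]
    return {
        "rejected_by_aws": [c for c in own if overlaps(candidate, c)],
        "silently_allowed": [h for h in conflicts(candidate, inventory)
                             if (h[0], h[1]) != (account, vpc)],
    }
```

Running check_secondary_cidr before associate-vpc-cidr-block, with an inventory pulled from every account, is the check the asker expected AWS to perform.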
I am not an expert in networking, so I want to get a clearer image. I have an AWS running instance, and its local network is 172.31.16.0/20 with address. I know that Amazon uses 172.31.0.0/16 CIDR to manage private addresses.
If someone does a scan on 172.31.0.0/16, could he/she discover my instance?
I tried to do it with another instance of mine and it detects it, but I am not sure if it works for instances I don't own, because of this notion of VPC that I don't really understand.
Simply no. This CIDR is for a VPC, and your VPC is different from another AWS user's VPC.
To allow another AWS user to access your VPC network, you need to share it manually, so if you do not share it, it is not possible for other users to detect your instance by a brute force query.
For public IP addresses, you definitely can be discovered.
For internal IP addresses, to the extent I know, it is a virtual network, and it is isolated from other VPCs.
Traffic for private RFC1918 addresses is not routable over the Internet. No one can hit your 172.31 address across the Internet. Not from outside AWS and not from another VPC (yours or anyone else's).
VPCs are per account and are isolated from each other. You can, however, share subnets of your VPC with another AWS account within the same AWS Organization, if you choose to. You can also peer VPCs, if you choose to.
Other instances within your VPC can reach an instance in the same VPC, of course, assuming the default routing and NACLs, as can anyone on your VPC's extended network, for example if you have a VPN connection into your VPC (but I assume that's not relevant here).
I do not have ClassicLink enabled for my VPC (maybe we had it earlier), but there is an entry (10.0.0.0/8) in my VPC route table and there is no option to remove it. How can I remove it?
There is a default entry in every Route Table that is mapped to the CIDR of the whole VPC. It is routed to local, which means that all subnets in the VPC can communicate with each other. It is not possible to remove this entry.
If you do not wish some subnets to communicate with each other (which is common in a DMZ scenario), you can use Network ACLs to deny traffic within certain CIDR ranges (e.g. particular subnets).
The issue will be due to ClassicLink being enabled on the VPC; try disabling it, which should avoid this issue.
AWS creates a default VPC with CIDR 10.0.0.0/16 or sometimes 172.31.0.0/16.
I created another AWS account, and in that one the same CIDR blocks were also created.
So my question is:
If 2 accounts have the same CIDR blocks, then is my number of available subnets shared with other accounts?
For my application, should I create my own VPC rather than using the default one created by AWS?
Appreciate an answer
Two VPCs, whether in the same account or different accounts, can have the same CIDR, BUT you cannot route traffic between them, i.e., this is fine as long as the instances in the VPCs do not communicate.
If you really want to route traffic between them using internal IPs (using VPN, etc.), you MUST use a different CIDR; whether it is the same account or a different account does not matter.
If you have the same CIDR, the routing table will route the traffic internally when you intend to route it to the other VPC.