Task Statement 1.6: Design a routing strategy and connectivity architecture that include multiple AWS accounts, AWS Regions, and VPCs to support different connectivity patterns.
📘AWS Certified Advanced Networking – Specialty
1. What is an IP Address and Subnet?
IP Address
An IP address is a unique identifier assigned to a device in a network (for example, a server, EC2 instance, or router). It helps devices communicate with each other.
- Example: 10.0.1.25
Subnet
A subnet (subnetwork) is a smaller range of IP addresses within a larger network.
In AWS:
- Each Amazon Virtual Private Cloud (VPC) is divided into subnets.
- A subnet defines:
- Which IP addresses can be used
- Which Availability Zone resources are deployed in
Example:
- VPC CIDR: 10.0.0.0/16
- Subnets: 10.0.1.0/24, 10.0.2.0/24
Each subnet is used to separate workloads like:
- Web servers
- Application servers
- Databases
2. What is CIDR?
CIDR (Classless Inter-Domain Routing) defines the size of a subnet.
Example:
- 10.0.0.0/16 → Large network (65,536 IPs)
- 10.0.1.0/24 → Smaller network (256 IPs)
Important for AWS design:
- You must plan CIDR blocks carefully before creating VPCs.
- AWS does NOT allow overlapping CIDR blocks in directly connected networks.
3. IP Address Overlap Problem
What is IP Overlap?
IP overlap happens when two networks use the same IP address range.
Example:
- VPC A: 10.0.0.0/16
- VPC B: 10.0.0.0/16
Both networks use the same IP range → conflict
Why is Overlap a Problem?
In AWS networking:
- Routers cannot tell which network a destination address belongs to
- Routing breaks between networks
- Connectivity solutions like VPC peering will fail
Where Overlap Becomes a Problem in AWS:
- VPC peering
- AWS Transit Gateway
- Site-to-Site VPN
- Direct Connect
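The overlap check that VPC peering and Transit Gateway apply can be run ahead of time against your own inventory. The script below is an added example (not from the original notes or from AWS): it takes a constructed list of VPC CIDRs gathered from several hypothetical accounts and Regions and reports every pair that could not be connected directly.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory (hypothetical account IDs, Regions and VPC
# names): the CIDR blocks you would collect from each account before
# designing peering or Transit Gateway attachments.
VPC_INVENTORY = [
    {"account": "111111111111", "region": "us-east-1", "vpc": "prod-vpc", "cidr": "10.0.0.0/16"},
    {"account": "222222222222", "region": "us-east-1", "vpc": "dev-vpc", "cidr": "10.0.0.0/16"},
    {"account": "222222222222", "region": "eu-west-1", "vpc": "test-vpc", "cidr": "10.2.0.0/16"},
    {"account": "333333333333", "region": "us-west-2", "vpc": "shared-vpc", "cidr": "10.2.128.0/17"},
]


def find_overlaps(inventory):
    """Return every pair of VPC names whose CIDR blocks overlap.

    Partial overlap (a /17 inside a /16) counts just like an identical
    block: peering and Transit Gateway reject both. strict=True makes
    ipaddress raise ValueError on a malformed block such as 10.0.1.5/24.
    """
    parsed = [(v, ipaddress.ip_network(v["cidr"], strict=True)) for v in inventory]
    conflicts = []
    for (a, net_a), (b, net_b) in combinations(parsed, 2):
        if net_a.overlaps(net_b):
            conflicts.append((a["vpc"], b["vpc"]))
    return conflicts


def overlap_report(inventory):
    """Human-readable lines; each CONFLICT needs re-IP, NAT or PrivateLink."""
    lines = [f"CONFLICT: {left} overlaps {right}" for left, right in find_overlaps(inventory)]
    return lines or ["OK: no overlapping CIDR blocks"]


if __name__ == "__main__":
    print("\n".join(overlap_report(VPC_INVENTORY)))
```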
4. AWS Services Affected by Overlapping IPs
4.1 VPC Peering
- Does NOT support overlapping CIDR blocks
- One-to-one connectivity only
- No transitive routing
4.2 AWS Transit Gateway
- Also does NOT allow overlapping CIDR blocks
- Supports multi-account and multi-region architectures
4.3 Site-to-Site VPN / Direct Connect
- Overlapping IPs create routing conflicts
- Requires special handling (NAT, re-addressing, or proxies)
5. Solutions for IP Address Overlap
When IP overlap occurs, AWS provides multiple solutions.
5.1 Re-IP (Best Practice)
What it means:
Change the IP address range to avoid overlap.
Example:
- Change: VPC A 10.0.0.0/16, VPC B 10.0.0.0/16
- To: VPC A 10.0.0.0/16, VPC B 10.1.0.0/16
Advantages:
- Clean architecture
- Native AWS support
- No complex configuration
Disadvantages:
- Time-consuming
- May require downtime or migration
5.2 NAT (Network Address Translation)
What it does:
Maps one IP address to another.
In AWS:
- Use NAT instances or NAT gateways to translate overlapping IPs
Example:
- Internal network uses 10.0.0.0/16
- NAT translates it to a different range when communicating externally
Use cases:
- Hybrid networks (on-prem + AWS)
- Temporary workaround when re-IP is not possible
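To make the NAT workaround concrete, the following added example (not code from the original notes and not an AWS API) models what a 1:1 NAT layer does between two networks that both use 10.0.0.0/16: the VPC is presented to the other side under a translated range, with the host part preserved. The translated range 100.64.0.0/16 is an assumption chosen for the example.

```python
import ipaddress

# Constructed scenario: on-premises and the VPC both use 10.0.0.0/16.
# The NAT layer presents the VPC as 100.64.0.0/16 (assumed range), so
# 10.0.5.7 in the VPC is reached from on-premises as 100.64.5.7.
VPC_RANGE = ipaddress.ip_network("10.0.0.0/16")
TRANSLATED_RANGE = ipaddress.ip_network("100.64.0.0/16")


def translate(address, real_range, translated_range):
    """Map a host in real_range to the same host offset in translated_range.

    Raises ValueError when the address is outside the NAT's scope or when
    the two ranges differ in size (a 1:1 mapping needs equal-size blocks).
    """
    ip = ipaddress.ip_address(address)
    if real_range.prefixlen != translated_range.prefixlen:
        raise ValueError("1:1 NAT requires ranges of equal size")
    if ip not in real_range:
        raise ValueError(f"{ip} is not inside {real_range}")
    offset = int(ip) - int(real_range.network_address)
    return str(translated_range.network_address + offset)


def untranslate(address, real_range, translated_range):
    """Reverse mapping applied to return traffic (translated -> real)."""
    return translate(address, translated_range, real_range)


def route_for(destination, local_range, translated_range):
    """Next hop a host in the overlapping network should use.

    Local 10.0.x.y stays local; the remote overlapping network is only ever
    reached through its translated 100.64.x.y address, so the route table
    never has to carry the conflicting 10.0.0.0/16 twice.
    """
    ip = ipaddress.ip_address(destination)
    if ip in local_range:
        return "local"
    if ip in translated_range:
        return "via-nat"
    return "default"
```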
5.3 AWS PrivateLink
What it does:
Allows private access to services without exposing IP ranges
Key concept:
- No need for direct network connectivity
- No routing between VPCs
Benefits:
- Avoids IP overlap completely
- Secure and scalable
- Works across accounts and VPCs
Example use case:
- A shared service VPC exposes an API
- Other VPCs connect using PrivateLink without routing issues
5.4 AWS Transit Gateway with NAT / Segmentation
With AWS Transit Gateway:
- You can segment networks using routing tables
- But overlapping IPs still need NAT or redesign
Advanced design:
- Use NAT between overlapping networks
- Or isolate environments with separate routing domains
5.5 Overlay Networks (Advanced)
Overlay networks create a virtual network on top of existing infrastructure.
Examples:
- SD-WAN solutions
- VPN overlays
In AWS:
- Often used with:
- Transit Gateway Connect
- Third-party networking appliances
Benefit:
- Encapsulates traffic
- Avoids direct IP conflicts
5.6 Proxy-Based Architecture
Instead of direct communication:
- Use a proxy or middleware layer
Example:
- Application A connects to proxy
- Proxy communicates with Application B
Advantage:
- Hides IP overlap
- Controls traffic flow
5.7 DNS-Based Routing
Instead of using IP addresses directly:
- Use DNS names
Example:
- app.internal.company.com points to different endpoints in different environments
Benefit:
- Avoids dependency on IP addresses
- Easier to manage in multi-account setups
6. Designing IP Addressing for AWS (Best Practices)
To avoid overlap problems from the start:
1. Plan CIDR Hierarchies
- Allocate large ranges per environment:
- Production: 10.0.0.0/16
- Dev: 10.1.0.0/16
- Test: 10.2.0.0/16
2. Use Non-Overlapping Ranges Across:
- Accounts
- Regions
- VPCs
3. Use IP Address Management (IPAM)
AWS provides:
- Centralized IP planning
- Helps prevent overlaps
4. Use Smaller Subnets Where Possible
- Avoid wasting IP space
- Easier to manage scaling
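The four practices above amount to carving every VPC and subnet from one planned hierarchy so that overlap is impossible by construction, which is what IPAM automates. The added example below (not from the original notes, not IPAM's API) does this for the Production/Dev/Test layout from step 1, assuming one organisation supernet of 10.0.0.0/8 and a /24 per Availability Zone and tier, and then verifies the result independently.

```python
import ipaddress

# Constructed plan (assumptions): one private supernet for the organisation,
# one /16 per environment, one /24 per Availability Zone and tier.
ORG_SUPERNET = ipaddress.ip_network("10.0.0.0/8")
ENVIRONMENTS = ["production", "dev", "test"]
AZS = ["a", "b", "c"]
TIERS = ["web", "app", "db"]


def plan_addressing(supernet=ORG_SUPERNET, environments=ENVIRONMENTS,
                    azs=AZS, tiers=TIERS, vpc_prefix=16, subnet_prefix=24):
    """Carve non-overlapping VPC and subnet CIDRs from a single supernet.

    Each environment takes the next free /16; inside it, each AZ/tier pair
    takes the next free /24. Every block comes from one iterator, so no two
    blocks can overlap.
    """
    vpc_blocks = supernet.subnets(new_prefix=vpc_prefix)
    plan = {}
    for env in environments:
        vpc = next(vpc_blocks)
        subnet_blocks = vpc.subnets(new_prefix=subnet_prefix)
        subnets = {f"{tier}-{az}": str(next(subnet_blocks)) for az in azs for tier in tiers}
        plan[env] = {"vpc": str(vpc), "subnets": subnets}
    return plan


def verify_no_overlap(plan):
    """Independent check of a plan: no two VPCs overlap and every subnet
    lies inside its own VPC. Returns False on the first violation."""
    vpcs = {env: ipaddress.ip_network(p["vpc"]) for env, p in plan.items()}
    envs = list(vpcs)
    for i, a in enumerate(envs):
        if any(vpcs[a].overlaps(vpcs[b]) for b in envs[i + 1:]):
            return False
    for env, p in plan.items():
        for cidr in p["subnets"].values():
            if not ipaddress.ip_network(cidr).subnet_of(vpcs[env]):
                return False
    return True


if __name__ == "__main__":
    for env, p in plan_addressing().items():
        print(env, p["vpc"], p["subnets"])
```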
7. Exam Key Points (Very Important)
You should remember these for the exam:
✔ Overlapping CIDR blocks:
- NOT allowed in:
- VPC peering
- Transit Gateway
- Direct Connect / VPN (without workaround)
✔ Solutions to overlap:
- Re-IP (best solution)
- NAT (translation)
- PrivateLink (no routing needed)
- Overlay networks
- Proxy-based communication
- DNS-based routing
✔ Best Practice:
- Always design non-overlapping CIDR blocks from the start
✔ Key AWS Services:
- Amazon VPC
- AWS Transit Gateway
- AWS PrivateLink
8. Simple Summary
- IP addresses identify devices in a network.
- Subnets divide networks into smaller parts.
- Overlapping IP ranges cause routing failures.
- AWS requires unique IP ranges for direct connectivity.
- If overlap exists, you must:
- Re-IP, OR
- Use NAT, PrivateLink, overlays, or proxies.
