Effectively Managing Overlapping IP Address Ranges in Cloud Networking with Prosimo’s Full Stack Platform
In today’s interconnected world, a frequent challenge in customer cloud networking design is managing overlapping IP address ranges, especially when two networks or applications need to communicate. This often happens in certain situations.
Sophisticated Architecture > Cloud Networking Challenges > Overlapping IP
What is the Overlapping IP Range problem?
IP communication requires unique source and destination addresses. When both source and destination networks share the same IP ranges, e.g. 10.1.0.0/16, routing table conflicts break communications. With the speed at which new, ephemeral networks are created in the cloud, and the nature in which resources today are shared across regions, providers, and companies, overlapping IP range challenges are common and grow in frequency as organizations scale, collaborate, and merge.
Typical Scenarios leading to Overlapping IP Ranges
Overlapping IP ranges can occur in various scenarios within cloud networking, often presenting technical challenges that require sophisticated solutions. Here are some typical scenarios where overlapping IP ranges may arise:
- Planned IP RangeOverlaps for IP Exhaustion Mitigation
Enterprises may intentionally design their network infrastructure with IP overlaps as a proactive measure to reduce the risk of IP address exhaustion. Organizations can efficiently manage their address space by strategically reusing IP address ranges in different parts of their network without depleting it. A typical example is using the same CIDR range across all VPCs / VNETs for individual app teams.
- Mergers and Acquisitions (M&A)
In Post Merger Integration (PMI), when companies attempt to interconnect network infrastructures, they are often using common private IP address ranges. This results in a collision of IP addresses and unroutable transits, posing a significant challenge inhibiting network integration. - Extending Core Applications to Business Partners
When organizations extend their core applications or services to business partners they may encounter a situation where both entities use the same IP address ranges. This can occur when multiple organizations need to collaborate closely, sharing network resources and applications. - Accessing Common Services within a Single Service Provider
Service providers, such as cloud service providers or telecommunications companies, may face scenarios where they must connect two clients with the same IP address range. These providers must find a way to bridge the gap between the conflicting IP addresses to ensure seamless connectivity for their clients. - Unexpected Overlaps with Provider Platforms and Services
Unanticipated IP address overlaps can occur due to the automatic reservation of specific IP ranges by certain cloud services or microservices architectures. For instance, AWS services or products like Docker may reserve IP ranges leading to unexpected conflicts when integrating these services with existing networks.
Additional Challenges
This situation poses several additional challenges beyond IP communication:
- NAT Cost: Cloud Provider’s NAT Gateway solutions are inhibitively expensive at scale.
- Architectural challenges: Some cloud providers do not allow having overlaps in a hub-and-spoke model.
- Routing Complexity at Scale: Managing routing for networks with overlapping IP ranges becomes intricate. Traditional routing solutions need help differentiating between overlapping addresses, complicating traffic delivery to the correct destination.
How Prosimo Solves the Technical Challenges
Prosimo offers a comprehensive solution to address the technical challenges of overlapping IP address ranges in cloud networking. Our approach involves using Prosimo’s Full Stack Cloud Transit, which provides an interconnected, secure, and intelligent fabric using Prosimo Edges in a meshed configuration. This fabric is controlled through cloud APIs and credentials, ensuring efficient management of overlapping IP address scenarios.
Using Prosimo datapath, there are three unique ways to solve Overlapping IP challenges:
OPTION 1:
Prosimo Service Core with NAT capabilities
Solution Overview: Prosimo Service Core provides a robust solution to the technical challenges of overlapping IP address ranges:
- NAT Capabilities: Within Prosimo Edges and connectors, overlapping IP/subnet addresses are mapped to link-local IP addresses within the source VPC. This effectively provides NAT functionality at the IP or subnet level.
- Mapping Management: The Service Core maintains mappings of source or destination IP addresses and their corresponding link-local IP addresses. Connectors in the workload VPC/VNet help tunnel and NAT traffic, obfuscating it from the target.
- Flexibility: Customers can choose from a link-local pool to maintain the mapping. Without customer-provided subnets/CIDR, the service core assigns IPs from its link-local pool of reserved IPs in the 100.127.x.x range.
Detailed blog: Service core and overlapping IP
OPTION 2:
Use of Cloud-Native Private Link (AWS/Azure/GCP)
Solution Overview: Prosimo Service Core provides a robust solution to the technical challenges of overlapping IP address ranges:
- Seamless Communication: Private Link seamlessly publishes APIs, services, and application endpoints across VPCs or VNets, even when they share IP address ranges. It simplifies complex network architectures without altering existing address schemes or using NAT gateways.
- Prosimo Integration: Prosimo enables enterprises to use Private Link endpoints in source VPCs/VNets attached to Prosimo Edge as a hub to route traffic between VPC/VNet endpoints. It ensures security and compliance while providing centralized network resource management.
- Scalability: Prosimo Control Plane uses Cloud APIs to orchestrate endpoint creation, DNS, and routing in customer VPCs/VNets, reducing complexity and improving scalability.
OPTION 3:
Prosimo Application-Aware Proxy
Solution Overview: Prosimo Edges act as proxies facilitating communication with application endpoints using higher-layer protocols such as HTTP/s and TCP through DNS. By using a combination of additional application identifying properties – hostname/FQDN, ports and IP addresses – to create a unique identity for the app, in the event of an IP Address overlap, the applications unique identity persists, abstracted at the proxied IP layer, and remains reachable. This effectively masks target IPs and prevents IP address conflicts.
Take the next step
Typical scenarios for IP overlap:
Extending core applications to business partners that use the same IP range
Similarly, service providers may encounter this when they need to connect two clients who share the same IP range
Unexpected overlaps are also a reality. For instance, certain AWS services or microservices architectures and products like Docker automatically reserve specific IP ranges.
Handling Overlapping IP Ranges in the Cloud
OFFICE HOURS
Handling Overlapping IP Ranges in the Cloud
Speakers
Dan Sheldon
Sharol Pereira
Instructor-led training to solve complex enterprise networking challenges.
Reserve your spot in one of our free Prosimo Lab’s and receive hands-on, instructor-led training on how to solve complex networking challenges with the Prosimo platform – single-cloud, multi-cloud, network-to-network, and network-to-app.
Cloud Field Day 18
Get a comprehensive view on how Prosimo’s platform solves complex cloud networking challenges.
