I have the following VPCs (examples) in different accounts and different OUs. All VPCs are attached to a single TGW.
- DEV 10.88.0.0/24
- CI 10.90.0.0/24
- PROD 10.87.0.0/24
- LEGACY_DEV 10.20.0.0/24
- LEGACY_PROD 10.20.0.0/24
All are connected via a transit gateway. In order to segregate traffic, each one sits in its own Transit Gateway routing table, so that DEV can see CI and LEGACY_DEV but not PROD, and vice versa.
DEV Routing Table
- Propagates CI (10.90.0.0/24)
- Propagates LEGACY_DEV (10.20.0.0/24)
PROD Routing Table
- Propagates CI (10.90.0.0/24)
- Propagates LEGACY_PROD (10.20.0.0/24)
CI Routing Table
- Propagates DEV (10.88.0.0/24)
- Propagates PROD (10.87.0.0/24)
Legacy Dev Routing Table
- Propagates DEV (10.88.0.0/24)
Legacy Prod Routing Table
- Propagates PROD (10.87.0.0/24)
The issue I have was the overlapping CIDR ranges of Legacy DEV and Legacy PROD. The transit gateway docs suggest this should not work; you cannot connect two VPCs with the same CIDR range to the same TGW.
However, no error was thrown when I connected the two legacy networks. I was also able to place instances in the DEV network and SSH to an instance in LEGACY_DEV, and the same with PROD -> LEGACY_PROD, without allowing traffic to cross DEV -> LEGACY_PROD. The only difference here is the use of isolated transit routing tables.
Is this the suggested way around overlapping CIDR ranges, or is this working but probably going to be unstable / strange routing?
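An added worked example, not part of the original post, that models the route tables exactly as listed above and shows why the overlap is harmless in this layout: a TGW looks up a packet only in the route table associated with its source attachment, and overlapping CIDRs can only collide inside a single table. The attachment names stand in for real tgw-attach-* ids (hypothetical), the lookup is modelled as longest-prefix match, and the audit function reports which tables would actually contain overlapping propagations, so it can be rerun whenever a new propagation is added.

```python
import ipaddress
from itertools import combinations

# Constructed model of the question's layout. Attachment names stand in for the
# real tgw-attach-* ids (hypothetical); the CIDRs are the ones given in the question.
VPC_CIDR = {
    "DEV": "10.88.0.0/24",
    "CI": "10.90.0.0/24",
    "PROD": "10.87.0.0/24",
    "LEGACY_DEV": "10.20.0.0/24",
    "LEGACY_PROD": "10.20.0.0/24",
}

# Each TGW route table: which attachment is associated with it (its packets are
# looked up here) and which attachments propagate their CIDR into it.
ROUTE_TABLES = {
    "rt-dev":         {"associated": ["DEV"],         "propagations": ["CI", "LEGACY_DEV"]},
    "rt-prod":        {"associated": ["PROD"],        "propagations": ["CI", "LEGACY_PROD"]},
    "rt-ci":          {"associated": ["CI"],          "propagations": ["DEV", "PROD"]},
    "rt-legacy-dev":  {"associated": ["LEGACY_DEV"],  "propagations": ["DEV"]},
    "rt-legacy-prod": {"associated": ["LEGACY_PROD"], "propagations": ["PROD"]},
}


def routes_in(table):
    """Propagated routes of one table as (network, target attachment) pairs."""
    return [(ipaddress.ip_network(VPC_CIDR[a]), a)
            for a in ROUTE_TABLES[table]["propagations"]]


def table_for(attachment):
    """The single TGW route table an attachment is associated with."""
    for name, rt in ROUTE_TABLES.items():
        if attachment in rt["associated"]:
            return name
    raise KeyError(f"{attachment} has no route table association")


def next_hop(src_attachment, dst_ip):
    """Longest-prefix match in the source attachment's table; None means no route."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(net, a) for net, a in routes_in(table_for(src_attachment)) if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def overlapping_pairs(propagations):
    """Attachment pairs whose CIDRs overlap when placed in the same table."""
    nets = [(a, ipaddress.ip_network(VPC_CIDR[a])) for a in propagations]
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]


def audit():
    """Map every route table to the overlapping propagation pairs it contains."""
    return {name: overlapping_pairs(rt["propagations"]) for name, rt in ROUTE_TABLES.items()}


def reachability():
    """For each source attachment, the set of VPCs a host in it is routed to."""
    out = {}
    for src in VPC_CIDR:
        reach = set()
        for dst, cidr in VPC_CIDR.items():
            if dst == src:
                continue
            probe = str(ipaddress.ip_network(cidr)[1])  # first usable-looking host
            if next_hop(src, probe) == dst:
                reach.add(dst)
        out[src] = reach
    return out


if __name__ == "__main__":
    for table, conflicts in audit().items():
        print(f"{table}: {'no overlap' if not conflicts else conflicts}")
    for src, reach in reachability().items():
        print(f"{src} -> {sorted(reach)}")
    # What happens if both legacy VPCs ever propagate into one table:
    print("merged:", overlapping_pairs(["LEGACY_DEV", "LEGACY_PROD"]))
```

With the tables as listed, `audit()` finds no table holding both legacy prefixes, `next_hop("DEV", "10.20.0.5")` resolves to LEGACY_DEV and the same address from PROD resolves to LEGACY_PROD, while DEV has no route to PROD at all. The last line shows the condition that would actually break the design: the moment an attachment is associated with, or propagates into, a table that already carries the other 10.20.0.0/24, the two routes collide in one table and only one of them can win.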