Connect Overlapping VPC/VNet to On-prem

The Problem

Organizations usually plan out their cloud network address ranges. But there are times where a VPC/VNet CIDR overlaps with an on-prem network address range, yet still requires connectivity to on-prem.

In this document, the scenario is such that traffic is always initiated from on-prem to VPC/VNet. The constraint is that there should be no source NAT nor destination NAT performed in the on-prem network.

As shown in the diagram below, the on-prem network address range is All other VPCs connect to on-prem via the Aviatrix Transit solution. However, there is one VPC named spoke-vpc with an identical CIDR of


The Solution

Since the on-prem network does not perform any NAT functions, NAT must be performed in the cloud network.

The key solution steps are:

  1. Allocate two virtual address spaces, mapped 1-to-1 to the on-prem network and to spoke-vpc/vnet respectively. For example, allocate the virtual network for the on-prem network, and for the spoke-vpc/vnet virtual VPC/VNet CIDR. These two virtual address spaces must not overlap with any on-prem or cloud address space.

  2. Launch an Aviatrix Gateway in the spoke-vpc/vnet.

  3. Build an IPsec tunnel between spoke-vpc/vnet and the VPN Gateway (VGW/VPN Connect):
    1. Go to the CSP Console (AWS, Azure, GCP, or OCI) for the VPC/VNet service. Use the same VGW that is used for the Aviatrix Transit solution to create an IPsec tunnel to spoke-vpc/vnet with static routes configured, as shown below. Then download the VPN configuration file.


    2. On the spoke-vpc/vnet side, go to your Aviatrix Controller, click Site2Cloud on the left sidebar, and click Add New. Make sure the remote subnet list includes and The local subnet is the virtual address of the spoke-vpc/vnet, as shown in the screenshot below.


  4. Perform both SNAT and DNAT functions on the Aviatrix Gateway:
    1. Go to your Aviatrix Controller and click Gateway. Select the Aviatrix Gateway for spoke-vpc/vnet. Click Edit and scroll down to find Destination NAT.

    2. Translate the cloud virtual destination address to its real address for each instance in the VPC/VNet.

    3. Mark the session with a number that is easy to remember; the same mark is then used to select the session for Source NAT. In this example, it is 119.

    4. Scroll up to find Source NAT. Translate the marked session to any on-prem virtual source address, as shown in the screenshot below.


  5. Repeat the NAT configuration for each cloud instance.

Since the VPN Gateway (VGW/VPN Connect) runs a BGP session to on-prem for a normal Transit Network, the spoke-vpc/vnet virtual CIDR should be propagated to on-prem. From on-prem, the destination IP address takes the range
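To make the address-translation steps above concrete, the following added example (not Aviatrix code, and not from this document) models what the gateway does to a packet in each direction: the step 1 overlap check on the two virtual spaces, the DNAT from the virtual spoke address to the real instance address, the session mark, and the SNAT of the marked session to the virtual on-prem source. It generalizes the per-instance DNAT entries into an offset-based 1-to-1 mapping, and all CIDRs in it are constructed sample values, since the page's own ranges are not reproduced here.

```python
from ipaddress import ip_address, ip_network

# Constructed sample ranges (the page's own CIDRs are not reproduced here).
ONPREM_REAL    = ip_network("10.0.0.0/16")     # on-prem, real
SPOKE_REAL     = ip_network("10.0.0.0/16")     # spoke-vpc/vnet, identical CIDR
ONPREM_VIRTUAL = ip_network("192.168.0.0/16")  # virtual on-prem (SNAT target)
SPOKE_VIRTUAL  = ip_network("172.16.0.0/16")   # virtual spoke, advertised to on-prem
SESSION_MARK   = 119                           # mark tying the DNAT session to SNAT


def virtual_ranges_are_clean(virtuals, in_use):
    """Step 1 check: virtual spaces overlap neither real spaces nor each other."""
    for i, v in enumerate(virtuals):
        if any(v.overlaps(n) for n in in_use):
            return False
        if any(v.overlaps(w) for w in virtuals[i + 1:]):
            return False
    return True


def map_1to1(addr, from_net, to_net):
    """Map addr to the same host offset in an equally sized network."""
    addr = ip_address(addr)
    if addr not in from_net or from_net.prefixlen != to_net.prefixlen:
        raise ValueError(f"{addr} not in {from_net}, or prefix lengths differ")
    offset = int(addr) - int(from_net.network_address)
    return ip_address(int(to_net.network_address) + offset)


def gateway_forward(src, dst):
    """On-prem -> spoke packet arriving at the gateway from the IPsec tunnel."""
    real_dst = map_1to1(dst, SPOKE_VIRTUAL, SPOKE_REAL)    # DNAT: virtual -> real instance
    virt_src = map_1to1(src, ONPREM_REAL, ONPREM_VIRTUAL)  # SNAT on the marked session
    return {"src": str(virt_src), "dst": str(real_dst), "mark": SESSION_MARK}


def gateway_reverse(src, dst):
    """Reply from the instance: undo both translations before the tunnel."""
    real_dst = map_1to1(dst, ONPREM_VIRTUAL, ONPREM_REAL)  # undo SNAT
    virt_src = map_1to1(src, SPOKE_REAL, SPOKE_VIRTUAL)    # undo DNAT
    return {"src": str(virt_src), "dst": str(real_dst)}


if __name__ == "__main__":
    assert virtual_ranges_are_clean([ONPREM_VIRTUAL, SPOKE_VIRTUAL], [ONPREM_REAL, SPOKE_REAL])
    print(gateway_forward("10.0.1.7", "172.16.1.5"))   # on-prem host to virtual spoke address
    print(gateway_reverse("10.0.1.5", "192.168.1.7"))  # instance reply to virtual on-prem address
```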