I am working on an Azure-based networking solution.
We have a typical hub and spoke VNets topology. The Hub VNet connects to on-prem DC via ExpressRoute and spoke VNets peer to Hub VNet. There is an Azure Firewall in the Hub that filters traffic between Hub-spokes and Hub-on-prem segments (GREEN in the diagram).
We have a bizarre requirement of adding a new isolated VNet (RED in the diagram) that will have overlapping IPs with the existing network (GREEN). We want to allow workloads in this new VNet to access private apps deployed in Hub or on-prem.
I need help on how to achieve this connectivity.
Note: We don't want to set up any VPN between the new VNet and Hub.
2 Answers
It is not possible to peer Virtual Networks with overlapping IP addresses. This is documented here. You will have to move to a different address space and move/recreate resources under this new address space.
If it helps you can take a look at this Checklist before moving resources.
As you might appreciate, this is more of a general networking limitation more so than an Azure limitation. If we want two different networks with overlapping IP addresses to communicate then we would need networking devices in between both networks that perform some form of network address translation so the IP addresses appear to be different to the communicating hosts. Below is an example from the Azure documentation.
Logically you have two options here:
I saw your note above for not wanting to use any VPN devices. Having said that, however, generally speaking it is usually a better option from an availability & supportability perspective to leverage the built-in offering vs. hand rolling your own virtual appliance using iptables or a Windows NAT Router or something similar. Hope this clarifies.
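The two answers above make two points: peering fails on any overlapping address space, and the only way around that is a translation hop so GREEN sees RED hosts under non-overlapping addresses. The following Python script is an added worked example (not code from either answer, from Azure, or from the original poster) that walks through both steps on a constructed address plan. The /16 ranges for Hub, spoke, on-prem and RED, the host 10.0.0.5, and the choice of 100.64.0.0/10 as the pool for the translated range are all assumptions made for this example; only the standard-library `ipaddress` module is used, so it runs anywhere.

```python
import ipaddress

# Constructed sample address plan (assumption, not from the question):
# the GREEN estate (Hub, one spoke, on-prem) and the new RED VNet,
# which reuses the Hub's range.
GREEN = {
    "Hub": ipaddress.ip_network("10.0.0.0/16"),
    "Spoke1": ipaddress.ip_network("10.1.0.0/16"),
    "OnPrem": ipaddress.ip_network("10.2.0.0/16"),
}
RED = ipaddress.ip_network("10.0.0.0/16")

# Candidate pool for the translated RED range. 100.64.0.0/10 (RFC 6598 shared
# address space) is used here purely as a constructed example; any range that
# is free in your own plan works.
NAT_POOL = [ipaddress.ip_network("100.64.0.0/10")]


def overlapping_pairs(networks):
    """Return every pair of names whose address spaces overlap.

    A pair in this list cannot be VNet-peered; this is the check that fails
    the moment RED is added next to GREEN.
    """
    names = list(networks)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if networks[a].overlaps(networks[b]):
                pairs.append((a, b))
    return pairs


def choose_nat_space(existing, prefixlen, pool=NAT_POOL):
    """Pick the first /prefixlen block from the pool that overlaps nothing in existing."""
    for cand in pool:
        if cand.prefixlen > prefixlen:
            continue  # candidate is too small to hold a /prefixlen block
        for sub in cand.subnets(new_prefix=prefixlen):
            if not any(sub.overlaps(n) for n in existing):
                return sub
    raise ValueError("no free NAT range in pool")


def nat_translate(addr, from_net, to_net):
    """Static 1:1 NAT: keep the host part of addr, swap the network part."""
    addr = ipaddress.ip_address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT needs equal-sized networks")
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    host_offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_offset)


def plan_red_connectivity(red=RED, green=GREEN, red_host="10.0.0.5"):
    """Work through the answers' reasoning: detect the overlap, carve out a
    translated range that collides with nothing, and show how one RED host
    would appear to GREEN after translation."""
    all_nets = dict(green, RED=red)
    conflicts = overlapping_pairs(all_nets)
    nat_net = choose_nat_space(list(green.values()) + [red], red.prefixlen)
    translated = nat_translate(red_host, red, nat_net)
    # The mapping must be reversible so that replies from GREEN reach RED.
    if nat_translate(translated, nat_net, red) != ipaddress.ip_address(red_host):
        raise RuntimeError("NAT mapping is not reversible")
    return {
        "conflicts": conflicts,
        "nat_range": str(nat_net),
        "red_host_as_seen_by_green": str(translated),
    }


if __name__ == "__main__":
    print(plan_red_connectivity())
```

Running it reports the Hub/RED collision (the peering blocker) and proposes 100.64.0.0/16 as the range GREEN would see, with 10.0.0.5 in RED appearing as 100.64.0.5. Whatever NAT device ends up in the path, the checks here are the ones worth keeping: the translated range must overlap neither GREEN nor any future spoke, and the mapping must be static and reversible, otherwise firewall rules in the Hub cannot identify the RED source.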