Organisations should avoid using the default address space provided by AWS Virtual Private Clouds (VPCs), as this limits connectivity options such as VPC Peering in the future.
In every region, AWS provisions a default VPC with the CIDR block 172.31.0.0/16, and the console's VPC creation wizard pre-fills 10.0.0.0/16 for custom VPCs. These two ranges therefore appear in a very large number of AWS accounts. Because they are both popular and predictable, they are a serious obstacle to VPC peering: AWS refuses to create a peering connection between VPCs whose IPv4 (or IPv6) CIDR blocks match or overlap, so two VPCs that both use 172.31.0.0/16, or both use 10.0.0.0/16, cannot be peered at all. A VPC's primary CIDR block cannot be changed after creation, so the remedy is usually to migrate the workload into a re-addressed VPC.
Beyond blocking peering, use of the default range is a sign that the VPC has not been deliberately designed. Organisations should plan their cloud addressing from a larger private range such as 10.0.0.0/8 (RFC 1918). We commonly recommend designing VPC networks within 10.0.0.0/8 because it is simple to manage and leaves ample room for future growth, and because it keeps cloud networks clear of 192.168.0.0/16 and 172.16.0.0/12, which are heavily used in offices, data centres and home networks (172.16.0.0/12 also contains the default VPC's 172.31.0.0/16). Overlaps with those ranges surface later as broken routing over site-to-site VPNs and other cross-network links.
If VPC peering will form a key part of your service connectivity, be selective about the address ranges you use. To improve the odds of peering cleanly, and to make your networks easy to recognise, consider less common ranges, for instance blocks towards the top of 10.0.0.0/8 rather than 10.0.x.x, or, for very large estates, address space outside the usual private ranges that is not routed anywhere else in your organisation. Treat such unconventional ranges with care: AWS restricts which CIDR blocks a VPC may use, and routers, firewalls and VPN appliances outside AWS may handle non-RFC 1918 addresses unexpectedly, so test thoroughly before committing to them.
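As an added example (not part of the original article), the following Python script uses only the standard library's ipaddress module to check an inventory of CIDR blocks for the overlaps that block peering, and to carve fresh VPC ranges out of 10.0.0.0/8 from the top end while avoiding everything already in use. The VPC names and CIDRs in SAMPLE_NETWORKS are constructed for illustration; 172.31.0.0/16 is the real range AWS assigns to default VPCs. In practice the inventory would be populated from the output of `aws ec2 describe-vpcs` and your on-premises address records.

```python
import ipaddress
from itertools import combinations

# Constructed inventory (illustrative names and ranges). Default VPCs in every
# region share 172.31.0.0/16, and copying the console's suggested 10.0.0.0/16
# into several custom VPCs is an equally common source of collisions.
SAMPLE_NETWORKS = {
    "default-vpc-eu-west-1": "172.31.0.0/16",
    "default-vpc-us-east-1": "172.31.0.0/16",
    "prod-vpc": "10.0.0.0/16",
    "staging-vpc": "10.0.0.0/16",
    "data-vpc": "10.1.0.0/16",
    "onprem-hq": "192.168.0.0/16",
}


def can_peer(cidr_a, cidr_b):
    """AWS only creates a peering connection when the CIDR blocks do not overlap."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def find_overlaps(networks):
    """Return sorted (name_a, name_b) pairs whose CIDRs overlap and so cannot peer."""
    parsed = {name: ipaddress.ip_network(cidr, strict=True)
              for name, cidr in networks.items()}
    return sorted((a, b) for a, b in combinations(sorted(parsed), 2)
                  if parsed[a].overlaps(parsed[b]))


def allocate_vpc_cidrs(count, prefixlen=16, pool="10.0.0.0/8", reserved=()):
    """Carve `count` blocks of size /prefixlen out of `pool`, skipping anything
    that overlaps the `reserved` ranges (existing VPCs, on-prem, partners).

    The pool is walked from its top end downwards, so new VPCs land in the
    less commonly used part of 10/8 and stay clear of the 10.0.x.x defaults.
    """
    if not 16 <= prefixlen <= 28:
        raise ValueError("AWS VPC IPv4 CIDR blocks must be between /16 and /28")
    pool_net = ipaddress.ip_network(pool)
    taken = [ipaddress.ip_network(r) for r in reserved]
    chosen = []
    for candidate in reversed(list(pool_net.subnets(new_prefix=prefixlen))):
        if any(candidate.overlaps(n) for n in taken + chosen):
            continue
        chosen.append(candidate)
        if len(chosen) == count:
            break
    if len(chosen) < count:
        raise ValueError(f"only {len(chosen)} free /{prefixlen} blocks left in {pool}")
    return [str(c) for c in chosen]


if __name__ == "__main__":
    for a, b in find_overlaps(SAMPLE_NETWORKS):
        print(f"cannot peer: {a} ({SAMPLE_NETWORKS[a]}) <-> {b} ({SAMPLE_NETWORKS[b]})")
    # Allocate three new /16 VPC ranges that avoid every range already in use.
    print(allocate_vpc_cidrs(3, reserved=SAMPLE_NETWORKS.values()))
```

Run against the sample inventory, the two default VPCs and the two 10.0.0.0/16 VPCs are reported as unpeerable, and the allocator hands out 10.255.0.0/16, 10.254.0.0/16 and 10.253.0.0/16, which collide with nothing in the list.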
Peering is not the only way to connect services; AWS PrivateLink and other connectivity options each come with different trade-offs. To find out which IP address ranges are already in use across your environments, and to determine the best network design for your use case, get a SkySiege Cloud Assessment with included consultation:
SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.