VPCs should not use the range `172.17.0.0/16`, as some AWS services use it when they are configured in your network.
AWS is deeply integrated into the virtual private cloud (VPC) networks it provides to customers. Because IPv4 address space is limited, AWS sets aside a specific address range for its own services to use, so that customers can keep their own networks clear of it. This range is `172.17.0.0/16`, which Cloud9 and SageMaker use to provision privately networked resources in your VPC. Using this range as part of your normal VPC ranges can block certain AWS services from connecting and operating correctly, or can lead to address conflicts and unreliable connections.
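As an added example (not SkySiege's or AWS's own code), the check below finds which VPCs in an account have a CIDR block overlapping `172.17.0.0/16`. It works on the response structure of the EC2 DescribeVpcs and DescribeSubnets APIs (what boto3's `describe_vpcs()` and `describe_subnets()` return), so it runs offline here against constructed sample responses; to use it live, pass in the real responses. It goes slightly beyond the text above: it separates a conflicting primary CIDR, which cannot be changed on an existing VPC, from a secondary CIDR association, which can be disassociated once its subnets are removed, and it estimates how many addresses in the range are actually in use, since that is what sizes the migration effort.

```python
"""Find VPC CIDR blocks that overlap the 172.17.0.0/16 range used by Cloud9
and SageMaker.  Added example, not SkySiege's or AWS's own code."""
import ipaddress

# Range the page says Cloud9 and SageMaker use inside your VPC.
RESERVED_RANGE = ipaddress.ip_network("172.17.0.0/16")

# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def find_conflicts(describe_vpcs_response, reserved=RESERVED_RANGE):
    """Return one dict per VPC CIDR block that overlaps `reserved`.

    Input has the shape of EC2 DescribeVpcs (boto3 ec2.describe_vpcs()).
    `Primary` is True when the offending block is the VPC's primary CIDR,
    which cannot be changed on an existing VPC; a secondary association
    can be disassociated once no subnet uses it.  Associations that are
    not in state 'associated' are skipped.
    """
    conflicts = []
    for vpc in describe_vpcs_response.get("Vpcs", []):
        primary = vpc["CidrBlock"]
        # A minimal response may lack the association set; the primary
        # CIDR is then the only block to check.
        associations = vpc.get("CidrBlockAssociationSet") or [{"CidrBlock": primary}]
        for assoc in associations:
            state = assoc.get("CidrBlockState", {}).get("State", "associated")
            if state != "associated":
                continue
            block = ipaddress.ip_network(assoc["CidrBlock"], strict=False)
            if block.overlaps(reserved):  # catches sub- and supernets alike
                conflicts.append({
                    "VpcId": vpc["VpcId"],
                    "CidrBlock": str(block),
                    "Primary": assoc["CidrBlock"] == primary,
                })
    return conflicts


def subnets_in_range(describe_subnets_response, reserved=RESERVED_RANGE):
    """Return subnets inside `reserved` with an estimate of addresses in use.

    Input has the shape of EC2 DescribeSubnets.  `InUse` is the usable size
    of the subnet minus AWS's AvailableIpAddressCount; a subnet with
    InUse == 0 can be deleted straight away, which is what makes a mostly
    empty network cheap to migrate.
    """
    used = []
    for subnet in describe_subnets_response.get("Subnets", []):
        block = ipaddress.ip_network(subnet["CidrBlock"], strict=False)
        if not block.overlaps(reserved):
            continue
        usable = block.num_addresses - AWS_RESERVED_PER_SUBNET
        used.append({
            "SubnetId": subnet["SubnetId"],
            "VpcId": subnet["VpcId"],
            "CidrBlock": str(block),
            "InUse": usable - subnet.get("AvailableIpAddressCount", usable),
        })
    return used


# Constructed sample responses (IDs and ranges are made up for illustration).
SAMPLE_VPCS = {
    "Vpcs": [
        {   # primary CIDR is the reserved range itself: needs a new VPC
            "VpcId": "vpc-0aaa111", "CidrBlock": "172.17.0.0/16",
            "CidrBlockAssociationSet": [
                {"CidrBlock": "172.17.0.0/16", "CidrBlockState": {"State": "associated"}},
                {"CidrBlock": "10.50.0.0/16", "CidrBlockState": {"State": "associated"}},
            ],
        },
        {   # clean primary, but a secondary /20 overlaps: fixable in place
            "VpcId": "vpc-0bbb222", "CidrBlock": "10.0.0.0/16",
            "CidrBlockAssociationSet": [
                {"CidrBlock": "10.0.0.0/16", "CidrBlockState": {"State": "associated"}},
                {"CidrBlock": "172.17.64.0/20", "CidrBlockState": {"State": "associated"}},
                {"CidrBlock": "172.17.128.0/20", "CidrBlockState": {"State": "disassociated"}},
            ],
        },
        {   # adjacent but non-overlapping range: no conflict
            "VpcId": "vpc-0ccc333", "CidrBlock": "172.18.0.0/16",
            "CidrBlockAssociationSet": [
                {"CidrBlock": "172.18.0.0/16", "CidrBlockState": {"State": "associated"}},
            ],
        },
    ]
}

SAMPLE_SUBNETS = {
    "Subnets": [
        {"SubnetId": "subnet-01", "VpcId": "vpc-0aaa111", "CidrBlock": "172.17.1.0/24", "AvailableIpAddressCount": 200},
        {"SubnetId": "subnet-02", "VpcId": "vpc-0aaa111", "CidrBlock": "10.50.1.0/24", "AvailableIpAddressCount": 251},
        {"SubnetId": "subnet-03", "VpcId": "vpc-0bbb222", "CidrBlock": "172.17.64.0/24", "AvailableIpAddressCount": 251},
        {"SubnetId": "subnet-04", "VpcId": "vpc-0bbb222", "CidrBlock": "10.0.1.0/24", "AvailableIpAddressCount": 100},
    ]
}


if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_VPCS):
        kind = "PRIMARY (new VPC required)" if c["Primary"] else "secondary (disassociate after draining)"
        print(f"{c['VpcId']}: {c['CidrBlock']} overlaps {RESERVED_RANGE} as {kind}")
    for s in subnets_in_range(SAMPLE_SUBNETS):
        print(f"  {s['VpcId']} {s['SubnetId']} {s['CidrBlock']}: {s['InUse']} addresses in use")
```

The `overlaps()` check is deliberately symmetric, so a VPC whose block merely touches part of `172.17.0.0/16` is reported as well as one that equals it.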
Migrating away from the `172.17.0.0/16` range can involve a significant engineering effort, depending on the number of resources currently allocated within your VPC, how much of the range is in use, and the service level agreements (SLAs) in place for the services provisioned in that range. As a VPC can use multiple CIDR ranges, you do not necessarily have to destroy the VPC to make changes; however, the migration effort will vary with the complexity and scale of your infrastructure.
For mostly empty networks, it may be relatively straightforward to add an additional CIDR range, create new subnets, and eventually phase out the old ones. Nevertheless, the extent of the effort depends on your infrastructure and your SLA requirements, and in some cases it can amount to a full migration. To determine the impact on your services and the best course of action, and to discover which of your networks may be using this range, get a SkySiege Cloud Assessment with included consultation to gain the clarity and visibility you need:
SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.