
How can AWS use a public IPv4 address range for a VPC and assign them as private IP addresses to its resources like EC2s?

We all know that there are reserved IP CIDR ranges from the entire pool of IPv4 addresses, which is 2^32 (0.0.0.0 to 255.255.255.255), and that range includes 10.0.0.0/8 (10.0.0.0 - 10.255.255.255), 172.16.0.0/12 (172.16.0.0 - 172.31.255.255) and 192.168.0.0/16 (192.168.0.0 - 192.168.255.255).

So if any organization were to set up its LAN (intranet), it can only use one of the above three.

But when it comes to AWS or any cloud provider, it seems they allow you to create a VPC using a public IPv4 CIDR range, which means any instance created in a private/public subnet in that VPC can default to a private IP address that can still actually be a publicly routable address outside of the above reserved private pool.

As stated under https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html: "We refer to private IP addresses as the IP addresses that are within the IPv4 CIDR range of the VPC. Most VPC IP address ranges fall within the private (non-publicly routable) IP address ranges specified in RFC 1918; however, you can use publicly routable CIDR blocks for your VPC. Regardless of the IP address range of your VPC, we do not support direct access to the Internet from your VPC's CIDR block, including a publicly-routable CIDR block." So my question is, how does AWS do this? I know DHCP/routing etc. have their own mechanisms, but how is it allowed to even choose a global public IPv4 address (WAN address pool) as a private address inside its VPC? How does IETF/IANA allow that? Also, if I were to set up my private home network, why can't I then choose for my LAN those public IPv4 address ranges as opposed to 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16?

I do understand that choosing public IPs has its own risks, since if they conflict with actual ones on the Internet I won't be able to browse those public sites from my private network. But then how does AWS manage this? Is it that it gives it the acronym as private IP, and so if the same corresponding public IP is hit it will still resolve it as public and render you the site (I mean directly hitting the site's public IP), or will it not see that it's my own private IP and resolve it through its own private DNS?

In case you choose a global public IPv4 address (outside of the reserved pool) as your EC2 private address, the route tables for the subnet where the EC2 resides will decide how to resolve it, and in that case the order of precedence would be how the route tables are set up. So usually it's like: Destination: (your VPC CIDR), Target: local

So the moment you hit that private IP from your network, the route table will see it's a local VPC IP and resolve it to that EC2's private DNS, so you won't be able to resolve that to the actual global IP.

I know the question is getting dated but...

As the docs say, AWS won't advertise these routes (unlike BYOIP, where they do advertise those routes), so AWS can't route to them.

The VPC FAQ explains you have to route to them over a site-to-site VPN or Direct Connect.

So you'll have to advertise these CIDRs from your data center, and do the routing to these over the VPN to the VPC.

I don't know if a NAT gateway would work or not for outgoing.
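An added example, not code from the question or either answer: a minimal longest-prefix-match lookup over route tables of the "Destination / Target" form the answers describe, showing why the VPC's local route shadows the real Internet owners of a public CIDR, and why the data center only reaches that CIDR through a route it installs itself. The CIDR (an RFC 5737 documentation range), the gateway names and the on-premises table are all constructed.

```python
# Added example (not from the question or answers): longest-prefix-match
# route lookup, the rule that decides where a packet goes when a VPC is
# built on a publicly routable CIDR instead of an RFC 1918 range.
import ipaddress

# Constructed sample: 203.0.113.0/24 (RFC 5737 documentation range) stands
# in for a publicly routable block that was chosen as the VPC CIDR.
VPC_CIDR = "203.0.113.0/24"

# Route tables as (destination CIDR, target) pairs, modelled on the
# "Destination / Target" rows in the VPC console. Target names are placeholders.
VPC_ROUTE_TABLE = [
    ("0.0.0.0/0", "igw-EXAMPLE"),  # default route to the Internet gateway
    (VPC_CIDR, "local"),           # the implicit local route every VPC route table has
]

# Hypothetical on-premises router: the data center installs a route for the
# VPC's CIDR pointing at the site-to-site VPN tunnel (the second answer's point).
ONPREM_ROUTE_TABLE = [
    ("0.0.0.0/0", "isp-uplink"),
    (VPC_CIDR, "vpn-tunnel"),
]

def lookup(route_table, dst):
    """Return the target of the most specific route that contains dst.

    Longest-prefix match: a /24 beats 0.0.0.0/0 for any address inside it, so
    the VPC's own CIDR wins even though it overlaps the public Internet.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def is_shadowed(vpc_cidr, dst):
    """True when dst is an Internet host that the VPC can no longer reach,
    because the same address falls inside its own (public) CIDR."""
    return ipaddress.ip_address(dst) in ipaddress.ip_network(vpc_cidr)

if __name__ == "__main__":
    # From inside the VPC, 203.0.113.10 is "local"; it never reaches the IGW.
    print(lookup(VPC_ROUTE_TABLE, "203.0.113.10"))    # local
    print(lookup(VPC_ROUTE_TABLE, "198.51.100.7"))    # igw-EXAMPLE
    # From the data center, the same address rides the VPN, not the ISP uplink.
    print(lookup(ONPREM_ROUTE_TABLE, "203.0.113.10"))  # vpn-tunnel
    print(is_shadowed(VPC_CIDR, "203.0.113.10"))       # True
```

Swapping VPC_CIDR for an RFC 1918 block makes is_shadowed() false for every real Internet address, which is the whole reason the private ranges exist.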
