I need to install a Direct Connect private gateway in account A which provides access to on-premises resources. There are multiple (20+) VPCs in different accounts (B, C, D, ...) which require access to the on-premises resources. The VPCs have overlapping CIDRs. Accounts B, C, D etc only need to connect to account A; they should not be connected with each other.
My thinking about how I could do this involves the following:
- Peering of VPCs is out because of the overlapping CIDR issue.
- Use PrivateLink to connect accounts B, C, D to account A, using an endpoint service in account A, fronting a NLB.
At this point, I should be able to have the VPCs in accounts B, C, D be able to access resources inside the VPC in account A, provided that the NLB targets those resources.
For the Direct Connect side, I can't use a Direct Connect Gateway to connect to the VPCs in the other accounts because because there is a limit on the number of accounts that a DCG will support and in any case, it doesn't support overlapping CIDRs. I can use a private virtual gateway to connect to Direct Connect VIFs, which will link the VPC in account A to the on-premises resources.
I now would need to somehow point the NLB to the DC private virtual gateway. How can I do this? Do I need to set up servers in the VPC of account A, make them targets of the NLB and have them act as some form of NAT to the virtual private gateway of the Direct Connect connection? What would this look like?
Is this even the right way to go about doing this? Are there other ways of doing this which do not involve creating multiple Direct Connect connections from accounts B, C, D directly to the on-premises resources?
