DEV Community: Nate Goodman The latest articles on DEV Community by Nate Goodman (@nategoodman88). https://dev.to/nategoodman88 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1253788%2F2a5c8201-a225-42f5-8a42-dbcb61d82c86.jpg DEV Community: Nate Goodman https://dev.to/nategoodman88 en Overcoming Overlapping Subnets: Syncing RDS Across AWS Orgs with PrivateLink Nate Goodman Fri, 06 Mar 2026 15:42:29 +0000 https://dev.to/nategoodman88/overcoming-overlapping-subnets-syncing-rds-across-aws-orgs-with-privatelink-19o https://dev.to/nategoodman88/overcoming-overlapping-subnets-syncing-rds-across-aws-orgs-with-privatelink-19o <p>When we were tasked with an application rebuild, a unique networking challenge came to light: we needed to sync an existing legacy MySQL database (in our general AWS organization) to a new Postgres database (in a client-specific organization).</p> <p><strong>The Challenge</strong></p> <p>Cross-organization communication usually suggests VPC Peering. However, we hit a major roadblock: the separate VPCs were using the same CIDR blocks. Since VPC peering does not support overlapping subnets, it was out of the question. There was of course the option to <em>change</em> subnets, but with existing infrastructure, this was a volatile option that would lead to resource destruction and rebuilding, increasing the time of the task.</p> <p>After researching ways to tunnel traffic without merging address spaces, I landed on AWS PrivateLink. It was the perfect solution—it provides private connectivity between VPCs even with IP conflicts and integrates seamlessly into Infrastructure as Code (in this case, Terraform).</p> <p><strong>The "Provider" Side (Legacy Application)</strong></p> <p>On the legacy side, we need to expose the RDS instance's IP. Since RDS doesn't have a static IP, we grab the Network Interface (ENI) to dynamically target the IP with a Network Load Balancer (NLB). </p> <p><em>Note: in the below code, the client name has been redacted from resource names.</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># Grab the network interface for the RDS</span> <span class="k">data</span> <span class="s2">"aws_network_interfaces"</span> <span class="s2">"rds_eni"</span> <span class="p">{</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"description"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"RDSNetworkInterface"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"vpc-id"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="k">module</span><span class="p">.</span><span class="nx">production</span><span class="p">.</span><span class="nx">virtual_network</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Pull that interface to get the current private IP of the RDS instance</span> <span class="k">data</span> <span class="s2">"aws_network_interface"</span> <span class="s2">"rds_specific_eni"</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_network_interfaces</span><span class="p">.</span><span class="nx">rds_eni</span><span class="p">.</span><span class="nx">ids</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># Create a target group for the RDS instance </span> <span class="k">resource</span> <span class="s2">"aws_lb_target_group"</span> <span class="s2">"rds_target"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"rds-privatelink-target"</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">3306</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"TCP"</span> <span class="nx">target_type</span> <span class="p">=</span> <span class="s2">"ip"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">production</span><span class="p">.</span><span class="nx">virtual_network</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_lb_target_group_attachment"</span> <span class="s2">"rds_attachment"</span> <span class="p">{</span> <span class="nx">target_group_arn</span> <span class="p">=</span> <span class="nx">aws_lb_target_group</span><span class="p">.</span><span class="nx">rds_target</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">target_id</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_network_interface</span><span class="p">.</span><span class="nx">rds_specific_eni</span><span class="p">.</span><span class="nx">private_ip</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">3306</span> <span class="p">}</span> <span class="c1"># The NLB acts as the entry point for PrivateLink</span> <span class="k">resource</span> <span class="s2">"aws_lb"</span> <span class="s2">"rds_nlb"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"rds-provider-nlb"</span> <span class="nx">internal</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">load_balancer_type</span> <span class="p">=</span> <span class="s2">"network"</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="p">[</span> <span class="k">module</span><span class="p">.</span><span class="nx">production</span><span class="p">.</span><span class="nx">private1_subnet</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="k">module</span><span class="p">.</span><span class="nx">production</span><span class="p">.</span><span class="nx">private2_subnet</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="k">module</span><span class="p">.</span><span class="nx">production</span><span class="p">.</span><span class="nx">private3_subnet</span><span class="p">.</span><span class="nx">id</span> <span class="p">]</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_lb_listener"</span> <span class="s2">"rds_listener"</span> <span class="p">{</span> <span class="nx">load_balancer_arn</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">rds_nlb</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">3306</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"TCP"</span> <span class="nx">default_action</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"forward"</span> <span class="nx">target_group_arn</span> <span class="p">=</span> <span class="nx">aws_lb_target_group</span><span class="p">.</span><span class="nx">rds_target</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># The actual Endpoint Service that the other Org will connect to</span> <span class="k">resource</span> <span class="s2">"aws_vpc_endpoint_service"</span> <span class="s2">"rds_service"</span> <span class="p">{</span> <span class="nx">acceptance_required</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">network_load_balancer_arns</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_lb</span><span class="p">.</span><span class="nx">rds_nlb</span><span class="p">.</span><span class="nx">arn</span><span class="p">]</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"rds_endpoint_service_name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_vpc_endpoint_service</span><span class="p">.</span><span class="nx">rds_service</span><span class="p">.</span><span class="nx">service_name</span> <span class="p">}</span> <span class="c1"># Security: Allow the NLB to perform health checks on the RDS instance</span> <span class="k">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"allow_nlb_health_checks"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">3306</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">3306</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">rds_security_group_id</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span> <span class="k">module</span><span class="p">.</span><span class="nx">production</span><span class="p">.</span><span class="nx">private1_subnet</span><span class="p">.</span><span class="nx">cidr_block</span><span class="p">,</span> <span class="k">module</span><span class="p">.</span><span class="nx">production</span><span class="p">.</span><span class="nx">private2_subnet</span><span class="p">.</span><span class="nx">cidr_block</span><span class="p">,</span> <span class="k">module</span><span class="p">.</span><span class="nx">production</span><span class="p">.</span><span class="nx">private3_subnet</span><span class="p">.</span><span class="nx">cidr_block</span> <span class="p">]</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow NLB Health Checks for PrivateLink tunnel"</span> <span class="p">}</span> </code></pre> </div> <p><strong>The "Consumer" Side (Rebuild Application)</strong></p> <p>On the new application side, we create the VPC Endpoint. This creates a local IP address in the new VPC that "tunnels" traffic back to the legacy database.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># Create the security group for the local endpoint</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"legacy_rds_proxy_endpoint_sg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"legacy-db-proxy-endpoint-sg"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allows the app to talk to the PrivateLink Endpoint"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">production</span><span class="p">.</span><span class="nx">virtual_network</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">3306</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">3306</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="c1"># Allow traffic from your application security group</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="k">module</span><span class="p">.</span><span class="nx">production</span><span class="p">.</span><span class="nx">app_security_group</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Create the link to the service in the other organization</span> <span class="k">resource</span> <span class="s2">"aws_vpc_endpoint"</span> <span class="s2">"legacy_db_link"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">unified</span><span class="p">.</span><span class="nx">virtual_network</span><span class="p">.</span><span class="nx">id</span> <span class="nx">service_name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">legacy_db_service_name</span> <span class="c1"># The output from the previous step</span> <span class="nx">vpc_endpoint_type</span> <span class="p">=</span> <span class="s2">"Interface"</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">legacy_rds_proxy_endpoint_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="k">module</span><span class="p">.</span><span class="nx">production</span><span class="p">.</span><span class="nx">private1_subnet</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="k">module</span><span class="p">.</span><span class="nx">production</span><span class="p">.</span><span class="nx">private2_subnet</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">private_dns_enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"legacy_db_connect_string"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_vpc_endpoint</span><span class="p">.</span><span class="nx">legacy_db_link</span><span class="p">.</span><span class="nx">dns_entry</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">dns_name</span> <span class="p">}</span> </code></pre> </div> <p><strong>Conclusion</strong></p> <p>By using PrivateLink, we bypassed the subnet overlap issue entirely. The new application simply sees a local DNS name that behaves like a database within its own network, while AWS handles the heavy lifting of routing that traffic across organization boundaries securely.</p> devops aws