
Manage overlapping IPs


Virtual networks allow you to connect private networks that have overlapping IP ranges without creating conflicts for users or services. For example, an organization may want to expose two distinct virtual private cloud (VPC) networks which they consider to be “production” and “staging”. However, if the two private networks happened to receive the same RFC 1918 IP assignment, there may be two different resources with the same IP address. By creating two separate virtual networks, one for each private network (such as staging and production), you can deterministically route traffic to the duplicated private addresses. These virtual networks will appear as user-selectable options within the WARP client GUI.

Example

This example illustrates best practices for managing overlapping subnets. For this example, assume that you are connecting two different private networks: a production VPC that uses the space holistically and a staging VPC that uses the space. These networks are served by Tunnel-A and Tunnel-B respectively.

The following table shows the default configuration without a virtual network assigned:

Routes in Tunnel-A | Virtual network
Routes in Tunnel-B | Virtual network

In the above configuration, all user traffic to takes the most specific path and routes to the staging VPC (Tunnel-B). All other traffic routes to the production VPC (Tunnel-A). Users would not be able to reach the subnet for the network served by Tunnel-A.

To solve this problem, add a route to Tunnel-A and assign it the production virtual network. Next, assign the staging virtual network to in Tunnel-B.

Routes in Tunnel-A | Virtual network
Routes in Tunnel-B | Virtual network

The user can now toggle between the two virtual networks in their WARP client, similar to the concept of switching VPN profiles in a VPN client. When a user selects production, they can connect to the entire range served by Tunnel-A. When they select staging, they can connect to all of in Tunnel-A except for, which will be served by Tunnel-B.
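The routing behaviour described in this example can be checked with a small model. The following is an added illustration, not Cloudflare code: the CIDR ranges are constructed, and `resolve` and `shadowed` are hypothetical helpers that assume a route with no virtual network assigned stays eligible for every selection, as the description above implies.

```python
import ipaddress

# Constructed ranges for illustration only (not taken from this page).
BROAD = "10.0.0.0/8"     # hypothetical production VPC range
NARROW = "10.0.5.0/24"   # hypothetical overlapping staging range

# (cidr, tunnel, virtual network); None means no virtual network assigned.
BEFORE = [(BROAD, "Tunnel-A", None), (NARROW, "Tunnel-B", None)]
AFTER = [
    (BROAD, "Tunnel-A", None),
    (NARROW, "Tunnel-A", "production"),
    (NARROW, "Tunnel-B", "staging"),
]

def resolve(dest, routes, selected=None):
    """Return the tunnel that serves dest for the selected virtual network.

    Modelling assumption: a route is eligible if it has no virtual network
    or its virtual network is the selected one. The longest prefix wins; on
    a tie, a route in the selected network beats an unassigned route.
    """
    ip = ipaddress.ip_address(dest)
    best = None
    for cidr, tunnel, vnet in routes:
        net = ipaddress.ip_network(cidr)
        if ip not in net or vnet not in (None, selected):
            continue
        key = (net.prefixlen, vnet is not None)
        if best is None or key > best[0]:
            best = (key, tunnel)
    return best[1] if best else None

def shadowed(routes):
    """Return (broad, narrow) pairs where a more specific route in the same
    virtual network, on a different tunnel, hides part of a broader route."""
    found = []
    for c1, t1, v1 in routes:
        for c2, t2, v2 in routes:
            n1, n2 = ipaddress.ip_network(c1), ipaddress.ip_network(c2)
            if v1 == v2 and t1 != t2 and n1 != n2 and n2.subnet_of(n1):
                found.append((c1, c2))
    return found

if __name__ == "__main__":
    print("shadowed before:", shadowed(BEFORE))
    for choice in ("production", "staging"):
        print(choice, "->", resolve("10.0.5.10", AFTER, choice))
```

Running `shadowed` over an exported route list is a quick audit for ranges that have become unreachable behind a more specific route on another tunnel.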

Set up virtual networks

For setup instructions, refer to Create a virtual network.