This document explains the conditions under which overlapping external subnets can be included in a security policy scope and the precedence rules governing their application.

Notes

  • The highest precedence security policy takes effect when multiple policies overlap.

  • Subnets not allocated to an existing policy can be assigned to another security policy under the same account.

  • Public IP addresses or subnets cannot overlap between organizations.

  • Notifications are generated when an attempt is made to add an already registered public IP address or subnet.

When defining the scope of a security policy for an external network protected by a DNS firewall, overlapping subnets that contain IP addresses, hosts, or subnets defined in other security policies within the organization can be included. The precedence of security policies determines which policy takes effect, ensuring that the policy with the highest precedence is applied to the respective IP addresses, hosts, or subnets. Additionally, subnets that are not already assigned to any existing security policy within the organization can be added to a different security policy under the same account.

If a public IP address or subnet is mistakenly added to an organization's security policy and has already been registered by another organization, the system prevents its addition. In this case, the organization attempting to add the IP address or subnet receives a notification, as overlapping public IP addresses or subnets between organizations are not permitted.
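The two rules described above (overlap within an organization is allowed and resolved by policy precedence; overlap between organizations is rejected with a notification) can be modelled in a few lines. The following Python is an added example written for this page; it is not code from the original document or from any DNS firewall product. It assumes that the policy with the highest numeric precedence value wins, that precedence values are unique within an organization, and it uses constructed organization names, policy names and TEST-NET address ranges for the sample data.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SecurityPolicy:
    """Constructed model of a security policy: a precedence value and the
    external networks in its scope (assumption: higher value = higher precedence)."""
    name: str
    organization: str
    precedence: int
    scope: list = field(default_factory=list)  # ipaddress network objects


class ScopeRegistry:
    """Tracks which organization has registered which public IP/subnet and
    resolves the effective policy for an address within one organization."""

    def __init__(self) -> None:
        self.policies: Dict[str, SecurityPolicy] = {}
        self.notifications: List[str] = []

    def register_policy(self, policy: SecurityPolicy) -> None:
        self.policies[policy.name] = policy

    def add_scope(self, policy_name: str, cidr: str) -> bool:
        """Add a subnet to a policy's scope. Overlap with a subnet already
        registered by a different organization is rejected and the requesting
        organization is notified; overlap within the same organization is allowed."""
        policy = self.policies[policy_name]
        net = ipaddress.ip_network(cidr, strict=False)
        for other in self.policies.values():
            if other.organization == policy.organization:
                continue  # same-organization overlap is permitted
            if any(net.overlaps(existing) for existing in other.scope):
                self.notifications.append(
                    f"{policy.organization}: {cidr} overlaps a public IP/subnet "
                    f"already registered by another organization; not added"
                )
                return False
        policy.scope.append(net)
        return True

    def effective_policy(self, organization: str, ip: str) -> Optional[str]:
        """Among this organization's policies whose scope contains `ip`,
        the one with the highest precedence takes effect."""
        addr = ipaddress.ip_address(ip)
        candidates = [
            p for p in self.policies.values()
            if p.organization == organization and any(addr in n for n in p.scope)
        ]
        if not candidates:
            return None
        return max(candidates, key=lambda p: p.precedence).name


def build_demo() -> ScopeRegistry:
    """Constructed sample data: two organizations, overlapping scopes in one of them."""
    reg = ScopeRegistry()
    reg.register_policy(SecurityPolicy("a-default", "org-a", precedence=10))
    reg.register_policy(SecurityPolicy("a-strict", "org-a", precedence=20))
    reg.register_policy(SecurityPolicy("b-default", "org-b", precedence=10))

    reg.add_scope("a-default", "203.0.113.0/24")   # whole TEST-NET-3 range
    reg.add_scope("a-strict", "203.0.113.0/28")    # overlaps within org-a: allowed
    reg.add_scope("b-default", "203.0.113.64/26")  # overlaps org-a's range: rejected
    reg.add_scope("b-default", "198.51.100.0/24")  # no cross-organization overlap
    return reg


if __name__ == "__main__":
    reg = build_demo()
    print(reg.effective_policy("org-a", "203.0.113.5"))    # a-strict (precedence 20)
    print(reg.effective_policy("org-a", "203.0.113.200"))  # a-default (only match)
    print(reg.effective_policy("org-b", "198.51.100.1"))   # b-default
    for note in reg.notifications:
        print("notification:", note)
```

The cross-organization check runs before the subnet is stored, so a rejected request leaves the registry unchanged and only produces the notification; the precedence lookup is done per address, which is what makes an overlapping narrower subnet with a higher-precedence policy win only for the addresses it actually covers.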

For more information on network scope, see Configuring Network Scopes.

...