September 23, 2022

Understanding Managed Prefix List Mode for Connected VPC in VMC on AWS

VMC on AWS added the capability to configure Managed Prefix List Mode for the Connected VPC. In this mode, VMC publishes the SDDC's networks as an AWS-managed prefix list that the customer can reference in AWS VPC security groups and/or in custom AWS route tables. This simplifies operations when resources in the Connected VPC need to reach resources in the associated SDDC, because the prefix list is kept current by VMC rather than by hand-maintained CIDR entries. Managed Prefix List Mode can be configured in the VMC Console under Networking & Security -> Connected VPC, in NSX Manager under Networking -> Connected VPC, or via the API.

General Considerations

  • SDDC must be version 1.18 or higher
  • The SDDC's Management CIDR, the default CGW prefixes and any user-created route aggregations are populated in the managed prefix list
  • VMC automatically programs the prefix list into the Connected VPC's main route table
  • The customer owns the responsibility of programming the prefix list into custom route tables and/or security groups
  • The customer owns the responsibility of ensuring the AWS route tables are sized to accommodate the managed prefix list
  • The customer owns the responsibility of ensuring the AWS security groups are sized to accommodate the managed prefix list

Documentation Reference

Route Aggregation

Multiple CGWs

Last Updated

September 2022

Considerations

The managed prefix list feature expands how AWS resources in the Connected VPC can use SDDC resources, because VMC automatically maintains the list of SDDC networks that custom route tables reference. Additionally, AWS VPC security policy can be simplified by referencing the managed prefix list in security groups, so that as networks are added to or removed from the SDDC, the security group rules follow automatically without manual edits.

When using a managed prefix list, it is important to ensure the AWS route tables and/or security groups are sized appropriately to accommodate the prefix list size. Route aggregation can be configured to reduce the number of prefixes and therefore the size of the prefix list. The AWS route table and security group display the managed prefix list as a single entry, but every network in the prefix list consumes an entry against the route table or security group quota, so a list of twenty prefixes costs twenty routes or twenty rules. If the VPC main route table is already full, enabling Managed Prefix List Mode will still report success, but not all of the entries will be programmed in the Connected VPC's main route table and some SDDC networks will be unreachable; check the remaining headroom against the account's AWS quotas before enabling the mode and after adding aggregations.
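The sizing responsibility in the General Considerations list and the quota caveat above are easy to get wrong because the console shows one row for the whole list. The following Python (boto3-style) script is an added example, not VMware's or AWS's own code: it counts the entries already consumed in a custom route table and a security group (treating every referenced prefix list as its MaxEntries, which is what AWS charges against the quota), reports whether the VMC prefix list still fits, reads the NSX Edge ENI that VMC used as next hop in the main route table, and only then programs the route and rule. The prefix list, route table, ENI and security group identifiers and the describe_* responses are constructed sample data; the quota values are the AWS defaults and should be replaced with the account's values from Service Quotas.

```python
"""Pre-flight sizing check before programming a VMC-managed prefix list into a
custom route table and a security group. Added example; identifiers and sample
API responses below are constructed, not taken from a real account."""
from dataclasses import dataclass

DEFAULT_ROUTES_PER_TABLE = 50   # AWS quota "Routes per route table" (non-propagated)
DEFAULT_RULES_PER_SG = 60       # AWS quota "Inbound or outbound rules per security group"


@dataclass(frozen=True)
class Capacity:
    """Entries already consumed, entries the prefix list will add, and the quota."""
    resource_id: str
    used: int
    needed: int
    quota: int

    @property
    def fits(self) -> bool:
        return self.used + self.needed <= self.quota


def route_table_capacity(route_table, pl_id, max_entries, quota=DEFAULT_ROUTES_PER_TABLE):
    """max_entries maps PrefixListId -> MaxEntries (from describe_managed_prefix_lists).
    The console shows one row per prefix list, but AWS charges MaxEntries routes for it."""
    used, already = 0, False
    for route in route_table.get("Routes", []):
        if route.get("Origin") == "EnableVgwRoutePropagation":
            continue                      # propagated routes have a separate quota
        ref = route.get("DestinationPrefixListId")
        if ref:
            used += max_entries[ref]
            already = already or ref == pl_id
        else:
            used += 1
    needed = 0 if already else max_entries[pl_id]
    return Capacity(route_table["RouteTableId"], used, needed, quota)


def security_group_capacity(sg, pl_id, max_entries, direction="ingress", quota=DEFAULT_RULES_PER_SG):
    """Every CIDR, SG reference and prefix list inside an IpPermission is one rule;
    a prefix list reference counts as its MaxEntries rules."""
    key = "IpPermissions" if direction == "ingress" else "IpPermissionsEgress"
    used, already = 0, False
    for perm in sg.get(key, []):
        used += len(perm.get("IpRanges", [])) + len(perm.get("Ipv6Ranges", []))
        used += len(perm.get("UserIdGroupPairs", []))
        for ref in perm.get("PrefixListIds", []):
            used += max_entries[ref["PrefixListId"]]
            already = already or ref["PrefixListId"] == pl_id
    needed = 0 if already else max_entries[pl_id]
    return Capacity(sg["GroupId"], used, needed, quota)


def edge_eni_from_main_route_table(main_rt, pl_id):
    """The NSX Edge ENI that VMC programmed as next hop in the main route table;
    a custom route table should point the same prefix list at the same ENI."""
    for route in main_rt.get("Routes", []):
        if route.get("DestinationPrefixListId") == pl_id and route.get("NetworkInterfaceId"):
            return route["NetworkInterfaceId"]
    return None


def program(ec2, rt_id, sg_id, pl_id, eni_id):
    """Add the route and the inbound rule; call only after both Capacity checks fit
    (ec2 is a boto3 EC2 client; not exercised by the sample run below)."""
    ec2.create_route(RouteTableId=rt_id, DestinationPrefixListId=pl_id, NetworkInterfaceId=eni_id)
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=[{
        "IpProtocol": "-1",
        "PrefixListIds": [{"PrefixListId": pl_id, "Description": "VMC SDDC networks"}],
    }])


# Constructed sample data shaped like describe_route_tables / describe_security_groups output.
VMC_PL = "pl-0a1b2c3d4e5f67890"          # placeholder for the VMC-managed prefix list
SAMPLE_MAX_ENTRIES = {VMC_PL: 20, "pl-0ffffffffffffffff": 5}
SAMPLE_MAIN_RT = {"RouteTableId": "rtb-main0000000000", "Routes": [
    {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "Origin": "CreateRouteTable"},
    {"DestinationPrefixListId": VMC_PL, "NetworkInterfaceId": "eni-0edge00000000000", "Origin": "CreateRoute"},
]}
SAMPLE_CUSTOM_RT = {"RouteTableId": "rtb-custom000000000", "Routes":
    [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "Origin": "CreateRouteTable"}]
    + [{"DestinationCidrBlock": f"10.{i}.0.0/16", "GatewayId": "tgw-0abc", "Origin": "CreateRoute"} for i in range(33)]
    + [{"DestinationCidrBlock": f"192.168.{i}.0/24", "GatewayId": "vgw-0abc",
        "Origin": "EnableVgwRoutePropagation"} for i in range(40)]}
SAMPLE_SG = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
     "PrefixListIds": [{"PrefixListId": "pl-0ffffffffffffffff"}]},
]}


def run_sample(pl_id=VMC_PL):
    rt = route_table_capacity(SAMPLE_CUSTOM_RT, pl_id, SAMPLE_MAX_ENTRIES)
    sg = security_group_capacity(SAMPLE_SG, pl_id, SAMPLE_MAX_ENTRIES)
    return rt, sg, edge_eni_from_main_route_table(SAMPLE_MAIN_RT, pl_id)


if __name__ == "__main__":
    rt, sg, eni = run_sample()
    for c in (rt, sg):
        print(f"{c.resource_id}: used={c.used} needed={c.needed} quota={c.quota} fits={c.fits}")
    print("edge ENI:", eni)
```

In the sample the custom route table holds 34 non-propagated routes (the 40 VGW-propagated routes are skipped because they count against a separate quota), so adding a 20-entry prefix list would exceed the default 50-route quota and the check reports that it does not fit; the security group has headroom. Run the check with live describe_* responses, then raise the quota or add route aggregation in the SDDC before calling program().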

VMC on AWS automatically maintains the prefix list's next-hop association to the AWS Elastic Network Interfaces (ENIs) attached to the active NSX Edge(s), so the customer does not need to update route targets when an edge fails over. Because those ENIs are members of the Connected VPC's default security group, it is recommended to reference the managed prefix list in the default security group. When the SDDC Multi-Edge capability is in use, a separate managed prefix list is created for each Traffic Group. The image below shows an SDDC with Multi-Edge enabled and the associated prefix lists.

Managed Prefix Lists used on multiple edges

The Prefix List Name displayed in the VMC Console and/or NSX Manager UI is the same name shown in the AWS console, and any route tables or security groups configured to use the prefix list are listed alongside it, which simplifies operations. VMC on AWS also periodically validates the mapping between the prefix list and the NSX Edge ENI; if a route using the managed prefix list is found pointing at the wrong ENI, VMC on AWS corrects it.

Summary

The Managed Prefix List Mode capability in VMC on AWS opens additional ways for AWS resources to reach SDDC-based resources when custom route tables are in use. It also simplifies operations for customers when networks or route aggregations are added to or removed from an SDDC's networking configuration, provided the route tables and security groups that reference the prefix list have quota headroom for its full size.

