September 21, 2022

Understanding Route Filtering in VMC on AWS

Introduction

VMC on AWS added the ability to configure route filtering. This feature gives customers additional control over how their SDDC route tables are advertised to external entities, using egress filtering. When enabled, Route Filtering removes all networks connected to the Default CGW from the selected endpoint's route table. Route filtering can be configured independently for each endpoint and adds a layer of flexibility to SDDC networking. It is configured in NSX Manager under Networking -> Global Configuration -> Route Filtering, or via the API.

General Considerations

  • SDDC must be version 1.20 or higher
  • Route Filtering is not granular in that when enabled, every network connected to the Default CGW is no longer advertised to the selected endpoint
  • Route Filtering has no impact on customer created CGW networks and their advertisements
  • When Route Filtering is combined with Route Aggregation, the configured aggregation will continue to be advertised, even if the aggregation represents networks connected to the Default CGW
  • To enable Route Filtering for use on the SERVICES endpoint for the Connected VPC, Managed Prefix List Mode must be enabled.
  • The management CIDR will not be filtered when filtering is enabled

Documentation Reference

  • Summarize and Aggregate Routes
  • Multiple T1 Configuration
  • Route Filtering

Scalability: ConfigMax

Last Updated: September 2022


Considerations

Route filtering can be applied to two different endpoints in the SDDC. The first is the INTRANET interface which is where a Direct Connect and/or VMware Transit Connect attach to the SDDC. The second interface is the SERVICES interface which is where the Connected VPC attaches to the SDDC.

If specific networks must continue to be advertised while filtering is enabled, a route aggregation can be created. The aggregation is advertised to the filtered endpoint, so network reachability is maintained. The flowchart below illustrates how the combination of aggregation and filtering determines network reachability.

VMC on AWS Filtering Flowchart

Filtered routes will have the “Filtered” attribute displayed next to them in the NSX Manager UI as shown below. This attribute is local to the SDDC and not observed external to the SDDC.

VMC on AWS Filtering Attribute

Compute Gateway firewall policies must be configured to allow traffic into and out of the SDDC, independent of route filtering and aggregations configured.
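The following is an added model (not VMware code or the NSX API) that encodes the rules this article states: filtering removes Default CGW segments per endpoint, leaves customer-created CGW segments and the management CIDR alone, keeps aggregates advertised, requires Managed Prefix List Mode on SERVICES, and shows the local "Filtered" attribute versus what an endpoint actually receives. All CIDRs, gateway names and endpoint settings below are constructed samples.

```python
# Added model of the route-filtering rules stated in this article (not VMware
# code or the NSX API). All network values are constructed samples.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DEFAULT_CGW = "default-cgw"

@dataclass
class Segment:
    cidr: str
    gateway: str  # DEFAULT_CGW or the name of a customer-created CGW

@dataclass
class Sddc:
    management_cidr: str
    segments: list
    aggregations: dict  # endpoint -> list of aggregate prefixes
    filtering: dict     # endpoint -> bool, configured independently per endpoint
    managed_prefix_list_mode: bool = False

def route_table(sddc, endpoint):
    """Return {prefix: state} for one endpoint; state is 'advertised' or 'Filtered'."""
    filt = sddc.filtering.get(endpoint, False)
    if endpoint == "SERVICES" and filt and not sddc.managed_prefix_list_mode:
        raise ValueError("SERVICES filtering requires Managed Prefix List Mode")
    routes = {sddc.management_cidr: "advertised"}  # management CIDR is never filtered
    for seg in sddc.segments:
        # Only Default CGW segments are removed; customer-created CGW segments are untouched.
        routes[seg.cidr] = "Filtered" if filt and seg.gateway == DEFAULT_CGW else "advertised"
    for agg in sddc.aggregations.get(endpoint, []):
        routes[agg] = "advertised"  # aggregates survive filtering, even over Default CGW space
    return routes

def externally_visible(routes):
    """Prefixes the endpoint actually receives; 'Filtered' is a local NSX Manager attribute."""
    return sorted(p for p, state in routes.items() if state != "Filtered")

def reachable(routes, host):
    """Flowchart outcome: is the host covered by any prefix the endpoint receives?"""
    return any(ip_address(host) in ip_network(p) for p in externally_visible(routes))

def build_sample():
    """Constructed SDDC: INTRANET filtered with one aggregate, SERVICES unfiltered."""
    return Sddc(
        management_cidr="10.2.0.0/16",
        segments=[Segment("192.168.1.0/24", DEFAULT_CGW), Segment("192.168.2.0/24", DEFAULT_CGW),
                  Segment("172.16.5.0/24", "cgw-prod")],
        aggregations={"INTRANET": ["192.168.0.0/16"]},
        filtering={"INTRANET": True, "SERVICES": False},
    )
```

With the sample, INTRANET shows the two Default CGW segments as Filtered but a host in 192.168.1.0/24 stays reachable through the 192.168.0.0/16 aggregate, while SERVICES receives every segment because it is unfiltered.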

Summary

The route filtering feature is a powerful tool for the network administrator. The ability to control the external route tables for the SERVICES and INTRANET endpoints opens a new level of control. When combined with route aggregation, the ability to maintain selective network reachability while still controlling the size and contents of the external routing tables provides new design options for network administrators.

