Understanding Route Filtering in VMC on AWS
VMC on AWS added the ability to configure route filtering. This feature gives customers additional control over how their SDDC route tables are advertised to external entities through egress filtering. When enabled, route filtering removes all networks connected to the Default CGW from the selected endpoint's route table. Route filtering can be configured independently for each endpoint and adds a layer of flexibility to SDDC networking. It is configured on the NSX Manager -> Networking -> Global Configuration -> Route Filtering page or via the API.
Route filtering can be applied to two different endpoints in the SDDC. The first is the INTRANET interface, which is where a Direct Connect and/or VMware Transit Connect attaches to the SDDC. The second is the SERVICES interface, which is where the Connected VPC attaches to the SDDC.
If specific networks must continue to be advertised while filtering is enabled, a route aggregation can be created. The aggregation is advertised to the filtered endpoint, so network reachability is maintained. The flowchart below illustrates how the combination of aggregation and filtering affects network reachability.
Filtered routes have the "Filtered" attribute displayed next to them in the NSX Manager UI, as shown below. This attribute is local to the SDDC and is not observed outside the SDDC.
Compute Gateway firewall policies must be configured to allow traffic into and out of the SDDC, independent of route filtering and aggregations configured.
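The following is an added illustration, not VMC or NSX code, that models the behaviour described above: a per-endpoint filtering flag that strips every Default CGW-connected network from that endpoint's external route table, route aggregations that are advertised regardless of the flag, the "Filtered" attribute that only the SDDC itself sees, and the separate Compute Gateway firewall decision that reachability still depends on. The endpoint names, sample prefixes and the `firewall_allows` input are assumptions constructed for the example; the real configuration lives in NSX Manager or the API.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network

# Constructed sample of networks attached to the Default Compute Gateway.
CGW_NETWORKS = ["10.10.1.0/24", "10.10.2.0/24", "10.20.5.0/24"]


@dataclass
class Endpoint:
    """One SDDC egress endpoint (INTRANET or SERVICES) and its route filter settings."""
    name: str
    filtering_enabled: bool
    # Route aggregations advertised to this endpoint even when filtering is on.
    aggregations: list = field(default_factory=list)


def route_attributes(cgw_networks, endpoint):
    """Map each prefix to the attribute NSX Manager would show for this endpoint.

    'Filtered' is local to the SDDC: the prefix is still known internally but is
    removed from the endpoint's external route table.
    """
    attrs = {}
    for net in cgw_networks:
        prefix = ip_network(net)
        attrs[prefix] = "Filtered" if endpoint.filtering_enabled else "Advertised"
    for agg in endpoint.aggregations:
        # An aggregation is advertised to the endpoint independently of filtering.
        attrs[ip_network(agg)] = "Aggregation"
    return attrs


def external_route_table(cgw_networks, endpoint):
    """Prefixes actually advertised to the external entity behind this endpoint."""
    return sorted(
        prefix
        for prefix, attr in route_attributes(cgw_networks, endpoint).items()
        if attr != "Filtered"
    )


def reachable(cgw_networks, endpoint, destination, firewall_allows):
    """Reachability requires a covering advertised prefix AND a permitting CGW firewall rule.

    Filtering and aggregation only decide what the external route table contains;
    the Compute Gateway firewall is evaluated independently.
    """
    dst = ip_network(destination)
    covered = any(
        isinstance(p, IPv4Network) and dst.subnet_of(p)
        for p in external_route_table(cgw_networks, endpoint)
    )
    return covered and firewall_allows


# Assumed scenario: INTRANET is filtered but keeps 10.10.0.0/16 reachable via an
# aggregation; SERVICES (Connected VPC) is left unfiltered.
INTRANET = Endpoint("INTRANET", filtering_enabled=True, aggregations=["10.10.0.0/16"])
SERVICES = Endpoint("SERVICES", filtering_enabled=False)

if __name__ == "__main__":
    for ep in (INTRANET, SERVICES):
        print(ep.name, [str(p) for p in external_route_table(CGW_NETWORKS, ep)])
        for prefix, attr in route_attributes(CGW_NETWORKS, ep).items():
            print(f"  {prefix:<16} {attr}")
    print("10.10.1.0/24 via INTRANET:", reachable(CGW_NETWORKS, INTRANET, "10.10.1.0/24", True))
    print("10.20.5.0/24 via INTRANET:", reachable(CGW_NETWORKS, INTRANET, "10.20.5.0/24", True))
```

Running the script shows the INTRANET table collapsed to the single aggregate while SERVICES still carries all three CGW networks; 10.20.5.0/24 is unreachable from INTRANET because no advertised prefix covers it, and even a covered prefix returns unreachable when the firewall argument is false.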
The route filtering feature is a powerful tool for the network administrator. Controlling the external route tables for the SERVICES and INTRANET endpoints opens a new level of control. Combined with route aggregation, it lets administrators maintain selective network reachability while still controlling the size and contents of the external routing tables, which provides new design options for SDDC networking.