Understanding Shared Prefix Lists for SDDC Groups in VMC on AWS
VMC on AWS now supports the capability to configure Shared Prefix Lists for SDDC Groups. This feature simplifies customer operations when resources in or connecting through AWS VPCs or connectivity attached to VMware Transit Connect. The VMC-managed prefix list can be configured in AWS VPC security groups and/or in any AWS route tables in AWS VPCs or Transit Gateways (TGWs). Shared Prefix List for SDDC Groups can be configured in the VMC SDDC Groups [SDDC Group Name] -> Routing page or via API.
The use of the Shared Prefix List for SDDC Groups simplifies the operations for network administrators to allow automated updates of networks added or removed from a SDDC Group. As an alternative to manually configuring static routes back to the SDDC networks, the use of the prefix list eases the workload for the network administrator through centrally maintaining the prefix list. The prefix list can also be used in AWS VPC security groups to simplify security policy as well.
When using a managed prefix list, it’s important to ensure the AWS route tables and/or security group are sized appropriately to accommodate the prefix list size. Route aggregation can be configured to minimize the size of the prefix list. The AWS route table and security group display the managed prefix list as a single entry but it is important to note that every network in the prefix list consumes an entry in the AWS route table or security group.
When a shared prefix list is created, it initially appears as a resource share in the AWS console of the account specified when created. After the resource share is accepted, the prefix list can be used in VPC route tables, AWS TGW route tables and/or AWS VPC security groups. In the image below, a shared prefix list is being used in a VPC route table.
It’s important to note that while the shared prefix list adds SDDC segment CIDRs and any configured aggregations to the AWS route tables and/or security groups consuming the prefix list, it does not circumvent SDDC security policy. An administrator will need to configure the appropriate firewall policies to allow traffic between the SDDC and AWS resources.
In the image below, the shared prefix list is being used in an AWS security group.
NOTE - The use the shared prefix list in an AWS TGW, a prefix list reference must be created. See this AWS page.
Operationally, in the VMC Console and/or the NSX Manager UI the AWS resources configured to use the shared prefix list can be found. The image below shows an example of this.
The Shared Prefix List for SDDC Groups capability in VMC on AWS simplifies operations for network administrators for AWS resources to access SDDC based resources. The additional automatically maintained capability the prefix list provides an easier network administration experience compared to manual static route configuration.