September 23, 2022

Understanding Shared Prefix Lists for SDDC Groups in VMC on AWS

VMC on AWS now supports the capability to configure Shared Prefix Lists for SDDC Groups. This feature simplifies customer operations for resources in AWS VPCs, or for connectivity attached to VMware Transit Connect, that need to reach SDDC Group networks. The VMC-managed prefix list can be referenced in AWS VPC security groups and/or in route tables in AWS VPCs or Transit Gateways (TGWs). A Shared Prefix List for SDDC Groups can be configured on the VMC SDDC Groups [SDDC Group Name] -> Routing page or via API.

General Considerations

  • A shared prefix list is regionally specific. It contains the SDDC member routes from the region specified during creation.
  • Shared prefix lists are exported only to the region specified during creation.
  • Multiple shared prefix lists can be created to address any combination of inter-region connectivity.
  • A shared prefix list can be used in multiple AWS accounts in any region.
  • The customer owns the responsibility of ensuring the AWS route tables are sized to accommodate the managed prefix list.
  • The customer owns the responsibility of ensuring the AWS security groups are sized to accommodate the managed prefix list.

Documentation Reference

Route Aggregation

Shared Prefix Lists

Last Updated

September 2022

Considerations

The use of the Shared Prefix List for SDDC Groups simplifies operations for network administrators by automatically updating the list as networks are added to or removed from an SDDC Group. As an alternative to manually configuring static routes back to the SDDC networks, the centrally maintained prefix list eases the workload for the network administrator. The prefix list can also be used in AWS VPC security groups to simplify security policy.

When using a managed prefix list, it’s important to ensure the AWS route tables and/or security groups are sized appropriately to accommodate the prefix list size. Route aggregation can be configured to minimize the size of the prefix list. The AWS route table and security group display the managed prefix list as a single entry, but it is important to note that every network in the prefix list still consumes an entry in the AWS route table or security group.
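The sizing caveat above is easy to get wrong because the console shows the prefix list as one line. The following is an added example, not VMware's or AWS's code: it models route aggregation as replacing covered SDDC segments with a configured aggregate, then checks whether a route table and a security group that already hold a number of entries can still consume the resulting list under the AWS default quotas (50 routes per route table, 60 inbound rules per security group; both adjustable). The SDDC segment CIDRs, the aggregation prefix, and the existing route and rule counts are constructed for illustration.

```python
"""Sizing and aggregation check for a VMC shared prefix list.

Added example, not VMware's or AWS's code. It models the sizing caveat:
a route table or security group shows the managed prefix list as one
line, yet every network in the list counts against that resource's route
or rule quota, and route aggregation shrinks that footprint. All CIDRs,
existing-entry counts and aggregation prefixes below are constructed.
"""
import ipaddress

# AWS default quotas (adjustable through Service Quotas): 50 routes per
# route table, 60 inbound rules per security group.
ROUTES_PER_ROUTE_TABLE = 50
RULES_PER_SECURITY_GROUP = 60

# Constructed SDDC member segment CIDRs for one region.
SDDC_SEGMENTS = [
    "10.72.0.0/24", "10.72.1.0/24", "10.72.2.0/24", "10.72.3.0/24",
    "10.72.16.0/22", "10.72.20.0/22", "10.73.0.0/24",
]


def apply_aggregation(segment_cidrs, aggregation_prefixes):
    """Model route aggregation: every segment covered by a configured
    aggregate is replaced by that aggregate (the broadest one if several
    cover it, a simplifying assumption); uncovered segments are kept.
    Returns the prefix-list entries in first-seen order, de-duplicated."""
    aggregates = [ipaddress.ip_network(a) for a in aggregation_prefixes]
    entries = []
    for seg in (ipaddress.ip_network(c) for c in segment_cidrs):
        covering = [a for a in aggregates
                    if a.version == seg.version and seg.subnet_of(a)]
        entry = min(covering, key=lambda a: a.prefixlen) if covering else seg
        if entry not in entries:
            entries.append(entry)
    return [str(n) for n in entries]


def capacity_report(existing_routes, existing_rules, prefix_list_size,
                    route_quota=ROUTES_PER_ROUTE_TABLE,
                    sg_quota=RULES_PER_SECURITY_GROUP):
    """Check whether a route table holding `existing_routes` routes and a
    security group holding `existing_rules` rules can each consume a
    prefix list of `prefix_list_size` networks. AWS charges the list's
    configured maximum entry count against the quota, so pass that figure
    when it exceeds the current number of entries."""
    return {
        "prefix_list_size": prefix_list_size,
        "route_table_ok": existing_routes + prefix_list_size <= route_quota,
        "route_table_free_after": route_quota - existing_routes - prefix_list_size,
        "security_group_ok": existing_rules + prefix_list_size <= sg_quota,
        "security_group_free_after": sg_quota - existing_rules - prefix_list_size,
    }


if __name__ == "__main__":
    # Constructed scenario: a busy route table (46 routes) and security
    # group (55 rules) that must take the SDDC Group's prefix list.
    raw = apply_aggregation(SDDC_SEGMENTS, [])
    aggregated = apply_aggregation(SDDC_SEGMENTS, ["10.72.0.0/16"])
    for label, entries in (("no aggregation", raw), ("aggregated", aggregated)):
        report = capacity_report(46, 55, len(entries))
        print(f"{label}: {len(entries)} entries -> {entries}")
        print(f"  route table ok: {report['route_table_ok']}, "
              f"security group ok: {report['security_group_ok']}")
```

In the constructed scenario the unaggregated list of seven segments pushes both the route table (46 + 7 > 50) and the security group (55 + 7 > 60) over their default quotas, while a single 10.72.0.0/16 aggregate reduces the list to two entries and both resources fit. The check is deliberately pessimistic: when the prefix list's configured maximum entry count is larger than its current entry count, pass the maximum, since that is what AWS counts against the quota.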

When a shared prefix list is created, it initially appears as a resource share in the AWS console of the account specified when created. After the resource share is accepted, the prefix list can be used in VPC route tables, AWS TGW route tables and/or AWS VPC security groups. In the image below, a shared prefix list is being used in a VPC route table.

It’s important to note that while the shared prefix list adds SDDC segment CIDRs and any configured aggregations to the AWS route tables and/or security groups consuming the prefix list, it does not circumvent SDDC security policy. An administrator will need to configure the appropriate firewall policies to allow traffic between the SDDC and AWS resources.

Shared Prefix List used in a VPC route table


In the image below, the shared prefix list is being used in an AWS security group.

Shared Prefix List used in an AWS Security Group

NOTE - To use the shared prefix list in an AWS TGW route table, a prefix list reference must be created. See this AWS page.

Operationally, the AWS resources configured to use the shared prefix list can be found in the VMC Console and/or the NSX Manager UI. The image below shows an example of this.

VMC Console UI showing PL being used by RTB and SG

Summary

The Shared Prefix List for SDDC Groups capability in VMC on AWS simplifies operations for network administrators who need AWS resources to reach SDDC-based resources. Because the prefix list is maintained automatically, it provides an easier network administration experience than manual static route configuration.

