VMware Cloud on AWS VPN BGP Route filtering

Gilles Chekroun

Lead VMware Cloud on AWS Solutions Architect
Building a Route Based VPN with VMware Cloud on AWS is simple.
There are multiple descriptions in this blog using APIs here and PowerCLI here.
Today I want to highlight a very common request to filter BGP routes incoming and/or outgoing on a Route Based VPN tunnel.
To do that, I will simply use an AWS Transit Gateway as the other end of the VPN tunnel.

Initial Setup


On the SDDC side I have a few Networks:
  • Management at
  • NSX Segments

TGW Side

On the TGW side I just added 2 static routes that will be propagated to the SDDC

SDDC Routes Visibility

Note that when expanding the VPN Tunnel, there is a "VIEW ROUTES" option.
This will show Advertised Routes out of the SDDC and also Learned Routes coming in.

Route Tables


Advertised Routes
Learned Routes

TGW Side

SDDC Route Table

Using API to create prefix lists

The API to create a prefix list is:
The prefix-list is a list of CIDRs with PERMIT or DENY statement followed by a PERMIT ANY statement like:
In this example, the network will be filtered out and others permitted.
Multiple prefix-lists can be created for example a list for outbound filters and another for inbound.

The prefix-lists are applied to the BGP Neighbor configuration.
To create or update a BGP Neighbor configuration, use the following API:
A GET on my BGP Neighbor config will show the route filtering:

I created 2 prefix-lists: 
- one that will filter OUT the network from the SDDC list.
- one that will filter IN the static route from the TGW.

BGP Routes filtering results


Advertised Routes
Learned routes

TGW Side

BGP Routes Summarisation

A nice option on the prefix-list is the ability to do BGP Routes summarisation.
To test that I added a new network

There are 2 options in NSX-T prefix list called GE and LE described here.
I will modify the outbound prefix list to include GE=24 on a /16 network like:

Both and are now filtered out of the BGP advertising.

Terraform code

The Prefix-list and BGP neighbor are in the NSXT terraform provider.
Code example would be:
Create in-out prefix lists and BGP Neighbor
resource "nsxt_policy_gateway_prefix_list" "out_prefix_Tunnel1" {
display_name = "prefix_list"
gateway_path = data.nsxt_policy_tier0_gateway.vmc_T0.path
prefix {
action = "DENY"
ge = 24
network = "" // Filter this network from advertised list
prefix{} // PERMIT ANY other networks

resource "nsxt_policy_gateway_prefix_list" "in_prefix_Tunnel1" {
display_name = "prefix_list"
gateway_path = data.nsxt_policy_tier0_gateway.vmc_T0.path
prefix {
action = "DENY"
network = "" // Filter this network from learned list
prefix {} // PERMIT ANY other networks

resource "nsxt_policy_bgp_neighbor" "BGP1" {
depends_on = [nsxt_policy_ipsec_vpn_tunnel_profile.tunnel_profile1]
display_name = "BGP_neighbor_1"
description = "Terraform provisioned"
bgp_path = "/infra/tier-0s/vmc/locale-services/default/bgp"
hold_down_time = 300
keep_alive_time = 100
neighbor_address = cidrhost(var.tunnel1_inside_cidr, 1)
remote_as_num = var.AWS_ASN_TGW

route_filtering {
address_family = "IPV4"
in_route_filter = nsxt_policy_gateway_prefix_list.in_prefix_Tunnel1.path
out_route_filter = nsxt_policy_gateway_prefix_list.out_prefix_Tunnel1.path

Thanks for reading.



Egress VPC and AWS Transit Gateway (Part1)

AWS Transitive routing with Transit Gateways in the same region

Build a VMware Cloud on AWS Content Library using AWS S3