VMware Cloud on AWS VPN BGP Route filtering

-

Gilles Chekroun


Lead VMware Cloud on AWS Solutions Architect
---
Building a Route Based VPN with VMware Cloud on AWS is simple.
There are multiple descriptions in this blog using APIs here and PowerCLI here.
Today I want to highlight a very common request to filter BGP routes incoming and/or outgoing on a Route Based VPN tunnel.
To do that, I will simply use an AWS Transit Gateway as the other end of the VPN tunnel.

Initial Setup

SDDC Side

On the SDDC side I have a few Networks:
  • Management at 10.10.0.0/23
  • NSX Segments
    • 11.11.11.0/24
    • 12.12.12.0/24
    • 13.13.13.0/24
    • 192.168.1.0/24

TGW Side

On the TGW side I just added 2 static routes that will be propagated to the SDDC
  • 22.22.0.0/24
  • 33.33.0.0/24

SDDC Routes Visibility

Note that when expanding the VPN Tunnel, there is a "VIEW ROUTES" option.
This will show Advertised Routes out of the SDDC and also Learned Routes coming in.

Route Tables

SDDC Side

Advertised Routes
Learned Routes

TGW Side

SDDC Route Table

Using API to create prefix lists

The API to create a prefix list is:
The prefix-list is a list of CIDRs with PERMIT or DENY statement followed by a PERMIT ANY statement like:
In this example, the network 22.22.0.0/24 will be filtered out and others permitted.
Multiple prefix-lists can be created for example a list for outbound filters and another for inbound.

The prefix-lists are applied to the BGP Neighbor configuration.
To create or update a BGP Neighbor configuration, use the following API:
A GET on my BGP Neighbor config will show the route filtering:

I created 2 prefix-lists: 
- one that will filter OUT the 11.11.11.0/24 network from the SDDC list.
- one that will filter IN the 22.22.0.0/24 static route from the TGW.

BGP Routes filtering results

SDDC Side

Advertised Routes
Learned routes

TGW Side

BGP Routes Summarisation

A nice option on the prefix-list is the ability to do BGP Routes summarisation.
To test that I added a new network 11.11.12.0/24

There are 2 options in NSX-T prefix list called GE and LE described here.
I will modify the outbound prefix list to include GE=24 on a /16 network like:

Both 11.11.11.0/24 and 11.11.12.0/24 are now filtered out of the BGP advertising.

Terraform code

The Prefix-list and BGP neighbor are in the NSXT terraform provider.
Code example would be:
/*======================================================
Create in-out prefix lists and BGP Neighbor
=======================================================*/
resource "nsxt_policy_gateway_prefix_list" "out_prefix_Tunnel1" {
  display_name = "prefix_list"
  gateway_path = data.nsxt_policy_tier0_gateway.vmc_T0.path
  prefix {
    action  = "DENY"
    ge = 24
    network = "11.11.0.0/16"   // Filter this network from advertised list
  }
  prefix{}                      // PERMIT ANY other networks
}

resource "nsxt_policy_gateway_prefix_list" "in_prefix_Tunnel1" {
  display_name = "prefix_list"
  gateway_path = data.nsxt_policy_tier0_gateway.vmc_T0.path
  prefix {
    action  = "DENY"
    network = "22.22.0.0/24"   // Filter this network from learned list
  }
  prefix {}                    // PERMIT ANY other networks
}

resource "nsxt_policy_bgp_neighbor" "BGP1" {
  depends_on = [nsxt_policy_ipsec_vpn_tunnel_profile.tunnel_profile1]
  display_name     = "BGP_neighbor_1"
  description      = "Terraform provisioned"
  bgp_path         = "/infra/tier-0s/vmc/locale-services/default/bgp"
  hold_down_time   = 300
  keep_alive_time  = 100
  neighbor_address = cidrhost(var.tunnel1_inside_cidr, 1)
  remote_as_num    = var.AWS_ASN_TGW

  route_filtering {
    address_family   = "IPV4"
    in_route_filter  = nsxt_policy_gateway_prefix_list.in_prefix_Tunnel1.path
    out_route_filter = nsxt_policy_gateway_prefix_list.out_prefix_Tunnel1.path
  }
}
Thanks for reading.
 

Comments

Post a Comment

Populars

Egress VPC and AWS Transit Gateway (Part1)

-
Image
Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Usually my blog posts are customer driven and recently I have been working on a design that would include an Egress VPC and AWS Transit Gateway. This customer is going to use both VMware Managed Transit Gateway and also AWS Transit Gateway. I will split this post in 3 parts: The Egress VPC - this article Adding a VMC SDDC to the Egress VPC here Adding VMware Managed Transit Gateway here Why do we need an Egress VPC? Numerous posts on AWS site  will describe how to build an Egress VPC and the subtleties of the various route tables of the TGW and the Egress VPC itself. The main goal is to have ONE Internet gateway only  that will allow workloads to go out to internet on the Egress VPC. One of the most important point is redundancy and multi-availability zones. Applications usually reside in private subnets, while NAT Gateways reside in a public subnet. NAT Gateways To focus the Internet access to a single point, we can cre
Read more

AWS Transitive routing with Transit Gateways in the same region

-
Image
Gilles Chekroun Lead VMware Cloud on AWS Specialist --- At the AWS Re:invent 2019 conference, the long waited TGW peering functionality was announced and available in a few AWS regions. This is an INTER-REGION peering only meaning that the Transit Gateways need to be in different regions. Hoping that AWS will soon release an INTRA-REGION capability I discussed with a few AWS Solutions Architects in Las Vegas, among them Tom Adamski , about using a VPC as a bridge between two TGWs in the same region. Tom assured me that it is possible opening for the first time the transitive routing capability in AWS networking. Well . . . I needed to test that and see by myself. Test bed For a simple test, I will use 2 TGWs in the same regions with 2 VPCs attached each and another VPC as "bridge" connected to both TGWs. Yes you can connect a VPC up to 5 TGWs . The whole idea is to use this "bridging VPC" and point the default route of the TGWs to it. To do that I c
Read more

Considerations on vTGW to TGW Peering Link

-
Image
   Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Recently I was talking with a Customer on designing their VMware Cloud on AWS environment and linking it to their existing AWS infrastructure. The idea was to have 2 SDDCs, Test and Prod, and link them with a VMware Managed TGW and peer it to their existing TGW. The customer requirements were: VMs in each SDDC should have internet access from the SDDC out VMs from Test should be able to talk to VMs in Prod VMs in any SDDC should be able to access their own vCenter but also the other one Some VMs any SDDC should have a Public IP and NAT rule to be accessible from outside VMware traffic should stay within VMware SDDCs Other traffic, like on-prem, should go via the Customer TGW Test Setup Step1 - Create SDDC Group Create an SDDC Group and attach the 2 SDDCs Prod and Test Make sure the proper FireWall rules are open in each SDDC Compute GW. Step 2 - Attach the Customer TGW In the SDDC Groups, under External TGW TAB, add t
Read more