VMware Cloud on AWS VPN BGP Route filtering

Gilles Chekroun


Lead VMware Cloud on AWS Solutions Architect
---
Building a Route Based VPN with VMware Cloud on AWS is simple.
There are multiple descriptions in this blog using APIs here and PowerCLI here.
Today I want to highlight a very common request to filter BGP routes incoming and/or outgoing on a Route Based VPN tunnel.
To do that, I will simply use an AWS Transit Gateway as the other end of the VPN tunnel.

Initial Setup

SDDC Side

On the SDDC side I have a few Networks:
  • Management at 10.10.0.0/23
  • NSX Segments
    • 11.11.11.0/24
    • 12.12.12.0/24
    • 13.13.13.0/24
    • 192.168.1.0/24

TGW Side

On the TGW side I just added 2 static routes that will be propagated to the SDDC
  • 22.22.0.0/24
  • 33.33.0.0/24

SDDC Routes Visibility

Note that when expanding the VPN Tunnel, there is a "VIEW ROUTES" option.
This will show Advertised Routes out of the SDDC and also Learned Routes coming in.

Route Tables

SDDC Side

Advertised Routes
Learned Routes

TGW Side

SDDC Route Table

Using API to create prefix lists

The API to create a prefix list is:
The prefix-list is a list of CIDRs with PERMIT or DENY statement followed by a PERMIT ANY statement like:
In this example, the network 22.22.0.0/24 will be filtered out and others permitted.
Multiple prefix-lists can be created for example a list for outbound filters and another for inbound.

The prefix-lists are applied to the BGP Neighbor configuration.
To create or update a BGP Neighbor configuration, use the following API:
A GET on my BGP Neighbor config will show the route filtering:

I created 2 prefix-lists: 
- one that will filter OUT the 11.11.11.0/24 network from the SDDC list.
- one that will filter IN the 22.22.0.0/24 static route from the TGW.

BGP Routes filtering results

SDDC Side

Advertised Routes
Learned routes

TGW Side

BGP Routes Summarisation

A nice option on the prefix-list is the ability to do BGP Routes summarisation.
To test that I added a new network 11.11.12.0/24

There are 2 options in NSX-T prefix list called GE and LE described here.
I will modify the outbound prefix list to include GE=24 on a /16 network like:

Both 11.11.11.0/24 and 11.11.12.0/24 are now filtered out of the BGP advertising.

Terraform code

The Prefix-list and BGP neighbor are in the NSXT terraform provider.
Code example would be:
/*======================================================
Create in-out prefix lists and BGP Neighbor
=======================================================*/
resource "nsxt_policy_gateway_prefix_list" "out_prefix_Tunnel1" {
display_name = "prefix_list"
gateway_path = data.nsxt_policy_tier0_gateway.vmc_T0.path
prefix {
action = "DENY"
ge = 24
network = "11.11.0.0/16" // Filter this network from advertised list
}
prefix{} // PERMIT ANY other networks
}

resource "nsxt_policy_gateway_prefix_list" "in_prefix_Tunnel1" {
display_name = "prefix_list"
gateway_path = data.nsxt_policy_tier0_gateway.vmc_T0.path
prefix {
action = "DENY"
network = "22.22.0.0/24" // Filter this network from learned list
}
prefix {} // PERMIT ANY other networks
}

resource "nsxt_policy_bgp_neighbor" "BGP1" {
depends_on = [nsxt_policy_ipsec_vpn_tunnel_profile.tunnel_profile1]
display_name = "BGP_neighbor_1"
description = "Terraform provisioned"
bgp_path = "/infra/tier-0s/vmc/locale-services/default/bgp"
hold_down_time = 300
keep_alive_time = 100
neighbor_address = cidrhost(var.tunnel1_inside_cidr, 1)
remote_as_num = var.AWS_ASN_TGW

route_filtering {
address_family = "IPV4"
in_route_filter = nsxt_policy_gateway_prefix_list.in_prefix_Tunnel1.path
out_route_filter = nsxt_policy_gateway_prefix_list.out_prefix_Tunnel1.path
}
}

Thanks for reading.
 

Comments

Populars

Using Terraform with multiple providers in multiple phases to deploy and configure VMware Cloud on AWS

AWS Transit Gateway and VMware Cloud on AWS

AWS Transit Gateway and Multiple Accounts