AWS Managed Prefix List Mode can simplify route table management in a Multi-Edge SDDC and enable support in any SDDC for custom route tables and route aggregation.

When you enable AWS Managed Prefix Lists for the Connected VPC, VMware Cloud on AWS creates an AWS prefix list populated with the default Compute Gateway prefixes and any other prefix list aggregations you have created, then shares it with the AWS Account ID shown on the Connected Amazon VPC page. Once you accept this AWS resource share, you can add prefix lists to the Connected VPC route tables.

VMware Cloud on AWS uses the Managed Prefix List to update the main route table for the Connected VPC. When a prefix list is added to a route table, that entry in the route table is pointed to a destination ENI and the prefix list replaces the individual CIDRs the ENI includes. Because it is a managed object, the prefix list gets updated automatically whenever new segments or aggregations are configured. In addition, the route table entries for that prefix list are updated to point to the correct ENI whenever the active Edge instance's host changes. You are responsible for adding Connected VPC prefix lists to any custom route tables that you've created. For more about managed prefix lists, see the VMware Cloud Tech Zone article Understanding Managed Prefix List Mode for Connected VPC in VMC on AWS.
Note: In a multi-edge SDDC, the managed prefix list for the Connected VPC is populated with entries from the prefix list for the default traffic group. You'll need to manually update the prefix list for each additional NSX edge.
If you remove the prefix list from any routing table, including the main route table for the Connected VPC, but later decide you want to restore it, you'll need to do that manually.

Procedure

  1. Log in to VMware Cloud Services at https://vmc.vmware.com.
  2. Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.
  3. Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown on the SDDC Settings page. See SDDC Network Administration with NSX Manager.
    You can also use the VMware Cloud Console Networking & Security tab for this workflow.
  4. Click Connected VPC to open the Connected Amazon VPC page.
    The Traffic Groups table on this page shows the default traffic group and its active AWS network interface ID.
  5. Enable AWS Managed Prefix List Mode.
    1. Toggle AWS Managed Prefix List Mode to Enabled.
      Review the message and click ENABLE or CANCEL. If you click ENABLE, AWS Managed Prefix List Mode transitions to ACTION PENDING and you are prompted to accept the AWS resource share containing the managed prefix list.
    2. Log into the AWS console with an identity that has permission to accept a resource share and click Resource Access Manager > Shared with me.
      The resource Name has the form managed-prefix-list-resource-share-vpc-ID and a Status of Pending. Click the resource Name to open the resource Summary card, then click Accept resource share and confirm acceptance,
    3. In the VMware Cloud Console, return to the Connected Amazon VPC tab and wait for AWS Managed Prefix List Mode to change from Pending to Enabled.
      AWS resource association can take up to ten minutes.

    In the main route table for the Connected VPC, individual routes to the management and compute gateways are replaced by a prefix list. The Traffic Groups table now includes the Prefix List ID, Prefix List Name, and Route Tables Programmed for the default traffic group. Click the Prefix List Name to view the list.

What to do next

Add the prefix list to a custom route table in the Connected VPC. This allows AWS resources in subnets associated with that custom route table to communicate with the SDDC.

VMware Cloud on AWS automatically detects the additional route table and updates the prefix list to point to the correct ENI. After the initial update, you can manually configure the route table to point to the same ENI that the prefix list uses. Otherwise, this update and subsequent updates happen automatically whenever VMware Cloud on AWS detects the addition of the prefix list to a new route table.

Note:

Each prefix list counts as a single Route when added to a route table but can contain many entries, each of which counts toward the route table's quota. See AWS VPC route table quotas and be sure that the route table has sufficient capacity to accommodate all the routes in the prefix list. You can Aggregate and Filter Routes to Uplinks to control the set of routes advertised to SDDC network uplinks like Direct Connect, VMware Transit Connect and the Connected VPC. Aggregation can help in cases where you have to reduce the number of entries in a VPC route table, and egress filtering is useful for limiting the set of routes that are advertised to the Connected Amazon VPC (SERVICES uplink) and other uplinks.

After VMware Cloud on AWS detects the prefix list in a custom route table (this can take up to ten minutes) it updates that entry to point to the active ENI and adds the updated route table to the Traffic Groups table. Subsequent updates to that route table take place immediately whenever the active ENI changes.