Use route aggregation and egress filtering to control the set of routes advertised to SDDC network uplinks like Direct Connect, VMware Transit Connect and the Connected VPC. You'll need this in cases where you have to reduce the number of entries in a VPC route table or limit the set of routes that are advertised to uplinks.

In SDDCs at version 1.18 and later, you can use NSX Manager to aggregate routes to the INTRANET and SERVICES uplinks. And beginning at SDDC version 1.20, you can also use NSX Manager to filter the set of routes advertised to those uplinks. Route aggregation and filtering are not exposed in the legacy VMware Cloud Console Networking & Security tab.

In the default configuration, all segments in the SDDC Compute Network are advertised to the Connected Amazon VPC and to external connections such as AWS Direct Connect and VMware Transit Connect. You can manage the list of CIDRs that get advertised this way by aggregating and optionally filtering these routes. Filtered routes are not advertised to the selected uplinks. Management subnets are always advertised. When both aggregation and filtering are applied, aggregated subnets are advertised even if they include CIDRs that would normally be filtered out. To view or download the current set of routes advertised to the Connected VPC, open the NSX Manager Networking tab and click Connected VPC > Advertised. To view or download the current set of routes advertised to Transit Connect, see View Routes Learned and Advertised over VMware Transit Connect.

See Enabling and Using IPv6 in SDDC Networks for additional information about route aggregation requirements when using IPv6 to communicate between members of an SDDC group.

Procedure

  1. Log in to VMware Cloud Services at https://vmc.vmware.com.
  2. Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.
  3. Click OPEN NSX MANAGER.
  4. Aggregate CGW subnet CIDRs.
    1. On the NSX Manager Networking tab, click Global Configuration > Route Aggregation.
    2. Create a prefix list of CIDR blocks to aggregate.
      Under Aggregation Prefix Lists, click ADD AGGREGATION PREFIX LIST and give the list a Name, then click Set to open the Set Prefixes editor. Add prefix CIDRs as needed. The system normalizes any CIDRs that contain a subnet that falls in the middle of a larger range. For example, if your default CGW segments include 192.168.1.0/24, 192.168.5.0/24, and 192.168.22.0/24, the aggregation is advertised as 192.168.0.0/16 but the individual segments are not advertised.
    3. Add a route configuration that includes the new prefix list.
      Under Route Configurations, click ADD ROUTE CONFIGURATION and give the new configuration a Name. Select the Aggregation Prefix List you created and choose a Connectivity Endpoint:
      • Select INTRANET to apply this routing configuration to Direct Connect and VMware Transit Connect.
      • Select SERVICES to apply this routing configuration to the connected VPC. See Enable AWS Managed Prefix List Mode for the Connected Amazon VPC for information about how AWS Managed Prefix Lists affect aggregation of routes to the Connected VPC.
      You cannot add a route configuration to the INTERNET endpoint.
    4. Click SAVE to create the new configuration.
    Aggregated routes are flagged in the Advertised Routes table of the Transit Connect page and on the Advertised page of the Connected Amazon VPC tab.
  5. (Optional) Apply egress filtering to uplinks.

    When egress filtering is enabled for an uplink, only aggregated and non-overlapping CIDR blocks are advertised to BGP consumers on the specified uplinks. Default CGW segments that are subnets of a configured aggregation are not advertised. You can control the application of egress filtering to the INTRANET and SERVICES uplinks on the NSX Manager Networking tab: click Global Configuration > Uplinks and toggle Egress Filtering as needed.

    On the NSX Manager Networking tab, click Global Configuration > Route Filtering. Toggle Egress Filtering for an uplink to prevent CGW subnets from being advertised to BGP consumers on the uplink. If you turn Egress Filtering off for an uplink, all CGW subnets will be advertised. You cannot apply egress filtering to the INTERNET uplink.
    Non-default CGW segments are not advertised to the selected uplinks, although they remain reachable when they are within an aggregation. Segments that are filtered out (not advertised) have a Status of Filtered on the Advertised page of the Connected Amazon VPC tab. Segments that are not filtered out (advertised) have a Status of Success on that page. Filtered routes that include an aggregation are flagged as Aggregated here and on the Transit Connect page (see View Routes Learned and Advertised over VMware Transit Connect).
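As an added example (not VMware's code), the following Python models the route-status rules described in this procedure so you can preview what an uplink will see before applying an aggregation or toggling egress filtering. The rule set is one reading of the text above, not the product's own logic, and the segment list, management subnet and aggregation prefix are constructed sample values.

```python
from ipaddress import ip_network

# Constructed sample data, not taken from any real SDDC.
MANAGEMENT = ["10.2.0.0/16"]
SEGMENTS = {               # CGW segment CIDR -> True if it is a default CGW segment
    "192.168.1.0/24": True,
    "192.168.5.0/24": True,
    "192.168.22.0/24": True,
    "172.16.40.0/24": True,
    "10.50.0.0/24": False,   # non-default segment outside any aggregation
}
AGGREGATIONS = ["192.168.0.0/16"]   # aggregation prefix list bound to the uplink


def advertised_routes(segments, aggregations, management, egress_filtering):
    """Return {cidr: status} as it would appear on the uplink's Advertised page.

    Rules modelled (our reading of the text above, not the product's own logic):
      - management subnets are always advertised (Success)
      - an aggregation prefix is advertised instead of the segments it covers (Aggregated)
      - a segment inside an aggregation is not advertised individually (Filtered)
      - with egress filtering on, non-default segments outside any aggregation are Filtered
      - anything else is advertised (Success)
    """
    aggs = [ip_network(a) for a in aggregations]
    routes = {m: "Success" for m in management}
    for a in aggs:
        routes[str(a)] = "Aggregated"
    for cidr, is_default in segments.items():
        net = ip_network(cidr)
        if any(net.subnet_of(a) for a in aggs):
            routes[cidr] = "Filtered"      # summarised by the aggregate
        elif egress_filtering and not is_default:
            routes[cidr] = "Filtered"      # dropped by egress filtering
        else:
            routes[cidr] = "Success"
    return routes


def still_reachable(routes, cidrs):
    """CIDRs that still reach the uplink, directly or under an advertised aggregate."""
    advertised = [ip_network(c) for c, s in routes.items() if s != "Filtered"]
    return sorted(c for c in cidrs if any(ip_network(c).subnet_of(a) for a in advertised))


if __name__ == "__main__":
    for flt in (False, True):
        print(f"egress filtering {'on' if flt else 'off'}:")
        for cidr, status in advertised_routes(SEGMENTS, AGGREGATIONS, MANAGEMENT, flt).items():
            print(f"  {cidr:18} {status}")
```

Run `still_reachable` against the segments you do not want exposed on an uplink: a segment shown as Filtered can still be reached through an aggregate that covers it, which is the caveat the procedure notes above.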