Mobility Optimized Networking policy route configuration settings can vary depending on the HCX deployment.
This section describes the default MON policy configuration and provides best practices and considerations for configuring policy routes in these environments: VMware Cloud on AWS, Amazon S3 Object Storage, deployments with Route-based VPN (RBVPN).
Default MON Policy Configuration
The default MON policy includes all RFC-1918 networks. This policy configuration forwards private subnet traffic (not destined to segments within the SDDC) to the on-premises router and sends internet egress traffic to the SDDC tier-0 router.
Policy Configuration for Internet Egress On-premises
For MON deployments where security policies require internet access on-premises, replace the default MON Policy Configuration:
Remove the default RFC-1918 entries from the Policy Routes interface.
Add a single Allow entry for network 0.0.0.0/0.
This policy configuration forwards private subnet traffic (not destined to segments within the SDDC) to the on-premises router and internet egress traffic, while maintaining routing symmetry.
Policy Configuration for Cloud Services
MON policy routing can be revised to achieve cloud service reachability.
Configure the IP address ranges for the cloud based service as Deny entries (exclusions) to the MON Policy.
Deny entries are sent to the SDDC tier-1 router.