This post would not be long but extremely important.
How to control the prefix advertisement between different VNETs, Regions, Clouds, external connections (e.g. BGPoLAN or BGPoIPSec)? The answer is provided in this post below.
Route Control Options
First of all, let me present you the options I would like to focus on:
- [Transit Peering] Exclude Network CIDRs
- [Transit] Route Approval
- [Transit] Exclude CIDRs from Attached Spokes Advertisements
- [Transit and Spoke] Exclude Learned CIDRs to Spoke VPC
- [Spoke] Customize Spoke Advertised VPC CIDRs
- [Transit and Spoke] BGP Options – Route Advertisement Control
[Transit Peering] Exclude Network CIDRs
- Optional field during Transit Peering creation
- Overlapping CIDRs are not propagated to other Transit Gateways
- List of CIDRs separated by comma
- Can be edited later on
[Transit] Route Approval
- Applies only to Transit Gateways and only to the BGP External Connections,
- e.g. BGPoLAN, BGPoIPSEC towards on-prem or SD-WAN
- Controller: Multi-Cloud Transit -> Approval -> Config
- Mode: Gateway (all connections) OR Connections
- Only Approved routes will be installed/learned
- Manually input approved CIDRs
- A BGP connection that is not configured for Approval learns all routes from its peer automatically
Aviatrix Encrypted Transit Approval Process:
- New routes arrive at Aviatrix Transit GW
- Aviatrix Transit GW reports new routes
- Email notification sent to the admin
- Admin log in to the Controller to approve
- Controller programs the new routes to the Spoke VPC GWs
[Transit] Exclude CIDRs from Attached Spokes Advertisement
Attached Transit GWs will not learn the specified CIDRs from the Spoke GWs.
[Transit and Spoke] Exclude Learned CIDRs to Spoke VPC
Spoke GWs will not learn the specified CIDRs.
What is more the subset of the CIDR specified will not be advertised either.
- If it is done on Transit GW: the whole Spokes will not get the CIDR(s).
- If it is done on specific Spoke GW: just that Spoke GW will not get the CIDR(s).
[Spoke] Customize Spoke Advertised VPC CIDRs
- Configured on Spoke-GW level
- Selectively advertise the CIDRs
- The attached Transit GW will receive only the specified prefixes
- If left empty = the CIDRs are advertised
- Use case:
- NAT CIDR advertised to Transit
- Default route advertised from Spoke to Transit
[Transit and Spoke] BGP Options – Route Advertisement Control
- Gateway Manual BGP Advertised Network List
- The List of CIDRs advertised by Gateway to its BGP peers
- Connection Manual BGP Advertised Network List
- The List of CIDRs advertised by Gateway on a specific connection to BGP peer
- Gateway AS PATH Prepend
- Applies to all BGP connections
- Connection AS PATH Prepend
- Applies only to specified BGP connection
As you can see there are multiple options available for you if granular route control is required in your environment. I hope you find this post informative.