Aviatrix Route-Control Options

This post will not be long, but it is extremely important.

How do you control prefix advertisement between different VNETs, regions, clouds and external connections (e.g. BGPoLAN or BGPoIPSec)? The answer is provided in this post below.

Route Control Options

First of all, let me present the options I would like to focus on:

Aviatrix Route Control Options

[Transit Peering] Exclude Network CIDRs

  • Optional field during Transit Peering creation
  • Overlapping CIDRs are not propagated to other Transit Gateways
  • List of CIDRs separated by comma
  • Can be edited later on

Transit Peering – Exclude Network CIDRs

Transit Peering – Exclude Network CIDRs example

[Transit] Route Approval

  • Applies only to Transit Gateways and only to the BGP External Connections,
    • e.g. BGPoLAN, BGPoIPSEC towards on-prem or SD-WAN
    • Controller: Multi-Cloud Transit -> Approval -> Config
  • Mode: Gateway (all connections) OR Connections
  • Only Approved routes will be installed/learned
  • Manually input approved CIDRs
  • A BGP connection that is not configured for Approval learns all routes from its peer automatically

Aviatrix Encrypted Transit Approval Process:

  1. New routes arrive at Aviatrix Transit GW
  2. Aviatrix Transit GW reports new routes
  3. Email notification sent to the admin
  4. Admin logs in to the Controller to approve
  5. Controller programs the new routes to the Spoke VPC GWs

Route Approval Process

Step 1 – Enable Route Approval

Step 2 – Approve the CIDRs

[Transit] Exclude CIDRs from Attached Spokes Advertisement

Attached Transit GWs will not learn the specified CIDRs from the Spoke GWs.

Exclude CIDRs from Attached Spokes Advertisement – step 1

Exclude CIDRs from Attached Spokes Advertisement – step 2

[Transit and Spoke] Exclude Learned CIDRs to Spoke VPC

Spoke GWs will not learn the specified CIDRs.

What is more, any more-specific prefix that falls within the specified CIDR will not be advertised either.

  • If it is done on the Transit GW: none of the attached Spokes will get the CIDR(s).
  • If it is done on a specific Spoke GW: just that Spoke GW will not get the CIDR(s).

Exclude Learned CIDRs to Spoke VPC – step 1

Exclude Learned CIDRs to Spoke VPC – step 2
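A small Python model of two of the filters described above (Route Approval and Exclude Learned CIDRs to Spoke VPC), added here as an illustration and not Aviatrix code; the prefixes and gateway names are constructed sample values. It shows that a Transit-level exclude also drops more-specific prefixes inside the excluded CIDR for every Spoke, while a Spoke-level exclude affects only that Spoke GW.

```python
from ipaddress import ip_network

# Constructed sample data (not taken from a real deployment).
ON_PREM_ROUTES = ["10.1.0.0/16", "10.2.0.0/16", "192.168.10.0/24", "0.0.0.0/0"]
APPROVED = ["10.1.0.0/16", "10.2.0.0/16", "192.168.10.0/24"]
TRANSIT_EXCLUDES = ["192.168.0.0/16"]   # configured on the Transit GW
SPOKE_B_EXCLUDES = ["10.2.0.0/16"]      # configured on Spoke GW "B" only


def covered(prefix, cidrs):
    """True when prefix equals, or is a more-specific subnet of, any CIDR in cidrs."""
    p = ip_network(prefix)
    return any(p.subnet_of(ip_network(c)) for c in cidrs)


def approve_routes(received, approved, approval_enabled):
    """[Transit] Route Approval: only approved CIDRs are installed.

    A BGP connection without approval enabled learns every route from its peer.
    """
    if not approval_enabled:
        return list(received)
    approved_nets = {ip_network(a) for a in approved}
    return [r for r in received if ip_network(r) in approved_nets]


def routes_for_spoke(transit_routes, transit_excludes, spoke_excludes=()):
    """[Transit and Spoke] Exclude Learned CIDRs to Spoke VPC.

    Transit-level excludes hide the CIDR (and any subset of it) from all
    attached Spokes; Spoke-level excludes apply to that Spoke GW only.
    """
    return [r for r in transit_routes
            if not covered(r, transit_excludes)
            and not covered(r, spoke_excludes)]


if __name__ == "__main__":
    installed = approve_routes(ON_PREM_ROUTES, APPROVED, approval_enabled=True)
    print("installed on Transit:", installed)
    print("Spoke A learns:", routes_for_spoke(installed, TRANSIT_EXCLUDES))
    print("Spoke B learns:", routes_for_spoke(installed, TRANSIT_EXCLUDES, SPOKE_B_EXCLUDES))
```

Running it shows the default route dropped by approval, 192.168.10.0/24 hidden from both Spokes by the Transit exclude, and 10.2.0.0/16 hidden from Spoke B alone.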

[Spoke] Customize Spoke Advertised VPC CIDRs

  • Configured on Spoke-GW level
  • Selectively advertise the CIDRs
  • The attached Transit GW will receive only the specified prefixes
  • If left empty, the VPC CIDRs are advertised as usual
  • Use case:
    • NAT CIDR advertised to Transit
    • Default route advertised from Spoke to Transit

Customize Spoke Advertised VPC CIDRs – step 1

Customize Spoke Advertised VPC CIDRs – step 2

[Transit and Spoke] BGP Options – Route Advertisement Control

  • Gateway Manual BGP Advertised Network List
    • The List of CIDRs advertised by Gateway to its BGP peers
  • Connection Manual BGP Advertised Network List
    • The List of CIDRs advertised by Gateway on a specific connection to BGP peer
  • Gateway AS PATH Prepend
    • Applies to all BGP connections
  • Connection AS PATH Prepend
    • Applies only to specified BGP connection

Summary

As you can see, there are multiple options available if granular route control is required in your environment. I hope you find this post informative.
