pyVMC: BGP Prefix Filters

Recently, during a proof of concept for a customer testing out VMware Cloud DR, we had a need to prevent specific routes from being advertised over the VPN… This can be accomplished using BGP prefix filters.

Essentially the customer wanted to be able to recreate networks in VMC on AWS so that recovered workloads could land with the same IP addresses as on-premises, avoiding any reconfiguration of virtual machines. They were not interested in the complexities associated with using HCX or NSX to perform a layer-2 stretch, so the easiest thing turned out to be simply to recreate the necessary subnets in VMC on AWS… but of course, to ensure isolation for testing purposes, we needed to prevent any advertisement of the duplicate networks.

Luckily for me, my good friend Patrick Kremer has already written about how to do this using APIs and Postman here. So I recruited him for some assistance, and with his help we were able to get this implemented for the customer… Of course, nobody wants to have to do something like this manually – it can get confusing, it’s highly prone to error, and tedious. So, I undertook an effort to help make this easier for future customers and users… I am super excited to have (finally) contributed to a public, open source effort, specifically the Python Client for VMC on AWS.

Today’s release of pyVMC – version 1.5 – includes some specific capabilities around viewing, creating, and removing prefix lists. What is a prefix list, you ask? Great question, and it’s fairly straightforward. A BGP prefix filter simply permits or denies routes from being learned or advertised as a result of BGP peering. Here – LMGTFY…

show-t0-prefix-lists

This command was actually put in place by Patrick – simply put, it will enumerate the current prefix lists managed in the SDDC.

new-t0-prefix-list

As you might guess, running pyVMC.py new-t0-prefix-list will create a new prefix list to be uploaded to the SDDC. The user will be prompted to create a name, description, and ID for the new prefix list, then enter one or more CIDR blocks to be added to the list, as per the screen shot below. This is the first release of this feature – I am hoping to make this more user-friendly in the next revision.

As you can see below, I am using a new menu system – this code has been pushed but hasn’t yet been released. First the user is asked to enter a name and ID for the new prefix list, and then is presented with a list of options. In the screen below, I have selected “3” to review the new list.

Of course, the new prefix list contains nothing more than a name at this point, so I have to add at least one CIDR to it. Below, you will see I select “2” to add a new prefix and enter the details appropriately.

[UPDATED September 22, 2021] – Note that “scope” and “length” are part of the same key:value pair, so if you leave “scope” blank you won’t be prompted for “length” and the pair will be excluded from the JSON… I have also included some error checking to ensure that “action” can only be “PERMIT” or “DENY”.

I want to make sure I entered the prefix correctly, so once again I select “3” below.

Everything looks good, so I select option “1” to commit the prefix list and upload it to the SDDC – and as you can see in the image below, I receive confirmation the list has been added.

I run the pyVMC.py show-t0-prefix-lists command again to show the newly created list:
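To show what the create workflow above is assembling, here is an added example (my own illustration, not pyVMC’s code) that validates each prompt answer and builds the prefix-list body offline, including the blank-scope rule and the PERMIT/DENY check from the update note. The JSON key names (id, display_name, description, prefixes, network, action, le, ge) are assumed from the NSX-T Policy API rather than taken from the post.

```python
import ipaddress
import json

VALID_ACTIONS = {"PERMIT", "DENY"}
# Assumption: the "scope" prompt maps to the NSX-T PrefixEntry key, "le" or "ge".
VALID_SCOPES = {"le", "ge"}


def make_prefix(network, action, scope="", length=None):
    """Return one prefix entry; raise ValueError on anything the API would reject."""
    # strict=True rejects host bits set (e.g. 10.10.10.5/24) and malformed CIDRs
    net = ipaddress.ip_network(network.strip(), strict=True)
    action = action.strip().upper()
    if action not in VALID_ACTIONS:
        raise ValueError(f"action must be PERMIT or DENY, got {action!r}")
    entry = {"network": str(net), "action": action}
    scope = scope.strip().lower()
    if not scope:
        return entry  # blank scope: the scope/length pair is omitted entirely
    if scope not in VALID_SCOPES:
        raise ValueError(f"scope must be le or ge, got {scope!r}")
    if length is None:
        raise ValueError("a length is required when a scope is given")
    length = int(length)
    if not net.prefixlen <= length <= net.max_prefixlen:
        raise ValueError(f"length {length} outside {net.prefixlen}..{net.max_prefixlen}")
    entry[scope] = length
    return entry


def build_prefix_list(list_id, name, description, prefixes):
    """Assemble the request body; key names follow the NSX-T Policy API (assumption)."""
    if not prefixes:
        raise ValueError("a prefix list needs at least one CIDR before it is committed")
    return {
        "id": list_id,
        "display_name": name,
        "description": description,
        "prefixes": [make_prefix(**p) for p in prefixes],
    }


if __name__ == "__main__":
    # Constructed sample: deny the duplicated DR subnet, permit the rest of 10.0.0.0/8 up to /32
    body = build_prefix_list("dr-test-filter", "dr-test-filter", "block duplicate DR networks", [
        {"network": "10.10.10.0/24", "action": "deny"},
        {"network": "10.0.0.0/8", "action": "permit", "scope": "le", "length": 32},
    ])
    print(json.dumps(body, indent=2))
```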

remove-t0-prefix-list

Finally, running pyVMC.py remove-t0-prefix-list <prefix-list-id> will delete the prefix list from your SDDC.

Future Work

The next step will be to actually attach a filter to one of the network interfaces in the SDDC – which is the final step to actually be able to implement the filter on your environment. That will be the topic of a future blog. 🙂

You can read up on that here. 🙂
