About Spoke Gateway Routing Policy
This document describes the routing policies for Aviatrix Spoke Gateways.
Configure Private VPC/VNet Default Route
The Configure Private VPC/VNet Default Route policy minimizes VPC private routing table programming.
This route policy allows the Aviatrix Controller to program a default route in the Transit VPC’s private routing table to point to the Spoke Gateway. Subsequently, any route change from the attached Transit Gateway will need no route change to the Transit Gateway’s private routing table.
The Configure Private VPC/VNet Default Route policy is only supported for Spoke Gateways in AWS. |
Skip Public VPC/VNet Route Table
The Skip Public VPC/VNet Route Table policy minimizes VPC public routing table programming.
This route policy allows the Aviatrix Controller to skip the Spoke VPC’s public routing table programming for non-RFC 1918 route changes from the attached Transit Gateway.
This route policy is only supported for Spoke Gateways in AWS.
Customize Spoke VPC/VNet route table and this feature are mutually exclusive. |
Auto Advertise Spoke Site2Cloud CIDRs
Dynamic Route updates on Spoke Gateway for Site2Cloud allows regional redundancy for overlapping and non-overlapping CIDRs.
With Auto Advertise Spoke Site2Cloud CIDRs policy, route will be auto advertised or removed for remote and local virtual CIDRs when:
-
Site2Cloud connection is created or deleted.
-
Site2Cloud connection status changes to up or down.
-
Spoke-to-Transit gateway link goes down.
This routing polciy is only supported for mapped Site2Cloud connections on AWS and AWS-GovCloud, GCP, and Azure and Azure-GovCloud. |
Customize Spoke VPC/VNet Route Table
The Customize Spoke VPC/VNet Route Table routing policy enables you to customize Spoke VPC or VNet route table entry by specifying a list of comma separated CIDRs.
When a CIDR is specified, automatic route propagation to the Spoke(s) VPC or VNet will be disabled, overriding propagated CIDRs from other Spoke and Transit gateways and on-premises network. For example, you could enable this policy by specifying CIDRs for a Spoke VPC or VNet that is customer facing and your customer is propagating routes that may conflict with your on-premises routes.
When this route policy is enabled on an Aviatrix Spoke Gateway, only that gateway VPC or VNet route table is applied.
To disable this policy, leave the CIDRs field empty.
Exclude Learned CIDRs to Spoke VPC/VNet Route Table
The Exclude Learned CIDRs to Spoke VPC/VNet Route Table routing policy enables you to filter on-premises network CIDRs to Spoke VPC or VNet route table entry by specifying a list of comma separated CIDRs. For example, you could enable this policy by specifying CIDRs for a Spoke VPC or VNet that is customer facing, and you do not want your customer to access all your on-premises network CIDRs.
-
The list of the filtered out CIDRs can be a super set of on-premises learned routes. For example, if the on-premises learned routes are 100.10.0.0/24 and 100.10.1.0/24, you can enter 100.10.0.0/16 to filter out both routes.
-
If the filtered out CIDR is a subnet of on-premises learned CIDR, the filtered CIDR won’t work.
-
When this policy is applied to a specific Spoke VPC or VNet, only the Spoke VPC or VNet route table is affected.
Customize Spoke Advertised VPC/VNet CIDRs
The Customize Spoke Advertised VPC/VNet CIDRs routing policy enables you to selectively exclude some VPC or VNet CIDRs from being advertised to on-premises.
For example, if you have Spoke VPCs or VNets that have multiple CIDR Spoke VPCs or VNets, the Aviatrix Controller will reject them as there are overlapping CIDRs. By excluding the overlapping CIDRs, you will be able to attach the Spoke VPC/VNets.
When this policy is applied to an Aviatrix Spoke Gateway, the list is a "Include list", that is, only the CIDRs in the input fields are advertised to on-premises. Include list can be network ranges that are outside the Spoke VPC or VNet CIDR.
Update Encrypted Spoke VPC/VNet CIDRs
The Update Encrypted Spoke VPC/VNet CIDRs routing policy queries the cloud service provider (CSP) and updates the Aviatrix Spoke VPC or VNet route tables with any added CIDRs without requiring to detach or re-attach the Spoke Gateway.
For example, when new subnets and instances are added to a Spoke VPC, Aviatrix automatically updates the Spoke VPC route tables and propagates the new CIDRs to the transit network depending on the routing configurations.
The Update Encrypted Spoke VPC/VNet CIDRs routing policy is supported on AWS, Azure, and GCP clouds. |