About BGP Route Approval
Aviatrix Transit Gateways, BGP-enabled Spoke Gateways, and Edge Gateways dynamically learn BGP routes from remote peers. These learned routes are reported to the Aviatrix Controller, which then propagates and programs the route entries into the Spoke VPC or VNet route tables.
For scenarios such as a VPN connecting to a partner network, you may require an approval process before dynamically learned CIDRs propagate to the Spoke VPC or VNet. This prevents undesirable routes, such as the default route (0.0.0.0/0), from entering your network and causing outages.
The Learned CIDR Approval feature enforces this process. When enabled, routes dynamically learned from remote peers are held instead of being programmed, and an email notification is sent to the Controller administrator. To propagate the held routes to the Spoke VPC or VNet route table, the Controller administrator must log in to CoPilot and approve them (or match them with a pre-approval rule, described below).
Gateway Mode
Gateway mode is the default approval mode. In this mode, learned CIDR approval applies to all BGP connections configured on the gateway.
Connection Mode
Connection mode enables you to select one or more specific BGP connections on the gateway for approval; routes learned on the other connections are not gated.
To propagate all the dynamically learned routes to the Spoke VPC/VNet route table, set the Manual Approval toggle to Off. See Enabling Gateway Learned CIDR Approval for more information.
Enabling Gateway Learned CIDR Approval
To set an approval process for the dynamically learned CIDRs on a Transit or Spoke Gateway, in Aviatrix CoPilot:
- Go to Cloud Fabric > Gateways > Transit Gateways or Spoke Gateways tab. A table of gateways and their details appears.
- In the table, click the name of the gateway on which you want to enable learned CIDR approval.
- Go to the gateway’s Settings tab and expand the Border Gateway Protocol (BGP) section.
  The gateway’s Settings tab is in the same row as the Details, Instances, and Attachments tabs.
- Locate the Manual Learned CIDR Approval card and set the Manual Approval toggle to On.
  If the Manual Approval toggle is set to Off, all routes the gateway learns from its remote peers are approved automatically.
- To require approval for learned CIDRs on all BGP connections on the Transit Gateway or Spoke Gateway, select Gateway Level.
- To require approval for learned CIDRs on specific BGP connections on the Transit Gateway, select Connection Level. An On External Connections dropdown menu appears.
- From the On External Connections dropdown menu, select one or more BGP connections on which to enable learned CIDR approval.
- Click Save.
An approval process is now set for the dynamically learned CIDRs on the Transit or Spoke Gateway.
Approving Learned CIDRs in CoPilot
When Gateway Learned CIDR Approval is enabled, an email notification is sent to the Aviatrix Controller administrator to approve the learned CIDRs. On approval the learned CIDRs are propagated to the Spoke VPC or VNet route table.
Approving Learned CIDRs Enabled for a Gateway
The following are the types of approval for a gateway:
- Manual Approval: All learned CIDRs from all BGP connections on the gateway require approval.
- Pre-Approval: You can add one, multiple, or a range of CIDRs to a pre-approved CIDRs rule. Any learned CIDR that matches a pre-approved CIDR in the rule is automatically approved and propagated to the Spoke VPC or VNet route table without requiring manual approval.
Manual Approval
For Manual Approval of learned CIDRs, in Aviatrix CoPilot:
- Go to Cloud Fabric > Gateways > Transit Gateways or Spoke Gateways tab. A table of gateways and their details appears.
- In the table, click the name of the gateway whose learned CIDRs you want to approve.
- Click the Route Approval tab. A table of learned CIDRs appears.
  The Route Approval tab only appears for a gateway if the Manual Approval toggle is set to On for the gateway.
- In the table, select the CIDRs and click + Approval Rules.
- To use the Free Range Routing (FRR) syntax, set the FRR Syntax toggle to On. See FRR Syntax for more information.
- To add CIDRs using a relationship operator between a Base CIDR and a Prefix Length instead of FRR syntax, set the FRR Syntax toggle to Off.
- Click +Rule. A new row appears in the Create Approval Rules table.
- In the new row, enter the Base CIDR, select the relationship operator, and enter the Prefix Length.
- Click Approve.
Examples:
| Base CIDR | Relationship | Prefix Length | Description | Examples of Approved CIDRs |
|---|---|---|---|---|
| 10.1.0.0/16 | Exact Match | 16 | Approves only the Base CIDR. | 10.1.0.0/16 |
| 10.1.0.0/16 | Greater Than or Equal To | 16 | Approves the Base CIDR and any more specific CIDR inside it, that is, any prefix length from /16 through /32. | 10.1.0.0/16, 10.1.5.0/24, 10.1.5.1/32 |
| 10.1.0.0/16 | Less Than or Equal To | 24 | Approves the Base CIDR and any CIDR inside it with a prefix length up to /24, that is, /16 through /24. | 10.1.0.0/16, 10.1.5.0/24 (not 10.1.5.1/32) |
| 10.0.0.0/8 | Prefix Length Range | 16-24 | Approves CIDRs inside 10.0.0.0/8 only if their prefix length is between /16 and /24, inclusive. The Base CIDR 10.0.0.0/8 itself is not approved because /8 is outside the range. | 10.1.0.0/16, 10.1.5.0/24 (not 10.0.0.0/8 or 10.1.5.1/32) |
The selected CIDRs learned from the remote peer are approved.
Pre-Approval
For Pre-Approval of learned CIDRs, in Aviatrix CoPilot:
- Go to Cloud Fabric > Gateways > Transit Gateways or Spoke Gateways tab. A table of gateways and their details appears.
- In the table, click the name of the gateway for which you want to pre-approve CIDRs.
- Click the Route Approval tab. A table of learned CIDRs appears.
- Click Approval Rules.
- Click + Approval Rule. The Create Approval Rules dialog appears.
- To use the Free Range Routing (FRR) syntax, set the FRR Syntax toggle to On. See FRR Syntax for more information.
- To add CIDRs using a relationship operator between a Base CIDR and a Prefix Length instead of FRR syntax, set the FRR Syntax toggle to Off.
- Click +Rule. A new row appears in the Create Approval Rules table.
- In the new row, enter the Base CIDR, select the relationship operator, and enter the Prefix Length.
- Click Save Draft.
- Click Commit.
Examples: the Base CIDR, Relationship, and Prefix Length combinations, and the CIDRs they approve, are the same as in the examples table under Manual Approval for a gateway, above.
The added CIDRs are pre-approved when learned from the remote peer.
Approving Learned CIDRs Enabled for a BGP Connection
The following are the types of approval for an external connection:
- Manual Approval: All learned CIDRs on the external connection require approval.
- Pre-Approval: You can add one, multiple, or a range of CIDRs to a pre-approved CIDRs rule. Any learned CIDR that matches a pre-approved CIDR in the rule is automatically approved and propagated to the Spoke VPC or VNet route table without requiring manual approval.
If you select an external connection for Learned CIDR Approval (either from the gateway or from the external connection’s Settings tab), CoPilot displays a Route Approval tab for that connection.
Manual Approval
For Manual Approval of learned CIDRs, in Aviatrix CoPilot:
- Go to Networking > Connectivity > External Connections (S2C) tab. A table of external connections and their details appears.
- Click the name of the connection whose learned CIDRs you want to approve.
- Click the Route Approval tab. A table of learned CIDRs appears.
  The Route Approval tab only appears for a connection if the Manual Learned CIDR Approval toggle is set to On for the connection.
- In the table, select the CIDRs and click + Approval Rules.
- To use the Free Range Routing (FRR) syntax, set the FRR Syntax toggle to On. See FRR Syntax for more information.
- To add CIDRs using a relationship operator between a Base CIDR and a Prefix Length instead of FRR syntax, set the FRR Syntax toggle to Off.
- Click +Rule. A new row appears in the Create Approval Rules table.
- In the new row, enter the Base CIDR, select the relationship operator, and enter the Prefix Length.
- Click Save Draft.
- Click Commit.
Examples: the Base CIDR, Relationship, and Prefix Length combinations, and the CIDRs they approve, are the same as in the examples table under Manual Approval for a gateway, above.
The selected CIDRs learned from the remote peer are approved.
Pre-Approval
For Pre-Approval of learned CIDRs, in Aviatrix CoPilot:
- Go to Networking > Connectivity > External Connections (S2C) tab. A table of external connections and their details appears.
- Click the name of the connection for which you want to pre-approve CIDRs.
- Click the Route Approval tab.
- Click Approval Rules.
- Click + Approval Rule. The Create Approval Rules dialog appears.
- To use the Free Range Routing (FRR) syntax, set the FRR Syntax toggle to On. See FRR Syntax for more information.
- To add CIDRs using a relationship operator between a Base CIDR and a Prefix Length instead of FRR syntax, set the FRR Syntax toggle to Off.
- Click +Rule. A new row appears in the Create Approval Rules table.
- In the new row, enter the Base CIDR, select the relationship operator, and enter the Prefix Length.
- Click Save Draft.
- Click Commit.
Examples: the Base CIDR, Relationship, and Prefix Length combinations, and the CIDRs they approve, are the same as in the examples table under Manual Approval for a gateway, above.
The added CIDRs are pre-approved when learned from the remote peer.
FRR Syntax
Use Free Range Routing (FRR) prefix-list syntax, base-cidr [ge N] [le M], with ‘ge’ (greater than or equal to) and ‘le’ (less than or equal to) to match a range of prefix lengths inside the base CIDR. This approves multiple routes without needing to specify each exact match. A rule with neither ge nor le matches only the exact base CIDR.
For example, 10.1.0.0/16 ge 16 le 24 matches any prefix within the 10.1.0.0/16 block that has a prefix length between /16 and /24, where /16 and /24 are inclusive.
Special Cases
- 0.0.0.0/0 le 32 matches all CIDRs: every prefix lies inside 0.0.0.0/0 and every prefix length is at most 32.
- 0.0.0.0/0 ge 0 only matches the exact default route. A ge or le value of 0 is treated as not specified, so this rule behaves like 0.0.0.0/0 with no range, that is, an exact match.
Examples:
| FRR syntax | Relationship | Description | Examples of approved CIDRs |
|---|---|---|---|
| 10.1.0.0/16 ge 16 | Greater than or equal to | Approves the base CIDR and any more specific CIDRs inside the same block (prefix lengths /16 through /32). | 10.1.0.0/16, 10.1.5.0/24, 10.1.5.1/32 |
| 10.1.0.0/16 le 24 | Less than or equal to | Approves the base CIDR and any CIDRs in this block up to prefix length /24. | 10.1.0.0/16, 10.1.5.0/24 (not 10.1.5.1/32) |
| 10.0.0.0/8 ge 16 le 24 | Prefix length range | Approves CIDRs only if they lie inside the base CIDR and have prefix lengths between /16 and /24. | 10.1.0.0/16, 10.1.5.0/24. The 10.0.0.0/8 CIDR itself is not approved. |
| 10.1.0.0/16 ge 24 le 24 | Exact prefix length match | Approves CIDRs only if they lie inside the base CIDR and have prefix length /24. | 10.1.5.0/24. The 10.1.0.0/16 CIDR itself is not approved. |
| 10.1.0.0/16 | Exact match | Approves only the base CIDR. | 10.1.0.0/16 |
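The following is an added example, not Aviatrix or FRR code, that evaluates approval rules written either in FRR syntax or as CoPilot Base CIDR / Relationship / Prefix Length rows (the relationship-operator tables earlier on this page) against a constructed set of learned routes, including a partner-advertised default route. It assumes FRR prefix-list matching semantics: the learned prefix must lie inside the rule's base CIDR, and a ge or le value of 0 counts as not specified, so a rule with neither set is an exact match. The class and function names (ApprovalRule, evaluate), the mapping of Exact Match to "ge N le N", and the sample routes and rules are all assumptions made for the example.

```python
"""Evaluate learned-CIDR approval rules (CoPilot relationship operators and FRR syntax).

Added example; not Aviatrix code. Matching follows FRR prefix-list semantics (assumed):
the learned prefix must lie inside the rule's base CIDR, and a ge/le value of 0 counts
as "not specified", so a rule with neither set matches only the exact base CIDR. That is
why `0.0.0.0/0 ge 0` matches just the default route while `0.0.0.0/0 le 32` matches all.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# base-cidr [ge N] [le M]
_FRR_RULE = re.compile(r"^\s*(\S+)(?:\s+ge\s+(\d+))?(?:\s+le\s+(\d+))?\s*$")


@dataclass(frozen=True)
class ApprovalRule:  # hypothetical name, not an Aviatrix API
    base: ipaddress.IPv4Network
    ge: int = 0  # minimum prefix length, inclusive; 0 = not specified
    le: int = 0  # maximum prefix length, inclusive; 0 = not specified

    @classmethod
    def from_frr(cls, text: str) -> "ApprovalRule":
        """Parse FRR syntax such as '10.0.0.0/8 ge 16 le 24'."""
        m = _FRR_RULE.match(text)
        if not m:
            raise ValueError(f"malformed FRR rule: {text!r}")
        base = ipaddress.ip_network(m.group(1), strict=True)
        ge, le = int(m.group(2) or 0), int(m.group(3) or 0)
        if ge > base.max_prefixlen or le > base.max_prefixlen or (ge and le and ge > le):
            raise ValueError(f"invalid prefix-length range in {text!r}")
        return cls(base, ge, le)

    @classmethod
    def from_operator(cls, base: str, relationship: str, prefix_length: str) -> "ApprovalRule":
        """Translate a CoPilot Base CIDR / Relationship / Prefix Length row into ge/le."""
        if relationship == "Prefix Length Range":           # e.g. "16-24"
            lo, hi = prefix_length.split("-")
            return cls.from_frr(f"{base} ge {int(lo)} le {int(hi)}")
        n = int(prefix_length)
        if relationship == "Exact Match":                   # assumed: same as 'ge N le N'
            return cls.from_frr(f"{base} ge {n} le {n}")
        if relationship == "Greater Than or Equal To":
            return cls.from_frr(f"{base} ge {n}")
        if relationship == "Less Than or Equal To":
            return cls.from_frr(f"{base} le {n}")
        raise ValueError(f"unknown relationship: {relationship!r}")

    def matches(self, cidr: str) -> bool:
        """True if the learned CIDR is covered by this rule."""
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != self.base.version or not net.subnet_of(self.base):
            return False
        if not self.ge and not self.le:                    # neither given: exact match only
            return net.prefixlen == self.base.prefixlen
        if self.ge and net.prefixlen < self.ge:
            return False
        if self.le and net.prefixlen > self.le:
            return False
        return True


def evaluate(rules: Iterable[ApprovalRule], learned: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split learned CIDRs into (auto-approved, pending manual approval)."""
    rules = list(rules)
    approved: List[str] = []
    pending: List[str] = []
    for cidr in learned:
        (approved if any(r.matches(cidr) for r in rules) else pending).append(cidr)
    return approved, pending


# Constructed sample: what a partner peer might advertise, including a default route.
LEARNED = ["10.1.0.0/16", "10.1.5.0/24", "10.1.5.1/32", "10.2.0.0/16",
           "10.0.0.0/8", "192.168.10.0/24", "0.0.0.0/0"]

# Constructed pre-approval rules: one in FRR syntax, one as a CoPilot relationship row.
PRE_APPROVED = [
    ApprovalRule.from_frr("10.1.0.0/16 le 24"),
    ApprovalRule.from_operator("10.0.0.0/8", "Prefix Length Range", "16-24"),
]

if __name__ == "__main__":
    ok, held = evaluate(PRE_APPROVED, LEARNED)
    print("auto-approved:", ok)
    print("pending manual approval:", held)
```

Running the file shows that the partner's /16 and its /24 subnets, plus 10.2.0.0/16, are approved automatically, while the /32 host route, the 10.0.0.0/8 aggregate (its /8 length is outside the 16-24 range, as the table above notes), the 192.168.10.0/24 route outside both bases, and the 0.0.0.0/0 default route all stay pending for manual approval, which is the outcome the approval feature exists to guarantee.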