Enabling BGP Route Approval
The Aviatrix Transit Gateway, BGP-enabled Spoke Gateway, and Edge Gateway dynamically learn BGP routes from remote sites. These learned routes are reported to the Aviatrix Controller, which propagates them and programs the route entries of a Spoke VPC or VNet route table.
There are scenarios where you may require an approval process before learned CIDRs are propagated to the Spoke VPC or VNet. For example, a specific VPN is connected to a partner network, and you need to make sure that undesirable routes, such as the default route (0.0.0.0/0), are not propagated into your own network, where they could accidentally bring down the network.
The Learned CIDR Approval feature enables the approval process. When this feature is enabled, dynamically learned routes from all remote peers trigger an email notification to the Controller administrator. The Controller administrator logs into CoPilot to approve the learned routes, which allows the routes to be propagated to the Spoke VPC or VNet route table.
Gateway Mode
Gateway mode is the default approval mode. In this mode, learned CIDR approval applies to all BGP connections configured on the gateway.
Connection Mode
Connection mode enables you to select a specific BGP connection for approval.
When Learned CIDR approval is not enabled, all dynamically learned routes are automatically propagated to the Spoke VPC or VNet route table.
Enabling Gateway Learned CIDR Approval
In Aviatrix CoPilot:
- Go to Cloud Fabric > Gateways > Transit Gateways or Spoke Gateways tab.
- In the table, locate and select the gateway on which to enable learned CIDR approval.
- Go to the gateway’s Settings tab and expand the Border Gateway Protocol (BGP) section.
- Set the Gateway Learned CIDR Approval toggle to On.
- To enable learned CIDR approval for all BGP connections configured on the gateway, select Gateway.
  A BGP-enabled Spoke Gateway only supports gateway-based Learned CIDR Approval, not connection-based approval.
- To enable learned CIDR approval for a specific BGP connection, select Connection; then from the Connection dropdown menu, select the BGP connection.
  A BGP connection that is not configured for approval learns all the routes from its remote peer automatically.
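The following Python script is an added illustration of the approval semantics described above, not Aviatrix code and not the Controller's actual logic. It models the three states a gateway can be in (approval off, gateway mode, connection mode), treats routes that fall inside a pre-approved CIDR (the Pre-Approved CIDRs list described in the approval sections of this page) as propagated without manual action, and holds everything else as pending. Pending routes are additionally flagged when they are the default route or overlap the local VPC/VNet CIDR, which are the cases an administrator would want to look at first before clicking Approve. The policy/route names, the `local_cidrs` parameter and the sample learned routes are constructed for the example.

```python
"""Simulation of Learned CIDR Approval semantics (added example, not Aviatrix code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ApprovalPolicy:
    """Hypothetical representation of the gateway's approval setting."""
    mode: str                          # "off", "gateway" or "connection"
    connections: frozenset = frozenset()  # connections needing approval (connection mode only)
    pre_approved: tuple = ()           # CIDR strings that never need manual approval


def _needs_approval(policy: ApprovalPolicy, connection: str) -> bool:
    """Gateway mode covers every connection; connection mode only the selected ones."""
    if policy.mode == "off":
        return False
    if policy.mode == "gateway":
        return True
    if policy.mode == "connection":
        return connection in policy.connections
    raise ValueError(f"unknown approval mode: {policy.mode}")


def classify_learned_routes(learned, policy: ApprovalPolicy, local_cidrs=()):
    """Split learned (connection, cidr) pairs into routes that propagate at once
    and routes that wait for an administrator. Pending entries carry review flags."""
    pre = [ipaddress.ip_network(c) for c in policy.pre_approved]
    local = [ipaddress.ip_network(c) for c in local_cidrs]
    result = {"propagate": [], "pending": []}
    for conn, cidr in learned:
        net = ipaddress.ip_network(cidr, strict=False)
        if not _needs_approval(policy, conn):
            result["propagate"].append((conn, str(net)))
            continue
        # A learned route wholly inside a pre-approved block propagates without review.
        if any(net.subnet_of(p) for p in pre if p.version == net.version):
            result["propagate"].append((conn, str(net)))
            continue
        flags = []
        if net.prefixlen == 0:
            flags.append("default-route")          # 0.0.0.0/0 or ::/0
        elif any(net.overlaps(l) for l in local if l.version == net.version):
            flags.append("overlaps-local")         # could steer local traffic to the peer
        result["pending"].append((conn, str(net), tuple(flags)))
    return result


# Constructed sample: routes advertised by two remote BGP peers.
SAMPLE_LEARNED = [
    ("partner-vpn", "0.0.0.0/0"),        # a partner leaking a default route
    ("partner-vpn", "192.168.50.0/24"),
    ("partner-vpn", "10.20.5.0/24"),     # inside our own VPC CIDR
    ("dc-dx", "172.16.0.0/12"),
    ("dc-dx", "172.16.8.0/22"),
]
LOCAL_VPC = ["10.20.0.0/16"]            # constructed local Spoke VPC CIDR
PRE_APPROVED = ("172.16.0.0/12",)       # constructed pre-approved data-center range

if __name__ == "__main__":
    for pol in (
        ApprovalPolicy("off"),
        ApprovalPolicy("gateway", pre_approved=PRE_APPROVED),
        ApprovalPolicy("connection", frozenset({"partner-vpn"}), PRE_APPROVED),
    ):
        out = classify_learned_routes(SAMPLE_LEARNED, pol, LOCAL_VPC)
        print(f"mode={pol.mode}: propagate={out['propagate']} pending={out['pending']}")
```

With approval off, every route lands in the route table immediately, including the default route. In gateway mode the two data-center routes still propagate because they sit inside the pre-approved block, while the three partner routes wait, with the default route and the route overlapping the local VPC flagged. In connection mode scoped to `partner-vpn`, the `dc-dx` routes need no approval at all, which matches the note above that an unselected connection learns its peer's routes automatically.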
Approving Learned CIDRs in CoPilot
When Gateway Learned CIDR Approval is enabled, an email notification is sent to the Aviatrix Controller administrator to approve the learned CIDRs before the learned CIDRs are propagated to the Spoke VPC or VNet route table.
Approving Learned CIDRs Enabled for a Gateway
In Aviatrix CoPilot:
- Go to Cloud Fabric > Gateways > Transit Gateways or Spoke Gateways tab.
- In the table, locate and select the gateway whose CIDRs you want to approve for propagation.
- Ensure that the Gateway Learned CIDR Approval setting is On (on the Settings tab for the selected gateway). This displays the Approval tab.
- Go to the gateway’s Approval tab.
- In the table, select the CIDR, then from the Actions dropdown menu choose Approve or Remove.
  You can also search for a CIDR using the Search field.
To add pre-approved CIDRs:
- Click + Pre-Approved CIDRs.
- In the Add Pre-Approved CIDRs dialog, enter one or more CIDRs and click Save.
Approving Learned CIDRs Enabled for a BGP Connection
If an external connection was previously selected for Learned CIDR Approval (either from the gateway or from the external connection’s Settings tab), an Approval tab is displayed for that external connection.
In Aviatrix CoPilot:
- Go to Networking > Connectivity > External Connections (S2C) tab and click + External Connection.
- In the table, locate and select the BGP connection whose CIDRs you want to approve for propagation.
- Go to the BGP connection’s Approval tab (displayed only if this connection was previously selected for Learned CIDR Approval).
- In the table, select the CIDR, then from the Actions dropdown menu choose Approve or Remove.
  You can also search for a CIDR using the Search field.
To add pre-approved CIDRs:
- Click + Pre-Approved CIDRs.
- In the Add Pre-Approved CIDRs dialog, enter one or more CIDRs and click Save.