Direct Connect Hide VPC CIDR Blocks from BGP Peer

0

My customer will have Kubernetes clusters with thousands of pods. Each pod will get a IP address. They don't want all these IPs to be propagated back to on-premises network. Just want the host EC2 IPs to be propagated. Is this possible and how to selectively hide CIDR in VPC when they are using BGP Dynamic routing.

1 Answer
0
Accepted Answer

The only way to do it today on AWS side is via allowed prefixes on DXGW with TGW (not in all Regions yet): https://docs.aws.amazon.com/directconnect/latest/UserGuide/allowed-to-prefixes.html

To give you an idea, VPC could have 2 CIDR ranges. Primary used for EC2 and the other for CIDR for containers. You'd only allow (originate) the primary prefix on DXGW in this case and the other CIDR would not be advertised.

Customer of course could always just filter out whatever CIDRs they don't want on their end. Fairly trivial but you'd want to use at least 2 x CIDRs in your VPC to make their life simpler.

profile pictureAWS
EXPERT
answered 5 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions