AWS “Allowed Prefixes” BGP Routing with More Specific Route

We have a subnet configured in the “Allowed prefixes,” a /16. You can’t change the size of a subnet after it’s been created. You have to delete and recreate it, which could be a pain.

Let’s say you have a request that requires you not to advertise the /16 because it overlaps with a subnet of a company you just bought out. Or it just overlaps, and you can do it anymore. Instead of deleting and recreating the configuration, you can advertise a more specific route and filter out the other subnets on the “on-prem” WAN routers.

So you have two options:

  1. Implement another IPv4 CIDR block by designating it as a secondary CIDR within your VPC.
  2. If applicable, establish a new VPC using the CIDR block of your choice and then transfer the resources from your existing VPC to this new one.

AWS: (add second CIDR block)
AWS Direct Connect > Virtual private gateways

Direct Connect gateway association settings
Allowed prefixes
List of prefixes you want to be allowed to be advertised to the on-premises network through the Direct Connect gateway.

Specify up to 200 prefixes, each prefix separated by a comma. Or, put each prefix on separate lines.

If we list both and in our allowed prefixes, AWS Direct Connect will advertise both routes, as both and are included in the list of allowed prefixes.

Remember that in BGP, more specific routes are preferred over less specific ones, assuming that all other attributes are equal. This means that for traffic to addresses in the – range, the /24 route will be preferred. For all other addresses in the – range, the /16 route will be used.

However, the final decision also depends on the routing policies of the on-premises network. If the on-premises router receives both routes, it should prefer the /24 for traffic to those addresses, unless there’s a routing policy in place that changes this behavior.

Cisco: (filter out /16 on-prem)

ip prefix-list PL_ALLOWED_ROUTES seq 10 permit
ip prefix-list PL_ALLOWED_ROUTES seq 20 permit le 32
ip prefix-list PL_ALLOWED_ROUTES seq 30 permit le 32

route-map RM_WAN_IN permit 10
 match ip address prefix-list PL_ALLOWED_ROUTES

The first entry matches exactly on the prefix. The next two entries match on the and networks respectively and any subnets within these ranges because of the “le 32” at the end.

The “le 32” at the end of a prefix in an IP prefix-list in Cisco IOS is used to match routes that have a prefix length that is less than or equal to the value specified, in this case, 32.

For example, ip prefix-list PL_ALLOWED_ROUTES seq 20 permit le 32 will match any route that starts with and has a prefix length that is less than or equal to 32.