Description
TL;DR
BGP needs to be able to filter not just advertised routes, but also received routes. An example user story would be wanting to use Cloud Interconnect to connect from GCP to AWS S3, and only AWS S3. This can be done with a public VIF (see Architecture 1 here) and route filters that only match the IP ranges used by S3.
Terraform Resources
Detailed design
Additional information
This PowerShell code generates a prefix-list that can be used in a route-map on a router to do the route filtering. Because AWS routes are sometimes aggregated in the ip-ranges.json file but deaggregated in the actual announcement, the "ge $cidr" (prefix length greater than or equal to the published prefix length) is necessary to pick up all the S3 routes.
I imagine this looking similar to advertised_ip_ranges = []; perhaps accepted_ip_ranges = []; but the ge needs to be taken into account for the deaggregated case.
```powershell
# Fetch the published AWS ranges and parse the JSON body
$aws_ips = (Invoke-WebRequest -Uri "https://ip-ranges.amazonaws.com/ip-ranges.json").Content | ConvertFrom-Json

# Keep only the IPv4 prefixes tagged with the S3 service
$s3_ips = $aws_ips.prefixes | Where-Object { $_.service -eq "S3" } | Select-Object -ExpandProperty ip_prefix -Unique

# Emit one prefix-list entry per prefix; "ge <len>" also matches any more-specific
# route that AWS actually announces for an aggregate listed in the file
foreach ($ip in $s3_ips) {
    $cidr = $ip.Split("/")[1]
    Write-Output "ip prefix-list AWSS3 permit $ip ge $cidr"
}
```
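To make the "ge" behaviour concrete, here is an added Python example (not part of this issue or of any Terraform provider code) that builds the same kind of prefix-list from a constructed ip-ranges.json fragment and then emulates how a router evaluates received routes against it. The prefix values in the sample are assumed placeholders, not real AWS ranges; the function names are this example's own. It goes slightly beyond the PowerShell above by showing why a deaggregated more-specific is permitted while a less-specific aggregate or a non-S3 prefix is denied.

```python
import ipaddress
import json

# Constructed sample in the shape of ip-ranges.json; the prefixes are
# placeholders (documentation ranges), not real AWS allocations.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "203.0.113.0/25", "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
        # The real file repeats prefixes under several services; dedupe by prefix.
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
    ],
})


def service_prefix_entries(ip_ranges_json, service="S3"):
    """Return (network, ge) tuples, one per distinct prefix of the service.

    ge is set to the published prefix length, so each entry matches the
    published aggregate and any more-specific route BGP may actually carry.
    """
    doc = json.loads(ip_ranges_json)
    seen = set()
    entries = []
    for p in doc["prefixes"]:
        if p["service"] != service or p["ip_prefix"] in seen:
            continue
        seen.add(p["ip_prefix"])
        net = ipaddress.ip_network(p["ip_prefix"])
        entries.append((net, net.prefixlen))
    return entries


def render_prefix_list(entries, name="AWSS3"):
    """Render entries as Cisco-style 'ip prefix-list' lines (implicit deny follows)."""
    return [f"ip prefix-list {name} permit {net} ge {ge}" for net, ge in entries]


def route_permitted(entries, route):
    """Emulate prefix-list evaluation for one received route.

    A route is permitted if it lies inside an entry's network and its
    prefix length is >= that entry's ge value; the address-family maximum
    (32 for IPv4) is the implicit upper bound. No match means deny.
    """
    r = ipaddress.ip_network(route)
    for net, ge in entries:
        if r.version == net.version and r.subnet_of(net) and r.prefixlen >= ge:
            return True
    return False


if __name__ == "__main__":
    entries = service_prefix_entries(SAMPLE_IP_RANGES)
    for line in render_prefix_list(entries):
        print(line)
    for route in ("198.51.100.0/24", "198.51.100.128/25", "198.51.0.0/16", "192.0.2.0/24"):
        print(f"{route:20} -> {'permit' if route_permitted(entries, route) else 'deny'}")
```

Run it directly to see the generated prefix-list and the verdict for each sample route: the published /24 and its deaggregated /25 are permitted, the covering /16 is denied (length below ge), and the EC2-only prefix is denied by the implicit deny at the end of the list.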