
Using NSX-T Policy API to retrieve the Routing Table in VMC

In VMware Cloud on AWS, the default behavior of the NSX-T Distributed Firewall is to allow all traffic between compute workloads, even across different logical networks. In this blog post, we show you how to change the default function to Deny All, which instead blocks all traffic.

When configuring connectivity from your on-premises environment to your VMware Cloud on AWS (VMC) NSX-T SDDC, you can use either a Direct Connect (DX) or a Route/Policy-based VPN. During the configuration, it is useful to have insight into the network routing table, especially if you need to verify a specific route or for general network debugging. The NSX-T routing table in VMC is not currently available in the Network and Security UI. However, this information can be retrieved using the NSX-T Policy API, which I have written about quite extensively in earlier posts.

The NSX-T routing table can be retrieved by performing a GET operation on:

/policy/api/v1/infra/tier-0s/vmc/routing-table?enforcement_point_path=/infra/deployment-zones/default/enforcement-points/vmc-enforcementpoint

By default, you will get the entire routing table, but you can also filter on a specific route source such as BGP, Static or Connected routes by appending the following query parameter to the request URL: route_source={BGP,CONNECTED,STATIC}. Because the URL already carries the enforcement_point_path query string, the parameter is joined with & rather than a second ?.

To demonstrate how this API works, I have created a new function in my VMC NSX-T PowerShell Module as well as a quick shell script sample using cURL.
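The request described above, as an added shell/cURL example (not the author's list_vmc_nsxt_route_table.sh). Assumptions: the REFRESH_TOKEN, ORG_ID, SDDC_ID and ROUTE_SOURCE environment variable names are hypothetical, jq is installed, and the NSX-T reverse proxy URL is read from the SDDC's resource_config.nsx_api_public_endpoint_url field after exchanging the refresh token at the CSP authorize endpoint.

```shell
#!/bin/sh
# Added example, not the author's script. Env var names below are assumptions.
EP_PATH="/infra/deployment-zones/default/enforcement-points/vmc-enforcementpoint"

# build_route_table_url BASE [ROUTE_SOURCE]
# Prints the routing-table URL. Fails on a non-HTTPS base (the CSP token must
# never travel in clear text) or on a route source outside the allowlist.
build_route_table_url() {
  rt_base="${1%/}"                                  # tolerate a trailing slash
  rt_src=$(printf '%s' "${2:-}" | tr '[:lower:]' '[:upper:]')
  case "$rt_base" in
    https://?*) ;;
    *) echo "refusing non-HTTPS base URL: $1" >&2; return 1 ;;
  esac
  rt_url="${rt_base}/policy/api/v1/infra/tier-0s/vmc/routing-table?enforcement_point_path=${EP_PATH}"
  case "$rt_src" in
    "") ;;                                          # no filter: entire table
    BGP|CONNECTED|STATIC) rt_url="${rt_url}&route_source=${rt_src}" ;;
    *) echo "unknown route source: $2" >&2; return 1 ;;
  esac
  printf '%s\n' "$rt_url"
}

# Exchange the refresh token, look up the SDDC's NSX-T proxy, fetch the table.
get_route_table() {
  csp_token=$(curl -sf -X POST \
      "https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize" \
      --data-urlencode "refresh_token=${REFRESH_TOKEN}" | jq -r '.access_token')
  if [ -z "$csp_token" ] || [ "$csp_token" = "null" ]; then
    echo "token exchange failed" >&2; return 1
  fi
  # Assumed field: resource_config.nsx_api_public_endpoint_url
  nsx_proxy=$(curl -sf -H "csp-auth-token: ${csp_token}" \
      "https://vmc.vmware.com/vmc/api/orgs/${ORG_ID}/sddcs/${SDDC_ID}" \
      | jq -r '.resource_config.nsx_api_public_endpoint_url')
  rt_request=$(build_route_table_url "$nsx_proxy" "${ROUTE_SOURCE:-}") || return 1
  curl -sf -H "csp-auth-token: ${csp_token}" "$rt_request" | jq .
}

# Only touch the network when credentials are supplied in the environment.
if [ -n "${REFRESH_TOKEN:-}" ]; then
  get_route_table
fi
```

Supplying the refresh token through the environment keeps it out of shell history, although it is still visible in the curl process arguments while the request runs.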

For PowerShell/PowerCLI users, I have a new Get-NSXTRouteTable function which will list the entire routing table by default as shown in the screenshot below.

 

You can also filter on a specific route source such as BGP, CONNECTED or STATIC routes by simply providing the -RouteSource argument and the route source type. In the screenshot below, I am only interested in the BGP routes.

 

Here is the output when running the list_vmc_nsxt_route_table.sh script which requires a valid CSP Refresh Token, OrgId and SDDCId.