Creating and deleting prefix filters

Prefix filtering allows you to set an ordered list of filters that determine the routes your transit gateway should accept or deny. You can add optional prefix filters when you add connections while creating a transit gateway, or after a transit gateway is provisioned.

Before you begin

Make sure to review Prefix filtering considerations before you create or delete a prefix filter.

Creating prefix filters in the UI

To create a prefix filter in the UI, follow these steps:

  1. From the Transit Gateway page, click the name of the gateway where you want to create prefix filters.

  2. The prefix filtering icon shows if a connection already has prefix filters. Click the icon and then click View to show the prefix filtering side panel.

  3. If the connection does not have existing prefix filters, click the Actions menu and select Prefix filtering.

  4. Adjust the default filter as needed. Your choices are as follows:

    • Permit prefixes (default) indicates that all prefixes in this connection are accessible to all other connections in this transit gateway. In this case, "all" means up to the established quota and limits.
    • Deny prefixes indicates that no prefixes from this connection are accessible to any other connection on this transit gateway.
  5. Click Create prefix filter, then configure the filter with the following options:

    • Select an action type: Permit or Deny.
    • Enter the network prefix along with its subnet mask (for example, 10.0.0.0/16).
    • Optionally, enter values for whether the network should be greater than or equal to the subnet mask that you chose.
    • Click Save to create the prefix filter.

    Connections are denied or permitted based on the order of the filters in the list. Edit the prefix filter list to adjust the order in which prefixes are processed.

Deleting prefix filters in the UI

To delete a prefix filter for an existing connection in the UI, follow these steps:

  1. From the details page of the transit gateway, identify the connection where you want to delete prefix filters.

    The prefix filtering icon shows if a connection already has prefix filters.

  2. Click the connection's Actions menu icon and select Prefix filtering.

  3. Click the Actions menu icon next to the prefix filter that you want to delete. Then, click Delete.

  4. Click Delete prefix filter to confirm deletion.

Creating prefix filters from the CLI

To create prefix filters from the CLI, follow these steps:

ibmcloud tg prefix-filter-create GATEWAY_ID CONNECTION_ID --prefix PREFIX --action ACTION [--le LE] [--ge GE] [--before BEFORE] [--output json]

Where:

  • GATEWAY_ID: ID of the gateway that the prefix filter is being applied to.

  • CONNECTION_ID: ID of the connection that the prefix filter is being applied to.

  • --prefix: Network prefix that the filter will be applied to.

  • --action: Action to take on the specified prefix (permit | deny).

  • --le: Optional: The prefix filter is applied to a subnet mask less than or equal to this value.

  • --ge: Optional: The prefix filter is applied to a subnet mask greater than or equal to this value.

  • --before: Optional: Identifier of the prefix filter that this filter should be applied before. If empty, this filter is applied last.

  • --output: Optional: Specify whether you want the output to display in JSON format.

Example: Creating a prefix filter

An example of creating a prefix filter from the CLI is as follows:

ibmcloud tg pfc 9f559c43-63f4-4da5-b312-b525a8dce185 6c1bdc19-4adb-4760-8cdc-ef3b74b626f7 --prefix 10.0.250.0/24 --action permit --le 32 --ge 28

FilterID   b4dbe0a6-c52d-4128-cc32-6f53d86bc82b
Prefix     10.0.250.0/24
Action     permit
Ge         28
Le         32
Before
Created    2022-02-28T12:35:09.226-06:00
Updated    2022-02-28T12:35:09.226-06:00
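
How --ge, --le, --before and the connection's default filter combine on a set of routes, as an added example (not IBM's code and not part of the original page). It assumes conventional prefix-list semantics, which this page does not spell out: the first matching filter decides, and a filter without ge/le matches only its exact prefix length. The short filter IDs and the routes are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class PrefixFilter:
    id: str                      # constructed short IDs, not real filter IDs
    action: str                  # "permit" or "deny"
    prefix: str
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: str) -> bool:
        net, r = ipaddress.ip_network(self.prefix), ipaddress.ip_network(route)
        if r.version != net.version or not r.subnet_of(net):
            return False
        # Assumed semantics: no ge/le -> exact prefix length only;
        # a missing ge defaults to the filter's length, a missing le to the maximum.
        if self.ge is None and self.le is None:
            return r.prefixlen == net.prefixlen
        lo = net.prefixlen if self.ge is None else self.ge
        hi = net.max_prefixlen if self.le is None else self.le
        return lo <= r.prefixlen <= hi

def insert_filter(filters, new, before=None):
    """Mirror --before: place `new` ahead of filter `before`; if empty, apply it last."""
    if before is None:
        return filters + [new]
    idx = [f.id for f in filters].index(before)   # ValueError if the ID is unknown
    return filters[:idx] + [new] + filters[idx:]

def evaluate(route, filters, default_action):
    """Return (action, deciding filter ID or 'default'); first match wins (assumed)."""
    for f in filters:
        if f.matches(route):
            return f.action, f.id
    return default_action, "default"

def audit(routes, filters, default_action="deny"):
    """Map each route to its outcome under the ordered filters and the default filter."""
    return {r: evaluate(r, filters, default_action) for r in routes}

# The page's CLI example filter, with the connection's default filter set to deny.
PAGE_FILTER = PrefixFilter("permit-250", "permit", "10.0.250.0/24", ge=28, le=32)
ROUTES = ["10.0.250.0/24", "10.0.250.16/28", "10.0.250.5/32", "10.0.251.0/28"]  # constructed
DENY_16 = PrefixFilter("deny-16", "deny", "10.0.250.16/28")

if __name__ == "__main__":
    for name, flt in [("page filter only", [PAGE_FILTER]),
                      ("deny appended last", insert_filter([PAGE_FILTER], DENY_16)),
                      ("deny before permit", insert_filter([PAGE_FILTER], DENY_16, "permit-250"))]:
        print(name, audit(ROUTES, flt))
```

Under these assumptions, the example filter does not permit the 10.0.250.0/24 route itself, only its /28 to /32 subnets, and a deny filter appended last is shadowed by the earlier permit until it is placed ahead of it with --before.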

Deleting prefix filters from the CLI

To delete prefix filters from the CLI, follow these steps:

ibmcloud tg prefix-filter-delete GATEWAY_ID CONNECTION_ID FILTER_ID [-f, --force]

Where:

  • GATEWAY_ID: ID of the gateway that the prefix filter will be deleted from.

  • CONNECTION_ID: ID of the connection that the prefix filter will be deleted from.

  • FILTER_ID: ID of the prefix filter that is being deleted.

  • --force, -f: Force the deletion operation without confirmation.

Example: Deleting a prefix filter

This is an example of deleting a prefix filter from the CLI.

ibmcloud tg pfd 9f559c43-63f4-4da5-b312-b525a8dce185 6c1bdc19-4adb-4760-8cdc-ef3b74b626f7 b4dbe0a6-c52d-4128-cc32-6f53d86bc82b

This deletes filter b4dbe0a6-c52d-4128-cc32-6f53d86bc82b on gateway 9f559c43-63f4-4da5-b312-b525a8dce185 connection 6c1bdc19-4adb-4760-8cdc-ef3b74b626f7 and can't be undone. Continue [y/N] ?> Y
Deleting filter b4dbe0a6-c52d-4128-cc32-6f53d86bc82b on gateway 9f559c43-63f4-4da5-b312-b525a8dce185 connection 6c1bdc19-4adb-4760-8cdc-ef3b74b626f7 under account bbstsdv1 - IBM as user Hasan.Mahmood.Khan@ibm.com...
OK
Filter b4dbe0a6-c52d-4128-cc32-6f53d86bc82b is deleted.

Creating prefix filters with the API

Follow these steps to create a prefix filter with the API:

  1. Set up your API environment.

  2. Store any additional variables to be used in the API commands.

  3. When all variables are initiated, create prefix filters. For example:

    curl -X POST --location --header "Authorization: Bearer {iam_token}" \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '{ "action": "permit", "prefix": "192.168.100.0/24" }' \
    "{base_url}/transit_gateways/{transit_gateway_id}/connections/{id}/prefix_filters?version={version}"
    

For more information, see Adds a prefix filter to a Transit Gateway Connection in the Transit Gateway API reference.

Deleting prefix filters with the API

  1. Set up your API environment.

  2. Store any additional variables to be used in the API commands.

  3. When all variables are initiated, delete the prefix filter. For example:

    curl -X DELETE --location \
    --header "Authorization: Bearer {iam_token}" \
    "{base_url}/transit_gateways/{transit_gateway_id}/connections/{id}/prefix_filters/{filter_id}?version={version}"
    

For more information, see Removes a prefix filter from Transit Gateway Connection in the Transit Gateway API reference.

Creating and deleting prefix filters with Terraform

Review the following argument references that you can specify for your resource when you create or delete a prefix filter:

Arguments when adding or deleting a prefix filter using Terraform

  • gateway: Required. String. The unique identifier of the gateway.

  • connection_id: Required. String. The unique identifier of the gateway connection.

  • action: Required. String. Whether to permit or deny any matching prefix.

  • prefix: Required. String. The IP prefix.

  • before: Optional. String. The identifier of the prefix filter to place this filter in front of. When a filter references another filter in its before field, the filter making the reference is applied before the referenced filter. For example, if filter A references filter B in its before field, A is applied before B.

  • ge: Optional. Integer. The IP prefix GE. The GE (greater than or equal to) value sets the minimum prefix length on which the filter action is applied.

  • le: Optional. Integer. The IP prefix LE. The LE (less than or equal to) value sets the maximum prefix length on which the filter action is applied.

Example

This example shows how to create a prefix filter:

resource "ibm_tg_connection_prefix_filter" "test_tg_prefix_filter" {
    gateway = ibm_tg_gateway.new_tg_gw.id
    connection_id = ibm_tg_connection.test_ibm_tg_connection.connection_id
    action = "permit"
    prefix = "192.168.100.0/24"
    le = 32
    ge = 24
}

To remove a prefix filter, use the terraform destroy -target=ibm_tg_connection_prefix_filter.[prefix filter name] command.