![\"\"](\"https:\/\/vminded.com\/wp-content\/uploads\/2021\/06\/Screenshot-2021-06-24-at-18.12.55.png\")
<\/figure>\n\n\n\nAnd created a service mesh:<\/p>\n\n\n\n Then I have extended 3 networks to the VMware Cloud on AWS SDDC: APP (VLAN 1712), DB (VLAN 1713) and WEB (VLAN 1711).<\/p>\n\n\n\n On the APP network (VLAN 1712), I have deployed one VM (DEB10-APP01) which is running in my VSAN on-premise 3 nodes cluster. This network Extension hasn’t MON feature enabled.<\/p>\n\n\n\n <\/p>\n\n\n\n I have also setup a second subnet called WEB(VLAN 1711). I have another VM (DEB10-WEB01) running there, which have been migrated on a new cluster in VMware Cloud on AWS. This extended network is MON enabled.<\/p>\n\n\n\n I have open a shell session and try to ping the on premise VM DEB10-APP01 from DEB10-WEB01. The trafic is flowing over the internet to my on-premise site through the service mesh:<\/p>\n\n\n\n Now I wanted to check where the default route is in the SDDC. Is it going to be the IGW through the T0 router or is it going to be the on-premise gateway?<\/p>\n\n\n\n To check, I have traceroute to the 8.8.8.8.<\/p>\n\n\n\n This is not using my on-premise gateway to egress traffic. However default traffic is going out through the T0 router and internet gateway of the SDDC in AWS.<\/p>\n\n\n\n So now how can I make traffic on a MON enabled network to egress via on-premises?<\/p>\n\n\n\n How HCX MON Policy routing works is very simple. When MON is enabled on a network extended segment, HCX adds the gateway IP with \/32 net mask into the SDDC Compute Gateway. For each VM that has MON enabled there is also a \/32 route injection for created or Migrated Virtual Machines. So whenever a Virtual machine on the different segment in the SDDC wants to reach the VM it will allow reachability from SDDC Compute Gateway.<\/p>\n\n\n\n There is a default setting in the Policy routing that is evaluated whenever a destination is not within the SDDC:<\/p>\n\n\n\n If the destination IP is matched in the policy and allowed by the policy, the trafic is forwarded to the on-premise gateway. If the destination IP is not listed in the policy settings then the traffic is sent to the T0 router in the SDDC and routed accordingly.<\/p>\n\n\n\n This setting can however be changed by editing it through a menu available from the ADVANCED tab in the console:<\/p>\n\n\n\n <\/p>\n\n\n\n The default MON Policy setting is, as displayed, allowing only RFC-1918 subnets to be routed back to on-premise gateway :<\/p>\n\n\n\n![\"\"](\"https:\/\/vminded.com\/wp-content\/uploads\/2021\/06\/Screenshot-2021-06-24-at-18.13.43.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/vminded.com\/wp-content\/uploads\/2021\/06\/Screenshot-2021-06-24-at-17.29.47-1024x371.png\")
![\"\"](\"https:\/\/vminded.com\/wp-content\/uploads\/2021\/06\/Screenshot-2021-06-24-at-17.32.46-1024x216.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/vminded.com\/wp-content\/uploads\/2021\/06\/Screenshot-2021-06-24-at-17.37.47-1024x255.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/vminded.com\/wp-content\/uploads\/2021\/06\/Screenshot-2021-06-24-at-17.44.04.png\")
![\"\"](\"https:\/\/vminded.com\/wp-content\/uploads\/2021\/06\/Screenshot-2021-06-24-at-18.05.37-1024x502.png\")
<\/figure>\n\n\n\nHow the HCX MON Policy routing works?<\/h2>\n\n\n\n
Changing the HCX MON Policy routes<\/h2>\n\n\n\n
![\"\"](\"https:\/\/vminded.com\/wp-content\/uploads\/2021\/06\/Screenshot-2021-06-24-at-19.14.04.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/vminded.com\/wp-content\/uploads\/2021\/06\/Screenshot-2021-06-24-at-19.22.52.png\")
![\"\"](\"https:\/\/vminded.com\/wp-content\/uploads\/2021\/06\/Screenshot-2021-06-24-at-19.25.51.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/vminded.com\/wp-content\/uploads\/2021\/06\/Screenshot-2021-06-24-at-19.25.57.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/vminded.com\/wp-content\/uploads\/2021\/06\/Screenshot-2021-06-24-at-19.30.13.png\")
<\/figure>\n\n\n\n