Hello Jose
The problem you’re describing is commonly solved in modern VXLAN EVPN fabrics using the overlay control plane. The key insight is that tenant routing (including default routes) typically travels in the EVPN overlay using Type-5 routes with Route Targets, while the underlay (eBGP Multi-AS between spines/leafs) only carries VTEP loopbacks and infrastructure reachability. Spines don’t need to understand tenant VRFs; they just reflect/transit EVPN routes with extended communities intact. Remember, in most designs, the default route is originated or learned on the border gateway and then advertised into EVPN per tenant VRF.
There are some common variations that can be deployed:
Variation A: Per-Tenant VRF on Border (Most Common for IaaS)
- Border Gateway has VRF for each tenant needing Internet
- Clean isolation, scales well with automation
- Each VRF peers separately with firewall/upstream (or uses subinterfaces)
Variation B: External/Internet VRF + Route Leaking
- Single “Internet VRF” on Border Gateway facing firewall/ISP
- Use inter-VRF route leaking with RT manipulation to provide the default route only to selected tenant VRFs
- Reduces VRF sprawl at the edge but adds complexity in route policies
Variation C: Shared Services VRF
- Centralized services VRF with strict import/export controls
- Good when Internet access goes through centralized security services
Nice instincts on the network design!
I hope this has been helpful!
Laz
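As an added illustration (not part of Laz's reply and not any vendor's configuration), the following Python model shows the Route Target mechanics behind Variation B: a single INTERNET VRF on the border leaf originates the default route, an export map tags only 0.0.0.0/0 with a dedicated RT, and each tenant VRF decides whether to import it. The spine is modelled as a VRF-unaware reflector that passes routes through with their extended communities intact. All VTEP names, loopbacks, ASN 65000, VNIs and RT values are constructed assumptions for the example.

```python
"""Toy model of EVPN Type-5 export/import driven by Route Targets (constructed
example: VTEPs, loopbacks, ASN 65000, VNIs and RT values are assumptions)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

ASN = 65000  # assumed overlay ASN used to derive "auto" RTs (ASN:VNI)


def auto_rt(vni: int) -> str:
    return f"{ASN}:{vni}"


@dataclass(frozen=True)
class Type5Route:
    """EVPN IP Prefix (Type-5) route, reduced to the fields that matter here."""
    prefix: str
    next_hop: str      # originating VTEP loopback, reachable via the underlay
    l3vni: int         # VNI the receiving VTEP must encapsulate with
    rts: frozenset     # route-target extended communities (carried untouched)


@dataclass
class Vrf:
    name: str
    l3vni: int
    import_rts: Set[str]
    export_rts: Set[str]
    # "export map": extra RTs attached to a given prefix (models a route-map)
    export_map: Optional[Callable[[str], Set[str]]] = None
    local: Set[str] = field(default_factory=set)               # locally originated
    rib: Dict[str, Type5Route] = field(default_factory=dict)   # imported routes


class Vtep:
    def __init__(self, name: str, loopback: str):
        self.name, self.loopback = name, loopback
        self.vrfs: Dict[str, Vrf] = {}

    def add_vrf(self, vrf: Vrf) -> Vrf:
        self.vrfs[vrf.name] = vrf
        return vrf

    def export(self) -> List[Type5Route]:
        """Originate one Type-5 route per local prefix of each VRF, tagged with RTs."""
        routes = []
        for vrf in self.vrfs.values():
            for prefix in sorted(vrf.local):
                rts = set(vrf.export_rts)
                if vrf.export_map is not None:
                    rts |= vrf.export_map(prefix)
                routes.append(Type5Route(prefix, self.loopback, vrf.l3vni, frozenset(rts)))
        return routes

    def receive(self, routes: List[Type5Route]) -> None:
        """Import policy: a route is installed in every VRF whose import RTs match."""
        for r in routes:
            if r.next_hop == self.loopback:
                continue  # our own advertisement, nothing to import
            for vrf in self.vrfs.values():
                if r.rts & vrf.import_rts:
                    vrf.rib[r.prefix] = r


class Spine:
    """Route reflector / transit: holds no tenant VRFs, leaves communities intact."""
    def reflect(self, routes: List[Type5Route]) -> List[Type5Route]:
        return list(routes)


RT_DEFAULT_TO_TENANTS = f"{ASN}:999"  # assumed RT carrying only 0.0.0.0/0 out of INTERNET
RT_TENANT_TO_INTERNET = f"{ASN}:900"  # assumed RT for tenant prefixes allowed into INTERNET


def build_fabric() -> Dict[str, Vtep]:
    """Variation B: one INTERNET VRF on the border; default leaked to TENANT-A only."""
    border = Vtep("border1", "10.0.0.1")
    border.add_vrf(Vrf("INTERNET", 50099,
                       import_rts={auto_rt(50099), RT_TENANT_TO_INTERNET},
                       export_rts={auto_rt(50099)},
                       export_map=lambda p: {RT_DEFAULT_TO_TENANTS} if p == "0.0.0.0/0" else set(),
                       local={"0.0.0.0/0", "203.0.113.0/24"}))  # default + a public block
    leaf1 = Vtep("leaf1", "10.0.0.2")
    leaf1.add_vrf(Vrf("TENANT-A", 50001,  # Internet-enabled tenant
                      import_rts={auto_rt(50001), RT_DEFAULT_TO_TENANTS},
                      export_rts={auto_rt(50001), RT_TENANT_TO_INTERNET},
                      local={"10.1.1.0/24"}))
    leaf2 = Vtep("leaf2", "10.0.0.3")
    leaf2.add_vrf(Vrf("TENANT-B", 50002,  # no Internet: imports only its own RT
                      import_rts={auto_rt(50002)},
                      export_rts={auto_rt(50002)},
                      local={"10.2.1.0/24"}))
    vteps = {v.name: v for v in (border, leaf1, leaf2)}
    advertised = [r for v in vteps.values() for r in v.export()]
    for v in vteps.values():
        v.receive(Spine().reflect(advertised))
    return vteps


def lookup(vteps: Dict[str, Vtep], vtep: str, vrf: str, prefix: str) -> Optional[Tuple[str, int]]:
    """Return (next-hop VTEP, VNI to encapsulate with) if the VRF imported the prefix."""
    r = vteps[vtep].vrfs[vrf].rib.get(prefix)
    return None if r is None else (r.next_hop, r.l3vni)


if __name__ == "__main__":
    fabric = build_fabric()
    for vtep, vrf in (("leaf1", "TENANT-A"), ("leaf2", "TENANT-B"), ("border1", "INTERNET")):
        print(vtep, vrf, sorted(fabric[vtep].vrfs[vrf].rib))
```

Two things the model makes visible that are easy to miss in a real deployment: the leaked default is installed in TENANT-A with the INTERNET VRF's VNI (50099), so the border decapsulates straight into the Internet VRF; and the return path needs the reverse leak, which is why the INTENET VRF imports a second RT (modelled as 65000:900) that only Internet-enabled tenants attach to their exports. On real gear this maps to per-VRF route-target import/export statements plus an export route-map that matches only 0.0.0.0/0; if the overlay is also eBGP with a distinct ASN per leaf, auto-derived ASN:VNI targets differ per device and must be set explicitly or rewritten.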