multi-cloud networkingLeave a comment

Using Azure Route Server for Dynamic Routing

rtrentin

Azure Route Server is a service provided by Microsoft Azure that simplifies the process of dynamic routing for network virtual appliances (NVAs). NVAs are commonly used in virtual networks to perform tasks such as load balancing, network address translation (NAT), and virtual private network (VPN) connectivity. In a traditional network setup, dynamic routing protocols such as Border Gateway Protocol (BGP) require manual configuration and maintenance of each individual NVA. This can become time-consuming and error-prone as the network scales. With Azure Route Server, NVAs can simply connect to the route server and exchange routing information automatically. Azure Route Server supports … Continue reading Using Azure Route Server for Dynamic Routing

cloud networkingLeave a comment

Hyperautomation with GCP (draft)

rtrentin

Hyperautomation Hyperautomation is a business-driven, disciplined approach that organizations use to rapidly identify, vet and automate as many business and IT processes as possible. Hyperautomation involves the orchestrated use of multiple technologies, tools or platforms, including: artificial intelligence (AI), machine learning, event-driven software architecture, robotic process automation (RPA), business process management (BPM) and intelligent business process management suites (iBPMS), integration platform as a service (iPaaS), low-code/no-code tools, packaged software, and other types of decision, process and task automation tools. Gartner Here are some use cases: Prime: AI Artificial intelligence (AI) is a key component of hyperautomation, as it enables organizations … Continue reading Hyperautomation with GCP (draft)

multi-cloud networkingLeave a comment

Using NATGW for Centralized Internet Outbound

rtrentin

Topology Initial Config (No NATGW) Testing: (for testing I’m using curl from the internal VM towards another VM running in a different cloud provider running NGIX) NATGW Once a NATGW is attached to the firewall eth1/1 interface subnet, the NATGW takes precedence: Testing: PIP can disassociate for egress only case Adding Multiple Private IPs The advantage of specifying the interface in the NAT rule is that the NAT rule will be automatically updated to use any address subsequently acquired by the interface. DIPP is sometimes referred to as interface-based NAT or network address port translation (NAPT). References https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat/source-nat https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/dynamic-ip-and-port-nat-oversubscription#id2a358bd4-94c0-4976-a681-dad3845f8174 Continue reading Using NATGW for Centralized Internet Outbound

multi-cloud networkingLeave a comment

Scaling Up/Scaling Down HPE Gateways

rtrentin

High Performance Encryption (HPE) is an Aviatrix technology that enables 10 Gbps and higher IPsec performance between two single Aviatrix Gateway instances or between a single Aviatrix Gateway instance and on-prem Aviatrix appliance. You can change Gateway Size if needed to change gateway throughput. The gateway will restart with a different instance size. IP addresses per network interface The following tables list the maximum number of network interfaces per instance type, and the maximum number of private IPv4 addresses and IPv6 addresses per network interface: Constraints Initial Scenario Scale Up I’m going to scale to a c5n.9xlarge: Tunnels are created … Continue reading Scaling Up/Scaling Down HPE Gateways

multi-cloud networkingLeave a comment

Scaling Out Secure Dedicated Ingress on GCP

rtrentin

Proposed Architecture The architecture presented below satisfies GCP customers requirements to use third party compute instance based appliances in their flows. The design considers HTTP(S) load balancers due its advanced capabilities. Constraints GCP Load Balancers Decision Chart Update DNS How to Scale Scenario 1 How to Scale Scenario 2 How to Scale Scenario 3 How to Scale Scenario 4 The HC as before is the same as we are checking the health of the compute instances: References https://research.google/pubs/pub44824/ https://cloud.google.com/load-balancing/docs/load-balancing-overview https://cloud.google.com/load-balancing/docs/backend-service Continue reading Scaling Out Secure Dedicated Ingress on GCP

multi-cloud networkingLeave a comment

Aviatrix: Minimum Alerts Recommended

rtrentin

Mem Free CPU Iddle HDisk Free Gateway Status Connection Status BGP Peering Status PPS Limit Exceeded Rate (rate_pps_limit_exceeded) Bandwidth Egress Limit Exceeded Rate (rate_bandwidth_egress_limit_exceeded) Bandwidth Ingress Limit Exceeded Rate (rate_bandwidth_ingress_limit_exceeded) Errored Packets Transmitted Rate (rate_tx_errs) Errored Packets Received Rate (rate_rx_errs) Rate of Packets Dropped While Receiving (rate_rx_drop) Rate of Packets Dropped While Transmitting (rate_tx_drop) Conntrack Limit Exceeded Rate (rate_conntrack_limit_exceeded)Underlay Connection StatusTunnel Count References https://read.docs.aviatrix.com/HowTos/Monitoring_Your_Network.html https://docs.aviatrix.com/copilot/latest/monitoring-troubleshooting/user-alerts-network.html Continue reading Aviatrix: Minimum Alerts Recommended

multi-cloud networkingLeave a comment

Checking Bandwidth Consumption with Athena

rtrentin

VPC flow logs capture information about the IP traffic going to and from network interfaces in a VPC. Athena is an interactive query service that makes it easy to analyze data directly in S3 using standard SQL. Topology Create a (S3) Bucket Enable (VPC) Flow Logs Apache Parquet is a columnar data format that stores and queries data more efficiently and cost-effectively than a text format. Queries on data stored in Parquet format are 10 to 100 times faster and cheaper than data stored in text format. Flow logs delivered in Parquet format with Gzip compression use about 20 percent … Continue reading Checking Bandwidth Consumption with Athena

multi-cloud networkingLeave a comment

Dedicated Ingress VPC Health Checks

rtrentin

Topology (VPC003) Workload Configuration Instance Group: Health check: Network Load Balancer: (VPC001) Ingress VPC SNAT/DNAT using single NAT: Another option is to use customized NAT: Instance Group: Health Check: External Global HTTP(S) Load Balancer: Testing Packet capture from the proxy instance: Troubleshooting Health check failures: “End-to-End” Health Check In this scenario, the external load balancer health check probes the the internal load balancer: New HC on port 80 (service port): References https://cloud.google.com/load-balancing/docs/health-check-concepts Continue reading Dedicated Ingress VPC Health Checks

multi-cloud networkingLeave a comment

Going full DevOps with GCP (Draft)

rtrentin

Google API Access Instances in VPC can reach Google and third-party APIs and services without an external IP address. All Google Cloud APIs and services support private access. The access methods are different for services in VPC networks compared to services in Google’s production infrastructure Advantages: Networking Services API Container Registry Serverless VPC Access Cloud Build Cloud Build is a managed service on Google Cloud Platform infrastructure that allows you to continuously build, test and deploy containers. Private pools are customer-specific resources and can be customized. One customization option is the capability to disable the association of external IPs: Once … Continue reading Going full DevOps with GCP (Draft)

multi-cloud networkingLeave a comment

Migrating from GCP… to GCP

rtrentin

Current and Future Architecture Current state: Desired state: vpc001 is composed of the following subnets: vpc001 routing table (filtering routes of interest): On-prem (AS 36180) routing table: Staging On-prem route table after staging is complete (avx gateway is not attached): Attaching the gateway: And advertise the vpc001 subnets with a better metric (please note that RFC 6598 prefixes are not advertised from AVX by default): To avoid traffic switching over to AVX asymmetrically during the staging we have a few options: Switching traffic over (East-West) vpc001 destination routes to vpc002: When Cloud Routers learn a prefix that exactly matches the … Continue reading Migrating from GCP… to GCP