VPC Peering Security Groups

A security group serves as a protective barrier, functioning like a firewall to manage the flow of network traffic to and from the resources within your Virtual Private Cloud (VPC). With security groups, you have the flexibility to select the specific ports and communication protocols that are permitted for both incoming (inbound) and outgoing (outbound) network traffic. You have the capability to modify the inbound or outbound rules within your VPC’s security groups to make reference to security groups in a peered VPC. This adjustment enables the smooth exchange of network traffic between instances associated with the specified security groups … Continue reading VPC Peering Security Groups

Google Cloud Shared VPC

A Shared Virtual Private Cloud (VPC) is a feature within Google Cloud that enables organizations to connect resources from multiple projects to a common network infrastructure. This shared network, hosted within a designated “host project,” allows secure and efficient communication among resources using internal IP addresses. Service projects, attached to the host project’s network, can utilize specific subnets for their instances. This setup offers a balance between centralized control over network resources, such as subnets and firewalls, and decentralized administration of instances within individual service projects. By segregating administrative responsibilities, organizations can enforce consistent access control policies, enhance security, and … Continue reading Google Cloud Shared VPC

Configuring Google Cloud Workload Identity Federation (AWS)

A workload identity is a special identity used for authentication and access by software applications and services. It helps them connect to other services and resources securely. The most direct method for external workloads to use Google Cloud APIs is by using downloaded service account keys. However, this approach comes with two significant challenges: To address these issues, workload identity federation offers an alternative. This approach allows applications outside of Google Cloud to replace persistent service account keys with short-lived access tokens. This is accomplished by establishing a trust relationship between Google Cloud and an external identity provider. The external … Continue reading Configuring Google Cloud Workload Identity Federation (AWS)

Google Cloud Migration Scenarios

Lab and Configuration Staging The lab diagram for this exercise is show below: Staging Aviatrix Flows of Interest Constraints Migration Approaches The Slicer Constraints Testing Flow 1 and Flow 2 Migration using The Slicer (Switch Traffic) Slicing it: CSR1000v routes: If the Cloud Router custom advertisement is doing (route) summarization, the slice on the avx spoke gateway advertised routes is not required. In this case, we should customize the advertisement to only allow the subnetwork where the avx gateway was deployed. Flow3 and Flow 4 Migration using The Slicer (Switch Traffic) This step requires that all the north-south flows were … Continue reading Google Cloud Migration Scenarios

Apigee not bee :)

Apigee is a Google SaaS platform for developing and managing APIs. Apigee provides an abstraction layer to backend service APIs and provides security, rate limiting, quotas, and analytics. Apigee consists of the following components: A more granular network friendly diagram is show below: A more in depth overview is provided here: https://cloud.google.com/apigee/docs/api-platform/architecture/overview Setting it up There are at least three different ways to provision Apigee: https://cloud.google.com/apigee/docs/api-platform/get-started/provisioning-intro#provisioning-options I’m going to use a free trial wizard to get acquainted with Apigee: The evaluation wizard guides us through the steps: Apigee runtime requires a dedicated /22 range for evaluation: Each Apigee instance requires … Continue reading Apigee not bee 🙂

Using Azure Route Server for Dynamic Routing

Azure Route Server is a service provided by Microsoft Azure that simplifies the process of dynamic routing for network virtual appliances (NVAs). NVAs are commonly used in virtual networks to perform tasks such as load balancing, network address translation (NAT), and virtual private network (VPN) connectivity. In a traditional network setup, dynamic routing protocols such as Border Gateway Protocol (BGP) require manual configuration and maintenance of each individual NVA. This can become time-consuming and error-prone as the network scales. With Azure Route Server, NVAs can simply connect to the route server and exchange routing information automatically. Azure Route Server supports … Continue reading Using Azure Route Server for Dynamic Routing

Hyperautomation with GCP (draft)

Hyperautomation Hyperautomation is a business-driven, disciplined approach that organizations use to rapidly identify, vet and automate as many business and IT processes as possible. Hyperautomation involves the orchestrated use of multiple technologies, tools or platforms, including: artificial intelligence (AI), machine learning, event-driven software architecture, robotic process automation (RPA), business process management (BPM) and intelligent business process management suites (iBPMS), integration platform as a service (iPaaS), low-code/no-code tools, packaged software, and other types of decision, process and task automation tools. Gartner Here are some use cases: Prime: AI Artificial intelligence (AI) is a key component of hyperautomation, as it enables organizations … Continue reading Hyperautomation with GCP (draft)

Using NATGW for Centralized Internet Outbound

Topology Initial Config (No NATGW) Testing: (for testing I’m using curl from the internal VM towards another VM running in a different cloud provider running NGIX) NATGW Once a NATGW is attached to the firewall eth1/1 interface subnet, the NATGW takes precedence: Testing: PIP can disassociate for egress only case Adding Multiple Private IPs The advantage of specifying the interface in the NAT rule is that the NAT rule will be automatically updated to use any address subsequently acquired by the interface. DIPP is sometimes referred to as interface-based NAT or network address port translation (NAPT). References https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat/source-nat https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/dynamic-ip-and-port-nat-oversubscription#id2a358bd4-94c0-4976-a681-dad3845f8174 Continue reading Using NATGW for Centralized Internet Outbound

Scaling Up/Scaling Down HPE Gateways

High Performance Encryption (HPE) is an Aviatrix technology that enables 10 Gbps and higher IPsec performance between two single Aviatrix Gateway instances or between a single Aviatrix Gateway instance and on-prem Aviatrix appliance. You can change Gateway Size if needed to change gateway throughput. The gateway will restart with a different instance size. IP addresses per network interface The following tables list the maximum number of network interfaces per instance type, and the maximum number of private IPv4 addresses and IPv6 addresses per network interface: Constraints Initial Scenario Scale Up I’m going to scale to a c5n.9xlarge: Tunnels are created … Continue reading Scaling Up/Scaling Down HPE Gateways

Scaling Out Secure Dedicated Ingress on GCP

Proposed Architecture The architecture presented below satisfies GCP customers requirements to use third party compute instance based appliances in their flows. The design considers HTTP(S) load balancers due its advanced capabilities. Constraints GCP Load Balancers Decision Chart Update DNS How to Scale Scenario 1 How to Scale Scenario 2 How to Scale Scenario 3 How to Scale Scenario 4 The HC as before is the same as we are checking the health of the compute instances: References https://research.google/pubs/pub44824/ https://cloud.google.com/load-balancing/docs/load-balancing-overview https://cloud.google.com/load-balancing/docs/backend-service Continue reading Scaling Out Secure Dedicated Ingress on GCP