Micro-segmentation provides granular network security policy enforcement for distributed applications in the cloud.

The micro-segmentation is in private preview on Aviatrix sw version 6.7

Public Preview Features

• Features in public preview mode are fully tested and safe for deployment in production environments.
• Public preview mode feature options, performance, and scalability may be limited compared to the final feature.

Private Preview Features

• Features in private preview mode should not be deployed in production environments.
• Features in private preview mode may have undergone limited testing.
• Support for features in private preview mode may be limited and handled with low priority.

Network Segmentation

Segmentation is an architectural approach that divides a network into multiple segments. This allows network administrators to control the flow of traffic between segments based on policies.

Network segmentation consists in the use of network constructs (VPCs, subnets) to create segments.

Network Segmentation can be done using CoPilot Security Network Segmentation application:

• enable transit gateways network segmentation

• create network segments or domains
• associate spokes to the domains
• connect domains among them if communication is required

In my example I created a domain called prod and another domain called dev. Spoke40 is associated to prod while ingress to dev:

Micro Segmentation

Micro segmentation consists in the use of CSP constructs and or attributes to create segments. Those could also be network constructs but are not limited to them.

Enforcement

Aviatrix u-segmentation is enforced on the dataplane.

App Domains

An app domain groups requires with the same secure policy enforcement.

• Resource tags
• Resource attributes
• IP addresses or CIDRs

Tags is the recommended method as this automatically includes new resources created in the Cloud with the same set of tags.

Policies

Policies define controls to apply on the traffic between app domains.

A policy defines what protocols and ports are allowed or denied communication between two app domains.

Configuration

I’m going to create two app domains:

• spoke30vm1 will belong to app domain “dev”
• spoke40vm1 will belong to app domain “dev”
• spoke40vm2 will belong to app domain “prod”

I’m going to use tags for domain classification:

The security plane will look like:

The configuration is done through the CoPilot Security:

• we can create logical & and OR operators

If there are no rules, the default useg action is to allow communication. For that reason, I’m going to create a rule blocking all traffic and then use useg policies to allow only the traffic of interest:

• base domain: I’m going to use 0.0.0.0/0 to match all CIDRs

• Rule denying all traffic

Once the configuration is save as draft, it needs to be committed to take effect.

This procedure will block all traffic flows in the fabric.

Testing

From spoke30vm1:

• ping spoke40vm1:

• ping spoke40vm2:

Both pings failed as expected. Now we can start creating rules to allow traffic. I’m going to create a simple rule to allow ping between prod and dev:

• action can be allow or deny
• enforcement is on but we can disable to collect logs only
• stats is on but can also be disabled
• protocol can be any, tcp, udp, icmp
• rule order: I’m going to position the new rule above the rule denying all traffic.

Once the rules are built, we need to commit:

Testing

From spoke30vm1:

• ping spoke40vm2:

• ssh to spoke40vm2:

Source:

Destination:

Stats:

If communication among members of a domain is required, we have to create a rule to explicit permit those flows:

• source and destination domains are the same
• action is allow
• protocol is any

This rule must be installed above the deny-all.

Current Constraints

• In 6.7 micro-segmentation is only supported on AWS and Azure.
• Traffic between two app domains in the same VPC/VNet is not subject to micro-segmentation policy.

References

https://docs.aviatrix.com/HowTos/secure_networking_microsegmentation.html