This document can be considered as an addendum https://rtrentinsworld.com/2022/05/28/bootstrapping-pans-using-aviatrix/ to and https://rtrentinsworld.com/2022/05/28/deploying-an-aviatrix-firenet-on-gcp-with-pans/
Aviatrix Transit FireNet allows the deployment of 3rd party firewalls onto the Aviatrix transit architecture.
Transit FireNet works the same way as the Firewall Network where traffic in and out of the specified Spoke is forwarded to the firewall instances for inspection or policy application.
The topology I’m going to automate using Aviatrix terraform provider is depicted below:
Assumptions
- GCP account was properly onboard
- bootstrap bucket was created and populated with a init-cfg.txt, bootstrap.xml, and desired software images for upgrade.
Deployment
I’m going to leverage the mc-firenet developed by my colleague Dennis Hagens to deploy a Firenet.
Here is my provider:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| terraform { | |
| required_providers { | |
| aviatrix = { | |
| source = "AviatrixSystems/aviatrix" | |
| version = "2.21.2" | |
| } | |
| google = { | |
| source = "hashicorp/google" | |
| version = "4.14.0" | |
| } | |
| http = { | |
| source = "hashicorp/http" | |
| version = "2.1.0" | |
| } | |
| } | |
| } | |
| provider "aviatrix" { | |
| controller_ip = var.controller_ip | |
| username = var.username | |
| password = var.password | |
| skip_version_validation = true | |
| verify_ssl_certificate = false | |
| } | |
| provider "google" { | |
| project = var.project | |
| region = var.region | |
| } | |
| provider "http" { | |
| # Configuration options | |
| } | |
| provider "random" { | |
| # Configuration options | |
| } | |
| data "http" "ip" { | |
| url = "https://ifconfig.me/" | |
| } |
The module deploys 4 VPCs (Transit Firenet, Management, Egress and LAN), transit gateways (HA), and firewall instances. The following inputs are required for the firenet design:
- account
- cloud
- region
- cidr (transit)
- lan_cidr
- firewall_image
- bootstrap_bucket_name_1
- egress_cidr
- mgmt_cidr
- egress_enabled
- fw_amount
The terraform file that I used in my environment can be downloaded from here:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| module "mc_transit" { | |
| source = "terraform-aviatrix-modules/mc-transit/aviatrix" | |
| version = "v2.0.0" | |
| cloud = var.cloud | |
| cidr = var.vpcs["firenet"] | |
| region = var.region | |
| account = var.account | |
| enable_transit_firenet = true | |
| lan_cidr = var.vpcs["lan"] | |
| } | |
| module "firenet_1" { | |
| source = "terraform-aviatrix-modules/mc-firenet/aviatrix" | |
| version = "1.0.0" | |
| transit_module = module.mc_transit | |
| firewall_image = var.firewall_image | |
| firewall_image_version = var.firewall_image_version | |
| bootstrap_bucket_name_1 = var.storage_bucket_name | |
| egress_cidr = var.vpcs["egress"] | |
| egress_enabled = true | |
| inspection_enabled = true | |
| instance_size = var.instance_size | |
| mgmt_cidr = var.vpcs["mgmt"] | |
| password = var.password | |
| } |
Vendor Integration
At the time of this writing the vendor integration terraform module was not ready for testing but the API was.
Aviatrix API documentation and download page is located at https://support.aviatrix.com/apiDownloads
Testing
For testing purposes I’m going to create to spokes, spokes gateways, and one CentOS compute instance each. The terraform files can be downloaded from here:
- vpcs and gateways using the mc-spoke module:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| module "mc-spoke" { | |
| for_each = { | |
| "spoke30" = "spoke30" | |
| "spoke40" = "spoke40" | |
| "ingress" = "ingress" | |
| } | |
| source = "terraform-aviatrix-modules/mc-spoke/aviatrix" | |
| version = "1.1.2" | |
| account = var.account | |
| cloud = var.cloud | |
| name = "gcp-${each.value}–${var.region}" | |
| region = var.region | |
| cidr = var.vpcs["${each.value}"] | |
| inspection = true | |
| transit_gw = module.mc_transit.transit_gateway.gw_name | |
| ha_gw = false | |
| instance_size = var.instance_size | |
| single_az_ha = false | |
| } |
- compute engine instance
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "random_id" "instance_id_spoke3" { | |
| byte_length = 8 | |
| } | |
| resource "google_compute_instance" "instance-1-spoke3" { | |
| name = "spoke3-vm-${random_id.instance_id_spoke3.hex}" | |
| machine_type = "f1-micro" | |
| zone = "${var.region}-b" | |
| boot_disk { | |
| initialize_params { | |
| image = "centos-cloud/centos-stream-9" | |
| } | |
| } | |
| network_interface { | |
| network = aviatrix_vpc.vpc_spoke3.name | |
| subnetwork = aviatrix_vpc.vpc_spoke3.subnets[0].name | |
| access_config {} | |
| } | |
| metadata = { | |
| ssh-keys = "centos:${file("~/.ssh/id_rsa.pub")}" | |
| } | |
| metadata_startup_script = "sudo yum update -y; sudo yum install httpd -y; sudo systemctl start httpd; sudo systemctl enable httpd" | |
| } | |
| resource "google_compute_firewall" "firewall-instance-spoke3" { | |
| name = "instance-spoke3-rules" | |
| network = aviatrix_vpc.vpc_spoke3.name | |
| allow { | |
| protocol = "icmp" | |
| } | |
| allow { | |
| protocol = "tcp" | |
| ports = ["22"] | |
| } | |
| source_ranges = ["${data.http.ip.body}/32"] | |
| } |
Visualizing Using CoPilot Topology Map
CoPilot automatically draws a map based on the information retrieved from the Controller:
Troubleshooting using CoPilot AppIQ
AppIQ allows you to generate a comprehensive report of latency, traffic, and performance monitoring data between any two cloud instances connected via your Aviatrix transit network:
A screenshot from the report is show below:
6 thoughts on ““Terraforming” an Aviatrix FireNet on GCP with PANs”