“Terraforming” an Aviatrix FireNet on GCP with PANs

This document can be considered an addendum to https://rtrentinsworld.com/2022/05/28/bootstrapping-pans-using-aviatrix/ and https://rtrentinsworld.com/2022/05/28/deploying-an-aviatrix-firenet-on-gcp-with-pans/

Aviatrix Transit FireNet allows the deployment of 3rd party firewalls onto the Aviatrix transit architecture.

Transit FireNet works the same way as the Firewall Network: traffic in and out of the specified Spoke is forwarded to the firewall instances for inspection or policy application.

The topology I’m going to automate using the Aviatrix Terraform provider is depicted below:

Assumptions

  • GCP account was properly onboarded on the Aviatrix Controller
  • bootstrap bucket was created and populated with an init-cfg.txt, a bootstrap.xml, and the desired software images for upgrade.

Deployment

I’m going to leverage the mc-firenet module developed by my colleague Dennis Hagens to deploy a FireNet.

Here is my provider (provider.tf):

terraform {
  required_providers {
    aviatrix = {
      source  = "AviatrixSystems/aviatrix"
      version = "2.21.2"
    }
    google = {
      source  = "hashicorp/google"
      version = "4.14.0"
    }
    http = {
      source  = "hashicorp/http"
      version = "2.1.0"
    }
    # "random" is not pinned here; Terraform resolves it to hashicorp/random.
  }
}

provider "aviatrix" {
  controller_ip           = var.controller_ip
  username                = var.username
  password                = var.password
  skip_version_validation = true
  # Disables TLS certificate verification towards the Controller. Acceptable
  # for a lab running the default self-signed certificate; set it back to
  # true once the Controller carries a certificate your client trusts.
  verify_ssl_certificate  = false
}

provider "google" {
  project = var.project
  region  = var.region
}

provider "http" {
  # Configuration options
}

provider "random" {
  # Configuration options
}

# Looks up the public IP this Terraform run originates from; it is used in
# the test section to restrict SSH/ICMP access to the test instances to that
# single address.
data "http" "ip" {
  url = "https://ifconfig.me/"
}

Together, the mc-transit and mc-firenet modules deploy four VPCs (Transit FireNet, Management, Egress and LAN), the transit gateways (HA), and the firewall instances. The following inputs are required for the FireNet design:

  • account
  • cloud
  • region
  • cidr (transit)
  • lan_cidr
  • firewall_image
  • bootstrap_bucket_name_1
  • egress_cidr
  • mgmt_cidr
  • egress_enabled
  • fw_amount

The Terraform file that I used in my environment can be downloaded from here (firenet.tf):

module "mc_transit" {
  source  = "terraform-aviatrix-modules/mc-transit/aviatrix"
  version = "v2.0.0"

  cloud                  = var.cloud
  cidr                   = var.vpcs["firenet"]
  region                 = var.region
  account                = var.account
  enable_transit_firenet = true
  # On GCP the firewall LAN interfaces live in a dedicated LAN VPC.
  lan_cidr               = var.vpcs["lan"]
}

module "firenet_1" {
  source  = "terraform-aviatrix-modules/mc-firenet/aviatrix"
  version = "1.0.0"

  transit_module          = module.mc_transit
  firewall_image          = var.firewall_image
  firewall_image_version  = var.firewall_image_version
  # Bucket holding init-cfg.txt, bootstrap.xml and the PAN-OS images (see Assumptions).
  bootstrap_bucket_name_1 = var.storage_bucket_name
  egress_cidr             = var.vpcs["egress"]
  egress_enabled          = true
  inspection_enabled      = true
  instance_size           = var.instance_size
  mgmt_cidr               = var.vpcs["mgmt"]
  # This hands the firewalls the same var.password that the Aviatrix provider
  # uses as the Controller password. Prefer a separate variable marked
  # sensitive = true so the two credentials are not identical.
  password                = var.password
}
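The provider and module blocks above reference a number of variables that the post does not declare. The variables.tf below is an added example, not code from the original post or from the Aviatrix modules; it declares every variable the page's files reference (including the spoke keys used in the test section), keeps the Controller password out of plan output with sensitive = true, and rejects malformed CIDRs at plan time. The default addressing and the n1-standard-4 / us-east1 defaults are assumptions for a lab, not values from the post:

```hcl
# Added example (variables.tf), not part of the original post. Declares the
# variables referenced by provider.tf, firenet.tf and the test files so the
# page's snippets form a complete root module. Defaults marked "assumed" are
# lab values chosen here, not values from the post.

variable "controller_ip" {
  description = "Aviatrix Controller IP address or FQDN"
  type        = string
}

variable "username" {
  description = "Aviatrix Controller admin user"
  type        = string
}

variable "password" {
  description = "Aviatrix Controller password; sensitive keeps it out of plan/apply output"
  type        = string
  sensitive   = true
}

variable "project" {
  description = "GCP project hosting the VPCs and instances"
  type        = string
}

variable "region" {
  type    = string
  default = "us-east1" # assumed
}

variable "account" {
  description = "Name of the GCP account as onboarded on the Controller"
  type        = string
}

variable "cloud" {
  type    = string
  default = "GCP"
}

variable "vpcs" {
  description = "CIDR per VPC; keys match the lookups in the module blocks"
  type        = map(string)
  # assumed lab addressing
  default = {
    firenet = "10.1.0.0/23"
    lan     = "10.1.2.0/24"
    mgmt    = "10.1.3.0/24"
    egress  = "10.1.4.0/24"
    spoke30 = "10.30.0.0/16"
    spoke40 = "10.40.0.0/16"
    ingress = "10.50.0.0/16"
  }

  # Fail at plan time instead of at module instantiation when a value is not a CIDR
  validation {
    condition     = alltrue([for v in var.vpcs : can(cidrhost(v, 0))])
    error_message = "Every value in vpcs must be a valid IPv4 CIDR."
  }
}

variable "firewall_image" {
  description = "Firewall image name exactly as the Controller lists it for GCP"
  type        = string
}

variable "firewall_image_version" {
  type = string
}

variable "storage_bucket_name" {
  description = "GCS bucket holding init-cfg.txt, bootstrap.xml and PAN-OS images"
  type        = string
}

variable "instance_size" {
  description = "Machine type for the spoke gateways and firewall instances"
  type        = string
  default     = "n1-standard-4" # assumed
}
```

Supply the non-defaulted values through a terraform.tfvars file or TF_VAR_* environment variables rather than on the command line, so the Controller password does not end up in shell history.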

Vendor Integration

At the time of this writing the vendor integration Terraform module was not ready for testing, but the API was.

Aviatrix API documentation and download page is located at https://support.aviatrix.com/apiDownloads
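The Aviatrix Terraform provider also exposes the vendor integration step directly as the aviatrix_firenet_vendor_integration data source, so it can be driven from the same root module without waiting for a module wrapper. The block below is an added example, not code from the original post or from the mc-firenet module; it assumes the mc-firenet module exposes the firewall instances it created as a list under an output named aviatrix_firewall_instance, that the PAN admin user is admin, and that var.firewall_password holds the admin password set through bootstrap.xml (kept separate from the Controller password):

```hcl
# Added example, not part of the original post. Registers each PAN with the
# Controller's vendor integration so Aviatrix can program the firewall's
# route table, using the provider's aviatrix_firenet_vendor_integration data
# source. Assumed: the mc-firenet module output name below, the "admin" user,
# and a dedicated var.firewall_password for the PAN admin credential.

variable "firewall_password" {
  description = "Admin password of the PAN instances (the one set in bootstrap.xml)"
  type        = string
  sensitive   = true
}

data "aviatrix_firenet_vendor_integration" "pan" {
  # One integration per firewall instance. The list length is known at plan
  # time, so count can be derived from it even before the instances exist.
  count = length(module.firenet_1.aviatrix_firewall_instance) # assumed output name

  vpc_id        = module.mc_transit.vpc.vpc_id
  instance_id   = module.firenet_1.aviatrix_firewall_instance[count.index].instance_id
  vendor_type   = "Palo Alto Networks VM-Series"
  public_ip     = module.firenet_1.aviatrix_firewall_instance[count.index].public_ip
  firewall_name = module.firenet_1.aviatrix_firewall_instance[count.index].firewall_name
  username      = "admin"              # assumed PAN admin user
  password      = var.firewall_password
  # Store the firewall details on the Controller instead of doing a one-off push
  save = true
}
```

Because instance_id and public_ip are only known once the firewall instances exist, Terraform defers reading this data source to apply time; the Controller then logs in to the PAN management interface over HTTPS, so the bootstrap.xml must already contain the admin credential being passed here.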

Testing

For testing purposes I’m going to create two spokes (spoke30 and spoke40), their spoke gateways, and one CentOS compute instance in each; the mc-spoke block below also creates an ingress spoke. The Terraform files can be downloaded from here:

  • VPCs and gateways using the mc-spoke module:

module "mc-spoke" {
  for_each = {
    "spoke30" = "spoke30"
    "spoke40" = "spoke40"
    "ingress" = "ingress"
  }

  source  = "terraform-aviatrix-modules/mc-spoke/aviatrix"
  version = "1.1.2"

  account = var.account
  cloud   = var.cloud
  name    = "gcp-${each.value}${var.region}"
  region  = var.region
  cidr    = var.vpcs[each.value]
  # Attaches the spoke to the Transit FireNet inspection policy, so its
  # traffic is steered through the firewall instances.
  inspection = true
  transit_gw = module.mc_transit.transit_gateway.gw_name
  # Single, non-HA spoke gateways keep the lab small.
  ha_gw         = false
  instance_size = var.instance_size
  single_az_ha  = false
}

  • compute engine instance:

resource "random_id" "instance_id_spoke3" {
  byte_length = 8
}

resource "google_compute_instance" "instance-1-spoke3" {
  name         = "spoke3-vm-${random_id.instance_id_spoke3.hex}"
  machine_type = "f1-micro"
  zone         = "${var.region}-b"

  boot_disk {
    initialize_params {
      image = "centos-cloud/centos-stream-9"
    }
  }

  network_interface {
    # VPC and subnet created by the mc-spoke module for spoke30; the module
    # exposes the aviatrix_vpc it created as its "vpc" output.
    network    = module.mc-spoke["spoke30"].vpc.name
    subnetwork = module.mc-spoke["spoke30"].vpc.subnets[0].name
    # Ephemeral public IP, used only to SSH in from the operator address allowed below
    access_config {}
  }

  metadata = {
    ssh-keys = "centos:${file("~/.ssh/id_rsa.pub")}"
  }

  # Installs and enables Apache so the instance can serve as a target for east-west tests
  metadata_startup_script = "sudo yum update -y; sudo yum install httpd -y; sudo systemctl start httpd; sudo systemctl enable httpd"
}

resource "google_compute_firewall" "firewall-instance-spoke3" {
  name    = "instance-spoke3-rules"
  network = module.mc-spoke["spoke30"].vpc.name

  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  # Only the public IP this run originates from (data.http.ip in provider.tf)
  # may reach ICMP/SSH. chomp() strips any trailing newline from the HTTP
  # response so the /32 stays a valid CIDR.
  source_ranges = ["${chomp(data.http.ip.body)}/32"]
}

Visualizing Using CoPilot Topology Map

CoPilot automatically draws a map based on the information retrieved from the Controller:

Troubleshooting using CoPilot AppIQ

AppIQ allows you to generate a comprehensive report of latency, traffic, and performance monitoring data between any two cloud instances connected via your Aviatrix transit network:

A screenshot from the report is shown below:

References

Deploying an Aviatrix FireNet on GCP with PANs: https://rtrentinsworld.com/2022/05/28/deploying-an-aviatrix-firenet-on-gcp-with-pans/

Bootstrapping PANs using Aviatrix: https://rtrentinsworld.com/2022/05/28/bootstrapping-pans-using-aviatrix/
