Aviatrix Multi-Region Architecture for GCP

Aviatrix Overview

Aviatrix is a cloud network platform that brings multi-cloud networking, security, and operational visibility capabilities that go beyond what any cloud service provider offers. Aviatrix software leverages AWS, Azure, GCP and Oracle Cloud APIs to interact with and directly program native cloud networking constructs, abstracting the unique complexities of each cloud to form one network data plane, and adds advanced networking, security and operational features enterprises require.

A multi-cloud network architecture can be split into three major blocks:

  • cloud application layer: provides secure network connectivity to application workloads
  • cloud network layer: provides connectivity between the application layer and the access layer, within a single region or across multiple regions, and between different cloud service providers. This layer is also where L4-L7 services are inserted for centralized policy enforcement.
  • cloud access layer: provides access to the cloud environment. It is usually composed of dedicated circuits, VPN, and sometimes SD-WAN.

Multi-Region Hybrid Design Overview

The multi-region design is shown in the diagram below:

  • two regions, each running its own transit firewall network (FireNet)
  • the transits are peered
  • each region has its own dedicated ingress VPC
  • each region has multiple spokes dedicated to workloads, and they are connected to the transit
  • on-prem connects to GCP using Cloud Interconnect, Cloud Partner Interconnect, or Cloud VPN
  • routes are exchanged between on-prem and the Aviatrix transit using Google Cloud Router

The design is broken into transit FireNet, ingress, egress, and access, each discussed below.

Transit

Aviatrix supports multiple NGFW vendors such as Check Point, Fortinet, and Palo Alto Networks, among others. FireNet with those vendors is discussed extensively in the posts below.

Transits are connected back-to-back using the Multi-Cloud Transit Peering:

Access Layer

Ingress

Egress

Hybrid Connectivity

BGP over LAN is configured between transit gateways and cloud routers in each region:
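As an added illustration (not configuration from the original post), the transit peering and one region's BGP over LAN session toward its Cloud Router, expressed with the Aviatrix Terraform provider. The gateway names, VPC ids, project, ASNs and LAN IPs are placeholders, and the attribute names are assumed from the provider and should be checked against its documentation; the Cloud Router side of the peering is configured in Google Cloud and is not shown.

```hcl
# Added example, not from the original post. Assumes the transit gateways
# "transit-us-west1" and "transit-us-east1" already exist as transit FireNets.

# Multi-Cloud Transit Peering: the two regional transits connected back-to-back.
resource "aviatrix_transit_gateway_peering" "west_east" {
  transit_gateway_name1 = "transit-us-west1"   # placeholder gateway name
  transit_gateway_name2 = "transit-us-east1"   # placeholder gateway name
}

# BGP over LAN from the west transit to the Cloud Router in that region.
# Routes learned from on-prem arrive through this session; nothing is
# encapsulated, the BGP session runs directly over the LAN interface.
resource "aviatrix_transit_external_device_conn" "west_cloud_router" {
  vpc_id            = "transit-vpc-west~-~my-gcp-project"   # placeholder "vpc~-~project"
  connection_name   = "west-to-cloud-router"
  gw_name           = "transit-us-west1"
  connection_type   = "bgp"
  tunnel_protocol   = "LAN"
  bgp_local_as_num  = "65001"    # ASN of the Aviatrix transit (placeholder)
  bgp_remote_as_num = "16550"    # ASN of the Cloud Router (placeholder)
  remote_vpc_name   = "hybrid-vpc~-~my-gcp-project"  # VPC hosting the Cloud Router (placeholder)
  remote_lan_ip     = "10.200.0.2"   # Cloud Router BGP interface IP (placeholder)
  local_lan_ip      = "10.200.0.10"  # transit gateway LAN interface IP (placeholder)
}
```

The same external-device connection is repeated for the east transit against its own Cloud Router, so each region exchanges routes with on-prem independently of the other.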
