When designing segmentation for Aviatrix, architects and engineers are confronted with two questions: which criteria to use to create segments, and how the segments should communicate with each other.
Today Aviatrix supports Region, Account Name, Subnets, VPC/VNets, and CSP tags as segmentation criteria:
In a fabric with a “network” centric design, the app domains are aligned to network constructs (VPC/VNet/subnet). For example: 1 subnet = 1 app domain, or 1 VPC = 1 app domain. Communication is usually allowed unrestricted, because each of those domains contains multiple apps.
A design is called app centric when the app domain constructs are aligned to the applications themselves and security is enhanced with granular policies that allow communication only where it is required.
The two design approaches are not mutually exclusive.
The case for app centric:
What ADM is
Application Dependency Mapping (ADM) is the process of establishing and tracking the relationships and dependencies between the IT components (servers, networks, storage, and applications) that make up a given IT service. This is typically done with ADM tools (sometimes referred to as Discovery and Dependency Mapping tools), which automate discovering and visually “mapping” the relationships between the components. The maps are then imported into the Configuration Management Database (CMDB).
There are four major methods of employing application dependency mapping:
We use ADM to collect application communication flow data from the existing gateway devices and turn it into an application policy design. ADM allows us to properly lay down the micro-segmentation (useg) constructs:
- app domains
Do ADM yourself using CoPilot FlowIQ
CoPilot FlowIQ provides visualization of the traffic flows that move across any gateway managed by the Aviatrix Controller in the Aviatrix transit network (multi-cloud or single-cloud).
FlowIQ has five tabs: Overview, Trends, Geolocation, Flows, and Records. Records can be filtered and/or exported:
Using the filter option:
I can see that 10.255.230.37 is a client of the web server 10.255.240.36:
If you prefer to manipulate the data with an external tool, you can download the flow records and use the tool of your choice:
Do ADM yourself using Micro-Segmentation Allow/Deny Logs
An Aviatrix useg rule can be configured not to enforce (Enforcement = Off) but still log and/or monitor the traffic flows it matches (Logging = On). Both the flows allowed by a permit rule and the flows dropped by a deny rule are logged; at this time the logs are viewed on an external syslog server.
A domain that represents the entire fabric can be created to capture traffic:
A rule allowing all traffic inside that domain is also created. Enforcing it or not is optional; what matters is that “Logging” is enabled:
Below is an example of a log entry:
AviatrixGwMicrosegPacket: POLICY=b718ecd6-ab15-40cf-8b78-c90157ddd361 SRC_MAC=d8:9e:f3:d4:42:e2 DST_MAC=00:22:48:1d:59:53 IP_SZ=84 SRC_IP=10.255.230.36 DST_IP=10.255.240.36 PROTO=ICMP SRC_PORT=0 DST_PORT=0 DATA=0x ACT=PERMIT ENFORCED=true
Another example can be found below:
AviatrixGwMicrosegPacket: POLICY=b718ecd6-ab15-40cf-8b78-c90157ddd361 SRC_MAC=d8:9e:f3:d4:42:e2 DST_MAC=00:22:48:1d:59:53 IP_SZ=52 SRC_IP=10.255.230.37 DST_IP=10.255.240.36 PROTO=TCP SRC_PORT=53220 DST_PORT=80 DATA=0x ACT=PERMIT ENFORCED=true
From the second log entry above we can extract the following information:
- 10.255.230.37 can be considered a client
- 10.255.240.36 can be considered a server
- 10.255.230.37 can be allocated to a segment (app domain 1)
- 10.255.240.36 can be allocated to a different segment (app domain 2)
- a policy allowing app domain 1 to talk to app domain 2 on TCP port 80 would be required
Yes, I know it works fine for a few simple scenarios. For real-world scenarios the entire process would require automation or the adoption of a commercial package.
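To show what that automation looks like against the log format above, here is an added Python example (not Aviatrix code and not from the original post). It parses AviatrixGwMicrosegPacket lines, orients each packet into client and server using the port heuristic applied by hand above (the side on the high, ephemeral port is the client), groups hosts into candidate app domains by the set of services they expose, and emits the minimal inter-domain allow rules. The sample log lines are constructed from the two entries shown above plus a few invented hosts; the "lower port is the server" heuristic, the domain-naming scheme, and the helper names are this example's assumptions, not Aviatrix's.

```python
"""Draft app domains and allow rules from AviatrixGwMicrosegPacket syslog lines.

Added example, not Aviatrix code. The only thing taken from the real log format
is the key=value layout shown in the page's entries; the client/server heuristic
and the domain-naming scheme are this example's own assumptions.
"""
import re
from collections import defaultdict

PREFIX = "AviatrixGwMicrosegPacket:"
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def _log(src, dst, proto, sport, dport, act="PERMIT", enforced="true"):
    """Build a constructed sample line in the page's log layout (policy ID and MACs copied from it)."""
    return (f"{PREFIX} POLICY=b718ecd6-ab15-40cf-8b78-c90157ddd361 "
            f"SRC_MAC=d8:9e:f3:d4:42:e2 DST_MAC=00:22:48:1d:59:53 IP_SZ=52 "
            f"SRC_IP={src} DST_IP={dst} PROTO={proto} SRC_PORT={sport} DST_PORT={dport} "
            f"DATA=0x ACT={act} ENFORCED={enforced}")


# Constructed sample: the two packets from the page, the reply to the HTTP request,
# a second client on 443, the web server reaching a DB host, a logged deny, and noise.
SAMPLE_LOGS = [
    _log("10.255.230.36", "10.255.240.36", "ICMP", 0, 0),
    _log("10.255.230.37", "10.255.240.36", "TCP", 53220, 80),
    _log("10.255.240.36", "10.255.230.37", "TCP", 80, 53220),
    _log("10.255.230.38", "10.255.240.36", "TCP", 41000, 443),
    _log("10.255.240.36", "10.255.250.10", "TCP", 50001, 3306),
    _log("10.255.230.37", "10.255.250.10", "TCP", 50002, 3306, act="DENY"),
    "Jan 1 00:00:00 gw sshd[1]: unrelated syslog line",
]


def parse_line(line):
    """Return the key=value fields of one microseg log line, or None if it is not one."""
    if PREFIX not in line:
        return None
    rec = dict(FIELD_RE.findall(line.split(PREFIX, 1)[1]))
    for key in ("SRC_PORT", "DST_PORT", "IP_SZ"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def orient(rec):
    """Return (client_ip, server_ip, proto, service_port) for a TCP/UDP packet.

    Heuristic (assumption): the end on the lower, well-known port is the server and
    the end on the high ephemeral port is the client. Because the gateway logs each
    direction as its own packet, this also folds reply packets onto the same flow.
    ICMP and other port-less protocols return None.
    """
    if rec.get("PROTO") not in ("TCP", "UDP"):
        return None
    if rec["DST_PORT"] <= rec["SRC_PORT"]:
        return rec["SRC_IP"], rec["DST_IP"], rec["PROTO"], rec["DST_PORT"]
    return rec["DST_IP"], rec["SRC_IP"], rec["PROTO"], rec["SRC_PORT"]


def build_dependency_map(lines, include_denied=False):
    """Map (server_ip, proto, port) -> set of client IPs seen using that service."""
    deps = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or (rec.get("ACT") == "DENY" and not include_denied):
            continue
        flow = orient(rec)
        if flow is None:
            continue  # no service port to key on
        client, server, proto, port = flow
        deps[(server, proto, port)].add(client)
    return deps


def denied_flows(lines):
    """Oriented flows the gateway logged with ACT=DENY: dependencies a draft policy would break."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("ACT") == "DENY":
            flow = orient(rec)
            if flow:
                out.append(flow)
    return out


def propose_app_domains(deps):
    """Group hosts into candidate app domains by the set of services they expose.

    Hosts exposing the same (proto, port) set share a domain; hosts that expose
    nothing go to 'clients'. A web tier that is also a DB client still lands in
    the web domain, because membership is decided by what a host serves.
    """
    served, hosts = defaultdict(set), set()
    for (server, proto, port), clients in deps.items():
        served[server].add((proto, port))
        hosts.add(server)
        hosts.update(clients)
    domains = {}
    for host in sorted(hosts):
        sig = tuple(sorted(served.get(host, ())))
        domains[host] = "clients" if not sig else "svc-" + "-".join(f"{p.lower()}{n}" for p, n in sig)
    return domains


def propose_policies(deps, domains):
    """Derive the minimal set of allow rules (src_domain, dst_domain, proto, port) implied by the flows."""
    rules = set()
    for (server, proto, port), clients in deps.items():
        for client in clients:
            rules.add((domains[client], domains[server], proto, port))
    return sorted(rules)


if __name__ == "__main__":
    deps = build_dependency_map(SAMPLE_LOGS)
    domains = propose_app_domains(deps)
    for host, dom in domains.items():
        print(f"{host:15} -> {dom}")
    for src, dst, proto, port in propose_policies(deps, domains):
        print(f"allow {src} -> {dst} {proto}/{port}")
    for client, server, proto, port in denied_flows(SAMPLE_LOGS):
        print(f"review: {client} -> {server} {proto}/{port} was DENIED")
```

Run over the sample, the web server ends up in its own domain (it serves 80 and 443 and is itself a client of the DB host), the two workstations land in "clients", and three allow rules come out instead of one per host pair. The denied flow is reported separately so that a deny logged during a non-enforced trial is reviewed before enforcement is turned on. Two caveats a practitioner would want: the port heuristic misorients peer-to-peer or high-port services, and a single ICMP packet (the page's first entry) yields no service dependency at all.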
Since the dependencies between application components have to be gleaned from the collected information, a detailed level of flow scrutiny with an external tool set will be necessary to produce the final report. A considerable number of vendors provide ADM. A few of them are listed below:
- SolarWinds Server & Application Monitor
- Site24x7 Application Performance Monitor
- Cisco Workload Security (Tetration)
I might test one or two of the tools above later.