Author: rtrentin

Cloud enthusiast.
multi-cloud networking1 Comment

Aviatrix: Minimum Alerts Recommended

rtrentin

Mem Available (<= 20%) CPU Idle (<= 20%) HDisk Free (<= 20%) Gateway Status Connection Status BGP Peering Status PPS Limit Exceeded Rate (rate_pps_limit_exceeded) (>= 75) Bandwidth Egress Limit Exceeded Rate (rate_bandwidth_egress_limit_exceeded) (>= 40) Bandwidth Ingress Limit Exceeded Rate (rate_bandwidth_ingress_limit_exceeded) (>= 40) Errored Packets Transmitted Rate (rate_tx_errs) (>= 40) Errored Packets Received Rate (rate_rx_errs) (>= 40) Rate of Packets Dropped While Receiving (rate_rx_drop) (>= 40) Rate of Packets Dropped While Transmitting (rate_tx_drop) (>= 40) Conntrack Limit Exceeded Rate (rate_conntrack_limit_exceeded) (>= 40) Underlay Connection Status Tunnel Count References https://read.docs.aviatrix.com/HowTos/Monitoring_Your_Network.html https://docs.aviatrix.com/copilot/latest/monitoring-troubleshooting/user-alerts-network.html Continue reading Aviatrix: Minimum Alerts Recommended

multi-cloud networkingLeave a comment

Checking Bandwidth Consumption with Athena

rtrentin

VPC flow logs capture information about the IP traffic going to and from network interfaces in a VPC. Athena is an interactive query service that makes it easy to analyze data directly in S3 using standard SQL. Topology Create a (S3) Bucket Enable (VPC) Flow Logs Apache Parquet is a columnar data format that stores and queries data more efficiently and cost-effectively than a text format. Queries on data stored in Parquet format are 10 to 100 times faster and cheaper than data stored in text format. Flow logs delivered in Parquet format with Gzip compression use about 20 percent … Continue reading Checking Bandwidth Consumption with Athena

multi-cloud networkingLeave a comment

Dedicated Ingress VPC Health Checks

rtrentin

Topology (VPC003) Workload Configuration Instance Group: Health check: Network Load Balancer: (VPC001) Ingress VPC SNAT/DNAT using single NAT: Another option is to use customized NAT: Instance Group: Health Check: External Global HTTP(S) Load Balancer: Testing Packet capture from the proxy instance: Troubleshooting Health check failures: “End-to-End” Health Check In this scenario, the external load balancer health check probes the the internal load balancer: New HC on port 80 (service port): References https://cloud.google.com/load-balancing/docs/health-check-concepts Continue reading Dedicated Ingress VPC Health Checks

multi-cloud networkingLeave a comment

Going full DevOps with GCP (Draft)

rtrentin

Google API Access Instances in VPC can reach Google and third-party APIs and services without an external IP address. All Google Cloud APIs and services support private access. The access methods are different for services in VPC networks compared to services in Google’s production infrastructure Advantages: Networking Services API Container Registry Serverless VPC Access Cloud Build Cloud Build is a managed service on Google Cloud Platform infrastructure that allows you to continuously build, test and deploy containers. Private pools are customer-specific resources and can be customized. One customization option is the capability to disable the association of external IPs: Once … Continue reading Going full DevOps with GCP (Draft)

multi-cloud networkingLeave a comment

Migrating from GCP… to GCP

rtrentin

Current and Future Architecture Current state: Desired state: vpc001 is composed of the following subnets: vpc001 routing table (filtering routes of interest): On-prem (AS 36180) routing table: Staging On-prem route table after staging is complete (avx gateway is not attached): Attaching the gateway: And advertise the vpc001 subnets with a better metric (please note that RFC 6598 prefixes are not advertised from AVX by default): To avoid traffic switching over to AVX asymmetrically during the staging we have a few options: Switching traffic over (East-West) vpc001 destination routes to vpc002: When Cloud Routers learn a prefix that exactly matches the … Continue reading Migrating from GCP… to GCP

multi-cloud networking1 Comment

All those (vpc) flow logs… Consolidate vpc flow logs using BigQuery

rtrentin

VPC FlowLogs VPC Flow Logs records a sample of network flow. Logs can be used for network monitoring, forensics, real-time security analysis, and expense optimization. Once the vpc_flows are enabled on all subnets of interest, we can go to Logging to check if we see logs arriving: Sample below: BigQuery Cloud Logging “routes” logs to destinations like buckets, BigQuery or to Pub/Sub: We want to consolidate all logs in a centralized location where we can consume the data ingest. We can use BigQuery to accomplish that creating a sink. Sinks control how Cloud Logging routes logs: We can also set … Continue reading All those (vpc) flow logs… Consolidate vpc flow logs using BigQuery

multi-cloud networkingLeave a comment

Using a GCP LB to provide DNS High-Availability

rtrentin

DNS uses UDP port 53 for most of it operations but relies on TCP for operations that requires the transmission of packets exceeding 512 bytes. When the message size exceeds 512 bytes, it triggers a ‘TC’ bit (Truncation) in DNS to inform the client that the message length has exceeded the allowed size. The client needs then to re-transmit over TCP (size limit is 64000 bytes). Back End Configuration If you happen to run the HC across a device like routers or firewall you will need to configure DNAT for those devices to properly reply back to the HC of … Continue reading Using a GCP LB to provide DNS High-Availability

multi-cloud networkingLeave a comment

GCP Routing Without Subtitles

rtrentin

Topology 1 Metric 100 comes from: Topology 2 Topology 3 CSR: Subnetworks 10.11.64-66 are on us-east1. Adding a new subnet to vpc001 but located in us-central1: 100.64.0.0/24 is advertised from central gateway. Topology 4 Default Config: Import/Export: Topology 5 CSR1000v RIB: Using the same AS vpc001 and vpc002 does not exchange routes. If we change vpc002 CR to a different AS (64515): Topology 6 Topology 7 Topology 8 References https://cloud.google.com/vpc/docs/using-routes#gcloud https://cloud.google.com/network-connectivity/docs/router/support/troubleshooting https://developer.hashicorp.com/terraform/tutorials/kubernetes/gke?in=terraform%2Fkubernetes&utm_offer=ARTICLE_PAGE https://cloud.google.com/vpc/docs/routes Continue reading GCP Routing Without Subtitles

multi-cloud networking, thrid party integrationLeave a comment

That “little” AWS Security Group to PAN Migration Project

rtrentin

AWS Security Groups filters the traffic for one or more instances. It accomplishes this filtering function at the Transmission and IP layers, via their respective ports, and source/destination IP addresses. At least one Security Group is associated to an instance and it carries a set of rules that filter traffic entering and leaving the instances. Security Groups have a set of rules that filter traffic in two ways: inbound and outbound. The SG has a “Deny All” that allows data packets to be dropped if no rule is assigned to them from the source IP. The quota for security groups … Continue reading That “little” AWS Security Group to PAN Migration Project