Using a GCP LB to provide DNS High-Availability

DNS uses UDP port 53 for most of its operations but relies on TCP for operations that require the transmission of packets exceeding 512 bytes. When the message size exceeds 512 bytes, the server sets the ‘TC’ (Truncation) bit in the DNS response to inform the client that the message length has exceeded the allowed size. The client then needs to re-transmit the query over TCP (where the size limit is 64000 bytes). Back End Configuration: if you happen to run the HC (health check) across a device such as a router or firewall, you will need to configure DNAT on those devices so that they properly reply back to the HC of …

GCP Routing Without Subtitles

Topology 1 (figure)
Metric 100 comes from: (figure)
Topology 2 (figure)
Topology 3 (figure)
CSR: (output not included in the excerpt)
Subnetworks 10.11.64-66 are in us-east1. Adding a new subnet to vpc001 but located in us-central1: (figure). 100.64.0.0/24 is advertised from the central gateway.
Topology 4 (figure)
Default config: (figure). Import/Export: (figure)
Topology 5 (figure)
CSR1000v RIB: (output not included in the excerpt)
Using the same AS, vpc001 and vpc002 do not exchange routes. If we change the vpc002 CR (Cloud Router) to a different AS (64515): (figure)
Topology 6 (figure)
Topology 7 (figure)
Topology 8 (figure)
References:
https://cloud.google.com/vpc/docs/using-routes#gcloud
https://cloud.google.com/network-connectivity/docs/router/support/troubleshooting
https://developer.hashicorp.com/terraform/tutorials/kubernetes/gke?in=terraform%2Fkubernetes&utm_offer=ARTICLE_PAGE
https://cloud.google.com/vpc/docs/routes

That “little” AWS Security Group to PAN Migration Project

AWS Security Groups filter the traffic for one or more instances. They perform this filtering at the transport and IP layers, based on ports and on source/destination IP addresses. At least one Security Group is associated with an instance, and it carries a set of rules that filter traffic entering and leaving the instance. Security Groups have rules that filter traffic in two directions: inbound and outbound. A Security Group has an implicit “Deny All”: packets from a source IP are dropped if no rule matches them. The quota for security groups …

Using GitHub Actions to deploy Aviatrix

Automating Terraform with CI/CD enforces configuration best practices, promotes collaboration and automates the Terraform workflow. GitHub Actions Primer. Actions: an action is a custom application for the GitHub Actions platform that performs a repeated task. GitHub Actions is composed of: Workflow: workflows are defined by a YAML file in a repository and run when triggered by an event or manually. A workflow contains one or more jobs, which can run sequentially or in parallel. Jobs: a job is a set of steps in a workflow that execute on the same runner. Each step is either a shell script …

Migrating a full mesh vpc deployment to Aviatrix

The diagram below shows the initial scenario: (figure). This TGW is not “managed” by Aviatrix. The private route table looks like: (figure). The public route tables look like: (figure). CSR config: (not included in the excerpt). AVX Transit Gateway connection to AWS TGW: TGW supports the following types of attachment: (list not included in the excerpt). An AWS TGW Connect attachment allows you to establish a connection between a transit gateway and the AVX Transit Gateway using Generic Routing Encapsulation (GRE) and Border Gateway Protocol (BGP). You can create up to 4 Transit Gateway Connect peers per Connect attachment (up to 20 Gbps in total bandwidth per Connect attachment). GRE is established on top of an attachment: A …

Aviatrix Notification using WebHooks

Aviatrix CoPilot: CoPilot leverages the intelligence, advanced network, and security services delivered by Aviatrix’s multi-cloud network platform to provide enterprise cloud network operations teams both familiar day-two operational features, such as packet capture, traceroute and ping, and new operational capabilities built specifically for multi-cloud network environments. The following previous blog post provides more details: (link not included in the excerpt). The following previous posts go into detail on how to deploy Aviatrix: (links not included in the excerpt). Aviatrix CoPilot Notifications is where alerts can be configured so that you are notified about changes in your Aviatrix transit network. The alerts can be based on common telemetry data monitored in …

SAP HANA on GCP with Aviatrix

SAP HANA: SAP HANA is SAP AG’s implementation of in-memory database technology. There are three components within the software group: (list not included in the excerpt). HANA DB takes advantage of the low cost of main memory (RAM), the data processing abilities of multi-core processors and the fast data access of solid-state drives relative to traditional hard drives to deliver better performance for analytical and transactional applications. It offers a multi-engine query processing environment which allows it to support relational data (with both row- and column-oriented physical representations in a hybrid engine) as well as graph and text processing for semi- and unstructured data management within the same …

Site-2-Cloud connectivity with FortiGate and Aviatrix

The diagram below shows the environment I’m going to test: (figure). Active-Standby: this option supports connecting AVX transit gateways to on-prem with only one active tunnel and the other as backup. The use case is a deployment scenario where the on-prem device, such as a firewall, does not support asymmetric routing across two tunnels. Aviatrix configuration: (figure). The active/standby configuration will produce the following configuration: (figure). FortiGate config: to align the FortiGate configuration with the AVX gateways, we need to use the BGP Weight attribute to prefer a route received over the AVX primary transit gateway GRE tunnel over the AVX transit gateway HA GRE …

Moving an AWS brownfield to Aviatrix

The brownfield environment is shown in the diagram below: (figure) (I clicked my way through the deployment, I have to confess :( ). ASA: I modified a few items from the configuration generated by AWS, mainly: (list not included in the excerpt). Testing: once the configuration is applied to the ASAv, the Site-to-Site VPN connections come up online after a few seconds: (figure). A VM running behind the on-prem ASA firewall can ping the VMs running on AWS: (figure). Aviatrix Deployment: Transit and FireNet can be deployed using the following code: (code not included in the excerpt). Site-2-Cloud: once the AVX transit is deployed, the next step is to connect it to on-prem. S2C config: …