Site-2-Cloud connectivity with FortiGate and Aviatrix

The diagram below shows the environment I’m going to test: Active-Standby This option supports connecting AVX transit gateways to on-prem with only one active tunnel and the other one as backup. The use case is a deployment scenario where an on-prem device such as a firewall does not support asymmetric routing across two tunnels. Aviatrix configuration: The active/standby configuration will produce the following configuration: FortiGate config To align the FortiGate configuration with the AVX gateways, we need to use the BGP Weight attribute to prefer a route received over the AVX primary transit gateway GRE tunnel over the AVX transit gateway HA GRE …

Moving an AWS brownfield to Aviatrix

The brownfield environment is shown in the diagram below (I clicked my way through the deployment, I have to confess :(): ASA: I modified a few items from the configuration generated by AWS, mainly: Testing Once the configuration is applied to the ASAv, we see the Site-to-Site VPN connections come up online after a few seconds: A VM running behind the on-prem ASA firewall can ping the VMs running on AWS: Aviatrix Deployment Transit and FireNet can be deployed using the following code: Site-2-Cloud Once the AVX transit is deployed, the next step is to connect it to on-prem: S2C config: …

“Terraform-ing” your way towards Secure Multi Cloud Networking with Aviatrix

In this post I’m going to deploy an entire Aviatrix environment using Terraform, mainly the Controller and CoPilot. There is always discussion around deploying the Controller and CoPilot using automation, but I assume that if you are reading this post you are already convinced. Management Network I’m creating a new management network and subnet. This step is not necessary, but it helps validate that the GCP controller Terraform module can deploy a controller into an existing VPC: Controller Deployment The module gcp-controller allows you to launch the Aviatrix Controller and create the Aviatrix access account connecting to the Controller in Google …

Establishing Multiple External Connectivity using Aviatrix Site-2-Cloud (S2C)

The premise of this design is to establish a backup path over the internet to protect application flows that still leverage on-prem, and/or customers sitting on a main campus accessing apps living in the cloud: As I don’t have a DX circuit, I’m going to use a Site-to-Site VPN to simulate it, and Site-2-Cloud from the AVX transit gateways will provide backup to the DX connection. Primary Configuration The primary connection uses DX, and there are a few supported scenarios to integrate it with Aviatrix. I’m going to leverage private interfaces and connect it to a VGW on the …

Replacing Native NAT Gateways with Aviatrix Spoke Gateways

In this post I’m going to transfer the functionality of a couple of native NAT gateways to Aviatrix while preserving the NAT GWs’ IP addresses. If you need a refresher on AVX egress capabilities, please take a look at: AVX spoke gateways can be used as egress in a distributed model, customizing the SNAT functionality. Elastic IP (EIP) An Elastic IP address is a static IPv4 address which is reachable from the internet. An Elastic IP address is allocated to your AWS account and is yours until you release it. NAT Gateways A NAT gateway is a Network Address Translation …

5 min RTO with Aviatrix and Terraform

Disaster recovery involves a set of policies, tools, and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster. The Recovery Time Objective (RTO) is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity. I covered using Aviatrix to address the challenges of DR/BC before: In this new blog I address a new set of requirements: Proposed Design The proposed solution has the following major …

Using Azure Log Analytics with Aviatrix

Special thanks to Jorge, Manny, and Alex! What is Log Analytics Log Analytics is a SaaS offering from Microsoft that helps you collect and report on data generated by resources in Azure or from your on-premises environment. It is a very powerful tool that can hold and analyze millions of records using the Kusto query language. Workspace Log Analytics is a tool in the Azure portal that’s used to edit and run log queries against data in Azure Monitor Logs. A Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure services, such as Microsoft …

Tech Note: Migrating an Aviatrix Controller from AWS to GCP

Constraints Deploy Controller on target CSP Connect to the controller and initialize it: Bring the controller to the desired software version: Create the access accounts: Controller Security Group Mgmt Default: Disabling it: I created a temporary SG granting inbound access to port 443. Change AWS to Access/Secret key based Change the AWS account from IAM role-based to Access and Secret keys: Backup Shutdown Controller Before proceeding to the restore, make sure the current controller is down. Restore Restore the AWS controller backup providing the Account Name, Bucket Name, and File Name to the Restore under Maintenance: Re-Enable Controller Security Group …

Addressing corner cases using 3rd party VPN devices with Aviatrix

There are very specific use cases that the currently available Aviatrix NAT features cannot address. I ran into one of those, where one of the possible solutions was to use a 3rd party firewall (ASAv) to terminate site-2-site VPN connections. The proposed design for lab-ing purposes looks like the one below: The design relies on the feature called BGP over LAN, which allows transit gateways to communicate with instances in different VNets in Azure without running any tunneling protocol such as IPsec or GRE. The configuration workflow can be found at https://docs.aviatrix.com/HowTos/azure_bgpolan_multi_peer.html?highlight=bgpolan. VNets Creation I’ll create three new VNets …