Google Cloud Migration Scenarios

Lab and Configuration Staging The lab diagram for this exercise is shown below: Staging Aviatrix Flows of Interest Constraints Migration Approaches The Slicer Constraints Testing Flow 1 and Flow 2 Migration using The Slicer (Switch Traffic) Slicing it: CSR1000v routes: If the Cloud Router custom advertisement is doing (route) summarization, the slice on the avx spoke gateway advertised routes is not required. In this case, we should customize the advertisement to only allow the subnetwork where the avx gateway was deployed. Flow 3 and Flow 4 Migration using The Slicer (Switch Traffic) This step requires that all the north-south flows were …

Using Azure Route Server for Dynamic Routing

Azure Route Server is a service provided by Microsoft Azure that simplifies the process of dynamic routing for network virtual appliances (NVAs). NVAs are commonly used in virtual networks to perform tasks such as load balancing, network address translation (NAT), and virtual private network (VPN) connectivity. In a traditional network setup, dynamic routing protocols such as Border Gateway Protocol (BGP) require manual configuration and maintenance of each individual NVA. This can become time-consuming and error-prone as the network scales. With Azure Route Server, NVAs can simply connect to the route server and exchange routing information automatically. Azure Route Server supports …

Scaling Up/Scaling Down HPE Gateways

High Performance Encryption (HPE) is an Aviatrix technology that enables 10 Gbps and higher IPsec performance between two single Aviatrix Gateway instances or between a single Aviatrix Gateway instance and an on-prem Aviatrix appliance. You can change the Gateway Size if you need to change gateway throughput. The gateway will restart with a different instance size. IP addresses per network interface The following tables list the maximum number of network interfaces per instance type, and the maximum number of private IPv4 addresses and IPv6 addresses per network interface: Constraints Initial Scenario Scale Up I’m going to scale to a c5n.9xlarge: Tunnels are created …

Aviatrix: Minimum Alerts Recommended

Mem Available (<= 20%); CPU Idle (<= 20%); HDisk Free (<= 20%); Gateway Status; Connection Status; BGP Peering Status; PPS Limit Exceeded Rate (rate_pps_limit_exceeded) (>= 75); Bandwidth Egress Limit Exceeded Rate (rate_bandwidth_egress_limit_exceeded) (>= 40); Bandwidth Ingress Limit Exceeded Rate (rate_bandwidth_ingress_limit_exceeded) (>= 40); Errored Packets Transmitted Rate (rate_tx_errs) (>= 40); Errored Packets Received Rate (rate_rx_errs) (>= 40); Rate of Packets Dropped While Receiving (rate_rx_drop) (>= 40); Rate of Packets Dropped While Transmitting (rate_tx_drop) (>= 40); Conntrack Limit Exceeded Rate (rate_conntrack_limit_exceeded) (>= 40); Underlay Connection Status; Tunnel Count. References

Migrating from GCP… to GCP

Current and Future Architecture Current state: Desired state: vpc001 is composed of the following subnets: vpc001 routing table (filtering routes of interest): On-prem (AS 36180) routing table: Staging On-prem route table after staging is complete (avx gateway is not attached): Attaching the gateway: And advertise the vpc001 subnets with a better metric (please note that RFC 6598 prefixes are not advertised from AVX by default): To avoid traffic switching over to AVX asymmetrically during the staging we have a few options: Switching traffic over (East-West) vpc001 destination routes to vpc002: When Cloud Routers learn a prefix that exactly matches the …

Using GitHub Actions to deploy Aviatrix

Automating Terraform with CI/CD enforces configuration best practices, promotes collaboration and automates the Terraform workflow. GitHub Actions Prime Actions An action is a custom application for the GitHub Actions platform that performs a repeated task. GitHub Actions is composed of: Workflow Workflows are defined by a YAML file in a repository and will run when triggered by an event or manually. A workflow contains one or more jobs which can run in sequential order or in parallel. Jobs A job is a set of steps in a workflow that execute on the same runner. Each step is either a shell script …

Aviatrix Notification using WebHooks

Aviatrix CoPilot CoPilot leverages the intelligence, advanced network, and security services delivered by Aviatrix’s multi-cloud network platform to provide enterprise cloud network operations teams both familiar day-two operational features such as packet capture, traceroute and ping and new operational capabilities specifically built for multi-cloud network environments. The following previous blog post provides more details: The following previous posts go into details on how to deploy Aviatrix: Aviatrix CoPilot Notifications is where alerts can be configured so that you can be notified about changes in your Aviatrix transit network. The alerts can be based on common telemetry data monitored in …

Site-2-Cloud connectivity with FortiGate and Aviatrix

The diagram below shows the environment I’m going to test: Active-Standby This option supports connecting AVX transit gateways to on-prem with only one active tunnel and the other one as backup. The use case is a deployment scenario where an on-prem device such as a firewall does not support asymmetric routing over two tunnels. Aviatrix configuration: The active/standby configuration will produce the following configuration: FortiGate config To align the FortiGate configuration to the AVX gateways, we need to use the BGP Weight attribute to prefer a route received from the AVX primary transit gateway GRE tunnel over the AVX transit gateway HA GRE …

Moving an AWS brownfield to Aviatrix

The brownfield environment is shown in the diagram below: (I clicked my way through the deployment, I have to confess :(): ASA: I modified a few items from the configuration generated by AWS, mainly: Testing Once the configuration is applied to the ASAv, we see the Site-to-Site VPN connections come up online after a few seconds: A VM running behind the on-prem ASA firewall can ping the VMs running on AWS: Aviatrix Deployment Transit and FireNet can be deployed using the following code: Site-2-Cloud Once the AVX transit is deployed, the next step is to connect it to on-prem: S2C config: …

“Terraform-ing” your way towards Secure Multi Cloud Networking with Aviatrix

I’m going to Terraform an entire Aviatrix deployment using Terraform in this blog, mainly the controller and CoPilot. There is always discussion around the controller and CoPilot deployment using automation, but I assume if you are reading this post you are already convinced. Management Network I’m creating a new management network and subnet. This step is not necessary, but it helps validate that the gcp controller Terraform module can deploy a controller into an existing VPC: Controller Deployment The module gcp-controller allows you to launch the Aviatrix Controller and create the Aviatrix access account connecting to the Controller in Google …