Centralized Ingress using FortiGate NGFWs and Aviatrix Transit Gateways with FireNet enabled

High Level Design Ingress Design using the Aviatrix FireNet FortiGates: All FortiGates receive sessions via the load balancer as long as they pass the health checks. While an Active-Passive (A-P) cluster behind the load balancer is an option, it is generally more effective to use standalone FGT units behind the load balancer in multiple Availability Zones (AZs). This configuration provides a robust mechanism to withstand the complete failure of an AZ. For reference, I have attached the Aviatrix Transit Firewall Network design for FortiGate firewalls below: The application flow is shown below: Aviatrix Transit Configuration Enable FireNet Navigate to CoPilot … Continue reading Centralized Ingress using FortiGate NGFWs and Aviatrix Transit Gateways with FireNet enabled

Using Cloud Interconnect with Aviatrix

Google Cloud Interconnect is a service provided by Google Cloud Platform (GCP) that enables customers to establish private, high-performance connections between their on-premises infrastructure and Google Cloud. It offers low-latency, secure connectivity by bypassing the public internet, making it ideal for scenarios like data migration, replication, disaster recovery, or hybrid cloud deployments. There are three main options: Key benefits include reduced latency, enhanced security (traffic stays off the public internet), cost savings on egress traffic, and direct access to Google Cloud’s internal IP addresses without needing VPNs or NAT devices. It’s widely used by enterprises in industries like media, healthcare, … Continue reading Using Cloud Interconnect with Aviatrix

Connecting On-Prem to AWS using MegaPort

There are several designs possible when connecting on-premises equipment to AWS using Direct Connect: In this document, we are going to use Megaport offerings to connect a data center to AWS. Port Types of ports offered by MegaPort: How to request/create a port Connect to the Megaport portal and click on the Services tab. Select Create a Port: Pick a location: Choose the speed required, give a name to the port, and select the minimum contract term: MegaPort can cross-connect ports in a few locations. Ports are assigned to diversity zones. A diversity zone groups devices at the same location … Continue reading Connecting On-Prem to AWS using MegaPort

AVX and AWS DNS

AWS DNS Design Options (from reference #1) Option 1: Inbound and Outbound endpoints deployed in the hub VPC Option 2: Inbound and Outbound endpoints deployed in the hub VPC for forwarding Option 3: VPC sharing This option will not be investigated as it does not fit a scalable and secure hub-and-spoke topology. Option 4: Shared Private Zones and Forwarded Rules (AWS recommended) Testing Configuration Information Hosted Private Zone: Outbound Config: Rule: Inbound config: Design Option 1 Create a DHCP option set pointing to the inbound endpoints: and associate it with the VPC: Servers will have their /etc/resolv.conf updated to: … Continue reading AVX and AWS DNS

Tech Note: Migrating an Aviatrix Controller from AWS to Azure

Constraints AWS Controller Change the AWS account from IAM role-based to Access and Secret keys This procedure is only supported on accounts without Gateways deployed. Backup Shutdown Controller Azure Controller Requirements Aviatrix Cloud Network Controller deploys Controller 7.1.4105 and later. To deploy Controller version 7.1.4101 or earlier, subscribe to Aviatrix Secure Networking Platform BYOL. Deploy New Controller The steps below should be completed before the cutover. Bring the controller to the desired software version (7.1.3176) Onboard Access Accounts Transfer Backup from AWS Bucket to Azure Storage Account Restore Use Controller Settings -> Maintenance -> Backup and Restore to … Continue reading Tech Note: Migrating an Aviatrix Controller from AWS to Azure

Experimenting with GCP PBR

Policy-based routes can route traffic based on destination, protocol, and source. How to Configure it PBR requires an internal passthrough Network Load Balancer as the next hop: Do not forget to create the proper firewall rules for the health checks. Health checks are sourced from the following ranges: 130.211.0.0/22 and 35.191.0.0/16. Create a route but select Policy Based Route from the drop-down menu: Testing The test is quite simple. From the Test VM, if we ping 10.17.60.51 the traffic should not go through the Standalone Gateways, but if we ping 192.168.200.3 we should see the traffic flowing through the standalone gateways. Constraints You can … Continue reading Experimenting with GCP PBR

Supernetting

From Wikipedia: A supernetwork, or supernet, is an Internet Protocol (IP) network that is formed by aggregation of multiple networks (or subnets) into a larger network. The new routing prefix for the aggregate network represents the constituent networks in a single routing table entry. The process of forming a supernet is called supernetting, prefix aggregation, route aggregation, or route summarization. https://en.wikipedia.org/wiki/Supernetwork Topology Prefix Advertised By default, gateways advertise the subnet prefixes discovered during the deployment: Supernetting Testing Pinging an existing target: Pinging a non-existent target: Continue reading Supernetting

A little help from my friend… hacks on how to work with default routes

Most, if not all, GCP customers consume GCP PaaS/SaaS services like GKE, Cloud SQL, and others. Those services have their compute capacity provisioned inside Google-owned VPCs, and VPC peerings are used to establish a data plane for customers to reach them. AVX Behavior Constraints Workarounds AVX Gateway Routes Create routes with a higher priority and with the tag avx-<vpc name>-gbl with the next hop “Default internet gateway”. Those are used exclusively by AVX Spoke Gateways. This step is necessary to prevent a route loop when executing the step below. 0.0.0.0/0 Option 1 It is possible to use the feature … Continue reading A little help from my friend… hacks on how to work with default routes

Hello again old friend…

Distributed Cloud Firewall Distributed Cloud Firewall enhances security by enforcing network policies between SmartGroups, which you define to manage applications within single or multiple cloud environments. SmartGroups: Network Policy Enforcement: How to enable it Once you are logged in to CoPilot, go to Security -> Distributed Cloud Firewall. Click on Enable Distributed Cloud Firewall: Click Begin Using Distributed Cloud Firewall to start configuring it: A Greenfield Rule will be created to allow traffic that maintains the current state, facilitating the creation of custom rules for specific security needs. Distributed Cloud Firewall will deny all previously permitted traffic due to its … Continue reading Hello again old friend…

Private Mode

Private Mode facilitates Aviatrix deployments without relying on public IPs. Private Mode was introduced in Aviatrix software version 6.8. Constraints Architecture Transit-to-Spoke data plane tunnels will utilize orchestrated native peering as an underlay. Cloud instances will only have private IPs (Aviatrix Controller, Gateways, and CoPilot), and management traffic occurs through native cloud constructs like Load Balancers, Private Link Services, and peering connections, serving as the foundation for the Aviatrix encrypted Transit network. Load Balancers Elastic Load Balancing (ELB) automatically disperses incoming traffic among multiple targets, including EC2 instances, containers, and IP addresses, across one or more Availability Zones. … Continue reading Private Mode