Centralized Ingress using FortiGate NGFWs and Aviatrix Transit Gateways with FireNet enabled

High Level Design Ingress Design using the Aviatrix FireNet FortiGates: All FortiGates receive sessions via the load balancer as long as they pass the health checks. While an Active-Passive (A-P) cluster behind the load balancer is an option, it is generally more effective to use standalone FGT units behind the load balancer in multiple Availability Zones (AZs). This configuration provides a robust mechanism to withstand the complete failure of an AZ. For reference, I have attached the Aviatrix Transit Firewall Network design for FortiGate firewalls below: The application flow is shown below: Aviatrix Transit Configuration Enable FireNet Navigate to CoPilot …

Connecting On-Prem to AWS using MegaPort

There are several designs possible when connecting on-premises equipment to AWS using Direct Connect: In this document, we are going to use Megaport offerings to connect a data center to AWS. Port Types of ports offered by Megaport: How to request/create a port Connect to the Megaport portal and click on the Services tab. Select Create a Port: Pick a location: Choose the speed required, give a name to the port, and select the minimum contract term: Megaport can cross connect ports in a few locations. Ports are assigned to diversity zones. A diversity zone groups devices at the same location …

AVX and AWS DNS

AWS DNS Design Options (from reference #1) Option 1: Inbound and Outbound endpoints deployed in the hub VPC Option 2: Inbound and Outbound endpoints deployed in the hub VPC for forwarding Option 3: VPC sharing This option will not be investigated as it does not fit a scalable and secure hub and spoke topology. Option 4: Shared Private Zones and Forwarded Rules (AWS recommended) Testing Configuration Information Hosted Private Zone: Outbound Config: Rule: Inbound config: Design Option 1 Create a DHCP option set pointing to the inbound endpoints: and associate it with the VPC: Servers will have their /etc/resolv.conf updated to: …

Tech Note: Migrating an Aviatrix Controller from AWS to Azure

Constraints AWS Controller Change the AWS account from IAM role-based to Access and Secret keys This procedure is only supported on accounts without Gateways deployed. Backup Shutdown Controller Azure Controller Requirements Aviatrix Cloud Network Controller deploys Controller 7.1.4105 and later. To deploy Controller version 7.1.4101 or earlier, subscribe to Aviatrix Secure Networking Platform BYOL. Deploy New Controller The steps below should be completed before the cutover. Bring the controller to the desired software version (7.1.3176) Onboard Access Accounts Transfer Backup from AWS Bucket to Azure Storage Account Restore Use the Controller Settings -> Maintenance -> Backup and Restore to …

Private Mode

Private Mode facilitates Aviatrix deployments without relying on public IPs. Private Mode was introduced in Aviatrix software version 6.8. Constraints Architecture Transit to Spoke data plane tunnels will utilize orchestrated native peering as an underlay. Cloud instances will only have private IPs (Aviatrix Controller, Gateways, and CoPilot) and management traffic occurs through native cloud constructs like Load Balancers, Private Link Services, and peering connections, serving as the foundation for the Aviatrix encrypted Transit network. Load Balancers Elastic Load Balancing (ELB) automatically disperses incoming traffic among multiple targets, including EC2 instances, containers, and IP addresses, across one or more Availability Zones. …

External Connections Traffic Engineering

BGP (Border Gateway Protocol) is typically used in wide-area networks (WANs) to exchange routing information between different autonomous systems (ASes) on the internet. It’s not commonly used in local area networks (LANs) because LANs typically use interior gateway protocols (IGPs) like OSPF or RIP for routing within the same network. However, there are scenarios where BGP can be used within a LAN, particularly in large-scale data center environments or specialized network setups. One such scenario is when peering with third-party Network Virtual Appliances (NVAs) that are deployed within the LAN. These NVAs might need BGP to exchange routing information with …

VPC Peering Security Groups

A security group serves as a protective barrier, functioning like a firewall to manage the flow of network traffic to and from the resources within your Virtual Private Cloud (VPC). With security groups, you have the flexibility to select the specific ports and communication protocols that are permitted for both incoming (inbound) and outgoing (outbound) network traffic. You have the capability to modify the inbound or outbound rules within your VPC’s security groups to make reference to security groups in a peered VPC. This adjustment enables the smooth exchange of network traffic between instances associated with the specified security groups …

Configuring Google Cloud Workload Identity Federation (AWS)

A workload identity is a special identity used for authentication and access by software applications and services. It helps them connect to other services and resources securely. The most direct method for external workloads to use Google Cloud APIs is by using downloaded service account keys. However, this approach comes with two significant challenges: To address these issues, workload identity federation offers an alternative. This approach allows applications outside of Google Cloud to replace persistent service account keys with short-lived access tokens. This is accomplished by establishing a trust relationship between Google Cloud and an external identity provider. The external …

Checking Bandwidth Consumption with Athena

VPC flow logs capture information about the IP traffic going to and from network interfaces in a VPC. Athena is an interactive query service that makes it easy to analyze data directly in S3 using standard SQL. Topology Create a (S3) Bucket Enable (VPC) Flow Logs Apache Parquet is a columnar data format that stores and queries data more efficiently and cost-effectively than a text format. Queries on data stored in Parquet format are 10 to 100 times faster and cheaper than data stored in text format. Flow logs delivered in Parquet format with Gzip compression use about 20 percent …