Solving PAN-OS Routing Issues with Enforce-Symmetric-Return

Overview: Inbound internet traffic to workloads in Aviatrix spoke VPCs is routed through PAN-OS firewalls for inspection using a Global External Application Load Balancer with Zonal NEGs. A Policy Based Forwarding (PBF) rule with enforce-symmetric-return on PAN-OS handles the asymmetric routing caused by the GFE proxy sourcing all traffic from 35.191.0.0/16 (Google also documents 130.211.0.0/22 for these proxies, so both ranges should be matched). Architecture: Why PBF with Enforce-Symmetric-Return. The Global Application LB is a reverse proxy, so all backend traffic (health checks and real user requests) arrives from Google Front End IPs in the 35.191.0.0/16 range. This creates an asymmetric routing problem: Why dual VRs don't solve this: PAN-OS sessions are NOT …

Using Cloud Interconnect with Aviatrix

Google Cloud Interconnect is a service provided by Google Cloud Platform (GCP) that enables customers to establish private, high-performance connections between their on-premises infrastructure and Google Cloud. It offers low-latency, secure connectivity by bypassing the public internet, making it ideal for scenarios like data migration, replication, disaster recovery, or hybrid cloud deployments. There are three main options: Key benefits include reduced latency, enhanced security (traffic stays off the public internet), cost savings on egress traffic, and direct access to Google Cloud's internal IP addresses without needing VPNs or NAT devices. It is widely used by enterprises in industries like media, healthcare, …

Experimenting with GCP PBR

Policy-based routes can route traffic based on destination, protocol, and source. How to Configure it: PBR requires an internal pass-through network load balancer as the next hop. Do not forget to create the proper firewall rules for the health checks; health checks are sourced from the following ranges: 130.211.0.0/22 and 35.191.0.0/16. Create a route, but select Policy Based Route from the drop-down menu. Testing: The test is quite simple. From the Test VM, if we ping 10.17.60.51 the traffic should not go through the Standalone Gateways, but if we ping 192.168.200.3 we should see the traffic flowing through the standalone gateways. Constraints: You can …
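The evaluation rule behind that test (match on source, destination and protocol; lowest priority value wins; no match means the normal routing table applies) and the health-check firewall requirement, as an added Python example that is not code from the original post. The two destination addresses are the post's own; the source VM address, the ILB names, the rule names and the second TCP-only route are constructed for illustration.

```python
"""Added example, not from the original post: a small model of how GCP
policy-based routes (PBR) are evaluated, plus a check that the firewall
admits Google's health-check prober ranges. The ILB names, rule names and
source VM address are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Health-check source ranges quoted in the post.
HEALTH_CHECK_RANGES = ("130.211.0.0/22", "35.191.0.0/16")


@dataclass(frozen=True)
class PolicyRoute:
    name: str
    priority: int                   # GCP semantics: lower number wins
    next_hop: str                   # internal pass-through NLB forwarding rule (assumed name)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    protocol: Optional[str] = None  # None = any protocol

    def matches(self, src_ip: str, dst_ip: str, proto: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src, strict=False)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst, strict=False)
                and (self.protocol is None or self.protocol == proto))


def select_next_hop(routes, src_ip, dst_ip, proto):
    """Return the ILB next hop of the best-priority policy route for this
    flow, or None when no PBR applies and the normal routing table is used."""
    hits = [r for r in routes if r.matches(src_ip, dst_ip, proto)]
    if not hits:
        return None
    return min(hits, key=lambda r: r.priority).next_hop


def missing_health_check_sources(allowed_ranges):
    """Health-check ranges that no allow rule fully covers. An empty list
    means the probers can reach the backends. A rule narrower than the
    documented range (e.g. 35.191.0.0/17) does not count as coverage."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowed_ranges]
    missing = []
    for cidr in HEALTH_CHECK_RANGES:
        hc = ipaddress.ip_network(cidr)
        if not any(hc.subnet_of(a) for a in allowed):
            missing.append(cidr)
    return missing


# Constructed PBR table: only 192.168.200.0/24 is steered through the
# standalone gateways' ILB; TCP to that range gets a dedicated, higher-priority rule.
ROUTES = [
    PolicyRoute("pbr-to-standalone-gws", 100, "ilb-standalone-gws", dst="192.168.200.0/24"),
    PolicyRoute("pbr-tcp-inspect", 50, "ilb-tcp-inspect", dst="192.168.200.0/24", protocol="TCP"),
]

if __name__ == "__main__":
    for dst, proto in (("192.168.200.3", "ICMP"), ("192.168.200.3", "TCP"), ("10.17.60.51", "ICMP")):
        print(dst, proto, "->", select_next_hop(ROUTES, "10.17.10.5", dst, proto))
    print("uncovered health-check ranges:", missing_health_check_sources(["35.191.0.0/17"]))
```

The coverage check is the part that bites in practice: a partial allow rule keeps the ILB backends unhealthy, and an ILB with no healthy backend cannot be a usable PBR next hop, so the ping to 192.168.200.3 fails even though the route itself is correct.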

Supernetting

From Wikipedia: A supernetwork, or supernet, is an Internet Protocol (IP) network that is formed by aggregation of multiple networks (or subnets) into a larger network. The new routing prefix for the aggregate network represents the constituent networks in a single routing table entry. The process of forming a supernet is called supernetting, prefix aggregation, route aggregation, or route summarization. https://en.wikipedia.org/wiki/Supernetwork Topology: Prefixes Advertised: By default, gateways advertise the subnet prefixes discovered during deployment. Supernetting: Testing: Pinging an existing target: Pinging a non-existent target:
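Aggregation and the two ping tests above, as an added Python example that is not code from the original post. It collapses constituent subnets into a summary, computes the single covering supernet, and runs a longest-prefix lookup against a per-subnet table and a summarized table for a destination that sits inside the summary but has no subnet behind it. The prefixes and next-hop names are constructed for illustration.

```python
"""Added example, not from the original post: prefix aggregation plus a
longest-prefix-match lookup showing how a summary route treats a target
that does not exist. All prefixes and next-hop names are constructed."""
import ipaddress


def summarize(prefixes):
    """Minimal set of aggregates covering exactly the given prefixes:
    adjacent and overlapping networks are merged, gaps are preserved."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covering_supernet(prefixes):
    """Single shortest prefix that contains every input prefix: what a
    summary route advertises when gaps are accepted in exchange for one entry."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()          # widen by one bit until everything fits
    return str(agg)


def lookup(rib, dst_ip):
    """Longest-prefix match over {prefix: next_hop}; None means no route."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop in rib.items():
        net = ipaddress.ip_network(prefix, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, next_hop)
    return best[1] if best else None


# Constructed routing tables. SPECIFIC_RIB carries one entry per discovered
# subnet (the default gateway behaviour); SUMMARY_RIB replaces the remote
# entries with a /22 summary while the local subnet stays as a longer match.
SPECIFIC_RIB = {"10.17.60.0/24": "avx-spoke-gw", "10.17.61.0/24": "local-subnet"}
SUMMARY_RIB = {"10.17.60.0/22": "avx-spoke-gw", "10.17.61.0/24": "local-subnet"}

if __name__ == "__main__":
    print(summarize(["10.17.60.0/24", "10.17.61.0/24", "10.17.62.0/24", "10.17.63.0/24"]))
    print(covering_supernet(["10.17.60.0/24", "10.17.62.0/24"]))
    for dst in ("10.17.61.7", "10.17.63.9"):            # existing / non-existent target
        print(dst, "specific:", lookup(SPECIFIC_RIB, dst), "summary:", lookup(SUMMARY_RIB, dst))
```

The non-existent target is the case to watch: with per-subnet routes the source has no route and drops the packet locally, while with the summary the packet is forwarded to the spoke gateway, which then has to discard it. A summary therefore attracts traffic for every address in the covered range, including ranges nobody has deployed yet.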

A little help from my friend… hacks on how to work with default routes

Most, if not all, GCP customers consume GCP PaaS/SaaS services like GKE, Cloud SQL, and others. Those services have their compute capacity provisioned inside Google-owned VPCs, and VPC peerings are used to establish a data plane for customers to reach them. AVX Behavior: Constraints: Workarounds: AVX Gateway Routes: Create routes with a higher priority and with the tag avx-<vpc name>-gbl and the next hop "Default internet gateway". Those are used exclusively by AVX Spoke Gateways. This step is necessary to prevent a route loop when executing the step below. 0.0.0.0/0 Option 1: It is possible to use the feature …

AVX “Global VPC” Tagging

GCP Global VPC creates regional awareness between the VPC and Aviatrix gateways, allowing you to restrict spoke gateway traffic to transit gateways in the same region as the spoke gateway. Without Global VPC, communications between spokes over transit in the same region may be routed through a transit gateway outside that region. Regional awareness is achieved by appending regional network tags to the gateway virtual machines and adding regional routes, scoped to those tags, to the routing table. From Google Cloud documentation: "A tag is simply a character string added to a tags field in a resource, such as Compute Engine virtual machine (VM) instances or …
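Both tag-scoped techniques on this page, the avx-<vpc name>-gbl default route that keeps the spoke gateway out of the 0.0.0.0/0 loop (previous post) and the regional tagged routes above, rest on the same GCP route-selection rule: a tagged route applies only to instances carrying one of its tags, the most specific destination wins, and among equally specific routes the lowest priority value wins. The following added Python example (not code from the original posts or from Aviatrix) models that rule and shows the loop appearing and disappearing. The tag pattern avx-<vpc name>-gbl is from the post; the VPC name "prod", the regional tag names, route names, instance names and transit gateway names are assumptions.

```python
"""Added example, not from the original posts: a model of GCP route
selection with network tags and priorities, used to show (a) why the
spoke gateway loops on a 0.0.0.0/0-via-spoke route without its own tagged
bypass and (b) how regional tags pin a gateway to a same-region transit.
Names other than the avx-<vpc name>-gbl tag pattern are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    dest: str
    priority: int                        # GCP: 0..65535, lower number wins
    next_hop: str                        # instance name or "default-internet-gateway"
    tags: frozenset = frozenset()        # empty = applies to every instance


@dataclass(frozen=True)
class Instance:
    name: str
    tags: frozenset = frozenset()


def applies_to(route, inst):
    """Untagged routes apply to all instances; tagged routes only to tagged ones."""
    return not route.tags or bool(route.tags & inst.tags)


def select_route(routes, inst, dst_ip):
    """Longest destination prefix first, then lowest priority value."""
    dst = ipaddress.ip_address(dst_ip)
    cands = [r for r in routes
             if applies_to(r, inst) and dst in ipaddress.ip_network(r.dest, strict=False)]
    if not cands:
        return None
    return max(cands, key=lambda r: (ipaddress.ip_network(r.dest).prefixlen, -r.priority))


def has_default_route_loop(routes, inst):
    """True when the instance's own best route to the internet points at itself."""
    r = select_route(routes, inst, "203.0.113.10")   # TEST-NET-3 address as 'the internet'
    return r is not None and r.next_hop == inst.name


# --- Default-route hack (constructed around the post's description) ---
GCP_DEFAULT = Route("default-route-internet", "0.0.0.0/0", 1000, "default-internet-gateway")
# The step from the post: send workload egress through the spoke gateway.
VIA_SPOKE = Route("avx-prod-default-via-spoke", "0.0.0.0/0", 500, "avx-spoke-gw")
# The prerequisite from the post: a higher-priority route tagged avx-<vpc name>-gbl
# with next hop Default internet gateway, used only by the spoke gateways.
GW_BYPASS = Route("avx-prod-gw-internet", "0.0.0.0/0", 100, "default-internet-gateway",
                  frozenset({"avx-prod-gbl"}))

SPOKE_GW = Instance("avx-spoke-gw", frozenset({"avx-prod-gbl"}))
WORKLOAD = Instance("web-1")

# --- Regional tagging (constructed; tag and transit names are assumptions) ---
REGIONAL = [
    Route("avx-prod-rfc1918-use1", "10.0.0.0/8", 100, "avx-transit-us-east1",
          frozenset({"avx-prod-us-east1"})),
    Route("avx-prod-rfc1918-euw1", "10.0.0.0/8", 100, "avx-transit-europe-west1",
          frozenset({"avx-prod-europe-west1"})),
    Route("avx-prod-rfc1918-any", "10.0.0.0/8", 200, "avx-transit-us-east1"),
]
EU_GW = Instance("avx-spoke-gw-eu", frozenset({"avx-prod-europe-west1"}))

if __name__ == "__main__":
    print("loop without bypass:", has_default_route_loop([GCP_DEFAULT, VIA_SPOKE], SPOKE_GW))
    print("loop with bypass:", has_default_route_loop([GCP_DEFAULT, VIA_SPOKE, GW_BYPASS], SPOKE_GW))
    print("EU gateway ->", select_route(REGIONAL, EU_GW, "10.50.1.1").next_hop)
    print("untagged VM ->", select_route(REGIONAL, WORKLOAD, "10.50.1.1").next_hop)
```

Order of operations matters for the same reason the post gives: add the tagged bypass first, then the 0.0.0.0/0-via-spoke route; doing it the other way round leaves a window in which the gateway's own egress (including its control-plane traffic) points back at itself.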

Google Cloud Shared VPC

A Shared Virtual Private Cloud (VPC) is a feature within Google Cloud that enables organizations to connect resources from multiple projects to a common network infrastructure. This shared network, hosted within a designated "host project", allows secure and efficient communication among resources using internal IP addresses. Service projects, attached to the host project's network, can use specific subnets for their instances. This setup offers a balance between centralized control over network resources, such as subnets and firewalls, and decentralized administration of instances within individual service projects. By segregating administrative responsibilities, organizations can enforce consistent access control policies, enhance security, and …

Configuring Google Cloud Workload Identity Federation (AWS)

A workload identity is a special identity used for authentication and access by software applications and services. It helps them connect to other services and resources securely. The most direct method for external workloads to use Google Cloud APIs is to use downloaded service account keys. However, this approach comes with two significant challenges: To address these issues, workload identity federation offers an alternative. This approach allows applications outside of Google Cloud to replace persistent service account keys with short-lived access tokens. This is accomplished by establishing a trust relationship between Google Cloud and an external identity provider. The external …

Google Cloud Migration Scenarios

Lab and Configuration Staging: The lab diagram for this exercise is shown below: Staging Aviatrix: Flows of Interest: Constraints: Migration Approaches: The Slicer: Constraints: Testing: Flow 1 and Flow 2 Migration using The Slicer (Switch Traffic): Slicing it: CSR1000v routes: If the Cloud Router custom advertisement is doing (route) summarization, the slice on the AVX spoke gateway advertised routes is not required. In this case, we should customize the advertisement to only allow the subnetwork where the AVX gateway was deployed. Flow 3 and Flow 4 Migration using The Slicer (Switch Traffic): This step requires that all the north-south flows were …

Apigee not bee :)

Apigee is a Google SaaS platform for developing and managing APIs. Apigee provides an abstraction layer in front of backend service APIs and provides security, rate limiting, quotas, and analytics. Apigee consists of the following components: A more granular, network-friendly diagram is shown below: A more in-depth overview is provided here: https://cloud.google.com/apigee/docs/api-platform/architecture/overview Setting it up: There are at least three different ways to provision Apigee: https://cloud.google.com/apigee/docs/api-platform/get-started/provisioning-intro#provisioning-options I'm going to use the free trial wizard to get acquainted with Apigee. The evaluation wizard guides us through the steps: The Apigee runtime requires a dedicated /22 range for evaluation: Each Apigee instance requires …