Solving PAN-OS Routing Issues with Enforce-Symmetric-Return

Overview
Inbound internet traffic to workloads in Aviatrix spoke VPCs is routed through PAN-OS firewalls for inspection using a Global External Application Load Balancer with Zonal NEGs. A Policy Based Forwarding (PBF) rule with enforce-symmetric-return on PAN-OS handles the asymmetric routing caused by the GFE proxy sourcing all traffic from 35.191.0.0/16.
Architecture
Why PBF with Enforce-Symmetric-Return
The Global Application LB is a reverse proxy — ALL backend traffic (health checks and real user requests) arrives from Google Front End IPs in the 35.191.0.0/16 range. This creates an asymmetric routing problem:
Why dual VRs don’t solve this: PAN-OS sessions are NOT …

Centralized Ingress using FortiGate NGFWs and Aviatrix Transit Gateways with FireNet enabled

High Level Design
Ingress Design using the Aviatrix FireNet FortiGates: All FortiGates receive sessions via the load balancer as long as they pass the health checks. While an Active-Passive (A-P) cluster behind the load balancer is an option, it is generally more effective to use standalone FGT units behind the load balancer in multiple Availability Zones (AZs). This configuration provides a robust mechanism to withstand the complete failure of an AZ. For reference, I have attached the Aviatrix Transit Firewall Network design for FortiGate firewalls below:
The application flow is shown below:
Aviatrix Transit Configuration
Enable Firenet
Navigate to CoPilot …

Hello again old friend…

Distributed Cloud Firewall
Distributed Cloud Firewall enhances security by enforcing network policies between SmartGroups, which you define to manage applications within single or multiple cloud environments.
SmartGroups:
Network Policy Enforcement:
How to enable it
Once you are logged in to Copilot, go to Security -> Distributed Cloud Firewall. Click on Enable Distributed Cloud Firewall:
Click Begin Using Distributed Cloud Firewall to start configuring it:
A Greenfield Rule will be created to allow traffic that maintains the current state, facilitating the creation of custom rules for specific security needs. Distributed Cloud Firewall will deny all previously permitted traffic due to its …

Configuring Google Cloud Workload Identity Federation (AWS)

A workload identity is a special identity used for authentication and access by software applications and services. It helps them connect to other services and resources securely. The most direct method for external workloads to use Google Cloud APIs is by using downloaded service account keys. However, this approach comes with two significant challenges: To address these issues, workload identity federation offers an alternative. This approach allows applications outside of Google Cloud to replace persistent service account keys with short-lived access tokens. This is accomplished by establishing a trust relationship between Google Cloud and an external identity provider. The external …

Scaling Out Secure Dedicated Ingress on GCP

Proposed Architecture
The architecture presented below satisfies GCP customers' requirements to use third-party compute-instance-based appliances in their flows. The design considers HTTP(S) load balancers due to their advanced capabilities.
Constraints
GCP Load Balancers Decision Chart
Update DNS
How to Scale Scenario 1
How to Scale Scenario 2
How to Scale Scenario 3
How to Scale Scenario 4
The health check (HC) is the same as before, as we are checking the health of the compute instances:
References
https://research.google/pubs/pub44824/
https://cloud.google.com/load-balancing/docs/load-balancing-overview
https://cloud.google.com/load-balancing/docs/backend-service

Deploying an Aviatrix Firenet on Azure with CheckPoint CloudGuard (Single GWs)

Aviatrix Transit FireNet allows the deployment of 3rd party firewalls onto the Aviatrix transit architecture. Transit FireNet works the same way as the Firewall Network, where traffic in and out of the specified Spoke is forwarded to the firewall instances for inspection or policy application. The diagram below shows the Aviatrix Firenet design for Azure. When a transit gateway is deployed with the firenet option checked, the Aviatrix controller will:
create subnets
create UDRs
create an internal NLB
configure the internal NLB (front end, back end, health check)
Aviatrix deploys and configures the Internal Load Balancers for a Firenet. If you …

Micro-Segmentation Cloud Architecture with Aviatrix

Architects and engineers are confronted with the criteria on how to create segments when designing segmentation for Aviatrix and how segments communicate among themselves. Today Aviatrix supports Region, Account Name, Subnets, VPC/VNets, and CSP tags as segmentation criteria:
In a fabric with a “network” centric design the app domains are aligned to network constructs (vpc/vnet/subnet). For example: 1 subnet = 1 app domain or 1 vpc = 1 app domain. Usually communication is allowed unrestricted as those domains contain multiple apps. It is called an app centric design when the app domain constructs are aligned to the application and …

Aviatrix useg: multiple app membership

In this document I’m going to experiment with multiple app domain membership: a VM belongs to more than one app domain. If you are not familiar with the feature, please visit my previous blog on useg to get started:
Test Deployment
I have a small environment with two spokes (spoke30 and spoke40) where I deployed three test VMs:
spoke30-useg-vm1
spoke40-useg-vm1
spoke40-useg-vm2
Each one has a tag with its own VM name.
App Domain “appdomain-blue”:
The two VMs match the logical OR condition and are correctly classified as belonging to the “appdomain-blue”:
App Domain “appdomain-green”:
The two VMs match the logical …

Aviatrix useg: intra app domain policies

In this document I’m going to experiment with intra app domain policies:
intra policy deny
intra policy allow
custom intra policies
Aviatrix useg implementation is extremely flexible to allow any of the configurations above. Aviatrix useg is in Public Preview mode at this time (Aviatrix version 6.7b): Public preview mode feature options, performance, and scalability may be limited compared to the final feature. If you are not familiar with the feature, please visit my previous blog on useg to get started:
Test Deployment
I have a small environment with two spokes (spoke30 and spoke40) where I deployed two test VMs: …