Configuring Google Cloud Workload Identity Federation (AWS)

A workload identity is a special identity used for authentication and access by software applications and services. It helps them connect to other services and resources securely. The most direct method for external workloads to use Google Cloud APIs is to use downloaded service account keys. However, this approach comes with two significant challenges: To address these issues, workload identity federation offers an alternative. This approach allows applications outside Google Cloud to replace persistent service account keys with short-lived access tokens. This is accomplished by establishing a trust relationship between Google Cloud and an external identity provider. The external …

Scaling Out Secure Dedicated Ingress on GCP

Proposed Architecture The architecture presented below satisfies GCP customers' requirements to use third-party, compute-instance-based appliances in their flows. The design considers HTTP(S) load balancers due to their advanced capabilities. Constraints; GCP Load Balancers Decision Chart; Update DNS; How to Scale Scenario 1; How to Scale Scenario 2; How to Scale Scenario 3; How to Scale Scenario 4. The health check (HC) is the same as before, as we are checking the health of the compute instances. References: https://research.google/pubs/pub44824/ https://cloud.google.com/load-balancing/docs/load-balancing-overview https://cloud.google.com/load-balancing/docs/backend-service

Deploying an Aviatrix Firenet on Azure with CheckPoint CloudGuard (Single GWs)

Aviatrix Transit FireNet allows the deployment of third-party firewalls onto the Aviatrix transit architecture. Transit FireNet works the same way as the Firewall Network: traffic in and out of the specified Spoke is forwarded to the firewall instances for inspection or policy application. The diagram below shows the Aviatrix FireNet design for Azure. When a transit gateway is deployed with the FireNet option checked, the Aviatrix controller will create subnets, create UDRs, create an internal NLB, and configure the internal NLB (front end, back end, health check). Aviatrix deploys and configures the internal load balancers for a FireNet. If you …

Micro-Segmentation Cloud Architecture with Aviatrix

Architects and engineers are confronted with the question of which criteria to use when creating segments in an Aviatrix segmentation design, and how those segments communicate among themselves. Today Aviatrix supports Region, Account Name, Subnets, VPC/VNets, and CSP tags as segmentation criteria. In a fabric with a "network"-centric design, the app domains are aligned to network constructs (VPC/VNet/subnet). For example: 1 subnet = 1 app domain, or 1 VPC = 1 app domain. Usually communication is allowed unrestricted, as those domains contain multiple apps. It is called an app-centric design when the app domain constructs are aligned to the application and …

Aviatrix useg: multiple app membership

In this document I'm going to experiment with multiple app domain membership: a VM belongs to more than one app domain. If you are not familiar with the feature, please visit my previous blog on useg to get started. Test Deployment: I have a small environment with two spokes (spoke30 and spoke40) where I deployed three test VMs: spoke30-useg-vm1, spoke40-useg-vm1, and spoke40-useg-vm2. Each one has a tag with its own VM name. App Domain "appdomain-blue": the two VMs match the logical OR condition and are correctly classified as belonging to "appdomain-blue". App Domain "appdomain-green": the two VMs match the logical …

Aviatrix useg: intra app domain policies

In this document I'm going to experiment with intra app domain policies: intra policy deny, intra policy allow, and custom intra policies. The Aviatrix useg implementation is flexible enough to allow any of the configurations above. Aviatrix useg is in Public Preview mode at this time (Aviatrix version 6.7b): in public preview mode, feature options, performance, and scalability may be limited compared to the final feature. If you are not familiar with the feature, please visit my previous blog on useg to get started. Test Deployment: I have a small environment with two spokes (spoke30 and spoke40) where I deployed two test VMs: …