Aviatrix Certified Engineer — Multi-Cloud Network Associate Notes

About Aviatrix

Aviatrix Systems is a software company headquartered in Santa Clara, California, the heart of Silicon Valley. Aviatrix software provides a platform for companies to build networking and security infrastructure in the public cloud. The platform provides architecture applicable to both single and multiple public cloud deployments. Currently, the software supports public clouds such as AWS, Azure, GCP, and Oracle Cloud. Aviatrix Systems was the recipient of the Gartner Cool Vendor award in Cloud Computing in 2017 and is the pioneer of Multi-Cloud Network Architecture (MCNA).

In the Modern Era Center of gravity in the new Computing, the model is a focused public cloud. DevOps group led the initial charge in the cloud but When things break, DevOps teams cannot troubleshoot their own network connectivity without networking teams for support.

Multi-Cloud Computing Networking

On-Prem :

On-Premise means that a company keeps all its data, servers, and everything in its IT environment in-house. The company is responsible for running, supporting, and maintaining the data all the time. This is the traditional way of hosting your architecture.

Cloud Computing

Cloud computing is the practice of storing and accessing your data from remote servers(data-centers). Cloud is divided into three different categories

Public Cloud

This is the most common type of Cloud. Here, the servers(data centers) are shared between multiple clients. Eg: Amazon, Google, Microsoft, many more can share the servers between them.

Private Cloud

A private cloud is operated by a single user(client), a closed group of users, or a single organization. The services and security protocols are also updated frequently. Eg: Intranet, VMware.

Hybrid Cloud

Hybrid as the name means, is a mixture of both Public and Private Cloud. You can also think of it this way, having a public cloud for storing your data accessible to the public, and a private cloud for running your production lines and legacy applications.

Data Center

Cloud Service providers use data centers to household cloud services and cloud-based resources.

Region

Data Center is a group in the region and geographical area to provide regional service.

Availability Zones

Distinct locations within the cloud provider network that are engineered to be isolated from the failure.
if I have an Availability Zone 1A so another user may not have the same Availability Zone.

Infrastructure as a Service

You get the benefit of owning the infrastructure, physical or virtual machines for storage, creating a virtual network, and firewall. E.g. Amazon VPC.

Platform as a Service

Here you get a platform to perform your compute requests such as Operating System, Programming environment, and Database. E.g. AWS Elastic Beanstalk.

Software as a Service

You don’t need to install the application, you get “On-Demand Software”. Everything will be taken care of by the Cloud Service provider. E.g. YouTube, Office 360, and Gmail.

Public Cloud vs On-Prem

So In Both Public and On-prem Cloud, we have Similiar Services like Routers, Switches, Firewalls, and Servers but the location now completely changes means On-Prem you have access to Layers because you are the maintainer of the infrastructure but in Public Cloud, you don't have access on layers. Because Public cloud Services are very closed to each other as not in On-prem

AWS Networking

AWS Services

There are a total of 212 Sevices at that time on Amazon Web Services let’s discuss Few of them here

Computer Service

1. EC2

These can be thought of as virtual machines that you can build inside the AWS cloud platform. And AWS does not limit you only to virtual machines, you can build physical dedicated machines using EC2 service also.

1. AWS Lambda

2. Elastic BeanStalk

3. AWS Lightsail

Networking

1. VPC (Virtual Private Cloud)

This is a Virtual Private Cloud, which is essentially a data center in the cloud.AWS Uses implicit routers that configure auto to communicate between VPC’s.

1. Direct Connect

Helps users connect their on-premise Data Center to AWS.

1. Route 53

DNS service of Amazon Web Services is known as Route53. So IP lookup tables and other related technologies are located within this service.

1. CloudFront

CloudFront is Amazon’s content delivery network (CDN).CloudFront associates with edge locations. This network of edge locations is a CDN and is called CloudFront.

Storage

1. S3 Bucket

This is one of the oldest storage services available in AWS. This is object-based storage where you have things called buckets and you upload your files to these buckets.

IAM

This is Identity and Access Management, and it allows users to get access to the instances or applications.

Global Accelerator

Allows users to connect their remote branches to the closest point in the AWS System.

AWS — Difference between Security Groups and Network Access Control List (NACL)

Security Groups and Network Access Control List (NACL)

Scope: Subnet or EC2 Instance (Where to apply)

Security groups are tied to an instance whereas Network ACLs are tied to the subnet. i.e. Network Access control lists are applicable at the subnet level, so any instance in the subnet with an associated NACL will follow the rules of NACL. That’s not the case with security groups, security groups have to be assigned explicitly to the instance. This means any instances within the subnet group gets the rule applied. If you have many instances, managing the firewalls using Network ACL can be very useful. Otherwise, with the Security group, you have to manually assign a security group to the instances.

State: Stateless or Stateful

Network ACLs are stateless: This means any changes applied to an incoming rule will not be applied to the outgoing rule. e.g. If you allow an incoming port 80, you would also need to apply the rule for outgoing traffic.

Security groups are stateful: This means any changes applied to an incoming rule will be automatically applied to the outgoing rule. e.g. If you allow an incoming port 80, the outgoing port 80 will be automatically opened.

Route and RouteTable

Users have basic access to the route-table but do not have access to the actual router.

Subnet

Once you have taken flat, you need to divide it based on your usage. A flat consists of different rooms like bedrooms, living room, kitchen, etc. Similarly, you need to divide VPC space into smaller subnets and use it for different purposes, and put security accordingly.

Public Subnet

This is your living room. This is a place where you receive your guests (internet traffic). So, if you have a web application you need to host a web tier or external-facing load balancer on this subnet.

Private Subnet

This is your bedroom for privacy and should not have direct access to the world. Its door open only internally to other internal spaces. If it needs something it always goes through the living room i.e. public subnet. This is good for deploying internal app tier or databases since they need protection from the world.

AWS Gateways

1. Internet Gateway

This is your main gate which means every traffic of your application that comes or out from your VPC. If you have a public Subnet then you have direct access to the internet gateway but incase if you have a Private Subnet then you need to deploy a NAT Gateway inside your Security Group.

2. NAT Gateway

For Instance in private subnet need to get internet access.

3. Transit Gateway

A Network Transit hub that interconnects VPCs and on-premise network.

4. VPN Gateway

AWS VPN Router that links the on-prem network to VPC or creates a hub and spoke topology between third party VPN devices and AWSVGW. The anchor on the AWS Side of the VPN Connection is called VPN Gateway.

5. Customer Gateway

A Customer VPN Route Connect with VGW, TGW, DCGW

6. Direct Connect Gateway

Scalable Direct connect Connectivity to VPC across account and region.

Transit Gateway Fundamentals

• Native Service

• 5000 VPC attached per TGW

• 50GBPS VPC <-> TGW throughput

• Multiple Route Table

• AWS Specific only

Transit Gateway Limitations

• Manual VPC routing which means automation AWS VPC Routing is not available yet.

• Initial Created

• Subsequent Update

• IPSEC Tunnel Throughput ~ 1.25 GBPS

• TGW Router Scalability which means you have only 100BGP Routes per Routing table and no VPC CIDR Summarization

• Limited Static Multi-Region

• No Overlapping IP Support

• Native firewall have performance limitation

• No ITGW Peering support within the region.

TGW And Route Table Orchestration by Aviatrix

• Removing Vpc Peering limitation and complexities

• Orchestrates VPC Routing tables

• Simplifies BGP over direct connect

• Provides additional route control and traffic options

• Propagates on-prem routes to VPC

• New CIDRs / VPC routes updated on all other VPCs

Transit Gateway peering with Aviatrix

You can peer two transit gateway and route traffic between them. ipv4 and ipv6 traffic.

AWS TGW Orchestrator

1. Orchestrates VPC to VPC and on-prem to VPC connectivities via AWS Transit Gateway.

2. Automates AWS Resource Access Manager (RAM) for multi-account support.

3. Creates security boundaries between groups of VPCs to achieve network segmentation.

4. Out-of-the-box integration of AWS Transit Gateway and Direct Connect and Internet to re-use what has been built.

5. Provides Insane Mode high performance and features rich hybrid network for connecting to on-prem.

6. Supports Bring Your Own Firewall to TGW deployment for inline traffic inspection (Firewall Network)

7. Orchestrate AWS TGW Inter-Region Peering and expand the Security Domains to be global.

8. Advanced mode for an end to end encryption where Aviatrix gateways are deployed in the AWS Spoke VPCs and Azure Spokes VNet.

AWS Global Accelerator

AWS Global Accelerator improves the availability and performance of the application for the global user. it provides a static IP with an application connectivity endpoint in single or multiple regions such as Application load balancer, Network Load Balancer, and Amazon EC2.

Benefits of AWS Global Accelerator

• Improve Globally Application Availability

• Accelerate your global Application

• Easily manage endpoint

Azure Networking

Azure Networking Components

• VNET

• Availability zone

• Networking Security Groups

• Public and private IP

• Virtual Network Gateways (VPN & Express Route, Gateway Subnet, Express Route, and Local Network Gateway)

• VNET Perring

• Routing

• NVA

VNET

A Virtual Network, or a VNet, is an isolated network within the Microsoft Azure cloud. A VNet in Azure provides a range of networking functions comparable to AWS Virtual Private Cloud (VPC). These functions include DNS, routing, enabling customization of DHCP blocks, access control, connectivity between virtual machines (VM), and virtual private networks (VPN).

An Azure VNet is a representation of a network in the cloud and is a logical isolation of the Azure cloud dedicated to a subscription. In the background, it’s a software abstraction of a network that overlays Azure’s infrastructure to provide isolation from resources outside of the VNet, practically making it a private network.

Operationally, a VNet follows common IP routing principles to connect resources inside. So, it needs to have one or more address spaces associated with it (CIDR), which can be segmented into subnets, within which resources will reside. The scope of a virtual network is a single region; however, several virtual networks of the same or different regions can be connected by virtual network peering.

VNets can be used to:

Create a dedicated private cloud-only VNet to allow services and VMs within the VNet to communicate directly and securely in the cloud. Securely extend a data center, by building traditional site-to-site (S2S) VPNs or Express Route private circuits, to securely scale capacity. Deploy hybrid clouds by securely connecting cloud-based applications to on-premises systems.

Components of Azure Vnet

Subnets

Subdivide a VNet into multiple networks which can be used for more granular separation of services

IP Address

Assigned Public or Private IP to Azure VNET

Network Security Group

Network Traffic ACL is referred to as a subnet or NIC level for Filtering.

Application Security Group

Group common workloads in world-readable tags for use in NSGs.

Service Endpoint

Secure Azure Service Resouces to your VNet

Private Link

Private Connectivity to Vnet or Azure PaaS like Outlook, Microsoft Partners, and customer-owned service.

Firewall

Azure offers a managed Firewall service that provides the ability to define L3–7 connectivity policies for granular control of what enters and leaves the network

Azure Balancing

Azure Balcning Included

• Azure Traffic Manager — Route 53 in AWS

• Azure Load Balancer

• Azure Application Gateway

• Azure FrontDoor

Route Tables

As with general routing, anytime traffic needs to leave a subnet, it needs a routing function to forward packets to other subnets and networks. A router does this using a routing table, and that route table configuration is exposed in Azure for customized configuration. Route table can have rules that define where traffic should be sent to, i.e a virtual network, virtual network gateway, or virtual machine

User-Defined Route (UDR)

A static entry in a Route Table which can be used to forward traffic to a different Vnet, Network Virtual Appliance, This can be a powerful tool to build a connection between hubs.

Virtual Network Appliance(NVA)

or integration of 3rd party solutions, a virtual network appliance can be inserted into a VNet. This appliance is a virtual machine that executes a network function, such as a firewall, WAN optimization, or other network function. To see a list of virtual network applications that can be deployed in a virtual network, see Azure Marketplace.

Transit in Azure — Inter-Region

• Express Router Hairpining

• NVA

• Peering VNET

Azure Virtual WAN

A Big hub providing connectivity for all type of entities to Azure or connecting to Azure

Azure Virtual WAN Limitations

• No MultiCloud Support

• Costly: Need to buy all features

• No 3rd party integration

• No NAT Capability

• Problem with Troubleshooting and visibility

• several features are still in previews

• Lack in controlling routing

• Lack in controlling security

Remote User VPN

Aviatrix provides an enriched User VPN Solution. which is based on OpenVPN and suitable for all OpenVPN Users. Auth with SAML directly from the client.

Aviatrix OpenVPN

OpenVPN is a registered trademark of OpenVPN Inc. OpenVPN is open-source commercial software that implements virtual private network (VPN) techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange.

• VPN Management

• Authentication Option

• Scale-out performance

• Logging integration

VPN Tracker

VPC Tracker is a tool that collects and helps you manage your network CIDR ranges at a central place, eliminating the need to keep an Excel sheet on all your VPC network address allocations.

IPSEC

IPsec (Internet Protocol Security) is a suite of protocols that secure network communication across IP networks. It provides security services for IP network traffic such as encrypting sensitive data, authentication, protection against replay, and data confidentiality.

• Authenticated Header(AH)

• Encapsulating Security protocol

• Internet Key Exchange

Modes

• Transport Mode

• Tunnel Mode

Aviatrix Transit Architecture for Azure

Azure Native Transit

A Hub is a Virtual Network (Vnet) in Azure that acts as a central Connectivity in the azure network. The Spoke is Vnet that peers with a Hub that can be used for subscription, department, and workload, etc. Traffic route on-premise network to Virtual network through Express Route or VPN Gateway

Azure natively provides three methods for performing this functionality. Each of these options has advantages and disadvantages however, these options can be used simultaneously for customers to apply the right transit method for the desired outcome.

IntraRegion Transit Options

The options for spoke to spoke communication across regions follow the same patterns above with a few notable nuances.

leveraging Express Route

the most common transitive method is for customers to leverage their ExpressRoute circuits to provide spoke to spoke communication. The Method is default 0.0.0.0/0.

The **advantage **to this method is that this traffic will not incur VNET peering charges and this provides any to any spoke connectivity.

The disadvantage to this approach is that bandwidth is limited by the ExpressRoute gateway SKU, traffic takes a longer path from spoke to spoke, a lack of granular control as this method provides any to any communication and the fact that this is not a recommended approach as there is no dedicated bandwidth allocation on the Microsoft Edge Routers for this configuration

Leveraging a HUB (NVA)

for this method, A NVA is deployed inside the Vnet, and UDR (Suer Defined Route) is created to spoke to spoke traffic from the route.

The advantage of this approach is that traffic takes a more ideal path, does not require any route advertisements from on-prem.

The disadvantage to this approach comes with the management of UDRs at scale, potential bandwidth limits of the NVA itself, and the configuration of NVA high availability (HA) to ensure redundancy in case of failure.

VNET Peering

The Recommended Approach to Spoke to Spoke Communication is VNEt Peering.

This option provides the lowest latency possible and has no bandwidth restrictions as opposed to the options previously discussed.

The disadvantage of this model is this connectivity is a 1 to 1 mapping.

InterRegion Transit Region

Leveraging Express route

this method is similar to what was described in Intra-Region however, as ExpressRoute circuits are terminated across regions the routes are propagated automatically. To facilitate cross-region spoke to spoke communication, no summary or default route is required. The same advantages and disadvantages apply.

Leveraging a HUb NVA

this method is also similar to what was previously described however, the number of UDRs increases as additional routes must be defined in the HUB VNETs to facilitate routing across regions to another HUB. Additionally, a VNET peer must be leveraged between the HUB to facilitate this HUB to HUB transit path.

Vnet Peering

the only change in VNET peering across regions is in naming convention. Microsoft refers to this as Global VNET Peering but still has the same advantages and disadvantages previously discussed. Azure Virtual WAN is another native architectural approach that can also provide transitive functionality. Aviatrix Transit can integrate with Azure Virtual WAN and is not covered in detail here.

Aviatrix Transit for Azure

Benefits

• Simplicity

The Aviatrix Controller provides an abstraction layer and workflow to build the Transit network. You do not need to program any Azure route tables, manage the route entries, or understand the significant details about Azure networking.

• Multi Subscriptions

The Controller provides a single pane of glass to manage the entire cloud network of multiple Azure subscriptions.

• Logging Service Integration

Out-of-the-box integration with Splunk, Sumo Logic, DataDog, ELK, Remote Syslog, and Netflow.

• Visibility

View connectivity status, network latency, and traffic statistics from a central dashboard.

• Granular Routing Control

Route redistribution can be controlled to selectively allow specific route propagation and/or summarization.

• Advanced Networking Features

Support for Network Address Translation, NGFW Insertion, FQDN filtering, etc.

• No Routing Limits

The Aviatrix solution auto summarizes the on-prem and Spoke VNet routes so that Spoke VNet route entries do not exceed the route limits.

• end to end encryptions.

All traffic in flight, between Spoke VNets and between Spoke to on-prem, is encrypted.

Transit VNet Using Vnet Peering

With VNets, you can connect your network in multiple ways. You can connect to on-premises using Point-to-Site (P2S), Site-to-Site (S2S) gateways, or ExpressRoute gateways. You can also connect to other VNets directly using VNet peering.

Gateway

Gateway transit enables you to use a peered VNet’s gateway for connecting to on-premises instead of creating a new gateway for connectivity. As you increase your workloads in Azure, you need to scale your networks across regions and VNets to keep up with the growth. Gateway transit allows you to share an ExpressRoute or VPN gateway with all peered VNets and lets you manage the connectivity in one place.

With Gateway transit enabled on VNet peering, you can create a transit VNet that contains your VPN gateway, Network Virtual Appliance, and other shared services. As your organization grows with new applications or business units and as you spin up new VNets, you can connect to your transit VNet with VNet peering.

Aviatrix Stateful Firewall Rules

Aviatrix stateful firewall is a feature on the Aviatrix gateway. It is an L4 stateful firewall that filters network CIDR, protocol, and port on the packet forwarding path. The stateful firewall allows each rule to be defined as Allow, Deny, and Force Drop, in addition to a base rule.

How many rules can be configured on a gateway?

You can configure up to 500 rules on each route this is because of rules implementations send to Route.

What is the API to configure a stateful firewall?

Currently, the API call requires you to input the entire set of rules for each call.

Google Cloud Networking

In Google Cloud, we have Product which has Services **and services have **resources insides it.

Resources in GCP

Global

Resources can be accessed by any other resource in the region and zones.

Regional

Resources can be accessed by resources in the Same Region

Zonal

Resources can be accessed by resources in the same zone.

E.g Virtual machine

GCP Projects

GCP resources must be created in the project and one project can not access other project resources unless share using VPC or VPC networking peering.

Basic GCP Networking Components

• GCP regions and zones

• VPC/Subnets

• VPC Peering

This is used to peer to another VPC in VM. VPC is Global while Subnet is Regional.

• Implicit Routing

• VPN Gateway

VPC Network & Subnet

• Auto Mode

• Custom Mode

Transit (Inter VPC Networking)

• lack native transit selection to interconnect VPCs

• VPC Perring preferred

• Preaches Single VPC

Cloud Interconnect

Connect: your on-prem network to your VPC Network through a private connection

The limitation is that this is not encrypted.

Dedicated Interconnect

Enable to connect to your existing network to your VPC

• 10 GBps to 100 Gbps

• Connect directly to GCP

Partner Interconnect

• 50Mbps to 10Gbps

Oracle Cloud Networking

• Tenancy

• Tenancies

• IAM Resources

• Compartment

Oracle Services and Purposes

Compute( Run Instances (Virtual machine))

IAM ( identity access management)

VCN (Virtual Network)

Block volume (Storage)

Fast Connect (Connecting on-prem)

DNS Zone Management (DNS)

Oracle Construct and Purpose

DRG (Dynamic Routing Gateway )

A virtual router that provides a single point of entry for remote network paths coming into your VCN (IPSEC VPN + Fast Connect )

SG (Service Gateway )

Service gateway is a regional ad that enables access only to supported oracle service in the same region as the VCN.

IG( Internet Gateway)

Internet Gateway provides network traffic between VCN and the internet

SUBNET

A subnet is regional in OCI Spanning Availablity Domains. OCI subnets are not tied to Availability Domains.

Route Table

Route Table Consists of a set of route rules that provide a mapping from the traffic subnet via gateway and designation outside the VCN.

OCI VCN Peering Challenges

1. 10 LPC per VCN

2. 10 RPC per Tenancy

3. 10 VCN Per region

4. 5 DRG Per Region

5. No Overlapping IP

6. Lack of Visibility

7. Route Table Management

Multi-Cloud Network Architecture(MCNA)

MCNA is unlike any other Architecture because it controls and embraces and manages not only cloud-native architecture but also provides advance through cloud services (AWS, GCP, AZURE, ORACLE). Aviatrix created a purpose Multiloud Network Architecture by implementing data plane through dynamic and software-defined routing which centralized through the control plane.

Security is also built on multi-cloud networking architecture through segmentation, encryptions igness. egree filtering and security service insertion.

The Cloud Infrastrayrcure is only limited to single -cloud-single region, single-cloud-multiple-region, and multiple-cloud-multiple-region and referred green and brownfield business with no issue. The Component and the main pillar of the MulitCloud Infratsurtucre are

• Cloud Core

• Cloud Security

• Cloud Access

• Cloud Operation

Cloud Core

The Core of the Multi-Cloud Architecture goes on the simple connectivity. This Sale and Support Applications and business. Deliver a normalized data plane by supporting Cloud Native Cloud Construct, API, the Advance capability to form a common data plane with visibility and control to optimized Multi-Cloud Infrastructure. Two Types of Cloud Core

• Application Layer

• Global Transit Layer

Application Layer

This is the area where Applications are. These Applications are sitting inside the VPC/VNET or VM and Aviatrix control the native construct in the cloud. The Application is Deployed in this layer with the respective Operating System.

Global Transit Layer

Aviatrix software enables enterprise IT to easily deploy a high-availability, multi-cloud network data plane with end-to-end encryption, high-performance encryption, multi-cloud security domains, and operational telemetry operations teams need. This is the main point of connection for every aspect of the cloud. This global transit layer also has the notion of inserting services in its platform, which is done through the service insertion framework.

Cloud Security

Cloud security is a crucial part of the MCN architecture. This layer encompasses all the other layers of the cloud. It ensures that all the areas in the cloud, such as the applications, transit, and access layer are secure. The MCNA model enforces cloud security in many aspects, such as when connecting cloud to on-premise, ingress, egress, and security within the cloud security with encryption and security segmentation.

Cloud Access

The multi-cloud access layer is a crucial layer of the multi-cloud network when interconnecting to on-premise resources. This layer ensures that the cloud is securely accessible by all the components of a business. This architecture sets the multi-cloud foundation by securely bringing employees, partners, customers, branch offices, and legacy data centers into the cloud as one cohesive unit.

Cloud Operations

This layer provides full visibility for all aspects of the cloud, meaning that it encompasses each layer. It is a centralized operations plane. This is also the layer of the cloud that encompasses the most crucial tools, such as troubleshooting, visibility, and automation.

The Benefits of the MCNA Approach

• The architecture is easily replicated in the Aviatrix Controller.

• There is a normalized data plane.

• Service insertion and chaining are easily configured through the transit layer.

AWS Direct Conect Virtual Interfance

Private Virtual Interface

A private virtual interface should be used to access an Amazon VPC using private IP addresses.

Public Virtual Interface

A public virtual interface should be used to access an Amazon VPC using public IP addresses.

Transit Virtual Interface

A transit virtual interface should be used to access one or more Amazon VPC Transit Gateways associated with Direct Connect gateways. You can use transit virtual interfaces with 1/2/5/10 Gbps AWS Direct Connect connections.

Aviatrix Platform

Core Features

• Intelligent orchestration and control, Multi-Account

• Advance networking, Multi-Region, and Multi-Cloud

• High-performance encryptions

• The site to site /On-prem

• Cloud WAN

• Smart SAML User Vpn

• Secure Engress/Igress

• Firewall Network

• Operational Tool

Core Feature Simplified

Transit

Operational

Security

Automation

Aviatrix Platform

A Centralized Controller

A Centralized controller of aviatrix making complex networking easy and does not require any knowledge of Networking CLI. Aviatrix Centralized Controller entry point for multi-cloud automation. which can be done using application programming terraform. Aviatrix is a browser-based and points and clicks management console for native (AWS, GCP, AZURE, and OCI ) and advanced services from aviatrix.

Features:

• Browser-based — Point and click management console

• Orchestrate both native clouds (AWS, Azure, GCP, Oracle) and advance service from aviatrix

• Making Complexity to easy

Aviatrix Gateway

Aviatrix Gateway instance provides a centralized controller to the on-prem, cloud, and edge connectivity.

A Distributed and Common Data Plane

The Aviatrix platform embraces native cloud constructs and extends the functionality using advanced networking and security which are both provided by Aviatrix Gateway and Aviatrix Controller. The Aviatrix Gateway is considering as Nodes, robust and common data plane across multi-cloud computing. As a part of the data plane, these gateways also provide transit routing, High-performance encryption, Igress/Engress Edge connectivity, on-prem Connectivity, and user VPN.

Operational Visbility

Co-pilot is an aviatrix service that provides operational visibility, Common Tagging, and Diagnostic in the network and also informs the user if any issue occurs in the network.

Features

• Complete Report of Cloud Network

• Visualize Network Status, Latency rate, and performance

• Monitoring and display alert

MultiAccount and Cloud

Aviatrix provides multi-account and cloud on one single interface. You can Interconnect AWS, GCP, AZURE, and Oracle with the same point.

Features

• Manage Multiple account and region in one place

• Network Cloud Region from a global view, not point to point view

• Interconnect with AWS, Azure, GCP and Oracle, Viewpoint, and from one point.

Security and Compliance

To help its service run smoothly, Aviatrix provides many security and compliance measures. It allows users to manage security domains, such as the Development domain and the Production domain, and also allows for Virtual Private Cloud connectivity through Connection Policies. Users can easily apply firewall filters based on tags or specific address ranges, CIDR, protocols, and ports. Aviatrix services are also integrated with AWS GuardDuty to block malicious activity automatically at the Virtual Private Cloud network level.

Features

• Manage Security Domains

• VPC connectivity allows by Security policies

• User-Friendly tagging

• Easily apply firewall on VPC based on protocol, CIDR, and ports

• Control onbound traffic with egress filtering

• Interconnect with AWS GaurdDuty to block malicious activity automatically at the VPC network level

Automation

Automate your cloud networking by delivering the network as code, rather than as a series of manually configured virtual routers. With Aviatrix, networking functionality easily becomes part of your cloud stack. No CCIE, no problem.

Features

• DevOps Automation

• Terraform and CloudFormation

• Controlled via RestApi

Troubleshooting

Easily handle your daily calls to fix problems. Usually, the network is blamed, even when it’s not the culprit. Quickly determine if networking is the issue. Minimize downtime with faster troubleshooting.

• Integrate Dignostic tool

• Limited use of border gateway protocol

• Automated EC2 flightpath and identify Contivity issues

• Continuous monitoring of multi-cloud network

Integrated Analytics

Drive your cloud networking decisions with intuitive, meaningful, real-time reports.

1. Integrated monitoring, alerting, and troubleshooting

2. Comprehensive Syslog for network statistics, policy violations, and more

3. API integration with modern cloud tools: Splunk, SumoLogic, Syslog, ELK, and Datadog.

4. Robust API to easily integrate with Netflow and CloudWatch

HA Working with Aviatrix

Peering Active/Passive

This will allow you to create a set of a gateway which connect with two or more VPCs

FQDN Egress Filter Active / Active

Site2Cloud Active/Passive

WorkFlow Bound High Availability Configuration Active /Passive

Native VPC/VNET Peering Issues

• Full Mesh of Native Peering

• Complex to manage initial Deployment

• Complex to manage incremental updates

• Network Correctness

• Management and troubleshooting Issues

AWS Support Native Peering while using AWS Transit Gateway but having Visibility issues

Azure also Supports Native Peering while using Azure Firewall WAN but also having visibility issues.

GCP also Support Native Peering but with 3rd Party Tool

OCI also Support Native Peering but with 3rd Party tool

3rd Party Native Tool Issues

• 1.2GBPs Per tunnel

• Manage BGP

• Huge Blast Radius

• management and troubleshooting issues

Aviatrix Native Peering

• Well Rounded Architecture

• Centrally Manage

• Robust Connectivity

• Scale-out

High-performance Encryptions

Fully Qualified Domain Egress Filter

Ingress Security (Aviatrix Gaurd Duty Enforcement)

Firewall

Cloud

• L4 Firewall

• L7 Firewall is limited to internet-based web applications

• no Inspection for East-West

• Expecting Customer to manually routing traffic

Firewall Vendor

Firewall vendors have repackaged on-prem level

Customer

• Manual Routing

• IPsec, BGP, SNAT and limited to 500MBPS

Azure Native Firewall

• No DPI, IDS, IPS Support

• Manual routing

• SNAT is required for Automation

AWS Native Firewall

Solution # 1

VPC Attachment

• Expensive — only one VM will attach

• High Complexity

• Cannot Scale

• Long and Complicated Failover (AWS lambda)

Solution # 2

IPSEC VPN Model

• Reduced Throughput -550MBPS

• Security Groups cannot use inside VM

• Manual Router Configurations

Aviatrix Firewall Network

Fire net

Fire net is a turnkey network solution to deploy firewall instances in the cloud.

With Aviatrix achieve throughput with Firenet up to 70Gbps

Features

• Simplicity

• Full Traffic Inspection

• No IPsec Tunnels

• no BGP

• no SNAT

• Scale-out

• Policy Drive

• Vendor integration

• Automation

Private S3

Aviatrix PrivateS3 is a feature that allows you to leverage AWS Direct Connect to transfer objects and files between on-prem and S3 while giving you control of the S3 buckets by the ability to whitelist the S3 buckets.

Benefits of PrivateS3

• Transferring objects/data between on-prem and S3 by leveraging Direct Connect without using public VIF.

• The ability to control which S3 buckets can be accessed.

• The ability to deploy multiple Aviatrix gateways to load balance the data traffic.

Operations

Operational Challenges in Public Cloud

• Evidential Data (Fault/Issues)

• Unfamiliar toolset (Ping, Packet Capture)

• Black Box(No Visibility)

• Infrastructure as code

• A Flat world in Public Cloud

• Tier 3 become Tier 1

• Scaling out

FlightPath

A flightPath is a troubleshooting tool. It retrieves and displays, in a side by side fashion, AWS EC2 related information such as Security Groups, Route table, and route table entries, and network ACL. This helps you to identify connectivity problems. You do not need to launch Aviatrix gateways to use this tool, but you need to create Aviatrix accounts so that the Controller can use the account credentials to execute AWS APIs to retrieve relevant information

DevOps Automation

• Automation

• DevOps Workflow

• Export to Terraform

• Cloud Formation

MutliCloud — Multi Account

Controller HA

Controlling and Monitoring AWS Transit Gateway VPCs, Launch a new controller, and restore configurations

VPC Tracker

TGW Router Transit

Immediately Discover the missing route in the spoke VPC route table.

Traffic Metrics — Gateway

AWS Transit Gateway Orchestrator

• list VPC and Security domains

• List VPC, TGW, and associate AViatrix Gateway Routing Table

ChargeBack Functionality

• Hitless Upgrade

• Security Patches

• High Availability

Co-Pilot

• Visibility

• Custom Tagging

• Diagnostic

CoPilot also filters to limit data to define resource, application and flows

Aviatrix Flow IQ

Traffic is seen by gateways

More Learning :

https://atulkamble.github.io/AviatrixACE/

Complete Self Paced Learning is available at Aviatrix Community

Wrapping Up

Aviatrix is one of the best controllers which provides MultiCloud Computing. You can connect with me on Linkedin if you have any questions related to Aviatrix or MultiCloud Computing.

Linkedin

Comments

[Venkatesh Thatham]

Hi,
This is a great article. Thank you for sharing.
Well, I'm not not from networking background and would you be advising me on how to configure azure vnet securely. I'm building a customer facing website hosted in azure

Based on the this article, I've derived this, with in a vnet there are 4 subnets such as front-end subnet, aks subnet, application subnet and db subnet.

Front-End subnet has => storage, static website, CDN
Aks subnet => aks (for microservices and internal applications)
Application subnet => service bus, event hubs
Back-End subnet => Redis, CosmosDb, SQL Server and Azure Search

[Atul Kamble]

Thank you Adil for sharing notes to Cloud Learning Community & Congratulations on AviatrixACE. Best Luck.

[Adil Shahzad]

You are very welcome :)