Aviatrix Certified Engineer — Multi-Cloud Network Associate Notes

About Aviatrix

Multi-Cloud Computing Networking

On-Prem:

Cloud Computing

Public Cloud vs On-Prem

AWS Networking

AWS Services

Compute Service

  1. EC2

Networking

  1. VPC (Virtual Private Cloud)
  2. Direct Connect
  3. Route 53
  4. CloudFront

Storage

  1. S3 Bucket

AWS — Difference between Security Groups and Network Access Control List (NACL)

Security Groups and Network Access Control List (NACL)

Scope: Subnet or EC2 Instance (Where to apply)

State: Stateless or Stateful
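Added illustration (not part of the original notes): a Terraform fragment, assuming an existing VPC id in `var.vpc_id` and a constructed client range in `var.client_cidr`, showing the practical consequence of the two differences above: a security group (instance scope, stateful) needs only an inbound rule for HTTPS, while a network ACL (subnet scope, stateless) must also explicitly allow the return traffic on ephemeral ports or the connection silently breaks.

```hcl
variable "vpc_id" {
  type = string
}

variable "client_cidr" {
  type    = string
  default = "10.0.0.0/8" # constructed sample client range
}

# Security group: instance (ENI) scope, stateful.
# Inbound 443 alone is enough: replies to tracked connections are
# allowed automatically, so no outbound rule for them is needed.
resource "aws_security_group" "web" {
  name   = "web-https-only"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.client_cidr]
  }
  # No egress block: Terraform drops AWS's default allow-all egress,
  # so only tracked reply traffic leaves the instance.
}

# Network ACL: subnet scope, stateless.
# Each direction is evaluated on its own, so the reply packets
# (source port 443 to the client's ephemeral port) need an egress rule.
resource "aws_network_acl" "web_subnet" {
  vpc_id = var.vpc_id
  ingress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = var.client_cidr
    from_port  = 443
    to_port    = 443
  }

  egress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = var.client_cidr
    from_port  = 1024 # ephemeral ports chosen by clients
    to_port    = 65535
  }
  # Everything else hits the implicit deny (rule 32767).
}
```

Removing the NACL egress rule is a quick way to observe the stateless behaviour: inbound SYNs still arrive, but the SYN-ACKs are dropped at the subnet boundary.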

Route and RouteTable

Subnet

AWS Gateways

  1. Internet Gateway

Transit Gateway Fundamentals

  • Native AWS service
  • 5000 VPCs attached per TGW
  • 50 Gbps VPC <-> TGW throughput
  • Multiple route tables
  • AWS-specific only

Transit Gateway Limitations

  • Manual VPC routing: automated AWS VPC routing is not available yet, both for:
    • Initial creation
    • Subsequent updates
  • IPsec tunnel throughput ~1.25 Gbps
  • TGW route scalability: only 100 BGP routes per routing table and no VPC CIDR summarization
  • Limited static multi-region support
  • No overlapping IP support
  • Native firewall has performance limitations
  • No TGW peering support within a region

TGW And Route Table Orchestration by Aviatrix

  • Removes VPC peering limitations and complexities
  • Orchestrates VPC routing tables
  • Simplifies BGP over Direct Connect
  • Provides additional route control and traffic options
  • Propagates on-prem routes to VPCs
  • New CIDRs / VPC routes are updated on all other VPCs

Transit Gateway peering with Aviatrix

AWS TGW Orchestrator

  1. Orchestrates VPC-to-VPC and on-prem-to-VPC connectivity via AWS Transit Gateway.
  2. Automates AWS Resource Access Manager (RAM) for multi-account support.
  3. Creates security boundaries between groups of VPCs to achieve network segmentation.
  4. Out-of-the-box integration of AWS Transit Gateway with Direct Connect and the Internet, re-using what has already been built.
  5. Provides Insane Mode high performance and a feature-rich hybrid network for connecting to on-prem.
  6. Supports Bring Your Own Firewall in the TGW deployment for inline traffic inspection (Firewall Network).
  7. Orchestrates AWS TGW inter-region peering and expands the security domains to be global.
  8. Advanced mode for end-to-end encryption, where Aviatrix gateways are deployed in the AWS spoke VPCs and Azure spoke VNets.

AWS Global Accelerator

Benefits of AWS Global Accelerator

  • Improves global application availability
  • Accelerates your global application
  • Easy endpoint management

Azure Networking

Azure Networking Components

  • VNet
  • Availability zones
  • Network Security Groups
  • Public and private IPs
  • Virtual Network Gateways (VPN & ExpressRoute, Gateway Subnet, ExpressRoute, and Local Network Gateway)
  • VNet peering
  • Routing
  • NVA

VNET

VNets can be used to:

Components of Azure VNet

Subnets

IP Address

Network Security Group

Application Security Group

Service Endpoint

Private Link

Firewall

Azure Balancing

  • Azure Traffic Manager — the equivalent of Route 53 in AWS
  • Azure Load Balancer
  • Azure Application Gateway
  • Azure FrontDoor

Route Tables

User-Defined Route (UDR)

Network Virtual Appliance (NVA)

Transit in Azure — Inter-Region

  • ExpressRoute hairpinning
  • NVA
  • VNet peering

Azure Virtual WAN

Azure Virtual WAN Limitations

  • No multi-cloud support
  • Costly: need to buy all features
  • No 3rd-party integration
  • No NAT capability
  • Problems with troubleshooting and visibility
  • Several features are still in preview
  • Lack of routing control
  • Lack of security control

Remote User VPN

Aviatrix OpenVPN

  • VPN management
  • Authentication options
  • Scale-out performance
  • Logging integration

VPN Tracker

IPsec

  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)
  • Internet Key Exchange (IKE)

Modes

  • Transport Mode
  • Tunnel Mode

Aviatrix Transit Architecture for Azure

Azure Native Transit

Intra-Region Transit Options

Leveraging ExpressRoute

Leveraging a Hub (NVA)

VNet Peering

Inter-Region Transit Options

Leveraging ExpressRoute

Leveraging a Hub (NVA)

VNet Peering

Aviatrix Transit for Azure

Benefits

  • Simplicity
  • Multi-subscription support
  • Logging service integration
  • Visibility
  • Granular routing control
  • Advanced networking features
  • No routing limits
  • End-to-end encryption

Transit VNet Using VNet Peering

Gateway

Aviatrix Stateful Firewall Rules

How many rules can be configured on a gateway?

What is the API to configure a stateful firewall?

Google Cloud Networking

Resources in GCP

GCP Projects

Basic GCP Networking Components

  • GCP regions and zones
  • VPC/Subnets
  • VPC Peering
  • Implicit Routing
  • VPN Gateway

VPC Network & Subnet

  • Auto Mode
  • Custom Mode

Transit (Inter VPC Networking)

  • Lacks a native transit option to interconnect VPCs
  • VPC peering preferred
  • Preaches a single VPC

Cloud Interconnect

  • 10 Gbps to 100 Gbps
  • Connect directly to GCP
  • 50 Mbps to 10 Gbps

Oracle Cloud Networking

  • Tenancy
  • Tenancies
  • IAM Resources
  • Compartment

Oracle Services and Purposes

Oracle Construct and Purpose

OCI VCN Peering Challenges

  1. 10 LPCs per VCN
  2. 10 RPCs per tenancy
  3. 10 VCNs per region
  4. 5 DRGs per region
  5. No overlapping IPs
  6. Lack of visibility
  7. Route table management

Multi-Cloud Network Architecture (MCNA)

  • Cloud Core
  • Cloud Security
  • Cloud Access
  • Cloud Operation

Cloud Core

  • Application Layer
  • Global Transit Layer

Cloud Security

Cloud Access

Cloud Operations

The Benefits of the MCNA Approach

  • The architecture is easily replicated in the Aviatrix Controller.
  • There is a normalized data plane.
  • Service insertion and chaining are easily configured through the transit layer.

AWS Direct Connect Virtual Interfaces

Private Virtual Interface

Public Virtual Interface

Transit Virtual Interface

Aviatrix Platform

Core Features

  • Intelligent orchestration and control, multi-account
  • Advanced networking, multi-region, and multi-cloud
  • High-performance encryption
  • Site-to-site / on-prem
  • Cloud WAN
  • Smart SAML User VPN
  • Secure egress/ingress
  • Firewall Network
  • Operational tools

Core Feature Simplified

Aviatrix Platform

A Centralized Controller

Features:

  • Browser-based, point-and-click management console
  • Orchestrates both native cloud services (AWS, Azure, GCP, Oracle) and advanced services from Aviatrix
  • Makes complexity easy

Aviatrix Gateway

A Distributed and Common Data Plane

Operational Visibility

Features

  • Complete report of the cloud network
  • Visualize network status, latency, and performance
  • Monitoring and alert display

MultiAccount and Cloud

Features

  • Manage multiple accounts and regions in one place
  • Network cloud regions from a global view, not a point-to-point view
  • Interconnect with AWS, Azure, GCP, and Oracle, viewed and managed from one point

Security and Compliance

Features

  • Manage security domains
  • VPC connectivity allowed by security policies
  • User-friendly tagging
  • Easily apply firewall rules on a VPC based on protocol, CIDR, and ports
  • Control outbound traffic with egress filtering
  • Integrate with AWS GuardDuty to block malicious activity automatically at the VPC network level

Automation

Features

  • DevOps automation
  • Terraform and CloudFormation
  • Controlled via REST API

Troubleshooting

  • Integrated diagnostic tools
  • Limited use of Border Gateway Protocol
  • Automated EC2 FlightPath to identify connectivity issues
  • Continuous monitoring of the multi-cloud network

Integrated Analytics

  1. Integrated monitoring, alerting, and troubleshooting
  2. Comprehensive Syslog for network statistics, policy violations, and more
  3. API integration with modern cloud tools: Splunk, SumoLogic, Syslog, ELK, and Datadog.
  4. Robust API to easily integrate with Netflow and CloudWatch

HA Working with Aviatrix

Peering Active/Passive

FQDN Egress Filter Active / Active

Site2Cloud Active/Passive

Workflow-Bound High Availability Configuration: Active/Passive

Native VPC/VNET Peering Issues

  • Full mesh of native peering
  • Complex to manage the initial deployment
  • Complex to manage incremental updates
  • Network correctness
  • Management and troubleshooting issues

3rd Party Native Tool Issues

  • 1.2 Gbps per tunnel
  • Manage BGP
  • Huge blast radius
  • Management and troubleshooting issues

Aviatrix Native Peering

  • Well-rounded architecture
  • Centrally managed
  • Robust connectivity
  • Scale-out

Firewall

  • L4 firewall
  • L7 firewall is limited to internet-based web applications
  • No inspection for east-west traffic
  • Expects the customer to route traffic manually
  • Manual routing
  • IPsec, BGP, SNAT, and limited to 500 Mbps

Azure Native Firewall

  • No DPI, IDS, or IPS support
  • Manual routing
  • SNAT is required for automation

AWS Native Firewall

  • Expensive — only one VM will attach
  • High complexity
  • Cannot scale
  • Long and complicated failover (AWS Lambda)
  • Reduced throughput: 550 Mbps
  • Security groups cannot be used inside the VM
  • Manual route configuration

Aviatrix Firewall Network

Features

  • Simplicity
  • Full traffic inspection
  • No IPsec tunnels
  • No BGP
  • No SNAT
  • Scale-out
  • Policy-driven
  • Vendor integration
  • Automation

Private S3

Benefits of Private S3

  • Transferring objects/data between on-prem and S3 by leveraging Direct Connect without using public VIF.
  • The ability to control which S3 buckets can be accessed.
  • The ability to deploy multiple Aviatrix gateways to load balance the data traffic.

Operations

Operational Challenges in Public Cloud

  • Evidential data (faults/issues)
  • Unfamiliar toolset (ping, packet capture)
  • Black box (no visibility)
  • Infrastructure as code
  • A flat world in the public cloud
  • Tier 3 becomes Tier 1
  • Scaling out

FlightPath

DevOps Automation

  • Automation
  • DevOps Workflow
  • Export to Terraform
  • Cloud Formation

Multi-Cloud — Multi-Account

Controller HA

VPC Tracker

TGW Router Transit

Traffic Metrics — Gateway

AWS Transit Gateway Orchestrator

  • List VPCs and security domains
  • List VPC, TGW, and associated Aviatrix gateway routing tables

ChargeBack Functionality

  • Hitless Upgrade
  • Security Patches
  • High Availability

Co-Pilot

  • Visibility
  • Custom Tagging
  • Diagnostic

Aviatrix Flow IQ

More Learning:

Wrapping Up

LinkedIn
