About Aviatrix
Aviatrix Systems is a software company headquartered in Santa Clara, California, the heart of Silicon Valley. Aviatrix software provides a platform for companies to build networking and security infrastructure in the public cloud. The platform provides architecture applicable to both single and multiple public cloud deployments. Currently, the software supports public clouds such as AWS, Azure, GCP, and Oracle Cloud. Aviatrix Systems was the recipient of the Gartner Cool Vendor award in Cloud Computing in 2017 and is the pioneer of Multi-Cloud Network Architecture (MCNA).
In the Modern Era Center of gravity in the new Computing, the model is a focused public cloud. DevOps group led the initial charge in the cloud but When things break, DevOps teams cannot troubleshoot their own network connectivity without networking teams for support.
Multi-Cloud Computing Networking
On-Prem :
On-Premise means that a company keeps all its data, servers, and everything in its IT environment in-house. The company is responsible for running, supporting, and maintaining the data all the time. This is the traditional way of hosting your architecture.
Cloud Computing
Cloud computing is the practice of storing and accessing your data from remote servers(data-centers). Cloud is divided into three different categories
Public Cloud
This is the most common type of Cloud. Here, the servers(data centers) are shared between multiple clients. Eg: Amazon, Google, Microsoft, many more can share the servers between them.
Private Cloud
A private cloud is operated by a single user(client), a closed group of users, or a single organization. The services and security protocols are also updated frequently. Eg: Intranet, VMware.
Hybrid Cloud
Hybrid as the name means, is a mixture of both Public and Private Cloud. You can also think of it this way, having a public cloud for storing your data accessible to the public, and a private cloud for running your production lines and legacy applications.
Data Center
Cloud Service providers use data centers to household cloud services and cloud-based resources.
Region
Data Center is a group in the region and geographical area to provide regional service.
Availability Zones
Distinct locations within the cloud provider network that are engineered to be isolated from the failure.
if I have an Availability Zone 1A so another user may not have the same Availability Zone.
Infrastructure as a Service
You get the benefit of owning the infrastructure, physical or virtual machines for storage, creating a virtual network, and firewall. E.g. Amazon VPC.
Platform as a Service
Here you get a platform to perform your compute requests such as Operating System, Programming environment, and Database. E.g. AWS Elastic Beanstalk.
Software as a Service
You don’t need to install the application, you get “On-Demand Software”. Everything will be taken care of by the Cloud Service provider. E.g. YouTube, Office 360, and Gmail.
Public Cloud vs On-Prem
So In Both Public and On-prem Cloud, we have Similiar Services like Routers, Switches, Firewalls, and Servers but the location now completely changes means On-Prem you have access to Layers because you are the maintainer of the infrastructure but in Public Cloud, you don't have access on layers. Because Public cloud Services are very closed to each other as not in On-prem
AWS Networking
AWS Services
There are a total of 212 Sevices at that time on Amazon Web Services let’s discuss Few of them here
Computer Service
- EC2
These can be thought of as virtual machines that you can build inside the AWS cloud platform. And AWS does not limit you only to virtual machines, you can build physical dedicated machines using EC2 service also.
AWS Lambda
Elastic BeanStalk
AWS Lightsail
Networking
- VPC (Virtual Private Cloud)
This is a Virtual Private Cloud, which is essentially a data center in the cloud.AWS Uses implicit routers that configure auto to communicate between VPC’s.
- Direct Connect
Helps users connect their on-premise Data Center to AWS.
- Route 53
DNS service of Amazon Web Services is known as Route53. So IP lookup tables and other related technologies are located within this service.
- CloudFront
CloudFront is Amazon’s content delivery network (CDN).CloudFront associates with edge locations. This network of edge locations is a CDN and is called CloudFront.
Storage
- S3 Bucket
This is one of the oldest storage services available in AWS. This is object-based storage where you have things called buckets and you upload your files to these buckets.
IAM
This is Identity and Access Management, and it allows users to get access to the instances or applications.
Global Accelerator
Allows users to connect their remote branches to the closest point in the AWS System.
AWS — Difference between Security Groups and Network Access Control List (NACL)
Security Groups and Network Access Control List (NACL)
Scope: Subnet or EC2 Instance (Where to apply)
Security groups are tied to an instance whereas Network ACLs are tied to the subnet. i.e. Network Access control lists are applicable at the subnet level, so any instance in the subnet with an associated NACL will follow the rules of NACL. That’s not the case with security groups, security groups have to be assigned explicitly to the instance. This means any instances within the subnet group gets the rule applied. If you have many instances, managing the firewalls using Network ACL can be very useful. Otherwise, with the Security group, you have to manually assign a security group to the instances.
State: Stateless or Stateful
Network ACLs are stateless: This means any changes applied to an incoming rule will not be applied to the outgoing rule. e.g. If you allow an incoming port 80, you would also need to apply the rule for outgoing traffic.
Security groups are stateful: This means any changes applied to an incoming rule will be automatically applied to the outgoing rule. e.g. If you allow an incoming port 80, the outgoing port 80 will be automatically opened.
Route and RouteTable
Users have basic access to the route-table but do not have access to the actual router.
Subnet
Once you have taken flat, you need to divide it based on your usage. A flat consists of different rooms like bedrooms, living room, kitchen, etc. Similarly, you need to divide VPC space into smaller subnets and use it for different purposes, and put security accordingly.
Public Subnet
This is your living room. This is a place where you receive your guests (internet traffic). So, if you have a web application you need to host a web tier or external-facing load balancer on this subnet.
Private Subnet
This is your bedroom for privacy and should not have direct access to the world. Its door open only internally to other internal spaces. If it needs something it always goes through the living room i.e. public subnet. This is good for deploying internal app tier or databases since they need protection from the world.
AWS Gateways
- Internet Gateway
This is your main gate which means every traffic of your application that comes or out from your VPC. If you have a public Subnet then you have direct access to the internet gateway but incase if you have a Private Subnet then you need to deploy a NAT Gateway inside your Security Group.
2. NAT Gateway
For Instance in private subnet need to get internet access.
3. Transit Gateway
A Network Transit hub that interconnects VPCs and on-premise network.
4. VPN Gateway
AWS VPN Router that links the on-prem network to VPC or creates a hub and spoke topology between third party VPN devices and AWSVGW. The anchor on the AWS Side of the VPN Connection is called VPN Gateway.
5. Customer Gateway
A Customer VPN Route Connect with VGW, TGW, DCGW
6. Direct Connect Gateway
Scalable Direct connect Connectivity to VPC across account and region.
Transit Gateway Fundamentals
Native Service
5000 VPC attached per TGW
50GBPS VPC <-> TGW throughput
Multiple Route Table
AWS Specific only
Transit Gateway Limitations
Manual VPC routing which means automation AWS VPC Routing is not available yet.
Initial Created
Subsequent Update
IPSEC Tunnel Throughput ~ 1.25 GBPS
TGW Router Scalability which means you have only 100BGP Routes per Routing table and no VPC CIDR Summarization
Limited Static Multi-Region
No Overlapping IP Support
Native firewall have performance limitation
No ITGW Peering support within the region.
TGW And Route Table Orchestration by Aviatrix
Removing Vpc Peering limitation and complexities
Orchestrates VPC Routing tables
Simplifies BGP over direct connect
Provides additional route control and traffic options
Propagates on-prem routes to VPC
New CIDRs / VPC routes updated on all other VPCs
Transit Gateway peering with Aviatrix
You can peer two transit gateway and route traffic between them. ipv4 and ipv6 traffic.
AWS TGW Orchestrator
Orchestrates VPC to VPC and on-prem to VPC connectivities via AWS Transit Gateway.
Automates AWS Resource Access Manager (RAM) for multi-account support.
Creates security boundaries between groups of VPCs to achieve network segmentation.
Out-of-the-box integration of AWS Transit Gateway and Direct Connect and Internet to re-use what has been built.
Provides Insane Mode high performance and features rich hybrid network for connecting to on-prem.
Supports Bring Your Own Firewall to TGW deployment for inline traffic inspection (Firewall Network)
Orchestrate AWS TGW Inter-Region Peering and expand the Security Domains to be global.
Advanced mode for an end to end encryption where Aviatrix gateways are deployed in the AWS Spoke VPCs and Azure Spokes VNet.
AWS Global Accelerator
AWS Global Accelerator improves the availability and performance of the application for the global user. it provides a static IP with an application connectivity endpoint in single or multiple regions such as Application load balancer, Network Load Balancer, and Amazon EC2.
Benefits of AWS Global Accelerator
Improve Globally Application Availability
Accelerate your global Application
Easily manage endpoint
Azure Networking
Azure Networking Components
VNET
Availability zone
Networking Security Groups
Public and private IP
Virtual Network Gateways (VPN & Express Route, Gateway Subnet, Express Route, and Local Network Gateway)
VNET Perring
Routing
NVA
VNET
A Virtual Network, or a VNet, is an isolated network within the Microsoft Azure cloud. A VNet in Azure provides a range of networking functions comparable to AWS Virtual Private Cloud (VPC). These functions include DNS, routing, enabling customization of DHCP blocks, access control, connectivity between virtual machines (VM), and virtual private networks (VPN).
An Azure VNet is a representation of a network in the cloud and is a logical isolation of the Azure cloud dedicated to a subscription. In the background, it’s a software abstraction of a network that overlays Azure’s infrastructure to provide isolation from resources outside of the VNet, practically making it a private network.
Operationally, a VNet follows common IP routing principles to connect resources inside. So, it needs to have one or more address spaces associated with it (CIDR), which can be segmented into subnets, within which resources will reside. The scope of a virtual network is a single region; however, several virtual networks of the same or different regions can be connected by virtual network peering.
VNets can be used to:
Create a dedicated private cloud-only VNet to allow services and VMs within the VNet to communicate directly and securely in the cloud. Securely extend a data center, by building traditional site-to-site (S2S) VPNs or Express Route private circuits, to securely scale capacity. Deploy hybrid clouds by securely connecting cloud-based applications to on-premises systems.
Components of Azure Vnet
Subnets
Subdivide a VNet into multiple networks which can be used for more granular separation of services
IP Address
Assigned Public or Private IP to Azure VNET
Network Security Group
Network Traffic ACL is referred to as a subnet or NIC level for Filtering.
Application Security Group
Group common workloads in world-readable tags for use in NSGs.
Service Endpoint
Secure Azure Service Resouces to your VNet
Private Link
Private Connectivity to Vnet or Azure PaaS like Outlook, Microsoft Partners, and customer-owned service.
Firewall
Azure offers a managed Firewall service that provides the ability to define L3–7 connectivity policies for granular control of what enters and leaves the network
Azure Balancing
Azure Balcning Included
Azure Traffic Manager — Route 53 in AWS
Azure Load Balancer
Azure Application Gateway
Azure FrontDoor
Route Tables
As with general routing, anytime traffic needs to leave a subnet, it needs a routing function to forward packets to other subnets and networks. A router does this using a routing table, and that route table configuration is exposed in Azure for customized configuration. Route table can have rules that define where traffic should be sent to, i.e a virtual network, virtual network gateway, or virtual machine
User-Defined Route (UDR)
A static entry in a Route Table which can be used to forward traffic to a different Vnet, Network Virtual Appliance, This can be a powerful tool to build a connection between hubs.
Virtual Network Appliance(NVA)
or integration of 3rd party solutions, a virtual network appliance can be inserted into a VNet. This appliance is a virtual machine that executes a network function, such as a firewall, WAN optimization, or other network function. To see a list of virtual network applications that can be deployed in a virtual network, see Azure Marketplace.
Transit in Azure — Inter-Region
Express Router Hairpining
NVA
Peering VNET
Azure Virtual WAN
A Big hub providing connectivity for all type of entities to Azure or connecting to Azure
Azure Virtual WAN Limitations
No MultiCloud Support
Costly: Need to buy all features
No 3rd party integration
No NAT Capability
Problem with Troubleshooting and visibility
several features are still in previews
Lack in controlling routing
Lack in controlling security
Remote User VPN
Aviatrix provides an enriched User VPN Solution. which is based on OpenVPN and suitable for all OpenVPN Users. Auth with SAML directly from the client.
Aviatrix OpenVPN
OpenVPN is a registered trademark of OpenVPN Inc. OpenVPN is open-source commercial software that implements virtual private network (VPN) techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange.
VPN Management
Authentication Option
Scale-out performance
Logging integration
VPN Tracker
VPC Tracker is a tool that collects and helps you manage your network CIDR ranges at a central place, eliminating the need to keep an Excel sheet on all your VPC network address allocations.
IPSEC
IPsec (Internet Protocol Security) is a suite of protocols that secure network communication across IP networks. It provides security services for IP network traffic such as encrypting sensitive data, authentication, protection against replay, and data confidentiality.
Authenticated Header(AH)
Encapsulating Security protocol
Internet Key Exchange
Modes
Transport Mode
Tunnel Mode
Aviatrix Transit Architecture for Azure
Azure Native Transit
A Hub is a Virtual Network (Vnet) in Azure that acts as a central Connectivity in the azure network. The Spoke is Vnet that peers with a Hub that can be used for subscription, department, and workload, etc. Traffic route on-premise network to Virtual network through Express Route or VPN Gateway
Azure natively provides three methods for performing this functionality. Each of these options has advantages and disadvantages however, these options can be used simultaneously for customers to apply the right transit method for the desired outcome.
IntraRegion Transit Options
The options for spoke to spoke communication across regions follow the same patterns above with a few notable nuances.
leveraging Express Route
the most common transitive method is for customers to leverage their ExpressRoute circuits to provide spoke to spoke communication. The Method is default 0.0.0.0/0.
The **advantage **to this method is that this traffic will not incur VNET peering charges and this provides any to any spoke connectivity.
The disadvantage to this approach is that bandwidth is limited by the ExpressRoute gateway SKU, traffic takes a longer path from spoke to spoke, a lack of granular control as this method provides any to any communication and the fact that this is not a recommended approach as there is no dedicated bandwidth allocation on the Microsoft Edge Routers for this configuration
Leveraging a HUB (NVA)
for this method, A NVA is deployed inside the Vnet, and UDR (Suer Defined Route) is created to spoke to spoke traffic from the route.
The advantage of this approach is that traffic takes a more ideal path, does not require any route advertisements from on-prem.
The disadvantage to this approach comes with the management of UDRs at scale, potential bandwidth limits of the NVA itself, and the configuration of NVA high availability (HA) to ensure redundancy in case of failure.
VNET Peering
The Recommended Approach to Spoke to Spoke Communication is VNEt Peering.
This option provides the lowest latency possible and has no bandwidth restrictions as opposed to the options previously discussed.
The disadvantage of this model is this connectivity is a 1 to 1 mapping.
InterRegion Transit Region
Leveraging Express route
this method is similar to what was described in Intra-Region however, as ExpressRoute circuits are terminated across regions the routes are propagated automatically. To facilitate cross-region spoke to spoke communication, no summary or default route is required. The same advantages and disadvantages apply.
Leveraging a HUb NVA
this method is also similar to what was previously described however, the number of UDRs increases as additional routes must be defined in the HUB VNETs to facilitate routing across regions to another HUB. Additionally, a VNET peer must be leveraged between the HUB to facilitate this HUB to HUB transit path.
Vnet Peering
the only change in VNET peering across regions is in naming convention. Microsoft refers to this as Global VNET Peering but still has the same advantages and disadvantages previously discussed. Azure Virtual WAN is another native architectural approach that can also provide transitive functionality. Aviatrix Transit can integrate with Azure Virtual WAN and is not covered in detail here.
Aviatrix Transit for Azure
Benefits
- Simplicity
The Aviatrix Controller provides an abstraction layer and workflow to build the Transit network. You do not need to program any Azure route tables, manage the route entries, or understand the significant details about Azure networking.
- Multi Subscriptions
The Controller provides a single pane of glass to manage the entire cloud network of multiple Azure subscriptions.
- Logging Service Integration
Out-of-the-box integration with Splunk, Sumo Logic, DataDog, ELK, Remote Syslog, and Netflow.
- Visibility
View connectivity status, network latency, and traffic statistics from a central dashboard.
- Granular Routing Control
Route redistribution can be controlled to selectively allow specific route propagation and/or summarization.
- Advanced Networking Features
Support for Network Address Translation, NGFW Insertion, FQDN filtering, etc.
- No Routing Limits
The Aviatrix solution auto summarizes the on-prem and Spoke VNet routes so that Spoke VNet route entries do not exceed the route limits.
- end to end encryptions.
All traffic in flight, between Spoke VNets and between Spoke to on-prem, is encrypted.
Transit VNet Using Vnet Peering
With VNets, you can connect your network in multiple ways. You can connect to on-premises using Point-to-Site (P2S), Site-to-Site (S2S) gateways, or ExpressRoute gateways. You can also connect to other VNets directly using VNet peering.
Gateway
Gateway transit enables you to use a peered VNet’s gateway for connecting to on-premises instead of creating a new gateway for connectivity. As you increase your workloads in Azure, you need to scale your networks across regions and VNets to keep up with the growth. Gateway transit allows you to share an ExpressRoute or VPN gateway with all peered VNets and lets you manage the connectivity in one place.
With Gateway transit enabled on VNet peering, you can create a transit VNet that contains your VPN gateway, Network Virtual Appliance, and other shared services. As your organization grows with new applications or business units and as you spin up new VNets, you can connect to your transit VNet with VNet peering.
Aviatrix Stateful Firewall Rules
Aviatrix stateful firewall is a feature on the Aviatrix gateway. It is an L4 stateful firewall that filters network CIDR, protocol, and port on the packet forwarding path. The stateful firewall allows each rule to be defined as Allow, Deny, and Force Drop, in addition to a base rule.
How many rules can be configured on a gateway?
You can configure up to 500 rules on each route this is because of rules implementations send to Route.
What is the API to configure a stateful firewall?
Currently, the API call requires you to input the entire set of rules for each call.
Google Cloud Networking
In Google Cloud, we have Product which has Services **and services have **resources insides it.
Resources in GCP
Global
Resources can be accessed by any other resource in the region and zones.
Regional
Resources can be accessed by resources in the Same Region
Zonal
Resources can be accessed by resources in the same zone.
E.g Virtual machine
GCP Projects
GCP resources must be created in the project and one project can not access other project resources unless share using VPC or VPC networking peering.
Basic GCP Networking Components
GCP regions and zones
VPC/Subnets
- VPC Peering
This is used to peer to another VPC in VM. VPC is Global while Subnet is Regional.
- Implicit Routing
- VPN Gateway
VPC Network & Subnet
Auto Mode
Custom Mode
Transit (Inter VPC Networking)
lack native transit selection to interconnect VPCs
VPC Perring preferred
Preaches Single VPC
Cloud Interconnect
Connect: your on-prem network to your VPC Network through a private connection
The limitation is that this is not encrypted.
Dedicated Interconnect
Enable to connect to your existing network to your VPC
10 GBps to 100 Gbps
Connect directly to GCP
Partner Interconnect
- 50Mbps to 10Gbps
Oracle Cloud Networking
Tenancy
Tenancies
IAM Resources
Compartment
Oracle Services and Purposes
Compute( Run Instances (Virtual machine))
IAM ( identity access management)
VCN (Virtual Network)
Block volume (Storage)
Fast Connect (Connecting on-prem)
DNS Zone Management (DNS)
Oracle Construct and Purpose
DRG (Dynamic Routing Gateway )
A virtual router that provides a single point of entry for remote network paths coming into your VCN (IPSEC VPN + Fast Connect )
SG (Service Gateway )
Service gateway is a regional ad that enables access only to supported oracle service in the same region as the VCN.
IG( Internet Gateway)
Internet Gateway provides network traffic between VCN and the internet
SUBNET
A subnet is regional in OCI Spanning Availablity Domains. OCI subnets are not tied to Availability Domains.
Route Table
Route Table Consists of a set of route rules that provide a mapping from the traffic subnet via gateway and designation outside the VCN.
OCI VCN Peering Challenges
10 LPC per VCN
10 RPC per Tenancy
10 VCN Per region
5 DRG Per Region
No Overlapping IP
Lack of Visibility
Route Table Management
Multi-Cloud Network Architecture(MCNA)
MCNA is unlike any other Architecture because it controls and embraces and manages not only cloud-native architecture but also provides advance through cloud services (AWS, GCP, AZURE, ORACLE). Aviatrix created a purpose Multiloud Network Architecture by implementing data plane through dynamic and software-defined routing which centralized through the control plane.
Security is also built on multi-cloud networking architecture through segmentation, encryptions igness. egree filtering and security service insertion.
The Cloud Infrastrayrcure is only limited to single -cloud-single region, single-cloud-multiple-region, and multiple-cloud-multiple-region and referred green and brownfield business with no issue. The Component and the main pillar of the MulitCloud Infratsurtucre are
Cloud Core
Cloud Security
Cloud Access
Cloud Operation
Cloud Core
The Core of the Multi-Cloud Architecture goes on the simple connectivity. This Sale and Support Applications and business. Deliver a normalized data plane by supporting Cloud Native Cloud Construct, API, the Advance capability to form a common data plane with visibility and control to optimized Multi-Cloud Infrastructure. Two Types of Cloud Core
Application Layer
Global Transit Layer
Application Layer
This is the area where Applications are. These Applications are sitting inside the VPC/VNET or VM and Aviatrix control the native construct in the cloud. The Application is Deployed in this layer with the respective Operating System.
Global Transit Layer
Aviatrix software enables enterprise IT to easily deploy a high-availability, multi-cloud network data plane with end-to-end encryption, high-performance encryption, multi-cloud security domains, and operational telemetry operations teams need. This is the main point of connection for every aspect of the cloud. This global transit layer also has the notion of inserting services in its platform, which is done through the service insertion framework.
Cloud Security
Cloud security is a crucial part of the MCN architecture. This layer encompasses all the other layers of the cloud. It ensures that all the areas in the cloud, such as the applications, transit, and access layer are secure. The MCNA model enforces cloud security in many aspects, such as when connecting cloud to on-premise, ingress, egress, and security within the cloud security with encryption and security segmentation.
Cloud Access
The multi-cloud access layer is a crucial layer of the multi-cloud network when interconnecting to on-premise resources. This layer ensures that the cloud is securely accessible by all the components of a business. This architecture sets the multi-cloud foundation by securely bringing employees, partners, customers, branch offices, and legacy data centers into the cloud as one cohesive unit.
Cloud Operations
This layer provides full visibility for all aspects of the cloud, meaning that it encompasses each layer. It is a centralized operations plane. This is also the layer of the cloud that encompasses the most crucial tools, such as troubleshooting, visibility, and automation.
The Benefits of the MCNA Approach
The architecture is easily replicated in the Aviatrix Controller.
There is a normalized data plane.
Service insertion and chaining are easily configured through the transit layer.
AWS Direct Conect Virtual Interfance
Private Virtual Interface
A private virtual interface should be used to access an Amazon VPC using private IP addresses.
Public Virtual Interface
A public virtual interface should be used to access an Amazon VPC using public IP addresses.
Transit Virtual Interface
A transit virtual interface should be used to access one or more Amazon VPC Transit Gateways associated with Direct Connect gateways. You can use transit virtual interfaces with 1/2/5/10 Gbps AWS Direct Connect connections.
Aviatrix Platform
Core Features
Intelligent orchestration and control, Multi-Account
Advance networking, Multi-Region, and Multi-Cloud
High-performance encryptions
The site to site /On-prem
Cloud WAN
Smart SAML User Vpn
Secure Engress/Igress
Firewall Network
Operational Tool
Core Feature Simplified
Transit
Operational
Security
Automation
Aviatrix Platform
A Centralized Controller
A Centralized controller of aviatrix making complex networking easy and does not require any knowledge of Networking CLI. Aviatrix Centralized Controller entry point for multi-cloud automation. which can be done using application programming terraform. Aviatrix is a browser-based and points and clicks management console for native (AWS, GCP, AZURE, and OCI ) and advanced services from aviatrix.
Features:
Browser-based — Point and click management console
Orchestrate both native clouds (AWS, Azure, GCP, Oracle) and advance service from aviatrix
Making Complexity to easy
Aviatrix Gateway
Aviatrix Gateway instance provides a centralized controller to the on-prem, cloud, and edge connectivity.
A Distributed and Common Data Plane
The Aviatrix platform embraces native cloud constructs and extends the functionality using advanced networking and security which are both provided by Aviatrix Gateway and Aviatrix Controller. The Aviatrix Gateway is considering as Nodes, robust and common data plane across multi-cloud computing. As a part of the data plane, these gateways also provide transit routing, High-performance encryption, Igress/Engress Edge connectivity, on-prem Connectivity, and user VPN.
Operational Visbility
Co-pilot is an aviatrix service that provides operational visibility, Common Tagging, and Diagnostic in the network and also informs the user if any issue occurs in the network.
Features
Complete Report of Cloud Network
Visualize Network Status, Latency rate, and performance
Monitoring and display alert
MultiAccount and Cloud
Aviatrix provides multi-account and cloud on one single interface. You can Interconnect AWS, GCP, AZURE, and Oracle with the same point.
Features
Manage Multiple account and region in one place
Network Cloud Region from a global view, not point to point view
Interconnect with AWS, Azure, GCP and Oracle, Viewpoint, and from one point.
Security and Compliance
To help its service run smoothly, Aviatrix provides many security and compliance measures. It allows users to manage security domains, such as the Development domain and the Production domain, and also allows for Virtual Private Cloud connectivity through Connection Policies. Users can easily apply firewall filters based on tags or specific address ranges, CIDR, protocols, and ports. Aviatrix services are also integrated with AWS GuardDuty to block malicious activity automatically at the Virtual Private Cloud network level.
Features
Manage Security Domains
VPC connectivity allows by Security policies
User-Friendly tagging
Easily apply firewall on VPC based on protocol, CIDR, and ports
Control onbound traffic with egress filtering
Interconnect with AWS GaurdDuty to block malicious activity automatically at the VPC network level
Automation
Automate your cloud networking by delivering the network as code, rather than as a series of manually configured virtual routers. With Aviatrix, networking functionality easily becomes part of your cloud stack. No CCIE, no problem.
Features
DevOps Automation
Terraform and CloudFormation
Controlled via RestApi
Troubleshooting
Easily handle your daily calls to fix problems. Usually, the network is blamed, even when it’s not the culprit. Quickly determine if networking is the issue. Minimize downtime with faster troubleshooting.
Integrate Dignostic tool
Limited use of border gateway protocol
Automated EC2 flightpath and identify Contivity issues
Continuous monitoring of multi-cloud network
Integrated Analytics
Drive your cloud networking decisions with intuitive, meaningful, real-time reports.
Integrated monitoring, alerting, and troubleshooting
Comprehensive Syslog for network statistics, policy violations, and more
API integration with modern cloud tools: Splunk, SumoLogic, Syslog, ELK, and Datadog.
Robust API to easily integrate with Netflow and CloudWatch
HA Working with Aviatrix
Peering Active/Passive
This will allow you to create a set of a gateway which connect with two or more VPCs
FQDN Egress Filter Active / Active
Site2Cloud Active/Passive
WorkFlow Bound High Availability Configuration Active /Passive
Native VPC/VNET Peering Issues
Full Mesh of Native Peering
Complex to manage initial Deployment
Complex to manage incremental updates
Network Correctness
Management and troubleshooting Issues
AWS Support Native Peering while using AWS Transit Gateway but having Visibility issues
Azure also Supports Native Peering while using Azure Firewall WAN but also having visibility issues.
GCP also Support Native Peering but with 3rd Party Tool
OCI also Support Native Peering but with 3rd Party tool
3rd Party Native Tool Issues
1.2GBPs Per tunnel
Manage BGP
Huge Blast Radius
management and troubleshooting issues
Aviatrix Native Peering
Well Rounded Architecture
Centrally Manage
Robust Connectivity
Scale-out
High-performance Encryptions
Fully Qualified Domain Egress Filter
Ingress Security (Aviatrix Gaurd Duty Enforcement)
Firewall
Cloud
L4 Firewall
L7 Firewall is limited to internet-based web applications
no Inspection for East-West
Expecting Customer to manually routing traffic
Firewall Vendor
Firewall vendors have repackaged on-prem level
Customer
Manual Routing
IPsec, BGP, SNAT and limited to 500MBPS
Azure Native Firewall
No DPI, IDS, IPS Support
Manual routing
SNAT is required for Automation
AWS Native Firewall
Solution # 1
VPC Attachment
Expensive — only one VM will attach
High Complexity
Cannot Scale
Long and Complicated Failover (AWS lambda)
Solution # 2
IPSEC VPN Model
Reduced Throughput -550MBPS
Security Groups cannot use inside VM
Manual Router Configurations
Aviatrix Firewall Network
Fire net
Fire net is a turnkey network solution to deploy firewall instances in the cloud.
With Aviatrix achieve throughput with Firenet up to 70Gbps
Features
Simplicity
Full Traffic Inspection
No IPsec Tunnels
no BGP
no SNAT
Scale-out
Policy Drive
Vendor integration
Automation
Private S3
Aviatrix PrivateS3 is a feature that allows you to leverage AWS Direct Connect to transfer objects and files between on-prem and S3 while giving you control of the S3 buckets by the ability to whitelist the S3 buckets.
Benefits of PrivateS3
Transferring objects/data between on-prem and S3 by leveraging Direct Connect without using public VIF.
The ability to control which S3 buckets can be accessed.
The ability to deploy multiple Aviatrix gateways to load balance the data traffic.
Operations
Operational Challenges in Public Cloud
Evidential Data (Fault/Issues)
Unfamiliar toolset (Ping, Packet Capture)
Black Box(No Visibility)
Infrastructure as code
A Flat world in Public Cloud
Tier 3 become Tier 1
Scaling out
FlightPath
A flightPath is a troubleshooting tool. It retrieves and displays, in a side by side fashion, AWS EC2 related information such as Security Groups, Route table, and route table entries, and network ACL. This helps you to identify connectivity problems. You do not need to launch Aviatrix gateways to use this tool, but you need to create Aviatrix accounts so that the Controller can use the account credentials to execute AWS APIs to retrieve relevant information
DevOps Automation
Automation
DevOps Workflow
Export to Terraform
Cloud Formation
MutliCloud — Multi Account
Controller HA
Controlling and Monitoring AWS Transit Gateway VPCs, Launch a new controller, and restore configurations
VPC Tracker
TGW Router Transit
Immediately Discover the missing route in the spoke VPC route table.
Traffic Metrics — Gateway
AWS Transit Gateway Orchestrator
list VPC and Security domains
List VPC, TGW, and associate AViatrix Gateway Routing Table
ChargeBack Functionality
Hitless Upgrade
Security Patches
High Availability
Co-Pilot
Visibility
Custom Tagging
Diagnostic
CoPilot also filters to limit data to define resource, application and flows
Aviatrix Flow IQ
Traffic is seen by gateways
More Learning :
https://atulkamble.github.io/AviatrixACE/
Complete Self Paced Learning is available at Aviatrix Community
Wrapping Up
Aviatrix is one of the best controllers which provides MultiCloud Computing. You can connect with me on Linkedin if you have any questions related to Aviatrix or MultiCloud Computing.
Top comments (3)
Hi,
This is a great article. Thank you for sharing.
Well, I'm not not from networking background and would you be advising me on how to configure azure vnet securely. I'm building a customer facing website hosted in azure
Based on the this article, I've derived this, with in a vnet there are 4 subnets such as front-end subnet, aks subnet, application subnet and db subnet.
Front-End subnet has => storage, static website, CDN
Aks subnet => aks (for microservices and internal applications)
Application subnet => service bus, event hubs
Back-End subnet => Redis, CosmosDb, SQL Server and Azure Search
Thank you Adil for sharing notes to Cloud Learning Community & Congratulations on AviatrixACE. Best Luck.
You are very welcome :)