Multi- Cloud Networking with Aviatrix
Networking is the foundational requirement of any cloud solution and enabling a multi-cloud network should be high in the list of priorities for all organizations. Organizations moving to the cloud may select a primary cloud provider for the majority of their work loads but there may be solutions that are better served, for one reason or another, from a second or third cloud provider network. The challenge is providing a multi-cloud network solution that enables implementation simplicity as well as performance, scalability and visibility.
Your organisation requires secure connectivity between AWS, and Azure. The solution is expected to provide multi-cloud connectivity as well as the potential to create region to region connectivity. You are looking to make use of cloud native solutions to provide the scale, flexibility and performance.
Cloud platforms AWS and Azure
Azure Express Route
AWS Transit Gateway (TGW)
Aviatrix Transit gateways for both AWS and Azure
Aviatrix AWS TGW Orchestration
My solution focuses on Aviatrix cloud networking technology to provide the AWS and Azure connectivity. Aviatrix provide a number of cloud native networking solutions including:
Aviatrix Transit networking*
AWS TGW Orchestration*
Aviatrix Egress Gateway for fully qualified domain filtering*
Policy based remote access VPN
*included in solution below.
The proposed solution incorporates the Aviatrix Transit, Aviatrix AWS TGW Orchestration and Aviatrix Egress Gateway. The diagram below illustrates two Aviatrix transits, one in AWS and one Azure. These transit gateways provide the multi-cloud connectivity and, by adding Aviatrix active mesh technology, will provide load sharing across all active gateways between the two cloud provider networks.
The Aviatrix Controller is the central orchestration and management platform to launch Aviatrix Gateway. These gateways can be launched and configured using the console menus and flow based steps to guide you to the desired solution or via terraform scripts.
Firstly I launched the gateways in the Aviatrix-Edge-VPC and Azure VNET to begin the process of creating a transit from AWS to Azure. This step took less than 10 minutes to complete and has an ActiveMesh configured between Azure and AWS. From the Aviatrix console you can view the connectivity and the mesh topology as illustrated in the diagram below. Aviatrix color code with the Azure gateways represented by the darker blue and AWS gateways by the lighter blue.
A quick listing of the transit gateway status and you can also see the HA mode as ActiveMesh. I can see I have now connected my AWS to Azure cloud networks.
The steps to create a transit as above, is the same when you are looking at connecting multiple regions together from the same cloud provider.
The next step was to add the AWS Transit Gateway. I completed this using the orchestration provided from the Aviatrix console. The orchestrator attaches your VPCs, modifies the route tables on the VPCs and the TGW and defines the configuration of the AWS route domains used on the TGW.
The view that is provided in the Aviatrix console for the AWS TGW is excellent for a graphical representation of the environment as illustrated below. For this setup I have used the default domain and added a shared-services domain as well as the Aviatrix Edge domain. These domains represent the route/security control of inter VPC communication. The Edge domain also extends the TGW and is the connectivity to the AWS/Azure transit.
I displayed the route table on the Aviatrix transit used in Azure from the console and as shown below, the routes from AWS have propagated to Azure. This can be seen from the route 10.108.0.0/16 CIDR from cloud-net-test. The public addresses in the next hop column have been obfuscated but represent the tunnel endpoints.
Aviatrix provide administrators control of the routing for the multi-cloud network solution combining software defined routing with traditional BGP routing mechanisms such as AS PATH prepend and manually adding CIDR blocks. Not only do they provide the route controls, the gateways also incorporate security components such as a stateful firewall, egress filtering and integration with AWS GuardDuty to layer on security as part of your multi-cloud solution.
The final part of the solution was to provide egress control from the VPC/VNETs with compute resources for example the cloud-test-net VPC. I deployed Aviatrix Egress gateways which I touched on above, and these provide fully qualified domain name (FQDN) filtering including support for applications that do not use port 80 and 443 such as SSH and SFTP and specific API targets with non standard ports. I deployed these gateways from the orchestration console and that provides a work flow, step by step guide to implementing the desired solution with the orchestrator configuring the appropriate security groups and route table updates. A good feature as part of the deployment is you can run gateways in a discover mode for a period of time to understand the egress traffic and then upload the rules to the gateway. This provides a non intrusive deployment and the need to predetermine the targets that your systems require access to via the egress gateway and allow your security team to determine what is relevant.
I found the Aviatrix console to be intuitive and was able to complete the end to end solution in about 20 minutes. Although I did perform this using the console, the Aviatrix solution can be implemented as part of your DevOps CI/CD processes with API and Terraform capability.
Aviatrix provide many diagnostic and troubleshooting tools to assess the health of your network connectivity with graphical representation of components of the network but there are other tools including local logs, exports to 3rd party SIEM such as splunk, VPC testing and a fantastic tool they call flightpath that allows troubleshooting of AWS security groups and network ACLs. Another cool feature is the ability to upload from the console diagnostic and trace results to the Aviatrix support team for analysis during troubleshooting. I will look to provide an overview of these in a future blog.
Give it a go and see how easy it can be to deploy multi-cloud networks with the right platform. If you would like to test a similar deployment, then AWS and Azure provide access to Aviatrix Controllers from their market place.