AWS Partner Network (APN) Blog
How Aviatrix Provides Deep Visibility, Troubleshooting, and Monitoring for Your AWS Network
By James Devine, Principal Solutions Architect – Aviatrix
By Josh Dean, Sr. Partner Solutions Architect, Networking – AWS
Amazon Web Services (AWS) provides an impressive set of capabilities for building out advanced networking architectures.
As these architectures grow in complexity to encompass many AWS accounts and regions, it can become difficult to gain a holistic view of the network. Aviatrix augments cloud-native functionality with enterprise-grade visibility, troubleshooting, and monitoring tools.
In this post, we’ll give a brief introduction to the Aviatrix Cloud Network Platform and dig into the advanced capabilities that make day-2 operations a breeze.
Aviatrix is an AWS ISV Partner with the Networking Competency. The Aviatrix Platform is built from the ground up for AWS environments and enables enterprises to realize the benefits of agility, scale, and mobility when deploying applications in the cloud.
About the Aviatrix Cloud Network Platform
The Aviatrix Cloud Network Platform consists of a multi-cloud-aware centralized controller and intelligent cloud routers called gateways. By bringing a data plane into AWS, you get more control over traffic and can introduce intelligent routing.
Since the platform is cloud-native, it can seamlessly integrate and orchestrate AWS services like Amazon GuardDuty, AWS Global Accelerator, and AWS Transit Gateway.
The Aviatrix Platform also makes it easy to integrate third-party devices from Palo Alto, Checkpoint, F5, and Fortinet into any architecture.
Figure 1 – High-level view of the Aviatrix Platform.
Gateways exist in virtual private clouds (VPCs) that use Aviatrix Transit, as shown in the VPCs on the left of Figure 1. The platform also works with AWS Transit Gateway, as can be seen in the VPCs on the right.
The controller provisions and orchestrates all of the networking resources. Lastly, CoPilot provides network visibility and insights.
Deep Visibility with CoPilot
The components of the Aviatrix Cloud Network Platform are deeply integrated. Each gateway collects and exports NetFlow data, as well as overall health and topology, to a central collector called CoPilot.
Within CoPilot, there’s visibility into the infrastructure across the entire data plane and control plane for the whole network topology, and topology mapping lays this out visually.
It can be difficult, even in a modestly sized environment, to have a unified topology view. CoPilot has this functionality built-in.
There’s a full end-to-end view of your entire network across regions and cloud providers. You can drill down to specific gateways through a single pane of glass.
On the left-hand side of Figure 2, we’ve clicked on each node to expand the architecture so you can see the subnets, instances, and gateways.
Figure 2 – Aviatrix CoPilot topology view.
In addition to seeing current topology, you can also track topology changes over time through a feature called topology replay. Think of it as a cloud DVR for your network.
This is a powerful tool for troubleshooting. You can quickly identify changes that have occurred and their impact on the overall network.
In Figure 3, you can see the changes and affected nodes are highlighted. Double-click on affected gateways to drill down further.
Figure 3 – Aviatrix CoPilot Topology Replay view.
Flow Analysis and Intelligence with FlowIQ
Since each gateway is exporting NetFlow data to CoPilot, there is insight and visibility into all of the traffic as it traverses the Aviatrix Cloud Network Platform. This allows for flow-based insight through a feature called FlowIQ.
FlowIQ performs deep analysis on the data the Aviatrix Platform collects to determine trends and gain insights. You can see in Figure 4 an overview of all traffic flows. It’s also possible to filter to specific IP addresses and CIDR ranges to drill down into portions of the network.
Figure 4 – Aviatrix CoPilot FlowIQ overview.
From the trends tab, you can see the trends in traffic flows. This makes it easy to identify top source and destination traffic by port.
Figure 5 – Aviatrix CoPilot FlowIQ trends view.
Going one level deeper, you can see the flow data from the flows tab. This can be helpful in pinpointing large data flows and figuring out their source and destination.
Figure 6 – Aviatrix CoPilot FlowIQ flows view.
You can make sense of these IP addresses by looking at the geolocation tab to see where traffic is sourced from and destined to. In this example, there are traffic flows from around the world into the demo environment we are using.
Figure 7 – Aviatrix CoPilot geolocation view.
You can also dig into individual flows under the records tab and drill down into individual traffic flows across the full set of over 90 fields of NetFlow logs gathered for each flow. This can be helpful for root cause analysis, security investigations, and confirming compliance.
Application Network Insights with AppIQ
Having data plane and control plane data means it’s possible to probe into communication paths to look at performance. This is exactly what AppIQ does.
You can select any two instances that are a part of the Aviatrix Platform to get a view of the traffic path along with performance metrics. The generic “my app is slow” or “the network is slow” complaints can be easily confirmed or dismissed.
In Figure 8, you can see these metrics between an ingress VPC and an Amazon Elastic Kubernetes Service (Amazon EKS) cluster we have running.
Figure 8 – Aviatrix CoPilot FlowIQ view.
Here, we can see everything is green with sub-1ms latency. The full reachability and performance report can be exported to a PDF document that can be used to help prove the networking path is performing as expected.
AppIQ can also help isolate the specific points in the network path that may be causing performance issues. If you notice higher than normal latency, for example, you can focus your troubleshooting on the problematic nodes in that path.
Egress FQDN Monitoring
A common use case for the Aviatrix Platform is egress filtering: controlling traffic out to the internet and enforcing allow lists and deny lists.
In many environments, it can be difficult to get a handle on just where traffic is going, let alone to control access. Services often need to talk to the internet for licensing, software updates, and patching.
Each Aviatrix Gateway is capable of monitoring egress requests and recording activity. This is helpful both for troubleshooting and for assessing all of the destinations that instances in a given VPC are trying to reach.
Figure 9 below demonstrates this with Fully Qualified Domain Name (FQDN) monitoring enabled on a spoke gateway in us-west-2.
You can quickly see there are nine sites that are being visited from within the VPC. If any of those sites were to look suspect, you could create explicit deny lists for those sites. If any traffic is going to AWS services like Amazon Simple Storage Service (Amazon S3), those FQDNs are also captured and can be analyzed.
Figure 9 – Aviatrix FQDN monitoring.
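As an added example (not Aviatrix code and not its log format), the check below takes constructed egress FQDN records, derives the distinct set of sites visited from a VPC, and flags any destination not covered by an allow list as a deny-list candidate. The record layout, the `*.domain` wildcard style of the allow list, and the instance IDs are assumptions.

```python
from collections import Counter

# Constructed sample egress records (assumed layout, not an Aviatrix export):
# (source instance, destination FQDN, destination port).
RECORDS = [
    ("i-0a1", "s3.us-west-2.amazonaws.com", 443),
    ("i-0a1", "updates.example-vendor.com", 443),
    ("i-0b2", "s3.us-west-2.amazonaws.com", 443),
    ("i-0b2", "pypi.org", 443),
    ("i-0c3", "files.pythonhosted.org", 443),
    ("i-0c3", "license.example-vendor.com", 443),
    ("i-0c3", "cdn.unknown-tracker.example", 80),
]

# Assumed allow-list style: exact hostnames or a leading "*." wildcard.
ALLOW_LIST = ["*.amazonaws.com", "*.example-vendor.com",
              "pypi.org", "files.pythonhosted.org"]


def is_allowed(fqdn: str, allow_list=ALLOW_LIST) -> bool:
    """True if fqdn matches an allow-list entry exactly or via a '*.' wildcard."""
    fqdn = fqdn.lower().rstrip(".")
    for entry in allow_list:
        entry = entry.lower()
        if entry.startswith("*."):
            # "*.amazonaws.com" covers any subdomain but not the bare apex.
            if fqdn.endswith(entry[1:]):
                return True
        elif fqdn == entry:
            return True
    return False


def distinct_sites(records=RECORDS) -> Counter:
    """Count how many distinct instances reached each FQDN (the 'sites visited' view)."""
    pairs = {(src, dst) for src, dst, _ in records}
    return Counter(dst for _, dst in pairs)


def deny_candidates(records=RECORDS, allow_list=ALLOW_LIST) -> dict:
    """Map each FQDN outside the allow list to the (instance, port) pairs that reached it."""
    flagged = {}
    for src, dst, port in records:
        if not is_allowed(dst, allow_list):
            flagged.setdefault(dst, set()).add((src, port))
    return flagged


if __name__ == "__main__":
    print("sites visited:", dict(distinct_sites()))
    print("deny-list candidates:", deny_candidates())
```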
Conclusion
The Aviatrix Cloud Network Platform enhances AWS networking by adding visibility and troubleshooting capabilities. With Aviatrix, you can easily gain control of your cloud network and data flows.
To get started, launch the Sandbox Starter Tool or deploy directly from AWS Marketplace. If you’d like to learn more and see what Aviatrix can do for your cloud networking, reach out and set up a demo.