Using Aviatrix Secure Networking to Simplify Multi-Cloud Connectivity and Fully Leverage AWS
By Olabanji Soaga, Partner Solutions Architect – AWS
By Brad Hedlund, Principal Solutions Architect – Aviatrix Systems
By Abdul Rahim, Principal Solutions Architect – Aviatrix Systems
As organizations continue to expand their cloud infrastructure, they have ongoing requirements to connect their Amazon Web Services (AWS) environments to other cloud providers. However, connecting different cloud networks seamlessly and securely can be a challenge due to varying networking architectures, security models, and operational tools.
In this post, we will explore how Aviatrix Systems simplifies this process and enables businesses to fully leverage AWS while easily connecting to other cloud providers.
Aviatrix is an AWS Partner and AWS Marketplace Seller with Competencies in Networking and Security. It has helped many businesses succeed with their multi-cloud networking requirements using an enterprise-grade cloud network backbone solution.
Aviatrix Secure Cloud Network Backbone helps companies connect, manage, and secure their connections between cloud providers, colocation facilities, on-premises data centers, branch offices, and third parties.
Aviatrix augments cloud-native functionality with enterprise-grade visibility, troubleshooting, and monitoring tools. It delivers an enterprise-class cloud backbone that offers resiliency, agility, advanced security, and mature troubleshooting tools without overrunning budgets.
Figure 1 – Connecting AWS to other clouds using Aviatrix secure networking.
Customers using this solution enjoy the following benefits:
Simplified Deployment and Management
Aviatrix uses a centralized controller, the Aviatrix Controller, to automate and streamline the deployment and management of cloud networking components. This reduces the complexity of managing connections to other cloud environments and minimizes the risk of misconfigurations. Additionally, it provides the required agility by using a single Terraform provider to build or expand the Aviatrix Secure Cloud Network Backbone.
Security and Performance
Aviatrix creates end-to-end secure connections with IPSec while providing high-performance encryption (up to 100 Gbps), real-time threat detection, embedded stateful L4 firewalling, and simplified traffic steering to next-generation firewalls (NGFW).
Intelligent Traffic Routing and Network Segmentation
Aviatrix offers advanced traffic engineering capabilities for optimal traffic routing between AWS and other cloud environments. Its network segmentation features enable organizations to isolate different workloads and control access between them. Customers can extend their existing segmentation domains in AWS Cloud WAN to other cloud providers for a unified and consistent segmentation policy.
Enterprise-Class Operations and Troubleshooting
Aviatrix CoPilot provides a suite of monitoring and visualization tools for real-time insights into network performance, topology, and security, enabling organizations to quickly identify and resolve issues with their cloud networks.
The solution architecture shown in Figure 2 consists of three main components:
- Aviatrix Control Plane: Aviatrix Controller and Aviatrix CoPilot are deployed from AWS Marketplace as Amazon Elastic Compute Cloud (Amazon EC2) instances in your AWS account to provide centralized control and monitoring of your cloud network backbone.
- Aviatrix Secure Cloud Network Backbone: The Aviatrix Controller deploys Aviatrix Transit Gateways as EC2 instances in multiple AWS Availability Zones (AZs) in a dedicated transit virtual private cloud (VPC) in your AWS account, and as virtual machines in a dedicated transit VPC/VNET in your other cloud provider(s)' account. It builds a software-defined secure network overlay between them using the internet or a private network as the underlay.
- Connection Application VPCs: Aviatrix Transit Gateways in AWS are peered with AWS Cloud WAN or AWS Transit Gateway using connect attachments. This allows for the exchange of routing information using Border Gateway Protocol (BGP) and provides high-speed connectivity (20 Gbps per connect attachment) for the application VPCs in AWS to access the other cloud provider(s).
Figure 2 – Aviatrix Secure Cloud Network Backbone architecture.
Aviatrix Controller deploys the Aviatrix Transit Gateways and configures all the necessary cloud-native components in the other cloud provider. This means you don’t need to learn the other cloud providers’ native constructs, console, or API.
It also removes skill gaps and reduces the experience required to operate a multi-cloud network. Just provide the access credentials for the other cloud account to the Aviatrix Controller and use the Aviatrix CoPilot web user interface (UI) or Terraform modules to do the deployment for you.
The Aviatrix Transit Gateways deployed in the other cloud provider can be attached to application VPC/VNETs using native peering mechanisms, or you can extend the Aviatrix network to the application VPC/VNETs by deploying Aviatrix Spoke Gateways into the application VPCs/VNETs.
Internet as the Underlay
You can take advantage of the AWS-provided internet connectivity to build your connection to the other cloud provider. Aviatrix Transit Gateways are deployed in public subnets with an AWS elastic IP address (EIP) and can use the AWS Internet Gateway (IGW) attached to the transit VPC to carry the IPSec tunnel traffic to the other cloud provider.
This approach leverages the robust and high-speed backbone infrastructure provided by AWS, ensuring secure and reliable communication between the two cloud environments.
Figure 3 – Using the internet to connect to other cloud providers.
You can optionally enable Aviatrix-patented High Performance Encryption, which creates multiple IPSec tunnels between each pair of Aviatrix Transit Gateways, with the tunnels intelligently distributed across the gateways' CPU cores while network traffic is distributed per flow across all the tunnels.
You can achieve up to 20 Gbps of aggregate throughput between clouds using the internet as the underlay, depending on the instance size and type you choose for your Aviatrix Gateways.
Private Network as the Underlay
If enhanced security, predictable latency, and consistent performance are required when connecting cloud environments, you can leverage the high-speed private network connections offered by the cloud service providers, such as AWS Direct Connect.
Figure 4 – Using a private network to connect to other cloud providers.
In the diagram above, an on-premises or colocation router is exchanging BGP routes between AWS Direct Connect and the other cloud provider’s private connection—for the transit VPC routes only. This is enough routing information for the Aviatrix Transit Gateways to build the IPSec tunnels between themselves.
The on-premises router and AWS Direct Connect do not need to carry all the routes for the VPCs in each cloud. This allows you to avoid reaching hard limits in the number of routes a cloud provider’s private connections can carry.
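The route-scoping point above (only the transit VPC/VNET prefixes need to cross the private underlay) can be checked before routes are accepted onto Direct Connect. This is an added example, not code from the post or from Aviatrix; all CIDRs and the advertised-route list are constructed sample values.

```python
"""Audit the prefixes an underlay router advertises over the private
connections (AWS Direct Connect on one side, the other cloud's private
connection on the other) when the Aviatrix transit-to-transit IPSec tunnels
run over a private underlay.

Only the dedicated transit VPC/VNET CIDRs need to cross the underlay; any
application VPC prefix that leaks into these advertisements consumes route
quota on the private connection for no benefit. All CIDRs below are
constructed sample values.
"""
import ipaddress

# Constructed CIDRs: the dedicated transit VPC in AWS and the dedicated
# transit VNET in the other cloud provider.
TRANSIT_CIDRS = {
    "aws": ["10.255.0.0/23"],
    "other_cloud": ["10.254.0.0/23"],
}

# Constructed sample of what the router currently advertises toward AWS over
# Direct Connect: the other cloud's transit CIDR plus two leaked app VNETs.
ADVERTISED_TOWARD_AWS = ["10.254.0.0/23", "10.20.0.0/16", "10.21.0.0/16"]


def audit_underlay_advertisements(advertised, transit_cidrs, toward):
    """Split `advertised` into (allowed, leaked) for advertisements sent toward
    the cloud named by `toward`.

    The receiving side only needs the transit CIDRs of the *opposite* side, so
    a prefix is allowed only if it is that CIDR or a more-specific of it.
    """
    expected = [
        ipaddress.ip_network(cidr)
        for side, cidrs in transit_cidrs.items() if side != toward
        for cidr in cidrs
    ]
    allowed, leaked = [], []
    for prefix in advertised:
        net = ipaddress.ip_network(prefix)
        # subnet_of() raises on mixed address families, so compare versions first.
        if any(net.version == t.version and net.subnet_of(t) for t in expected):
            allowed.append(prefix)
        else:
            leaked.append(prefix)
    return allowed, leaked


if __name__ == "__main__":
    ok, bad = audit_underlay_advertisements(ADVERTISED_TOWARD_AWS, TRANSIT_CIDRS, "aws")
    print("allowed:", ok)
    print("leaked (filter these before Direct Connect):", bad)
```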
With High Performance Encryption enabled, you can reach aggregate throughputs of 100 Gbps using a private network, depending on the instance sizes you use for your Aviatrix Transit Gateways.
With either the internet or private network, the Aviatrix Controller is configuring, managing, and load balancing all the IPSec tunnels for you as one logical software-defined connection. You don’t need to individually manage each tunnel.
Peering with AWS Cloud WAN (or AWS Transit Gateway)
Once the Aviatrix Cloud Network Backbone is established between AWS and the other cloud provider using the internet or private network, the next step is peering your Aviatrix Transit Gateways to AWS Cloud WAN or AWS Transit Gateway (whichever you’re using to network your application VPCs), using BGP-over-GRE connect attachments, as shown in the diagram below.
Figure 5 – Peering Aviatrix to AWS Cloud WAN using connect attachments.
The transit VPC containing the Aviatrix Transit Gateways will have a connect attachment to AWS Cloud WAN, with a minimum of four BGP-over-GRE connect peers defined (two from each Aviatrix Gateway for high availability and throughput). With each connect peer supporting 5 Gbps of throughput, both Aviatrix and AWS Cloud WAN will equal-cost load-balance traffic across all peers for an aggregate throughput of 20 Gbps per connect attachment.
If you’ve defined segmentation domains in AWS Cloud WAN, they can be extended to Aviatrix by creating a connect attachment and associating it to a domain. The diagram in Figure 6 shows Dev and Prod domains defined in both AWS Cloud WAN and Aviatrix, and dedicated connect attachments joining the AWS Cloud WAN domains with the Aviatrix domains.
Figure 6 – Mapping AWS Cloud WAN segments to Aviatrix network domains.
This architecture allows you to have consistent and unified network segmentation while extending your AWS infrastructure to another cloud provider by using Aviatrix to connect and extend your AWS Cloud WAN domains.
With your connect attachments created, Aviatrix Transit Gateways and AWS Cloud WAN will begin exchanging routing information with BGP to establish bi-directional traffic flow between your VPCs attached to AWS Cloud WAN and the VPCs/VNETs of the other cloud provider, all connected by the Aviatrix Cloud Network Backbone.
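Because the segmentation in Figure 6 depends on each dedicated connect attachment landing in the right AWS Cloud WAN segment, it is worth checking the attachment policy before applying it. The following is an added example, not code from the post or from Aviatrix or AWS: a simplified evaluator modelled on the Cloud WAN core network policy format (ascending rule-number, first match wins, "constant" association), with the policy excerpt and the attachment inventory constructed as sample data.

```python
"""Resolve which AWS Cloud WAN segment each connect attachment would be
associated with, and flag any whose segment does not match the Aviatrix
network domain it was built for (e.g. a Dev attachment ending up in Prod,
or in no segment at all).

The evaluator is a simplified model of the Cloud WAN attachment-policy rules
(only "equals" tag-value and attachment-type conditions are handled); the
policy excerpt and attachments below are constructed sample data.
"""

# Constructed excerpt of a core network policy: one dedicated connect
# attachment per domain, selected by a "domain" tag.
ATTACHMENT_POLICIES = [
    {"rule-number": 100, "condition-logic": "and",
     "conditions": [{"type": "attachment-type", "operator": "equals", "value": "connect"},
                    {"type": "tag-value", "operator": "equals", "key": "domain", "value": "prod"}],
     "action": {"association-method": "constant", "segment": "prod"}},
    {"rule-number": 200, "condition-logic": "and",
     "conditions": [{"type": "attachment-type", "operator": "equals", "value": "connect"},
                    {"type": "tag-value", "operator": "equals", "key": "domain", "value": "dev"}],
     "action": {"association-method": "constant", "segment": "dev"}},
]

# Constructed inventory: the third attachment carries a mistyped tag value.
SAMPLE_ATTACHMENTS = [
    {"id": "attach-prod", "type": "connect", "tags": {"domain": "prod"}, "aviatrix_domain": "prod"},
    {"id": "attach-dev", "type": "connect", "tags": {"domain": "dev"}, "aviatrix_domain": "dev"},
    {"id": "attach-dev-typo", "type": "connect", "tags": {"domain": "development"}, "aviatrix_domain": "dev"},
]


def _match(cond, attachment):
    """Evaluate one policy condition against one attachment."""
    if cond["type"] == "attachment-type":
        return attachment["type"] == cond["value"]
    if cond["type"] == "tag-value":
        return attachment["tags"].get(cond["key"]) == cond["value"]
    if cond["type"] == "tag-exists":
        return cond["key"] in attachment["tags"]
    return False


def resolve_segment(attachment, policies=ATTACHMENT_POLICIES):
    """Return the segment the first matching rule assigns, or None if no rule matches."""
    for rule in sorted(policies, key=lambda r: r["rule-number"]):
        combine = all if rule.get("condition-logic", "and") == "and" else any
        if combine(_match(c, attachment) for c in rule["conditions"]):
            return rule["action"]["segment"]
    return None


def audit_domain_mapping(attachments, policies=ATTACHMENT_POLICIES):
    """Return (id, intended Aviatrix domain, resolved segment) for every mismatch."""
    return [(a["id"], a["aviatrix_domain"], resolve_segment(a, policies))
            for a in attachments if resolve_segment(a, policies) != a["aviatrix_domain"]]
```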
Traffic Visibility and Troubleshooting
With your Aviatrix Cloud Network Backbone up and running, you can now use Aviatrix CoPilot to get deep visibility of traffic flowing between AWS and the other cloud provider with real-time and historical session details and rich visualization and query capabilities. This is shown in the screenshot below from the FlowIQ feature in Aviatrix CoPilot.
Figure 7 – Traffic flows screenshot in Aviatrix CoPilot FlowIQ.
It’s always nice when traffic is flowing as it should be, but when it’s not, Aviatrix CoPilot gives you the tools to quickly identify and resolve issues. One example is trying to figure out why an Amazon EC2 instance is not able to communicate with a virtual machine in the other cloud provider.
You may know AWS troubleshooting well enough, but you might not know how to troubleshoot the native constructs of the other cloud provider. The Aviatrix platform has this knowledge, and you can put it to work for you.
For this scenario, Aviatrix CoPilot provides you with a tool called AppIQ that allows you to pick your source EC2 instance and destination virtual machine in the other cloud provider. AppIQ will generate a troubleshooting report showing you the topology, latency, observed traffic, and any configuration issues with the native constructs, like VPC route tables and security groups (and their equivalents in the other cloud).
Figure 8 – Gateway diagnostic tools screenshot in Aviatrix CoPilot.
You can also see real-time sessions and take full packet captures from any Aviatrix gateway to see if traffic is arriving at the other cloud provider and what it looks like. Just select the Aviatrix gateway in the CoPilot topology view and select Diagnostic Tools. In the screenshot above, the Active Sessions and Packet Capture tools are highlighted.
How to Get Started
Getting your cloud network backbone deployed is easy. Just launch the Aviatrix Controller and CoPilot in your AWS account from AWS Marketplace, onboard your cloud accounts, and begin deploying Aviatrix Transit Gateways from the CoPilot UI or with Terraform modules.
- Deploy Aviatrix Controller and CoPilot using the AWS getting started guide or the Aviatrix self-service launch tool
- Deploy Aviatrix Secure Cloud Backbone using Terraform
- Integrate AWS Transit Gateway/AWS Cloud WAN with Aviatrix Secure Cloud Backbone
Aviatrix’s intelligent cloud networking technology offers a promising solution to some of the issues organizations face while expanding and connecting to diverse cloud environments.
With Aviatrix Secure Cloud Network Backbone, cloud architects can seamlessly connect AWS infrastructure to other cloud providers through cloud-native technology. This solution facilitates secure and high-performance connections across clouds, while maintaining full network traffic visibility and control.
Furthermore, the platform provides powerful troubleshooting tools, such as AppIQ and FlowIQ, which enable quick resolution of network issues and ensure uninterrupted business operations. Aviatrix empowers organizations to extend and expand their cloud presence efficiently while eliminating unnecessary complexities.
Learn more about Aviatrix in AWS Marketplace.
Aviatrix Systems – AWS Partner Spotlight
Aviatrix Systems is an AWS Partner that has helped many businesses succeed with their multi-cloud networking requirements using an enterprise-grade cloud network backbone solution.