Thursday, August 4, 2022

Aviatrix-Episode1: Building a resilient MultiCloud Network architecture in minutes

How long would it take to configure a fully resilient Multi Cloud Network Architecture? Do you have an idea?

Today, we will make an experiment and I promise, it will not be biased.. I have no clue how much time I will spend to spin up a fully resilient Cloud Network infrastructure between AWS and Azure. The goal is simply that an AWS EC2 can reach another AWS EC2 in a different VPC & an Azure VM over a Multi Cloud Infrastructure that is resilient to any SPOF (Single Point of Failure) all along the way.

Of course, I will use Aviatrix, what else? 

Not this one, but the one below - the real one --

What is Aviatrix (in minutes also 😏)

Aviatrix is the pioneer & leader in Secure Cloud Networking. It partners with all the biggest Cloud Service Providers: AWS, Azure, GCP, OCI and AliCloud. But, most of all, it does what Cloud Native tooling can't always achieve.

Aviatrix layered model



The approach is a performant, highly resilient, consistent & repeatable architecture for the Data Plane across all Clouds made with 3 layers:

1. Application layer where workloads (VPC/VNET/VCN) are configured

2. Network layer or Transit layer where
    - workloads are aggregated to Aviatrix Transit Gateways
    - Aviatrix Transit Gateways from different CSP's peer together to form a multi-cloud secured network architecture

3. Access Layer to connect public Clouds to on-prem networks (Data Centers, User VPNs, Branches with SD-WAN integration, etc.)

Control Plane

The Control Plane (or Operation Layer) is made with 2 major elements:

  • The Aviatrix Controller for the provisioning & automation of your Cloud Network & Security infrastructure, no matter which Public Cloud you are on. You enable things the same way everywhere, overcoming the limitations & discrepancies of the Cloud Native tooling. It can be seen as a Single Pane of Glass & lets you provision either via the WebUI or via Terraform (because yes, Aviatrix is an official Terraform Provider, with the same modules for all Clouds, for Aviatrix constructs but also for some Native constructs like VPCs, VNETs, etc.)
  • The Aviatrix Copilot for any kind of troubleshooting of your single/multi Cloud Network infrastructure
    • Monitoring in real time
    • Flow analysis
    • Performance & latency
    • Connectivity & configuration audit
    • Cyber Threat Protection & Network Behaviour Analytics
    • Reports
Please check this out for more details.

Added values among others

Having discussed the consistent & repeatable provisioning & automation as well as the troubleshooting of your Cloud infrastructure, Aviatrix also provides capabilities that are unmatched in Secure Cloud Networking.

  • Performance, High Availability, Resilience & overlapping IP solutions. Please see my initial blog post on that.
  • Security: FQDN Filtering, workload & micro segmentation, seamless insertion of the NGFW of your choice, High Performance Encryption, etc. A colleague of mine made a blog on the Top 5 Security features Aviatrix can provide.

Prerequisites for my 'against the clock test'

  • Aviatrix Controller & Copilot already installed (I promise, it takes no more than 1 hour)
    • You launch the software for the Aviatrix Controller from the Marketplace (default VPC / AWS in my case)
    • Install the Copilot from the Controller (EIP, SGs, Copilot association, Remote Syslog & Netflow will be created)
    • Just ensure that: the EIP is linked to the Copilot; RSyslog & Netflow are properly configured in the Controller; the SGs allow what is needed (your Public IP + the Copilot Private IP (if same AZ) for the Controller SG; TCP/22 & 443 + UDP/5000 & 31283 from any for the Copilot SG); and a Service Account is created in RO in the Controller for the Copilot
  • Onboard AWS & Azure accounts into the AVX Controller
  • For the record (earlier versions are fine as well): Controller version (6.7) & Copilot version (2.3)
  • Request a Quota Increase for EIPs in AWS us-east-1
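As an added example (my own Python, not code from the original post or from Aviatrix), here is a small check of the Security Group rules listed in the prerequisites above: it flattens the IpPermissions structure that `aws ec2 describe-security-groups` returns and compares it with the expected rule set, so that a Controller SG left open to 0.0.0.0/0 or a Copilot SG missing one of its ports shows up before you start the clock. The sample rule sets and IP addresses are constructed, and the Controller being reached on TCP/443 is my assumption, not something the post states.

```python
# Added example: audit inbound Security Group rules against the expected
# rule set from the prerequisites (Controller SG: only my public IP and the
# Copilot private IP; Copilot SG: TCP/22, TCP/443, UDP/5000, UDP/31283 from any).

# Constructed values (not from the post): my public IP and the Copilot's private IP.
MY_PUBLIC_IP = "203.0.113.10/32"          # RFC 5737 documentation range
COPILOT_PRIVATE_IP = "172.31.20.5/32"     # a default-VPC style address

# Assumption: the Controller UI/API is reached on TCP/443.
CONTROLLER_EXPECTED = {
    ("tcp", 443, 443, MY_PUBLIC_IP),
    ("tcp", 443, 443, COPILOT_PRIVATE_IP),
}
COPILOT_EXPECTED = {
    ("tcp", 22, 22, "0.0.0.0/0"),
    ("tcp", 443, 443, "0.0.0.0/0"),
    ("udp", 5000, 5000, "0.0.0.0/0"),
    ("udp", 31283, 31283, "0.0.0.0/0"),
}

# Constructed IpPermissions, shaped like `aws ec2 describe-security-groups` output.
# The Controller SG below is deliberately wrong: 443 open to the world, Copilot IP missing.
CONTROLLER_SG_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": MY_PUBLIC_IP}]},
]
COPILOT_SG_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 5000, "ToPort": 5000, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 31283, "ToPort": 31283, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]


def expand_rules(ip_permissions):
    """Flatten IpPermissions into (protocol, from_port, to_port, cidr) tuples.

    Protocol "-1" (all traffic) carries no port fields; treat it as 0-65535
    so it still compares against the expected set instead of being skipped.
    """
    rules = set()
    for perm in ip_permissions:
        proto = perm["IpProtocol"]
        lo = perm.get("FromPort", 0)
        hi = perm.get("ToPort", 65535)
        for rng in perm.get("IpRanges", []):
            rules.add((proto, lo, hi, rng["CidrIp"]))
    return rules


def audit_sg(ip_permissions, expected):
    """Return (missing, unexpected): expected rules absent from the SG, and
    rules present in the SG that the expected set does not cover."""
    actual = expand_rules(ip_permissions)
    return sorted(expected - actual), sorted(actual - expected)


def report(name, ip_permissions, expected):
    """Print a human-readable verdict and return True only if the SG matches exactly."""
    missing, unexpected = audit_sg(ip_permissions, expected)
    ok = not missing and not unexpected
    print(f"{name}: {'OK' if ok else 'CHECK'}")
    for r in missing:
        print(f"  missing    {r[0]}/{r[1]}-{r[2]} from {r[3]}")
    for r in unexpected:
        print(f"  unexpected {r[0]}/{r[1]}-{r[2]} from {r[3]}")
    return ok


if __name__ == "__main__":
    report("Controller SG", CONTROLLER_SG_PERMISSIONS, CONTROLLER_EXPECTED)
    report("Copilot SG", COPILOT_SG_PERMISSIONS, COPILOT_EXPECTED)
```

A rule that is wider than expected (for instance a single 0-65535 range, or an extra source CIDR) is reported as "unexpected" rather than silently accepted, which is the behaviour you want for the Controller SG. Sources expressed as prefix lists or as other security groups (PrefixListIds, UserIdGroupPairs) are outside the scope of this check.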

Architecture



  • Aviatrix Controller & Copilot are in Default AWS VPC
  • All Spoke & Transit Aviatrix GWs are in HA (High Availability)
  • All Aviatrix Spoke to Transit GW links, and Transit to Transit GW links (AWS to Azure), are fully meshed (which is called Active Mesh 2.0 in the Aviatrix World 😉). This means that all links are Active and forward traffic (convergence time is NONE for most failure use cases)
  • All links between Aviatrix GWs are encrypted with IPsec - meaning your Cloud Traffic is encrypted E2E

Goal of the test

  • WEBUI creation (another post will talk about Terraform provisioning)
  • Create all VPCs / VNETs
  • Create all Aviatrix GWs
  • SpokeA EC2 is able to ping SpokeB EC2 & Spoke VNET1 VM

Let's GO!

Step 1: VPCs / VNETs creation from Aviatrix Controller (~5 minutes)

Yes, you read it right! You can provision these Native Constructs from different CSPs from the Aviatrix platform!
  • AWS Transit
  • Azure Transit
  • CIDRs must be at least /23 for Transit VPCs / VNETs
  • AWS Spoke
  • Azure Spoke

List of VPCs / VNETs from the Aviatrix Controller

These VPCs / VNETs can be seen of course on the CSP Portal.
  • AWS
  • Azure

Step 2: Aviatrix Gateways Creation from Aviatrix Controller (~17 minutes)

Spoke GWs creation
  • AWS
  • Azure

Spoke HAGW example

Transit GWs creation
  • AWS
  • Azure

List of Aviatrix GWs (from Controller): 2 GWs per VPC / VNET for HA


Step 3: Attach Spoke GWs to Transit GWs from Aviatrix Controller (~2 minutes)

The Aviatrix Controller has automatically inserted Static Routes for the RFC1918 ranges into the Spoke VPC / VNET Route Tables, with the Spoke Gateways as Next-Hop. This is what we call Software Defined Routing.

AWS example
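To see what that Software Defined Routing looks like from the AWS side, here is an added example (my own Python, not Aviatrix code and not part of the original post) that audits a Spoke VPC route table: it checks that each RFC1918 range (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) has an active route whose target is one of the Spoke gateway ENIs, and flags blackholed routes, routes pointing somewhere else, and more-specific routes inside RFC1918 space that would bypass the Spoke gateways. The route tables and ENI IDs below are constructed; real input would be the Routes list from `aws ec2 describe-route-tables`.

```python
import ipaddress

# The three RFC1918 ranges the Controller programs into each Spoke route table.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample (not from the post), shaped like the "Routes" list of an
# AWS describe-route-tables response for one Spoke VPC route table.
# eni-0aaa0001 / eni-0aaa0002 stand for the Spoke GW and its HA GW (hypothetical IDs).
SPOKE_GW_ENIS = {"eni-0aaa0001", "eni-0aaa0002"}

SPOKE_A_ROUTES_GOOD = [
    {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "10.0.0.0/8", "NetworkInterfaceId": "eni-0aaa0001", "State": "active"},
    {"DestinationCidrBlock": "172.16.0.0/12", "NetworkInterfaceId": "eni-0aaa0001", "State": "active"},
    {"DestinationCidrBlock": "192.168.0.0/16", "NetworkInterfaceId": "eni-0aaa0001", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbb0001", "State": "active"},
]

# A deliberately broken table: one blackhole, one wrong next-hop, one bypass route.
SPOKE_A_ROUTES_BAD = [
    {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "10.0.0.0/8", "NetworkInterfaceId": "eni-0aaa0002", "State": "active"},
    {"DestinationCidrBlock": "172.16.0.0/12", "NetworkInterfaceId": "eni-0aaa0002", "State": "blackhole"},
    {"DestinationCidrBlock": "192.168.0.0/16", "NetworkInterfaceId": "eni-0ccc0009", "State": "active"},
    {"DestinationCidrBlock": "10.9.9.0/24", "GatewayId": "igw-0bbb0001", "State": "active"},
]


def route_target(route):
    """Return whichever target field this route carries (ENI, IGW, TGW, ...)."""
    for key in ("NetworkInterfaceId", "GatewayId", "TransitGatewayId",
                "NatGatewayId", "VpcPeeringConnectionId", "InstanceId"):
        if key in route:
            return route[key]
    return None


def audit_spoke_route_table(routes, spoke_gw_enis):
    """Return a list of human-readable findings; an empty list means the table
    carries the three RFC1918 routes via a Spoke gateway and nothing bypasses them."""
    findings = []
    seen = {}
    for r in routes:
        cidr = r.get("DestinationCidrBlock")
        if not cidr:
            continue  # IPv6 and prefix-list routes are out of scope here
        seen[ipaddress.ip_network(cidr)] = r

    # 1. Each RFC1918 supernet must be present, active and point at a Spoke GW ENI.
    for prefix in RFC1918:
        r = seen.get(prefix)
        if r is None:
            findings.append(f"missing route for {prefix}")
            continue
        tgt = route_target(r)
        if r.get("State") != "active":
            findings.append(f"{prefix} -> {tgt} is {r.get('State')} (blackhole?)")
        elif tgt not in spoke_gw_enis:
            findings.append(f"{prefix} -> {tgt} does not point at a Spoke gateway")

    # 2. Any more-specific route inside RFC1918 space that avoids the Spoke GWs
    #    (the VPC's own "local" route is expected and ignored).
    for net, r in seen.items():
        if net in RFC1918:
            continue
        tgt = route_target(r)
        if tgt == "local":
            continue
        if any(net.subnet_of(p) for p in RFC1918) and tgt not in spoke_gw_enis:
            findings.append(f"more-specific {net} -> {tgt} bypasses the Spoke gateways")
    return findings


if __name__ == "__main__":
    for name, table in (("good", SPOKE_A_ROUTES_GOOD), ("bad", SPOKE_A_ROUTES_BAD)):
        result = audit_spoke_route_table(table, SPOKE_GW_ENIS)
        print(f"{name}: {'OK' if not result else 'CHECK'}")
        for f in result:
            print("  " + f)
```

Accepting either ENI of the HA pair as next-hop is intentional: on AWS the route points at one gateway at a time and is repointed on failover, so a table that currently targets the HA gateway is healthy, not a finding.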

Step 4: Configure Transit Peering between AWS & Azure Transit GWs from Aviatrix Controller (~2 minutes)

Step 5: Enable 'Connected Transit' to allow communication between Spokes attached to the same Transit GW (~1 minute) (in my case, only on AWS, for communication between SpokeA & SpokeB)



Route Tables & Routes can be seen on the Aviatrix Copilot for all your multicloud infrastructure - your Aviatrix Gateways but also Native Constructs like VPCs & VNETs!



Bonus! Your multicloud infrastructure can be seen in Real Time from Aviatrix Copilot - I do not want to say more as I do not want to spoil the Copilot Tour, subject of a further Aviatrix Episode!

Copilot Dashboard - Monitoring in real time


Copilot Topology view of your multicloud infrastructure


Step 6: Spin up the 3 instances (2 EC2 & 1 Azure VM) directly from the CSP Portal (~7 minutes)

Step 7: Testing!!

Ping SpokeA - SpokeB

Ping SpokeA - Spoke VNET1

I stop the clock!!!!


Guess what: the pings are successful, and all of this in 35 minutes!! That is all it takes to spin up a fully resilient multicloud infrastructure between AWS & Azure, in my case with Aviatrix obviously... Do you have a rough idea of how much time it would take with pure Native constructs plus NGFW insertion for the interconnection between AWS & Azure?? I have no clue and I will not make that test.. Surely days..

Aviatrix can be the easy button for you, Cloud Network & Security enthusiasts!! It will spare you countless hours when you have to set up more complex infrastructures than the one above..


Next episodes foreseen in August:

Episode2: AWS Cloud WAN - Aviatrix compatibility & Segmentation

Episode3: Connecting OnPrem Remote site to Aviatrix Cloud infrastructure via BGPoIPSEC   (incl. BGP route approval)

Episode4: Embedded L4 Stateful FWs on Aviatrix GWs

Episode5: All you need to know about Aviatrix FQDN Filtering - Design Patterns

Episode6: Aviatrix Copilot Tour (including Cyber Threat Protection with ThreatIQ/ThreatGuard)

Episode7: How to spin up a fully resilient multicloud environment in minutes with Terraform

Stay tuned!
