Aviatrix Hybrid Cloud Network Landing Zone

  • 24 January 2024

Aviatrix Hybrid Cloud Network Landing Zone provides a best-practice-based, consistent, and fully automated network solution for landing hybrid cloud connections from data centers, colocation facilities, and more in the public cloud. Aviatrix Hybrid Cloud Network Landing Zone complements native CSP transit solutions such as AWS Transit Gateway, Azure Virtual WAN, and Google NCC to provide the critical traffic engineering, NetFlow, packet capture, visibility, and troubleshooting capabilities required by network engineers and operators.

In addition, the Aviatrix Hybrid Cloud Network data plane proves to be much more cost effective, especially for landing connections used to move large quantities of data. See the Cost Optimized Hybrid Cloud section for details.

Key Benefits

  • Deep visibility into traffic flows, such as NetFlow
  • Advanced troubleshooting capabilities in the cloud, such as packet capture
  • High-scale routing to overcome native route limits
  • Multicloud architecture that works in every cloud
  • Best-practices-based architecture validated by CSP networking SMEs
  • Capabilities including line-rate encryption, SDWAN and firewall integration

High Level Architecture

Figure 1: High Level Architecture


Why is this needed?

Enterprises build Landing Zones in the public cloud with a focus on applications and in-cloud infrastructure, which often does not address the operational requirements of the teams managing hybrid cloud network connectivity. The Hybrid Cloud Network Landing Zone addresses these challenges while also providing a clean delineation between cloud and network teams.

Network teams have existing visibility, troubleshooting capabilities, route scaling, and traffic engineering options when connecting on-premises environments (DC, colo, branch, etc.) to the cloud. However, most of these facilities are either completely missing or very basic on the cloud side. In the absence of these tools and this visibility, even basic connectivity issues become complicated to solve, impacting uptime, increasing MTTR, and putting SLAs at risk.

The Hybrid Cloud Network Landing Zone architecture by Aviatrix provides network teams with a peering architecture in the cloud that gives them advanced capabilities in the cloud, overcomes CSP limitations, enhances CSP capabilities, and peers seamlessly with other cloud entities such as AWS Transit Gateway, Azure Virtual WAN, Google NCC, and OCI DRG. With this architecture, network teams can own both ends of the hybrid cloud connection and provide an excellent experience to application teams and the business.

What are the business benefits?

The solution provides a consistent design for building the architecture in any region of any cloud. This results in faster onboarding, reduced MTTR, and better use of employee resources. Collaboration between teams improves with a clear delineation of responsibilities between network and cloud teams: cloud teams can continue to use the cloud-native services they are comfortable with, while networking teams get a feature-rich networking service that gives them control over both ends of their hybrid, multi-region, and multi-cloud connections. With this clarity and these additional capabilities, businesses see better uptime, solve problems much faster, and significantly reduce onboarding times.

What are the technical advantages?

The core features of the Aviatrix Cloud Network Landing Zone encompass cutting-edge traffic engineering, vastly increased routing scalability, and enhanced troubleshooting effectiveness. It also offers comprehensive insights into traffic behavior, real-time latency monitoring, and diagnostic functionalities such as Packet Capture. Moreover, the landing zone facilitates smooth integration with any firewall for efficient control over inbound, outbound, and inter-region traffic. Aviatrix architecture seamlessly aligns with pre-existing SDWAN infrastructure as well. Notably, the Aviatrix Cloud Network Landing Zone boasts cloud-agnosticism, allowing the same solution to seamlessly extend across multiple regions within diverse cloud service providers.


How does it work?

As shown in Figure 1, Aviatrix Transit gateways (the round orange icons) are multi-service routing and security devices that form the data plane pushing the packets. They work seamlessly with any other network device, such as a CSP transit, a router, an SDWAN appliance, or a security device such as a firewall, to build a robust, scalable, and secure overlay-based backbone over the hybrid cloud on-ramp, the CSP backbone, or the internet.

Here are the simple steps, which can be performed via Terraform or the UI:

  1. Deploy Aviatrix Transit in a standalone cloud network such as a VPC, VNet, or VCN.
  2. Aviatrix Transit automatically builds tunnel-less BGP, or multiple high-performance GRE / IPsec connections, to the existing CSP transit such as AWS Transit Gateway, Virtual WAN, Google NCC, or OCI DRG.
  3. Aviatrix Transit can connect to any external device such as a router or a firewall over VPN or Direct Connect.
  4. Optionally, Aviatrix Edge (virtual or physical) can be deployed at an on-premises location such as an Equinix colo or a DC to provide high-performance line-rate encryption and high routing scale.
    • For example, this capability overcomes the native AWS Transit Gateway limits of 200 routes from cloud to on-prem and 100 routes per Direct Connect from on-prem to cloud.

I am moving a lot of data between on-prem and cloud; how does this solution optimize for cost?

Let's take the example of data being migrated from on-prem to an AWS region. A typical setup would have packets move from Direct Connect (DX) --> Direct Connect Gateway (DXGW) --> AWS Transit Gateway (TGW) --> workload VPC. Although DX and DXGW do not charge for ingress data, TGW does charge $0.02 per GB. This means that with just 2 Gbps of sustained utilization per month on a typical 10 Gbps DX circuit, you end up moving 657 TB of data, resulting in $13,140 due just for data processing at the transit (657,000 GB * $0.02).

Figure 2: Data processing charges across transit options

Similar savings apply to Azure Virtual WAN and Google NCC. In addition, traffic patterns that use next-generation firewalls in the path provide significant additional savings. Please contact the author with your specific requirements.

What is Aviatrix High Performance Line-Rate Encryption?

The private connectivity options from CSPs such as Direct Connect, ExpressRoute, and Google Interconnect are NOT encrypted by default. Some customers leverage hardware-based MACsec to encrypt the data, but MACsec is not end to end and only exists on the physical link between the customer router and the CSP-owned routers. Traffic passes unencrypted at many spots, including the routing devices. To overcome this, customers can use IPsec to encrypt; however, in all CSPs there is a limit of only one IPsec tunnel, which is capped at around 1.25 Gbps. Aviatrix has a patented technology which can automatically create a mesh of multiple IPsec tunnels, achieving line-rate encryption speed, i.e. ~10 Gbps of encryption on a 10 Gbps Direct Connect.
Limited encrypted throughput with cloud-native end-to-end encryption
Up to 100 Gbps encrypted throughput with Aviatrix end-to-end encryption


Figure 3: Technical overview of high performance encrypted connectivity


Could you provide an example of how Aviatrix overcomes route limitations?

Let's use AWS as an example, but a similar solution applies to other clouds such as Azure, GCP, and OCI. In AWS, Transit Gateway has a hard limit of 200 manually summarized routes from cloud to on-prem and 100 BGP routes per Direct Connect from on-prem to cloud. When the 101st route is advertised, the BGP session goes down without warning until the additional routes are withdrawn. Aviatrix avoids these constraints, enabling the advertisement of thousands of routes in any cloud direction. Moreover, it offers various traffic engineering options absent in native cloud services. Similar limitations apply to Azure ExpressRoute and Google Interconnect as well.
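As an added example (not Aviatrix code and not part of the original post), here is a small pre-flight check an operator can run before advertising an on-prem prefix list over a Direct Connect BGP session: it counts the routes against the limits quoted above and shows the smallest summarized set that would fit, so the silent session reset at the 101st route is caught before it happens. The prefix list is constructed sample data, and the limit constants are taken from the figures in this post.

```python
import ipaddress

# Limits quoted in the post: 100 BGP routes per Direct Connect (on-prem -> cloud)
# and 200 manually summarized routes from Transit Gateway to on-prem.
DX_BGP_ROUTE_LIMIT = 100
TGW_TO_ONPREM_ROUTE_LIMIT = 200


def check_advertisement(prefixes, limit):
    """Return (count, over_limit, collapsed) for a candidate route advertisement.

    `collapsed` is the smallest equivalent prefix set after merging adjacent
    and contained networks, i.e. what manual summarization would have to reach
    to stay under `limit`.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    collapsed = sorted(ipaddress.collapse_addresses(nets))
    count = len(nets)
    return count, count > limit, [str(n) for n in collapsed]


def sample_onprem_prefixes():
    # Constructed sample (not a real routing table): 128 contiguous /24s out of
    # 10.0.0.0/16 plus one /22 that is already covered by those /24s.
    prefixes = [f"10.0.{i}.0/24" for i in range(128)]
    prefixes.append("10.0.4.0/22")
    return prefixes


if __name__ == "__main__":
    candidate = sample_onprem_prefixes()
    count, over, collapsed = check_advertisement(candidate, DX_BGP_ROUTE_LIMIT)
    print(f"{count} prefixes to advertise, over DX limit of {DX_BGP_ROUTE_LIMIT}: {over}")
    print(f"equivalent summarized set ({len(collapsed)} route(s)): {collapsed}")
```

Running the check against a real prefix list before a change window turns the "BGP session goes down without warning" failure described above into a fail-fast error in the deployment pipeline.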

Figure 4: How Aviatrix overcomes native route limits

In a brownfield deployment, what is the expected downtime to switch to this architecture?

The switchover can be done with no packet loss, but a change window is recommended. The Aviatrix Network Landing Zone, using a Private VIF, is set up in parallel to AWS Transit Gateway, which uses a Transit VIF. The new path advertises routes with the AS path prepended, so testing can be done while no production traffic uses it. At the time of switchover, detaching the Transit VIF switches the traffic via the Aviatrix Network Landing Zone without any disruption to applications.

How does it integrate with SDWAN in the cloud and in Data Center?

SDWAN appliances are great at connecting many branch locations to an SDWAN headend. The SDWAN headend device itself has no knowledge of the routes in the cloud and relies on a cloud device to integrate with so that branch traffic can flow to applications.
Aviatrix has full knowledge of the routes in all regions of all clouds, so it provides the best integration for connecting SDWAN branches to cloud-based applications. Aviatrix provides several connectivity options, including tunnel-less high-speed BGP over LAN, GRE, or IPsec.
Figure 5: SDWAN integration options


I have Colocation with Equinix/Megaport, does it work there?

Yes. Aviatrix has deep native integration with colo providers such as Equinix and Megaport.
At Equinix, the solution is available for Equinix Fabric offerings such as Equinix Network Edge, Equinix Metal, and Equinix colo racks. Many detailed design patterns are available on the Aviatrix and Equinix partner page.
Figure 6: Integrating with Equinix


Can I see Technical Deep Dives and demos?

Give me an example of a customer using it?

Listen to Spence Nelson, Senior Network Engineer at Adobe Workfront, talk about why Adobe is using Aviatrix as their strategic cloud networking platform.

How is the solution priced?

The pricing structure for the Aviatrix architecture is based on the connections it manages, which in most cases equal the number of Direct Connects, ExpressRoutes, Google Interconnects, or VPN connections. It does not incur any additional charges for data processing and includes NetFlow and troubleshooting capabilities at no extra cost.
Additionally, Aviatrix offers the on-premises (Aviatrix Edge) device in both virtual and hardware form factors. The virtual appliance is provided free of charge, while the hardware appliance can be directly obtained from our approved hardware provider.


How can I get started today?

You can get started with Aviatrix in the marketplace of any cloud provider. Alternatively, you can reach out to us at info@aviatrix.com to discuss your design with a Solutions Architect.
 
Learn More about Aviatrix Secure Cloud Networking
  • Request a demo > https://aviatrix.com/schedule-demo/
  • Get ACE Certified > https://aviatrix.com/ace/
  • Learn more > www.aviatrix.com
