Application Segmentation From GCP to Data Center over Cloud Interconnect

Problem Statement 


Enterprises want to preserve segmentation over private connections such as GCP Cloud Interconnect, so that the segments they maintain on-premise extend into the cloud. Drivers include compliance, governance, and audit requirements. 

On-prem, customers typically achieve this segmentation with capabilities like VRF-Lite on Cisco, Juniper, or other vendors' routers, keeping branch-to-data-center connectivity separated per segment. 


Aviatrix Transit Gateways and Spoke Gateways deployed in GCP can build the connectivity to on-prem devices, and segments can be created to match customer requirements, extending segmentation end to end from the host/spoke VPCs to on-prem. 

Test Network 



In this example, we are using IPsec tunnels between the Aviatrix Transit gateway(s) and the on-prem device(s), with a separate tunnel for each segment. GRE tunnels cannot be used, since VPC firewalls in GCP do not allow GRE traffic over Interconnect connections (https://cloud.google.com/vpc/docs/firewalls#blockedtraffic).

On the GCP side, we deploy Aviatrix spoke gateways in the host/spoke VPCs and connect them to the Aviatrix transit gateways, which are deployed in a separate VPC (the transit VPC). Since routing is dynamic using BGP, the GCP Cloud Router receives and advertises the required prefixes between the transit VPC and on-prem over the Interconnect connection to establish the underlay connectivity.

The Aviatrix solution offers the flexibility to assign the same or different segments to multiple connections, which can be either spoke-gateway-to-transit-gateway connections or on-premise-to-gateway connections. 



It is assumed that the customer already has an Interconnect connection, and that the GCP Cloud Router is attached to the transit VPC (where the transit gateways are deployed) so that it advertises the relevant prefixes and receives the required prefixes from the on-prem side. 

The spoke gateways need to be deployed in the spoke VPCs; this is done from the controller, and it is recommended to have them created before going through the steps below. 

Also, the customer needs to decide how many segments are required, and which host VPCs and on-prem connections are part of each segment. 


Deployment Steps 


Step1 - Build an IPSec Tunnel over Google Interconnect


Build the connectivity to the on-prem device by selecting Multi-Cloud Transit on the Aviatrix Controller and scrolling down to #3: 

  • Select an external device.
  • In this case, IPsec was selected as the tunnel type.
  • Provide the required options for the connection.
  • Remember to select the option to build the tunnel over a private network.
    • The assumption here is that, since connectivity runs over a private connection (the Interconnect), the tunnels are built between private IPs. 




Step2 - Select the IPSec S2C Tunnel Connection

Next, select the Site2Cloud option on the controller, select the connection that was built in the step above, and click Edit. 



Step3 - Download the Tunnel IPSec Configuration and Configure On-Prem Device

Download the configuration for the selected connection based on the vendor option. If your vendor is not listed in the drop-down, select the Generic option. 


Configure the on-prem device from that configuration. If everything is correct, BGP should be established between the on-prem device and the transit gateway. 


Step4 - Connect Aviatrix Transit Gateway to Spoke GWs


Next, connect your spoke gateway(s) to the transit gateway (the same one used for the on-prem connection above). This is an important step: it is where you decide which spoke gateways are part of which segments.



Step5 - Enable Aviatrix Multi-Cloud Segmentation on Transit Gateway

Enable segmentation on the transit gateway: go to the Multi-Cloud Transit option, select Segmentation, then, under the Plan option, select the correct transit gateway. 


Step6 - Create Desired Segment Names

Create a segment name under the Security Domain section of the Plan option; repeat this step to create multiple segments. 



Step7 - Map On-Prem Segments (VRF) to Respective Segments

Next, click the Build option at the top and select which connections are part of which segment. The Attachment Name option lists the on-prem connections and the spoke-to-transit gateway connections that you can place into the segment. 



Also make sure to attach the right spoke gateway to the right segment; in the case below, the required spoke gateway is attached to Segment 1.



Repeat Steps 1-3 to create the tunnels for the other segments, then repeat Step 7 to place those connections into their segments. 

If the segments are configured with the correct attachments and connections, you should see the correct prefixes being advertised within each segment. 


Make sure that, on the on-prem device, each tunnel's configuration is placed in the correct VRF, and that each VRF is mapped to the correct segment on the Aviatrix side. 
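The two mistakes that break this mapping (a tunnel bound to the wrong VRF on-prem, or a connection attached to the wrong segment) show up in the transit gateway's routing table as prefixes in the wrong segment, or as a connection that advertises nothing. The following audit is an added example, not Aviatrix tooling: it cross-checks a constructed routing-table dump against a constructed connection-to-segment mapping (the mapping built in Step 7) and reports both conditions.

```python
from collections import defaultdict
import ipaddress

# Constructed mapping: attachment (on-prem tunnel or spoke gateway) -> segment,
# as built in Step 7. Names are illustrative, not from a real deployment.
INTENDED = {
    "onprem-vrf-red": "Segment-1",
    "spoke-gw-app1": "Segment-1",
    "onprem-vrf-blue": "Segment-2",
    "spoke-gw-app2": "Segment-2",
    "onprem-vrf-green": "Segment-3",  # tunnel mapped, but nothing is learned from it
}

# Constructed routing-table rows: (segment, prefix, connection the route was learned from).
ROUTES = [
    ("Segment-1", "10.10.0.0/24", "onprem-vrf-red"),
    ("Segment-1", "172.16.1.0/24", "spoke-gw-app1"),
    ("Segment-2", "10.20.0.0/24", "onprem-vrf-blue"),
    ("Segment-2", "172.16.2.0/24", "spoke-gw-app2"),
    ("Segment-1", "10.20.5.0/24", "onprem-vrf-blue"),  # blue VRF prefix visible in Segment-1
]


def audit_segments(intended, routes):
    """Return (leaks, silent).

    leaks:  (connection, prefix, segment seen in, segment intended) for each route whose
            source connection is not attached to the segment it appears in.
    silent: (connection, segment) for each mapped connection with no route in its segment.
    """
    leaks, seen = [], defaultdict(set)
    for segment, prefix, conn in routes:
        net = ipaddress.ip_network(prefix, strict=False)  # reject malformed prefixes early
        expected = intended.get(conn)  # None when the connection is not mapped at all
        if expected != segment:
            leaks.append((conn, str(net), segment, expected))
        seen[conn].add(segment)
    silent = [(conn, seg) for conn, seg in intended.items() if seg not in seen[conn]]
    return leaks, silent


if __name__ == "__main__":
    leaks, silent = audit_segments(INTENDED, ROUTES)
    for conn, prefix, seen_in, expected in leaks:
        print(f"LEAK   {prefix} from {conn} seen in {seen_in}, expected {expected}")
    for conn, seg in silent:
        print(f"SILENT {conn} advertises nothing into {seg}; check the VRF binding on-prem")
```

A clean deployment returns two empty lists; a SILENT entry for an on-prem connection usually means the tunnel interface is in the wrong VRF on the device, while a LEAK means the attachment was placed in the wrong segment.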




To verify the routing for your segments, go to Multi-Cloud Transit > List, select the correct transit gateway, and click Details. Then scroll down to the Gateway Routing Table and enter the segment name in the search box; in the case below we use Segment-1. 

In this case, the subnet is advertised from the on-prem side. 


The above step can be repeated for the other segments as well. 
