Application Segmentation From GCP to Data Center over Cloud Interconnect
Enterprises want to provide segmentation over private connections like GCP Cloud Interconnect to extend various segments from on-premise to cloud. This could be for reasons such as compliance, governance, and audit.
Customers use capabilities like VRF-Lite on Cisco/Juniper/etc routers to achieve this segmentation on-prem connectivity between branches and DC.
Aviatrix Transit Gateways & Spoke Gateways deployed in GCP can be used to build connectivity to on-prem devices and segments can be created based on customer requirements to provide connectivity and extending segmentation end to end from their host/spoke VPCs to on-prem.
In this example, we are using IPsec tunnels between Aviatrix Transit gateway(s) and on-prem device(s). For each segment, we are creating a separate tunnel. GRE Tunnels cannot be used since VPC Firewalls in GCP don't allow GRE traffic over interconnect connections. (https://cloud.google.com/vpc/docs/firewalls#blockedtraffic)
On the GCP side, we deploy Aviatrix spoke gateways in the host/spoke VPCs and connect these to the Aviatrix transit gateways which are deployed in separate VPC (transit VPC). Since we are doing dynamic routing using BGP the GCP cloud router receives/advertises required prefixes between the transit VPC and on-prem over the interconnect connection to establish the underlay connectivity.
The Aviatrix solution offers flexibility to assign the same or different segments to multiple connections which could either be spoke gateway to transit gateway connection or on-premise to gateway connection.
It is assumed that the customer has an interconnect connection, and the GCP Cloud Router is connected to the transit VPC where the transit gateways are deployed to advertise the relevant prefixes and to receive required prefixes from the on-prem side.
The Spoke gateways need to be deployed in the spoke VPCs, this can be done by the controller, it is recommended to have these created prior to going through the below steps.
Also, the customer needs to decide how many segments are required and what host VPCs and on-prem connections are part of which segment.
Step1 - Build an IPSec Tunnel over Google Interconnect
Build the connectivity to the on-prem device by selecting Multi-Cloud transit on the Aviatrix Controller and scrolling down to #3
- Select an external device
- In this case, IPsec was selected
- Now the required options were provided
- Remember to select over a private network
- The assumption here is that since we are building connectivity over a private connection we will build tunnels over a private IP
Step2 - Select the IPSec S2C Tunnel Connection
Next, select the Site2Cloud option on the controller and select the connection that was built in the above step and click edit
Step3 - Download the Tunnel IPSec Configuration and Configure On-Prem Device
Download the configuration for the selected connection based on the vendor option, if your vendor is not showing as an option in the drop down you can select the Generic option
Configure the on-prem device based on the configuration, if everything is correct you should have BGP established between the on-prem device and transit gateway.
Step4 - Connect Aviatrix Transit Gateway to Spoke GWs
Next, connect your Spoke gateway(s) to the transit gateways (the same one which has been used for the on-prem connection above). Again this is an important step, this is where you decide which spoke gateways are part of which segments.
Step5 - Enable Aviatrix Multi-Cloud Segmentation on Transit Gateway
Enable Segmentation on the Transit Gateway by going under the multi-cloud transit option and then selecting segmentation, and then selecting the correct transit gateway, under the Plan option
Step6 - Create Desired Segment Names
Create a Segment Name under the security domain section, repeat this step for creating multiple segments, under the plan option
Step7 - Map On-Prem Segments (VRF) to Respective Segments
Next click on the Build option on top and select which connections are part of which segment. The attachment name option will be the on-prem and the spoke-to-transit gateway connection that you want as part of the segment.
Also make sure to attach the right spoke gateway to the right segment, in the below case the required spoke gateway is attached as part of segment 1
Repeat Step 1-3 to create the tunnel for other segments, and then repeat Step 7 to place the connections into different segments.
If the segments are correctly configured with the correct attachments and connections, you should see the correct prefixes being advertised for each segment.
Please make sure that on the on-prem device the correct configuration for the tunnel(s) is part of the correct VRF(s), and that the correct VRF(s) is mapped to the correct segment on the aviatrix side.
To verify the routing for your segments, you can go under Multi-cloud transit--> list—Select the correct transit gateway and then click on Details. Then scroll down to select the Gateway Routing table and in the search box enter the segment name, in the below case we have Segment-1.
In this case, 192.168.20.0/24 subnet is advertised from the on-prem side.
The above step can be repeated for other segments as well