Extending Segmentation from On-Premise to GCP over Interconnect using Aviatrix Solution
Enterprises want to provide segmentation over private connections like GCP Interconnect to extend the various segments from on-premise to the cloud. This could be for reasons such as compliance, governance, and audit.
On-prem, customers use capabilities such as VRF-Lite on Cisco, Juniper and other routers to achieve this segmentation for connectivity between branches and the data center.
Aviatrix Transit Gateways and Spoke Gateways deployed in GCP can build connectivity to the on-prem devices, and segments can be created according to customer requirements, extending the segmentation end to end from the host/spoke VPCs to on-prem.
In this example, we use IPsec tunnels between the Aviatrix Transit Gateway(s) and the on-prem device(s). A separate tunnel is created for each segment, and each tunnel is placed into a different segment. (GRE tunnels cannot be used, since GCP firewalls don't allow GRE traffic over Interconnect connections.)
On the GCP side, we deploy Aviatrix Spoke Gateways in the host/spoke VPCs and connect them to the Aviatrix Transit Gateways. The Transit Gateways are deployed in a VPC whose prefixes are advertised to on-prem via the GCP Cloud Router; that VPC also receives the on-prem prefixes, which provides the underlay connectivity needed to build the IPsec tunnels.
The point to remember is that every Spoke Gateway connects to the Transit Gateway individually, so each spoke-to-transit link is a separate connection. The Aviatrix solution therefore offers the flexibility to assign the same segment to several such connections or to split them across different segments.
Similarly, when multiple tunnels are built from the on-prem side to the Transit Gateway (each tunnel again being a separate connection), you can decide which tunnel to place into which segment.
It is assumed that the customer already has an Interconnect connection, and that the GCP Cloud Router is attached to the correct VPC to advertise the VPC subnet prefixes and to receive the prefixes from the on-prem side. This is the VPC where the Aviatrix Transit Gateway will be deployed; to build the tunnels, the on-prem tunnel endpoint IPs must be reachable from it.
The Spoke Gateways need to be deployed in the spoke VPCs. This can be done from the Controller, and it is recommended to create them before going through the steps below.
The customer also needs to decide how many segments are required, and which host VPCs and on-prem connections belong to each segment.
Step1 - Build an IPSec Tunnel over Google Interconnect
Build the connectivity to the on-prem device by selecting Multi-Cloud Transit on the Aviatrix Controller and scrolling down to #3.
- Select an external device
- In this case, IPsec is selected
- Provide the required options
- Remember to select "over a private network"
- Since the connectivity is built over a private connection, the tunnels are built over private IPs
Step2 - Select the IPSec S2C Tunnel Connection
Next, select the Site2Cloud option on the Controller, select the connection that was built in the step above, and click Edit.
Step3 - Download the Tunnel IPSec Configuration and Configure On-Prem Device
Download the configuration for the selected connection based on the vendor option; if your vendor is not listed, select the Generic option.
Configure the on-prem device based on the downloaded configuration. If everything is correct, BGP should be established between the on-prem device and the Transit Gateway.
Step4 - Connect Aviatrix Transit Gateway to Spoke GWs
Next, connect your Spoke Gateway(s) to the Transit Gateway (the same one used for the on-prem connection above). This is an important step: it is where you decide which Spoke Gateways are part of which segments.
Step5 - Enable Aviatrix Multi-Cloud Segmentation on Transit Gateway
Enable segmentation on the Transit Gateway by going to the Multi-Cloud Transit option, selecting Segmentation, and then, under the Plan option, selecting the correct Transit Gateway.
Step6 - Create Desired Segment Names
Under the Plan option, create a Segment Name in the Security Domain section; repeat this step to create multiple segments.
Step7 - Map On-Prem Segments (VRF) to Respective Segments
Next, click the Build option at the top and select which connections are part of which segment. The Attachment Name option lists the on-prem and spoke-to-transit gateway connections that you can make part of the segment.
Also make sure to attach the right Spoke Gateway to the right segment; in the case below, the required Spoke Gateway is attached as part of Segment-1.
Repeat Steps 1-3 to create the tunnels for the other segments, and then repeat Step 7 to place those connections into their segments.
If the segments are correctly configured with the correct attachments and connections, you should see the correct prefixes being advertised for each segment.
Make sure that on the on-prem device the configuration for each tunnel is part of the correct VRF, and that each VRF is mapped to the correct segment on the Aviatrix side.
To verify the routing for your segments, go to Multi-Cloud Transit > List, select the correct Transit Gateway and click Details. Then scroll down to select the Gateway Routing Table and enter the segment name in the search box; in the case below we use Segment-1.
In this case, the 192.168.20.0/24 subnet is advertised from the on-prem side.
The step above can be repeated for the other segments.
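As an added example (not from the original guide or from Aviatrix), a small Python check over a constructed routing-table export: it flags a connection that shows up in a segment other than the one planned in Step 7, and a prefix that appears in more than one segment, which is what a VRF-to-segment mismatch on either side looks like. The three-column line layout (segment, prefix, connection) is an assumption, not the Controller's export format.

```python
"""Verify that per-segment routes match the intended VRF/spoke-to-segment mapping."""
import ipaddress
from collections import defaultdict

# Constructed sample export (hypothetical layout): segment, prefix, learned-over connection.
# The last line is a deliberately wrong entry: the VRF1 tunnel prefix showing up in Segment-2.
SAMPLE_ROUTES = """\
Segment-1 192.168.20.0/24 onprem-vrf1-tunnel
Segment-1 10.10.1.0/24 spoke1-transit
Segment-2 192.168.30.0/24 onprem-vrf2-tunnel
Segment-2 10.10.2.0/24 spoke2-transit
Segment-2 192.168.20.0/24 onprem-vrf1-tunnel
"""

# Intended design from Step 7: which connection (tunnel or spoke attachment) belongs where.
INTENDED = {
    "onprem-vrf1-tunnel": "Segment-1",
    "spoke1-transit": "Segment-1",
    "onprem-vrf2-tunnel": "Segment-2",
    "spoke2-transit": "Segment-2",
}


def parse_routes(text):
    """Parse 'segment prefix connection' lines; skip malformed lines or bad prefixes."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        segment, prefix, connection = parts
        try:
            ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue
        routes.append((segment, prefix, connection))
    return routes


def find_violations(routes, intended):
    """Return (misplaced, leaked).

    misplaced: routes learned over a connection inside a segment it was not planned for
               (a connection missing from the plan is also reported, as an unexpected attachment).
    leaked:    prefixes present in more than one segment, mapped to the sorted segment list.
    """
    misplaced = [r for r in routes if intended.get(r[2]) != r[0]]
    segments_by_prefix = defaultdict(set)
    for segment, prefix, _ in routes:
        segments_by_prefix[prefix].add(segment)
    leaked = {p: sorted(s) for p, s in segments_by_prefix.items() if len(s) > 1}
    return misplaced, leaked


if __name__ == "__main__":
    bad, leak = find_violations(parse_routes(SAMPLE_ROUTES), INTENDED)
    print("misplaced:", bad)
    print("leaked:", leak)
```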