Securely Connecting Tenants, Customer and Partners to VM/EC2

There are different ways for customers, tenants and partners to get access to their assigned spoke VMs or spoke VPC. You can think of it as your customers accessing a SaaS in their respective VPCs/VNETs.

I am mentioning a few design choices here, but there are more. If none of these fit the bill, contact us or comment at the end about your specific need.


Policy-based and Zero trust SASE

This option should not require an IGW (native cloud Internet Gateway) in the spoke VPC itself. Basically, customers first land in a SASE VPC (policy based, zero trust, SAML based, MFA, OpenVPN client) and from there they are routed to their respective VPC/VNET.

Think of it as a proxy in the middle, as in the SASE model.

Private Circuit from On-Premise to Transit VPC

Another option is to use direct, private tunnels from on-prem with proper segmentation, so the customer has ZTNA access only to their respective VPC/VNET.

The details are here in Deepesh’s blog: https://community.aviatrix.com/t/35hz0vl/extending-segmentation-from-on-premise-to-gcp-over-cloud-interconnect-using-aviatrixsolution

Direct Connectivity to Spoke VPC

Another option is to land the customer directly on the Spoke GW, which then NATs the traffic. The Spoke GW is deployed in the public subnet (the one with the IGW), while the VMs stay in the private subnet. Access can be locked down even further with security groups (SG), NSGs, etc.
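An added example (not Aviatrix code) of how a defender could check that a spoke VPC actually matches this layout: the Spoke GW subnet is the only one with a default route to the IGW, and the VM security group admits ingress only from the gateway's security group. The dictionaries are constructed sample data whose shape loosely follows AWS describe-route-tables / describe-security-groups output; the field names are an assumption for illustration.

```python
from typing import List, Set

DEFAULT_ROUTE = "0.0.0.0/0"


def has_igw_default_route(route_table: dict) -> bool:
    """True if the table sends 0.0.0.0/0 to an Internet Gateway (igw-...)."""
    return any(
        r.get("DestinationCidrBlock") == DEFAULT_ROUTE
        and str(r.get("GatewayId", "")).startswith("igw-")
        for r in route_table.get("Routes", [])
    )


def ingress_sources(sg: dict) -> Set[str]:
    """Every ingress source of a security group: CIDRs and referenced SG ids."""
    sources: Set[str] = set()
    for perm in sg.get("IpPermissions", []):
        sources.update(r["CidrIp"] for r in perm.get("IpRanges", []))
        sources.update(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
    return sources


def check_spoke_layout(layout: dict) -> List[str]:
    """Return the deviations from the intended design (empty list = OK)."""
    findings: List[str] = []
    if not has_igw_default_route(layout["public_rt"]):
        findings.append("Spoke GW subnet has no IGW default route")
    if has_igw_default_route(layout["private_rt"]):
        findings.append("VM subnet routes directly to the IGW")
    # VMs should only be reachable from the Spoke GW, not from arbitrary CIDRs.
    extra = ingress_sources(layout["vm_sg"]) - {layout["gw_sg_id"]}
    if extra:
        findings.append("VM SG allows ingress from " + ", ".join(sorted(extra)))
    return findings


# Constructed sample data: one compliant layout and one that breaks the design.
PUBLIC_RT = {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]}
PRIVATE_RT = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}
GOOD_LAYOUT = {
    "public_rt": PUBLIC_RT, "private_rt": PRIVATE_RT, "gw_sg_id": "sg-gw",
    "vm_sg": {"IpPermissions": [{"UserIdGroupPairs": [{"GroupId": "sg-gw"}]}]},
}
BAD_LAYOUT = {
    "public_rt": PUBLIC_RT, "private_rt": PUBLIC_RT, "gw_sg_id": "sg-gw",
    "vm_sg": {"IpPermissions": [{"IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
}

if __name__ == "__main__":
    for name, layout in (("good", GOOD_LAYOUT), ("bad", BAD_LAYOUT)):
        print(name, check_spoke_layout(layout) or ["OK"])
```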

Private Link to Spoke VPC

There is another option using Private Links, but those are unidirectional. So if traffic is always initiated from on-prem towards the VPC, that could work. Check out the example here


In the example, the Partner VPC could be your customer VPC. Also, the example talks about S3, but it could be any type of access, because we can expose it via a load balancer (LB).
