Aviatrix Platform version 6.3 Enhancements Related to GCP
Aviatrix Multi-Cloud Networking platform version 6.3 was released on Jan. 31st 2021. It is an action-packed release. This post focuses on the GCP enhancements and new features.
Aviatrix takes security very seriously. Among many other aspects, hardening the Aviatrix Platform and its own software components is equally important.
The following are some of the recent security enhancements in 6.3 (in addition to many made in prior releases):
Tightening Aviatrix GCP Gateway Firewall Rules
- SSH access to Aviatrix Gateways is blocked by default
  - Access is opened only for the duration of a troubleshooting session
  - Only the Aviatrix support team can SSH to a gateway
  - SSH is allowed only from the Aviatrix Controller
  - Once the support session is over, the firewall rule is removed
- Access to the Controller is blocked by default
  - To open it, go to Troubleshooting --> Diagnostic --> Remote Support
  - A random SSH port is generated for that session only
  - The Aviatrix support team logs in to the Controller
  - SSH to gateways is allowed only from the Controller and only for the duration of the troubleshooting session
  - Disable it as soon as the troubleshooting session with the Aviatrix support team is done
Tightening the Default Service Account
- With 6.3, we are reducing the scope of cloud API calls from the gateway
- We are also removing the default service account credentials when launching the Aviatrix gateway
Prior to 6.3: the gateway instance was launched with the default service account and a cloud API scope.
With 6.3: you should not see any default service account on the gateway instance, and the API scope should be none.
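A post-upgrade audit covering both points above, the gateway SSH firewall rules and the absence of API scopes on the gateway instance, as an added example (not Aviatrix code). The JSON is a constructed stand-in for the output of `gcloud compute firewall-rules list --format=json` and `gcloud compute instances describe <gw> --format=json`; the rule names, the `avx-gw` network tag and the Controller address 10.1.2.3 are assumptions.

```python
import ipaddress
import json
# Constructed stand-ins for `gcloud compute firewall-rules list --format=json` and
# `gcloud compute instances describe <gw> --format=json`; names/tag/IP are assumptions.
FIREWALL_RULES_JSON = """[
 {"name": "avx-gw-ssh-legacy", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "targetTags": ["avx-gw"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "avx-gw-ssh-support", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["10.1.2.3/32"], "targetTags": ["avx-gw"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]"""
GATEWAY_JSON = """{"name": "avx-gw-1", "tags": {"items": ["avx-gw"]},
 "serviceAccounts": [{"email": "123-compute@developer.gserviceaccount.com",
  "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]}"""

def allows_tcp_port(rule, port):
    # GCP lists ports as strings: single ("22") or ranges ("20-30").
    for a in rule.get("allowed", []):
        if a.get("IPProtocol") not in ("tcp", "all"):
            continue
        if "ports" not in a:      # no port list means the whole protocol
            return True
        for p in a["ports"]:
            lo, _, hi = p.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False

def open_ssh_rules(rules_json, gateway_tags, controller_ip):
    """Enabled ingress rules letting tcp/22 reach the gateway from a non-Controller source."""
    hits = []
    for r in json.loads(rules_json):
        if r.get("direction") != "INGRESS" or r.get("disabled"):
            continue
        if r.get("targetTags") and not set(r["targetTags"]) & set(gateway_tags):
            continue              # rule targets other instances
        if not allows_tcp_port(r, 22):
            continue
        for cidr in r.get("sourceRanges", []):
            net = ipaddress.ip_network(cidr)
            if net.num_addresses > 1 or ipaddress.ip_address(controller_ip) not in net:
                hits.append(r["name"])
                break
    return hits

def gateway_api_scopes(instance_json):
    """OAuth scopes on the gateway's service account; after 6.3 this should be empty."""
    gw = json.loads(instance_json)
    return [s for sa in gw.get("serviceAccounts", []) for s in sa.get("scopes", [])]
```

Any name returned by `open_ssh_rules` or any scope returned by `gateway_api_scopes` is a finding to review against the 6.3 defaults.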
GCP Outbound Rules
The GCP gateway instance now gets an explicit outbound rule for the default route CIDR (0.0.0.0/0) to all destinations. This helps security and compliance teams for audit purposes.
Stateful Firewall Rules
The Stateful Firewall Rules enhancement simplifies editing and viewing IP address based stateful firewall rules, allowing a large set of rules to be managed easily. To configure, go to Security -> Stateful Firewall -> Policy to edit policies.
Route-based IPsec with IKEv2
Provides an option to run route-based VPN with IKEv2. For more information, refer to Create Site2Cloud Connection.
DPD Parameters for S2C Tunnels
DPD parameters can now be modified through the Controller user interface in addition to the API and Terraform. One use case for modifying DPD parameters is to reduce tunnel failure detection time. To configure, refer to DPD Configuration.
Event Trigger for S2C
This is a new mechanism to reduce failure detection time. It is an alternative to the default setting, where a tunnel status change is detected by a periodic monitoring process running on the gateways. To configure, refer to Event Triggered HA.
- GCP Shared VPC (Host Project) and Service Project enhancements for FlightPath
Cloud Core (Transit Network)
- Granular control to block SNATed traffic based on GCP Network Tag and native route priority
- Enhanced GCP Shared VPC and routing control using native and advanced capabilities of Aviatrix Transit
- Insane Mode in GCP is now available for the Multi-Cloud Transit solution. For performance benchmarks, refer to GCP Insane Mode performance test results. Insane Mode is enabled when launching a new Aviatrix Transit Gateway or Spoke Gateway in GCP.
- Support for N2 and C2 instance types on GCP gateways improves Insane Mode (HPE) performance on GCP. For network throughput with these new instance types, refer to GCP Insane Mode Performance.