
Challenged with hosting and managing your services in public clouds? Let Aviatrix help you.
An enterprise's IT team typically acts as a service provider for its various business units and sub-organizations. However, many enterprises have also opted for managed services from System Integrators (SI) or Managed Service Providers (MSP) to manage their public cloud environments. In both cases, managing various environments in the public cloud can be challenging, as every customer's architecture, network, security and compliance requirements are different. Because CSP-native constructs offer limited visibility and control, it is difficult to provide proactive monitoring. It is also complex to perform forensic investigations and troubleshooting without deep packet-level visibility, and more complex still when a customer is in multiple clouds.
For Cloud Managed Service Providers (CMSP) managing various customers in the public cloud, there is always a desire for a multi-tenancy architecture, especially for small to medium-sized customers, so the operations team can have a single pane of glass view with complete segregation between customers. However, some organizations need complete isolation and a dedicated environment. Having the same architecture for each customer, with or without multi-tenancy, simplifies the architecture and Day 2 operations.
Solution:
Aviatrix is a market leader in Secure Cloud Networking, Day 2 Operations and Visibility across multiple public clouds.
The Aviatrix cloud network platform provides the proven solution Cloud Managed Service Providers need for the enterprise-class cloud networking, security and operations required in incredibly complex environments. This document outlines the design options managed service providers require to streamline their customers' cloud network and security infrastructure and overcome visibility and troubleshooting challenges. The design is also applicable to enterprises managing multiple BUs and sub-organizations that are looking for a simplified, repeatable architecture with Day 2 operations.
Cloud Managed Service Design Options
Option 1 – MCNA for each Customer
In this design option we are considering a dedicated Aviatrix Multi-Cloud Network Architecture (MCNA) for each customer. The SI/MSP deploys and manages the Aviatrix solution for each of their customers with a dedicated Controller and CoPilot. CoPilot provides Day 2 operations and visibility into the customer's single-cloud or multi-cloud environment.
Design Highlights:
- Multi-cloud transit, with centralized control plane, management & visibility
- Multi-cloud transit for inter-cloud/inter-region connectivity, with the option of service insertion via NGFW (e.g. Palo Alto, Fortinet, Check Point, etc.)
- Customer VPC/VNET with Aviatrix Spoke Gateway managed by the Aviatrix Controller
- Customer VPC/VNET without Aviatrix Gateway – connectivity via BGP over IPsec (if needed)
- Site2Cloud BGP over IPsec connectivity with & without overlapping CIDRs
- End-to-end encryption – within a single cloud (VPC/VNET to VPC/VNET), between regions, between clouds and to on-prem
- Multi-cloud segmentation to isolate different BUs or accounts; micro-segmentation for intra-VPC/VNET application segregation (if needed)
- Embedded security features like distributed IPS/IDS (ThreatIQ/ThreatGuard) and Network Behavior Analytics
- Management VPC/VNET to host in-house service provider monitoring applications
- Egress FQDN filtering for secure egress towards any SaaS/SASE providers, ServiceNow & other domains/services
- Full visibility & control via CoPilot – access to troubleshooting tools like traceroute, packet capture, real-time latency and dynamic topology view
- Customer access to Controller & CoPilot (with RBAC to control access)
Note: The entire Aviatrix architecture (Transit Gateways, Controller & CoPilot) can reside in the customer's environment. In this case the MSP will have the required access to manage the environment.
Option 2 – Shared MCNA Architecture with Multiple Customers
In this design option we have a common Aviatrix transit architecture for multiple customers or business units, managed by the cloud managed service provider or the enterprise's IT team. The architecture is built on a single control and management plane with a distributed data plane across multiple clouds. The data plane for each customer is completely isolated using the Aviatrix multi-cloud segmentation feature. The MSP operations team has a single pane of glass view of every customer's single-cloud or multi-cloud public cloud environment. CoPilot provides Day 2 operations and visibility into the customers' multi-cloud environment.
Design Highlights:
- Shared multi-cloud transit architecture, with centralized control plane, management & visibility for multiple customers
- Multi-cloud transit for inter-cloud/inter-region connectivity, with the option of service insertion via NGFW (e.g. Palo Alto, Fortinet, Check Point, etc.)
- Cloud Managed Service Provider or enterprise IT manages the customer VPC/VNETs
- Customer VPC/VNET with Aviatrix Gateway managed by the Aviatrix Controller
- Customer VPC/VNET without Aviatrix Gateway – connectivity via BGP over IPsec
- Site2Cloud IPsec connectivity to other VPCs & external environments with & without overlapping CIDRs
- Advanced NAT features on Aviatrix Spoke Gateways to support overlapping IP ranges or to hide customer subnets/IPs
- Aviatrix Transit Gateways with multi-cloud segmentation for segregation between customers
- Embedded security features like distributed IPS/IDS (ThreatIQ/ThreatGuard) and Network Behavior Analytics
- Management VPC to host in-house service provider monitoring applications for each customer, or a shared services VPC/VNET
- Egress FQDN filtering for secure egress towards SaaS providers, ServiceNow & other domains/services
- Full visibility & control via CoPilot – access to troubleshooting tools like traceroute, packet capture, real-time latency and dynamic topology view