
Privately connecting to partner VPCs as application Consumer or Provider

Requirement:

1. Partner's (consumer) VPC needs access to apps in your VPC

Partner should only be allowed to access specific VPCs

2. You need to access services in a provider's VPC

Applications should only be able to access specific provider VPCs and applications
  • Must provision a simple and secure access method without exposing the service to the internet
  • Provide the option of enforcing NGFW inspection
  • Provide visibility into how traffic is moving, with the ability to look at flows and take packet captures

Solution:

1. Partner's (consumer) VPC needs access to apps in your VPC:

  • Create a dedicated services spoke
  • Deploy Aviatrix GWs (scale out) configured with Advanced SNAT and DNAT
  • VPC peering between the services VPC and the partner's consumer VPC
  • Optionally add NLBs in front of the Aviatrix NAT GWs
  • Only the NLB IP is exposed to the consumer partner
  • The Aviatrix Gateway does NAT and Aviatrix Transit builds the encrypted communication
  • Optionally insert NextGen Firewalls for transparent inspection
  • Deploy Aviatrix CoPilot for visibility and day-2 operations
2. You need to access services in a provider's VPC

  • Very similar to the first requirement, but in the opposite direction
  • Aviatrix Spoke GWs in the services VPC can also be configured to NAT the traffic
  • Configure a DNAT rule for the IP provided by the partner in the Provider VPC
  • The source application will point traffic to the DNAT IP configured on the Spoke GWs of the services VPC
  • Aviatrix Transit builds the encrypted communication
  • Optionally insert NextGen Firewalls for transparent inspection
  • Deploy Aviatrix CoPilot for visibility and day-2 operations

The following NAT behaviour would be applied on the Aviatrix Spoke GWs:

  • Traffic from apps in spoke-1 will be destined to the LB in the dedicated services spoke
  • The NLB should be configured with the IPs of the Aviatrix Spoke GWs (not instance IDs) as target pool members
  • The NLB will send the traffic to the Aviatrix Spoke GWs on the GW IP
  • The Aviatrix Spoke GWs will DNAT the traffic and send it to the actual destination in the provider VPC with the GW's own address as source
  • Return traffic will come back to the Aviatrix Spoke GWs, then to the LB, and off to the original source via Aviatrix Transit
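As an added illustration (not Aviatrix code or configuration), the Python below models the DNAT-plus-SNAT step and the return-path reversal described above, including the "only specific provider VPCs" restriction and the rejection of unsolicited inbound traffic. All addresses, ports and rule values are constructed for the example.

```python
"""Constructed model of the DNAT/SNAT step a services-spoke gateway performs.
All addresses, ports and rule values are made up for illustration."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    def __init__(self, gw_ip, dnat_rules, allowed_provider_nets):
        self.gw_ip = gw_ip
        # (DNAT IP the app points at, port) -> (real provider IP, real port)
        self.dnat_rules = dnat_rules
        # only these provider prefixes may ever be reached through the gateway
        self.allowed = [ipaddress.ip_network(n) for n in allowed_provider_nets]
        self.conntrack = {}      # gateway source port -> (original, translated)
        self.next_port = 40000

    def outbound(self, flow):
        """App -> provider: DNAT to the real destination, SNAT to the GW IP."""
        target = self.dnat_rules.get((flow.dst, flow.dport))
        if target is None:
            return None          # not a published service: drop
        real_ip, real_port = target
        if not any(ipaddress.ip_address(real_ip) in n for n in self.allowed):
            return None          # rule points outside the permitted provider VPCs
        gw_port, self.next_port = self.next_port, self.next_port + 1
        translated = Flow(self.gw_ip, gw_port, real_ip, real_port)
        self.conntrack[gw_port] = (flow, translated)
        return translated

    def inbound(self, flow):
        """Provider -> app: only replies to a tracked flow are reversed."""
        entry = self.conntrack.get(flow.dport)
        if entry is None or flow.dst != self.gw_ip:
            return None          # unsolicited traffic from the provider side
        original, translated = entry
        if (flow.src, flow.sport) != (translated.dst, translated.dport):
            return None          # reply from a host we never forwarded to
        return Flow(original.dst, original.dport, original.src, original.sport)


def build_demo_gateway():
    """GW 10.20.0.10 publishes 10.20.0.100:443 -> provider 10.50.1.25:8443 (constructed)."""
    rules = {("10.20.0.100", 443): ("10.50.1.25", 8443),
             ("10.20.0.101", 443): ("192.0.2.9", 443)}   # outside the allow-list
    return NatGateway("10.20.0.10", rules, ["10.50.1.0/24"])
```

Mapping published DNAT IPs to real provider addresses and allow-listing the provider prefixes is what keeps applications limited to the specific provider VPCs the requirement calls for.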