Privately connecting to partner VPCs as application Consumer or Provider
Requirement:
1. Partner's (consumer) VPC needs access to apps in your VPC
   - The partner should only be allowed to access specific VPCs
2. You need to access services in a provider's VPC
   - Your applications should only be able to access specific provider VPCs and applications
- Must provision a simple and secure access method without exposing the service to the internet
- Provide the option of enforcing NGFW inspection
- Provide visibility into how traffic is moving, with the ability to look at flows and take packet captures
Solution:
1. Partner's (consumer) VPC needs access to apps in your VPC:
   - Create a dedicated services spoke
   - Deploy Aviatrix GWs (scale out) configured with Advanced SNAT and DNAT
   - VPC peering between the services VPC and the partner's consumer VPC
   - Optionally add NLBs in front of the Aviatrix NAT GWs
   - Only the NLB IP is exposed to the consumer partner
   - The Aviatrix Gateway does NAT and Aviatrix Transit builds the encrypted communication
   - Optionally insert NextGen Firewalls for transparent inspection
   - Deploy Aviatrix CoPilot for visibility and day-2 operations
2. You need to access services in a provider's VPC:
   - Very similar to the first requirement, but in the opposite direction
   - Aviatrix Spoke GWs in the services VPC can also be configured to NAT the traffic
   - Configure a DNAT rule for the IP provided by the partner in the provider VPC
   - The source application points its traffic at the DNAT IP configured on the Spoke GWs of the services VPC
   - Aviatrix Transit builds the encrypted communication
   - Optionally insert NextGen Firewalls for transparent inspection
   - Deploy Aviatrix CoPilot for visibility and day-2 operations
The following NAT configuration would be applied to the Aviatrix Spoke GWs:
- Traffic from apps in spoke-1 is destined for the LB in the dedicated services spoke
- The NLB should be configured with the IPs of the Aviatrix Spoke GWs (not instance IDs) as target pool members
- The NLB sends the traffic to the Aviatrix Spoke GWs on the GW IP
- The Aviatrix Spoke GWs DNAT the traffic and send it to the actual destination in the provider VPC with their own address as the source
- Return traffic comes back to the Aviatrix Spoke GWs, then to the LB, and back to the original source via Aviatrix Transit
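As an added illustration (not part of the original post and not Aviatrix configuration syntax), the following Python model walks one request and its reply through the hops listed above: app in spoke-1, NLB with GW IP targets, Spoke GW doing DNAT plus SNAT to its own address, and the stateful reverse translation on the way back. All addresses are constructed, and the round-robin NLB and the GW's source-port allocation are simplifying assumptions.

```python
from collections import namedtuple
from itertools import cycle

Pkt = namedtuple("Pkt", "src dst sport dport")   # one IPv4/TCP 4-tuple

class SpokeGateway:
    """DNAT the published address to the provider target, then SNAT to the GW's own IP."""
    def __init__(self, gw_ip, dnat_rules):
        self.gw_ip, self.dnat_rules = gw_ip, dnat_rules  # (dst, port) -> (ip, port)
        self.sessions, self.next_sport = {}, 40000       # state for the return path

    def outbound(self, pkt):
        target = self.dnat_rules.get((pkt.dst, pkt.dport))
        if target is None:
            return None                          # not a configured provider service: drop
        sport, self.next_sport = self.next_sport, self.next_sport + 1
        self.sessions[(target[0], target[1], sport)] = pkt
        return Pkt(self.gw_ip, target[0], sport, target[1])  # provider sees only the GW IP

    def inbound(self, pkt):
        orig = self.sessions.get((pkt.src, pkt.sport, pkt.dport))
        if orig is None or pkt.dst != self.gw_ip:
            return None                          # no matching session: unsolicited, drop
        return Pkt(orig.dst, orig.src, orig.dport, orig.sport)

class NLB:
    """Spreads new flows across GW IPs (IP targets, not instance IDs); restores the VIP on return."""
    def __init__(self, vip, gw_ips):
        self.vip, self.targets = vip, cycle(gw_ips)   # assumption: simple round-robin
    def to_gateway(self, pkt):
        return Pkt(pkt.src, next(self.targets), pkt.sport, pkt.dport)
    def to_client(self, pkt):
        return Pkt(self.vip, pkt.dst, pkt.sport, pkt.dport)

def trace_flow(nlb, gws, app_pkt):
    """Hop-by-hop packets for one request and its reply, or None if the GW drops it."""
    at_gw = nlb.to_gateway(app_pkt)
    to_provider = gws[at_gw.dst].outbound(at_gw)
    if to_provider is None:
        return None
    reply = Pkt(to_provider.dst, to_provider.src, to_provider.dport, to_provider.sport)
    back_at_gw = gws[at_gw.dst].inbound(reply)
    return {"app->nlb": app_pkt, "nlb->gw": at_gw, "gw->provider": to_provider,
            "provider->gw": reply, "gw->nlb": back_at_gw, "nlb->app": nlb.to_client(back_at_gw)}

def build_topology():
    """Constructed addresses; the partner-provided target 172.16.5.20:8443 is published on GW port 443."""
    gw_ips = ["10.9.1.5", "10.9.1.6"]                 # two scale-out Spoke GWs in the services spoke
    gws = {ip: SpokeGateway(ip, {(ip, 443): ("172.16.5.20", 8443)}) for ip in gw_ips}
    return NLB("10.9.0.100", gw_ips), gws             # NLB VIP is the only address the app needs
```

A packet to a port with no DNAT rule, or a packet arriving from the provider side with no matching session, comes back as None, which is the "only specific applications" property the requirement asks for.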