Technical Forum

How do you decide which type of workload should be run on private and public clouds? You can run any type of workload in the public cloud. At the end of day, the VM/Instances in Cloud are regular Linux or Windows machines. The Cloud actually gives you even more options/services to run your workload. Does Aviatrix use Terraform to deploy/automate across the Cloud platforms? Yes! Totally! For Terraform, we are an official provider. Also we support REST API. https://www.terraform.io/docs/providers/aviatrix/. What is the benefit of using different Public Clouds, why not consolidate on one preferred cloud? You want to diversify. Just like how you would do main DC and DR in separate locations, it makes sense to be in different CSPs. Sometimes, there are better offerings in terms of services and support and cost when it comes to different CSPs. Are the controllers and the gateways multi-tenant?  Yes. The Controller allows you to onboard different accounts from different tena

What is an overlay network? An Overlay is a tunnel providing connectivity over the physical infrastructure. IPsec is an example of this. Does the MCNA apply to k8s workloads as well? All the examples presented were based on VMs workloads but it applies to k8s workloads as well.  They would reside in a VPC at the end of the day, so we can handle it. Is the MCNA an open framework? If so, who is contributing to it? The MCNA is an architecture that Aviatrix developed and implements using our platform. Others may leverage this type of architecture in the future as it is cloud-agnostic. We believe this is the best reference architecture for the cloud for single cloud or multi-cloud deployments. If we are using the same subnet in a different VPC, how does MCNA address that? Aviatrix provides the ability to overcome overlapping CIDRs if you’re using them repeatedly. If you are referring to IP address overlap, we have some solutions for that. The gateways

What is the difference between the firewall network and the Transit FireNet? The Firewall Network is when we insert the firewall in the AWS TGW. Transit FireNet is when we insert a firewall in the Aviatrix Transit VPC/VNet, which works in all clouds.  Who programs the TGW to send traffic to the appropriate FW? Aviatrix Controller will orchestrate VPC and TGW routes to send traffic to Aviatrix Gateways in the Firewall Network VPC. From there, Aviatrix Gateways will load balance traffic between available FWs.  Can you have more than one HA pair of FireNet systems sitting with the Transit Gateway for further bandwidth? Absolutely, Aviatrix supports up to 10 Firewall instances per AZ (20 per Transit FireNet VPC) in AWS, for example.  Do the Transit Gateways and FireNet systems have the ability to handle Malicious IP filtering and IDS/IPS? Yes, this is handled by the Aviatrix Gateways (Transit, Spoke, and Standalone) and part of the data plane. This is called Av

Is application-based filtering possible?     Aviatrix Egress FQDN can filter the traffic based on Layer 7 (L7) FQDN, IP, or even with wildcard FQDN. One can also use NGFW with Aviatrix FireNet solution to provide deeper level filtering if needed. Are there any 3rd party plug-ins for the FQDN filters?  ie. DNS filtering based on domain classification? No, but you can import your filters. Does the controller identify URLs on the basis of families? How do we redirect the DNS request to Aviatrix FQDN Engine? The Aviatrix Gateway replaces the native NAT GW and not only provides NAT but also advanced filtering capabilities using the L7 FQDN. Aviatrix Controller automatically programs all necessary VPC/VNET routes to redirect traffic towards the Egress GW for Internet bound traffic. Will the DNS get resolved with the packet dropped based on the data plane’s traffic? Yes. The DNS will be resolved the way it is today, but when traffic hits the Aviatrix Gatew

In HPE environments, as you are bundling IPsec tunnels to achieve greater overall throughput, are you still limited to 1.25 Gbps per session/flow? Or do you perform some form of per packet load-sharing across the available tunnels? 1- We are building multiple IPSec tunnels.  2- We do have tech. beyond just building simple tunnels. So no, we are not limited to just 1.25 Gbps per session/flow.  Can we get 70Gbps with a single gateway? This is cumulative throughput and depends on the size of the gateway and whether you enable HPE or not. How do you accomplish high performance encryption on the Direct Connect/peering links? It is done using our technology called HPE (High Performance Encryption, AKA, Insane Mode Encryption).  For HPE, is it bundling multiple VPN's or a single VPN with 10Gbps throughput?     Check out this document for more information: https://docs.aviatrix.com/HowTos/insane_mode.html?highlight=HPE How is the Aviatrix

Are there any BGP route limitations in Aviatrix? There are no limitations. Does VNet peering have route limits like AWS? You have a limit of 500 VNet Peers. Anytime you need to change a CIDR or add a new subnet you need to break ALL the peerings. Which means it will cause an outage. The same challenges apply in AWS. Using Aviatrix TG, can AWS applications talk to applications in GCP or Azure? Absolutely, and it's very easy to do.             Does Aviatrix GWs still work if the controller is down? Yes. Controller is not in the data path. Does Aviatrix Gateway and controller run on Linux VM's? Yes. But they are launched from the marketplace and automated, you do not have to do anything on a terminal. If the Aviatrix Transit Gateway is provided by Aviatrix, does that work for a customer only hosted across AWS? Aviatrix Transit works across AWS/Azure/GCP/OCI. Will subnets in the Transit Gateway have routes to all other VP

Is Site to Cloud similar to Site to Site VPN in Azure? Site to Cloud supports any remote sites with visibility.  How does Aviatrix compare with other networking solutions that are available natively in public clouds? Aviatrix is Cloud Native, designed and built in the cloud, other vendors have brought their legacy products to run on the cloud.  Do Aviatrix products provide SaaS or PaaS or both? Our solution runs on your IaaS, it is not a SaaS product… you are in control.

How is SD-WAN and SDA accommodated in Aviatrix? Aviatrix integrates nicely with pretty much any SD-WAN provider. You can take a look here for a very common deployment model. https://docs.aviatrix.com/HowTos/transitvpc_designs.html?highlight=SD-WAN#sd-wan-integration How does CloudWAN take the optimal route? We leverage AWS Global Accelerator in AWS and Azure Anycast routing to connect the branch to cloud. With this, the branch will connect to the closest point of entry into that cloud provider's backbone.  Any plans to extend CloudWAN functionality to other SD-WAN solutions (VeloCloud, Versa, Meraki, etc.)? We have customers integrated and are currently using SD-WAN and Aviatrix together.  We are working with teams in WWT with a joint solution launch of Aviatrix + SD-WAN Better Together story.   Does Aviatrix have Enterprise customers leveraging CloudWAN today? Were there any specific challenges with the deployment you could speak to?  Y

So after I finally got the CloudFormation working, now I am trying to onboard my AWS account, however, I have the following problem as shown in this (compiled) screenshot: It doesn't matter how setup the two roles + policies. I get the same error. If anyone has a working configuration and can post the JSON, maybe that would help.  

It looks like you are building the overlay on top of the CSP. Shouldn’t the Aviatrix gateways be exponential to the number of VPC or VNets? What is the recommended instance size of the gateways?   The Aviatrix Gateway can be deployed with instance size as small as t2.micro; the size of your GW will be your decision based on the use case, performance and throughput. Having an Aviatrix GW inside the VPC/VNet will give you visibility and further control in that environment. You can certainly not deploy GW inside the VPC and still have connectivity into transit. Is it possible to deploy FullMesh manually without using Aviatrix? Full mesh is possible but extremely complex to manage. Management of static routes will become a headache along with no troubleshooting and visibility challenges.  What is the reason for customers going to select multiple clouds, since most of the cloud providers provide 99.9999 uptime?  It’s more about being able to leverage

I have spent probably 5 hours on trying to get a controller deployed into AWS. Using the information here:https://docs.aviatrix.com/StartUpGuides/aviatrix-cloud-controller-startup-guide.html After the first time I attempted it, I am to log into the controller and reset the password. I, then, failed to add my AWS account using the wizard from the first screen.  The error message tells me the role "aviatrix-role-ec2" is not assigned and go to the link above and re-run the cloudformation.  I have attempted to run this. However, when I am setting up template to deploy the system through Cloud formation is failed because the role "aviatrix-role-ec2" exists. However, if I go to IAM, it is NOT there, but for some reason, on the Cloudformation Stack Step 2: IAM role creation, it is listed. Yes, I've tried to use and it still failed. So I think I have the following two options: 1) figure out how to remove the 'ghosting' IAM role 2) figure out how to manually co

can you please let me know the calculation.

Hi Team,   In coming days is there any plan for the support for VMware ON AWS, though it is VMware is platform but backend NSX-T run the show.

What are the limits of wildcards in the egress filtering tool? Can it be used in the middle of a URL or just at the end? For example, is this legal and does it work like you would expect? ecr.*.amazonaws.com or is that just the equivalent of: *.amazonaws.com Also, are these two identical or different? *.ecr.amazonaws.com ecr.amazonaws.com Thanks, Charles Wise

How are you and your teams approaching Terraform in general. Terraform is great in certain use-cases but I want to hear what are the limitations and choke points in using Terraform? What are the things it cannot really do?

Network segmentation is a highly effective strategy to limit the impact of network intrusion. This article delves into ways to simplify network segmentation and how Aviatrix Network Security Domains, along with AWS Transit Gateway (TGW), provide a solution for secure network traffic in multi-VPC environments. Cloud Network Segmentation: why and how? First, let’s look at why network segmentation is vital to network security. In the traditional data center networks, segmentation was primarily done via a DMZ or perimeter which had firewall devices. The issue here was that once a bad actor got into the network, they gained wide reach throughout the “private” network. Segmentation approaches called for partitions of numerous smaller networks, reducing the reachability for intruders, minimizing the damage they could do. This type of segmentation involves developing and enforcing a set of rules to manage the traffic between segments. The best practice was to find a manageable level

The problem: The number of inbound or outbound rules per security group in amazon is 60. Reference. From the inbound perspective, this is not a big issue because if your instances are serving customers on the internet, then your security group is wide open; on the other hand, if you want to allow access only from a few internal IPs, then the 60 IP limit is sufficient. However, outbound or egress traffic is a different discussion. Let's say you have a production instance that needs updates from updates.ubuntu.com ( 15 IPs) and a few other repositories like GitHub (12 IPs), and perhaps a third party partner. You can quickly realize that 60 IPs are not enough. The solution: Aviatrix solution to this problem is the Secure Cloud Egress with FQDN that allows you to specify filters using Fully Qualified Domain Name of the destinations that your instances are allowed to reach. This simplifies the management as you only introduce FQDN such as update.ubuntu.com or github.com to

AWS Transit Gateway (TGW) enables customers to connect their VPCs and their on-premises networks to a single gateway. It acts as a hub that controls how traffic is routed among all the connected networks which act like spokes. The AWS Transit Gateway (TGW) was designed to replace the older Transit VPC architecture, which deployed third-party instances that performed transitive routing functions. While both the AWS Transit Gateway (TGW) and the older Transit VPC constructs allow for connectivity, the routing updates and related challenges are entirely different. Let’s take a look at the legacy approach of implementing transit using the Transit VPC architecture:   The connectivity to on-premise relies on Direct Connect or IPsec VPN and terminates in a VGW, which is attached to the Transit VPC. A third-party appliance (Cloud Router) with transitive routing capabilities connects the VGW to all the “spoke VPCs.” In this construct, the on-premise (or Datacenter) environment

looking for some details on pros/cons of leveraging native AWS TGW vs using Aviatrix transit gateway ?

The AWS Transit Gateway (TGW) was introduced to eliminate complexity involved in peering many VPCs together. In the pre-AWS Transit Gateway (TGW) world, if you had to connect many VPCs, you were required to use a complex mesh of VPC peerings. To be accurate n (n-1)/2, where n is the number of VPCs. AWS Transit Gateway (TGW) was introduced to make peering of VPCs easier. But, it does not make routing easy. When attaching the AWS Transit Gateway (TGW) to a VPC, it does not propagate routes to the VPCs. Similarly, creating propagation across route tables in the AWS Transit Gateway (TGW) does not automatically populate routes into the respective tables. The formula of how many route tables need to be managed, reviewed and updated when using an AWS Transit Gateway (TGW) is equal to: n ( s + r - 1), where n is the number of VPCs attached to the AWS Transit Gateway (TGW), s is the number of subnets in each VPC and r is the number of route tables in the AWS Transit Gateway (TGW). Let

Azure VPN GW cannot be used as a transit gateway. You should be using NVA (for example Aviatrix Trnsit GW) in Transit VNET

I am building a lab environment and deploying Aviatrix Service Gateways. Is there a matrix that can tell me what features I can enable on the same GW?For example can I enable Aviatrix Transit and FireNet on the same Gateway?What are the features I cannot turn on the same GW?

Wondering how to recover from a failed upgrade on my controller? I tried to install the upgrade again but it failed. 

I am using Cloudwatch for logging all aviatrix events. We would like to raise an alert whenever there is a status change in one of the tunnels. Email alerts contain the following text: "State Change: Up -> Down" but I have not been able to find a similar text in the logs.  Any help would be welcome. Antonio