For DR purposes and features like failover, failback and DR testing, we need to clone the source VPC (10.0.0.0/16, us-west1) to another VPC (10.0.0.0/16, us-east2) with the same CIDR. Is this overlapping-CIDR support available? TGW etc. does not support CIDR overlaps.
How does Aviatrix fix problems in Azure? We orchestrate and manage the UDR routes using Aviatrix Gateway in Azure to provide a scalable architecture and a lot of other things as well. How does Aviatrix work with ARM templates for Azure? Aviatrix has its own Terraform provider so configurations can be applied consistently across clouds. Is Azure NSG similar to NACLs or SG in AWS? Azure NSG can be attached to either subnet or instance, so it’s similar to both AWS NACL and SG. Is Azure's NVA similar to the Transit Gateway in AWS? No, the AWS Transit Gateway is an actual managed service from AWS. Azure NVA is not a managed service in itself. NVA means Network Virtual Appliance and can be either a 3rd-party element or a native Azure element such as Azure Firewall. Is there NACL in Azure? What you do with NACL in AWS, you can do with NSG in Azure. What is the preferred transit opti
Is Direct Connect (DX) encrypted by default? No. DX is not encrypted. The encryption solution needs to be built on top of it. If you are looking for near line rate encryption for DX and/or ER (Express Route), Aviatrix has a hardware appliance called CloudN that one should consider. Does the 3rd party firewall and Aviatrix controller have to be in AWS, or do the firewall services work on Azure as well? Nothing has to be in AWS. If you are a customer who has no footprint in AWS, you can only be in Azure, which means that your Controller, GWs, FWs will all be in Azure, too. I want to have routing from multiple regions to my on-prem via AWS-TGW, would I need multiple route peering? Yes, you would terminate a VPN per TGW to on-prem. If using a Direct Connect, you could leverage the DX Gateway. If the VPN tunnel is built with an AWS-TGW, do we also need to program routes in VPCs? You will need to go into the VPC route tables and manually configure routes for D
What's the difference between the Aviatrix Controller and Gateway? Are these 2 separate appliances? The AVX-Controller sits in the Management/Operations plane. It is the Appliance you deploy from AWS/Azure/etc. You only need one controller. This controller then deploys AVX-Gateway appliances based on use-case and requirement. We can always automate the Route Table configurations via CloudFormation, so what does Aviatrix do? Sure, you can automate the RT configuration, but compared to what the Aviatrix controller does for you, there is a huge difference. The controller injects intelligence into the cloud network. The controller will monitor routes from on-prem, routes from VPC, routes from TGW attachments, routes from peering relationships, and more, and programs those end-to-end not only in a single cloud, but across clouds AND across accounts and subscriptions. The controller audits these routes and paths, ensures that there are no black holes, ensures that th
Do you provide a VPN client for end users for the point-to-site connectivity or are they still using another third party? Aviatrix has its own VPN client with added benefits like SAML, but you can also use OpenVPN clients as well. Is there a NAC module for Aviatrix VPN clients? We can enforce the minimum version of the VPN client that the user uses. But besides that, there are no other NAC functionalities today. Is transit traffic not possible with the Smart SAML VPN? Once the user is on the Aviatrix backbone, they can access all the resources.
How do you decide which type of workload should be run on private and public clouds? You can run any type of workload in the public cloud. At the end of the day, the VMs/instances in the Cloud are regular Linux or Windows machines. The Cloud actually gives you even more options/services to run your workload. Does Aviatrix use Terraform to deploy/automate across the Cloud platforms? Yes! Totally! For Terraform, we are an official provider. Also we support REST API. https://www.terraform.io/docs/providers/aviatrix/. What is the benefit of using different Public Clouds, why not consolidate on one preferred cloud? You want to diversify. Just like how you would do main DC and DR in separate locations, it makes sense to be in different CSPs. Sometimes, there are better offerings in terms of services and support and cost when it comes to different CSPs. Are the controllers and the gateways multi-tenant? Yes. The Controller allows you to onboard different accounts from different tena
What is an overlay network? An Overlay is a tunnel providing connectivity over the physical infrastructure. IPsec is an example of this. Does the MCNA apply to k8s workloads as well? All the examples presented were based on VM workloads, but it applies to k8s workloads as well. They would reside in a VPC at the end of the day, so we can handle it. Is the MCNA an open framework? If so, who is contributing to it? The MCNA is an architecture that Aviatrix developed and implements using our platform. Others may leverage this type of architecture in the future as it is cloud-agnostic. We believe this is the best reference architecture for the cloud for single cloud or multi-cloud deployments. If we are using the same subnet in a different VPC, how does MCNA address that? Aviatrix provides the ability to overcome overlapping CIDRs if you’re using them repeatedly. If you are referring to IP address overlap, we have some solutions for that. The gateways
What is the difference between the firewall network and the Transit FireNet? The Firewall Network is when we insert the firewall in the AWS TGW. Transit FireNet is when we insert a firewall in the Aviatrix Transit VPC/VNet, which works in all clouds. Who programs the TGW to send traffic to the appropriate FW? Aviatrix Controller will orchestrate VPC and TGW routes to send traffic to Aviatrix Gateways in the Firewall Network VPC. From there, Aviatrix Gateways will load balance traffic between available FWs. Can you have more than one HA pair of FireNet systems sitting with the Transit Gateway for further bandwidth? Absolutely, Aviatrix supports up to 10 Firewall instances per AZ (20 per Transit FireNet VPC) in AWS, for example. Do the Transit Gateways and FireNet systems have the ability to handle Malicious IP filtering and IDS/IPS? Yes, this is handled by the Aviatrix Gateways (Transit, Spoke, and Standalone) and part of the data plane. This is called Av
Is application-based filtering possible? Aviatrix Egress FQDN can filter the traffic based on Layer 7 (L7) FQDN, IP, or even with wildcard FQDN. One can also use NGFW with Aviatrix FireNet solution to provide deeper level filtering if needed. Are there any 3rd party plug-ins for the FQDN filters? I.e., DNS filtering based on domain classification? No, but you can import your filters. Does the controller identify URLs on the basis of families? How do we redirect the DNS request to Aviatrix FQDN Engine? The Aviatrix Gateway replaces the native NAT GW and not only provides NAT but also advanced filtering capabilities using the L7 FQDN. Aviatrix Controller automatically programs all necessary VPC/VNET routes to redirect traffic towards the Egress GW for Internet bound traffic. Will the DNS get resolved with the packet dropped based on the data plane’s traffic? Yes. The DNS will be resolved the way it is today, but when traffic hits the Aviatrix Gatew
In HPE environments, as you are bundling IPsec tunnels to achieve greater overall throughput, are you still limited to 1.25 Gbps per session/flow? Or do you perform some form of per packet load-sharing across the available tunnels? 1- We are building multiple IPSec tunnels. 2- We do have tech. beyond just building simple tunnels. So no, we are not limited to just 1.25 Gbps per session/flow. Can we get 70Gbps with a single gateway? This is cumulative throughput and depends on the size of the gateway and whether you enable HPE or not. How do you accomplish high performance encryption on the Direct Connect/peering links? It is done using our technology called HPE (High Performance Encryption, AKA, Insane Mode Encryption). For HPE, is it bundling multiple VPN's or a single VPN with 10Gbps throughput? Check out this document for more information: https://docs.aviatrix.com/HowTos/insane_mode.html?highlight=HPE How is the Aviatrix
Are there any BGP route limitations in Aviatrix? There are no limitations. Does VNet peering have route limits like AWS? You have a limit of 500 VNet Peers. Anytime you need to change a CIDR or add a new subnet you need to break ALL the peerings, which means it will cause an outage. The same challenges apply in AWS. Using Aviatrix TG, can AWS applications talk to applications in GCP or Azure? Absolutely, and it's very easy to do. Do Aviatrix GWs still work if the controller is down? Yes. The Controller is not in the data path. Do the Aviatrix Gateway and Controller run on Linux VMs? Yes. But they are launched from the marketplace and automated, you do not have to do anything on a terminal. If the Aviatrix Transit Gateway is provided by Aviatrix, does that work for a customer only hosted across AWS? Aviatrix Transit works across AWS/Azure/GCP/OCI. Will subnets in the Transit Gateway have routes to all other VP
Is Site to Cloud similar to Site to Site VPN in Azure? Site to Cloud supports any remote sites with visibility. How does Aviatrix compare with other networking solutions that are available natively in public clouds? Aviatrix is Cloud Native, designed and built in the cloud, other vendors have brought their legacy products to run on the cloud. Do Aviatrix products provide SaaS or PaaS or both? Our solution runs on your IaaS, it is not a SaaS product… you are in control.
How are SD-WAN and SDA accommodated in Aviatrix? Aviatrix integrates nicely with pretty much any SD-WAN provider. You can take a look here for a very common deployment model: https://docs.aviatrix.com/HowTos/transitvpc_designs.html?highlight=SD-WAN#sd-wan-integration How does CloudWAN take the optimal route? We leverage AWS Global Accelerator in AWS and Azure Anycast routing to connect the branch to cloud. With this, the branch will connect to the closest point of entry into that cloud provider's backbone. Any plans to extend CloudWAN functionality to other SD-WAN solutions (VeloCloud, Versa, Meraki, etc.)? We have customers integrated and are currently using SD-WAN and Aviatrix together. We are working with teams in WWT with a joint solution launch of Aviatrix + SD-WAN Better Together story. Does Aviatrix have Enterprise customers leveraging CloudWAN today? Were there any specific challenges with the deployment you could speak to? Y
So after I finally got the CloudFormation working, now I am trying to onboard my AWS account; however, I have the following problem as shown in this (compiled) screenshot: It doesn't matter how I set up the two roles + policies, I get the same error. If anyone has a working configuration and can post the JSON, maybe that would help.
It looks like you are building the overlay on top of the CSP. Shouldn’t the Aviatrix gateways be exponential to the number of VPCs or VNets? What is the recommended instance size of the gateways? The Aviatrix Gateway can be deployed with an instance size as small as t2.micro; the size of your GW will be your decision based on the use case, performance and throughput. Having an Aviatrix GW inside the VPC/VNet will give you visibility and further control in that environment. You can certainly not deploy a GW inside the VPC and still have connectivity into transit. Is it possible to deploy FullMesh manually without using Aviatrix? Full mesh is possible but extremely complex to manage. Management of static routes will become a headache, along with troubleshooting and visibility challenges. What is the reason for customers going to select multiple clouds, since most of the cloud providers provide 99.9999 uptime? It’s more about being able to leverage
I have spent probably 5 hours on trying to get a controller deployed into AWS, using the information here: https://docs.aviatrix.com/StartUpGuides/aviatrix-cloud-controller-startup-guide.html After the first time I attempted it, I was able to log into the controller and reset the password. I then failed to add my AWS account using the wizard from the first screen. The error message tells me the role "aviatrix-role-ec2" is not assigned and to go to the link above and re-run the CloudFormation. I have attempted to run this. However, when I set up the template to deploy the system through CloudFormation, it failed because the role "aviatrix-role-ec2" exists. However, if I go to IAM, it is NOT there, but for some reason, on the CloudFormation Stack Step 2: IAM role creation, it is listed. Yes, I've tried to use it and it still failed. So I think I have the following two options: 1) figure out how to remove the 'ghosting' IAM role 2) figure out how to manually co
What are the limits of wildcards in the egress filtering tool? Can it be used in the middle of a URL or just at the end? For example, is this legal and does it work like you would expect: ecr.*.amazonaws.com, or is that just the equivalent of *.amazonaws.com? Also, are these two identical or different: *.ecr.amazonaws.com and ecr.amazonaws.com? Thanks, Charles Wise
Network segmentation is a highly effective strategy to limit the impact of a network intrusion. This article delves into ways to simplify network segmentation and how Aviatrix Network Security Domains, along with AWS Transit Gateway (TGW), provide a solution for secure network traffic in multi-VPC environments. Cloud Network Segmentation: why and how? First, let’s look at why network segmentation is vital to network security. In traditional data center networks, segmentation was primarily done via a DMZ or perimeter built from firewall devices. The issue was that once a bad actor got into the network, they gained wide reach throughout the “private” network. Segmentation approaches called for partitioning into numerous smaller networks, reducing the reachability available to intruders and minimizing the damage they could do. This type of segmentation involves developing and enforcing a set of rules to manage the traffic between segments. The best practice was to find a manageable level