Solved with Aviatrix: Consolidate While Preserving Agility


Matt Kazmar, Customer Solutions Architect

Imagine, if you will, a typical large corporation. There are many business units and none of them talk to each other. The corporate IT department is overwhelmed and was slower to adopt Cloud than many teams would have liked. Out comes the corporate credit card and a new Cloud environment is born. Cloud networks everywhere.

This environment sprawl is often called Shadow IT. While these environments are agile and responsive to user demands, they aren't subject to Governance, Compliance or Security Controls.

IT is finally on board with Cloud and has its own infrastructure built out. The CIO requests a company-wide report on Cloud expenditures and is shocked at the volume that is returned. A directive is issued - all non-Corporate Cloud environments must be merged into the corporate managed infrastructure.

With the directive in hand, your boss comes to you, the Network Engineer or Architect, to start designing a solution. The top priority is connectivity to the corporate network, followed by security controls. You glance at the chaos. How do you securely connect hundreds of VPCs and VNETs to the corporate network when the IP ranges are all over the place like a preschooler's toy room?

Just as importantly, how do you preserve the agility and responsiveness that the business units have come to enjoy?

Enter Aviatrix.

"The Aviatrix cloud network platform delivers a single, common platform for multi-cloud networking, regardless of public cloud providers used. Aviatrix delivers the simplicity and automation enterprises expect in the cloud with the operational visibility and control they require."



One of the many features that Aviatrix offers is the ability to easily handle overlapping IP scenarios. The diagram below shows the Consolidation/Shadow IT scenario.

In the scenario, the Shadow IT exists in AWS and Corporate IT is using Azure. The Shadow IT and Corporate workloads need connectivity before they can be migrated over to their new home. The Cloud type doesn't matter here - it's the same general process.

The shadow workload subnets are source-NATed (SNAT) behind the Aviatrix Spoke Gateways, which carry IP addresses that are unique from the corporate side, for access to the corporate network. Conversely, destination NAT (DNAT) is used to reach workloads that sit in the overlapping IP spaces: each exposed shadow workload gets a unique mapped address that corporate hosts can route to.
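To make the SNAT/DNAT mechanism concrete, here is a small Python model of what one such gateway does for a shadow VPC whose range collides with the corporate range. It is an added illustration written for this post, not Aviatrix code; the CIDRs, the gateway address and the mapped (DNAT) pool are constructed values, and the `OverlapGateway` class and its methods are hypothetical names.

```python
"""Toy model of SNAT/DNAT in front of a VPC that overlaps the corporate range.

Constructed example: addresses, names and the translation table are invented
for illustration and are not taken from any real deployment.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class OverlapGateway:
    """One spoke-style gateway sitting between a shadow VPC and the corporate network."""

    def __init__(self, shadow_cidr, corporate_cidr, gateway_ip, mapped_cidr):
        self.shadow = ipaddress.ip_network(shadow_cidr)
        self.corporate = ipaddress.ip_network(corporate_cidr)
        self.gateway_ip = ipaddress.ip_address(gateway_ip)
        self.mapped = ipaddress.ip_network(mapped_cidr)
        # The gateway's own address and the DNAT pool are what the corporate side
        # routes to, so they must not collide with corporate space at all.
        if self.gateway_ip in self.corporate or self.mapped.overlaps(self.corporate):
            raise ValueError("gateway address and mapped range must be unique from corporate space")
        self._free = list(self.mapped.hosts())   # unused mapped addresses
        self._dnat = {}                          # mapped address -> real shadow address
        self._snat = {}                          # gateway port -> (real src, real sport)
        self._next_port = 10000

    def expose(self, shadow_ip):
        """Allocate (or return the existing) mapped address for a shadow workload."""
        real = ipaddress.ip_address(shadow_ip)
        if real not in self.shadow:
            raise ValueError(f"{shadow_ip} is not in the shadow range {self.shadow}")
        for mapped, existing in self._dnat.items():
            if existing == real:
                return str(mapped)
        mapped = self._free.pop(0)
        self._dnat[mapped] = real
        return str(mapped)

    def outbound(self, pkt):
        """Shadow -> corporate: hide the overlapping source behind the gateway (SNAT)."""
        port = self._next_port
        self._next_port += 1
        self._snat[port] = (pkt.src, pkt.sport)
        return replace(pkt, src=str(self.gateway_ip), sport=port)

    def reply(self, pkt):
        """Corporate -> shadow reply to an outbound flow: undo the SNAT using the port."""
        real_src, real_sport = self._snat[pkt.dport]
        return replace(pkt, dst=real_src, dport=real_sport)

    def inbound(self, pkt):
        """Corporate -> shadow, corporate-initiated: rewrite the mapped address (DNAT)."""
        real = self._dnat[ipaddress.ip_address(pkt.dst)]
        return replace(pkt, dst=str(real))


if __name__ == "__main__":
    # Shadow VPC and corporate VNET both use 10.1.0.0/16 (the overlap).
    gw = OverlapGateway("10.1.0.0/16", "10.1.0.0/16", "192.168.100.10", "192.168.200.0/24")
    print(gw.outbound(Packet("10.1.5.20", 40000, "10.1.9.8", 443)))
    mapped = gw.expose("10.1.5.20")
    print(mapped, gw.inbound(Packet("10.1.7.7", 5000, mapped, 22)))
```

The constructor check is the important part: the gateway address and the mapped pool are the only addresses the corporate side ever sees for the shadow VPC, so they, and not the shadow subnets, are what must be unique across the consolidated network.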

What about Security Controls?

Another feature of Aviatrix is Firewall Insertion. Assuming your firewall vendor has a cloud appliance, it is very likely we can insert it into the path. East-West, Ingress, Egress, and Cloud-to-on-prem traffic can be inspected.

The diagram below combines the Consolidation scenario with Aviatrix Firenet.



In this example, there are two firewalls in the corporate-transit VNET.
  • Inter-VPC/VNET inspection can be enforced, such as from shadow-workload-0 to corporate-workload-1.
  • Ingress can be enforced on a set of ingress VMs, such as an Nginx reverse proxy, and then inspected by the firewall.
  • Egress to the Internet can also be controlled.
  • Not shown: connectivity from on-prem to the Cloud can also be inspected.
All necessary Cloud route programming is handled by the Aviatrix Controller for all Public Clouds.

How about agility?

As you can see above, the different clouds are deployed in a consistent way. Consistency in design means minimal network design time for different deployments.

While we can't speak for your firewall vendor, everything else on the above network can be defined with Terraform. The entire deployment can be orchestrated through your build environment.

The combination of consistency and orchestration makes for quick and easy deployments, enabling you to respond more rapidly to change and user demands.

Supportability?

Visibility at all Gateways is provided by CoPilot, which collects flow data from all Gateways and presents it in a usable form. Packet captures can be performed as well, and the firewall and Cloud flow logs are also available.

Yes, it is possible to duplicate some of the automation and visibility yourself. However, that requires deep knowledge of all Clouds, the routing, and how to integrate with the monitoring tools. Aviatrix is an easy, performant way to design your network with a minimum of effort, both at deployment and on Day 2.

Visit the Aviatrix website and get a sales call together. Let's see how easy we can make your Cloud networking journey.


Comments

Popular posts from this blog

Solved with Aviatrix: Infoblox Anycast BGP on AWS/Azure

Solved with Aviatrix: Securely bring Google-managed Apigee-X to another Cloud or Datacenter

Solved with Aviatrix - Google Compute instances with DNS Forwarding Zones