GCP Transit Networking and Routing with Aviatrix

Aviatrix Transit Network in GCP is a powerful use-case for customers looking to design consistent transit architecture in GCP and in other clouds. This is neede to build a unified and consistent network forming the cloud core essentially.

This design also allows business to have full visibility into the traffic beyond what Cloud primitive options can provide.

GCP Transit Network Topology

We will be using a simple hub and spoke transit topology as depicted below. This topology can be extended to hundreds of VPCs and across multiple clouds without any compromises.

Create GCP VPCs Directly from Aviatrix Controller UI

This is very powerful deploy directly from the Aviatrix Controller UI. There is no need to learn different Cloud constructs as Aviatrix can speak all the “Cloud” languages.

Following example shows the output when all necessary VPCs were created to build the transit topology we showcased earlier.

Create GCP Transit Gateway from AVX-Ctrl UI

NOTE: AVX-Ctrl –> Aviatrix Controller

Create GCP Spoke Aviatrix Gateway-1


Create GCP Spoke Aviatrix Gateway-2

Following is the output when AVX-GW is created

GCP Transit (Hub) and Spoke GWs Deployed

At this point you have your HUB and Spoke GW deployed

Attach GCP Hub to Spoke-VPC1 and VPC2

Attachment Process

AVX-Ctrl creates the IPSec Tunnels / Firewall rules etc. to attach Spoke-VPC to Transit-VPC as shown below

Aviatrix Encrypted Peering Section

Encrypted Peering section will also show the following outcome

GCP Transit Networking Is Deployed Now

Testing GCP Transit

We deployed two test VMs in Spoke VPCs as follows

Test VM Properties

Enable GCP “OS Login” Feature to Login to VMs

https://cloud.google.com/compute/docs/instances/managing-instance-access

OS Login allows you to use Compute Engine IAM roles to manage SSH access to Linux instances and is an alternative to manually managing instance access by adding and removing SSH keys in metadata.

To configure OS Login and connect to your instances, use the following process:

  1. Enable the OS Login feature on your project or on individual instances.
  2. Grant the necessary IAM roles to yourself, your project members, or your organization members.
  3. Optionally, complete any of the following steps:
    1. Set up two-factor authentication.
    2. Add custom SSH keys to user accounts for yourself, your project member, or organization members. Alternatively, Compute Engine can automatically generate these keys for you when you connect to instances.
    3. Modify user accounts using the Directory API.
    4. Grant instance access to users outside of your organization.
  4. Connect to instances.
  5. Review the expected login behaviors.

Install important Tools on both GCP VMs

ttps://cloud.google.com/solutions/building-high-throughput-vpns

# sudo apt-get -y install traceroute mtr tcpdump iperf whois host dnsutils siege

Enable Aviatrix Connected Transit Feature

This feature allows VPCs to talk to each other. By default VPCs can only talk to Transit VPC. This is meant for SaaS based apps or for Service Providers for VPC isolation.

Testing Successful

At this point it is all good and working.

Leave a Reply