Draft Introduction Aviatrix Firewall Network Services (FireNet) simplify the Next Generation Firewall Insertion and Operations. FireNet is the simplest, highest performance, best scale-out architecture for next generation firewalls in the cloud. Following are some of the highlights Simple deployment, autoroute propagation to firewalls Advanced egress, IDS, IPS, and ingress security Maximize performance, scale, and visibility …
Kickstart deploys cloud and multi-cloud networks in minutes without any effort. Once the hub/spoke transit network is built in the cloud, it will act as a core networking layer on which one can add more use-cases as needed later. The lightweight automation script deploys an Aviatrix controller and an Aviatrix transit architecture in AWS (and …
Aviatrix Kickstart – Spin up Cloud Networks in Minutes – UI Mode Read More »
Business Objective An important security requirement for GCP VPCs is to effectively control remote user access in a policy based manner. The cloud and the COVID-19 pandemic makes most users “remote.” Not only for employees who are out of the office, the “remote” label can be applied to developers, contractors, and partners whether they’re in …
Objective ACE Enterprise in GCP wants to connect to different partners to consume SaaS services. These partners could be present in physical DC or Branches; or in VPC/VNET in cloud such as GCP/AWS/Azure/etc. ACE cannot dictate or control the IPs/Subnets/CIDR those partners have configured and must support “Bring Your own IP” which might overlap with …
LAB5 – Bring Your Own IP/Subnet in GCP (Overlapping IP) Read More »
This lab will demonstrate how to provide Fully Qualified Domain Name (FQDN) based Egress Filtering security using Aviatrix. Only those FQDNs will be allowed which are permitted in the configured policy. Egress FQDN Filtering Overview Aviatrix FQDN Egress is a highly available security service specifically designed for workloads or applications inthe public clouds. Aviatrix Egress …
It is important to provide security compliance and fulfill audit requirements by using various methods and network segmentation is one of them. Providing Network Security segmentation is a critical business requirement. Aviatrix MCNS is helping many customers who achieved this requirement. So far we have built following topology Our objective in this lab to segment …
LAB3 – GCP Multi-Cloud Network Segmentation (MCNS) Read More »
In this lab, we will build the hub and spoke network in GCP. All the GCP VPCs and their respective subnets are already created for you to save time. GCP Spoke-2 GW VPC Network/Subnet Creation This step is already done for you so please do not attempt. Controller can create those subnets using API/Terraform as …
LAB2 – GCP Multi-Cloud Network Transit / Hub-Spoke Read More »
Introduction This document is the lab guide for GCP Test Flight Project. Anyone with basic GCP knowledge is the audience. It is GCO focused with connection to AWS as optional component of the cloud. Topology Following is the starting topology. Some components are pre-built to save time. Once you finish all lab steps, following is …
LAB1 – Google Cloud and Aviatrix Testing/POC LAB Guide Read More »
There are many features Aviatrix has developed for our Firewall partners to help achieve compliance, lower TCO, and enhanced application security needs. The following table is a list of some of the important features for Check Point CloudGuard deployment. There are some very specific ones for Check Point, and then there are some features applicable …
Aviatrix’s Check Point CloudGuard Related Features Read More »
Cloud Armor – A service that sits before a native Load Balancer to protect against DDoS attacks. In GKE, the target for Cloud Armor service is GKE Ingress LB Load Balancer Options There are different load balancer options in GCP based on specific requirement Load Balancer Traffic Type Global/Regional External/Internal External Ports HTTP(s) HTTP or …
Problem Statement As enterprises moving their applications into the cloud, they are following the best practice to deploy their virtual NGFW in the Cloud using Aviatrix’s active/active, centralized, uncompromised, cost optimized an dpolicy-based Firewall Service Insertion (FireNet) solution as shown in the following diagram Some enterprises want to keep using their on-premise physical NGFW until …
Cloud to On Premise Data Center Active/Standby Firewall Design and Deployment Read More »
Aviatrix Gateway VM Type Throughput n1-highcpu-4 3.12Gbps n1-highcpu-8 6.54Gbps n1-highcpu-16 11.58Gbps n1-highcpu-32 19.97Gbps How does Aviatrix GCP HPE work? Aviatrix HPE utilizes native peering and multiple tunnels to provide higher throughput GCP HPE can also work with /24 subnet scheme. Controller builds native peering GCP Transit Gateway Details Following is the output from the Aviatrix …
Prerequisites GoQuorum installed Tessera A running network Install GoQuorum [ec2-user@ip-10-101-91-122 ~]$ sudo yum update[ec2-user@ip-10-101-91-122 ~]$ sudo yum install git[ec2-user@ip-10-101-91-122 ~]$ sudo yum install go [ec2-user@ip-10-101-91-122 ~]$ sudo git clone https://github.com/ConsenSys/quorum.git Cloning into ‘quorum’… remote: Enumerating objects: 11, done. remote: Counting objects: 100% (11/11), done. remote: Compressing objects: 100% (7/7), done. remote: Total 99524 (delta 4), …
Install BlockChain Quorum Node on AWS EC2 Instance Read More »
Introduction Quorum is an enterprise blockchain platform. Quorum is a privacy-centric fork of Ethereum client “geth” with several protocol level enhancements to support enterprise business needs. Quorum is an open-source project. The very nature of blockchain or distrubuted ledger provides a secure, shardd platform for decentralized applications (DAPPs) and data. It is cryptographically secure, auditable …
In some situation it might be desired to send a subset of DNS traffic from on-prem to cloud. One example is sending the S3 bucket traffic from on-prem to Cloud if one has deployed Direct Connect circuit without needing to use public VIF. The most important aspect is that your orginization should not become the …
Selective DNS Traffic Forwarding From On-Prem to Cloud Read More »
Introduction GCP shared VPC allows an organization to share or extend its vpc-network (you can also call it subnet) from one project (called host) to another project (called service/tenant). When you use Shared VPC in a project call “X”, you are automatically designating this project “X” as a host project. Now you can attach one …
GCP Shared VPC Transit Design and Deploy For Enterprises Read More »
This pattern is more suited for small deployments, PoC or lab setup where the networking is kept very simple. The Aviatrix transit GW is deployed inside the host-project. The Aviatrix spokes are also deployed inside the host-project but the VPC network (or subnet) is shared with the service/tenant VPC. This same shared VPC network (subnet) …
Aviatrix Spoke GW and Workload VMs in Same GCP Shared VPC Subnets Read More »
Problem Statement By default GCP Compute Service Account permissions are wide open with the Editor role. Here is how you can see the problem yourself. Create a new GCP Project Notice the “Service Accounts” area and notice that there is no account there yet. Enable Compute API for PCI Service Project Default GCP Service Account …
Onboarding GCP Project in Aviatrix Controller with Restricted Access Read More »
Aviatrix controller provides unified control and management plane for Google Cloud. Aviatrix allows enterprises to on-board hundreds of GCP projects/accounts into the controller. Once these projects are on-boarded, Aviatrix controller is intelligent to control and manage networking and security across those projects. On the Aviatrix document page one of the options is to use the …
GCP Least Privileged Service Account for Aviatrix Read More »
The requires only single VPC for testing purposes Aviatrix ingress filtering gateway (aka public subnet filter PSF) is deployed in the public subnet External ALB deployed in the same public subnet as AVX-PSF-GW WordPress App was launched in the non-routable private subnet (vpc2-subnet1) Bonus testing with Internal ALB Test Windows EC2 was launched in a …
Aviatrix Ingress Filtering Deployment with AWS ALB (Application Load Balancer) Read More »
Kickstart deploys cloud and multi-cloud networks in minutes without any efforts. Once the hub/spoke transit network is built in the cloud, it will act as core networking layer on which one can add more use-cases as needed later. The light weight automation script deploys Aviatrix controller and an Aviatrix transit architecture in AWS (and optionally …
Aviatrix Kickstart – Spin up Cloud Networks in Minutes – CLI Mode Read More »
What is GCP Shared VPC? GCP shared VPC allows an organization to share or extend its vpc-network (you can also call it subnet) from one projects (called host) to another project (called service/tenant). When you use Shared VPC, you designate a project as a host project and attach one or more other service projects to …
Aviatrix Transit Network Design Options for GCP Shared VPC Read More »
Introduction Aviatrix release 6.0 introduced Firewall Instances Health Check Enhancement. This enhancement checks a firewall instance’s health by pinging its LAN interface from the connecting Aviatrix FireNet gateway. An alternative option to check health through firewall’s management interface. ICMP health check to the Firewall LAN interface improves firewall failure detection time and detection accuracy. This …
Check Point CloudGuard IaaS in AWS with Quick Failover Read More »