By Sunil Kishen, VP Sales and Partnerships, Aviatrix Systems Inc.
Aviatrix cloud networking solutions empower CloudOps and cloud infrastructure engineers to manage cloud network infrastructure and network security self-sufficiently. The product is fully integrated with Google Cloud networking so that CloudOps engineers can easily build and scale their hybrid or all-in-cloud environments on Google Cloud.
Aviatrix solutions complement Google Cloud networking capabilities by providing the following additional capabilities:
- SSL-based enterprise secure remote access.
- Encrypted multi-cloud peering.
- Encrypted cross-project peering.
- Encrypted site-to-Google Cloud scalable connectivity.
- Encryption on Cloud Interconnect.
Aviatrix provides a centrally managed, secure, point-and-click and REST API-driven network solution for Google Cloud. The central controller builds encrypted tunnels and security services by integrating with Google Cloud infrastructure to launch gateway instances, modify Google Cloud network routing tables, enforce security policies, and use other Google Cloud services.
The following figure shows Aviatrix and Google Cloud networking services.
Aviatrix networking and Google Cloud reference architecture
The following figure illustrates a typical cloud network architecture in which the Aviatrix controller and Aviatrix gateways are deployed in Google Cloud networks that belong to the end customer or enterprise. The controller is deployed in one of the customer's Google Cloud networks, and it deploys the Aviatrix gateways that provide the services described in the following sections.
Google Cloud cross-network and cross-project encrypted peering
Cross-network encrypted peering enables enterprises to build full-mesh, partial-mesh, or hub-and-spoke connectivity between their Virtual Private Cloud (VPC) networks. A typical enterprise footprint in Google Cloud has multiple projects owned by different business groups, and a Google Cloud project can span all Google Cloud regions. The Aviatrix Cloud Networking Solution for Google Cloud provides point-and-click peering between Google Cloud projects (cross-project peering) without manual configuration of routing or other network-level changes that are difficult to perform and maintain; the Aviatrix central controller handles that configuration.
Highlights of Aviatrix cross-project peering
- High availability with standby tunnel and automatic failover.
- Automatic discovery of Google Cloud.
- Automatic discovery of networks.
- Configuration of routing across Google Cloud networks; no static routes necessary.
- Policy-based routing.
- Stateful inspection for TCP port filtering at a Google Cloud network level.
Multi-cloud encrypted peering
Multi-cloud peering enables enterprises that deploy across multiple public cloud providers to connect those environments securely to one another. Google Cloud VPC networks can now peer with Amazon Web Services (AWS) VPCs and Azure Virtual Networks (VNets). This inter-cloud networking feature lets you set up a multi-public-cloud environment and enables IT application use cases such as cloud-to-cloud migration, cloud-to-cloud backup, and cloud-to-cloud disaster recovery.
The Aviatrix cloud networking solution for Google Cloud supports point-and-click peering between Google Cloud, AWS, and Azure without manual configuration of routing or other changes that are difficult to perform and maintain by hand.
Highlights of Aviatrix multi-cloud peering
- High availability with standby tunnel and auto-failover.
- Automatic discovery of AWS VPCs, Azure VNets, and Google Cloud VPC networks.
- Configuration of routing across VPCs/VNets, with no static routes necessary.
- Policy-based routing.
- Stateful inspection for TCP port-based filtering at the VPC and VNet level.
- Point-and-click peering.
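The cross-project and multi-cloud highlights above both list "stateful inspection for TCP port filtering" at the network level. The following is an added example, not Aviatrix code, that shows what distinguishes that from a stateless port filter: a new connection is admitted only if its opening SYN matches an allow rule, the flow is then tracked in a connection table, and return traffic is admitted from that table rather than from a mirrored rule, while a stray ACK or SYN/ACK with no tracked flow is dropped. The policy, addresses and packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not Aviatrix code: a minimal stateful TCP port filter.
# Policy, addresses and packets below are constructed for illustration.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


@dataclass(frozen=True)
class Rule:
    """Allow new connections from src_net to dst_net on the listed destination ports."""
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dports: frozenset


class StatefulTcpFilter:
    def __init__(self, rules):
        self.rules = rules
        # Connection table keyed by the initiator's (src, dst, sport, dport) -> state.
        self.table = {}

    def _policy_allows(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        return any(src in r.src_net and dst in r.dst_net and pkt.dport in r.dports
                   for r in self.rules)

    def process(self, pkt):
        fwd = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        key = fwd if fwd in self.table else rev if rev in self.table else None

        if key is not None:
            # Packet belongs to a tracked flow: admit it and advance the state machine.
            state = self.table[key]
            if pkt.rst:
                del self.table[key]
            elif state == "SYN_SENT" and key == rev and pkt.syn and pkt.ack:
                self.table[key] = "ESTABLISHED"
            elif pkt.fin:
                if state == "HALF_CLOSED":
                    del self.table[key]      # second FIN: connection is closed
                else:
                    self.table[key] = "HALF_CLOSED"
            return "ALLOW"

        # Unknown flow: only a bare SYN that matches policy may open a connection.
        # A lone ACK or SYN/ACK is dropped here; a stateless port filter would pass it.
        if pkt.syn and not pkt.ack and self._policy_allows(pkt):
            self.table[fwd] = "SYN_SENT"
            return "ALLOW"
        return "DROP"

    def active_flows(self):
        return len(self.table)


def run_sample():
    """Constructed traffic: one permitted HTTPS flow plus two unsolicited packets."""
    policy = [Rule(ipaddress.ip_network("10.10.0.0/16"),
                   ipaddress.ip_network("10.20.0.0/16"), frozenset({443}))]
    fw = StatefulTcpFilter(policy)
    packets = [
        Packet("10.10.1.5", "10.20.3.7", 51000, 443, syn=True),            # client SYN
        Packet("10.20.3.7", "10.10.1.5", 443, 51000, syn=True, ack=True),  # server SYN/ACK
        Packet("10.10.1.5", "10.20.3.7", 51000, 443, ack=True),            # handshake done
        Packet("10.20.3.7", "10.10.1.5", 40000, 22, syn=True),             # unsolicited reverse SSH
        Packet("10.20.3.7", "10.10.1.5", 443, 51001, ack=True),            # ACK with no tracked flow
        Packet("10.10.1.5", "10.20.3.7", 51000, 443, fin=True, ack=True),  # client closes
        Packet("10.20.3.7", "10.10.1.5", 443, 51000, fin=True, ack=True),  # server closes
    ]
    return [fw.process(p) for p in packets], fw.active_flows()
```

The sample yields ALLOW for the permitted flow's handshake and teardown, DROP for the two unsolicited packets, and an empty connection table once both FINs have passed. A production filter would additionally age out idle entries and bound the table size so that half-open connections cannot exhaust it.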
Site-to-cloud or branch office peering
Branch office or site-to-cloud peering enables enterprise sites or branch offices to connect to Google Cloud through IPsec connections over the internet. The Aviatrix gateway is a highly scalable, multi-function network services gateway that can support hundreds of IPsec connections from enterprise sites or branch offices. Aviatrix gateways also support source and destination NAT (SNAT/DNAT) to resolve overlapping IP address ranges and other complex addressing scenarios between Google Cloud and your sites.
Highlights of Aviatrix branch office-to-cloud peering
- Offers high availability with standby tunnel and automatic failover.
- Supports large-scale IPsec VPN termination.
- Supports static route configuration.
- Supports overlapping IP address ranges between Google Cloud and on-premises networks.
- Supports policy-based routing.
- Supports stateful inspection for TCP port-based filtering at Google Cloud network level.
- Supports IPsec interoperability with all standard IPsec routers and firewalls.
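The SNAT/DNAT capability mentioned above is what makes it possible to peer two sites that both use the same private range. The following is an added example, not Aviatrix code, of the underlying technique: each site's real range is mapped 1:1 onto a distinct "shadow" range drawn from a pool that does not collide with the cloud range, the host offset is preserved in both directions, and cloud-side traffic addressed to a shadow address is translated back to the owning site. Site names, ranges and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not Aviatrix code: 1:1 NAT to disambiguate sites with overlapping ranges.
# All site names, ranges and addresses are constructed for illustration.


@dataclass(frozen=True)
class NatMapping:
    """Static 1:1 mapping between a site's real range and the shadow range the cloud sees."""
    site: str
    real: ipaddress.IPv4Network
    shadow: ipaddress.IPv4Network

    def __post_init__(self):
        if self.real.prefixlen != self.shadow.prefixlen:
            raise ValueError("1:1 NAT requires equal-sized real and shadow ranges")

    def to_shadow(self, addr):
        """SNAT direction (site -> cloud): keep the host offset, swap the network."""
        addr = ipaddress.IPv4Address(addr)
        if addr not in self.real:
            raise ValueError(f"{addr} is not in {self.real}")
        return self.shadow.network_address + (int(addr) - int(self.real.network_address))

    def to_real(self, addr):
        """DNAT direction (cloud -> site): undo the translation."""
        addr = ipaddress.IPv4Address(addr)
        if addr not in self.shadow:
            raise ValueError(f"{addr} is not in {self.shadow}")
        return self.real.network_address + (int(addr) - int(self.shadow.network_address))


def build_nat_table(sites, shadow_pool, cloud_range):
    """Allocate one non-overlapping shadow range per site from shadow_pool.

    sites: iterable of (site_name, real_range); shadow_pool and cloud_range are CIDR strings.
    A shadow range is never allowed to overlap the cloud range or another shadow range.
    """
    pool = ipaddress.ip_network(shadow_pool)
    cloud = ipaddress.ip_network(cloud_range)
    table = []
    for name, real in sites:
        real = ipaddress.ip_network(real)
        for candidate in pool.subnets(new_prefix=real.prefixlen):
            taken = any(candidate.overlaps(m.shadow) for m in table)
            if not taken and not candidate.overlaps(cloud):
                table.append(NatMapping(name, real, candidate))
                break
        else:
            raise ValueError(f"shadow pool exhausted while allocating {name}")
    return table


def translate_cloud_to_site(table, shadow_addr):
    """Resolve a cloud-side destination to (site, real address) via the shadow range."""
    addr = ipaddress.IPv4Address(shadow_addr)
    for m in table:
        if addr in m.shadow:
            return m.site, m.to_real(addr)
    raise LookupError(f"{addr} is not in any shadow range")


def run_sample():
    # Two branches that both use 10.0.0.0/24; the cloud VPC uses 10.10.0.0/16 (constructed).
    table = build_nat_table(
        [("branch-a", "10.0.0.0/24"), ("branch-b", "10.0.0.0/24")],
        shadow_pool="100.64.0.0/16", cloud_range="10.10.0.0/16")
    return {
        "shadows": [str(m.shadow) for m in table],
        "a_host_seen_by_cloud": str(table[0].to_shadow("10.0.0.5")),
        "b_host_seen_by_cloud": str(table[1].to_shadow("10.0.0.5")),
        "cloud_to_b": translate_cloud_to_site(table, "100.64.1.5"),
    }
```

In the sample, host 10.0.0.5 at branch-a appears to the cloud as 100.64.0.5 and the same address at branch-b as 100.64.1.5, so routing, firewall rules and logs on the cloud side remain unambiguous. The pool is drawn from 100.64.0.0/10 (shared address space) here purely as a constructed choice; any range unused on both sides works.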
Remote Access – SSL VPN
Aviatrix Cloud Connect (ACC) provides enterprise-class secure remote access to Google Cloud. Aviatrix SSL VPN to Google Cloud offers global-scale, full-function remote access VPN capabilities, enabling an enterprise's employees and partners to connect directly into Google Cloud over VPN. Combined with Aviatrix cross-project and inter-cloud peering, ACC lets users securely access your environments with a single certificate, even when those environments are spread across multiple projects, networks, and cloud providers. This capability can reduce the time CloudOps spends on user VPN management, and comprehensive orchestration, monitoring, and logging bring efficiencies to deployment and operation.
Highlights of Aviatrix Cloud Connect
ACC supports the following:
- A wide range of clients: Windows, macOS, Linux, Chromebook, Android, and iOS.
- A scalable and highly available Cloud VPN solution.
- Remote access for end users to connect to the cloud directly.
- Multi-factor authentication: Duo, LDAP, and Okta.
- SAML authentication with Aviatrix proprietary VPN clients for Windows, macOS, and Linux.
- User-profile-based access rules that allow administrators to define and enforce access privileges to any resource (networks, protocols, and ports) in Google Cloud VPC networks at the perimeter of the enterprise cloud network.
- Active user dashboard and user browsing activity.
- Policy-based multi-region and multi-cloud (AWS, Azure, and GCP) encrypted peering.
- Multiple accounts for different business groups and projects.
- The following log forwarders for remote logging: Logstash, Splunk, Sumo Logic, and rsyslog.
- Split-tunnel and full-tunnel mode. Split-tunnel mode allows additional CIDRs to be pushed to the client.
- Modular configuration to support incremental configuration as your environment scales.
In addition, ACC offers the following advantages:
- Scales to a large number of VPN gateways, serving thousands of users and their bandwidth, by integrating with Cloud Load Balancing.
- Requires no extra hop to access instances in different projects.
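The split-tunnel and full-tunnel modes listed above determine which of a user's traffic is actually protected by the VPN. The following is an added example, not Aviatrix code, that models the client's resulting routing decision: pushed CIDRs always go through the tunnel, a default route is added only in full-tunnel mode, and a directly connected LAN still wins on longest-prefix match. It also includes a pre-flight check an administrator would want before pushing CIDRs, namely that none of them collides with a client's local network. All ranges are constructed.

```python
import ipaddress

# Added example, not Aviatrix code: split-tunnel vs full-tunnel client routing.
# All CIDRs and addresses below are constructed for illustration.

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def client_routes(pushed_cidrs, full_tunnel):
    """Routes a client installs: the pushed CIDRs always, 0.0.0.0/0 only in full-tunnel mode."""
    routes = {ipaddress.ip_network(c): "tunnel" for c in pushed_cidrs}
    if full_tunnel:
        routes[DEFAULT_ROUTE] = "tunnel"
    return routes


def egress_for(dst, routes, local_nets):
    """Longest-prefix match over tunnel routes and the client's directly connected networks.

    Returns "tunnel", "local", or "direct" (plain internet via the client's own gateway).
    """
    dst = ipaddress.ip_address(dst)
    candidates = [(net, via) for net, via in routes.items() if dst in net]
    candidates += [(net, "local") for net in local_nets if dst in net]
    if not candidates:
        return "direct"
    _net, via = max(candidates, key=lambda c: c[0].prefixlen)
    return via


def check_pushed_cidrs(pushed_cidrs, local_nets):
    """Return pushed CIDRs that overlap a client LAN.

    Destinations in such a CIDR are routed locally (or become unreachable) instead of
    through the tunnel, so the overlap should be resolved before the profile is pushed.
    """
    pushed = [ipaddress.ip_network(c) for c in pushed_cidrs]
    return [str(p) for p in pushed if any(p.overlaps(l) for l in local_nets)]


def run_sample():
    local = [ipaddress.ip_network("192.168.1.0/24")]   # constructed home/office LAN
    pushed = ["10.10.0.0/16", "10.20.0.0/16"]          # constructed cloud ranges
    split = client_routes(pushed, full_tunnel=False)
    full = client_routes(pushed, full_tunnel=True)
    return {
        "split_cloud": egress_for("10.10.4.2", split, local),       # protected either way
        "split_internet": egress_for("203.0.113.9", split, local),  # bypasses the VPN
        "full_internet": egress_for("203.0.113.9", full, local),    # inspected centrally
        "full_lan": egress_for("192.168.1.20", full, local),        # LAN still wins
        "collisions": check_pushed_cidrs(["10.10.0.0/16", "192.168.0.0/16"], local),
    }
```

The sample shows the operational trade-off behind the two modes: split tunnelling keeps internet traffic off the gateway but leaves it outside the enterprise's logging and policy, while full tunnelling sends everything except the local LAN through the cloud. The collision check flags 192.168.0.0/16 as a CIDR that should not be pushed to clients on that LAN.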
Encryption on Cloud Interconnect
For businesses adopting a hybrid-cloud architecture, Google Cloud provides dedicated connectivity to their environment through Cloud Interconnect. Cloud Interconnect lets you connect to Google over enterprise-grade connections with higher availability and/or lower latency than existing internet connections. Connections are offered by Cloud Interconnect service provider partners and might carry higher SLAs than standard internet connections. Google Cloud also supports direct connections to its network through direct peering. If you cannot meet Google Cloud at its peering locations, or do not meet the peering requirements, Cloud Interconnect may be the better option.
Compared to connections over the internet, Cloud Interconnect is reliable and offers higher speeds, lower latency, and increased security. It provides a private, high-bandwidth, low-latency link between your on-premises network and Google Cloud without traversing the internet. However, packets between your on-premises edge and Google Cloud travel through exchange points and third-party provider networks, and on those segments they are not encrypted.
Often, enterprises require encryption for security and compliance reasons. Google Cloud edge gateways that terminate Cloud Interconnect links do not support encryption on Cloud Interconnect links.
Aviatrix provides a solution that enables high-performance encryption on top of an established Cloud Interconnect link to a customer site.
Highlights of encryption on Cloud Interconnect
- No additional hardware is required to encrypt traffic.
- The central controller offers point-and-click deployment.
- The Aviatrix Gateway interoperates with third-party IPsec-enabled routing and firewall devices.
- Aviatrix gateways support 1:1 redundancy for high availability. The controller monitors the status of all IPsec tunnels; if a tunnel goes down, the controller automatically reprograms the cloud infrastructure routing table to switch traffic to the standby gateway instance.
- The controller provides diagnostic capabilities for troubleshooting the gateway and IPsec tunnel status.
- Extensive logging allows administrators to have complete visibility of network traffic.
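The redundancy highlight above describes a control loop: watch tunnel health, and when an active gateway's tunnel is down, re-point the cloud routes at its standby. The following is an added example, not Aviatrix code, that simulates that loop in memory so the decision logic can be seen on its own. It adds two practitioner details the highlight implies but does not spell out: a failure threshold so a single missed probe does not cause flapping, and a refusal to move a route onto a standby that is itself unhealthy. Gateway names, routes and health samples are constructed.

```python
from dataclasses import dataclass, field

# Added example, not Aviatrix code: in-memory simulation of tunnel-health-driven failover.
# Gateway names, route entries and the health samples are constructed for illustration.


@dataclass
class GatewayPair:
    primary: str
    standby: str

    def partner(self, gw):
        return self.standby if gw == self.primary else self.primary


@dataclass
class FailoverController:
    pairs: list                       # GatewayPair entries under management
    routes: dict                      # destination CIDR -> next-hop gateway name
    fail_threshold: int = 2           # consecutive failed probes before failing over
    failures: dict = field(default_factory=dict)   # gateway -> consecutive failures
    events: list = field(default_factory=list)     # human-readable audit trail

    def _pair_for(self, gw):
        for p in self.pairs:
            if gw in (p.primary, p.standby):
                return p
        return None

    def _healthy(self, gw):
        return self.failures.get(gw, 0) == 0

    def observe(self, tunnel_up):
        """Feed one round of probes: gateway name -> True if its IPsec tunnel is up."""
        for gw, up in tunnel_up.items():
            self.failures[gw] = 0 if up else self.failures.get(gw, 0) + 1
        self._reconcile()

    def _reconcile(self):
        """Re-point every route whose next hop has crossed the failure threshold."""
        for cidr, hop in list(self.routes.items()):
            pair = self._pair_for(hop)
            if pair is None or self.failures.get(hop, 0) < self.fail_threshold:
                continue
            standby = pair.partner(hop)
            if not self._healthy(standby):
                # Both members down: leave the route alone rather than blackhole it elsewhere.
                self.events.append(f"{cidr}: {hop} down, {standby} also unhealthy; route left in place")
                continue
            self.routes[cidr] = standby
            self.events.append(f"{cidr}: {hop} -> {standby}")


def run_sample():
    ctl = FailoverController(
        pairs=[GatewayPair("gw-a", "gw-b")],
        routes={"192.168.10.0/24": "gw-a", "192.168.20.0/24": "gw-a"},
    )
    ctl.observe({"gw-a": True, "gw-b": True})    # steady state
    ctl.observe({"gw-a": False, "gw-b": True})   # first missed probe: below threshold
    ctl.observe({"gw-a": False, "gw-b": True})   # second miss: both routes move to gw-b
    ctl.observe({"gw-a": True, "gw-b": True})    # gw-a recovers: no automatic fail-back
    return dict(ctl.routes), list(ctl.events)
```

Fail-back is deliberately left to the operator in this simulation: automatically moving routes back the moment the primary's tunnel reappears invites oscillation on a flapping link, and the audit trail in `events` gives the operator the record needed to decide. In a real deployment the `observe` input would come from the gateways' IPsec status and `routes` would be written to the cloud routing table, which this example does not touch.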
GCP deployment guides for Aviatrix
- Aviatrix Cloud Controller Setup Guide
- Setting up GCP Permissions for Aviatrix
- Configuring NET Peering for GCP
- Configuring user VPN for GCP
Aviatrix white papers