Secure Cloud Networking – Beyond Cloud Boundaries. When you are learning cloud, networking examples are just complicated enough to get you exposed to the networking fundamentals of that cloud. Real-life is quite a bit different. Matt Kazmar, Rod Stuhlmuller, Corbin Louks and Mark Cunningham from Aviatrix walks us through the complications of cloud networking, especially those encountered beyond one cloud.

1. Secure Cloud Networking
Beyond Cloud Boundaries

2. Agenda
●Introduction
●What is Aviatrix Secure Cloud Networking?
●Embedding Security Into Your Cloud
Network
●Business Value Overview
●Aviatrix CoPilot Demo
●Deep Dive and Open Q&A

3. 3
3
Iconic Enterprise Brands Choose Aviatrix for Cloud
Networking
64 Global Fortune 500

4. 4
Gartner Recommends Aviatrix
4
“Organizations looking for advanced networking functionality missing from native
public cloud providers and/or those that desire a consistent networking console
across multiple public cloud providers, should shortlist Aviatrix”

5. 5
5
Private Interconnect

6. 6
6
Aviatrix
Controller
Private Interconnect
Programmatically Leverages and Controls Native Constructs
1
VPC VPC VCN VCN
VPC VPC
VNET VNET
VPC VPC
Available in Cloud Marketplaces

7. 7
7
VPC VPC VCN VCN
VPC VPC
VNET VNET
VPC VPC
Region 1
Region 2
Private Interconnect
Aviatrix
Controller
Private Interconnect
Adds Advanced Networking and Security on Top In Each Cloud
2

8. 8
8
VPC VPC VCN VCN
VPC VPC
VNET VNET
VPC VPC
Region 1
Region 2
Private Interconnect
Aviatrix
Controller
Consistent Networking

9. 9
9
VPC VPC VCN VCN
VPC VPC
VNET VNET
VPC VPC
Region 1
Region 2
Private Interconnect
Aviatrix
Controller
Consistent Visibility and Troubleshooting

10. 10
10
VPC VPC VCN VCN
VPC VPC
VNET VNET
VPC VPC
Region 1
Region 2
Private Interconnect
Aviatrix
Controller
Consistent Security

11. 11
11
VPC VPC VCN VCN
VPC VPC
VNET VNET
VPC VPC
Region 1
Region 2
Private Interconnect
Aviatrix
Controller
Consistent Automation

12. 12
VPC VPC VCN VCN
VPC VPC
VNET VNET
VPC VPC
Region 1
Region 2
Private Interconnect
Aviatrix
Controller
CLOUD 2 CLOUD 3 CLOUD 4
Other “Multi-Cloud” Solutions
12

13. 13
13
Security Embedded Into Your Cloud Network

14. 14
14
VPC VPC VCN VCN
VPC VPC
VNET VNET
VPC VPC
Region 1
Region 2
Private Interconnect
Aviatrix
Controller
Threat Database
“Malicious IPs” “All Seeing” Data Plane
ThreatIQ with ThreatGuard
CLOUD 2 CLOUD 3 CLOUD 4

15. 15
15
VPC VPC VCN VCN
VPC VPC
VNET VNET
VPC VPC
Region 1
Region 2
Private Interconnect
Aviatrix
Controller
Threat Database
“Malicious IPs”
Critical Threat
Discovery and
Notification
ThreatIQ with ThreatGuard

16. 16
16

17. 17
17
VPC VPC VCN VCN
VPC VPC
VNET VNET
VPC VPC
Region 1
Region 2
Private Interconnect
Aviatrix
Controller
Threat Database
“Malicious IPs”
Critical Threat
Automatic
Remediation
ThreatIQ with ThreatGuard

18. 18
Network Behavior Analytics – Built Into Your Cloud
Network
18
Secure
Cloud
Networking
Next Gen
Firewalls
Malicious
IPs
Known Threat
Signatures
Network
Behavior
Analytics
Distributed
Inspection
Distributed
Control
New Capability of Aviatrix ThreatIQ™
- Fingerprints workload and traffic characteristics to form
baseline
- Custom for every environment
- Identifies and alerts on abnormal network behavior
- Not dependent on signatures or known threat database
- Continuous baselining, ”learns” and improves over time
Baseline
(Normal) Current
Behavior
Anomaly detected; Alert Sent
Example Behavior Analysis: Actionable Intelligence that may be
an indicator of Data Exfiltration, Lateral Movement, New
Ports/Protocols, DDoS attacks, Port scan detection, or unencrypted
traffic flows

19. 19
Aviatrix Business Value Across Multiple Teams
Increase Revenue Growth with Business Innovation
• Drive higher revenue and margins from existing
customers
• Expand into new markets and quickly onboard new
customers
• Faster product time-to-market and revenue
• Accelerate acquisition integrations
Increase Control, Visibility, and Resource Efficiency
• Faster monitoring and troubleshooting, lower MTTR
• Automated provisioning using Terraform and APIs
• Higher efficiency in network engineering and
security teams
Bridge the Skills Gap
• Reduce recruiting and training expenses
• Reallocate high-value resources to more strategic
functions
• Reduce operational costs by retiring legacy tech
debt
Reduce Business Risk
• Identify and Remediate know threats automatically
• End-to-End and high-performance encryption
• Multi-cloud network segmentation

20. Aviatrix CoPilot Demo
Mark Cunningham
20

21. 21
21

22. 22
22

23. 23
23

24. 24
24

25. Datacenter Networking
Where we came from
25

26. Back in Time

27. Overlay the Datacenter

28. Security in the Network

29. Why did you do this to me?
The pain of the traditional Network Engineer.
29

30. Trying to Network in the Cloud

31. A VPC is a VPC until it isn’t.
AWS Azure Google Cloud Platform
Scope Regional Regional Global; subnets are regional
Address Space Defined at VPC level; subnets
must be within.
Defined at VNET level; subnets
must be within.
Not defined at VPC level; subnets
can use any CIDR.
Static Routing Route Tables per subnet; can
override subnet routes.
Route Tables per Subnet; can
provide per VM
microsegmentation.
Global Route table; granularity
supplied by network tags; subnet
routes cannot be overridden.
BGP support On VPN and DirectConnect only Route Server, VPN,
ExpressRoute
NCC, VPN, Cloud Interconnect
Network level
security
NACLs and Security groups Network Security Groups Global Firewall rules; granularity
supplied by network tags.
Layer 7 Firewall AWS Network Firewall Azure Network Firewall None
Private external
connectivity
VPN and DirectConnect on VGW
and TGW
VPN and ExpressRoute on
respective gateway types.
VPN Gateway or VLAN attachments
Native Transit
options
TGW vWAN None
Visibility VPC Flow Logs NSG Flow Logs VPC Flow Logs

32. AWS
Network Architecture
32
Azure

33. AWS
Firewall Insertion Architecture
33
Azure
Google

34. IPSec Performance Limitations
vCPU
vCPU
vCPU
vCPU
vCPU
vCPU
vCPU
vCPU
Traditional Tunnel
Encryption/
Decryption
Encryption/
Decryption
UDP/ESP
~ 1.25 Gbps
Azure
VPN GW
3rd party router
firewall
• Software based IPSec VPN
solutions have limits, max
performance of 1.25 Gbps with
VGW
• Packet flows can only utilize
single core, despite of
availability of multiple cores

35. A Cloud Provider network

36. Cloud Provider visibility
● The VPC and NSG flow logs are some variation of JSON.
● Any kind of visualization requires a significant amount of configuration and cost to stay
with the same vendor.
● Google requires configuration of a Cloud Logging sink to BigQuery, then visualization by something like
Data Studio.
● Azure can forward logs to Log Analytics.
● Alternatively, logs can be processed by a tool such as Splunk or other SEIM. These have
the same problems as the native solutions.
● AWS’s TGW and Azure’s vWAN do not have significant logging either. If something is
wrong, you may be staring at configurations instead of data.

37. Example record
37
{
"insertId": "12ut1l1fg1wbd6",
"jsonPayload": {
"packets_sent": "8",
"end_time": "2022-01-12T00:57:34.838547102Z",
"src_gke_details": {
"cluster": {
"cluster_name": "gke-istio",
"cluster_location": "us-central1"
}
},
"bytes_sent": "1410",
"src_instance": {
"zone": "us-central1-c",
"vm_name": "gke-gke-istio-default-pool-4405d9b3-
22bq",
"project_id": “x",
"region": "us-central1"
},
"rtt_msec": "0",
"src_vpc": {
"vpc_name": "gke-workload-1",
"project_id": “x",
"subnetwork_name": "gke-istio-1"
},
"reporter": "SRC",
"connection": {
"protocol": 6,
"src_port": 55284,
"dest_ip": "34.123.239.193",
"src_ip": "10.201.0.56",
"dest_port": 443
},
"start_time": "2022-01-12T00:57:34.829503833Z",
"dest_location": {
"asn": 15169,
"continent": "America",
"country": "usa"
}
},
"resource": {
"type": "gce_subnetwork",
"labels": {
"subnetwork_name": "gke-istio-1",
"subnetwork_id": "5399475313982064650",
"project_id": "lexical-period-304315",
"location": "us-central1-c"
}
},
"timestamp": "2022-01-12T00:57:41.274322590Z",
"logName":
"projects/x/logs/compute.googleapis.com%2Fvpc_flows",
"receiveTimestamp": "2022-01-12T00:57:41.274322590Z"
}

38. Secure Cloud Networking 101
Flatten the Learning Curve.
38

39. 39
Aviatrix Cloud Network Platform Software
39
Aviatrix
Controller
HUB & SPOKE
Aviatrix Gateways
API
Cloud Networking Abstraction
Single Multi-Cloud Provider
Not a SaaS or
Managed Service.
It’s Yours. Aviatrix
CoPilot
1
2
4
3
Native Cloud
Constructs
API
Advanced
Networking
and Security
Service Insertion
and Chaining

40. 40
Single or Multi-Cloud Networking and Security
40
Aviatrix
Controller
VPC VPC VCN VCN
Region 1
Region 2
VPC VPC
VNET VNET
VPC VPC
1. Single Cloud
Multi-Account
High-Availability (Active-Active)
End-to-End Encryption
Network Correctness
2. Multi-Region
3. Multi-Cloud Repeatable Design 6. Service Insertion & Chaining
4. High-Performance Encryption
1 2 3
6
4
Single Multi-Cloud
Provider
5. Single / Multi-Cloud Network Segmentation
5
VPC VPC
10. Cloud-Native
8. Secure Cloud Access
8
10
INTERNET
9
7. Enterprise Operational Visibility
7
9. Secure Ingress and Egress
Aviatrix
CoPilot
Private Interconnect

41. • Aviatrix builds multiple tunnels between Aviatrix devices
• Utilizes all available CPU cores
• IPSec encryption performance can be from 10Gbps to 90Gbps
vCPU
vCPU
vCPU
vCPU
vCPU
vCPU
vCPU
vCPU
Encryption/
Decryption
Encryption/
Decryption
High Performance
N x Tunnels
UDP/ESP
High Performance Encryption
Up to 90 Gbps
Aviatrix
Transit or
Spoke GW
Aviatrix
Transit GW
Aviatrix
Transit or
Spoke GW
Aviatrix
CloudN
Appliance
Aviatrix High Performance Encryption (HPE)

42. Security Domains/Segmentation
OR-Transit
10.160.0.0/16
65013
OR-Spoke-1
AZSC-Transit
172.16.10.0/16
65020
DATA CENTER
10.200.0.0/16
65050
10.150.89.134
OR-Spoke-3
10.152.24.64
OR-SS
10.154.90.201
AZSC-Spoke-1
172.16.6.20 172.16.7.20
AZSC-Spoke-2
Partner-1
10.201.0.0/16
Partner-2
10.202.0.0/16
42
Production Production Development
On prem
Partner
Partner

43. Full Netflow Visibility with Geolocation
43

44. Aviatrix ThreatIQ
44

45. Aviatrix ThreatGuard
45

46. Designs and
Reference Architectures
Aviatrix and Google Cloud Platform

47. ● Visibility at each Aviatrix
Gateway hop provided by
CoPilot.
● Customer has E-W
Inspection provided by
Firenet.
● Branch connectivity is
provided by an SDWAN
appliance.
● Connectivity to the
datacenter/colo is provided
by a Hosted Cloud
Interconnect circuit.
Full GCP Design with
SDWAN and Interconnect
47

48. A customer with two Clouds
can easily connect the two
clouds with High Performance
Encryption.
In the event of DirectConnect
or Cloud Interconnect failure,
traffic can seamlessly flow via
the functional circuit.
AWS and GCP Dual
Cloud Environment

49. GKE Native Ingress using the
HTTPS or TCP Load Balancer
options use the GKE Nodes as
the Endpoints. This means
that requests will enter the
Cluster directly, bypassing
firewalls.
Using Aviatrix with a reverse
proxy enables use of Google
Cloud Armor and NGFW
inspection.
Google Kubernetes Engine
Ingress with NGFW Inspection

50. ● Customer has a free-for-all in
Azure. Business units spin up
cloud resources without
thought to coordination or
security.
● Corporate IT is reigning it in.
● Requires private
connectivity from Azure to
GCP.
● Requires overlapping IP
support during the
migration period.
Overlapping IP
Migration in Azure
50