Secure Cloud Networking – Beyond Cloud Boundaries. When you are learning cloud, networking examples are just complicated enough to expose you to the networking fundamentals of that cloud. Real life is quite a bit different. Matt Kazmar, Rod Stuhlmuller, Corbin Louks and Mark Cunningham from Aviatrix walk us through the complications of cloud networking, especially those encountered beyond one cloud.
2. Agenda
● Introduction
● What is Aviatrix Secure Cloud Networking?
● Embedding Security Into Your Cloud Network
● Business Value Overview
● Aviatrix CoPilot Demo
● Deep Dive and Open Q&A
4. Gartner Recommends Aviatrix
“Organizations looking for advanced networking functionality missing from native public cloud providers and/or those that desire a consistent networking console across multiple public cloud providers, should shortlist Aviatrix”
7. Adds Advanced Networking and Security on Top In Each Cloud
[Diagram: an Aviatrix Controller managing VPCs, VNETs and VCNs across Region 1 and Region 2, joined by Private Interconnect]
18. Network Behavior Analytics – Built Into Your Cloud Network
[Diagram: Secure Cloud Networking layers – Next Gen Firewalls, Malicious IPs, Known Threat Signatures, Network Behavior Analytics, Distributed Inspection, Distributed Control]
New Capability of Aviatrix ThreatIQ™
- Fingerprints workload and traffic characteristics to form baseline
- Custom for every environment
- Identifies and alerts on abnormal network behavior
- Not dependent on signatures or known threat database
- Continuous baselining, “learns” and improves over time
[Chart: Baseline (Normal) vs Current Behavior – anomaly detected; alert sent]
Example Behavior Analysis: Actionable Intelligence that may be an indicator of Data Exfiltration, Lateral Movement, New Ports/Protocols, DDoS attacks, Port scan detection, or unencrypted traffic flows
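The baseline-then-compare idea on this slide, as an added illustration that is not Aviatrix or ThreatIQ code: a per-source fingerprint (ports/protocols used, typical bytes per flow) is learned from a window of normalized flow records, and a later window is checked for new ports, oversized transfers and port sweeps. All flows, thresholds and field names are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

def flow(src, dst, dport, proto, nbytes):
    """Minimal normalized flow record (what a flow-log parser would emit)."""
    return {"src": src, "dst": dst, "dport": dport, "proto": proto, "bytes": nbytes}

# Constructed learning window: an app server talking to its database and an API endpoint.
BASELINE_FLOWS = (
    [flow("10.0.1.10", "10.0.2.20", 5432, "tcp", b) for b in (4100, 4800, 5200, 3900)]
    + [flow("10.0.1.10", "10.0.3.5", 443, "tcp", b) for b in (2100, 1900)]
)
# Constructed current window: normal traffic plus three deviations.
CURRENT_FLOWS = (
    [flow("10.0.1.10", "10.0.2.20", 5432, "tcp", 4500),
     flow("10.0.1.10", "203.0.113.50", 443, "tcp", 900_000),  # large push to an external host
     flow("10.0.1.10", "10.0.2.20", 22, "tcp", 600)]           # SSH never seen in the baseline
    + [flow("10.0.9.9", "10.0.2.20", p, "tcp", 60) for p in range(1, 26)]  # unknown host sweeping ports
)

def build_baseline(flows):
    """Per-source fingerprint: the set of (dport, proto) used and the mean bytes per flow."""
    services, sizes = defaultdict(set), defaultdict(list)
    for f in flows:
        services[f["src"]].add((f["dport"], f["proto"]))
        sizes[f["src"]].append(f["bytes"])
    return {s: {"services": services[s], "avg_bytes": mean(sizes[s])} for s in services}

def analyze(baseline, flows, exfil_factor=10, scan_ports=20):
    """Compare a window against the baseline; returns (kind, source, detail) alerts."""
    alerts, new_sources = [], set()
    ports_per_pair = defaultdict(set)
    for f in flows:
        ports_per_pair[(f["src"], f["dst"])].add(f["dport"])
        b = baseline.get(f["src"])
        if b is None:  # no fingerprint at all for this source
            if f["src"] not in new_sources:
                new_sources.add(f["src"])
                alerts.append(("new_source", f["src"], None))
            continue
        key = (f["dport"], f["proto"])
        if key not in b["services"]:
            alerts.append(("new_port_or_protocol", f["src"], key))
        if f["bytes"] > exfil_factor * b["avg_bytes"]:
            alerts.append(("possible_exfiltration", f["src"], f["bytes"]))
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= scan_ports:
            alerts.append(("port_scan", src, dst))
    return alerts
```

Running `analyze(build_baseline(BASELINE_FLOWS), CURRENT_FLOWS)` yields one alert per deviation; a real system would keep re-learning the baseline as the slide describes, whereas this one learns it once.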
19. Aviatrix Business Value Across Multiple Teams
Increase Revenue Growth with Business Innovation
• Drive higher revenue and margins from existing customers
• Expand into new markets and quickly onboard new customers
• Faster product time-to-market and revenue
• Accelerate acquisition integrations
Increase Control, Visibility, and Resource Efficiency
• Faster monitoring and troubleshooting, lower MTTR
• Automated provisioning using Terraform and APIs
• Higher efficiency in network engineering and security teams
Bridge the Skills Gap
• Reduce recruiting and training expenses
• Reallocate high-value resources to more strategic functions
• Reduce operational costs by retiring legacy tech debt
Reduce Business Risk
• Identify and remediate known threats automatically
• End-to-end and high-performance encryption
• Multi-cloud network segmentation
31. A VPC is a VPC until it isn’t.

| | AWS | Azure | Google Cloud Platform |
|---|---|---|---|
| Scope | Regional | Regional | Global; subnets are regional |
| Address Space | Defined at VPC level; subnets must be within. | Defined at VNET level; subnets must be within. | Not defined at VPC level; subnets can use any CIDR. |
| Static Routing | Route tables per subnet; can override subnet routes. | Route tables per subnet; can provide per-VM microsegmentation. | Global route table; granularity supplied by network tags; subnet routes cannot be overridden. |
| BGP support | On VPN and DirectConnect only | Route Server, VPN, ExpressRoute | NCC, VPN, Cloud Interconnect |
| Network level security | NACLs and Security Groups | Network Security Groups | Global firewall rules; granularity supplied by network tags. |
| Layer 7 Firewall | AWS Network Firewall | Azure Network Firewall | None |
| Private external connectivity | VPN and DirectConnect on VGW and TGW | VPN and ExpressRoute on respective gateway types. | VPN Gateway or VLAN attachments |
| Native Transit options | TGW | vWAN | None |
| Visibility | VPC Flow Logs | NSG Flow Logs | VPC Flow Logs |
34. IPSec Performance Limitations
[Diagram: traditional tunnel between an Azure VPN GW and a 3rd-party router/firewall – eight vCPUs available, but a single UDP/ESP tunnel whose encryption/decryption is bound to one core, ~1.25 Gbps]
• Software-based IPSec VPN solutions have limits, max performance of 1.25 Gbps with VGW
• Packet flows can only utilize a single core, despite the availability of multiple cores
36. Cloud Provider visibility
● The VPC and NSG flow logs are some variation of JSON.
● Any kind of visualization requires a significant amount of configuration and cost to stay with the same vendor.
● Google requires configuration of a Cloud Logging sink to BigQuery, then visualization by something like Data Studio.
● Azure can forward logs to Log Analytics.
● Alternatively, logs can be processed by a tool such as Splunk or another SIEM. These have the same problems as the native solutions.
● AWS’s TGW and Azure’s vWAN do not have significant logging either. If something is wrong, you may be staring at configurations instead of data.
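To make the "some variation" point concrete, here is an added example (not code from the deck or from Aviatrix) that parses one AWS VPC flow log record in the default space-separated format and one Azure NSG flow log flowTuple into a common schema, so a cross-cloud question can be answered from both. The records are constructed; the NSG field order assumes the version 2 tuple layout (timestamp, addresses, ports, protocol, direction, decision, state, four traffic counters).

```python
# Constructed sample records, not real log data.
AWS_VPC_FLOW_LINE = (
    "2 123456789012 eni-0a1b2c3d4e5f60718 10.10.1.25 203.0.113.9 "
    "49712 443 6 12 8840 1700000000 1700000059 ACCEPT OK"
)
AZURE_NSG_FLOW_TUPLE = "1700000001,10.20.0.4,203.0.113.9,50321,443,T,O,A,E,14,9120,11,6200"

PROTO_NAMES = {"6": "tcp", "17": "udp", "T": "tcp", "U": "udp"}

def parse_aws_vpc_flow(line):
    """AWS VPC flow log, default (version 2) format: 14 space-separated fields."""
    f = line.split()
    if len(f) != 14 or f[0] != "2":
        raise ValueError("unsupported VPC flow log record")
    return {
        "cloud": "aws", "ts": int(f[10]), "src": f[3], "dst": f[4],
        "sport": int(f[5]), "dport": int(f[6]), "proto": PROTO_NAMES.get(f[7], f[7]),
        "bytes": int(f[9]), "action": "allow" if f[12] == "ACCEPT" else "deny",
        "direction": None,  # VPC flow logs carry no direction field
    }

def parse_azure_nsg_tuple(tuple_str):
    """Azure NSG flow log v2 flowTuple (assumed layout): ts,src,dst,sport,dport,proto,
    dir,decision,state,pkts_out,bytes_out,pkts_in,bytes_in; counters are empty on 'B' records."""
    f = tuple_str.split(",")
    if len(f) != 13:
        raise ValueError("unsupported NSG flow tuple")
    return {
        "cloud": "azure", "ts": int(f[0]), "src": f[1], "dst": f[2],
        "sport": int(f[3]), "dport": int(f[4]), "proto": PROTO_NAMES.get(f[5], f[5]),
        "bytes": int(f[10] or 0) + int(f[12] or 0),
        "action": "allow" if f[7] == "A" else "deny",
        "direction": "out" if f[6] == "O" else "in",
    }

def bytes_per_destination(records):
    """Once both clouds share one schema, a cross-cloud question is a single pass."""
    totals = {}
    for r in records:
        totals[r["dst"]] = totals.get(r["dst"], 0) + r["bytes"]
    return totals

ALL_FLOWS = [parse_aws_vpc_flow(AWS_VPC_FLOW_LINE), parse_azure_nsg_tuple(AZURE_NSG_FLOW_TUPLE)]
```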
39. Aviatrix Cloud Network Platform Software
[Diagram: Native Cloud Constructs reached via API; a Cloud Networking Abstraction acting as a single multi-cloud provider; the Aviatrix Controller with Aviatrix Gateways in hub & spoke and Aviatrix CoPilot; Advanced Networking and Security with Service Insertion and Chaining. Not a SaaS or Managed Service. It’s Yours.]
40. Single or Multi-Cloud Networking and Security
[Diagram: Aviatrix Controller and CoPilot over VPCs, VNETs and VCNs in Region 1 and Region 2, joined by Private Interconnect and the Internet, acting as a single multi-cloud provider]
1. Single Cloud
Multi-Account
High-Availability (Active-Active)
End-to-End Encryption
Network Correctness
2. Multi-Region
3. Multi-Cloud Repeatable Design
4. High-Performance Encryption
5. Single / Multi-Cloud Network Segmentation
6. Service Insertion & Chaining
7. Enterprise Operational Visibility
8. Secure Cloud Access
9. Secure Ingress and Egress
10. Cloud-Native
41. Aviatrix High Performance Encryption (HPE)
• Aviatrix builds multiple tunnels between Aviatrix devices
• Utilizes all available CPU cores
• IPSec encryption performance can be from 10Gbps to 90Gbps
[Diagram: N x UDP/ESP tunnels between an Aviatrix Transit GW and an Aviatrix Transit or Spoke GW or Aviatrix CloudN appliance; encryption/decryption spread across all eight vCPUs; High Performance Encryption up to 90 Gbps]
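Why one tunnel pins to one core (slide 34) and N tunnels can use N cores (slide 41), as an added model that is not Aviatrix's implementation: a NIC's receive-side scaling picks a queue (and so a core) by hashing the outer packet header, so a single UDP-encapsulated ESP tunnel produces one hash and one queue, while spreading inner flows over several tunnels with distinct outer ports produces several. The hash, addresses, port scheme and core count are simplifying assumptions.

```python
import hashlib
from collections import Counter

N_CORES = 8  # matches the vCPU count drawn on the slides

def rss_queue(outer_src, outer_dst, sport, dport, ncores=N_CORES):
    """Simplified receive-side-scaling model: hash the outer header, pick a queue/core."""
    key = f"{outer_src}|{outer_dst}|{sport}|{dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % ncores

def inner_flows(n):
    """Constructed workload: n distinct TCP flows that must cross the tunnel."""
    return [(f"10.1.0.{i % 250 + 1}", f"10.2.0.{(i * 7) % 250 + 1}", 40000 + i, 443)
            for i in range(n)]

def encapsulate(flows, gw_a, gw_b, n_tunnels):
    """Assign each inner flow to one of n_tunnels UDP/ESP tunnels between two gateways.
    With n_tunnels == 1 every packet gets the same outer header (single SA); the HPE
    approach spreads flows over N tunnels, modelled here by distinct UDP source ports."""
    outer = []
    for src, dst, sport, dport in flows:
        h = hashlib.sha256(f"{src}|{dst}|{sport}|{dport}".encode()).digest()
        tunnel = int.from_bytes(h[:4], "big") % n_tunnels
        outer.append((gw_a, gw_b, 4500 + tunnel, 4500))  # UDP-encapsulated ESP
    return outer

def cores_used(outer_packets, ncores=N_CORES):
    """Packets per core at the receiving gateway, i.e. how much decryption parallelism exists."""
    return Counter(rss_queue(*p, ncores=ncores) for p in outer_packets)

def compare(n_flows=1000, n_tunnels=N_CORES):
    """Return (cores busy with one tunnel, cores busy with n_tunnels) for the same workload."""
    flows = inner_flows(n_flows)
    single = cores_used(encapsulate(flows, "198.51.100.1", "198.51.100.2", 1))
    multi = cores_used(encapsulate(flows, "198.51.100.1", "198.51.100.2", n_tunnels))
    return len(single), len(multi)
```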
47. Full GCP Design with SDWAN and Interconnect
● Visibility at each Aviatrix Gateway hop provided by CoPilot.
● Customer has E-W Inspection provided by Firenet.
● Branch connectivity is provided by an SDWAN appliance.
● Connectivity to the datacenter/colo is provided by a Hosted Cloud Interconnect circuit.
48. AWS and GCP Dual Cloud Environment
A customer with two clouds can easily connect the two clouds with High Performance Encryption.
In the event of DirectConnect or Cloud Interconnect failure, traffic can seamlessly flow via the functional circuit.
49. Google Kubernetes Engine Ingress with NGFW Inspection
GKE Native Ingress using the HTTPS or TCP Load Balancer options uses the GKE Nodes as the Endpoints. This means that requests will enter the Cluster directly, bypassing firewalls.
Using Aviatrix with a reverse proxy enables use of Google Cloud Armor and NGFW inspection.
50. Overlapping IP Migration in Azure
● Customer has a free-for-all in Azure. Business units spin up cloud resources without thought to coordination or security.
● Corporate IT is reining it in.
● Requires private connectivity from Azure to GCP.
● Requires overlapping IP support during the migration period.