Multi Cloud - ganeshahv/Contrail_SRE GitHub Wiki

AWS

Azure

  1. Azure only supports Availability Zones in certain regions.

  2. Virtual Network Gateways are the termination constructs for hybrid connectivity, whether VPN or ExpressRoute.

  3. ResourceGroup groups items together for better organization control of a specific workload.

  4. AD Tenant is the top level organizational structure in Azure.

  5. Azure Virtual WAN as a platform does not provide encryption within the cloud, does not provide a multi-cloud architecture, and does not support 3rd party devices in the hub.

  6. ExpressRoute circuit in Azure can terminate on ExpressRoute Gateway or Virtual Network Gateway.

  7. NVA in Azure is a 3rd party device in the Azure marketplace.

  8. SNAT being required for traffic symmetry, and User Defined Route management at scale, are the challenges with using an NVA to provide spoke-to-spoke communication in Azure.

GCP

  1. GCP private dedicated connectivity is referred to as Cloud Interconnect.
  2. A Virtual Machine is an example of a Zonal Resource.
  3. A VPC is an example of a Global Resource.
  4. For a single user, GCP resources are structurally organized in a Project.
  5. Auto Mode in GCP means subnets are created in each region.
  6. GCP supports dynamic routes within the cloud.

OCI

  1. Virtual cloud networks are called VCN in OCI.
  2. OCI subnets are not tied to Availability Domains.
  3. There can be 5 DRGs in an OCI Region.
  4. Overlapping IPs are not allowed when peering VCNs in OCI.
  5. In OCI you need to specify a Compartment ID when creating resources.

MCNA

  1. Cloud Core, Operations, and Access are the main pillars of the MCNA.
  2. Security and Visibility is inserted throughout the MCNA Architecture.
  3. A Normalized Data Plane and a Centralized Control Plane that are repeatable across cloud providers are a benefit of having a Multi-Cloud Network Architecture.
  4. Go Build, Vendor Lock-In and Black Box are some of the customer challenges in cloud.
  5. Transit is the most important aspect of any multi-cloud network.
  6. The Cloud Core layer of the MCNA provides Normalized Data plane across clouds.
  7. Cloud Access in MCNA provides common access for SDWAN, Direct Connect options from cloud providers and VPN connectivity.
  8. The core principle of MCNA is a multi-cloud network and security framework for consistent deployment across clouds.

Aviatrix

  1. Aviatrix Systems is the pioneer of Multi-Cloud Network Architecture (MCNA).

  2. MCNA provides a consistent and repeatable architecture across multiple clouds.

  3. Aviatrix implements a data plane through dynamic and software-defined routing with a centralized control plane.

  4. Security is built into the network architecture through segmentation, encryption, ingress and egress filtering, and security services insertion.

  5. MCNA architecture defines four distinct layers at a high level. These are Cloud Core, Cloud Security, Cloud Access, and Cloud Operations.

  6. Architecture

  7. A centralised controller is also the entry-point for multi-cloud automation, which can be done using APIs or Terraform.

  8. The Aviatrix gateways act as a Distributed and Common Data-Plane.

  9. Aviatrix services are also integrated with AWS GuardDuty to block malicious activity automatically at the Virtual Private Cloud network level.

ACE

  1. Aviatrix Transit Solution is built using Aviatrix IPSEC for encryption by default, with an option for high performance.
  2. Cloud environments are not natively encrypted, and native encryption is limited to 1.25G and tied to a single core within compute.
  3. Controller, Gateways and Co-Pilot are the components within the Aviatrix Platform.
  4. Native solutions build tunnels across a single core only, limiting IPSEC to 1.25G.
  5. The Aviatrix FQDN Egress Filter supports both centralized and distributed egress methods.
  6. Aviatrix can extend native AWS features like GuardDuty to provide enforcement of alerts.
  7. Aviatrix Transit provides End to End Encryption, is repeatable across Clouds and ensures complete visibility and control.
  8. With Aviatrix HPE, customers can get near line rate encryption within the cloud, between clouds and between on-prem and cloud.
  9. Aviatrix can provide filtering of partner route advertisements through a BGP Approval Process.
  10. Challenges with inserting firewalls in the cloud include:
    1. Repackaged Firewall Solution from on-prem world
    2. Native Firewall Solutions are primarily L4 firewalls
    3. Customer required to configure and manage routing
  11. Aviatrix can achieve 70G throughput with Firenet.
  12. The Aviatrix Site to Cloud offers support for Network Address Translation (NAT), TCP and UDP tunnels, and template-driven configuration.
  13. Aviatrix Firenet can orchestrate the firewall deployment, firewall routing, and VNET/VPC routing for NGFW insertion.
  14. The Aviatrix User VPN solution allows profile based granular access control.
  15. DUO, Okta, AD and SAML are some of the 3rd party integrations available for Aviatrix User VPN.
  16. Security Domains allow customers to group VPC/VNETs with common security properties for access.
  17. Aviatrix Site 2 Cloud can also be used to onboard IoT devices.
  18. Aviatrix Private S3 solution provides private access (RFC1918 only) to S3 buckets without the need of public addresses.
  19. Aviatrix is a multi-cloud Terraform provider.
  20. Aviatrix can provide packet captures of live traffic.
  21. Aviatrix uses a Lambda script, an S3 bucket and an auto scaling group for Controller HA in AWS.
  22. Flight Path provides a visual walk-through based on source and destination to highlight path issues.
  23. Limited visibility into native constructs and lack of standard troubleshooting tools like ping, traceroute, etc. are some operational challenges that customers face in the cloud.
  24. The Aviatrix controller can perform auditing of routing constructs. This ensures that no new routes have been added that could affect end-to-end network correctness.
  25. Common troubleshooting tasks like ping and traceroute can be run from any Aviatrix gateway.
  26. Aviatrix upgrades are hitless.
  27. Customers can spin up a single Aviatrix controller and on-board multiple cloud accounts for management.
  28. CoPilot must be deployed only once to gain visibility across your multi-cloud network.
  29. CoPilot topology can provide customized visibility options, custom tagging of resources and diagnostic functions from gateways.
  30. CoPilot provides geolocation features for data traffic.
  31. Aviatrix FlowIQ provides netflow data across the multi-cloud network for all traffic seen by gateways.
  32. FlowIQ provides summarization of netflow data, but for specific records we must perform tasks on the gateways.
  33. Aviatrix CoPilot provides intelligent visibility into cloud networks through dynamic topology, netflow, troubleshooting.
  34. CoPilot allows for custom filters to limit data to defined resources, applications, and flows.
  35. A single controller is needed to run a multi-cloud environment consisting of OCI, Azure and GCP.
  36. CloudFormation template from docs.aviatrix.com is the recommended or easiest way of deploying the Aviatrix controller in AWS.
  37. Aviatrix Controller cannot be deployed in an on-prem DC.