Aviatrix, a Google Cloud Technology Partner, is a leader in solving customers’ complex
networking, security, visibility, and multi-cloud needs. Built upon the Aviatrix Cloud Network Platform, Aviatrix products integrate with several Google Cloud APIs and services, enabling customers to launch, control, and interact with Google Cloud services while delivering networking security and operational visibility across Google Cloud and multiple clouds.
Google Cloud provides an impressive set of capabilities for building out cloud networking and security architectures. As these architectures grow in complexity to encompass many Google Cloud projects and regions, it can become difficult to gain a holistic control and view of the network. Aviatrix augments Google Cloud cloud-native functionality with enterprise-grade management, troubleshooting, and monitoring platform.
Strengthening Aviatrix and Google Cloud Partnership with Network Connectivity Center
We are excited to announce the Aviatrix support for Google Cloud Network Connectivity Center. The integrated solution allows enterprise customers to connect applications running in Google Cloud, SaaS, or other public clouds to branches and data centers. These branches and data centers could be on-premises physical locations, in Google Cloud, or any other clouds. The joint solution provides cloud networking, traffic engineering, security, service insertion, and automation with the visibility and control enterprises demand.
Catering Enterprise Demands
The solution is well-positioned to cater to the needs of small to large enterprise customers across all verticals. These could be Google Cloud-only enterprise customers or customers using multiple clouds such as AWS, Azure, OCI, Alibaba, etc. As networks are constructed in the cloud, there will always be a need to provide data center and branch connectivity. These off-cloud sites could reside in a physical on-premises location or other public clouds. The solution provides answers to all the challenges faced by enterprises today and in years to come.
Integrated Solution Description
The foundation for the integrated solution is based on the Aviatrix Cloud Networking platform that builds a Multi-Cloud Network Architecture (MCNA) using the Aviatrix Transit and Spoke gateways in respective VPCs. The diagram below depicts the overview of this integrated solution.
The Aviatrix controller provisions and controls networking resources in Google Cloud, other public clouds, data centers, and branches. Aviatrix CoPilot provides network visibility and insights for the cloud networks. Once the network is built, it easily integrates with Google Cloud Network Connectivity Center and the other native Google Cloud capabilities to offer applications advanced networking and security services.
The joint solution is flexible to cater to many designs and scenarios, but here we would like to highlight two primary reference architectures:
- Google Cloud to Data Center Networking
- Google Cloud to Branch Networking
- With Enterprise WAN Branch
- With SD-WAN Branch
The coming sections will highlight these two reference architectures in Google Cloud and how easy it is to extend the same reference architecture to multiple clouds with consistent control, automation, and operating model.
Google Cloud to Data Center Networking Reference Architecture
Google Cloud allows enterprises to connect on-premises data centers using the private service called Google Cloud Interconnect (GCI). GCI provides higher throughput connectivity back to on-premises data centers. GCI connection attaches to Network Connectivity Center Hub as a spoke. Customers looking for advanced networking and control can leverage Aviatrix Transit Gateway. The Aviatrix Transit Gateway acts as a router appliance in the Network Connectivity Center model. Aviatrix Transit Gateway form native BGP peering with Google Cloud Cloud Router and exchange BGP routes for dynamic connectivity to and from the on-premise data center.
Aviatrix Transit Gateway builds encrypted connectivity with the workload VPC by deploying Aviatrix Spoke Gateways in the respective VPCs. This reference architecture extends Google Cloud native capabilities by providing advanced networking, security, control, and visibility.
It is important to consider that the native GCI link is not IPSec encrypted for the traffic between on-premises Data Center and Google Cloud. Enterprises looking to have enhanced security must consider Aviatrix HPE (High-Performance Encryption), which offers near-line-rate end-to-end IPSec encryption for GCI links and networks built inside the Cloud.
Google Cloud to Branch Networking Reference Architecture
Besides on-premise data center connectivity, Google Cloud also allows on-premise branches to connect to Google Cloud and its resources. At a high level, there are two types of Wide Area Networks (WAN) branches used today for Cloud to On-premise connectivity
- Enterprise WAN
- Software-Defined WAN (SD-WAN)
The Aviatrix solution is agnostic to the WAN types being used and supports all flavors of enterprises such as:
- Cloud to Enterprise WAN branch connectivity with Network Connectivity Center
- Cloud to Enterprise WAN branch connectivity without Network Connectivity Center
- Cloud to SD-WAN branch connectivity with Network Connectivity Center
- Cloud to SD-WAN branch connectivity without Network Connectivity Center
This document focuses on reference architecture with Google Cloud Network Connectivity Center. For more details about the non-Network Connectivity Center design, refer to Aviatrix documentation here.
Google Cloud to Enterprise WAN Branch Design Highlights
This is the widely deployed model where on-premise WAN branches terminate the IPSec connection to Google Cloud or other Clouds using the native constructs such as HA VPN service in Google Cloud, VGW (VPN Gateway in AWS), etc. Aviatrix supports this model by allowing enterprises to choose the hardware and encryption algorithm they want to use.
In this model, the Aviatrix Transit Gateway acts as a Network Connectivity Center Router Appliance and attaches to the Network Connectivity Center Hub. The Aviatrix Transit Gateway forms the eBGP adjacency with the Google Cloud Router. The Google Cloud Router then forms the eBGP peering with the Google Cloud HA VPN service and attaches with the Google Cloud Network Connectivity Center.
The following diagram shows this reference architecture where all enterprise branches connect to Google Cloud or other public Cloud using Aviatrix Transit Gateway.
Google Cloud to SD-WAN Branch Design Highlights
In this design, the SD-WAN vendors would typically rip and replace exiting WAN hardware with the new SD-WAN hardware. In almost all the cases, the SD-WAN hardware and connectivity are not compatible with the existing Enterprise WAN design. In a lot of situations, organizations end up managing multiple infrastructures for branch connectivity. With the rise in the SASE model, the SD-WAN is fading away already.
In this model
- SD-WAN branches terminate the connection to the SD-WAN edge router appliance in Google Cloud
- The Aviatrix Transit Gateway acts as a Network Connectivity Center Router Appliance and attaches to Network Connectivity Center Hub. The Aviatrix Transit Gateway forms the eBGP adjacency with the Google Cloud Router. Google Cloud Router also forms the eBGP peering with the SD-WAN edge router appliance
- The SD-WAN edge router also attaches with the Google Cloud Network Connectivity Center
The following diagram shows this reference architecture where all enterprise branches connect to Google Cloud using Aviatrix Transit Gateway
Aviatrix Use Cases and Advantages
The two reference architectures with Google Cloud Network Connectivity Center and Aviatrix integration simplify the Cloud to On-Premise connectivity, but it is essential to understand that On-premise connectivity is just one aspect. Aviatrix solves many technical and business challenges for enterprises that are beyond just providing connectivity.
Aviatrix brings a lot of value inside the Google Cloud network and across multiple public clouds with standard, consistent, and repeatable networking and security. This section addresses some of the critical use cases and challenges Aviatrix solves in both reference architectures. For the complete list, refer to the link here for more details.
The features and use-cased discussed here are not only available in Google
Cloud but also works seamlessly across other Cloud by using the Aviatrix
Platform. These use cases are applicable to enterprises with or without Google
Cloud Network Connectivity Center.
Aviatrix customers leverage the Aviatrix cloud network platform to deliver multi-cloud
networking, security, and operational visibility capabilities that go beyond what any cloud service provider offers. Let us take a look at some of the challenges Aviatrix is solving for Google Cloud and Multi-Cloud customers.
Aviatrix delivers a single, standard networking and security platform for Google Cloud and other public clouds. Aviatrix Multi-Cloud Network Architecture (MCNA) has been proven with hundreds of enterprise customers building cloud network infrastructure in AWS, Azure, Google Cloud, OCI, and Alibaba Cloud (CSPs) across every vertical industry around the globe. Aviatrix MCNA delivers the simplicity and automation enterprises expect in the Cloud with the operational visibility and control they require.
The following diagram shows a repeatable design with Google Cloud Interconnect (GCI) where private circuits are terminated on the Aviatrix Transit Gateway. Aviatrix Transit Gateway in Google Cloud is then connected to another Aviatrix Transit Gateway in another cloud to provide a consistent and standard operating model.
The following diagram shows a repeatable design where all enterprise branches are connected to an Aviatrix Transit Gateway in Google Cloud. The Aviatrix Transit Gateway in Google Cloud is then connected to another Aviatrix Transit Gateway in a different public cloud to build MCNA with the consistent and standard operating model.
Route Management and Engineering
Aviatrix provides the flexibility to the network operator to route and manipulate the traffic based on varying network demands. Aviatrix advanced route management, filtering, and control overcome the native CSP limitations such a basic routing, peering limits, and quota issues. These automated controls avoid human errors and make sure that the intent is maintained with desired traffic routing, filtering, and failover.
Aviatrix allows multi-tenant support between Google Cloud and on-premises. Each tenant can be placed in an isolated segment, enabling customers to provide air-gaping from on-premise to Google Cloud, between VPCs, or across clouds like a VRF model.
NGFW Service Insertion
Next-Generation Firewall (NGFW) and other 3rd party services such as advance load balancers are integral to enterprise deployments. The Aviatrix FireNet framework is a cost-effective and automated way to service chain those services in the traffic flow with a simplified policy. FireNet allows NGFW (and other services) insertion for E/W, Ingress, and Egress in this model as well.
The Aviatrix Platform simplifies design, deployment, and operational capabilities by deeply integrating with devices from Palo Alto, Checkpoint, F5, and Fortinet into any architecture.
Active/Active, Dynamic, and Highly Available Connectivity
Aviatrix builds Active/Active, dynamic, and highly available networks for the enterprise
workload. This overcomes the cloud-native route and VPC peering limitations providing these networks with redundant paths for various traffic patterns. The connectivity applies to workloads inside the clouds and when connecting Google Cloud to the on-premise data center.
For instance, Aviatrix allows enterprises to build multiple connections while connecting to another region and even another public cloud. Traffic could use GCI as a priority (to connect to another region or cloud). In case of failure of the GCI link, the traffic could be dynamically re-routed using the public connectivity option.
Simplify Overlapping IP Connectivity
Dealing with overlapping IP space is a challenge that no enterprise wants to face, but this is becoming more of an unfortunate reality with cloud adoption and scale. This issue could arise due to mergers and acquisitions, application migrations, or connecting SaaS or partner services where the enterprise has no control.
The gravity of the situation increases because none of the CSP (Cloud Service Providers) support overlapping IP. Aviatrix has a simple and elegant solution to tackle this issue. Aviatrix provides full SNAT/DNAT capabilities through Aviatrix gateways and can also implement more advanced mapped NAT configurations to support bi-directional communications.
Secure Egress with FQDN Filtering
Many cloud workloads are subject to corporate or regulatory compliance, such as PCI (Payment Card Industry). Aviatrix FQDN (Fully Qualified Name) filtering-based egress security is an easy and quick solution to deploy to secure these egress flows. Organizations can meet compliance and audit requirements without sacrificing architecture and control.
Policy-Based SAML Client/User VPN
Enterprises need policy-based secure connectivity for their employees, developers, clients, and partners so they can connect to the workloads hosted in Google Cloud or within the SaaS provider. With Aviatrix, enterprises can leverage its SAML-based user VPN solution, allowing end-users to connect with Zero Trust policy-based approach. Aviatrix solution will also enable clients/users to communicate with MFA and geolocation services to satisfy the need of roaming or WFH (Working from Home) users.
The Aviatrix Multi-Cloud Networking platform consists of a centralized controller that is
multi-cloud aware and intelligent cloud routers called gateways. By bringing a data plane into GCP, you get more control over traffic and introduce intelligent routing. Since the platform is cloud-native, it can seamlessly integrate and control Google Cloud services like Global VPC, Shared VPC, Cloud Functions, Google Kubernetes (GKE), Anthos, etc.
The features and use-cases discussed here are available in Google Cloud and work easily across other clouds by following the MCNA design. These use-cases and advantages apply to both reference architectures we discussed here
- Data Center to Google Cloud and Multi-Cloud
- Enterprise and SD-WAN Branch to Google Cloud and Multi-Cloud
Aviatrix customers leverage the Aviatrix cloud network platform to deliver multi-cloud
networking, security, and operational visibility capabilities beyond what any cloud service provider offers.
Following are some of the challenges that enterprises are solving with Aviatrix and Network Connectivity Center joint solution today.
- Google Cloud and Multi-Cloud Enterprise Architecture
- Google Cloud and Multi-Cloud Network Segmentation
- Google Cloud and Multi-Cloud NGFW Insertion
- Advance BGP support for non-SD-WAN virtual router
- Advance BGP support for SD-WAN appliances
- Overlapping IP support
- Multi-Cloud Operation, Visibility, and Control
- Line-rate IPSec end-to-end encryption for Google Cloud Interconnect
This integration is just the latest example of Aviatrix’s work with Google Cloud, based on an architecture that leverages many of the Google Cloud cloud service constructs, including:
- Google Cloud VMs
- Google Kubernetes Engine (GKE)
- Google Cloud Anthos
- Istio Service Mesh
- Google Cloud Cloud Functions
- Google Cloud Global VPC
- Google Cloud Shared VPC
- Google Cloud Cloud Router
- Google Cloud Cloud SQL
- Big Query
- and many more.
Our shared enterprise customers work with Aviatrix to deliver on the complex enterprise network, security, visibility, and multi-cloud requirements.
Engage with Aviatrix
About the Author
Shahzad Ali is VP Customer Solutions Architecture team at Aviatrix. Shahzad and his team delivered solution architecture and designs for a number of customers in the Financial Services, Healthcare, Technology, and Manufacturing industries. These designs have been validated and adopted by many Aviatrix enterprise customers.