By Brad Hedlund and Abdul Rahim
Leading enterprises trust Aviatrix to accelerate cloud networking deployments and extend native capabilities of cloud service providers (CSPs). To further support our customers, Aviatrix is excited to announce integration with AWS Cloud WAN. Integrating AWS Cloud WAN with Aviatrix Transit opens advanced use cases, including multi-cloud connectivity, encrypted on-premises connectivity, firewall insertion, connecting networks with overlapping IP ranges, automated threat protection, and connectivity to other AWS partitions such as AWS Gov Cloud and AWS China.
In this article, you’ll learn about the architecture, use cases, and benefits for integrating AWS Cloud WAN with Aviatrix Transit.
Overview of AWS Cloud WAN Integration
Aviatrix integrates with AWS Cloud WAN through an AWS Cloud WAN Connect attachment or an AWS Cloud WAN Site-to-Site VPN attachment. Connect attachments can use industry-standard GRE tunnels or the newer AWS Cloud WAN Tunnel-less Connect option, which avoids the overhead of GRE encapsulation. VPN attachments use IPsec tunnels between Aviatrix Transit and AWS Cloud WAN. In every case the attachment carries route exchange in both directions, so AWS Cloud WAN can forward traffic through the Aviatrix platform for traffic control, inspection, visibility, and multi-cloud connectivity.
A Connect attachment using GRE tunnels, or a Site-to-Site VPN attachment, can be assigned to a unique Aviatrix network domain and mapped to a unique AWS Cloud WAN segment. This extends that segment beyond AWS Cloud WAN to on-premises sites, colocation facilities, other cloud providers, or anywhere else Aviatrix Gateways are deployed.
Figure 1: Integration using AWS Cloud WAN Tunnel-less Connect
Connect attachments using Tunnel-less Connect (shown in Figure 1 above) have lower overhead and higher throughput; the trade-off is that only one AWS Cloud WAN segment can be extended to the Aviatrix Transit Gateways through an attachment of this type.
Note: The Tunnel-less Connect connection is in early access. Please register your interest with your Aviatrix representative to get it prioritized for general availability.
Figure 2: Integration using Connect attachments with GRE tunnels
Connect attachments using GRE tunnels (shown in Figure 2 above) load-balance traffic per flow across all available tunnels in the attachment between Aviatrix Transit and AWS Cloud WAN using equal-cost multipathing (ECMP): each flow is hashed to one tunnel, so all packets of that flow take the same path while different flows spread across the tunnel set.
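As an added illustration of what per-flow ECMP means in practice (example code written for this article, not Aviatrix or AWS code), the block below hashes the 5-tuple of each flow to one of several tunnels and then shows what happens when a tunnel is removed. The tunnel names and the flow set are constructed for the demo; the hash function and the hash-mod-N selection are a common ECMP approach, not a description of the exact algorithm used by either product.

```python
import hashlib
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """A 5-tuple identifying one flow (constructed values in the demo below)."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def flow_key(flow: Flow) -> bytes:
    """Canonical byte string for the 5-tuple: the input to the ECMP hash."""
    return (
        ipaddress.ip_address(flow.src).packed
        + ipaddress.ip_address(flow.dst).packed
        + bytes([flow.proto])
        + flow.sport.to_bytes(2, "big")
        + flow.dport.to_bytes(2, "big")
    )


def select_tunnel(flow: Flow, tunnels: list) -> str:
    """Hash-mod-N selection: every packet of the same 5-tuple hashes to the
    same tunnel, which is what 'per-flow' load balancing means."""
    if not tunnels:
        raise ValueError("no tunnels available")
    digest = hashlib.sha256(flow_key(flow)).digest()
    return tunnels[int.from_bytes(digest[:4], "big") % len(tunnels)]


def distribute(flows: list, tunnels: list):
    """Assign each flow to a tunnel; return the mapping and per-tunnel counts."""
    assignment = {f: select_tunnel(f, tunnels) for f in flows}
    return assignment, Counter(assignment.values())


def moved_flows(flows: list, before: list, after: list) -> int:
    """Number of flows whose tunnel changes when the tunnel set changes
    (for example one GRE tunnel going down). Flows on the failed tunnel
    must move; with hash-mod-N some flows on surviving tunnels move too."""
    old, _ = distribute(flows, before)
    new, _ = distribute(flows, after)
    return sum(1 for f in flows if old[f] != new[f])


def sample_flows(n: int = 1000) -> list:
    """Constructed flows: clients in 10.1.0.0/16 reaching a web tier on 443."""
    return [
        Flow(f"10.1.{i // 250}.{i % 250 + 1}", "10.2.0.10", 6, 40000 + i, 443)
        for i in range(n)
    ]


# Assumed tunnel names for one Connect attachment; not AWS or Aviatrix identifiers.
TUNNELS = ["gre-tunnel-1", "gre-tunnel-2", "gre-tunnel-3", "gre-tunnel-4"]

if __name__ == "__main__":
    flows = sample_flows()
    _, counts = distribute(flows, TUNNELS)
    print("flows per tunnel:", dict(counts))
    print("flows moved after gre-tunnel-4 fails:",
          moved_flows(flows, TUNNELS, TUNNELS[:3]))
```

Two things to take from the demo: a single large flow (one backup job, one replication stream) never exceeds the capacity of one tunnel no matter how many tunnels exist, and a tunnel failure reshuffles more than just the flows on the failed tunnel, which is worth remembering when long-lived sessions are sensitive to path changes.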
Aviatrix Integration Use Cases
Now let’s look at some of the advanced use cases that can be achieved by integrating the Aviatrix platform with AWS Cloud WAN.
Multi-Cloud Connectivity
AWS Cloud WAN can integrate with Aviatrix Transit to extend connectivity to workloads and services hosted in other cloud providers. Aviatrix Transit Gateways interconnect clouds using Aviatrix's patented High Performance Encryption (HPE), which can run over the public internet or over a dedicated private underlay. All traffic transiting the Aviatrix data plane also gets deep visibility in Aviatrix CoPilot.
Figure 3: Multi-Cloud connectivity using Aviatrix Transit
Network segments defined within AWS Cloud WAN can be extended to other clouds using Aviatrix Multi-Cloud Network Domains, so workloads that share the same security posture can be connected across clouds. Customers can also use Aviatrix Distributed Cloud Firewall to define and enforce access control on traffic within and between network segments across clouds, and traffic between clouds and network segments can be inspected and filtered by next-generation firewalls using the Aviatrix Transit Firenet solution.
Figure 4: Multi-Cloud Segmentation using Aviatrix Transit
Encrypted On-Premises Connectivity
Aviatrix encrypts data flows by default. The encryption model of Aviatrix Transit in the cloud can be extended to on-premises connectivity using Aviatrix Secure Edge, so traffic between on-premises and the cloud stays encrypted end to end even while it crosses intermediary network devices, where MACsec alone offers only hop-by-hop, link-level protection.
Customers can use AWS Direct Connect hosted connections (even below 1 Gbps) or dedicated connections with hosted or private VIFs as the underlay for the HPE connection between Aviatrix Secure Edge on premises and Aviatrix Transit in the cloud. This traffic can also be selectively inspected and filtered by your preferred firewall vendor using the Aviatrix Transit Firenet solution, as shown in Figure 4.
Figure 5: Encrypted on-premises connectivity using Private/Hosted VIF
Connecting Networks with Overlapping IP Ranges
In cloud deployments of every size, overlapping and conflicting IP CIDR ranges are increasingly unavoidable. This is especially true after mergers and acquisitions, and at scale with our largest customers, from SaaS providers to healthcare and financial services. Aviatrix makes these IP-conflict scenarios straightforward to solve where other solutions quickly run into limitations and require complex configuration.
Aviatrix Mapped NAT connectivity handles otherwise arbitrarily complex NAT scenarios: you define the real and virtual CIDR ranges when provisioning an IPsec tunnel, and the Aviatrix gateway performs the one-to-one translation between them. The remote side needs no additional configuration; in fact, the remote device does not need to support NAT at all.
The following diagram shows this in action. Customer A and Customer B both have address ranges that directly conflict with VPC A and VPC B behind AWS Cloud WAN. The conflicting ranges are mapped to new, non-conflicting CIDR ranges by Aviatrix Spoke Gateways.
Figure 6: Connecting networks with Overlapping IP ranges
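To make the real/virtual CIDR idea concrete, here is an added worked example (written for this article; it is not Aviatrix code and does not reflect how the gateway implements Mapped NAT internally). It detects which remote networks collide with the VPC ranges behind Cloud WAN, carves an equal-sized virtual CIDR for each from a pool, and performs the stateless one-to-one address translation in both directions. The VPC and customer CIDRs, and the 100.64.0.0/10 pool, are constructed assumptions for the demo.

```python
import ipaddress
from itertools import combinations


class MappedNat:
    """One-to-one static mapping between a real CIDR and an equal-sized virtual
    CIDR. Host bits are preserved, so translation is stateless and reversible."""

    def __init__(self, real_cidr: str, virtual_cidr: str):
        self.real = ipaddress.ip_network(real_cidr)
        self.virtual = ipaddress.ip_network(virtual_cidr)
        if self.real.prefixlen != self.virtual.prefixlen:
            raise ValueError("real and virtual CIDRs must have the same prefix length")

    @staticmethod
    def _translate(addr, src_net, dst_net):
        ip = ipaddress.ip_address(addr)
        if ip not in src_net:
            raise ValueError(f"{ip} is outside {src_net}")
        offset = int(ip) - int(src_net.network_address)
        return ipaddress.ip_address(int(dst_net.network_address) + offset)

    def to_virtual(self, addr: str) -> str:
        """Outbound: rewrite a real source address into the virtual range."""
        return str(self._translate(addr, self.real, self.virtual))

    def to_real(self, addr: str) -> str:
        """Inbound: rewrite a virtual destination address back to the real one."""
        return str(self._translate(addr, self.virtual, self.real))


def find_conflicts(cidrs: dict) -> list:
    """Return (name_a, name_b) pairs whose CIDRs overlap."""
    nets = {name: ipaddress.ip_network(c) for name, c in cidrs.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def _carve(free: list, prefixlen: int):
    """Take the first free block large enough and split it down to /prefixlen,
    keeping the unused halves in `free` for later allocations."""
    for i, block in enumerate(free):
        if block.prefixlen <= prefixlen:
            free.pop(i)
            while block.prefixlen < prefixlen:
                first, second = block.subnets(new_prefix=block.prefixlen + 1)
                free.insert(i, second)
                block = first
            return block
    raise ValueError("virtual pool exhausted")


def plan_mapped_nat(remote_cidrs: dict, local_cidrs: dict,
                    pool: str = "100.64.0.0/10") -> dict:
    """For every remote network that overlaps a local (Cloud WAN side) network,
    allocate an equal-sized virtual CIDR from `pool` and return name -> MappedNat.
    Remote networks that do not conflict are left untouched (routed as-is)."""
    pool_net = ipaddress.ip_network(pool)
    local_nets = [ipaddress.ip_network(c) for c in local_cidrs.values()]
    if any(pool_net.overlaps(n) for n in local_nets):
        raise ValueError("virtual pool overlaps a local network")
    free, plan = [pool_net], {}
    for name, cidr in remote_cidrs.items():
        real = ipaddress.ip_network(cidr)
        if any(real.overlaps(n) for n in local_nets):
            plan[name] = MappedNat(str(real), str(_carve(free, real.prefixlen)))
    return plan


# Constructed scenario mirroring Figure 6: the VPCs behind Cloud WAN and the
# customer networks that collide with them. All values are assumptions.
VPC_CIDRS = {"VPC-A": "10.0.0.0/16", "VPC-B": "10.1.0.0/16"}
CUSTOMER_CIDRS = {"Customer-A": "10.0.0.0/16",
                  "Customer-B": "10.1.0.0/16",
                  "Partner-C": "192.168.50.0/24"}

if __name__ == "__main__":
    plan = plan_mapped_nat(CUSTOMER_CIDRS, VPC_CIDRS)
    for name, nat in plan.items():
        print(f"{name}: real {nat.real} -> virtual {nat.virtual}")
    nat = plan["Customer-A"]
    virtual = nat.to_virtual("10.0.5.7")
    print("10.0.5.7 ->", virtual, "->", nat.to_real(virtual))
```

Because the mapping preserves host bits, the cloud side only ever sees the virtual range (for example 100.64.0.0/16 instead of the customer's 10.0.0.0/16), and return traffic is translated back without any per-flow state. Pick the virtual pool from space that is guaranteed unused on both sides; the planner refuses a pool that overlaps the local networks for exactly that reason.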
Automated Threat Protection
All traffic traversing your Aviatrix data plane is monitored by Aviatrix ThreatIQ, which detects malicious traffic based on IP address reputation and known bad actors. This embeds threat detection inside the data plane, at every hop, rather than limiting threat visibility to the edge of the network.
ThreatIQ serves as an intrusion detection system (IDS) that alerts on malicious traffic throughout your cloud network architecture. Enabling automatic remediation turns the IDS capability into an intrusion prevention system (IPS): ThreatIQ findings are used to program drop rules on Aviatrix Gateways so the unwanted traffic is blocked at the gateway nearest the identified threat. This adds another layer to a defense-in-depth strategy for cloud network security.
Figure 7: Automated Threat Protection
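The IDS-to-IPS flow described above, as an added example written for this article rather than ThreatIQ's own implementation: a handful of constructed flow records are matched against a constructed threat list, and each hit becomes a drop rule on the gateway that observed the flow. The gateway names, the record format, the threat list (documentation address ranges only) and the iptables-style rule text are all assumptions for illustration; Aviatrix programs its gateways through its own mechanism.

```python
import ipaddress
from collections import defaultdict

# Constructed threat list using documentation ranges, not real indicators.
THREAT_LIST = {
    "203.0.113.77/32": "known-c2",
    "198.51.100.0/24": "scanner",
}

# Constructed flow records in the shape "gateway src dst proto dport action".
# The first flow is seen at the spoke and again at the transit gateway.
SAMPLE_FLOWS = [
    "gw-spoke-a 10.10.1.5 203.0.113.77 tcp 443 ACCEPT",
    "gw-transit-1 10.10.1.5 203.0.113.77 tcp 443 ACCEPT",
    "gw-spoke-b 198.51.100.9 10.20.2.8 tcp 22 ACCEPT",
    "gw-spoke-a 10.10.1.6 8.8.8.8 udp 53 ACCEPT",
]

# Guard against a bad threat-list entry black-holing internal traffic.
PRIVATE = [ipaddress.ip_network(c) for c in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def load_threats(threat_list: dict) -> list:
    """Parse the CIDR -> label map into network objects for matching."""
    return [(ipaddress.ip_network(cidr), label) for cidr, label in threat_list.items()]


def match_threat(ip: str, threats: list):
    """Return the threat label for an address, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net, label in threats:
        if addr in net:
            return label
    return None


def detect(flow_lines: list, threats: list) -> list:
    """IDS stage: one alert per flow whose source or destination is listed.
    'inbound' means the listed address is the source, 'outbound' the destination."""
    alerts = []
    for line in flow_lines:
        gateway, src, dst, proto, dport, action = line.split()
        for direction, ip in (("inbound", src), ("outbound", dst)):
            label = match_threat(ip, threats)
            if label:
                alerts.append({"gateway": gateway, "direction": direction,
                               "threat_ip": ip, "label": label,
                               "proto": proto, "dport": int(dport)})
                break
    return alerts


def remediate(alerts: list) -> dict:
    """IPS stage: turn alerts into drop rules keyed by the gateway that saw the
    flow. Rules are de-duplicated per gateway, and private ranges are refused."""
    rules = defaultdict(set)
    for alert in alerts:
        addr = ipaddress.ip_address(alert["threat_ip"])
        if any(addr in net for net in PRIVATE):
            continue
        flag = "-s" if alert["direction"] == "inbound" else "-d"
        # Illustrative rule text only; not how Aviatrix programs its gateways.
        rules[alert["gateway"]].add(f"iptables -I FORWARD {flag} {addr} -j DROP")
    return {gw: sorted(r) for gw, r in rules.items()}


if __name__ == "__main__":
    threats = load_threats(THREAT_LIST)
    alerts = detect(SAMPLE_FLOWS, threats)
    for a in alerts:
        print(f"ALERT {a['gateway']}: {a['direction']} {a['threat_ip']} ({a['label']})")
    for gw, gw_rules in remediate(alerts).items():
        print(gw, gw_rules)
```

Because the same flow is observed at the spoke and again at the transit, both gateways receive a rule; the spoke, being the first hop for that workload, is where the drop actually takes effect, which is the "nearest gateway" behaviour the paragraph describes. The private-range guard is the kind of safety check worth keeping in any automated block pipeline: a single mistaken entry on a reputation feed should never be able to isolate an internal subnet.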
Complete Architecture
Figure 8 depicts a comprehensive secure multi-cloud network architecture with Aviatrix and AWS Cloud WAN including all the above-mentioned benefits and use cases.
Figure 8: AWS Cloud WAN and Aviatrix Transit Integration
Additionally, the following use cases can be solved by integrating Aviatrix Transit with AWS Cloud WAN.
- Connectivity to partners' remote networks
- Connectivity between AWS partitions, including AWS Gov Cloud and AWS China
- Connectivity to SASE solutions
- Connectivity to SD-WAN solutions using BGP over LAN (no GRE or IPsec support required from the SD-WAN platform)
- Connectivity to AWS Regions where AWS Cloud WAN has not yet launched
AWS & Aviatrix: Better Together
The Aviatrix integration with AWS Cloud WAN highlights the deep relationship that Aviatrix has with AWS and Aviatrix’s commitment to providing advanced capabilities and interoperability to its customers. Whether you are using AWS alone or as part of a multi-cloud strategy, Aviatrix provides the cloud networking and security capabilities required by today’s enterprises.
Experience the ease of cloud networking with Aviatrix. To get started, launch the Sandbox Starter Tool, deploy directly from AWS Marketplace or set up a demo.
About the Authors
Brad Hedlund is a Principal Solution Architect at Aviatrix with over 25 years of experience in the networking field. Prior to joining Aviatrix, Brad held senior positions with AWS, VMware, and Cisco. Over his career, Brad has helped organizations optimize their network architectures and has helped industry peers learn about new networking technology through his many blog posts and instructional videos.
Abdul Rahim is a Principal Solutions Architect at Aviatrix. He is a triple CCIE with over 24 years of experience in the networking field, working with AWS, VMware, and Cisco. He holds a bachelor's degree in electrical engineering and an MS in telecommunications, and is passionate about improving customers' cloud networking experience.