By Brad Hedlund and Abdul Rahim
Leading enterprises trust Aviatrix to accelerate cloud networking deployments and extend native capabilities of cloud service providers (CSPs). To further support our customers, Aviatrix is excited to announce integration with AWS Cloud WAN. Integrating AWS Cloud WAN with Aviatrix Transit opens advanced use cases, including multi-cloud connectivity, encrypted on-premises connectivity, firewall insertion, connecting networks with overlapping IP ranges, automated threat protection, and connectivity to other AWS partitions such as AWS Gov Cloud and AWS China.
In this article, you’ll learn about the architecture, use cases, and benefits for integrating AWS Cloud WAN with Aviatrix Transit.
Overview of AWS Cloud WAN Integration
Aviatrix integrates with AWS Cloud WAN using AWS Cloud WAN Connect attachment or AWS Cloud WAN Site-to-Site VPN attachment. Connect attachment uses industry-standard GRE tunnels whereas VPN attachment uses IPSec tunnels between Aviatrix Transit and AWS Cloud WAN. This connectivity allows for route exchanges enabling AWS Cloud WAN to route traffic through the Aviatrix Platform for advanced traffic control, inspection, visibility, and multi-cloud connectivity.
Once tunnels are established, there is full connectivity between your Aviatrix Transit and AWS Cloud WAN deployment. The attachment to AWS Cloud WAN can be part of a unique Aviatrix network domain segment, mapped to a unique AWS Cloud WAN network segment, to partition and control access to and from AWS Cloud WAN throughout your network topology. Connect attachment tunnel throughput is aggregated, and traffic will be load-balanced across all available tunnels that are configured between Aviatrix Transit and AWS Cloud WAN using equal-cost multipath (ECMP).
Figure 1: Integration using Connect attachment/GRE
Aviatrix Integration Use Cases
Now let’s look at some of the advanced use cases that can be achieved by integrating the Aviatrix platform with AWS Cloud WAN.
Multi-Cloud Connectivity
Aviatrix simplifies multi-cloud connectivity using Multi-Cloud Network Architecture (MCNA). AWS Cloud WAN can integrate with Aviatrix Transit to extend connectivity to workloads/services hosted in other cloud providers. Aviatrix Transit gateways interconnect between clouds using patented high performance encryption (HPE). The HPE can be established over the public internet or dedicated private underlay. Meanwhile, all traffic transiting through the Aviatrix data plane benefits from deep visibility with Aviatrix CoPilot.
Figure 2: Multi-Cloud connectivity using Aviatrix Transit
Network segments defined within AWS Cloud WAN can be extended to other clouds using Aviatrix Multi-Cloud network domains. This allows you to seamlessly connect workloads with identical security postures between clouds like VRF-lite. Customers can also use Aviatrix Micro-Segmentation to define and apply access control on the traffic within the same network segment across clouds. Traffic between clouds and network segments can be easily inspected and filtered by next-generation firewalls using the Aviatrix Transit Firenet Solution.
Figure 3: Multi-Cloud Segmentation using Aviatrix Transit
Encrypted On-premises Connectivity
Aviatrix encrypts data flows by default. The strong security and encryption model for Aviatrix Transit in the cloud can be extend to on-premises connectivity using Aviatrix Secure Edge. This ensures all traffic from on-premises to the cloud is encrypted end-to-end, even as it travels through intermediary networking devices, where MACSec alone offers limited protection.
Customers can use AWS Direct Connect hosted (even sub-1 Gbps) or dedicated connections using Hosted/Private VIFs to provide an underlay for the HPE connection between Aviatrix Secure Edge on-prem and your Aviatrix Transit in the cloud. In addition, you can selectively inspect and filter this traffic with a preferred Firewall vendor using Aviatrix Transit Firenet Solution as shown in Figure 4.
Figure 4: Encrypted on-premises connectivity using Private/Hosted VIF
Connecting Networks with Overlapping IP Ranges
With cloud deployments of all sizes, overlapping and conflicting IP CIDR ranges is increasing inevitability. This is especially true with mergers and acquisitions, and at scale with our largest customers from SaaS providers to healthcare and financial industries. Aviatrix makes it easy to solve for these complex IP conflict scenarios where other solutions quickly run into issues and require complex configurations.
Aviatrix Mapped NAT connectivity makes it incredibly easy to solve otherwise arbitrarily complex NAT scenarios. You simply define real and virtual CIDR address ranges when provisioning an IPsec tunnel. The remote side needs no additional configuration, in fact the device does not even need to support NAT at all.
You can see what that looks like in action in the following diagram. Customer A and B both have address ranges that directly conflict with VPC A and VPC B that are behind AWS Cloud WAN. The conflicting ranges can be easily mapped to new CIDR ranges that do not conflict using Aviatrix Spoke Gateways.
Figure 5: Connecting networks with Overlapping IP ranges
Automated Threat Protection
All traffic traversing through your Aviatrix data plane is monitored with Aviatrix ThreatIQ to detect malicious traffic based on IP address reputation and known bad actors. This capability embeds threat detection inside the data plane, at every hop, rather than limiting threat visibility to the edge of the network.
ThreatIQ serves as an intrusion detection system (IDS) to alert on malicious traffic throughout your cloud network architecture. You can enable automatic remediation to turn the IDS capability into an intrusion prevention system (IPS). This feature, called ThreatGuard, takes the ThreatIQ findings and programs drop rules in Aviatrix Gateways to block the unwanted traffic at the nearest gateway of the identified threat. This adds additional layers of protection to your defense in depth strategy for cloud networking security. You can read more details here.
Figure 6: Automated Threat Protection
Complete Architecture
Figure 7 depicts a comprehensive secure multi-cloud network architecture with Aviatrix and AWS Cloud WAN including all the above-mentioned benefits and use cases.
Figure 7: AWS Cloud WAN and Aviatrix Transit Integration
Additionally, the following uses cases can also be solved by integrating Aviatrix Transit with AWS Cloud WAN.
- Connectivity to partners remote networks
- Connectivity between AWS partitions including AWS Gov Cloud and AWS China
- Connectivity to SASE Solution
- Connectivity to SDWAN Solution
- Connectivity to AWS Regions where AWS Cloud WAN has not yet launched
AWS & Aviatrix: Better Together
The Aviatrix integration with AWS Cloud WAN highlights the deep relationship that Aviatrix has with AWS and Aviatrix’s commitment to providing advanced capabilities and interoperability to its customers. Whether you are using AWS alone or as part of a multi-cloud strategy, Aviatrix provides the cloud networking and security capabilities required by today’s enterprises.
Experience the ease of cloud networking with Aviatrix. To get started, launch the Sandbox Starter Tool, deploy directly from AWS Marketplace, or set up a demo.
About the Authors
Brad Hedlund is a Principal Solution Architect at Aviatrix with over 25 years of experience in the networking field. Prior to joining Aviatrix, Brad held senior positions with AWS, VMware, and Cisco. In his career, Brad has helped organizations optimize their network architectures and he has helped his industry peers learn about new networking technology through his many blog posts and instructional video content.
Abdul Rahim is a Principal Solutions Architect at Aviatrix. He is a triple CCIE with over 24 years of experience in networking field working with AWS, VMware, and Cisco. He has a bachelor’s in electrical engineering and MS in Telecommunications. He is passionate about improving customers cloud networking experience.
