Aviatrix Blog

Aviatrix Tech Deep Dive: SmartGroups as the Key to Simplified and Secure Networking

Explore how Aviatrix SmartGroups create universal tags that enable multicloud, multi-region network segmentation.

Network management is complex and multi-layered. Our Tech Deep Dive series is made for cloud architects, engineers, developers, operations, platform, and security teams who want the deeper technical explanation of the Aviatrix solution. We’ll explore the particular details of what makes our dataplane, feature set, and configuration work, and how they empower networking teams.


One of the biggest challenges of creating a hybrid network is working with multiple connectivity providers such as cloud service providers (CSPs), middle-mile colocation providers such as Megaport and Equinix, and even traditional WAN providers. AWS, Microsoft Azure, Google Cloud, Oracle, and Alibaba all use different structures, hierarchies, rulesets, policies, and default settings, to say nothing of the complexity of integrating other hybrid networks. Trying to design and manage a network that spans two or more of these clouds, not to mention the many environments, applications, and third-party solutions layered on top, is as difficult as banking or employing staff across countries with different currencies, taxes, and laws. Building a hybrid cloud network gives you flexibility and freedom in negotiation, cost optimization, and design, but without the right management solution, your network grows into a sprawling mess held together with bubble gum and baling wire.

Aviatrix SmartGroups are one simple feature that helps every team involved in networking – cloud architects, developers, DevOps, SecOps, and IT – create a simple and consistent multicloud architecture. SmartGroups organize and categorize a vast and diverse network so that you can apply uniform security policies, resiliency options, high performance, and cost awareness at every site and location.

Here’s how they work.


SmartGroup Tags: Identity-Based Categorization

The key to Aviatrix SmartGroups is cloud-agnostic, universal tags that you can use to group any resource – AWS or Google VPCs, Azure VNets, Oracle VCNs, cloud accounts, regions, or any other resource managed from your Aviatrix CoPilot account. You can create SmartGroups to represent departments, business units, teams, projects, or any other business grouping for which you want to set network-wide policies.


Using SmartGroup Tags

When you create an Aviatrix SmartGroup, you can classify it based on four types of tags:

  • CSP (cloud service provider) resource tags: these tags identify resources you can group. This is the best and easiest classification method, because new resources created in the cloud with the same set of tags are included automatically. In Google Cloud, you configure “labels” that can be selected as tags when creating your SmartGroup.
  • Resource attributes: classify by account or region.
  • IP addresses or CIDRs: for resources that are not tagged, you can directly specify IP addresses or CIDRs.
  • Edge sites (for policy-based routing): select an Edge Site ID used in a previously created Edge Gateway. These tags help you connect edge sites to your network.


Harnessing the Power of Kubernetes SmartGroups

Aviatrix SmartGroups work seamlessly with another industry solution for simplified networking: Kubernetes. Kubernetes containerized networking offers new flexibility and agility, but Kubernetes clusters recycle IP addresses rapidly and bypass traditional subnet policies, limiting how granular you can get with security policies. Kubernetes SmartGroups enable you to filter and group pods by namespaces, services, or wildcard patterns, enabling granular policies that align with Kubernetes’ dynamic nature.


Using SmartGroups to Create Security Policies

After categorizing your network resources based on tags, you can set up security policies for one SmartGroup or for several at once. This is where Aviatrix’s multicloud solution really harmonizes your network. Each cloud provider’s native security policies apply only within that provider, so cross-cloud connections are much harder to protect. SmartGroup-based policies let you define and enforce network-wide, multicloud, multi-region security policies from one place.

When you create a policy using our Distributed Cloud Firewall solution, you micro-segment the network by selecting which SmartGroups the policy applies to. Here are some examples of policies you can set:

  • Deny traffic between a SmartGroup that covers all cloud resources in one region and a SmartGroup that includes resources in another region. This policy could help prevent lateral movement across your network.
  • Allow traffic between a SmartGroup that contains AWS and Google Cloud resources and another SmartGroup that contains Azure and OCI resources. This policy establishes multicloud connectivity between these resources.
  • Deny certain resources from reaching resources based on geography, such as China, Russia, or the US, depending on the use case.
  • Allow Kubernetes resources to access corporate container registry resources while denying access to public (untrusted) container registries on the Internet.
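As an added example, not Aviatrix code: a small Python model of the grouping and policy logic from the two sections above (CSP tags, account/region attributes, CIDRs and Kubernetes namespaces as selectors, then priority-ordered policies between groups). The group names, selector keys, the first-match-wins evaluation and the default-deny fallback are assumptions of this model, not Aviatrix’s documented semantics.

```python
import ipaddress
from dataclasses import dataclass, field
# Hypothetical model of SmartGroup selection and Distributed Cloud Firewall policy
# evaluation, written for this post; it is not Aviatrix code and not the Aviatrix API.
@dataclass
class Resource:
    name: str
    account: str
    region: str
    ip: str
    tags: dict = field(default_factory=dict)
    k8s_namespace: str = ""  # set for Kubernetes pods, empty for VMs/VPCs

def matches(res: Resource, sel: dict) -> bool:
    # Every key present in one selector must match (AND); keys mirror the post's tag types.
    ok = all(res.tags.get(k) == v for k, v in sel.get("tags", {}).items())
    ok = ok and res.region in sel.get("region", [res.region])
    ok = ok and res.account == sel.get("account", res.account)
    ok = ok and res.k8s_namespace == sel.get("namespace", res.k8s_namespace)
    if "cidr" in sel:  # untagged resources can still be caught by an address range
        ok = ok and ipaddress.ip_address(res.ip) in ipaddress.ip_network(sel["cidr"])
    return ok

SMARTGROUPS = {  # a group is the union of resources matched by any of its selectors (OR)
    "payments-prod": [{"tags": {"app": "payments", "env": "prod"}}, {"cidr": "10.50.0.0/16"}],
    "us-east": [{"region": ["us-east-1", "eastus"]}],
    "eu-west": [{"region": ["eu-west-1"]}],
    "k8s-payments": [{"namespace": "payments"}],
}
POLICIES = [  # lowest priority number is checked first; first match wins (model assumption)
    {"priority": 10, "action": "DENY", "src": "us-east", "dst": "eu-west"},
    {"priority": 20, "action": "ALLOW", "src": "k8s-payments", "dst": "payments-prod"},
]

def members(group: str, inventory: list) -> set:
    return {r.name for r in inventory if any(matches(r, s) for s in SMARTGROUPS[group])}

def evaluate(src: str, dst: str, inventory: list, default: str = "DENY") -> str:
    # Decide a flow between two named resources; 'default' is this model's fallback rule.
    for p in sorted(POLICIES, key=lambda p: p["priority"]):
        if src in members(p["src"], inventory) and dst in members(p["dst"], inventory):
            return p["action"]
    return default

# Constructed inventory: three VMs and one pod, with made-up addresses and accounts.
INVENTORY = [
    Resource("web-use1", "prod-acct", "us-east-1", "10.1.0.4", {"app": "payments", "env": "prod"}),
    Resource("db-euw1", "prod-acct", "eu-west-1", "10.2.0.4", {"app": "payments", "env": "prod"}),
    Resource("legacy-vm", "legacy-acct", "eastus", "10.50.3.9"),  # untagged, caught by CIDR
    Resource("pod-a", "k8s-acct", "us-east-1", "10.244.1.7", k8s_namespace="payments"),
]
```

Re-running `members` after a pod is rescheduled to a new IP, or after a new tagged VM appears, shows the point of identity-based grouping: membership follows the tag or namespace, not the address, so no policy needs editing.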


For a step-by-step guide to creating SmartGroups and policies, see our technical documentation.


If your network feels like a patchwork of resources, regions, cloud accounts, and services, Aviatrix SmartGroups provide simplicity, consistency, and security.