• Operational Pain – Device-by-device discrete config file through a legacy CLI is an artifact of a 1990’s hardware centric operational model that enterprise customers moving into the cloud want to leave behind. Customers are looking for a modern, intelligent operational model that allows IT to operate at “cloud speed”.
• Automation – While application teams have been embracing a DevOps approach to services delivery for years, traditional hardware-centric deployment models, even when virtualized, have not evolved to keep pace. Enterprise customers must have multi-cloud Terraform Infrastructure as Code automation that fits seamlessly into existing DevOps CI/CD pipelines.
• Visibility – CSR-based cloud transit networks offer almost no visibility and troubleshooting capabilities. Enterprise customers what dynamic multi-cloud topology mapping, intelligent flow visualization and detailed analytics, they want the troubleshooting capabilities such as ping, traceroute, and packet capture, which were available on-premises, but now are required in the cloud.
• Performance – Customers discover serious performance limitations of link throughput. CSRs are limited to < 1.25 Gbps with ~5 Gbps backplane because of IPSec tunnel and processing overhead. Aviatrix can provide up to 75 Gbps throughput leveraging unique tunnel aggregation and processing distribution over multiple host cores.
• Route Table Limitations – CSRs limited by AWS VGW attachment to 100 route table entries, and while this may satisfy the requirements for very small deployments, Aviatrix customers are often challenged by this limitation and are forced to summarize or make unnatural architectural compromises that add to design complexity. Aviatrix delivers unlimited route table entries.
• NextGen Firewall Service Insertion – Cisco CSRs are effectively unaware they are even operating in a cloud environment, so they offer no leverage or interaction with native cloud constructs or dynamic integration with third party cloud services such as virtual next generation firewalls. Aviatrix simplifies both deployment and operations of native cloud services and next gen security service insertion, while maximizing throughput performance and source address visibility.

Aviatrix Intelligent Centralized Controller

The Aviatrix controller is the brain of the cloud network platform. The platform leverages the centralized intelligence and knowledge of the controller to dynamically program both native cloud network constructs and Aviatrix’s own gateway’s advanced services. Combined with Aviatrix’s Terraform provider this design enables network and security Infrastructure-as- Code automation across a multi-cloud environment. The Aviatrix controller provides the central point of control and management either through the controller UI or directly via the Aviatrix multi-cloud Terraform Provider API, giving customers central operational control over the fully distributed data plane.

Aviatrix Gateways

Aviatrix gateways deliver advanced cloud networking and security services. In this validated design guide Aviatrix Gateways are mostly deployed to provide advanced transit network and security features such as intelligent dynamic routing, active-active network high-availability, end-to-end and high-performance encryption and collect operational visibility data that feeds CoPilot, Aviatrix’s powerful visibility platform. Aviatrix gateways replace Cisco CSR 1Kv appliances and provide optimized high throughput with limited compute requirements, in most cases dramatically reducing the costs of the underlying compute capacity. Aviatrix Gateways are multi-functional, and services can be aggregated on a single compute platform or deployed individually to optimize for performance, cost, security or any combination.

Aviatrix CoPilot (optional)

Aviatrix CoPilot provides a global operational view of your multi-cloud network not available from AWS, Azure or any other cloud provider. Enterprise IT teams – who need day-two operational visibility for cloud networking – use CoPilot’s dynamic topology mapping to maintain an accurate view of their global multi-cloud networks, FlowIQ to analyze global network traffic flows and global heat maps and time series trend charts to easily pinpoint and troubleshoot traffic anomalies. CoPilot leverages the intelligence and advanced network and security services delivered by the Aviatrix cloud network platform. With Aviatrix, cloud network and security operations teams have familiar day-two operational capabilities such as packet capture, trace route and ping to resolve problems faster. Operational features include resource tagging, resource clustering, infrastructure monitoring and alerting, all specifically built for multi-cloud network operations.

End-to-End and High-Performance Encryption

The Aviatrix Transit defaults to end-to-end encryption, however standard IPSec encryption is limited to 1.25 Gbps, so in active- active ECMP high-availability mode provides 5Gbps bi-directional throughput. To achieve much higher IPSec encrypted throughput, Aviatrix’s high-performance encryption distributes processing across multiple cores and aggregates IPSec tunnels to reach wire speed encryption across private connections, such as AWS Direct Connect or Azure Express Route and up to 75 Gbps for intra-cloud links.

Multi-Cloud Network Segmentation and Security Policy Compliance

Most enterprise corporate or regulatory security policies require network segmentation. While it is possible to filter traffic with ACLs in CSR-based cloud network configurations, this is a tedious manual process that is prone to human error. Aviatrix designs deliver an automated solution that extends secure network segmentation beyond cloud boundaries, enabling multi- cloud security domains, with consistent, centrally managed, global network segmentation and connection policies.

VPC and VNet Internet Egress and Ingress filtering

Aviatrix Transit provides a secure point of access for network and security services such as next-generation firewalls, IDS/IPS and SD-WAN cloud edge connections. Aviatrix gateways provide load balancing to scale out connected services and ensure redundant and failover high availability. While many enterprises leverage the Aviatrix Transit FireNet centralized design, others opt for a distributed solution that provides filtering directly from within each VPC or VNet. Aviatrix gateways offer both ingress and egress L4 and Fully Qualified Domain Name (FQDN) filtering. Centrally managed filter groups with distributed execution ensure consistent multi-cloud security for any cloud application communicating with Internet-based resources and service.

Optimal Path Routing and Traffic Engineering

ActiveMesh allows gateways to leverage BGP metrics such as MED, AS-PATH into consideration for the same route from different neighbors and use that to make the optimal path selection. The path selection algorithm is prescriptive and provides significant flexibility options for multi-region designs. For example, allowing for on-prem route manipulation setting preference between neighbors in different regions. To support, for example multi-region HA, both on-prem data centers advertise the same routes into multiple regions through the cloud access layer into each of the Aviatrix Transit gateways. Overlapping CIDRs learned by Aviatrix Transit gateways in both regions are advertised over the transitive peering connections to the other region’s transit pair. This would normally cause serious asymmetric routing or routing loop challenges. However, the Aviatrix Controller has the intelligence to ensure the local region route is preferred over the transitive peering route, avoiding any loops or asymmetric issues.

Automation, Visibility and Operational Control

Deployment and updates easily fit into existing CI/CD pipelines with Terraform and the Aviatrix API. Visibility and operational control over internet bound traffic is an important element of any enterprise cloud architecture. Cloud applications with unrestricted access to the Internet-based services expose environment to attack. Best practices limit application network communications to only known Internet-based services. For example, app tier services that require build packages from GitHub must have access to github.com, but all other access should be filtered and blocked. Aviatrix provides the visibility to understand what Internet-based services applications are communicating with and gives the control to filter those communications by Fully Qualified Domain Names (FQDN).

When evaluating a possible migration to Aviatrix cloud network platform from an existing Cisco CSR deployment or evaluating whether to use Aviatrix or CSRs, there are a number of factors you should consider that can have significant impact on your design and your end result. These design considerations include performance, large frame support, network segmentation, centralized management and visibility, route limitations, third-party service insertion, cloud native awareness and intelligent network correctness.

The Aviatrix Cloud Network Platform is extremely flexible and can be deployed number of different ways based on your business and technical requirements. It is a low friction solution that fits easily in existing processes without requiring significant modifications to the existing cloud provisioning workflows.

The following are number of different deployment models and designs. This document focuses on three validate designs that are widely deployed by the Aviatrix customers, including single cloud, single region; single cloud, multi-region; multi-cloud; and multi-cloud with SD-WAN handoff.

This design option enables organizations to utilize full suite of Aviatrix platform features and build their cloud network even with the presence in a single cloud and a single region. In a typical network design, usually, the workloads could be spread across multiple cloud accounts and networks (VPCs or VNETs) within a region. Aviatrix platform enables to connect these networks in a hub and spoke aka transit architecture and also build a consolidated edge connectivity to establish hybrid networks. The design is achieved by creating a global transit VPC with Aviatrix transit gateways in it. Each Spoke VPC (VPCs with workloads) also has Aviatrix spoke gateways in it. Spoke VPCs are connected to the Transit VPC by establishing full mesh encrypted connectivity between the spoke and the transit gateways. The hybrid connectivity is established by either building BGP or static connections from transit gateways.

Design Advantages

• The design could be deployed either through the Aviatrix controller or through automation using Aviatrix APIs or Aviatrix terraform provider
• Two gateways in each VPC for active-active, full mesh connectivity and highly available design
• Aviatrix Controller takes care of updating the VPC/VNET route tables to avoid human errors and ensures network correctness
• Option to introduce Next generation firewalls for inline traffic inspection
• Ability to segment the network traffic based on the business units, VPC/VNET owners, type of applications deployed etc.
• Ability to build as many edge connections, both BGP and static, as needed. Also, the flexibility to build edge connections to third parties i.e. customers or partners
• Aviatrix supports SD-WAN Handoff to easily connect any SD-WAN service to the Aviatrix transit in a way that simplifies SD-WAN configuration, maintains BGP traffic engineering and network segmentation and takes advantage of centralized NGFW services in the cloud

• Aviatrix platform provides deterministic and optimal path selection by taking BGP metrics into consideration for making routing decisions
• All traffic between Aviatrix gateways is IPSec encrypted. Standard IPSec encryption is limited to 1.25 Gbps. Aviatrix’s high- performance encryption distributes processing across multiple cores and aggregates IPSec tunnels to achieve wire speed encryption, up to 75 Gbps.

As the organizations grow their footprint in the cloud, a multi-region cloud design is often required. This design enables organizations to build and manage their cloud network using Aviatrix cloud network platform across multiple regions within a single cloud platform. Multi-region connectivity allows organizations to meet additional requirements such as multiple data centers, customers, partners and employee locations that require access to cloud-based applications or regionally specific resources. This design builds on the principles laid out in “Single Cloud, Single Region design” and extends them to deliver multi-region network requirements. The architecture delivers an inter-region transit network leveraging Aviatrix gateways in each region and peers them together to enable communication among the workloads spread across regions. The Aviatrix Multi-Region High-Availability Cloud Network Validated Design Guide provides more detail on this design pattern.

Design Advantages (includes all of the advantages described above for the Single Cloud, Single Region Design, plus)

• Provides full control on network route propagation across the connected regions
• Delivers multi-region fault tolerance and high availability for cloud services and applications
• Extends secure network segmentation across the regions
• Allows multiple cloud-to-on-premises connections, enabling network redundancy and multi-path reachability
• Reduces latency by allowing users to access cloud workloads via the closest point of entry in their region

This design fully leverages a multi-cloud network architecture to enable businesses to leverage any combination of cloud service providers required to best support their applications, business and customers. The Aviatrix cloud network platform delivers the architectural flexibility and enterprise-class features IT organizations need to design a multi-cloud network. Aviatrix cloud network platform avoids service provider lock-in by delivering a superset of capabilities that meet enterprise requirements for advanced networking, security, operational visibility and multi-cloud optionality. This design builds upon the principles of both the above Single Cloud, Single Region and the Single Cloud, Multi-Region designs and extends them to a complete multi-cloud design. The Aviatrix Transit network traverses cloud providers, creating a common, repeatable hub and spoke design in each cloud, leveraging and controlling the underlying native cloud constructs and adding advanced features to create a common multi-cloud network data plan and operational visibility. This is achieved by leveraging Aviatrix gateways in both transit and application VPCs or VNETs and connecting them together to build the multi-cloud transit network.

Design Advantages: (includes all of the advantages described above for the Single Cloud, Single and Multi-Region Designs, plus)

• Empowers organizations to choose best-of-breed cloud platform based on the application, business and customer needs
• Delivers full control over network route propagation across any connected cloud environments
• Provides multi-cloud fault tolerance and high availability for cloud applications
• Extends secure network segmentation across clouds
• Allows multi-cloud-to-on-premises connections, enabling network redundancy and multi-path reachability

Aviatrix offers a Professional Services engagement specifically for planning for, automating, executing and testing CSR migrations to ensure your application environments are transferred to the Aviatrix Transit without incident.

In the end the migration is actually very simple and consists of the following steps:

1. Plan the migration. A good plan ensures that all transit network and application requirements are taken into account and any unique connectivity details have been considered and prepared for.
2. Deploy the Aviatrix Controller and Transit hub. This is a simple process of launching the Aviatrix controller and transit gateways. This can be done at any time prior to the migration and takes less than 30 mins.
3. Deploy Aviatrix Spoke Gateways in each VPC or VNet. This step is usually automated and performed without impacting the existing environment.
4. Duplicate the Route tables in each Spoke VPC or VNet. This step is automated and will result in the duplicated copy of each Route table and ensure the same VPC to be attached to the Aviatrix transit and CSR transit at the same time
5. Attach Spoke Gateways to the Aviatrix Transit Hub. Again, this step is usually automated and performed without impacting the existing environment. This step attaches the Spoke VPCs to the Aviatrix transit VPC using the duplicate route tables (Aviatrix managed Route tables). Once attached, the Aviatrix controller will inject the appropriate routes in all Aviatrix managed Route table. This step ensures existing traffic flowing through the CSRs is not impacted until you are ready to make the final switch over to the Aviatrix Transit.
6. Disengage the CSR Connections by changing the subnet associations to the Aviatrix managed route tables. This is an automated process for each VPC/VNet that disassociates the subnets from the existing route tables and associates them to the Aviatrix managed Route tables thus directing all the application traffic through the Aviatrix Gateway and Aviatrix Transit Hub.
7. Transfer any Direct Connect or Express Route Connections to Aviatrix Transit. This removes the final remaining connection to the CSR environment.
8. Remove CSRs and CSR Transit VPC/VNet.
9. Test Plan Execution. During the planning stage a test pan will be established to confirm that all expected application
   connectivity is still operational and performing as expected.

To find out more about Aviatrix Professional Services please send an email to [email protected].