Tuning for Sub-10-Second Failover Time in Overlapping Networks
Introduction
This document describes how to tune the network configuration for a sub-10-second failover time when the on-prem and cloud network address ranges overlap.
The scenario is shown in the following diagram:
In the diagram, Client-1 and Client-2 both need to communicate with the on-prem network. However, the Client-1 and Client-2 address ranges overlap with each other and, worse, both overlap with the on-prem address range (10.0.0.0/16). This happens, for example, when Client-1, Client-2 and the on-prem network belong to three different organizations.
The traditional solution is to build an IPsec tunnel between the two networks and use SNAT/DNAT rules to translate each address, as demonstrated in this example. Such a solution requires a potentially large number of SNAT/DNAT rules, which are difficult to configure and maintain.
With the introduction of Mapped Site2Cloud for overlapping address ranges, you no longer need to wrestle with individual SNAT/DNAT rules.
Configuration Steps
Note: This example uses an Aviatrix Gateway on the client side to simulate a fast-convergence environment.
Step 1: Follow the Multi-Cloud Transit workflow to launch gateways
Log in to the Controller console and go to Multi-CLOUD TRANSIT. Follow step 1, step 4 and step 6 respectively to launch the transit and spoke gateways and to attach the spoke gateways to the transit gateway.
Create a VPN tunnel between the Transit Gateway and on-prem.
Step 2: Create a Site2Cloud tunnel between Spoke Gateway and Client-1
2.1 Configure S2C from Spoke Gateway to Client-1
Go to Controller Console -> Site2Cloud -> Setup.
Click “+Add New”. Select “Mapped” for the Connection Type field, fill in the rest of the form as shown in the table below, and click OK.
| Field | Value |
|---|---|
| VPC ID/VNet Name | Choose VPC ID (Select Spoke Gateway VPC) |
| Connection Type | Mapped |
| Connection Name | Arbitrary (e.g. S2C-SPK-to-Client1) |
| Remote Gateway Type | Aviatrix |
| Tunnel Type | Route-based |
| Algorithms | Uncheck this box |
| IKEv2 | Uncheck this box |
| Over Private Network | Uncheck this box |
| Enable HA | Check this box |
| Primary Cloud Gateway | Select the Aviatrix Gateway created above |
| Backup Gateway | Select the Aviatrix Gateway HA |
| Remote Gateway IP Address | Public IP of Client-1 Primary Gateway |
| Remote Gateway IP Address (Backup) | Public IP of Client-1 Backup Gateway |
| Pre-shared Key | Optional (auto-generated if not entered) |
| Same Pre-shared Key as Primary | Check this box |
| Custom Mapped | Uncheck this box |
| Remote Subnet (Real) | 10.10.0.0/16 (Client-1 Real CIDR) |
| Remote Subnet (Virtual) | 100.64.0.0/16 (Client-1 Virtual CIDR) |
| Local Subnet (Real) | 10.10.0.0/16 (On-Prem Network CIDR) |
| Local Subnet (Virtual) | 192.168.0.0/16 (On-Prem Virtual CIDR) |
2.2 Configure S2C from Client Side
Go to Controller Console -> Site2Cloud -> Setup.
Click “+Add New”. Select “Unmapped” for the Connection Type field, fill in the rest of the form as shown in the table below, and click OK.
| Field | Value |
|---|---|
| VPC ID/VNet Name | Choose VPC ID (Select Client-1 VPC) |
| Connection Type | Unmapped |
| Connection Name | Arbitrary (e.g. S2C-Client1-to-SPK-GW) |
| Remote Gateway Type | Aviatrix |
| Tunnel Type | Route-based |
| Algorithms | Uncheck this box |
| IKEv2 | Uncheck this box |
| Over Private Network | Uncheck this box |
| Enable HA | Check this box |
| Primary Cloud Gateway | Select the Aviatrix Gateway created above |
| Backup Gateway | Select the Aviatrix Gateway HA |
| Remote Gateway IP Address | Public IP of Spoke Primary Gateway |
| Remote Gateway IP Address (Backup) | Public IP of Spoke Backup Gateway |
| Pre-shared Key | Optional (auto-generated if not entered) |
| Same Pre-shared Key as Primary | Check this box |
| Remote Subnet | 192.168.0.0/16 (On-Prem Virtual CIDR) |
| Local Subnet | 10.10.0.0/16 (Client-1 Local Network CIDR) |
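The mapped connection in 2.1 works because each side is given a virtual CIDR of the same size as its real CIDR, and the gateway rewrites addresses 1:1 between them (same host offset, different prefix). The script below is an added example, not Aviatrix code, that models this translation with the CIDRs from the Step 2 table, checks the preconditions a practitioner should verify before saving the form (equal prefix lengths, and no overlap between the virtual ranges or between one side's real range and the other side's virtual range), and walks a constructed sample packet from a Client-1 host to an on-prem host and back. That the Mapped connection type is an offset-preserving 1:1 mapping is an assumption about the feature; the host addresses are constructed.

```python
"""Added example (not Aviatrix code): model of the 1:1 address translation a
Mapped Site2Cloud connection performs, using the CIDRs from the Step 2 table.
The offset-preserving mapping is an assumption about how 'Mapped' works."""
import ipaddress

# Step 2.1 values (Spoke Gateway side of the tunnel).
CLIENT1_REAL = ipaddress.ip_network("10.10.0.0/16")      # Remote Subnet (Real)
CLIENT1_VIRTUAL = ipaddress.ip_network("100.64.0.0/16")  # Remote Subnet (Virtual)
ONPREM_REAL = ipaddress.ip_network("10.10.0.0/16")       # Local Subnet (Real): overlaps Client-1
ONPREM_VIRTUAL = ipaddress.ip_network("192.168.0.0/16")  # Local Subnet (Virtual)


def validate_pair(real, virtual):
    """A 1:1 mapping needs both CIDRs to be the same size and family."""
    if real.version != virtual.version:
        raise ValueError(f"{real} and {virtual} are different address families")
    if real.prefixlen != virtual.prefixlen:
        raise ValueError(f"{real} and {virtual} differ in size; no 1:1 mapping possible")
    return True


def check_disjoint(*cidrs):
    """Ranges that are routed together must not overlap, or the mapping is
    ambiguous again (this is the check the real CIDRs deliberately fail)."""
    for i, a in enumerate(cidrs):
        for b in cidrs[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"ranges {a} and {b} overlap")
    return True


def translate(addr, src_net, dst_net):
    """Map addr (inside src_net) to the host with the same offset in dst_net."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + offset)


def spoke_gw_forward(src, dst):
    """Packet from Client-1 arriving over the tunnel: Client-1 sends from its real
    address to the on-prem *virtual* address. The gateway rewrites the source into
    Client-1's virtual range and the destination into the on-prem real range, so
    on-prem sees a source that does not collide with its own 10.10.0.0/16."""
    new_src = translate(src, CLIENT1_REAL, CLIENT1_VIRTUAL)
    new_dst = translate(dst, ONPREM_VIRTUAL, ONPREM_REAL)
    return str(new_src), str(new_dst)


def spoke_gw_return(src, dst):
    """Reply from on-prem to the virtual source: undo both rewrites."""
    new_src = translate(src, ONPREM_REAL, ONPREM_VIRTUAL)
    new_dst = translate(dst, CLIENT1_VIRTUAL, CLIENT1_REAL)
    return str(new_src), str(new_dst)


def preflight():
    """Checks worth running on the table values before clicking OK."""
    validate_pair(CLIENT1_REAL, CLIENT1_VIRTUAL)
    validate_pair(ONPREM_REAL, ONPREM_VIRTUAL)
    check_disjoint(CLIENT1_VIRTUAL, ONPREM_VIRTUAL)   # the two sides route these
    check_disjoint(CLIENT1_REAL, ONPREM_VIRTUAL)      # Client-1 must be able to route to on-prem virtual
    check_disjoint(ONPREM_REAL, CLIENT1_VIRTUAL)      # on-prem must be able to route to Client-1 virtual
    return True


if __name__ == "__main__":
    preflight()
    # Constructed sample: Client-1 host 10.10.1.5 reaches on-prem host 10.10.2.7,
    # which it must address as 192.168.2.7 because 10.10.2.7 is also a Client-1 address.
    print(spoke_gw_forward("10.10.1.5", "192.168.2.7"))   # ('100.64.1.5', '10.10.2.7')
    print(spoke_gw_return("10.10.2.7", "100.64.1.5"))     # ('192.168.2.7', '10.10.1.5')
```

The two real CIDRs in the table are identical on purpose: `check_disjoint(CLIENT1_REAL, ONPREM_REAL)` would raise, which is exactly the situation the virtual CIDRs exist to resolve. Note that only the spoke side of the tunnel is configured as Mapped; the client side in 2.2 is Unmapped and simply routes the on-prem virtual CIDR, which is why its Remote Subnet is 192.168.0.0/16 rather than the on-prem real range.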
Step 3: Configure global parameters
Go to Controller Console -> Settings -> Advanced.
- Click the “Tunnel” tab, change “Status Change Detection Time” as shown below and save the settings.
| Field | Value |
|---|---|
| Aviatrix Entity | Choose Controller |
| Detection time (secs) | 20 |
- Click the “Keepalive” tab and modify the Keepalive Template Configuration as shown below.
| Field | Value |
|---|---|
| Keep Alive Speed | fast |
Step 4: Configure Site2Cloud parameters
Go to Aviatrix Controller’s Console -> Site2Cloud -> Setup.
4.1 Spoke Gateway Side
Select the Spoke Gateway VPC and the spoke-gateway-to-client Site2Cloud connection, then click “Edit”.
- Make sure only one tunnel is UP and the HA status is Active-Standby.
- Make sure DPD Timer is enabled, configure the DPD timers as shown below and click “Save and Apply”.
| Field | Value |
|---|---|
| Initial Delay | 1 |
| Retry | 1 |
| Maxfail | 1 |
- Make sure Forward Traffic to Transit Gateway is enabled.
- Make sure Event Triggered HA is enabled.
4.2 Client Side
Select the Client VPC and the client-to-spoke Site2Cloud connection, then click “Edit”.
- Make sure only one tunnel is UP and the HA status is Active-Standby.
- Make sure DPD Timer is enabled, configure the DPD timers as shown below and click “Save and Apply”.
| Field | Value |
|---|---|
| Initial Delay | 1 |
| Retry | 1 |
| Maxfail | 1 |
- Make sure Active Active HA is disabled.
- Make sure Event Triggered HA is enabled.