Accessing a Virtual IP address instance via Aviatrix Transit Network
This document addresses the scenario where a customer's on-prem firewall device needs to route encrypted traffic to a partner network in the cloud (AWS/Azure/GCP). However, because the partner network's CIDR blocks may overlap the customer's own network, the customer side enforces a policy that the destination IP address must be a public or a virtual IP address, even when the partner network is in the RFC 1918 range.
For example, the VPC instance IP address that the on-prem machine should send data to is 220.127.116.11, but the on-prem machine must instead send data to a virtual IP address 18.104.22.168 (or even 100.100.100.100).
There are also situations with multiple applications in different VPCs, where it is desirable to reach each of them at a different virtual address without building multiple IPsec tunnels to the cloud networks. This can be accomplished by building an Aviatrix Transit Network in which Spoke VPCs host these applications, as shown in the diagram below.
Below are the configuration steps.
Step 1: Determine the virtual IP address
As this virtual IP address is what the on-prem host sees, it should not change. There are a couple of ways to determine it.
You can allocate an EIP in the VPC for this virtual IP address. Make sure you don’t associate this EIP to any instance.
Alternatively, if the EC2 instance that on-prem hosts need to send data to has an EIP, you can use that EIP.
You can also try a reserved public IP address range, for example 100.100.x.x, if the customer does not object.
Step 2: Follow the Transit Network workflow to launch a Spoke gateway
Log in to the Controller console and go to Site2Cloud. Follow step 1 to launch a gateway in the VPC 22.214.171.124/16. In this example the gateway name is Spoke1.
(You can follow the gateway launch instructions linked here. Leave optional parameters unchecked.)
Step 3: Customize Spoke gateway advertised routes
Go to Gateway page, highlight the Spoke gateway created in the previous step, click Edit.
Scroll down to “Customize Spoke Advertised VPC CIDRs” and enter, in this example, 126.96.36.199/32.
With this customization, the Spoke gateway advertises 188.8.131.52/32 to the Transit Gateway and subsequently to on-prem.
Step 4: Attach the Spoke gateway
Follow the Transit Network -> Setup -> Step 6a, Attach Spoke GW to Transit VPC.
Step 5: Configure DNAT on Spoke gateway
This step configures the Spoke gateway to translate the destination virtual IP address 184.108.40.206 to the real private IP address 220.127.116.11.
At the main navigation bar, click Gateway. Highlight the Spoke gateway, and click Edit.
Scroll down to Destination NAT and follow the instructions here to configure it, as shown below. Note: use the “Connection” field to specify the site2cloud connection name configured in Step 3.
Step 6: Test!
Test connectivity from an on-prem host to the EC2 instance. For example, ping the virtual IP address 18.104.22.168 from an on-prem host machine. The ping should reach 22.214.171.124.
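The following model of Steps 1, 3 and 5 is an added example, not Aviatrix code or output from the Controller: it applies the Spoke gateway's DNAT rule to a destination address and checks the invariants the design relies on (the Spoke advertises only the virtual /32, the virtual IP does not overlap on-prem space, and the real IP lies inside the Spoke VPC). All addresses, CIDRs and the connection name "onprem-s2c" are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class DnatRule:
    connection: str   # site2cloud connection the rule applies to (the "Connection" field in Step 5)
    virtual_ip: str   # address the on-prem host sends to (chosen in Step 1)
    real_ip: str      # private IP of the instance in the Spoke VPC

def translate(dst_ip: str, rules: List[DnatRule], connection: str) -> Optional[str]:
    """Destination NAT as the Spoke gateway applies it: rewrite dst_ip when a rule
    matches both the connection and the virtual IP; return None when no rule matches."""
    for r in rules:
        if r.connection == connection and r.virtual_ip == dst_ip:
            return r.real_ip
    return None

def validate(vpc_cidr: str, onprem_cidrs: List[str], advertised: List[str],
             rules: List[DnatRule]) -> List[str]:
    """Return a list of violated invariants; an empty list means the configuration is consistent."""
    vpc = ipaddress.ip_network(vpc_cidr)
    onprem = [ipaddress.ip_network(c) for c in onprem_cidrs]
    adv = [ipaddress.ip_network(a) for a in advertised]
    problems = []
    for a in adv:
        # Step 3: the Spoke must advertise only the virtual /32, never the (overlapping) VPC CIDR
        if a.prefixlen != 32:
            problems.append(f"advertised {a} is not a /32 host route")
        hits = [str(c) for c in onprem if a.overlaps(c)]
        if hits:
            problems.append(f"advertised {a} overlaps on-prem {', '.join(hits)}")
    for r in rules:
        vip = ipaddress.ip_network(f"{r.virtual_ip}/32")
        rip = ipaddress.ip_address(r.real_ip)
        if vip not in adv:
            problems.append(f"{vip} has a DNAT rule but is not advertised by the Spoke")
        if rip not in vpc:
            problems.append(f"real IP {rip} is outside the Spoke VPC {vpc}")
    return problems

# Constructed placeholders: on-prem and the Spoke VPC deliberately share 10.20.0.0/16,
# which is exactly why the on-prem side insists on a virtual destination address.
VPC_CIDR = "10.20.0.0/16"
ONPREM_CIDRS = ["10.20.0.0/16"]
RULES = [DnatRule(connection="onprem-s2c", virtual_ip="100.100.100.100", real_ip="10.20.1.10")]
GOOD_ADVERTISED = ["100.100.100.100/32"]   # what Step 3 enters under "Customize Spoke Advertised VPC CIDRs"
BAD_ADVERTISED = ["10.20.0.0/16"]          # default behaviour: the whole VPC CIDR, which overlaps on-prem

if __name__ == "__main__":
    print(translate("100.100.100.100", RULES, "onprem-s2c"))
    print(validate(VPC_CIDR, ONPREM_CIDRS, GOOD_ADVERTISED, RULES))
    for p in validate(VPC_CIDR, ONPREM_CIDRS, BAD_ADVERTISED, RULES):
        print("problem:", p)
```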