Private Mode (Controller)
Private Mode is a global setting that offers secure orchestrated intra- and multicloud networking by removing the need for public IPs for Aviatrix gateways. Web proxies are used for the gateways to access the internet. All communication is done via native cloud constructs such as Load Balancers, Private Link Services, and peering connections, which act as the underlay for the Aviatrix encrypted Transit network.
After Private Mode is configured you can create gateways using Multicloud Transit. Starting with Controller release 6.9, DNAT and SNAT are supported on gateways while using Private Mode.
image::controller/topology-private-mode.png
Cloud environments (providers) that support this feature are AWS, AWS GovCloud, Azure, and Azure Government.
Controller Location | Gateways |
---|---|
AWS GovCloud |
AWS, Azure, Azure Government |
AWS |
AWS GovCloud, Azure, Azure Government |
Limitations
In Private Mode the following limitations exist:
-
Site2Cloud can only be created over a private network using a private IP (not possible over the internet)
-
Aviatrix TGW Orchestrator not available (AWS does not accept private IPs to create tunnels)
-
You cannot launch gateways in the same VPC/VNet as the Link Service VPC/VNet
-
BGP over LAN not available
-
Controller Security tab: features on this tab not supported
-
FQDN Gateway not available
-
Creation of VPN or Public Subnet Filtering Gateways not supported
-
Egress through Firewall: cannot enable internet-bound egress traffic for inspection
-
High Performance Encryption (HPE) over the internet not supported
-
Distributed Cloud Firewall (DCF) not supported
-
Egress for Transit FireNet not supported
-
Cross-cloud Spoke-Transit peering is not supported with private IPs
-
Software rollback to 6.7 not supported (since Private Mode did not exist prior to 6.8)
Prerequisites
-
Configure the permissions for Private Mode and GWLB-Based FireNet. This is very important; you cannot deploy your Private Mode resources without these permissions. Please see sections 6 and 15 in the referenced document.
-
Upgrade to version 6.8 or later.
-
An Aviatrix Controller in AWS or AWS GovCloud. It is best to set up Private Mode from a new Controller that does not have any previously deployed gateways. Private Mode will not work if you already have public gateways deployed in your Controller.
-
The Aviatrix Controller VPC requires space for N * /28 subnets for the deployment of the Link Services. (N = the number of Availability Zones in the given region).
-
For a multicloud Private Mode environment, it is best to create a dedicated VPC which will host the multicloud access VPC endpoint in the same region as the Link Service VPC for multicloud connectivity.
-
A version of CoPilot that supports Private Mode, if you want to send syslog or Netflow data to CoPilot from the gateways. You must already have deployed CoPilot from the Private Mode Controller. When you deploy CoPilot from the Controller you must select a subnet that has outbound internet access.
(AWS) For CoPilot ARM-based images, Private Mode is currently not supported. -
If you want to associate a CoPilot instance, it must be in the same VPC as the Controller.
-
If setting up Private Mode in a multicloud deployment, a private underlay between the CSPs must exist (Direct Connect for AWS or Express Route for Azure).
Preparing Your Single Cloud Private Mode Environment
When you prepare your single cloud Private Mode environment, you are building a Link Service; creating subnets for the Link Service; and attaching Controller/CoPilot to the Link Service target.
-
To enable Private Mode, in the Controller, navigate to Settings > Private Mode > Controller. After enabling Private Mode:
-
All gateways you create will use private IPs. You will not be able to create or deploy non-private gateways. A mixture of public and private IPs is not possible.
-
The existing eth0 private IP is used for the Controller.
-
-
(optional) If you want to view syslog and Netflow data gathered by the gateways in CoPilot, you must associate a CoPilot instance with the Controller. This ensures that data is sent to CoPilot (you must have already deployed CoPilot from the Private Mode Controller as per the above Prerequisites).
-
On the Controller tab, select a CoPilot instance and click Associate.
-
In CoPilot, navigate to Settings > CoPilot > CoPilot Association and enter the private IP address of the CoPilot instance.
image::controller/private-mode-enable.png
-
-
On the Intra-Cloud tab, enter the account access name, region, and VPC ID of the Controller to create a Link Service and click Create.
image::controller/private-mode-intracloud.png
This creates a Link Service in the selected region that endpoints in that cloud can connect with. It also attaches the CoPilot instance (if configured). You are only allowed to create one Link Service per region (AWS and Azure).
If you associated a CoPilot instance in step 2 above, you must ensure that your CoPilot Security Group is open to the IP addresses Controller configures when creating the Link Service.
The expected Link Service configuration for AWS/AWS GovCloud is having one Link Service in each region where you want to launch gateways. However, if you have two AWS/AWS GovCloud accounts, you can have one Link Service used by both accounts in the same region, or you can have a Link Service in each account in the same region. |
-
If you have multiple regions in your AWS/AWS GovCloud CSP you must set up a link service for each one by repeating the previous step.
Preparing Your Multicloud Environment
An Azure proxy VM is required to accommodate connectivity between the gateways and the Internet because the Azure load balancer can only target IPs in the same VNet. The Azure proxy VM requires two types of proxy connectivity: HTTPS for the Internet and TCP for the Controller and CoPilot. You can install a proxy supporting both, or two different proxies on the same VM. Aviatrix Private Mode does not support separate VMs for TCP and HTTPS proxies.
You must have completed the steps under Preparing Your Single Cloud Private Mode Environment. See the table at the beginning of this document for where you can create your multicloud endpoints.
In a multicloud Private Mode environment, you are creating endpoints in a multicloud access VPC attached to the intra-cloud Link Service; building a multicloud Link Service; and attaching a multicloud proxy (Azure only) to the Link Service target.
-
On the Multi-Cloud Access tab, enter the Access Account Name, Region, VPC ID of the multicloud access VPC, and the Intra-Cloud Link VPC ID you want to connect to. Click Create. This launches an endpoint in the new multicloud access VPC for Direct Connect/Express Route to connect to. It also creates the necessary subnets, route tables, and endpoint security groups.
image::controller/private-mode-multicloud-access.png
-
On the Multi-Cloud Link tab, you create the multicloud Link Service and prepare it for the proxy that will be attached in the next step. In Azure, you only need to create multiple Link Services if desired for scalability. Enter the Cloud Type, Access Account Name, Region, VPC ID, and Multi-Cloud Access VPC ID.
image::controller/private-mode-multicloud-link.png
You must have already set up the private underlay (cross-cloud link, such as Direct Connect or Express Route) that will connect the two CSPs. Also, you only need to create a proxy using the two steps below if you are connecting Azure/Azure Government to your existing AWS/AWS GovCloud CSP. If you are connecting AWS/AWS GovCloud to an existing CSP you can skip these steps. |
-
Create the Azure-related proxy (Azure HTTPS and TCP proxy must be in the same VNet as the Link Service it is associated with):
-
Launch your preferred HTTPS and TCP proxies. These must be in the same VM as each other.
-
For the TCP proxy, you need to map incoming requests on port 443. Also map ports 31283 (Netflow data) and 5000 (remote syslog) if you want this information to be visible in CoPilot.
-
For the TCP proxy, the ports should forward requests for ports 443, 31283 and 5000 to the DNS entry for the multicloud access endpoint that the proxy is communicating to on the Controller cloud. The DNS entry is located under Settings > Private Mode > List > Multi-Cloud Access Endpoint List.
-
If your proxy has a public IP, make sure the SKU is Standard and not Basic. |
-
On the Multi-Cloud Link tab under Attach/Update Proxy, enter the Cloud Type, Access Account Name, and Link Service. Only instances that are in the same VNet as the Link Service are listed.
-
Attach the proxy you just created by clicking Attach and then Update. This proxy server is the Link Service target for traffic from Azure gateways. Only do this if you had to create a proxy for Azure/Azure Government.
image::controller/private-mode-multicloud-proxy.png
Creating Gateways
After completing your single cloud or multicloud configuration, you can launch transit or spoke gateways from Multi-Cloud Transit.
BGP on Spoke is supported in Private Mode starting in version 7.0.
In Private Mode, transit peering always occurs over a private network. If your transit gateway and its backups use High Performance Encryption (HPE) Mode, transmission will always occur over a private network regardless of whether you enable Peering Over Private Networks. |
In the Controller, navigate to Multi-Cloud Transit > Setup. On the Transit/Spoke tabs, enter the information required to launch your gateways. For more information see:
Deleting Multi-Cloud Access VPC and Link Service
On the Delete Functions tab you can remove the multicloud access endpoint and/or the intra/multicloud link service. If you have dependent resources you must resolve the dependencies first.
Disabling Private Mode
If you want to disable Private Mode, you must delete all gateways and Private Mode resources. If you do not delete gateways or resources first, you will receive errors when you attempt to disable Private Mode.
Backup/Restore
When in Private Mode, you can restore the Controller and related Private Mode configuration if the restoration is done in the same VPC as the previous Controller. You cannot restore a Controller that has been created in a different VPC. The restoration will change the targets of the Link Services to the new Controller.
For more information on backup and restore, click Controller Backup and Restoration.