Site2Cloud Solution for Encryption over Direct Connect/ExpressRoute

AWS Direct Connect and Azure ExpressRoute provide a private routed circuit between an AWS VPC and an Azure VNet.

The Aviatrix Site2Cloud feature provides encryption over Direct Connect or ExpressRoute. This document describes how to implement the feature over ExpressRoute. The same method applies to AWS Direct Connect.

The VNet VPN gateway that terminates the ExpressRoute connects VNet virtual machines with the on-prem servers in a traditional routing domain. While Azure ExpressRoute provides a private link between a customer’s on-prem network and an Azure VNet without going through the Internet, packets between the on-prem edge and the VNet travel through exchange points and third-party provider networks and are not encrypted.

Aviatrix Solution for Encryption over ExpressRoute

The Aviatrix Site2Cloud solution can be applied to encrypt traffic over ExpressRoute, as shown below.

Topology Express Route

In the diagram above, an encrypted IPsec tunnel is established between an Aviatrix Gateway and the customer’s edge router.

An Aviatrix Gateway is deployed in a separate subnet from the subnets where the user virtual machines are launched. (The Controller is not drawn.) This is necessary as the Aviatrix Gateway is the router for user subnets to reach the enterprise data center.

An Aviatrix Gateway can be deployed in a 1:1 redundancy fashion where a backup gateway is ready to take over should the primary IPsec tunnel go down.

Configuration Workflow

Before beginning:

The configuration workflow is as follows, with major steps highlighted.

  1. Create a gateway in a VNet where you would like to connect to the enterprise datacenter. Make sure the gateway is launched in a different subnet from the user subnets. In this example, the gateway is deployed on Subnet1.

  2. (Optional) If enabling HA, add a second Instance row in the Gateway from step 1 which should be in the same VPC/VNet. The second Instance (for HA) should use a different subnet from the user subnets. In this example, the gateway is deployed on Subnet1.

  3. To create an external connection, go to Networking > Connectivity > External Connections (S2C).

  4. Click +External Connection.

  5. In the Add External Connection dialog, select External Device and then select one of these External Device options:

  6. Configure the external connection using the following information (field: value):

     Name: Give the connection a unique name.

     Connect Public Cloud To: Static Route-Based (Mapped) or Static Policy-Based (Mapped).

     Local Gateway: Select a Gateway launched earlier as the primary gateway.

     Real Local Subnet CIDR(s): Specify a list of the source network CIDRs that will be encrypted. If left blank, the full CIDR is used. If you enter a value, make sure you include the VPC/VNet as well. These Local Subnets are advertised to Remote Subnets that the connection can reach.

     Virtual Local Subnet CIDR(s): A virtual local network CIDR that maps to the real local subnet.

     Remote Gateway Type: Generic.

     Real Remote Subnet CIDR(s): Enter the network CIDR of the Enterprise data center. If there are multiple subnets, separate them with commas.

     Virtual Remote Subnet CIDR(s): A virtual remote network CIDR that maps to the real remote subnet.

     Pre-Shared Key: Optional (auto-generated if not entered).

     Over Private Network: Turn On.

     Remote Gateway IP: Enter the private IP address of the edge router for the Enterprise data center.

  7. If you added an HA entry to the Aviatrix Gateway created above, you can add High Availability for this external connection. Click +Connection in the Add External Connection dialog to add another row and enter the Remote Gateway IP, Local Gateway Instance, Local Tunnel IP (optional), and Remote Tunnel IP (optional) for the HA gateway.

  8. Click Save.
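As an added pre-save check (example code written for this page, not Aviatrix's own), the following Python validates the Mapped external-connection parameters from the table above: the Remote Gateway IP must be private when Over Private Network is on, the real local subnets must sit inside the VNet, and overlapping real ranges require non-overlapping virtual ranges. The VNet CIDR argument and the rule that each virtual CIDR must have the same prefix length as the real CIDR it maps are assumptions of this example.

```python
import ipaddress
from typing import List

# Constructed for this example: the three RFC 1918 ranges a private-circuit peer may use.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _nets(cidrs: List[str]) -> List[ipaddress.IPv4Network]:
    # strict=True rejects CIDRs with host bits set, e.g. 10.0.1.5/24
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def check_s2c_mapped(vnet_cidr: str, real_local: List[str], virtual_local: List[str],
                     real_remote: List[str], virtual_remote: List[str],
                     remote_gw_ip: str, over_private: bool = True) -> List[str]:
    """Return the list of problems found; an empty list means the parameters are consistent."""
    problems: List[str] = []
    vnet = ipaddress.ip_network(vnet_cidr)
    rl, vl, rr, vr = map(_nets, (real_local, virtual_local, real_remote, virtual_remote))
    # Over Private Network means the edge router is reached across ExpressRoute /
    # Direct Connect, so Remote Gateway IP must be a private address, not a public one.
    gw = ipaddress.ip_address(remote_gw_ip)
    if over_private and not any(gw in n for n in RFC1918):
        problems.append(f"Remote Gateway IP {gw} is not an RFC 1918 address")
    # Real Local Subnet CIDRs are the encrypted source networks; they must lie inside the VNet.
    for n in rl:
        if not n.subnet_of(vnet):
            problems.append(f"real local subnet {n} is outside VNet {vnet}")
    # Mapped mode exists to resolve address overlap: if the real local and real remote
    # ranges overlap, virtual CIDRs are required and must not overlap each other.
    if any(a.overlaps(b) for a in rl for b in rr) and not (vl and vr):
        problems.append("real local and real remote CIDRs overlap but no virtual CIDRs were given")
    for a in vl:
        for b in vr:
            if a.overlaps(b):
                problems.append(f"virtual CIDRs {a} and {b} overlap")
    # Assumption of this example: each virtual CIDR maps one-to-one onto a real CIDR
    # of the same prefix length, so the two lists must pair up.
    for side, real, virt in (("local", rl, vl), ("remote", rr, vr)):
        if virt and len(real) != len(virt):
            problems.append(f"{side}: {len(real)} real CIDRs but {len(virt)} virtual CIDRs")
        for r, v in zip(real, virt):
            if r.prefixlen != v.prefixlen:
                problems.append(f"{side}: {r} and {v} differ in prefix length")
    return problems
```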

Download the External Connection Configuration

If you are connecting an Aviatrix gateway and an on-premises router or firewall, Aviatrix can generate a configuration file that you can apply to your remote router or firewall. The configuration file contains the Aviatrix gateway tunnel details, such as the Public IP address, VPC/VNet CIDR, pre-shared key, and encryption algorithm. You can download the configuration file and then import the details to your remote router or firewall to configure the other end of the VPN tunnel.

After creating an external connection, to download an external connection configuration:

  1. In Aviatrix CoPilot, go to Networking > Connectivity > External Connections (S2C) tab.

  2. On the External Connections (S2C) tab, locate the connection you created and click the vertical ellipsis icon on the right side of the row.

  3. Select the following values:

    • Vendor: Select your remote site device. Select Generic for anything that is not an Aviatrix gateway. If you are connecting two Aviatrix gateways, you select Aviatrix as the vendor.

    • Platform and Software:

      • If you selected a Generic vendor, the Platform field is populated as Generic, and the Software field is populated with Vendor Independent.

      • If you selected the Aviatrix vendor, the Platform field is populated with UCC, and the Software version is 1.0.

      • If you selected a specific hardware vendor (such as Cisco), the available platforms belonging to that vendor are displayed in the Platform field (ISR, ASR, and CSR are Cisco routers); select one, and the Software field is populated with the related software version.

  4. Click Download.

At the enterprise data center or remote site, configure encryption on the edge device. Make sure the peer networks are Subnet2 and Subnet3, as in this example.