Site2Cloud Solution for Encryption over Direct Connect/ExpressRoute

AWS Direct Connect and Azure ExpressRoute provide a private routed circuit between an AWS VPC and an Azure VNet.

The Aviatrix Site2Cloud feature provides encryption over Direct Connect or ExpressRoute. This document describes how to implement the feature over Express Route. The same method applies to AWS.

The VNet VPN gateway that terminates the ExpressRoute connects VNet virtual machines with the on-prem servers in a traditional routing domain. While Azure ExpressRoute provides a private link between a customer’s on-prem network and an Azure VNet without going through the Internet, packets between on-prem edge and VNet travel through exchange points and third party provider networks and are not encrypted.

Aviatrix Solution for Encryption over ExpressRoute

The Aviatrix Site2Cloud solution can be applied to encrypt traffic over ExpressRoute, as shown below.

Topology Express Route

In the diagram above, an encrypted IPsec tunnel is established between an Aviatrix Gateway and the customer’s edge router.

An Aviatrix Gateway is deployed in a separate subnet from the subnets where the user virtual machines are launched. (The Controller is not drawn.) This is necessary as the Aviatrix Gateway is the router for user subnets to reach the enterprise data center.

An Aviatrix Gateway can be deployed in a 1:1 redundancy fashion where a backup gateway is ready to take over should the primary IPsec tunnel go down.

Configuration Workflow

Before beginning:

The configuration workflow is as follows, with major steps highlighted.

  1. Create a gateway in a VNet where you would like to connect to the enterprise datacenter. Make sure the gateway is launched in a different subnet from the user subnets. In this example, the gateway is deployed on Subnet1.

  1. (Optional) If enabling HA, add a second Instance row in the Gateway from step 1 which should be in the same VPC/VNet. The second Instance (for HA) should use a different subnet from the user subnets. In this example, the gateway is deployed on Subnet1.

  1. To create an external connection, go to Networking > Connectivity > External Connections (S2C).

  2. Click +External Connection.

  3. In the Add External Connection dialog, select External Device and then select one of these External Device options:

  4. Configure the external connection using the following information:

    Field Value

    Name

    Give the connection a unique name

    Connect Public Cloud To

    Static Route-Based (Mapped) or Static Policy-Based (Mapped)

    Local Gateway

    Select a Gateway launched earlier as the primary gateway

    Real Local Subnet CIDR(s)

    Specify a list of the source network CIDRs that will be encrypted. If left blank, the full CIDR is used. If you enter a value, make sure you include the VPC/VNet as well. These Local Subnets are advertised to Remote Subnets that the connection can reach.

    Virtual Local Subnet CIDR(s)

    A virtual local network CIDR that maps to the real local subnet

    Remote Gateway Type

    Generic

    Real Remote Subnet CIDR(s)

    Enter the network CIDR of the Enterprise data center. If there are multiple subnets separate them with commas.

    Virtual Remote Subnet CIDR(s)

    A virtual remote network CIDR that maps to the real remote subnet

    Pre-Shared Key

    Optional (auto-generated if not entered)

    Over Private Network

    Turn On

    Remote Gateway IP

    Enter the private IP address of the edge router for the Enterprise data center

  1. If you added an HA entry to the Aviatrix Gateway created above, you can add High Availability for this external connection. Click +Connection in the Add External Connection dialog to add another row and enter the Remote Gateway IP, Local Gateway Instance, Local Tunnel IP (optional), and Remote Tunnel IP (optional) for the HA gateway.

  2. Click Save.

Downloading the External Connection Configuration

You can generate a remote site configuration template. This template file contains the gateway public IP address, VPC/VNet CIDR, pre-shared secret and encryption algorithm. You can import the information to your remote router/firewall configuration.

To download an external connection configuration:

  1. Go to Networking > Connectivity > External Connections (S2C).

  2. On the External Connections (S2C) tab, locate the connection you created and click the vertical ellipsis 25 icon in that row.

  3. Click Download Configuration.

  4. Enter the following values:

    • Vendor: select your remote site device from the Vendor menu, or use the Generic/Vendor Independent template (you select Generic for anything that is not an Aviatrix gateway. If you are connecting two Aviatrix gateways, you select Aviatrix as the vendor).

    • Platform: If you select a Generic vendor, the Platform field is populated as Generic, and the Software field is populated with Vendor Independent.

      If you select the Aviatrix vendor, the Platform is populated with UCC, and the Software version is 1.0. If you select a specific hardware vendor (such as Cisco), available platforms belonging to that vendor are displayed in the Platform field (ISR, ASR, and CSR are for Cisco routers), and the Software field is populated with the related software version.

  5. Click Download.

Using the Downloaded Configuration

If connecting two Aviatrix gateways, you use the information from the downloaded configuration when creating the other side of the tunnel. Gateways can be created in different Controllers or in the same Controller. See Aviatrix Gateway to Aviatrix Gateway for more information.

If connecting an Aviatrix gateway to a firewall or other on-prem vendor, you can use the downloaded configuration information to populate the necessary information in your firewall UI.

At the enterprise data center or remote site, configure encryption on the edge device. Make sure your peer network is Subnet2 and Subnet3, as shown in this example.