Site2Cloud Solution for Encryption over Direct Connect/ExpressRoute
AWS Direct Connect and Azure ExpressRoute provide a private routed circuit between an AWS VPC and an Azure VNet.
The Aviatrix Site2Cloud feature provides encryption over Direct Connect or ExpressRoute. This document describes how to implement the feature over ExpressRoute. The same method applies to AWS Direct Connect.
The VNet VPN gateway that terminates the ExpressRoute connects VNet virtual machines with the on-prem servers in a traditional routing domain. While Azure ExpressRoute provides a private link between a customer's on-prem network and an Azure VNet without going through the Internet, packets between the on-prem edge and the VNet travel through exchange points and third-party provider networks and are not encrypted.
Aviatrix Solution for Encryption over ExpressRoute
The Aviatrix Site2Cloud solution can be applied to encrypt traffic over ExpressRoute, as shown below.
In the diagram above, an encrypted IPsec tunnel is established between an Aviatrix Gateway and the customer’s edge router.
An Aviatrix Gateway is deployed in a separate subnet from the subnets where the user virtual machines are launched. (The Controller is not drawn.) This is necessary as the Aviatrix Gateway is the router for user subnets to reach the enterprise data center.
An Aviatrix Gateway can be deployed in a 1:1 redundancy fashion where a backup gateway is ready to take over should the primary IPsec tunnel go down.
Configuration Workflow
Before beginning:
- Make sure your Controller is upgraded to the latest version.
- Decide if you want to enable HA for the gateway.
The configuration workflow is as follows, with major steps highlighted.
- Create a gateway in a VNet where you would like to connect to the enterprise datacenter. Make sure the gateway is launched in a different subnet from the user subnets. In this example, the gateway is deployed on Subnet1.
- (Optional) If enabling HA, add a second Instance row in the Gateway from step 1 which should be in the same VPC/VNet. The second Instance (for HA) should use a different subnet from the user subnets. In this example, the gateway is deployed on Subnet1.
- To create an external connection, go to Networking > Connectivity > External Connections (S2C).
- Click +External Connection.
- In the Add External Connection dialog, select External Device and then select one of these External Device options:
- Configure the external connection using the following field values:
    Name: Give the connection a unique name.
    Connect Public Cloud To: Static Route-Based (Mapped) or Static Policy-Based (Mapped).
    Local Gateway: Select a Gateway launched earlier as the primary gateway.
    Real Local Subnet CIDR(s): Specify a list of the source network CIDRs that will be encrypted. If left blank, the full CIDR is used. If you enter a value, make sure you include the VPC/VNet as well. These Local Subnets are advertised to Remote Subnets that the connection can reach.
    Virtual Local Subnet CIDR(s): A virtual local network CIDR that maps to the real local subnet.
    Remote Gateway Type: Generic.
    Real Remote Subnet CIDR(s): Enter the network CIDR of the Enterprise data center. If there are multiple subnets, separate them with commas.
    Virtual Remote Subnet CIDR(s): A virtual remote network CIDR that maps to the real remote subnet.
    Pre-Shared Key: Optional (auto-generated if not entered).
    Over Private Network: Turn On.
    Remote Gateway IP: Enter the private IP address of the edge router for the Enterprise data center.
- If you added an HA entry to the Aviatrix Gateway created above, you can add High Availability for this external connection. Click +Connection in the Add External Connection dialog to add another row and enter the Remote Gateway IP, Local Gateway Instance, Local Tunnel IP (optional), and Remote Tunnel IP (optional) for the HA gateway.
- Click Save.
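As an added example (not Aviatrix code), a stand-alone Python pre-flight check for the CIDR fields of a mapped external connection: real local subnets must sit inside the VNet, the virtual local and virtual remote CIDRs the peers route to must not overlap, and, as an assumption of this example rather than a rule from the page, each real/virtual pair must have matching prefix lengths for a 1:1 mapping. The sample values below are constructed.

```python
# Added example, not Aviatrix code: consistency check for the CIDR fields of a
# "Static Route-Based (Mapped)" external connection, standard library only.
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List


@dataclass
class MappedS2C:
    vnet_cidr: str
    real_local: List[str]       # blank list = full VNet CIDR (per the workflow above)
    virtual_local: List[str]
    real_remote: List[str]
    virtual_remote: List[str]


def _nets(cidrs):
    return [ip_network(c.strip(), strict=True) for c in cidrs if c.strip()]


def _overlaps(a, b):
    return [(x, y) for x in a for y in b if x.overlaps(y)]


def validate(cfg: MappedS2C) -> List[str]:
    """Return a list of problems; an empty list means the fields are consistent."""
    problems = []
    vnet = ip_network(cfg.vnet_cidr)
    real_local = _nets(cfg.real_local) or [vnet]
    virt_local, real_remote, virt_remote = (
        _nets(cfg.virtual_local), _nets(cfg.real_remote), _nets(cfg.virtual_remote))
    # Real local subnets must belong to the VNet the gateway is deployed in.
    for n in real_local:
        if not n.subnet_of(vnet):
            problems.append(f"real local {n} is not inside VNet {vnet}")
    # Mapped mode exists to tolerate overlapping real ranges, but the virtual
    # ranges that are actually routed over the tunnel must be disjoint.
    if _overlaps(virt_local, virt_remote):
        problems.append("virtual local and virtual remote CIDRs overlap")
    if _overlaps(real_local, real_remote) and not (virt_local and virt_remote):
        problems.append("real local/remote CIDRs overlap but no virtual CIDRs given")
    # Assumption of this example: a 1:1 mapping needs equal counts and prefix lengths.
    for label, real, virt in (("local", real_local, virt_local),
                              ("remote", real_remote, virt_remote)):
        if virt and len(real) != len(virt):
            problems.append(f"{label}: {len(real)} real vs {len(virt)} virtual CIDRs")
        for r, v in zip(real, virt):
            if r.prefixlen != v.prefixlen:
                problems.append(f"{label}: {r} and {v} differ in prefix length")
    return problems


# Constructed sample: VNet user subnets (Subnet2, Subnet3) mapped because the
# data center reuses 10.10.2.0/24; GOOD passes, BAD shows two typical mistakes.
GOOD = MappedS2C("10.10.0.0/16", ["10.10.2.0/24", "10.10.3.0/24"],
                 ["172.16.2.0/24", "172.16.3.0/24"], ["10.10.2.0/24"], ["192.168.2.0/24"])
BAD = MappedS2C("10.10.0.0/16", ["10.20.0.0/24"], [], ["10.20.0.0/24"], [])
```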
Downloading the External Connection Configuration
You can generate a remote site configuration template. This template file contains the gateway public IP address, VPC/VNet CIDR, pre-shared secret and encryption algorithm. You can import the information to your remote router/firewall configuration.
To download an external connection configuration:
- Go to Networking > Connectivity > External Connections (S2C).
- On the External Connections (S2C) tab, locate the connection you created and click the vertical ellipsis icon in that row.
- Click Download Configuration.
- Enter the following values:
    - Vendor: select your remote site device from the Vendor menu, or use the Generic/Vendor Independent template. Select Generic for anything that is not an Aviatrix gateway; if you are connecting two Aviatrix gateways, select Aviatrix as the vendor.
    - Platform: if you select the Generic vendor, the Platform field is populated with Generic and the Software field with Vendor Independent. If you select the Aviatrix vendor, the Platform is populated with UCC and the Software version with 1.0. If you select a specific hardware vendor (such as Cisco), the platforms available for that vendor are displayed in the Platform field (ISR, ASR, and CSR are Cisco routers), and the Software field is populated with the related software version.
- Click Download.
Using the Downloaded Configuration
If connecting two Aviatrix gateways, you use the information from the downloaded configuration when creating the other side of the tunnel. Gateways can be created in different Controllers or in the same Controller. See Aviatrix Gateway to Aviatrix Gateway for more information.
If connecting an Aviatrix gateway to a firewall or other on-prem vendor, you can use the downloaded configuration information to populate the necessary information in your firewall UI.
At the enterprise data center or remote site, configure encryption on the edge device. Make sure your peer network is Subnet2 and Subnet3, as shown in this example.