Building Multicloud Transit Gateway Peering over Private Network
The Aviatrix Transit Gateway Peering over Private Network feature expands Transit Gateway peering to across multiclouds where there is a private network connectivity between the cloud providers via on-prem or a co-location. This enables customers to build high performance data networks while ensuring data privacy by encrypting data in motion.
The solution applies to AWS Direct Connect, Azure ExpressRoute, and Google Cloud Interconnect.
This document provides step-by-step instructions on how to build Aviatrix Transit Gateway Peering with Private Network over AWS Direct Connect and Azure ExpressRoute for R6.2 and later releases. In this document, you learn the following:
-
Workflow for building underlay connectivity for private network with AWS Direct Connect
-
Workflow for building underlay connectivity for private network with Azure ExpressRoute
-
Workflow for Aviatrix Transit Gateway Peering with private network
|
Topology
The key ideas for this solution are:
-
The edge (WAN) router runs a BGP session to AWS VGW via AWS Direct Connect where the edge router advertises the Azure Transit VNET CIDR and the AWS VGW advertises the AWS Transit VPC CIDR.
-
The edge (WAN) router runs a BGP session to Azure VNG via Azure ExpressRoute where the edge router advertises the AWS Transit VPC CIDR and the Azure VNG advertises the AZURE Transit VNET CIDR.
-
The edge (WAN) router redistributes AWS Transit VPC CIDR and AZURE Transit VNET CIDR.
-
Once the reachability between two cloud transits over private network is present, you are able to deploy Aviatrix Multi Cloud Global Transit Gateway Encrypted Peering over a Private Network.
Reachability between two transit networks' private CIDRs is not the responsibility of Aviatrix. |
Prerequisites
Upgrade Aviatrix Controller to the latest version.
In this example, we are going to deploy the below VPCs in AWS and Azure:
-
AWS Aviatrix Transit VPC (i.e. 10.1.0.0/16)
-
AWS Aviatrix Spoke VPC (i.e. 192.168.1.0/24)
-
Azure Aviatrix Transit VNET (i.e. 10.0.0.0/16)
-
Azure Aviatrix Spoke VNET (i.e. 192.168.0.0/24)
Workflow on building underlay connectivity for private network with AWS Direct Connect
Building AWS Direct Connect is your responsibility. For more information about AWS Direct Connect, see Connect Your Data Center to AWS.
Please adjust the topology depending on your requirements.
Build AWS Direct Connect
Refer to Equinix ECX Fabric AWS Direct Connect if you select an Equinix solution. The below is just an example.
Associate AWS VGW to AWS Transit VPC
-
Log into the AWS VPC Portal.
-
On the VPC dashboard, click Virtual private gateways.
-
Select the Virtual Private Gateway that has the private virtual interface to AWS Direct Connect.
-
From the Actions menu, select Attach to VPC.
-
Select the AWS Transit VPC and click Attach to VPC.
Workflow on building underlay connectivity for private network with Azure ExpressRoute
Building Azure ExpressRoute is your responsibility. For more information about Azure ExpressRoute, see the below documents:
-
Equinix ECX Fabric Microsoft Azure ExpressRoute if you select the Equinix solution. The below is just an example.
Please adjust the topology depending on your requirements.
Check Express Route Circuits - List Routes Table on Azure portal
-
Log in to the Azure Portal.
-
Search for "ExpressRoute circuits" in the search bar.
-
Select the "ExpressRoute circuits" that you created.
-
Select the Azure private peering row.
-
Click the hyperlink "Get route table".
-
Check whether the AWS Transit VPC’s CIDR appears in the table with the ASN Path of edge router and AWS VGW.
Workflow on Aviatrix Transit Gateway Peering with Private Network
Refer to Global Transit Network Workflow Instructions and Aviatrix Transit Gateway Peering for the below steps. Please adjust the topology depending on your requirements.
Deploy VPCs for Transit FireNet
-
Create an AWS Transit VPC and Azure Transit VNET with Transit + FireNet selected.
-
Create an AWS Spoke VPC and Azure Spoke VNET as per the previous step or by manually deploying in each cloud portal. You can use your existing cloud network.
Deploy Aviatrix Multicloud Transit Gateway and HA in AWS
Create an Aviatrix Transit Gateway with High Availability and High Performance Encryption (HPE) mode.
An instance size of at least c5.xlarge is required for High Performance Mode Encryption for higher throughput. The recommended minimum size for Transit in AWS is c5n.4xlarge. Please refer to High Performance Encryption Performance Benchmarks for performance details. |
Enable Route Propagation on the subnet route table for the Aviatrix Transit Gateway on AWS portal
-
Log into the AWS VPC portal.
-
Locate the subnet route table for the Aviatrix Transit Gateway.
-
Select the Route Propagation tab.
-
Click Edit route propagation.
-
On the Edit route propagation tab, locate the AWS VGW that is associated with this Transit VPC and select the Enable checkbox.
-
Click Save.
-
On the Route propagation tab, check if the Propagation status is Yes.
Check route propagation on AWS portal
-
In the AWS VPC portal, locate the subnet route table for the Aviatrix Transit Gateway.
-
On the Routes tab, check if there is a route entry pointing to the virtual private gateway (this is the Azure Transit VNet CIDR pointing to the virtual gateway).
Deploy Aviatrix Multicloud Transit Gateway and HA in Azure
-
Deploy the Transit Aviatrix Gateway and enable HA with HPE enabled in the Azure Transit VNET.
An instance size of at least Standard_D5_v2 will be required for High Performance Encryption Mode Encryption for higher throughput. Please refer to this High Performance Encryption Performance Benchmarks for performance details. -
Enable Transit FireNet Function (optional)
Check Effective Routes on Azure Portal
-
Log into the Azure Portal.
-
Search for "Network interfaces" in the search bar.
-
Select the Aviatrix Transit Gateway’s interface.
-
Click Effective routes.
-
Check if there is a route entry for the AWS Transit VPC’s CIDR pointing to the Next Hop Type Virtual network gateway.
Establish Transit Gateway Peering over Private Network
-
In Aviatrix CoPilot, go to Cloud Fabric > Gateways > Transit Gateways and click the edit icon next to the AWS Transit Gateway.
-
Ensure that the Azure Transit Gateway is shown in the Peer to Transit Gateways field (if not, click the dropdown in that field to add it).
-
Click Save.
Deploy Spoke Gateway and HA
-
Deploy a Spoke Gateway in the AWS Spoke VPC with HA and High Performance Encryption Mode enabled.
An instance size of at least c5.xlarge will be required for High Performance Encryption Mode Encryption for higher throughput.
-
Deploy a Spoke Gateway in the Azure Spoke VNet with HA and HPE enabled.
An instance size of at least Standard_D5_v2 will be required for High Performance Encryption Mode Encryption for higher throughput. Please refer to this High Performance Encryption Performance Benchmarks for performance detail.
Attach Spoke Gateways to Transit Network
See Attach Spoke Gateways to Transit Network to attach Aviatrix Spoke Gateways in AWS or Azure.