Implementing Network Segmentation in an Aviatrix-Managed Network
Aviatrix Multicloud Transit Segmentation provides network isolation and enhanced security through network domains and connection policies to Aviatrix Transit network where both Spoke and Transit networks deploy Aviatrix Gateways across multi-region and multi-cloud.
The CoPilot Network Segmentation page enables you to configure network segmentation for Aviatrix Multicloud Transit Segmentation and view visualizations of your network domains and how they can or cannot connect to each other. The key use case for building network domains is to segment traffic for an enhanced security posture.
Aviatrix does not currently support duplicated CIDRs that cross domains or Transit networks. Overlapping CIDRs advertised from on-prem to different Spoke network domains connected to one Aviatrix Transit gateway is not supported. |
About Network Domains
When you identify groups of Spoke and Edge VPC/VNets in your infrastructure with the same requirements from a networking point of view (network reachability), you may want to group them so that you can apply connection policies at the group level. You can group them as members of an Aviatrix network domain. A network domain is an Aviatrix enforced network of one or more Spoke or Edge VPC/VNets. You use the network domains in conjunction with connection policies to achieve the network isolation for inter-VPC/VNet connectivity that you want for your network. You can have up to 200 network domains on each Aviatrix Transit Gateway.
The following diagram shows two network domains, one named Blue and one named Green.
In the above diagram, Spokes associated with the Blue Domain can communicate with each other, and Spokes associated with the Green Domain can communicate with each other. However, there is no cross-communication between the Blue and Green Domains unless you configure a connection policy. These connection policies are implemented with Aviatrix Transit where both Spokes and the Transit VPC/VNet deploy Aviatrix gateways.
This segmentation works with Azure native Spoke VNets. |
When you create a network domain, you give it a unique name, specify the Spoke and Edge VPC/VNets that are members of it, and specify any connection relationships you want it to have with other network domains.
Spoke and Edge VPC/VNets within a given network domain communicate with each other via an Aviatrix transit gateway that is enabled for network segmentation. You must enable Transit Gateways for network segmentation before creating network domains that will use those Transit Gateways for communication.
When a network domain is saved, the Aviatrix Controller dynamically programs and updates all applicable VPC/VNet route tables so that instances in different Spoke and Edge VPC/VNets in the same network domain can communicate with each other.
A network domain also applies to the hybrid connection from Aviatrix Transit Gateway to on-prem or remote sites. Each BGP peer or connection can be associated with one network domain.
Configuring Network Segmentation for Inter-VPC/VNet Connectivity
-
In CoPilot, go to Networking > Network Segmentation or search for Network Segmentation in the navigation search.
-
Enable network segmentation on each of the Aviatrix Transit Gateways in your network that will route traffic between network-domain members.
-
Verify that your network segmentation configuration is implemented the way you want:
-
In CoPilot, refer to the Networking > Network Segmentation > Logical, Physical, or Regional View visualizations. You should see your network domains. See Network Segmentation Visualizations for a description of the visualizations.
-
Log in to compute instances that are running in separate Spoke and Edge VPC/VNets that are members of the same network domain and verify they are allowed to connect to each other and not allowed to connect to Spoke and Edge VPC/VNets that are not members of the network domain.
-
Log in to compute instances that are running in different Spoke and Edge VPC/VNets that are members of different network domains that have a connection relationship and verify they are allowed to connect to each other.
-
Editing Your Network Segmentation Configuration
If needed, you can make changes to your network segmentation configuration. Note the following points about changing a network segmentation configuration:
-
For Transit Gateways that route traffic in your segments, you can disable them from network segmentation. You should only do this if there are no longer network domains relying on them for connectivity.
-
For a given network domain, you can change its members (disassociate a Spoke or Edge gateway from it or associate new Spoke or Edge Gateways to it) and connection relationships to other domains at any time.
-
If you decide to switch network domains for a given Spoke or Edge Gateway, you must first disassociate the Spoke or Edge Gateway from the network domain it is currently a member of before associating it with another network domain. For example, if you want a Spoke to be in Domain_Dev instead of Domain_Prod, you must first remove the Spoke from the associations list of Domain_Prod and save the domain, and then add the Spoke to the associations list of Domain_Dev and save the domain.
-
Currently, you cannot change the name of a network domain after it has been saved. If you want to use a different name for an existing network segment, you must disassociate all Spoke and Edge Gateways and connection relationships from them and create a new network domain with those configurations with the new name.
Enabling a Transit Gateway for Network Segmentation
This section describes how to enable network segmentation for inter-VPC/VNet connectivity using network domains. You must enable network segmentation on all Transit Gateways that will route traffic between the Aviatrix network domains.
I want to add a note here indicating why a Transit Gateway might not be available for network segmentation. |
These instructions apply if you are using the Aviatrix CoPilot user interface to build network segmentation. To enable network segmentation using Aviatrix Controller, see the discussion about the Aviatrix multicloud transit segmentation workflow in the Aviatrix documentation.
To enable a Transit Gateway for network segmentation:
-
In CoPilot, go to Networking > Network Segmentation or search for Network Segmentation in the navigation search.
-
In the Network Domain view, click Transit Gateways.
-
Toggle the network segmentation option to Enabled for each Transit Gateway in your infrastructure that will route traffic for the Spoke and Edge VPC/VNets that will be members of your network domains.
-
Click Save.
The selected Transit Gateways are now enabled for network segmentation.
If you disable network segmentation on a Transit Gateway that connects Spoke and Edge VPC/VNets that are members of a network domain, the Spoke and Edge VPC/VNets will no longer be able to communicate with each other using that Transit Gateway.
Creating, Connecting, and Associating a Network Domain
Create a network domain to be used for network segmentation, which will also create a connection policy and associate a Spoke/Edge Gateway to the network domain. See also About Network Domains.
Prerequisite: Before creating an Aviatrix network domain, verify that you have enabled network segmentation on the Transit Gateways that will route traffic for its members.
To create a network domain:
-
In CoPilot, go to Networking > Network Segmentation or search for Network Segmentation in the navigation search.
-
In the Network Domain view, click + Network Domain.
-
In the Create Network Domain dialog, specify a unique name for the network domain.
A network-domain name can only have letters, digits, a hyphen (-), and an underscore (_). The name must start with a letter and must have 2-27 characters. For example, Dev_Domain.
After you create and save a network domain, you cannot change its name. -
From the Associations list, select the Spoke or Edge Gateway(s), or AWS TGW, that are to be members of this network domain. Network domain members can communicate with each other but cannot communicate with members of other network domains unless you configure them to do so in the next step.
After you select an association it is unavailable for any other network domains you create.
-
From the Connect to Network Domain list, specify the connection relationship (connection policy) of this network domain to other network domains. When you specify a connection relationship, it means the spokes in this network domain can communicate with Spoke/Edge Gateways of the other network domain.
-
Click Save.
When you save the network domain configuration, Aviatrix Controller dynamically programs and updates the applicable VPC/VNet route tables so that instances in different Spoke and Edge VPC/VNets in the same network domain (and in connected network domains, if applicable) can communicate with each other.
AWS TGW Network Domain Associations
If you associate an AWS TGW domain to the network domain, now any resources (regardless of whether they are AWS TGW or Aviatrix Transit) that share the network domain can communicate with each other. The following is now also possible:
-
AWS TGW native Edge connections can route to Spokes attached to an Aviatrix Transit network.
-
Can peer an AVX Transit to an AWS TGW that is connected to on-prem. The network domains in both of these domains will work across Transit gateway peering and vice versa (but not AWS TGW peering).
-
Any two Aviatrix network domains that are connected are able to route to TGW Shared Services (for example, if Transit domain 1 is connected to Transit domain 2, and TGW domain A is associated with Transit domain 1, then TGW domain A can communicate with Spoke gateways in Transit domain 2).
-
TGW domains associated with any two connected Aviatrix network domains can communicate with each other (as long as they are not in the same TGW).
VPCs in the same AWS TGW but in different domains cannot communicate with each other unless you configure a connection policy.
For a VPC attached to the TGW domains that are connected to an Edge domain, its VPC CIDR is propagated to the main route table of the Transit gateway and its connected Transit/Spoke gateways.
Network Domain Connections
It may be easiest to create network domains first, and then click the Edit icon to connect the domains (using the Connect to Network Domain field).
Connecting network domains allows you to identify groups of Spoke and Edge Gateways/AWS TGW domains that have the same requirements from a networking point of view, and to apply connection policies at a group level. Two connected domains imply that Spoke and Edge Gateways in each domain can communicate with each other despite being in different domains.
Network Segmentation Visualizations
In Networking > Network Segmentation > Overview, CoPilot uses visual elements to demonstrate the segments of your Aviatrix transit network that can and cannot communicate with each other if you created Aviatrix enforced network domains. The segments (network domains) and their ability to communicate with each other is dictated by the connection relationships you configure. You can enable network segmentation in Aviatrix Controller or in Aviatrix CoPilot. After your network segmentation configuration is enabled and saved, CoPilot dynamically shows the logical and physical view of your network-domain segments and their connection relationships in the network graph logical and physical views.
In Logical View, CoPilot lists the defined network domains and shows how they can and cannot communicate with each other (Network Domain Relationships). CoPilot also shows the connectivity between gateway VPCs/VNets (Spoke/Edge or Site2Cloud instances) based on their network domains (Multi Cloud Network Domain Connectivity). The thick colored lines on the circle’s edge represent the network domain assigned to the gateway’s nodes resting on them and the thin colored lines within the circle represent the connectivity between the gateways.
In Physical View, CoPilot shows how Spoke/Edge VPCs/VNets can communicate with other spoke VPCs/VNets based on their allowed network-domain connection relationships. When you hover over a Spoke/Edge node on the circle, the thin colored lines within the circle represent the connectivity from that Spoke/Edge to other Spokes/Edges allowed to communicate with it.
In Regional View, CoPilot shows how Spoke/Edge VPC/VNets can communicate with other Spoke/Edge VPC/VNets based on their Gateway Regions. When you hover over a Spoke/Edge node on the circle, the thin colored lines within the circle represent the connectivity from that Spoke/Edge to other Spokes/Edges allowed to communicate with it.