Accessing a Virtual IP address instance via Aviatrix Transit Network

This document addresses the scenario where a customer's on-prem firewall needs to send encrypted traffic to a partner network in the cloud (AWS/Azure/GCP), but, because of concerns about CIDR blocks overlapping with the customer network, the customer side enforces a policy that the destination IP address must be a public or virtual IP address, regardless of whether the partner network uses the RFC 1918 range.

For example, the VPC instance that the on-prem host needs to reach has the IP address 172.123.4.5, but the on-prem host must instead send its traffic to a virtual IP address such as 54.189.117.94 (or even 100.100.100.100).

For a single VPC, this problem is normally solved by combining the Site2Cloud feature with the DNAT feature.

There are situations where multiple applications live in different VPCs, and it is desirable to reach each of them through its own virtual address without building a separate IPsec tunnel to each cloud network. This can be accomplished by building an Aviatrix Transit Network in which Spoke VPCs host the different applications, as shown in the diagram below.

(Diagram: transit-publicIP)

Below are the configuration steps.

Step 1: Determine the virtual IP address

As this virtual IP address is what the on-prem host sees, it should not change once chosen. There are a couple of options for a virtual IP address:

  • You can allocate an EIP in the VPC for this virtual IP address. Make sure you don't associate this EIP with any instance, so that it stays reserved for this purpose.

  • Alternatively, if the EC2 instance that on-prem hosts need to send data to already has an EIP, you can use that EIP.

You can also use an address from the 100.64.0.0/10 shared address space (RFC 6598), for example in the 100.100.x.x range. It is not RFC 1918 and is not routable on the public Internet, so it satisfies the customer's policy as long as nothing on the customer side already uses it.

Whichever option you choose, verify that the address does not overlap any CIDR already in use on-prem, and that the on-prem firewall prefers the /32 for the virtual IP learned over the tunnel to its default route; otherwise traffic for a public virtual IP would be sent toward the Internet instead of into the tunnel.
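The checks above can be scripted before the address is committed. The following is an added example, not part of the Aviatrix documentation: it classifies a candidate virtual IP (public, RFC 6598 shared space, or RFC 1918) and flags overlaps with the customer's on-prem CIDRs and the Spoke VPC CIDR. The on-prem CIDR list and the set of EIPs treated as owned by the account are constructed sample inputs; the IP addresses themselves are the ones used on this page.

```python
"""Check a candidate virtual IP against the constraints of Step 1.

Added example (not Aviatrix code). Classifies a proposed virtual IP and
flags overlaps with on-prem CIDRs and the Spoke VPC CIDR. The CIDR lists
passed in by the caller are constructed sample inputs.
"""
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SHARED_ADDRESS_SPACE = ip_network("100.64.0.0/10")  # RFC 6598, not Internet-routable


def classify(addr):
    """Return 'rfc1918', 'shared', 'special' or 'public' for an IPv4 address.

    Explicit prefix membership is used instead of ipaddress.is_private, whose
    definition has changed across Python versions and does not match the
    customer's policy exactly.
    """
    if any(addr in n for n in RFC1918):
        return "rfc1918"
    if addr in SHARED_ADDRESS_SPACE:
        return "shared"
    if (addr.is_multicast or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_unspecified):
        return "special"
    return "public"


def check_virtual_ip(vip, onprem_cidrs, vpc_cidrs, owned_eips=()):
    """Validate a virtual IP for the Step 1 policy.

    Returns (ok, kind, problems). A public address is only acceptable if it is
    an EIP the account owns (the allocated or instance EIP from Step 1).
    """
    addr = ip_address(vip)
    kind = classify(addr)
    problems = []
    if kind == "rfc1918":
        problems.append("virtual IP is RFC 1918; policy requires a public or virtual address")
    if kind == "special":
        problems.append("virtual IP is in a special-purpose range (loopback, link-local, multicast, reserved)")
    if kind == "public" and str(addr) not in owned_eips:
        problems.append("public virtual IP is not an EIP owned by this account")
    for cidr in onprem_cidrs:
        if addr in ip_network(cidr):
            problems.append(f"virtual IP overlaps on-prem CIDR {cidr}")
    for cidr in vpc_cidrs:
        if addr in ip_network(cidr):
            problems.append(f"virtual IP falls inside Spoke VPC CIDR {cidr}; choose an address outside the VPC")
    return (not problems, kind, problems)


if __name__ == "__main__":
    # Constructed sample environment: typical on-prem RFC 1918 space plus the
    # Spoke VPC from Step 2 and the EIP from this page's example.
    onprem = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
    vpcs = ["172.32.0.0/16"]
    eips = {"54.189.117.94"}
    for candidate in ("54.189.117.94", "100.100.100.100", "10.20.30.40", "172.32.4.4"):
        ok, kind, problems = check_virtual_ip(candidate, onprem, vpcs, eips)
        print(candidate, kind, "OK" if ok else problems)
```

Run it with the candidate addresses from this page to see which pass: the allocated EIP and the 100.100.x.x address are accepted, while an RFC 1918 address or an address inside the Spoke VPC CIDR is rejected with the reason.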

Step 2: Follow the Transit Network workflow to launch a Spoke gateway

In the Aviatrix Controller, open the Transit Network workflow and follow its Spoke gateway launch step to launch a gateway in the VPC 172.32.0.0/16. In this example the gateway is named Spoke1.

(The general gateway launch instructions apply. Leave the optional parameters unchecked.)

Step 3: Customize Spoke gateway advertised routes

On the Gateway page, highlight the Spoke gateway created in the previous step and click Edit.

Scroll down to "Customize Spoke Advertised VPC CIDRs" and enter the virtual IP as a /32, in this example 54.189.117.94/32.

With this customization, the Spoke gateway advertises 54.189.117.94/32 to the Transit Gateway, which propagates it to on-prem. The on-prem firewall therefore learns a /32 route for the virtual IP that points into the tunnel, which is more specific than its default route to the Internet.

Step 4: Attach the Spoke gateway

On the Multi-Cloud Transit > Setup > Attach/Detach page, attach the Spoke gateway to the Transit VPC.

Step 5: Configure DNAT on Spoke gateway

This step configures the Spoke gateway to translate the destination virtual IP address 54.189.117.94 to the instance's real VPC address 172.123.4.5.

  1. On the Gateway page, highlight the Spoke gateway and click Edit.

  2. Scroll down to Destination NAT and follow the Destination NAT instructions to add a rule that matches destination 54.189.117.94/32 and rewrites the destination to 172.123.4.5, as shown below. The optional "Connection" field restricts the rule to traffic arriving over one connection. Note that this document configures no Site2Cloud connection on the Spoke gateway (Step 3 only customized the advertised CIDRs), so if you scope the rule, select the connection through which on-prem traffic reaches this Spoke.

(Screenshot: dnat-config)

Step 6: Test

Test connectivity from the on-prem host to the EC2 instance. For example, ping the virtual IP address 54.189.117.94 from an on-prem host. The request should reach 172.123.4.5, and the reply should arrive at the on-prem host with source 54.189.117.94.

If the ping fails, check that the instance's security group and network ACLs allow ICMP from the on-prem source, and that the VPC route table sends traffic for the on-prem CIDR back through the same Spoke gateway. The gateway's NAT is stateful: it can only translate the reply's source address from 172.123.4.5 back to 54.189.117.94 if the reply passes through it. A reply that bypasses the gateway arrives with source 172.123.4.5, which the on-prem host did not ping and will discard.
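The translation performed in Step 5 and the return path exercised by the Step 6 test are easier to reason about with a model of the gateway's stateful DNAT. The following is an added example, not Aviatrix code: it applies a destination-NAT rule to traffic arriving from on-prem, records the flow, and uses that state to restore the virtual IP on the reply. The addresses 54.189.117.94 and 172.123.4.5 are the ones used on this page; the on-prem host 10.1.1.10 and on-prem CIDR 10.0.0.0/8 are constructed for the example, and the ICMP identifier is used as the flow's port pair.

```python
"""Model of the Spoke gateway's stateful DNAT (Step 5) and the Step 6 ping.

Added example (not Aviatrix code). Shows why the reply from the instance must
traverse the same gateway: only the gateway that translated the request holds
the state needed to restore the virtual IP on the reply. The on-prem host and
on-prem CIDR used in __main__ and in the helpers' callers are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

VIRTUAL_IP = "54.189.117.94"   # advertised /32 that on-prem sends to (Step 3)
REAL_IP = "172.123.4.5"        # instance address inside the Spoke VPC


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int   # for ICMP echo, the identifier is carried in both fields
    dport: int


class SpokeDnat:
    """DNAT rules plus a connection-tracking table keyed on the translated flow."""

    def __init__(self, rules, onprem_cidrs):
        self.rules = dict(rules)                     # virtual IP -> real IP
        self.scope = [ip_network(c) for c in onprem_cidrs]
        self.conntrack = {}                          # flow key -> virtual IP hit

    def from_onprem(self, pkt):
        """Traffic arriving over the Transit connection, headed into the VPC."""
        if not any(ip_address(pkt.src) in n for n in self.scope):
            return pkt                               # not from on-prem: rule does not apply
        real = self.rules.get(pkt.dst)
        if real is None:
            return pkt                               # no rule for this destination
        key = (real, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        self.conntrack[key] = pkt.dst                # remember which virtual IP was used
        return replace(pkt, dst=real)

    def to_onprem(self, pkt):
        """Reply from the instance, headed back to on-prem."""
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        vip = self.conntrack.get(key)
        if vip is None:
            return pkt                               # no state: source stays the real IP
        return replace(pkt, src=vip)                 # restore the virtual IP the host expects


def ping_through_gateway(gw, onprem_host, icmp_id=0x1234):
    """Step 6 ping where request and reply both traverse the Spoke gateway."""
    request = gw.from_onprem(Packet(onprem_host, VIRTUAL_IP, "icmp", icmp_id, icmp_id))
    reply = gw.to_onprem(Packet(request.dst, request.src, "icmp", icmp_id, icmp_id))
    # The on-prem host only accepts a reply from the address it pinged.
    accepted = reply.src == VIRTUAL_IP and reply.dst == onprem_host
    return accepted, request, reply


def ping_with_asymmetric_return(gw, onprem_host, icmp_id=0x1234):
    """Request traverses the gateway, but the reply bypasses it (VPC routing error)."""
    request = gw.from_onprem(Packet(onprem_host, VIRTUAL_IP, "icmp", icmp_id, icmp_id))
    reply = Packet(request.dst, request.src, "icmp", icmp_id, icmp_id)  # never translated
    accepted = reply.src == VIRTUAL_IP and reply.dst == onprem_host
    return accepted, request, reply


if __name__ == "__main__":
    gw = SpokeDnat({VIRTUAL_IP: REAL_IP}, ["10.0.0.0/8"])   # constructed on-prem CIDR
    ok, req, rep = ping_through_gateway(gw, "10.1.1.10")      # constructed on-prem host
    print("symmetric :", "accepted" if ok else "dropped", req, rep)
    ok, req, rep = ping_with_asymmetric_return(gw, "10.1.1.10")
    print("asymmetric:", "accepted" if ok else "dropped", req, rep)
```

The symmetric case prints the request rewritten to 172.123.4.5 and the reply restored to 54.189.117.94; the asymmetric case shows the reply leaving with source 172.123.4.5, which is exactly what a failing Step 6 ping looks like when the VPC route table does not return on-prem traffic through the Spoke gateway.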