diff --git a/.readthedocs.yaml b/.readthedocs.yaml new file mode 100644 index 000000000..cd907238a --- /dev/null +++ b/.readthedocs.yaml @@ -0,0 +1,20 @@ +# .readthedocs.yaml +# Read the Docs configuration file +# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details + +# Required +version: 2 + +# Build documentation in the docs/ directory with Sphinx +sphinx: + configuration: conf.py + +# Optionally build your docs in additional formats such as PDF +#formats: +# - pdf + +# Optionally set the version of Python and requirements required to build your docs +python: + version: 3.7 + install: + - requirements: requirements.txt diff --git a/Downloads/AVPNC_img/3dots.png b/Downloads/AVPNC_img/3dots.png new file mode 100644 index 000000000..847d2371c Binary files /dev/null and b/Downloads/AVPNC_img/3dots.png differ diff --git a/Downloads/AVPNC_img/LDAPAuth.png b/Downloads/AVPNC_img/LDAPAuth.png new file mode 100644 index 000000000..d18ddc733 Binary files /dev/null and b/Downloads/AVPNC_img/LDAPAuth.png differ diff --git a/Downloads/AVPNC_img/MacBottomBar.png b/Downloads/AVPNC_img/MacBottomBar.png new file mode 100644 index 000000000..ef339b044 Binary files /dev/null and b/Downloads/AVPNC_img/MacBottomBar.png differ diff --git a/Downloads/AVPNC_img/MacClientLocation.png b/Downloads/AVPNC_img/MacClientLocation.png new file mode 100644 index 000000000..a287a403f Binary files /dev/null and b/Downloads/AVPNC_img/MacClientLocation.png differ diff --git a/Downloads/AVPNC_img/MacClientLocation2.png b/Downloads/AVPNC_img/MacClientLocation2.png new file mode 100644 index 000000000..4dc078bf2 Binary files /dev/null and b/Downloads/AVPNC_img/MacClientLocation2.png differ diff --git a/Downloads/AVPNC_img/MacCrendential.png b/Downloads/AVPNC_img/MacCrendential.png new file mode 100644 index 000000000..65ee56ada Binary files /dev/null and b/Downloads/AVPNC_img/MacCrendential.png differ 
diff --git a/Downloads/AVPNC_img/ProgressIcon.png b/Downloads/AVPNC_img/ProgressIcon.png new file mode 100644 index 000000000..6ba888205 Binary files /dev/null and b/Downloads/AVPNC_img/ProgressIcon.png differ diff --git a/Downloads/AVPNC_img/SamlAuth.png b/Downloads/AVPNC_img/SamlAuth.png new file mode 100644 index 000000000..7de0f19ce Binary files /dev/null and b/Downloads/AVPNC_img/SamlAuth.png differ diff --git a/Downloads/AVPNC_img/Settings.png b/Downloads/AVPNC_img/Settings.png new file mode 100644 index 000000000..70b70866f Binary files /dev/null and b/Downloads/AVPNC_img/Settings.png differ diff --git a/Downloads/AVPNC_img/TrayMenu.png b/Downloads/AVPNC_img/TrayMenu.png new file mode 100644 index 000000000..c37743fcd Binary files /dev/null and b/Downloads/AVPNC_img/TrayMenu.png differ diff --git a/Downloads/AVPNC_img/WinBottomBar.png b/Downloads/AVPNC_img/WinBottomBar.png new file mode 100644 index 000000000..87c8aa23c Binary files /dev/null and b/Downloads/AVPNC_img/WinBottomBar.png differ diff --git a/Downloads/AVPNC_img/WinClientLocation.png b/Downloads/AVPNC_img/WinClientLocation.png new file mode 100644 index 000000000..fd785966d Binary files /dev/null and b/Downloads/AVPNC_img/WinClientLocation.png differ diff --git a/Downloads/AVPNC_img/WinClientPopup.png b/Downloads/AVPNC_img/WinClientPopup.png new file mode 100644 index 000000000..719ba7507 Binary files /dev/null and b/Downloads/AVPNC_img/WinClientPopup.png differ diff --git a/Downloads/AVPNC_img/WinClientStartUp.png b/Downloads/AVPNC_img/WinClientStartUp.png new file mode 100644 index 000000000..8ec6bc709 Binary files /dev/null and b/Downloads/AVPNC_img/WinClientStartUp.png differ diff --git a/Downloads/AVPNC_img/add.png b/Downloads/AVPNC_img/add.png new file mode 100644 index 000000000..84e15e4fc Binary files /dev/null and b/Downloads/AVPNC_img/add.png differ 
diff --git a/Downloads/AVPNC_img/minus.png b/Downloads/AVPNC_img/minus.png new file mode 100644 index 000000000..5328620f1 Binary files /dev/null and b/Downloads/AVPNC_img/minus.png differ diff --git a/Downloads/cloudndownload.rst b/Downloads/cloudndownload.rst.obsolate similarity index 100% rename from Downloads/cloudndownload.rst rename to Downloads/cloudndownload.rst.obsolate diff --git a/Downloads/samlclient.rst b/Downloads/samlclient.rst index 11fbfa1a6..540ca0a0c 100755 --- a/Downloads/samlclient.rst +++ b/Downloads/samlclient.rst @@ -24,9 +24,9 @@ provides a seamless user experience when authenticating a VPN user through a SAM The VPN Client can be installed on desktop platforms and is supported on various OS like Windows, Mac and Linux. -Consult the VPN client `user guide `__ for how to use it. +Consult the VPN client `user guide `__ for how to use it. -Latest version: 2.6.6 - (Jan 29th 2020) `Changelog. `_ +Latest version: 2.14.14 - (April 27 2021) `Changelog. `_ Please ask your Aviatrix Administrator to upgrade the Aviatrix Controller to version 4.7.501 + to prevent seeing certificate errors -`Ref. `_ @@ -35,6 +35,8 @@ Windows |win| ************* The Windows client can be downloaded from `this link `__ +The Windows client checksum can be downloaded from `this link `__ + At the end of the installation, please install the TUN TAP driver if you haven't done so earlier. Please note that the client uses the default browser, and Microsoft Edge/IE is not supported @@ -45,6 +47,8 @@ Mac |mac| The Mac client can be downloaded from `this link `__. Please make sure that you are running macOS 10.12(Sierra) or higher. +The Mac client checksum can be downloaded from `this link `__. + If you have installed version 1.4.26 or lower, please uninstall before you install the newer version. Please note that the client uses the default browser, and Safari is not supported (will show certificate warnings) *********** 
@@ -59,18 +63,27 @@ If the icon is missing from the launcher, type AVPNC in the terminal to launch t Debian/Ubuntu ============= +Ubuntu20.04 LTS - `Debian file `__, +`Tar file `__, +`Debian file checksum `__, +`Tar file checksum. `__ Ubuntu18.04.1 LTS/Generic - `Debian file `__, -`Tar file. `__ +`Tar file `__, +`Debian file checksum `__, +`Tar file checksum. `__ Ubuntu18.04.3 LTS - `Debian file `__, -`Tar file. `__ - -Ubuntu16.04 LTS - `Debian file `__, `Tar file `__ +`Tar file `__, +`Debian file checksum `__, +`Tar file checksum. `__ -Ubuntu14.04 LTS - `Debian file `__, `Tar file `__ +Ubuntu16.04 LTS - `Debian file `__, +`Tar file `__, +`Debian file checksum `__, +`Tar file checksum. `__ -Note: Currently we do not support Fedora/Arch-Linux +Note: Currently we do not support Fedora/Arch-Linux. VPN Clients running on Ubuntu 14.04 are designated EOL. ************* 
@@ -85,18 +98,60 @@ tar -xvzf file.tar.gz; cd AVPNC_setup; sudo ./install.sh to install FIPS140-2 version ***************** -`Windows `__, `Mac `__ , `Ubuntu 18 tar `__, `deb `__ +`Windows `__, +`Checksum `__ + +`Mac `__ , +`Checksum `__ + +`Ubuntu 20 tar `__, +`Checksum `__ + +`Ubuntu 20 deb `__, +`Checksum `__ + +`Ubuntu 18 tar `__, +`Checksum `__ + +`Ubuntu 18 deb `__, +`Checksum `__ + +***************** +Archived Clients +***************** + +Ubuntu14.04 LTS - `Debian file `__, +`Tar file `__, +`Debian file checksum `__, +`Tar file checksum. `__ ******************* Development version ******************* These are preview images for the next release. -`Windows `__, `Mac `__ , `Linux tar `__, `Debian file `__, `Linux tar bionic `__, `Debian bionic `__, `Linux tar xenial `__, `Debian xenial `__, `Linux tar trusty `__, `Debian trusty `__, `FreeBSD `__ +`Windows `__, +`MacOS `__ , +`Debian Focal Fossa `__, +`Linux tar Focal Fossa `__, +`Linux tar `__, +`Debian file `__, +`Linux tar bionic `__, +`Debian bionic `__, +`Linux tar xenial `__, +`Debian xenial `__, +`Linux tar trusty `__, +`Debian trusty `__, +`FreeBSD `__ FIPS140-2 Dev version -`Windows `__, `Mac `__ , `Ubuntu-18 tar `__, `deb `__ +`Windows `__, +`Mac `__ , +`Ubuntu-20 tar `__ , +`Ubuntu-20 deb `__ , +`Ubuntu-18 tar `__, +`deb `__ OpenVPN is a registered trademark of OpenVPN Inc. diff --git a/Downloads/vpnclientguide.rst b/Downloads/vpnclientguide.rst new file mode 100644 index 000000000..169296943 --- /dev/null +++ b/Downloads/vpnclientguide.rst 
@@ -0,0 +1,267 @@ +.. meta:: + :description: Aviatrix VPN Client Guide + :keywords: SAML, openvpn, SSL VPN, remote user vpn, SAML client. Openvpn with SAML + +.. |win| image:: AVPNC_img/Win.png + +.. |mac| image:: AVPNC_img/Mac.png + +.. |lux| image:: AVPNC_img/Linux.png + +.. |bsd| image:: AVPNC_img/BSD.png + +.. |Client| image:: AVPNC_img/Client.png + :width: 400 + +.. |LDAPAuth| image:: AVPNC_img/LDAPAuth.png + :height: 200 + +.. |MacBottomBar| image:: AVPNC_img/MacBottomBar.png + :height: 30 + +.. |MacClientLocation| image:: AVPNC_img/MacClientLocation.png + :height: 50 + +.. |MacClientLocation2| image:: AVPNC_img/MacClientLocation2.png + :width: 400 + +.. |MacCrendential| image:: AVPNC_img/MacCrendential.png + :width: 300 + +.. |ProgressIcon| image:: AVPNC_img/ProgressIcon.png + :width: 400 + +.. |SamlAuth| image:: AVPNC_img/SamlAuth.png + :width: 300 + +.. |Settings| image:: AVPNC_img/Settings.png + :width: 400 + +.. |TrayMenu| image:: AVPNC_img/TrayMenu.png + :width: 150 + +.. |WinBottomBar| image:: AVPNC_img/WinBottomBar.png + :height: 40 + +.. |WinClientLocation| image:: AVPNC_img/WinClientLocation.png + :height: 400 + +.. |WinClientPopup| image:: AVPNC_img/WinClientPopup.png + :width: 400 + +.. |WinClientStartUp| image:: AVPNC_img/WinClientStartUp.png + :width: 400 + +.. |minus| image:: AVPNC_img/minus.png + :height: 16 + +.. |add| image:: AVPNC_img/add.png + :height: 16 + +.. |3dots| image:: AVPNC_img/3dots.png + :height: 16 + +============================== +Aviatrix VPN Client User Guide +============================== + +**************************************** +Installing and Launching the Application +**************************************** + +************* +Windows |win| +************* + +1. Download the Aviatrix VPN Client installer from `this link `__ + + Run the installer and follow the on screen instructions to install the application. + + If you have installed OpenVPN previously, TUN TAP drivers would have been installed. 
If they are not installed , you can install the same from the `this link `__ + +2. Save the OpenVPN configuration file (with the extension .ovpn) that was sent to you by your Admin, on to your machine. + +3. Open the “Aviatrix VPN Client” application by going to “Start Menu -> Aviatrix VPN Client-> Aviatrix VPN Client”. + + |WinClientLocation| + +4. A UAC window pops up. + + |WinClientPopup| + +5. Allow administrator access so that the application can modify the routing tables. The Aviatrix VPN Client window should come up which should look like. + + |WinClientStartUp| + +6. Skip to the `Using the Application <#using-the-application>`__ section if you do not need to install it on a Mac or Linux + +********* +Mac |mac| +********* + +1. Download the Aviatrix VPN Client installer from `this link `__ + + Follow the on-screen instructions to install the application + +2. Save the OpenVPN configuration file (with the extension .ovpn) that was sent to you by your Admin, on to your machine. + +3. Start the Aviatrix VPN Client application by going to LaunchPad and clicking on “Aviatrix VPN Client”. + + |MacClientLocation| + + |MacClientLocation2| + +4. A popup comes up to request sudo privelages to modify routing tables + + |MacCrendential| + +5. This opens the application window. + +6. Skip to the `Using the Application <#using-the-application>`__ section if you do not need to install it on Linux + +*********** +Linux |lux| +*********** + +1. Download the Aviatrix VPN Client installer from `this link `__ + +2. To install the application run the following commands + + tar -xvzf AVPC_linux.tar.gz + + sudo ./install.sh + +3. Save the OpenVPN configuration file (with the extension .ovpn) that was sent to you by your Admin, on to your machine. + +4. To open the “Aviatrix VPN Client” launch a new terminal and type AVPNC + +.. note:: + + This has been tested only on Ubuntu 16/14. 
Theoretically, it should work with other flavours of linux as well as long as openvpn is installed separately. + +.. _using_the_application: + +********************* +Using the Application +********************* + +There are 3 buttons on the bottom + + +1. |add| : This opens a window to choose the OpenVPN configuration (.ovpn) file. + + +2. |minus| : This deletes a item choosed in the Connection Profiles + + +3. |3dots| : This pops up a submenu including "Edit", "Sort", "Connection Log" and "Settings" + + + 3.1 "Edit": Modify a item choosed in the Connection Profiles + + 3.2 "Connection Log": Show every single connection's log + + 3.3 "Settings": Open the advanced settings + +************* +Windows |win| +************* + +1. There is a menu on the top of the App GUI + + 1.1 "File" has a menu to quit the App + + 1.2 "Help" has menu "About" to show the App information + +2. Closing the application window hides it to the system tray + + |WinBottomBar| + +********* +Mac |mac| +********* + +1. There is a menu on the top-left of the screen + + 1.1 "About" shows show the App information + + 1.2 "Quit" exit the App information + +2. Closing the application window hides it to the system tray + + |MacBottomBar| + + By a right click on Windows's or a click on Mac's system tray icon to show a menu + + |TrayMenu| + +3. There are 3 status icons that are shown in the window and on the tray. + + |ProgressIcon| + + +*********************** +Advanced Settings Page +*********************** + +|Settings| + +Here you can perform special operations if Troubleshooting is required + +1. Flush DNS: (Not for windows) Flushes the DNS configuration if there are internet issues after full tunnel VPN disconnection. Also turning the wifi/ethernet adapter on/off can fix some internet issues. + +2. Kill all OpenVPN process: (Not supported on Windows) Sends a soft kill to all running OpenVPN processes + +3. 
Force kill all OpenVPN process: Terminates other OpenVPN processes that are running abruptly + +4. Check VPN DNS server reachability: (MacOS only) If this option is checked, it will apply the VPC DNS servers in the MacOS system. If it is disabled, it will use the local DNS servers or other local DNS mechanism (e.g. CISCO Umbrella) + + +**************************** +Connecting to a SAML Gateway +**************************** + +Enter your IDP Credentials to login. + +Check doc `OpenVPN® with SAML Authentication `__ for detail. + +************************************************** +Connecting to a Gateway without any Authentication +************************************************** + +Just load the OpenVPN configuration(.ovpn) file on to the VPN Client and click on “Connect”. + +************************************************************* +Connecting to a Gateway with Username-Password Authentication +************************************************************* + +CloudN VPC supports a variety of authentication methods to verify VPN user credentials. Here’s a brief overview of how to enter user credentials for different authentication methods. + +LDAP: + + Enter username and password stored on LDAP server. + + Check doc `LDAP Configuration for Authenticating VPN Users `__ for detail. + +Google 2-step verification: + + Use your email address as the username. + + Password should be appended with the 6-digit code generated by Google authenticator app on your phone. + + E.g., If your email is "joe@examplecompany.com", the following username password combination of "joe@examplecompany.com" and "password123456" should be used where "password" is your account password and "123456" is the 6 digit-code. + +Duo Security Two-Factor Authentication: Mac and Windows users: + + An automatic approval request will be pushed to your registered cellphone. Select “Approve” to connect to VPN gateway. 
+ +LDAP + Duo Security Two-Factor Authentication: + + Enter username and password for the LDAP server and an automatic approval request will be pushed to your registered cellphone. + + Select “Approve” to connect to VPN gateway. + +The username and password windows is shown + +|LDAPAuth| + diff --git a/HowTos/AdminUsers_DuoAuth.rst b/HowTos/AdminUsers_DuoAuth.rst index 664913122..d1fc8a44b 100644 --- a/HowTos/AdminUsers_DuoAuth.rst +++ b/HowTos/AdminUsers_DuoAuth.rst @@ -96,14 +96,14 @@ Follow the `instruction in `_ to Create Duo Authentication ------------------------- -To enable DUO, go to Settings -> Setup 2FA Login +To enable DUO, go to Settings -> Controller -> Duo Login Enter Duo integration key, secret key, and API hostname of your account in DUO website described earlier. Currently only DUO push is supported. Once it is created successfully, the Duo push login applies to all -users, including user admin. Every user (listed in settings -> Manage +users (admin is exempt). Every user (listed in settings -> Manage Accounts -> Users) who wishes to login to the system must have a matching user name in their DUO account. diff --git a/HowTos/AdminUsers_LDAP.rst b/HowTos/AdminUsers_LDAP.rst index 41409ffd3..f0e72bddc 100644 --- a/HowTos/AdminUsers_LDAP.rst +++ b/HowTos/AdminUsers_LDAP.rst 
@@ -87,7 +87,7 @@ Considerations * Once enabled, local user accounts will no longer be active. That is, if there is a user created in the Controller that does not match a user in LDAP, they will no longer be able to login to the Controller. .. note:: - The local `admin` account is always active even when this setting is enabled + The local `admin` account is active when ldap is used for controller login authentication as descrived above. Please note that if the `admin` account is disabled via "Settings/Controller/LoginCustomization" and if your ldap authentication is not working as expected for any reason(for eexamp, server is down or not reachable), you will get locked out of the controller till your ldap authentication process is back up. .. |imageLDAPForm| image:: AdminUsers_LDAP_media/controller_settings_ldap.png diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/cloudn_from_init_setup_to_dcx_using_linux_curl_command.rst b/HowTos/AviatrixAPI/CloudN_curl_examples/cloudn_from_init_setup_to_dcx_using_linux_curl_command.rst deleted file mode 100644 index 334d461e2..000000000 --- a/HowTos/AviatrixAPI/CloudN_curl_examples/cloudn_from_init_setup_to_dcx_using_linux_curl_command.rst +++ /dev/null 
@@ -1,278 +0,0 @@ -.. meta:: - :description: CloudN: From Initial-Setup to DataCenterExtension Using Linux curl command - :keywords: cloudn, init, setup, curl, dcx, datacenter extension - - -============================================================================= -CloudN: From Initial-Setup to DataCenterExtension Using Linux "curl" Command -============================================================================= - -| - -Description: -============ - * Thank you for choosing Aviatrix! This document demonstrates using the Linux "**curl**" command to operate an Aviatrix CloudN instance from Initial-Setup to DataCenterExtension creation. If you prefer using the command line interface over WebUI to work with CloudN, this doc is for you. - * We used a controller instance without configuring a valid cert for this demonstration. Therefore, the examples in this document use "-k" parameter when issuing a "curl" command in order to bypass the cert check. If you wish, you can configure your own valid cert on your controller. - -| - -Prerequisites -============= - * Aviatrix CloudN instance is up and running - * CloudN has already acquired an IP address by using one of the following CloudN commands... - - 1. Option A (static IP): setup_interface_static_address - - 2. Option B (DHCP): setup_interface_address <2ndary_dns> - -| - -Tips: -===== -If your value contains some special characters that cause the command to fail, you can search online for `"URL Encoder" `__, which is one of many tools that will convert the value into a valid format if you happen to encounter the problem. - -| - -Example List -============ - 1. `Login CloudN with private IP and get CID <#example01>`__ - 2. `Setup admin email <#example02>`__ - 3. `Change admin password <#example03>`__ - 4. `Login with new password and get CID <#example04>`__ - 5. `Setup Aviatrix customer ID <#example05>`__ - 6. `Setup Maximum number of VPC/VNets <#example06>`__ - 7. 
`List Maximum number of VPC/VNets <#example07>`__ - 8. `List Available CIDRs <#example08>`__ - 9. `Create Aviatrix-Cloud-Account (AWS-SecretKey based) <#example09>`__ - 10. `Create Aviatrix-Cloud-Account (Azure-ARM based) <#example10>`__ - 11. `Create DataCenterExtension (AWS-SecretKey, without VPN access) <#example11>`__ - 12. `Create DataCenterExtension (Azure-ARM, without VPN access) <#example12>`__ - -| - -.. _example01: - -**Example 01: Login CloudN with private IP and get CID** - -:: - - curl -k "https://10.67.0.2/v1/api?action=login&username=admin&password=10.67.0.2" - -|image1| - -| - -.. _example02: - -**Example 02: Setup admin email** - -:: - - curl -k "https://10.67.0.2/v1/api?action=add_admin_email_addr&CID=XXXXXXXXXX&admin_email=test@aviatrix.com" - -|image2| - -| - -.. _example03: - -**Example 03: Change admin password** - -:: - - curl -k "https://10.67.0.2/v1/api?action=change_password&CID=XXXXXXXXXX&account_name=admin&user_name=admin&old_password=10.67.0.2&password=Test123!" - -|image3| - -| - -.. _example04: - -**Example 04: Login with new password and get CID** - -:: - - curl -k "https://10.67.0.2/v1/api?action=login&username=admin&password=Test123!" - -|image4| - -| - -.. _example05: - -**Example 05: Setup Aviatrix customer ID** - -:: - - curl -k "https://10.67.0.2/v1/api?action=setup_customer_id&CID=XXXXXXXXXX&customer_id=XXXXXXXXXX" - -|image5| - -| - -.. _example06: - -**Example 06: Setup Maximum number of VPC/VNets** - -:: - - curl -k "https://10.67.0.2/v1/api?action=setup_max_vpc_containers&CID=XXXXXXXXXX&vpc_num=4" - -|image6| - -| - -.. _example07: - -**Example 07: List Maximum number of VPC/VNets** - -:: - - curl -k "https://10.67.0.2/v1/api?action=list_max_vpc_containers&CID=XXXXXXXXXX" - -|image7| - -| - -.. _example08: - -**Example 08: List Available CIDRs** - -:: - - curl -k "https://10.67.0.2/v1/api?action=list_cidr_of_available_vpcs&CID=XXXXXXXXXX" - -|image8| - -| - -.. 
_example09: - -**Example 09: Create Aviatrix-Cloud-Account (AWS-SecretKey based)** - -:: - - curl -k --data "action=setup_account_profile" - --data "CID=XXXXXXXXXX" - --data "account_name=my-cloud-account-AWS" - --data "account_password=Test123!" - --data "account_email=test@aviatrix.com" - --data "cloud_type=1" - --data "aws_account_number=123456789999" - --data "aws_iam=false" - --data "aws_access_key=XXXXXXXXXX" - --data "aws_secret_key=XXXXXXXXXX" - "https://10.67.0.2/v1/api" - -|image9| - -| - -.. _example10: - -**Example 10: Create Aviatrix-Cloud-Account (Azure-ARM based)** - -:: - - curl -k --data "action=setup_account_profile" - --data "CID=XXXXXXXXXX" - --data "account_name=my-cloud-account-ARM" - --data "account_password=Test123!" - --data "account_email=test@aviatrix.com" - --data "cloud_type=8" - --data "arm_subscription_id=XXXXXXXXXX" - --data "arm_application_endpoint=XXXXXXXXXX" - --data "arm_application_client_id=XXXXXXXXXX" - --data "arm_application_client_secret=XXXXXXXXXX" - "https://10.67.0.2/v1/api" - -|image10| - -| - -.. _example11: - -**Example 11: Create DataCenterExtension (AWS-SecretKey, without VPN access)** - -:: - - curl -k --data "action=create_container" - --data "CID=XXXXXXXXXX" - --data "account_name=my-cloud-account-AWS" - --data "cloud_type=1" - --data "vpc_reg=ca-central-1" - --data "vpc_name=my-dcx-name" - --data "vpc_net=10.67.128.0/19" - --data "vpc_size=t2.micro" - --data "internet_access=yes" - --data "public_subnet=yes" - --data "tunnel_type=tcp" - "https://10.67.0.2/v1/api" - -|image11| - -| - -.. 
_example12: - -**Example 12: Create DataCenterExtension (Azure-ARM, without VPN access)** - -:: - - curl -k --data "action=create_container" - --data "CID=XXXXXXXXXX" - --data "account_name=my-cloud-account-ARM" - --data "cloud_type=8" - --data "vpc_reg=West US" - --data "vpc_name=my-arm-dcx" - --data "vpc_net=10.67.96.0/19" - --data "vpc_size=Standard_D2" - --data "internet_access=yes" - --data "public_subnet=yes" - --data "tunnel_type=tcp" - "https://10.67.0.2/v1/api" - -|image12| - -| - - -.. |image1| image:: ./img_01_login_result.png - :width: 2.00000 in - :height: 2.00000 in -.. |image2| image:: ./img_02_setup_admin_email_result.PNG - :width: 2.00000 in - :height: 2.00000 in -.. |image3| image:: ./img_03_change_password_result.png - :width: 2.00000 in - :height: 2.00000 in -.. |image4| image:: ./img_04_login_with_new_password_result.png - :width: 2.00000 in - :height: 2.00000 in -.. |image5| image:: ./img_05_setup_customer_id_result.png - :width: 2.00000 in - :height: 2.00000 in -.. |image6| image:: ./img_06_setup_max_number_of_vpc_result.png - :width: 2.00000 in - :height: 2.00000 in -.. |image7| image:: ./img_07_list_max_number_of_vpc_result.png - :width: 2.00000 in - :height: 2.00000 in -.. |image8| image:: ./img_08_list_available_cidrs_result.png - :width: 2.00000 in - :height: 2.00000 in -.. |image9| image:: ./img_09_create_aws_account_result.png - :width: 2.00000 in - :height: 2.00000 in -.. |image10| image:: ./img_10_create_arm_account_result.png - :width: 2.00000 in - :height: 2.00000 in -.. |image11| image:: ./img_11_create_aws_dcx_result.png - :width: 2.00000 in - :height: 2.00000 in -.. |image12| image:: ./img_12_create_arm_dcx_result.png - :width: 2.00000 in - :height: 2.00000 in - - -.. disqus:: 
diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_01_login_result.png b/HowTos/AviatrixAPI/CloudN_curl_examples/img_01_login_result.png deleted file mode 100644 index 843134fd6..000000000 Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_01_login_result.png and /dev/null differ diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_02_setup_admin_email_result.PNG b/HowTos/AviatrixAPI/CloudN_curl_examples/img_02_setup_admin_email_result.PNG deleted file mode 100644 index 7bae3a9d4..000000000 Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_02_setup_admin_email_result.PNG and /dev/null differ diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_03_change_password_result.png b/HowTos/AviatrixAPI/CloudN_curl_examples/img_03_change_password_result.png deleted file mode 100644 index 902397617..000000000 Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_03_change_password_result.png and /dev/null differ diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_04_login_with_new_password_result.png b/HowTos/AviatrixAPI/CloudN_curl_examples/img_04_login_with_new_password_result.png deleted file mode 100644 index d8073d86b..000000000 Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_04_login_with_new_password_result.png and /dev/null differ diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_05_setup_customer_id_result.png b/HowTos/AviatrixAPI/CloudN_curl_examples/img_05_setup_customer_id_result.png deleted file mode 100644 index e25765069..000000000 Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_05_setup_customer_id_result.png and /dev/null differ diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_06_setup_max_number_of_vpc_result.png b/HowTos/AviatrixAPI/CloudN_curl_examples/img_06_setup_max_number_of_vpc_result.png deleted file mode 100644 index 5acd4f49b..000000000 Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_06_setup_max_number_of_vpc_result.png and /dev/null differ 
diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_07_list_max_number_of_vpc_result.png b/HowTos/AviatrixAPI/CloudN_curl_examples/img_07_list_max_number_of_vpc_result.png deleted file mode 100644 index ed3021e1f..000000000 Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_07_list_max_number_of_vpc_result.png and /dev/null differ diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_08_list_available_cidrs_result.png b/HowTos/AviatrixAPI/CloudN_curl_examples/img_08_list_available_cidrs_result.png deleted file mode 100644 index 9093f437d..000000000 Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_08_list_available_cidrs_result.png and /dev/null differ diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_09_create_aws_account_result.png b/HowTos/AviatrixAPI/CloudN_curl_examples/img_09_create_aws_account_result.png deleted file mode 100644 index 20fc74dd5..000000000 Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_09_create_aws_account_result.png and /dev/null differ diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_10_create_arm_account_result.png b/HowTos/AviatrixAPI/CloudN_curl_examples/img_10_create_arm_account_result.png deleted file mode 100644 index f1a2fbb84..000000000 Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_10_create_arm_account_result.png and /dev/null differ diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_11_create_aws_dcx_result.png b/HowTos/AviatrixAPI/CloudN_curl_examples/img_11_create_aws_dcx_result.png deleted file mode 100644 index 93061405a..000000000 Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_11_create_aws_dcx_result.png and /dev/null differ diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_12_create_arm_dcx_result.png b/HowTos/AviatrixAPI/CloudN_curl_examples/img_12_create_arm_dcx_result.png deleted file mode 100644 index df46929a7..000000000 Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_12_create_arm_dcx_result.png and /dev/null differ 
diff --git a/HowTos/AviatrixAPI/ReadMe.txt b/HowTos/AviatrixAPI/ReadMe.txt deleted file mode 100644 index a689d63b2..000000000 --- a/HowTos/AviatrixAPI/ReadMe.txt +++ /dev/null @@ -1 +0,0 @@ -This directory contains files/documents that relate to Aviatrix REST API. diff --git a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_01_postman_login_execution_results.png b/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_01_postman_login_execution_results.png deleted file mode 100644 index 819dee6d6..000000000 Binary files a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_01_postman_login_execution_results.png and /dev/null differ diff --git a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_02_linux_curl_login_execution_results.png b/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_02_linux_curl_login_execution_results.png deleted file mode 100644 index e4000fe3c..000000000 Binary files a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_02_linux_curl_login_execution_results.png and /dev/null differ diff --git a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_03_python_login_execution_results.png b/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_03_python_login_execution_results.png deleted file mode 100644 index fc6b558ab..000000000 Binary files a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_03_python_login_execution_results.png and /dev/null differ diff --git a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_04_postman_create_account_execution_results.png b/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_04_postman_create_account_execution_results.png deleted file mode 100644 index 06d04952e..000000000 Binary files a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_04_postman_create_account_execution_results.png and /dev/null differ 
diff --git a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_05_linux_curl_create_account_execution_results.png b/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_05_linux_curl_create_account_execution_results.png deleted file mode 100644 index ef8b7aa20..000000000 Binary files a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_05_linux_curl_create_account_execution_results.png and /dev/null differ diff --git a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_06_python_create_account_execution_results.png b/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_06_python_create_account_execution_results.png deleted file mode 100644 index 0da2978be..000000000 Binary files a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_06_python_create_account_execution_results.png and /dev/null differ diff --git a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_07_postman_disable_ssl.png b/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_07_postman_disable_ssl.png deleted file mode 100644 index f14050a93..000000000 Binary files a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_07_postman_disable_ssl.png and /dev/null differ diff --git a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/multiple_approaches_to_use_aviatrix_api.rst b/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/multiple_approaches_to_use_aviatrix_api.rst deleted file mode 100644 index 30c8b1dc9..000000000 --- a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/multiple_approaches_to_use_aviatrix_api.rst +++ /dev/null 
@@ -1,289 +0,0 @@ -.. meta:: - :description: Multiple Approaches to Use Aviatrix API - :keywords: REST, API, CID, login, cloud account - -======================================= -Multiple Ways to Use Aviatrix API -======================================= - - -Introduction ------------- - -Aviatrix provides a REST/RESTful (Representational State Transfer) API to help customers to integrate Aviatrix products or to automate some routine tasks, such as backups for the Aviatrix controller, checking the status of active/live VPN users for management purposes, etc. - -| - -Tools ------ - -In this document, we demonstrate Aviatrix REST API invocation with the following tools. - 1. **Postman** - 2. Linux **"curl"** command - 3. Python **"requests"** module/library/package - 4. PowerShell - -| - -Value Format (URL Encoding) ---------------------------- - -If the input value contains certain special characters, such as '#' or '/' you may need to convert them to conform to a valid URL: - - -Tip: -""""" - -Use '%23' instead of '#'; use '%2F' instead of '/' - - -For example: -"""""""""""" - -If my Azure ARM Subscription ID is "abc#efg", instead of using... - - "arm_subscription_id=abc#efg" - -you need to use the following format instead... - - "arm_subscription_id=abc%23efg" - -| - -Tools to convert the value format ---------------------------------- - -There are many tools online that can do the job. Just simply google **"URL Encoder"**, and you can encode/convert the special character to the correct format. - -| - -How the Aviatrix REST API Works -------------------------------- - -In order to invoke most of the Aviatrix API(s), the user must have a valid **"CID"** (session ID) for security purposes. Moreover, a valid CID can be acquired through the Aviatrix **"login"** API. The examples are provided below. -Please refer to the `Aviatrix API site. `_ for the completed Aviatrix REST API list. 
- -| - -Examples: Invoke Aviatrix "login" API to get a valid CID --------------------------------------------------------- - -Postman -""""""" - - |image1| - - -.. Tip:: You may disable Postman SSL certificate verification for simple testing. See the follow screenshot. -.. - - - |image7| - - - -Linux "curl" command -"""""""""""""""""""" - -**Syntax:** - -:: - - ubuntu@ip-10-1-1-2:/$ curl -k --request POST \ - --url https://10.67.0.2/v1/api \ - --form action=login \ - --form 'username=admin' \ - --form 'password=MyPassword#' - - { - "return":true, - "results":"User login:admin in account:admin has been authorized successfully on controller 10.67.0.2 - - Please check email confirmation.", - "CID":"ntFqLV4NNr63sTmxp42S" - } - - ubuntu@ip-10-1-1-2:/$ - - -**Example:** - - |image2| - - -Python "requests" module -"""""""""""""""""""""""" - -**Example Code:** - -.. code-block:: python - - import requests - - # Controller configuration - base_url = "https://10.67.0.2/v1/api" - username = "admin" - password = "MyPassword" - action = "login" - CID = "" - - # Configuration for "login" API - payload = { - "action": action, - "username": username, - "password": password - } - - # Use "requests" module to invoke REST API - response = requests.post(url=base_url, data=payload, verify=False) - - # If login successfully - if True == response.json()["return"]: - CID = response.json()["CID"] - print("Successfully login to Aviatrix Controller. 
The valid CID is: " + CID) - - - -**Execution Result:** - - |image3| - -PowerShell Example -"""""""""""""""""""""""" -:: - - $params = @{"action"="login"; - >> "username"="admin"; - >> "password"="password"; - >> } - -:: - - Invoke-WebRequest -Uri $Uri -Method POST -Body $params - StatusCode : 200 - StatusDescription : OK - Content : {"return":true,"results":"User login:admin in account:admin has been authorized successfully - - Please check email confirmation.","CID":"RwuXX5KoJsTrOBAjXl9N"} - RawContent : HTTP/1.1 200 OK - Pragma: no-cache - X-Frame-Options: DENY - Strict-Transport-Security: max-age=77760000 - Content-Length: 158 - Cache-Control: no-store - Content-Type: text/json - Date: Tue, 10 Apr 2018 17:... - Forms : {} - Headers : {[Pragma, no-cache], [X-Frame-Options, DENY], [Strict-Transport-Security, max-age=77760000], - [Content-Length, 158]...} - Images : {} - InputFields : {} - Links : {} - ParsedHtml : mshtml.HTMLDocumentClass - RawContentLength : 158 - - - -Examples: Invoke Other Aviatrix APIs with a valid CID ----------------------------------------------------- - -.. Note:: - The following example demonstrates how to use the Aviatrix API **"setup_account_profile"** to create an Aviatrix **"Cloud Account"**. - - -Postman -""""""" - - |image4| - - -Linux "curl" command -"""""""""""""""""""" - - |image5| - - -Python -"""""" - -**Example Code:** - -.. 
code-block:: python - - import requests - - # Configuration for "setup_account_profile" API to create AWS IAM Role based account - payload = { - "action": "setup_account_profile", - "CID": "B4XvxZYJUTHNaMcK2Nf2", - "account_name": "my-AWS-operation-account", - "account_password": "!MyPassword", - "account_email": "test@aviatrix.com", - "cloud_type": "1", - "aws_account_number": "123456789999", - "aws_iam": "true", - "aws_access_key": "XXXXXXXXXXXXXXXXXXXXXX", - "aws_secret_key": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" - } - - # Use "requests" module to invoke REST API - response = requests.post(url="https://10.67.0.2/v1/api", data=payload, verify=False) - - # Display return message - print(response.json()) - - -**Execution Result:** - - |image6| - -PowerShell -""""""""""" -:: - - $paramsaccount = @{"action"="setup_account_profile"; - >> "CID"="RwuXX5KoJsTrOBAjXl9N"; - >> "account_name"="test_api"; - >> "account_password"="xxx"; - >> "account_email"="xxx.com"; - >> "cloud_type"=1; - >> "aws_account_number"="xxxx"; - >> "aws_access_key"="xxxx"; - >> "aws_secret_key"="xxxx"; - >> } - -:: - - Invoke-WebRequest -Uri $Uri -Method Post -Body $paramsaccount - - StatusCode : 200 - StatusDescription : OK - Content : {"return":true,"results":"An email confirmation has been sent to lyan@aviatrix.com"} - RawContent : HTTP/1.1 200 OK - Pragma: no-cache - X-Frame-Options: DENY - Strict-Transport-Security: max-age=77760000 - Content-Length: 84 - Cache-Control: no-store - Content-Type: text/json - Date: Tue, 10 Apr 2018 17:1... - Forms : {} - Headers : {[Pragma, no-cache], [X-Frame-Options, DENY], [Strict-Transport-Security, max-age=77760000], - [Content-Length, 84]...} - Images : {} - InputFields : {} - Links : {} - ParsedHtml : mshtml.HTMLDocumentClass - RawContentLength : 84 - - - -.. |image1| image:: ./img_01_postman_login_execution_results.png -.. |image2| image:: ./img_02_linux_curl_login_execution_results.png -.. |image3| image:: ./img_03_python_login_execution_results.png -.. 
|image4| image:: ./img_04_postman_create_account_execution_results.png -.. |image5| image:: ./img_05_linux_curl_create_account_execution_results.png -.. |image6| image:: ./img_06_python_create_account_execution_results.png -.. |image7| image:: ./img_07_postman_disable_ssl.png - - - -.. disqus:: diff --git a/HowTos/AviatrixAccountForAzure_media/Image03.png b/HowTos/AviatrixAccountForAzure_media/Image03.png index 6b17d9f08..ed8fe8bfd 100644 Binary files a/HowTos/AviatrixAccountForAzure_media/Image03.png and b/HowTos/AviatrixAccountForAzure_media/Image03.png differ diff --git a/HowTos/AviatrixAccountForAzure_media/Image04.png b/HowTos/AviatrixAccountForAzure_media/Image04.png index e9c35f0f3..1413b16e2 100644 Binary files a/HowTos/AviatrixAccountForAzure_media/Image04.png and b/HowTos/AviatrixAccountForAzure_media/Image04.png differ diff --git a/HowTos/AviatrixAccountForAzure_media/Image06.png b/HowTos/AviatrixAccountForAzure_media/Image06.png index 193b57af8..3fbbee6e2 100644 Binary files a/HowTos/AviatrixAccountForAzure_media/Image06.png and b/HowTos/AviatrixAccountForAzure_media/Image06.png differ diff --git a/HowTos/AviatrixAccountForAzure_media/Image07.png b/HowTos/AviatrixAccountForAzure_media/Image07.png index 6545fbf6e..e760fdadd 100644 Binary files a/HowTos/AviatrixAccountForAzure_media/Image07.png and b/HowTos/AviatrixAccountForAzure_media/Image07.png differ diff --git a/HowTos/AviatrixAccountForAzure_media/Image08.png b/HowTos/AviatrixAccountForAzure_media/Image08.png index 99aef6b8a..7a59f83f5 100644 Binary files a/HowTos/AviatrixAccountForAzure_media/Image08.png and b/HowTos/AviatrixAccountForAzure_media/Image08.png differ diff --git a/HowTos/AviatrixAccountForAzure_media/Image09.png b/HowTos/AviatrixAccountForAzure_media/Image09.png index 0a3f99597..c170ec625 100644 Binary files a/HowTos/AviatrixAccountForAzure_media/Image09.png and b/HowTos/AviatrixAccountForAzure_media/Image09.png differ 
diff --git a/HowTos/AviatrixAccountForAzure_media/Image10.png b/HowTos/AviatrixAccountForAzure_media/Image10.png index 96e39f095..7709c6059 100644 Binary files a/HowTos/AviatrixAccountForAzure_media/Image10.png and b/HowTos/AviatrixAccountForAzure_media/Image10.png differ diff --git a/HowTos/AviatrixAccountForAzure_media/Image14.png b/HowTos/AviatrixAccountForAzure_media/Image14.png index cf1650453..bc1f339f1 100644 Binary files a/HowTos/AviatrixAccountForAzure_media/Image14.png and b/HowTos/AviatrixAccountForAzure_media/Image14.png differ diff --git a/HowTos/AviatrixLogging.rst b/HowTos/AviatrixLogging.rst index 0d3558b7d..b94fbed89 100644 --- a/HowTos/AviatrixLogging.rst +++ b/HowTos/AviatrixLogging.rst @@ -1,6 +1,6 @@ .. meta:: - :description: Data Analytics with Aviatrix Logs -Splunk and Sumo - :keywords: Splunk, Sumo, aviatrix logs, data analytics + :description: Data Analytics with Aviatrix Logs + :keywords: Rsyslog, Datadog, Splunk, Elastic Filebeat, Sumo, Netflow, Cloudwatch, aviatrix logs, data analytics 
@@ -19,36 +19,16 @@ to the logging server. Out of box integration is supported for the following log - Remote syslog (recommended to use) - - AWS CloudWatch - - Splunk Enterprise - - Datadog - Elastic Filebeat + - Splunk Enterprise/Cloud - Sumo Logic + - Datadog - Netflow + - AWS CloudWatch .. note:: We highly recommend user to use remote syslog (rsyslog) as log forwarder which is both efficient and the industry standard. Most log collectors support rsyslog as forwarder. We may only add new features to rsyslog going forward. -Here are the sample instructions to configure log services to collect from rsyslog forwarder. -"Note" box gives example of template needed for the config on the Aviatrix rsyslog logging service. - - - Splunk https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports - - .. note:: (No rsyslog template needed for splunk config) - - - - Datadog https://docs.datadoghq.com/integrations/rsyslog/?tab=datadogussite - - .. note:: <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% - - - %msg%\n - - (replace DATADOG_API_KEY with your datadog key) - - - Sumologic https://help.sumologic.com/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Cloud-Syslog-Source - - .. note:: <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [YOUR_TOKEN] %msg%\n - - (replace YOUR_TOKEN with your sumo token) - In addition to standard information on syslog, Aviatrix also provides capability for user VPN connections, VPN user TCP sessions, security 
@@ -71,16 +51,17 @@ Management System for further analysis: - `AviatrixUser `_ - `AviatrixLicenseVPNUsers `_ - `AviatrixRule `_ -- `AviatrixGwNetStats `_ -- `AviatrixGwSysStats `_ -- `AviatrixFQDNRule `_ -- `AviatrixTunnelStatusChange `_ -- `AviatrixCMD `_ +- `AviatrixGwNetStats `_ +- `AviatrixGwSysStats `_ +- `AviatrixFQDNRule `_ +- `AviatrixTunnelStatusChange `_ +- `AviatrixCMD `_ - `AviatrixBGPOverlapCIDR `_ - `AviatrixBGPRouteLimitThreashold `_ - `AviatrixGuardDuty `_ -- `AviatrixFireNet `_ -- `AviatrixVPNVersion `_ +- `AviatrixFireNet `_ +- `AviatrixVPNVersion `_ +- `AviatrixGatewayStatusChanged `_ Below are the details of each log keyword. 
@@ -199,17 +180,16 @@ Two example logs: :: - 2018-02-19T06:51:03.496447+00:00 ip-172-31-58-147 perfmon.py: AviatrixGwNetStats: - timestamp=2018-02-19 06:51:03.496156 name=gg public_ip=35.172.17.198.fifo - private_ip=172.31.58.147 interface=eth0 total_rx_rate=4.48Kb total_tx_rate=3.14Kb - total_rx_tx_rate=7.62Kb total_rx_cum=292.43MB total_tx_cum=169.99MB - total_rx_tx_cum=462.42MB + 2020-06-09T17:29:31.372628+00:00 GW-test-10.23.183.116 perfmon.py: AviatrixGwNetStats: + timestamp=2020-06-09T17:29:31.371791 name=test public_ip=10.23.183.116.fifo private_ip=172.31.78.160 + interface=eth0 total_rx_rate=10.06Kb total_tx_rate=12.77Kb total_rx_tx_rate=2.85Kb + total_rx_cum=207.16MB total_tx_cum=1.2MB total_rx_tx_cum=208.36 - 2018-02-19T05:44:07.491705+00:00 ip-172-31-58-147 perfmon.py: AviatrixGwNetStats: - timestamp=2018-02-19 05:44:07.491411 name=gg public_ip=35.172.17.198.fifo - private_ip=172.31.58.147 interface=eth0 total_rx_rate=3.99Kb total_tx_rate=2.84Kb - total_rx_tx_rate=6.83Kb total_rx_cum=290.44MB total_tx_cum=168.48MB - total_rx_tx_cum=458.92MB + 2020-06-12T08:30:09.297478+00:00 GW-test-10.23.183.116 perfmon.py: AviatrixGwNetStats: + timestamp=2020-06-12T08:30:09.296752 name=test public_ip=10.23.183.116.fifo private_ip=172.31.78.160 + interface=eth0 total_rx_rate=8.84Kb total_tx_rate=8.45Kb total_rx_tx_rate=17.29Kb + total_rx_cum=4.63MB total_tx_cum=6.8MB total_rx_tx_cum=11.44MB + AviatrixGwSysStats: ------------------- 
@@ -222,13 +202,16 @@ Two example logs: :: - May 17 00:23:20 ip-10-0-0-129 gwmon.py: AviatrixGwSysStats: - timestamp=2017-05-17 00:23:06.065548 name=wing-aws-aws-use-2-gw0000 - cpu_idle=100 memory_free=237048 disk_total=8115168 disk_free=4665560 + 2020-06-09T17:29:31.372822+00:00 GW-test-10.23.183.116 perfmon.py: AviatrixGwSysStats: + timestamp=2020-06-09T17:29:31.371791 name=test cpu_idle=68 + memory_free=414640 memory_available=1222000 memory_total=1871644 + disk_total=16197524 disk_free=10982084 + + 2020-06-12T08:22:09.295660+00:00 GW-test-10.23.183.116 perfmon.py: AviatrixGwSysStats: + timestamp=2020-06-12T08:22:09.294333 name=test cpu_idle=99 + memory_free=919904 memory_available=1264792 memory_total=1871644 + disk_total=16197524 disk_free=11409716 - May 17 00:28:20 ip-10-0-0-129 gwmon.py: AviatrixGwSysStats: - timestamp=2017-05-17 00:28:06.064229 name=wing-aws-aws-use-2-gw0000 - cpu_idle=100 memory_free=237072 disk_total=8115168 disk_free=4665560 AviatrixFQDNRule ---------------- 
@@ -349,28 +332,53 @@ Example log: :: 2020-02-07T11:38:48.276150-08:00 Controller-52.204.188.212 cloudxd: AviatrixVPNVersion: The VPN connection was rejected as it did not satisfy the minimum version requirements. Current version: AVPNC-2.4.10 Required minimum version: AVPNC-2.5.7 . The rejected VPN user name is tf-aws-52-tcplb-user1 + + +AviatrixGatewayStatusChanged +----------------------------- + +These log messages will be seen from the Controller's syslogs when a gateway's status changes + +Example log: + +:: + + 2020-03-29T00:09:13.201669+00:00 ip-10-88-1-63 cloudxd: AviatrixGatewayStatusChanged: status=down gwname=EMEA-ENG-VPNGateway + + 3. Logging Configuration at Aviatrix Controller ================================================ To enable logging at the Aviatrix Controller, go to Settings->Logging page. Once logging is enabled, both the Controller and all gateways will forward logs directly to the logging server. -Two examples for Remote Syslog and Logstash Forwarder follow below. + .. note:: A total of 10 profiles from index 0 to 9 are supported for remote syslog, while index 9 is reserved for CoPilot. + + Newly deployed gateway will be added to a profile if it is the only profile enabled in the index range of 0 to 8, + + If more than one profiles are enabled in the range of 0 to 8, the newly deployed gateway will not be added to any profile in the range of 0 to 8. User may use the advanced options in the logging "edit options" window to edit the exclude and include list. + + However newly deployed gateway will always be added to profile 9 which is reserved for Copilot to monitor. + 3.1 Remote Syslog ------------------ On the Aviatrix Controller: - a. Server: FQDN or IP address of the remote syslog server + a. Profile Index: select a profile to edit + #. Server: FQDN or IP address of the remote syslog server #. Port: Listening port of the remote syslog server (6514 by default) #. CA Certificate: Certificate Authority (CA) certificate #. 
Server Public Certificate: Public certificate of the controller signed by the same CA #. Server Private Key: Private key of the controller that pairs with the public certificate #. Protocol: TCP or UDP (TCP by default) - #. Optional Custom Template: (Deprecated) + #. Optional Custom Template: Useful when forwarding to 3rd party servers like Datadog or Sumo (Details bellow) On the Remote syslog server: - -Configure /etc/rsyslog.conf with the similar content depends on the version to enable tls connection + a. Install rsyslog and rsyslog-gnutls packages + #. Create a new config file in /etc/rsyslog.d with the similar content as in the following box depends on your rsyslog version to enable tls connection. Please make sure key paths are readable by the syslog user + #. Make sure the output directory /var/log is writable by rsyslog user/daemon + #. Restart rsyslog service and check port is listening and no error in /var/log/syslog + #. Confirm the port is allowed in the security group / fireware for incoming traffic (version <8) :: @@ -394,7 +402,7 @@ Configure /etc/rsyslog.conf with the similar content depends on the version to e & ~ -(version 8+) +(version >=8) :: global( @@ -432,6 +440,7 @@ Then #. syslog + 3.1.a Using Rsyslog to send logs to Sumo ------------------------------------------- 
@@ -443,14 +452,61 @@ Since Sumo agents on the controller and gateways tend to consume a lot of cpu/me #. Provide the port - obtained from the first step #. Upload the CA cert from Sumo pointed by their documentation #. Keep the Protocol set to TCP - #. For Optional Custom Template, copy the following string into a new text file and replace the string ADD_YOUR_SUMO_TOKEN_HERE with the token you received in the first step and upload it. Please do keep the square brackets around the token. - - :: + #. For Optional Custom Template, copy the following string and replace the string ADD_YOUR_SUMO_TOKEN_HERE with the token you received in the first step. Please do keep the square brackets around the token. + + .. note:: <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [YOUR_TOKEN] %msg%\\n + .. note:: The Aviatrix Controller expects certificates in PEM format. Attempting to upload the wrong format may return an Exception Error. To convert the DigiCert certificate downloaded from SumoLogic's documentation into PEM format, use the following command: openssl x509 -in DigiCertHighAssuranceEVRootCA.crt -inform der -outform pem -out DigiCertHighAssuranceEVRootCA.pem + +|rsyslog_template| -<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [ADD_YOUR_SUMO_TOKEN_HERE] %msg%\n +.. |rsyslog_template| image:: AviatrixLogging_media/rsyslog_template.png + :width: 6.50500in + :height: 6.20500in + +3.1.b Using Rsyslog to send logs to Datadog +--------------------------------------------- + #. Go to Controller/Settings/Logging/Remote Syslog and enable the service + #. Server: intake.logs.datadoghq.com + #. Port: 10516 + #. Protocol: TCP + #. For Optional Custom Template, copy the following string and replace the string DATADOG_API_KEY with your own key. Please do keep the square brackets around the token. - #. Click on Advanced, if you want to selectively send logs from only some gateways - #. 
Click on Enable + .. note:: <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% - - - %msg%\\n + + +3.1.c Using Rsyslog to send logs to Splunk +--------------------------------------------- + #. Follow the directions in `Splunk Monitornetworkports `_ to create a listener in Splunk. + #. Go to Controller/Settings/Logging/Remote Syslog and enable the service + #. Server: your Splunk server fqdn or ip + #. Port: your Splunk listener port + #. Protocol: TCP + #. Optional Custom Template: (leave blank) + + +3.1.d Using Rsyslog to send logs to Logstash (ElasticSearch/Kibana/ELK stack) +-------------------------------------------------------------------------------- + #. Follow the directions in `Logstash TCP input `_ to create a tcp listener in Logstash. + #. Go to Controller/Settings/Logging/Remote Syslog and enable the service + #. Server: your Logstash server fqdn or ip + #. Port: your Logstash listener port + #. Protocol: TCP + #. Optional Custom Template: (leave blank) + +A sample config of Logstash to work with Rsyslog in ELK stack v7 is +:: + + input { + syslog { + port => 6514 + } + } + + output { + elasticsearch { + hosts => ["127.0.0.1:9200"] + } + } 3.2 Filebeat Forwarder @@ -461,6 +517,30 @@ On the Aviatrix Controller: #. Optional Configuration File: (Deprecated) +A sample config of Logstash to work with Filebeat in ELK stack v7 is +:: + + input { + beats { + port => 5000 + } + } + + filter { + mutate { + rename => { + "[host][name]" => "[host]" + } + } + } + + output { + elasticsearch { + hosts => ["127.0.0.1:9200"] + } + } + + 3.3 Splunk Logging ------------------- On the Aviatrix Controller: @@ -472,6 +552,7 @@ On the Aviatrix Controller: Note: If "Import File" is selected for "How to configure", please provide the Splunk configuration file. + 3.4 Sumo Logic ------------------- On the Aviatrix Controller: 
@@ -485,6 +566,21 @@ Sumologic Collectors(eg: Controllers/Gateways) from SumoLogic servers. Please note that Sumo collector is memory intensive and needs instances with at least 2GB of memory - for AWS, t3.small, or higher depending on features deployed. + +3.5 DataDog Agent +------------------- +You may refer to this link, `DatadogIntegration `_ to set up. However, based on the past year experience, the vendor has changed the client root certificates for a few times. + a. You may disable DataDog Agent and re-enable it to fetch the current new root certificate. + #. Or, we highly recommend to follow above 3.1.b steps to use Remote Syslog as client to forward to any servers and will not encounter any of these cert issues. + +Before 5.3 release, DataDog agent woulld only upload metrics from the Aviatrix Controller and Gateways - from release 5.3, we also upload syslogs to bring it on par with Sumo and Splunk agent behavior. + + +3.6 Cloudwatch +------------------- +Please follow this link `AWS CloudWatch Integration `_ for instruction. + + 4. Log management system Apps ==================================== @@ -498,8 +594,7 @@ Splunk App for Aviatrix Splunk app for Aviatrix can be downloaded from `Splunkbase `_. -Click `here `_ to check -instructions on GitHub. +Click `SplunkforAviatrix `_ to check instructions on GitHub. **Sample** @@ -535,10 +630,14 @@ To configure Loggly integration through an intermediary syslog server relay: 3. Follow `this document `_ to configure the relay to send to Loggly -6. Netflow and Span port support -================================= -Starting from Release 4.0, Aviatrix Controller and gateways support netflow and span port. +6. Netflow +============= + +Aviatrix gateways support Netflow protocol v5 and v9. + +Please follow this link `Netflow Integration `_ to enable it. + 
diff --git a/HowTos/AviatrixLogging_media/rsyslog_template.png b/HowTos/AviatrixLogging_media/rsyslog_template.png new file mode 100644 index 000000000..00f5161d0 Binary files /dev/null and b/HowTos/AviatrixLogging_media/rsyslog_template.png differ diff --git a/HowTos/Aviatrix_Account_Azure.rst b/HowTos/Aviatrix_Account_Azure.rst index dfa8af7a6..b150388e0 100644 --- a/HowTos/Aviatrix_Account_Azure.rst +++ b/HowTos/Aviatrix_Account_Azure.rst 
@@ -3,69 +3,53 @@ :keywords: Aviatrix account, Azure, Aviatrix Azure account credential, API credential =========================================================== -Azure ARM +Azure Account Credential Setup =========================================================== -1.0 Overview +1. Overview ============= -This document helps you setup API credentials on Azure ARM. - -Aviatrix Cloud Controller uses Azure APIs extensively to launch Aviatrix +Aviatrix Controller uses Azure APIs extensively to launch Aviatrix gateways, configure encrypted peering and other features. -In order to use Azure API, you need to first create an Aviatrix Cloud -Account on the Aviatrix Cloud controller. This cloud account corresponds -to a valid Azure account with API credentials. +In order to use Azure API, you need to first create an Aviatrix `Access +Account `_ on the Aviatrix controller. This access account corresponds +to a valid Azure subscription with API credentials. You need to create an access account for each subscription. -The new Microsoft Azure (as opposed to Azure Classic) is significantly -different in how applications are authenticated and authorized to -interact with Azure Resource Manager APIs to manage resources, such as -Virtual Machines, Network, Storage Accounts, etc. +This document describes, for a given subscription, how to obtain the necessary information, +specifically Application ID, Application Key (Client secret), and +Application Directory ID to create an Aviatrix Access Account so that the Controller can execute APIs on that subscription. +There are 3 sections, make sure you go through all of them. -This document describes how to obtain the necessary information, -specifically Application ID, Application Key(Client secret), and -Application Directory ID to create an Aviatrix Cloud Account with step by -step instructions. There are 3 sections, make sure you go through all of -them. -| - - -2.0 Azure Permission Setup for Aviatrix +2. 
API and Permission Setup ======================================== Setting up Azure permission for Aviatrix involves three main steps. 1. Register Aviatrix Controller Application with Azure Active Directory -2. Grant Permissions +2. Assign a role to the Aviatrix Controller Application -3. Get Application ID, Application Key(Client secret) and Directory - ID +3. Get Application ID, Application Key (Client secret) and Directory ID **Important:** Complete the following steps in order. -2.1 Step 1 – Register Aviatrix Controller Application +2.1 – Register Aviatrix Controller Application ------------------------------------------------------- -Login to the Azure Portal. - -https://portal.azure.com +Login to the Azure Portal: https://portal.azure.com -***Register Aviatrix Controller*** -1. From the Azure portal click on "All services" and search for “Azure Active Directory” and click on “Azure Active Directory” - -|Image01| +1. From the Azure portal click on "All services" and search for “Azure Active Directory” and click on “Azure Active Directory”. 2. Click “App registrations". Do not choose "App registrations (Legacy)" -|Image03| +|image03| 3. Click “+ New registration” -|Image04| +|image04| a. Name = Aviatrix Controller 
@@ -75,76 +59,74 @@ https://portal.azure.com 3. Done -2.2 Step 2 – Grant Permissions -------------------------------- - +2.2 – Assign a role to the Aviatrix Application +------------------------------------------------------------ -***Grant Permissions*** 1. Login to the Azure portal 2. On the top left, click All services, search for “Subscriptions” -|Image11| + |image11| 3. Copy the Subscription ID (to notepad or a convenient location) -|Image12| +|image12| 4. Click on the Subscription ID 5. Then select “Access control (IAM)”. -|Image13| +|image13| -6. Click Add and then select the “Contributor” role. +6. Click Add and then select the “Contributor” role. If the "Contributor" role is too broad, you can later replace it with a custom role with specific permissions. Refer to `Use Azure IAM Custom Role `_ for instructions. 7. In the Select search field, type in “Aviatrix”. The Aviatrix Controller - app should show up. Select this one and click Select towards to the + (that you created in section 2.1) app should show up. Select this one and click Select towards to the bottom. -2.3 Step 3 – Get Application Information ------------------------------------------ - -**Get Application Information** +2.3 – Setup Information for Programmatic Sign in +------------------------------------------------------------ 1. From the Azure portal, click All services and search for “Azure Active Directory”. Click “App registrations” and then the application to see the Application (client) ID and Directory (tenant) ID. - |Image01| + |image01| 2. Retrieve the **Application (client) ID** and **Directory (tenant) ID**. A. Copy the Application ID and Directory ID for later use. - |Image14| + |image14| 3. Retrieve the **Client Secrets**. A. Click Certificates & secrets - B. Click New client secret + B. Click + New client secret - |Image06| + |image06| - C. Enter in the following + C. 
Enter in the following, and then click Add * Description = Aviatrix * Expires = Never - |Image07| + |image07| - E. Click Add + E. You should see the new secret as shown below. - |Image15| + |image15| F. Copy the secret. This will be used as the Application Key in the Aviatrix Controller. 5. Add **API permissions**. + Go to Azure Active Directory -> select the "Aviatrix Controller" application, click into the application. + A. Click API permissions |Image08| 
@@ -154,25 +136,49 @@ https://portal.azure.com C. Choose Azure Service Management |Image09| - - D. Select user_impersonation then Add permissions |Image10| 6. Done -At this point you should have the following information. +At this point you should have the following information to create an access account on Azure. + +========================================== ====================== +Access Account Setup Input Field Value +========================================== ====================== +Subscription ID From section 2.2 +Directory ID From section 2.3 +Application ID From section 2.3 +Application Key (Client Secret) From section 2.3 +========================================== ====================== + +Additional References +======================= + +If you need additional information, refer to `How to: Use the portal to create an Azure AD application and service principal that can access resources `_ on Azure documentation. + +Azure China notes +================== + +Deploying the Aviatrix Gateway in the Azure China Cloud +----------------------------------------------------------- + +Prerequisites: + +- You must already have a Microsoft Azure China account and Aviatrix Controller in AWS China to deploy an Aviatrix Gateway in the Azure China Cloud. + + +1. Create the Aviatrix Controller in your AWS China Cloud. Go to Onboarding and select Azure China. + +2. Enter the Aviatrix Customer ID. + +3. Enter the Certificate Domain. + +4. Create the Primary Access Account. -+-----------------------------------+---------------+ -| **Subscription ID** | From step 2 | -+-----------------------------------+---------------+ -| **Directory** **ID** | From step 3 | -+-----------------------------------+---------------+ -| **Application ID** | From step 3 | -+-----------------------------------+---------------+ -| **Application Key(Client secret)**| From step 3 | -+-----------------------------------+---------------+ +6. 
Deploy Aviatrix gateway from the Gateway page in the Aviatrix Controller or the Multi-Cloud Transit Solution page. +For more information, see “What is a China ICP License?” .. |image01| image:: AviatrixAccountForAzure_media/az-ad-01.PNG :width: 5.20313in diff --git a/HowTos/Aviatrix_Controller_API.rst b/HowTos/Aviatrix_Controller_API.rst deleted file mode 100644 index bb15e3910..000000000 --- a/HowTos/Aviatrix_Controller_API.rst +++ /dev/null @@ -1,11 +0,0 @@ -.. meta:: - :description: Aviatrix Controller API, points to real HTML URL - :keywords: Aviatrix API, Controller API - -=========================== -Aviatrix APIs -=========================== - -Click `this link `_ for Aviatrix API documentation. - -.. disqus:: diff --git a/HowTos/Azure_ingress_firewall_example.rst b/HowTos/Azure_ingress_firewall_example.rst new file mode 100644 index 000000000..40e4971f5 --- /dev/null +++ b/HowTos/Azure_ingress_firewall_example.rst 
@@ -0,0 +1,325 @@ +.. meta:: + :description: Azure ingress firewall network + :keywords: AVX Transit Architecture for Azure, Aviatrix Transit network, Transit DMZ, Egress, Firewall, Azure virtual network peering + + +========================================================= +Azure Ingress Firewall Setup Solution +========================================================= + +This document illustrates a simple architecture for Ingress traffic inspection firewall that leverages Azure Load Balancers, `Transit FireNet for Azure `_, and `Azure Transit with Native Spoke VNets `_. The solution also allows +you to view the client IP address. + +The deployment is shown as the diagram below. + +|transit_firenet_vnet| + +The key idea is from FireNet point of view, the ingress inspection is simply a VNET to VNET traffic inspection. This is accomplished by + + #. Place an Internet facing Azure Application Gateway in a spoke VNET (in the diagram, this spoke VNET is called Ingress Spoke VNET) to load balance traffic to the VNET where applications reside (Application Spoke VNET). + + #. Manage Spoke Inspection Policies for the Application Spoke VNET traffic that requires inspection with the Aviatrix Transit VNET. + +In this unified architecture, firewalls can be used for Ingress, Egress, North-South and VNET to VNET filtering. The solution does not need Azure Load Balancers to directly attach to firewall instances which then requires firewall instances to source NAT the incoming traffic from the Internet. Firewall instances can scale out as applications scale for all traffic types. + +.. Note:: + + This architecture works for `Azure Application Gateway `_. You can create multiple load balancers in the Ingress Spoke VNET. + +1. 
Prerequisite Setup +-------------------------------- + +First of all, upgrade the Aviatrix Controller to at least version UserConnect-5.3.1428 + + - https://docs.aviatrix.com/HowTos/inline_upgrade.html + +In this instruction, we are going to deploy the below topology in Azure + +- Azure VNETs + + - Aviatrix Transit VNET (i.e. 192.168.23.0/24) + + - Ingress Spoke VNET (i.e. 10.20.0.0/16) + + - Application Spoke VNET (i.e. 10.21.0.0/16) + +- Azure Transit with Native Spoke VNets topology + +.. Note:: + + Aviatrix Transit FireNet for Azure Encrypted Transit topology also supports this Azure Ingress Firewall Solution. + +Deploy an Aviatrix Transit VNET +^^^^^^^^^^^^^^^^^^^^^ + +Create an Aviatrix Transit VNET by utilizing Aviatrtix feature `Create a VPC `_ with Aviatrix FireNet VPC option enabled + +- Go to the Aviatrix Controller Console. + +- Click on the link "Useful Tools -> Create a VPC" + +- Click on the button "+ Add new" to create a new VPC with Cloud Type Azure ARM + +- Enable the checkbox "Aviatrix FireNet VPC" + +Deploy an Ingress Spoke VNET +^^^^^^^^^^^^^^^^^^^^^ + +Create an Ingress Spoke VNET by utilizing Aviatrtix feature `Create a VPC `_ as the previous step or manually deploying it in Azure portal. Moreover, feel free to use your existing VNET. + +Deploy an Application Spoke VNET +^^^^^^^^^^^^^^^^^^^^^ + +Create an Application Spoke VNET by utilizing Aviatrtix feature `Create a VPC `_ as the previous step or manually deploying it in Azure portal. Moreover, feel free to use your existing Application VNET. + +Deploy Azure Transit with Native Spoke VNets topology +^^^^^^^^^^^^^^^^^^^^^ + +Follow `Global Transit Network Workflow Instructions (AWS/Azure/GCP/OCI) `_ to deploy Azure Transit with Native Spoke VNets topology. + +- Create an Aviatrix Transit Gateway in Aviatrix Transit VNET by following the step `Launch a Transit Gateway `_ as the following screenshot. + + .. 
important:: + + For Azure deployment, the Aviatrix Transit Gateway must be launched with the option Enable Transit FireNet Function enabled. The minimum Azure FireNet gateway size is Standard_B2ms. + +|azure_avx_transit_gw| + +- Attach both Ingress Spoke VNET and Application Spoke VNET via Azure native peering by following the step `Attach Azure ARM Spoke VNet via native peering `_ + +Manage Transit FireNet +^^^^^^^^^^^^^^^^^^^^^ + +Follow `Aviatrix Transit FireNet Workflow `_ to deploy manage FireNet policy, and firewall instances. + +- Manage a spoke inspection policy for the Application spoke VNET by referring to step `Manage Transit FireNet Policy `_ as the following screenshot. + +|azure_avx_manage_firenet_policy| + +- Deploy firewall instance in Aviatrix Transit VNET by following the step `Deploy Firewall Network `_ as the following screenshot. + + Here is the Firewall information in this example for your reference. Please adjust it depending on your requirements. + + ========================================== ========== + **Example setting** **Example value** + ========================================== ========== + Firewall Image Palo Alto Networks VM-Series Next-Generation Firewall Bundle 1 + Firewall Image Version 9.1.0 + Firewall Instance Size Standard_D3_v2 + Management Interface Subnet Select the subnet whose name contains "gateway-and-firewall-mgmt" + Egress Interface Subnet Select the subnet whose name contains "FW-ingress-egress" + Username Applicable to Azure deployment only. “admin” as a username is not accepted. + Attach Check + ========================================== ========== + + |azure_avx_deploy_firewall| + +- Set up firewall configuration by referring to `Example Config for Palo Alto Network VM-Series `_ + + .. Note:: + + In Azure, instead of using pem file, please use username/password to ssh into firewall instance to reset password if needed. Additionally, use the same username/password to login into firewall website. + +2. 
Launch an Apache2 Web server in Application Spoke VNET +------------------------------------- + +In Application Spoke VNET, create an Ubuntu Server 18.04 LTS virtual machine and install Apache2 HTTP Server with custom port 8080. + +======================== ============== +**Example setting** **Example value** +======================== ============== +Protocol HTTP +Port 8080 +======================== ============== + +.. Note:: + + Refer to `Install The Latest Apache2 HTTP Server ( 2.4.34 ) On Ubuntu 16.04 | 17.10 | 18.04 LTS Servers `_ to install Apache2 HTTP Server + + Refer to `How To Change Apache Default Port To A Custom Port `_ to use custom port 8080 + +3. Create Azure Application Gateway +------------------------------------- + +In Ingress Spoke VNET, create an Azure Application Gateway, make sure you select the following: + +- Create an Azure Application Gateway in Ingress Spoke VNET + + |azure_application_gw_creation| + +- Select "Public" for Frontend IP address type in section Frontends + + |azure_application_gw_frontend| + +- Select "IP address or hostname" for Target type and configure the private IP of Apache2 Web Server for Target in section Backends + + |azure_application_gw_backend| + +- Add a routing rule on Listener depending on your requirement + + + ======================== ============== + **Example setting** **Example value** + ======================== ============== + Frontend IP Public + Protocol HTTP + Port 80 + ======================== ============== + + + |azure_application_gw_routing_rule_listener| + + +- Add a routing rule on Backend targets and create a HTTP setting depending on your requirement + + |azure_application_gw_routing_rule_backend_target| + +- Click the button "Create new" on HTTP settings + + + |azure_application_gw_routing_rule_http_setting| + + + ======================== ================= + **Example setting** **Example value** + ======================== ================= + Bankend protocol HTTP + Backend port 8080 + 
======================== ================= + + + |azure_application_gw_routing_rule_backend_target_02| + + +- Review the configuration and click the button "Create" at the page "Review + create" + +.. note:: + + Refer to the instruction `Quickstart: Direct web traffic with Azure Application Gateway - Azure portal `_ + + +4. Ready to go! +--------------- + +Make sure Server (backend pool) status is in Healthy state from the Azure portal page "Application Gateway -> Backend health". + +|azure_application_gw_health_check| + +Run a http request targeting on the Azure Application Gateway Public IP or DNS name. + +- Find the Frontend public IP address of Azure Application Gateway from the Azure portal page "Application Gateway -> Overview" + + |azure_application_gw_frontend_public_IP| + +- Copy the Frontend public IP address of Azure Application Gateway and paste it on a browser from your laptop/PC. + + |azure_browser| + +- Perform tcpdump with port 8080 on Apache2 Web server + + |azure_application_server_tcpdump| + +- Furthermore, Azure Application Gateway automatically preserves client original IP address in the HTTP header field "X-Forwarded-For (XFF)". Here is an HTTP packet example which is opened with Wireshark tool for your reference: + + |azure_application_server_wireshark| + +.. note:: + + `Does Application Gateway support x-forwarded-for headers? `_ + + `What is X-Forwarded-For `_ + + `How do I see X forwarded for in Wireshark? `_ + + +5. View Traffic Log on Firewall +--------------- + +You can view if traffic is forwarded to the firewall instance by logging in to the Palo Alto VM-Series console. Go to the page "Monitor -> Logs -> Traffic". Perform http/https traffic from your laptop/PC to the public IP or domain name of Azure Application Gateway. + +6. Capturing Client IP in logs +------------------------- + +To view the client IP address in the access log, follow the instructions in `How to save client IP in access logs `_. 
+ +- Find and open Apache configuration file. + + :: + + #vim /etc/apache2/apache2.conf + +- In the LogFormat section, add %{X-Forwarded-For}i as follows: + + :: + + ... + LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%h %l %u %t \"%r\" %>s %b" common + ... + +- Save your changes. + +- Reload the Apache service. + + :: + + #systemctl reload apache2 + +- Review the public/original client IP on apache2 access log + +|azure_application_server_apache2_accesslog| + + +.. |transit_firenet_vnet| image:: ingress_firewall_example_media/transit_firenet_vnet.png + :scale: 50% + +.. |azure_avx_transit_gw| image:: ingress_firewall_example_media/azure_avx_transit_gw.png + :scale: 30% + +.. |azure_avx_manage_firenet_policy| image:: ingress_firewall_example_media/azure_avx_manage_firenet_policy.png + :scale: 30% + +.. |azure_avx_deploy_firewall| image:: ingress_firewall_example_media/azure_avx_deploy_firewall.png + :scale: 30% + +.. |azure_application_gw_creation| image:: ingress_firewall_example_media/azure_application_gw_creation.png + :scale: 30% + +.. |azure_application_gw_frontend| image:: ingress_firewall_example_media/azure_application_gw_frontend.png + :scale: 30% + +.. |azure_application_gw_backend| image:: ingress_firewall_example_media/azure_application_gw_backend.png + :scale: 30% + +.. |azure_application_gw_routing_rule_listener| image:: ingress_firewall_example_media/azure_application_gw_routing_rule_listener.png + :scale: 30% + +.. |azure_application_gw_routing_rule_backend_target| image:: ingress_firewall_example_media/azure_application_gw_routing_rule_backend_target.png + :scale: 30% + +.. |azure_application_gw_routing_rule_backend_target_02| image:: ingress_firewall_example_media/azure_application_gw_routing_rule_backend_target_02.png + :scale: 30% + +.. 
|azure_application_gw_routing_rule_http_setting| image:: ingress_firewall_example_media/azure_application_gw_routing_rule_http_setting.png + :scale: 30% + +.. |azure_application_gw_health_check| image:: ingress_firewall_example_media/azure_application_gw_health_check.png + :scale: 30% + +.. |azure_application_gw_frontend_public_IP| image:: ingress_firewall_example_media/azure_application_gw_frontend_public_IP.png + :scale: 30% + +.. |azure_browser| image:: ingress_firewall_example_media/azure_browser.png + :scale: 30% + +.. |azure_application_server_tcpdump| image:: ingress_firewall_example_media/azure_application_server_tcpdump.png + :scale: 30% + +.. |azure_application_server_wireshark| image:: ingress_firewall_example_media/azure_application_server_wireshark.png + :scale: 30% + +.. |azure_application_server_apache2_accesslog| image:: ingress_firewall_example_media/azure_application_server_apache2_accesslog.png + :scale: 50% + +.. disqus:: + diff --git a/HowTos/CloudFormationResources.rst b/HowTos/CloudFormationResources.rst index f4de83bef..1dc6f5ab6 100644 --- a/HowTos/CloudFormationResources.rst +++ b/HowTos/CloudFormationResources.rst 
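Review bot: in section 6 ("Capturing Client IP in logs") the LogFormat change logs whatever X-Forwarded-For header arrives, but that header is client-controllable: a client can send its own X-Forwarded-For value, and proxies conventionally append the observed client address to an existing header rather than replacing it, so the first address in the logged list is not trustworthy and must never feed access control, rate limiting or incident attribution. The page should state that only the entry added by the Application Gateway is authoritative, and suggest a module that trusts exactly that entry (for Apache, mod_remoteip with RemoteIPHeader X-Forwarded-For and RemoteIPInternalProxy scoped to the Ingress Spoke VNET range, 10.20.0.0/16 in this example, verified against a header captured from the gateway since the value format may not be a bare address) instead of prepending the raw header to the `combined` format, which also breaks log parsers that expect the standard `combined` layout. Related: the example listener is HTTP on port 80 with an HTTP backend on 8080, so an "Ingress Firewall" walkthrough ships an unencrypted path end to end; at least one sentence in section 3 on terminating TLS at the Application Gateway listener is needed. Also, the section 1 note advising username/password SSH to the firewall instead of a key should add that the "gateway-and-firewall-mgmt" subnet must be restricted by NSG to administrator source addresses. Typos and style: "Aviatrtix" appears three times in section 1, "Bankend protocol" in the HTTP settings table, "The key idea is from FireNet point of view" reads better as "From the FireNet point of view, ingress inspection is simply VNET-to-VNET inspection", and several `^^^^` underlines are shorter than their titles, which Sphinx reports as "Title underline too short".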
@@ -14,9 +14,9 @@ Managing Aviatrix Resources in CloudFormation Overview -------- -Automating Aviatrix components is managed by REST APIs on the Aviatrix Controller. However, many AWS customers use CloudFormation to automate their infrastructure within AWS. In order to call `Aviatrix REST APIs `__ from CloudFormation templates, a `Custom Resource `__ is required. +Automating Aviatrix components is managed by APIs on the Aviatrix Controller. However, many AWS customers use CloudFormation to automate their infrastructure within AWS. In order to call Aviatrix APIs from CloudFormation templates, a `Custom Resource `__ is required. -Aviatrix has developed a Custom Resource to facilitate automation of Aviatrix components from CloudFormation templates. This Custom Resource is backed by an AWS Lambda function that will invoke the appropriate REST API call using the `Aviatrix Python SDK `__. +Aviatrix has developed a Custom Resource to facilitate automation of Aviatrix components from CloudFormation templates. This Custom Resource is backed by an AWS Lambda function. Use this guide to set up your AWS account with the necessary components to automate Aviatrix from your CloudFormation templates. @@ -212,8 +212,6 @@ This resource allows you to create Aviatrix Gateways. +------------------+----------+------------------------------------------------+ | additional_args | Yes | Dictionary with additional arguments for this | | | | gateway. | -| | | | -| | | | See |linkAliasAPI|_ for available arguments | +------------------+----------+------------------------------------------------+ **Example** @@ -354,6 +352,3 @@ This sample shows how to create a new FQDN filter called `production` that is en .. |imageASMKey| image:: CloudFormationResources_media/asm_secret_key_name.png :width: 300px - -.. |linkAliasAPI| replace:: Aviatrix REST API -.. _linkAliasAPI: https://s3-us-west-2.amazonaws.com/avx-apidoc/API.htm#_connect_container 
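Review bot: the first hunk drops both the REST API link and the Python SDK reference, and the second hunk removes the only pointer telling users where the valid keys for `additional_args` are documented ("See |linkAliasAPI|_ for available arguments"), leaving the table saying "Dictionary with additional arguments for this gateway" with no way to discover them. If the S3-hosted API.htm is being retired, point the `|linkAliasAPI|` substitution at the new API documentation location instead of deleting it in the third hunk. The overview now says only "backed by an AWS Lambda function"; with the SDK sentence gone, nothing explains how that function authenticates to the Controller, so add a sentence on where the Controller credentials come from (the page's `asm_secret_key_name.png` image suggests AWS Secrets Manager) so readers do not fall back to embedding them in template parameters.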
diff --git a/HowTos/CloudN-config-drive-v1_4.rst b/HowTos/CloudN-config-drive-v1_4.rst deleted file mode 100644 index 0b73a7b17..000000000 --- a/HowTos/CloudN-config-drive-v1_4.rst +++ /dev/null 
@@ -1,360 +0,0 @@ -.. meta:: - :description: ClounN Config Drive - :keywords: CloudN, CloudN config drive, Aviatrix, hybrid cloud - -==================================================== -Auto Booting CloudN VM Using ISO File -==================================================== - -This document provides one method to boot CloudN VM automatically without the initial manual configuration stage for interface address. - -This method uses a customized ISO file when launching the virtual machine. - -Note: -CloudN can be downloaded from `this link: `_. - -1. Installation on VMware vSphere Client -========================================= - -Create the customized configuration -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -In order to boot CloudN that passes in interface address information, we need to create an ISO image containing both user-data and meta-data -in ISO9660 format. - -Creating user-data file ------------------------- - -In the following example, CloudN is designed to boot up with a -static ip address 10.10.0.10, netmask 255.255.0.0, gateway 10.10.0.1 and -dns-nameservers 8.8.8.8 and 8.8.4.4. Please note that “#cloud-config” is not -a comment but a directive to cloud-init. - -Sample contents of user-data: - -:: - - #cloud-config - - write_files - - path: /etc/network/interfaces - content: | - auto lo - iface lo inet loopback - auto eth0 - iface eth0 inet static - address 10.10.0.10 - netmask 255.255.0.0 - gateway 10.10.0.1 - dns-nameservers 8.8.8.8 8.8.4.4 - -.. Note:: If CloudN VM were to be deployed in a proxy environment, we would need to include additional proxy settings in the user-data. In the following sample, 10.10.0.21 is the IP address of the CloudN VM, 10.28.144.137 is the proxy IP address with port 8080, as shown in the example below. - -.. 
- -Sample contents of user-data (with proxy settings): - -:: - - #cloud-config - - write_files: - - path: /etc/sudoers.d/90-proxy - content: | - #Aviatrix http/https proxy integration - Defaults env_keep += "http_proxy https_proxy no_proxy" - - - path: /etc/network/interfaces - content: | - auto lo - iface lo inet loopback - auto eth0 - iface eth0 inet static - address 10.10.0.21 - netmask 255.255.0.0 - gateway 10.10.0.1 - dns-nameservers 8.8.8.8 8.8.4.4 - - bootcmd: - - - grep -q _proxy /etc/environment || (echo "http_proxy=http://10.28.144.137:8080"; echo - "https_proxy=http://10.28.144.137:8080"; echo "no_proxy=127.0.0.1,10.10.0.21") >> - /etc/environment - - - grep -q _proxy /etc/apache2/envvars || (echo "export - http_proxy=http://10.28.144.137:8080"; echo "export - https_proxy=http://10.28.144.137:8080"; echo "export no_proxy=127.0.0.1,10.10.0.21") >> - /etc/apache2/envvars - - -Create meta-data file ------------------------- - -:: - - instance-id: CloudN-local - local-hostname: CloudN-local - -Create the ISO -~~~~~~~~~~~~~~ - -After the user-data file and meta-data file are created, you can create the ISO by using this following command. 
- -:: - - ubuntu@ubuntu:~ $ genisoimage -o cloudn-10-10-0-10.iso -volid cidata -J - -r user-data meta-data - -Verify the ISO (optional) -~~~~~~~~~~~~~~~~~~~~~~~~~ - -:: - - ubuntu@ubuntu:~$ sudo mkdir /media/test_iso - - ubuntu@ubuntu:~$ sudo mount -o loop cloudn-10-10-0-10.iso - /media/test_iso - - mount: /dev/loop0 is write-protected, mounting read-only - - ubuntu@ubuntu:~$ cat /media/test_iso/user-data - - #cloud-config - - write_files: - - - path: /etc/network/interfaces - content: | - auto lo - iface lo inet loopback - auto eth0 - iface eth0 inet static - address 10.10.0.10 - netmask 255.255.0.0 - gateway 10.10.0.1 - dns-nameservers 8.8.8.8 8.8.4.4 - - ubuntu@ubuntu:~$ cat /media/test_iso/meta-data - - instance-id: CloudN-local - - local-hostname: CloudN-local - - ubuntu@ubuntu:~$ sudo umount /media/test_iso - -Deploy CloudN VM with the ISO -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Now you can deploy a CloudN VM with the cloudn-10-10-0-10.iso attached as a -CDROM to the VM. During the boot up process, the CloudN will be -configured with the customized configuration in user-data and meta-data. -Once the CloudN network is up, it will automatically download the latest -CloudN software. We will be able to access the web UI directly without -having to access the CloudN VM console to perform the initial interface -setup. - -|image0| - -|image1| - -After importing the CloudN ovf is completed, - -- Click on “Edit virtual machine settings” and select CD/DVD Drive - under the Hardware section. - -- Make sure the Device status “Connect at power on” option is checked - -- Click on “Use ISO image” to browse to the cloudn-10-10-0-10.iso. - -- Click “OK” to complete the Virtual Machine Settings. - -|image2| - -Power on the CloudN virtual machine. The configuration in -cloudn-10-10-0-10.iso will be read by cloud-init during the installation -process and CloudN will upgrade to default version when the network is -up. 
- -|image3| - -|image4| - -Once the CloudN login prompt is shown on the VM console, we can access -the https://10.10.0.10 to complete the admin’s email and password -initialization process. - -|image5| - -2. Installation on Linux KVM -============================= - -The same methods previously described to create the -cloudn-172-25-0-10.iso can be applied to KVM virtualization environment. - -Contents of user-data: -~~~~~~~~~~~~~~~~~~~~~~~ -:: - - #cloud-config - - write_files: - - - path: /etc/network/interfaces - content: | - auto lo - iface lo inet loopback - auto eth0 - iface eth0 inet static - address 172.25.0.10 - netmask 255.255.0.0 - gateway 172.25.0.1 - - dns-nameservers 8.8.8.8 8.8.4.4 - -.. Note: If your environment has proxy server for accessing Internet, you need to include that as described in the VMware section. - -.. - -Contents meta-data: -~~~~~~~~~~~~~~~~~~~ -:: - - instance-id: CloudN-local - - local-hostname: CloudN-local - -Create the ISO Image -~~~~~~~~~~~~~~~~~~~~~ - -:: - - ubuntu@ubuntu:~ $ genisoimage -o cloudn-172-25-0-10.iso -volid cidata -J - -r user-data meta-data - -Deploy CloudN VM with the ISO Image -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Copy the CloudN qcow2 image and cloudn-172-25-0-10.iso to the -/var/lib/libvirt/images. - -:: - - root@ubuntu1:/var/lib/libvirt/images# cp - /home/ubuntu/Downloads/CloudN-ovf-013017.qcow2 . - - root@ubuntu1:/var/lib/libvirt/images# cp - /home/ubuntu/Downloads/cloudn-172-25-0-10.iso . - - root@ubuntu1:/var/lib/libvirt/images# ls -l CloudN-kvm-013017.qcow2 - - -rw-r--r-- 1 root root 7761634304 Mar 19 22:09 CloudN-kvm-013017.qcow2 - - root@ubuntu1:/var/lib/libvirt/images# ls -l cloudn-172-25-0-10.iso - - -rw-r--r-- 1 root root 374784 Mar 19 22:11 cloudn-172-25-0-10.iso - -In this example below, a bridge interface “br1” is created and -eno1 is assigned to this “br1”. 
- -:: - - ubuntu@ubuntu1:~$ ifconfig - br1 Link encap:Ethernet HWaddr 00:30:48:b3:59:92 - inet addr:172.25.0.2 Bcast:172.25.255.255 Mask:255.255.255.0 - inet6 addr: fe80::230:48ff:feb3:5992/64 Scope:Link - UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 - RX packets:2060 errors:0 dropped:0 overruns:0 frame:0 - TX packets:507 errors:0 dropped:0 overruns:0 carrier:0 - collisions:0 txqueuelen:1000 - RX bytes:163384 (163.3 KB) TX bytes:74489 (74.4 KB) - - eno1 Link encap:Ethernet HWaddr 00:30:48:b3:59:92 - inet6 addr: fe80::230:48ff:feb3:5992/64 Scope:Link - UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 - RX packets:2076 errors:0 dropped:0 overruns:0 frame:0 - TX packets:559 errors:0 dropped:0 overruns:0 carrier:0 - collisions:0 txqueuelen:1000 - RX bytes:201572 (201.5 KB) TX bytes:83977 (83.9 KB) - Interrupt:21 Memory:fe600000-fe620000 - - enp4s0 Link encap:Ethernet HWaddr 00:30:48:b3:59:93 - UP BROADCAST MULTICAST MTU:1500 Metric:1 - RX packets:0 errors:0 dropped:0 overruns:0 frame:0 - TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 - collisions:0 txqueuelen:1000 - RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) - Interrupt:19 Memory:fe400000-fe420000 - - lo Link encap:Local Loopback - inet addr:127.0.0.1 Mask:255.0.0.0 - inet6 addr: ::1/128 Scope:Host - UP LOOPBACK RUNNING MTU:65536 Metric:1 - RX packets:656 errors:0 dropped:0 overruns:0 frame:0 - TX packets:656 errors:0 dropped:0 overruns:0 carrier:0 - collisions:0 txqueuelen:1 - RX bytes:107212 (107.2 KB) TX bytes:107212 (107.2 KB) - - virbr0 Link encap:Ethernet HWaddr 00:00:00:00:00:00 - inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0 - UP BROADCAST MULTICAST MTU:1500 Metric:1 - RX packets:0 errors:0 dropped:0 overruns:0 frame:0 - TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 - collisions:0 txqueuelen:1000 - RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) - - ubuntu@ubuntu:~$ brctl show - bridge name bridge id STP enabled interfaces - br1 8000.003048b35992 no eno1 - virbr0 8000.000000000000 yes - 
-Create a new CloudN-1 by importing the CloudN-kvm-013017.qcow2 image -with the customized cloudn-172-25-0-10.iso - -:: - - root@ubuntu1:/var/lib/libvirt/images# virt-install --os-type linux - --os-variant ubuntu14.04 --import --disk - path=./CloudN-kvm-013017.qcow2,bus=virtio,format=qcow2,size=20 --name - CloudN-1 --ram 4096 --vcpus 2 --disk - path=./cloudn-172-25-0-10.iso,device=cdrom --network - bridge=br1,model=virtio --network bridge=br1,model=virtio --graphics spice - -.. Note:: You may need to install virt-viewer package on your Linux machine in order to use the SPICE graphics. - -A Virt Viewer window will pop up to show the installation process of -CloudN. Once the CloudN login prompt is shown on the Virt Viewer -console, we can access the https://172.25.0.10 to complete the admin’s -email and password initialization process. - -|image6| - -|image7| - -|image8| - -When you close the Virt Viewer window, the CloudN VM will continue running -and you will notice that the “Domain creation completed” on the terminal -that you executed virt-install command earlier. - -To shut down or delete the CloudN VM, you may use the Virtual Machine -Manager or virsh commands like any other VMs supported by Linux KVM. - -.. |image0| image:: CloudN-config-drive_media/image1.png - -.. |image1| image:: CloudN-config-drive_media/image2.png - -.. |image2| image:: CloudN-config-drive_media/image3.png - -.. |image3| image:: CloudN-config-drive_media/image4.png - -.. |image4| image:: CloudN-config-drive_media/image5.png - -.. |image5| image:: CloudN-config-drive_media/image6.png - -.. |image6| image:: CloudN-config-drive_media/image7.png - -.. |image7| image:: CloudN-config-drive_media/image8.png - -.. |image8| image:: CloudN-config-drive_media/image9.png - -.. disqus:: 
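Review bot: this removes the entire cloud-init/ISO boot procedure for CloudN (plus its nine images in the hunks that follow) without leaving a pointer. If Managed CloudN (HowTos/CloudN_workflow.rst, added in this same patch) supersedes it, the commit should also remove the toctree/index entry and any page that links to CloudN-config-drive-v1_4.html, otherwise the build warns and external bookmarks 404; a "superseded by" stub is safer than silent deletion. Note also that the deleted user-data examples are the only place documenting the proxy handling (the sudoers env_keep entry and the proxy variables written to /etc/environment and /etc/apache2/envvars); if existing standalone appliances still rely on that, the content should move rather than vanish.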
diff --git a/HowTos/CloudN-config-drive_media/image1.png b/HowTos/CloudN-config-drive_media/image1.png deleted file mode 100644 index 787ee27b7..000000000 Binary files a/HowTos/CloudN-config-drive_media/image1.png and /dev/null differ diff --git a/HowTos/CloudN-config-drive_media/image2.png b/HowTos/CloudN-config-drive_media/image2.png deleted file mode 100644 index 9092970c7..000000000 Binary files a/HowTos/CloudN-config-drive_media/image2.png and /dev/null differ diff --git a/HowTos/CloudN-config-drive_media/image3.png b/HowTos/CloudN-config-drive_media/image3.png deleted file mode 100644 index b3a7aa0e1..000000000 Binary files a/HowTos/CloudN-config-drive_media/image3.png and /dev/null differ diff --git a/HowTos/CloudN-config-drive_media/image4.png b/HowTos/CloudN-config-drive_media/image4.png deleted file mode 100644 index c2a6cfaa4..000000000 Binary files a/HowTos/CloudN-config-drive_media/image4.png and /dev/null differ diff --git a/HowTos/CloudN-config-drive_media/image5.png b/HowTos/CloudN-config-drive_media/image5.png deleted file mode 100644 index f4e4fa67e..000000000 Binary files a/HowTos/CloudN-config-drive_media/image5.png and /dev/null differ diff --git a/HowTos/CloudN-config-drive_media/image6.png b/HowTos/CloudN-config-drive_media/image6.png deleted file mode 100644 index 76b4d35db..000000000 Binary files a/HowTos/CloudN-config-drive_media/image6.png and /dev/null differ diff --git a/HowTos/CloudN-config-drive_media/image7.png b/HowTos/CloudN-config-drive_media/image7.png deleted file mode 100644 index dba9fbdab..000000000 Binary files a/HowTos/CloudN-config-drive_media/image7.png and /dev/null differ diff --git a/HowTos/CloudN-config-drive_media/image8.png b/HowTos/CloudN-config-drive_media/image8.png deleted file mode 100644 index 667cb35d3..000000000 Binary files a/HowTos/CloudN-config-drive_media/image8.png and /dev/null differ 
diff --git a/HowTos/CloudN-config-drive_media/image9.png b/HowTos/CloudN-config-drive_media/image9.png deleted file mode 100644 index 79027d918..000000000 Binary files a/HowTos/CloudN-config-drive_media/image9.png and /dev/null differ diff --git a/HowTos/CloudN_insane_mode.rst b/HowTos/CloudN_insane_mode.rst index a97b71d81..53c2310aa 100644 --- a/HowTos/CloudN_insane_mode.rst +++ b/HowTos/CloudN_insane_mode.rst @@ -4,7 +4,7 @@ =============================================== -Insane Mode CloudN Deployment Checklist +Standalone CloudN Deployment Checklist =============================================== When Insane Mode is applied to improve encryption performance between on-prem and cloud, you need to deploy the Aviatrix hardware appliance CloudN. Making this use case work requires edge router configurations. This document lists the checklist you should follow in @@ -13,6 +13,10 @@ successfully deploying Insane Mode for hybrid connection. CloudN Insane Mode can be applied to hybrid connection by AWS Direct Connect or Azure Express Route. CloudN can also be applied to hybrid connection by Internet. +One CloudN supports `multiple Transit Gateways connections. `_ + +Starting in Release 6.2, Managed CloudN is the supported deployment model where CloudN configuration and operations are managed by the Controller. + Step 1. Understand Deployment Architecture ---------------------------------------------- 
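Review bot: the title becomes "Standalone CloudN Deployment Checklist" and the new sentence says Managed CloudN is the supported model from Release 6.2, but the page never states whether the standalone procedure that follows is deprecated or still supported for earlier releases; one sentence clarifying that, with a link to CloudN_workflow.rst from this same patch, would stop new deployments from following the wrong path. Grammar: "multiple Transit Gateways connections" should be "multiple Transit Gateway connections".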
@@ -49,11 +53,21 @@ Aviatrix CloudN Appliance with HA |deployment_ha| -Redundant DX Deployment +Redundant DX Deployment (Active/Standby) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +In this deployment model, Direct Connects are being used in a Active/Standby mode. The Preferred path is indicated on the picture. + +.. note:: + The firewalls on the left side of the picture cannot handle asymmetric traffic which maybe the reason of having Direct Connect as Active/Standby |deployment_dual_dx| +Redundant DX Deployment (Active/Active) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +In this deployment model, Direct Connects are Active / Active. One of the requirements would be for the firewall to handle asymmetric routing. + +|deployment_dual_dx_aa| + Step 1.2 Connection over Internet ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
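Review bot: the Active/Active paragraph says the firewall must "handle asymmetric routing" while the note just above says the on-prem firewalls "cannot handle asymmetric traffic", and nothing tells the reader these are the same devices, so the two subsections read as contradictory; state that Active/Active requires a firewall-side change (or symmetric path selection) and that Active/Standby is the fallback when that is not possible. Grammar in the new text: "in a Active/Standby mode" should be "in Active/Standby mode", "The Preferred path is indicated on the picture" should be "The preferred path is indicated in the diagram", "which maybe the reason of having" should be "which may be the reason for running", and "Active / Active" should match the "Active/Standby" spacing.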
@@ -94,17 +108,16 @@ CloudN Interface Private IP Address Subnet Mask Default Gateway MTU Siz 1- WAN Not Required Not Required WAN port that connects edge router 2- LAN Not Required Not Required Not Required LAN port that connects edge router 3- MGMT Not Required Management port for CloudN configuration and software upgrade -4- HPE iLO (optional) Not Required Not Required Not Required HP Integrated Lights-Out +4- HPE iLO Not Required Not Required Not Required HP Integrated Lights-Out ===================== ================== =========== =============== =============== ================== ===================== ============================================================= 2.1 Internet Access ~~~~~~~~~~~~~~~~~~~~~~~~ -A CloudN appliance does not require a public IP address, but the management port requires outbound internet access on the management port for software upgrade. - -Here is the list of the public IP address that CloudN requires for outbound traffic. +A CloudN appliance does not require a public IP address, but the management port requires outbound internet access on the management port for software upgrade. Please see `Required Access for External Sites `_. - - www.carmelonetworks.com (54.149.28.255) for CloudN software upgrade. +.. note:: + You must be registered to access the Aviatrix Customer Support website. If you are not already registered, you can sign-up at https://support.aviatrix.com. 2.2 BGP Requirement ~~~~~~~~~~~~~~~~~~~~~~~ 
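Review bot: dropping "(optional)" from the HPE iLO row changes the table to say iLO cabling is required; if that is intended, the prerequisites above should say so, otherwise the word should stay. Replacing the explicit egress destination (www.carmelonetworks.com / 54.149.28.255) with a link to "Required Access for External Sites" is the right direction, but the added note says the Customer Support site requires registration; if the linked page sits behind that login, an operator building the outbound allowlist for the MGMT port cannot read it during deployment, so either list the FQDNs here or confirm the page is public. Minor: "requires outbound internet access on the management port" repeats "management port" within the same sentence.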
@@ -132,16 +145,24 @@ Before powering up CloudN, make sure After you power up CloudN, first test that the CloudN interfaces are alive and connected properly by doing the following tests. a. From ASR, ping the CloudN LAN interface, WAN interface and Mgmt interface. - #. CloudN mgmt interface can ping Internet (From CloudN clish console) + #. CloudN mgmt interface can ping Internet (From CloudN cli console) 3.3 Upgrade CloudN to the Latest Software ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - a. Login to the CloudN console. Open a browser console and type: https://CloudN_Mgmt_IP_Address - #. Login with username "admin" and password "Aviatrix 123#" (You can change the password later) + a. Log in to the CloudN console. Open a browser console and type: https://CloudN_Mgmt_IP_Address. + #. Log in with username "admin" and the password provided by your Aviatrix Support Representative (You can change the password later). #. Upgrade CloudN to the latest. -3.4 Configure Insane Moode +3.4 Configure NTP Sync and SMTP Services +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + a. Add a firewall rule to allow CloudN’s MGMT outbound UDP port 123 access to ntp.ubuntu.com or to a local NTP server. + #. In the CloudN UI, go to Setting -> Controller -> System Time. Enter ntp.ubuntu.com or a local NTP server then select the Sync option. + #. Do a manual sync to the NTP server. + #. In the CloudN UI, go to Setting -> Controller -> Email. Setup the SMTP settings to allow CloudN to send alert emails. + +3.5 Configure Insane Mode ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From the Controller in AWS, configure Transit Setup Step 3 to CloudN, make sure to select all the correct options. 
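Review bot: removing the published default password ("Aviatrix 123#") from 3.3 is the most important change in this file, but the retained "(You can change the password later)" should become a required step ("change the password at first login") since the support-supplied value is shared out of band and reused across appliances. In the new 3.4, the NTP rule and UI path are fine, but "Setup the SMTP settings" says nothing about the outbound access it needs from the MGMT port (TCP 25 or 587 to the relay) even though 2.1 above restricts that port's egress, and it should recommend an authenticated, TLS-protected relay rather than an open one; "Setup" should also be "Set up". The renumbering 3.4->3.5 and 3.5->3.6 needs a grep for other pages that cross-reference "3.4 Configure Insane Mode".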
@@ -153,7 +174,7 @@ From the Controller in AWS, configure Transit Setup Step 3 to CloudN, make sure #. After configuration, download the configure file and import to CloudN. #. If there is HA, import to CloudN HA. -3.5 Troubleshooting Tips +3.6 Troubleshooting Tips ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ a. Check on CloudN Console. Go to Site2Cloud, make sure the tunnel is up. @@ -190,6 +211,9 @@ From the Controller in AWS, configure Transit Setup Step 3 to CloudN, make sure .. |deployment_dual_dx| image:: insane_mode_media/deployment_dual_dx.png :scale: 30% +.. |deployment_dual_dx_aa| image:: insane_mode_media/deployment_dual_dx_aa.png + :scale: 30% + .. |ISR-sample-config| image:: insane_mode_media/ISR-sample-config.png :scale: 50% diff --git a/HowTos/CloudN_workflow.rst b/HowTos/CloudN_workflow.rst new file mode 100644 index 000000000..db8ebedd6 --- /dev/null +++ b/HowTos/CloudN_workflow.rst 
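Review bot: the `@@ -190,6 +211,9 @@` hunk above adds the `|deployment_dual_dx_aa|` substitution pointing at insane_mode_media/deployment_dual_dx_aa.png, but no hunk in this diff adds a `|deployment_dual_dx_aa|` reference to this file, and the visible binary hunks only add CloudN_workflow_media/*.png files; confirm that the new PNG is part of this change set, because the new HowTos/CloudN_workflow.rst also defines the same substitution against that path and will render a missing image otherwise. The 3.5 to 3.6 renumbering in the `@@ -153,7 +174,7 @@` hunk is consistent with the inserted 3.4 section.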
@@ -0,0 +1,753 @@ +.. meta:: + :description: Global Transit Network + :keywords: CloudN workflow, Transit hub, AWS Global Transit Network, Encrypted Peering, Transitive Peering, Insane mode, Transit Gateway, TGW, Managed CloudN + + +=============================================== +Managed CloudN Workflows +=============================================== + +Introduction +============ + +Aviatrix CloudN hardware appliance is deployed on-prem to connect to public cloud. It provides up to 25Gbps encryption performance over AWS Direct Connect and Azure Express Route. + +Aviatrix Managed CloudN enables you to manage CloudN hardware appliances by Aviatrix Controller as an `Aviatrix CloudN device `_. + +Benefits: +--------- + +- Ease of use: + + - Centrally manage all CloudN appliances from Aviatrix Controller without logging into each Standalone CloudN GUI individually for ongoing configuration and operation actions. + + - Simplifying connection configuration by removing manually importing S2C IPsec configuration method as in Standalone CloudN. + +- Enhanced visibility and troubleshooting: + + - Perform running diagnostics, upload tracelog and upgrade on Managed CloudN device the same way as an Aviatrix gateway. + + - Support backup/restore function + +- Active Mesh support: + + - Managed CloudN automatically load balance traffic to both Aviatrix Transit primary gateway and backup gateway + +- Scalability: + + - Support scale-out fashion to achieve higher IPsec throughput + +.. note:: + + - Managed CloudN only supports High-Performance (Insane Mode) encryption connection. It works with Aviatrix Transit Gateways with Insane Mode enabled. + + - This solution applies to over AWS Direct Connect, Azure ExpressRoute and Internet. + + - This solution applies to over GCP InterConnect starting from 6.3. + + - This solution in GCP supports only one tunnel per transit gateway for over Internet scenario. 
+ +For more information and benefits about CloudN, please check out the below documents: + + `Insane Mode CloudN Deployment Checklist `_ + + `Insane Mode Encryption FAQ `_ + +This document describes a step-by-step Managed CloudN deployment workflow for R6.2 and later. It covers the following topics. + + - Workflow on Aviatrix CloudN + + - Workflow on Aviatrix Controller + + - Traffic Flow Verification + + - Troubleshooting Tips + + - Upgrade + + - Backup/Restore + + - Workflow on cleanup + + - FAQ + +Topology +================== + + |managed_cloudn_topology| + +Prerequisite +==================== + +Step 1.1 Order CloudN appliance +--------------------------------- + +`Order a CloudN appliance `_ and install it properly in your data center or data center provider + +Step 1.2 (Optional) FQDN name for Controller +----------------------------------------------- + +Create and register an FQDN Name for Aviatrix Controller public IP. This is useful if Controller has HA configured. + + +Step 1.3 (Optional) Remove the current connection +----------------------------------------------------- + +Skip if this is a brand new deployment) Remove/delete any Site2Cloud (IPsec) connection between Aviatrix Transit gateway and Standalone CloudN if you have any in your existing Standalone CloudN deployment + +Step 1.4 Upgrade to the latest +--------------------------------- + +`Upgrade `_ Aviatrix Controller to at least version 6.2 + +Step 1.5 Deploy VPCs, Aviatrix Multi-Cloud Transit Gateways, and Spoke Gateways +-------------------------------------------------------------------------------- + +Deploy Aviatrix Multi-Cloud Transit solution in the cloud. + + - Follow this `step `_ to launch Aviatrix Transit gateway with insane mode enabled. Recommended minimum size for Transit in AWS is c5n.4xlarge. Please refer to this `doc `_ for performance detail. + + - (Optional) Follow this `step `_ to launch Aviatrix Spoke gateway with insane mode enabled. 
Recommended minimum size for Spoke with insane mode in AWS is c5.2xlarge. Please refer to this `doc `_ for performance detail. Notes: Users has option to attach non-insane mode Spoke gateway to insane mode Transit gateway. + + - (Optional) Follow this `step `_ to attach Aviatrix Spoke gateway to Aviatrix Transit gateway + + +.. note:: + + In this example, Aviatrix Multi-Cloud Transit Gateway and Aviatrix Spoke Gateway with HPE are deployed in AWS platform. The workflow applies to Azure. + + +Workflow on Aviatrix CloudN +============================= + +Step 2.1 Open Controller inbound ports +-------------------------------------- + +CloudN is deployed inside a data center, it does not require any public IP addressees. However you need to collect the public IP for +the management interface (The ISP provided pubic IP) and open port 443 on the Controller for that public IP. + +Update Aviatrix Controller's inbound security group to allow TCP 443 from public IP address of the router of CloudN's MGMT interface + + - Open a browser + + - Navigate to the AWS portal + + - Sign in with AWS account + + - Find the security group which is associated with Aviatrix Controller + + - Configure inbound rule to allow TCP 443 from public IP address provided by the ISP where CloudN's management interface egresses to Internet. + + .. important:: + + This public IP address needs to be static. + +Step 2.2 Configure NTP Sync and SMTP Services +--------------------------------------------- + + - Add a firewall rule to allow CloudN’s MGMT outbound UDP port 123 access to ntp.ubuntu.com or to a local NTP server. + + - From the CloudN UI, go to Setting -> Controller -> System Time. Enter ntp.ubuntu.com or a local NTP server then select the Sync option. + + - Do a manual sync to the NTP server. + + - From the CloudN UI, go to Setting -> Controller -> Email, Setup SMTP settings to allow CloudN to send alert email. 
+ +Step 2.3 Login CloudN GUI +-------------------------- + + - Open a browser + + - Navigate to the CloudN GUI with CloudN domain name/IP and port 443 + + - Sign in with CloudN login credentials + +Step 2.4 (Optional) Check whether CloudN requires a Controller IP migration +--------------------------------------------------------------------------------------------- + +This is a rare case. It is documented here for completeness. Skip if the Controller IP address has not been changed. + + - Navigate to the page "Troubleshoot -> Diagnostics -> Network" + + - Find the panel `CONTROLLER PUBLIC IP `_ + + - Perform function `CONTROLLER IP MIGRATION `_ if the message in the panel "CONTROLLER PUBLIC IP" guides users to execute it. + + .. note:: + + For private link connectivity such as AWS Direct Connect or Azure Express Route case, CloudN WAN interface is assigned a private IP, thus the message in the panel "CONTROLLER PUBLIC IP" displays "The public IP of this controller is NA. Controller was not able to reach www.carmelonetworks.com through the WAN interface(eth0)." + +Step 2.5 Managed CloudN management port outbound access +-------------------------------------------------------------------------------------------------------------------------- + +You must use the specified FDQN, IP address, and ports for Managed CloudN (registered to the Controller) and Standalone CloudN (de-registered from the Controller) implementations. Please see `Required Access for External Sites `_. + + .. note:: + + You must be registered to access the Aviatrix Customer Support website. If you are not already registered, you can sign-up at https://support.aviatrix.com. + + + You must be registered to access the Aviatrix Customer Support website. If you are not already registered, you can sign-up at https://support.aviatrix.com. + + + To check basic connectivity to Internet from CloudN device and to troubleshoot reachability issue to these addresses, follow the steps below. 
+ + - Navigate to the page "Troubleshoot -> Diagnostics -> Network" + + - Find the panel `Network Connectivity Utility `_ + + - Enter fields for Hostname, Port, Gateway Name, and Protocol + + +--------------+--------------------------------------------------------------------+ + | **Field** | **Value** | + +--------------+--------------------------------------------------------------------+ + | Hostname | Refer to the FQDN/IP address on the Aviatrix Support webstie. | + +--------------+--------------------------------------------------------------------+ + | Port | Refer to the PORT on the Aviatrix Support webstie. | + +--------------+--------------------------------------------------------------------+ + | Gateway Name | Controller | + +--------------+--------------------------------------------------------------------+ + | Protocol | TCP | + +--------------+--------------------------------------------------------------------+ + + - Click the button "Go" to check connectivity + +Step 2.6 Register with Aviatrix Controller FQDN Name +------------------------------------------------------- + + - Navigate to the page "Settings -> Advanced -> Registration" or click the link "Managed CloudN" under UseCases drop down menu on the top + + |cloudn_register_controller_fqdn_link_managed_cloudn| + + - Find the panel "REGISTER CLOUDN AS A GATEWAY" + + - Enter Aviatrix Controller FQDN name + + |cloudn_register_controller_fqdn| + + .. important:: + + It is highly recommended to register CloudN with Aviatrix Controller’s FQDN name instead of its IP address for allowing Controller HA operation (allows the controller to be assigned to a different IP address). + + When your Aviatrix Controller's FQDN is mapped to a private IP address, make sure that CloudN’s MGMT primary DNS server or secondary DNS server can resolve the FQDN to its private IP address. 
+ + Registering CloudN to Aviatrix Controller via private networks is not a fully supported scenario; please discuss this with the Aviatrix team during the planning phase before you finalize the design for the Managed CloudN deployment. + + - Enter Aviatrix Controller Username/Password with an admin user credential (any users in admin RBAC Groups) + + - Enter Gateway Name to represent this CloudN device + + - Click the button "Register" + + - Click the button "OK" to confirm + + - Wait for about 40-60 seconds to complete the registration process + +Workflow on Aviatrix Controller +======================================= + +Step 3.1 Login Aviatrix Controller +----------------------------------- + + - Open a browser + + - Navigate to the Aviatrix Controller + + - Sign in with Aviatrix account + +Step 3.2 Check if a Managed CloudN device is connected to Aviatrix Controller properly +------------------------------------------------------------------------------------------- + + - Navigate to the page "CLOUDN -> List/Edit" + + - Search for the Managed CloudN device + + - Check the state to make sure it is displayed "registered" on the column "State" + + |controller_managed_cloudn_registered_state| + +Step 3.3 (Optional) Discover a Managed CloudN device WAN interface +--------------------------------------------------------------------- + +This step is for building connection over internet. If you are building connection over Direct Connect, please jump to the next step directly. 
+ + - Navigate to the page "CLOUDN -> Attach" + + - Find the panel 1) Prepare to Attach + + - Select the Managed CloudN device + + - Click the button "DISCOVER WAN INTERFACES" + + |controller_discover_wan_interfaces| + + - Select WAN interface in the drop-down menu + + - Update WAN primary interface and IP if needed + + - Click the button "APPLY" + +Step 3.4 Attach Managed CloudN +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + +This step follows the instruction at `Attach a CloudN device to Aviatrix Transit Gateway `_. + + - Navigate to the page "CLOUDN -> Attach" + + - Find the panel 2) Attach Device to Cloud + + - Select the radio button "Aviatrix Transit Gateway" + + - Enter fields for Branch Name, Aviatrix Transit Gateway, Connection Name, Aviatrix Transit Gateway BGP ASN, CloudN's BGP ASN, CloudN LAN Interface Neighbor's IP, CloudN LAN Interface Neighbor's BGP ASN, and Over DirectConnect. + + +-----------------------------------------+------------------------------------------------------------------------------------------+ + | **Field** | **Value** | + +-----------------------------------------+------------------------------------------------------------------------------------------+ + | Device Name | Select the Managed CloudN device | + +-----------------------------------------+------------------------------------------------------------------------------------------+ + | Aviatrix Transit Gateway | Select an Aviatrix Transit Gateway | + +-----------------------------------------+------------------------------------------------------------------------------------------+ + | Connection Name | A unique name for the connection (i.e. 
Managed-CloudN-to-Aviatrix-Transit-GW-connection) | + +-----------------------------------------+------------------------------------------------------------------------------------------+ + | Aviatrix Transit Gateway BGP ASN | Only BGP is supported. Enter BGP ASN number on Aviatrix Transit Gateway. (i.e. 65019) | + +-----------------------------------------+------------------------------------------------------------------------------------------+ + | CloudN's BGP ASN | Only BGP is supported. Enter BGP ASN number on the Managed CloudN device. (i.e. 65056) | + +-----------------------------------------+------------------------------------------------------------------------------------------+ + | CloudN LAN Interface Neighbor's IP | Enter Managed CloudN LAN Interface Neighbor's IP | + +-----------------------------------------+------------------------------------------------------------------------------------------+ + | CloudN LAN Interface Neighbor's BGP ASN | Only BGP is supported. Enter BGP ASN number on the Neighbor's Router. (i.e. 65122) | + +-----------------------------------------+------------------------------------------------------------------------------------------+ + | Over DirectConnect | A checkbox to select whether the connection is over Direct Connect or Internet | + +-----------------------------------------+------------------------------------------------------------------------------------------+ + + - Click the button "ATTACH" + + |controller_attach_aviatrix_transit| + +Step 3.5 Check whether the Managed CloudN device is attached to Aviatrix Transit Gateway properly +----------------------------------------------------------------------------------------------------- + + - Navigate back to the page "CLOUDN -> List/Edit" + + - Search for the Managed CloudN device + + - Check the state is displayed "attached" on the column "State" + + |controller_managed_cloudn_attached_state| + +.. 
note:: + + The status "attached" here reflects only the management operation state, it does not reflect the attached connection state in real time. Please go to Site2Cloud page to monitor the connection status as below step. + +Step 3.6 Check whether the connection status is Up +--------------------------------------------------- + + - Navigate to the page "SITE2CLOUD -> Setup" + + - Locate the connection which is created in the previous step (i.e. Managed-CloudN-to-Aviatrix-Transit-GW-connection) + + - Check whether the connection status is Up as below example + + |controller_managed_cloudn_s2c_up_state| + +Step 3.7 Check Transit Gateway BGP status +------------------------------------------- + + - Navigate to the page "MULTI-CLOUD TRANSIT -> Advanced Config -> BGP" + + - Locate the connection which is created in the previous step (i.e. Managed-CloudN-to-Aviatrix-Transit-GW-connection) + + - Check whether the NEIGHBOR STATUS is established + +Traffic Flow Verification +========================= + +Traffic Flow Verification example was exercised "after S2C connection(s) is up and BGP connection(s) is established. The on-premise router is Cisco IOS with network loopback address 2.2.2.2/32. Aviatrix Transit VPC is 10.1.0.0/16. Aviatrix Spoke VPC is 192.168.1.0/24 and the private IP of the testing VM is 192.168.1.36/32. 
+ + - Traffic from on-premise router Cisco IOS to cloud VM + + - Issue ICMP traffic from on-prem loopback interface to a Virtual IP of cloud instance + + |managed_cloudn_traffic_flow_verification_on_prem_router_issue_icmp| + + - Execute packet capture on the cloud instance + + |managed_cloudn_traffic_flow_verification_cloud_vm_tcpdump_icmp| + + - Traffic from cloud VM to on-premise router Cisco IOS + + - Issue ICMP traffic from cloud instance to on-prem loopback interface address + + |managed_cloudn_traffic_flow_verification_cloud_vm_issue_icmp| + +Troubleshooting Tips +==================== + +When an CloudN registers with an Aviatrix Controller properly as a Managed CloudN device, users can perform troubleshooting on a Managed CloudN device the same way as +an Aviatrix gateway in the cloud via Aviatrix Controller GUI. + +.. note:: + + Direct access to CloudN's local HTTPs URL/UI is still allowed for only Troubleshoot/Diagnostic reasons; access to any other menu items is not recommended nor supported. 
+ +Running diagnostics +-------------------- + + - Navigate to the page "CLOUDN -> List/Edit" on Aviatrix Controller GUI + + - Search for the Managed CloudN device and select it + + - Click on the button "DIAG" to display drop down menu + + - Click on the button "Run" + + - Wait for a couple of minutes to complete the running diagnostics process + + - Click the button "Show" to display report + + - Click the button "Submit" to upload report to Aviatrix Support + + |controller_troubleshooting_tips_running_diagnostics| + +Upload tracelog +--------------- + + - Navigate to the page "CLOUDN -> List/Edit" on Aviatrix Controller GUI + + - Search for the Managed CloudN device and select it + + - Click on the button "DIAG" to display dropdown menu + + - Click on the button "Upload Tracelog" to upload tracelog to Aviatrix Support + + |controller_troubleshooting_tips_upload_tracelog| + +Download syslogs +---------------- + + - Navigate to the page "CLOUDN -> List/Edit" on Aviatrix Controller GUI + + - Search for the Managed CloudN device and select it + + - Click on the button "DIAG" to display dropdown menu + + - Click on the button "Download Syslog" + + |controller_troubleshooting_tips_download_syslogs| + +Force upgrade +------------- + + - Refer to `Force Upgrade doc `_ + + - Navigate to the page "TROUBLESHOOT -> Diagnostics -> Gateway" on Aviatrix Controller GUI + + - Search for the panel "Force Upgrade" + + - Select the Managed CloudN device on the "Gateway" dropdown menu + + - Click on the button "UPGRADE" to force upgrade the Managed CloudN device + + |controller_troubleshooting_tips_force_upgrade| + +Upgrade +======= + +When an CloudN registers with an Aviatrix Controller properly as a Managed CloudN device, the upgrade process on the Managed CloudN device is treated the same way +as an Aviatrix gateway in the cloud when Aviatrix Controller is upgraded. Please refer to `Inline Software Upgrade doc `_ for upgrading a Managed CloudN device from Aviatrix Controller. 
+ +.. important:: + + * Once CloudN is registered to Aviatrix controller, if you wish to check the version of Managed-CloudNs, please go to Aviatrix controller -> Settings -> Maintenance -> Upgrade -> Gateway Upgrade Status. However, the software version you see from CloudN GUI locally would not change, and it stays with the version at the time when you register CloudN to Aviatrix controller. + + * With Managed CloudN, software upgrading directly from CloudN GUI is no longer needed, unless unexpected issues occur. In such case, please open a support ticket at `Aviatrix Support Portal `_. + + + +|correct_place_to_check_cloudN_version| + + +Backup/Restore +============== + +When a CloudN registers with an Aviatrix Controller properly as a Managed CloudN device, the backup/restore process on the Managed CloudN device is processed the same way as an +Aviatrix gateway in the cloud when the backup/restore function is performed on Aviatrix Controller. Please refer to `Controller Backup and Restore doc `_ for details. + +.. note:: + + Performing backup/restore function for Managed CloudN device via CloudN GUI is not supported. 
+ +Workflow on cleanup +=================== + +De-register a Managed CloudN device from Aviatrix Controller +------------------------------------------------------------ + +Step 4.1 Perform feature "Detach Device from Cloud" on Aviatrix Controller GUI +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + - Open a browser + + - Navigate to the Aviatrix Controller + + - Sign in with Aviatrix account + + - Navigate to the page "CLOUDN -> Attach" + + - Find the panel "Delete Function -> 3> Detach Device from Cloud" + + - Select the connection from Managed CloudN to Aviatrix Transit gateway on the Attachment Name dropdown menu + + - Click on the button "DETACH" to disconnect the connection + + |controller_cloudwan_detach| + +Step 4.2 Perform feature "De-register a Device" on Aviatrix Controller GUI +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + - Open a browser + + - Navigate to the Aviatrix Controller + + - Sign in with Aviatrix account + + - Navigate to the page "CLOUDN -> Register" + + - Find the panel "Delete Function -> 2> De-register a Device" + + - Select the Managed CloudN device on the Branch Name dropdown menu + + - Click on the button "DE-REGISTER" to convert a Managed CloudN device back to a Standalone CloudN state + + |controller_cloudwan_deregister| + + .. note:: + + If these steps cannot convert a Managed CloudN device back to a Standalone CloudN state properly, please proceed Reset Configuration feature. + +Workflow on Reset Configuration +-------------------------- + +"Reset Configuration" feature enables users to remove all configuration on a Managed CloudN device from a corrupted state to a clean state. Please follow the below steps for "Reset Configuration". +This Reset Configuration feature is the last resort if users are not able to convert a Managed CloudN device back to a Standalone CloudN state through the steps above. 
+ +Step 4.3 Perform feature "Reset Configuration" on Aviatrix Controller GUI +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + - Open a browser + + - Navigate to the Aviatrix Controller + + - Sign in with Aviatrix account + + - Navigate to the page "CLOUDN -> List/Edit" + + - Search for the Managed CloudN device and select it + + - Click on the button "DIAG" to display dropdown menu + + - Click on the button "Reset Configuration" + + - Wait for a couple of minutes to complete the Reset Configuration process + + |controller_cloudwan_factory_reset| + + .. note:: + + Normally, when users perform feature "Reset Configuration" on Aviatrix Controller GUI, Aviatrix Controller will notify Managed CloudN to perform "Reset Configuration". If Managed CloudN does not function "Reset Configuration" properly through Aviatrix Controller, users need to execute the step 4.4 below. + +(Optional) Step 4.4 Perform feature "Reset Configuration" on CloudN GUI +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + - Open a browser + + - Navigate to the CloudN GUI with CloudN domain name/IP and port 443 + + - Sign in with CloudN login credentials + + - Navigate to the page "Settings -> Advanced -> Registration" or click the link "Managed CloudN" under UseCases dropdown menu on the top + + |cloudn_register_controller_fqdn_link_managed_cloudn| + + - Find the panel "Reset Configuration" + + - Click the button "Reset" + + - Wait for a couple of minutes to complete the Reset Configuration process + + |cloudn_factory_reset| + + .. important:: + + If users need any assistance for Reset Configuration operation, please open a support ticket at `Aviatrix Support Portal `_. + +User Guide for Redundant DX Deployment +====================================== + +Active/Active +------------- + +|deployment_dual_dx_aa| + +The `Active/Active deployment model `_ is recommended. 
In this deployment +model, both CloudN appliances forward traffic and the underlying network links are fully utilized. + +.. important:: + + Aviatrix topology requirements: + + - Attach two CloudN appliances to Aviatrix Transit by following the above workflows. + + - Enable `BGP ECMP function `_ on Aviatrix Transit. + + On-prem topology requirements: + + - If firewalls are deployed, make sure there is no asymmetric routing issues or the firewalls are capable of handling asymmetric routing issues. + + - LAN routers should advertise the same AS path length to both CloudN appliances and enable ECMP feature. + +Active/Standby +-------------- + +|deployment_dual_dx| + +Aviatrix solution supports `Active/Standby deployment model `_, but one of the CloudN appliances and network connections stays at standby/idle mode. + +To deploy this topology, on-prem LAN router must advertise **longer BGP AS_PATH** to the Standby CloudN to ensure traffic direction from cloud to on-prem always routes to the Active CloudN when the connection is up. Once the connection on the Active CloudN is down, traffic will be directed towards the Standby CloudN based on BGP info. When the Active CloudN is recovered, traffic will switch back to the Active CloudN as it has **shorter BGP AS_PATH** length. + +Users can utilize `Connection AS Path Prepend `_ for the traffic direction from on-prem to cloud depending on requirement. + +FAQ +==== + +Q: What is the terminology of Standalone CloudN and Managed CloudN? + +Ans: In this document, the term "Standalone CloudN" refers to a CloudN device is not managed by an Aviatrix Controller; "Managed CloudN" refers to a CloudN device that is registered/managed by an Aviatrix Controller. + +Q: Could a Managed CloudN be converted back to a Standalone CloudN? + +Ans: Yes. While this is not recommended practice, you should be able to convert a Managed CloudN device back to a Standalone CloudN by following the `Workflow on cleanup `_. 
+ +Q: Does Managed CloudN have Aviatrix High-Performance (Insane) mode supported? + +Ans: Yes. When a Managed CloudN device attaches to an Aviatrix Transit gateway with HA function enabled, High-Performance (Insane) mode tunnels to both primary and backup transit gateways are built automatically. + +Q: Can Managed CloudN solution support Azure Express Route? + +Ans: Yes, Managed CloudN runs over Azure Express Route. + +Q: Can we build a mixed topology in the deployment where some connections are from Managed CloudN and others are from Standalone CloudN in one CloudN appliance? + +Ans: No. We don't support this mixed topology. Once you decide to deploy Managed CloudN solution, you need to make sure there is no IPsec tunnel between Aviatrix Transit Gateway and Standalone CloudN before registering the Standalone CloudN to Aviatrix Controller. + +Q: Can one Standalone/Managed CloudN appliance connect to multiple links Direct Connect or Express Route? + +Ans: Yes. A CloudN appliance can build multiple of HPE connections to different Aviatrix Transit Gateways over multiple Direct Connect or Express Route. + +Q: Can one Aviatrix Transit Gateway connect to multiple of Managed CloudNs? + +Ans: Yes. An Aviatrix Transit Gateway can build multiple of HPE connections to different Managed CloudNs. + +Q: Can one Aviatrix Transit Gateway build mixed connections to different Standalone CloudN and Managed CloudN? + +Ans: Yes. While this is not recommended practice, an Aviatrix Transit Gateway is able to build mixed connections to different Standalone CloudN and Managed CloudN. This deployment is for migration stage only. + +Q: How to update the new Aviatrix Controller public IP for Managed CloudN? + +Ans: + +- Refer to `step 2.6 Register with Aviatrix Controller FQDN Name `_. 
+ +- Navigate to the page "Settings -> Advanced -> Registration" or click the link "Managed CloudN" under UseCases drop down menu on the top on CloudN GUI + +- Find the panel "REGISTER CLOUDN AS A GATEWAY" + +- Enter the new Aviatrix Controller public IP + + .. important:: + + It is highly recommended that a FQDN name is used instead of an IP address for enhanced security and controller HA. + +- Click the button "Register" + +- Click the button "OK" to confirm + +Q: How to migrate a Standalone CloudN to a Managed CloudN? + +Ans: + +- `Upgrade `_ Aviatrix Controller and CloudN appliance to at least version 6.2 + +- Remove/delete any Site2Cloud (IPsec) connection between Aviatrix Transit gateway and Standalone CloudN + +- Follow `Workflow on Aviatrix CloudN `_ + +- Follow `Workflow on Aviatrix Controller `_ + +.. |managed_cloudn_topology| image:: CloudN_workflow_media/managed_cloudn_topology.png + :scale: 80% + +.. |cloudn_register_controller_fqdn_link_managed_cloudn| image:: CloudN_workflow_media/cloudn_register_controller_fqdn_link_managed_cloudn.png + :scale: 80% + +.. |cloudn_register_controller_fqdn| image:: CloudN_workflow_media/cloudn_register_controller_fqdn.png + :scale: 40% + +.. |controller_managed_cloudn_registered_state| image:: CloudN_workflow_media/controller_managed_cloudn_registered_state.png + :scale: 50% + +.. |controller_discover_wan_interfaces| image:: CloudN_workflow_media/controller_discover_wan_interfaces.png + :scale: 60% + +.. |controller_attach_aviatrix_transit| image:: CloudN_workflow_media/controller_attach_aviatrix_transit.png + :scale: 60% + +.. |controller_managed_cloudn_attached_state| image:: CloudN_workflow_media/controller_managed_cloudn_attached_state.png + :scale: 50% + +.. |controller_managed_cloudn_s2c_up_state| image:: CloudN_workflow_media/controller_managed_cloudn_s2c_up_state.png + :scale: 60% + +.. 
|managed_cloudn_traffic_flow_verification_on_prem_router_issue_icmp| image:: CloudN_workflow_media/managed_cloudn_traffic_flow_verification_on_prem_router_issue_icmp.png + :scale: 100% + +.. |managed_cloudn_traffic_flow_verification_cloud_vm_tcpdump_icmp| image:: CloudN_workflow_media/managed_cloudn_traffic_flow_verification_cloud_vm_tcpdump_icmp.png + :scale: 100% + +.. |managed_cloudn_traffic_flow_verification_cloud_vm_issue_icmp| image:: CloudN_workflow_media/managed_cloudn_traffic_flow_verification_cloud_vm_issue_icmp.png + :scale: 100% + +.. |controller_troubleshooting_tips_running_diagnostics| image:: CloudN_workflow_media/controller_troubleshooting_tips_running_diagnostics.png + :scale: 50% + +.. |controller_troubleshooting_tips_upload_tracelog| image:: CloudN_workflow_media/controller_troubleshooting_tips_upload_tracelog.png + :scale: 50% + +.. |controller_troubleshooting_tips_download_syslogs| image:: CloudN_workflow_media/controller_troubleshooting_tips_download_syslogs.png + :scale: 50% + +.. |controller_troubleshooting_tips_force_upgrade| image:: CloudN_workflow_media/controller_troubleshooting_tips_force_upgrade.png + :scale: 50% + +.. |controller_cloudwan_detach| image:: CloudN_workflow_media/controller_cloudwan_detach.png + :scale: 60% + +.. |controller_cloudwan_deregister| image:: CloudN_workflow_media/controller_cloudwan_deregister.png + :scale: 60% + +.. |cloudn_factory_reset| image:: CloudN_workflow_media/cloudn_factory_reset.png + :scale: 40% + +.. |controller_cloudwan_factory_reset| image:: CloudN_workflow_media/controller_cloudwan_factory_reset.png + :scale: 60% + +.. |deployment_dual_dx| image:: insane_mode_media/deployment_dual_dx.png + :scale: 30% + +.. |deployment_dual_dx_aa| image:: insane_mode_media/deployment_dual_dx_aa.png + :scale: 30% + +.. |correct_place_to_check_cloudN_version| image:: ./CloudN_workflow_media/correct_place_to_check_cloudN_version.png + :scale: 60% + +.. disqus:: 
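Review bot: Step 2.5 repeats the paragraph "You must be registered to access the Aviatrix Customer Support website..." twice, once inside the `.. note::` and again immediately below it; drop the second copy. The "Workflow on Reset Configuration" heading has an underline ("--------------------------") shorter than its title, and the Step 4.3 and Step 4.4 underlines look short as well, which docutils reports as "Title underline too short"; pad them to the title length. Wording fixes for the same file: "FDQN" (Step 2.5), "webstie" twice in the Step 2.5 table, "addressees" and "pubic IP" (Step 2.1), "Users has option" (Step 1.5), the missing opening parenthesis in "Skip if this is a brand new deployment)" (Step 1.3), the stray quote in 'exercised "after S2C connection(s) is up' (Traffic Flow Verification), "When an CloudN" in both the Troubleshooting Tips and Upgrade sections, and "please proceed Reset Configuration feature" (Step 4.2 note), which should read "please proceed to the Reset Configuration feature".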
diff --git a/HowTos/CloudN_workflow_media/cloudn_factory_reset.png b/HowTos/CloudN_workflow_media/cloudn_factory_reset.png new file mode 100644 index 000000000..e09206bbf Binary files /dev/null and b/HowTos/CloudN_workflow_media/cloudn_factory_reset.png differ diff --git a/HowTos/CloudN_workflow_media/cloudn_register_controller_fqdn.png b/HowTos/CloudN_workflow_media/cloudn_register_controller_fqdn.png new file mode 100644 index 000000000..efa22fabb Binary files /dev/null and b/HowTos/CloudN_workflow_media/cloudn_register_controller_fqdn.png differ diff --git a/HowTos/CloudN_workflow_media/cloudn_register_controller_fqdn_link_managed_cloudn.png b/HowTos/CloudN_workflow_media/cloudn_register_controller_fqdn_link_managed_cloudn.png new file mode 100644 index 000000000..bad75671a Binary files /dev/null and b/HowTos/CloudN_workflow_media/cloudn_register_controller_fqdn_link_managed_cloudn.png differ diff --git a/HowTos/CloudN_workflow_media/controller_attach_aviatrix_transit.png b/HowTos/CloudN_workflow_media/controller_attach_aviatrix_transit.png new file mode 100644 index 000000000..824e16e43 Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_attach_aviatrix_transit.png differ diff --git a/HowTos/CloudN_workflow_media/controller_cloudwan_deregister.png b/HowTos/CloudN_workflow_media/controller_cloudwan_deregister.png new file mode 100644 index 000000000..cbc4f05b4 Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_cloudwan_deregister.png differ diff --git a/HowTos/CloudN_workflow_media/controller_cloudwan_detach.png b/HowTos/CloudN_workflow_media/controller_cloudwan_detach.png new file mode 100644 index 000000000..224e2a5a5 Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_cloudwan_detach.png differ 
diff --git a/HowTos/CloudN_workflow_media/controller_cloudwan_factory_reset.png b/HowTos/CloudN_workflow_media/controller_cloudwan_factory_reset.png new file mode 100644 index 000000000..dc62c446e Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_cloudwan_factory_reset.png differ diff --git a/HowTos/CloudN_workflow_media/controller_discover_wan_interfaces.png b/HowTos/CloudN_workflow_media/controller_discover_wan_interfaces.png new file mode 100644 index 000000000..332563853 Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_discover_wan_interfaces.png differ diff --git a/HowTos/CloudN_workflow_media/controller_managed_cloudn_attached_state.png b/HowTos/CloudN_workflow_media/controller_managed_cloudn_attached_state.png new file mode 100644 index 000000000..086bc2842 Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_managed_cloudn_attached_state.png differ diff --git a/HowTos/CloudN_workflow_media/controller_managed_cloudn_registered_state.png b/HowTos/CloudN_workflow_media/controller_managed_cloudn_registered_state.png new file mode 100644 index 000000000..8633bf124 Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_managed_cloudn_registered_state.png differ diff --git a/HowTos/CloudN_workflow_media/controller_managed_cloudn_s2c_up_state.png b/HowTos/CloudN_workflow_media/controller_managed_cloudn_s2c_up_state.png new file mode 100644 index 000000000..309481908 Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_managed_cloudn_s2c_up_state.png differ diff --git a/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_download_syslogs.png b/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_download_syslogs.png new file mode 100644 index 000000000..affd6b9c1 Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_download_syslogs.png differ 
diff --git a/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_force_upgrade.png b/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_force_upgrade.png new file mode 100644 index 000000000..8dc666402 Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_force_upgrade.png differ diff --git a/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_running_diagnostics.png b/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_running_diagnostics.png new file mode 100644 index 000000000..e1759f782 Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_running_diagnostics.png differ diff --git a/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_upload_tracelog.png b/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_upload_tracelog.png new file mode 100644 index 000000000..af97643c8 Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_upload_tracelog.png differ diff --git a/HowTos/CloudN_workflow_media/correct_place_to_check_cloudN_version.png b/HowTos/CloudN_workflow_media/correct_place_to_check_cloudN_version.png new file mode 100644 index 000000000..0d315bd5e Binary files /dev/null and b/HowTos/CloudN_workflow_media/correct_place_to_check_cloudN_version.png differ diff --git a/HowTos/CloudN_workflow_media/managed_cloudn_topology.png b/HowTos/CloudN_workflow_media/managed_cloudn_topology.png new file mode 100644 index 000000000..6aa0b7cb3 Binary files /dev/null and b/HowTos/CloudN_workflow_media/managed_cloudn_topology.png differ diff --git a/HowTos/CloudN_workflow_media/managed_cloudn_traffic_flow_verification_cloud_vm_issue_icmp.png b/HowTos/CloudN_workflow_media/managed_cloudn_traffic_flow_verification_cloud_vm_issue_icmp.png new file mode 100644 index 000000000..d665d070a Binary files /dev/null and b/HowTos/CloudN_workflow_media/managed_cloudn_traffic_flow_verification_cloud_vm_issue_icmp.png differ 
diff --git a/HowTos/CloudN_workflow_media/managed_cloudn_traffic_flow_verification_cloud_vm_tcpdump_icmp.png b/HowTos/CloudN_workflow_media/managed_cloudn_traffic_flow_verification_cloud_vm_tcpdump_icmp.png new file mode 100644 index 000000000..5a19c4369 Binary files /dev/null and b/HowTos/CloudN_workflow_media/managed_cloudn_traffic_flow_verification_cloud_vm_tcpdump_icmp.png differ diff --git a/HowTos/CloudN_workflow_media/managed_cloudn_traffic_flow_verification_on_prem_router_issue_icmp.png b/HowTos/CloudN_workflow_media/managed_cloudn_traffic_flow_verification_on_prem_router_issue_icmp.png new file mode 100644 index 000000000..6bf28497b Binary files /dev/null and b/HowTos/CloudN_workflow_media/managed_cloudn_traffic_flow_verification_on_prem_router_issue_icmp.png differ diff --git a/HowTos/Cluster_Peering_Ref_Design.rst b/HowTos/Cluster_Peering_Ref_Design.rst index a3b15c537..ca51359ae 100644 --- a/HowTos/Cluster_Peering_Ref_Design.rst +++ b/HowTos/Cluster_Peering_Ref_Design.rst @@ -131,7 +131,7 @@ highlighted. 3. You can create multiple clusters in a VPC. A gateway may also belong to different clusters. -4. For support, send an email to support@aviatrix.com. +4. For support, please open a support ticket at `Aviatrix Support Portal `_ 5. Enjoy! diff --git a/HowTos/CoPilot_media/image0.png b/HowTos/CoPilot_media/image0.png new file mode 100644 index 000000000..dacbcff9f Binary files /dev/null and b/HowTos/CoPilot_media/image0.png differ diff --git a/HowTos/CompanionGateway.rst b/HowTos/CompanionGateway.rst index 334e20c38..88416f61f 100644 --- a/HowTos/CompanionGateway.rst +++ b/HowTos/CompanionGateway.rst 
@@ -2,12 +2,12 @@ :description: Aviatrix Companion Gateway :keywords: aviatrix, companion, gateway, v2, version 2 -================================== -Aviatrix Companion Gateway -================================== +====================================== +Aviatrix Companion Gateway in Azure +====================================== -If you need to launch a gateway in Azure ARM, you must subscribe to +If you need to launch an Aviatrix gateway in Azure, you must subscribe to **Aviatrix Companion Gateway** in **Azure Marketplace**. This model removes the requirement to download the Aviatrix gateway image into your Azure account which typically takes more than 30 minutes, thus @@ -18,56 +18,47 @@ The following steps describe how to subscribe Aviatrix Companion Gateway in Azure marketplace. -.. raw:: html - -
- -
- - Step 1: Select Aviatrix Companion Gateway ------------------------------------------ -Go to `Azure Marketplace `__, search **“aviatrix”** +Go to `Azure Marketplace `_ to subscribe to Companion Gatewaay V8. -.. important:: For Aviatrix controller version 3.0.1 or before, please select **[aviatrix-companion-gateway]**. For Aviatrix controller version 3.1 or later, please select **[aviatrix-companion-gateway-v2]**. -.. -NOTE: The following screenshots are for Companion Gateway V2 + |companion_gw| - |image0| - -| Step 2: Deploy Programmatically ----------------------------------- - If you don't have Azure subscription yet, follow the Azure guide to create your subscription. - If you already have Azure subscription, click **Want to deploy programmatically? Get started ->** at the bottom of the page, as shown below: +Click **Want to deploy programmatically? Get started ->**, as shown below: -|image1| +|get_started| -| Step 3: Enable subscription ---------------------------- - In the next step, select **[Enable subscription]**, click **[Save]**, as shown - below: +Select **[Enable]**, click **[Save]**, as shown below -|image2| +|enable_program| -| That’s it! - For support, send email to support@aviatrix.com + For support, go to Aviatrix Support at https://support.aviatrix.com and open a ticket. .. |image0| image:: CompanionGateway_media/img_01.PNG .. |image1| image:: CompanionGateway_media/img_02.PNG .. |image2| image:: CompanionGateway_media/img_03_enable_and_save.PNG +.. |companion_gw| image:: CompanionGateway_media/companion_gw.png + :scale: 30% + +.. |get_started| image:: CompanionGateway_media/get_started.png + :scale: 30% +.. |enable_program| image:: CompanionGateway_media/enable_program.png + :scale: 30% .. disqus:: diff --git a/HowTos/CompanionGateway_media/companion_gw.png b/HowTos/CompanionGateway_media/companion_gw.png new file mode 100644 index 000000000..af7a41813 Binary files /dev/null and b/HowTos/CompanionGateway_media/companion_gw.png differ 
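Review bot: typo in the new Step 1 line, "Companion Gatewaay V8" should be "Companion Gateway V8". The `.. |image0|`, `.. |image1|` and `.. |image2|` substitution definitions are kept although the rewritten steps reference only `|companion_gw|`, `|get_started|` and `|enable_program|`, so they are dead definitions and can be dropped (together with the `CompanionGateway_media/img_0*.PNG` files if nothing else references them). Removing the `.. important::` that told readers which offer to pick per controller version leaves no guidance for older controllers; if V8 is the only supported offer now, say so in one sentence. The support line still reads "For support, go to Aviatrix Support at https://support.aviatrix.com and open a ticket." while the other pages in this change use the "please open a support ticket at `Aviatrix Support Portal`" wording; use one form. Also "Select **[Enable]**, click **[Save]**, as shown below" lost its trailing colon.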
diff --git a/HowTos/CompanionGateway_media/enable_program.png b/HowTos/CompanionGateway_media/enable_program.png new file mode 100644 index 000000000..0e917dba0 Binary files /dev/null and b/HowTos/CompanionGateway_media/enable_program.png differ diff --git a/HowTos/CompanionGateway_media/get_started.png b/HowTos/CompanionGateway_media/get_started.png new file mode 100644 index 000000000..972a38580 Binary files /dev/null and b/HowTos/CompanionGateway_media/get_started.png differ diff --git a/HowTos/Configuring_CloudN_Examples_media/Drawing1.png b/HowTos/Configuring_CloudN_Examples_media/Drawing1.png deleted file mode 100644 index bdb730db4..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/Drawing1.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image016.png b/HowTos/Configuring_CloudN_Examples_media/image016.png deleted file mode 100644 index 640c8e578..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image016.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image017.png b/HowTos/Configuring_CloudN_Examples_media/image017.png deleted file mode 100644 index d0727567e..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image017.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image018.png b/HowTos/Configuring_CloudN_Examples_media/image018.png deleted file mode 100644 index 413165604..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image018.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image019.png b/HowTos/Configuring_CloudN_Examples_media/image019.png deleted file mode 100644 index db6a7ed8b..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image019.png and /dev/null differ 
diff --git a/HowTos/Configuring_CloudN_Examples_media/image020.png b/HowTos/Configuring_CloudN_Examples_media/image020.png deleted file mode 100644 index 14561f6a6..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image020.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image021.png b/HowTos/Configuring_CloudN_Examples_media/image021.png deleted file mode 100644 index b973c9165..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image021.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image022.png b/HowTos/Configuring_CloudN_Examples_media/image022.png deleted file mode 100644 index 557023f8f..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image022.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image024.png b/HowTos/Configuring_CloudN_Examples_media/image024.png deleted file mode 100644 index 479013d18..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image024.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image026.png b/HowTos/Configuring_CloudN_Examples_media/image026.png deleted file mode 100644 index 4767ebce1..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image026.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image028.png b/HowTos/Configuring_CloudN_Examples_media/image028.png deleted file mode 100644 index 9dac830ff..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image028.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image030.png b/HowTos/Configuring_CloudN_Examples_media/image030.png deleted file mode 100644 index be8c5b5d8..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image030.png and /dev/null differ 
diff --git a/HowTos/Configuring_CloudN_Examples_media/image032.png b/HowTos/Configuring_CloudN_Examples_media/image032.png deleted file mode 100644 index a3a95ab34..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image032.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image034.png b/HowTos/Configuring_CloudN_Examples_media/image034.png deleted file mode 100644 index 2f2f74f03..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image034.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image036.png b/HowTos/Configuring_CloudN_Examples_media/image036.png deleted file mode 100644 index 442dd2bdb..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image036.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image038.png b/HowTos/Configuring_CloudN_Examples_media/image038.png deleted file mode 100644 index 52aba6c96..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image038.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image040.png b/HowTos/Configuring_CloudN_Examples_media/image040.png deleted file mode 100644 index 40779e578..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image040.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image042.png b/HowTos/Configuring_CloudN_Examples_media/image042.png deleted file mode 100644 index 1da0f96ae..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image042.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image044.png b/HowTos/Configuring_CloudN_Examples_media/image044.png deleted file mode 100644 index 35ff39593..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image044.png and /dev/null differ 
diff --git a/HowTos/Configuring_CloudN_Examples_media/image046.png b/HowTos/Configuring_CloudN_Examples_media/image046.png deleted file mode 100644 index 7b55dc92b..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image046.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image048.png b/HowTos/Configuring_CloudN_Examples_media/image048.png deleted file mode 100644 index 14425add7..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image048.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image050.png b/HowTos/Configuring_CloudN_Examples_media/image050.png deleted file mode 100644 index 8ca270ad9..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image050.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image052.png b/HowTos/Configuring_CloudN_Examples_media/image052.png deleted file mode 100644 index 915804917..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image052.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image054.png b/HowTos/Configuring_CloudN_Examples_media/image054.png deleted file mode 100644 index 41ea0051a..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image054.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image056.png b/HowTos/Configuring_CloudN_Examples_media/image056.png deleted file mode 100644 index b91146315..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image056.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image058.png b/HowTos/Configuring_CloudN_Examples_media/image058.png deleted file mode 100644 index 9b69ac372..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image058.png and /dev/null differ 
diff --git a/HowTos/Configuring_CloudN_Examples_media/image060.png b/HowTos/Configuring_CloudN_Examples_media/image060.png deleted file mode 100644 index 4d1fa592b..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image060.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image062.png b/HowTos/Configuring_CloudN_Examples_media/image062.png deleted file mode 100644 index 067f2da59..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image062.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image064.png b/HowTos/Configuring_CloudN_Examples_media/image064.png deleted file mode 100644 index a5538858a..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image064.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image066.png b/HowTos/Configuring_CloudN_Examples_media/image066.png deleted file mode 100644 index a47fa56c6..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image066.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image068.png b/HowTos/Configuring_CloudN_Examples_media/image068.png deleted file mode 100644 index 432f1e1c3..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image068.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image070.png b/HowTos/Configuring_CloudN_Examples_media/image070.png deleted file mode 100644 index 81c8a056b..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image070.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image072.png b/HowTos/Configuring_CloudN_Examples_media/image072.png deleted file mode 100644 index d8fd756e7..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image072.png and /dev/null differ 
diff --git a/HowTos/Configuring_CloudN_Examples_media/image074.png b/HowTos/Configuring_CloudN_Examples_media/image074.png deleted file mode 100644 index e17da96d5..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image074.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image076.png b/HowTos/Configuring_CloudN_Examples_media/image076.png deleted file mode 100644 index 5d002b155..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image076.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image078.png b/HowTos/Configuring_CloudN_Examples_media/image078.png deleted file mode 100644 index 808a1659a..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image078.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image080.png b/HowTos/Configuring_CloudN_Examples_media/image080.png deleted file mode 100644 index b1df49444..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image080.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image082.png b/HowTos/Configuring_CloudN_Examples_media/image082.png deleted file mode 100644 index f7dd4d47c..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image082.png and /dev/null differ diff --git a/HowTos/Configuring_CloudN_Examples_media/image084.png b/HowTos/Configuring_CloudN_Examples_media/image084.png deleted file mode 100644 index c4f217fb2..000000000 Binary files a/HowTos/Configuring_CloudN_Examples_media/image084.png and /dev/null differ diff --git a/HowTos/ContainerAccess.rst b/HowTos/ContainerAccess.rst index 9e1d44b4b..47623a2bb 100644 --- a/HowTos/ContainerAccess.rst +++ b/HowTos/ContainerAccess.rst 
@@ -220,7 +220,7 @@ Troubleshooting the TTL expired and the key-value store cleans up the old entry automatically. -For support, send email to support@aviatrix.com. +For support, please open a support ticket at `Aviatrix Support Portal `_ For feature request and feedback, click Make a wish at the bottom of each page. diff --git a/HowTos/Controller_Login_Okta_SAML_Config.rst b/HowTos/Controller_Login_Okta_SAML_Config.rst index afc219c1f..795d0bdf6 100644 --- a/HowTos/Controller_Login_Okta_SAML_Config.rst +++ b/HowTos/Controller_Login_Okta_SAML_Config.rst @@ -24,7 +24,7 @@ Before configuring SAML integration between Aviatrix and Okta, make sure the fol .. _aviatrix_controller: Aviatrix Controller -#################### +################### If you haven’t already deployed the Aviatrix controller, follow `the Controller Startup Guide `_. @@ -35,7 +35,6 @@ Okta Account A valid Okta account with admin access is required to configure the integration. - Configuration Steps ------------------- @@ -50,10 +49,9 @@ Follow these steps to configure Aviatrix to authenticate against your Okta IDP: .. _okta_saml_app: Create an Okta SAML App for Aviatrix -##################################### +#################################### .. note:: - This step is usually done by the Okta Admin. #. Login to the Okta Admin portal @@ -67,7 +65,7 @@ Create an Okta SAML App for Aviatrix | Sign on method | SAML 2.0 | +----------------+----------------+ - |image0| + |image0| #. General Settings 
@@ -85,16 +83,16 @@ Create an Okta SAML App for Aviatrix | App visibility | N/A | Leave both options unchecked | +----------------+-----------------+----------------------------------------+ - |image1| + |image1| #. SAML Settings * General - + +----------------------+----------------------------------------------------+ | Field | Value | +======================+====================================================+ - | Single sign on URL | ``https://[host]/flask/saml/sso/controller`` | + | Single sign on URL | ``https://[host]/flask/saml/sso/[Endpoint Name]`` | +----------------------+----------------------------------------------------+ | Audience URI | ``https://[host]/`` | | (SP Entity ID) | | 
@@ -106,52 +104,43 @@ Create an Okta SAML App for Aviatrix | Application username | Okta username | +----------------------+----------------------------------------------------+ - ``[host]`` is the hostname or IP of your Aviatrix controller. For example, ``https://controller.demo.aviatrix.live`` - - ``controller`` must be the SP name. Otherwise there will be an "SP is not present" error. + ``[host]`` is the hostname or IP of your Aviatrix controller. + ``[Endpoint Name]`` is an arbitrary identifier. This same value should be used when configuring SAML in the Aviatrix controller. + The example uses ``aviatrix_saml_controller`` for ``[Endpoint Name]`` + ``https://[host]/#/dashboard`` must be set as the Default RelayState so that after SAML authenticates, user will be redirected to dashboard. - - |image2| - * Attribute Statements + + +----------------+-----------------+--------------------------------------+ + | Name | Name format | Value | + +================+=================+======================================+ + | FirstName | Unspecified | user.firstName | + +----------------+-----------------+--------------------------------------+ + | LastName | Unspecified | user.lastName | + +----------------+-----------------+--------------------------------------+ + | Email | Unspecified | user.email | + +----------------+-----------------+--------------------------------------+ - +----------------+-----------------+--------------------------------------+ - | Name | Name format | Value | - +================+=================+======================================+ - | FirstName | Unspecified | user.firstName | - +----------------+-----------------+--------------------------------------+ - | LastName | Unspecified | user.lastName | - +----------------+-----------------+--------------------------------------+ - | Email | Unspecified | user.email | - +----------------+-----------------+--------------------------------------+ - - |image3| + |image2| .. 
_okta_idp_metadata: Retrieve Okta IDP metadata -##################################### +########################## .. note:: - This step is usually completed by the Okta admin. -After the application is created in Okta, go to the `Sign On` tab for the application. Then, click on the `View Setup Instructions` button. +After the application is created in Okta, go to the `Sign On` tab for the application. +Copy the URL from the *Identity Provider metadata* link. This value will be used to configure the Aviatrix SP Endpoint. - |image4| +|image4| -Look for the section titled `Provide the following IDP metadata to your SP provider`. - - |image5| - -.. important:: - - Copy the text displayed. This value will be used to configure the SAML on the Aviatrix controller. - -You need to assign the application to your account. Please follow steps 11 through 14 at `Okta documentation `__ +Assign the application to your account +|image5| .. _aviatrix_saml_endpoint: 
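Review bot: the rewrite drops the old hint that a wrong SP name produces an "SP is not present" error; since `[Endpoint Name]` in the Single sign on URL must now match the endpoint name configured on the controller, keep that error message next to the new `[Endpoint Name]` explanation so a mismatch is easy to diagnose. For the Default RelayState `https://[host]/#/dashboard`, state that it must be a URL on the controller's own host, because Okta hands this value back as the post-login redirect target. With the IdP metadata now supplied as a URL instead of pasted text, document that the controller must be able to reach that URL (outbound HTTPS to Okta) when the endpoint is saved, which the old text-paste method did not require. "Assign the application to your account" has no terminating punctuation and lost the pointer to the Okta documentation steps the old text linked; keep a link or describe the assignment in one line.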
@@ -159,30 +148,31 @@ Create Aviatrix SAML Endpoint ############################# .. note:: - This step is usually completed by the Aviatrix admin. #. Login to the Aviatrix Controller #. Click `Settings` in the left navigation menu #. Select `Controller` #. Click on the `SAML Login` tab -#. Click `Enable` button +#. Click `ADD NEW` button |image6| - + +-------------------------+-------------------------------------------------+ | Field | Value | +=========================+=================================================+ - | IDP Metadata Type | Text | + | IDP Metadata Type | URL | +-------------------------+-------------------------------------------------+ - | IDP Metadata Text | ``Value Copied from Okta`` (Paste the value | - | | copied from Okta SAML configuration) | + | IDP Metadata URL | ``Value copied from Okta`` (Paste the value | + | | copied from Okta Sign On) | +-------------------------+-------------------------------------------------+ | Entity ID | Hostname | +-------------------------+-------------------------------------------------+ - | Access | Use either Admin or read-only | + | Access | Use either admin or read-only | | | | +-------------------------+-------------------------------------------------+ + + |image9| #. Click `OK` 
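Review bot: the `Entity ID | Hostname` row needs a cross-reference to the Okta side: the value the controller derives from Hostname has to equal the Audience URI (`https://[host]/`) entered in the Okta app, and `[host]` has to be the same name used in the Single sign on URL, otherwise the assertion's audience check fails with no obvious error. For the `Access` row, suggest read-only for the endpoint used during testing and admin only for endpoints whose Okta assignment is limited to administrators, since the setting is per endpoint, not per user.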
@@ -191,22 +181,20 @@ Create Aviatrix SAML Endpoint Test the Integration #################### +.. tip:: + You will need to assign the new Okta application to a test user's Okta account before clicking `Test`. + #. Click `Settings` in the left navigation menu #. Select `Controller` #. Click on the `SAML Login` tab -#. Click the `Test` button next to ``controller`` - - .. tip:: - - You will need to assign the new Okta application to a test user's Okta account before clicking `Test`. +#. Click the `Test` button next to ``SAML endpoint name`` - |image7| + |image7| #. You should be redirected to Okta. Login with your test user credentials. - .. important:: - - If everything is configured correctly, once you have authenticated another windows should open with the test user's access. +.. important:: + If everything is configured correctly, once you have authenticated another windows should open with the test user's access. .. _validate_entire_process: @@ -216,14 +204,12 @@ Validate #. Logout of the Aviatrix Controller #. Login to the Aviatrix Controller by clicking the `SAML Login` button - |image8| + |image8| #. You should be redirected to Okta. Login with your test user credentials. - .. important:: - - If everything is configured correctly, once you have authenticated you will be redirected to the dashboard's controller. - +.. important:: + If everything is configured correctly, once you have authenticated you will be redirected to the dashboard's controller. Configure Okta for Multifactor Authentication (OPTIONAL) 
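Review bot: "another windows should open" should read "another window should open" in the moved `.. important::` block. The step "Click the `Test` button next to ``SAML endpoint name``" now shows the placeholder in literal backticks; use the example endpoint name or say "next to the endpoint you created" so it does not read as a literal label.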
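Review bot: in the Validate section, "redirected to the dashboard's controller" should be "redirected to the controller's dashboard"; the wording was carried over unchanged from the old indented block while the indentation was fixed.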
@@ -235,14 +221,13 @@ Please read this `article `__ if you're interested in using DUO in particular. - OpenVPN is a registered trademark of OpenVPN Inc. .. |logoAlias1| replace:: Aviatrix logo with red background -.. _logoAlias1: https://www.aviatrix.com/news/press-kit/logo-aviatrix.png +.. _logoAlias1: https://a.aviatrix.com/news/press-kit/logo-aviatrix-reverse.zip .. |logoAlias2| replace:: Aviatrix logo with transparent background -.. _logoAlias2: https://www.aviatrix.com/images/logo-reverse.png +.. _logoAlias2: https://a.aviatrix.com/news/press-kit/logo-aviatrix.zip .. |image0| image:: Controller_Login_Okta_SAML_media/image0.png @@ -262,5 +247,6 @@ OpenVPN is a registered trademark of OpenVPN Inc. .. |image8| image:: Controller_Login_Okta_SAML_media/image8.png +.. |image9| image:: Controller_Login_Okta_SAML_media/image9.png .. disqus:: diff --git a/HowTos/Controller_Login_Okta_SAML_media/image2.png b/HowTos/Controller_Login_Okta_SAML_media/image2.png index 74ec2fb23..1a0f387e9 100644 Binary files a/HowTos/Controller_Login_Okta_SAML_media/image2.png and b/HowTos/Controller_Login_Okta_SAML_media/image2.png differ diff --git a/HowTos/Controller_Login_Okta_SAML_media/image4.png b/HowTos/Controller_Login_Okta_SAML_media/image4.png index 6affd2855..e5eb85c11 100644 Binary files a/HowTos/Controller_Login_Okta_SAML_media/image4.png and b/HowTos/Controller_Login_Okta_SAML_media/image4.png differ diff --git a/HowTos/Controller_Login_Okta_SAML_media/image5.png b/HowTos/Controller_Login_Okta_SAML_media/image5.png index 216925d04..2117ecb33 100644 Binary files a/HowTos/Controller_Login_Okta_SAML_media/image5.png and b/HowTos/Controller_Login_Okta_SAML_media/image5.png differ diff --git a/HowTos/Controller_Login_Okta_SAML_media/image6.png b/HowTos/Controller_Login_Okta_SAML_media/image6.png index 24a17e9fa..e9c0b1758 100644 Binary files a/HowTos/Controller_Login_Okta_SAML_media/image6.png and b/HowTos/Controller_Login_Okta_SAML_media/image6.png differ 
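Review bot: the logo link targets appear swapped relative to the previous mapping: `|logoAlias1|` ("red background") moved from `logo-aviatrix.png` to `logo-aviatrix-reverse.zip`, and `|logoAlias2|` ("transparent background") moved from `logo-reverse.png` to `logo-aviatrix.zip`; confirm which archive holds which variant before merging. These press-kit links also have nothing to do with Okta SAML configuration, so consider removing them from this page instead of updating them.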
diff --git a/HowTos/Controller_Login_Okta_SAML_media/image7.png b/HowTos/Controller_Login_Okta_SAML_media/image7.png index 0f018da7b..8c7408687 100644 Binary files a/HowTos/Controller_Login_Okta_SAML_media/image7.png and b/HowTos/Controller_Login_Okta_SAML_media/image7.png differ diff --git a/HowTos/Controller_Login_Okta_SAML_media/image8.png b/HowTos/Controller_Login_Okta_SAML_media/image8.png index ac3e1dc34..7a3321892 100644 Binary files a/HowTos/Controller_Login_Okta_SAML_media/image8.png and b/HowTos/Controller_Login_Okta_SAML_media/image8.png differ diff --git a/HowTos/Controller_Login_Okta_SAML_media/image9.png b/HowTos/Controller_Login_Okta_SAML_media/image9.png new file mode 100644 index 000000000..2742835a4 Binary files /dev/null and b/HowTos/Controller_Login_Okta_SAML_media/image9.png differ diff --git a/HowTos/Controller_Login_SAML_Config.rst b/HowTos/Controller_Login_SAML_Config.rst index 581789dd2..bee1c14ec 100644 --- a/HowTos/Controller_Login_SAML_Config.rst +++ b/HowTos/Controller_Login_SAML_Config.rst @@ -1,4 +1,4 @@ -.. meta:: +.. meta:: :description: Aviatrix Controller Login SAML Configuration :keywords: SAML, controller login, Aviatrix, idp, sp 
@@ -41,39 +41,39 @@ If you haven’t already deployed the Aviatrix controller, follow `the Controlle An IdP refers to an identity provider for SAML. This could be any provider that supports a SAML end point like `Okta <./SAML_Integration_Okta_IdP.html>`__, `OneLogin <./SAML_Integration_OneLogin_IdP.html>`__, `Google <./SAML_Integration_Google_IdP.html>`__, -`AWS SSO <./SAML_Integration_AWS_SSO_IdP.html>`__, and `Azure AD <./SAML_Integration_Azure_AD_IdP.html>`__. +`AWS SSO <./SAML_Integration_AWS_SSO_IdP.html>`__, `Azure AD <./SAML_Integration_Azure_AD_IdP.html>`__, and `PingOne <./SAML_Integration_PingOne_IdP.html>`__. You will require administrator access to create IdP endpoints for SAML. Check `IdP-specific SAML Integration <#idp-integration>`__ to see a list of guides for supported IdP's - - 3. Configuration Steps ---------------------- Follow these steps to configure Aviatrix to authenticate against IdP: - 1. Create `temporary Aviatrix SP Endpoint <#config-31>`__ for Aviatrix controller - 2. Create `SAML IdP App <#config-32>`__ with specific IdP - #. Retrieve `IdP Metadata <#config-33>`__ from IdP - #. Update `Aviatrix SP Endpoint <#config-34>`__ with IdP metadata - #. `Test the Integration <#config-35>`__ is set up correctly - #. `Validate <#config-36>`__ +1. Create `temporary Aviatrix SP Endpoint <#config-31>`__ for Aviatrix controller +2. Create `SAML IdP App <#config-32>`__ with specific IdP +#. Retrieve `IdP Metadata <#config-33>`__ from IdP +#. Update `Aviatrix SP Endpoint <#config-34>`__ with IdP metadata +#. `Test the Integration <#config-35>`__ is set up correctly +#. `Validate <#config-36>`__ .. _Config_31: 3.1 Create temporary Aviatrix SP Endpoint ######################################### -.. note:: +.. note:: This step is usually completed by the Aviatrix admin. - This endpoint will be updated later on in the guide. At this step, we will be using placeholder values. 
- Choose an endpoint name for your Aviatrix SAML endpoint which will be used throughout the guide. - This guide will use ``aviatrix_saml_controller`` as an example for the endpoint name. + This endpoint will be updated later on in the guide. + At this step, we will be using placeholder values. + +Choose an endpoint name for your Aviatrix SAML endpoint which will be used throughout the guide. +This guide will use ``aviatrix_saml_controller`` as an example for the endpoint name. #. Login to the Aviatrix Controller #. Click `Settings` in the left navigation menu #. Select `Controller` #. Click on the `SAML Login` tab -#. Click `Add/Update` button +#. Click `ADD NEW` button |image3-1-1| @@ -107,8 +107,8 @@ Follow these steps to configure Aviatrix to authenticate against IdP: #. Click `OK` #. Depending on your IdP provider, you may need to upload SP metadata. After temporary SAML endpoint is created: - - Right click **SP Metadata** button next to the SAML endpoint and save file to your local machine. - - Click **SP Metadata** button, and copy the SP metadata as text +- Click **DOWNLOAD SP METADATA** button next to the SAML endpoint and save file to your local machine +- Click **SP METADATA** button, and copy the SP metadata as text .. _Config_32: @@ -116,7 +116,6 @@ Follow these steps to configure Aviatrix to authenticate against IdP: ############################################### .. note:: - This step is usually done by the IdP administrator. This section shows only a generalized process for creating a SAML application. Refer to the `IdP-specific SAML App Integration <#idp-integration>`_ section for links to detailed steps with each particular IdP. 
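Review bot: in the @@ -107,8 hunk the two bullet items are moved from under the `#. Depending on your IdP provider...` step to column 0, so they no longer nest under that step even though its text (`After temporary SAML endpoint is created:`) introduces them. Either keep them indented as sub-items of the step, or make sure a blank line separates `- Click **DOWNLOAD SP METADATA** button...` from the enumerated item; without one docutils folds the bullet text into the step's paragraph.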
@@ -130,8 +129,8 @@ Create a SAML 2.0 app with the IdP Provider with the following values. #. Default RelayState* = .. important:: - - You can find these values in the controller under the `Settings` navigation item. Then, select `Controller` and go to the `SAML Login` tab. + You can find these values in the controller under the `Settings` navigation item. + Then, select `Controller` and go to the `SAML Login` tab. Click on the button for the respective value, and copy the URL on the new page. RelayState is currently not used by the Aviatrix SP @@ -144,17 +143,14 @@ The following SAML attributes are expected: #. Email (unique identifier for SAML) .. note:: - These values are case sensitive - .. _Idp_Integration: **IdP-specific SAML App Integration** .. note:: - - You will require administrator access to create IdP endpoints for SAML. + You will require administrator access to create IdP endpoints for SAML. These are guides with specific IdP's that were tested to work with Aviatrix SAML integration: @@ -164,10 +160,10 @@ These are guides with specific IdP's that were tested to work with Aviatrix SAML #. `Google <./SAML_Integration_Google_IdP.html>`__ #. `Okta <./SAML_Integration_Okta_IdP.html>`__ #. `OneLogin <./SAML_Integration_OneLogin_IdP.html>`__ +#. `PingOne <./SAML_Integration_PingOne_IdP.html>`__ Other tested IdP's include: -Ping Identity, VmWare VIDM, ForgeRock's OpenAM etc. - +VmWare VIDM, ForgeRock's OpenAM etc. .. _Config_33: @@ -182,6 +178,7 @@ After creating the IdP, you need to retrieve IdP Metadata either in URL or text #. Google - provides IdP metadata text #. Okta - provides IdP metadata URL #. OneLogin - provides IdP metadata URL +#. PingOne - provides IdP metadata URL .. _Config_34: 
@@ -189,43 +186,41 @@ After creating the IdP, you need to retrieve IdP Metadata either in URL or text ############################### .. note:: - - This step is usually completed by the Aviatrix admin. + his step is usually completed by the Aviatrix admin. Take note of the IdP Metadata type along with Text/URL your IdP provides, and if you need a custom SAML request template in the previous section. #. Login to the Aviatrix Controller #. Click `Settings` in the left navigation menu #. Select `Controller` #. Click on the `SAML Login` tab -#. Click `Add/Update` button - - +-------------------------+-------------------------------------------------+ - | Field | Value | - +=========================+=================================================+ - | Endpoint Name | Unique name that you chose in step 3.1 | - +-------------------------+-------------------------------------------------+ - | IPD Metadata Type | Text or URL (depending on what was | - | | provided by the SAML provider) | - +-------------------------+-------------------------------------------------+ - | IdP Metadata Text/URL | IdP metadata URL/Text copied from the SAML | - | | provider configuration | - +-------------------------+-------------------------------------------------+ - | Entity ID | Select `Hostname` or `Custom` | - +-------------------------+-------------------------------------------------+ - | Custom Entity ID | Only visible if `Entity ID` is `Custom` | - +-------------------------+-------------------------------------------------+ - | Access | Select admin or read-only access | - +-------------------------+-------------------------------------------------+ - | Custom SAML Request | Depending on your specific | - | Template | IdP, you may have to check this option. | - | | Refer to `IdP-specific Integration <#idp-integration>`__ | - +-------------------------+-------------------------------------------------+ +#. 
Click `Edit` button + + +-------------------------+----------------------------------------------------------+ + | Field | Value | + +=========================+==========================================================+ + | Endpoint Name | Unique name that you chose in step 3.1 | + +-------------------------+----------------------------------------------------------+ + | IPD Metadata Type | Text or URL (depending on what was | + | | provided by the SAML provider) | + +-------------------------+----------------------------------------------------------+ + | IdP Metadata Text/URL | IdP metadata URL/Text copied from the SAML | + | | provider configuration | + +-------------------------+----------------------------------------------------------+ + | Entity ID | Select `Hostname` or `Custom` | + +-------------------------+----------------------------------------------------------+ + | Custom Entity ID | Only visible if `Entity ID` is `Custom` | + +-------------------------+----------------------------------------------------------+ + | Access | Select admin or read-only access | + +-------------------------+----------------------------------------------------------+ + | Custom SAML Request | Depending on your specific | + | Template | IdP, you may have to check this option. | + | | Refer to `IdP-specific Integration <#idp-integration>`__ | + +-------------------------+----------------------------------------------------------+ .. note:: - `Hostname` is the default for Entity ID, but if you have other apps using the same hostname, use a custom Entity ID. + `Hostname` is the default for Entity ID, but if you have other apps using the same hostname, use a custom Entity ID. - -#. Click `OK` +6. Click `OK` .. _Config_35: 
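Review bot: typo on the rewritten note line in the @@ -189,43 hunk: `+ his step is usually completed by the Aviatrix admin.` should read `This step is usually completed by the Aviatrix admin.` While the table is being reformatted, the `IPD Metadata Type` row label should also become `IdP Metadata Type` to match the `IdP Metadata Text/URL` row beneath it. The explicit `6. Click `OK`` after the table is fine for docutils (it starts a new list at 6), but the five preceding steps use `#.`, so anyone inserting a step later must remember to renumber it.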
@@ -241,9 +236,8 @@ After creating the IdP, you need to retrieve IdP Metadata either in URL or text #. You should be redirected to IdP. Login with your test user credentials. - .. important:: - - If everything is configured correctly, once you have authenticated, another windows should open with the test user's access. +.. important:: + If everything is configured correctly, once you have authenticated, another windows should open with the test user's access. .. _Config_36: @@ -258,11 +252,8 @@ After creating the IdP, you need to retrieve IdP Metadata either in URL or text #. You should be redirected to IdP. Login with your test user credentials. - .. important:: - - If everything is configured correctly, once you have authenticated you will be redirected to the dashboard's controller. - - +.. important:: + If everything is configured correctly, once you have authenticated you will be redirected to the dashboard's controller. .. |logoAlias1| replace:: Aviatrix logo with red background .. _logoAlias1: https://www.aviatrix.com/news/press-kit/logo-aviatrix.png @@ -281,5 +272,4 @@ After creating the IdP, you need to retrieve IdP Metadata either in URL or text .. |image3-6| image:: Controller_Login_SAML_media/image3-6.png - .. disqus:: diff --git a/HowTos/Controller_Login_SAML_media/image3-1-1.png b/HowTos/Controller_Login_SAML_media/image3-1-1.png index c5e18061d..9853623f8 100644 Binary files a/HowTos/Controller_Login_SAML_media/image3-1-1.png and b/HowTos/Controller_Login_SAML_media/image3-1-1.png differ diff --git a/HowTos/Controller_Login_SAML_media/image3-1-2.png b/HowTos/Controller_Login_SAML_media/image3-1-2.png index ff713f744..8fd057f88 100644 Binary files a/HowTos/Controller_Login_SAML_media/image3-1-2.png and b/HowTos/Controller_Login_SAML_media/image3-1-2.png differ 
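Review bot: the rewritten important line in the @@ -241,9 hunk keeps the typo `another windows should open`; since the line is being touched anyway, change it to `another window should open`.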
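Review bot: in the @@ -258,11 hunk `you will be redirected to the dashboard's controller` reads inverted; `redirected to the controller's dashboard` is presumably what is meant, and it is worth saying which account access level the dashboard should show so the validation step actually checks the `Access` setting chosen in 3.4.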
diff --git a/HowTos/Controller_Login_SAML_media/image3-2.png b/HowTos/Controller_Login_SAML_media/image3-2.png index 8782e383e..a4f0d31b1 100644 Binary files a/HowTos/Controller_Login_SAML_media/image3-2.png and b/HowTos/Controller_Login_SAML_media/image3-2.png differ diff --git a/HowTos/Controller_Login_SAML_media/image3-5.png b/HowTos/Controller_Login_SAML_media/image3-5.png index 0f018da7b..8c7408687 100644 Binary files a/HowTos/Controller_Login_SAML_media/image3-5.png and b/HowTos/Controller_Login_SAML_media/image3-5.png differ diff --git a/HowTos/Controller_Login_SAML_media/image3-6.png b/HowTos/Controller_Login_SAML_media/image3-6.png index 357ab8aaf..7a3321892 100644 Binary files a/HowTos/Controller_Login_SAML_media/image3-6.png and b/HowTos/Controller_Login_SAML_media/image3-6.png differ diff --git a/HowTos/CreateGCloudAccount.rst b/HowTos/CreateGCloudAccount.rst index 60f0a4209..29054c4a4 100644 --- a/HowTos/CreateGCloudAccount.rst +++ b/HowTos/CreateGCloudAccount.rst 
@@ -56,28 +56,11 @@ Enable Compute Engine API on the selected project, 4. click Enable. -Step 4: Enable GCloud Messaging Service -------------------------------------------- -The Aviatrix controller uses GCloud Pub/Sub messaging services to communicate -with the gateways. - -To enable Pub/Sub on the selected project, - -1. Go to your Google Cloud Platform console, at the upper left corner - left to Google Cloud Platform signage, click the 3 bars. A drop down - menu will appear. - -2. Select APIs and Services, at Dashboard, click on Enable APIs and Services - -3. On the Search box, input Cloud Pub/Sub API and select it from search result - -4. Click Enable. - -Step 5: Create Credential File +Step 4: Create Credential File ---------------------------------- -When you create a cloud account for GCloud, you are asked to upload a +When you create a cloud account Aviatrix Controller for GCloud, you will be asked to upload a GCloud Project Credentials file. Below are the steps to download the credential file from the Google Developer Console. 
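Review bot: the rewritten sentence `+When you create a cloud account Aviatrix Controller for GCloud, you will be asked to upload a` is missing a preposition; suggest `When you create a GCloud cloud account in the Aviatrix Controller, you will be asked to upload a`. Removing `Step 4: Enable GCloud Messaging Service` also drops the only statement that the Controller uses Pub/Sub to reach the gateways, yet the permission list added to this same file later still grants `pubsub.topics.*` and `pubsub.subscriptions.*`. If Pub/Sub is no longer used those permissions should go too; if it is still used and merely no longer needs manual API enablement, one sentence saying so will stop readers from stripping them out of a custom role.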
@@ -86,20 +69,130 @@ credential file from the Google Developer Console. 2. Select the project you are creating credentials for. -3. At Credentials, Click Create credentials, select Service account key, +3. At Credentials, Click Create credentials, select Service account, as shown below - |image1| + |service_account| + +4. At the Service Accounts, enter a Service account name and click Create. For Service account permissions, select Project, Editor, as shown below. + + |iam_credential| -4. At the Service account dropdown menu, select Compute Engine default - service account, select JSON. +5. Select a service account. Click the 3 skewer bar and select Create Key. Select JSON, click Create. -5. Click Create. The credential file will be downloaded to your local +6. Click Create. The credential file will be downloaded to your local computer. -6. Upload the Project Credential file to the Aviatrix controller at the GCloud +7. Upload the Project Credential file to the Aviatrix controller at the GCloud account create page. +Note: Creating Service Account with Restricted Access +----------------------------------------------------- +It is recommended to create the service account with the Editor role as mentioned in Step 5.4 but in some cases an organization might want +to further restrict permission for the service account. In such a situation Aviatrix recommendation is to have at least following roles assigned +to service account so that Aviatrix can perform its functions properly. For instance managing the compute resources, route tables, firewall rules, shared service vpc network etc. + +1. Compute Admin +2. Service Account User +3. Organization Administrator (required for GCP Shared VPC) +4. Project IAM Admin (required for GCP Shared VPC) + + |restricted_access| + +If an organization is currently using GCP Shared VPC or planning to use in future then it is a requirement to enable Organization Administrator +and Project IAM Admin as well. 
+ +In addition to restricting the GCP roles, you can restrict the rights for those roles. You can grant roles permission to perform the following tasks: + +:: + + compute.addresses.create + compute.addresses.createInternal + compute.addresses.delete + compute.addresses.deleteInternal + compute.addresses.get + compute.addresses.list + compute.addresses.use + compute.addresses.useInternal + compute.disks.create + compute.disks.get + compute.firewalls.create + compute.firewalls.delete + compute.firewalls.get + compute.firewalls.list + compute.firewalls.update + compute.forwardingRules.create + compute.forwardingRules.delete + compute.forwardingRules.list + compute.globalOperations.get + compute.healthChecks.create + compute.healthChecks.delete + compute.healthChecks.useReadOnly + compute.httpHealthChecks.get + compute.httpHealthChecks.useReadOnly + compute.images.list + compute.images.useReadOnly + compute.instanceGroups.create + compute.instanceGroups.delete + compute.instanceGroups.get + compute.instanceGroups.update + compute.instanceGroups.use + compute.instances.create + compute.instances.delete + compute.instances.get + compute.instances.list + compute.instances.setMachineType + compute.instances.setMetadata + compute.instances.setTags + compute.instances.start + compute.instances.stop + compute.instances.updateNetworkInterface + compute.instances.use + compute.networks.addPeering + compute.networks.create + compute.networks.delete + compute.networks.get + compute.networks.list + compute.networks.removePeering + compute.networks.updatePolicy + compute.projects.get + compute.projects.setCommonInstanceMetadata + compute.regionBackendServices.create + compute.regionBackendServices.delete + compute.regionBackendServices.get + compute.regionBackendServices.update + compute.regionBackendServices.use + compute.regionOperations.get + compute.routes.create + compute.routes.delete + compute.routes.list + compute.subnetworks.create + compute.subnetworks.delete + 
compute.subnetworks.get + compute.subnetworks.list + compute.subnetworks.use + compute.subnetworks.useExternalIp + compute.targetPools.addInstance + compute.targetPools.create + compute.targetPools.delete + compute.targetPools.get + compute.targetPools.removeInstance + compute.targetPools.use + compute.zoneOperations.get + compute.zones.list + iam.serviceAccounts.actAs + logging.logEntries.create + pubsub.subscriptions.consume + pubsub.subscriptions.create + pubsub.subscriptions.delete + pubsub.subscriptions.get + pubsub.topics.attachSubscription + pubsub.topics.create + pubsub.topics.delete + pubsub.topics.get + pubsub.topics.publish + resourcemanager.projects.get + Troubleshooting Tips ---------------------- @@ -107,7 +200,7 @@ If cloud account creation fails, check the error message at the Aviatrix controller console and try again with the steps provided in this document. -For additional support, send an email to support@aviatrix.com +For additional support, please open a support ticket at `Aviatrix Support Portal `_ .. |image0| image:: GCloud_media/image1.png @@ -117,4 +210,13 @@ For additional support, send an email to support@aviatrix.com .. |image3| image:: GCloud_media/gcloud-enable-apis-and-services.png +.. |service_account| image:: GCloud_media/service_account.png + :scale: 30% + +.. |iam_credential| image:: GCloud_media/iam_credential.png + :scale: 30% + +.. |restricted_access| image:: GCloud_media/restricted_access.png + :scale: 30% + .. disqus:: diff --git a/HowTos/EnvironmentStamping.rst b/HowTos/EnvironmentStamping.rst index 5c7f475b2..8475dd5aa 100644 --- a/HowTos/EnvironmentStamping.rst +++ b/HowTos/EnvironmentStamping.rst 
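Review bot: the new `Creating Service Account with Restricted Access` section recommends `Organization Administrator` and `Project IAM Admin` for Shared VPC, which is broader than the project `Editor` role the section sets out to tighten (Organization Administrator confers IAM control over the whole organization, not one project). The hunk should name the specific permissions the Shared VPC case needs so a custom role can be assembled from the permission list that follows, instead of binding an org-wide role to the Controller's service account. Two smaller points on the same hunk: `as mentioned in Step 5.4` is stale, because this file's heading was just renumbered to `Step 4: Create Credential File`, so the Editor role is chosen in Step 4.4; and steps 5 and 6 now both end with a click on Create (`Select JSON, click Create.` followed by `6. Click Create.`), so fold step 6 into step 5 or renumber.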
@@ -145,7 +145,7 @@ The configuration workflow is as follows. It highlights the major steps. include the domain name. For example, an instance with nickname webfrontend should be accessed as webfrontend.mydevops.com -#. For support, send email to support@aviatrix.com. +#. For support, please open a support ticket at `Aviatrix Support Portal `_ #. For feature request, click Make a wish at the bottom of each page. diff --git a/HowTos/FAQ.rst b/HowTos/FAQ.rst index aaf67d3da..67e7e7f44 100644 --- a/HowTos/FAQ.rst +++ b/HowTos/FAQ.rst @@ -98,16 +98,27 @@ communicate back to the Controller. You can use the Controller Security Management feature to automatically manage the Controller instance's inbound rules from gateways. - Go to Settings -> Controller -> Security Group Management, select the `primary account `_, and click Enable. +.. note:: + + After this feature is enabled, you can now edit the security rules that are outside gateways public IP addresses to limit the source address range. + +AWS: +^^^^ + +AWS Network ACLs are not stateful, so they are not recommended for controlling access to/from Aviatrix Controllers and Gateways. + When this feature is enabled, the Controller will immediately create 4 security groups. Since each security group can support 50 security rules, the Controller can support up to 200 gateways. -:: +AZURE: +^^^^^^ - After this feature is enabled, you can now edit the security rules that are outside gateways public IP addresses to limit the source address range. +When this feature is enabled, the Controller utilizes the associated network security group which can support up to 1,000 security rules. + +.. note:: -(If you deploy Aviatrix SAML clients for user VPN access, you can follow `this document `_ to add security to the Controller.) + If you deploy Aviatrix SAML clients for user VPN access, you can follow `this document `_ to add security to the Controller. 2. Use signed certificate ########################## 
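Review bot: the relocated note in the @@ -98,16 hunk, `After this feature is enabled, you can now edit the security rules that are outside gateways public IP addresses to limit the source address range.`, is hard to parse; suggest `After this feature is enabled, the gateway rules are managed for you; edit the remaining inbound rules (those not for gateway public IP addresses) to restrict their source range to your administrative networks.` The new AWS paragraph says Network ACLs are not stateful and therefore not recommended, but gives no consequence; one clause such as `return traffic for the Controller's own outbound connections would need explicit inbound NACL entries` makes the reason concrete. The `AWS:` and `AZURE:` headings should drop the trailing colons to match the file's other headings (`2. Use signed certificate`).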
@@ -166,6 +177,10 @@ You can enable `SAML authentication for Controller login. `_ +11. Enable Login Banner +####################### + +This function is explained in detail `here `_ What are the events that the Aviatrix Controller monitors? -------------------------------------------------------------- @@ -179,7 +194,7 @@ What are the events that the Aviatrix Controller monitors? #. **Guard Duty integration** Alert and block malicious IP addresses. #. **Black hole route** Alert when VPC route table has inactive routes. #. **Public subnet** Alert when there are unwanted instances launched on specific public subnets. - #. **CPU/Memory/Disk** Alert when gateway memory or disk space reaches 95% of its capacity. + #. **CPU/Memory/Disk** Alert when gateway memory usage crosses 80% or disk space reaches 90% of its capacity. @@ -251,8 +266,7 @@ The first time when you login, complete the Onboarding process. It takes a few steps. If you have a BYOL license or use a community image, you need to have a -customer ID provided by Aviatrix to be able to use the product. Contact -support@aviatrix.com if you do not have a customer ID. +customer ID provided by Aviatrix to be able to use the product. Please open a support ticket at `Aviatrix Support Portal `_ if you do not have a customer ID. What is an Aviatrix Access Account? ------------------------------------- @@ -286,12 +300,8 @@ What is the support model? ----------------------------- -For support, send email to -`support@aviatrix.com `__. We also offer premium customers with 24x7 support. -To request a -feature, click Make a wish button at the bottom of each page. - - +For support, please open a support ticket at `Aviatrix Support Portal `_ or reach out to your respective Account Executive. +We also offer `Platinum `__ customers with 24x7 support. Logging and Monitoring ====================== 
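Review bot: in the @@ -179,7 hunk the item is labelled `**CPU/Memory/Disk**` but the rewritten text only gives thresholds for memory (80%) and disk (90%); either add the CPU threshold or drop CPU from the label so operators know which alerts to expect.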
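Review bot: in the @@ -286,12 hunk `We also offer `Platinum `__ customers with 24x7 support.` should read `We also offer Platinum customers 24x7 support.` (drop `with`).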
@@ -352,7 +362,7 @@ Yes. Accounts -> Account Users -> Add A NEW USER, at Account Name field, select Is Aviatrix FIPS 140-2 compliant? ---------------------------------- -Yes. Aviatrix has achieved FIPS 140-2 compliant status with certificate number `#3475 `_ as listed at NIST site. +Yes. Aviatrix has achieved FIPS 140-2 compliant status with certificate number `#3273 `_ as listed at NIST site. What are the FIPS 140-2 compliant algorithms? ------------------------------------------------ @@ -370,7 +380,7 @@ Phase 2 DH Groups 2, 1, 5, 14, 15, 16, 17, 18 Phase 2 Encryption AES-256-CBC, AES-192-CBC, AES-128-CBC, AES-128-GCM-64, AES-128-GCM-96, AES-128-GCM-128, 3DES ======================= ========== -SSL VPN encryption algorithm is AES-256-CBC. +SSL VPN encryption algorithm set on the server is AES-256-CBC. For OpenVPN clients running a version 2.3 or lower the negotiated algorithm would be AES-256-CBC. For OpenVPN clients running 2.4 or higher, the negotiated algorithm would be AES-256-GCM due to NCP(Negotiable Crypto Parameters) SSL VPN authentication algorithm is SHA512. 
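Review bot: the @@ -352,7 hunk changes the FIPS 140-2 certificate number from #3475 to #3273, which is a factual claim readers will verify; confirm that the linked CMVP entry is updated to the same number and that it is the certificate covering the module Aviatrix ships, not an earlier one.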
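Review bot: the rewritten SSL VPN line in the @@ -370,7 hunk is one long run-on sentence and omits the condition that makes it true: NCP only yields AES-256-GCM when the server side also runs OpenVPN 2.4 or later, otherwise a 2.4 client still falls back to the configured AES-256-CBC. Split it into two sentences, add that condition, and put a space in `NCP(Negotiable Crypto Parameters)`.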
@@ -444,12 +454,12 @@ represents one or more use cases. You are charged for the specific use case you The details are explained in the table below. ============================================================= =============== ============================== -**Unit Type** **Cost/Unite** **Use Case** +**Unit Type** **Cost/Unit** **Use Case** ============================================================= =============== ============================== -Number of VPC-to-VPC IPSec Tunnel Connections within AWS $0.16 TGW VPC attachment, Aviatrix Spoke VPC attachment, encrypted peering, Transit Peering -Number of User or Client SSL VPN Connections $0.03 User VPN -Number of Gateways running Security Services $0.16 Aviatrix gateways with FQDN service -Number of VPC to Site or Multi cloud IPSec Tunnel Connections $0.48 Site2Cloud use case +Number of VPC-to-VPC IPSec Tunnel Connections within AWS $0.19 TGW VPC attachment, Aviatrix Spoke VPC attachment, encrypted peering, Transit Peering +Number of User or Client SSL VPN Connections $0.04 User VPN +Number of Gateways running Security Services $0.19 Aviatrix gateway with FQDN service +Number of VPC to Site or Multi cloud IPSec Tunnel Connections $0.58 Site2Cloud use case ============================================================= =============== ============================== How is security updates handled and delivered by Aviatrix? 
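Review bot: the `**Cost/Unit**` column in the @@ -444,12 hunk lists bare dollar amounts with no time basis; the table removed in the next hunk of this file quoted the same TGW attachment figure as `$0.16/hour`, so once that table is gone nothing on the page says the new figures are hourly. Label the column `Cost/Unit/hour` or append the period to each value.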
@@ -460,34 +470,6 @@ These are the steps: 1. **Field Notice** All Aviatrix customers are notified when a security update is available. #. **Security Patch** Aviatrix Controller provides a inline software patch to fix vulnerability with the instructions from the Field Notice. The updates do not require reboot of the Controller or gateways most of the time. -Is Aviatrix tunnel price expensive? ------------------------------------------ - -Aviatrix pricing is not expensive. Majority of Aviatrix unit price, such as FQDN, TGW attachment and Spoke gateway attachment is priced at -$0.16/unit. The table below compares annual cost of an Aviatrix tunnel to an EC2. - -As you can see, a tunnel or attachment cost is less than a single c5.xlarge or m5.xlarge cost. In a VPC, you may have tens or hundreds of instances that each costs more in a year than an Aviatrix tunnel. - -For example, if you have 100 instances in a VPC, the additional network cost introduced by Aviatrix is -about 1% of your compute cost. Even when -you scale to more VPCs, this cost ratio does not change. Designing a network that optimizes on network cost is -not a good idea. On the other hand, Aviatrix solution provides you many benefits in operations. - -========================= =============== ==================== -**Type** **Unit Price** **Annual Price** -========================= =============== ==================== -Aviatrix TGW attachment $0.16/hour $1401/year -Aviatrix FQDN gateway $0.16/hour $1401/year -t3.xlarge $0.164/hour $1436/year -t3.2xlarge $0.3328/hour $2915/year -m5.xlarge $0.192/hour $1681/year -m5.2xlarge $0.384/hour $3363/year -m5.4xlarge $0.768/hour $6727/year -c5.xlarge $0.17/hour $1489/year -c5.2xlarge $0.34/hour $2978/year -c5.4xlarge $0.68/hour $5956/year -========================= =============== ==================== - How to recover when a Controller software upgrade fails? ------------------------------------------------------------ 
@@ -503,25 +485,17 @@ Here is the best practice procedure to follow: What IP addresses does Controller need to reach out to? --------------------------------------------------------- -============================================ ============ =================== -Outbound IP Address Port Purpose -============================================ ============ =================== -www.carmelonetworks.com (54.149.28.255) TCP 443 Software upgrade -license.aviatrix.com (52.24.131.245) TCP 443 License update -diag.aviatrix.com (54.200.59.112) TCP 443 Remote debugging -customer-bucket.s3-us-west-2.amazonaws.com TCP 443 Diagnostics tracelog -AWS SQS TCP 443 Controller to gateway message queue. sqs.region.amazonaws.com, where region is represented by us-west-2, us-east-2, etc, the region where the Aviatrix gateway is launched. -AWS API TCP 443 AWS API access. ec2.amazonaws.com -Aviatrix gateways TCP 22 gateway diagnostics (on demand) -Aviatrix gateways TCP 443 Software upgrade to gateways -============================================ ============ =================== +Please see `Required Access for External Sites `_. -Since the Controller is deployed on a public subnet, to restrict the Controller outbound access, -you should use `Aviatrix Public Subnet Filter `_ -to configure Egress Control on the Controller by allowing whitelist to only the listed domain names. +.. note:: + You must be registered to access the Aviatrix Customer Support website. If you are not already registered, you can sign-up at https://support.aviatrix.com. +What IP addresses does an Aviatrix gateway need to reach out to? +---------------------------------------------------------------------- +Please see `Required Access for External Sites `_. -OpenVPN is a registered trademark of OpenVPN Inc. +.. note:: + You must be registered to access the Aviatrix Customer Support website. If you are not already registered, you can sign-up at https://support.aviatrix. 
Centralized Logging Within AWS Government Cloud --------------------------------------------------------- @@ -531,6 +505,13 @@ Aviatrix Controller hosted in AWS Public Cloud and receive logs from gateways in Cloud. In order for the Aviatrix Controller to be able to accept logs from gateways inside of the Government Cloud the Aviatrix controller must be hosted within AWS Government Cloud as well. +How does Aviatrix gateway support high availability in Azure? +--------------------------------------------------------------- + +Aviatrix support Azure Availability Zet for HA gateway that provides 99.95% of up time. + +Azure has started to introduce Availability Zone in some regions. Aviatrix will start to support this option in the future. + .. |image1| image:: FAQ_media/image1.png .. |deployment| image:: FAQ_media/deployment.png diff --git a/HowTos/FQDN_Whitelists_Ref_Design.rst b/HowTos/FQDN_Whitelists_Ref_Design.rst index 0d32ab3dd..3da5bec3e 100644 --- a/HowTos/FQDN_Whitelists_Ref_Design.rst +++ b/HowTos/FQDN_Whitelists_Ref_Design.rst @@ -88,7 +88,7 @@ However, if multiple tags are attached to the same gateway, then the mode (White Exception Rule =============== -Exception Rule is a system-wide mode. +Exception Rule is a system-wide mode. **Exception Rule only applies to whitelist**. By default, the Exception Rule is enabled. (The Exception rule box should be checked.) @@ -103,6 +103,8 @@ are dropped unless the specific destination IP address of the packet is listed in the Whitelist. The use case could be that certain old applications use hard coded destination IP address to access external services. +If blacklist is configured, client hello packets without SNI is allowed to pass as it should not match any rules. + Export ============== 
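Review bot: replacing the outbound endpoint table in the @@ -503,25 hunk with a support-portal link also deletes the guidance `to restrict the Controller outbound access, you should use Aviatrix Public Subnet Filter to configure Egress Control on the Controller`; that recommendation does not depend on the address list and should stay, with the link serving as the current allow-list. The second added note ends at `https://support.aviatrix.` and is missing its `.com`. The removed `OpenVPN is a registered trademark of OpenVPN Inc.` line is not re-added anywhere in this hunk; if the trademark notice is required it should move rather than vanish.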
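Review bot: in the @@ -531,6 hunk `Aviatrix support Azure Availability Zet for HA gateway` has two errors: `Zet` is a typo for `Set`, and `support` should be `supports`. The second paragraph says Availability Zone support is future work; consider versioning that statement, since FAQ entries like this go stale silently once the feature ships.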
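Review bot: the sentence added in the @@ -103,6 hunk, `If blacklist is configured, client hello packets without SNI is allowed to pass as it should not match any rules.`, describes a real gap and should be framed as one: in blacklist mode a TLS session whose ClientHello carries no SNI is not filtered at all, whereas the whitelist path described just above drops such packets unless the destination IP is listed. State explicitly that blacklist mode therefore cannot block non-SNI traffic and that whitelist mode is the stronger control; also `packets ... is allowed` should be `are allowed`.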
@@ -132,7 +134,12 @@ Edit Source Edit Source is available in Release 4.0 and later. Edit Source allows you to control which source IP in the VPC is qualified for a specific tag. The source IP -can be a subnet CIDR or host IP addresses. This provides fine-grained configuration. +can be a subnet CIDR or host IP addresses. This provides fine-grained configuration. + +.. important:: + If Edit Source is not configured, i.e., no source IP address ranges are selected, all packets arriving at the FQDN gateway + are applied to the filter tag. However if there are one or more source IP address ranges selected, any packets with + source IP addresses outside those ranges are dropped. In this regard, the distinguished Source is exclusive. For example, one use case is if you have two private subnets in a VPC: one deploys dev instances and another deploys prod instances. With the Edit Source feature, the dev instances can have different tags than 
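Review bot: `In this regard, the distinguished Source is exclusive.` in the new important block is unclear, and the sentence before it already states the rule; replace it with something like `Selecting sources is therefore exclusive: only traffic from the selected ranges reaches the tag's rules, and everything else from the VPC is dropped.` Because this turns a filtering tag into a drop rule for unselected sources, it deserves to be stated before the dev/prod example rather than after it.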
@@ -141,28 +148,68 @@ the prod instances. Edit Source assumes you already attached a gateway to a tag. To go to the Edit Source page, click "Edit Source" at Egress FQDN Filter on a specific tag and follow -the example in the illustration below: +the example in the illustration below, the network appeared on the right hand of the panel go through the FQDN tag filtering while +the network on the left side of the panel are dropped. |source-edit| Enable Private Network Filtering ================================= -By checking this option, FQDN names that translate to private IP address range (RFC 1918) are subject to FQDN whitelist filtering function. The use case is if your destination hostname is indeed a private service and you wish to apply FQDN filtering, you can enable this option. +This is a global configuration that applies to all FQDN gateways. + +By checking this option, destination FQDN names that translate to private IP address range (RFC 1918) are subject to FQDN whitelist filtering function. The use case is if your destination hostname is indeed a private service and you wish to apply FQDN filtering, you can enable this option. + +To configure, go to Security -> Egress Control -> GLOBAL CONFIGS -> Enable Private Network Filtering. FQDN names that are resolved +to RFC 1918 range will be subject to FQDN filter function. Disable Private Network Filtering =================================== -By checking this option, packets with destination IP address of RFC 1918 range are also inspected. +This is a global configuration that applies to all FQDN gateways. + +By checking this option, packets with destination IP address of RFC 1918 range are not inspected. This is the default behavior. + +To configure, go to Security -> Egress Control -> GLOBAL CONFIGS -> Disable Private Network Filtering. FQDN names that are resolved +to RFC 1918 range will be subject to FQDN filter function. 
Customize Network Filtering ============================== +This is a global configuration that applies to all FQDN gateways. + When this option is selected, you can customize packet destination address ranges not to be filtered by FQDN. +To configure, go to Security -> Egress Control -> GLOBAL CONFIGS -> Customize Network Filtering. Select pre-defined RFC 1918 +range, or enter your own network range. + +This feature is not enabled as default. + +FQDN Name Caching +===================== + +This is a global configuration that applies to all FQDN gateways. + +If FQDN Name caching is enabled, the resolved IP address from FQDN filter is cached so that if subsequent TCP session matches the +cached IP address list, FQND domain name is not checked and the session is allowed to pass. + +We recommend you to disable Caching to prevent unwanted domain names to bypass filter as they resolve to the same IP address. For example, youtube.com shares the same destination IP address range as google.com. There is minimal performance impact by disabling the cache. + +To configure, go to Security -> Egress Control -> GLOBAL CONFIGS -> Caching -> click Enabled to disable it. + +This feature is enabled as default. + +Exact Match +============== + +This is a global configuration that applies to all FQDN gateways. + +If a FQDN rule does not have * an exact match is expected. If this global option is not enabled, FQDN rules use regex to match any FQDN names that are subset of the name. For example, if salesforce.com is a rule and Exact Match option is enabled, finance.salesforce.com is not a match and will be dropped. + +This feature is not enabled as default. -For support, send an email to support@aviatrix.com +For support, please open a support ticket at `Aviatrix Support Portal `_ Enjoy! 
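Review bot: The last paragraph under "Disable Private Network Filtering" contradicts itself: the new text says RFC 1918 destinations "are not inspected. This is the default behavior." and then ends with "FQDN names that are resolved to RFC 1918 range will be subject to FQDN filter function.", which is the sentence copied from the Enable section; drop or invert it so the section describes one behaviour. Smaller points in the same hunk: the new Edit Source sentence should end the previous sentence with a full stop and read "the network shown on the right-hand side of the panel goes through the FQDN tag filtering, while the network on the left side is dropped"; "FQND" in the caching paragraph; "subset of the name" under Exact Match should be "subdomain of the name"; and "click Enabled to disable it" reads as a contradiction and should say the toggle is on by default and clicking it turns caching off.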
diff --git a/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-add-domain-names.png b/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-add-domain-names.png index 24e60772e..053a6197e 100644 Binary files a/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-add-domain-names.png and b/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-add-domain-names.png differ diff --git a/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-enable-edit.png b/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-enable-edit.png index 8c4683342..3c1be9938 100644 Binary files a/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-enable-edit.png and b/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-enable-edit.png differ diff --git a/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-new-tag.png b/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-new-tag.png index b4cae3b44..af8a82269 100644 Binary files a/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-new-tag.png and b/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-new-tag.png differ diff --git a/HowTos/FQDN_Whitelists_Ref_Design_media/source-edit.png b/HowTos/FQDN_Whitelists_Ref_Design_media/source-edit.png index 2ae111ba6..866c2b662 100644 Binary files a/HowTos/FQDN_Whitelists_Ref_Design_media/source-edit.png and b/HowTos/FQDN_Whitelists_Ref_Design_media/source-edit.png differ diff --git a/HowTos/GCloud_media/iam_credential.png b/HowTos/GCloud_media/iam_credential.png new file mode 100644 index 000000000..72aac0590 Binary files /dev/null and b/HowTos/GCloud_media/iam_credential.png differ diff --git a/HowTos/GCloud_media/restricted_access.png b/HowTos/GCloud_media/restricted_access.png new file mode 100644 index 000000000..61b621f65 Binary files /dev/null and b/HowTos/GCloud_media/restricted_access.png differ diff --git a/HowTos/GCloud_media/service_account.png b/HowTos/GCloud_media/service_account.png new file mode 100644 index 000000000..e3c6e0a46 Binary files /dev/null and b/HowTos/GCloud_media/service_account.png differ 
diff --git a/HowTos/GeoVPN.rst b/HowTos/GeoVPN.rst index ab4409629..37f5237ac 100755 --- a/HowTos/GeoVPN.rst +++ b/HowTos/GeoVPN.rst @@ -129,9 +129,38 @@ Once you have Geo VPN enabled, you can add users. Follow these steps to add use #. Click **OK** |imageAddVPNUser| + +Manage Geo VPN configuration +++++++++++++++++++++++++++++ +Once you have Geo VPN feature enabled, you can centrally manage all the VPN gateways' configuration under the Geo VPN service. Follow these steps to configure them: +#. Click the **OpenVPN** navigation menu item +#. Click **Edit Config** +#. In the `VPC ID/VNet Name` drop down, select the Geo VPN service name created in the previous steps +#. Update the VPN configuration regarding to your requirement + +Advanced Settings - manage VPN configuration for individual DHCP setup +====================================================================== + +GeoVPN can use DHCP Setting for DNS name resolution from the cloud private network where the VPN gateway is deployed. This reduces latency as DNS service is likely to be closer to the source of the VPN user location. Follow these steps to configure DHCP configuration for individual VPN gateway: + +#. Click the **OpenVPN** navigation menu item +#. Click **Edit Config** +#. In the `VPC ID/VNet Name` drop down, select the specific VPC ID/VNet Name and LB/Gateway Name instead of Geo VPN service name +#. Update the supported VPN configuration as below regarding to your requirement in each VPN gateway + + - Additional CIDRs + + - Nameservers + + - Search Domains + + .. note:: + + The attributes “Additional CIDRs, Nameservers, and Search Domains” are able to be edited for individual LB//Gateway Name only if the split tunnel mode is selected under the Geo VPN service. +#. Check this `document `_ for more info. OpenVPN is a registered trademark of OpenVPN Inc. diff --git a/HowTos/HowTo_IAM_role.rst b/HowTos/HowTo_IAM_role.rst index 96c962af5..55dd15b28 100644 --- a/HowTos/HowTo_IAM_role.rst 
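Review bot: Under the new "Manage Geo VPN configuration" heading, the enumerated list starts directly after "Follow these steps to configure them:" with no blank line, so reStructuredText will fold "#. Click the **OpenVPN** navigation menu item" into the paragraph instead of rendering a list; insert a blank line as the "Advanced Settings" section below it already does. Also "regarding to your requirement" should be "according to your requirements" in both sections, "LB//Gateway Name" in the note has a doubled slash, and the final item "Check this document for more info." is a cross-reference rather than a configuration step and reads better as a sentence after the list.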
+++ b/HowTos/HowTo_IAM_role.rst @@ -149,6 +149,22 @@ this secondary account. e. Click Update Trust Policy +Notes for custom IAM role name feature: +======================================= + +If the primary access account is using a custom EC2 IAM role name for the controller, then any secondary IAM based access accounts must use an identical name for the EC2 IAM role. + +The primary and secondary access accounts must use identical names under the following conditions: + +- You are using custom IAM roles for the primary access account. + +- You are NOT using custom gateway IAM roles on the secondary account. + +Example: + +The controller is using 'custom-role-app' and 'custom-role-ec2' on a secondary access account. Custom role 'custom-role-ec2' also exists on the primary account because that is where the controller is hosted. + +When you launch a gateway under the secondary access account the controller takes the primary access account ec2 role name, in this case 'custom-role-ec2' and passes it to the API call to create the instance. The API call refers to a role on the secondary CSP account, not the role of the primary account. .. |image0| image:: IAM_media/image1.png :width: 6.50000in diff --git a/HowTos/HowTo_Setup_IPMotion.rst b/HowTos/HowTo_Setup_IPMotion.rst deleted file mode 100644 index 3b62262a7..000000000 --- a/HowTos/HowTo_Setup_IPMotion.rst +++ /dev/null 
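Review bot: The two bullets under "The primary and secondary access accounts must use identical names under the following conditions" do not line up with the opening sentence or with the example: the opening sentence says any secondary IAM-based account must reuse the primary's EC2 role name, the second bullet restricts that to the case where the secondary account is NOT using custom gateway IAM roles, yet the example describes a secondary account that is using 'custom-role-app' and 'custom-role-ec2'. Spell out which case is meant, and state what happens when no role of that name exists in the secondary account, since the last paragraph says the create-instance API call resolves the primary's role name in the secondary CSP account. Minor: drop the trailing colon from the heading "Notes for custom IAM role name feature:".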
@@ -1,330 +0,0 @@ -.. meta:: - :description: IPMotion - :keywords: IPMotion, AWS Server Migration Service, AWS Migration Hub - - -=================================================================== -Migrating VMs with Aviatrix IPMotion and AWS Migration Hub Service -=================================================================== - - - -1. Solution Overview -====================== - -This document describes how to migrate an on-prem VM to AWS while preserving its IP address. The migration tools we use are -AWS Migration Hub service (AWS Server Migration Service) and Aviatrix IPmotion, where Aviatrix IPmotion feature enables IP address preservation after a VM is migrated to AWS via AWS Server Migration Service. - -By preserving the IP address of an on-prem VM after migrating -to AWS, dependencies of this VM to other on-prems are automatically preserved, thus there is no need to discover the dependencies for migration purpose. There is no need to update on-prem security rules, AD, DNS and Load Balancers. - - - -2. Configuration Workflow -========================== - -The instructions in this section will use the following network diagram. -The CIDR and subnets may vary depending on your network setup; however, the -general principle will be the same. - -|image0| - - -2.1 Prerequisites -------------------------------- - -Before setting up Aviatrix IPMotion for migration, make sure -the following prerequisites are completed. - -1. Plan the Cloud Address and create an AWS VPC - -2. Setup AWS Server Migration Service (SMS) to create migrated AMIs - -3. Deploy an Aviatrix Virtual Appliance CloudN in On-Premise - - -These prerequisites are explained in detail below. - -2.1.1 Plan the Cloud Address and create an AWS VPC ---------------------------------------------------- - - -First identify the on-prem subnet from which you plan to migrate VMs. In this example, the subnet is 10.140.0.0/16 with two On-Prem VMs (10.140.0.45 and 10.140.0.46.) 
- -(In this illustration, the cloud subnet is a public subnet. There are other `design patterns `_ you can follow.) - -Then create an AWS VPC with a public subnet that has an identical CIDR as the on-prem subnet where migration is to take place. For example, create a VPC CIDR 10.140.0.0/16 with a public subnet 10.140.0.0/16 in region Oregon. Note that it is not necessary for the migrated VMs to have public IP addresses. - -=============================== ================================================================================ -**AWS Example Setting** **Value** -=============================== ================================================================================ -Cloud Type AWS -Region Oregon -VPC CIDR 10.140.0.0/16 -Public Subnet 10.140.0.0/16 -=============================== ================================================================================ - -2.1.2 Setup AWS Server Migration Service (SMS) to create a migrated AMI ------------------------------------------------------------------------- - -Please refer to "AWS Server Migration Service – Server Migration to the Cloud Made Easy!" for detail. - -`AWS Server Migration Service – Server Migration to the Cloud Made Easy! -`_ - -- Deploy the Server Migration Connector virtual appliance on On-Premise. - -=============================== ================================================================================ -**vCenter Setting** **Example** -=============================== ================================================================================ -Setup networks 10.140.0.0/16 -=============================== ================================================================================ - -- Configure the connector on On-Premise. 
- -=============================== ================================================================================ -**Connector Setting** **Example** -=============================== ================================================================================ -AWS Region US West (Oregon) -=============================== ================================================================================ - -- Import the server catalog on AWS SMS console - -=============================== ================================================================================ -**AWS SMS Setting** **Example** -=============================== ================================================================================ -Replication job ID VM which will be migrated to cloud (e.g. VM with ip 10.140.0.45) -=============================== ================================================================================ - -After completing the previous steps, a user is able to view and launch the migrated AMI in below console: - -i.) AWS -> Migration -> Server Migration Service - -|image1| - -ii.) AWS -> Compute -> EC2 -> Launch Instance - -|image2| - -Please confirm that the migrated AMI is ready on AWS console. -This document will describe how to integrate the migrated AMI with IPMotion feature in 3.2.2 Step b. - -2.1.3 Deploy an Aviatrix Virtual Appliance CloudN in On-Premise subnet ------------------------------------------------------------------------ - -The Aviatrix Virtual Appliance CloudN must be deployed and setup in the on-prem subnet where you plan to migrate VMs prior to configuring IPMotion. For example, the subnet is 10.140.0.0/16. Please refer to "Virtual Appliance CloudN" on how to deploy the Virtual Appliance CloudN. - -`Virtual Appliance CloudN -`_ - -Check and make sure you can access the Aviatrix Virtual Appliance CloudN dashboard and -login with an administrator account. 
The default URL for the Aviatrix -Virtual Appliance CloudN is: - -https:// - - -2.2 Configuration Steps ------------------------ - -Make sure the pre-configuration steps in the previous section are completed before proceeding. - - -2.2.1 Step a – Deploy Aviatrix IPMotion gateway ------------------------------------------------ - -The first step is to deploy an Aviatrix IPMotion gateway in AWS VPC. -Please refer to the "IPmotion Setup Instructions" for detail. - -`IPmotion Setup Instructions -`_ - -**Instructions:** - -a.1. Login to the Aviatrix Virtual Appliance CloudN - -a.2. Click on "IP Motion" in the left navigation bar - -a.3. For section 1> Specify the on-prem IP Address List, enter both the list of IP addresses of VMs that will be migrated and the list of IP addresses of VMs that will remain on-prem. - -=============================== ================================================================================ -**IPMotion Configuration** **Example** -=============================== ================================================================================ -On-prem Subnet IP List 10.140.0.45-10.140.0.46 -=============================== ================================================================================ - -a.4. Click “Specify”. - -a.5. Click "View" to check those specified IPs and its status. - -=============================== ================================================================================ -**Status Value** **Notes** -=============================== ================================================================================ -ON-PREM IP of VM in On-Prem -IN-CLOUD-STAGING IP of VM in staging Mode -IN-CLOUD IP of VM migrated to Cloud -=============================== ================================================================================ - -a.6. 
For section 2> Reserve IPmotion Gateway IP Address List, specify 10 IP addresses that are not being used by any running VMs and reserve these addresses for the Aviatrix IPmotion gateway. - -================================ ================================================================================ -**IPMotion Configuration** **Example** -================================ ================================================================================ -IPmotion Gateway Reserve IP List 10.140.0.200-10.140.0.210 -================================ ================================================================================ - -a.7. Click "View" to check those reserved IPs. - -a.8. For section 3> Launch an IPmotion Gateway in the AWS VPC, it launches an Aviatrix IPmotion gateway and builds an encrypted IPSEC tunnel between the subnet of On-Prem and AWS VPC. - -=============================== =================================================== -**Setting** **Value** -=============================== =================================================== -Cloud Type Choose AWS -Account Name Choose the account name -Region Choose the region of VPC (e.g. us-west-2) -VPC ID Choose the VPC ID of VPC -Gateway Name This name is arbitrary (e.g. IPMotion-GW) -Gateway Size t2.small is fine for testing. -Gateway Subnet Select the public subnet (e.g. 10.140.0.0/16) -=============================== =================================================== - -a.9. Click “Launch”. It will take a few minutes for the gateway to deploy. Do not proceed until the gateway is deployed. - -a.10. Done - -.. Note:: Next 2.2.2 Step b – Integrate Aviatrix IPMotion with AWS AMI will explain how to utilize section 4> Let's Move! 
to coordinate IP migration with the migrated AMI created by AWS SMS - -2.2.2 Step b – Integrate Aviatrix IPMotion with AWS AMI -------------------------------------------------------- - -This step explains how to integrate Aviatrix IPMotion with the AMI that a user migrated from On-Premise VM to AWS via AWS SMS earlier. - -b.1. Click on IP Motion in the left navigation bar of GUI of Aviatrix Virtual Appliance CloudN - -b.2. Navigate to section 4> Let's Move! - -b.3. Select the IP of VM which will be migrated to the cloud. (e.g. 10.140.0.45) - -b.4. Click "Staging". This is the preparation step for a user to shutdown the On-Prem VM with the selected IP and power up its corresponding cloud VM with the same IP. - -b.4.1. Shutdown the On-Prem VM via vCenter. (e.g. 10.140.0.45) - -b.4.2. Power up the AWS EC2 instance with that selected IP. (e.g. 10.140.0.45) - -b.4.2.1. Navigate to AWS -> Compute -> EC2 console - -b.4.2.2. Click "Launch Instance" - -b.4.2.3. Step 1: Choose an Amazon Machine Image (AMI) -> Click on the sidebar option "My AMIs" -> Click "Select" of the AMI which is created by AWS SMS - -b.4.2.4. Step 2: Choose an Instance Type - -b.4.2.5. Step 3: Configure Instance Details: - -b.4.2.5.1. 
In the first section, here is an example for the testing topology - -================================== =================================================== -**AWS Example Setting** **Value** -================================== =================================================== -Number of instances 1 -Purchasing Optional Uncheck this box is fine for testing -Network Choose the VPC ID of the planned VPC -Subnet Choose the Subnet ID of the planned Subnet -Auto-assign Public IP Enable is fine for testing -IAM role None is fine for testing -Shutdown behavior Stop is fine for testing -Enable termination protection Uncheck this box is fine for testing -Monitoring Uncheck this box is fine for testing -Tenancy Shared - Run a shared hardware instance is fine -================================== =================================================== - -b.4.2.5.2. (Important) In second section - Network interfaces, enter the selected IP (e.g. 10.140.0.45) - -|image3| - -b.4.2.6. Step 4: Add Storage: default settings is fine for testing. - -b.4.2.6. Step 5: Add Tags: default settings is fine for testing. - -b.4.2.7. Step 6: Configure Security Group -> Click "Create a new security group". For this testing topology, add a rule with a Type of "All traffic" and Source of "Custom - 10.140.0.0/16" to allow all traffic between On-Prem VM and Cloud VM. The User can further customize the firewall rules. - -|image4| - -b.4.2.8. Step 7: Review Instance Launch -> Click "Launch." It will take a few minutes for the EC2 instance to deploy. Do not proceed until the EC2 instance is deployed. - -b.5. (Optional) Click "View" in section 1> Specify the on-prem IP Address List to check status. That IP status will change from status "ON-PREM" to "IN-CLOUD-STAGING". - -b.6. Navigate back to the section 4> Let's Move! of IP Motion of GUI of Aviatrix Virtual Appliance CloudN - -b.7. Select IP "10.140.0.45" -> Click "Commit" - -b.8. 
(Optional) Click "View" of section 1> Specify the on-prem IP Address List to check status. That IP status will change from status "IN-CLOUD-STAGING" to "IN-CLOUD". - -b.9. Done - -2.2.3 Step c – Test Connectivity --------------------------------------------- - -This step explains how to test the connectivity between the On-Prem VM to the migrated VM in the cloud. - -**Instructions:** - -c.1. Browse the GUI of Aviatrix Virtual Appliance CloudN - -c.1.1. Click Troubleshoot in the sidebar -> Diagnostics -> Network -> Ping Utility. - -c.1.2. Enter the committed IP address -> click Ping. - -c.2. Test bi-directional end-to-end connectivity - -c.2.1. Login to the On-Prem VM (e.g. 10.140.0.46) - -c.2.2. Check ICMP protocol via command "ping 10.140.45" - -c.2.3. Login to the migrated EC2 (e.g. 10.140.0.45) - -c.2.4. Check ICMP protocol via command "ping 10.140.46" - -.. Note:: Make sure the security group of the migrated EC2 has ICMP allowed. Also make sure the migrated EC2 instance responds to Ping request. - - - -Troubleshooting -=============== - -1. Click button "View" of section 1> Specify the on-prem IP Address List of IPMotion of GUI of Aviatrix Virtual Appliance CloudN to check what state an IP address is at. - -2. Click button "Reset" if all things fail and you like to start over - -2.1. First of all, delete the IPmotion gateway by navigating to the sidebar and clicking "Gateway List" - -2.2. Select the gateway -> click Delete. It will take a few minutes to delete. Do not proceed until the gateway is deleted. - -2.3. After deletion is completed, go back to section 1> Specify the on-prem IP Address List of IPMotion and click button "Reset". - -2.4. You can then start it over by going through Step a – Deploy Aviatrix IPMotion gateway and Step b – Integrate Aviatrix IPMotion with AWS AMI again. - -3. Get Support email support@aviatrix.com for assistance. - -.. 
|image0| image:: ipmotion_media/image0_IPMotion_Configuration.PNG - :width: 5.03147in - :height: 2.57917in - -.. |image1| image:: ipmotion_media/image1_SMS_Console_AMI.PNG - :width: 5.03147in - :height: 2.57917in - -.. |image2| image:: ipmotion_media/image2_Launch_Instance_Console_AMI.PNG - :width: 5.03147in - :height: 2.57917in - -.. |image3| image:: ipmotion_media/image3_Network_interfaces.PNG - :width: 5.03147in - :height: 2.57917in - -.. |image4| image:: ipmotion_media/image4_SG.PNG - :width: 5.03147in - :height: 2.57917in - -.. disqus:: diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/profile_editor_add_old.png b/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/profile_editor_add_old.png deleted file mode 100644 index c6ce21784..000000000 Binary files a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/profile_editor_add_old.png and /dev/null differ diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/profile_editor_old.png b/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/profile_editor_old.png deleted file mode 100644 index a61f4b299..000000000 Binary files a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/profile_editor_old.png and /dev/null differ diff --git a/HowTos/Ingress_Protection_Transit_FireNet_Fortigate.rst b/HowTos/Ingress_Protection_Transit_FireNet_Fortigate.rst new file mode 100644 index 000000000..76977eac2 --- /dev/null +++ b/HowTos/Ingress_Protection_Transit_FireNet_Fortigate.rst 
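Review bot: Deleting HowTo_Setup_IPMotion.rst removes the only IPMotion migration walkthrough, and nothing in the visible hunks removes a toctree entry for it or adds a replacement or redirect; any index or page that still references this document will produce a Sphinx "document not found" warning and a dead link. Either keep a short stub that points readers at where the content now lives, or confirm in the commit message that no remaining references exist.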
@@ -0,0 +1,521 @@ +.. meta:: + :description: Ingress Protection via Aviatrix Transit FireNet with Fortigate + :keywords: AVX Transit Architecture, Aviatrix Transit network, Transit DMZ, Ingress, Firewall, Fortigate + +============================================================== +Ingress Protection via Aviatrix Transit FireNet with Fortigate +============================================================== + +This document illustrates a widely deployed architecture for Ingress traffic inspection/protection firewall that leverages AWS Load Balancers, +`Transit FireNet for AWS `_ and +`Fortigate VM in AWS `_. + +Ingress traffic from Internet forwards to firewall instances first in Aviatrix Transit FireNet VPC and then reaches to application servers as shown +in the diagram below. In this design pattern, each firewall instance must perform + + #. Source NAT (SNAT) on its LAN interface that connects to the Aviatrix FireNet gateway + + #. Destination NAT (DNAT) to the IP of application server or application load balancer + +|transit_firenet_ingress| + +.. note:: + + This design pattern also supports multiple of firewalls (scale out fashion) for each Aviatrix Transit FireNet gateway. + +This document describes a step-by-step Ingress Protection via Aviatrix Transit FireNet with Fortigate deployment workflow for R6.1 and later. +In this note you learn how to: + + #. Workflow on Transit FireNet for AWS + + #. Workflow on AWS Application Load Balancer + + #. Workflow on Firewall instances - Fortigate + +For more information about Transit FireNet, please check out the below documents: + + `Transit FireNet FAQ `_ + + `Firewall Network Design Patterns `_ + +Prerequisite +==================== + +First of all, `upgrade `_ Aviatrix Controller to at least version 6.1 + +In this example, we are going to deploy the below VPCs in AWS + + - Aviatrix Transit FireNet VPC (i.e. 10.70.0.0/16) + + - Aviatrix Spoke VPC for Application (i.e. 
10.3.0.0/16) + +Workflow on Transit FireNet for AWS +===================================== + +Refer to `Transit FireNet Workflow for AWS doc `_ for the below steps. Please adjust the topology depending on your requirements. + +Step 1.1. Deploy VPCs for Transit FireNet and Spoke for Applicaton +----------------------------------------------------------------- + + - Create an Aviatrix Transit VPC by utilizing Aviatrix feature `Create a VPC `_ with Aviatrix FireNet VPC option enabled + + - Create an Aviatrix Spoke VPC for Application by utilizing Aviatrtix feature `Create a VPC `_ as the previous step or manually deploying it in AWS portal. Moreover, feel free to use your existing VPC. + +Step 1.2. Deploy Aviatrix Multi-Cloud Transit Gateway and HA +---------------------------------------------------------- + + - Follow this step `Deploy the Transit Aviatrix Gateway `_ to launch Aviatrix Transit gateway and enable HA in Transit FireNet VPC + + - Connected Transit mode is not necessary for this Ingress inspection solution. + +Step 1.3. Deploy Spoke Gateway and HA +----------------------------------- + + - Follow this step `Deploy Spoke Gateways `_ to launch Aviatrix Spoke gateway and enable HA in Spoke VPC for Application + +Step 1.4. Attach Spoke Gateways to Transit Network +------------------------------------------------ + + - Follow this step `Attach Spoke Gateways to Transit Network `_ to attach Spoke Gateways to Transit Gateways + +Step 1.5. Configure Transit Firewall Network +------------------------------------------------ + + - `Configure Transit Firewall Network `_ + + - Adding spoke to the Inspected box for traffic inspection in 2> Manage FireNet Policy is not necessary for this Ingress solution as inbound traffic hit firewall instances first. + +Step 1.6. 
Launch and Associate Firewall Instance +------------------------------------------------ + + - `Subscribe Firewall Vendor in AWS Marketplace `_ for Fortigate Next Generation Firewall + + - Launch Fortigate Firewall instance for each Aviatrix Transit FireNet gateway by following this `step `_ + + +--------------------------+-------------------------------------------------------------+ + | **Example setting** | **Example value** | + +--------------------------+-------------------------------------------------------------+ + | Firewall Image | Fortinet FortiGate Next-Generation Firewall | + +--------------------------+-------------------------------------------------------------+ + | Firewall Image Version | 6.4.2 | + +--------------------------+-------------------------------------------------------------+ + | Firewall Instance Size | c5.xlarge | + +--------------------------+-------------------------------------------------------------+ + | Egress Interface Subnet | Select the subnet whose name contains "FW-ingress-egress". | + +--------------------------+-------------------------------------------------------------+ + | Key Pair Name (Optional) | The .pem file name for SSH access to the firewall instance. | + +--------------------------+-------------------------------------------------------------+ + | Attach | Check | + +--------------------------+-------------------------------------------------------------+ + + - Wait for a couple of minutes for the Fortigate Firewall instances to turn into Running Instance state + + - Will walk through how to set up basic configuration for FortiGate (Fortinet) in the later section 'Workflow on Firewall instances - Fortigate'. Please move on to the next section 'Workflow on AWS Application Load Balancer' first + +Workflow on AWS Application Load Balancer +========================================= + +This workflow example describes how to + + #. 
place an internet-facing AWS Load Balancer to load balance traffic to firewall instances in Transit FireNet + + #. place an internal AWS Load Balancer to load balance traffic to private application server in Application Spoke + + #. set up the related network components and private application web server with HTTP and port 8080 + +Please adjust the settings depending on your requirements. + +Step 2.1. Create an AWS Application Load Balancer with scheme Internet-facing +----------------------------------------------------------------------------- + +In Transit FireNet VPC, create an internet-facing AWS Application Load Balancer by following the steps below: + + - Select Application Load Balancer HTTP/HTTPS + + |Ingress_ALB| + + - Select items as follows in Step 1: Configure Load Balancer + + +---------------------+------------------------+-------------------------------------------------------------------+ + | **Section** | **Field** | **Value** | + +---------------------+------------------------+-------------------------------------------------------------------+ + | Basic Configuration | Scheme | internet-facing | + +---------------------+------------------------+-------------------------------------------------------------------+ + | | IP address type | ipv4 | + +---------------------+------------------------+-------------------------------------------------------------------+ + | Listeners | Load Balancer Protocol | HTTP | + +---------------------+------------------------+-------------------------------------------------------------------+ + | | Load Balancer Port | 8080 | + +---------------------+------------------------+-------------------------------------------------------------------+ + | Availability Zones | VPC | Aviatrix Transit FireNet VPC | + +---------------------+------------------------+-------------------------------------------------------------------+ + | | Availability Zones | select the subnet with *-Public-FW-ingress-egress-AZ-* in each AZ | + 
+---------------------+------------------------+-------------------------------------------------------------------+ + + |Ingress_Internet_ALB_Step_1_Configure_Load_Balancer| + + - Create a security group with Protocol TCP and Port 8080 in Step 3: Configure Security Groups + + |Ingress_Internet_ALB_Step_3_Configure_Security_Groups| + + - Select items as follows in Step 4: Configure Routing + + +--------------------------------+---------------+-------------------+ + | **Section** | **Field** | **Value** | + +--------------------------------+---------------+-------------------+ + | Target group | Target group | New target group | + +--------------------------------+---------------+-------------------+ + | | Target type | Instance | + +--------------------------------+---------------+-------------------+ + | | Protocol | HTTP | + +--------------------------------+---------------+-------------------+ + | | Port | 8080 | + +--------------------------------+---------------+-------------------+ + | Health checks | Protocol | HTTPS | + +--------------------------------+---------------+-------------------+ + | | Path | / | + +--------------------------------+---------------+-------------------+ + | Advanced health check settings | Port | override with 443 | + +--------------------------------+---------------+-------------------+ + | | Success codes | 302 | + +--------------------------------+---------------+-------------------+ + + |Ingress_Internet_ALB_Step_4_Configure_Routing| + + - Select firewall instances and click the button "Add to registered" in Step 5: Register Targets + + |Ingress_Internet_ALB_Step_5_Register_Targets_1| + + - Confirm the selected firewall instances are placed under the section "Registered targets" + + |Ingress_Internet_ALB_Step_5_Register_Targets_2| + + - Review the configuration in Step 6: Review + + |Ingress_Internet_ALB_Step_6_Review| + + - Wait for a couple of minutes and check firewall instances' healthy Status behind AWS Application Load 
Balancer + + |Internet_ALB_WEB_HTTP_8080_tg_healthcheck| + + .. note:: + + Targets healthy status behind AWS load balancer can be found on the page "EC2 -> Target groups -> selecting the target group -> Targets" in AWS portal. + +Step 2.2. Launch an Apache2 Web server in Application Spoke +----------------------------------------------------------- + +In Application Spoke, create an Ubuntu Server 18.04 LTS virtual machine and install Apache2 HTTP Server with custom port 8080 as a web application server. + ++---------------------+-------------------+ +| **Example setting** | **Example value** | ++---------------------+-------------------+ +| Protocol | HTTP | ++---------------------+-------------------+ +| Port | 8080 | ++---------------------+-------------------+ + +.. Note:: + + Refer to `Install The Latest Apache2 HTTP Server ( 2.4.34 ) On Ubuntu 16.04 | 17.10 | 18.04 LTS Servers `_ to install Apache2 HTTP Server + + Refer to `How To Change Apache Default Port To A Custom Port `_ to use custom port 8080 + +Step 2.3. 
Create an AWS Application Load Balancer with scheme Internal +---------------------------------------------------------------------- + +In Application Spoke VPC, create an internal AWS Application Load Balancer by refering to the steps below: + + - Select Application Load Balancer HTTP/HTTPS + + |Ingress_ALB| + + - Select items as follows in Step 1: Configure Load Balancer + + +---------------------+------------------------+-------------------------------------------------------------------+ + | **Section** | **Field** | **Value** | + +---------------------+------------------------+-------------------------------------------------------------------+ + | Basic Configuration | Scheme | internal | + +---------------------+------------------------+-------------------------------------------------------------------+ + | | IP address type | ipv4 | + +---------------------+------------------------+-------------------------------------------------------------------+ + | Listeners | Load Balancer Protocol | HTTP | + +---------------------+------------------------+-------------------------------------------------------------------+ + | | Load Balancer Port | 8080 | + +---------------------+------------------------+-------------------------------------------------------------------+ + | Availability Zones | VPC | Aviatrix Spoke VPC for application | + +---------------------+------------------------+-------------------------------------------------------------------+ + | | Availability Zones | select the subnet where private application servers locate | + +---------------------+------------------------+-------------------------------------------------------------------+ + + |Ingress_Internal_ALB_Step_1_Configure_Load_Balancer| + + - Create a security group with Protocol TCP and Port 8080 in Step 3: Configure Security Groups + + - Select items as follows in Step 4: Configure Routing + + +--------------------------------+---------------+-------------------+ + | **Section** | 
**Field** | **Value** | + +--------------------------------+---------------+-------------------+ + | Target group | Target group | New target group | + +--------------------------------+---------------+-------------------+ + | | Target type | Instance | + +--------------------------------+---------------+-------------------+ + | | Protocol | HTTP | + +--------------------------------+---------------+-------------------+ + | | Port | 8080 | + +--------------------------------+---------------+-------------------+ + | Health checks | Protocol | HTTP | + +--------------------------------+---------------+-------------------+ + | | Path | / | + +--------------------------------+---------------+-------------------+ + | Advanced health check settings | Port | traffic port | + +--------------------------------+---------------+-------------------+ + | | Success codes | 200 | + +--------------------------------+---------------+-------------------+ + + - Select private application server and click the button "Add to registered" in Step 5: Register Targets + + - Review the configuration in Step 6: Review + + |Ingress_Internal_ALB_Step_6_Review| + +Workflow on Firewall instances - Fortigate +========================================== + +This is just a simple example to set up Firwall for Ingress traffic. Please adjust the security settings depending on your requirements. + +Step 3.1. Set up basic configuration for FortiGate (Fortinet) +------------------------------------------------------------- + + - Refer to `Fortigate Example `_ to launch Fortigate in AWS and for more details. + + - `Reset Fortigate Next Generation Firewall Password `_ + + - `Configure Fortigate Next Generation Firewall port1 with WAN `_ + + - `Configure Fortigate Next Generation Firewall port2 with LAN `_ + + - `Create static routes for routing traffic to Spoke VPC `_ + +Step 3.2. 
Configure Destination NAT (DNAT) to the FQDN/IP of Internal Application Load Balancer +----------------------------------------------------------------------------------------------- + + - Login Fortigate GUI + + - Navigate to the page "Policy & Objects -> Virtual IPs" + + - Click the button "+ Create New" + + - Enter fields for Name, Comments, Interface, Type, External IP address, Mapped address, and Port Forwarding as follows: + + +-----------------+-----------------------+-----------------------------------------------+ + | **Section** | **Example setting** | **Example value** | + +-----------------+-----------------------+-----------------------------------------------+ + | Edit Virtual IP | VIP type | IPv4 | + +-----------------+-----------------------+-----------------------------------------------+ + | | Name | DNAT-to-Internal-ALB-WEB-HTTP-8080 | + +-----------------+-----------------------+-----------------------------------------------+ + | | Comments | DNAT-to-Internal-ALB-WEB-HTTP-8080 | + +-----------------+-----------------------+-----------------------------------------------+ + | Network | Interface | WAN (port1) | + +-----------------+-----------------------+-----------------------------------------------+ + | | Type | FQDN | + +-----------------+-----------------------+-----------------------------------------------+ + | | External IP address | Private IP of interface WAN (port1) | + +-----------------+-----------------------+-----------------------------------------------+ + | | Mapped address | Create a new tag 'Internal-ALB-WEB-HTTP-8080' | + +-----------------+-----------------------+-----------------------------------------------+ + | Port Forwarding | Status | enable | + +-----------------+-----------------------+-----------------------------------------------+ + | | Protocol | TCP | + +-----------------+-----------------------+-----------------------------------------------+ + | | External service port | 8080 | + 
+-----------------+-----------------------+-----------------------------------------------+ + | | Map to port | 8080 | + +-----------------+-----------------------+-----------------------------------------------+ + + |Ingress_Fortigate_DNAT| + + - Create a tag for Mapped address by clicking the button "+ Create" + + |Ingress_Fortigate_DNAT_Mapped_address| + + - Enter fields for Name, Type, FQDN, and Interface for Mapped address as follows: + + +---------------------+---------------------------------------------------------------------------------------------+ + | **Example setting** | **Example value** | + +---------------------+---------------------------------------------------------------------------------------------+ + | Name | Internal-ALB-WEB-HTTP-8080 | + +---------------------+---------------------------------------------------------------------------------------------+ + | Type | FQDN | + +---------------------+---------------------------------------------------------------------------------------------+ + | FQDN | DNS name of the internal AWS Application Load Balancer which is created in the previos step | + +---------------------+---------------------------------------------------------------------------------------------+ + | Interface | any | + +---------------------+---------------------------------------------------------------------------------------------+ + + |Ingress_Fortigate_DNAT_Mapped_address_2| + + .. important:: + + FQDN is the DNS name of the 'internal' AWS Application Load Balancer not 'internet-facing' AWS ALB. + + .. note:: + + DNS name of the AWS Application Load Balancer can be found on the page "EC2 -> Load Balancing -> Load Balancers -> selecting the Load balancer -> Description -> DNS name" + + +Step 3.3. 
Apply Destination NAT (DNAT) and configure Source NAT (SNAT) on firewall's LAN interface in Firewall Policy to allow Ingress traffic +---------------------------------------------------------------------------------------------------------------------------------------------- + + - Navigate to the page "Policy & Objects -> Firewall Policy" + + - Click the button "+ Create New" + + - Enter fields for Name, Incoming Interface, Outgoing Interface, Source, Destination, Service, Action, NAT, IP Pool Configuration as follows: + + +----------------------------+-----------------------+---------------------------------------------------------------------------------------------------+ + | **Section** | **Example setting** | **Example value** | + +----------------------------+-----------------------+---------------------------------------------------------------------------------------------------+ + | Edit Policy | Name | Ingress-WEB-HTTP-8080 | + +----------------------------+-----------------------+---------------------------------------------------------------------------------------------------+ + | | Incoming Interface | WAN (port1) | + +----------------------------+-----------------------+---------------------------------------------------------------------------------------------------+ + | | Outgoing Interface | LAN (port2) | + +----------------------------+-----------------------+---------------------------------------------------------------------------------------------------+ + | | Source | all | + +----------------------------+-----------------------+---------------------------------------------------------------------------------------------------+ + | | Destination | Select the Virtual IPs 'DNAT-to-Internal-ALB-WEB-HTTP-8080' which is created in the previous step | + +----------------------------+-----------------------+---------------------------------------------------------------------------------------------------+ + | | Service | Create a new service for 
HTTP-8080 | + +----------------------------+-----------------------+---------------------------------------------------------------------------------------------------+ + | | Action | ACCEPT | + +----------------------------+-----------------------+---------------------------------------------------------------------------------------------------+ + | Firewall / Network Options | NAT | Enable | + +----------------------------+-----------------------+---------------------------------------------------------------------------------------------------+ + | | IP Pool Configuration | Use Outgoing Interface Address | + +----------------------------+-----------------------+---------------------------------------------------------------------------------------------------+ + + .. important:: + + To enable DNAT function, need to select 'Virtual IPs' for Destination under Edit Policy. + + To enable SNAT function, need to enable NAT with IP Pool Configuration under Firewall / Network Options. + + |Ingress_Fortigate_Firewall_policy| + + - Create a new service for HTTP-8080 by clicking the button "+ Create" + + +------------------+---------------------+-----------------------+ + | **Section** | **Example setting** | **Example value** | + +------------------+---------------------+-----------------------+ + | New Service | Name | HTTP-8080 | + +------------------+---------------------+-----------------------+ + | | Category | Web Access | + +------------------+---------------------+-----------------------+ + | Protocol Options | Protocol Type | TCP/UDP/SCTP | + +------------------+---------------------+-----------------------+ + | | Address | IP Range with 0.0.0.0 | + +------------------+---------------------+-----------------------+ + | | Destination Port | TCP with port 8080 | + +------------------+---------------------+-----------------------+ + + |Ingress_Fortigate_Firewall_policy_service| + + - Review Firewall Policy + + |Ingress_Fortigate_Firewall_policy_review| + +Step 3.4. 
Repeat the above steps for all your firewall instances +---------------------------------------------------------------- + +Step 3.5. Reference +-------------------- + + - Inbound application traffic with firewall resiliency in `Amazon Web Services (AWS) Reference Architecture `_ + + - INBOUND APPLICATION TRAFFIC WITH FIREWALL RESILIENCY in `wp-aws-transit-gateway-cloud-services.pdf `_ + + - `FortiGate Cookbook `_ + +Ready to go! +============= + +Now firewall instances and private application server are ready to receive Ingress traffic! + +Open your browser and access the DNS of AWS Internet Application Load Balancer with HTTP and port 8080. + + |Ingress_private_WEB_server_access| + +.. |transit_firenet_ingress| image:: ingress_firewall_example_media/Ingress_Aviatrix_Transit_FireNet_topology.png + :scale: 30% + +.. |Ingress_ALB| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_ALB.png + :scale: 30% + +.. |Ingress_Internet_ALB_Step_1_Configure_Load_Balancer| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_1_Configure_Load_Balancer.png + :scale: 30% + +.. |Ingress_Internet_ALB_Step_3_Configure_Security_Groups| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_3_Configure_Security_Groups.png + :scale: 30% + +.. |Ingress_Internet_ALB_Step_4_Configure_Routing| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_4_Configure_Routing.png + :scale: 30% + +.. |Ingress_Internet_ALB_Step_5_Register_Targets_1| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_5_Register_Targets_1.png + :scale: 30% + +.. |Ingress_Internet_ALB_Step_5_Register_Targets_2| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_5_Register_Targets_2.png + :scale: 30% + +.. 
|Ingress_Internet_ALB_Step_6_Review| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_6_Review.png + :scale: 30% + +.. |Internet_ALB_WEB_HTTP_8080_tg_healthcheck| image:: ingress_protection_transit_firenet_fortigate_media/Internet_ALB_WEB_HTTP_8080_tg_healthcheck.png + :scale: 30% + +.. |Ingress_Internal_ALB_Step_1_Configure_Load_Balancer| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Internal_ALB_Step_1_Configure_Load_Balancer.png + :scale: 30% + +.. |Ingress_Internal_ALB_Step_6_Review| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Internal_ALB_Step_6_Review.png + :scale: 30% + +.. |Ingress_Fortigate_DNAT| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_DNAT.png + :scale: 30% + +.. |Ingress_Fortigate_DNAT_Mapped_address| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_DNAT_Mapped_address.png + :scale: 30% + +.. |Ingress_Fortigate_DNAT_Mapped_address_2| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_DNAT_Mapped_address_2.png + :scale: 30% + +.. |Ingress_Fortigate_Firewall_policy| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_Firewall_policy.png + :scale: 30% + +.. |Ingress_Fortigate_Firewall_policy_service| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_Firewall_policy_service.png + :scale: 30% + +.. |Ingress_Fortigate_Firewall_policy_review| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_Firewall_policy_review.png + :scale: 30% + +.. |Ingress_private_WEB_server_access| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_private_WEB_server_access.png + :scale: 30% + +.. 
disqus:: + + + + +Ingress Protection via Aviatrix Transit Firenet for Multiple Applications + + +In case customer has a use case where they want to inspect traffic for multiple applications using the same FW, in that case we need to add more NAT rules on the firewall. + + +Recommended Steps + + +Create an additional subnet in the security VPC (/24) for the LB +Create additional ALB/NLB based on the number of applications +Add a SNAT/DNAT same as above for each application mapping it for the specific LB diff --git a/HowTos/Migration_From_Marketplace.rst b/HowTos/Migration_From_Marketplace.rst index 13863906d..4e1dc45ff 100644 --- a/HowTos/Migration_From_Marketplace.rst +++ b/HowTos/Migration_From_Marketplace.rst @@ -72,9 +72,7 @@ Step 4 - Launch new Aviatrix Controller Launch new Aviatrix Controller. Please refer to the `AWS Startup Guide `__ for steps. - .. tip:: - We highly recommend migrating to Metered AMI as it is more flexible and scalable as your business needs change over time. - + .. note:: To make best use of time, it is encouraged to launch the new Controller before stopping the old Controller in Step 2. @@ -86,6 +84,8 @@ Step 5 - Associate EIP On the AWS console, go to **EC2** > **Network & Security** > **Elastic IPs**, and associate the same EIP from step 3 to the new Aviatrix Controller. +If you have your old `controller behind an ELB `_, please note that you would have to remove the old controller instance from the listening group and add the new controller instance in its place. + Step 6 - Upgrade Controller =========================== diff --git a/HowTos/Quick_Tour.rst b/HowTos/Quick_Tour.rst index 3718647f1..ec3cde63d 100644 --- a/HowTos/Quick_Tour.rst +++ b/HowTos/Quick_Tour.rst 
@@ -77,8 +77,7 @@ design `__. Help """"" -Under the Help menu, check out FAQs and additional implementation guides. Send -an email to support@aviatrix.com to get immediate support. +Under the Help menu, check out FAQs and additional implementation guides. Please open a support ticket at `Aviatrix Support Portal `_ to get immediate support. OpenVPN is a registered trademark of OpenVPN Inc. diff --git a/HowTos/S2C_GW_ASA.rst b/HowTos/S2C_GW_ASA.rst index 5db041779..051a3c5d3 100644 --- a/HowTos/S2C_GW_ASA.rst +++ b/HowTos/S2C_GW_ASA.rst @@ -87,7 +87,7 @@ Network setup is as following: =============================== ================================================================= -For support, send an email to support@aviatrix.com. +For support, please open a support ticket at `Aviatrix Support Portal `_ .. |image0| image:: s2c_gw_asa_media/Doc1.png :width: 5.55625in diff --git a/HowTos/S2C_GW_CP.rst b/HowTos/S2C_GW_CP.rst index b1811af06..2b8f313a2 100644 --- a/HowTos/S2C_GW_CP.rst +++ b/HowTos/S2C_GW_CP.rst @@ -258,7 +258,7 @@ Refer to the `vSEC Gateway for Amazon Web Services Getting Started Guide `_ .. |image0| image:: s2c_gw_cp_media/DownloadSmartConsole.PNG :width: 5.55625in diff --git a/HowTos/S2C_GW_CP_88.rst b/HowTos/S2C_GW_CP_88.rst index cabac5ad6..7e399ea86 100644 --- a/HowTos/S2C_GW_CP_88.rst +++ b/HowTos/S2C_GW_CP_88.rst @@ -4,7 +4,7 @@ ============================================ -Aviatrix Gateway to Check Point(R88.10) +Aviatrix Gateway to Check Point(R80.10) ============================================ This document describes how to build an IPSec tunnel based site2cloud connection between Aviatrix Gateway and Check Point Firewall. To simulate an on-prem Check Point Firewall, we use a Check Point CloudGuard IaaS firewall VM at AWS VPC. diff --git a/HowTos/S2C_GW_IOS.rst b/HowTos/S2C_GW_IOS.rst index e85747a44..57b13d1b1 100644 --- a/HowTos/S2C_GW_IOS.rst +++ b/HowTos/S2C_GW_IOS.rst 
@@ -59,6 +59,7 @@ The network setup is as follows: 2.1 Either ssh into the Cisco router or connect to it directly through its console port. 2.2 Apply the following IOS configuration to your router: + Please note that from version 5.0, we use the gateway's public ip address as the identier, so the "match identity address" should use the public ip instead of the private ip as pointed in the picture below. |image1| @@ -81,7 +82,7 @@ The network setup is as follows: =============================== ================================================================= -For support, send an email to support@aviatrix.com. +For support, please open a support ticket at `Aviatrix Support Portal `_ .. |image0| image:: s2c_gw_ios_media/s2c_sample_config.png :width: 5.55625in diff --git a/HowTos/S2C_GW_PAN.rst b/HowTos/S2C_GW_PAN.rst index 8f7f118d6..001ef59f5 100644 --- a/HowTos/S2C_GW_PAN.rst +++ b/HowTos/S2C_GW_PAN.rst @@ -93,7 +93,7 @@ Configuration Workflow Peer Identification Peer public IP Address (if the controller version is below 5.0, it should be peer private IP) =============================== ========================================= - Note: In Palo Alto Networks offcial documents, it is not necessary to add the Peer Identification. However, to make sure the tunnel working, we recommend to add it. + Note: In Palo Alto Networks official documents, it is not necessary to add the Peer Identification. However, to make sure the tunnel working, we recommend to add it. In the event that IPSec tunnel is up but traffic is not passing between cloud and on-premises, you may want to enable NAT-T in Palo Alto Networks Firewall. |image3| diff --git a/HowTos/SAML_Integration_AWS_SSO_IdP.rst b/HowTos/SAML_Integration_AWS_SSO_IdP.rst index 1eca807f3..7f9a18089 100644 --- a/HowTos/SAML_Integration_AWS_SSO_IdP.rst +++ b/HowTos/SAML_Integration_AWS_SSO_IdP.rst 
@@ -14,11 +14,6 @@ Overview This guide provides an example on how to configure Aviatrix to authenticate against AWS SSO IdP. When SAML client is used, your Aviatrix controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IdP (e.g., AWS SSO) for authentication. -Visit one of the following links based on your use case: - - If integrating AWS SSO IdP with `Controller Login SAML Config `_ - If integrating AWS SSP IdP with `OpenVPN with SAML Authentication `_ - Before configuring SAML integration between Aviatrix and AWS SSO, make sure you have a valid AWS account with administrator access. .. tip:: 
@@ -31,24 +26,27 @@ Configuration Steps Follow these steps to configure Aviatrix to authenticate against your AWS SSO IdP: Step 1. Retrieve `Aviatrix SP Metadata <#awssso-saml-sp-metadata>`__ from the Aviatrix Controller + Step 2. Create an `AWS SSO SAML Application <#awssso-saml-app1>`__ for Aviatrix + Step 3. Retrieve `AWS SSO IdP metadata <#awssso-idp-metadata>`__ -Step 4. Continue Creating `AWS SSO SAML Application <#awssso-saml-app2>`__ for Aviatrix -Step 5. Update `Aviatrix SP Endpoint <#awssso-update-saml-endpoint>`__ in the Aviatrix Controller -Step 6. `Test the Integration <#awssso-test-integration>`__ is Set Up Correctly + +Step 4. Update `Aviatrix SP Endpoint <#awssso-update-saml-endpoint>`__ in the Aviatrix Controller + +Step 5. `Test the Integration <#awssso-test-integration>`__ is Set Up Correctly .. _awssso_saml_sp_metadata: -Retrieve Aviatrix SP Metadata from Aviatrix Controller -###################################################### +Step 1. Retrieve Aviatrix SP Metadata from Aviatrix Controller +############################################################## Before creating the AWS SSO SAML Application, AWS SSO requires the Service Provider (SP) metadata file from the Aviatrix Controller. You can create a temporary SP SAML endpoint to retrieve the SP metadata for now. Later on in the guide, the SP SAML endpoint will be updated. -Follow one of the links below according to your use case: +Visit one of the following links based on your use case and follow step1 (Create temporary Aviatrix SP Endpoint for Aviatrix) from the link's Configuration section: #. If integrating AWS SSO IdP with `Controller Login SAML Config `_ -#. If integrating AWS SSO IdP with `OpenVPN with SAML Authentication `_ +#. If integrating AWS SSO IdP with `OpenVPN with SAML Authentication `_ For AWS SSO, right click the **SP Metadata** button next to the SAML endpoint and save the file. 
@@ -57,16 +55,7 @@ For AWS SSO, right click the **SP Metadata** button next to the SAML endpoint an .. tip:: Save this XML file to your local machine. It will be uploaded to the AWS SSO IdP in the later steps. - -.. _awssso_saml_app1: - -Create an AWS SSO SAML Application (Part 1) -########################################### -.. note:: - - This step is usually done by the AWS SSO Admin. - -Before you start, pick a short name to be used for the SAML application name ``[Endpoint Name]``. In the notes below we will refer to this as **aviatrix_awssso**. But, it can be any string. +This step will ask you to pick a short name to be used for the SAML application name ``[Endpoint Name]``. In the notes below we will refer to this as **aviatrix_awssso**. It can be any string that will identify the SAML application you create in the IdP. We will use the string you select for the SAML application name to generate a URL for AWS SSO to connect with Aviatrix. This URL is defined below as **SP_ACS_URL**. This URL should be constructed as: @@ -76,6 +65,14 @@ We will use the string you select for the SAML application name to generate a UR Replace **<<>>** with the actual host name or IP address of your controller and **<<>>** with the ``[Endpoint Name]`` you chose to refer to the SAML application. +.. _awssso_saml_app1: + +Step 2. Create an AWS SSO SAML Application +########################################### +.. note:: + + This step is usually done by the AWS SSO Admin. + #. Login to your AWS console #. Go to the AWS Single Sign-On service #. Add a new Application (**Applications** > **Add a new application**) 
@@ -88,20 +85,6 @@ We will use the string you select for the SAML application name to generate a UR #. Enter a Display Name -.. _awssso_idp_metadata: - -Retrieve AWS SSO IdP metadata -############################# - -Copy the **AWS SSO IdP metadata file** URL. This URL will be provided to the Aviatrix SP endpoint later on. - - |imageCopyURL| - -.. _awssso_saml_app2: - -Create an AWS SSO SAML Application (Part 2) -########################################### - #. Scroll to **Application metadata** #. **Browse...** to the **SP Metadata** file saved in the `previous step (Step 1) <#awssso-saml-app>`_ #. Leave the **Application start URL** blank @@ -132,10 +115,22 @@ As shown below: #. Click **Save changes** +.. _awssso_idp_metadata: + +Step 3. Retrieve AWS SSO IdP metadata +##################################### + +Copy the **AWS SSO IdP metadata file** URL. This URL will be provided to the Aviatrix SP endpoint later on. + + |imageCopyURL| + +.. _awssso_saml_app2: + + .. _awssso_update_saml_endpoint: -Update Aviatrix SP Endpoint -########################### +Step 4. Update Aviatrix SP Endpoint +################################### .. note:: 
@@ -189,19 +184,22 @@ Continue with updating Aviatrix SAML Endpoint by visiting one of the following l .. _awssso_test_integration: -Test the Integration -#################### +5. Test the Integration +######################## .. tip:: Be sure to assign users to the new application in AWS Single Sign-on service prior to validating. You can use AWS SSO Directory service under AWS SSO page to assign users. If you do not assign your test user to the Aviatrix SAML application, you will receive an error. Continue with testing the integration by visiting one of the following links based on your use case: -1. If integrating AWS SSO IdP with `Controller Login SAML Config `_ +1. If integrating AWS SSO IdP with `Controller Login SAML Config `__ + #. Click `Settings` in the left navigation menu #. Select `Controller` #. Click on the `SAML Login` tab -2. If integrating AWS SSO IdP with `OpenVPN with SAML Authentication `_ + +2. If integrating AWS SSO IdP with `OpenVPN with SAML Authentication `__ + #. Expand `OpenVPN®` in the navigation menu and click `Advanced` #. Stay on the `SAML` tab diff --git a/HowTos/SAML_Integration_Azure_AD_IdP.rst b/HowTos/SAML_Integration_Azure_AD_IdP.rst index c19c0db2a..09f9e859e 100644 --- a/HowTos/SAML_Integration_Azure_AD_IdP.rst +++ b/HowTos/SAML_Integration_Azure_AD_IdP.rst 
@@ -20,12 +20,7 @@ Overview This guide provides an example on how to configure Aviatrix to authenticate against Azure AD IdP. When SAML client is used, your Aviatrix controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IdP (e.g., Azure AD) for authentication. -Visit one of the following links based on your use case: - - If integrating Azure AD IdP with `Controller Login SAML Config `_ - If integrating Azure AD IdP with `OpenVPN with SAML Authentication `_ - -Before configuring SAML integration between Aviatrix and Azure AD, make sure you have a valid Azure AD account with administrator access. +Before configuring SAML integration between Aviatrix and Azure AD, make sure you have a valid Azure AD Premium subscription account with administrator access. Configuration Steps 
@@ -33,18 +28,29 @@ Configuration Steps Follow these steps to configure Aviatrix to authenticate against your Azure AD IdP: -Step 1. Create a `Azure AD SAML Application <#azuread-saml-app>`__ for Aviatrix -Step 2. Retrieve `Azure AD IdP metadata <#azuread-idp-metadata>`__ -Step 3. Update `Aviatrix SP Endpoint <#azuread-update-saml-endpoint>`__ in the Aviatrix Controller -Step 4. `Test the Integration <#azuread-test-integration>`__ is Set Up Correctly +Step 1. Create a `temporary Aviatrix SP Endpoint <#aviatrix-endpoint>`__ in the Aviatrix Controller +Step 2. Create an `Azure AD SAML Application <#azuread-saml-app>`__ for Aviatrix in the Azure Portal's Premium Subscription Account -.. _azuread_saml_app: +Step 3. Retrieve the `Azure AD IdP metadata <#azuread-idp-metadata>`__ + +Step 4. Update the `Aviatrix SP Endpoint <#azuread-update-saml-endpoint>`__ in the Aviatrix Controller -Create an Azure AD SAML App for Aviatrix +Step 5. `Test the Integration <#azuread-test-integration>`__ is Set Up Correctly + + +.. _aviatrix_endpoint: + +Step 1. Create an Aviatrix SP Endpoint ######################################## -Before you start, pick a short name to be used for the SAML application name ``[Endpoint Name]``. In the notes below we will refer to this as **aviatrix_azuread**. But, it can be any string. +Visit one of the following links based on your use case and follow step1 (Create temporary Aviatrix SP Endpoint for Aviatrix) from the link's Configuration section: + + If integrating Azure AD IdP with `Controller Login SAML Config `_ + + If integrating Azure AD IdP with `OpenVPN with SAML Authentication `_ + +This step will ask you to pick a short name to be used for the SAML application name ``[Endpoint Name]``. In the notes below we will refer to this as **aviatrix_azuread**. It can be any string that will identify the SAML application you create in the IdP. 
We will use the string you select for the SAML application name to generate a URL for Azure AD to connect with Aviatrix. This URL is defined below as **SP_ACS_URL**. This URL should be constructed as: @@ -54,6 +60,11 @@ We will use the string you select for the SAML application name to generate a UR Replace **<<>>** with the actual host name or IP address of your controller and **<<>>** with the ``[Endpoint Name]`` you chose to refer to the SAML application. +.. _azuread_saml_app: + +Step 2. Create an Azure AD SAML App for Aviatrix +################################################ + **Connect to Azure** Login to your Azure portal @@ -114,7 +125,7 @@ Click **Single sign-on** below **Manage** | Relay State | (leave blank) | +----------------------------+-----------------------------------------+ - |imageSAMLSettings| + The links for the SAML Identifier, Reply URL, and Sign on URL should point to the Application Gateway domain instead of the Aviatrix controller. **User Attributes** @@ -134,11 +145,14 @@ Click **Single sign-on** below **Manage** |imageUserAttrs| +#. Verify that the Namespace URI is blank like so for each claim. + + |imageAttributeURI| .. _azuread_idp_metadata: -Retrieve Azure AD IdP metadata -############################## +Step 3. Retrieve the Azure AD IdP metadata +########################################## **SAML Signing Certificate** 
@@ -155,18 +169,19 @@ Click **Save** .. _azuread_update_saml_endpoint: -Update Aviatrix SP Endpoint -########################### +Step 4. Update the Aviatrix SP Endpoint +####################################### .. note:: This step is usually completed by the Aviatrix admin. - Azure AD IdP provides IdP Metadata through text obtained in `Retrieve Azure AD IdP metadata (Step 2) <#azuread-idp-metadata>`_. + Azure AD IdP provides IdP Metadata through text obtained in `Retrieve Azure AD IdP metadata (Step 3) <#azuread-idp-metadata>`_. Azure AD IdP requires a custom SAML request template. Continue with updating Aviatrix SAML Endpoint by visiting one of the following links based on your use case: #. If integrating Azure IdP with `Controller Login SAML Config `_ + #. If integrating Azure IdP with `OpenVPN with SAML Authentication `_ +----------------------------+-----------------------------------------+ @@ -197,14 +212,9 @@ Continue with updating Aviatrix SAML Endpoint by visiting one of the following l .. code-block:: xml + $Issuer - - - - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport - - .. note:: 
@@ -214,19 +224,19 @@ Continue with updating Aviatrix SAML Endpoint by visiting one of the following l .. _azuread_test_integration: -Test the Integration -#################### +Step 5. Test the Integration +############################ .. tip:: Be sure to assign users to the new application in Azure AD prior to validating. If you do not assign your test user to the Aviatrix SAML application, you will receive an error. Continue with testing the integration by visiting one of the following links based on your use case: -1. If integrating Azure AD IdP with `Controller Login SAML Config `_ +1. If integrating Azure AD IdP with `Controller Login SAML Config `__ #. Click `Settings` in the left navigation menu #. Select `Controller` #. Click on the `SAML Login` tab -2. If integrating Azure AD IdP with `OpenVPN with SAML Authentication `_ +2. If integrating Azure AD IdP with `OpenVPN with SAML Authentication `__ #. Expand `OpenVPN®` in the navigation menu and click `Advanced` #. Stay on the `SAML` tab @@ -245,3 +255,4 @@ You can quickly validate that the configuration is complete by clicking on the * .. |imageUserAttrs| image:: azuread_saml_media/azure_ad_saml_user_attrs.png .. |imageSAMLSettings| image:: azuread_saml_media/azure_ad_saml_settings.png .. |imageSAMLMetadata| image:: azuread_saml_media/azure_ad_saml_metadata.png +.. |imageAttributeURI| image:: azuread_saml_media/azure_ad_claim_edit.png diff --git a/HowTos/SAML_Integration_Centrify_IdP.rst b/HowTos/SAML_Integration_Centrify_IdP.rst index fe4757fa8..65bdd1377 100644 --- a/HowTos/SAML_Integration_Centrify_IdP.rst +++ b/HowTos/SAML_Integration_Centrify_IdP.rst 
@@ -14,11 +14,6 @@ Overview This guide provides an example on how to configure Aviatrix to authenticate against Centrify IdP. When SAML client is used, your Aviatrix controller acts as the Identity Service Provider (SP) that redirects browser traffic from client to IdP for authentication. -Visit one of the following links based on your use case: - - If integrating Centrify IdP with `Controller Login SAML Config `_ - If integrating Centrify IdP with `OpenVPN with SAML Authentication `_ - Before configuring SAML integration between Aviatrix and Centrify, make sure you have a valid Centrify account with administrator access. Configuration Steps @@ -27,15 +22,19 @@ Configuration Steps Follow these steps to configure Aviatrix to authenticate against your Azure AD IdP: Step 1. Retrieve `Aviatrix SP Metadata <#centrify-saml-sp-metadata>`__ from the Aviatrix Controller + Step 2. Create a `Centrify SAML Application <#centrify-saml-app>`__ for Aviatrix + Step 3. Retrieve `Centrify IdP metadata <#centrify-idp-metadata>`__ + Step 4. Update `Aviatrix SP Endpoint <#centrify-update-saml-endpoint>`__ in the Aviatrix Controller + Step 5. `Test the Integration <#centrify-test-integration>`__ is Set Up Correctly .. _centrify_saml_sp_metadata: -Retrieve Aviatrix SP Metadata from Aviatrix Controller -###################################################### +Step 1. Retrieve Aviatrix SP Metadata from Aviatrix Controller +############################################################### Before creating the Centrify SAML Application, Centrify requires the Service Provider (SP) metadata file from the Aviatrix Controller. You can create a temporary SP SAML endpoint to retrieve the SP metadata for now. Later on in the guide, the SP SAML endpoint will be updated. 
@@ -62,8 +61,8 @@ For Centrify, right click the **SP Metadata** button next to the SAML endpoint a .. _centrify_saml_app: -Create a Centrify SAML App for Aviatrix -####################################### +Step 2. Create a Centrify SAML App for Aviatrix +############################################### 1. From the Centrify App->Add New App->Custom, select SAML and click on “Add”. Click yes and close the prompt. This lets you configure the application. @@ -117,8 +116,8 @@ Create a Centrify SAML App for Aviatrix .. _centrify_idp_metadata: -Retrieve Centrify IdP metadata -############################## +Step 3. Retrieve Centrify IdP metadata +####################################### #. Copy the metadata URL from the Trust page. @@ -126,7 +125,7 @@ Retrieve Centrify IdP metadata .. _centrify_update_saml_endpoint: -Update Aviatrix SP Endpoint +Step 4. Update Aviatrix SP Endpoint ########################### .. note:: @@ -163,8 +162,8 @@ Continue with updating Aviatrix SAML Endpoint by visiting one of the following l .. _centrify_test_integration: -Test the Integration -#################### +Step 5. Test the Integration +############################# .. tip:: Be sure to assign users to the new application in Centrify prior to validating. If you do not assign your test user to the Aviatrix SAML application, you will receive an error. diff --git a/HowTos/SAML_Integration_Google_IdP.rst b/HowTos/SAML_Integration_Google_IdP.rst index 687698b46..3e82d293b 100644 --- a/HowTos/SAML_Integration_Google_IdP.rst +++ b/HowTos/SAML_Integration_Google_IdP.rst 
@@ -14,11 +14,6 @@ Overview This guide provides an example on how to configure Aviatrix to authenticate against a Google IdP. When SAML client is used, your Aviatrix controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IdP (e.g., Google) for authentication. -Visit one of the following links based on your use case: - - If integrating Google IdP with `Controller Login SAML Config `_ - If integrating Google IdP with `OpenVPN with SAML Authentication `_ - Before configuring SAML integration between Aviatrix and Google, make sure you have a valid Google account with administrator access. Configuration Steps 
@@ -26,49 +21,53 @@ Configuration Steps Follow these steps to configure Aviatrix to authenticate against your Google IdP: -Step 1. Create a `Google SAML Application <#google-saml-app1>`__ for Aviatrix +Step 1. Create a `temporary Aviatrix SP Endpoint <#aviatrix-endpoint>`__ in the Aviatrix Controller -Step 2. Retrieve `Google IdP metadata <#google-idp-metadata>`__ +Step 2. Create a `Google SAML Application <#google-saml-app1>`__ for Aviatrix -Step 3. Continue Creating `Google SAML Application <#google-saml-app2>`__ for Aviatrix +Step 3. Retrieve `Google IdP metadata <#google-idp-metadata>`__ Step 4. Update `Aviatrix SP Endpoint <#google-update-saml-endpoint>`__ in the Aviatrix Controller Step 5. `Test the Integration <#google-test-integration>`__ is Set Up Correctly +.. _aviatrix_endpoint: -.. _google_saml_app1: +Step 1. Create an Aviatrix SP Endpoint +######################################## -Create a Google SAML App for Aviatrix -##################################### +Visit one of the following links based on your use case and follow step1 (Create temporary Aviatrix SP Endpoint for Aviatrix) from the link's Configuration section: -.. note:: + If integrating Google IdP with `Controller Login SAML Config `_ - This step is usually done by the Google Admin. + If integrating Google IdP with `OpenVPN with SAML Authentication `_ -#. Login to the Google Admin portal -#. Follow `Google documentation `__ to create a new **custom** application. +This step will ask you to pick a short name to be used for the SAML application name ``[Endpoint Name]``. In the notes below we will refer to this as **aviatrix_google**. It can be any string that will identify the SAML application you create in the IdP. - Click on the `Setup My Own Custom App` +We will use the string you select for the SAML application name to generate a URL for Google IdP to connect with Aviatrix. This URL is defined below as **SP_ACS_URL**. 
This URL should be constructed as: - |imageStep1| +``https://<<>>/flask/saml/sso/<<>>`` -.. _google_idp_metadata: +.. tip:: -Retrieve Google IdP metadata -############################ + Replace **<<>>** with the actual host name or IP address of your controller and **<<>>** with the ``[Endpoint Name]`` you chose to refer to the SAML application. - Scroll down to `Option 2`. Click the `Download` button next to the `IdP metadata` label. - |imageStep2| +.. _google_saml_app1: - The IdP metadata text will be used to configure the Aviatrix SP Endpoint. +Step 2. Create a Google SAML App for Aviatrix +############################################### +.. note:: -.. _google_saml_app2: + This step is usually done by the Google Admin. -Continue Creating Google SAML App for Aviatrix -############################################## +#. Login to the Google Admin portal +#. Follow `Google documentation `__ to create a new **custom** application. + + Click on the `Setup My Own Custom App` + + |imageStep1| #. Basic Information 
@@ -132,15 +131,27 @@ Continue Creating Google SAML App for Aviatrix #. Open the Service Provider Details for the SAML application just created. Uncheck `Signed Response`. #. Click `Save` +.. _google_idp_metadata: + +Step 3. Retrieve Google IdP metadata +##################################### + + Scroll down to `Option 2`. Click the `Download` button next to the `IdP metadata` label. + + |imageStep2| + + The IdP metadata text will be used to configure the Aviatrix SP Endpoint. + + .. _google_update_saml_endpoint: -Update Aviatrix SP Endpoint -############################# +Step 4. Update Aviatrix SP Endpoint +################################### .. note:: This step is usually completed by the Aviatrix admin. - Google IdP provides IdP Metadata through text obtained in `Retrieve Google IdP metadata (Step 2) `_. + Google IdP provides IdP Metadata through text obtained in `Retrieve Google IdP metadata (Step 3) `_. Continue with updating Aviatrix SAML Endpoint by visiting one of the following links based on your use case: @@ -176,8 +187,8 @@ Continue with updating Aviatrix SAML Endpoint by visiting one of the following l .. _google_test_integration: -Test the Integration -#################### +Step 5. Test the Integration +############################ .. tip:: 
@@ -186,17 +197,19 @@ Test the Integration Continue with testing the integration by visiting one of the following links based on your use case: 1. If integrating Google IdP with `Controller Login SAML Config `_ + #. Click `Settings` in the left navigation menu #. Select `Controller` #. Click on the `SAML Login` tab + 2. If integrating Google IdP with `OpenVPN with SAML Authentication `_ + #. Expand `OpenVPN®` in the navigation menu and click `Advanced` #. Stay on the `SAML` tab You can quickly validate that the configuration is complete by clicking on the **Test** button next to the SAML endpoint. - .. |logoAlias1| replace:: Aviatrix logo with red background .. _logoAlias1: https://www.aviatrix.com/news/press-kit/logo-aviatrix.png diff --git a/HowTos/SAML_Integration_Okta_IdP.rst b/HowTos/SAML_Integration_Okta_IdP.rst index 03e3ddd09..a50249d96 100644 --- a/HowTos/SAML_Integration_Okta_IdP.rst +++ b/HowTos/SAML_Integration_Okta_IdP.rst 
@@ -14,38 +14,45 @@ Overview This guide provides an example on how to configure Okta as an IdP for an Aviatrix SAML SP (endpoint). When SAML client is used, your Aviatrix controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IdP (e.g., Okta) for authentication. -Visit one of the following links based on your use case: - - If integrating Okta IdP with `Controller Login SAML Config `_ - If integrating Okta IdP with `OpenVPN with SAML Authentication `_ - Before configuring SAML integration between Aviatrix and Okta, make sure you have a valid Okta account with administrator access. - Configuration Steps ------------------- Follow these steps to configure Aviatrix to authenticate against your Okta IdP: -Step 1. Create an `Okta SAML App <#okta-saml-app>`__ for Aviatrix +Step 1. Create a `temporary Aviatrix SP Endpoint <#aviatrix-endpoint>`__ in the Aviatrix Controller + +Step 2. Create an `Okta SAML App <#okta-saml-app>`__ for Aviatrix in the Okta Portal + +Step 3. Retrieve `Okta IdP metadata <#okta-idp-metadata>`__ + +Step 4. Update `Aviatrix SP Endpoint <#okta-update-saml-endpoint>`__ in the Aviatrix Controller + +Step 5. `Test the Integration <#okta-test-integration>`__ is Set Up Correctly + +.. _aviatrix_endpoint: + +Step 1. Create an Aviatrix SP Endpoint +######################################## -Step 2. Retrieve `Okta IdP metadata <#okta-idp-metadata>`__ +Visit one of the following links based on your use case and follow step1 (Create temporary Aviatrix SP Endpoint for Aviatrix) from the link's Configuration section: -Step 3. Update `Aviatrix SP Endpoint <#okta-update-saml-endpoint>`__ in the Aviatrix Controller + If integrating Okta IdP with `Controller Login SAML Config `_ -Step 4. `Test the Integration <#okta-test-integration>`__ is Set Up Correctly + If integrating Okta IdP with `OpenVPN with SAML Authentication `_ .. 
_okta_saml_app: -Create an Okta SAML App for Aviatrix -#################################### +Step 2. Create an Okta SAML App for Aviatrix +############################################ .. note:: This step is usually done by the Okta Admin. #. Login to the Okta Admin portal -#. Follow `Okta documentation `__ to create a new application. +#. Follow `Okta documentation `__ to create a new application. (Use Okta Classic UI to create the app) +----------------+----------------+ | Field | Value | @@ -55,7 +62,7 @@ Create an Okta SAML App for Aviatrix | Sign on method | SAML 2.0 | +----------------+----------------+ - |image0| + |image0| #. General Settings @@ -73,7 +80,7 @@ Create an Okta SAML App for Aviatrix | App visibility | N/A | Leave both options unchecked | +----------------+-----------------+----------------------------------------+ - |image1| + |image1| #. SAML Settings 
@@ -87,63 +94,61 @@ Create an Okta SAML App for Aviatrix | Audience URI | ``https://[host]/`` | | (SP Entity ID) | | +----------------------+----------------------------------------------------+ - | Default RelayState | | + | Default RelayState | ``https://[host]/#/dashboard`` | +----------------------+----------------------------------------------------+ | Name ID format | Unspecified | +----------------------+----------------------------------------------------+ | Application username | Okta username | +----------------------+----------------------------------------------------+ - ``[host]`` is the hostname or IP of your Aviatrix controller. For example, ``https://controller.demo.aviatrix.live`` + ``[host]`` is the hostname or IP of your Aviatrix controller. - ``[Endpoint Name]`` is an arbitrary identifier. This same value should be used when configuring SAML in the Aviatrix controller. The example uses ``dev`` for ``[Endpoint Name]`` - - |image2| + ``[Endpoint Name]`` is an arbitrary identifier. This same value should be used when configuring SAML in the Aviatrix controller. + The example uses ``aviatrix_saml_controller`` for ``[Endpoint Name]`` + + ``https://[host]/#/dashboard`` must be set as the Default RelayState so that after SAML authenticates, user will be redirected to dashboard. * Attribute Statements - +----------------+-----------------+--------------------------------------+ - | Name | Name format | Value | - +================+=================+======================================+ - | FirstName | Unspecified | user.firstName | - +----------------+-----------------+--------------------------------------+ - | LastName | Unspecified | user.lastName | - +----------------+-----------------+--------------------------------------+ - | Email | Unspecified | user.email | - +----------------+-----------------+--------------------------------------+ - - |image3| - - -#. You need to assign the application to your account. 
Please follow steps 11 through 14 at `Okta documentation `__ + +----------------+-----------------+--------------------------------------+ + | Name | Name format | Value | + +================+=================+======================================+ + | FirstName | Unspecified | user.firstName | + +----------------+-----------------+--------------------------------------+ + | LastName | Unspecified | user.lastName | + +----------------+-----------------+--------------------------------------+ + | Email | Unspecified | user.email | + +----------------+-----------------+--------------------------------------+ + |image2| .. _okta_idp_metadata: -Retrieve Okta IdP metadata -########################## +Step 3. Retrieve Okta IdP metadata +################################## .. note:: - This step is usually completed by the Okta admin. #. After the application is created in Okta, go to the `Sign On` tab for the application. #. Copy the URL from the *Identity Provider metadata* link. This value will be used to configure the Aviatrix SP Endpoint. - |image4| +|image4| +3. Assign the application to your account +|image8| .. _okta_update_saml_endpoint: -Update Aviatrix SP Endpoint -########################### +Step 4. Update Aviatrix SP Endpoint +################################### .. note:: This step is usually completed by the Aviatrix admin. - Okta IdP provides IdP Metadata through text or URL obtained in `Retrieve Okta IdP metadata (Step 2) <#okta-idp-metadata>`_. + Okta IdP provides IdP Metadata through text or URL obtained in `Retrieve Okta IdP metadata (Step 3) <#okta-idp-metadata>`_. Continue with updating Aviatrix SAML Endpoint by visiting one of the following links based on your use case: 
@@ -174,8 +179,8 @@ Continue with updating Aviatrix SAML Endpoint by visiting one of the following l .. _okta_test_integration: -Test the Integration -#################### +Step 5. Test the Integration +############################# .. tip:: Be sure to assign users to the new application in Okta prior to validating. If you do not assign your test user to the Aviatrix SAML application, you will receive an error. 
@@ -205,16 +210,16 @@ See this `article `_ - If integrating OneLogin IdP with `OpenVPN with SAML Authentication `_ - Before configuring SAML integration between Aviatrix and OneLogin, make sure you have a valid OneLogin account with administrator access. - Configuration Steps ------------------- Follow these steps to configure Aviatrix to authenticate against your OneLogin IdP: -Step 1. Create a `OneLogin SAML App <#onelogin-saml-app>`__ for Aviatrix +Step 1. Create a `temporary Aviatrix SP Endpoint <#aviatrix-endpoint>`__ in the Aviatrix Controller -Step 2. Retrieve `OneLogin IdP metadata <#onelogin-idp-metadata>`__ +Step 2. Create a `OneLogin SAML App <#onelogin-saml-app>`__ for Aviatrix in OneLogin's Portal -Step 3. Update `Aviatrix SP Endpoint <#onelogin-update-saml-endpoint>`__ in the Aviatrix Controller +Step 3. Retrieve `OneLogin IdP metadata <#onelogin-idp-metadata>`__ -Step 4. `Test the Integration <#onelogin-test-integration>`__ is Set Up Correctly +Step 4. Update `Aviatrix SP Endpoint <#onelogin-update-saml-endpoint>`__ in the Aviatrix Controller -.. _onelogin_saml_app: +Step 5. `Test the Integration <#onelogin-test-integration>`__ is Set Up Correctly -Create a OneLogin SAML App for Aviatrix -####################################### -.. note:: +.. _aviatrix_endpoint: - This step is usually done by the OneLogin Admin. +Step 1. Create an Aviatrix SP Endpoint +######################################## -Before you start, pick a short name to be used for the SAML application name ``[Endpoint Name]``. In the notes below we will refer to this as **aviatrix_onelogin**. But, it can be any string. 
+Visit one of the following links based on your use case and follow step1 (Create temporary Aviatrix SP Endpoint for Aviatrix) from the link's Configuration section: + + If integrating OneLogin IdP with `Controller Login SAML Config `_ + + If integrating OneLogin IdP with `OpenVPN with SAML Authentication `_ + +This step will ask you to pick a short name to be used for the SAML application name ``[Endpoint Name]``. In the notes below we will refer to this as **aviatrix_onelogin**. It can be any string that will identify the SAML application you create in the IdP. We will use the string you select for the SAML application name to generate a URL for OneLogin to connect with Aviatrix. This URL is defined below as **SP_ACS_URL**. This URL should be constructed as: @@ -53,6 +52,14 @@ We will use the string you select for the SAML application name to generate a UR Replace **** with the actual host name or IP address of your controller and **** with the ``[Endpoint Name]`` you chose to refer to the SAML application. +.. _onelogin_saml_app: + +Step 2. Create a OneLogin SAML App for Aviatrix +################################################ +.. note:: + + This step is usually done by the OneLogin Admin. + #. Login to OneLogin as an administrator #. To add a new app go to **Applications** > **Applications** > click **Add Apps** @@ -77,7 +84,7 @@ We will use the string you select for the SAML application name to generate a UR +====================+======================================================+ | RelayState | Blank | +--------------------+------------------------------------------------------+ - | Audience | **SP_ACS_URL** | + | Audience(Entity ID)| **SP Entity ID** | +--------------------+------------------------------------------------------+ | Recipient | **SP_ACS_URL** | +--------------------+------------------------------------------------------+ 
@@ -88,7 +95,7 @@ We will use the string you select for the SAML application name to generate a UR +--------------------+------------------------------------------------------+ | Single Logout URL | Blank | +--------------------+------------------------------------------------------+ - | Login URL | Blank | + | Login URL | **SP Login(Test) URL** | +--------------------+------------------------------------------------------+ | SAML not valid | 3 (default) | | before | | @@ -96,9 +103,11 @@ We will use the string you select for the SAML application name to generate a UR | SAML not valid | 3 (default) | | on or after | | +--------------------+------------------------------------------------------+ - | SAML initiator | OneLogin (default) | + | SAML initiator | Service Provider | + +--------------------+------------------------------------------------------+ + | SAML nameID format | Transient | +--------------------+------------------------------------------------------+ - | SAML nameID format | Email (default) | + | SAML issuer type | Specific (default) | +--------------------+------------------------------------------------------+ | SAML signature | Assertion | | element | | @@ -108,6 +117,8 @@ We will use the string you select for the SAML application name to generate a UR | SAML encryption | TRIPLEDES-CBC (default) | | method | | +--------------------+------------------------------------------------------+ + | Sign SLO Response | Unchecked (default) | + +--------------------+------------------------------------------------------+ | SAML | 1440 (default) | | sessionNotOnOrAfter| | +--------------------+------------------------------------------------------+ 
@@ -115,7 +126,11 @@ We will use the string you select for the SAML application name to generate a UR | AttributeValue tag | | | for empty values | | +--------------------+------------------------------------------------------+ - + | Sign SLO Request | Unchecked (default) | + +--------------------+------------------------------------------------------+ + + |imageConfiguration| + #. Click **Save** #. Click on the **Parameters** tab #. Add the following custom parameters (case sensitive) @@ -144,23 +159,23 @@ We will use the string you select for the SAML application name to generate a UR .. _onelogin_idp_metadata: -Retrieve OneLogin IdP metadata -############################## +Step 3. Retrieve OneLogin IdP metadata +###################################### -#. Click on **SSO** tab -#. Copy the **Issuer URL** for the next step. This URL will be provided to the Aviatrix SP Endpoint. +#. Click on **More actions** dropdown +#. Copy the URL from the **SAML Metadata** for the next step. This URL will be provided to the Aviatrix SP Endpoint. |imageOLSSOTab| .. _onelogin_update_saml_endpoint: -Update Aviatrix SP Endpoint -########################### +Step 4. Update Aviatrix SP Endpoint +################################### .. note:: This step is usually completed by the Aviatrix admin. - OneLogin IdP provides IdP Metadata through URL obtained in `Retrieve OneLogin IdP metadata (Step 2) <#onelogin-idp-metadata>`_. + OneLogin IdP provides IdP Metadata through URL obtained in `Retrieve OneLogin IdP metadata (Step 3) <#onelogin-idp-metadata>`_. Continue with updating Aviatrix SAML Endpoint by visiting one of the following links based on your use case: 
@@ -175,7 +190,8 @@ Continue with updating Aviatrix SAML Endpoint by visiting one of the following l | IPD Metadata Type | URL | +----------------------------+-----------------------------------------+ | IdP Metadata Text/URL | Paste in the **Issuer URL** obtained | - | | from the `OneLogin app <#onelogin-idpimetadata>`_. | + | | from the `OneLogin app | + | | <#onelogin-idpimetadata>`_. | +----------------------------+-----------------------------------------+ | Entity ID | Select `Hostname` | +----------------------------+-----------------------------------------+ @@ -191,21 +207,25 @@ Continue with updating Aviatrix SAML Endpoint by visiting one of the following l .. _onelogin_test_integration: -Test the Integration -#################### +Step 5. Test the Integration +############################# .. tip:: Be sure to assign users to the new application in OneLogin prior to validating. If you do not assign your test user to the Aviatrix SAML application, you will receive an error. Continue with testing the integration by visiting one of the following links based on your use case: -1. If integrating OneLogin IdP with `Controller Login SAML Config `_ +1. If integrating OneLogin IdP with `Controller Login SAML Configuration `_ + #. Click `Settings` in the left navigation menu #. Select `Controller` #. Click on the `SAML Login` tab -2. If integrating OneLogin IdP with `OpenVPN with SAML Authentication `_ + +2. If integrating OneLogin IdP with `OpenVPN with SAML Auth `_ + #. Expand `OpenVPN®` in the navigation menu and click `Advanced` #. Stay on the `SAML` tab + You can quickly validate that the configuration is complete by clicking on the **Test** button next to the SAML endpoint. |imageAvtxTestSAML| 
@@ -218,4 +238,6 @@ You can quickly validate that the configuration is complete by clicking on the * .. |imageAvtxTestSAML| image:: onelogin_saml_media/avtx_saml_endpoint_test.png .. |imageAvtxSAMLEndpoint| image:: onelogin_saml_media/avtx_saml_endpoint.png .. |imageOLAddAppsMenu| image:: onelogin_saml_media/onelogin_select_add_apps.png -.. |imageOLSSOTab| image:: onelogin_saml_media/onelogin_issuer_url.png +.. |imageOLSSOTab| image:: onelogin_saml_media/onelogin_issuer_url.png\ +.. |imageConfiguration| image:: onelogin_saml_media/onelogin_configuration.png + diff --git a/HowTos/SAML_Integration_PingOne_IdP.rst b/HowTos/SAML_Integration_PingOne_IdP.rst new file mode 100644 index 000000000..08f978628 --- /dev/null +++ b/HowTos/SAML_Integration_PingOne_IdP.rst 
@@ -0,0 +1,260 @@ +.. meta:: + :description: PingOne for Customers for SAML Integration + :keywords: PingOne, SAML, user vpn, PingOne saml, Aviatrix, OpenVPN, Controller + +.. toctree:: + :numbered: + +============================================================================== +PingOne for Customers IdP for SAML Integration +============================================================================== + +Overview +------------ + +This guide provides an example on how to configure PingOne for Customers as an IdP for an Aviatrix SAML SP (endpoint). When SAML client is used, your Aviatrix controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IdP (e.g., PingOne for Customers) for authentication. + +Before configuring SAML integration between Aviatrix and PingOne for Customers, make sure you have a valid PingOne for Customers account with administrator access. + +Configuration Steps +------------------- + +Follow these steps to configure Aviatrix to authenticate against your PingOne for Customers IdP: + +Step 1. Create a `temporary Aviatrix SP Endpoint <#aviatrix-endpoint>`__ in the Aviatrix Controller + +Step 2. Create a `PingOne Web SAML App <#pingone-web-saml-app>`__ for Aviatrix in the PingOne for Customers Portal + +Step 3. Retrieve `PingOne IdP metadata URL <#pingone-idp-metadata>`__ + +Step 4. Update `Aviatrix SP Endpoint <#pingone-update-saml-endpoint>`__ in the Aviatrix Controller + +Step 5. `Test the Integration <#pingone-test-integration>`__ is Set Up Correctly + +.. _aviatrix_endpoint: + +Step 1. Create an Aviatrix SP Endpoint +######################################## + +Visit one of the following links based on your use case and follow step1 (Create temporary Aviatrix SP Endpoint for Aviatrix) from the link's Configuration section: + + If integrating PingOne IdP with `Controller Login SAML Config `_ + + If integrating PingOne IdP with `OpenVPN with SAML Authentication `_ + +.. 
_pingone-web-saml-app: + +Step 2. Create a PingOne Web SAML App for Aviatrix +############################################### + +.. note:: + + This step is usually done by the PingOne for Customers Admin. + +#. Login to the PingOne Admin portal + +#. Follow `PingOne documentation `__ to add a Web SAML application + +#. On the top of the page, click Connections. + +#. On the left, click Applications and then + Application. + + |pingone_idp_adding_web_saml_app_01| + +#. Click WEB APP, and then for SAML, click Configure. + + |pingone_idp_adding_web_saml_app_02| + +#. Create the application profile by entering the following information: + + +----------------------+---------------------------------------------------------+ + | Field | Value | + +======================+=========================================================+ + | Application name | A unique identifier for the application. | + +----------------------+---------------------------------------------------------+ + | Description | (optional)A brief characterization of the application. | + +----------------------+---------------------------------------------------------+ + | Icon | (optional)A pictorial representation of the application.| + | | Use a file up to 1MB in JPG, JPEG, GIF, or PNG format. | + +----------------------+---------------------------------------------------------+ + +#. 
For Configure SAML Connection, enter the following: + + +------------------------------+---------------------------------------------------+ + | Field | Value | + +------------------------------+---------------------------------------------------+ + | ACS URLs | ``https://[host]/flask/saml/sso/[Endpoint Name]`` | + +------------------------------+---------------------------------------------------+ + | Signing certificate | PingOne SSO Certificate for Default environment | + +------------------------------+---------------------------------------------------+ + | Signing | Sign Assertion | + +------------------------------+---------------------------------------------------+ + | Signing Algorithm | RSA_SHA256 | + +------------------------------+---------------------------------------------------+ + | Encryption | DISABLED | + +------------------------------+---------------------------------------------------+ + | Entity ID | ``https://[host]/`` | + +------------------------------+---------------------------------------------------+ + | SLO endpoint | Not Specified | + +------------------------------+---------------------------------------------------+ + | SLO response endpoint | Not Specified | + +------------------------------+---------------------------------------------------+ + | SLO binding | HTTP POST | + +------------------------------+---------------------------------------------------+ + | Assertion validity duration | 300 | + +------------------------------+---------------------------------------------------+ + | Target Application URL | Not Specified | + +------------------------------+---------------------------------------------------+ + | Enforce signed Authn request | Disabled | + +------------------------------+---------------------------------------------------+ + | Verification certificate | No Verification Certificates Selected | + +------------------------------+---------------------------------------------------+ + + .. 
note:: + + ``[host]`` is the hostname or IP of your Aviatrix controller. For example, ``https://controller.demo.aviatrix.live`` + + ``[Endpoint Name]`` is an arbitrary identifier. This same value should be used when configuring SAML in the Aviatrix controller. + + ``[Entity ID]`` is using ``https://[host]/`` as default if you select `Hostname` option when configuring SAML in the Aviatrix controller. + + |pingone_idp_configuring_saml_connection| + +#. Click Save and Continue. + +#. For attribute mapping, click the button "+ADD ATTRIBUTE" and then select "PingOne Attribute" to map PingOne user attribute to an attribute in this application as below. + + +------------------------+-----------------------+ + | PINGONE USER ATTRIBUTE | APPLICATION ATTRIBUTE | + +------------------------+-----------------------+ + | User ID | saml_subject | + +------------------------+-----------------------+ + | Given Name | FirstName | + +------------------------+-----------------------+ + | Family Name | LastName | + +------------------------+-----------------------+ + | Email Address | Email | + +------------------------+-----------------------+ + + .. note:: + + Notes: User ID is a default required in PingOne + + |pingone_idp_configuring_attribute_mapping| + +#. Click Save and Close. + +#. Enable the WEB SAML APP + + |pingone_idp_enable| + +.. _pingone_idp_metadata: + +Step 3. Retrieve PingOne IdP metadata +##################################### + +.. note:: + + This step is usually completed by the PingOne for Customers admin. + +#. After the application is created in PingOne, click Connections on the top of the page and then click Applications on the left. + +#. Locate the Web SAML application that we just created. + +#. Click the details icon to expand the Web SAML application and then click the button "Configuration". + +#. Copy the URL from the IDP Metadata URL from the CONNECTION DETAILS. This value will be used to configure the Aviatrix SP Endpoint. 
+ + |pingone_idp_retrieve_idp_metadata_url| + +.. _pingone_update_saml_endpoint: + +Step 4. Update Aviatrix SP Endpoint +################################### + +.. note:: + This step is usually completed by the Aviatrix admin. PineOne IdP provides IdP Metadata through URL obtained in Retrieve `PingOne IdP metadata URL <#pingone-idp-metadata>`__ step. PingOne for Customers IdP requires a custom SAML request template. + +Continue with updating Aviatrix SAML Endpoint by visiting one of the following links based on your use case: + +#. If integrating PineOne IdP with `Controller Login SAML Config `_ + +#. If integrating PineOne IdP with `OpenVPN with SAML Authentication `_ + + +-------------------------+-------------------------------------------------+ + | Field | Value | + +=========================+=================================================+ + | Endpoint Name | ``[Endpoint Name]`` (Use the same name you | + | | entered in the PingONe Application previously) | + +-------------------------+-------------------------------------------------+ + | IdP Metadata Type | URL | + +-------------------------+-------------------------------------------------+ + | IdP Metadata URL | ``URL copied from PingOne`` (IdP metadata URL) | + +-------------------------+-------------------------------------------------+ + | Entity ID | Select `Hostname` | + +-------------------------+-------------------------------------------------+ + | Custom SAML Request | Check the box and either copy the below format | + | Template | into the prompt text box or modify it | + +-------------------------+-------------------------------------------------+ + + |pingone_idp_reformat_custom_saml_request_template| + +.. code-block:: xml + + + + $Issuer + + urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + + + +.. _pingone_test_integration: + +Step 5. 
Test the Integration +############################# + +Continue with testing the integration by visiting one of the following links based on your use case: + +1. If integrating PingOne IdP with `Controller Login SAML Config `_ + + #. Click `Settings` in the left navigation menu + + #. Select `Controller` + + #. Click on the `SAML Login` tab + +2. If integrating PingOne IdP with `OpenVPN with SAML Authentication `_ + + #. Expand `OpenVPN®` in the navigation menu and click `Advanced` + + #. Stay on the `SAML` tab + +You can quickly validate that the configuration is complete by clicking on the **Test** button next to the SAML endpoint. + +OpenVPN is a registered trademark of OpenVPN Inc. + +.. |logoAlias1| replace:: Aviatrix logo with red background +.. _logoAlias1: https://www.aviatrix.com/news/press-kit/logo-aviatrix.png + +.. |logoAlias2| replace:: Aviatrix logo with transparent background +.. _logoAlias2: https://www.aviatrix.com/images/logo-reverse.png + +.. |pingone_idp_adding_web_saml_app_01| image:: SAML_Integration_PingOne_IdP_media/pingone_idp_adding_web_saml_app_01.png + +.. |pingone_idp_adding_web_saml_app_02| image:: SAML_Integration_PingOne_IdP_media/pingone_idp_adding_web_saml_app_02.png + +.. |pingone_idp_configuring_saml_connection| image:: SAML_Integration_PingOne_IdP_media/pingone_idp_configuring_saml_connection.png + +.. |pingone_idp_configuring_attribute_mapping| image:: SAML_Integration_PingOne_IdP_media/pingone_idp_configuring_attribute_mapping.png + +.. |pingone_idp_enable| image:: SAML_Integration_PingOne_IdP_media/pingone_idp_enable.png + +.. |pingone_idp_retrieve_idp_metadata_url| image:: SAML_Integration_PingOne_IdP_media/pingone_idp_retrieve_idp_metadata_url.png + +.. |pingone_idp_reformat_custom_saml_request_template| image:: SAML_Integration_PingOne_IdP_media/pingone_idp_reformat_custom_saml_request_template.png + +.. 
|imageControllerNavOpenVPNAdvanced| image:: SAML_Integration_PingOne_IdP_media/OpenVPN_Advanced_SAML_AddNew.png + :scale: 50% + +.. disqus:: diff --git a/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_adding_web_saml_app_01.png b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_adding_web_saml_app_01.png new file mode 100644 index 000000000..570849294 Binary files /dev/null and b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_adding_web_saml_app_01.png differ diff --git a/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_adding_web_saml_app_02.png b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_adding_web_saml_app_02.png new file mode 100644 index 000000000..241b7bde3 Binary files /dev/null and b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_adding_web_saml_app_02.png differ diff --git a/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_configuring_attribute_mapping.png b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_configuring_attribute_mapping.png new file mode 100644 index 000000000..f1e48333e Binary files /dev/null and b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_configuring_attribute_mapping.png differ diff --git a/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_configuring_saml_connection.png b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_configuring_saml_connection.png new file mode 100644 index 000000000..bfd453c1e Binary files /dev/null and b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_configuring_saml_connection.png differ diff --git a/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_enable.png b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_enable.png new file mode 100644 index 000000000..69781a7cb Binary files /dev/null and b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_enable.png differ 
diff --git a/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_reformat_custom_saml_request_template.png b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_reformat_custom_saml_request_template.png new file mode 100644 index 000000000..462adbb99 Binary files /dev/null and b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_reformat_custom_saml_request_template.png differ diff --git a/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_retrieve_idp_metadata_url.png b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_retrieve_idp_metadata_url.png new file mode 100644 index 000000000..e5e6dc98c Binary files /dev/null and b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_retrieve_idp_metadata_url.png differ diff --git a/HowTos/Service_Chaining_Ref_Design.rst b/HowTos/Service_Chaining_Ref_Design.rst index 7f36f0516..f50d664c6 100644 --- a/HowTos/Service_Chaining_Ref_Design.rst +++ b/HowTos/Service_Chaining_Ref_Design.rst @@ -74,7 +74,7 @@ steps highlighted. 2. Note: You can create more peering connections from VPC-1, all traffic will be inspected. -3. For support, send email to support@aviatrix.com. +3. For support, please open a support ticket at `Aviatrix Support Portal `_ 4. Enjoy! diff --git a/HowTos/Settings_CoPilot.rst b/HowTos/Settings_CoPilot.rst new file mode 100644 index 000000000..5b003f0ac --- /dev/null +++ b/HowTos/Settings_CoPilot.rst 
@@ -0,0 +1,19 @@ +.. meta:: + :description: Documentation for associating CoPilot with controller + :keywords: CoPilot, association + +################################### +CoPilot +################################### +This document describes the **CoPilot** configurations under Settings in Aviatrix Controller. + +CoPilot Association +=========================== +When “Status” is enabled, the CoPilot with the "IP Address/Hostname" you specify is associated with the Controller. After the association is enabled, a user can sign into the CoPilot without a username and password from the Controller homepage (by clicking on the CoPilot button in the action bar). + + |image0| + +.. |image0| image:: CoPilot_media/image0.png + :scale: 30% + +.. disqus:: diff --git a/HowTos/Settings_Controller.rst b/HowTos/Settings_Controller.rst deleted file mode 100644 index 9a9b1cfc4..000000000 --- a/HowTos/Settings_Controller.rst +++ /dev/null @@ -1,17 +0,0 @@ -.. meta:: - :description: Documentation for System Time, License, Email, 2FA Login - :keywords: System Time, NTP, UTC, timezone, sync, License, customer id, Email, 2FA, Duo - -################################### -Controller -################################### - -- System Time - -- License - -- Email - -- 2FA Login - -.. disqus:: diff --git a/HowTos/Settings_Maintenance.rst b/HowTos/Settings_Maintenance.rst index 22d6bcb69..6770d760f 100644 --- a/HowTos/Settings_Maintenance.rst +++ b/HowTos/Settings_Maintenance.rst 
@@ -10,5 +10,26 @@ Maintenance - `Controller HA. `__ +- `Software Patches. `__ + +- `Security Patches. `__ + +Gateway Upgrade Status +=========================== +Gateway's information about upgrade and release can be checked in controller's console Settings -> Upgrade -> Gateways Upgrade Status. Gateway Upgrade Status shows the following: + + 1. Total number of gateways + #. Gateway Names + #. Gateway's current and previous software v`ersion and build number + #. Gateway's upgrade status + +Security and Software Patches Status +======================================= +Aviatrix System releases patches time to time to fulfil the security compliance and to block any security found in a code. The software and security patches status can be checked in Controller's console. + +For Security Patches Status go to Settings -> Maintenance -> Security Patches, select controller or gateway under Gateway / Controller Status and click Collect to check the patch status. + +For Software Patches Status go to Settings -> Maintenance -> Software Patches, select controller or gateway under Gateway / Controller Status and click Collect to check the patch status. + .. disqus:: diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute.rst b/HowTos/Setup_Okta_SAML_Profile_Attribute.rst similarity index 77% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute.rst rename to HowTos/Setup_Okta_SAML_Profile_Attribute.rst index d01bafa70..3ea512878 100644 --- a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute.rst +++ b/HowTos/Setup_Okta_SAML_Profile_Attribute.rst @@ -1,4 +1,4 @@ -.. meta:: +.. meta:: :description: Setup Okta SAML with Profile Attribute :keywords: Okta, Profile 
@@ -152,7 +152,7 @@ Here are the steps for setting up the example: |assign-app| -#. Follow Steps 1 and 2 in `Setup Okta Profile attribute `__ to define the **Profile** +#. Follow Steps 1 and 2 in `Setup Okta Profile attribute <#okta-setup>`__ to define the **Profile** attribute in Okta. #. Follow `Assign VPN profile <#okta-fill-attribute>`__ to 
@@ -173,58 +173,58 @@ Here are the steps for setting up the example: |dashboard_user_without_profile| -.. |open_profile_editor| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/open_profile_editor.png +.. |open_profile_editor| image:: Setup_Okta_SAML_Profile_Attribute_media/open_profile_editor.png :scale: 70% -.. |open_user_template| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/open_user_template.png +.. |open_user_template| image:: Setup_Okta_SAML_Profile_Attribute_media/open_user_template.png :scale: 70% -.. |profile_editor_add| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/profile_editor_add.png +.. |profile_editor_add| image:: Setup_Okta_SAML_Profile_Attribute_media/profile_editor_add.png :scale: 70% -.. |add_profile_attribute_to_user_template| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user_template.png +.. |add_profile_attribute_to_user_template| image:: Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user_template.png :scale: 70% -.. |add_profile_attribute_to_app| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_app.png +.. |add_profile_attribute_to_app| image:: Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_app.png :scale: 70% -.. |add_profile_attribute_to_user| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user.png +.. |add_profile_attribute_to_user| image:: Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user.png :scale: 70% -.. |dashboard_user_with_profile| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_with_profile.png +.. |dashboard_user_with_profile| image:: Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_with_profile.png :scale: 70% -.. |browser_user_with_profile| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/browser_user_with_profile.png +.. 
|browser_user_with_profile| image:: Setup_Okta_SAML_Profile_Attribute_media/browser_user_with_profile.png :scale: 70% -.. |dashboard_user_without_profile| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_without_profile.png +.. |dashboard_user_without_profile| image:: Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_without_profile.png :scale: 70% -.. |browser_user_without_profile| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/browser_user_without_profile.png +.. |browser_user_without_profile| image:: Setup_Okta_SAML_Profile_Attribute_media/browser_user_without_profile.png :scale: 70% -.. |vpn-5-1-okta| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/vpn-5-1-okta.png +.. |vpn-5-1-okta| image:: Setup_Okta_SAML_Profile_Attribute_media/vpn-5-1-okta.png :scale: 70% -.. |cert-sharing| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/cert-sharing.png +.. |cert-sharing| image:: Setup_Okta_SAML_Profile_Attribute_media/cert-sharing.png :scale: 70% -.. |default-profile| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/default-profile.png +.. |default-profile| image:: Setup_Okta_SAML_Profile_Attribute_media/default-profile.png :scale: 70% -.. |access-profile| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/access-profile.png +.. |access-profile| image:: Setup_Okta_SAML_Profile_Attribute_media/access-profile.png :scale: 70% -.. |vpn-user| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/vpn-user.png +.. |vpn-user| image:: Setup_Okta_SAML_Profile_Attribute_media/vpn-user.png :scale: 70% -.. |download-cert| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/download-ovpn.png +.. |download-cert| image:: Setup_Okta_SAML_Profile_Attribute_media/download-ovpn.png :scale: 70% -.. |add-person| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/add-person.png +.. |add-person| image:: Setup_Okta_SAML_Profile_Attribute_media/add-person.png :scale: 70% -.. 
|assign-app| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/assign-app.png +.. |assign-app| image:: Setup_Okta_SAML_Profile_Attribute_media/assign-app.png :scale: 70% .. disqus:: diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/access-profile.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/access-profile.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/access-profile.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/access-profile.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/add-person.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/add-person.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/add-person.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/add-person.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_app.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_app.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_app.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_app.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user.png 
diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user_template.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user_template.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user_template.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user_template.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/assign-app.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/assign-app.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/assign-app.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/assign-app.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/browser_user_with_profile.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/browser_user_with_profile.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/browser_user_with_profile.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/browser_user_with_profile.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/browser_user_without_profile.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/browser_user_without_profile.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/browser_user_without_profile.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/browser_user_without_profile.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/cert-sharing.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/cert-sharing.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/cert-sharing.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/cert-sharing.png 
diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_with_profile.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_with_profile.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_with_profile.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_with_profile.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_without_profile.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_without_profile.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_without_profile.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_without_profile.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_without_profile2.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_without_profile2.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_without_profile2.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_without_profile2.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/default-profile.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/default-profile.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/default-profile.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/default-profile.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/download-ovpn.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/download-ovpn.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/download-ovpn.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/download-ovpn.png 
diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/open_profile_editor.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/open_profile_editor.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/open_profile_editor.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/open_profile_editor.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/open_user_template.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/open_user_template.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/open_user_template.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/open_user_template.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/profile_editor_add.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/profile_editor_add.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/profile_editor_add.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/profile_editor_add.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/vpn-5-1-okta.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/vpn-5-1-okta.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/vpn-5-1-okta.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/vpn-5-1-okta.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/vpn-user.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/vpn-user.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/vpn-user.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/vpn-user.png diff --git a/HowTos/Setup_PingOne_SAML_Profile_Attribute.rst b/HowTos/Setup_PingOne_SAML_Profile_Attribute.rst new file mode 100644 index 000000000..579e95c3b --- /dev/null +++ b/HowTos/Setup_PingOne_SAML_Profile_Attribute.rst 
@@ -0,0 +1,160 @@ +.. meta:: + :description: Setup PingOne for Customers web SAML app with Profile Attribute + :keywords: Profile, PingOne, PingOne for Customers, SAML, user vpn, PingOne saml, Aviatrix, OpenVPN, Controller + +=============================================================== +Setup PingOne for Customers web SAML app with Profile Attribute +=============================================================== + +This guide demonstrates the use of the **Profile** attribute in **PingOne for Customers** so each SAML user can be assigned a different VPN profile. + +How VPN profile works +--------------------- + +The VPN profiles defined at the **Controller/OpenVPN/Profiles** contain egress control policy. They are attached to the VPN users defined at **Controller/OpenVPN/VPN Users** for controlling their VPN egress traffic. Users without a profile is the same as having a profile with an **allow-all** policy, i.e., their egress traffic are unrestricted. + +For SAML VPN, the SAML user definition at the IDP has a **Profile** attribute for specifying a VPN profile, overriding the corresponding user's VPN profile assigned at the controller. If unspecified, the corresponding VPN profile assigned at the controller will be used. + +.. _pingone_for_customers_setup: + +Setup PingOne for Customers Profile attribute +--------------------------------------------- + +#. `Define a new User attribute <#pingone-for-customers-new-user-attribute>`__ in the PingOne for customers portal for storing the VPN profile name. + +#. `Define an attribute mapping <#pingone-for-customers-map-attribute>`__ for the new attribute using the name **Profile** so that the web SAML application knows how to compose the **Profile** information in the SAML response. + +#. `Assign VPN profile <#pingone-for-customers-user-fill-attribute>`__ to each SAML user. + +#. `Validate <#pingone-for-customers-validation>`__ the setup. + +.. 
_pingone_for_customers_new_user_attribute: + +Define a new User attribute +---------------------------- + +.. note:: + + This step is usually completed by the PingOne for Customers Admin. + +#. Login to the PingOne Admin portal + +#. Follow `PingOne documentation `__ to add an User attribute. + +#. On the top of the page, click Settings. + +#. On the left, under Directory, click Attributes. + +#. Click + Add Attribute. + + |pingone_idp_adding_attribute| + +#. Click DECLARED + + |pingone_idp_adding_attribute_declared| + +#. Click button "Next" + +#. Enter the following information to create custom user attribute: + + +-----------------------+---------------+---------------------------------------------------------------------------+ + | Field | Value | Description | + +-----------------------+---------------+---------------------------------------------------------------------------+ + | Name | accessprofile | A unique identifier for the attribute. | + +-----------------------+---------------+---------------------------------------------------------------------------+ + | Display name | accessprofile | The name of the attribute as you want it to appear in the,user interface. | + +-----------------------+---------------+---------------------------------------------------------------------------+ + | Description | (optional) | A brief characterization of the application. | + +-----------------------+---------------+---------------------------------------------------------------------------+ + | Enforce unique values | Uncheck | Option to require the attribute,values be unique across the environment | + +-----------------------+---------------+---------------------------------------------------------------------------+ + + .. note:: + + In this example, the new user attribute is named **accessprofile**. + + |pingone_idp_setting_attribute| + +#. Click Save and Close. + +.. 
_pingone_for_customers_map_attribute: + +Define an attribute mapping +--------------------------- + +.. note:: + + This step is usually completed by the PingOne for Customers Admin. + +#. On the top of the page, click Connections. + +#. Click Applications on the left. + +#. Locate the Web SAML application to add this custom User attribute. + +#. Click the details icon to expand the Web SAML application, and then click the pencil icon. + +#. Click the "Attribute Mappings" + +#. For updating attribute mapping, click the button "+ADD ATTRIBUTE" and then select "PingOne Attribute" to map PingOne user attribute to an application attribute as below. + + +------------------------+-----------------------+ + | PINGONE USER ATTRIBUTE | APPLICATION ATTRIBUTE | + +------------------------+-----------------------+ + | accessprofile | Profile | + +------------------------+-----------------------+ + + .. note:: + + The application attribute **Profile** is required to be an exact match so that Aviatrix Controller can process in the SAML response. + + |pingone_idp_saml_attribute_mapping| + +.. _pingone_for_customers_user_fill_attribute: + +Assign VPN profile to each SAML user +------------------------------------- + +.. note:: + + This step is usually completed by the PingOne for Customers Admin. + +For each SAML application user, edit the user profile for assigning the VPN profile + +#. On the top of the page, click Identities. + +#. Locate the user you want to edit. You can browse or search for users. + +#. Click the details icon to expand the user you want to edit, and then click the pencil icon. + +#. On the Profile tab, scroll down to the "OTHER" section + +#. Find the new User attribute "accessprofile" and assign the VPN profile + + .. note:: + + In this example, the VPN profile defined at the controller is named **access-profile**. + + |pingone_idp_vpn_profile| + +.. 
_pingone_for_customers_validation: + +Validation +---------- + +Please refer to this `doc `__ for more validation detail. + + +.. |pingone_idp_adding_attribute| image:: Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_adding_attribute.png + +.. |pingone_idp_adding_attribute_declared| image:: Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_adding_attribute_declared.png + +.. |profile_editor_add| image:: Setup_PingOne_SAML_Profile_Attribute_media/profile_editor_add.png + +.. |pingone_idp_setting_attribute| image:: Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_setting_attribute.png + +.. |pingone_idp_saml_attribute_mapping| image:: Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_saml_attribute_mapping.png + +.. |pingone_idp_vpn_profile| image:: Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_vpn_profile.png + +.. disqus:: diff --git a/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_adding_attribute.png b/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_adding_attribute.png new file mode 100644 index 000000000..e97508001 Binary files /dev/null and b/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_adding_attribute.png differ diff --git a/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_adding_attribute_declared.png b/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_adding_attribute_declared.png new file mode 100644 index 000000000..85f89614a Binary files /dev/null and b/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_adding_attribute_declared.png differ diff --git a/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_saml_attribute_mapping.png b/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_saml_attribute_mapping.png new file mode 100644 index 000000000..3e9daeab3 Binary files /dev/null and b/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_saml_attribute_mapping.png differ 
diff --git a/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_setting_attribute.png b/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_setting_attribute.png new file mode 100644 index 000000000..82e8b81e5 Binary files /dev/null and b/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_setting_attribute.png differ diff --git a/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_vpn_profile.png b/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_vpn_profile.png new file mode 100644 index 000000000..49483fea3 Binary files /dev/null and b/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_vpn_profile.png differ diff --git a/HowTos/Setup_Transit_Network_Terraform.rst b/HowTos/Setup_Transit_Network_Terraform.rst index ff8722222..4493924eb 100644 --- a/HowTos/Setup_Transit_Network_Terraform.rst +++ b/HowTos/Setup_Transit_Network_Terraform.rst @@ -19,7 +19,7 @@ Setup Terraform Provider # Configure Aviatrix provider provider "aviatrix" { controller_ip = "1.2.3.4" - username = "admin" + username = "username" password = "password" version = "2.2" } @@ -43,7 +43,7 @@ Manages an Aviatrix Transit Gateway. provider "aviatrix" { controller_ip = "1.2.3.4" - username = "admin" + username = "username" password = "password" version = "2.2" } @@ -90,7 +90,7 @@ Manages VGW connection provider "aviatrix" { controller_ip = "1.2.3.4" - username = "admin" + username = "username" password = "password" version = "2.2" } @@ -134,7 +134,7 @@ Manages an Aviatrix Spoke Gateway provider "aviatrix" { controller_ip = "1.2.3.4" - username = "admin" + username = "username" password = "password" version = "2.2" } 
@@ -184,6 +184,10 @@ Manages an Aviatrix Spoke Gateway Sample configuration to create complete transit VPC solution ============================================================ +.. Note:: + In this example, you must specify the username and password, controller_ip, account_email and other parameters. + + :: # Sample Aviatrix terraform configuration to create complete transit VPC solution @@ -195,14 +199,14 @@ Sample configuration to create complete transit VPC solution # Edit to enter your controller's IP, username and password to login with. provider "aviatrix" { controller_ip = "w.x.y.z" - username = "admin" - password = "Aviatrix123%23" + username = "username" + password = "password" version = "2.2" } resource "aviatrix_account" "test_acc" { account_name = "devops" - account_password = "Aviatrix123" + account_password = "account_password" account_email = "abc@xyz.com" cloud_type = 1 aws_account_number = "123456789012" diff --git a/HowTos/TransPeering.rst b/HowTos/TransPeering.rst index 9e301690f..01abd7045 100644 --- a/HowTos/TransPeering.rst +++ b/HowTos/TransPeering.rst @@ -96,7 +96,7 @@ with major steps highlighted. 3. Repeat step 3 above for more co-locations. -4. For support, send an email to support@aviatrix.com. +4. For support, please open a support ticket at `Aviatrix Support Portal `_. 5. For feature requests and feedback, click Make a wish at the bottom of each page. diff --git a/HowTos/Transit_ExternalDevice_CiscoRouter.rst b/HowTos/Transit_ExternalDevice_CiscoRouter.rst index 1a962add1..8ce3a4bcb 100644 --- a/HowTos/Transit_ExternalDevice_CiscoRouter.rst +++ b/HowTos/Transit_ExternalDevice_CiscoRouter.rst 
@@ -33,26 +33,28 @@ Transit Connection to Cisco Router over the internet. |image8| .. |image1| image:: ./S2C_TGW_CiscoRouter_media/cisco1.png - :width: 7.00000 in - :height: 5.00000 in + :scale: 30% + .. |image2| image:: ./S2C_TGW_CiscoRouter_media/cisco2.png - :width: 7.00000 in - :height: 5.00000 in + :scale: 30% + .. |image3| image:: ./S2C_TGW_CiscoRouter_media/cisco3.png - :width: 12.00000 in - :height: 5.00000 in + :scale: 30% + .. |image4| image:: ./S2C_TGW_CiscoRouter_media/cisco4.png - :width: 7.00000 in - :height: 5.00000 in + :scale: 30% + .. |image5| image:: ./S2C_TGW_CiscoRouter_media/cisco5.png - :width: 100% + :scale: 30% + .. |image6| image:: ./S2C_TGW_CiscoRouter_media/cisco6.png - :width: 100% + :scale: 30% + .. |image7| image:: ./S2C_TGW_CiscoRouter_media/cisco7.png - :width: 100% + :scale: 30% + .. |image8| image:: ./S2C_TGW_CiscoRouter_media/cisco8.png - :width: 12.00000 in - :height: 5.00000 in + :scale: 30% diff --git a/HowTos/Transit_ExternalDevice_PaloAlto.rst b/HowTos/Transit_ExternalDevice_PaloAlto.rst index 6f9f9014d..33f831c97 100644 --- a/HowTos/Transit_ExternalDevice_PaloAlto.rst +++ b/HowTos/Transit_ExternalDevice_PaloAlto.rst @@ -37,6 +37,10 @@ Configuration WorkFlow: |image2| + .. note:: + + If using private IP as remote gateway IP, please make sure to check "Over DirectConnect". + 3. Download the configuration by going to Site2Cloud -> Click on the Connection. Select generic and Download Configuration and configure on the router accordingly. 
@@ -87,9 +91,12 @@ Configuration WorkFlow: Interface Palo Alto Networks WAN port Peer IP Address Aviatrix Gateway public IP Pre-shared Key Key from site2cloud configuration downloaded at Step 3 - Peer Identification IP Address & Aviatrix Gateway private IP + Peer Identification IP Address & Aviatrix Gateway public IP =============================== ========================================= + .. note:: + If using remote private IP on Step 2, Peer IP Address should be the remote private IP while Peer Identification should be remote public IP. + |image9| =============================== ========================================= diff --git a/HowTos/Transit_ExternalDevice_PaloAlto_media/8.png b/HowTos/Transit_ExternalDevice_PaloAlto_media/8.png index eb29cdbac..21e8cc09f 100644 Binary files a/HowTos/Transit_ExternalDevice_PaloAlto_media/8.png and b/HowTos/Transit_ExternalDevice_PaloAlto_media/8.png differ diff --git a/HowTos/Transit_ExternalDevice_PaloAlto_media/9.png b/HowTos/Transit_ExternalDevice_PaloAlto_media/9.png index e1a7508ae..a01b305d3 100644 Binary files a/HowTos/Transit_ExternalDevice_PaloAlto_media/9.png and b/HowTos/Transit_ExternalDevice_PaloAlto_media/9.png differ diff --git a/HowTos/Troubleshoot_Diagnostics.rst b/HowTos/Troubleshoot_Diagnostics.rst index 01274c178..8d46e393d 100644 --- a/HowTos/Troubleshoot_Diagnostics.rst +++ b/HowTos/Troubleshoot_Diagnostics.rst @@ -12,6 +12,7 @@ Network This section provides tools to test the network connectivity of the controller and gateways. + Gateway Utility ~~~~~~~~~~~~~~~~~ 
@@ -23,6 +24,7 @@ Network Connectivity Utility The Network Connectivity (nc) tool allows you to test if the controller/gateway is able to reach a host with a specified protocol and port number. +Please note that tests using UDP protocol cannot be used to reliably determine connectivity as Load balancers or Security groups could consume the UDP packet, indicating a false positive. So a UDP test that says success does not gurantee UDP connectivity. However a UDP test showing failure means there are issues with UDP connectivity Packet Capture ~~~~~~~~~~~~~~~~ @@ -56,6 +58,13 @@ Controller IP Migration .. important:: The user MUST execute this feature after re-associating a new public IP for the controller through AWS/Azure/GCloud GUI console or API. This feature updates the configurations for the controller and gateways. .. +Remote Support +~~~~~~~~~~~~~~~~~ + +By enable Remote Support, you grant permission for Aviatrix support team to access the Controller for debugging +purpose. + +Make sure you disable the option when the debugging session is complete. Controller Public IP ~~~~~~~~~~~~~~~~~~~~~~ 
@@ -95,18 +104,10 @@ Keep Gateway on Error By default, the controller will roll back all the operations (gateway, EIP, security-group creations, etc...) if an error occurs during a gateway creation. However, this function allows you to keep the gateway instance for debugging purposes. In another word, this feature disables the roll back operation if the Status is set to True. -Gateway IP Migration -~~~~~~~~~~~~~~~~~~~~~~ - -.. important:: The user MUST execute this feature after re-associating a new public IP for the gateway through AWS/Azure/GCloud GUI console or API. This feature updates the configurations for controller and gateways. -.. - - Gateway Replace ~~~~~~~~~~~~~~~~~ -This feature allows you to replace a gateway by launching a new gateway and restoring the configuration and operation in the event that a gateway becomes inoperational and you have exhausted all other ways to recover. Contact support@aviatrix.com -before you use this feature. +This feature allows you to replace an existing gateway when it becomes not functional by launching a new gateway and restoring the configuration to the new gateway. Use this feature only when you have exhausted all other options. Please open a support ticket at `Aviatrix Support Portal `_ if you ahve any questions or if you need support Select a gateway in the drop down menu and click Replace. 
@@ -115,6 +116,32 @@ Select a gateway in the drop down menu and click Replace. Please refer to `Service Description of Diagnostic Result `__ +Note when the Controller performs a gateway replacement procedure, efforts are made to minimize the downtime. For example, +when a failed Spoke gateway is being replaced, the Controller first redirects the traffic to the healthy Spoke gateway by +modifying the Spoke VPC route table to route all instance or VM traffic to the healthy gateway, it also +move the routes from the Transit Gateways pointing to the failed Spoke gateway to the healthy Spoke gateway for traffic +moving from Transit Gateway to Spoke gateway. After the failed gateway is terminated and a new gateway is launched and +configuration installed, the Controller then programs the Spoke VPC route table to load balancing some subnets/route table +to point to the new gateway and also move the routes back on the Transit Gateways. + +Similar process happens when a Transit Gateway is being replaced. + +As a result the downtime is under 10 seconds for each gateway replacement in the Multi-cloud Transit solution. + +Similarly, when a failed gateway with Site2Cloud connections are being replaced, traffic is first redirected to +the other healthy gateway before the failed gateway is terminated and replaced. + +Session View +~~~~~~~~~~~~ + +This feature allows you to view active connection sessions running through Aviatrix gateways. This is useful for troubleshooting connectivity issue. + +To view sessions: + + - go to Troubleshoot -> Diagnostics -> Gateway -> Session View + + - or go to Security -> Stateful Firewall -> Session View + .. raw:: html 
@@ -162,6 +189,9 @@ The diagnostic result of this feature provides the information of a specified VP VNet Route Diagnostics ~~~~~~~~~~~~~~~~~~~~~~~~ +.. note:: This feature supports Azure Classic only. +.. + This feature provides the following operations that can be applied to a VNet: 1. Display all route tables 2. Display route table details @@ -177,6 +207,11 @@ This feature provides the following operations that can be applied to a VNet: 12. Associate a subnet to a route table 13. Dissociate a subnet from a route table +Refresh Tags +~~~~~~~~~~~~~ + +This feature syncs up AWS VPC name tags if users change the VPC name in AWS. + .. raw:: html 
@@ -225,14 +260,14 @@ This section provides the ability to view BGP configurations for diagnostics or System Resources ------------------ -This feature allows you to set the threshold for notifications when the disk/memory of a controller/gateway has reached certain percentage of the total usage. The default behavior is to alert administrators when the usage reaches 95% or higher. +This feature allows you to set the threshold for notifications when the disk/memory of a controller/gateway has reached certain percentage of the total usage. The default behavior is to alert administrators when the disk usage crosses 90% or if memory usage crosses 80%. -Connectivity Test --------------------- +Network Validation: Connectivity Test +--------------------------------------- When you select the Source Network and Destination Network, the Aviatrix Controller will spin up two instances -and run a connectivity test. After the test completes, you can re-run the test. There is only one pair of test endpoints that is valid at any given time. If you want to test a different endpoint, delete the current pair and launch a new pair. +and run a connectivity test. After the test completes, you can re-run the test. There is only one pair of test endpoints that is valid at any given time. If you want to test a different endpoint, delete the current pair and launch a new pair. These instances are visible in Gateway page, under "View Instances" .. |wireshark_filter| image:: troubleshoot_diag_media/wireshark_filter.png diff --git a/HowTos/Troubleshoot_ELB_Status.rst b/HowTos/Troubleshoot_ELB_Status.rst index d09463962..78d4770df 100644 --- a/HowTos/Troubleshoot_ELB_Status.rst +++ b/HowTos/Troubleshoot_ELB_Status.rst 
@@ -6,6 +6,7 @@ ELB Status ################################### - +This page enables users to view load balancer info including target health status after users launch an `Aviatrix OpenVPN Gateway `_ with the option `Enable ELB `_. +Additionally, users are able to delete/clean up load balancer by clicking the button "DELETE" next to the load balancer name, but usually this is not required as load balancer is automatically deleted on the last user/gateway deletion. .. disqus:: diff --git a/HowTos/Troubleshoot_Logs.rst b/HowTos/Troubleshoot_Logs.rst index 799894fa9..ad725fe54 100644 --- a/HowTos/Troubleshoot_Logs.rst +++ b/HowTos/Troubleshoot_Logs.rst @@ -6,9 +6,37 @@ Logs ################################### +Upload tracelog +--------------- +On the controller console left side menu, click Troubleshoot, click Logs and select a gateway at Upload Tracelog. The controller and gateway tracelog will be uploaded to Aviatrix. The Aviatrix support team will be alerted. If no gateway is selected, only the controller log is uploaded. - * `Upload tracelog. `__ +Please refer to `Troubleshoot `__ for troubleshooting detail. + +Display Aviatrix Command Log +---------------------------- + +DISPLAY +~~~~~~~ + +This feature enables users to view Aviatrix Command Log on GUI. + +DISPLAY AUDIT +~~~~~~~~~~~~~ + +This feature enables users to view Aviatrix Audit log on GUI. + +DOWNLOAD AUDIT +~~~~~~~~~~~~~~ + +This feature enables users to download Aviatrix Audit log to local. + +DISPLAY EVENT +~~~~~~~~~~~~~~ + +This feature enables users to view Aviatrix Event log on GUI. + + +Please refer to `Logging `__ for logging detail. - .. disqus:: diff --git a/HowTos/Troubleshooting_Diagnostics_Result.rst b/HowTos/Troubleshooting_Diagnostics_Result.rst index 2a3f2f0d7..225e0a5d7 100644 --- a/HowTos/Troubleshooting_Diagnostics_Result.rst +++ b/HowTos/Troubleshooting_Diagnostics_Result.rst 
@@ -23,75 +23,181 @@ Diagnostic Result |:: | | | | "controller": { | -| "SumoLogic Collector": "Not running", | | "Database": "Up", | -| "logstash-forwarder": "Not running", | -| "Rsyslog Status": "Not running", | -| "CloudWatch Service": "Not running", | -| "splunkd": "Not running", | | "Connectivity": "Up", | | "SSH": { | | "port": { | -| "22": "Down" | +| "22": [ | +| "Down", | +| ] | | }, | | "service": "Up" | | }, | -| "datadog-agent": "Not running", | | "Public IP": "Pass", | | "PKI": "Pass", | -| "rsyslogd": "Running" | -| } | +| "Rsyslog Service": "Not running", | +| "CloudWatch Service": "Not running", | +| "splunkd": "Not running", | +| "filebeat": "Not running", | +| "SumoLogic Collector": "Not running", | +| "rsyslogd": "Running", | +| "datadog-agent": "Not running", | +| "HTTPS": { | +| "port": { | +| "443": [ | +| "up", | +| "reachable" | +| ] | +| }, | +| "service": "Up" | +| }, | | | +-----------------------------+----------------------------------------------------------------+ |Indicates Controller status. | | | +| >The SSH service port 22 status "Down" is expected as Aviatrix doesn't allow user to connect | +| | +| ssh port to Controller or Gateway | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**Gateway Output** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "SSH": { | +| "port": { | +| "22": [ | +| "up", | +| "reachable" | +| ] | +| }, | +| "service": "Up" | +| }, | +| "GatewayIamRole": "Passed", | +| "HTTPS": { | +| "port": { | +| "443": [ | +| "up", | +| "reachable" | +| ] | +| }, | +| "service": "Up" | +| }, | +| "Upload": "Pass", | ++-----------------------------+----------------------------------------------------------------+ +|Indicates Gateway port 22 and 443 status. 
| +| | +| > Expected value: Up and reachable | +| | +| > If Fail, please make sure the gateway has its security group port 22 & 443 open to the | +| | +| controller's EIP in AWS console. | +| | +| > It's expected that SSH port 22 is reachable as controller will use the port to do | +| | +| diagnostic on the Gateway. Please make sure HTTPS port 443 is reachable in this section | +| | +| since it indicates that controller is able to reach to Gateway for the configuration and | +| | +| software package delivery. | +| | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Netflow Output** | | +|**Upload Output** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "Netflow Service": "Not running", | +| "Upload": "Pass", | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates Netflow service status. | -| > Default: Not running | +|Indicates that Aviatrix controller is able to upload files to the gateway. | +| | +| > Expected value: Pass | +| | +| > If fail, please check the port 443 is open in both security group and VPC ACL between | +| | +| controller and the gateway instance in AWS console. | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Utility Output** | | -+-----------------------------+----------------------------------------------------------------+ +|**DNS Service** | | ++-----------------------------+----------------------------------------------------------------+ |:: | | | -| "Files not found": [ | -| "/etc/openvpn/utils.py", | -| ... (the rest is omitted.) 
| -| ], | +| "DNS Service": { | +| "/etc/resolvconf/resolv.conf.d/head": [ | +| "nameserver 8.8.8.8", | +| ], | +| "/etc/hosts": [ | +| "127.0.0.1\tlocalhost", | +| "::1 ip6-localhost ip6-loopback", | +| "fe00::0 ip6-localnet", | +| "ff00::0 ip6-mcastprefix", | +| "ff02::1 ip6-allnodes", | +| "ff02::2 ip6-allrouters", | +| "ff02::3 ip6-allhostsip-172-31-45-222", | +| "10.17.1.204 ip-10-17-1-204", | +| "" | +| ], | +| "/etc/hostname": [ | +| "ip-10-17-1-204", | +| "" | +| ], | +| "/etc/systemd/resolved.conf": [ | +| "[Resolve]", | +| "" | +| ], | +| "/etc/resolv.conf": [ | +| "nameserver 8.8.8.8", | +| "nameserver 127.0.0.53", | +| "search ca-central-1.compute.internal", | +| "options edns0", | +| "" | +| ] | +| }, | | | +-----------------------------+----------------------------------------------------------------+ -|N/A | +|Indicates DNS service status and related configuration on the gateway. | +| | +| > Default nameserver: 8.8.8.8 | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**LogStash Output** | | -+-----------------------------+----------------------------------------------------------------+ +|**NTP Config** | | ++-----------------------------+----------------------------------------------------------------+ |:: | | | -| "logstash-forwarder": "Not running", | +| "NTP config": { | +| "/etc/ntp.conf": [ | +| "driftfile /var/lib/ntp/ntp.drift\n", | +| "leapfile /usr/share/zoneinfo/leap-seconds.list\n", | +| "statistics loopstats peerstats clockstats\n", | +| "filegen loopstats file loopstats type day enable\n", | +| "filegen peerstats file peerstats type day enable\n", | +| "filegen clockstats file clockstats type day enable\n", | +| "restrict -4 default kod notrap nomodify nopeer noquery limited\n", | +| "restrict -6 default kod notrap nomodify nopeer noquery limited\n", | +| "restrict 127.0.0.1\n", | 
+| "restrict ::1\n", | +| "restrict source notrap nomodify noquery\n", | +| "server 169.254.169.123 prefer iburst\n" | +| ] | +| }, | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates Logstash logging service status. | -| > Default: Not running | +|Indicates NTP config. | | | -| > Related Link `LogStash Integration`_. | +| > Default server: 169.254.169.123 | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**DNS Resolution Output** | | +|**DNS Resolution** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | @@ -99,6 +205,7 @@ Diagnostic Result | | +-----------------------------+----------------------------------------------------------------+ |Indicates if the gateway can resolve public domain names. | +| | | > Expected value: Pass | | | | > If the result is Fail, check whether the DNS resolution is enabled for the VPC where this | 
@@ -110,86 +217,192 @@ Diagnostic Result +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Hostname-filter Output** | | +|**HTTPS GET** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "Hostname-filter Report": [ | -| "{\n", | -| " \"smtp.gmail.com\": {\n", | -| " \"ip_list\": [\n", | -| " \"74.125.126.109\", \n", | -| " \"74.125.126.108\", \n", | -| " \"173.194.194.109\", \n", | -| " \"173.194.205.109\"\n", | -| " ], \n", | -| " \"thread_state\": \"ALIVE\"\n", | -| " }\n", | -| "}" | +| "HTTPS GET": "Pass", | +| | ++-----------------------------+----------------------------------------------------------------+ +|Indicates connectivity for HTTPS request from gateway to the controller. | +| | +| > Expected value: Pass if GW can communicate with Controller without issue. | +| | +| When It shows “Fail” please check both Controller and Gateway security group | +| | +| > If Fail, please make sure the controller has its security group port 443 open to the | +| | +| gateway’s EIP in AWS console | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**Supervisorctl Status** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "supervisorctl status": [ | +| "fqdn_stats RUNNING pid 2121, uptime 16:39:29\n", | +| "gwmon RUNNING pid 2117, uptime 16:39:29\n", | +| "local_launch EXITED Mar 25 08:47 AM\n", | +| "openvpn RUNNING pid 2123, uptime 16:39:29\n", | +| "perfmon RUNNING pid 2119, uptime 16:39:29\n", | +| "rtmon FATAL Exited too quickly (process log may have | +| details)\n", | +| "sw-wdt4perfmon RUNNING pid 2124, uptime 16:39:29\n", | +| 
"time_action RUNNING pid 2118, uptime 16:39:29\n" | | ], | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates the Hostname filter configuration. | +|Indicates the supervisor status. | +| | +| > All services should be in RUNNING state except local_launch. | +| | +| > rtmon is the monitor process for Transit and Spoke Gateway, the status should be running | +| | +| when in transit or spoke gateway. The state can be FATAL in other type of gateway. | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Rsyslog Output** | | -+-----------------------------+----------------------------------------------------------------+ +|**MsgQueue Output** | | ++-----------------------------+----------------------------------------------------------------+ |:: | | | -| "Rsyslog Status": "Disabled", | -| | +| "MsgQueue": { | +| "ApproximateNumberOfMessagesNotVisible": "0", | +| "KmsDataKeyReusePeriodSeconds": "300", | +| "KmsMasterKeyId": "alias/aws/sqs", | +| "ContentBasedDeduplication": "false", | +| "PubSubErrorCount": 0, | +| "ConnectionSuccessCount": 17, | +| "ApproximateNumberOfMessagesDelayed": "0", | +| "ApproximateNumberOfMessages": "0", | +| "ExpiredTokenErrorCount": 16, | +| "ConnectionStatus": "Connected", | +| "ReceiveMessageWaitTimeSeconds": "0", | +| "DelaySeconds": "0", | +| "FifoQueue": "true", | +| "VisibilityTimeout": "30", | +| "PollFailureCount": 16, | +| "PollingStatus": "Active", | +| "ConnectionFailureCount": 0, | +| "MaximumMessageSize": "262144", | +| "CreatedTimestamp": "1584614502", | +| "NumMessagesReceived": 0, | +| "MessageRetentionPeriod": "1209600", | +| "LastModifiedTimestamp": "1584614609", | +| "QueueArn": "arn:aws:sqs:ca-central-1:2767xxxxxxxx:aviatrix-1x-2xx-1xx-2xx.fifo" | +| }, | +| | 
+-----------------------------+----------------------------------------------------------------+ -|Indicates the Remote Syslog feature is enabled. | -| > Related Link `Remote Syslog Integration`_. | +|Indicates AWS SQS message queue status. | +| | +| > ApproximateNumberOfMessages indicates the number of pending messages | +| | +| in the queue. | +| | +| > Expected value is 0. | +| | +| > If this value is not 0, it means there's issue on the AWS SQS Service, please update | +| | +| your IAM policy (refer to `IAM Policy`_. and check if the DNS resolution | +| | +| passed on the gateway.) You may also check if this SQS queue is still in your AWS | +| | +| SQS Service or the IAM policy is correctly attached on the Gateway. | | | +-----------------------------+----------------------------------------------------------------+ | | -+-----------------------------+----------------------------------------------------------------+ -|**ipset Output** | | -+-----------------------------+----------------------------------------------------------------+ ++-----------------------------+----------------------------------------------------------------+ +|**Route Output** | | ++-----------------------------+----------------------------------------------------------------+ |:: | | | -| "ipset rules": [ | -| "Name: avx_hnf_ipset_d_accept\n", | -| "Type: hash:ip,port\n", | -| "Revision: 5\n", | -| "Header: family inet hashsize ... (the rest is omitted.) 
| -| "Size in memory: 4564\n", | -| "References: 1\n", | -| "Number of entries: 36\n", | -| "Members:\n", | -| "64.233.181.108,tcp:25 comment \"smtp.gmail.com\"\n", | -| "108.177.111.109,tcp:25 comment \"smtp.gmail.com\"\n", | -| "108.177.121.108,tcp:25 comment \"smtp.gmail.com\"\n", | -| "173.194.198.109,tcp:25 comment \"smtp.gmail.com\"\n", | -| "209.85.144.109,tcp:25 comment \"smtp.gmail.com\"\n" | +| "route": [ | +| "Kernel IP routing table\n", | +| "Destination Gateway Genmask Flags Metric Ref Use Iface\n", | +| "0.0.0.0 10.187.64.1 0.0.0.0 UG 0 0 0 eth0\n", | +| "10.187.64.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0\n", | +| "192.168.43.0 192.168.43.2 255.255.255.0 UG 0 0 0 tun0\n", | +| "192.168.43.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0\n", | +| "10.20.0.0 0.0.0.0 255.255.0.0 U 100 0 0 tun-xxx\n" | +| "10.20.51.91 0.0.0.0 255.255.255.255 U 100 0 0 tun-xxx\n" | +| ], | +| | ++-----------------------------+----------------------------------------------------------------+ +|Indicates the route table on the gateway. 
| +| | +| > tun0 is the interface for OpenVPN | +| | +| > tun-xxx is the interface Transit-Spoke connection | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**IP Rule Output** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "ip rule": [ | +| "0:\tfrom all lookup local \n", | +| "32766:\tfrom all lookup main \n", | +| "32767:\tfrom all lookup default \n" | | ], | -| | +| | +-----------------------------+----------------------------------------------------------------+ |N/A | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**SpanPort Output** | | -+-----------------------------+----------------------------------------------------------------+ +|**IP Route Main Output** | | ++-----------------------------+----------------------------------------------------------------+ |:: | | | -| "SpanPort Service": { | -| "port": "unknown", | -| "service": "Down" | -| }, | -| | +| "ip route main": [ | +| "default via 10.187.64.1 dev eth0 \n", | +| "10.187.64.0/20 dev eth0 proto kernel scope link src 10.187.77.1xx \n", | +| "192.168.43.0/24 via 192.168.43.2 dev tun0 \n", | +| "192.168.43.2 dev tun0 proto kernel scope link src 192.168.43.1 \n" | +| ], | +| | +-----------------------------+----------------------------------------------------------------+ -|Currently not used. 
| +|N/A | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**iptables Output** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "iptables rules": [ | +| "-P INPUT ACCEPT\n", | +| "-P FORWARD ACCEPT\n", | +| "-P OUTPUT ACCEPT\n", | +| "-N RULE-LOG-ACCEPT\n", | +| "-N RULE-LOG-DROP\n", | +| "-A FORWARD -m state --state ESTABLISHED -j ACCEPT\n", | +| "-A FORWARD -s 192.168.43.6/32 -i tun0 -j ACCEPT\n", | +| "-A RULE-LOG-ACCEPT -m limit --limit 2/sec -j LOG --log-prefix \"AvxRl gw1 | +| A:\" --log-level 7\n", | +| "-A RULE-LOG-ACCEPT -j ACCEPT\n", | +| "-A RULE-LOG-DROP -m limit --limit 2/sec -j LOG --log-prefix \"AvxRl gw1 | +| D:\" --log-level 7\n", | +| "-A RULE-LOG-DROP -j DROP\n" | +| ], | +| | ++-----------------------------+----------------------------------------------------------------+ +|Indicates Stateful firewall configuration | +| | +| > mainly used for debugging | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ |**iptables nat Output** | | -+-----------------------------+----------------------------------------------------------------+ ++-----------------------------+----------------------------------------------------------------+ |:: | | | | "iptables nat rules": [ | 
@@ -198,67 +411,97 @@ Diagnostic Result | "-P OUTPUT ACCEPT\n", | | "-P POSTROUTING ACCEPT\n", | | "-N CLOUDN-LOG-natVPN\n", | -| "-N CLOUDX-SNAT\n", | | "-A POSTROUTING -s 192.168.43.0/24 -j CLOUDN-LOG-natVPN\n", | -| "-A POSTROUTING -m addrtype --src-type LOCAL -j ACCEPT\n", | -| "-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n", | -| "-A POSTROUTING -j CLOUDX-SNAT\n", | -| "-A CLOUDN-LOG-natVPN -j LOG --log-prefix \"AviatrixUser: \"\n", | -| "-A CLOUDN-LOG-natVPN -j MASQUERADE\n", | -| "-A CLOUDX-SNAT -o eth0 -j MASQUERADE\n" | +| "-A CLOUDN-LOG-natVPN -j LOG --log-prefix \"AviatrixUser: \"\n", | +| "-A CLOUDN-LOG-natVPN -j MASQUERADE\n" | | ], | -| | +| | +-----------------------------+----------------------------------------------------------------+ |Indicates NAT configuration. | +| | | > mainly used for debugging | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Hostname-filter Status** | | -+-----------------------------+----------------------------------------------------------------+ +|**iptables mangle Output** | | ++-----------------------------+----------------------------------------------------------------+ |:: | | | -| "Hostname-filter Status": [ | -| " avx-hostname-filter.service - Aviatrix Hostname Filter\n", | -| " Loaded: loaded (/lib/systemd/system/a ... (the rest is omitted.) 
| -| " Active: inactive (dead)\n" | -| | +| "iptables mangle rules": [ | +| "-P PREROUTING ACCEPT\n", | +| "-P INPUT ACCEPT\n", | +| "-P FORWARD ACCEPT\n", | +| "-P OUTPUT ACCEPT\n", | +| "-P POSTROUTING ACCEPT\n", | +| "-N MSSCLAMPING\n", | +| "-A FORWARD -j MSSCLAMPING\n", | +| "-A MSSCLAMPING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1370\n" | +| ], | +| | +-----------------------------+----------------------------------------------------------------+ -|Indicates Hostname-filter service status | -| > Default: inactive | +|Indicates iptables mangle configuration. | +| | +| > For debugging purpose | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**iptables Output** | | -+-----------------------------+----------------------------------------------------------------+ +|**ipset Output** | | ++-----------------------------+----------------------------------------------------------------+ |:: | | | -| "iptables rules": [ | -| "-P INPUT ACCEPT\n", | -| "-P FORWARD ACCEPT\n", | -| "-P OUTPUT ACCEPT\n", | -| "-N AVX-FILTER-BASE-LOG-ACCEPT\n", | -| "-N AVX-FILTER-BASE-LOG-DROP\n", | -| "-N AVX-FILTER-CHAIN\n", | -| "-N AVX-FILTER-MATCH-LOG-ACCEPT\n", | -| "-N AVX-FILTER-MATCH-LOG-DROP\n", | -| "-N CLOUDN-AVX-NFQ\n", | -| "-N RULE-LOG-ACCEPT\n", | -| "-N RULE-LOG-DROP\n", | -| ... (the rest is omitted.) | +| "ipset rules": [ | +| "Name: avx_hnf_ipset_d_accept\n", | +| "Type: hash:ip,port\n", | +| "Revision: 5\n", | +| "Header: family inet hashsize ... (the rest is omitted.) 
| +| "Size in memory: 4564\n", | +| "References: 1\n", | +| "Number of entries: 36\n", | +| "Members:\n", | +| "64.233.181.108,tcp:25 comment \"smtp.gmail.com\"\n", | +| "108.177.111.109,tcp:25 comment \"smtp.gmail.com\"\n", | +| "108.177.121.108,tcp:25 comment \"smtp.gmail.com\"\n", | +| "173.194.198.109,tcp:25 comment \"smtp.gmail.com\"\n", | +| "209.85.144.109,tcp:25 comment \"smtp.gmail.com\"\n" | +| ], | +| | ++-----------------------------+----------------------------------------------------------------+ +|N/A | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**IPlink Output** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "ip link display": [ | +| "1: lo: mtu 65536 qdisc noqueue state | +| UNKNOWN mode DEFAULT group default qlen 1000\n", | +| " link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n", | +| "2: eth0: mtu 9001 qdisc mq state UP | +| mode DEFAULT group default qlen 1000\n", | +| " link/ether 06:b3:ec:15:fe:bc brd ff:ff:ff:ff:ff:ff\n", | +| "3: tun0: mtu 1500 qdisc fq_codel | +| ztate UNKNOWN mode DEFAULT group default qlen 100\n", | +| " link/none \n", | +| "4: cxm0: mtu 1500 qdisc noop state DOWN mode | +| DEFAULT group default qlen 1000\n", | +| " link/ether b2:9a:79:d7:68:a8 brd ff:ff:ff:ff:ff:ff\n" | | ], | -| | +| | +-----------------------------+----------------------------------------------------------------+ -|Indicates Stateful firewall configuration | -| > mainly used for debugging | +|Indicates the ip link status of the gateway. | +| | +| > Status should be UP. 
| | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ |**ifconfig Output** | | -+-----------------------------+----------------------------------------------------------------+ ++-----------------------------+----------------------------------------------------------------+ |:: | | | | "ifconfig display": [ | 
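Review bot: in the new IPlink Output block the tun0 line reads "ztate UNKNOWN mode DEFAULT"; that should be "state UNKNOWN". In the same hunk the ipset Output section gets "N/A" as its description although the set name avx_hnf_ipset_d_accept and members such as "64.233.181.108,tcp:25 comment \"smtp.gmail.com\"" are the resolved hostname-filter allow list; describe that in the right-hand column, as the nat and mangle sections do, so an operator can check that the members match the configured FQDN policy. Also, the ip link sample lines ("1: lo: mtu 65536 qdisc noqueue state UNKNOWN", "2: eth0: mtu 9001 qdisc mq state UP") have no flag list between the interface name and "mtu", which looks like the angle-bracketed flags were swallowed as markup; escape them so the sample matches real output.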
@@ -268,12 +511,12 @@ Diagnostic Result | " inet6 fe80::8a4:d3ff:f... (the rest is omitted.) | | " ether 0a:a4:d3:1b:df:0... (the rest is omitted.) | | " RX packets 326021 byt... (the rest is omitted.) | -| " RX errors 0 dropped 0... (the rest is omitted.) | +| " RX errors 0 dropped 0... (the rest is omitted.) | | " TX packets 185361 byt... (the rest is omitted.) | | " TX errors 0 dropped 0... (the rest is omitted.) | | "\n", ... (the rest is omitted.) | | "lo: flags=4169 There should be very limit number of TX and RX errors/dropped. | -| | -| > If there are a lot of TX errors or dropped in tun0, it may be due to authentication | -| | -| mismatch on the tunnel. | -| | -+-----------------------------+----------------------------------------------------------------+ -| | -+-----------------------------+----------------------------------------------------------------+ -|**Disk Usage Output** | | -+-----------------------------+----------------------------------------------------------------+ -|:: | -| | -| "top disk usage": [ | -| "4.7G\t/usr\n", | -| "2.3G\t/usr/share\n", | -| "1.3G\t/var\n", | -| "1.2G\t/usr/share/doc\n", | -| "1.1G\t/usr/src\n", | -| "1.1G\t/usr/lib\n", | -| | -| ... (the rest is omitted.) | -| ], | -| | -+-----------------------------+----------------------------------------------------------------+ -|Indicates disk usage on the gateway. | -| > The maximum size of /usr should be lower than 6G, please contact | -| | -| support@aviatrix.com if you see abnormal usage in a folder. 
| -| | -+-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**MsgQueue Output** | | -+-----------------------------+----------------------------------------------------------------+ -|:: | -| | -| "MsgQueue": { | -| "ApproximateNumberOfMessagesNotVisible": "0", | -| | -| "ContentBasedDeduplication": "false", | -| "MessageRetentionPeriod": "345600", | -| "ApproximateNumberOfMessagesDelayed": "0", | -| "MaximumMessageSize": "262144", | -| "CreatedTimestamp": "1545101799", | -| "ApproximateNumberOfMessages": "0", | -| "ReceiveMessageWaitTimeSeconds": "0", | -| "DelaySeconds": "0", | -| "FifoQueue": "true", | -| "VisibilityTimeout": "30", | -| "LastModifiedTimestamp": "1545101878", | -| "QueueArn": "arn:aws:sqs:us-west-2:xxxxxx:aviatrix-34-xxx-xxx-16.fifo" | -| }, | +|Indicates gateway's interfaces. | | | -+-----------------------------+----------------------------------------------------------------+ -|Indicates AWS SQS message queue status. | -| > ApproximateNumberOfMessages indicates the number of pending messages | +| > There should be very limit number of TX and RX errors/dropped. | | | -| in the queue. | -| | -| > Expected value is 0. | +| > If there are a lot of TX errors or dropped in tun0, it may be due to authentication | | | -| > If this value is not 0, it means there's issue on the AWS SQS Service, please update | -| | -| your IAM policy (refer to `IAM Policy`_. and check if the DNS resolution | -| | -| passed on the gateway.) You may also check if this SQS queue is still in your AWS | -| | -| SQS Service or the IAM policy is correctly attached on the Gateway. | +| mismatch on the tunnel. 
| | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Supervisorctl Output** | | +|**Processes** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "supervisorctl status": [ | -| "gwmon RUNNING pid 2857, uptime 5:25:55\n", | -| "local_launch EXITED Dec 18 02:58 AM\n", | -| "openvpn RUNNING pid 5430, uptime 5:20:42\n", | -| "perfmon RUNNING pid 2876, uptime 5:25:53\n", | -| "sw-wdt4perfmon RUNNING pid 2894, uptime 5:25:51\n", | -| "time_action RUNNING pid 2816, uptime 5:25:56\n" | -| ], | +| "Processes": [ | +| "top - 01:27:05 up 16:39, 0 users, load average: 0.15, 0.03, 0.01\n", | +| "Tasks: 114 total, 1 running, 74 sleeping, 0 stopped, 0 zombie\n", | +| "%Cpu(s): 0.3 us, 0.1 sy, 0.0 ni, 99.6 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st\n", | +| "KiB Mem : 3907116 total, 2590900 free, 325604 used, 990612 buff/cache\n", | +| "KiB Swap: 0 total, 0 free, 0 used. 3295864 avail Mem \n", | +| "\n", | +| " PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND\n", | +| " 1 root 20 0 159868 9120 6680 S 0.0 0.2 0:03.61 /sbin/init\n", | +| " 2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 [kthreadd]\n", | +| ... (the rest is omitted.) | +| ] | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates the supervisor status. | -| > All services should be in RUNNING state except local_launch. | +|N/A | | | +-----------------------------+----------------------------------------------------------------+ | | 
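Review bot: the relocated ifconfig guidance carries over the grammar error "There should be very limit number of TX and RX errors/dropped"; make it "There should be a very limited number of TX and RX errors/dropped". This hunk also deletes the Disk Usage and MsgQueue sections: Disk Usage is re-added later in the file, but the SQS MsgQueue guidance (ApproximateNumberOfMessages expected to be 0, the IAM policy and DNS resolution checks) disappears entirely. If the diagnostics no longer collect queue attributes that is fine, but check whether the `IAM Policy`_ reference target is still used anywhere else; otherwise restore the section.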
@@ -397,184 +580,246 @@ Diagnostic Result | "4500": "Up" | | }, | | "service": "Up" | -| }, | +| }, | | | +-----------------------------+----------------------------------------------------------------+ |Indicates IKE daemon service and port status | +| | | > Default: Up for all | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**SumoLogic Output** | | +|**Top mem processes** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "SumoLogic Collector": "Not running", | +| "top mem processes": [ | +| " 2.2 0.2 1320032 2117 python -W ignore /home/ubuntu/cloudx-aws/gwmon.py info\n", | +| " 1.4 0.0 141076 431 /lib/systemd/systemd-journald\n", | +| " 1.3 0.2 267644 2118 python -W ignore /home/ubuntu/cloudx-aws/timer_action.py\n", | +| " 1.0 0.0 387132 2011 /usr/sbin/apache2 -k start\n", | +| ], | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates SumoLogic logging service status. | -| > Default: Not running | +|Indicates the memory and CPU usage of the gateway. | +| | +| > The memory usage of processes (first column) is changing dynamically and the overall | | | -| > Related Link `Sumologic Integration`_. 
| +| usage should be lower than 50% | +| | +| > Mainly used for debugging | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Upload Output** | | +|**Sysinfo CPU Output** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "Upload": "Pass", | +| "SysInfo": [ | +| "***CPU***\n", | +| "Architecture: x86_64\n", | +| "CPU op-mode(s): 32-bit, 64-bit\n", | +| "Byte Order: Little Endian\n", | +| "CPU(s): 2\n", | +| "On-line CPU(s) list: 0,1\n", | +| "Thread(s) per core: 1\n", | +| "Core(s) per socket: 2\n", | +| ... (the rest is omitted.) | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates that Aviatrix controller is able to upload files to the gateway. | -| > Expected value: Pass | -| | -| > If fail, please check the port 443 is open in both security group and VPC ACL between | -| | -| controller and the gateway instance in AWS console. | +|N/A | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Datadog Output** | | +|**Kernel Output** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "Datadog Service": "Not running", | +| "***Kernel***\n", | +| "Linux ip-10-187-77-159 4.15.0-1044-aws #46 SMP Sun Dec 8 00:42:58 UTC 2019 x86_64 | | | +-----------------------------+----------------------------------------------------------------+ -| Indicates Datadog logging service status. | -| > Default: Not running | -| | -| > Related Link `Datadog Integration`_. 
| +|N/A | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**iptables mangle Output** | | +|**Uptime Output** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "iptables mangle rules": [ | -| "-P PREROUTING ACCEPT\n", | -| "-P INPUT ACCEPT\n", | -| "-P FORWARD ACCEPT\n", | -| "-P OUTPUT ACCEPT\n", | -| "-P POSTROUTING ACCEPT\n", | -| "-N MSSCLAMPING\n", | -| "-A FORWARD -j MSSCLAMPING\n", | -| "-A MSSCLAMPING -p ... (the rest is omitted.) | -| ], | +| "***Uptime***\n", | +| " 01:27:05 up 16:39, 0 users, load average: 0.14, 0.03, 0.01\n", | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates iptables mangle configuration. | -| > For debugging purpose | +|Indicates Uptime of the gateway. | +| | +| > It indicates the time that the system has been working and available | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**HTTPS Output** | | +|**Reboot History** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "HTTPS": { | -| "port": { | -| | -| "443": [ | -| "up", | -| "reachable" | -| ] | -| }, | -| "service": "Up" | -| }, | +| "***Reboot History***\n", | +| "reboot system boot 4.15.0-1044-aws Wed Mar 25 08:47 still running\n", | +| "shutdown system down 4.15.0-1044-aws Wed Mar 25 08:45 - 08:47 (00:01)\n", | +| "reboot system boot 4.15.0-1044-aws Tue Mar 24 01:30 - 08:45 (1+07:14)\n", | +| "shutdown system down 4.15.0-1044-aws Mon Mar 23 10:06 - 01:30 (15:24)\n", | +| "reboot system boot 4.15.0-1044-aws Thu Mar 19 10:41 - 10:06 (3+23:24)\n", | +| "\n", | +| "wtmp begins Thu Mar 
19 10:41:57 2020\n", | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates the HTTPS status and reachability on the gateway. | -| > Expected value: Up and reachable | -| | -| > If Fail, please make sure the gateway has its security group port 443 open to the | +|Indicates Reboot History of the gateway. | | | -| controller's EIP in AWS console. | +| > It shows the date/time of gateway reboot history | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**HTTPS Get Output** | | +|**Memory Output** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "HTTPS GET": "Pass", | +| " total used free shared buff/cache available\n" | +| "Mem: 3.7G 318M 2.5G 25M 967M 3.1G\n" | +| "Swap: 0B 0B 0B\n", | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates connectivity for HTTPS request from gateway to the controller. | -| > Expected value: Pass if GW can communicate with Controller without issue. | +|Shows current memory usage | | | -| When It shows "Fail" please check both Controller and Gateway security group | +| > If memory is lower than 95%, you will receive an warning email to indicate the memory | | | -| > If Fail, please make sure the controller has its security group port 443 open to the | +| threshold is passed. Please consider to increase the instance size to have better available | | | -| gateway's EIP in AWS console. | +| memory size. 
| | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**CloudWatch Output** | | +|**Disk Usage** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "CloudWatch Service": "Not running", | +| "***Disk Usage***\n", | +| "5.4G\t/\n", | +| "2.9G\t/usr\n", | +| "1.9G\t/var\n", | +| "1.6G\t/var/log\n", | +| "1.3G\t/usr/src\n", | +| "863M\t/usr/lib\n", | +| | +| ... (the rest is omitted.) | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates the AWS CloudWatch service status. | -| > Default: Not running | +|Indicates disk usage on the gateway. | | | -| > Related Link `Cloudwatch How To`_. | +| > The maximum size of /usr should be lower than 6G, please open a support ticket at | +| | +| https://support.aviatrix.com if you see abnormal usage in a folder. | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Top Memory Output** | | + ++-----------------------------+----------------------------------------------------------------+ +|**File System** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "top mem processes": [ | -| "20.2 0.1 398548 432 /lib/systemd/systemd-journald\n", | -| | -| " 4.6 0.0 454976 1761 /usr/sbin/apache2 -k start\n", | -| " 4.3 0.1 807656 2857 python -W ... (the rest is omitted.) | -| " 2.8 0.0 90920 2876 python -W ... (the rest is omitted.) | -| " 2.6 0.0 84700 2816 python -W ... (the rest is omitted.) | -| " 2.2 0.0 457688 5299 /usr/sbin/apache2 -k start\n", | -| " 2.1 0.0 65268 1992 /usr/bin/p ... (the rest is omitted.) 
| -| " 2.1 0.0 457688 5297 /usr/sbin/apache2 -k start\n", | -| " 1.9 0.0 548016 1183 /usr/lib/snapd/snapd\n", | -| " 1.8 0.0 457452 5300 /usr/sbin/apache2 -k start\n" | -| ], | +| "***File System***\n", | +| "Filesystem Size Used Avail Use% Mounted on\n", | +| "udev 1.9G 0 1.9G 0% /dev\n", | +| "tmpfs 382M 7.1M 375M 2% /run\n", | +| "/dev/xvda1 16G 5.7G 9.8G 37% /\n", | +| "tmpfs 1.9G 0 1.9G 0% /dev/shm\n", | +| "tmpfs 5.0M 0 5.0M 0% /run/lock\n", | +| "tmpfs 1.9G 0 1.9G 0% /sys/fs/cgroup\n", | +| "tmpfs 382M 0 382M 0% /run/user/1000\n", | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates the memory and CPU usage of the gateway. | -| > The memory usage of processes (first column) is changing dynamiclly and the overall | +|N/A | | | -| usage should be lower than 50% | ++-----------------------------+----------------------------------------------------------------+ | | -| > Mainly used for debugging | ++-----------------------------+----------------------------------------------------------------+ +|**Virtual Mem statistics** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "***Virtual Memory statistics***\n", | +| "procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----\n", | +| " r b swpd free buff cache si so bi bo in cs us sy id wa st\n", | +| " 0 0 0 2220768 181288 1178804 0 0 6 23 85 128 0 0 100 0 0\n", | +| | ++-----------------------------+----------------------------------------------------------------+ +|N/A | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**Software Version** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "***Software Version***\n", | +| 
"================================================================================\n", | +| "Branch: UserConnect-5.3\n", | +| "Commit: commit d02bf8434\n", | +| "Commit Date: Tue Mar 10 11:15:11 2020 -0700\n", | +| "Build Date: Tue Mar 10 11:31:16 PDT 2020\n", | +| "Built By: Reyweng\n", | +| "================================================================================\n", | +| "\n", | +| | ++-----------------------------+----------------------------------------------------------------+ +|N/A | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Splunk Output** | | +|**EC2 Instance Metadata** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "splunkd": "Not running", | +| "***EC2 Instance Metadata***\n", | +| "{\n", | +| " \"architecture\" : \"x86_64\",\n", | +| " \"availabilityZone\" : \"ca-central-1b\",\n", | +| " \"billingProducts\" : null,\n", | +| " \"devpayProductCodes\" : null,\n", | +| " \"imageId\" : \"ami-01axxxxxxxxxxxxxx\",\n", | +| " \"instanceId\" : \"i-046xxxxxxxxxxxxxx\",\n", | +| " \"instanceType\" : \"t2.medium\",\n", | +| " \"kernelId\" : null,\n", | +| " \"pendingTime\" : \"2020-03-25T08:47:05Z\",\n", | +| " \"privateIp\" : \"10.187.77.159\",\n", | +| " \"ramdiskId\" : null,\n", | +| " \"region\" : \"ca-central-1\",\n", | +| " \"version\" : \"2017-09-30\"\n", | +| "}{\n", | +| " \"Code\" : \"Success\",\n", | +| " \"LastUpdated\" : \"2020-03-26T00:47:40Z\",\n", | +| " \"InstanceProfileArn\" : \"arn:aws:iam::xxxxxxxxxxxx:instance-profile/ | +| aviatrix-role-ec2\", | +| " \"InstanceProfileId\" : \"XXXXXXXXXXXXXXXXXXXXX\"\n", | +| "}{\n", | +| " \"Code\" : \"Success\",\n", | +| " \"LastUpdated\" : \"2020-03-26T00:53:47Z\",\n", | +| "}" | | | 
+-----------------------------+----------------------------------------------------------------+ -|Indicates Splunk logging service status. | -| > Default: Not running | +|Indicates EC2 Instance Metadata status. | +| | +| > Aviatrix support will need AMI ID and instance type and other EC2 metadata for debugging | | | -| > Related Link `splunk Integration`_. | +| purpose. | | | +-----------------------------+----------------------------------------------------------------+ | | @@ -588,15 +833,16 @@ Diagnostic Result | | | "943": [ | | | -| "up", | +| "up", | | "reachable" | | ] | | }, | -| "service": "Down" | +| "service": "Down" | | }, | | | +-----------------------------+----------------------------------------------------------------+ |Indicates OpenVPN service status. | +| | | > Status is down if the gateway is non SSLVPN gateway | | | | > For SSLVPN gateway with ELB enabled, port 943 should be UP and the gateway's security | 
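Review bot: the Memory Output guidance inverts its threshold: "If memory is lower than 95%, you will receive an warning email to indicate the memory threshold is passed" should say the warning is sent when memory usage exceeds 95% (or free memory falls below 5%), and "an warning" / "Please consider to increase" should read "a warning" / "please consider increasing". In the Software Version block, "Built By: Reyweng" exposes an individual's build account while imageId, instanceId and the IAM account number in the same hunk are masked with x's; mask it the same way. Minor: the top mem processes sample ends with a trailing comma ("... /usr/sbin/apache2 -k start\n",) before "],", so the excerpt is not valid JSON as shown.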
@@ -610,43 +856,58 @@ Diagnostic Result +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**IP Link Output** | | +|**VPN Status Output** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "ip link display": [ | -| "1: lo: mtu 150... (the rest is omitted.) | -| " link/ether b2:61:0b:3f:69:a3 brd ff:ff:ff:ff:ff:ff\n", | -| "13: tun0: Status should be UP. | +|Indicates the VPN configuration status. Expected value: Pass | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Route Output** | | +|**Auth Config** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "route": [ | -| "Kernel IP routing table\n", | -| "Destination Gateway Genmask Flags Metric Ref Use Iface\n" | -| "0.0.0.0 10.10.10.1 0.0.0.0 UG 0 0 0 eth0\n", | -| "10.10.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0\n", | -| "192.168.43.0 192.168.43.2 255.255.255.0 UG 0 0 0 tun0\n", | -| "192.168.43.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0\n" | +| "Auth Config": [ | +| { | +| "cfg": "Pass", | +| "method": "SAML auth" | +| } | | ], | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates the route table on the gateway. | +|Indicates the authentication method configured on the VPN gateway. 
| +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**Server Cert Output** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "Server Cert": "good", | +| | ++-----------------------------+----------------------------------------------------------------+ +|N/A | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**Files Not Found** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "Files not found": [ | +| "/etc/openvpn/utils.py", | +| "/home/ubuntu/cloudx-aws/boto-2.42.tar.gz" | +| ], | +| | ++-----------------------------+----------------------------------------------------------------+ +|N/A | | | +-----------------------------+----------------------------------------------------------------+ | | @@ -660,7 +921,7 @@ Diagnostic Result | | | " Loaded: loaded (/lib/systemd/system/avx-nf... (the rest is omitted.) | | " Active: active (running) since Wed 2018-12... (the rest is omitted.) | -| " Main PID: 8495 (avx-nfq)\n", | +| " Main PID: 8495 (avx-nfq)\n", | | " Tasks: 1 (limit: 1149)\n", | | " CGroup: /system.slice/avx-nfq.service\n", | | " └─8495 /home/ubuntu/cloudx-aws/nfq-module/avx-nfq\n", | @@ -671,6 +932,7 @@ Diagnostic Result | | +-----------------------------+----------------------------------------------------------------+ |Indicates the FQDN Egress Control status | +| | | > Status is active when FQDN egress control is enabled. | | | | > Status is inactive when FQDN egress control is disabled or failed. | 
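Review bot: the new Files Not Found section lists "/etc/openvpn/utils.py" and "/home/ubuntu/cloudx-aws/boto-2.42.tar.gz" but its description is "N/A", so a reader cannot tell whether a non-empty list means a broken installation; state which files are expected to be absent and when the list should prompt a support ticket. This hunk also removes the Route Output section (the Kernel IP routing table with the 192.168.43.0 tun0 routes) without a replacement, so the page no longer shows how to verify that VPN client routes are present; confirm the diagnostic really dropped that output. The "confguration" to "configuration" fix is good.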
@@ -678,115 +940,233 @@ Diagnostic Result +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**SSH Output** | | +|**Hostname-filter Report** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "SSH": { | -| "port": { | +| "Hostname-filter Report": [ | +| "{\n", | +| " \"smtp.gmail.com\": {\n", | +| " \"ip_list\": [\n", | +| " \"74.125.126.109\", \n", | +| " \"74.125.126.108\", \n", | +| " \"173.194.194.109\", \n", | +| " \"173.194.205.109\"\n", | +| " ], \n", | +| " \"thread_state\": \"ALIVE\"\n", | +| " }\n", | +| "}" | +| ], | | | -| "22": [ | -| "up", | -| "reachable" | -| ] | -| }, | -| "service": "Up" | ++-----------------------------+----------------------------------------------------------------+ +|Indicates the Hostname filter configuration. | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**Hostname-filter Status** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "Hostname-filter Status": [ | +| "● avx-hostname-filter.service - Aviatrix Hostname Filter\n", | +| " Loaded: loaded (/lib/systemd/system/avx-hostname-filter.service; | +| disabled; vendor preset: enabled)\n", | +| " Active: inactive (dead)\n" | +| ], | +| | ++-----------------------------+----------------------------------------------------------------+ +|Indicates Hostname-filter service status | +| | +| > Default: inactive | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**SpanPort Output** | | 
++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "SpanPort Service": { | +| "port": "unknown", | +| "service": "Down" | | }, | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates the SSH port status on the gateway. | -| > Required for gateway diagnostics to function properly. | +|Currently not used. | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**Ulimit Output** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | | | -| > Default: Up and reachable. | +| "Ulimit": [ | +| "65536\n" | +| ], | | | -| > If Fail or unreachable, the gateway diagnostics will not produce useful results | ++-----------------------------+----------------------------------------------------------------+ +|N/A | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Auth Output** | | +|**Services Status Output** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "Auth Config": [ | -| { | -| "cfg": "Pass", | -| "method": "LDAP auth" | -| } | -| ], | +| "Rsyslog Service": "Service: Disabled, Process: Running", | +| "Splunk Service": "Service: Disabled, Process: Not Running", | +| "Filebeat Service": "Service: Disabled, Process: Not Running", | +| "Sumologic Service": "Service: Disabled, Process: Not Running", | +| "Datadog Service": "Service: Disabled, Process: Not Running", | +| "Netflow Service": "Service: Disabled, Process: Not Running", | +| "CloudWatch Service": "Service: Disabled, Process: Not Running", | | | 
+-----------------------------+----------------------------------------------------------------+ -|Indicates the authentication method configured on the VPN gateway. | +|Indicates logging service status. | +| | +| > Default: Not running | +| | +| > Related Link `Remote Syslog Integration`_. | +| | +| > Related Link `Splunk Integration`_. | +| | +| > Related Link `Filebeat Integration`_. | +| | +| > Related Link `Sumologic Integration`_. | +| | +| > Related Link `Datadog Integration`_. | +| | +| > Related Link `Cloudwatch How To`_. | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**VPN Status Output** | | +|**mpm_prefork Output** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "VPN config": "Pass", | +| "mpm_prefork config": { | +| "/etc/apache2/mods-enabled/mpm_prefork.conf": [ | +| "", | +| "\tStartServers\t\t 5", | +| "\tMinSpareServers\t\t 5", | +| "\tMaxSpareServers\t\t 10", | +| "\tMaxRequestWorkers\t3000", | +| "\tServerLimit 3000", | +| "\tMaxConnectionsPerChild 0", | +| "", | +| "" | +| ] | +| }, | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates the VPN confguration status. Expected value: Pass | +|Indicates Apache MaxRequest Workers. | +| | +| >The MaxRequestWorkers directive sets the limit on the number of simultaneous requests | +| | +| that will be served. The value of MaxRequestWorkers should be 3000, if not, you'll just | +| | +| need to restart the Cloudxd service on the Controller. 
this can be done by the following | +| | +| steps: Controller UI > Troubleshoot > Diagnostics > Services > Restart cloudxd | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**DNS Output** | | +|**CIS Patch Output** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "DNS Service": { | -| "/etc/resolvconf/resolv.conf.d/head": [ | -| "nameserver 8.8.8.8\n" | -| ], | -| "/etc/hosts": [ | -| "127.0.0.1 localhost\n", | -| "\n", | -| "::1 ip6-localhost ip6-loopback\n", | -| "fe00::0 ip6-localnet\n", | -| "ff00::0 ip6-mcastprefix\n", | -| "ff02::1 ip6-allnodes\n", | -| "ff02::2 ip6-allrouters\n", | -| "ff02::3 ip6-allhosts\n", | -| "ip-10-10-10-72\n", | -| "ip-10-10-10-72\n", | -| "10.10.10.72 ip-10-10-10-72\n" | +| "CIS Patch status": { | +| "Not patched": [ | +| "Enable support for FIPS 140-2", | +| "X-XSS-Protection and X-Content-Type-Options Headers", | +| "Increase File Descriptor limit" | | ], | -| "/etc/hostname": [ | -| "ip-10-10-10-72\n" | -| ], | -| "/etc/systemd/resolved.conf": [ | -| "\n", | -| "[Resolve]\n", | -| "DNS=8.8.8.8\n" | +| "Patched": [] | +| }, | +| | ++-----------------------------+----------------------------------------------------------------+ +|N/A | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**SW Patch status** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "SW Patch status": { | +| "Not patched": [ | +| "Apply xml file patch for Splunk year 2020 bug" | | ], | -| "/etc/resolv.conf": [ | -| "\n", | -| "nameserver 8.8.8.8\n", | -| "nameserver 10.10.0.2\n", | -| "search us-west-2.compute.internal\n" | 
+| "Patched": [ | +| "Mitigation for Datadog Agent installation issue on Ubuntu 14.04" | | ] | | }, | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates DNS service status and related configuration on the gateway. | +|Indicates Software status | +| | +| > The patches are good to apply - we usually try to address the vulnerabilities through our | +| | +| software upgrades, but for ones which need to be done outside of an upgrade, we use the | +| | +| patch process. | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Server Cert Output** | | +|**Ingress Control Output** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "Server Cert": "good" | +| "Ingress Control": { | +| "Routing": "disabled", | +| "GuardDuty Service": { | +| "Account": "robin-aws", | +| "Region": "ca-central-1", | +| "Account status": "disabled", | +| "AWS status": "disabled" | +| } | +| }, | +| | ++-----------------------------+----------------------------------------------------------------+ +|N/A | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**rp_filter Output** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "rp_filter": [ | +| "net.ipv4.conf.all.rp_filter = 0\n", | +| "net.ipv4.conf.eth0.rp_filter = 0\n" | +| ], | +| | ++-----------------------------+----------------------------------------------------------------+ +|N/A | +| | ++-----------------------------+----------------------------------------------------------------+ +| | 
++-----------------------------+----------------------------------------------------------------+ +|**FQDN service status** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "FQDN stats service": [ | +| "fqdn_stats RUNNING pid 2121, uptime 16:39:45\n" | +| ] | | | +-----------------------------+----------------------------------------------------------------+ |N/A | | | +-----------------------------+----------------------------------------------------------------+ - .. _LogStash Integration: https://docs.aviatrix.com/HowTos/AviatrixLogging.html#logstash-forwarder @@ -796,5 +1176,6 @@ Diagnostic Result .. _Datadog Integration: https://docs.aviatrix.com/HowTos/DatadogIntegration.html .. _Cloudwatch How To: https://docs.aviatrix.com/HowTos/cloudwatch.html .. _Splunk Integration: https://docs.aviatrix.com/HowTos/AviatrixLogging.html#splunk-logging +.. _Filebeat Integration: https://docs.aviatrix.com/HowTos/AviatrixLogging.html#filebeat-forwarder .. disqus:: diff --git a/HowTos/UCC_Release_Notes.rst b/HowTos/UCC_Release_Notes.rst index d061c6383..129b1bcc3 100644 --- a/HowTos/UCC_Release_Notes.rst +++ b/HowTos/UCC_Release_Notes.rst 
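Review bot: the new diagnostic rows document security-relevant output but leave the description cell as "N/A" for **CIS Patch Output**, **Ingress Control Output** and **rp_filter Output**, so a reader cannot tell whether the sample values are healthy. For CIS Patch, say what the "Not patched" list (e.g. "Enable support for FIPS 140-2", "X-XSS-Protection and X-Content-Type-Options Headers") means and how an operator applies those items; for rp_filter, state the expected value so that `net.ipv4.conf.all.rp_filter = 0` can be judged as correct or not; for Ingress Control, explain what "Routing": "disabled" and the GuardDuty "Account status"/"AWS status" fields indicate. The **SW Patch status** description cell reads as an internal note ("we usually try to address the vulnerabilities through our software upgrades...") and uses a leading `>` that is not RST quote syntax inside a grid table; rewrite it as user-facing text. Two smaller points: the header cells **SW Patch status** and **FQDN service status** break the "... Output" naming used by the other rows, and the hunk drops the **DNS Output** and **Server Cert Output** rows together with the `.. _LogStash Integration:` target; confirm those outputs were actually removed from the diagnostics report and that no `LogStash Integration`_ reference remains in the file, otherwise Sphinx will warn about an unknown target.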
@@ -2,20 +2,1302 @@ Release Notes ======================================= +6.6.5224 (01/23/2022) +===================== + +**Enhanced Features in Release 6.6** + +- Added support for Aviatrix Spoke Gateway to External Device (BGP-Enabled Spoke). Introduced in Aviatrix release 6.6, you can now create spoke gateways that are BGP-enabled and NAT-enabled. Aviatrix Cloud Network Platform has always supported NAT in a way that most enterprises need in order to meet their business and technical requirements. Using BGP-enabled and NAT-enabled spoke gateways gives you yet more capabilities to implement policy based SNAT/DNAT functions in strategic places in your network architecture. For more information, see the discussion about `Aviatrix Spoke Gateway to External Device `_. +- Added support for Google Cloud Platform (GCP) BGP over LAN to support multi peer instance. This allows Aviatrix Transit Gateways to communicate with a pair of instances in the same VPC in GCP without running any tunneling protocol such as IPSec or GRE. For more information, see the discussion about `GCP Multi-cloud Transit BGP over LAN Workflow `_. +- Added support for AWS TGW Connect over Direct Connect. Amazon Web Services (AWS) enables AWS customers to integrate their Software Defined Wide Area Network (SD-WAN) devices with AWS Transit Gateway and AWS Direct Connect so they can use their existing SD-WAN devices to connect their on-premises networks to an AWS Transit Gateway. In support of this, Aviatrix enables you to create one or multiple Transit Gateway Connect attachments over Direct Connect. You can also create Transit Gateway Connect peer attachments. For instructions, see the topic `Enable AWS TGW connect over Direct Connect `_. +- Added support for Aviatrix Controller Security Assertion Markup Language (SAML) based authentication user VPN access in Azure. For instructions, see the topic `Azure SAML Authorization VPN Access `_. +- Added support for FireNet with PAN in AWS China. 
+- Added support for Checkpoint integration with private SSH keys. + +**UI Enhancements in Release 6.6** + +- Improved FireNet and Multi-Cloud Transit workflows reducing clicks and navigation steps. +- Decommissioning and Renaming of CLOUDWAN to CLOUDN. +- Notification bar includes message history. +- Guided “What’s New” information for first Aviatrix Controller user login. +- Launch CoPilot from the Aviatrix Controller App Drawer. +- Enable daily backup added to notification menu. +- Use consistent naming in action menu and config box for the list view of Transit Gateway. + +**Changed Behaviors in Release 6.6** + +- The primary gateway will always be active to forward traffic to on-prem, unless its tunnel to on-prem goes down. When its tunnel to on-prem comes up, it will start to forward the traffic again. This is different from 6.5 release and before where when forwarding failover to HA gateway, it won't switch back to primary gateway when its tunnel comes up. +- Before 6.6, when BGP ECMP is enabled, routes from different domain can be combined to form ECMP at gateway. This is incorrect behavior and is fixed in 6.6, such that only BGP routes from the same domain can be combined for ECMP. + +**Upgrade Behaviors and Restrictions in Release 6.6** + +- To upgrade to 6.6, you must manually enter “6.6” in the Aviatrix Controller upgrade window. +- You cannot rollback to Aviatrix version 6.5 after upgrading to 6.6. +- The 6.6 release introduces a behavior change in the Multi-Cloud Transit Active-Standby Site2Cloud behavior, if the setting is enabled. After a failover, when the primary gateway is back up, the traffic is switched over automatically back to the primary Site2Cloud connection. This brings more predictability and fits into the model of most on-prem firewalls. In 6.6, this behavior cannot be adjusted. If Active-Standby is disabled (which is the default setting), there is no behavior change. 
If you have questions about this behavior, please contact your Aviatrix account team. + +**Known Issues in Release 6.6** + +- Cannot add more than 2 remote and 2 local subnet pair tunnels to a Site2Cloud policy based connection with the Aviatrix Controller. + + - Workaround: Use Site2Cloud to delete or add new subnet pair tunnels to a Site2Cloud policy based connection. + +- OCI is not yet compatible with the 6.6 release. Until a new image is available, initializing your controller to the latest will fail. + + - Workaround: initialize your controller to 6.5 first and upgrade to 6.6. Controllers already installed with 6.3 or newer should be able to upgrade to 6.6 without issue. + +**Issues Corrected in Release 6.6** + +- **AVX-14515** - Exception seen when configuring vendor integration with a Palo Alto Firewall VM which has no route tables. +- **AVX-14568** - If there are any GWs that are not reachable by the controller before the Controller HA Migration starts, the control planes of these GWs will be out of sync because there will be an implicit control-plane certificate re-bootstrap as a part of Control HA Migration process. The issue exists before 6.5.2835 (exclusive) and all 6.4 releases. +- **AVX-14754** - When Controller Security Group Management is enabled and launching a gateway causes controller SG to reach limit, it will show correct error "The maximum number of rules per security group has been reached. +- **AVX-14822** - Controller Security Group Management will add gateway IP rule to customer attached controller SGs as well as controller created SGs. +- **AVX-15180** - Allows you to configure default route as destination CIDR in customized SNAT. +- **AVX-15454** - Deleted dependency of storage account for Azure China gateways. +- **AVX-15639** - When replacing a gateway using image upgrade the new gateway was missing the Aviatrix-Created-Resource tag. +- **AVX-15651** - Incorrect existing references to default Aviatrix AWS IAM role names. 
+- **AVX-15704** - While creating an IKEv2 enabled site2cloud connection, you will see "Failed to establish a new connection" error.snat +- **AVX-15978** - The conntrack "allow all" rule should always be placed above the "drop all" rule in the order of operations. +- **AVX-16100** - You can configure DNAT on transit GW, either ActiveMesh or non-ActiveMesh connection. +- **AVX-16375** - For policy based site2cloud connection, if one of the s2c tunnel is down on a transit gateway, traffic from attached spoke, or peering transit, or AWS TGW to the transit gateway will be dropped. +- **AVX-16450** - Addressed issues with CloudN registration in some scenarios. +- **AVX-16486** - Improved IPSec performance on high latency links. +- **AVX-16494** - Performance optimization in monitoring IPSec states. +- **AVX-16496** - When upgrading a standalone CloundN implementation: + + - For CloudN versions < 6.5.2613: Full outbound access on TCP ports 80 and 443 on CloudN Management is required. + - For CloudN versions >= 6.5.2613: Please follow the `Internet Acces `_ instructions. For a list of required FDQNs, please see `Required Access for External Sites `_. + +- **AVX-17027** - The UI upgrade progress bar getting stuck at 99% during standalone CloudN upgrade. +- **AVX-17302** - Secondary cidrs in OCI VCN not advertised to transit gateway. +- **AVX-17420** - If the account is deleted or deactivated from AWS, VPC attachment from AWS TGW is getting deleted. You must manually clean up all blackhole routes (RFC1918 or customized routes) on AWS. +- **AVX-17432** - For route based, unmapped S2C, when the connection is down, the routes for the remote CIDRs are still associated with the connection, i.e. the routes are not removed. +- **AVX-17512** - Addressed an issue in NAT programming on Spoke-HA when sync-to-ha is enabled. +- **AVX-17582** - Closed potential security issue the controller UI console. 
+- **AVX-17628** - Closed potential SSH security issue for users upgrading from previous releases. +- **AVX-17740** - Launching a gateway on a Native GWLB FireNet VPC is incorrectly allowed. Disabling Native GWLB FireNet before detaching the VPC from its TGW (if it was attached to one) was incorrectly allowed. +- **AVX-17849** - Existing issues in Flightpath for Azure NSG's. +- **AVX-18148** - Excessive load on cloudxd induced due to rsyslog monitoring certain user visible changes.Excessive email alerts generated about rsyslog while trying to reduce rsyslog monitoring load on core processes. +- **AVX-18149** - Controller becoming slow or non-responsive when executing large number of certain API requests. +- **AVX-18164** - The performance of the API to list the security policies of a gateway is not satisfactory. + +6.5.2898 (01/11/2022) +===================== + +**Issues Corrected in Aviatrix Release 6.5** + +- **AVX-9033** - Some logs are too big on CloudN. +- **AVX-14426** - Tunnels take a long time to become established and on occasion can flap even during establishment in IPSEC IKE interoperability. +- **AVX-14659** - Tunnel flaps when attaching spoke gateways running IPSec strongSwan to transit gateways running IPSec racoon, or transit gateways running IPSec strongSwan to transit gateways running IPSec racoon. +- **AVX-16967** - When a SNAT rule is added/removed for a gateway, it needs to check if the NAT rule is duplicated in the route tables. The checking is dependent on the NAT routes if load balanced or generic (not load balanced). You must miss the checking for duplicated routes to include the HA gateways in the interface list. It may give a wrong conclusion that some NAT rules were duplicated. +- **AVX-17214** - If any conntrack module related errors are observed in 6.5. (g's build number) and after, AVXERR format can be used for first level debugging. 
'AVXERR-CONNTRACK-0001': 'Gateway Error: {}', 'AVXERR-CONNTRACK-0002': 'Required/Invalid option: {}' 'AVXERR-CONNTRACK-0003': 'Not found/File error: {}' 'AVXERR-CONNTRACK-0004': 'Not Supported: {}' +- **AVX-17349** – Closed vulnerability AVI-2021-0008, allowing an unauthenticated attacker partial access to configuration information on controllers and an unauthenticated network-adjacent attacker API access on gateways. +- **AVX-17420** - If the account is deleted or deactivated from AWS, VPC attachment from AWS TGW is getting deleted. You must manually clean up all blackhole routes (RFC1918 or customized routes) on AWS. +- **AVX-17628** - Hardened SSH security for legacy users. +- **AVX-17740** - Launching a gateway on a Native GWLB FireNet VPC was incorrectly allowed. Disabling Native GWLB FireNet before detaching the VPC from its TGW (if it was attached to one) was incorrectly allowed. +- **AVX-18149** - Controller becoming slow or non-responsive when executing large number of certain API requests. + +**Known Behaviors in Aviatrix Release 6.5** + +- If your Controller is running 6.4 and you have ControllerHA enabled, there is a very small chance that your HA recovery might fail if your Controller goes down by any chance. If that happens, you can manually restore the backup on your new Controller. To avoid this, please upgrade to the 6.5 release. +- **AVX-16496** - When upgrading a standalone CloundN implementation: + + - For CloudN versions < 6.5.2613: Full outbound access on TCP ports 80 and 443 on CloudN Management is required. + - For CloudN versions >= 6.5.2613: Please follow the instructions at Standalone `CloudN Deployment Checklist `_. For a list of required FDQNs, please see `Required Access for External Sites `_. + +- **AVX-15458** - After Controller and standalone CloudN’s are upgraded from 6.3 to 6.4, to access CloudN device in web UI: + + - Use CloudN management IP address inside on-premises network. 
+ - Use CloudN LAN IP address from Spoke workplace in the CSP network. + +- **AVX-17221** - If you have Managed CloudN, Aviatrix requires you to follow the Managed instructions and allow access to the sites mentioned for the CloudN Managed Port. If your Managed CloudN ends up in a "config_fail" state after your Controller is upgraded, you have the following options: + + Option 1: + + #. Deregister your CloudN. Follow the instructions to allow management port outbound access. + #. Follow NTP sync instructions at `Managed CloudN Workflows `_. + #. Register your CloudN. + + Option 2: Open a ticket with `Aviatrix Support `_. + +6.4.2995 (01/11/2022) +===================== + +**Issues Corrected in Aviatrix Release 6.4** + +- **AVX-14537** - Error establishing Raccoon native CaaG attachment with larger transit instance size (Ex: c5.4xlarge, Standard_D8_v3) and number of IPSec Tunnels > 32. +- **AVX-17349** – Closed vulnerability AVI-2021-0008, allowing an unauthenticated attacker partial access to configuration information on controllers and an unauthenticated network-adjacent attacker API access on gateways. + +6.5.2835 (12/10/2021) +===================== + +**Issues Corrected in Aviatrix Release 6.5** + +- **AVX-9033** - The routing logs are not rotated on CloudN and are not included in the trace logs. +- **AVX-14298** - The following CVEs were addressed in this release: `CVE-2007-2243 `_ and `CVE-2004-1653 `_. +- **AVX-14659** - IPSec tunnel flapping between gateways running different flavors of IPSec infra. +- **AVX-16121** - After a successful image upgrade, the gateway state changes from success to config_fail after about 5 minutes. +- **AVX-16563** - Security Group Management feature fails on an Aviatrix Controller deployed in GCP after a Controller Migration operation. +- **AVX-16912** - Cannot create Transit GW with HA in OCI using Terraform scripts. +- **AVX-16967** - Deleting one or more Customized SNATs generates a “route already exists in route table” error. 
+- **AVX-17489** - When deleting one CIDR from the spoke customized advertise CIDR list, the CIDR should only be removed from the transit gateway and the rest of the network. However, during deletion the CIDR was removed from the spoke itself, which deletes the routes added for static S2c. + +**Known Issues in Aviatrix Release 6.5** + +- If your Controller is running 6.4 and you have ControllerHA enabled, there is a very small chance that your HA recovery might fail if your Controller goes down by any chance. If that happens, you can manually restore the backup on your new Controller. To avoid this, please upgrade to the 6.5 release. +- **AVX-16121** - In Aviatrix version 5.x, Logstash Forwarder was replaced by `Filebeat Forwarder `_ in the supported logging services. If you enabled logstash before this switch, please disable/enable logstash on the Filebeat Forwarder in “Controller/Logging” before upgrading your Aviatrix Controller, otherwise your Gateways might come up in the “config_fail” state after the upgrade. You might need to update your configuration on your collection side to accommodate this change. If you already upgraded and have Gateways in the “config_fail” state, you can do an “Image Upgrade” on the impacted Gateway to resolve the issue. +- **AVX-17221** - If you have Managed CloudN, Aviatrix requires you to follow the Managed instructions and allow access to the sites mentioned for the CloudN Managed Port. If your Managed CloudN ends up in a "config_fail" state after your Controller is upgraded, you have the following options: + + Option 1: + + #. Deregister your CloudN. Follow the instructions to allow management port outbound access. + #. Follow NTP sync instructions at `Managed CloudN Workflows `_. + #. Register your CloudN. + + Option 2: Open a ticket with `Aviatrix Support `_. 
+ +6.4.2973 (11/19/2021) + +- If your Controller is running 6.4 and you have ControllerHA enabled, there is a very small chance that your HA recovery might fail if your Controller goes down by any chance. If that happens, you can manually restore the backup on your new Controller. To avoid this, please upgrade to the 6.5 release. +- **AVX-16121** - In Aviatrix version 5.x, Logstash Forwarder was replaced by `Filebeat Forwarder `_ in the supported logging services. If you enabled logstash before this switch, please disable/enable logstash on the Filebeat Forwarder in “Controller/Logging” before upgrading your Aviatrix Controller, otherwise your Gateways might come up in the “config_fail” state after the upgrade. You might need to update your configuration on your collection side to accommodate this change. If you already upgraded and have Gateways in the “config_fail” state, you can do an “Image Upgrade” on the impacted Gateway to resolve the issue. +- **AVX-17221** - If you have Managed CloudN, Aviatrix requires you to follow the Managed instructions and allow access to the sites mentioned for the CloudN Managed Port. If your Managed CloudN ends up in a "config_fail" state after your Controller is upgraded, you have the following options: + + Option 1: + + #. Deregister your CloudN. Follow the instructions to allow management port outbound access. + #. Follow NTP sync instructions at `Managed CloudN Workflows `_. + #. Register your CloudN. + + Option 2: Open a ticket with `Aviatrix Support `_. + +6.4.2973 (11/19/2021) + +**Issues Corrected in Aviatrix Release 6.4** + +- **AVX-15653** - Controller image migration fails to progress past the initialization state. +- **AVX-16494** - CPU overconsumption by IP processes on gateways. +- **AVX-16601** - In some corner cases, if the API enable_gateway_auto_recovery option is used on the Controller to overcome the Azure maintenance windows it causes the ethernet interfaces on the gateways to go missing. 
In some cases, the API failed to stop and start the affected gateways. If you have this feature enabled, please disable it and then enable it again after the upgrade or open a Support ticket at https://support.Aviatrix.com to get assistance. + +6.5.2721 (11/18/2021) +===================== + +**Issues Corrected in Aviatrix Release 6.5** + +- **AVX-15735** - CoPilot unable to display gateway active sessions from the Aviatrix Controller. +- **AVX-16494** - CPU overconsumption by IP processes on gateways. +- **AVX-16572** - Listing interfaces on a gateway takes a long time with large number of Site2Cloud connections. +- **AVX-16601** - In some corner cases, if the API enable_gateway_auto_recovery option is used on the Controller to overcome the Azure maintenance windows it causes the ethernet interfaces on the gateways to go missing. In some cases, the API failed to stop and start the affected gateways. If you have this feature enabled, please disable it and then enable it again after the upgrade or open a Support ticket at https://support.Aviatrix.com to get assistance. + +**Feature Enhancements in Aviatrix Release 6.5** + +- **AVX-9927** - Added message for unstable network connectivity prompting user to refresh page to reconnect. +- **AVX-10080** - Added support for Transit Firenet in AWS China for Checkpoint. + +6.3.2551 (11/12/2021) +===================== + +**Issues Corrected in Aviatrix Release 6.3** + +- **AVX-16569** - Controller image migration fails to progress past the initialization state. + +6.3.2548 (11/04/2021) +===================== + +**Issues Corrected in Aviatrix Release 6.3** + +- **AVX-15897** - Fixed an issue for Gateway Replace/Create/ForceUpgrade operations if Splunk logging was enabled on it, which was seen on all releases after 10/13/2021 (when Splunk behavior changed). +- **AVX-15985** - Fixed the issue where the Controller get_gateway_stats API was returning stats for deleted interfaces. 
+- **AVX-16017** - Users were unable to create Microsoft Azure Resource Manager (ARM) China Gateway for the 6.3 version. This issue was fixed by updating an Azure China image link for 6.3. +- This release includes a fix for the security vulnerability AVI-2021-0006 that would allow an unauthenticated attacker to execute arbitrary code on the Controller (this vulnerability was also fixed by our security patch released on 10/25/2021 as described here https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html#security-patch-note-10-25-2021). + + +Security Patch Note for Controllers (11/01/21) +===================================================================== + +**Subject**: AVI-2021-0005 Apache Request Smuggling Vulnerability Security Patch. + +**Issues**: This patch addresses vulnerabilities fixed by Apache version 2.4.51. + +Aviatrix released new AMIs for AWS on 10/13/21 to address vulnerabilities (`CVE-2021-40438 `_ and `CVE-2021-33193 `_). You are fully covered if you migrated your Controller to use the new AMIs mentioned in `Controller Images: AWS AMI – Version 100621 `_, following the instructions for `existing customers to perform a Controller image upgrade `_. + +This patch will address the same issue without requiring a Controller migration. + +For Controllers running in AWS, Aviatrix recommends that you migrate your Controllers as instructed in `Existing Customers - Controller Image upgrade (Migration) `_. + +For Controllers running in cloud service providers other than AWS (Azure, GCP, etc.), you can apply this security patch. + +To apply the security patch: + + #. Secure a maintenance window and execute the following during the maintenance window. + + #. Go to your Controller (any version) management console. + + #. Go to Settings > Maintenance > Backup & Restore. Make sure you have a backup of your current settings. + + #. Go to Settings > Maintenance > Security Patches and click on "Update available patches". + + #. 
From the list of patches, apply the "AVI-2021-0005 Apache Request Smuggling Vulnerability" patch. + + #. Back up your Controller again. + + +(CloudN standalone mode) To apply the security patch if you have CloudN running in a standalone mode, Aviatrix suggests you run the following in a maintenance window: + + #. Go to CloudN > Maintenance > Security Patches and click on "Update available patches". + + #. Please make sure that CloudN has outbound access to 0.0.0.0/0 for ports 80 and 443 before applying the patch. + + #. From the list of patches, apply the "AVI-2021-0005 Apache Request Smuggling Vulnerability" patch. + + +(CloudN in CaaG mode) To apply the security patch if you have CloudN running in a CaaG mode, Aviatrix suggests you run the following during a maintenance window: + + #. Detach CaaG from the Transit Gateway. + + #. Deregister the CaaG Gateway. + + #. Reload the CloudN UI page. + + #. Go to CloudN > Maintenance > Security Patches and click on "Update available patches". + + #. Please make sure that CloudN has outbound access to 0.0.0.0/0 for ports 80 and 443 before applying the patch. + + #. From the list of patches, apply the "AVI-2021-0005 Apache Request Smuggling Vulnerability" patch. + + #. Register CaaG back to the Controller. + + #. Attach CaaG back to the Transit Gateway. + + +6.4.2945 (10/31/2021) +===================== + +**Issues Corrected in Aviatrix Release 6.4** + +- **AVX-11175** - FQDN feature will handle any case changes to the UserAgent field made by a proxy. +- **AVX-15438** - For gateways with HPE connections to other gateways or CloudN gateways, a resize-up operation will make use of excess capacity, but a later replace operation might cause gateway to go to config_fail state. This fix addresses the issue. +- **AVX-15528** - The real-time status of the gateway is not returned in GCP when there are a large number of instances in the VPC. +- **AVX-15599** - Cannot launch a gateway on private OOB Controller. 
+- **AVX-15897** - Fixed an issue for Gateway Replace/Create/ForceUpgrade operations if Splunk logging was enabled on it, which was seen on all releases after 10/13/2021 (when Splunk behavior changed). +- **AVX-15978** - The conntrack allow all rule should always be above DROP all rule. The order should be honored. Fixed in this release. +- **AVX-15985** - Fixed the issue where Controller get_gateway_stats API was returning stats for deleted interface. +- **AVX-16066** - Stateful-Firewall ESTABLISHED rule deleted from FORWARD chain. +- **AVX-16100** - Fix that allows configuration of DNAT on transit GW on non-active mesh connection. + + +6.5.2613 (10/28/2021) +===================== + +**Issue Corrected in Aviatrix Release 6.5** + +- **AVX-15444** - This fixes CaaG registration version check error. + + +6.5.2608 (10/27/2021) +===================== + +**Feature Enhancements in Aviatrix Release 6.5** + +- Added support for AWS BGP over LAN to support multiple peer instances. Scale up to 10 BGP over LAN peers per Transit Gateway, and 20 total per Transit Gateway pair. This provides a higher throughput, better redundancy, and a consolidation of BGP over LAN peers for on-prem connectivity on a pair of Transit Gateways. For more information, see the discussion about `BGP over LAN Multi-Peer `_. +- Added fields “ec2 role” and “app role” in the Controller UI to support custom roles for AWS IAM based accounts. It is highly recommended to use a customized name for "ec2 role" and "app role" instead of the Aviatrix default roles for better security. +- **AVX-15101** - Added support for Azure Government Cloud Availability Zones. + +**Issues Corrected in Aviatrix Release 6.5** + +- **AVX-9927** - The Controller does a page refresh automatically when detecting a network issue. +- **AVX-11175** - FQDN feature will handle any case changes to the UserAgent field made by a proxy. 
+- **AVX-13851** - Site2cloud edit to update Local Identifier as private IP for External Device connection will update all tunnels correctly. +- **AVX-14224** - Improvements to Spire Gateway Service for handling a large number of gateways. +- **AVX-14240** - Improved messaging for CloudN without public IP. +- **AVX-14397** - CaaG’s state changed to config_fail due to a wrong certificate name. +- **AVX-14600** - Support Palo Alto Firewall vendor integration with multiple IPs configured on the eth interfaces +- **AVX-14610** - Corrected non-ASCII characters while displaying the logs from Troubleshoot->Logs. +- **AVX-14619** - Fixed an issue causing packet drops when migrating from ActiveMesh 1.0 to 2.0. +- **AVX-14678** - Support multiple firewalls to be created and attached to Transit Gateway in Azure when Panorama vendor integration is configured. +- **AVX-14700** - Addressed an issue where some Gateways could be reported in a down state if Certificate Domain is updated. +- **AVX-14729** - Fixed an issue with cloudN upgrade failing dry run caused due to SSLError (Cert Expired). +- **AVX-14820** - Addressed an issue with Gateways being in up state during an upgrade from 6.4 to 6.5. +- **AVX-15012** - Exception error during disabling OCI transit firenet function. +- **AVX-15071** - Fixed firewall tuple setting from changing during Controller upgrade. +- **AVX-15083** - Fixed issues with Site2Cloud with “Single IP HA” feature having issues with customized SNAT features when “sync to HA gateway” configuration is enabled. +- **AVX-15138** - Fixed route table priority to deal with CIDR overlap between advertised routes from Transit and CaaG/CloudN eth2 MGMT interface. +- **AVX-15198** - Process optimization to avoid db updates when transit gateway details are listed by the Aviatrix Controller or CoPilot. +- **AVX-15238** - Fixed a CaaG registrion failure issue after the cert domain is changed from default. 
+- **AVX-15332** - Fixed an issue that was causing the Controller migration process to fail. +- **AVX-15454** - Deleted dependency of storage account for Azure China gateways. +- **AVX-15528** - The real-time status of the gateway is not returned in GCP when there are a large number of instances in the Project. +- **AVX-15639** - When replacing a gateway using image upgrade the new gateway was missing the Aviatrix-Created-Resource tag. This has been fixed by ensuring the tag is added while launching the new gateway. +- **AVX-15653** - Fixed an issue where Controller migration fails when custom IAM roles and limited permissions are used. +- **AVX-15704** - Fixed the issue when creating an IKEv2 enabled site2cloud connection, where "Failed to establish a new connection" error displays. +- **AVX-15897** - Fixed an issue for Gateway Replace/Create/ForceUpgrade operations if Splunk logging was enabled on it, which was seen on all releases after 10/13/2021 (when Splunk behavior changed). +- **AVX-15978** - The conntrack allow all rule should always be above DROP all rule. The order should be honored. Fixed in this release. +- **AVX-15985** - Fixed the issue where Controller get_gateway_stats API was returning stats for deleted interface. +- **AVX-16100** - Fix that allows configuration of DNAT on transit GW on non-ActiveMesh connection. +- **AVX-16130** - Fixed an issue where S2C GRE tunnel was showing it was down even though the S2C connection passing traffic with BGPoGRE was up. +- This release includes a fix for the security vulnerability AVI-2021-0006 that would allow an unauthenticated attacker to execute arbitrary code on the Controller (this vulnerability was also fixed by our security patch released on 10/25/2021 as described here https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html#security-patch-note-10-25-2021). + + +- The following CVEs were addressed in this release: `CVE-2007-2243 `_ and `CVE-2004-1653 `_. 
+ +**Known Behaviors in Aviatrix Release 6.5** + +- **AVX-16151** - The [NAT] incorrect tunnel is used during DNAT rule programming for Transit Gateway with HA. When DNAT is configured on non-active-mesh Transit Gateway with "Sync to HA" enabled, the DNAT rule may not be programmed correctly on HA Gateway and the Transit Gateway failover may see traffic impact. **Workaround** The workaround for this issue is that the DNAT config needs to be separately programmed on the primary and HA Gateway rather than programming on the primary Gateway side with "Sync to HA" enabled. + + +Security Patch Note (10/25/2021) +===================================================================== + +**Subject**: AVI-2021-0006 Critical Vulnerability Security Patch + +**Issues**: This security patch contains a fix for a Controller vulnerability. + +This security patch was made available Monday, October 25th, 2021 at 05:00PM PST. The critical vulnerability addressed by this patch was privately disclosed to Aviatrix and is not known to be exploited. It affects services of our Controller available on port 443 and would allow an unauthenticated attacker to execute code on the controller. This could be mitigated by limiting access to the https/port 443 of the Controller, or by running a Web Application Firewall (WAF) in front of it. + +For more information about securing Controller access, see https://docs.aviatrix.com/HowTos/FAQ.html#how-do-i-secure-the-controller-access. + +Aviatrix strongly recommends you install the **AVI-2021-0006 Critical Vulnerability Security Patch**. 
+ +To apply a security patch, please refer to the following steps: + +* First, do a backup on your Controller in “Controller/Settings/Maintenance/Backup&Restore/Backup Now” +* Go to “Controller/Settings/Maintenance/Security Patches” and click on “Update Available Patches” +* You should see a new patch called: “AVI-2021-0006 Critical Vulnerability Security Patch” +* Apply the patch, by clicking on the icon on the right and selecting “Apply Patch” +* Take a backup again at “Controller/Settings/Maintenance/Backup&Restore/Backup Now” + +**Note:** + +* The security patch does not impact the data path or control path and can be executed without a maintenance window +* This patch can be applied on releases 6.2 and higher +* Aviatrix **strongly recommends** you to upgrade to releases 6.4 or higher. Please check out the `release notes `_ and follow the `upgrade instructions `_ + + +Security Note 6.5.1936, 6.4.2869, 6.3.2526, and 6.2.2052 (10/11/2021) +===================================================================== + +**Subject**: Security release for Aviatrix versions 6.5.1936, 6.4.2869, 6.3.2526, and 6.2.2052. + +**Issues**: The latest 6.5, 6.4, 6.3, and 6.2 versions contain fixes for two vulnerabilities. + +**AVX-15638** – Corrected vulnerability that could result in a Denial-of-Service (DoS) in Aviatrix's controller API which allows an attacker to fill the disk of the controller. The API vulnerability is blocked in the latest controller software versions. + +For more information, see `CVE-2021-40870 `_ + +**AVX-15740** - The latest version of the Aviatrix AWS CloudFormation stack improves security by removing 0.0.0.0 entry on port 443 so the Aviatrix controller is not open to the world by default. However, this means related gateway IP entries need to be added to the security group when a new gateway is deployed for the gateway to talk to controller. 
To achieve this automatically, the Controller Security Group Management feature will be auto enabled when a user creates the first AWS account. If you are performing the manual backup and restore procedure, please inherit all the original security groups in the newly launched controller. + +Mitigation: Please upgrade to the latest release. For detailed instructions related to this security upgrade, please see https://aviatrix.zendesk.com/hc/en-us/articles/4410621458317. + +-If you are running 6.2, upgrade to 6.2.2052 or later. Aviatrix strongly recommends you upgrade to 6.4.2869 or later, 6.2 `EoL `_ is 10/15/2021. + +-If you are running 6.3, upgrade to 6.3.2526 or later. Aviatrix strongly recommends you upgrade to 6.4.2869 or later, 6.3 `EoE `_ was 7/31/2021. + +-If you are running 6.4, upgrade to 6.4.2869 or later. + +-If you are running 6.5, upgrade to 6.5.1936 or later. + +6.4.2859 (9/22/2021) +===================== + +**Feature Enhancements in Aviatrix Release 6.4** + +- **AVX-15101** - Added support for Azure Government Cloud Availablility Zones. +- Enhanced stateful firewall functionality. +- Enhanced certificate functionality. + +**Issues Corrected in Aviatrix Release 6.4** + +- **AVX-14678** - Unable to create multiple firewalls attached to the same transit gateway in Azure environments. +- **AVX-15138** - When a spoke or transit gateway advertises a CIDR that overlaps with a CaaG or StandAlone CloudN MGMT eth2 subnet, and the client application accesses the device through the eth2 MGMT interface, the reply traffic is not returned through the eth2 MGMT interface. +- **AVX-15198** - When transit gateway details are listed by the Aviatrix Controller or CoPilot, an exception may occur because the request is in replica mode and incorrectly tries to update the Mongo DB. 
+ +Security Note 6.2.2043, 6.3.2490, 6.4.2838, and 6.5.1922 (9/11/2021) +=================================================================== + +**Subject**: Security release for Aviatrix versions 6.5, 6.4, 6.3, and 6.2. + +**Issues**: The latest 6.5, 6.4, 6.3, and 6.2 versions contain fixes for several vulnerabilities in the controller API: + +- Several APIs used to upload configurations of certain services did not verify the authentication of the service or user executing the API call properly. +- `CVE-2021-40870 `_: Similar APIs designed to upload files from authenticated users did not properly sanitize their destination input, which could eventually allow an unauthenticated user to execute arbitrary code via directory traversal. +- Fix for Aviatrix issue AVX-14852 described in Aviatrix FN 0032: In rare occasions, Controller backup file could get corrupted, resulting in gateways being shown as “down” if used for a Controller restore. + +**Mitigation**: Please upgrade to the latest release. For instructions, go to `support.aviatrix.com `_ and search for *Aviatrix Controller Upgrade*. + + +- If you are running 6.2, upgrade to 6.2.2043 or later. Aviatrix strongly recommends you upgrade to 6.4.2838 or later, 6.2 `EoL `_ is 10/15/2021. +- If you are running 6.3, upgrade to 6.3.2490 or later. Aviatrix strongly recommends you upgrade to 6.4.2838 or later, 6.3 `EoE `_ was 7/31/2021. +- If you are running 6.4, upgrade to 6.4.2838 or later. +- If you are running 6.5, upgrade to 6.5.1922 or later. + +**Credit**: Aviatrix would like to thank the team at Tradecraft (https://www.wearetradecraft.com/) for the responsible disclosure of these issues. + +6.5.1905 (8/24/2021) +===================== + +**New Features in Aviatrix Release 6.5** + +**Selective Upgrades** + +To facilitate less disruptive upgrades and reduce maintenance windows Aviatrix provides a rolling selective upgrade process. 
You can choose to upgrade all Aviatrix gateways simultaneously or select specific gateways and regions to upgrade in logical groups conforming to your network update policies and maintenance windows. For more information, see `Upgrading the Aviatrix Cloud Network Platform `_. + +**Feature Enhancements in Aviatrix Release 6.5** + +- **AVX-9881** - Added support for using the same Azure Virtual Network name and resource group names under different subscriptions. +- **AVX-10188** - Added warning message when disabling the import certificate which includes the impact and effects of disabling the certificate. +- **AVX-10493** - Added support for Alibaba cloud including China regions in Aviatrix FlightPath. +- **AVX-10799** - Added support for Alibaba cloud including Global and China regions to Aviatrix VPC Tracker. +- **AVX-13615** - Added AWS GuardDuty support for AWS GovCloud monitoring. + +**Modified Behaviors in Aviatrix Release 6.5** + +- **AVX-9894** - Removed deprecated optional custom logging fields for Splunk, Sumo, and FielBeat from the user interface. +- **AVX-10113** - When you import security certificates on the gateways and controller, the certificate must include the proper FQDN. + + For example: + openssl req -new -subj "/C=GB/CN=foo" \ + -addext "subjectAltName = DNS:foo.co.uk" \ + -addext "certificatePolicies = 1.2.3.4" \ + -newkey rsa:2048 -keyout key.pem -out req.pem + +Alternatively, you can add the SubjectAlternateName (SAN) tag in the openssl.cnf file before generating the certificate. The SAN tag makes sure your certificate includes the SubjectAlternateName which is validated by the Apache server on the controller. Versions of UserConnect-6.4 and later require the proper SubjectAlternateName including altNames be set in the certificates when they are imported. If the SAN is not specified, importing the certificates fails. 
+ +- **AVX-14009** - Added option to allow all traffic from the local VPC CIDR block to the network security group created during the OCI gateway creation process. Previously, only TCP port 443 traffic from the controller was added to the security group. By default, OCI allows all traffic from RFC1918 blocks. This change only applies to non-RFC1918 VPC CIDR block configurations. + +**Known Behaviors in Aviatrix Release 6.5** + +*Upgrading to Aviatrix Release 6.5* + +- This behavior does not affect ActiveMesh gateways. In non-ActiveMesh environments, only one transit or spoke gateway can have the image upgraded or the software rolled back at a time. If you select multiple gateways, you receive an error message. For multiple API calls to replace gateways using Terraform, only one gateway is allowed and the others fail. For Terraform calls, Aviatrix recommends you set parallelism=1. + +*Gateway Issue Discovered After Upgrade* + +In rare cases where the controller and a group of gateways are selected for upgrade and a fatal bug is discovered in the new software, a situation where the controller and gateways remain running different versions could develop. If this condition occurs assistance from Aviatrix Support is required. +For example: +A controller and gateways are running version 6.5.200. + +- You upgrade the controller and a subset of gateways to 6.5.300. +- You rollback the gateways to 6.5.200 because of a bug in the 6.5.300 software. +- Now the controller is running 6.5.300 and all gateways are running 6.5.200, and the gateways cannot successfully be upgraded to 6.5.300 because of the bug. +- The bug is resolved in controller version 6.5.400, so you want to upgrade to 6.5.400 to resolve the issue. However, this is not supported because the controller and gateways must be running the same software version before the controller can be upgraded. +- In this corner case, you must contact Aviatrix Support to upgrade the controller to the newer version. 
Support will diagnose the issue and provide the API operation required to perform the con-troller upgrade. + +*Gateway Rollbacks* + +Gateway rollback operations are not supported after Controller restore operations. + +**Issues Corrected in Aviatrix Release 6.5** + +- **AVX-10552** - Changed TGW VPN tunnel details response in API so list_attachment_route_table_detail returns are in dictionary format rather than a long string. + + +6.4.2830 (08/28/2021) +===================== + +**Issues Corrected** + +- **AVX-13787** Incorrect gateway status is reported for default routes when an OCI gateway in insane mode is attached to a Transit FireNet gateway. +- **AVX-14295** When on-premise routes are a injected or withdrawn, they are incorrectly removed in connected domain route tables. +- **AVX-14426** Newly deployed cloud gateways use a new IKE implementation and may cause negotiation issues when spoke or on-premise tunnels are configured with an older IKE implementation on one side and the new Aviatrix IKE implementation on the transit side. You may observe tunnels taking a long time to become established, and on occasion may observe route flapping even after the tunnel is established. +- **AVX-14689** Creating an Aviatrix gateway in the Alibaba Cloud may fail because the public IP address may not get converted to an elastic IP address. + +6.4.2791 (08/20/2021) +===================== + +- **Bug fix** The FQDN egress filtering gateway blocks traffic after adding whitelisting tags to the egress filtering gateway. + + +6.4.2783 (07/15/2021) +===================== + +- **Bug fix** This issue is related to our smallest supported instance size in AWS which is t2.micro. In 6.4 the t2.micro instances were under additional memory pressure because of new services enabled in 6.4. As a result, some customers may experience gateway down events after upgrading to 6.4. This issue resolves those issues by optimizing several scheduled jobs which burden the t2.micro appliances. 
+- **Enhancement** In order to alleviate memory pressure on our smallest supported AWS instance size; t2.micro, we now enable swap memory on instances with less than 1G of memory. This allows short periods of over-provision to be tolerated by the operating system ensuring continuous operations. + + +R6.4.2776 (07/13/2021) +======================== + +.. note:: + - If upgrading from 6.3 to 6.4, please make sure to upgrade the image to 6.3 latest first before upgrading it to release 6.4. + - Starting 6.4, Standalone CloudN no longer support HPE over Internet + +- **Bug fix** NAT rule is missing after replacing a gateway with and S2C mapped tunnel. +- **Bug fix** When an S2C mapped tunnel route is modified the old iptable entry is not removed. +- **Bug fix** HA Controller restorations partially fail when DataDog API is integrated. +- **Bug fix** In Azure clouds the Controller does not deploy more than one firewall instance in the same availability set as the Controller. +- **Bug fix** False license expiration alerts can be sent to subscribers. +- **Bug fix** When adding a FireNet instance to the routing path, the default value of the "Attach" flag should be "false". +- **Bug fix** In some implementations, the firewall does not block traffic to subdomains of domains that are on the whitelist. +- **Bug fix** The RBAC permissions for Site2cloud configuration download are not correct. +- **Bug fix** Failed to attach HPE Spoke to Transit due to route already exists error. +- **Bug fix** Controller unable to push RFC-1918 route to Panorama. +- **Bug fix** Azure Peering UI filter not working. +- **Bug fix** Unable to enter User VPN filter content fields on the Controller dashboard. +- **Enhancement** Reduced memory consumption for BGP event monitoring process and other processes. +- **Enhancement** Improved reliability by requiring the OVPN file to use the Global Accelerator DNS name to resolve to the 2 static IP addresses of the accelerator. 
+- **Enhancement** Allow changes to the MTU setting in the Aviatrix OVPN client during runtime. +- **Enhancement** Shortened execution time and memory usage for removing list_vpc and list_saml_info users. +- **Enhancement** Allow the same PSK to be used for primary and backup Aviatrix gateways based on S2C tunnel policy. +- **Enhancement** Allow use of colon in tags. + + +R6.4.2674 (06/26/2021) +======================== + +- **Bug fix** In AWS and Azure clouds, gateway and FireNet tag keys and values do not support the colon (:) and other special characters. +- **Bug fix** Added support for Azure Controller Security Group Management allowing the Network Security Group and the Azure Controller to use different Resource Groups. +- **Bug fix** Added support for Multiple Dynamic SAML Profile attributes for controller login in list format. +- **Bug fix** Added size suggestions for deploying ActiveMesh Insane Mode gateway instances in Azure India regions. +- **Bug fix** Transit list page displays exceptions during gateway deployment. + + +R6.4.2672 (06/11/2021) +======================== + +- **Bug fix** Gateway FQDN logs fail to download resulting in an error message. +- **Bug fix** Availability Domain and Fault Domain not available in OCI gateway and firewall instances. +- **Bug fix** Terraform bug fix, cannot delete all gateway tags. +- **Bug fix** SNAT cannot be disabled on Azure spoke gateway. +- **Bug fix** OCI Gateways deployed with Active Mesh are not being deployed in separate Availability Domains. +- **Bug fix** CAAG OCI, OCI tunnels missing after replacing the OCI transit gateway +- **Bug fix** Aviatrix Controller in Azure unable to push RFC-1918 route to Panorama in OCI. +- **Bug fix** Intermittent connectivity issues from CoPilot to Controller. +- **Bug fix** Enabling FQDN Discovery fails, some configuration changes are not removed, and the network connection breaks. 
+- **Bug fix** Upgrade fails when upgrades from 6.3 to 6.4 using the upgrade to latest release feature. +- **Bug fix** Cannot add certificates to LDAP configuration, error C:\fakepath\user.crt does not exist. +- **Enhancement** Aviatrix Controller blocks multiple simultaneous logins from one account. + + +R6.4.2618 (05/30/2021) +======================== + +.. note:: + Customers using Azure Controller Release 6.3 and managed CloudN, should hold off upgrading Controller with CloudN to 6.4 until next 6.4-patch + +- **Bug fix** Enabling segmentation caused some routes missing in the spoke routing table +- **Bug fix** Fixed exception for SAML VPN connection. +- **Bug fix** In Ali Cloud, Transit gateway showed all connections down. +- **Bug fix** In some corner cases Controller HA, backup/restore broke the control connection between the controller and CloudN. +- **Bug fix** Fixed exception when downloading the OCI OVPN file. +- **Bug fix** Fixed Managed CloudN exception during registration. +- **Enhancement** In IAM policy, enable parallel role swapping after role name change. + + +R6.4.2561 (05/18/2021) +======================== + +.. note:: + Customers should hold off upgrading Controller with CloudN to 6.4 until next 6.4-patch + +- **Bug fix** When FQDN gateways deployed in HA topologies have private route tables with the IAM deny policy applied, the default route restoration fails when the FQDN feature is disabled. Default route restoration only works only in non-HA topologies. +- **Bug fix** In the Alibaba cloud, after running for a while BGP sessions on the IPSEC tunnel can go down at random. +- **Bug fix** When using insane mode over the internet, missing Elastic IP addresses can cause some tunnels not to come up. +- **Bug fix** When a new transit gateway for FireNet is launched on Azure, a false notification indicating that interface eth1 is down and needs to be restarted manually is sent. 
+- **Bug fix** Disconnecting last BGP connection does not clear the IP prefix configuration. +- **Bug fix** When a new best path is selected, old routes are deleted causing traffic interruptions. +- **Bug fix** In GCP, when FireNet and FQDN Filtering are enabled the gateway is no longer associated with the existing instance group after the gateway is replaced. +- **Bug fix** Deleting then recreating transit peering connections blocks some tunnels from delivering traffic. +- **Bug fix** In GCP, after a NIC connection goes down the gateway fails to restart. +- **Bug fix** Route updates can take excessive time after upgrading to 6.4. +- **Bug fix** Unable to attach OCI spoke gateway to OCI transit gateway after upgrading to 6.4. +- **Bug fix** When a spoke is attached to an egress IP, the skip public route table update operation is not working. +- **Bug fix** Some gateways may not be upgraded during the 6.4 upgrade process. +- **Bug fix** When FQDN gateways deployed in HA topologies have private route tables with the IAM deny policy applied, the default route restoration fails when the FQDN feature is disabled. Default route restoration only works only in non-HA topologies. +- **Bug fix** Block creating a global network from AWS China controllers. +- **Bug fix** In Alibaba clouds, after deleting a transit gateway you may find invalid paths to certificates. +- **Bug fix** Enable the custom Gateway IAM role feature for AWS China and Government clouds through the API. + + +R6.4.2499 (05/10/2021) +======================== + +1. Multi-Cloud Transit Network +-------------------------------- +- **Alibaba Cloud Support** expands the Aviatrix Multi-Cloud Transit solution to support the Alibaba Cloud. This includes support for Ali Global and Ali China region. 
For more information, check out `Alibaba Cloud Account Credential Setup `_ + +- **China Multi-Cloud Network Architecture Support** expands the Aviatrix Multi-Cloud Transit solution to AWS, Azure, and Alibaba public clouds in China regions. For more information, check out `Aviatrix China Overview `_. Support includes: + + * Aviatrix Controller image and CoPilot image in AWS China Marketplace. + + * Multi-Cloud Transit solution in AWS China, Azure China and Alibaba China regions. + +- **Multi-Tier Transit** supports the hierarchical Multi-Cloud Transit gateway deployment model, and adds the ability to traverse more than two Aviatrix Multi-Cloud Transit gateways. This feature improves operational simplicity by aggregating multiple Aviatrix Transits. One use case is centralized firewall design for multiple Aviatrix-Transits in a single region, which allows in-region traffic without any inspection. To configure Multi-Tier Transit, go to Multi-cloud Transit -> Advance Config. Select the Transit Gateway and enable the Multi-Tier Transit feature. For more information, refer to `Multi-Tier Transit doc `_ +- **Transit Peering Insane Mode Support over Public Network** provides high performance Transit Gateway peering to multi-cloud networks with public network connectivity between AWS and Azure only. To configure Insane Mode over public networks, go to Multi-cloud Transit -> Transit Peering -> +Add New. Select the option Insane mode over Internet for a new peering connection. For more information, refer to `Peering over Public Network or Internet doc `_ +- **OCI Transit Insane Mode Support** expands our Insane Mode Encryption Service to OCI networks. The support includes Insane Mode for VCN to VCN encrypted peering and Transit Peering connections. Launch an OCI gateway with Insane Mode enabled to get started. For more information, refer to `OCI Performance Test Results `_ +- **IAM Role and Policy for Gateways** separate IAM policy for Aviatrix gateway. API support only. 
+- **BGP Connection Holdtime** can now be modified through the Aviatrix Controller. One use case of modifying BGP Hold Timer is to have a quicker BGP failover time. For more information, refer to `BGP Hold Time doc `_ + +2. FireNet +------------- +- **Aviatrix Transit FireNet for OCI** allows you to deploy firewall instances in OCI. The OCI FireNet can be used for East-West, North-South and Ingress-Egress inspection with Palo Alto Networks VM-Series only. For more information, check out `Transit FireNet Workflow for OCI `_ and `Example Config for Palo Alto Network VM-Series in OCI `_. +- **FireNet Fortinet Integration Enhancement** now supports Fortinet firewall integration with the Aviatrix Transit FireNet solution. This integration allows automatic route updates in Fortigate routing tables by the Aviatrix Controller. You no longer need to statically configure RFC 1918 or any other routes in Fortigate. This integration is supported for AWS, Azure, and GCP Public clouds only. For more information, check out `Transit FireNet Workflow for AWS, Azure, GCP, and OCI `_ + +- **Check Point CloudGuard in GCP** is now available when deploying Aviatrix Transit FireNet. Refer to this example `CheckPoint workflow in GCP `_ for more details. +- **Fortinet Fortigate for GCP** is now available in GCP when deploying Aviatrix Transit FireNet. +- **Custom AMI Support for Firewall Instances** allows customer to launch the special images provided by firewall vendors. API support only. + +3. Site2Cloud +--------------- +- **Dynamic routes update for Site2Cloud Connections** adds the capability to auto advertise or remove the remote subnet automatically based on the Up/Down status of the Site2Cloud tunnel. To configure dynamic routes for Site2Cloud, go to Multi-Cloud Transit -> List -> Spoke -> Select Spoke Gateway and click "Auto Advertise Spoke S2C CIDRs" to enable dynamic routes. 
For more information, refer to `Auto Advertise Spoke Site2Cloud CIDRs doc `_ +- **Site2Cloud Single Public IP Failover Support** enhances the HA mechanism to use a single public IP address and single tunnel from the remote site (on-prem) point of view. To configure Site2Cloud Single Public IP Failover, go to Site2Cloud -> Add New -> Enable HA. Check the box to Enable Single IP HA to activate Single Public IP Failover. This applies to AWS and Azure only. For more information, refer to `Site2Cloud IPSec VPN Instructions `_ +- **Jumbo Frame Support** adds the ability to turn on/off Insane Mode jumbo frame support for the Site2Cloud tunnel between the Aviatrix Transit Gateway and CloudN. To enable jumbo frame support, go to Site2Cloud -> Select Site2Cloud connection to CloudN. Click Edit and enable jumbo frame support. For more information, refer to `Jumbo Frame doc `_ + +4. Security +--------------- +- **Egress FQDN Enhancement** is now supported for multiple Egress FQDN gateways in GCP. This feature includes support for GCP Shared VPC as well as Distributed and Centralized Egress for FQDNs. + +5. Operations +----------------- +- **Create a VPC Enhancement** adds an option in "Create a VPC" to select an existing Resource Group for Azure under Advanced options. +- **Co-Pilot integration with Controller** delivers the operational simplicity you need by presenting Aviatrix Controller as a single-pane of glass for managing the Day 0, Day 1 and Day 2 operations of the cloud fabric. The integration with Co-Pilot brings additional capabilities including the SAML and DUO integration, and RBAC control. To configure the CoPilot Controller integration, log into the Aviatrix Controller console and go to Settings -> CoPilot -> Enable CoPilot Association to integrate CoPilot with Aviatrix Controller. 
For more information, refer to `CoPilot doc `_ +- **Performance and Scalability Improvements** Significant performance improvements for the Aviatrix Multi-Cloud Network Architecture (MCNA) especially for a very large enterprise networks. +- **Route Table Optimization** allows customer to skip public route table programming. This is supported in AWS only. For more information, refer to `Transit List doc `_ +- **Notification Enable/Disable Option** gives an ability to customers to disable exception emails send to Aviatrix. For more information, refer to `How to not send exception notification to Aviatrix doc `_ + +6. Behavior Change Notice +-------------------------- +- Aviatrix is setting the public IP address of a peer device as the default remote identifier for an S2C connection. If the peer device uses its private IP address as the local identifier, the user needs to manually update the private IP of the peer device to use the remote identifier. In the Aviatrix Controller, go to the Aviatrix S2C page -> Edit connection -> Remote Identifier and update the private IP of the peer device to use the remote identifier. + +- The API "get_transit_or_spoke_gateway_details" result format changed. + +- Two CaaG can’t have the same public IP, e.g. mgmt interface behind the same NAT gateway. + +7. Before you Upgrade +-------------------------- +- Gateway FQDN names (gateway_name + aviatrixnetwork.com) longer than 64 characters will prevent gateways from booting up correctly. +- Standalone CloudN cannot be upgrade to 6.4. +- Please review the latest field notices (FN#22 - 28), and take a recommended action for any `field notices `_ applicable to your environment. +- Aviatrix released new gateway and Controller images/AMIs for AWS and Azure. + +R6.3.2475 (05/22/2021) +======================= +- **End of life** Gateway images based on Ubuntu 14 and Ubuntu 16 are deprecated. You MUST replace these with Ubuntu 18 based images before upgrading to 6.4. 
Refer to FN28 for more details. +- **Bug fix** Fixed exception for OCI gateway launch. +- **Bug fix** Fixed bug in GCP FireNet with Palo Alto VM-Series image version listing. +- **Bug fix** In some corner cases Controller HA, backup/restore breaks the control connection between the controller and Cloudn. +- **Bug fix** Fixed an issue with BGP route advertisement after spoke attachment +- **Bug fix** When a gateway NIC goes down, an alert will be triggered and the gateway will be taken down and brought back up again after self-remediation. +- **Bug Fix** If a VNet route table is deleted unexpectedly, VNets could connect to the wrong transit gateway spoke for the subscription. When VNets under different subscriptions use the same Resource group name, and both Spoke VNets connect to different transit gateways, the controller cannot distinguish which VNet should attach to which gateway. + +R6.3.2415 (04/19/2021) +======================= + +- **Co-Pilot integration with Controller** delivers operational simplicity by presenting Aviatrix Controller and CoPilot in a single pane of glass for managing the Day 0, Day 1 and Day 2 operations of the cloud fabric. The Aviatrix Controller integration with Co-Pilot adds capabilities to the Controller including SAML and DUO integration, and RBAC control. To configure the CoPilot Controller integration, log into the Aviatrix Controller console and go to Settings -> CoPilot -> Enable CoPilot Association to integrate CoPilot with Aviatrix Controller. +- **Enhancement** Improved CloudN to controller reachability mechanism for public and private subnets. +- **Enhancement** Improved error handling for Aviatrix Controller HA process. +- **Bug fix** Fixed the backup restoration API response for Aviatrix Controller HA mechanism. +- **Bug fix** Blocked the exclude CIDR feature for Native GWLB FireNet. +- **Bug fix** Fixed exception for Site2Cloud remote subnet modifications. +- **Bug fix** Corrected invalid netflow data sent to CoPilot. 
+- **Bug fix** Fixed GCP security rule for Site2Cloud over private IP. +- **Bug fix** Corrected route table programming for native GWLB. +- **Bug fix** Fixed gateway creation issue when customized IAM policy is used in AWS. +- **Bug fix** Fixed default route restoration for FQDN when discovery is disabled. +- **Bug fix** Improved error messages for native GWLB egress. +- **Bug fix** Allowed ActiveMesh 2.0 migration without disabling Transit FireNet for older releases. + + + +R6.3.2364 (03/18/2021) +======================= + +- **Aviatrix Transit FireNet for GCP** allows you to deploy firewall instances in GCP. For more information, check out `Transit FireNet Workflow `_. +- **Segmentation Enhancement** Add the Multi-Cloud Transit segmentation support for CloudN +- **Site2Cloud Enhancement** Clear Session option is added in Site2Cloud connection to clear the active connection sessions running through Aviatrix gateways. +- **Multi-Cloud Transit Enhancement** New capability to attach managed CloudN with Multi-Cloud Aviatrix Transit without High Performance Encryption (HPE) for Oracle cloud only. +- **FlightPath Enhancement** Add support for IP address as a source +- **TGW Enhancement** Add support for AWS TGW connect +- **Bug fix** Enhanced AWS ENA conntrack data into the syslog +- **Bug fix** Improve the route programming mechanism for Spoke VPC to filter the customize CIDRs first before installing into the Spoke VPC route table. +- **Bug fix** Fix the Dashboard status display issue for BGP over LAN. +- **Bug fix** Fix the Aviatrix Gateways "Polling" status after Controller Backup & Restore and IP migration +- **Bug fix** Add the missing parameters in template for “Export to Terraform” feature +- **Bug fix** Fix exception for CloudN registration after controller migration. + +R6.3.2247 (03/01/2021) +======================= + +- **Bug fix** Race condition causing exception for Aviatrix Transit Gateway peering. 
+- **Bug fix** Fix the TGW attachment deletion issue when customize IAM policy is used in AWS. +- **Bug fix** Fix the Site2Cloud diagnostics display issue. +- **Bug fix** Missing "Aviatrix-Created-Resource" tag for Aviatrix Gateway keypair in AWS. +- **Bug fix** Fix exception for CloudN when eth0 is down. + +R6.3.2216 (2/22/2021) +======================= + +- **Enhancement** Significant improvements in failover time through a series of optimization for overlapping networks. +- **Enhancement** Add Clear Session capability in Site2Cloud connection to clear all the conntrack sessions entry. +- **Enhancement** Add the Active-Standby mode on ActiveMesh 2.0 support for BGP over LAN scenario. +- **Enhancement** Add API support to unify programming RFC1918 routes in native egress domain +- **Enhancement** New capability to split sending gateway metrics and syslog to different log management systems +- **Bug fix** Allow more than 16 network CIDRs in the Site2Cloud configuration. +- **Bug fix** Address Route programming failure in OCI VCN route entry in Site2Cloud configuration. +- **Bug fix** Unable to launch Palo Alto VM-Series in AWS GovCloud. +- **Bug fix** Revert check introduced in 6.3.2092 for ActiveMesh 2.0 that blocks the Aviatrix Transit Peering if ASN# for Aviatrix Transit Gateways are same or not set. +- **Bug fix** Fix the long security domain names display issue in Aviatrix Controller. +- **Bug fix** Fix exception when using “Export to Terraform” feature for fqdn_tag_rule. +- **Bug fix** Fix the route propagation for HPE Aviatrix Transit Gateway eth0 in Azure. +- **Bug fix** Update RFC1918 routes in OCI VCN for non-default security list. +- **Bug fix** Fix the default route entry removal issue when "Use VPC/VNET DNS Server" feature in-use. +- **Bug fix** Security patch for SAML vulnerablity + + +R6.3.2092 (1/31/2021) +======================= + +1. 
Multi-Cloud Transit Network +-------------------------------- + +- **Transit in Azure with Express Route** allows you to build an Aviatrix Transit and Transit FireNet solutions while leveraging the native Azure Express Route for on-prem to cloud connectivity and route propagation. One use case is to deploy in an environment where encryption between data center and cloud is not required but using native high performance Express Route is required. Both native Spoke VNet and Aviatrix Spoke gateways are supported as Spoke attachment. For configuration workflow, follow the `Multi-cloud Transit Integration with Azure Expressroute workflow `_. + +- **Transit BGP over GRE Tunnel** provides an alternative tunneling protocol to IPSec when connecting Aviatrix Transit Gateway to on-prem. One use case is for an organization that requires high performance but not encryption. With GRE tunneling, Multi-cloud Transit Gateways in AWS connects with on-prem network devices without deploying Aviatrix CloudN appliances. Only available in AWS (Azure and GCP do not support GRE). For configuration information, refer to `Aviatrix Transit Gateway to External Devices `_. For end-to-end configuration workflow and performance benchmark, refer to `GRE Tunneling workflow `_. + +- **Transit BGP to LAN** allows Aviatrix Transit Gateways to communicate with other instances in the same VPC or VNet without running any tunneling protocol. One use case is to interoperate with cloud virtual appliances such as a SD-WAN cloud gateway instances that do not have the capability to support BGP over IPSec or GRE protocols. For configuration and performance information, refer to `BGP over LAN in AWS Workflow `_. For Azure, refer to `BGP over LAN in Azure Workflow `_. + +- **Manual Advertise Routes per BGP Connection** expands the existing gateway based manual advertising routes feature to apply it to each BGP connection. One use case is to have better route advertising control for each remote BGP peer. 
For configuration details, refer to `Connection Base Manual BGP Advertisement `_. + +- **Transit Approval per BGP Connection** expands the existing Aviatrix Transit Gateway based Transit Approval feature to apply it to each on-prem BGP connection for fine grain control of network CIDRs admitted to the cloud network. To configure, go to Multi-cloud Transit -> Approval. Select a Transit Gateway, select Mode Connection and select a connection, enable Learned CIDRs Approval. For more information, refer to `Transit Approval `_. + +- **Private Transit Gateway Peering with Single-Tunnel Mode** expands the existing Insane Mode Transit Gateway Peering Over Private Network to apply it to single IPSec tunnel. One use case is for low speed encryption between cloud networks (up to 4Gbps). For more information, refer to `Transit Peering in Single-Tunnel mode. `_. + +- **Transit to External Device Using IKEv2** provides an option to run IKEv2 with the on-prem site. For more information, refer to `Aviatrix Transit Gateway to External Devices `_. + +- **Client Proxy** allow both the Controller and Aviatrix gateways to use external proxy server for Internet facing API access. One use case is to satisfy compliance requirements where all traffic destined to Internet is required to go through a proxy server. For configuration information, refer to `proxy configuration `_. + +- **Improve AWS t3 instances IPSec performance** to up to 6Gbps (MTU 1500 Bytes) for Multi-cloud Transit and Spoke gateway without additional license charge. The mechanism is to allow Insane Mode to be applied the t3 series without charging the Insane Mode license. For performance details on t3 series, refer to `t3 series Insane Mode performance `_. + +- **Support N2 and C2 instance types on GCP gateways** improves Insane Mode performance on GCP cloud. For new network throughput with these new instance types, refer to `GCP Insane Mode Performance. `_ + +- **Managed CloudN Appliance** supports in GCP. 
Refer to `Managed CloudN workflow `_. + +- **License Info** license change to inter-cloud for Aviatrix Transit to AWS VGW connection. + + +2. FireNet +============= + +- **FireNet integration with AWS Gateway Load Balancer** provides the capability where adding or removing a firewall to the FireNet does not impact the existing established network sessions. AWS Gateway Load Balancer (GWLB) integration is supported for both TGW based FireNet and Multi-cloud Transit FireNet. For configuration details on TGW based FireNet without Aviatrix FireNet gateways, refer to `Native AWS GWLB Integration `_. For configuration details on TGW based FireNet with Aviatrix FireNet gateways, refer to `FireNet with GWLB `_. For Multi-cloud Transit FireNet GWLB integration, refer to `Enable Transit FireNet `_. + +3. User VPN +============= + +- **Download Aviatrix SAML VPN Client from Controller** provides self-service ability for organizations to download Aviatrix SAML VPN Client software from the Controller directly for SAML authenticated users. This simplifies administration for on-boarding new VPN users. To enable, go to OpenVPN -> Advanced -> Global Config -> Download SAML VPN Client to enable. For more information, refer to `Self Service Download SAML Client `_. + +4. Site2Cloud +============= + +- **Route based IPSEC with IKEv2** provides an option to run route-based VPN with IKEv2. For more information, refer to `Create Site2Cloud Connection `_. +- **Change Local Identifier** provides the flexibility to update either gateway's public IP address or private IP address as local identifier. To configure, refer to `Local Identifier `_. +- **DPD Parameters** can now be modified through the Controller User Interface in additional to API and Terraform. One use case of modifying DPD parameters is to reduce tunnel failure detection time. To configure, refer to `DPD Configuration `_. +- **Event Trigger** is a new mechanism to reduce failure detection time. 
This is an alternative to the default setting where tunnel status change is detected by a periodic monitoring process running on the gateways. To configure, refer to `Event Triggered HA `_. +- **Failover Time Reduction for Overlapping Networks** Significant improvements in failover time reduction through a series of optimization. Refer to `Tuning For Sub-10 Seconds Failover Time in Overlapping Networks. `_. + +5. Security +============== + +- **Reduce Email API Blocking** is an enhancement for non HTTP/HTTPS traffic configured on a FQDN gateway where a set of large site's well known IP addresses are pre-populated to the FQDN gateways, thus significantly reducing the probability that applications still cannot make API calls (mostly email services) even though the FQDN rules for these sites are configured. The set of sites are: gmail.com, hotmail.com, microsoft.com, live.com, outlook.com, office.com ad office365.com. The applicable TCP ports are: 25, 465, 587, 143, 993 and 995. +- **Edit Stateful Firewall Rules Enhancement** simplifies editing and viewing IP address based stateful firewall rules, allowing large set of rules to be managed easily. To configure, go to Security -> Stateful Firewall -> Policy to edit policies. + + +R6.2.2016 (2/18/2021) +======================= + +- **Bug fix** Security patch for SAML Vulnerablity. + + +R6.2.2003 (2/15/2021) +======================= + +- **Enhancement** Add API support to turn off Jumbo frame support. +- **Bug fix** Allow more than 16 network CIDRs in the Site2Cloud configuration. +- **Bug fix** Route programming failure in OCI VCN route entry. +- **Bug fix** Unable to launch Palo Alto VM-Series in AWS GovCloud. + + +R6.2.1955 (1/16/2021) +====================== + + - **Bug fix** GCP Spoke gateway with SNAT configuration propagates route incorrectly. + - **Enhancement** Optimize Spoke gateway attach/detach functions when "Customize VPC Route table" feature is enabled. 
+ - **Enhancement** Improve email authentication mechanism for emails generated by Controller. + - **Enhancement** Optimize Multi-cloud transit network failover time. + - **Bug fix** Unable to launch Palo Alto VM-Series with version 9.x + - **Bug fix** GCP Controller backup and restore fails. + +R6.2.1925 (12/12/2020) +======================== + +- **Enhancement** Execute all Azure Spoke VNet programming in parallel. The scope of the enhancement includes individual route entry update and multiple VNet route tables update. The result is a significant reduction in Spoke attachment time and certain failover convergence time. +- **Enhancement** Improve Controller daemon process robustness. + +R6.2.1914 (12/04/2020) +======================== + +- **Bug fix** Not able to detach a native Spoke VNet when its resource group is deleted on Azure console. +- **Bug fix** FQDN crashes when the number of FQDN rules exceed 1000. +- **Enhancement** Increase the number of FQDN rules to 1500. + +R6.2.1891 (11/20/2020) +======================== + +- **Bug fix** OCI Spoke VCN default route tables not programmed correctly. +- **Bug fix** After removing Spoke FQDN, Spoke gateway route table entries are missing. +- **Enhancement** Reduce excessive logging on Controller. +- **Enhancement** Add new regions to OCI. +- **Enhancement** Performance enhancement when interoperating with Copilot. +- **License Info** Site2Cloud license change to inter-cloud for Aviatrix Transit to AWS VGW connection. + + +R6.2.1837 (11/10/2020) +======================= + +- **Enhancement** Add conntrack_count to syslog. +- **Enhancement** FireNet LAN interface keep alive is enhancement with follow up TCP keep alive packets when ICMP ping fails, making the firewall detection more robust. Customer needs to open TCP port 443 from the gateway eth2 IP for this to take effect. No additional configuration required. 
+- **Enhancement** New AWS gateway AMI "hvm-cloudx-aws-102320" with the latest AWS SR-IOV device driver enhancement. +- **Bug fix** FQDN feature not working when ports are selected as all. +- **Enhancement** on interoperating with co-pilot. +- **Enhancement** Add disaster debugging capability when the Controller Apache daemon process fail to start. + + +R6.2.1742 (10/15/2020) +======================== + +1. Multi-cloud Transit Network +--------------------------------- + +- **Active-Standby Mode on ActiveMesh 2.0** provides the flexibility on Aviatrix Transit Gateways to connect to on-prem with only one active tunnel and the other one as backup. The use case is a deployment scenario where on-prem device such as firewalls does not support asymmetric routing on two tunnels. When Active-Standby mode is enabled, it applies to both BGP and Static Remote Route Based `External Device Connections `_ and for each connection, only one tunnel is active in forwarding traffic at any given time. To configure, go to Multi-cloud Transit -> Advanced Config, select the Aviatrix Transit Gateway to enable Active-Standby. For more information, refer to `Active-Standby `_. + +- **Segmentation based BGP CIDRs Advertisements** advertises only those Spoke CIDRs that have connection policy to a specific on-prem connection. For example, consider a multi-tenant deployment where Aviatrix Transit Gateway connects to multiple on-prem sites over BGP, each site connecting to a set of Spokes through `AWS TGW Edge Segmentation `_ or `Multi-cloud Segmentation `_. With this new feature, Aviatrix Transit Gateway only advertises Spoke CIDRs that are relevant to the on-prem site. This behavior is enabled as the default when launching a new Transit Gateway. For existing deployment, you can enable it by going to Multi-cloud Transit -> Advanced Config, select an Aviatrix Transit Gateway, scroll down to `Refresh BGP Advertise Network Routes`. 
+ +- **Multi-cloud Transit Gateway Peering over Private Network** expands Transit Gateway peering over multi-cloud where there is private network connectivity cross cloud. One use case is two Aviatrix Transit Gateways deployed in two different public cloud where each has its private connectivity such as AWS Direct Connect and Azure Express Route connecting to on-prem or a co-location. By building a high performance Transit Gateway private peering, Aviatrix Transit Gateway forwards traffic over the private links to the other Aviatrix Transit Gateway and beyond with encryption for data in motion. To configure, go to Multi-cloud Transit -> Transit Peering -> +Add New. Select the option Peering over Private Network for a new peering connection. For an example configuration, refer to `Multi-cloud Transit Peering over Private Networks `_. + +- **Insane Mode in GCP** is now available for Multi-cloud Transit solution. For performance benchmark, refer to `GCP Insane Mode performance test results `_. Insane Mode is enabled when launching a new Aviatrix Transit Gateway or Spoke gateway in GCP. + +- **Managed CloudN Appliance** simplifies CloudN configuration and operation by allowing it to be managed by the Controller. Active-Active deployment model supports up to 25Gbps encryption performance. Refer to `Managed CloudN workflow `_. GCP support is in the future release. + +- **Custom Mapped Site2Cloud in Spoke** solves all issues of overlapping network addresses with remote networks by expanding Site2Cloud `Mapped `_ function in a Spoke. + +- **TGW with Multicast capability** allows you to launch an AWS TGW with multicast capability. A use case is to support applications running on multicast protocols. API support only. + +- **Update Attached Spoke VNet CIDR** allows you to update Spoke VNet CIDR when there is a change without having to detach the Spoke and attach again, thus removing any down time or outage. API support only. 
+ +- **Default Tagging in Azure** adds Aviatrix default tag when Controller creates resources such as launching an Aviatrix gateway, create route entries, load balancer and route tables. + +- **Enhancement in Creating a VNet** defines public and private subnets and their associated route tables. This helps clarify how Aviatrix Controller manages route table and their programming. For details, refer to `Aviatrix Default Route Handling `_. + +- **Default Routing Handling** enforces rules on how Aviatrix Controller handles the propagation and programming of cloud networks. Specifically the Controller only overwrite the default route on private subnets. For details, refer to `Aviatrix Default Route Handling `_. + + +2. FireNet +------------- + +- **FireNet 2-tuple Forwarding Algorithm Support** expands FireNet forwarding algorithm to include forwarding decision based on only the source and destination IP address. One use case is to support an application where multiple TCP sessions are used for an egress Internet service therefore requiring all sessions to go through one firewall with the same source NAT IP address. To configure, go to Firewall Network -> Advanced. Select the FireNet gateway, click the 3 dots skewer, scroll down to Firewall Forwarding, select 2-Tuple. For more information, refer to `Firewall Forwarding Algorithms `_. + +- **Centralized FQDN on Azure FireNet** allows Aviatrix FQDN gateways to be deployed in FireNet solution in Azure. One use case is to consolidate egress control to reduce cost with centralized statistical multiplexing. To configure, go to Firewall Network -> Setup -> 7c. For more information, refer to `Launch & Associate Aviatrix FQDN gateway `_. + +- **Bootstrap support in Azure FireNet on Palo Alto Networks VM-Series, Check Point and FortiGate** simplifies FireNet deployment in Azure. For details, refer to `VM-Series bootstrap in Azure `_, `Check Point bootstrap in Azure `_ and `FortiGate bootstrap in Azure `_. 
+ +- **Bootstrap support in AWS FireNet on Check Point and FortiGate** simplifies FireNet deployment in AWS. For details, refer to `Check Point bootstrap in AWS `_ and `FortiGate bootstrap in AWS `_. + + +3. Operations +------------------ + +- **Discover Unencrypted Flows** is a useful tool to provide visibility on any non TCP port 443 and port 22 traffic running in a VPC in AWS. By running, recording and analyzing VPC flow logs in an on-demand fashion, this tool helps infrastructure engineers to understand application traffic patterns without cost incurring for long running VPC Flow Logs. By excluding TCP port 443 and port 22 traffic, the tool highlights any unencrypted traffic in the network. + +- **Session Visibility** displays active connection sessions running through Aviatrix gateways. This is useful for troubleshooting connectivity issue. To view sessions, go to Troubleshoot -> Diagnostics -> Gateway -> Session View. Or go to Security -> Stateful Firewall -> Session View. + +- **16,000,000 Max Connection Session Table Size** This improves the ability of Aviatrix gateways to handle the concurrent sessions going through the gateway. + +R6.1.1425 (11/9/2020) +========================= + +- **Bug fix** CloudN failover route selection is not based on best route algorithm. +- **Bug fix** Retry when Controller DNS lookup fails intermittently. + +R6.1.1415 (10/25/2020) +======================== + +- **Enhancement** Increase the max connection session table size to 16,000,000. Also include connection track entry count in the gateway diagnostics information. + +R6.1.1409 (10/20/2020) +========================= + +- **Bug fix** FireNet VPC does not advertise its CIDR to on-prem when FireNet Management is enabled on the Aviatrix Edge Security Domain. +- **Bug fix** Custom upgrade is broken. +- **Bug fix** Site2Cloud Custom Mapped option becomes unavailable after upgrading. 
+ +R6.1.1401 (10/4/2020) +====================== + +- **Bug fix** When attaching an Insane Mode Spoke gateway to Transit Gateway, the action succeeds even though the underlying cloud provider peering (AWS PCX and Azure VNet Peering) fails. +- **Bug fix** Controller does not update the egress default route when Spoke gateways experience a failover. +- **Bug fix** Enabling advertising transit CIDR breaks Azure transit network. +- **Bug fix** Single AZ gateway replace function is broken. +- **Enhancement** Improve IKEv2 compatibility with Cisco ASA when re-establishing a tunnel after it goes down without restarting the VPN service. +- **Enhancement** Enable multi-core processing capability on the Controller to handle co-pilot queries. API support to enable/disable multi-core processing in case of failure. + +R6.1.1338 (9/24/2020) +====================== + +- **Bug fix** Aviatrix Transit connecting to external device with 2 different ASNs doesn't work properly +- **Bug fix** TGW attaching sometimes fails due to RAM authentication timeout. +- **Bug fix** Custom SNAT is not able to select eth0 on Aviatrix Transit Gateway. +- **Bug fix** Cannot edit mapped tunnels built before 6.0 + +R6.1.1309 (9/7/2020) +====================== + +- **Gateway Rename feature removal** Gateway Rename feature has been removed from UI. +- **Account Rename feature removal** Account Rename feature has been removed from UI. +- **Enhancement** Consistent Login Banner when custom banner login is enabled. +- **Enhancement** Enable multicast option when creating an AWS Transit Gateway (TGW). API support only. +- **Bug fix** fix Insane Mode gateway replacement function bug. +- **Bug fix** fix Transit Gateway Manual Summarize route bug. +- **Bug fix** fix FireNet error programming firewall instances when they go through stop and start process. +- **Bug fix** fix gateway launch tag attachment to ensure when a gateway is launched tag is part of the AWS API call. 
+ + +R6.1.1280 (8/17/2020) +======================= + +- **Bug fix** fix multiple issues with TGW Approval, TGW Peering inspection and FireNet integration. +- **Bug fix** Transit Peering with SNAT creates redundant rules. +- **Bug fix** FQDN with Edit Source behavior change. +- **Enhancement** Add support for Aviatrix gateway certificate import. +- **Bug fix** CloudN asymmetric routing for management interface. + + + +R6.1.1163 (8/5/2020) +===================== + +- **Bug fix** fix upgrade issue. + +R6.1.1162 (8/1/2020) +======================= + +1. Multi-cloud Network +-------------------------------- + +- **Scale out Firewalls in Azure FireNet** allows FireNet to support multiple firewall virtual machines in Azure. The use case is to support more than 2 firewall deployment to meet performance requirements. Only new FireNet gateways in Azure supports scale out firewall feature. Refer to `this document `_. + +- **Azure GovCloud** is now supported for both Controller and Aviatrix gateways. Controller can be launched from Azure GovCloud marketplace. Follow `Azure Startup Guide `_ to get started. + + +- **Prepend ASN on BGP Connection** expands Prepend ASN to specific BGP connection. Previously the ASN prepend applies to the entire Aviatrix Transit Gateway, this feature brings the flexibility to prepend different ASN for different BGP connections. The use case is to provide more flexibility on the Aviatrix Transit Gateway to influence the next hop selection of the upstream BGP neighbour. To configure, go to Multi-Cloud Transit -> Advanced Config. Select an Aviatrix Transit Gateways, scroll down to Connection AS PATH Prepend, select a connection and enter one or more enter AS numbers separated by space. For more details, refer to `Connection AS PATH Prepend `_. + +- **Multi-cloud Segmentation Enhancement** now handles egress default route in a consistent way by introducing individual route tables for each Security Domain on an Aviatrix Multi-cloud Transit Gateway. 
This release is not backward compatible to the implementation in Release 6.0. To migrate, `disable Multi-cloud Segmentation `_ on each Aviatrix Transit Gateway, upgrade to Release 6.1 and `enable `_ again. To learn more on deployment limitation, refer to `this link. `_ + +- **FireNet Check Point Integration Enhancement** now support Check Point firewall or security gateway automatic route updates to its routing tables by the Controller. You no longer need to statically configure RFC 1918 or any other routes. + +- **FireNet for AWS TGW Inter Region Traffic Inspection** allows you to specifically inspect traffic crossing TGW Peering regions. One use case is in certain deployment, it is not desirable to specify all traffic going in and out of a Security Domain, rather the requirement is to only inspect traffic that moves across the regions. For configuration details, refer to `Inspect Inter Region Traffic `_. + +2. Security +---------------- + +- **Auto PrivateS3** significantly improves PrivateS3 usability and security by automatically retrieving S3 bucket names for PrivateS3 filtering. One use case is to support large set of S3 buckets owned by organizations without having to manually import into the Controller. The second use case is to prevent accidental or intentional manual input S3 buckets that are not owned by organization. For workflow, check out `PrivateS3 workflow `_. + +- **Subnets Pass-through** allows you to specify certain subnets in a VPC to bypass any FQDN filter rules. One use case is that certain subnets, for example, are for Dev environment, therefore does not require to be FQDN filtered or logged. To configure, go to Security -> Egress Control -> Egress FQDN Gateway View. Select a gateway, click Actions -> Edit Pass-through. Select subnet or multi select subnets to allow bypass the filter. For more details, refer to `FQDN Source Pass-through `_. + +- **Exact Port Match** now applies to each FQDN rule. 
One use case is if you only specify an FQDN rule for TCP port 443, packets with the same FQDN rule for TCP port 80 are dropped unless you have the specific FQDN rule on TCP port 80. This is a bug fix, no configuration required. For more information, refer to `Exact Match `_. + +- **FQDN Option for Exact Match** is a new feature where if a FQDN rule does not have * an exact match is expected. If this global option is not enabled, FQDN rules use regex to match any FQDN names that are subset of the name. For example, if salesforce.com is a rule and Exact Match option is enabled, finance.salesforce.com is not a match and will be dropped. For configuration details, refer to `FQDN Exact Match `_. + + +3. Operations +----------------- + +- **Account Name Alias** allows you to change the account name after it is created by providing an alias name and allowing it to be modified at any given time. The use case is customers often need to change some account names after the network has been built out to certain scale. By allowing account name alias to be modified without having to delete the account and thus reduces network downtime. To change account name alias, go to Accounts -> Access Accounts, hover the mouse at a specific account, click the Pen icon and start typing. Refer to `this document `_. + +- **Gateway Name Alias** allow you to change an Aviatrix gateway name after it is created by providing an alias name and allowing it to be modified at any time. The use case is customers often need to change some gateway names after the network has been built out to certain scale. By allowing gateway name alias to be modified without having to delete the gateway and thus reduces network downtime. To change gateway name alias, go to Gateway, hover the mouse at a specific gateway name, click the Pen icon and start typing. Note the original gateway name is still maintained as "Original Name". Refer to `this document `_. 
Note this feature does not interoperate with Co-Pilot at this time. For customers who deploy Co-Pilot, making changes the gateway names breaks Co-Pilot. The work around is not to use this feature or change back the gateway name. + + +- **Create a VPC Enhancement** now creates multiple route tables associated with public and private subnets. One use case is to allow traffic load balancing when Aviatrix Spoke gateways are deployed. To configure, go to Useful Tools -> Create a VPC. For more details, check out `Create a VPC `_. + +- **Controller Access Security on Azure** extends the Access Security feature to Azure. When an Aviatrix gateway is launched, security rule is automatically added to the Controller inbound rule. This allows Controller admin to only open inbound TCP port 443 to Aviatrix gateways and no-prem public IP addresses, thus improving Controller security. To configure, go to Settings -> Controller -> Access Security. Select the Controller account and enable. For more details, refer to `Enable Controller Security Group Management `_. + +- **Login Banner** allows you to customize banner text for first time login for compliance. Any user who login for the first time must acknowledge the text before proceeding to Controller. To configure, go to Settings -> Controller -> Login Customization -> Login Banner. For more information, refer to `Login Banner `_. + +4. User VPN +-------------- + +- **Max Routes Pushing to VPN Client** has now been increased to 250. This allow a larger network deployment. Requires Aviatrix VPN client 2.11. No configuration change is needed. + +- **GeoVPN to use DHCP Setting** for DNS name resolution from the VPC where the VPN gateway is deployed. This reduces latency as DNS service is likely to be closer to the source of the VPN user location. For configuration examples, refer to `VPN Access Gateway Selection by Geolocation of User `_. + +R6.0.2483 (8/4/2020) +====================== + +- **Bug fix** fix upgrade jump version issue. 
+ +R6.0.2481 (8/1/2020) +====================== + +- **Bug fix** Latest Chrome browser login issue. + + +R6.0.2466 (7/22/2020) +======================= + +- **Bug fix** Missing MSS clamping configuration resulted in egress traffic loss. +- **Bug fix** Handle VNet UDR routes programming when Azure Netapp service is deployed in the Spoke VNet. +- **Bug fix** AWS GovCloud cannot list firewall options. +- **Bug fix** Configure the system to prevent memory leak. +- **Enhancement** API support for t3a.x gateway instance types. +- **Bug fix** Missing configuration parameters in download file for Site2Cloud for Cisco ASA devices. + +R6.0.2387 (7/10/2020) +====================== + +- **Bug fix** New gateway launching is missing MSS clamping rule which affects connectivity for potentially different types of traffic including egress and multi region transit gateway peering, etc. + +R6.0.2383 (7/2/2020) +====================== + +- **Bug fix** for error out when using Diagnostics to force upgrade an gateway. + +R6.0.2373 (6/30/2020) +======================= + +- **Enhancement on TGW VPN Approval** improves TGW VPN Approval for overlapping CIDRs to prevent black holing traffic. For details, refer to `this link `_. For the enhancement to take effect, you need to first disable TGW Approval for each connection, upgrade to 6.0 and enable it again. Note you must first disable Approval before upgrading to 6.0. +- **Bug fix** for FQDN thread process stuck. +- **Bug fixes** to improve stability and use cases. + +R6.0.2269 (6/19/2020) +===================== + +1. Aviatrix Multi-Cloud Transit +----------------------------------------- + +- **ActiveMesh 2.0** unifies the Aviatrix Transit Gateway next hop route selection by conforming to BGP next hop selection algorithm for all traffic sources. The use case is to provide a predictable routing path in a multi regions, multi cloud and multi sites environments. All new Transit Network deployed is launched with ActiveMesh 2.0. 
For a one time migration from the existing deployment, go to Settings -> Migration -> ActiveMesh 2.0 Migration. Click Migrate. To learn more details, check out `ActiveMesh 2.0 Details `_. +- **Multi-Cloud Transit Segmentation** allows you to segment the Aviatrix multi-cloud transit network (where Aviatrix Transit Gateways and Spoke gateways are deployed) by specifying domains and connection policy across all clouds and regions. To learn more, check out `Aviatrix Transit Network Segmentation FAQ `_. +- **External Device to Support Static Remote Route-Based** provides the interoperability between a route-based Aviatrix Transit Gateway and a remote route-based IPSEC tunnel connection. The use case is to allow the remote site to participate in the ActiveMesh 2.0 route selection in a unified manner. To configure, go to Multi-Cloud Transit -> Setup -> Step 3 -> External Device -> Static Remote Route-Based. +- **Dual Transit FireNet** allows you to attach an Aviatrix Spoke gateway to two Aviatrix Transit Gateways, each with Transit FireNet service enabled but with a different purpose. One carries Egress/Ingress inspection and the other carries East-West and North-South inspection. The use case is to allow different policies to be implemented easily. To configure, go to Multi-Cloud Transit -> Transit FireNet -> `Step 1b. `_ +- **Aviatrix Transit Gateway ECMP Disable Option** allows you to turn off ECMP for next hop selection. The use case is if on-prem deploy a firewall devices that require symmetric routing. The BGP ECMP is disabled by default. To enable, go to Multi-Cloud Transit -> Advanced Config -> Edit Transit -> BGP ECMP. For more information, refer to `BGP ECMP `_. +- **Advanced NAT Function for Azure and GCP** is now available for Aviatrix Spoke gateways. The use case is to resolve overlapping network CIDRs between on-prem network and Spoke network. 
To learn more on Aviatrix advanced SNAT/DNAT functions, check out `Aviatrix Advanced SNAT `_ and `Aviatrix Advanced DNAT `_. +- **GCP Multi Region Transit HA** leverages the GCP capability of multi regions in a single VPC and provide Aviatrix Transit/Spoke Gateway HA in a different region. The use case is to improve regional failure by the ability to failover to a different region. +- **Azure Availability Zone Support** allows you to deploy an Aviatrix gateway in Azure in a specified availability zone where it is applicable. Not all regions support availability zones and where it is not, availability set is supported. +- **Change Aviatrix Transit Gateway AS Number** provides the ability to change AS number of Aviatrix Transit Gateways. The use case is to avoid human errors when there are multiple BGP connections. To configure, go to Multi-Cloud Transit -> Advanced Config -> Edit Transit -> LOCAL AS NUMBER, enter the desired AS number and click Change. +- **Sync Controller Best Routes to Aviatrix Transit Gateway** allows the Controller to reprogram an Aviatrix Transit Gateway route table in case they go out of sync. The use case is to recover the routes from an unforeseeable errors in the deployment. To configure, go to Multi-Cloud Transit -> Advanced Config. Select the Aviatrix Transit Gateway, scroll down to `Sync Controller Best Routes to Transit Gateway`, click Sync Routes. + + +2. Firewall Network (FireNet) +------------------------------ + +- **Firewall Instances Health Check Enhancement** checks a firewall instance's health by pinging its LAN interface from the connecting Aviatrix FireNet gateway. This is an alternative option to checking health through firewall's management interface, which improves firewall failure detection time and detection accuracy. Available for both FireNet and Transit FireNet deployment and in both AWS and Azure. 
To configure, go to Firewall Networks -> Advanced, select the FireNet gateway, click the 3-dot skewer, scroll to Keep Alive via Firewall LAN Interface, click Enable. To learn more, refer to `Firewall Health Check with LAN Interface `_. +- **FireNet Exclude CIDRs** allows you to exclude a list of network CIDRs to be excluded from going through firewall inspection even though its associated Security Domain or network requires inspection. One use case is to exclude the Aviatrix Controller deployed in the Shared Service VPC to be excluded from inspection while Shared Service VPC traffic is inspected. This improves the Controller reachability by not subjecting the Controller access to unintentional firewall policy errors. For details, check out `Exclude CIDR `_. +- **Check Point CloudGuard in Azure** is now available in Azure when deploying Aviatrix Transit FireNet. Refer to `this example CheckPoint workflow in Azure `_ for more details. +- **Fortinet Fortigate in Azure** is now available in Azure when deploying Aviatrix Transit FireNet. +- **Check Point Dynamic Route Update** enhances FireNet Check Point integration by dynamically updates CloudGuard route tables by the Controller. The use case is for networks with non-RFC 1918 routes that require specific route table programming on the Check Point appliance. + +3. User VPN +-------------- + +- **Signed Cert for SAML Authentication** improves security of User VPN SAML authentication when it authenticates with the IDPs by providing a signed cert. To configure, go to OpenVPN -> Advanced -> SAML -> Add a New SAML Endpoint, select the option "Sign Authn Requests". For SAML login to the Controller, go to Settings -> Controller -> SAML Login -> Add a New SAML Endpoint, select the option "Sign Authn Requests". +- **Dashboard to Display user speed** allows you to access individual User VPN client performance. To view the client VPN speed, go to Dashboard, scroll down to the Use VPN section to view. 
+- **Terraform for Attaching a user to profile** allows you to update the user profile in modular fashion. + +4. Site2Cloud +--------------- + +- **Route Based IPSEC** provides flexibility to configuration. One use case for selecting route based VPN is to solve overlapping network CIDRs with on-prem as referred in `this example `_. To learn more about route based VPN, check out `the FAQ `_. +- **Mapped Configuration for Route Based IPSEC** supports both SNAT and DNAT on the network address ranges. The use case is to connect two IP address overlapping networks, for example a cloud VPC and on-prem, where on-prem cannot implement any network address translation. Comparing with individual IP address based translation, this significantly simplifies configuration. Note this configuration is implemented on route based IPSEC tunnel of an Aviatrix gateway site2cloud connection. To configure, go to Site2Cloud -> Add New. For Connection Type, select `Mapped`. For an example configuration, refer to `Solving Overlapping Networks with Network Mapped IPSec. `_ For more complex solutions, read `Overlapping Network Connectivity Solutions `_. +- **Intelligent Troubleshooting** provides expert analysis to the IPSEC syslog and reduces diagnosis time. To use, go to Site2Cloud -> Diagnostics. Select one connection, select `Run Analysis`. +- **Shared the Same Pre-Shared Keys** provides an option for both primary and backup IPSEC tunnel to share the same pre-shared keys. The use case is to reduce the configuration burden for on-prem devices. To configure, go to Site2Cloud -> Add New. Check the option `Same Pre-shared Key as Primary` when creating a connection. For configuration details, check out `Site2Cloud configuration workflow `_. + +5. Egress Control +------------------- +- **FQDN Search** supports general search for a specified destination FQDN during a specified period of time. One use case is to troubleshoot on an FQDN tag entry without the need to upload tracelog. 
+- **Disable Caching FQDN Entries** prevents potential data leakage to large domain names that contain unrelated sites. To configure, go to Security -> Egress Control -> Egress FQDN Filter -> Global Configs -> Caching. Click to Disable. + +6. Operations +----------------- + +- **Multi Remote Syslog Servers Support** allows an Aviatrix gateway to forward its syslog to a different remote syslog server than other gateways. The use case is customer may have multiple syslog servers deployed in different regions and Aviatrix gateways deployed in regions should forward syslog data to the server it is assigned to. +- **Netflow v9 Support** adds new capability in addition to the current v5 support. +- **CloudWatch Customize Configuration** now supports group name customization. The use case is to provide flexibility for customer to name their log folders. To configure, go to Settings -> Logging -> CloudWatch -> Advanced -> Log Group Name, enter a name of your choice. +- **New User Interface** aims to reduce web interface screen load time and improve user experience. +- **Datadog multi site support** to allow Datadog agent to send syslog to a destination site. To configure, go to Settings -> Logging -> Datadog Agent -> Enable Datadog Agent. Select a site datadoghq.com or datadoghq.eu. + +7. AWS Transit Gateway (TGW) +------------------------------- + +- **Intra Domain Firewall Inspection** allows AWS VPCs in the same Security Domain to be inspected by FireNet. The use case is a Security Domain in which all VPCs can communicate with each other, but all traffic requires logging and inspection. To enable, go to TGW Orchestrator -> List -> TGW Security Domains. Select one Security Domain, click Actions -> Edit Intra Domain Inspection. For additional information, refer to `Edit Intra Domain Firewall Inspection `_. +- **Change Spoke VPC's Security Domains** provides the ability to change a Spoke VPC's Security Domain without detaching the VPC from the TGW. 
The use case is to reduce Spoke VPC connectivity downtime when it needs to change its associated domains. To configure, go to TGW Orchestrator -> List -> Select the attached Spoke VPC -> Actions -> Switch Security Domain. In the pop up window, select the desired Security Domain to associate. For more information, refer to `Switch Security Domain `_. +- **Update Spoke VPC Route Tables** provides the ability to update a Spoke VPC route tables without detaching the VPC from TGW. The use case is to reduce Spoke VPC connectivity downtime when its subnets and route tables are added or deleted. To configure, go to TGW Orchestrator -> List -> Select the attached Spoke VPC -> Actions -> Update VPC CIDR. For more information, refer to `Update VPC CIDR `_. +- **Edit Spoke VPC Local Route Propagation** provides the ability to enable and disable attached Spoke VPC local route propagation without detaching the VPC. The use case is to disable local route propagation after a Spoke VPC is attached to TGW. To configure, go to TGW Orchestrator -> List -> Select the attached Spoke VPC -> Actions -> Edit Spoke VPC Local Route Propagation. For more information, refer to `Edit Spoke VPC Local Route Propagation `_. + +R5.4.1290 (8/5/2020) +===================== + +- **Bug fix** fix the issue of jumping versions when upgrading. + +R5.4.1283 (7/17/2020) +===================== + +- **Bug fix** upgrade failure from R5.3 to R5.4 + +R5.4.1281 (7/15/2020) +======================= + +- **Bug fix** Gateway memory leak when rsyslog is not initialized properly. +- **Bug fix** Gateway memory configuration change to allow smaller memory footprint. +- **Bug fix** Sometimes firewall instances in FireNet become inaccessible. + + +R5.4.1251 (6/19/2020) +======================== + +- **Bug fix** nightly cron job hit exception. + +R5.4.1249 (6/15/2020) +====================== + +- **Enhancement** to support us-west-4 region in GCP. +- **Bug fix** on gateway replacement that has AWS LB deployed. 
+ +R5.4.1240 (6/1/2020) +===================== + +- **Bug fix** Insane Mode to support Transit FireNet in Azure has an issue when the FireNet gateway is rebooted. + +R5.4.1238 (5/27/2020) +====================== + +- **Enhancement** Insane Mode to support Transit FireNet in Azure. +- **Bug fix** CloudN to work with RBAC. + +R5.4.1234 (5/20/2020) +====================== + +- **Bug fix** when importing user excel sheet for User VPN. +- **Enhancement** to support the new Palo Alto VM-Series Bundle 1 and Bundle 2. + +R5.4.1232 (5/18/2020) +======================= + +- **Enhancement to Gateway Syslog Download** allows you to a gateway syslog directly from the Gateway. API support only. +- **Bug fix** Aviatrix Transit Gateway update learned routes incorrectly in certain cases. +- **Route Update Convergence Enhancement** to improve route propagation and convergence time when routes are changed to the Transit network. + + +R5.4.1204 (5/8/2020) +====================== + +- **Bug fix** fix API bug in enable_fqdn_cache_global. + +R5.4.1201 (5/7/2020) +====================== + +- **Enhancement on FQDN** to disable learned FQDN entry IP address caching. API support only. +- **Enhancement on User VPN** to improve page load time by caching VPC tags. +- **CloudN Enhancement** to support Netflow to export logs. +- **Enhancement to Gateway page** to allow gateway AMI image name to be displayed. This is useful to identify if a gateway runs on older AMI image that needs replacement to newer AMI image. + +R5.4.1140 (4/21/2020) +====================== + +- **Support More AWS TGW Peering Regions** Newly available regions of AWS TGW Peering is now supported. +- **User VPN Customizing Notification** You can now customize pop up messages after a VPN user is connected. To configure, go to OpenvVPN -> Advanced -> System Use Notification. One use case is for customer to write their own messages for compliance. 
Please ensure that you are running Aviatrix VPN Client version 2.9 or higher to view the usage notification +- **VPN DPD Interval Configuration** allows you to specify DPD interval. API support only. +- **Gateway Default Memory Alert Threshold** is changed to 80% to provide earlier warning to the Controller admin. +- **Change Gateway Default Size** at launch time to t3.small. +- **Bug fix** User VPN to Save Configuration Template to allow multiple gateways to have the same configuration when attached to the same NLB. +- **Performance Optimization** in handling the route programming time for large deployment of Aviatrix Transit Gateway peering. +- **CloudN Enhancement** in handling tunnel down message with Insane Mode. + +R5.4.1074 (4/3/2020) +===================== + +- **Bug fix** Restore a list of APIs that was deleted incorrectly. + +R5.4.1066 (4/1/2020) +===================== + +1. Operations +------------------ + +- **Role Based Access Control** allows you to both limit access to the Controller functions and enable self-service for users with different permission privileges. Read `RBAC FAQ `_ for more details. + +2. Networking +---------------- + +- **User VPN Performance Improvements** improves gateway performance when User VPN is enabled on the gateway. To receive enhanced performance, replace an existing gateway or launch a new gateway with `VPN Access `_ enabled. +- **Aviatrix Transit Network Spoke Gateways to Support SNAT/DNAT Functions** enable you to support additional use cases in Aviatrix Transit network. These use cases are `"accessing cloud applications with virtual IP addresses" `_ and `"connecting overlapping addresses from on-prem to Spoke VPCs in ActiveMesh network" `_. +- **Azure Virtual WAN Integration with CloudWAN** expands Aviatrix CloudWAN solution to allow branch office Cisco IOS routers to automatically connect to Azure Virtual WAN by automatically programming IPSEC and BGP on IOS routers. 
+- **Azure Gateways Enhancement** Azure gateways is now launched by the Controller managed disk option instead of storage account for enhanced security. +- **User VPN Profile Multi Attribute Support** allows multiple attributes to be specified in the SAML IDP user database. Simply include a list of the names of User VPN Profiles in the user data profile field at the IDP database. + +3. Security Integration +------------------------- + +- **CheckPoint CloudGuard Integration** now supports CloudGuard All-In-One R80.40. In addition, the initial SSH access process is removed for all CloudGuard AMIs. Check out `CheckPoint CloudGuard Configuration Examples `_ for more details. +- **FortiGate Bootstrap Configuration** is now supported. For details on how to configure, read `Bootstrap Configuration Example for FortiGate Firewall `_. + +R5.3.1551 (6/4/2020) +====================== + +- **Bug fix** Change user password should require login CID. +- **Enhancement** Multiple enhancement back porting to 5.3. + + +R5.3.1524 (4/26/2020) +======================== + +- **Bug fix** Enhancement for Controller migration. +- **Bug fix** CloudN missing routes after Transit gateway is rebooted. + +R5.3.1516 (4/3/2020) +====================== + +- **Bug fix** Transit Peering not learning routes correctly when remote transit peering configured static routes. +- **Bug fix** Back out auto refresh of BGP sessions after upgrading. +- **Enhancement** to the ability to update Aviatrix Transit VPC CIDR. + +R5.3.1499 (3/17/2020) +======================= + +- **Bug fix** FQDN statistics on the dashboard could cause the Controller to freeze. +- **Bug fix** Cannot edit network CIDRs in Site2Cloud configuration. +- **Bug fix** Azure FireNet firewall instance launch with enforcement for username/password. + +R5.3.1491 (3/11/2020) +======================= + +- **Bug fix** Gateway launch failure triggered rollback function delete all VPC routes. 
+- **Bug fix** GCP VPN gateway shows in unhealthy state when it is still forwarding traffic. +- **Bug fix** Azure gateway floods with IPSEC keep alive messages. + +R5.3.1468 (3/4/2020) +====================== + +- **Bug fix** for Controller Migration feature. + R5.3.1428 (2/21/2020) ======================= -**Bug fix** AWS GovCloud IAM roles is broken. +- **Bug fix** AWS GovCloud IAM roles is broken. R5.3.1399 (2/20/2020) ====================== -**Bug fix** CloudWAN gateway instance not programming ingress security group. -**Enhancement** to support Azure Africa region. +- **Bug fix** CloudWAN gateway instance not programming ingress security group. +- **Enhancement** to support Azure Africa region. R5.3.1391 (2/17/2020) ======================== +**Important Notice** +---------------------- + +Release 5.3 is the last software version that supports older Controller AMIs. If your Controller AMI is one of the following, we have +provided an `one click migration `_ to migrate to a new Controller after the Controller is upgraded to 5.3. The following Controller AMIs requires +migration beyond release 5.3: + + - Controller AMI ID contains "aviatrix_cloud_services_gateway_081517" + - Controller AMI ID contains "aviatrix_cloud_services_gateway_111517" + - Controller AMI ID contains "aviatrix_cloud_services_gateway_043018" + 1. AWS Transit Gateway (TGW) Orchestrator -------------------------------------------- 
@@ -63,7 +1345,7 @@ R5.2.2153 (2/7/2020) R5.2.2122 (1/25/2020) ======================== - - **Enhancement** Allow site2cloud gateways to support Active-Active mode where both tunnels are up and packets are routed to both gateways via respective VPC route tables. To enable, go to Site2Cloud, click on the connection, scroll down to Actitve Active HA and click Enable. + - **Enhancement** Allow site2cloud gateways to support Active-Active mode where both tunnels are up and packets are routed to both gateways via respective VPC route tables. To enable, go to Site2Cloud, click on the connection, scroll down to Active Active HA and click Enable. - **Enhancement** Allow the service account credential to be re-used by GCP projects. - **Bug fix** Fix Azure gateway memory leak issue. - **Bug fix** Enhancement to FQDN warning messages. @@ -134,6 +1416,11 @@ R5.1.1183 (12/2/2019) - **Bug fix** BGP learned routes parsing error. - **Bug fix** Transit Peering filter not updating new learned routes. +R5.1.1169 (11/25/2019) +======================= + +- **Bug fix** Transit gateway filter does not work properly + R5.1.1016 (11/21/2019) ======================= 
@@ -183,9 +1470,9 @@ R5.1.935 (10/19/2019) Transit Gateway Enhancement ------------------------------ - - **Transit Gateway Peering with Network Filter** allows you block route propagation from one transit gateway side to the other. This use case is to allow two regions of transit network to connect with each other when there are exact overlapping network CIDRs by blocking on each Transit Gateway these CDIRs. To configure, go to Transit Network -> Transit Peering -> Add New, or Edit an existing peer. For more info, refer to `Filtered CIDRs `_. + - **Transit Gateway Peering with Network Filter** allows you block route propagation from one transit gateway side to the other. This use case is to allow two regions of transit network to connect with each other when there are exact overlapping network CIDRs by blocking on each Transit Gateway these CIDRs. To configure, go to Transit Network -> Transit Peering -> Add New, or Edit an existing peer. For more info, refer to `Filtered CIDRs `_. - - **Route Table Selection** allows VPC route tables to be selected when attaching attaching a Spoke VPC gateway. Only the selected route tables are programmed for learning routes and reprogramming routes at failover time. `API support `_ only. + - **Route Table Selection** allows VPC route tables to be selected when attaching attaching a Spoke VPC gateway. Only the selected route tables are programmed for learning routes and reprogramming routes at failover time. API support only. - **TGW DXGW and VPN Enhancment** allows DXGW and VPN to be deployed in any Security Domain. One use case is if you have multiple VPN connection and do not wish to have the remote sites to have connectivity with each other, you can now create VPN connections in different Security Domains. - **ASN Path Prepend** adds ASN number when Aviatrix transit gateway redistribute routes to its BGP peer. For new Transit connection, the Aviatrix Transit gateway automatically inserts its ASN number. 
To insert ASN path in an existing connection, go to Transit Network -> Advanced Config -> Prepend AS Path @@ -252,7 +1539,7 @@ R5.0.2667 (9/9/2019) ---------------------------- - **Official Terraform Provider** Aviatrix has become the official Terraform provider! Visit `Aviatrix Provider `_. Terraform v0.12 is needed, please visit `Compatibility Chart `_, `Terraform Provider 2.x Upgrade Guide `_. - - **New REST API site** visit `api.aviatrix.com `_ to see our brand new API doc site! + - **New API site** visit `api.aviatrix.com `_ to see our brand new API doc site! - **Access Account Audit** continuously monitors the health of Controller and individual access account. The Controller sends email alert to the admin user and logs the event when errors in the account setting are detected. - **Gateway Audit** continuously monitors the status of gateway cloud credentials and security groups. For AWS, this credential is the gateway's IAM roles and policies. The Controller sends email alert to the admin user and logs the event when errors of gateway cloud credentials are detected. To view the health of the gateway, go to Gateway page and check the field `Audit. `_ - **Logs display the source IP address when a user login** to improve visibility. 
@@ -352,7 +1639,7 @@ R4.7.378 (6/16/2019) - **Customize Spoke VPC Route Table** allows you to program route entries in Spoke VPC route table that points to TGW as target. By default, Aviatrix Orchestrator programs RFC 1918 routes in the VPC route table to point to TGW, any routes that are outside of this range is dynamically programmed into the VPC route table. When you enable this feature, all dynamic route propagation will be stopped. One use case is if you simply want to program the default route to point to TGW. Another use case is if you do not wish Aviatrix Orchestrator to program any VPC routes, in which case you should enter 0.0.0.0/32 for the "Customizing Spoke VPC Rotues" field. To configure, enter a list of comma separated CIDRs at `Attach VPC to TGW `_ during TGW Orchestrator Build. - - **Customize TGW VPN Creation** with additional parameters, such as inside_ip_cidr and pre_shared_key. For more information, checkout the API `Attach Native VPN to TGW `_. + - **Customize TGW VPN Creation** with additional parameters, such as inside_ip_cidr and pre_shared_key. 2. Insane Mode Enhancement ---------------------------- 
@@ -415,8 +1702,8 @@ R4.3.1230 (5/5/2019) - **User Accelerator Preview** integrates AWS Global Accelerator with Aviatrix User VPN to reduce user access latency. - **Azure Native Peering** supports VNET to VNET native peering in the same Azure subscription. Cross subscription is not supported. To configure, go to Peering -> Azure Peering. - **C5n Instance** is now supported. With C5n.18xlarge, InsaneMode IPSEC performance reaches 25Gbps. - - **Select Subnets for TGW Attachment** provides by REST API the flexibility to select which subnet to attach to AWS Transit Gateway (TGW). - - **Reuse Azure Resource Group** provides by REST API the ability to reuse the VNET resource group when launching an Azure gateway. + - **Select Subnets for TGW Attachment** provides by API the flexibility to select which subnet to attach to AWS Transit Gateway (TGW). + - **Reuse Azure Resource Group** provides by API the ability to reuse the VNET resource group when launching an Azure gateway. 2. Routing Policies --------------------- @@ -704,7 +1991,7 @@ R3.3 (6/10/2018) - **Access Account Name** is now searchable. -- **New REST APIs** are available for all features in 3.3. +- **New APIs** are available for all features in 3.3. - **List Spoke Gateways** allows you to easily see what are the Spoke gateways are attached to a selected Transit gateway. To view, scroll down to Step 9 at Transit Network workflow, select a Transit GW and view the attached Spoke gateways. @@ -737,10 +2024,10 @@ R3.2 (4/18/2018) - **UCC Controller Public IP Migration** can be used after Controller's public IP is changed. To migrate, go to Troubleshoot -> Diagnostics -> Network -> Migrate. -4. REST API +4. API ------------ -- 50 REST APIs have been added to the Controller. For details, refer to `API Doc `_ +- 50 APIs have been added to the Controller. R3.1 (3/6/2018) 
@@ -800,7 +2087,7 @@ R3.0 (12/1/2017) 3. Controller -------------- -- **Audit** user actions on the Controller. All commands from web console or REST API are now logged to syslog and can be forwarded to integrated log services. +- **Audit** user actions on the Controller. All commands from web console or API are now logged to syslog and can be forwarded to integrated log services. - **Name your controller** for ease of use. Click "Your controller name goes here" on the Controller console and start typing a new name. Hit return to save the name. @@ -862,7 +2149,7 @@ R2.7 - Support resizing UDP based OpenVPN® gateway instance. -5. NEW REST APIs +5. NEW APIs ------------------ - Set VPC Access Base Policy. @@ -888,7 +2175,7 @@ Security - FQDN blacklist. In addition to FQDN whitelist, FQDN whitelist is added as a base configuration for each FQDN tag. To configure, go to Advanced Config -> FQDN Filter. After you create a new tag, you can select either White List or Black List. With Black List, the URLs on the Black List will be rejected. -REST API +API --------- - New APIs are published. list active VPN users, edit Open VPN configuration, backup and restore, list vpc peers, list image. For API details, click `this link. `_ for details. @@ -1111,8 +2398,7 @@ Controller Administration user, go to Accounts -> Account Users -> "New User". Select "read\_only" from the dropdown list of "Account Name". -- CloudN's console password can be changed from the default - "Aviatrix123#". To do so, type "enable" to enter config mode and then +- CloudN's console password can be changed from the default. To do so, type "enable" to enter config mode and then issue "change\_console\_password" command. - Capability has been added for HTTPS certificate check for control 
@@ -1401,7 +2687,7 @@ UserConnect-102416 the specific cloud provider VPN gateways to ensure encrypted tunnel work correctly. -- Add REST API for CloudN64 Join features: allow subnet to VPC and +- Add API for CloudN64 Join features: allow subnet to VPC and delete subnet to VPC. For the complete APIs, refer to `API Document `__ @@ -1411,13 +2697,13 @@ UserConnect-101016 - Add Mumbai (ap-south-1) to AWS region support list. - Support multiple Splunk indexers by importing Splunk config file. - This enables Aviatrix controller and gateway logs to be integrated + This enables Aviatrix Controller and gateway logs to be integrated with multiple Splunk servers that many enterprises deploy. To configure, go to Settings -> Loggings -> Splunk. Select Import files to import a Splunk configuration file. You may also choose Manual Input, in this case each indexer must be listening on the same port. -- Support DataDog agent for both controller and gateways. To enable, go +- Support DataDog agent for both Controller and gateways. To enable, go to Settings -> Loggings -> DataDog, provide an API Key. - Enhancement for VPN user profile editing: when adding a user to a @@ -1468,7 +2754,7 @@ UserConnect-090416 - Support HA for GCloud gateways with a zone selection option. -- Update REST API to accommodate GUI 2.0 development +- Update API to accommodate GUI 2.0 development UserConnect-082116 ================== @@ -1936,12 +3222,12 @@ UserConnect-082515 - Detailed display of VPC/gateway on Dashboard. Clicking on the gateway name displays the complete configuration of the gateway. -- Support REST API for all CloudOps commands. +- Support API for all CloudOps commands. - Support the option to launch gateway when creating CloudOps VPC pool. - Support CloudOps Access IP address map history and initiator (from - Console or from REST API). + Console or from API). - Hash all password. 
@@ -2048,7 +3334,7 @@ UserConnect-051515 - Support configurable base policy for user profiles -- REST API to change a VPN user’s profile +- API to change a VPN user’s profile UserConnect-050915 ================== diff --git a/HowTos/UserSSL_VPN_Azure_AD_SAML_Config.rst b/HowTos/UserSSL_VPN_Azure_AD_SAML_Config.rst index 078f45cbc..a70883aab 100644 --- a/HowTos/UserSSL_VPN_Azure_AD_SAML_Config.rst +++ b/HowTos/UserSSL_VPN_Azure_AD_SAML_Config.rst @@ -155,6 +155,10 @@ Click **Single sign-on** below **Manage** |imageUserAttrs| +Note: Recently Azure change to New UI "attributes & claims". The following picture is the new reference setting example. + + |imageUserClaims| + **SAML Signing Certificate** #. Find the **Metadata XML** link @@ -199,15 +203,10 @@ Aviatrix Controller SAML Endpoint #. Copy the following into the **Custom SAML Request Template** field: .. code-block:: xml - + + $Issuer - - - - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport - - .. note:: @@ -233,6 +232,7 @@ You can quickly validate that the configuration is complete by clicking on the * .. |imageAddAppSetName| image:: azuread_saml_media/azure_ad_add_new_step_1.png .. |imageAssignUser| image:: azuread_saml_media/azure_ad_assign_user.png .. |imageUserAttrs| image:: azuread_saml_media/azure_ad_saml_user_attrs.png +.. |imageUserClaims| image:: azuread_saml_media/azure_ad_saml_user_claims.png .. |imageSAMLSettings| image:: azuread_saml_media/azure_ad_saml_settings.png .. |imageSAMLMetadata| image:: azuread_saml_media/azure_ad_saml_metadata.png diff --git a/HowTos/UserSSL_VPN_Okta_SAML_Config.rst b/HowTos/UserSSL_VPN_Okta_SAML_Config.rst index 12ccf8f00..6183ac3d4 100755 --- a/HowTos/UserSSL_VPN_Okta_SAML_Config.rst +++ b/HowTos/UserSSL_VPN_Okta_SAML_Config.rst 
@@ -284,10 +284,10 @@ See this `article `__ is setup and running - #. You haveHave a valid `IdP account <#pdc-22>`__ with admin access + #. You have a valid `IdP account <#pdc-22>`__ with admin access #. You have `Downloaded and installed <#pdc-23>`__ the Aviatrix SAML client @@ -40,11 +40,10 @@ If you haven’t already deployed the Aviatrix controller, follow `these instruc 2.2 IdP Account ############### -An IdP refers to an identity provider for SAML. This could be any provider that supports a SAML endpoint like `Okta <./SAML_Integration_Okta_IdP.html>`__, +An identity provider (IdP) is any provider that supports a SAML endpoint like `Okta <./SAML_Integration_Okta_IdP.html>`__, `OneLogin <./SAML_Integration_OneLogin_IdP.html>`__, `Google <./SAML_Integration_Google_IdP.html>`__, -`AWS SSO <./SAML_Integration_AWS_SSO_IdP.html>`__, and `Azure AD <./SAML_Integration_Azure_AD_IdP.html>`__. -You will require administrator access to create IdP endpoints for SAML. Check `IdP-specific SAML Integration <#IdP-integration>`__ to see a list of guides for supported IdP's - +`AWS SSO <./SAML_Integration_AWS_SSO_IdP.html>`__, `Azure AD <./SAML_Integration_Azure_AD_IdP.html>`__, and `PingOne <./SAML_Integration_PingOne_IdP.html>`__. +Administrator access is required to create IdP endpoints for SAML. For a list of supported IdPs, see `IdP-specific SAML App Integration `_. .. _PDC_23: 
@@ -105,7 +104,10 @@ The configuration consists of 8 parts: +-------------------------+--------------------------------------------------------+ | Entity ID | Select `Hostname` for now | +-------------------------+--------------------------------------------------------+ - | Access | Select admin or read-only access | + | Sign Authn Requests | Sign the cert when requesting to IDP from client | + +-------------------------+--------------------------------------------------------+ + | Access | (Removed from 6.0 and later) Select admin or read-only | + | | access | +-------------------------+--------------------------------------------------------+ | Custom SAML Request | For now leave blank, depending on your specific | | Template | IdP, you may have to check this option | @@ -181,9 +183,10 @@ These are guides with specific IdP's that were tested to work with Aviatrix SAML #. `Google <./SAML_Integration_Google_IdP.html>`__ #. `Okta <./SAML_Integration_Okta_IdP.html>`__ #. `OneLogin <./SAML_Integration_OneLogin_IdP.html>`__ +#. `PingOne <./SAML_Integration_PingOne_IdP.html>`__ Other tested IdP's include: -Ping Identity, VmWare VIDM, ForgeRock's OpenAM etc. +VmWare VIDM, ForgeRock's OpenAM etc. .. _Config_33: @@ -198,7 +201,7 @@ After creating the IdP, you need to retrieve IdP Metadata either in URL or text #. Google - provides IdP metadata text #. Okta - provides IdP metadata text #. OneLogin - provides IdP metadata URL - +#. PingOne - provides IdP metadata URL .. _Config_34: 
@@ -330,10 +333,17 @@ Note that if the IDP sends an invalid or empty Profile attribute, the default pr This way Profile associations can be configured at IDP instead of configuring at the controller. -Currently only a single Profile is supported when using Profile as attributes. +Multiple Profiles is supported when using Profile as attribute starting with `release 5.4 `__ + +Multiple profiles can be added seperated by commas. Note that mixing of base rules is not allowed. The profile association can be verified from the Dashboard page after the VPN user has connected. +These are guides with specific IdP's that were tested to work with Aviatrix SAML integration: + +#. `Okta <./Setup_Okta_SAML_Profile_Attribute.html>`__ +#. `PingOne <./Setup_PingOne_SAML_Profile_Attribute.html>`__ + OpenVPN is a registered trademark of OpenVPN Inc. .. |image3-1-1| image:: SSL_VPN_SAML_media/image3-1-1.png diff --git a/HowTos/account_audit.rst b/HowTos/account_audit.rst index cca1b8fe9..32a885475 100644 --- a/HowTos/account_audit.rst +++ b/HowTos/account_audit.rst 
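Review bot: the replacement sentence "Multiple Profiles is supported when using Profile as attribute starting with release 5.4" has a number-agreement error and no terminating period; suggest "Multiple Profiles are supported when using Profile as an attribute, starting with release 5.4." In the next added paragraph, "seperated" should be "separated", and "Note that mixing of base rules is not allowed" needs to say what a base rule is (the reader of this section has not met the term) and what happens when profiles with different base rules are listed, otherwise the restriction cannot be acted on.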
@@ -16,13 +16,25 @@ The Aviatrix Controller periodically checks the accounts it manages to make sure #. An access account IAM role aviatrix-role-ec2 has associated policies. #. An access account IAM role aviatrix-role-app has associated policies. #. An access account has trust relationship to the primary account (the Controller's AWS account). + #. An access account has expired, deleted or invalid credential. If any of the above condition fails, the Controller sends out alert email and logs the event. In addition, the controller will also send alert email on behalf of any of the above condition failures reported by a gateway upon the first detection and subsequently every 24 hours until the problem is rectified. Note the event requires immediate attention; otherwise, it can lead to catastrophic operation outage. Go through the above conditions to repair the configuration. -If you need help, email to support@aviatrix.com. +If you need help, please open a support ticket at `Aviatrix Support Portal `_ + + +.. Note:: + + - Account auditing does not work with the new enhancement "customized IAM role name" in 6.4. In the current design, the account auditing feature looks for the Aviatrix standard IAM role names which are aviatrix-role-app and aviatrix-role-ec2 and the Aviatrix standard policy name which is aviatrix-app-policy. + + - The account auditing feature also does not work if the IAM app role has more than one policy attached because only the first policy is used. + +.. + + .. |secondary_account| image:: adminusers_media/secondary_account.png :scale: 50% diff --git a/HowTos/activemesh_design_notes.rst b/HowTos/activemesh_design_notes.rst index 480d05ff4..cf76cb863 100644 --- a/HowTos/activemesh_design_notes.rst +++ b/HowTos/activemesh_design_notes.rst 
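Review bot: the added ".. Note::" block says account auditing "does not work" with customized IAM role names and with app roles that have more than one policy attached, but it should state the consequence plainly: for such accounts none of the checks listed above run and no alert email is generated, so administrators must not rely on the audit to catch a broken trust relationship or missing policy there. The trailing "+.." line after the note is a stray empty comment directive and should be removed, and the new list item "expired, deleted or invalid credential" should read "credentials".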
@@ -15,12 +15,33 @@ ActiveMesh is the default mode when launching an Aviatrix Transit gateway. This While AWS Transit Gateway (TGW) does not propagate routes to Spoke VPCs, TGW Direct Connect via DXGW and TGW VPN have full functions of failover, multi-path and ECMP in supporting connection to on-prem. This includes: - - TGW DXGW prefers to TGW VPN when both advertising the same network. When DXGW goes down, one of the VPN routes take over. + - TGW prefers DXGW to TGW VPN when both advertising the same network. When DXGW goes down, one of the VPN routes take over. - When there are multiple VPN routes, TGW routing policy selects the shortest AS_PATH length. - When there are multiple VPN routes with identical AS_PATH length, TGW VPN distributes traffic with ECMP when it is enabled. In this case, Aviatrix Controller performs the orchestration function in managing route propagation and Aviatrix Transit gateways are used to connect two TGWs. +Design Note: Implementing TGW with VPN backup design could lead to asymmetric routing i.e with traffic from AWS to on-premises +traversing the DX as inteneded while traffic from on-premises to AWS traversing the IPSec VPN tunnel instead. + +Traffic from AWS to on-premise prefers the AWS DXGW over the VPN connection because the TGW effectively sets a higher “local +preference” (LOCAL_PREF) on the DXGW BGP sessions (refer to Route Evaluation Order as outlined in the AWS Transit Gateway +documentation). + +For traffic from on-premises to AWS, the DX path should be preferred because AWS sets a Multi Exit Discriminator (MED) value +of 100 on BGP sessions over VPN links as compared to the default value of 0 over the DX path. This works well in the case DX +and VPN are used with a Virtual Private Gateway (VGW) as the same AS is announced over both connections but in case of the +TGW, the DX path uses a different ASN compared to the VPN path. + +The advertised ASN over VPN is the TGW AS while the ASN over DX is the ASN of the DXGW. 
Note that in case of TGW, the AS path +over the DXGW path only consists of the DXGW AS instead of AS path length of two with TGW AS + DXGW AS. This is the result of +manually setting the CIDRs to be announced by the AWS DXGW towards on-premises which effectively causes DXGW to originate the +routes resulting in a reduced path length of one over DX which is the same AS path length as over the VPN link but different +AS path. + +To ensure that the on-premises routers always cosnider the MED value, set the “bgp always-compare-med” knob. This forces the +router to compare the MED if multiple routes to a destination have the same local preference and AS path length. + The deployment is shown in the diagram below. |activemesh_tgw_onprem| @@ -84,8 +105,7 @@ learned by the local Aviatrix Transit Gateway. 2.4 Overlapping Spoke VPC CIDRs ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -If there are overlapping Spoke VPCs CIDRs attached to the TGWs in two regions and you wish to connect them via Aviatrix Transit Gateway Pee -ring, use `Exclude Network CIDRs `_ on both +If there are overlapping Spoke VPCs CIDRs attached to the TGWs in two regions and you wish to connect them via Aviatrix Transit Gateway Peering, use `Exclude Network CIDRs `_ on both Aviatrix Transit Gateways to exclude these overlapping Spoke VPC CIDRs. 3. NAT Functions 
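Review bot: the added "Design Note" block in the activemesh_design_notes.rst hunk has two typos, "inteneded" (intended) and "cosnider" (consider), and mixes "on-premise" with "on-premises" within the same paragraph; pick one spelling. Since this is a warning about asymmetric routing that operators need to act on, consider rendering it with the ".. note::" directive the HowTos already use rather than a plain "Design Note:" paragraph, and the statement that AWS sets a MED of 100 on VPN sessions and 0 on DX would benefit from the same kind of documentation link the paragraph gives for Route Evaluation Order.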
@@ -93,7 +113,15 @@ Aviatrix Transit Gateways to exclude these overlapping Spoke VPC CIDRs. SNAT function is supported on the individual connection between the Aviatrix Transit Gateway and the remote sites. -SNAT function is not supported on the Spoke gateway tunnel interface to the Aviatrix Transit Gateway. +Starting Release 5.4, SNAT and DNAT functions are supported on the Spoke gateway tunnel interface to the Aviatrix Transit Gateway. + +4. Egress Routes Propagation Behavior +---------------------------------------- + +If Firewalls are deployed for Internet bound Egress traffic in either FireNet and Transit FireNet deployment, the default routes are propagated +to the remote peer by Transit Gateway peering. This allows Firewalls to be shared across regions. + +If you have regional Firewalls for Egress traffic, make sure you apply filter to filter out the default routes. 4. Configuration Notes ----------------------- diff --git a/HowTos/activemesh_faq.rst b/HowTos/activemesh_faq.rst index 660d72a84..d27df5d69 100644 --- a/HowTos/activemesh_faq.rst +++ b/HowTos/activemesh_faq.rst 
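Review bot: the new section "4. Egress Routes Propagation Behavior" is inserted directly before the existing "4. Configuration Notes", so the file now has two sections numbered 4; renumber "Configuration Notes" to 5. The last sentence, "make sure you apply filter to filter out the default routes", should name where that filter is configured and say why it matters: because Transit Gateway peering propagates each region's firewall 0.0.0.0/0 to the remote peer, a region with its own egress firewall can otherwise end up sending Internet-bound traffic across the peering to the other region's firewall.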
@@ -54,15 +54,28 @@ What are the advantages of ActiveMesh? The key benefits of ActiveMesh are improved network resiliency, failover convergence time and performance. -How to enable ActiveMesh? --------------------------- +How to enable ActiveMesh 1.0? +-------------------------------- -ActiveMesh is not enabled by default. Follow the `Aviatrix Encrypted Transit Network workflow `_ to enable ActiveMesh mode. +ActiveMesh enabled by default. For Aviatrix Transit or Spoke gateway launched before ActivMesh +mode become available, follow the `Aviatrix Encrypted Transit Network workflow `_ to enable ActiveMesh mode. -How to troubleshoot ActiveMesh deployment? --------------------------------------------- +How to troubleshoot ActiveMesh Transit Gateway? +------------------------------------------------- + + 1. **Check IPSec Tunnel**. For BGP learned routes, check if the IPSEC tunnel is up. Go to Site2Cloud -> Setup. Find the connection and make sure it is in Up state. If it is not, go to Site2Cloud -> Diagnostics and run "Show log". Since all BGP sessions run inside IPSEC tunnel, this is the first thing you should check. + #. **Check BGP Session**. For BGP learned routes, check if BGP session is established. Go to (Multi-Cloud) Transit Network -> Advanced Config -> BGP. Look for the BGP session and make sure it is in Established State. If it is not, go to (Multi-Cloud) Transit Network -> Advanced Config -> Diagnostics. Select the transit gateway, run commands, such as "show ip bgp". + #. **Check BGP Learned Routes** For BGP learned routes, check if routes are learned. Go to (Multi-Cloud) Transit Network -> Advanced Config -> Diagnostics. Select the transit gateway, run "show ip bgp" to make sure the transit gateway under inspection has learned the routes you are looking for. + #. **Check Route Database** For all routes, check if the Controller see all the learned routes from TGW, BGP, Transit Peering and Static. Go to Multi-Cloud Transit -> List. 
Select the Transit Gateway, click Show Details. Scroll down and refresh `Route Info DB Details`. This table contains learned routes from all sources. + #. **Check Aviatrix Transit Gateway Programmed Routes** Go (Multi-Cloud) Transit Network -> List. Select the Transit Gateway, click Actions -> Show Details. Scroll down to the Gateway Routing Table and click to open. Make sure the routes you are looking for is in the table and has a next hop with metric 100 or lower. + #. **Sync Routes** If for any reason the Route Database on the Controller become inconsistent with the Aviatrix Transit Gateway route table, sync the routes to force program the routes on the gateway again. Go to Multi-Cloud Transit -> Advanced Config. Select the Aviatrix Transit Gateway in question, scroll down to the `Sync Controller Best Routes to Transit Gateway`, click `Sync Routes`. + +If any of the above steps show failure, there is an error, please open a support ticket at `Aviatrix Support Portal `_ for more debugging assistance. + +If all above steps succeed, the connectivity issue lies somewhere else. Check Spoke VPC route table and TGW route table if applicable. + +If this is TGW based deployment, run an Audit by going to TGW Orchestrator -> Audit. Any missing routes in either VPC route table or TGW route table should be discovered. -Go to Transit Network -> List. Select either the Transit GW or a spoke gateway, click Show Details. How to migrate from the encrypted transit network to ActiveMesh mode? ---------------------------------------------------------------------- @@ -73,8 +86,8 @@ Here are the steps: 1. Launch a new Transit GW and enable ActiveMesh on it. #. Detach a current spoke and attach it to the new Transit GW. -Can ActiveMesh be applied to Azure? -------------------------------------- +Can ActiveMesh be applied to Azure, GCP and OCI? +---------------------------------------------------- Yes. 
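Review bot: several grammar problems in the rewritten "How to enable ActiveMesh 1.0?" and "How to troubleshoot ActiveMesh Transit Gateway?" text of the activemesh_faq.rst hunk: "ActiveMesh enabled by default" needs "is"; "ActivMesh mode become available" should be "ActiveMesh mode became available"; "check if the Controller see all the learned routes" should be "sees"; "the routes you are looking for is in the table" should be "are"; "Route Database ... become inconsistent" should be "becomes"; and "If any of the above steps show failure, there is an error, please open a support ticket" is a run-on, suggest "If any of the above steps fails, open a support ticket ...". Steps 3, 4, 5 and 6 also lack the period after the bold label that steps 1 and 2 have.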
@@ -98,7 +111,11 @@ Does ActiveMesh support route based VPN or policy based VPN? ActiveMesh enables the Aviatrix Transit GW to connect to multiple remote sites over IPSec VPN tunnels. -When you configure VPN to remote sites from Transit Network -> Setup -> Step 3 (Connect to VGW/External Device/Aviatrix CloudN) in the `Transit Network workflow Step 3 `_, the VPN tunnel is built with route based VPN. +When you configure VPN to remote sites from Transit Network -> Setup -> Step 3 (Connect to VGW/External Device/Aviatrix CloudN) in the `Transit Network workflow Step 3 `_, the VPN tunnel is built with route based VPN on the Aviatrix Transit Gateway. + +Starting from Release 6.0, ActiveMesh Transit Gateway supports both remote route based VPN and remote policy based VPN tunnels. In both cases, +the Aviatrix Transit Gateway operates in route based mode. Note if the remote site is policy based static VPN, +traffic must be initiated from the remote site. On the other hand, when you configure VPN to remote sites from Site2Cloud page and select a Transit GW, the VPN tunnel is built with policy based VPN. 
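Review bot: the added sentence "Note if the remote site is policy based static VPN, traffic must be initiated from the remote site" states a constraint without its reason or its visible effect. Suggest saying why the Aviatrix side cannot bring the tunnel up itself in this combination and what an operator will see until the remote side sends traffic, so that a tunnel in that state is not misdiagnosed as a failure with the Site2Cloud "Up" state check described elsewhere in this FAQ. Also "policy based" and "route based" are used as adjectives throughout this hunk and should be hyphenated ("policy-based", "route-based").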
@@ -112,6 +129,52 @@ it participates in packet forwarding again. To stop an ActiveMesh gateway, you should disable the Gateway Single AZ HA feature. Highlight the gateway at the Gateway page, click Edit. Scroll down to Gateway Single AZ HA, click Disable. +What is ActiveMesh 2.0? +------------------------- + +ActiveMesh 2.0 is a new iteration of ActiveMesh. The main advancement of ActiveMesh 2.0 is its deterministic nature of Next Hop selection. + +Here is how Aviatrix Transit Gateway routing engine treats the following types of routes. + +======================================================== =============== ========== +**Networks** **Route Type** **Aviatrix Transit Gateway Route Propagation** +======================================================== =============== ========== +Local TGW attached VPC CIDR tgwvpc Local +Aviatrix Spoke gateway associated VPC/VNet CIDR vpc Local +Azure Native Spoke associated VNet CIDR vpc Local +Local TGW VPN dynamically learned network CIDR tgwedge Advertises TGW VPN ASN and its remote peer ASN to a remote BGP peer if it's the best route. +Local TGW DXGW learned network CIDR tgwedge Advertises TGW DXGW ASN and its remote peer ASN to a remote BGP peer if it's the best route. +Remote Aviatrix Transit Gateway Peering learned routes peer Advertises remote Aviatrix peer's network CIDRs to a remote BGP peer if it's the best route. +Aviatrix Transit Gateway BGP learned from on-prem bgp Advertises to its remote peers by Aviatrix Transit Gateway peering if it's the best route. +Aviatrix Transit Gateway statically learned from on-prem static Local +Aviatrix Transit Gateway associated VPC/VNet CIDR linklocal Local +Local Firewall Egress route (0.0.0.0/0) transit Local +Aviatrix Transit Gateway SNAT IP address linklocal Local +======================================================== =============== ========== + +With this approach, there is more visibility on learned routes regarding what paths the routes are learned from. 
+ +The next hop best path selection follows the priorities listed below. + + 1. Local + #. Shortest number of ASN list + #. For two identical length ASN routes, select the next hop with the lowest Metric Value + #. For two identical ASN length and Metric Value routes, if ECMP is disabled (this is the default configuration), select the current best route. If there is no current best route, the next hop IP addresses are compared, the lower integer IP address is selected. + #. For two identical ASN length and Metric Value routes, if ECMP is enabled, traffic is distributed to both routes using ECMP. + +How to migrate to ActiveMesh 2.0? +-------------------------------------- + +There are 3 scenarios: + +================================= =============================================================================================== ========== +**Deployment** **Notes** **ActiveMesh 2.0 Migration** +================================= =============================================================================================== ========== +Non ActiveMesh deployment the Aviatrix Transit Gateway in the deployment has been launched before Release 5.1 (10/1/2019) follow `this instructions `_ +ActiveMesh 1.0 deployment the Aviatrix Transit Gateway was launched with ActiveMesh option enabled prior to Release 6.0 migrate to ActiveMesh 2.0 by going to Settings -> Maintenance -> Migration -> ActiveMesh 2.0 Migration, click Migrate. +New ActiveMesh 2.0 deployment the Aviatrix Transit Gateway was launched with ActiveMesh option enabled after Release 6.0 ActiveMesh 2.0 is automatically enabled for brand new deployment on a Controller. +================================= =============================================================================================== ========== + .. |activemesh_spoke_transit| image:: activemesh_faq_media/activemesh_spoke_transit.png :scale: 30% diff --git a/HowTos/activemesh_migration.rst b/HowTos/activemesh_migration.rst index 5729a8b2f..c2c5bd504 100644 
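Review bot: in the "How to migrate to ActiveMesh 2.0?" table, "follow `this instructions `_" should be "follow `these instructions `_", and "for brand new deployment on a Controller" should be "for brand-new deployments on a Controller". In the next-hop selection list above it, "Shortest number of ASN list" is unclear; suggest "Shortest AS path (fewest ASNs in the list)", which also matches the "identical ASN length" wording of the following items. The route-type table would also read better if its last column header, "Aviatrix Transit Gateway Route Propagation", did not extend past the column border of the other two headers.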
--- a/HowTos/activemesh_migration.rst +++ b/HowTos/activemesh_migration.rst @@ -42,8 +42,9 @@ The steps are documented in detail below. 9. Repeat steps 5 through 8 for all spokes -10. You can go to "Controller/Gateway" and select your old Transit and Transit-HA gateways and delete them -11. Please check your network routes and connectivity and open a ticket if you run into any issues, by sending an email to support@aviatrix.com +10. Prior to Deleteing the old gateways please go to Multi Cloud Network >> Advanced and select the old gateway from the drop down. Make sure that the option Advertise Transit VPC CIDR is disabled. Once this is verified you can go to "Controller/Gateway" and select your old Transit and Transit-HA gateways and delete them. + +11. Please check your network routes and connectivity and open a ticket on `Aviatrix Support Portal `_ if you run into any issues .. |image1| image:: ./activemesh_migration_media/image1.png diff --git a/HowTos/adminusers_media/account_name_alias.png b/HowTos/adminusers_media/account_name_alias.png new file mode 100644 index 000000000..ff2c9ae65 Binary files /dev/null and b/HowTos/adminusers_media/account_name_alias.png differ diff --git a/HowTos/advanced_config.rst b/HowTos/advanced_config.rst index 49790ad3e..412ade2f9 100644 --- a/HowTos/advanced_config.rst +++ b/HowTos/advanced_config.rst 
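Review bot: step 10 of the activemesh_migration.rst hunk tells the reader to make sure "Advertise Transit VPC CIDR" is disabled on the old gateway before deleting it but gives no reason; state what goes wrong if it is left enabled, since that is what makes the check worth doing. Also "Deleteing" should be "deleting", "drop down" should be "drop-down", and step 11 should end with a period.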
@@ -14,13 +14,64 @@ tunnel down detection time. Aviatrix gateways samples the tunnel status every 10 seconds. +Anti-replay Window +------------------ + +Specify the IPSec tunnel anti-replay window size. + +- The size range is 0 to 4096. +- The default value is 0. +- Set the size to 0 to disable anti-replay protection. +- If “controller” of “Aviatrix Entity” is selected, all gateways share the same tunnel anti-replay window. + Keepalive ------------- +--------- In normal state, Aviatrix gateways send keep alive messages to the Controller. Keep Alive Speed determines when Controller determines if a gateway is down. See `Gateway State `_ for more information. +Password Requirements +---------------------- + +Aviatrix uses a password meter to enforce password requirements. The default password requirements are: + +- Minimum characters - 4. +- Maximum characters - 16,777,216 or 16MB. +- At least 1 upper and 1 lower case character. +- At least 1 numeral character. +- At least one special character. + +Password Management +---------------------- + +By default, password management is disabled for controller's account users which means there is no restriction for password length and expiration validity check. + +If company's requires strict regulation for passwords then password restriction can be managed and enabled in Controller's console. + +Navigate to Settings -> Advanced -> Password Management to enable password management. Password Management allows to put the following restriction for account's user: + + #. Minimum Password Length + #. Maximum Password Age(Days) and + #. Enforce Password History which force users to use new strong password. + +If you are using the Password Management option, the policy default values are: + +- Minimum characters – 8. +- Age limit - 180 days. +- Not repeatable times – 5. + +If you are using the Password Management option, the policy ranges are: + +- Minimum characters – 8. +- Maximum characters – 32. +- Age limit is 1 - 365 days. 
+- Not repeatable times is 1 – 12. + +Credentials +--------------- +In order to exercise 90 days security compliance requirement for key rotation policy, API key pair and other internal passwords for company IAM account needs to be refreshed frequently. + BGP Config ------------ 
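Review bot: the new "Anti-replay Window" section in the advanced_config.rst hunk lists "The default value is 0" and "Set the size to 0 to disable anti-replay protection" as separate bullets without drawing the conclusion: by default IPSec anti-replay protection is off. Say that explicitly, and note the trade-off when choosing a size (too small a window drops legitimately reordered packets), so operators can make an informed choice. The bullet "If “controller” of “Aviatrix Entity” is selected" should read "If “controller” is selected as the “Aviatrix Entity”". In "Password Management", "If company's requires strict regulation" should be "If your company requires strict regulation", "Not repeatable times" would be clearer as "Password history (number of previous passwords that cannot be reused)", and the default maximum of 16,777,216 characters in "Password Requirements" versus 32 under Password Management should be explained. The new "Credentials" section states a 90-day rotation requirement but gives no procedure for rotating the API key pair and internal passwords; either add the steps or link to the page that has them, and "needs to be refreshed" should be "need to be refreshed".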
@@ -59,10 +110,59 @@ Overlapping Alert Email Aviatrix, by default, will alert you if you add a spoke that overlaps with your on-premise network (or, if you start advertising a network from on-premise that overlaps with a spoke). However, there are some cases where you expect overlaps and the alert emails are not helpful. For these cases, you can disable the overlap checking. To do this go to -**Advanced Config** > **BGP Alert Email** > **BGP Overlapping Alert Email** +**Settings** > **Controller** > **Alert Bell** > **Overlapped CIDR Check** Toggle the switch to **Disabled** to disable overlap checking. +Proxy +-------- + +Proxy configuration is available for Release 6.3 and later. It is a global setting that applies to Controller and all gateways. + +There are scenarios where a corporation requires all Internet bound web traffic be inspected by a proxy server before being allowed +to enter Internet. Such requirement may apply to cloud deployment, and when it happens, both Controller and gateways need to comply to +the policy. This is accomplished by enabling and configuring proxy server on the Controller. + +When a proxy server is configured on the Aviatrix platform (Controller and gateways), all Internet bound HTTP and HTTPS traffic initiated by +the Controller and gateways is forwarded to the proxy server first before entering Internet. Such traffic includes all cloud provider +API calls made by the Controller and gateways. + +.. important:: + + The domain name .aviatrix.com must be excluded by the proxy server from SSL or HTTPS termination. + +Configuration +################ + +========================================= ========================= +**Field** **Value** +========================================= ========================= +HTTP Proxy proxy server IP address for HTTP traffic +HTTPS Proxy proxy server IP address for HTTPS traffic (usually the same as HTTP Proxy field) +(Optional) Proxy CA Certificate This field is optional. 
When a CA Certificate is uploaded, the Controller and gateway expect that the proxy server will terminate a HTTPS request initiated by them and will initiate a new HTTPS request on behalf of them. When this option is not used, the proxy server simply forwards HTTP/HTTPS traffic. +========================================= ========================= + +Test +~~~~~~ + +The Test option runs a few HTTPS request to make sure your proxy configuration is correct. + +Once all fields are configured, click Test to validate if your configuration is correct. If not, results are displayed. Correct the +configuration and try again. + +Apply +~~~~~~~ + +Apply is clickable only after Test is passed. When Apply is applied, the proxy configuration takes effect. + +Delete +~~~~~~~ + +To disable proxy, click Delete. + + + + .. |imageGrid| image:: advanced_config_media/grid.png .. disqus:: diff --git a/HowTos/alert_and_email.rst b/HowTos/alert_and_email.rst index 236eb99b6..938502468 100644 --- a/HowTos/alert_and_email.rst +++ b/HowTos/alert_and_email.rst @@ -15,6 +15,8 @@ By default, the alert email is sent to the admin of the Controller. The email ca By default, the source email address is no-reply@aviatrix.com. +By default, the SMTP service is provided by a third-party, Sendgrid. Even though Aviatrix implements third-party risk monitoring, we are not responsible for Sendgrid controls. Aviatrix recommend customer to configure your own SMTP service. + How to change alert email configuration ---------------------------------------- 
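Review bot: in the Proxy configuration table, "proxy server IP address for HTTP traffic" does not say whether the field takes a bare IP, an IP with port, or a URL with scheme; state the expected format. The "(Optional) Proxy CA Certificate" description should also spell out the security consequence it implies: once the CA certificate is uploaded, the Controller and gateways trust the proxy to terminate their HTTPS sessions, which means every cloud-provider API call listed earlier in the section is decrypted at the proxy, so that CA and proxy need the same level of protection as the Controller itself. Smaller points: "runs a few HTTPS request" should be "requests", "When Apply is applied" should be "When Apply is clicked", and the run of blank lines before ".. |imageGrid|" can be trimmed to one.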
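Review bot: the added SMTP paragraph in the alert_and_email.rst hunk should read "Aviatrix recommends that customers configure their own SMTP service" rather than "Aviatrix recommend customer to configure your own SMTP service", and the product name is "SendGrid". Since the recommendation is the point of the paragraph, link it to the "How to Change Email Notification Source" section of the same page where the customer-owned SMTP setup is described.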
@@ -28,6 +30,20 @@ If you would like the alert messages to be sent to a different email, |change_alert_email| +How to manage Alert Bell notification? +------------------------------------------------------ + +The Alert Bell notification can be managed under Settings -> Controller -> Alert Bell. + +By default, Alert Bell notification is enabled for the following features: + 1. **Overlapped CIDR Check** - Alert when BGP routes overlap in Site2Cloud. + #. **Guard Duty Check** - Alert gets logged as Alert Bell notification and block malicious IP addresses when offending IPs are detected by Guard Duty. To learn more about Guard Duty integration with Aviatrix click `here `_. + #. **Log Service Check** - This alarm generates a warning as a Alert Bell notification for remote syslog server down event. + #. **Reach of Route Limit Check** - Alert when VPC and BGP route limits reach a threshold. + #. **Blackhole Route Entry Check** - Alert when VPC route table has inactive routes. To learn more about Blackhole Routes click `here `_. + +|alert_bell_notify| + How to Change Email Notification Source ----------------------------------------- @@ -66,8 +82,11 @@ Note that newly created SES accounts are placed in an "AWS SES Sandbox" and will g. Protocol: TLS h. Click “Save” +How to not send exception notification to Aviatrix +------------------------------------------------------------- - +Software exception notification button gives an ability to customers to disable exception emails send to Aviatrix. To disable notification, go to Settings -> Controller -> Email, scroll down to find the software exception field and click Disable. +  @@ -86,5 +105,7 @@ Note that newly created SES accounts are placed in an "AWS SES Sandbox" and will .. |aws_verify_email| image:: alert_and_email_media/aws_verify_email.png :scale: 30% +.. |alert_bell_notify| image:: alert_and_email_media/alert_bell_notify.png + :scale: 30% .. disqus:: 
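Review bot: in the added "How to manage Alert Bell notification?" list, "a Alert Bell notification" appears twice and should be "an Alert Bell notification", and in the Guard Duty item "Alert gets logged ... and block malicious IP addresses" should be "blocks". Because that item describes an automatic blocking action, it would help to say where the block is enforced (or link to it via the existing Guard Duty link) so readers understand the effect of leaving it enabled.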
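Review bot: the "How to not send exception notification to Aviatrix" hunk adds a line that contains only a non-breaking space after the paragraph; remove it. Suggest the heading "How to disable software exception notifications to Aviatrix", and "gives an ability to customers to disable exception emails send to Aviatrix" should be "lets customers disable the exception emails sent to Aviatrix".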
diff --git a/HowTos/alert_and_email_media/alert_bell_notify.png b/HowTos/alert_and_email_media/alert_bell_notify.png new file mode 100644 index 000000000..6929dbef5 Binary files /dev/null and b/HowTos/alert_and_email_media/alert_bell_notify.png differ diff --git a/HowTos/aviatrix_account.rst b/HowTos/aviatrix_account.rst index 813ebafe0..c2391902e 100644 --- a/HowTos/aviatrix_account.rst +++ b/HowTos/aviatrix_account.rst @@ -74,12 +74,15 @@ The CloudFormation is necessary to create IAM roles, policies and establish a tr .. |secondary_account| image:: adminusers_media/secondary_account.png - :scale: 50% + :scale: 30% .. |account_structure| image:: adminusers_media/account_structure.png - :scale: 50% + :scale: 30% .. |access_account_35| image:: adminusers_media/access_account_35.png - :scale: 50% + :scale: 30% + +.. |account_name_alias| image:: adminusers_media/account_name_alias.png + :scale: 30% .. disqus:: diff --git a/HowTos/aviatrix_account_alibaba.rst b/HowTos/aviatrix_account_alibaba.rst new file mode 100644 index 000000000..77196806d --- /dev/null +++ b/HowTos/aviatrix_account_alibaba.rst 
@@ -0,0 +1,62 @@ +.. meta:: + :description: Aviatrix Cloud Account for Alibaba + :keywords: Aviatrix account, Alibaba, Aviatrix Alibaba account credential, API credential + +=========================================================== +Alibaba Cloud Account Credential Setup +=========================================================== + +Creating an Alibaba Primary Access Account +===================================================== + +1. Access your Alibaba account info in the Alibaba UI. Click on the User Icon so you can access the Alibaba Cloud Account ID, Cloud Access Key ID, and Cloud Secret Key. You need the Alibaba account information to create the Alibaba Primary Access Account in the Aviatrix Controller. + + |alibaba_user_icon| + +2. In the Alibaba UI, create an AccessKey pair for authenticating the Aviatrix Controller. Click on the User Icon and navigate to AccessKey Management > Create Access Key. + + |alibaba_accesskey| + +3. In the Aviatrix Controller, navigate to Accounts > Access Accounts and select Alibaba Cloud. Add an Account Name and enter the Alibaba Cloud Account ID, Cloud Access Key ID, and Cloud Secret Key. Optional - add any RBAC Groups that should have access to the Primary Access Account. + + +Deploying the Aviatrix Gateway in your Alibaba Cloud +===================================================== + +You must satisfy the prerequisites in “Creating an Alibaba Primary Access Account” before Deploying the Aviatrix Gateway in your Alibaba Cloud. + +1. Access your Alibaba account info in the Alibaba UI. Click on the User Icon and record your Alibaba Account ID. + +2. Communicate your Alibaba Account ID to your Aviatrix Support representative. + +3. Your Aviatrix Support representative shares the Aviatrix gateway image with your Alibaba account. + +4. Verify your Alibaba account can access the Aviatrix gateway image. Go to Elastic Compute Service > Instances & Images > Images > Shared Image to view the image. + + |alibaba_share_image| + +5. 
Create an Alibaba Primary Access Account in the Aviatrix Controller. + +6. Deploy the Aviatrix Gateway in the Alibaba cloud. + +Alibaba Cloud Default Limitations +================================= + +- The EIP bandwidth limit is 200 Mbit/s. The Aviatrix Spoke to Transit and Transit to Spoke connections maximum bandwidth is 400 Mbit/s. You can purchase different plans to increase throughput and bandwidth. + +- A maximum of 48 routes in each route table is supported by default. If you require more routes in each route table, contact Alibaba Support. + +- The Alibaba API takes 1-2 seconds to add or delete one route in one VPC route table. No route update requests are accepted while a route is being added or deleted. + +- Outgoing traffic to public non-RFC1918 IP address from an instance with a public IP does not look at the VPC route table. Even non-RFC1918 routes are configured on VPC route table. If you want to improve this non-RFC1918 traffic routing behavior on public instance, contact Alibaba Support. + +.. |alibaba_user_icon| image:: aviatrix_account_alibaba_media/alibaba_user_icon.png + :scale: 50% + +.. |alibaba_accesskey| image:: aviatrix_account_alibaba_media/alibaba_accesskey.png + :scale: 50% + +.. |alibaba_share_image| image:: aviatrix_account_alibaba_media/alibaba_share_image.png + :scale: 50% + +.. disqus:: diff --git a/HowTos/aviatrix_account_alibaba_media/alibaba_accesskey.png b/HowTos/aviatrix_account_alibaba_media/alibaba_accesskey.png new file mode 100644 index 000000000..2c91f0504 Binary files /dev/null and b/HowTos/aviatrix_account_alibaba_media/alibaba_accesskey.png differ diff --git a/HowTos/aviatrix_account_alibaba_media/alibaba_share_image.png b/HowTos/aviatrix_account_alibaba_media/alibaba_share_image.png new file mode 100644 index 000000000..42bbee675 Binary files /dev/null and b/HowTos/aviatrix_account_alibaba_media/alibaba_share_image.png differ 
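Review bot: in "Creating an Alibaba Primary Access Account", steps 1 and 2 have the reader obtain the Cloud Access Key ID and Cloud Secret Key from the account's own User Icon menu and create an AccessKey pair there, which is the Alibaba Cloud account (root) credential. The doc should recommend creating the AccessKey pair for a dedicated RAM user granted only the permissions the Controller needs, and should say that the secret is displayed only at creation time and must be stored securely, since the Controller will hold it as a long-lived credential. In "Alibaba Cloud Default Limitations", the last bullet's second sentence is a fragment: "Even non-RFC1918 routes are configured on VPC route table" should be joined to the previous sentence as "... does not look at the VPC route table, even if non-RFC1918 routes are configured in it." The first bullet should also explain how a 200 Mbit/s EIP limit yields a 400 Mbit/s Spoke-to-Transit maximum.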
diff --git a/HowTos/aviatrix_account_alibaba_media/alibaba_user_icon.png b/HowTos/aviatrix_account_alibaba_media/alibaba_user_icon.png new file mode 100644 index 000000000..4e0f19b34 Binary files /dev/null and b/HowTos/aviatrix_account_alibaba_media/alibaba_user_icon.png differ diff --git a/HowTos/aviatrix_apis_datacenter_extension.rst b/HowTos/aviatrix_apis_datacenter_extension.rst deleted file mode 100644 index 2394f18ca..000000000 --- a/HowTos/aviatrix_apis_datacenter_extension.rst +++ /dev/null 
@@ -1,207 +0,0 @@ -.. meta:: - :description: Datacenter extension API reference design - :keywords: datacenter extension, Aviatrix API, Aviatrix, VLAN stretching - -================================================= - REST API Example -================================================= - - - -Introduction -============ - -The APIs for Aviatrix can be used for the tasks -that are done through the Web UI. - -The following is an example of utilizing the APIs to create a VPC/VNet -under Datacenter Extension. For the complete REST API documentation, check out `this link. `_ - -Datacenter Extension capability manages your cloud address range. It -creates VPC/VNet, subnets, routing tables and creates an IPSec tunnel to -the virtual appliance (ACX), so that on-premise VMs and -servers can communicate with instances in the created VPC with packet -encryption and private IP addresses. - -Workflow for Datacenter Extension -================================= - -Make sure the latest version of Aviatrix software is installed or -upgraded before you start. You should see the alert for software upgrade -on the menu bar of the controller if a newer version is available. Click -**Upgrade** and wait for the upgrade to complete. - -Here are the steps to successfully use the APIs to achieve the same -result without the Web UI. - -1. Log in to get the session ID - -2. Enter the license (customer ID) - -3. Set up the maximum number of VPC/VNet - -4. Create a user account - -5. Create a VPC/VNet for Datacenter Extension - -Use the APIs to Create a VPC/VNet -================================= - -The APIs in this section are to demonstrate how to use them to accomplish the steps described above. -The data used here is for demonstration purposes only. Replace the values in your case. - -For more information, refer to “Cloud Services Gateway Controller API -reference” for details. 
You can retain a copy of this document under -**?Help > API Reference** on the menu bar after you log on the Web -console. - -1. Log in to get the session ID - - :: - - https://IP_Address_of_ACX/v1/api?action=login&username=admin&password=password - - Replace IP_Address_of_ACX with your own IP address of ACX. - Replace the values of username and password with the credentials you use to log in the Web console. - - It should return a CID upon successful login. - :: - - { - "return": true, - "results": "User login:admin in account:admin has been authorized - successfully - Please check email confirmation.", - "CID": "584b4b57a42f2" - } - -Note the value of the CID for the API calls hereafter. - -2. Enter the license - - Obtain a valid license (customer ID) from Aviatrix in advance then enter the value in the API - - :: - - https://IP_Address_of_ACX/v1/api? - CID=584b4b57a42f2&action=setup_customer_id&customer_id=carmelodev-1234567898.64 - -Replace the value of CID with the one in step 1. -Replace the value of customer_id with your license. -Make sure the license is successfully entered and it returns the license information correctly. - - :: - - { - "return": true, - "results": { - "license_list": [ - { - "Lic-1436678987.59": { - "Verified": 0, - "Type": "c4.4xlarge", - "Expiration": "2017-12-09", - "Allocated": 0, - "IssueDate": "2016-12-09", - "Quantity": 20 - } - } - ], - "CustomerID": "carmelodev-1234567898.64" - } - } - -3. Set up the maximum number of VPC/VNet :: - - https://IP_Address_of_ACX/v1/api?CID=584b4b57a42f2&action=setup_max_vpc_containers&vpc_num=4 - -| Replace the value of CID with the one in step 1. -| Replace the value of vpc_num with the number you desire to set up. - - :: - - { - "return": true, - "result": { - "cidr_list": [ - "10.16.32.0\/19", - "10.16.64.0\/19", - "10.16.96.0\/19", - "10.16.128.0\/19" - ] - } - } - -4. 
Create a User Account - - Before calling the API to set up an account that enables ACX to access the cloud, gather the account information from the cloud - provider. - - | AWS ( cloud_type = 1 ): Account Number, Access key and Secret Key - | Azure ( cloud_type = 2 ): Azure Subscription ID - | Azure RM ( cloud_type = 8 ): Azure Subscription ID, Application Endpoint, Application Client ID and Application Client Secret - - This API needs to use POST method of HTTP to send the account information. Use any tool of your preference to send the POST HTTP - request - - :: - - POST https://192.168.0.251/v1/api - - Body - - { - "CID": "584b4b57a42f2", - "action": "setup_account_profile", - "account_name": "user2", - "account_password": "12345", - "account_email": "user2@123abc.com", - "cloud_type": "1", - "aws_account_number": "982805288348", - "aws_access_key": "AKIAIQDAABCPKKKWQA", - "aws_secret_key": "9ttSESnQvb\/OlWZKCjyPsbcdYgamthksK2+1G" - } - - | The above example is to set up an AWS account (cloud_type is 1 ). - | The others are the account information from AWS. - -:: - - { - "return": true, - "results": "An email with instructions has been sent to - user2@123abc.com" - } - -5. Create a VPC/VNet for Datacenter Extension - - | Currently, two cloud types are available for Datacenter Extension. - | They are AWS and Azure ARM. Hence, it either to create a VPC or VNet. - - | The CIDR of this VPC/VNet can only be one of the available CIDRs you set up in step 3. - - Enter the CIDR as the value of vpc_net in this API. :: - - POST https://172.16.150.15/v1/api - - Body - - { - "CID": "584b4b57a42f2", - "action": "create_container", - "cloud_type": "1", - "account_name": "user2", - "vpc_name": "dc-us-west-1", - "vpc_reg": "us-west-2", - "vpc_size": "t2.micro", - "vpc_net": "10.16.96.0\/19" - } - -| The result is expected to return after a while. - -| There are other options you can specify when you use this API to create a VPC/VNet. 
-| Refer to the reference document for more details about the options. - - -.. add in the disqus tag - -.. disqus:: diff --git a/HowTos/aviatrix_aws_outposts.rst b/HowTos/aviatrix_aws_outposts.rst new file mode 100644 index 000000000..b6c0ff3d5 --- /dev/null +++ b/HowTos/aviatrix_aws_outposts.rst 
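Review bot: this deletion also removes a sample `setup_account_profile` body carrying a realistic-looking `aws_access_key` / `aws_secret_key` pair and a real-looking `aws_account_number`, plus a login example that passes `username=admin&password=password` in a GET query string. Deleting the page is fine, but if the API walkthrough is republished elsewhere, the sample should use obviously fake placeholders (e.g. `AKIA_EXAMPLE`) and show the login as a POST with the credentials in the body, since URL query strings end up in proxy and web-server logs. The deleted text also had an empty link target (`check out `this link. `_`), so the replacement should carry a working URL.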
@@ -0,0 +1,161 @@ +.. meta:: + :description: Aviatrix in AWS Outposts + :keywords: Outposts, AWS Transit Network, AWS LGW, Local Gateway, Aviatrix Outposts + + +========================================================= +Aviatrix in AWS Outposts +========================================================= + +AWS Outposts is a fully managed service that offers the same AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience. AWS Outposts is ideal for workloads that require low latency access to on-premises systems, local data processing, data residency, and migration of applications with local system interdependencies. + +AWS compute, storage, database, and other services run locally on Outposts, and you can access the full range of AWS services available in the Region to build, manage, and scale your on-premises applications using familiar AWS services and tools. + +The Aviatrix platform runs on Outposts. This brings the repeatable multi-cloud network architecture to Outposts with the common control plane that supports native cloud APIs and advanced networking and security capabilities needed to form a common data plane with visibility and control required for an enterprise-class multi-cloud network. + +1. Architecture +================ + +The Aviatrix controller remains in the public region of any cloud. It deploys, manages and monitors Aviatrix gateways that physically reside in Outposts. An ActiveMesh Aviatrix transit network is built using those gateways in Outposts. This allows Aviatrix to provide networking and security in the following use cases: + + - Intra-Outposts. + - Inter-Outposts. + - Outposts to non-Outposts on-prem data center. + - Outposts to public AWS regions. + - Outposts to Azure. + - Outposts to GCP. + +|architecture| + +2. 
Intra-Outposts +=================== + +Using Aviatrix inside Outposts brings the following benefits: + + - Complete automation of Outposts networking. + - Simplified network management at the application layer. + - Higher scalability. + - Easy-to-use segmentation domains. + - Consistent operations, control plane, and data plane with the public cloud. + +An Aviatrix controller is already deployed in a public AWS region. Using the Aviatrix controller, an Aviatrix ActiveMesh network can be deployed in Outposts: + + - Redundant pairs of Aviatrix spoke gateways are launched in the spoke VPCs. + - A redundant pair of Aviatrix transit gateways is launched in the transit VPC. + - Redundant ActiveMesh peerings are established between the spoke gateways and the transit gateways. + +|intra-outposts| + +An Aviatrix controller is already deployed in a public AWS region. Using the Aviatrix controller, an Aviatrix ActiveMesh network can be deployed in Outposts: + - Redundant pairs of Aviatrix spoke gateways are launched in the spoke VPCs. + - A redundant pair of Aviatrix transit gateways are launched in the transit VPC. + - Redundant ActiveMesh peerings are established between the spoke gateways and the transit gateways. + +The Aviatrix control plane is learning and propagating the routes to the spoke gateways accordingly per Aviatrix segmentation domains. This enables encrypted, high-speed connectivity between workloads in Outposts-Spoke1-VPC and workloads in Outposts-Spoke2-VPC. + +Currently the ActiveMesh tunnels between the Aviatrix spoke gateways and transit gateways are established over public IPs. Support for private IP ActiveMesh tunnels in Outposts is under development. + + +3. Inter-Outposts +=================== + +The same Aviatrix ActiveMesh transit network can be deployed in multiple Outposts racks. Then, an encrypted transit peering can be established between Aviatrix transit gateways across different Outpost racks. 
The Aviatrix control plane propagates the VPC CIDRs across the Outposts racks, enabling inter-Outposts connectivity. Data plane traffic goes over the Outposts Local Gateways (LGWs). + +|inter-outposts| + +4. Outposts to non-Outposts on-prem data center +================================================== + +Aviatrix provides a NAT gateway functionality for traffic going from Outposts to on-prem, which brings the following benefits: + + - No need to allocate customer-owned IPs to instances. + - Scalability advantage. + - Operational advantage. + +The Aviatrix control plane automates the propagation of on-prem subnets to Outposts spoke VPCs. This can optionally be controlled by Aviatrix segmentation domains. + +Redundant Site2Cloud connections are established between the Aviatrix transit gateways and the on-prem router. BGP runs on top to exchange the routes in both directions. + +|outposts_to_non-outposts_dc| + + +5. Outposts to Public AWS regions +======================================= + +Aviatrix enables Outposts connectivity to public AWS regions. It offers the following benefits: + + - Repeatable architecture. + - Outposts connectivity to public AWS region with extreme simplicity: 1-click peering. + - Encrypted peering over Direct Connect or over the public Internet. + - Same user experience and feature-set. + - Consistent, end-to-end automated control plane. + +Using the Aviatrix controller, the same Aviatrix network architecture can be deployed in any public AWS region. An Aviatrix encrypted transit peering can be established between Aviatrix transit gateways across Outposts and the public region. The Aviatrix control plane propagates the VPC CIDRs across the Outposts racks and the region, enabling end-to-end connectivity. Data plane traffic can go over Direct Connect or over the public Internet. + +|outposts_to_public_aws| + +6. 
Outposts to Azure +======================== + +Aviatrix enables Outposts connectivity to Azure with the following benefits: + + - Repeatable architecture + - Outpost connectivity to Azure with extreme simplicity: 1-click peering. + - Encrypted peering over private or public connections. + - Same user experience and feature-set. + - Consistent, end-to-end automated control plane. + +Using the Aviatrix controller, the same Aviatrix network architecture can be deployed in any public Azure region. An Aviatrix encrypted transit peering can be established between Aviatrix transit gateways across Outposts and the public Azure region. The Aviatrix control plane propagates the VPC and VNet CIDRs across the Outposts racks and Azure, enabling Outposts multi-cloud connectivity. Data plane traffic can go the public Internet, or over private peering on AWS Direct Connect and Azure Express Route connected in a colocation facility. + +|outposts_to_azure| + +7. Outposts to GCP +==================== + +Aviatrix enables Outposts connectivity to GCP with the following benefits: + + - Repeatable architecture + - Outpost connectivity to GCP with extreme simplicity: 1-click peering. + - Encrypted peering over private or public connections. + - Same user experience and feature-set. + - Consistent, end-to-end automated control plane. + +Using the Aviatrix controller, the same Aviatrix network architecture can be deployed in any public GCP region. An Aviatrix encrypted transit peering can be established between Aviatrix transit gateways across Outposts and the public GCP region. The Aviatrix control plane propagates the VPC and VNet CIDRs across the Outposts racks and GCP, enabling Outposts multi-cloud connectivity. Data plane traffic can go the public Internet, or over private peering on AWS Direct Connect and GCP Cloud Interconnect connected in a colocation facility + +|outposts_to_gcp| + +8. 
Visibility and Troubleshooting +=================================== + +Aviatrix provides deep visibility and troubleshooting into the Outposts network. Aviatrix CoPilot is supported for Aviatrix networking in Outposts and offers the following functionalities for Outposts: + + - Network Health Monitor – Real-time cloud network resource inventory and status. + - Dynamic Topology Map – Accurate, multi-cloud network topology, layout control and search. + - FlowIQ – Detailed application traffic flow analysis, global heat map and trends. + - CloudRoutes – Detailed searchable routing tables. + - Notifications – Alert on resources status/utilization. + + +.. |architecture| image:: aws_outposts_media/architecture.png + :scale: 30% + +.. |intra-outposts| image:: aws_outposts_media/intra-outposts.png + :scale: 70% + +.. |inter-outposts| image:: aws_outposts_media/inter-outposts.png + :scale: 70% + +.. |outposts_to_non-outposts_dc| image:: aws_outposts_media/outposts_to_non-outposts_dc.png + :scale: 70% + +.. |outposts_to_public_aws| image:: aws_outposts_media/outposts_to_public_aws.png + :scale: 70% + +.. |outposts_to_azure| image:: aws_outposts_media/outposts_to_azure.png + :scale: 70% + +.. |outposts_to_gcp| image:: aws_outposts_media/outposts_to_gcp.png + :scale: 70% + + +.. disqus:: diff --git a/HowTos/aviatrix_china_overview.rst b/HowTos/aviatrix_china_overview.rst new file mode 100644 index 000000000..ffaeea8c1 --- /dev/null +++ b/HowTos/aviatrix_china_overview.rst 
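Review bot: in section 2 of the new file the paragraph "An Aviatrix controller is already deployed in a public AWS region..." and its three bullets appear twice, the second copy with "are launched" instead of "is launched"; drop the second copy. Two smaller points in the same hunk: sections 6 and 7 say "Data plane traffic can go the public Internet" (missing "over"), and section 7 says the control plane propagates "the VPC and VNet CIDRs across the Outposts racks and GCP", but GCP has no VNets, so this should read "VPC CIDRs" there. The statement that ActiveMesh tunnels between spoke and transit gateways are currently established over public IPs is worth keeping next to a pointer on which inbound rules that requires on the gateways, if another page already documents that.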
@@ -0,0 +1,169 @@ +.. meta:: + :description: Aviatrix China Product Overview + :keywords: cloud networking, aviatrix, IPsec VPN, Global Transit Network, site2cloud + +============================================= +Aviatrix China Overview +============================================= + +What Features Are Supported in Which China Region Cloud? +======================================================== + ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| **Feature** | **AWS China** | **Azure China** | **Alibaba China Regions** | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| Controller Marketplace Launch | Yes | No | No | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| CoPilot Marketplace Launch | Yes | No | No | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| Transit Gateway Peering | Yes | Yes | Yes | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| Multi Accounts | Yes | Yes | Yes | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| Transit Network Spoke and Transit Gateways | Yes | Yes | Yes | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| Transit to External IPsec Devices | Yes | Yes | Yes | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| Site2Cloud VPN for All Gateways | Yes | Yes | Yes | 
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| Create a VPC | Yes | Yes | Yes | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| Terraform | Yes | Yes | Yes | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| Backup and Restore | Yes | Yes | Yes | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| Logging Service Integration (Rsyslog, Netflow, and CloudWatch) | Yes | Yes | Yes | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| Native Peering | Yes | Yes | No | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| FlightPath Expert Diagnostics | Yes | Yes | Yes | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| VPC Tracker | Yes | Yes | Yes | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| Controller Security Group Management | Yes | No | No | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| Launch Controller with CloudFormation | Yes | No | No | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| Firewall Network | No | No | No | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| 
Firenet | No | Yes | No | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| Insane Mode Encryption | No | No | No | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| Managed CloudN | No | No | No | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| Transit to AWS VGW | No | No | No | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| BGP over LAN | No | No | No | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| BGP over GRE | No | No | No | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| AWS TGW | No | No | No | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| FQDN Egress Control | No | No | No | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| Stateful Firewall | No | No | No | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| Advanced NAT | No | No | No | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| Remote Access User VPN (OpenVPN) | No | No | No | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| PrivateS3 | No | No | No | 
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| IPv6 | No | No | No | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| Controller Migrate | No | No | No | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ +| Logging Service Integration (Splunk, Firebeat, Sumologic, and Datadog) | No | No | No | ++------------------------------------------------------------------------+---------------+-----------------+---------------------------+ + +What is Aviatrix China Design Assumption? +============================================ + +- Aviatrix Controller in Global cannot deploy China gateway + +- Aviatrix Controller in China cannot deploy Global gateway + + +What is China Multi-Cloud Network Coverage? +============================================ + +You must overcome performance limitations and satisfy government requirements to create a global multi-cloud network that includes the China region. +Slow connection speeds and high-latency associated with the China region can be overcome by using a dedicated line to create an Aviatrix transit connection +and deploying services close to the China region. To satisfy legal regulations in China you must have an Internet Content Provider (ICP) license. + +For more information, see What is a China ICP License. + +What is a China ICP License? +============================ + +Regulations in China require you to acquire an Internet Content Provider (ICP) license from the government and register the license with your CSP +to provide internet services in China. In China, an ICP license is required to establish SSL connections between different regions, ISPs, CSPs, or to +cross national borders. 
Aviatrix supports transit gateways using AWS China, Azure China, and Alibaba multi-cloud networks in the China region. +Obtaining and implementing an ICP is a process and you should follow the directions of your compliance experts. + +There are some general guidelines Aviatrix recommends following to implement a multi-cloud network in the China region. + + - Create or use a Legal Entity in China to apply for the ICP license. + + - Apply for a Legal Domain name in the China Registration. + + - Acquire the ICP certificate from the China Ministry of Industry and Information Technology (MIIT). + + - Register the ICP certificate with your to CSP in the China region. + + - Use dedicated lines from certified telecom carries for connections between China and the rest of the world. + + - Deploy the Aviatrix Controller, CoPilot, and Multi-Cloud Network in China. + +What issue will hit if the company doesn't follow China Regulation? +=================================================================== + +Both Aviatrix Controller and Gateway in the China region cannot communicate to each other properly. + +How to find Aviatrix Controller and CoPilot on China Marketplace? +=================================================================== + +- Login AWS China Portal + +- Navigate to AWS marketplace for Ningxia and Beijing Region + +- Search for the keyword "Aviatrix" + + |aviatrix_aws_china_marketplace| + +.. Note:: Both Aviatrix Controller and CoPilot are published on AWS China Marketplace only. +.. + +Where is the URL for Aviatrix Controller and CoPilot on China Marketplace? +=========================================================================== + +- `Aviatrix Secure Networking Platform - BYOL `_ + +- `Aviatrix CoPilot - BYOL `_ + +Where is the URL to launch Aviatrix Controller from AWS CloudFormation in AWS China? 
+===================================================================================== + +- `aws-china-cloudformation-aviatrix-controller-and-IAM-setup-BYOL.template `_ + +What is the design recommendation for China region? +==================================================== + + |aviatrix_design_recommendation_china| + +What is the design recommendation to build connectivity between China and Global regions? +========================================================================================= + + |aviatrix_design_recommendation_china_global| + +.. |aviatrix_design_recommendation_china| image:: aviatrix_china_overview_media/aviatrix_design_recommendation_china.png + :scale: 50% + +.. |aviatrix_design_recommendation_china_global| image:: aviatrix_china_overview_media/aviatrix_design_recommendation_china_global.png + :scale: 50% + +.. |aviatrix_aws_china_marketplace| image:: aviatrix_china_overview_media/aviatrix_aws_china_marketplace.png + :scale: 50% + +.. disqus:: diff --git a/HowTos/aviatrix_china_overview_media/aviatrix_aws_china_marketplace.png b/HowTos/aviatrix_china_overview_media/aviatrix_aws_china_marketplace.png new file mode 100644 index 000000000..cfb9d7ddc Binary files /dev/null and b/HowTos/aviatrix_china_overview_media/aviatrix_aws_china_marketplace.png differ diff --git a/HowTos/aviatrix_china_overview_media/aviatrix_design_recommendation_china.png b/HowTos/aviatrix_china_overview_media/aviatrix_design_recommendation_china.png new file mode 100644 index 000000000..90e67a7bd Binary files /dev/null and b/HowTos/aviatrix_china_overview_media/aviatrix_design_recommendation_china.png differ diff --git a/HowTos/aviatrix_china_overview_media/aviatrix_design_recommendation_china_global.png b/HowTos/aviatrix_china_overview_media/aviatrix_design_recommendation_china_global.png new file mode 100644 index 000000000..fbd13db82 Binary files /dev/null and b/HowTos/aviatrix_china_overview_media/aviatrix_design_recommendation_china_global.png differ 
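Review bot: the feature table lists both "Firewall Network" (No / No / No) and "Firenet" (No / Yes / No), and those are the same feature, so the Azure China column contradicts itself; keep one row with the correct value. Also in this hunk: "Register the ICP certificate with your to CSP" should be "with your CSP", "certified telecom carries" should be "carriers", there is a stray `..` line right after the `.. Note::` directive, and the three link targets in the Marketplace and CloudFormation sections are empty as shown here (`Aviatrix Secure Networking Platform - BYOL `_), so confirm the URLs survive in the committed source.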
diff --git a/HowTos/aviatrix_iam_policy_requirements.rst b/HowTos/aviatrix_iam_policy_requirements.rst index 0473619f9..e82563094 100644 --- a/HowTos/aviatrix_iam_policy_requirements.rst +++ b/HowTos/aviatrix_iam_policy_requirements.rst @@ -43,8 +43,7 @@ permission applies to all use cases where there is an Aviatrix gateway. "sqs:SendMessage", "sqs:SetQueueAttributes", "sqs:TagQueue" - ], - "Resource": "*" + ] } @@ -113,8 +112,7 @@ Aviatrix gateway deployment requires permissions from the following categories: "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:RemoveRoleFromInstanceProfile" - ], - "Resource": "*" + ] } @@ -140,8 +138,7 @@ The Aviatrix TransitNetwork feature requires the following additional permission "ec2:DeleteVpcPeeringConnection", "ec2:EnableVgwRoutePropagation", "ec2:DisableVgwRoutePropagation" - ], - "Resource": "*" + ] }, { "Effect": "Allow", @@ -165,8 +162,7 @@ The Aviatrix TransitNetwork feature requires the following additional permission "ec2:ReplaceTransitGatewayRoute", "ec2:EnableRoutePropagation", "ec2:*TransitGatewayPeeringAttachment" - ], - "Resource": "*" + ] }, { "Effect": "Allow", @@ -180,8 +176,7 @@ The Aviatrix TransitNetwork feature requires the following additional permission "ram:UntagResource", "ram:AcceptResourceShareInvitation", "ram:EnableSharingWithAwsOrganization" - ], - "Resource": "*" + ] }, { "Effect": "Allow", @@ -193,8 +188,7 @@ The Aviatrix TransitNetwork feature requires the following additional permission "directconnect:DeleteDirectConnectGatewayAssociation", "directconnect:DeleteDirectConnectGatewayAssociationProposal", "directconnect:AcceptDirectGatewayAssociationProposal" - ], - "Resource": "*" + ] } @@ -214,8 +208,7 @@ Aviatrix features such as Transit Network, Encrypted Peering, Transitive Peering "ec2:CreateRoute", "ec2:DeleteRoute", "ec2:ReplaceRoute" - ], - "Resource": "*" + ] } 
@@ -234,8 +227,7 @@ An Aviatrix gateway needs to be in the STOP state before the instance type/size "Action": [ "ec2:StartInstances", "ec2:StopInstances" - ], - "Resource": "*" + ] } @@ -275,8 +267,7 @@ An Aviatrix gateway needs to be in the STOP state before the instance type/size "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:DeregisterTargets", "iam:CreateServiceLinkedRole" - ], - "Resource": "*" + ] } @@ -312,8 +303,7 @@ In order to enable a VPN with the AWS-Global-Accelerator feature, the following "globalaccelerator:UpdateAcceleratorAttributes", "globalaccelerator:UpdateEndpointGroup", "globalaccelerator:UpdateListener" - ], - "Resource": "*" + ] } @@ -338,8 +328,7 @@ In order to enable the Guardduty feature, the following permissions are needed. "ec2:CreateNetworkAclEntry", "ec2:ReplaceNetworkAclEntry", "ec2:DeleteNetworkAclEntry" - ], - "Resource": "*" + ] } @@ -357,8 +346,7 @@ In order to enable the Aviatrix Gateway Single AZ HA feature, the following perm "Effect": "Allow", "Action": [ "ec2:RebootInstances" - ], - "Resource": "*" + ] } @@ -380,8 +368,7 @@ In order to enable the Controller Backup & Restore feature, the following permis "s3:Get*", "s3:PutObject", "s3:DeleteObject" - ], - "Resource": "*" + ] } @@ -410,8 +397,7 @@ In order to enable the EBS Volume Encryption feature, the following permissions "ec2:CopySnapshot", "ec2:CreateSnapshot", "ec2:DeleteSnapshot" - ], - "Resource": "*" + ] } @@ -431,8 +417,7 @@ In order to create an AWS Peering, the following permissions are needed. "ec2:CreateVpcPeeringConnection", "ec2:AcceptVpcPeeringConnection", "ec2:DeleteVpcPeeringConnection" - ], - "Resource": "*" + ] } @@ -453,7 +438,7 @@ In order to enable the IAM Policy Scanning feature, the following permissions ar "iam:Get*", "iam:DeletePolicyVersion", "iam:CreatePolicyVersion" - ], + ] "Resource": "arn:aws:iam::*:policy/aviatrix-*" } 
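Review bot: the `@@ -453,7 +438,7 @@` hunk for IAM Policy Scanning changes `],` to `]` while keeping the following `"Resource": "arn:aws:iam::*:policy/aviatrix-*"` line, which leaves the statement without the comma between the `Action` array and `Resource` and makes the JSON invalid when pasted. That line should stay as `],`. This is the one statement in the file that keeps a scoped Resource, which is the pattern the other hunks should move toward rather than away from.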
@@ -473,8 +458,7 @@ In order to enable the UDP Load-Balancer feature, the following permissions are "Effect": "Allow", "Action": [ "route53:ChangeResourceRecordSets" - ], - "Resource": "*" + ] } diff --git a/HowTos/aviatrix_terraform.rst b/HowTos/aviatrix_terraform.rst deleted file mode 100644 index 2c346ef87..000000000 --- a/HowTos/aviatrix_terraform.rst +++ /dev/null 
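Review bot: the `@@ -473,8 +458,7 @@` hunk, like the other hunks in this file, deletes `"Resource": "*"` from the statement without putting anything in its place, so every statement now lacks the `Resource` element that an IAM policy statement requires and AWS will reject the snippet as written. Dropping the wildcard is the right direction for least privilege, but the page has to show what replaces it: either add a sentence in the surrounding text telling readers to supply a `Resource` scoped to their ARNs, or keep an explicit example line such as `"Resource": "arn:aws:ec2:*:*:instance/*"` (a placeholder pattern, to be adjusted per statement) so the policy stays valid.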
@@ -1,111 +0,0 @@ -.. meta:: - :description: Aviatrix Terraform Provider - :keywords: terraform, terraform provider, api - -=========================== -Aviatrix Terraform Provider -=========================== - -Aviatrix `Terraform `_ Provider is used to interact with Aviatrix resources. - -Read the `Aviatrix Terraform Provider Tutorial `_ to setup the environment. - -The provider allows you to manage Aviatrix resources such as account, gateway, peering, etc. It needs to be configured with valid Aviatrix UCC/CloudN's IP, and account credentials. For Aviatrix Transit Network deployment, please click `here `_ to read how to setup transit VPC using Terraform. - -.. note:: - Aviatrix is now an official Terraform provider! The Terraform setup procedure has been significantly simplified and the documentation below has been updated accordingly. Customers who have previously set up our provider following our previous instructions may transition to our official provider by following Step 5 in the setup tutorial `here `_ - -Example Usage -============= - -:: - - # Configure Aviatrix provider - provider "aviatrix" { - controller_ip = "1.2.3.4" - username = "admin" - password = "password" - version = "2.2" - } - - # Create a record - resource "aviatrix_account" "myacc" { - # ... - } - -Documentation -============= -The complete documentation for all available Aviatrix resources and data sources may be viewed on the Hashicorp Terraform doc site `here `_. - - -Sample configuration to launch a full-mesh network on AWS -========================================================= - -:: - - # Sample Aviatrix terraform configuration to create a full mesh network on AWS - # This configuration creates a cloud account on the Aviatrix controller, - # launches 3 gateways with the created account and establishes tunnels - # between each gateway. - - - # Edit to enter your controller's IP, username and password to login with. 
- provider "aviatrix" { - controller_ip = "w.x.y.z" - username = "admin" - password = "Aviatrix123" - version = "2.2" - } - - # Increase count default value to add more VPCs and subnets to launch more gateways together. - - variable "count" { - default = 3 - } - - # Enter VPCs where you want to launch gateways. - variable "vpcs" { - description = "Launch gateways in different VPCs." - type = "list" - default = ["vpc-7a6b2513", "vpc-2ee4a147", "vpc-0d7b3664"] - } - - # Enter Subnets within VPCs added above. - variable "vpc_nets" { - description = "Launch gateways in different VPC Subnets." - type = "list" - default = ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"] - } - - resource "aviatrix_account" "test_acc" { - account_name = "devops" - cloud_type = 1 - aws_account_number = "123456789012" - aws_iam = "true" - aws_role_app = "arn:aws:iam::123456789012:role/aviatrix-role-app" - aws_role_ec2 = "arn:aws:iam::123456789012:role/aviatrix-role-ec2" - } - - # Create count number of gateways - resource "aviatrix_gateway" "test_gw" { - count = var.count - cloud_type = 1 - account_name = "devops" - gw_name = "avtxgw-${count.index}" - vpc_id = "${element(var.vpcs, count.index)}" - vpc_reg = "ap-south-1" - gw_size = "t2.micro" - subnet = "${element(var.vpc_nets, count.index)}" - depends_on = ["aviatrix_account.test_acc"] - } - - # Create tunnels between above created gateways. - resource "aviatrix_tunnel" "test_tunnel" { - count = "${var.count * (var.count - 1)/2}" - gw_name1 = "avtxgw-${count.index}" - gw_name2 = "avtxgw-${(count.index+1)%3}" - depends_on = ["aviatrix_gateway.test_gw"] - } - - -.. disqus:: diff --git a/HowTos/avx_tgw_migration.rst b/HowTos/avx_tgw_migration.rst index c347ebbda..488185f09 100644 --- a/HowTos/avx_tgw_migration.rst +++ b/HowTos/avx_tgw_migration.rst 
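Review bot: the deleted Terraform page embedded controller credentials directly in the provider block (`password = "Aviatrix123"`) and declared `variable "count"`, which is a reserved name in Terraform 0.12 and later, so `var.count` would not parse. If this sample is being moved to another location rather than retired, both should be fixed there (read the password from a variable or the environment, and rename the variable). Otherwise the commit message or the tutorial links that pointed at this page should say where the content now lives.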
@@ -3,7 +3,7 @@ :keywords: Transit Gateway, AWS Transit Gateway, TGW, Migration ======================================================================== -Migrating an Aviatrix Global Transit Network to Next Gen Transit for AWS +Migrating an Aviatrix Transit Network to AWS Transit Gateway (TGW) ======================================================================== This document assumes that you have deployed an `Aviatrix Global Transit Network solution `_ with Aviatrix Transit Gateway and VGW. diff --git a/HowTos/aws_dis_getting_started.rst b/HowTos/aws_dis_getting_started.rst new file mode 100644 index 000000000..7741382d1 --- /dev/null +++ b/HowTos/aws_dis_getting_started.rst 
@@ -0,0 +1,84 @@ +.. meta:: + :description: Aviatrix Controller and Gateway Deployment Guide in AWS Discrete Regions + :keywords: Aviatrix, AWS + + +===================================================================================== +Aviatrix Controller and Gateway Deployment Guide in Discrete Regions +===================================================================================== + +The Aviatrix Secure Networking Platform consists of two components: Aviatrix Controller and Gateway. The Aviatrix Controller manages the Aviatrix Gateway and orchestrates all connectivities. + +Launch Aviatrix Controller +=========================== + +These instructions apply when deploying in discrete regions in AWS. This guide takes you through the 3 steps to launch the Controller instance. + +Step 1. Subscribe to Aviatrix Secure Networking Platform - BYOL on AWS ICMP +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +If you have already subscribed the Aviatrix Secure Networking Platform - BYOL on AWS ICMP, skip this step and proceed to Step 2. + +Step 2. Launch the Controller +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Two options to search and deploy Aviatrix Controller: + +- (Option 1) Search the product “Aviatrix Secure Networking Platform - BYOL” on ICMP website + +- (Option 2) Log in to AWS ICMP console and navigate to EC2 dashboard page + +- (Option 2) Click the button “Launch Instances” and select the product “Aviatrix Secure Networking Platform - BYOL” on AWS ICMP + +- Follow EC2 configuration workflow to deploy Aviatrix Controller + + - Select the instance size “t3.large” of 8GB of memory, which is the recommended instance type + + - Select the VPC where the controller will be launched + + - Make sure the subnet you select is a public subnet with IGW as its default gateway, otherwise the controller will not be accessible as it won’t have a public IP address. 
+ + - Edit security groups to allow inbound TCP port 443 open to anywhere + +- Assign an Elastic Public IP address to Aviatrix Controller + +- After launching the instance, note down the instance’s Private IP and Public IP. You can find that info by going to AWS EC2 console, clicking the Controller instance, and locating its private IP and public IP address + +Step 3. Onboarding +^^^^^^^^^^^^^^^^^^^ + +Now that Aviatrix Controller instance has been launched, let’s login and go through the onboarding process. + +- Access the Controller console by going to https://[*Controller_Public_IP*] on a browser + +- Log in with the username "admin" and the default password of your *Controller_Private_IP* + +- Enter your email address + +- Change password + +- Click the button Run to upgrade software version with latest + +.. tip:: + The Controller upgrade takes about 3-5 minutes. Once complete, the login prompt will appear. Use the username `admin` and your new password to login. + +Launch Aviatrix Gateway +=========================== + +To deploy Aviatrix Secure Companion Gateway from AWS ICMP successfully, make sure you follow the instructions as follows. When complete, you'll be ready to deploy use cases. + +Step 1. Follow the step Launch Aviatrix Controller above +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Step 2. Subscribe to Aviatrix Secure Companion Gateway on AWS ICMP +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Step 3. Start a Use Case +^^^^^^^^^^^^^^^^^^^^^^^^^ + +Congratulations! You are now ready to deploy use cases. + +- `Build Aviatrix Transit Network Solution `__ + + +.. disqus:: diff --git a/HowTos/aws_outposts_media/architecture.png b/HowTos/aws_outposts_media/architecture.png new file mode 100644 index 000000000..f0c245593 Binary files /dev/null and b/HowTos/aws_outposts_media/architecture.png differ 
diff --git a/HowTos/aws_outposts_media/inter-outposts.png b/HowTos/aws_outposts_media/inter-outposts.png new file mode 100644 index 000000000..88bea915a Binary files /dev/null and b/HowTos/aws_outposts_media/inter-outposts.png differ diff --git a/HowTos/aws_outposts_media/intra-outposts.png b/HowTos/aws_outposts_media/intra-outposts.png new file mode 100644 index 000000000..3c3cb6720 Binary files /dev/null and b/HowTos/aws_outposts_media/intra-outposts.png differ diff --git a/HowTos/aws_outposts_media/outposts_to_azure.png b/HowTos/aws_outposts_media/outposts_to_azure.png new file mode 100644 index 000000000..88336dba4 Binary files /dev/null and b/HowTos/aws_outposts_media/outposts_to_azure.png differ diff --git a/HowTos/aws_outposts_media/outposts_to_gcp.png b/HowTos/aws_outposts_media/outposts_to_gcp.png new file mode 100644 index 000000000..7cf2e78a9 Binary files /dev/null and b/HowTos/aws_outposts_media/outposts_to_gcp.png differ diff --git a/HowTos/aws_outposts_media/outposts_to_non-outposts_dc.png b/HowTos/aws_outposts_media/outposts_to_non-outposts_dc.png new file mode 100644 index 000000000..44f8d4bc8 Binary files /dev/null and b/HowTos/aws_outposts_media/outposts_to_non-outposts_dc.png differ diff --git a/HowTos/aws_outposts_media/outposts_to_public_aws.png b/HowTos/aws_outposts_media/outposts_to_public_aws.png new file mode 100644 index 000000000..73fa99e27 Binary files /dev/null and b/HowTos/aws_outposts_media/outposts_to_public_aws.png differ diff --git a/HowTos/azure_custom_role.rst b/HowTos/azure_custom_role.rst new file mode 100644 index 000000000..d1173012a --- /dev/null +++ b/HowTos/azure_custom_role.rst 
@@ -0,0 +1,225 @@ +.. meta:: + :description: Describe how to customize Azure IAM role + :keywords: account, aviatrix, AWS IAM role, Azure API credentials, Google credentials + + +================================= +Use Azure IAM Custom Role +================================= + +When Aviatrix Controller uses Azure API to manage networking and gateway resources, an application must be first created in +Azure AD with an identity of Service Principal. This service principal requires an Azure IAM role assignment together with a set of +permissions required by the Aviatrix Controller to provide service. By default we use the Azure built-in "Contributor" role. Contributor +roles has access to all resources of the subscription. + +If you wish to limit the Controller access permissions, you can do so by creating a custom role with a set of permissions required +by the Controller as shown below. This document describes how to accomplish this task through Azure portal. + +1. Aviatrix required custom role permissions +------------------------------------------------ + +:: + + { + "properties": { + "roleName": "Aviatrix Controller Custom Role", + "description": "Custom role for Aviatrix Controller", + "assignableScopes": [], + "permissions": [ + { + "actions": [ + "Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/*", + "Microsoft.Compute/*/read", + "Microsoft.Compute/availabilitySets/*", + "Microsoft.Compute/virtualMachines/*", + "Microsoft.Compute/disks/*", + "Microsoft.Network/*/read", + "Microsoft.Network/publicIPAddresses/*", + "Microsoft.Network/networkInterfaces/*", + "Microsoft.Network/networkSecurityGroups/*", + "Microsoft.Network/loadBalancers/*", + "Microsoft.Network/routeTables/*", + "Microsoft.Network/virtualNetworks/*", + "Microsoft.Storage/storageAccounts/*", + "Microsoft.Resources/*/read", + "Microsoft.Resourcehealth/healthevent/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/tags/*", + 
"Microsoft.Resources/marketplace/purchase/*", + "Microsoft.Resources/subscriptions/resourceGroups/*" + ], + "notActions": [], + "dataActions":[], + "notDataActions":[] + } + ] + } + } +* For Azure China please remove "Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/*" and "Microsoft.Resources/marketplace/purchase/*" from "actions" + +2. Create a Custom Role +---------------------------------------------------- + + a. Login to Azure portal. Go to Subscriptions. Select the subscription whose network already managed by Aviatrix Controller and click in. + b. Next click Access control (IAM) + c. Next click Roles as shown below. + + |iam_role| + + d. Next click +Add Role and select "Add custom role". + e. Next select Start from scratch and click Next, as shown below. + + |start_from_scratch| + + f. Next click JSON, click Edit. + + |click_json| + + g. Next remove the existing JSON template and copy and paste the above Aviatrix required permissions JSON into the Editor box, as shown below. Click Save. + + |aviatrix_custom_role| + + h. Next click Permissions. You should see the permissions have been populated, as shown below. + + |show_permission| + + i. Next click Assignable scopes, click Add assignable scopes, select the subscription. + + j. Next click JSON, you should say the subscription has been added to the assignableScopes, as shown below. + + |subscription_scope| + + k. Next click Review + create, click Create. + +3. Replace the Contributor Role +-------------------------------- + + a. (This step is optional, it is only applicable if you have already assigned "Contributor" role to the Aviatrix Controller service principal. If not, skip this step and proceed to the next step.) Now that you have created a custom role called Aviatrix Controller Custom Role, go ahead replace the Contributor role, as shown below. + + |remove_contributor| + + b. Click +Add, select Add role assignment. 
Fill in the fields as shown below + + |replace_role| + +Done. + +4. Multiple Custom Roles Approach +---------------------------------- + +The Aviatrix role permissions can be split into multiple custom roles each with a subset of permissions. Subscription permission must +be at the subscription scope. The additional permission may have +the scope of one or more Resource Groups. + +Below is an example where the "Aviatrix Custom Role for subscription" has the scope of subscription and the remaining permissions has the scope of +Resource Group. + +4.1 Subscription Scope IAM Custom Role +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + { + "properties": { + "roleName": "Aviatrix Custom Role for subscription", + "description": "Aviatrix Custom role for gateway subscription permission", + "assignableScopes": [], + "permissions": [ + { + "actions": [ + "Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/*" + ], + "notActions": [], + "dataActions":[], + "notDataActions":[] + } + ] + } + } + + +4.2 Resource Group Scope IAM Custom role +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Note when creating a custom role for a resource group on Azure portal, start at Subscription -> Resource groups, select one resource group +and click "Access Control (IAM). Then follow the role creation process with the permission described in the file below +to create the role. When configuring Assignable scopes, select one or more resource groups (it is multi selectable) for this role. After the role is created, assign the role to the Service principal of the Aviatrix Controller application. + +.. note:: + + It takes a few minutes for the display to appear for the custom role just created. Once it can be displayed, you can find it by going to + Subscription -> Resource groups -> select one resource group assigned to the role, then click Access Control (IAM), then click Roles. + Then search for the role you just created. 
+ +:: + + { + "properties": { + "roleName": "Aviatrix Custom Role for services", + "description": "Aviatrix Custom role for the network and gateway services", + "assignableScopes": [], + "permissions": [ + { + "actions": [ + "Microsoft.Compute/*/read", + "Microsoft.Compute/availabilitySets/*", + "Microsoft.Compute/virtualMachines/*", + "Microsoft.Network/*/read", + "Microsoft.Network/publicIPAddresses/*", + "Microsoft.Network/networkInterfaces/*", + "Microsoft.Network/networkSecurityGroups/*", + "Microsoft.Network/loadBalancers/*", + "Microsoft.Network/routeTables/*", + "Microsoft.Network/virtualNetworks/*", + "Microsoft.Storage/storageAccounts/*", + "Microsoft.Resources/*/read", + "Microsoft.Resourcehealth/healthevent/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/tags/*", + "Microsoft.Resources/marketplace/purchase/*", + "Microsoft.Resources/subscriptions/resourceGroups/*" + ], + "notActions": [], + "dataActions":[], + "notDataActions":[] + } + ] + } + } + +.. tip :: + + If you wish to use Contributor role for the above part of the permission, ignore the json file listed above. Simply use + Azure portal, Resource groups -> select the resource group. Click Access Control (IAM) -> +Add -> Add Role assignment. Then + select Contributor as Role and assign the Contributor role to the Aviatrix Controller service principal. + + +5. Additional References +-------------------------- + +To learn more on Azure custom role and how to configure it, refer to `Azure Custom Roles. `_ + +To view the complete Azure role permissions, refer to `Azure resource provider operations. `_. + +.. |aviatrix_custom_role| image:: azure_custom_role_media/aviatrix_custom_role.png + :scale: 30% + +.. |iam_role| image:: azure_custom_role_media/iam_role.png + :scale: 30% + +.. |remove_contributor| image:: azure_custom_role_media/remove_contributor.png + :scale: 30% + +.. |start_from_scratch| image:: azure_custom_role_media/start_from_scratch.png + :scale: 30% +.. 
|click_json| image:: azure_custom_role_media/click_json.png + :scale: 30% +.. |replace_role| image:: azure_custom_role_media/replace_role.png + :scale: 30% +.. |subscription_scope| image:: azure_custom_role_media/subscription_scope.png + :scale: 30% + +.. |show_permission| image:: azure_custom_role_media/show_permission.png + :scale: 30% + +.. disqus:: diff --git a/HowTos/azure_custom_role_media/aviatrix_custom_role.png b/HowTos/azure_custom_role_media/aviatrix_custom_role.png new file mode 100644 index 000000000..911f12952 Binary files /dev/null and b/HowTos/azure_custom_role_media/aviatrix_custom_role.png differ diff --git a/HowTos/azure_custom_role_media/click_json.png b/HowTos/azure_custom_role_media/click_json.png new file mode 100644 index 000000000..f32223e40 Binary files /dev/null and b/HowTos/azure_custom_role_media/click_json.png differ diff --git a/HowTos/azure_custom_role_media/iam_role.png b/HowTos/azure_custom_role_media/iam_role.png new file mode 100644 index 000000000..f5c64b0a2 Binary files /dev/null and b/HowTos/azure_custom_role_media/iam_role.png differ diff --git a/HowTos/azure_custom_role_media/remove_contributor.png b/HowTos/azure_custom_role_media/remove_contributor.png new file mode 100644 index 000000000..1bcd38040 Binary files /dev/null and b/HowTos/azure_custom_role_media/remove_contributor.png differ diff --git a/HowTos/azure_custom_role_media/replace_role.png b/HowTos/azure_custom_role_media/replace_role.png new file mode 100644 index 000000000..2e0fbe506 Binary files /dev/null and b/HowTos/azure_custom_role_media/replace_role.png differ diff --git a/HowTos/azure_custom_role_media/show_permission.png b/HowTos/azure_custom_role_media/show_permission.png new file mode 100644 index 000000000..01ea97923 Binary files /dev/null and b/HowTos/azure_custom_role_media/show_permission.png differ 
diff --git a/HowTos/azure_custom_role_media/start_from_scratch.png b/HowTos/azure_custom_role_media/start_from_scratch.png new file mode 100644 index 000000000..ab21d71a9 Binary files /dev/null and b/HowTos/azure_custom_role_media/start_from_scratch.png differ diff --git a/HowTos/azure_custom_role_media/subscription_scope.png b/HowTos/azure_custom_role_media/subscription_scope.png new file mode 100644 index 000000000..4b777d8d1 Binary files /dev/null and b/HowTos/azure_custom_role_media/subscription_scope.png differ diff --git a/HowTos/azure_saml_auth_vpn_access.rst b/HowTos/azure_saml_auth_vpn_access.rst new file mode 100644 index 000000000..544df5cf9 --- /dev/null +++ b/HowTos/azure_saml_auth_vpn_access.rst 
@@ -0,0 +1,173 @@ +====================================================================== +Azure Controller Security for SAML Based Authentication VPN Deployment +====================================================================== + +The best security practice for the Aviatrix Controller is to prevent the controller from being widely accessible from the internet. Access on TCP port 443 should be limited to: + +- The range of management IPs coming from the enterprise or the datacenter. +- Ingress and egress access for basic communications and keep-alive signals from each gateway. + +The exception to this best practice is when the Aviatrix Controller is used for Security Assertion Markup Language (SAML) based authentication user VPN access. In this case, the VPN user first contacts the Aviatrix Controller which then redirects user browser traffic to an Identity Provider (IdP) system, Okta for example. The initial VPN authentication traffic runs on Aviatrix Controller TCP port 443 for VPN users located off-site, so controller TCP port 443 needs to be open to all which may cause security concerns. + +You must configure Aviatrix SAML authentication for your user VPN access. The SAML authentication should be configured through the Azure Application Gateway (AppGW) so the URLs generated for use in the IdP and domain information in the ovpn file point to the domain of the AppGW. The URLs generated use the AppGW domain instead of controller domain. VPN users should not access the controller directly, they should access the controller through the AppGW where access rules are enforced. + +In order prevent the controller from being widely accessible and allow SAML authentication user VPN access, please follow the instructions in this section to secure your controller when Security Assertion Markup Language (SAML) based authentication is being used. 
+ +Azure Application Gateways and the Aviatrix Controller +====================================================== + +The Azure Application Gateway is a generic, workload agnostic reverse proxy and load balancer that includes a web application firewall (WAF). + +- The service consists of Azure-managed VMs running Nginx in a VNET. Unless restricted, these VMs have access to the public internet, the VNET address space, and anything else a VM in that VNET can talk to. +- In addition to VMs, backends can be IP addresses. +- The Application Gateway is also an Ingress Controller option for the Azure Kubernetes Service. + +From an Application Gateway perspective, the Aviatrix Controller is just another workload. The configurations in this section can be applied to any other HTTP or HTTPS workload. For example, you can use the Azure Application Gateway to: + +- Protect an application running in an on-prem datacenter. +- Protect a hosted PaaS web application injected into the VM. +- Add HTTPS support to an older application that can only run HTTP. +- Restrict or redirect URL patterns within an application. + +Prerequisites +============= + +You need to understand how to configure OpenVPN SAML authentication. For more information, see `OpenVPN with SAML Authentication `_. + +Securing the Aviatrix Controller for SAML Based Authentication Behind an Azure Application Gateway +================================================================================================== + +To secure your controller when Security Assertion Markup Language (SAML) based authentication is being used: + +1. Create valid SSL certificates for the Aviatrix Controller and Azure Application Gateway virtual machine. Use any valid SSL certificate generation application. +2. On the Azure portal, create a subnet for the Azure Application Gateway. Create the subnet in your Aviatrix Controller’s VNET for the Azure Application Gateway. The Azure Application Gateway requires its own subnet. +3. 
Apply the certificates to the Controller. + + A. On the Aviatrix Controller, go to the Controller Settings > Security > Advanced > Controller Certificate Import Methods. The preferred method is to select “Import Certificate with Key”, you can also select “Generate CSR and Import Certificate”. + B. Import the certificate files. + C. After you click OK, the Aviatrix Controller browser refreshes using the new certificate. Verify the correct certificates are in use with your favorite SSL validation site. + +For more information, see `Controller Certificate Management `_. + +4. On the Aviatrix Controller, go to Settings > Controller > Access Security > Security. Enable the Controller Primary Access Account on the Controller Security Group Management card to only allow access to the Controller Public IP from Aviatrix Gateways. In the Azure Portal, the Network Security Group (NSG) assigned to the Controller is usually -nsg. +5. On the Azure portal, create a new Azure Application Gateway: + + A. Specify the Basic details. + B. Configure Frontends and create a Public IP. + C. Create 2 backend pools. Create one pool to allow VPN user requests on the flask endpoint and the other pool to block access to any other endpoints on the Aviatrix controller. + + - Specify the NIC of the controller virtual machine as the target. + - Chose HTTP Settings: . + + - **** - Select the controller instance as target. + - **** - This backend pool is used to block endpoints on the controller except for ‘flask’. + + - Create a path based rule in listener rules. + + - Choose Backend target as , so that the App GW returns “502 Bad Gateway” response to any paths other than ‘/flask*’. + - Create a path based rule for the path “/flask*“, with the backend target set to . + + D. Add a Routing Rule. Create a rule Name and enter the required values on the Listener tab. + E. Enter the required values on the Backend targets tab. The Backend Target is the backend pool created earlier. + F. 
Click Add new and configure the HTTP Settings. + G. Set the Request timeout value to 3600. Otherwise, timeouts on legitimate requests may occur. + H. Set the "Override with new hostname" setting to "No". + +6. On the Azure portal, modify the associated Azure Network Security Group to allow the Azure Application Gateway subnet. +7. On the Azure portal, enable monitoring of the Application Gateway. Add a diagnostic setting and configure the desired logging settings. +8. On the Azure portal, disable rules for the Application Gateway to prevent errors with onboarding accounts. + + A. Enable advanced rule configuration. + B. Disable rules 200004, 931130, and 942430. + +9. On the Azure portal, enable URL Rewrite to avoid Cross-Origin Resource Sharing (CORS) errors. + + A. Create a Rewrite set. + B. Name the Rewrite set and assign it to the Aviatrix Controller routing rule. + C. Rename the rule to something descriptive. + D. On the Azure portal, enable URL Rewrite to avoid Cross-Origin Resource Sharing (CORS) errors. + +10. On the Azure portal, put the Aviatrix Controller behind the Application which includes a web application firewall (WAF). The WAF will block requests with special entity names. Do not create entity name with special strings because the API will be blocked with a 403 error. +11. Create SAML endpoint. For more information see OpenVPN with SAML Authentication https://docs.aviatrix.com/HowTos/VPN_SAML.html. + +After the Azure AppGW is configured and the Aviatrix Controller is placed behind the AppGW, you are ready to test your SAML based authentication for user VPN access. + + +.. Note:: For the HTTP Settings, when using the "Use well known CA certificate" option you may see a message about the root certificate of the server certificate used by the backend not matching the trusted root certificate added to the application gateway. To resolve this issue, use the fullchain certificate when importing the server certificate into the controller. +.. + +.. 
Note:: While authenticating the VPN user with an IdP and when sending the SAML response to the controller, you may see an error message about an invalid SAML response and the subject or username 'NoneType'. To resolve this issue, disable "override hostname" in the application gateway's HTTP settings. +.. + +Example +-------- + +The following example demonstrates securing the Aviatrix Controller for SAML based authentication behind an Azure application gateway with the Okta IdP. + +The objective is to limit access to Aviatrix Controller port 443 to authorized IPs and at the same time allow a VPN client to contact the controller for SAML authentication. In the following example, the Aviatrix Controller is placed and Azure application gateway with WAF enabled. All the steps used to create the Azure application gateway are not included, the example focuses on the special steps to implement the configuration. + +1. Create domain names for controller and App GW. For example: + + - Controller: azure-ctlr.customertest.com. + - App GW: azure-ctlr-appgw.customertest.com. + +2. Create certificates for controller and App GW. For example: + + - Let’s encrypt to create certificates. + - Validate using DNS validation. + +3. Import certificates into controller. For example: + + - Import certs at Controller > Settings > Advanced > Security > “Controller Imported Certificate Status”. + - Use ‘fullchain’ cert for server cert as well as controller seems to not send the full chain and App GW fails to validate the backend controller certs. + +4. Create the Application Gateway (App GW). Then access the controller through App GW for the configuration. + +5. 
When configuring SAML authentication and setting up App in Okta IdP: + + - set the Default Backend target in App GW rules to ‘controller’, + - set the WAF’s Firewall mode to ‘Detection.’ + - create HTTP Settings: + + - Name: controller-settings + - Backend port: 443 + - Use well known CA cert: Yes + - Cookie-based policy, Connection draining: Disable + - Request time-out: 3600 + - Override with new host name: No. Otherwise, the Backend Health status is bad. + - Custom probe: Create a custom probe. + +6. Create a custom health probe because the default probe checks that the Hostname matches what is seen in the certificate. + + - Name: + - Set protocol as “HTTPS” + - Set Host to the controller Domain name + - Pick host name from backend HTTP settings: No + - Pick port from backend HTTP settings: Yes + - Path: / + - interval, timeout, unhealthy threshold: Can leave these as defaults. + - Chose HTTP Settings: controller-settings + +7. Create 2 Backend pools. + + - Choose Backend target as ‘dont-allow‘, so that the App GW returns “502 Bad Gateway” response to any paths other than ‘/flask*’. + - Create a path based rule for the path “/flask*“, with the backend target set to . + +8. Create a path based rule in listener rules. + + - Choose Backend target as ‘dont-allow’, so that the App GW returns “502 Bad Gateway” response to any paths other than ‘/flask*’. + - Create a path based rule for the path “/flask*“, with Backend target set to . + +9. Setup SAML authentication by accessing the controller through the App GW domain name. + + - In the Okta application: + + - set the SSO, Destination, Recipient URLs to https://azure-ctlr.customertest.com/flask/saml/sso/aviatrix_saml_controller + - set Audience restriction and Default relay state to https://azure-ctlr-appgw.customertest.com/ + +10. Verify the SAML configuration by verifying VPN client authentication is successful. 
+ + - In the App GW ‘rules’ section, set the Backend target to ‘dont-allow’ to not allow access endpoints that VPN users shouldn’t be able to access. + - In WAF section, set the Firewall mode to ‘Prevention’. + +11. Verify that when accessing through App GW, the VPN user is not able to access paths other than ‘/flask*’. diff --git a/HowTos/azure_transit_designs.rst b/HowTos/azure_transit_designs.rst new file mode 100644 index 000000000..21e14094d --- /dev/null +++ b/HowTos/azure_transit_designs.rst 
@@ -0,0 +1,104 @@ +.. meta:: + :description: Azure Transit Network + :keywords: Azure Transit Network, Transit hub, AWS Global Transit Network, Encrypted Peering, Transitive Peering + + +======================================= +Azure Transit Network Design Patterns +======================================= + +There are many design patterns for networking and networking security deployment in the cloud. +This document summarizes these design patterns that apply to Azure networks. + +Aviatrix Encrypted Transit Network +------------------------------------- + +In this design, all packets in flight between Spoke VNets and Transit to on-prem are encrypted. + +|aviatrix_transit_azure| + +.. Tip:: + + Aviatrix Transit supports high performance (Insane Mode) IPSEC performance over ExpressRotue and Azure Peering. + +Aviatrix Transit with Native Spokes +-------------------------------------- + +Aviatrix Transit also supports Azure native spoke VNets. + +|aviatrix_transit_native_spoke| + + +Transit FireNet with Aviatrix Spokes +------------------------------------ + +You can apply firewall inspections for east-west, north-south and ingress/egress traffic. + +|transit_firenet_aviatrix_spokes| + + +Transit FireNet with Native Spokes +------------------------------------------- + +Firewall inspections can be applied to native Spoke VNet, on-prem to transit and north-south traffic. + +|transit_firenet_native_spokes| + +Please refer to `Transit FireNet Workflow for Azure Native Spoke VNets `_ for more details. + +SD-WAN Integration +-------------------- + +If you have multiple sites to connect to the cloud, you can use an Aviatrix Transit Gateway to terminate the many site2cloud to branch offices. + +Alternatively, you can use a SD-WAN termination point in the VNets to connect to the branches. + +Both options can be described in the diagram below. 
+ +|transit_sdwan| + +Aviatrix Transit Gateway for Azure Spoke to Spoke Connectivity +--------------------------------------------------------------- + +If you use Azure ExpressRoute gateway to connect Spoke VNets to on-prem, you can use Aviatrix Transit Gateway for Spoke to Spoke connectivity, +as shown in the diagram below. To connect Spoke VNet, follow the `Step 6b in the Multi-Cloud Transit Network workflow `_. + +|transit_azure_native_spoke| + +Multi-Cloud Transit with Native Spokes +---------------------------------------- + +Use Aviatrix Transit Gateways to inter-connect transit network for a multi cloud network deployment, as shown in the diagram below. + +|multi_cloud_transit_native| + +.. |aviatrix_transit_azure| image:: azure_transit_designs_media/aviatrix_transit_azure.png + :scale: 30% + +.. |aviatrix_transit_native_spoke| image:: azure_transit_designs_media/aviatrix_transit_native_spoke.png + :scale: 30% + +.. |transit_firenet_aviatrix_spokes| image:: azure_transit_designs_media/transit_firenet_aviatrix_spokes.png + :scale: 30% + +.. |transit_firenet_native_spokes| image:: azure_transit_designs_media/transit_firenet_native_spokes.png + :scale: 30% + +.. |transit_sdwan| image:: azure_transit_designs_media/transit_sdwan.png + :scale: 30% + +.. |transit_azure_native_spoke| image:: transitvpc_designs_media/transit_azure_native_spoke.png + :scale: 30% + +.. |multi_cloud_transit_native| image:: transitvpc_designs_media/multi_cloud_transit_native.png + :scale: 30% + +.. |transit_firenet| image:: transit_firenet_media/transit_firenet.png + :scale: 30% + +.. |transit_firenet_aviatrix_egress| image:: transit_firenet_media/transit_firenet_aviatrix_egress.png + :scale: 30% + + + +.. disqus:: 
diff --git a/HowTos/azure_transit_designs_media/aviatrix_transit_azure.png b/HowTos/azure_transit_designs_media/aviatrix_transit_azure.png new file mode 100644 index 000000000..bb7f4bd46 Binary files /dev/null and b/HowTos/azure_transit_designs_media/aviatrix_transit_azure.png differ diff --git a/HowTos/azure_transit_designs_media/aviatrix_transit_native_spoke.png b/HowTos/azure_transit_designs_media/aviatrix_transit_native_spoke.png new file mode 100644 index 000000000..f053a1bfe Binary files /dev/null and b/HowTos/azure_transit_designs_media/aviatrix_transit_native_spoke.png differ diff --git a/HowTos/azure_transit_designs_media/transit_firenet_aviatrix_spokes.png b/HowTos/azure_transit_designs_media/transit_firenet_aviatrix_spokes.png new file mode 100644 index 000000000..94646f8dd Binary files /dev/null and b/HowTos/azure_transit_designs_media/transit_firenet_aviatrix_spokes.png differ diff --git a/HowTos/azure_transit_designs_media/transit_firenet_native_spokes.png b/HowTos/azure_transit_designs_media/transit_firenet_native_spokes.png new file mode 100644 index 000000000..b1e1b6b27 Binary files /dev/null and b/HowTos/azure_transit_designs_media/transit_firenet_native_spokes.png differ diff --git a/HowTos/azure_transit_designs_media/transit_sdwan.png b/HowTos/azure_transit_designs_media/transit_sdwan.png new file mode 100644 index 000000000..06bc3621b Binary files /dev/null and b/HowTos/azure_transit_designs_media/transit_sdwan.png differ diff --git a/HowTos/azuread_saml_media/azure_ad_saml_user_claims.png b/HowTos/azuread_saml_media/azure_ad_saml_user_claims.png new file mode 100644 index 000000000..b3ead07d9 Binary files /dev/null and b/HowTos/azuread_saml_media/azure_ad_saml_user_claims.png differ diff --git a/HowTos/azuregwlaunch.rst b/HowTos/azuregwlaunch.rst index 6afd11b1d..ca4a8a4f2 100644 --- a/HowTos/azuregwlaunch.rst +++ b/HowTos/azuregwlaunch.rst 
@@ -47,7 +47,7 @@ From the Controller console, launch the gateway again and observe the failure. 4. Get Help from Aviatrix Support --------------------------------- -If you still cannot figure out the problem, send an email to support@aviatrix.com to get help. +If you still cannot figure out the problem, lease open a support ticket at `Aviatrix Support Portal `_ to get help. .. |image0| image:: azuregwlaunch_media/azuregwlaunch.png diff --git a/HowTos/beta_ipmotion.rst b/HowTos/beta_ipmotion.rst deleted file mode 100644 index d8f4ae5cf..000000000 --- a/HowTos/beta_ipmotion.rst +++ /dev/null @@ -1,25 +0,0 @@ -.. meta:: - :description: IP motion Ref Design - :keywords: AWS Migration, DR, Disaster Recovery, aviatrix, Preserving IP address, IPmotion, ip motion - - -============================================ -IPmotion Early Customer Trial Instructions -============================================ - - 1. **Get a trial license** Obtain a customer ID from Aviatrix support. Email to support@aviatrix.com - #. **Read** `IPmotion Setup Instructions `_ - #. **Complete the "Prerequisites"** in the above document that include download, install and bootup Aviatrix virtual appliance CloudN. - #. **Download IPmotion beta software** Login to the web console of CloudN. Go to Settings -> Maintenance -> Upgrade to Custom Release field, enter **3.0**, click "Upgrade to a custom release". This will download the IPmotion beta software. When it finishes, repeat this step to upgrade again. - #. **Setup IPmotion** Once upgrade is successful, login to the console, at the left navigation menu, click IPmotion, follow the step by step `instruction `_ to starting moving IP addresses! - - -.. |image0| image:: ipmotion_media/ipmotion.png - :width: 5.55625in - :height: 3.26548in - -.. |image1| image:: ipmotion_media/ipmotion-range-display.png - :width: 5.55625in - :height: 3.26548in - -.. disqus:: 
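Review bot: typo in the replacement line: "lease open a support ticket" should read "please open a support ticket", and the target of the `Aviatrix Support Portal` reference is empty in the hunk as shown, so the link will not render. Moving readers from a plain support mailbox to a ticket portal is the right direction, since gateway launch failures usually come with logs and account details that should not travel over unencrypted e-mail; the deleted beta_ipmotion.rst removes the last remaining "Email to support@aviatrix.com" instruction, so the change is consistent.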
diff --git a/HowTos/bgp_transitive_instructions.rst b/HowTos/bgp_transitive_instructions.rst index 91811c940..da6261ad5 100644 --- a/HowTos/bgp_transitive_instructions.rst +++ b/HowTos/bgp_transitive_instructions.rst @@ -8,7 +8,7 @@ Transit Network with BGP Setup Instructions .. Important:: - this document is obsolete with 3.1 release. Follow `Transit Network workflow instructions `__ to setup a Transit Network. + This document is obsolete for release 3.1 and later releases. Follow `Transit Network workflow instructions `__ to setup a Transit Network. Introduction ============= diff --git a/HowTos/bootstrap_example.rst b/HowTos/bootstrap_example.rst index 75d243fb6..5e3445ec2 100644 --- a/HowTos/bootstrap_example.rst +++ b/HowTos/bootstrap_example.rst @@ -4,7 +4,7 @@ ========================================================= -Bootstrap Configuration Example for VM-Series +Bootstrap Configuration Example for VM-Series in AWS ========================================================= Using bootstrap option significantly simplifies VM-Series initial configuration setup. @@ -55,7 +55,7 @@ Attach an IAM policy with the name, for example, "bootstrap-VM-S3-policy". The p 2. Create bootstrap bucket structure ------------------------------------- -In AWS S3, at the top level create a bucket for bootstrap with a **unique** name, for example "bootstrap_bucket", with the following structure: +In AWS S3, at the top level create a bucket for bootstrap with a **unique** name, for example "bootstrap-bucket", with the following structure: :: 
@@ -77,8 +77,8 @@ In AWS S3, at the top level create a bucket for bootstrap with a **unique** name **3.2** For the example init-cfg.txt file, click :download:`init-cfg.txt `. .. Note:: + In the example bootstrap.xml, you must specify custom usernames and passwords for the and , and generate hash strings for the passwords. - In the example bootstrap.xml, the API admin user name is avxadmin and the password is Aviatrix123#. You can customize it. **3.3** upload these two files to your config folder in the bootstrap-bucket. @@ -99,7 +99,7 @@ Bootstrap Bucket Name bootstrap-bucket (must be a unique name in S3) Launch the VM-Series instance. Wait for 15 minutes for it to boot up and initialize. -Login to the HTTPS interface of VM-Series management public IP with username "admin", password "Aviatrix123#" +Login to the HTTPS interface of VM-Series management public IP with the username and password specified in the bootstrap.xml file. 5. Configure API Vendor Integration @@ -109,10 +109,10 @@ In order for the Aviatrix Controller to automatically update firewall instance r Go to Controller -> Firewall Network -> Vendor Integration -> Firewall. Note the following fields. - - Firewall Login User Name field, use "avxadmin" without the double quotes. - - Firewall Login Password field, use "Aviatrix123#" without the double quotes. + - Firewall Login User Name field, use the username specified in the bootstrap.xml file. + - Firewall Login Password field, use the password specified in the bootstrap.xml file. -Follow `the instructions here `_ to enable API access. +If you are manually configuring the firewall from scratch, follow `the instructions here `_ to enable API access. 6. Ready to go! diff --git a/HowTos/bootstrap_example_media/bootstrap-azure.xml b/HowTos/bootstrap_example_media/bootstrap-azure.xml new file mode 100644 index 000000000..59ef3a37d --- /dev/null +++ b/HowTos/bootstrap_example_media/bootstrap-azure.xml 
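Review bot: the rewritten Note reads "custom usernames and passwords for the and , and generate hash strings", because the two role names that stood between angle brackets were swallowed (most likely rendered as tags); either escape them or spell them out in words (the HTTPS-interface admin account and the API admin account used by the Controller). Removing the published default credentials ("avxadmin" / "Aviatrix123#") from the workflow and the Vendor Integration step is the important change in this hunk; add one sentence telling readers that any firewall already bootstrapped from the old example still carries that password and must be rotated, and say how the hash is generated, since the Note now asks for a hash without saying what format the VM-Series expects.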
@@ -0,0 +1,506 @@ + + + + + + * + + + yes + + + + + password_hash + + + yes + + + + + + yes + 8 + + + + + + + + + + + + yes + 5 + + + yes + 5 + + + yes + 5 + + + yes + 10 + + + yes + 5 + + + + yes + + + + 10 + 10 + + 100 + 50 + + + + 10 + 10 + + 100 + 50 + + + + + + 100 + yes + + + + + + + + + + + + + + + + + + + no + + + no + + HCheck + + no + + + + + + + no + + + no + + + no + + + + + + + + + 3 + 5 + wait-recover + + + + + yes + + + + + + + + + aes-128-cbc + 3des + + + sha1 + + + group2 + + + 8 + + + + + aes-128-cbc + + + sha256 + + + group19 + + + 8 + + + + + aes-256-cbc + + + sha384 + + + group20 + + + 8 + + + + + + + + aes-128-cbc + 3des + + + sha1 + + + group2 + + 1 + + + + + + aes-128-gcm + + + none + + + group19 + + 1 + + + + + + aes-256-gcm + + + none + + + group20 + + 1 + + + + + + + aes-128-cbc + + + sha1 + + + + + + + + + + + + + real-time + + + high + + + high + + + medium + + + medium + + + low + + + low + + + low + + + + + + + + + + + + no + + + 1.25 + 0.5 + 900 + 300 + 900 + yes + + + + + + ethernet1/2 + ethernet1/1 + + + + + + + 10.26.0.81 + + + None + + ethernet1/2 + + no + any + 2 + + 10 + 172.16.0.0/12 + + + + + + + 10.26.0.81 + + + None + + ethernet1/2 + + no + any + 2 + + 10 + 192.168.0.0/16 + + + + + + + 10.26.0.81 + + + None + + ethernet1/2 + + no + any + 2 + + 10 + 168.63.129.16/32 + + + + + + + 10.26.0.81 + + + None + + ethernet1/2 + + no + any + 2 + + 10 + 10.0.0.0/8 + + + + + + + + + + + + + + + yes + no + no + no + + + updates.paloaltonetworks.com + + + + + wednesday + 01:02 + download-only + + + + + US/Pacific + + yes + yes + + PAN-Azure-Firenet + + + + yes + + + FQDN + + + + yes + no + no + no + + + PAN-Azure-Firenet + ahmed + + + + + + + + + + + + + ethernet1/2 + + + + + + + ethernet1/1 + + + + + + + + + + + + + any + + + any + + + any + + + any + + + any + + + any + + + any + + + application-default + + + any + + allow + + + + + + + + ethernet1/2 + ethernet1/1 + + + + + + + + 
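Review bot: this new bootstrap-azure.xml ships the legacy IKE/IPsec crypto profiles alongside the modern ones: 3des, sha1 and group2 (1024-bit DH) in the first IKE and IPsec profiles, and aes-128-cbc with sha1 in the fallback profile, while later profiles already use aes-128-gcm / aes-256-gcm with group19 / group20. Because this file is the example customers copy, remove the 3des / sha1 / group2 entries rather than leaving them as selectable defaults. Environment-specific values are also baked in: every static route uses the next hop 10.26.0.81, the hostname is PAN-Azure-Firenet, and a user name "ahmed" appears near the end; the password was already replaced by a password_hash placeholder at the top of the file, so apply the same treatment to the next-hop address and account name so nobody deploys with another tenant's values. The static route for 168.63.129.16/32 is fine to keep, since that is Azure's platform address used for health probes and DNS.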
diff --git a/HowTos/bootstrap_example_media/bootstrap.xml b/HowTos/bootstrap_example_media/bootstrap.xml index 4becf77ed..559a6d5b8 100644 --- a/HowTos/bootstrap_example_media/bootstrap.xml +++ b/HowTos/bootstrap_example_media/bootstrap.xml @@ -2,16 +2,16 @@ - - $1$hsyqpcpu$1kuBjBkoDzFdKA0Is2540/ + + https_interface_admin_password_hash/ yes - c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDUXNMUjhOOFhhRWtkVTJKT0t6TXF5N21SSEx5aFMrc01reUh2dHl4Ni8xc2dtQU0wQ1N3WXdYcmhoeG4wYnpNdDl4TFl2V0taaGUrektmeCszdWhySHg5Yi83djhEUzlZbmVudzQ5ejl1MTJUaEFSV3BMUUxHRU9SdnpwK0FGTGlmSjhRR3lSR0hIMnU2NTA2amNFTkNqRy9mbnVPSTA0NTZHdnZ6ZlM5ejVPOXkzYnRtWUZZM3ZqQU43WEtKNksxd1UyRExLZXFMcVo0S25WMjZ1T1dBbFMvL1c0bGtYTHhBNjVLc01PMjc4TnNWR3JSRlNBOXFjRGFNdEpQMUtJd201T0grWmF4R2VOUVNISm9Zd083KzVNTk9iZ0xHbVZNb0JTOXRod1ROY1RYZFN1Tkd3czNURVU0eWdVMEVWUWIvU2E0bm1kdEptT1pHWXJpd29FSmYgd2VzdC1zZXJ2ZXItMQ== + https_interface_public_key - + @@ -19,7 +19,7 @@ - $1$snyiktft$0c6C0a4SnkT4K37tqdmY00 + api_admin_password_hash diff --git a/HowTos/bootstrap_example_media/bootstrap_all.xml b/HowTos/bootstrap_example_media/bootstrap_all.xml index 4becf77ed..c754a8114 100644 --- a/HowTos/bootstrap_example_media/bootstrap_all.xml +++ b/HowTos/bootstrap_example_media/bootstrap_all.xml @@ -2,16 +2,16 @@ - - $1$hsyqpcpu$1kuBjBkoDzFdKA0Is2540/ + + password_hash/ yes - 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 + key - + @@ -19,7 +19,7 @@ - $1$snyiktft$0c6C0a4SnkT4K37tqdmY00 + password_hash diff --git a/HowTos/bootstrap_example_media/cp-bootstrap-example.png b/HowTos/bootstrap_example_media/cp-bootstrap-example.png new file mode 100644 index 000000000..da3750d57 Binary files /dev/null and b/HowTos/bootstrap_example_media/cp-bootstrap-example.png differ 
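Review bot: pulling the real credentials out of bootstrap.xml and bootstrap_all.xml is the right fix, but the removed values ($1$-prefixed MD5-crypt password hashes and an SSH public key) have been in the repository history since they were committed, and MD5-crypt hashes of a short password are cheap to crack once disclosed; removing them from HEAD does not revoke them, so rotate the admin and API passwords on any firewall built from these files, and rewrite history if the repository is public. Two smaller points: the new placeholders keep a trailing slash ("https_interface_admin_password_hash/" and "password_hash/"), which readers will copy verbatim, and the two files now use different names for the same fields ("https_interface_public_key" vs "key", "api_admin_password_hash" vs "password_hash"); pick the descriptive set and use it in both so the Note in bootstrap_example.rst can refer to them by name.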
diff --git a/HowTos/bootstrap_example_media/file-share-folder-example.png b/HowTos/bootstrap_example_media/file-share-folder-example.png new file mode 100644 index 000000000..aeb7eeed9 Binary files /dev/null and b/HowTos/bootstrap_example_media/file-share-folder-example.png differ diff --git a/HowTos/changelog.rst b/HowTos/changelog.rst index e7cd35a90..d851702b1 100755 --- a/HowTos/changelog.rst +++ b/HowTos/changelog.rst 
@@ -1,9 +1,54 @@ Aviatrix VPN Client Changelog ----------------------------- +2.14.14 - April 27 2021 + - Support non-ASCII Windows user login account + - Support non-ASCII VPN connection profile name on the client UI + - Support Ubuntu 20.04.01 deb format installer + - `Enhance the Windows client security `_ + +2.13.12 - Jan 28 2021 + - Provide a MD5 checksum along with every single installer + - Support MacOS Big Sur + - Verify the settings before exiting the Settings UI + +2.12.10 - September 3 2020 + - Support Ubuntu 20.04 FIPS + - A toggle to support Cisco Umbrella DNS servers or the VPC DNS servers on MacOS + - Support multiple MacOS system login accounts + - Allow override of manually set DNS flag to be enabled by default on MacOS + +2.11.6 - July 22 2020 + - OpenSSL lib of the MacOS client is updated to 1.1.11g + - OpenSSL lib of the Windows client is updated to 1.1.11f + - Enhance the security to prevent Man-in-the-middle attack + - Boost the Windows client data throughput + - Improve the connectivity of the MacOS client under the unstable WiFi connection + - Improve the connectivity of the Windows client under the high data throughput + - New clients to support Ubuntu 20.4 LTS + +2.10.8 - May 14 2020 + - Address client vulnerabilities of elevation in privilege and arbitrary file write. 
+ +2.9.6 - April 23 2020 + - Support displaying system use notifications + + +2.8.2 - April 10 2020 + - Boost VPN throughput + + +2.7.9 - March 4 2020 + - UI enhancements for password-based authentication + - Support the OVPN parameter: 'route' + - Fixed issue where tray icon sometimes did not accurately reflect the VPN status + - Fixed issue where VPN client becomes unresponsive if quit from the MacOS taskbar + - VPN client will now no longer erroneously prompt for another authentication retry after previous fail + - Fixed issue where the old VPN client will not quit, and crashes, if not uninstalled prior to the installation of a newer client + 2.6.6 - Jan 29 2020 - Improve the user experience to add a new VPN profile - - Security fixes for the OpenVPN params + - `Security fixes for the OpenVPN params `_ 2.5.7 - Nov 20 2019 @@ -15,7 +60,7 @@ Aviatrix VPN Client Changelog 2.4.10 - Nov 2 2019 - Security fixes - - Remove config caching causing issues on MacOS + - Remove config caching causing issues on MacOS - Fixes an issue preventing connection after switching between auth types @@ -64,7 +109,7 @@ Aviatrix VPN Client Changelog 1.8 - Jun 22 2018 - Windows VPN Service to run the client without Admin access - - Graceful VPN exit on windows(8.0 and above) disconnect + - Graceful VPN exit on windows(8.0 and above) disconnect - Add platform, GUI version and peer info - Add resolvconf dependency for Ubuntu18 - Fix some connection issues on Mac 
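Review bot: the OpenSSL versions in the 2.11.6 entry are not real releases: "1.1.11g" and "1.1.11f" should be 1.1.1g and 1.1.1f, and "Ubuntu 20.4 LTS" should be 20.04 (the 2.12.10 and 2.14.14 entries spell it correctly). The 2.6.6 and 2.14.14 entries link to their security advisories, but the 2.10.8 entry ("elevation in privilege and arbitrary file write") and the 2.11.6 line ("prevent Man-in-the-middle attack") do not; those are the two entries a user deciding whether to upgrade most needs a reference for, so add the same kind of link, and note that the advisory targets in the hunk are empty as shown. Finally, 2.13.12's "MD5 checksum along with every single installer" protects only against accidental corruption: an attacker who can replace the download can replace the checksum published beside it, and MD5 is collision-broken in any case, so publish SHA-256 and point users at the code signature (the Windows and Mac builds are signed, per the 1.3 and 1.4 entries) as the thing to verify.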
@@ -90,48 +135,47 @@ Aviatrix VPN Client Changelog - Debian installation files - Fixed viewing logs in Linux - + 1.4 - Aug 8 2017 - Signed Mac application - Parallel windows execution fix - - + + 1.3 - Jun 15 2017 - Disconnection fixes - Timeout fixes - Connection profile is displayed - IE support for SAML - Signed Windows application - - + + 1.2 - Mar 15 2017 - HTTPS Version for SAML - Multiple Profiles - Linux version - Connection status detection - Unblock disconnection while connecting - - Retry prompt for LDAP - - Multi process feature for Mac/Linux. + - Retry prompt for LDAP + - Multi process feature for Mac/Linux. - Removed VPN Lockdown - Permissions fixes - Fixes in logging - + 1.1 - Jan 30 2017 - Settings window for troubleshooting - Mac default application behavior - Bug fixes for hangs - In built resources - - Connection timeout issues fixed + - Connection timeout issues fixed - Kill other OpenVPN® on start - Connection status fix - - VPN lockdown feature + - VPN lockdown feature + - 1.0 - Dec 15 2016 - Initial release - HTTP Version OpenVPN is a registered trademark of OpenVPN Inc. - diff --git a/HowTos/checkpoint_bootstrap_azure.rst b/HowTos/checkpoint_bootstrap_azure.rst new file mode 100644 index 000000000..0867c2155 --- /dev/null +++ b/HowTos/checkpoint_bootstrap_azure.rst 
@@ -0,0 +1,73 @@ +.. meta:: + :description: Firewall Network + :keywords: Azure Transit Gateway, Aviatrix Transit network, Transit DMZ, Egress, Firewall, Bootstrap, Check Point, Security Gateway + + +=============================================================================== +Bootstrap Configuration Example for Check Point Security Gateway in AWS/Azure +=============================================================================== + +This document applies to both AWS and Azure. + +Using bootstrap option significantly simplifies Check Point Security Gateway initial configuration setup. + +In this document, we provide a basic bootstrap example for Check Point. Bootstrap Configuration can be a vendor specific script or configuration. + +For a manual setup, follow `manual setup example. `_ + + +Configure Check Point Security Gateway using Custom Data +--------------------------------------------------------- + +Follow the Aviatrix Firewall Network (FireNet) workflow +to `Step 7a. `_ to launch the firewall instance. + +To Configure Check Point Security Gateway using Custom Data, go to the Aviatrix Controller -> Firewall Network -> Setup -> Launch & Associate Firewall Instance. + +Fill in the required fields. Click Advanced. Fill in the following parameters. You must specify a custom username and password, and generate a hash string for the password. 
+ +================================ ====================== +**Advanced Field** **Example Value** +================================ ====================== +User Data Bootstrap Configuration +================================ ====================== + +Sample Check Point Bootstrap Configuration to configure firewall "Allow-all" policy, health check policy and RFC 1918 static routes is shown below: + + :: + + #!/bin/bash + + clish -c "set user password-hash <100+ character hash string>" -s + clish -c 'set interface eth1 state on' -s + clish -c 'set hostname checkpoint' -s + blink_config -s 'upload_info=false&download_info=false&install_security_gw=true&install_ppak=true&install_security_managment=false&ipstat_v6=off&ftw_sic_key=' + + +|cp_bootstrap_example| + +Launch the instance. Wait for 15 minutes for it to boot up and initialize. + +Login to the HTTPS interface of the public IP with the username and password specified in the Bootstrap Configuration file. + + + +Ready to go! +---------------- + +Now your firewall instance is ready to receive packets! + +Next step is to validate your configurations in the Check Point Security Gateway, and configure polices for Ingress and Egress inspection. + +By default, all traffic is allowed in Check Point that can be verfied by launching one instance in PROD Spoke VNET and DEV Spoke VNET. Start ping packets from a instance in DEV Spoke VNET to the private IP of another instance in PROD Spoke VNET. The ICMP traffic should go through the Check Point and be inspected in Security Gateway. + + +Additional References +-------------------------- + +Check Point Reference `Custom Data `_ + +.. |cp_bootstrap_example| image:: bootstrap_example_media/cp-bootstrap-example.png + :scale: 40% + +.. disqus:: diff --git a/HowTos/cloud_wan_faq.rst b/HowTos/cloud_wan_faq.rst index 45697d93b..67f3c6384 100644 --- a/HowTos/cloud_wan_faq.rst +++ b/HowTos/cloud_wan_faq.rst 
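Review bot: the sample script is missing its security-critical inputs: `clish -c "set user password-hash <100+ character hash string>"` has lost the user name between `set user` and `password-hash` as shown, there is no hint of how the hash is produced, and `ftw_sic_key=` is empty at the end of the blink_config line. State where the SIC one-time password comes from and that it must be unique per gateway, since an empty or guessable SIC key lets anyone who reaches the gateway's management interface establish trust with it. The "Allow-all" policy installed by the script and the sentence "By default, all traffic is allowed in Check Point" should be qualified explicitly: this is to validate the packet path (the DEV-to-PROD ping test in the same section), not a policy to run production traffic through. Smaller points: the title says AWS/Azure but the keywords only list Azure; "verfied" and "a instance" are typos; "polices" should be "policies"; and "install_security_managment" appears to be Check Point's own spelling of the parameter, so verify against the vendor reference before "fixing" it.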
@@ -10,12 +10,18 @@ Aviatrix CloudWAN FAQ What is the Aviatrix CloudWAN? --------------------------------------- -Aviatrix CloudWAN is a feature where Aviatrix Controller manages and help connect on-prem Cisco IOS Routers to the cloud directly. +Aviatrix CloudWAN manages and automates secure connectivity of on-prem Cisco IOS Routers to the cloud. The IPSEC connection terminates with +AWS Transit Gateway (TGW), Aviatrix Transit Gateway or Azure Virtual WAN. + +Starting in Release 6.2, CloudWAN also manages Aviatrix CloudN appliance for high performance encryption connection (up to 25Gbps) from on-prem to the cloud. + +This document focuses on CloudWAN for Cisco IOS devices. For configuration information on CloudN +appliance, refer to `Managed CloudN Workflow `_. CloudWAN can be used to fulfill the following tasks. 1. Manage multiple Cisco IOS Routers from the Aviatrix Controller. This includes uploading and viewing the IOS configuration, making configuration changes and monitoring the health and stats of these routers. - #. Auto connect Cisco IOS routers to the Aviatrix Transit Gateway or AWS TGW with IPSEC VPN over the Internet, thus allowing them to be part of the Transit Network where they gain connectivity to Spoke VPCs. + #. Automate secure connection of Cisco IOS routers to the Aviatrix Transit Gateway or AWS TGW with IPSEC VPN over the Internet, thus allowing them to be part of the Transit Network where they gain connectivity to Spoke VPCs. What are the CloudWAN deployment architectures? -------------------------------------------------- 
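Review bot: minor wording in the rewritten definition: "The IPSEC connection terminates with AWS Transit Gateway (TGW), Aviatrix Transit Gateway or Azure Virtual WAN" reads better as "terminates on", and the `Managed CloudN Workflow` reference has no target in the hunk as shown. Since the paragraph now advertises a 25 Gbps encrypted path via CloudN, say in the same sentence that the Cisco IOS path described in the rest of this FAQ is IPsec over the Internet, so readers do not attribute the CloudN throughput figure to the router integration.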
@@ -43,16 +49,31 @@ In this deployment IPsec tunnels are built directly to TGW VPN. |cloud_wan_3| +CloudWAN Deployment on Azure +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +CloudWAN can terminate branch router IPSEC connection with Aviatrix Transit Gateway deployed in Azure, as shown in +the diagram below. + +|cloud_wan_azure| + +CloudWAN Deployment on Azure Virtual WAN +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +CloudWAN is integrated with Azure Virtual WAN, as shown in the diagram below. For configuration example, refer to `CloudWAN on Azure vWAN Configuration Example `_. + +|cloudwan_azure_vwan| + What are the benefits of CloudWAN? ----------------------------------------- - **No Friction** Leverage what you have already invested in the on-prem edge router for connecting to the cloud. - - **Shortest Latency** Leverage AWS Global Accelerator to connect your on-prem routers to the nearest AWS edge and route through the AWS backbone with the optimal path. + - **Shortest Latency** Leverage AWS Global Accelerator or Azure backbone to connect your on-prem routers to the nearest cloud provider edge and route through the their backbone with the optimal path. - **Automation** Avoid human errors and the complexity of VPN configuration when building VPN connections to the cloud. - **Centrally Managed** Use the single pane of glass to both provision and monitor router health and stats. -How does CloudWAN work? --------------------------- +How does CloudWAN work in AWS? +--------------------------------- CloudWAN leverages AWS Global Accelerator and the AWS backbone for the shortest latency path to the cloud. 
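Review bot: "route through the their backbone" has a duplicated article; suggest "route through that provider's backbone with the optimal path". The `CloudWAN on Azure vWAN Configuration Example` reference has an empty target as shown. Narrowing the heading to "How does CloudWAN work in AWS?" while the "Shortest Latency" bullet now covers Azure as well leaves the FAQ asymmetric; add a matching "How does CloudWAN work in Azure?" entry, or at least a sentence under the two new Azure deployment headings saying which component terminates the branch tunnel in each case, as the AWS section does for Global Accelerator.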
@@ -160,6 +181,12 @@ Cisco routers that run IOS Classic and IOS XE are supported. For example, ISR G2 .. |cloud_wan_3| image:: cloud_wan_faq_media/cloud_wan_3.png :scale: 30% +.. |cloud_wan_azure| image:: cloud_wan_faq_media/cloud_wan_azure.png + :scale: 30% + +.. |cloudwan_azure_vwan| image:: cloud_wan_faq_media/cloudwan_azure_vwan.png + :scale: 30% + .. |global_accelerator| image:: cloud_wan_faq_media/global_accelerator.png :scale: 30% diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_check_connection_status.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_check_connection_status.png new file mode 100644 index 000000000..6453d7ea5 Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_check_connection_status.png differ diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_check_status_branch_router.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_check_status_branch_router.png new file mode 100644 index 000000000..c0e038a3f Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_check_status_branch_router.png differ diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_click_discover_wan_interfaces_button.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_click_discover_wan_interfaces_button.png new file mode 100644 index 000000000..b2d3e9794 Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_click_discover_wan_interfaces_button.png differ diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_example_attach_branch_to_cloud.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_example_attach_branch_to_cloud.png new file mode 100644 index 000000000..042399249 Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_example_attach_branch_to_cloud.png differ 
diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_example_prepare_to_attach.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_example_prepare_to_attach.png new file mode 100644 index 000000000..b4946fbea Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_example_prepare_to_attach.png differ diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_example_register_branch_router.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_example_register_branch_router.png new file mode 100644 index 000000000..a13883e02 Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_example_register_branch_router.png differ diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_azure_check_connection_status.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_azure_check_connection_status.png new file mode 100644 index 000000000..4fa1646de Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_azure_check_connection_status.png differ diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_azure_troubleshoot_effective_route.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_azure_troubleshoot_effective_route.png new file mode 100644 index 000000000..601e366f6 Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_azure_troubleshoot_effective_route.png differ diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_check_status_hub.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_check_status_hub.png new file mode 100644 index 000000000..450828354 Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_check_status_hub.png differ 
diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_check_status_virtual_network_connections.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_check_status_virtual_network_connections.png new file mode 100644 index 000000000..152fd450a Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_check_status_virtual_network_connections.png differ diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_check_status_vpngw.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_check_status_vpngw.png new file mode 100644 index 000000000..1ff1995cb Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_check_status_vpngw.png differ diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_check_status_vwan.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_check_status_vwan.png new file mode 100644 index 000000000..b8d32c8c8 Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_check_status_vwan.png differ diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_click_hub.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_click_hub.png new file mode 100644 index 000000000..39e00450d Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_click_hub.png differ diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_confirm_vwan.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_confirm_vwan.png new file mode 100644 index 000000000..08c6a5f91 Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_confirm_vwan.png differ 
diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_create_hub.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_create_hub.png new file mode 100644 index 000000000..67f4cc5be Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_create_hub.png differ diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_create_vwan.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_create_vwan.png new file mode 100644 index 000000000..e2ce37d7f Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_create_vwan.png differ diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_example_hub.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_example_hub.png new file mode 100644 index 000000000..480d818a9 Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_example_hub.png differ diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_example_site2site.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_example_site2site.png new file mode 100644 index 000000000..344c95ead Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_example_site2site.png differ diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_example_virtual_network_connections.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_example_virtual_network_connections.png new file mode 100644 index 000000000..cad57f71f Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_example_virtual_network_connections.png differ 
diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_example_vpngw.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_example_vpngw.png new file mode 100644 index 000000000..55a2f2a62 Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_example_vpngw.png differ diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_link_hub.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_link_hub.png new file mode 100644 index 000000000..507de4c44 Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_link_hub.png differ diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_link_virtual_network_connections.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_link_virtual_network_connections.png new file mode 100644 index 000000000..55036fc53 Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_link_virtual_network_connections.png differ diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_verification_cloud_vm_issue_icmp.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_verification_cloud_vm_issue_icmp.png new file mode 100644 index 000000000..64710a169 Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_verification_cloud_vm_issue_icmp.png differ diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_verification_cloud_vm_tcpdump_icmp.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_verification_cloud_vm_tcpdump_icmp.png new file mode 100644 index 000000000..812cfd4a6 Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_verification_cloud_vm_tcpdump_icmp.png differ 
diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_verification_on_prem_router_issue_icmp.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_verification_on_prem_router_issue_icmp.png new file mode 100644 index 000000000..081a2be34 Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_verification_on_prem_router_issue_icmp.png differ diff --git a/HowTos/cloud_wan_faq_media/cloud_wan_azure.png b/HowTos/cloud_wan_faq_media/cloud_wan_azure.png new file mode 100644 index 000000000..561d32a42 Binary files /dev/null and b/HowTos/cloud_wan_faq_media/cloud_wan_azure.png differ diff --git a/HowTos/cloud_wan_faq_media/cloudwan_azure_vwan.png b/HowTos/cloud_wan_faq_media/cloudwan_azure_vwan.png new file mode 100644 index 000000000..1c062f8bc Binary files /dev/null and b/HowTos/cloud_wan_faq_media/cloudwan_azure_vwan.png differ diff --git a/HowTos/cloud_wan_workflow.rst b/HowTos/cloud_wan_workflow.rst index c2de7193f..32ec968f6 100644 --- a/HowTos/cloud_wan_workflow.rst +++ b/HowTos/cloud_wan_workflow.rst @@ -31,10 +31,11 @@ In the drop down menu, select the branch device. Click Upload Config. After the Attach Branch to Cloud ----------------------------------------- -This step creates an IPSEC tunnel between the IOS router and the Aviatrix Transit Gateway or between the IOS router and TGW VPN. . +This step has 3 options. +It creates an IPSEC tunnel between the IOS router and the Aviatrix Transit Gateway, between the IOS router and TGW VPN or IOS router and Azure vWAN. -Attach to an Aviatrix Transit Gateway -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Option 1: Attach to an Aviatrix Transit Gateway +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If you connect the branch router to an Aviatrix Transit Gateway, refer to the following fields to attach the branch router. 
@@ -56,10 +57,10 @@ Local Tunnel IP Optional parameter. Leave Remote Tunnel IP Optional parameter. Leave it unchecked. ========================================= ========================== -Attach to TGW VPN -^^^^^^^^^^^^^^^^^^ +Option 2: Attach to TGW VPN +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -If you connect the branch router to TGW VPN, refer to the following fields to attach the branch router. +To connect a branch router to TGW VPN, refer to the following fields to attach the branch router. ========================================= ========================== Input Field Value @@ -73,6 +74,23 @@ Security Domain Name An Aviatrix TGW Orchestra Enable Global Accelerator Check the box to enable AWS Global Accelerator for the branch router to hop onto the nearest AWS edge and traverse the AWS backbone to get to the AWS TGW. ========================================= ========================== +Option 3: Attach to Azure vWAN +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +To connect a branch router to Azure vWAN, select Azure Virtual WAN. For a detailed example, refer to `CloudWAN on Azure vWAN Configuration Example `_. + +========================================= ========================== +Input Field Value +========================================= ========================== +Branch A registered branch router. +Azure Virtual WAN Azure vWAN option +Access Account Name The Access Account for Azure subscription +Resource Group The resource group on Azure +Hub Name Azure vWAN Hub created on Azure portal +Connection Name A unique name for the connection. +Branch Router's BGP ASN Only BGP is supported. Enter BGP ASN number on the branch router. +========================================= ========================== + List/Edit ------------ diff --git a/HowTos/config_CheckPointAzure.rst b/HowTos/config_CheckPointAzure.rst new file mode 100644 index 000000000..8bda67aae --- /dev/null +++ b/HowTos/config_CheckPointAzure.rst 
@@ -0,0 +1,483 @@ +.. meta:: + :description: Firewall Network + :keywords: Azure Transit Gateway, Aviatrix Transit network, Transit DMZ, Egress, Firewall + + +========================================================= +Example Config for Check Point VM in Azure +========================================================= + +In this document, we provide an example to set up the Check Point Security Gateway instance for you to validate that packets are indeed sent to the Check Point Security Gateway for VNET to VNET and from VNET to internet traffic inspection. + +.. note:: + Firewall and Security Gateway word will be used interchangeably in this document. Both refers to Check Point Security Gateway product. + +Prerequisites +---------------- + +Before you start, make sure you have understanding on + + - Basic Check Point Architecture + - Check Point Security Management + +The following Check Point AMIs and software versions are supported in Azure by Aviatrix. + +================================================================================== ==================== +**Supported AMI Name** **Software Version** +================================================================================== ==================== +CloudGuard IaaS Single Gateway - BYOL R80.40, R80.30 +CloudGuard IaaS Single Gateway Threat Prevention & SandBlast (NGTX) - PAYG R80.40, R80.30 +CloudGuard IaaS Single Gateway with Thread Prevention (NGTP) - PAYG R80.40, R80.30 +CloudGuard IaaS Standalone (Gateway + Management) - BYOL R80.40 +================================================================================== ==================== + +.. important:: + + - Check Point Standalone does not require Security Management to manage polices. 
+ - Gateway NGTP and NGTX both requires Security Management to configure Security Gateway Polices + +Check Point Reference Architecture +---------------------------------------- +It is absolutely paramount at this stage to understand the basic Check Point architecture to configure Check Point Security Gateway properly. Please see a reference architure: + +|cp_arch_reference| + +As per the reference shown above the following steps will be required to configure security polices successfully: + + 1. Launch Check Point Security Gateway - Configure Interfaces and Static Routes and other specific Security Gateway configuration. + #. Download, install and configure Check Point Security Management (Optional) + #. Download, install and configure Check Point Smart Console - Launch Smart Console using Security Manager IP, add/authenticate one or more security gateways, configure security rules/polices, and push it to security gateways. + +Please follow the below steps to launch and configure Check Point Security Gateway in Azure. + +If you are looking to deploy Check Point in AWS environment, your starting point is `here `_. + +1. Launch Check Point Firewall from Aviatrix Controller +---------------------------------------------------------- + +The Aviatrix Firewall Network (FireNet) workflow launches a Check Point Security Gateway instance at `Step 7a `_. + +Go to Aviatrix Controller's console, Firewall Network -> Setup -> Step 7a. Here is the Security Gateway information in this example for your reference. Please adjust it depending on your requirements. + +========================================== ========== +**Example setting** **Example value** +========================================== ========== +Firewall Image Check Point CloudGuard IaaS Single Gateway R80.40 - PAYG (NGTP) +Firewall Image Version 8040.900294.0593 +Firewall Instance Size Standard_D3_v2 +Egress Interface Subnet Select the subnet whose name contains "Public-FW-ingress-egress". 
+Username admin (no alternatives) +Authentication Method Password +Password Input a good password of your choice +SIC Key Input a good SIC Key. +Attach Check +========================================== ========== + +.. important:: + SIC (Secure Inter-communication) Key needs to be noted somewhere and will be required to add Security Gateway inside the Security Manager. + +.. note:: + + Check Point Security Gateway instance has only 2 interfaces as described below. Additionally, firewall instance eth1 is on the same subnet as FireNet gateway eth2 interface. + +======================================================== =============================== ================================ +**Check Point VM instance interfaces** **Description** **Inbound Security Group Rule** +======================================================== =============================== ================================ +eth0 (on subnet -Public-FW-ingress-egress) Egress or Untrusted interface Allow ALL +eth1 (on subnet -dmz-firewall-lan) LAN or Trusted interface Allow ALL (Do not change) +======================================================== =============================== ================================ + +After the launch is complete, Aviatrix Controller automatically initiates the Security Gateway on-boarding process, configure interfaces and program RFC 1918 routes in Check Point Security Gateway. + +2. Login to Check Point Firewall Gaia Portal +---------------------------------------------- + +After launch is complete, the controller's displays the Check Point Security Gateway with its public IP address of management/egress interface to login to the Check Point Gaia's console. + +Go back to the Controller's console, Firewall Network -> Setup -> Step 7a and Click on the `Management UI` as shown below. + +The URL takes you to the Check Point Security Gateway Gaia Portal you just launched. + +|avx-firewall-step7a_UI| + +.. note:: + + Please try to use different browser (e.g. 
Firefox) if the Management UI link is not opening on your default browser. + +Login Gaia Portal with admin and password specified at launch time. + +Go to the page “Network Management -> Network Interfaces” to review eth0 (WAN) and eth1 (LAN) configuration as shown below. + +|cp_firewall_interfaces| + +Review static routes RFC 1918 which is configured on LAN port, the purpose of those static route is to send the packets back to the Gateway (GW). + +Those static routes could be reviewed on the page “Network Management -> IPv4 Static Routes” + +|cp_firewall_static_routes| + +Routes can also be reviewed by clicking the button “Monitoring” on the page “Network Management -> IPv4 Static Routes” + +|cp_firewall_routes_monitoring| + +.. important:: + Please make sure HTTPS (TCP 443 port) must be allowed in Check Point Security Gateway. By default, TCP 443 port is enabled in Security Gateay. This port will be used for Security Gateway health check. + + +3. (Optional) Firewall Vendor Integration +------------------------------------------------- +Go to Aviatrix Controller --> Firewall Network --> Vendor Integration and complete the step as shown below: + +|cp_firewall_vendor_integration| + +Click **Save**, **Show** and **Sync** respectively. + +This automatically set up the non-RFC 1918 routes between Aviatrix Gateway and Vendor’s firewall instance in this case Check Point. This can also be done manually through Cloud Portal and/or Vendor’s Management tool. + + +4. Download and install the SmartConsole +------------------------------------------------- + +4.1 Deploy and Install Check Point Security Management +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Check Point Security Gateway launched in the step 1 requires a management console (Check Point Security Manager) for managing one or more Security Gateways. + +Deploy and install the **Check Point Security Management** from Azure Marketplace in Azure's Console. + +.. 
important:: + + Check Point Security Management CloudGuard version should be R80.40. Check Point Security Manager deployment and installation steps are not part of this guide, and it has to be done manually. + +Login to Check Point Security Manager and download the SmartConsole on Windows-based computer. + + Option 1: click on the button "Download Now!" with message "Manage Software Blades using SmartConsole" on the Overview page as below. + +|cp_security_manager| + + Option 2: download it by using this link `R80.40 `_ + +4.2 Install SmartConsole and Login +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Check Point's SmartConsole is a Windows-based application used to configure and manage polices. These polices can be applied to one or more Security Gateways. + +Install the SmartConsole and login into it with the Gaia Portal username, password and IP Address of **Check Point's Security Manager**. + +|smart_console_login| + + +5. Configure and Add Check Point Gateway in SmartConsole +-------------------------------------------------------- + +5.1 (Optional) Configure Security Gateway Secure Inter-Communication (SIC) Key +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Please skip this step if you remember the SIC Key provided during the Security Gateway launch from Aviatrix Controller. + +If you do not remember or wants to generate a new SIC Key then please follow this step. + +Check Point Gateway needs to be configured with one-time secure password in order to establish the secure communication with Check Point Security Management Portal. + +SSH to Check Point Gateway in order to configure One-time Secure Password. + +:: + + %ssh admin@ip-address + The authenticity of host 'ip-address' can't be established. + ECDSA key fingerprint is SHA256:1S6wQF4xI6YtieM1te0lnI2wXoRDiDfa85ctsDHd1N4. + Are you sure you want to continue connecting (yes/no/[fingerprint])? 
yes + Failed to add the host to the list of known hosts (/Users/ahmednaail/.ssh/known_hosts). + This system is for authorized use only. + Password: + You have logged into the system. + By using this product you agree to the terms and conditions + as specified in https://www.Check Point.com/download_agreement.html + CLINFR0771 Config lock is owned by admin. Use the command 'lock database override' to acquire the lock. + + cp-firewall-sc-azure> lock database override + cp-firewall-sc-azure> set expert-password + Enter new expert password: + Enter new expert password (again): + cp-firewall-sc-azure> expert + Enter expert password: + + + Warning! All configurations should be done through clish + You are in expert mode now. + + [Expert@cp-firewall-sc-azure:0]# cpconfig + This program will let you re-configure + your Check Point products configuration. + + + Configuration Options: + ---------------------- + (1) Licenses and contracts + (2) SNMP Extension + (3) PKCS#11 Token + (4) Random Pool + (5) Secure Internal Communication + (6) Enable cluster membership for this gateway + (7) Check Point CoreXL + (8) Automatic start of Check Point Products + + (9) Exit + + Enter your choice (1-9) :5 + + Configuring Secure Internal Communication... + ============================================ + The Secure Internal Communication is used for authentication between + Check Point components + + Trust State: Initialized but Trust was not established + + Would you like to change the Activation Key? (y/n) [n] ? y + + + Note: This operation will stop all Check Point Services (cpstop). + Are you sure you want to continue? (y/n) [n] ? y + Enter Activation Key: + Retype Activation Key: + initial_module: + Compiled OK. + initial_module: + Compiled OK. 
+ + Hardening OS Security: Initial policy will be applied + until the first policy is installed + + + The Secure Internal Communication was successfully initialized + + + Configuration Options: + ---------------------- + (1) Licenses and contracts + (2) SNMP Extension + (3) PKCS#11 Token + (4) Random Pool + (5) Secure Internal Communication + (6) Enable cluster membership for this gateway + (7) Check Point CoreXL + (8) Automatic start of Check Point Products + + (9) Exit + + Enter your choice (1-9) :9 + + Thank You... + +Terminate SSH session. + +5.2 Add Check Point Security Gateway in SmartConsole +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +At this point, we have a One-time secure password (SIC Key) which will be used to add a Gateway inside Check Point Security Manager. + +Now go back to SmartConsole and Add a Gateway as shown below: + +|smartconsole_add_gateway| + +Click on Wizard Mode + +|cp_gw_creation_wizard| + +Next provide the GW information as shown in the table: + +======================= =============================================== +**Field** **Value** +======================= =============================================== +Gateway Name Configure any name +Gateway Platform Select CloudGuard IaaS +Gateway IP + * Static IP Address Provide Check Point Gateway IP address +======================= =============================================== + +|gw_general_properties| + + +Next step is to establish a secure communication with a Gateway. + +======================= =============================================== +**Field** **Value** +======================= =============================================== +Gateway' Name Provide you Gateway Name (Case-Sensitive) +One-time Password Use same Password which you set during SSH session with Gateway +Trust State Default Values +======================= =============================================== + +.. 
important:: + If you see an error during communication establishment process that says, "Failed to connect to Security Gateway. SIC has not been established ...". Please SSH to your Gateway again and follow the same process mentioned in step 4, and try again to establish a communication with Security Gateway. + +|trusted_communication| + +Click "OK" and "Finish". + +|get_topology| + +|cp_wizard_summary| + +Review the Gateway Summary and Click "OK" + +|cp_gw_summary| + +At this point if all the steps are followed properly then you should see a Gateway under GATEWAYS & SERVERs tab. + +|cp_gw_added| + +6. Configure basic traffic policy to allow traffic VNET to VNET +------------------------------------------------------------------ + +In this step, we will configure a basic traffic security policy that allows traffic to pass through the Security Gateway. + +Go to the page "SECURITY POLICIES -> Access Control -> Policy" and configure a policy by either modifying the default "Cleanup rule" or Add a new rule above the default rule. + +======================= =============================================== +**Field** **Value** +======================= =============================================== +Name Configure any name for this policy (i.e. allow-all) +Source Any +Destination Any +VPN Any +Service & Applications Any +Action Accept +Track Log +======================= =============================================== + +|basic_allowall_policy| + +Click on the button "Install Policy" in Smart Console on top left corner, and then "Install" to commit the settings. + +|install_allowall_policy| + +|policy_installed| + +After validating that your traffic is being routed through your Security Gateway instances, you can customize the security policy to tailor to your requirements. + +7. 
[Optional] Configure basic traffic policy to allow traffic VNET to Internet +---------------------------------------------------------------------------------- + +In this step, we will configure a basic traffic security policy that allows internet traffic to pass through the firewall. + +.. important:: + Enable `Egress inspection `_ feature on FireNet + +First of all, go back to the Aviatrix Controller Console. Navigate to the page "Firewall Network -> Advanced". Click the skewer/three dot button. Scroll down to “Egress through Firewall” and click Enable. Verify the Egress status on the page "Firewall Network -> Advanced". + +|cp_egress_inspection| + +Secondly, go back to the Check Point SmartConsole. Navigate to the page "GATEWAYS&SERVERS" and then double-click on the gateway itself to enable NAT function as the following screenshot. + +- Click on the button "NAT" +- Enable the checkbox "Hide internal networks behind the Gateway's external IP" +- Click the button "OK" +- Click the button "Install Policy" + +|cp_policy_vpc_to_internet_nat_enabled| + +.. important:: + + NAT function needs to be enabled on the Check Point FW interface eth0 for this VNET to Internet policy. Please refer to `Check Point's NAT instruction `_ for detail. + +**[Optional]** If you have default "Cleanup rule", then navigate to the page "SECURITY POLICIES -> Access Control -> Policy" and inject a new rule for Internet Policy on top of the default "Cleanup rule". + +======================= =============================================== +**Field** **Value** +======================= =============================================== +Name Configure any name for this policy (i.e. Internet-Policy) +Source Any +Destination Select the object with All_internet +VPN Any +Service & Applications Any +Action Accept +Track Log +======================= =============================================== + +Click on the button "Install Policy" and then "Install" to commit the settings. 
+ +|cp_policy_vpc_to_internet| + +After validating that your traffic is being routed through your Security Gateway instances, you can customize the security policy to tailor to your requirements. + +8. Ready to go! +---------------- + +Now your Security Gateway instance is configured and ready to receive packets! + +Next step is to validate your configurations and polices using FlightPath and Diagnostic Tools (ping, traceroute etc.). + + +9. View Traffic Log +---------------------- + +You can view if traffic is forwarded to the firewall instance by logging in to the Check Point Firewall SmartConsole. Go to the page "LOGS & MONITOR". + +For VNET to VNET traffic: +~~~~~~~~~~~~~~~~~~~~~~~~~ + +Launch one instance in PROD Spoke VNET and DEV Spoke VNET. Start ping packets from a instance in DEV Spoke VPC to the private IP of another instance in PROD Spoke VPC. The ICMP traffic should go through the firewall and be inspected in firewall. + +|cp_view_traffic_log_vpc_to_vpc| + +[Optional] For VNET to Internet traffic: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Launch a private instance in the Spoke VNET (i.e. PROD Spoke VNET) and start ping packets from the private instance towards Internet (e.g 8.8.8.8) to verify the egress function. The ICMP traffic should go through, and get inspected on firewall. + +.. important:: + The Egress Inspection is only applicable to all VNets that deploys non public facing applications. If you have any Spoke VNet that has public facing web services, you should not enable Egress Inspection. This is because Egress Inspection inserts a default route (0.0.0.0/0) towards Transit GW to send the Internet traffic towards firewall to get inspected. Azure's System Default Route pointing towards Internet will be overwritten by User-defined default route inserted by the Controller. + +|cp_view_traffic_log_vpc_to_internet| + + +.. |cp_arch_reference| image:: config_Checkpoint_media/cp_arch_reference.png + :scale: 40% +.. 
|avx-firewall-step7a_UI| image:: config_Checkpoint_media/avx-firewall-step7a_UI.png + :scale: 35% +.. |cp_firewall_interfaces| image:: config_Checkpoint_media/cp_firewall_interfaces.png + :scale: 35% +.. |cp_firewall_static_routes| image:: config_Checkpoint_media/cp_firewall_static_routes.png + :scale: 35% +.. |cp_firewall_routes_monitoring| image:: config_Checkpoint_media/cp_firewall_routes_monitoring.png + :scale: 35% +.. |cp_firewall_vendor_integration| image:: config_Checkpoint_media/cp_firewall_vendor_integration.png + :scale: 40% +.. |cp_security_manager| image:: config_Checkpoint_media/cp_security_manager.png + :scale: 35% +.. |smart_console_login| image:: config_Checkpoint_media/smart_console_login.png + :scale: 40% +.. |smartconsole_add_gateway| image:: config_Checkpoint_media/smartconsole_add_gateway.png + :scale: 35% +.. |cp_gw_creation_wizard| image:: config_Checkpoint_media/cp_gw_creation_wizard.png + :scale: 50% +.. |gw_general_properties| image:: config_Checkpoint_media/gw_general_properties.png + :scale: 40% +.. |trusted_communication| image:: config_Checkpoint_media/trusted_communication.png + :scale: 40% +.. |get_topology| image:: config_Checkpoint_media/get_topology.png + :scale: 40% +.. |cp_wizard_summary| image:: config_Checkpoint_media/cp_wizard_summary.png + :scale: 40% +.. |cp_gw_summary| image:: config_Checkpoint_media/cp_gw_summary.png + :scale: 40% +.. |cp_gw_added| image:: config_Checkpoint_media/cp_gw_added.png + :scale: 40% +.. |basic_allowall_policy| image:: config_Checkpoint_media/basic_allowall_policy.png + :scale: 35% +.. |install_allowall_policy| image:: config_Checkpoint_media/install_allowall_policy.png + :scale: 30% +.. |policy_installed| image:: config_Checkpoint_media/policy_installed.png + :scale: 35% +.. |cp_egress_inspection| image:: config_Checkpoint_media/cp_egress_inspection.png + :scale: 30% +.. 
|cp_policy_vpc_to_internet_nat_enabled| image:: config_Checkpoint_media/cp_policy_vpc_to_internet_nat_enabled.png + :scale: 30% +.. |cp_policy_vpc_to_internet| image:: config_Checkpoint_media/cp_policy_vpc_to_internet.png + :scale: 30% +.. |cp_view_traffic_log_vpc_to_vpc| image:: config_Checkpoint_media/cp_view_traffic_log_vpc_to_vpc.png + :scale: 35% +.. |cp_view_traffic_log_vpc_to_internet| image:: config_Checkpoint_media/cp_view_traffic_log_vpc_to_internet.png + :scale: 30% +.. disqus:: diff --git a/HowTos/config_CheckPointVM.rst b/HowTos/config_CheckPointVM.rst new file mode 100644 index 000000000..d2688c49c --- /dev/null +++ b/HowTos/config_CheckPointVM.rst 
@@ -0,0 +1,397 @@ +.. meta:: + :description: Firewall Network + :keywords: AWS Transit Gateway, AWS TGW, TGW orchestrator, Aviatrix Transit network, Transit DMZ, Egress, Firewall + + +========================================================= +Example Config for Check Point VM in AWS +========================================================= + +In this document, we provide an example to set up the Check Point Security Gateway instance for you to validate that packets are indeed sent to the Check Point Security Gateway for VPC to VPC and from VPC to internet traffic inspection. + +.. note:: + Firewall and Security Gateway word will be used interchangeably in this document. Both refers to Check Point Security Gateway product. + +Prerequisites +---------------- + +Before you start, make sure you meet the basic requirement: + + - Basic Check Point Architecture Understanding + - Check Point CloudGuard IaaS product is subscribed in AWS Marketplace + + +The following CheckPoint AMIs and software versions are supported. + +========================================================================== ========== +**Supported AMI Name** **Software Version** +========================================================================== ========== +CloudGuard IaaS Next-Gen Firewall with Threat Prevention & SandBlast BYOL R80.40, R80.30 +CloudGuard IaaS Next-Gen Firewall with Thread Prevention R80.40, R80.30 +CloudGuard IaaS All-In-One R80.40 R80.40 +========================================================================== ========== + +Basic Check Point architecture is shown below: + +|cp_arch_reference| + +In this document, we provide an example to set up the CheckPoint Firewall instance for you to validate that packets are indeed sent to the CheckPoint Firewall for VPC to VPC and from VPC to internet traffic inspection. + +The Aviatrix Firewall Network (FireNet) workflow launches a CheckPoint Firewall instance at `Step 7a `_. 
+ +After the launch is complete, the console displays the CheckPoint Firewall instance with its public IP address of management/egress interface for you to login to the console. + +Here is the Firewall information in this example for your reference. Please adjust it depending on your requirements. + +.. note:: + Firewall Image other then CheckPoint CloudGuard IaaS All-In-One requires a Check Point Security Management to manage firewall polices. See CheckPoint Azure Example for more information. + + +========================================== ========== +**Example setting** **Example value** +========================================== ========== +Firewall Image Check Point CloudGuard IaaS All-In-One R80.40 +Firewall Image Version R80.40-294.581 +Firewall Instance Size m5.large +Egress Interface Subnet Select the subnet whose name contains "FW-ingress-egress". +Key Pair Name (Optional) The .pem file name for SSH access to the firewall instance. +Attach Check +========================================== ========== + +.. note:: + + CheckPoint Firewall instance has 2 interfaces as described below. Additionally, firewall instance eth1 is on the same subnet as FireNet gateway eth2 interface. + +======================================================== =============================== ================================ +**CheckPoint VM instance interfaces** **Description** **Inbound Security Group Rule** +======================================================== =============================== ================================ +eth0 (on subnet -Public-FW-ingress-egress-AZ-a) Egress or Untrusted interface Allow ALL +eth1 (on subnet -dmz-firewall) LAN or Trusted interface Allow ALL (Do not change) +======================================================== =============================== ================================ + +Below are the steps for initial setup. + +1. 
Download CheckPoint Firewall Access Key +---------------------------------------------- + +After `Step 7a `_ is completed, you'll see the Download button as shown below. Click the button to download the .pem file. + +If you get a download error, usually it means the CheckPoint Firewall instance is not ready. Wait until it is ready, refresh the browser and then try again. + +|v2_avx_pem_file_download| + +2. Setup CheckPoint Gateway (Firewall) SSH login using Password +--------------------------------------------------------------------------- + +For Metered AMI, open a terminal and run the following command. + +.. tip :: + + Once you download the .pem file, change the file permission to 600. It usually takes 5 to 10 minutes for the Check Point Gateway to be ready. Once SSH into the Check Point Gateway using the proper keys and the user “admin”, only few commands will be required to enable ssh for user "admin". + +:: + + ssh -i admin@ + set expert-password + Enter new expert password: + Enter new expert password (again): + gw-358e82> expert + Enter expert password: + + + Warning! All configurations should be done through clish + You are in expert mode now. + + [Expert@gw-358e82:0]# sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config + [Expert@gw-358e82:0]# sed -i 's/PermitRootLogin forced-commands-only/PermitRootLogin yes/' /etc/ssh/sshd_config + [Expert@gw-358e82:0]# service sshd reload + Reloading sshd: [ OK ] + [Expert@gw-358e82:0]# exit + +Terminate the SSH session. + +3. Login to CheckPoint Firewall Gaia Portal +---------------------------------------------- + +After launch is completed, go back to the Controller, Firewall Network -> Setup -> `Step 7a `_ and Click on the `Management UI` as shown below. + +|v2_avx_management_UI| + +The URL takes you to the CheckPoint Firewall Gaia Portal you just launched. + +|v2_cp_login_UI| + +.. 
note:: + + + For initial Checkpoint login information, go to `Credentials for Checkpoint Initial Login `_. You must be registered to access the Aviatrix Customer Support website. If you are not already registered, you can sign-up at https://support.aviatrix.com. + + +Starting from Release 5.4, launching CheckPoint firewall instances from the Aviatrix Controller automatically initiates its onboarding process. For initial login information, go to `Credentials for Checkpoint Initial Login `_. You must be registered to access the Aviatrix Customer Support website. If you are not already registered, you can sign-up at https://support.aviatrix.com. + + +4. Initialize and Login CheckPoint Firewall via Gaia Portal +------------------------------------------------------------- + +First time login shows the **"Check Point First Time Configuration Wizard"** screen as shown below. + +|v2_CheckPoint_Gaia_Portal_Wizard_01| + +Click **"Next"**, **"Next"** and continue until the **"Finish"** button, no need to configure anything in the configuration wizard. + +|v2_CheckPoint_Gaia_Portal_Wizard_02| + +|v2_CheckPoint_Gaia_Portal_Wizard_12| + +.. important:: + Aviatrix Controller automatically configures the Checkpoint interfaces and RFC1918 static routes which is required for FireNet feature, so, initialize wizard configurations are no longer required but we need to click Next on each window to initialize the firewall properly. + +After the initialization is completed, users will be navigated to the CheckPoint Firewall Gaia Portal Overview page as below. + +|v2_CheckPoint_Gaia_Portal_Overview| + +Go to the page “Network Management -> Network Interfaces” to review eth0 (WAN) and eth1 (LAN) configuration as shown below. + +|cp_firewall_interfaces_aws| + +Review static routes RFC 1918 which is configured on LAN port, the purpose of those static route is to send the packets back to the Gateway (GW). 
+ +Those static routes could be reviewed on the page “Network Management -> IPv4 Static Routes” + +|cp_firewall_static_routes_aws| + +Routes can also be reviewed by clicking the button “Monitoring” on the page “Network Management -> IPv4 Static Routes” + +|cp_firewall_routes_monitoring_aws| + +5. (Optional) Firewall Vendor Integration +------------------------------------------- + +Go to Aviatrix Controller –> Firewall Network –> Vendor Integration and complete the step as shown below: + +|v2_vendor_integration_AWS| + +Click **Save**, **Show** and **Sync** respectively. + +This automatically set up the non-RFC 1918 routes between Aviatrix Gateway and Vendor’s firewall instance in this case CheckPoint. This can also be done manually through Cloud Portal and/or Vendor’s Management tool. + + +6. Download and Install the SmartConsole +------------------------------------------------- + +.. important:: + Check Point Single Gateway 'All-In-One' image is used in this example which do not require Check Point Security Manager. All other Gateway images require Check Point Security Manager. If you are not using 'All-In-One' image then skip this step and follow the `Step 4 & Step 5 `_ in a given link. + + +6.1 Download Check Point SmartConsole +**************************************** + +Login to the Check Point Gateway and download the SmartConsole with version R80.40 on Windows-based computer + + Option 1: click on the button "Download Now!" with message "Manage Software Blades using SmartConsole" on the Overview page as below. + +|v2_CheckPoint_Gaia_Portal_SmartConsole_DL| + + Option 2: download it by using this link `R80.40 `_ + + +6.2 Install and Login SmartConsole +**************************************** + +Install the SmartConsole and login into it with the Gaia Portal username, password and IP Address of Check Point Gateway. 
+ +|smart_console_login_aws| + +|smartconsole_gateway_login_aws| + +Moreover, execute the function "Get Interfaces With Topology" to sync up the settings that we have configured via Gaia Portal. + +- Click on the link "GATEWAYS&SERVERS" on the left side +- Double click on the CheckPoint Firewall +- Click on the link "Network Management" on left side +- Click on the button "Get Interfaces.." to expand options +- Click on the button "Get Interfaces With Topology" +- Click on the button "Yes" +- Review the "Get Topology Results" which should match to the settings that we have configured via Gaia Portal +- Click on the button "Accept" + +|v2_CheckPoint_SmartConsole_syncup_01| + +|v2_CheckPoint_SmartConsole_syncup_02| + +Go to the page "SECURITY POLICIES -> Access Control -> Policy" and click on the button "Install Policy" and then "Install" to commit the settings. + +|install_policy_aws| + +7. Configure basic traffic policy to allow traffic VPC to VPC +------------------------------------------------------------------ + +In this step, we will configure a basic traffic security policy that allows traffic to pass through the firewall. + +From the page "SECURITY POLICIES -> Access Control -> Policy", configure a policy by either modifying the default "Cleanup rule" or Add a new rule above the default rule. + +======================= =============================================== +**Field** **Value** +======================= =============================================== +Name Configure any name for this policy (i.e. allow-all) +Source Any +Destination Any +VPN Any +Service & Applications Any +Action Accept +Track Log +======================= =============================================== + +|v2_CheckPoint_policy_vpc_to_vpc| + +Click on the button "Install Policy" and then "Install" to commit the settings. + +|v2_CheckPoint_policy_vpc_to_vpc_install| + +8. 
[Optional] Configure basic traffic policy to allow traffic VPC to Internet +---------------------------------------------------------------------------------- + +In this step, we will configure a basic traffic security policy that allows internet traffic to pass through the firewall. Given that Aviatrix gateways will only forward traffic from the TGW to the LAN port of the Firewall, we can simply set our policy condition to match any packet that is going in of LAN interface and going out of WAN interface. + +.. important:: + Enable `Egress inspection `_ feature on FireNet + +First of all, go back to the Aviatrix Controller Console. Navigate to the page "Firewall Network -> Advanced". Click the skewer/three dot button. Scroll down to “Egress through Firewall” and click "Enable" button. Verify the Egress status on the page "Firewall Network -> Advanced". + +|cp_egress_inspection_aws| + +Secondly, go back to the CheckPoint Firewall SmartConsole. Navigate to the page "GATEWAYS&SERVERS" and then double-click on the gateway itself to enable NAT function as the following screenshot. + +- Click on the button "NAT" +- Enable the checkbox "Hide internal networks behind the Gateway's external IP" +- Click the button "OK" +- Click the button "Install Policy" + +|v2_CheckPoint_policy_vpc_to_internet_nat_enabled| + +.. important:: + + NAT function needs to be enabled on the CheckPoint FW interface eth0 for this VPC to Internet policy. Please refer to `Check Point's NAT instruction `_ for detail. + +**[Optional]** If you have default "Cleanup rule", then navigate to the page "SECURITY POLICIES -> Access Control -> Policy" and inject a new rule for Internet Policy on top of the default "Cleanup rule". + +======================= =============================================== +**Field** **Value** +======================= =============================================== +Name Configure any name for this policy (i.e. 
Internet-Policy) +Source Any +Destination Select the object with All_internet +VPN Any +Service & Applications Any +Action Accept +Track Log +======================= =============================================== + +Click on the button "Install Policy" and then "Install" to commit the settings. + +|cp_policy_vpc_to_internet_aws| + +After validating that your traffic is being routed through your firewall instances, you can customize the security policy to tailor to your requirements. + +9. Ready to go! +---------------- + +Now your firewall instance is configured and ready to receive packets! + +Next step is to validate your configurations and polices using FlightPath and Diagnostic Tools (ping, traceroute etc.). + +10. View Traffic Log +---------------------- + +You can view if traffic is forwarded to the firewall instance by logging in to the CheckPoint Firewall SmartConsole. Go to the page "LOGS & MONITOR". + +For VPC to VPC traffic: +*********************** + +Launch one instance in PROD Spoke VPC and DEV Spoke VPC. Start ping packets from a instance in DEV Spoke VPC to the private IP of another instance in PROD Spoke VPC. The ICMP traffic should go through the firewall and be inspected in firewall. + +|v2_CheckPoint_view_traffic_log_vpc_to_vpc| + +[Optional] For VPC to Internet traffic: +*************************************** + +Launch a private instance in the Spoke VPC (i.e. PROD Spoke VPC) and start ping packets from the private instance towards Internet (e.g 8.8.8.8) to verify the egress function. The ICMP traffic should go through, and get inspected on firewall. + +|v2_CheckPoint_view_traffic_log_vpc_to_internet| + + +.. |cp_arch_reference| image:: config_Checkpoint_media/cp_arch_reference.png + :scale: 35% +.. |cp_policy_vpc_to_internet_aws| image:: config_Checkpoint_media/cp_policy_vpc_to_internet_aws.png + :scale: 30% +.. |cp_egress_inspection_aws| image:: config_Checkpoint_media/cp_egress_inspection_aws.png + :scale: 40% +.. 
|policy_installed_aws| image:: config_Checkpoint_media/policy_installed_aws.png + :scale: 40% +.. |smartconsole_gateway_login_aws| image:: config_Checkpoint_media/smartconsole_gateway_login_aws.png + :scale: 30% +.. |install_policy_aws| image:: config_Checkpoint_media/install_policy_aws.png + :scale: 30% +.. |smart_console_login_aws| image:: config_Checkpoint_media/smart_console_login_aws.png + :scale: 40% +.. |v2_avx_pem_file_download| image:: config_Checkpoint_media/v2_avx_pem_file_download.png + :scale: 20% +.. |v2_vendor_integration_AWS| image:: config_Checkpoint_media/v2_vendor_integration_AWS.png + :scale: 30% +.. |v2_pem_file_download| image:: config_Checkpoint_media/v2_pem_file_download.png + :scale: 40% +.. |v2_avx_management_UI| image:: config_Checkpoint_media/v2_avx_management_UI.png + :scale: 30% +.. |v2_cp_login_UI| image:: config_Checkpoint_media/v2_cp_login_UI.png + :scale: 40% +.. |v2_CheckPoint_change_password| image:: config_Checkpoint_media/v2_CheckPoint_change_password.png + :scale: 60% +.. |v2_CheckPoint_Gaia_Portal_Wizard_01| image:: config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_01.png + :scale: 40% +.. |v2_CheckPoint_Gaia_Portal_Wizard_02| image:: config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_02.png + :scale: 40% +.. |cp_firewall_interfaces_aws| image:: config_Checkpoint_media/cp_firewall_interfaces_aws.png + :scale: 40% +.. |cp_firewall_static_routes_aws| image:: config_Checkpoint_media/cp_firewall_static_routes_aws.png + :scale: 40% +.. |cp_firewall_routes_monitoring_aws| image:: config_Checkpoint_media/cp_firewall_routes_monitoring_aws.png + :scale: 40% +.. |v2_CheckPoint_Gaia_Portal_Wizard_12| image:: config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_12.png + :scale: 40% +.. |v2_CheckPoint_Gaia_Portal_Overview| image:: config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Overview.png + :scale: 40% +.. 
|v2_CheckPoint_Gaia_Portal_Configuration_eth0_WAN| image:: config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Configuration_eth0_WAN.png + :scale: 40% +.. |v2_CheckPoint_Gaia_Portal_Configuration_eth1_LAN| image:: config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Configuration_eth1_LAN.png + :scale: 40% +.. |v2_CheckPoint_static_routes_01| image:: config_Checkpoint_media/v2_CheckPoint_static_routes_01.png + :scale: 40% +.. |v2_CheckPoint_static_routes_02| image:: config_Checkpoint_media/v2_CheckPoint_static_routes_02.png + :scale: 40% +.. |v2_CheckPoint_static_routes_review_01| image:: config_Checkpoint_media/v2_CheckPoint_static_routes_review_01.png + :scale: 40% +.. |v2_CheckPoint_static_routes_review_02| image:: config_Checkpoint_media/v2_CheckPoint_static_routes_review_02.png + :scale: 40% +.. |v2_CheckPoint_Gaia_Portal_SmartConsole_DL| image:: config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_SmartConsole_DL.png + :scale: 40% +.. |v2_CheckPoint_Gaia_Portal_SmartConsole_install| image:: config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_SmartConsole_install.png + :scale: 40% +.. |v2_CheckPoint_SmartConsole_syncup_01| image:: config_Checkpoint_media/v2_CheckPoint_SmartConsole_syncup_01.png + :scale: 40% +.. |v2_CheckPoint_SmartConsole_syncup_02| image:: config_Checkpoint_media/v2_CheckPoint_SmartConsole_syncup_02.png + :scale: 30% +.. |v2_CheckPoint_policy_vpc_to_vpc| image:: config_Checkpoint_media/v2_CheckPoint_policy_vpc_to_vpc.png + :scale: 20% +.. |v2_CheckPoint_policy_vpc_to_vpc_install| image:: config_Checkpoint_media/v2_CheckPoint_policy_vpc_to_vpc_install.png + :scale: 20% +.. |v2_avx_egress_inspection| image:: config_FortiGate_media/v2_avx_egress_inspection.png + :scale: 20% +.. |v2_CheckPoint_policy_vpc_to_internet_nat_enabled| image:: config_Checkpoint_media/v2_CheckPoint_policy_vpc_to_internet_nat_enabled.png + :scale: 30% +.. 
|v2_CheckPoint_policy_vpc_to_internet| image:: config_Checkpoint_media/v2_CheckPoint_policy_vpc_to_internet.png + :scale: 20% +.. |v2_CheckPoint_view_traffic_log_vpc_to_vpc| image:: config_Checkpoint_media/v2_CheckPoint_view_traffic_log_vpc_to_vpc.png + :scale: 30% +.. |v2_CheckPoint_view_traffic_log_vpc_to_internet| image:: config_Checkpoint_media/v2_CheckPoint_view_traffic_log_vpc_to_internet.png + :scale: 30% +.. disqus:: diff --git a/HowTos/config_Checkpoint_media/avx-firewall-step7a_UI.png b/HowTos/config_Checkpoint_media/avx-firewall-step7a_UI.png new file mode 100644 index 000000000..9c8031ef2 Binary files /dev/null and b/HowTos/config_Checkpoint_media/avx-firewall-step7a_UI.png differ diff --git a/HowTos/config_Checkpoint_media/avx_firewall_step7a_UI_a.png b/HowTos/config_Checkpoint_media/avx_firewall_step7a_UI_a.png new file mode 100644 index 000000000..e763f1e5f Binary files /dev/null and b/HowTos/config_Checkpoint_media/avx_firewall_step7a_UI_a.png differ diff --git a/HowTos/config_Checkpoint_media/basic_allowall_policy.png b/HowTos/config_Checkpoint_media/basic_allowall_policy.png new file mode 100644 index 000000000..96f323d93 Binary files /dev/null and b/HowTos/config_Checkpoint_media/basic_allowall_policy.png differ diff --git a/HowTos/config_Checkpoint_media/cp_arch_reference.png b/HowTos/config_Checkpoint_media/cp_arch_reference.png new file mode 100644 index 000000000..9acaaf3ef Binary files /dev/null and b/HowTos/config_Checkpoint_media/cp_arch_reference.png differ diff --git a/HowTos/config_Checkpoint_media/cp_egress_inspection.png b/HowTos/config_Checkpoint_media/cp_egress_inspection.png new file mode 100644 index 000000000..229734b13 Binary files /dev/null and b/HowTos/config_Checkpoint_media/cp_egress_inspection.png differ 
diff --git a/HowTos/config_Checkpoint_media/cp_egress_inspection_aws.png b/HowTos/config_Checkpoint_media/cp_egress_inspection_aws.png new file mode 100644 index 000000000..042b71cda Binary files /dev/null and b/HowTos/config_Checkpoint_media/cp_egress_inspection_aws.png differ diff --git a/HowTos/config_Checkpoint_media/cp_firewall_interfaces.png b/HowTos/config_Checkpoint_media/cp_firewall_interfaces.png new file mode 100644 index 000000000..3a57d0639 Binary files /dev/null and b/HowTos/config_Checkpoint_media/cp_firewall_interfaces.png differ diff --git a/HowTos/config_Checkpoint_media/cp_firewall_interfaces_aws.png b/HowTos/config_Checkpoint_media/cp_firewall_interfaces_aws.png new file mode 100644 index 000000000..961b63a6c Binary files /dev/null and b/HowTos/config_Checkpoint_media/cp_firewall_interfaces_aws.png differ diff --git a/HowTos/config_Checkpoint_media/cp_firewall_routes_monitoring.png b/HowTos/config_Checkpoint_media/cp_firewall_routes_monitoring.png new file mode 100644 index 000000000..9122b6ac7 Binary files /dev/null and b/HowTos/config_Checkpoint_media/cp_firewall_routes_monitoring.png differ diff --git a/HowTos/config_Checkpoint_media/cp_firewall_routes_monitoring_aws.png b/HowTos/config_Checkpoint_media/cp_firewall_routes_monitoring_aws.png new file mode 100644 index 000000000..983763ecd Binary files /dev/null and b/HowTos/config_Checkpoint_media/cp_firewall_routes_monitoring_aws.png differ diff --git a/HowTos/config_Checkpoint_media/cp_firewall_static_routes.png b/HowTos/config_Checkpoint_media/cp_firewall_static_routes.png new file mode 100644 index 000000000..79c3f5d27 Binary files /dev/null and b/HowTos/config_Checkpoint_media/cp_firewall_static_routes.png differ 
diff --git a/HowTos/config_Checkpoint_media/cp_firewall_static_routes_aws.png b/HowTos/config_Checkpoint_media/cp_firewall_static_routes_aws.png new file mode 100644 index 000000000..96007abc1 Binary files /dev/null and b/HowTos/config_Checkpoint_media/cp_firewall_static_routes_aws.png differ diff --git a/HowTos/config_Checkpoint_media/cp_firewall_vendor_integration.png b/HowTos/config_Checkpoint_media/cp_firewall_vendor_integration.png new file mode 100644 index 000000000..87e6df89e Binary files /dev/null and b/HowTos/config_Checkpoint_media/cp_firewall_vendor_integration.png differ diff --git a/HowTos/config_Checkpoint_media/cp_gw_added.png b/HowTos/config_Checkpoint_media/cp_gw_added.png new file mode 100644 index 000000000..48a148f24 Binary files /dev/null and b/HowTos/config_Checkpoint_media/cp_gw_added.png differ diff --git a/HowTos/config_Checkpoint_media/cp_gw_creation_wizard.png b/HowTos/config_Checkpoint_media/cp_gw_creation_wizard.png new file mode 100644 index 000000000..ae29d599f Binary files /dev/null and b/HowTos/config_Checkpoint_media/cp_gw_creation_wizard.png differ diff --git a/HowTos/config_Checkpoint_media/cp_gw_summary.png b/HowTos/config_Checkpoint_media/cp_gw_summary.png new file mode 100644 index 000000000..ca134ea0b Binary files /dev/null and b/HowTos/config_Checkpoint_media/cp_gw_summary.png differ diff --git a/HowTos/config_Checkpoint_media/cp_policy_vpc_to_internet.png b/HowTos/config_Checkpoint_media/cp_policy_vpc_to_internet.png new file mode 100644 index 000000000..c6afbb7ea Binary files /dev/null and b/HowTos/config_Checkpoint_media/cp_policy_vpc_to_internet.png differ diff --git a/HowTos/config_Checkpoint_media/cp_policy_vpc_to_internet_aws.png b/HowTos/config_Checkpoint_media/cp_policy_vpc_to_internet_aws.png new file mode 100644 index 000000000..da1bbc36a Binary files /dev/null and b/HowTos/config_Checkpoint_media/cp_policy_vpc_to_internet_aws.png differ 
diff --git a/HowTos/config_Checkpoint_media/cp_policy_vpc_to_internet_nat_enabled.png b/HowTos/config_Checkpoint_media/cp_policy_vpc_to_internet_nat_enabled.png new file mode 100644 index 000000000..c6bd05c10 Binary files /dev/null and b/HowTos/config_Checkpoint_media/cp_policy_vpc_to_internet_nat_enabled.png differ diff --git a/HowTos/config_Checkpoint_media/cp_security_manager.png b/HowTos/config_Checkpoint_media/cp_security_manager.png new file mode 100644 index 000000000..c62a472a6 Binary files /dev/null and b/HowTos/config_Checkpoint_media/cp_security_manager.png differ diff --git a/HowTos/config_Checkpoint_media/cp_view_traffic_log_vpc_to_internet.png b/HowTos/config_Checkpoint_media/cp_view_traffic_log_vpc_to_internet.png new file mode 100644 index 000000000..ad35d4540 Binary files /dev/null and b/HowTos/config_Checkpoint_media/cp_view_traffic_log_vpc_to_internet.png differ diff --git a/HowTos/config_Checkpoint_media/cp_view_traffic_log_vpc_to_vpc.png b/HowTos/config_Checkpoint_media/cp_view_traffic_log_vpc_to_vpc.png new file mode 100644 index 000000000..ed3989fc4 Binary files /dev/null and b/HowTos/config_Checkpoint_media/cp_view_traffic_log_vpc_to_vpc.png differ diff --git a/HowTos/config_Checkpoint_media/cp_wizard_summary.png b/HowTos/config_Checkpoint_media/cp_wizard_summary.png new file mode 100644 index 000000000..8623ad5cb Binary files /dev/null and b/HowTos/config_Checkpoint_media/cp_wizard_summary.png differ diff --git a/HowTos/config_Checkpoint_media/get_topology.png b/HowTos/config_Checkpoint_media/get_topology.png new file mode 100644 index 000000000..3cc9c3f2d Binary files /dev/null and b/HowTos/config_Checkpoint_media/get_topology.png differ diff --git a/HowTos/config_Checkpoint_media/gw_general_properties.png b/HowTos/config_Checkpoint_media/gw_general_properties.png new file mode 100644 index 000000000..2399e8bec Binary files /dev/null and b/HowTos/config_Checkpoint_media/gw_general_properties.png differ 
diff --git a/HowTos/config_Checkpoint_media/install_allowall_policy.png b/HowTos/config_Checkpoint_media/install_allowall_policy.png new file mode 100644 index 000000000..cd741a33f Binary files /dev/null and b/HowTos/config_Checkpoint_media/install_allowall_policy.png differ diff --git a/HowTos/config_Checkpoint_media/install_policy_aws.png b/HowTos/config_Checkpoint_media/install_policy_aws.png new file mode 100644 index 000000000..e3d9f9ae8 Binary files /dev/null and b/HowTos/config_Checkpoint_media/install_policy_aws.png differ diff --git a/HowTos/config_Checkpoint_media/policy_installed.png b/HowTos/config_Checkpoint_media/policy_installed.png new file mode 100644 index 000000000..93fafb163 Binary files /dev/null and b/HowTos/config_Checkpoint_media/policy_installed.png differ diff --git a/HowTos/config_Checkpoint_media/policy_installed_aws.png b/HowTos/config_Checkpoint_media/policy_installed_aws.png new file mode 100644 index 000000000..80e039694 Binary files /dev/null and b/HowTos/config_Checkpoint_media/policy_installed_aws.png differ diff --git a/HowTos/config_Checkpoint_media/smart_console_login.png b/HowTos/config_Checkpoint_media/smart_console_login.png new file mode 100644 index 000000000..213a8d4a4 Binary files /dev/null and b/HowTos/config_Checkpoint_media/smart_console_login.png differ diff --git a/HowTos/config_Checkpoint_media/smart_console_login_aws.png b/HowTos/config_Checkpoint_media/smart_console_login_aws.png new file mode 100644 index 000000000..89a4b6b28 Binary files /dev/null and b/HowTos/config_Checkpoint_media/smart_console_login_aws.png differ diff --git a/HowTos/config_Checkpoint_media/smartconsole_add_gateway.png b/HowTos/config_Checkpoint_media/smartconsole_add_gateway.png new file mode 100644 index 000000000..b277b8dca Binary files /dev/null and b/HowTos/config_Checkpoint_media/smartconsole_add_gateway.png differ 
diff --git a/HowTos/config_Checkpoint_media/smartconsole_gateway_login_aws.png b/HowTos/config_Checkpoint_media/smartconsole_gateway_login_aws.png new file mode 100644 index 000000000..b0996b610 Binary files /dev/null and b/HowTos/config_Checkpoint_media/smartconsole_gateway_login_aws.png differ diff --git a/HowTos/config_Checkpoint_media/trusted_communication.png b/HowTos/config_Checkpoint_media/trusted_communication.png new file mode 100644 index 000000000..37e58adaa Binary files /dev/null and b/HowTos/config_Checkpoint_media/trusted_communication.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Configuration_eth0_WAN.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Configuration_eth0_WAN.png new file mode 100644 index 000000000..c19fe2fa7 Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Configuration_eth0_WAN.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Configuration_eth1_LAN.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Configuration_eth1_LAN.png new file mode 100644 index 000000000..3a64dcf32 Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Configuration_eth1_LAN.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Configuration_review.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Configuration_review.png new file mode 100644 index 000000000..66fc4a684 Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Configuration_review.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Overview.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Overview.png new file mode 100644 index 000000000..f781ef67a Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Overview.png differ 
diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_SmartConsole_DL.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_SmartConsole_DL.png new file mode 100644 index 000000000..4e9e39f4e Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_SmartConsole_DL.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_SmartConsole_install.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_SmartConsole_install.png new file mode 100644 index 000000000..d585682a2 Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_SmartConsole_install.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_01.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_01.png new file mode 100644 index 000000000..6dd42f37a Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_01.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_02.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_02.png new file mode 100644 index 000000000..cfb0223df Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_02.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_03_eth0.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_03_eth0.png new file mode 100644 index 000000000..9f5803498 Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_03_eth0.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_04_eth1.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_04_eth1.png new file mode 100644 index 000000000..d037de194 Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_04_eth1.png differ 
diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_05.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_05.png new file mode 100644 index 000000000..7dcc1ba3b Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_05.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_06.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_06.png new file mode 100644 index 000000000..a03082e02 Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_06.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_07.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_07.png new file mode 100644 index 000000000..fbe14a4e1 Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_07.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_08.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_08.png new file mode 100644 index 000000000..2def67363 Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_08.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_09.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_09.png new file mode 100644 index 000000000..721643c32 Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_09.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_10.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_10.png new file mode 100644 index 000000000..bdfa028ed Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_10.png differ 
diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_11.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_11.png new file mode 100644 index 000000000..69ef7672c Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_11.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_12.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_12.png new file mode 100644 index 000000000..2da5509f2 Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_Gaia_Portal_Wizard_12.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_SmartConsole_syncup_01.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_SmartConsole_syncup_01.png new file mode 100644 index 000000000..a3c263e8b Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_SmartConsole_syncup_01.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_SmartConsole_syncup_02.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_SmartConsole_syncup_02.png new file mode 100644 index 000000000..4b7bc94d5 Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_SmartConsole_syncup_02.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_change_password.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_change_password.png new file mode 100644 index 000000000..e95635276 Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_change_password.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_policy_vpc_to_internet.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_policy_vpc_to_internet.png new file mode 100644 index 000000000..fe1873555 Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_policy_vpc_to_internet.png differ 
diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_policy_vpc_to_internet_nat_enabled.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_policy_vpc_to_internet_nat_enabled.png new file mode 100644 index 000000000..51286f6d0 Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_policy_vpc_to_internet_nat_enabled.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_policy_vpc_to_vpc.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_policy_vpc_to_vpc.png new file mode 100644 index 000000000..0c935bed0 Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_policy_vpc_to_vpc.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_policy_vpc_to_vpc_install.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_policy_vpc_to_vpc_install.png new file mode 100644 index 000000000..b8124244a Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_policy_vpc_to_vpc_install.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_static_routes_01.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_static_routes_01.png new file mode 100644 index 000000000..ba4ad4e2e Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_static_routes_01.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_static_routes_02.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_static_routes_02.png new file mode 100644 index 000000000..7dde93cdf Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_static_routes_02.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_static_routes_review_01.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_static_routes_review_01.png new file mode 100644 index 000000000..6197804c4 Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_static_routes_review_01.png differ 
diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_static_routes_review_02.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_static_routes_review_02.png new file mode 100644 index 000000000..01b62e213 Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_static_routes_review_02.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_view_traffic_log_vpc_to_internet.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_view_traffic_log_vpc_to_internet.png new file mode 100644 index 000000000..d10eb131b Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_view_traffic_log_vpc_to_internet.png differ diff --git a/HowTos/config_Checkpoint_media/v2_CheckPoint_view_traffic_log_vpc_to_vpc.png b/HowTos/config_Checkpoint_media/v2_CheckPoint_view_traffic_log_vpc_to_vpc.png new file mode 100644 index 000000000..42bd06094 Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_CheckPoint_view_traffic_log_vpc_to_vpc.png differ diff --git a/HowTos/config_Checkpoint_media/v2_avx_management_UI.png b/HowTos/config_Checkpoint_media/v2_avx_management_UI.png new file mode 100644 index 000000000..727a8bb9b Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_avx_management_UI.png differ diff --git a/HowTos/config_Checkpoint_media/v2_avx_pem_file_download.png b/HowTos/config_Checkpoint_media/v2_avx_pem_file_download.png new file mode 100644 index 000000000..142308e9a Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_avx_pem_file_download.png differ diff --git a/HowTos/config_Checkpoint_media/v2_cp_login_UI.png b/HowTos/config_Checkpoint_media/v2_cp_login_UI.png new file mode 100644 index 000000000..c21797b11 Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_cp_login_UI.png differ 
diff --git a/HowTos/config_Checkpoint_media/v2_pem_file_download.png b/HowTos/config_Checkpoint_media/v2_pem_file_download.png new file mode 100644 index 000000000..37f789166 Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_pem_file_download.png differ diff --git a/HowTos/config_Checkpoint_media/v2_vendor_integration_AWS.png b/HowTos/config_Checkpoint_media/v2_vendor_integration_AWS.png new file mode 100644 index 000000000..45a2ffd23 Binary files /dev/null and b/HowTos/config_Checkpoint_media/v2_vendor_integration_AWS.png differ diff --git a/HowTos/config_FortiGateAzure.rst b/HowTos/config_FortiGateAzure.rst new file mode 100644 index 000000000..dc7b78c80 --- /dev/null +++ b/HowTos/config_FortiGateAzure.rst 
@@ -0,0 +1,281 @@ +.. meta:: + :description: Firewall Network + :keywords: Azure Transit Gateway, Azure, TGW orchestrator, Aviatrix Transit network, Transit DMZ, Egress, Fortigate + + +========================================================= +Example Config for FortiGate VM in Azure +========================================================= + +In this document, we provide an example to set up the Fortigate Next Generation Firewall instance for you to validate that packets are indeed sent to the Fortigate Next Generation Firewall for VNET to VNET and from VNET to internet traffic inspection. + +The Aviatrix Firewall Network (FireNet) workflow launches a Fortigate Next Generation Firewall instance at `Step 7a `_. + +After the launch is complete, the console displays the Fortigate Next Generation Firewall instance with its public IP address of management/egress interface and allows you to access the FortiGate web page. + +Here is the Firewall information in this example used during launch (Aviatrix Controller's console, Firewall Network -> Setup -> Step 7a) for your reference. Please adjust it depending on your requirements. + +========================================== ========== +**Example setting** **Example value** +========================================== ========== +Firewall Image Fortinet FortiGate Next-Generation Firewall +Firewall Image Version 6.4.1 +Firewall Instance Size Standard_D3_v2 +Egress Interface Subnet Select the subnet whose name contains "FW-ingress-egress". +Username Any username except admin, sys and root +Authentication Method Select Password. Input a good password of your choice +Attach Check +========================================== ========== + +.. note:: + + Fortigate Next Generation Firewall instance has 2 interfaces as described below. Additionally, firewall instance eth1 is on the same subnet as FireNet gateway eth2 interface. 
+ +======================================================== =============================== ================================ +**Fortigate VM instance interfaces** **Description** **Inbound Security Group Rule** +======================================================== =============================== ================================ +eth0 (on subnet -Public-FW-ingress-egress) Egress or Untrusted interface Allow ALL +eth1 (on subnet -dmz-firewall-lan) LAN or Trusted interface Allow ALL (Do not change) +======================================================== =============================== ================================ + + +Below are the steps for initial setup. + +1. Login to Fortigate Next Generation Firewall +------------------------------------------------- + +After `Step 7a `_ is completed, Go back to the Aviatrix Controller Console. + +Go to Firewall Network workflow `Step 7a `_, click on the `Management UI`. It takes you to the Fortigate Next Generation Firewall you just launched as shown below. + +|az_avx_management_UI| + +.. note:: + + Please try to use different browser (e.g. Firefox/Chrome) if the Management UI link is not able to open on your default browser. + +2. Fortigate Next Generation Firewall Initial Setup +--------------------------------------------------------- + +Once logged in with username and password provided during launch, it will ask you to do an initial setup as shown below: + +|fg_first_login_1| + +|fg_first_login_2| + +|fg_first_login_3| + +Go to "Network -> Interfaces" and review the interface configuration before move forward. This interface configuration is done by Aviatrix Controller during the launch. + +|review_fg_interfaces| + +3. Create static routes for routing of traffic VNET to VNET +----------------------------------------------------------------- + +For simplicity, in this example we configure the firewall to send all RFC 1918 packets to LAN port. 
+ +Go to the page "Network -> State Routes" to create a Static Route as the following screenshot. + + - Click on the button "Create New" + - Enter the destination route in the "Destination" box + - In the "Gateway Address" box, you will need to enter the Azure default gateway IP on subnet -dmz-firewall-lan + i.e. subnet CIDR for -dmz-firewall-lan is 10.20.0.80/28, thus the Azure default gateway IP on this subnet is 10.20.0.81 + + .. note:: + dmz-firewall-lan subnet can be found in Aviatrix Controller. Go to Aviatrix Controller's console -> Gateway -> Select Gateway and click Edit -> click More details to check all subnets. + + - Interface will be the LAN (port2) + - Configure an appropriate admin distance if you expect overlapping routes that need to be prioritized + - Enter comments as necessary. + - Repeat the above steps for RFC 1918 routes + +|az_fortigate_static_routes| + +.. important:: + Load Balancer static route 168.63.129.16/32 needs to be added manually pointing to the lan interface (port 2). 168.63.129.16/32 is the health probe source address. + +Those static routes could also be reviewed on the page "Dashboard -> Network -> Routing". + +RFC 1918 routes are highlighted in RED where as load balancer static route is highlighted in GREEN. + +|az_fortigate_static_routes_review| + +(Optional) Firewall Vendor Integration +------------------------------------------------- + +Integrating a FortiGate firewall with the Aviatrix controller enables the controller to make automatic route updates to the FortiGate routing tables. You may also manually enable the integration with your CSP management tools. FortiGate integration is supported in AWS, Azure, and GCP clouds. + +Integrate the FortiGate firewall with the Aviatrix controller. + +- Generate a Firewall API Token from FortiGate. This token is required to integrate the FortiGate firewall with the controller. + + - In the FortiGate GUI, go to System > Admin Profiles > Create New. 
+ + - Enter the information to create the token. You must enable the Read/Write option for the network to router connection. + + - Generate the token. + +- Go to Aviatrix Controller > Firewall Network > Vendor Integration. + +- Enter the vendor firewall information in the controller. + +- Click Save, then Show, then Sync to enable the Aviatrix Controller and FortiGate firewall integration. + +The Aviatrix controller is now enabled to make automatic route updates to the FortiGate routing tables. + +4. Enable Health Check Policy in Firewall +------------------------------------------------ + +Aviatrix Controller uses HTTPS (TCP 443 port) to check the health of firewall every 5 seconds. User needs to enable this port in firewall as per given instruction. + +Please follow the steps to allow HTTPS in FortiGate: + + 1. Login to FortiGate's console using username and password + #. Go to Network -> Interfaces, select **port 2** and click "Edit". + #. Check HTTPS checkbox under Administrative access -> IPv4 and click "OK". + +**Example Fortigate Port 2 Interface** + +|health-check| + +The health check probes can be verified in FortiGate by navigating to Log & Report -> Local Traffic. + +**Example Health-Check Logs in Fortigate** + +|health-probe-logs| + + +5. Configure basic traffic policy to allow traffic VNET to VNET +------------------------------------------------------------------------- + +In this step, we will configure a basic traffic security policy that allows traffic to pass through the firewall. Given that Aviatrix gateways will only forward traffic from the TGW to the LAN port of the Firewall, we can simply set our policy condition to match any packet that is going in/out of LAN interface. + +Go to the page "Policy & Objects -> Firewall Policy -> Create New / Edit" to configure policy as the following screenshot. 
+ +================== =============================================== +**Field** **Value** +================== =============================================== +Name Configure any name for this policy +Incoming Interface LAN (port2) +Outgoing Interface LAN (port2) +Source Click on the + sign and add all +Destination Click on the + sign and add all +Schedule always +Service ALL +Action ACCEPT +NAT Disabled +================== =============================================== + +|az_fortigate_policy_vpc_to_vpc| + +After validating that your traffic is being routed through your firewall instances, you can customize the security policy to tailor to your requirements. + +6. [Optional] Configure basic traffic policy to allow traffic VNET to Internet +---------------------------------------------------------------------------------- + +In this step, we will configure a basic traffic security policy that allows internet traffic to pass through the firewall. Given that Aviatrix gateways will only forward traffic to the LAN port of the Firewall, we simply set our policy condition to match any packet that is going in of LAN interface and going out of WAN interface. + +.. important:: + Enable `Egress inspection `_ feature on FireNet + +First of all, go back to the Aviatrix Controller Console. Navigate to the page "Firewall Network -> Advanced". Click the skewer/three dot button. Scroll down to “Egress through Firewall” and click Enable. Verify the Egress status on the page "Firewall Network -> Advanced". + +|az_avx_egress_inspection| + +Secondly, go back to the Fortigate Next Generation Firewall console and navigate to the page "Policy & Objects -> IPv4 Policy -> Create New / Edit" to configure policy as the following screenshot. 
+ +================== =============================================== +**Field** **Value** +================== =============================================== +Name Configure any name for this policy +Incoming Interface LAN (port2) +Outgoing Interface WAN (port1) +Source Click on the + sign and add all +Destination Click on the + sign and add all +Schedule always +Service ALL +Action ACCEPT +NAT Enable +================== =============================================== + +.. important:: + + NAT function needs to be enabled on this VNET to Internet policy + +|az_fortigate_policy_vpc_to_internet| + +After validating that your traffic is being routed through your firewall instances, you can customize the security policy to tailor to your requirements. + +7. Ready to go! +---------------- + +Now your Security Gateway instance is configured and ready to receive packets! + +Next step is to validate your configurations and polices using FlightPath and Diagnostic Tools (ping, traceroute etc.). + +8. View Traffic Log +---------------------- + +You can view if traffic is forwarded to the firewall instance by logging in to the Fortigate Next Generation Firewall console. Go to the page **Dashboard -> FortiView Sessions or FortiView Destinations**. Traffic can also be viewed from **Logs & Report** + +.. note:: + To view Forward Traffic logs under Logs & Report, go to Policy & Objects -> Firewall Policy -> Select a Policy and click Edit -> Logging Options -> Select All Sessions for Log Allowed Traffic. + +For VNET to VNET traffic: +***************************** + +Launch one instance in PROD Spoke VNET and DEV Spoke VNET. Start ping packets from a instance in DEV Spoke VNET to the private IP of another instance in PROD Spoke VNET. The ICMP traffic should go through the firewall and be inspected in firewall. 
+ +|az_fortigate_view_traffic_log_vpc_to_vpc| + +|az_fortigate_view_traffic_log_vpc_to_vpc_2| + + +[Optional] For VNET to Internet traffic: +*********************************************** + +Launch a private instance in the Spoke VNET (i.e. PROD Spoke VNET) and start ping packets from the private instance towards Internet (e.g 8.8.8.8) to verify the egress function. The ICMP traffic should go through, and get inspected on firewall. + +.. important:: + The Egress Inspection is only applicable to all VNets that deploys non public facing applications. If you have any Spoke VNet that has public facing web services, you should not enable Egress Inspection. This is because Egress Inspection inserts a default route (0.0.0.0/0) towards Transit GW to send the Internet traffic towards firewall to get inspected. Azure's System Default Route pointing towards Internet will be overwritten by User-defined default route inserted by the Controller. + +|az_fortigate_view_traffic_log_vpc_to_internet| + +|az_fortigate_view_traffic_log_vpc_to_internet_2| + + +.. |review_fg_interfaces| image:: config_FortiGate_media/review_fg_interfaces.png + :scale: 35% +.. |az_avx_management_UI| image:: config_FortiGate_media/az_avx_management_UI.png + :scale: 30% +.. |fg_first_login_1| image:: config_FortiGate_media/fg_first_login_1.png + :scale: 40% +.. |fg_first_login_2| image:: config_FortiGate_media/fg_first_login_2.png + :scale: 40% +.. |fg_first_login_3| image:: config_FortiGate_media/fg_first_login_3.png + :scale: 30% +.. |az_fortigate_static_routes| image:: config_FortiGate_media/az_fortigate_static_routes.png + :scale: 35% +.. |az_fortigate_static_routes_review| image:: config_FortiGate_media/az_fortigate_static_routes_review.png + :scale: 35% +.. |az_fortigate_policy_vpc_to_vpc| image:: config_FortiGate_media/az_fortigate_policy_vpc_to_vpc.png + :scale: 30% +.. |az_fortigate_policy_vpc_to_internet| image:: config_FortiGate_media/az_fortigate_policy_vpc_to_internet.png + :scale: 30% +.. 
|az_avx_egress_inspection| image:: config_FortiGate_media/az_avx_egress_inspection.png + :scale: 40% +.. |az_fortigate_view_traffic_log_vpc_to_vpc| image:: config_FortiGate_media/az_fortigate_view_traffic_log_vpc_to_vpc.png + :scale: 30% +.. |az_fortigate_view_traffic_log_vpc_to_vpc_2| image:: config_FortiGate_media/az_fortigate_view_traffic_log_vpc_to_vpc_2.png + :scale: 30% +.. |az_fortigate_view_traffic_log_vpc_to_internet| image:: config_FortiGate_media/az_fortigate_view_traffic_log_vpc_to_internet.png + :scale: 40% +.. |az_fortigate_view_traffic_log_vpc_to_internet_2| image:: config_FortiGate_media/az_fortigate_view_traffic_log_vpc_to_internet_2.png + :scale: 30% +.. |health-check| image:: config_FortiGate_media/health-check.png + :scale: 30% +.. |health-probe-logs| image:: config_FortiGate_media/health-probe-logs.png + :scale: 30% + + +.. disqus:: diff --git a/HowTos/config_FortiGateVM.rst b/HowTos/config_FortiGateVM.rst new file mode 100644 index 000000000..b11994acf --- /dev/null +++ b/HowTos/config_FortiGateVM.rst 
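Review bot: the "(Optional) Firewall Vendor Integration" steps in this file stop at "Enter the information to create the token ... Generate the token." without saying where the token is generated, while the AWS version of the same section in this patch spells it out (System > Administrators > Create New > REST API Admin, choose the Admin Profile, copy the token because it is only displayed once); bring those sub-steps and the shown-only-once warning over here so the Azure reader is not left guessing. Smaller points: step 3 sends the reader to "Network -> State Routes", which should be "Static Routes" (the AWS file has it right); step 6 names the page "Policy & Objects -> IPv4 Policy" while steps 5 and 8 call the same page "Firewall Policy" for 6.4.1, so pick one; the interface table lists "Allow ALL" inbound on eth0, the interface whose public IP carries the management UI, so a sentence next to the table telling the reader to narrow that rule to their management source addresses after the initial setup would be worth adding, and step 4 could say that ticking HTTPS under Administrative access on port2 also exposes the admin GUI on the LAN side, not only the health probe. Grammar: "before move forward" -> "before moving forward", "a instance" -> "an instance", "polices" -> "policies", "where as" -> "whereas", "VNets that deploys" -> "VNets that deploy".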
@@ -0,0 +1,267 @@ +.. meta:: + :description: Firewall Network + :keywords: AWS Transit Gateway, AWS TGW, TGW orchestrator, Aviatrix Transit network, Transit DMZ, Egress, Firewall + + +========================================================= +Example Config for FortiGate VM in AWS +========================================================= + +In this document, we provide an example to set up the Fortigate Next Generation Firewall instance for you to validate that packets are indeed sent to the Fortigate Next Generation Firewall for VPC to VPC and from VPC to internet traffic inspection. + +The Aviatrix Firewall Network (FireNet) workflow launches a Fortigate Next Generation Firewall instance at `Step 7a `_. +After the launch is complete, the console displays the Fortigate Next Generation Firewall instance with its public IP address of management/egress interface and allows you either to download the .pem file for SSH access to the instance or to access the FortiGate web page. + +Here is the Firewall information in this example for your reference. Please adjust it depending on your requirements. + +========================================== ========== +**Example setting** **Example value** +========================================== ========== +Firewall Image Fortinet FortiGate Next-Generation Firewall +Firewall Image Version 6.2.3 +Firewall Instance Size c5.xlarge +Egress Interface Subnet Select the subnet whose name contains "FW-ingress-egress". +Key Pair Name (Optional) The .pem file name for SSH access to the firewall instance. +Attach Check +========================================== ========== + +.. note:: + + Fortigate Next Generation Firewall instance has 2 interfaces as described below. Additionally, firewall instance eth1 is on the same subnet as FireNet gateway eth2 interface. 
+ +======================================================== =============================== ================================ +**Fortigate VM instance interfaces** **Description** **Inbound Security Group Rule** +======================================================== =============================== ================================ +eth0 (on subnet -Public-FW-ingress-egress-AZ-a) Egress or Untrusted interface Allow ALL +eth1 (on subnet -dmz-firewall) LAN or Trusted interface Allow ALL (Do not change) +======================================================== =============================== ================================ + + +Below are the steps for initial setup. + +1. Download Fortigate Next Generation Firewall Access Key +---------------------------------- + +After `Step 7a `_ is completed, you'll see the Download button as below. Click the button to download the .pem file. + +If you get a download error, usually it means the Fortigate Next Generation Firewall instance is not ready. Wait until it is ready, refresh the browser and then try again. + +|v2_avx_pem_file_download| + +2. Login to Fortigate Next Generation Firewall +---------------------------------- + +Go back to the Aviatrix Controller Console. +Go to Firewall Network workflow, `Step 7a `_. Click on the `Management UI`. It takes you to the Fortigate Next Generation Firewall you just launched. + +|v2_avx_management_UI| + +.. note:: + + Please try to use browser Firefox if the Management UI link is not able to open on your default browser. + +3. Reset Fortigate Next Generation Firewall Password +-------------------------------- + +Once logged in with the default password, it will ask you to set a new password. + +.. note:: + + Login with Username "admin". Default password is the instance-id. + +4. 
Configure Fortigate Next Generation Firewall port1 with WAN +------------------------------------------------- + +Once logged in with the new password, go to the page "Network -> Interfaces" to configure Physical Interface port1 as the following screenshot. + + - Select the interface with port 1 and click on "Edit" + - Enter an Alias (i.e.: WAN) for the interface + - Specify appropriate role (WAN) + - Enable DHCP to ensure FW retrieve private IP information from AWS console + - Enable “Retrieve default gateway from server" + +|v2_fortigate_interface_wan| + +5. Configure Fortigate Next Generation Firewall port2 with LAN +------------------------------------------------- + +Go to the page "Network -> Interfaces" to configure Physical Interface port2 as the following screenshot. + + - Select the interface with port 2 and click on "Edit" + - Enter an Alias (i.e.: LAN) for the interface + - Specify appropriate role (LAN) + - Enable DHCP to ensure FW retrieve private IP information from AWS console + - Enable Administrative Access . IPv4 > HTTPS + - Disable “Retrieve default gateway from server" + +|v2_fortigate_interface_lan| + +6. Create static routes for routing of traffic VPC to VPC +------------------------------------------------- + +Packets to and from TGW VPCs, as well as on-premises, will be hairpinned off of the LAN interface. As such, we will need to configure appropriate route ranges that you expect traffic for packets that need to be forward back to TGW. +For simplicity, you can configure the FW to send all RFC 1918 packets to LAN port, which sends the packets back to the TGW. + +In this example, we configure all traffic for RFC 1918 to be sent out of the LAN interface. + +Go to the page "Network -> Static Routes" to create a Static Route as the following screenshot. 
+ + - Click on the button "Create New" + - Enter the destination route in the "Destination" box + - In the "Gateway Address" box, you will need to enter the AWS default gateway IP on subnet -dmz-firewall + + .. note:: + + i.e. subnet CIDR for -dmz-firewall is 10.66.0.96/28, thus the AWS default gateway IP on this subnet is 10.66.0.97 + + - Interface will be the LAN (port2) + - Configure an appropriate admin distance if you expect overlapping routes that need to be prioritized + - Enter comments as necessary. + - Repeat the above steps for RFC 1918 routes + +|v2_fortigate_static_routes| + +Those static routes also could be reviewed on the page "Monitor -> Routing Monitor" + +|v2_fortigate_static_routes_review| + +(Optional) Firewall Vendor Integration +------------------------------------------------- + +Integrating a FortiGate firewall with the Aviatrix controller enables the controller to make automatic route updates to the FortiGate routing tables. You may also manually enable the integration with your CSP management tools. FortiGate integration is supported in AWS, Azure, and GCP clouds. + +Integrate the FortiGate firewall with the Aviatrix controller. + +- Generate a Firewall API Token from FortiGate. This token is required to integrate the FortiGate firewall with the controller. + + - In the FortiGate GUI, go to System > Admin Profiles > Create New. + + - Enable the Read/Write option for Network and click OK. + + - Navigate to System > Administrators > Create New > REST API Admin. + + - Supply a Username and choose the Admin Profile from the previous step, and press OK. + + - Copy the generated token. It will only be displayed once. + +- Go to Aviatrix Controller > Firewall Network > Vendor Integration. + +- Enter the vendor firewall information in the controller. + +- Click Save, then Show, then Sync to enable the Aviatrix Controller and FortiGate firewall integration. 
+ +The Aviatrix controller is now enabled to make automatic route updates to the FortiGate routing tables. + +7. Configure basic traffic policy to allow traffic VPC to VPC +------------------------------------------------- + +In this step, we will configure a basic traffic security policy that allows traffic to pass through the firewall. Given that Aviatrix gateways will only forward traffic from the TGW to the LAN port of the Firewall, we can simply set our policy condition to match any packet that is going in/out of LAN interface. + +Go to the page "Policy & Objects -> IPv4 Policy -> Create New / Edit" to configure policy as the following screenshot. + +================== =============================================== +**Field** **Value** +================== =============================================== +Name Configure any name for this policy +Incoming Interface LAN (port2) +Outgoing Interface LAN (port2) +Source Click on the + sign and add all +Destination Click on the + sign and add all +Schedule always +Service ALL +Action ACCEPT +NAT Disabled +================== =============================================== + +|v2_fortigate_policy_vpc_to_vpc| + +After validating that your TGW traffic is being routed through your firewall instances, you can customize the security policy to tailor to your requirements. + +8. [Optional] Configure basic traffic policy to allow traffic VPC to Internet +------------------------------------------------- + +In this step, we will configure a basic traffic security policy that allows internet traffic to pass through the firewall. Given that Aviatrix gateways will only forward traffic from the TGW to the LAN port of the Firewall, we can simply set our policy condition to match any packet that is going in of LAN interface and going out of WAN interface. + +.. important:: + Enable `Egress inspection `_ feature on FireNet + +First of all, go back to the Aviatrix Controller Console. Navigate to the page "Firewall Network -> Advanced". 
Click the skewer/three dot button. Scroll down to “Egress through Firewall” and click Enable. Verify the Egress status on the page "Firewall Network -> Advanced". + +|v2_avx_egress_inspection| + +Secondly, go back to the Fortigate Next Generation Firewall console and navigate to the page "Policy & Objects -> IPv4 Policy -> Create New / Edit" to configure policy as the following screenshot. + +================== =============================================== +**Field** **Value** +================== =============================================== +Name Configure any name for this policy +Incoming Interface LAN (port2) +Outgoing Interface WAN (port1) +Source Click on the + sign and add all +Destination Click on the + sign and add all +Schedule always +Service ALL +Action ACCEPT +NAT Enable +================== =============================================== + +.. important:: + + NAT function needs to be enabled on this VPC to Internet policy + +|v2_fortigate_policy_vpc_to_internet| + +After validating that your TGW traffic is being routed through your firewall instances, you can customize the security policy to tailor to your requirements. + +9. Ready to go! +---------------- + +Now your firewall instance is ready to receive packets! + +The next step is to specify which Security Domain needs packet inspection by defining a connection policy that connects to +the firewall domain. This operation is done by `Step 8 `_ in the Firewall Network workflow. In addition, attach VPC to TGW by `Step 1 `_ in the TGW Orchestrator Build workflow. + +For example, deploy Spoke-1 VPC in Security_Domain_1 and Spoke-2 VPC in Security_Domain_2. Build a connection policy between the two domains. Build a connection between Security_Domain_2 to Firewall Domain. + +10. View Traffic Log +---------------------- + +You can view if traffic is forwarded to the firewall instance by logging in to the Fortigate Next Generation Firewall console. Go to the page "FortiView -> Destinations". 
+ +For VPC to VPC traffic: +*********************** + +Launch one instance in Spoke-1 VPC and Spoke-2 VPC. Start ping packets from a instance in Spoke-1 VPC to the private IP of another instance in Spoke-2 VPC where one or both of Security Domains are connected to Firewall Network Security Domain. The ICMP traffic should go through and be inspected on firewall. + +|v2_fortigate_view_traffic_log_vpc_to_vpc| + +[Optional] For VPC to Internet traffic: +*************************************** + +Launch a private instance in the Spoke VPC (i.e. Spoke-2 VPC) where the Security Domain (i.e. Security_Domain_2) is connected to Firewall Network Security Domain. Start ping packets from the private instance to Internet service to verify egress function. The ICMP traffic should go through and be inspected on firewall. + +|v2_fortigate_view_traffic_log_vpc_to_internet| + +.. |v2_avx_pem_file_download| image:: config_FortiGate_media/v2_pem_file_download.png + :scale: 40% +.. |v2_avx_management_UI| image:: config_FortiGate_media/v2_avx_management_UI.png + :scale: 40% +.. |v2_fortigate_interface_wan| image:: config_FortiGate_media/v2_fortigate_interface_wan.png + :scale: 40% +.. |v2_fortigate_interface_lan| image:: config_FortiGate_media/v2_fortigate_interface_lan.png + :scale: 40% +.. |v2_fortigate_static_routes| image:: config_FortiGate_media/v2_fortigate_static_routes.png + :scale: 40% +.. |v2_fortigate_static_routes_review| image:: config_FortiGate_media/v2_fortigate_static_routes_review.png + :scale: 40% +.. |v2_fortigate_policy_vpc_to_vpc| image:: config_FortiGate_media/v2_fortigate_policy_vpc_to_vpc.png + :scale: 40% +.. |v2_fortigate_policy_vpc_to_internet| image:: config_FortiGate_media/v2_fortigate_policy_vpc_to_internet.png + :scale: 40% +.. |v2_avx_egress_inspection| image:: config_FortiGate_media/v2_avx_egress_inspection.png + :scale: 40% +.. 
|v2_fortigate_view_traffic_log_vpc_to_vpc| image:: config_FortiGate_media/v2_fortigate_view_traffic_log_vpc_to_vpc.png + :scale: 40% +.. |v2_fortigate_view_traffic_log_vpc_to_internet| image:: config_FortiGate_media/v2_fortigate_view_traffic_log_vpc_to_internet.png + :scale: 40% +.. disqus:: diff --git a/HowTos/config_FortiGate_media/az_avx_egress_inspection.png b/HowTos/config_FortiGate_media/az_avx_egress_inspection.png new file mode 100644 index 000000000..8e9731c4f Binary files /dev/null and b/HowTos/config_FortiGate_media/az_avx_egress_inspection.png differ diff --git a/HowTos/config_FortiGate_media/az_avx_management_UI.png b/HowTos/config_FortiGate_media/az_avx_management_UI.png new file mode 100644 index 000000000..d4bdc5e5a Binary files /dev/null and b/HowTos/config_FortiGate_media/az_avx_management_UI.png differ diff --git a/HowTos/config_FortiGate_media/az_fortigate_policy_vpc_to_internet.png b/HowTos/config_FortiGate_media/az_fortigate_policy_vpc_to_internet.png new file mode 100644 index 000000000..c1bb94dbf Binary files /dev/null and b/HowTos/config_FortiGate_media/az_fortigate_policy_vpc_to_internet.png differ diff --git a/HowTos/config_FortiGate_media/az_fortigate_policy_vpc_to_vpc.png b/HowTos/config_FortiGate_media/az_fortigate_policy_vpc_to_vpc.png new file mode 100644 index 000000000..4aa5425a8 Binary files /dev/null and b/HowTos/config_FortiGate_media/az_fortigate_policy_vpc_to_vpc.png differ diff --git a/HowTos/config_FortiGate_media/az_fortigate_static_routes.png b/HowTos/config_FortiGate_media/az_fortigate_static_routes.png new file mode 100644 index 000000000..b4fbcb27e Binary files /dev/null and b/HowTos/config_FortiGate_media/az_fortigate_static_routes.png differ 
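Review bot: the section underlines for steps 1 through 8 in this file are shorter than their titles ("1. Download Fortigate Next Generation Firewall Access Key" sits over a row of 34 dashes, "3. Reset Fortigate Next Generation Firewall Password" over 32, and the long step 4 to 8 headings over the same short row reused from the shorter headings), which docutils reports as "Title underline too short" on every build; extend each underline to at least the title width. Documentation gaps: the interface table gives "Allow ALL" as the inbound rule on eth0, the interface whose public IP carries the management UI, and step 3 notes that the initial admin password is the instance-id, so a sentence advising the reader to restrict that inbound rule to management sources right after the password reset belongs next to the table; step 1 hands out a .pem for SSH, and a reminder to keep that file readable only by its owner would fit there. Grammar: "ensure FW retrieve private IP information" -> "ensure the FW retrieves" (steps 4 and 5), "need to be forward back" -> "forwarded back", "a instance" -> "an instance", and "Administrative Access . IPv4 > HTTPS" has a stray period.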
diff --git a/HowTos/config_FortiGate_media/az_fortigate_static_routes_review.png b/HowTos/config_FortiGate_media/az_fortigate_static_routes_review.png new file mode 100644 index 000000000..dd96274a7 Binary files /dev/null and b/HowTos/config_FortiGate_media/az_fortigate_static_routes_review.png differ diff --git a/HowTos/config_FortiGate_media/az_fortigate_view_traffic_log_vpc_to_internet.png b/HowTos/config_FortiGate_media/az_fortigate_view_traffic_log_vpc_to_internet.png new file mode 100644 index 000000000..20610ca37 Binary files /dev/null and b/HowTos/config_FortiGate_media/az_fortigate_view_traffic_log_vpc_to_internet.png differ diff --git a/HowTos/config_FortiGate_media/az_fortigate_view_traffic_log_vpc_to_internet_2.png b/HowTos/config_FortiGate_media/az_fortigate_view_traffic_log_vpc_to_internet_2.png new file mode 100644 index 000000000..da539f6a1 Binary files /dev/null and b/HowTos/config_FortiGate_media/az_fortigate_view_traffic_log_vpc_to_internet_2.png differ diff --git a/HowTos/config_FortiGate_media/az_fortigate_view_traffic_log_vpc_to_vpc.png b/HowTos/config_FortiGate_media/az_fortigate_view_traffic_log_vpc_to_vpc.png new file mode 100644 index 000000000..45eec4630 Binary files /dev/null and b/HowTos/config_FortiGate_media/az_fortigate_view_traffic_log_vpc_to_vpc.png differ diff --git a/HowTos/config_FortiGate_media/az_fortigate_view_traffic_log_vpc_to_vpc_2.png b/HowTos/config_FortiGate_media/az_fortigate_view_traffic_log_vpc_to_vpc_2.png new file mode 100644 index 000000000..5fbfef490 Binary files /dev/null and b/HowTos/config_FortiGate_media/az_fortigate_view_traffic_log_vpc_to_vpc_2.png differ diff --git a/HowTos/config_FortiGate_media/fg_first_login_1.png b/HowTos/config_FortiGate_media/fg_first_login_1.png new file mode 100644 index 000000000..600a6bbb9 Binary files /dev/null and b/HowTos/config_FortiGate_media/fg_first_login_1.png differ 
diff --git a/HowTos/config_FortiGate_media/fg_first_login_2.png b/HowTos/config_FortiGate_media/fg_first_login_2.png new file mode 100644 index 000000000..698172d4b Binary files /dev/null and b/HowTos/config_FortiGate_media/fg_first_login_2.png differ diff --git a/HowTos/config_FortiGate_media/fg_first_login_3.png b/HowTos/config_FortiGate_media/fg_first_login_3.png new file mode 100644 index 000000000..accc5f52f Binary files /dev/null and b/HowTos/config_FortiGate_media/fg_first_login_3.png differ diff --git a/HowTos/config_FortiGate_media/health-check.png b/HowTos/config_FortiGate_media/health-check.png new file mode 100644 index 000000000..ee5416a84 Binary files /dev/null and b/HowTos/config_FortiGate_media/health-check.png differ diff --git a/HowTos/config_FortiGate_media/health-probe-logs.png b/HowTos/config_FortiGate_media/health-probe-logs.png new file mode 100644 index 000000000..687c5f219 Binary files /dev/null and b/HowTos/config_FortiGate_media/health-probe-logs.png differ diff --git a/HowTos/config_FortiGate_media/review_fg_interfaces.png b/HowTos/config_FortiGate_media/review_fg_interfaces.png new file mode 100644 index 000000000..440a2f61a Binary files /dev/null and b/HowTos/config_FortiGate_media/review_fg_interfaces.png differ diff --git a/HowTos/config_FortiGate_media/v2_avx_egress_inspection.png b/HowTos/config_FortiGate_media/v2_avx_egress_inspection.png new file mode 100644 index 000000000..c68666026 Binary files /dev/null and b/HowTos/config_FortiGate_media/v2_avx_egress_inspection.png differ diff --git a/HowTos/config_FortiGate_media/v2_avx_management_UI.png b/HowTos/config_FortiGate_media/v2_avx_management_UI.png new file mode 100644 index 000000000..79453433a Binary files /dev/null and b/HowTos/config_FortiGate_media/v2_avx_management_UI.png differ 
diff --git a/HowTos/config_FortiGate_media/v2_fortigate_interface_lan.png b/HowTos/config_FortiGate_media/v2_fortigate_interface_lan.png new file mode 100644 index 000000000..ed80223e3 Binary files /dev/null and b/HowTos/config_FortiGate_media/v2_fortigate_interface_lan.png differ diff --git a/HowTos/config_FortiGate_media/v2_fortigate_interface_wan.png b/HowTos/config_FortiGate_media/v2_fortigate_interface_wan.png new file mode 100644 index 000000000..b706dfdee Binary files /dev/null and b/HowTos/config_FortiGate_media/v2_fortigate_interface_wan.png differ diff --git a/HowTos/config_FortiGate_media/v2_fortigate_policy_vpc_to_internet.png b/HowTos/config_FortiGate_media/v2_fortigate_policy_vpc_to_internet.png new file mode 100644 index 000000000..24ffd2208 Binary files /dev/null and b/HowTos/config_FortiGate_media/v2_fortigate_policy_vpc_to_internet.png differ diff --git a/HowTos/config_FortiGate_media/v2_fortigate_policy_vpc_to_vpc.png b/HowTos/config_FortiGate_media/v2_fortigate_policy_vpc_to_vpc.png new file mode 100644 index 000000000..71b2f6100 Binary files /dev/null and b/HowTos/config_FortiGate_media/v2_fortigate_policy_vpc_to_vpc.png differ diff --git a/HowTos/config_FortiGate_media/v2_fortigate_static_routes.png b/HowTos/config_FortiGate_media/v2_fortigate_static_routes.png new file mode 100644 index 000000000..db2484f4d Binary files /dev/null and b/HowTos/config_FortiGate_media/v2_fortigate_static_routes.png differ diff --git a/HowTos/config_FortiGate_media/v2_fortigate_static_routes_review.png b/HowTos/config_FortiGate_media/v2_fortigate_static_routes_review.png new file mode 100644 index 000000000..47fc7beb4 Binary files /dev/null and b/HowTos/config_FortiGate_media/v2_fortigate_static_routes_review.png differ 
diff --git a/HowTos/config_FortiGate_media/v2_fortigate_view_traffic_log_vpc_to_internet.png b/HowTos/config_FortiGate_media/v2_fortigate_view_traffic_log_vpc_to_internet.png new file mode 100644 index 000000000..fcd2eb358 Binary files /dev/null and b/HowTos/config_FortiGate_media/v2_fortigate_view_traffic_log_vpc_to_internet.png differ diff --git a/HowTos/config_FortiGate_media/v2_fortigate_view_traffic_log_vpc_to_vpc.png b/HowTos/config_FortiGate_media/v2_fortigate_view_traffic_log_vpc_to_vpc.png new file mode 100644 index 000000000..24a50df99 Binary files /dev/null and b/HowTos/config_FortiGate_media/v2_fortigate_view_traffic_log_vpc_to_vpc.png differ diff --git a/HowTos/config_FortiGate_media/v2_pem_file_download.png b/HowTos/config_FortiGate_media/v2_pem_file_download.png new file mode 100644 index 000000000..6d03ed9dd Binary files /dev/null and b/HowTos/config_FortiGate_media/v2_pem_file_download.png differ diff --git a/HowTos/config_PFsense.rst b/HowTos/config_PFsense.rst index e98523dc7..3e3d60431 100644 --- a/HowTos/config_PFsense.rst +++ b/HowTos/config_PFsense.rst @@ -11,7 +11,7 @@ *2* Currently we do not have a full integration between the Aviatrix dashboard and the Netgate pfSense, which means that you will not be able to dynamically update the firewall routing table, as it is currently possible with the Palo Alto VM-Series. ========================================================= -Setup Firewall Network(Firenet) +Setup Firewall Network(Firenet) for Netgate PFSense ========================================================= Complete steps 1-6 of the Firewall Network Workflow in Aviatrix controller to prepare your Firewall VPC (FireNet VPC). This will also set up the subnets that you will need for launching your PFsense instance. diff --git a/HowTos/config_PaloAltoAzure.rst b/HowTos/config_PaloAltoAzure.rst new file mode 100644 index 000000000..6bc2f429e --- /dev/null +++ b/HowTos/config_PaloAltoAzure.rst 
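Review bot: The new heading in config_PFsense.rst spells the product "PFSense" while the paragraph two lines above it (context) writes "Netgate pfSense", and "Network(Firenet)" still lacks the space before the parenthesis; use one spelling throughout and write the title as "Setup Firewall Network (FireNet) for Netgate pfSense" so the heading matches the vendor's own capitalisation and the FireNet spelling used elsewhere in the diff (for example "Firewall Network (FireNet)" in the Palo Alto pages).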
@@ -0,0 +1,236 @@ +.. meta:: + :description: Firewall Network + :keywords: AWS Transit Gateway, AWS TGW, TGW orchestrator, Aviatrix Transit network, Transit DMZ, Egress, Firewall, VM Series + + +========================================================= +Example Config for Palo Alto Networks VM-Series in Azure +========================================================= + +In this document, we provide an example to set up the VM-Series for you to validate that packets are indeed +sent to the VM-Series for VNET to VNET and from VNET to internet traffic inspection. + +Please follow the below steps to launch and configure Palo Alto Networks VM-Series in Azure. + +If you are looking to deploy VM-Series in AWS environment, your starting point is `here `_. + +1. Launch Palo Alto Networks Firewall from Aviatrix Controller +-------------------------------------------------------------------------- + +The Aviatrix Firewall Network (FireNet) workflow launches a VM-Series at `Step 7a. `_ After the launch is complete, the console displays the +VM-Series instance with its public IP address of management interface. + +Go to Aviatrix Controller's console, Firewall Network -> Setup -> Step 7a. Here is the VM-Series information in this example for your reference. Please adjust it depending on your requirements. + +========================================== ========== +**Example setting** **Example value** +========================================== ========== +VPC ID Select VPC (e.g. TR-Firenet-VNET) +Gateway Name Select correct Transit FireNet Gateway +Firewall Instance Name Give any Good Name (e.g. PAN-Azure-Firenet) +Firewall Image Palo Alto Networks VM-Series Next-Generation Firewall Bundle 1 +Firewall Image Version 9.1.0 +Firewall Instance Size Standard_D3_v2 +Management Interface Subnet Select the subnet whose name contains "Public-gateway-and-firewall-mgmt". +Egress Interface Subnet Select the subnet whose name contains "Public-FW-ingress-egress". +Username Any Good Name (e.g. 
panadmin). Note that 'admin' is not allowed. Please refer to https://docs.microsoft.com/en-us/azure/virtual-machines/linux/faq for the requirements behing setting this name +Authentication Method Password or SSH Public Key +Password Input a good password of your choice +Attach Check +Advanced Uncheck +========================================== ========== + +Palo Alto Networks VM-Series instance has 3 interfaces as described below. + +======================================================== =============================== ================================ +**Palo Alto VM interfaces** **Description** **Inbound Security Group Rule** +======================================================== =============================== ================================ +eth0 (on subnet -Public-gateway-and-firewall-mgmt) Management interface Allow SSH, HTTPS, ICMP, TCP 3978 +eth1 (on subnet -Public-FW-ingress-egress) Egress or Untrusted interface Allow ALL +eth2 (on subnet -dmz-firewall_lan) LAN or Trusted interface Allow ALL (Do not change) +======================================================== =============================== ================================ + +Note that firewall instance eth2 is on the same subnet as FireNet gateway eth2 interface. + +2. Login to VM-Series +------------------------ + +Go back to the Aviatrix Controller Console. +Go to Firewall Network workflow, Step 7a. Click on the `Management UI`. It takes you the VM-Series you just launched. + +Login with Username "panadmin". Password is the password you set at the previous step. + +|avx-firewall-step7a_UI| + +3. Activate VM license +------------------------ + +4. Dynamic updates +------------------------ + +Go to Device > Dynamic Updates > Click on "Check Now" + + #. Download and Install latest versions of Applications and Threats. + #. Wildfire updates > Click on "Check Now" again > download and then install latest version of Antivirus + +|pan_dynamic_updates| + + +5. 
Configure VM-Series ethernet1/1 with WAN Zone +------------------------------------------------- + +Once logged in, click on the Network tab and you should see a list of ethernet interfaces. Click ethernet1/1 and +configure as the following screenshot. + + - Click Network tab + - Click ethernet1/1 + - Select "layer3" for Interface Type + - Click Config tab in the pop up Ethernet Interface window. + - Select default for Virtual Router at Config tab + - Click New Zone for Security Zone to create a WAN zone. + - At the next pop up screen, name the new zone "WAN" and click OK + +|new_zone| + +Continue, + + - Select IPV4 tab in the pop up Ethernet Interface window. + - Select DHCP Client + - Uncheck "Automatically create default route pointing to default gateway provided by server, as shown below. + +|ipv4| + +Click **Commit**. Once Commit is complete, you should see the Link State turn green at the Network page for ethernet1/1. + +6. Configure VM-Series ethernet1/2 with LAN Zone +--------------------------------------------------- + +Repeat Step 5 for ethernet1/2. Name the new zone LAN. + +Click **Commit**. Once Commit is complete, you should see the Link State turn green at the Network page for ethernet1/2. + +7. Vendor Firewall Integration +--------------------------------- + +This step automatically configures the RFC 1918 and non-RFC 1918 routes between Aviatrix Gateway and Vendor’s firewall instance in this case Palo Alto Networks VM-Series. This can also be done manually through Cloud Portal and/or Vendor’s Management tool. + +1. Go to Firewall Network -> Vendor Integration -> Select Firewall, fill in the details of your Firewall instance. +2. Click Save, Show and Sync. + +|vendor_integration_example| + +8. Enable VM-Series Health Check Policy +---------------------------------------------- + +By default, VM-Series do not allow HTTPS or TCP 443 port. Pleas follow the given steps to enable it: + + 1. 
Go to Network -> Interface Mgmt under Network Profiles and click "Add". + #. Give any name in "Interface Management Profile", check HTTPS checkbox under Administrative Management Service and click "OK". + #. Attach Profile with LAN interface. Network -> Interfaces -> Select LAN Ethernet Interface -> Advanced -> Management Profile -> Select appropiate profile. + +|PAN-health-check| + +See an example screenshot below how to attach profile to an interface. + +|pan_hcheck_attach| + +Firewall health check probes can be verified in Monitor -> Traffic. + +|pan-health-probe| + + +9. Configure basic traffic policy to allow traffic VNET to VNET +------------------------------------------------------------------ + +In this step, we will configure a basic traffic security policy that allows traffic to pass through the VM-Series firewall. + + 1. Click Policies tab. + #. Click +Add at the bottom left corner to create a new policy. + #. Click General tab. Name the policy Allow-all. + #. Click Source tab. Select Any for both panels. + #. Click Destination tab. Select Any for both panels. + #. Click Application tab. Select Any + #. Click OK + #. Click Commit to commit the Allow-all policy. + + +10. [Optional] Configure basic traffic policy to allow traffic VNET to Internet +---------------------------------------------------------------------------------- + +If you would also like to enable NAT to test egress, follow these steps. + +Policies > NAT > Click "Add" > Click General tab, give it a name > Click Original Packet. At Source Zone, click Add, select "LAN". At Destination Zone, select WAN. At Destination Interface, select Ethernet1/1, as shown below. + + |nat_original_packet| + + Click Translated Packet. At Translation Type, select "Dynamic IP And Port". At Address Type, select "Interface Address". At Interface, select "ethernet1/1", as shown below. + + |nat_translated_packet| + + +11. Ready to go! +-------------------- + +Now your firewall instance is ready to receive packets! 
+ +Next step is to validate your configurations and polices using FlightPath and Diagnostic Tools (ping, traceroute etc.). + +12. View Traffic Log +---------------------- + +You can view if traffic is forwarded to the firewall instance by logging in to the VM-Series console. Go to Monitor --> Traffic. + +VNET to VNET traffic: +~~~~~~~~~~~~~~~~~~~~~~~~~ + +Launch one instance in Spoke VNET-1 and one in Spoke VNET-2. Start ping packets from a instance in Soke VNET-1 to the private IP of another instance in Spoke VNET-2. The ICMP traffic should go through the firewall and can be inspected in firewall. + +|traffic_log_vnet_to_vnet| + +[Optional] For VNET to Internet traffic: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Similarly, VNET to internet traffic can be also inspected by launching a private instance in the Spoke VNET and start ping packets from the private instance towards Internet (e.g 8.8.8.8) to verify the egress function. + +.. important:: + The Egress Inspection is only applicable to all VNets that deploys non public facing applications. If you have any Spoke VNet that has public facing web services, you should not enable Egress Inspection. This is because Egress Inspection inserts a default route (0.0.0.0/0) towards Transit GW to send the Internet traffic towards firewall to get inspected. Azure's System Default Route pointing towards Internet will be overwritten by User-defined default route inserted by the Controller. + + +.. |avx-firewall-step7a_UI| image:: config_paloaltoVM_media/avx-firewall-step7a_UI.png + :scale: 35% + +.. |pan_dynamic_updates| image:: config_paloaltoVM_media/pan_dynamic_updates.png + :scale: 35% + +.. |vendor_integration_example| image:: config_paloaltoVM_media/vendor_integration_example.png + :scale: 35% + +.. |new_zone| image:: config_paloaltoVM_media/new_zone.png + :scale: 30% + +.. |ipv4| image:: config_paloaltoVM_media/ipv4.png + :scale: 30% + +.. 
|nat_original_packet| image:: config_paloaltoVM_media/nat_original_packet.png + :scale: 30% + +.. |nat_translated_packet| image:: config_paloaltoVM_media/nat_translated_packet.png + :scale: 30% + +.. |PAN-health-check| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/PAN-health-check.png + :scale: 35% + +.. |health-probe-logs| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/health-probe-logs.png + :scale: 40% + +.. |pan-health-probe| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/pan-health-probe.png + :scale: 40% + +.. |pan_hcheck_attach| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/pan_hcheck_attach.png + :scale: 40% + +.. |traffic_log_vnet_to_vnet| image:: config_paloaltoVM_media/traffic_log_vnet_to_vnet.png + :scale: 40% + + +.. disqus:: diff --git a/HowTos/config_paloaltoGCP.rst b/HowTos/config_paloaltoGCP.rst new file mode 100644 index 000000000..12ce332bc --- /dev/null +++ b/HowTos/config_paloaltoGCP.rst 
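Review bot: In config_PaloAltoAzure.rst the interface table puts eth0 (management) on the subnet named "Public-gateway-and-firewall-mgmt" with an inbound rule of "Allow SSH, HTTPS, ICMP, TCP 3978" and no source restriction, so the VM-Series management plane is reachable from the Internet as written; state that the SSH/HTTPS sources should be limited to the Controller and the administrators' addresses, and, since the launch table offers "Password or SSH Public Key", recommend the key option rather than a password for an Internet-facing management interface. Step 8 has the same flavour of problem: enabling HTTPS in an Interface Management Profile and attaching it to the LAN interface exposes the firewall's web UI on the data-plane interface to every spoke, so the step should tell the reader to fill in the profile's Permitted IP Addresses with only the gateway addresses that send the health-check probes. Step 9's "Allow-all" security policy (any source, any destination, any application) should be labelled explicitly as a validation-only rule to be replaced once packets are seen in Monitor > Traffic. Section "3. Activate VM license" has a heading and no body. Minor wording: "behing" (behind), "Pleas follow" (Please), "appropiate" (appropriate), "Soke VNET-1" (Spoke), "from a instance" (an instance), "polices" (policies), and "It takes you the VM-Series" (takes you to).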
@@ -0,0 +1,184 @@ +.. meta:: + :description: Firewall Network + :keywords: GCP Transit Gateway, Aviatrix Transit network, Transit DMZ, Egress, Firewall, PAN, Palo Alto, VM Series, GCP, GCP FireNet + + +========================================================= +Example Config for Palo Alto Network VM-Series in GCP +========================================================= + +In this document, we provide an example to set up the VM-Series for you to validate that packets are indeed +sent to the VM-Series for VPC to VPC and from VPC to internet traffic inspection. + +For using bootstrap method to setup the VM-Series, follow `this document. `_ + +VM-Series in AWS can be setup using the guide `Palo Alto Networks VM-Series AWS Example `_. + +VM-Series in Azure can be setup using the guide `Palo Alto Networks VM-Series Azure Example `_. + +The Aviatrix Firewall Network (FireNet) workflow launches a VM-Series at `Step 7a. `_ After the launch is complete, the console displays the +VM-Series instance with its public IP address of management interface and allows you to download the .pem file +for SSH access to the instance. + +Below are the steps for initial setup. + +1. Download VM-Series Access Key +---------------------------------- + +After `Step 7a `_ is completed, you'll see the Download button as below. Click the button to download the .pem file. + +If you get a download error, usually it means the VM-Series is not ready. Wait until it is ready, refresh the browser and then try again. + +|access_key| + +2. Reset VM-Series Password +-------------------------------- + +For Metered AMI, open a terminal and run the following command. + +.. tip :: + + Once you download the .pem file, change the file permission to 400. If you are asked to enter a password during the login, the VM-Series is still not ready. Wait and try again. It usually takes up to 15 minutes for the VM-Series to be ready. When the VM-Series is ready, you will not be asked for a password anymore. 
+ + +:: + + ssh -i admin@ + configure + set mgt-config users admin password + commit + +For BYOL, open a terminal and run the following command. + +:: + + ssh -i admin@ + configure + set mgt-config users admin password + set deviceconfig system dns-setting servers primary + commit + +Terminate the SSH session. + +3. Login to VM-Series +------------------------ + +Go back to the Aviatrix Controller Console. +Go to Firewall Network workflow, Step 7a. Click on the `Management UI`. It takes you the VM-Series you just launched. + +Login with Username "admin". Password is the password you set at the previous step. + +4. Activate VM license +------------------------ + +5. Dynamic updates +------------------------ + +From Device > Dynamic Updates > Click on "Check Now" > download and then install latest versions of a. Applications and Threats b. Wildfire updates > Click on "Check Now" again > download and then install latest version of Antivirus + +6. Configure VM-Series ethernet1/1 with WAN Zone +------------------------------------------------- + +Once logged in, click on the Network tab and you should see a list of ethernet interfaces. Click ethernet1/1 and +configure as the following screenshot. + + - Click Network tab + - Click ethernet1/1 + - Select "layer3" for Interface Type + - Click Config tab in the pop up Ethernet Interface window. + - Select default for Virtual Router at Config tab + - Click New Zone for Security Zone to create a WAN zone. + - At the next pop up screen, name the new zone "WAN" and click OK + +|new_zone| + +Continue, + + - Select IPV4 tab in the pop up Ethernet Interface window. + - Select DHCP Client + - Uncheck "Automatically create default route pointing to default gateway provided by server, as shown below. + +|ipv4| + +Click Commit. Once Commit is complete, you should see the Link State turn green at the Network page for ethernet1/1. + +7. 
Configure VM-Series ethernet1/2 with LAN Zone +--------------------------------------------------- + +Repeat Step 6 for ethernet1/2. Name the new zone LAN. + +Click Commit. Once Commit is complete, you should see the Link State turn green at the Network page for ethernet1/2. + + +8. GCP VM-Series Health Check +--------------------------------- + +First configure DNAT rule for Health Check is a mandatory required in GCP. Go to Polices -> NAT -> Add NAT. See example below for NAT configurations. + + +|health_check_dnat| + + +Also, follow `VM-Series Health Check Steps `_ to allow Google Load Balancer to check firewall instance health at regular intervals. + + +9. Configure Basic Allow-all Policy +------------------------------------ + +In this step, we will configure a basic traffic security policy that allows traffic to pass through the VM-Series firewall. + + 1. Click Policies tab. + #. Click +Add at the bottom left corner to create a new policy. + #. Click General tab. Name the policy Allow-all. + #. Click Source tab. Select Any for both panels. + #. Click Destination tab. Select Any for both panels. + #. Click Application tab. Select Any + #. Click OK + +Click "Commit" to install the Allow-all policy. + +10. Configure NAT for egress +------------------------------ + +If you would also like to enable NAT to test egress, follow these steps. + +Policies > NAT > Click "Add" > Click General tab, give it a name > Click Original Packet. At Source Zone, click Add, select "LAN". At Destination Zone, select WAN. At Destination Interface, select Ethernet1/1, as shown below. + + |nat_original_packet| + + Click Translated Packet. At Translation Type, select "Dynamic IP And Port". At Address Type, select "Interface Address". At Interface, select "ethernet1/1", as shown below. + + |nat_translated_packet| + +11. Ready to go! +----------------- + +Now your firewall instance is ready to receive packets! 
+ +Next step is to validate your configurations and polices using FlightPath and Diagnostic Tools (ping, traceroute etc.). + +12. View Traffic Log +---------------------- + +You can view if traffic is forwarded to the firewall instance by logging in to the VM-Series console. Click Monitor. Start ping packets from one Spoke VPC to another Spoke VPC where one or both of Security Domains are connected to Firewall Network Security Domain + + +.. |access_key| image:: config_paloaltoVM_media/gcp/access_key.png + :scale: 45% + +.. |health_check_dnat| image:: config_paloaltoVM_media/gcp/health_check_dnat.png + :scale: 45% + +.. |new_zone| image:: config_paloaltoVM_media/new_zone.png + :scale: 30% + +.. |ipv4| image:: config_paloaltoVM_media/ipv4.png + :scale: 30% + +.. |nat_original_packet| image:: config_paloaltoVM_media/nat_original_packet.png + :scale: 30% + +.. |nat_translated_packet| image:: config_paloaltoVM_media/nat_translated_packet.png + :scale: 30% + +.. disqus:: diff --git a/HowTos/config_paloaltoOCI.rst b/HowTos/config_paloaltoOCI.rst new file mode 100644 index 000000000..84e58b619 --- /dev/null +++ b/HowTos/config_paloaltoOCI.rst 
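Review bot: Step 8 of config_paloaltoGCP.rst opens with "First configure DNAT rule for Health Check is a mandatory required in GCP", which does not parse, and the only definition of that DNAT rule is the screenshot; write the rule out in text (source zone, destination address and port, translated address) and restrict its source to Google's documented load-balancer health-check ranges, otherwise the rule forwards any WAN-zone traffic on that port to the firewall's management service. Step 2's tip says to chmod the .pem file to 400 while the otherwise identical tip in config_paloaltoOCI.rst says 600; pick one value for both pages (either satisfies ssh's permission check, 400 is the stricter). Step 5 runs "a. Applications and Threats b. Wildfire updates" together on one line where the Azure page splits them into a list; reuse that list here. "polices" in step 11 should be "policies".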
@@ -0,0 +1,180 @@ +.. meta:: + :description: Firewall Network + :keywords: OCI Transit Gateway, Aviatrix Transit network, Transit DMZ, Egress, Firewall, OCI Palo Alto, VM-Series + + +========================================================= +Example Config for Palo Alto Network VM-Series in OCI +========================================================= + +In this document, we provide an example to set up the VM-Series for you to validate that packets are indeed +sent to the VM-Series for VCN to VCN and from VCN to internet traffic inspection. + +VM-Series in AWS can be setup using the guide `Palo Alto Networks VM-Series AWS Example `_. + +VM-Series in Azure can be setup using the guide `Palo Alto Networks VM-Series Azure Example `_. + +The Aviatrix Firewall Network (FireNet) workflow launches a VM-Series at `Step 7a. `_ After the launch is complete, the console displays the +VM-Series instance with its public IP address of management interface and allows you to download the .pem file +for SSH access to the instance. + +Below are the steps for initial setup. + +1. Download VM-Series Access Key +---------------------------------- + +After `Step 7a `_ is completed, you'll see the Download button as below. Click the button to download the .pem file. + +If you get a download error, usually it means the VM-Series is not ready. Wait until it is ready, refresh the browser and then try again. + +|access_key| + +2. Reset VM-Series Password +-------------------------------- + +For Metered AMI, open a terminal and run the following command. + +.. tip :: + + Once you download the .pem file, change the file permission to 600. If you are asked to enter a password during the login, the VM-Series is still not ready. Wait and try again. It usually takes up to 15 minutes for the VM-Series to be ready. When the VM-Series is ready, you will not be asked for a password anymore. 
+ + +:: + + ssh -i admin@ + configure + set mgt-config users admin password + commit + +For BYOL, open a terminal and run the following command. + +:: + + ssh -i admin@ + configure + set mgt-config users admin password + set deviceconfig system dns-setting servers primary + commit + +Terminate the SSH session. + +3. Login to VM-Series +------------------------ + +Go back to the Aviatrix Controller Console. +Go to Firewall Network workflow, Step 7a. Click on the `Management UI`. It takes you the VM-Series you just launched. + +Login with Username "admin". Password is the password you set at the previous step. + +4. Activate VM license +------------------------ + +5. Dynamic updates +------------------------ + +From Device > Dynamic Updates > Click on "Check Now" > download and then install latest versions of a. Applications and Threats b. Wildfire updates > Click on "Check Now" again > download and then install latest version of Antivirus + +6. Configure VM-Series ethernet1/1 with WAN Zone +------------------------------------------------- + +Once logged in, click on the Network tab and you should see a list of ethernet interfaces. Click ethernet1/1 and +configure as the following screenshot. + + - Click Network tab + - Click ethernet1/1 + - Select "layer3" for Interface Type + - Click Config tab in the pop up Ethernet Interface window. + - Select default for Virtual Router at Config tab + - Click New Zone for Security Zone to create a WAN zone. + - At the next pop up screen, name the new zone "WAN" and click OK + +|new_zone| + +Continue, + + - Select IPV4 tab in the pop up Ethernet Interface window. + - Select Static + - Add Private IP of eth1 firewall WAN NIC, as shown below. + +|ipv4| + +Click Commit. Once Commit is complete, you should see the Link State turn green at the Network page for ethernet1/1. + +7. Configure VM-Series ethernet1/2 with LAN Zone +--------------------------------------------------- + +Repeat Step 6 for ethernet1/2. Name the new zone LAN. 
Also, allow ICMP on LAN interface for health check, as shown below. + + 1. Go to Network -> Interface Mgmt under Network Profiles and click "Add". + #. Give any name in "Interface Management Profile", check Ping or ICMP checkbox under Administrative Management Service and click "OK". + #. Attach Profile with LAN interface. Network -> Interfaces -> Select LAN Ethernet Interface -> Advanced -> Management Profile -> Select appropriate profile. + + +|ipv4_2| + +Click Commit. Once Commit is complete, you should see the Link State turn green at the Network page for ethernet1/2. + + +8. Configure Allow All Policies +--------------------------------- + +Policies > Security > Click "Add" + + 1. Name the policy -> Allow-All + #. Source tab -> Any + #. Destination tab -> Any + #. Applicatio tab -> Any + #. Click "OK" + +9. Configure NAT for egress +------------------------------ + +If you would also like to enable NAT to test egress, follow these steps. + +Policies > NAT > Click "Add" > Click General tab, give it a name > Click Original Packet. At Source Zone, click Add, select "LAN". At Destination Zone, select WAN. At Destination Interface, select Ethernet1/1, as shown below. + + |nat_original_packet| + + Click Translated Packet. At Translation Type, select "Dynamic IP And Port". At Address Type, select "Interface Address". At Interface, select "ethernet1/1", as shown below. + + |nat_translated_packet| + +11. Setup API access +---------------------- + +In order for the Aviatrix Controller to automatically update firewall instance route tables, monitor the firewall instance health and manage instance failover, you need to setup API access permissions. + +Follow `the instructions here `_ to enable API access. + +12. Ready to go! +------------------- + +Now your firewall instance is ready to receive packets! + +For example, launch one instance in Spoke-1 VCN and Spoke-2 VCN. From one instance, ping the other instance. The ping should go through. + +13. 
View Traffic Log +---------------------- + +You can view if traffic is forwarded to the firewall instance by logging in to the VM-Series console. Click Monitor. Start ping packets from one Spoke VCN to another Spoke VCN. + + +.. |access_key| image:: config_paloaltoVM_media/oci/access_key.png + :scale: 40% + +.. |new_zone| image:: config_paloaltoVM_media/new_zone.png + :scale: 30% + +.. |ipv4| image:: config_paloaltoVM_media/oci/ipv4.png + :scale: 40% + +.. |ipv4_2| image:: config_paloaltoVM_media/oci/ipv4_2.png + :scale: 40% + +.. |nat_original_packet| image:: config_paloaltoVM_media/oci/nat_original_packet.png + :scale: 40% + +.. |nat_translated_packet| image:: config_paloaltoVM_media/oci/nat_translated_packet.png + :scale: 40% + +.. disqus:: diff --git a/HowTos/config_paloaltoVM.rst b/HowTos/config_paloaltoVM.rst index 376b5ef76..3956c4f0b 100644 --- a/HowTos/config_paloaltoVM.rst +++ b/HowTos/config_paloaltoVM.rst @@ -4,7 +4,7 @@ ========================================================= -Example Config for Palo Alto Network VM-Series +Example Config for Palo Alto Network VM-Series in AWS ========================================================= In this document, we provide an example to set up the VM-Series for you to validate that packets are indeed @@ -12,6 +12,8 @@ sent to the VM-Series for VPC to VPC and from VPC to internet traffic inspection For using bootstrap method to setup the VM-Series, follow `this document. `_ +VM-Series in Azure can be setup using the guide `Palo Alto Networks VM-Series Azure Example `_. + The Aviatrix Firewall Network (FireNet) workflow launches a VM-Series at `Step 7a. `_ After the launch is complete, the console displays the VM-Series instance with its public IP address of management interface and allows you to download the .pem file for SSH access to the instance. 
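Review bot: Section numbering in config_paloaltoOCI.rst jumps from "9. Configure NAT for egress" to "11. Setup API access" (there is no step 10), and neither step 8 (Allow All) nor step 9 (NAT) ends with a Commit, so a reader who reaches "12. Ready to go!" and pings between the Spoke VCNs as instructed will have no committed policy; add a Commit after step 9 and renumber. Step 7 attaches an Interface Management Profile with Ping to the LAN interface; as in the other pages, say that the profile's Permitted IP Addresses should contain only the gateway LAN address that sends the health check, so the data-plane interface does not answer management probes from every spoke. Step 2's tip says chmod 600 while the GCP page says 400 for the same key file; align the two. "Applicatio tab" in step 8 should be "Application tab".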
@@ -101,10 +103,17 @@ Click Commit. Once Commit is complete, you should see the Link State turn green 7. Configure VM-Series ethernet1/2 with LAN Zone --------------------------------------------------- -Repeat Step 4 for ethernet1/2. Name the new zone LAN. +Repeat Step 6 for ethernet1/2. Name the new zone LAN. Click Commit. Once Commit is complete, you should see the Link State turn green at the Network page for ethernet1/2. +.. tip :: + +If Keepalive via Firewall LAN Interface is enabled in Firewall Network > Advanced, ensure that ping is allowed in the Firewall LAN interface configuration: +https://docs.aviatrix.com/HowTos/firewall_advanced.html?#keep-alive-via-firewall-lan-interface + +:: + 8. Configure Allow Outbound Policies --------------------------------- @@ -123,18 +132,6 @@ Policies > NAT > Click "Add" > Click General tab, give it a name > Click Origina |nat_translated_packet| -10. Configure Default Virtual Router ------------------------------- -Under Network > Virtual Routers > Static Routes > Click on "Default" - -Destination : 0.0.0.0/0 - -Interface : ethernet1/1 - -Next Hop : None - -Click "Commit" - 11. Setup API access ---------------------- diff --git a/HowTos/config_paloaltoVM_media/avx-firewall-step7a_UI.png b/HowTos/config_paloaltoVM_media/avx-firewall-step7a_UI.png new file mode 100644 index 000000000..19384e956 Binary files /dev/null and b/HowTos/config_paloaltoVM_media/avx-firewall-step7a_UI.png differ diff --git a/HowTos/config_paloaltoVM_media/gcp/access_key.png b/HowTos/config_paloaltoVM_media/gcp/access_key.png new file mode 100644 index 000000000..445b64936 Binary files /dev/null and b/HowTos/config_paloaltoVM_media/gcp/access_key.png differ diff --git a/HowTos/config_paloaltoVM_media/gcp/health_check_dnat.png b/HowTos/config_paloaltoVM_media/gcp/health_check_dnat.png new file mode 100644 index 000000000..19dbcd5c1 Binary files /dev/null and b/HowTos/config_paloaltoVM_media/gcp/health_check_dnat.png differ 
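Review bot: The new `.. tip ::` in config_paloaltoVM.rst (hunk at line 103) has no indented content: the two lines about Keepalive via Firewall LAN Interface are flush left after a blank line, so docutils reports "Content block expected for the tip directive; none found" and renders the text as an ordinary paragraph, and the bare `::` that follows produces a "Literal block expected; none found" warning. Indent the sentence and the URL under the directive and drop the trailing `::`. While in this region, the context heading "8. Configure Allow Outbound Policies" has an underline shorter than its title, which is another build warning worth fixing in the same commit.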
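Review bot: Deleting "10. Configure Default Virtual Router" (hunk at line 132) leaves the page numbered 9 then 11, and it removes the only place the AWS page told the reader to put a 0.0.0.0/0 route out of ethernet1/1, which the egress NAT in step 9 (context: "At Interface, select ethernet1/1") relies on. If the route is now expected to come from the Controller through the API access set up in step 11, say so in step 11; if it must still be entered by hand, keep the step. Either way renumber the remaining sections.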
diff --git a/HowTos/config_paloaltoVM_media/oci/access_key.png b/HowTos/config_paloaltoVM_media/oci/access_key.png new file mode 100644 index 000000000..9a6424fce Binary files /dev/null and b/HowTos/config_paloaltoVM_media/oci/access_key.png differ diff --git a/HowTos/config_paloaltoVM_media/oci/ipv4.png b/HowTos/config_paloaltoVM_media/oci/ipv4.png new file mode 100644 index 000000000..ddf7bee76 Binary files /dev/null and b/HowTos/config_paloaltoVM_media/oci/ipv4.png differ diff --git a/HowTos/config_paloaltoVM_media/oci/ipv4_2.png b/HowTos/config_paloaltoVM_media/oci/ipv4_2.png new file mode 100644 index 000000000..7e9eb1711 Binary files /dev/null and b/HowTos/config_paloaltoVM_media/oci/ipv4_2.png differ diff --git a/HowTos/config_paloaltoVM_media/oci/nat_original_packet.png b/HowTos/config_paloaltoVM_media/oci/nat_original_packet.png new file mode 100644 index 000000000..287aae404 Binary files /dev/null and b/HowTos/config_paloaltoVM_media/oci/nat_original_packet.png differ diff --git a/HowTos/config_paloaltoVM_media/oci/nat_translated_packet.png b/HowTos/config_paloaltoVM_media/oci/nat_translated_packet.png new file mode 100644 index 000000000..8c465c1ed Binary files /dev/null and b/HowTos/config_paloaltoVM_media/oci/nat_translated_packet.png differ diff --git a/HowTos/config_paloaltoVM_media/pan_dynamic_updates.png b/HowTos/config_paloaltoVM_media/pan_dynamic_updates.png new file mode 100644 index 000000000..2a8aa0346 Binary files /dev/null and b/HowTos/config_paloaltoVM_media/pan_dynamic_updates.png differ diff --git a/HowTos/config_paloaltoVM_media/traffic_log_vnet_to_vnet.png b/HowTos/config_paloaltoVM_media/traffic_log_vnet_to_vnet.png new file mode 100644 index 000000000..32f9813a7 Binary files /dev/null and b/HowTos/config_paloaltoVM_media/traffic_log_vnet_to_vnet.png differ 
diff --git a/HowTos/config_paloaltoVM_media/vendor_integration_example.png b/HowTos/config_paloaltoVM_media/vendor_integration_example.png new file mode 100644 index 000000000..31e6f5981 Binary files /dev/null and b/HowTos/config_paloaltoVM_media/vendor_integration_example.png differ diff --git a/HowTos/configuring_cloudN_examples.rst b/HowTos/configuring_cloudN_examples.rst deleted file mode 100644 index 9847a07c7..000000000 --- a/HowTos/configuring_cloudN_examples.rst +++ /dev/null 
@@ -1,373 +0,0 @@ -.. meta:: - :description: Configuring CloudN using ESXi 5.0 or later - :keywords: configure cloudN, cloudN, configure cloudN ESXi, aviatrix - - -====================================================== -Configuring CloudN using ESXi 5.0 or later (EST mode) -====================================================== - -This document describes the step-by-step procedures to configure CloudN -and Ubuntu server that will connect to external devices in access mode. -CloudN will use one physical NIC and Ubuntu will use another physical -NIC on the host. Both physical may connect to the same or different -router/firewall/switch in access mode. In this example, all ESXi host -does not see any VLAN tags nor handle any VLAN tagging. All VLAN tagging -is done by the external physical switch and ESXi virtual switch is not -aware about it. - -|Drawing1| - -First, we will download Aviatrix CloudN zip file and extract it to a -local folder on your computer. The folder will include a CloudN OVF -image that will be used to instantiate Aviatrix CloudN. - -**Step 1: Creating the Networks** - -1.1 From the vSphere Client, select the host and click on Configuration - tab. In the Hardware section, select Networking > Add Networking tab - to create a vSwitch with a single vmnic port assigned to it. - -|image16| - -|image18| - -1.2 Select the vmnic that you plan to use to connect the CloudN from the -ESXi host to external network devices. In our example here, we use -vmnic1 to reach our firewall device that has an integrated switch -ports. Click Next. - -|image20| - -1.3 Provide a Network Label “Net-10.152.0.0”. Note that we are using the -default None (0) in the VLAN ID field. This implies that ESXi will not -handle any VLAN tagging. Click Next and Finish. You may use a different -Network Label of your choice based on your network design. - -|image22| -|image24| - -1.4 Aviatrix CloudN has -two network interfaces which are required to be in the same network. 
We -will need to enable the promiscuous mode on the network adapter used by -CloudN. Select the vSwitch created in the previous step and select the -Properties. - -|image26| - -1.5 Select the port “Net-10.152.0.0” and click Edit. - -|image28| - -1.6 Click on Security tab. Check the box and select Accept for both -Promiscuous Mode and Forged Transmits. Click OK to apply the changes. - -|image30| - -1.7 Repeat Step 1.1 through 1.5 to create another vSwitch for Ubuntu but -use a different physical adapter. In our example here, we will use -vmnic3 for this Ubuntu server. - -|image32| -|image34| - -Now we have created two Virtual Machine Port Group that will utilize two -physical adapters (vmnic2 and vmnic3 in our example here). - -**Step 2: Creating Aviatrix CloudN Virtual Machine** - -2.1 At the vSphere Client, click on Flie > Deploy OVF Template. - -|image36| - -2.2 Browse to the CloudN OVF image that is previously extracted. CloudN -OVF image usually has a naming convention of “CloudN-ovf-\ *date*\ ” -where *date* is the time when the image was built. Click Next to -continue through the rest of the installation. - -|image38| - -|image40| - -2.3 Provide the Name of your CloudN, select the Disk Format. - -|image42| - -|image44| - -2.4 At the Network Mapping section, choose Net-10.152.0.0 and click Next -and Finish. - -|image46| - -|image48| - -2.5 vSphere Client will start creating the CloudN VM. Once it complete, -power it on to start the deploy the CloudN. - -|image50| - -**Step 3: Initializing CloudN** - -3.1 Click on CloudN VM “Sandbox3-CloudN” and select the Console tab. -Once the boot up process completes, login to CloudN with the “admin” and -password “Aviatrix123#”. - -|image52| - -3.2 Assign ip address to CloudN interface. CloudN supports manually -assigned static ip address and auto generated ip address. For more -details about CloudN initial configuration, please refer to `Aviatrix -Hybrid Controller 2.0 Getting Started -Guide `__. 
-In this example, we will manually configure the CloudN interface ip -address to 10.152.0.2/16. - -Command: - -setup\_interface\_static\_address 10.152.0.2 255.255.0.0 10.152.0.1 -8.8.8.8 8.8.4.4 - -Syntax: - -setup\_interface\_static\_address [static\_ip\_address] [net\_mask] -[default\_gateway\_ip\_address] [primary\_dns\_server\_ip\_address] -[secondary\_dns\_server\_ip\_address] - -CloudN will automatically download the latest official CloudN software -from Aviatrix. When the console prompt shows “Interface and network have -been successfully configured, software is ready”, you may access the -Aviatrix Cloud Controller Web GUI to complete the initialization. - -|image54| - -|image56| - -3.3 Connect a PC that has the connectivity to 10.152.0.2. Launch a -browser and enter https://10.152.0.2. There maybe a warning message that -says “Your connection is not private”. Click Advanced and Proceed to -10.152.0.2. Login to Aviatrix CloudN Web GUI with Username “admin” and -password “10.152.0.2”. Note that the initial password upon CloudN -installation is the private IP address of the instance. - -|image58| - -3.4 Enter the email address to be used for admin and change the default -password for security reasons. When you see the Onboarding page, your -CloudN installation and initialization has complete and ready for use. - -|image60| - -|image62| - -**Step 4: Creating Ubuntu VM** - -4.1 The following screen shots are steps to create a Ubuntu VM on a -separate Net-10.162.0.0 with its interface ip address as 10.162.0.2/16. -In this example, we assume that you have already uploaded an Ubuntu ISO -image to the datastore of the ESXi host. - -|image64| - -|image66| - -|image68| - -|image70| - -|image72| - -|image74| - -|image76| - -|image78| - -|image80| - -4.2 After the Ubuntu VM is created, power it on and click on the Console -tab to proceed with the typical Ubuntu installation process. 
In this -example, we will configure Ubuntu interface to 10.162.0.2/16 with a -default gateway of 10.162.0.1. - -|image82| - -Once the Ubuntu installation completes, you may to ping to your gateway -and Aviatrix CloudN ip address 10.152.0.2 with the assumption that you -have preconfigure your network routing between the two ports from the -ESXi host to your network device. - -**Step 5: Validating the connectivity between CloudN and Ubuntu** - -5.1 Ssh login to Ubuntu that you created in Step 4 with the password. - -.. code:: - - cksoon:~ cksoon$ ssh ubuntu@10.162.0.2 - - The authenticity of host '10.162.0.2 (10.162.0.2)' can't be established. - - ECDSA key fingerprint is - SHA256:jnphHrRH6wHfcJh1WGGHTvOWKwa7S1bE3I0PBt+yK3I. - - Are you sure you want to continue connecting (yes/no)? yes - - Warning: Permanently added '10.162.0.2' (ECDSA) to the list of known - hosts. - - ubuntu@10.162.0.2's password: - - Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.16.0-30-generic x86\_64) - - \* Documentation: https://help.ubuntu.com/ - - System information as of Thu Oct 27 10:50:35 PDT 2016 - - System load: 0.01 Processes: 79 - - Usage of /: 8.5% of 14.38GB Users logged in: 0 - - Memory usage: 6% IP address for eth0: 10.162.0.2 - - Swap usage: 0% - - Graph this data and manage this system at: - - https://landscape.canonical.com/ - - 174 packages can be updated. - - 95 updates are security updates. - - Last login: Thu Oct 27 10:50:35 2016 - - ubuntu@ubuntu:~$ ping 10.152.0.2 - - PING 10.152.0.2 (10.152.0.2) 56(84) bytes of data. - - 64 bytes from 10.152.0.2: icmp\_seq=1 ttl=64 time=1.76 ms - - 64 bytes from 10.152.0.2: icmp\_seq=2 ttl=64 time=1.73 ms - - 64 bytes from 10.152.0.2: icmp\_seq=3 ttl=64 time=1.72 ms - - ^C - - --- 10.152.0.2 ping statistics --- - - 3 packets transmitted, 3 received, 0% packet loss, time 2003ms - - rtt min/avg/max/mdev = 1.727/1.742/1.762/0.037 ms - - ubuntu@ubuntu:~$ - - -.. 
|Drawing1| image:: Configuring_CloudN_Examples_media/Drawing1.png - :width: 6.50000in - :height: 4.0in -.. |image16| image:: Configuring_CloudN_Examples_media/image016.png - :width: 6.50000in - :height: 4.0000in - :scale: 125% -.. |image18| image:: Configuring_CloudN_Examples_media/image018.png - :width: 6.50000in - :height: 4.25278in -.. |image20| image:: Configuring_CloudN_Examples_media/image020.png - :width: 6.48611in - :height: 4.50000in -.. |image22| image:: Configuring_CloudN_Examples_media/image022.png - :width: 6.50000in - :height: 4.51389in -.. |image24| image:: Configuring_CloudN_Examples_media/image024.png - :width: 6.48611in - :height: 4.29167in -.. |image26| image:: Configuring_CloudN_Examples_media/image026.png - :width: 6.48611in - :height: 4.88889in -.. |image28| image:: Configuring_CloudN_Examples_media/image028.png - :width: 6.48611in - :height: 4.12778in -.. |image30| image:: Configuring_CloudN_Examples_media/image030.png - :width: 6.48611in - :height: 4.00278in -.. |image32| image:: Configuring_CloudN_Examples_media/image032.png - :width: 6.50000in - :height: 4.56944in -.. |image34| image:: Configuring_CloudN_Examples_media/image034.png - :width: 6.48611in - :height: 4.25278in -.. |image36| image:: Configuring_CloudN_Examples_media/image036.png - :width: 6.50000in - :height: 4.37778in -.. |image38| image:: Configuring_CloudN_Examples_media/image038.png - :width: 6.50000in - :height: 4.37778in -.. |image40| image:: Configuring_CloudN_Examples_media/image040.png - :width: 6.50000in - :height: 4.32222in -.. |image42| image:: Configuring_CloudN_Examples_media/image042.png - :width: 6.50000in - :height: 4.25278in -.. |image44| image:: Configuring_CloudN_Examples_media/image044.png - :width: 6.50000in - :height: 4.37778in -.. |image46| image:: Configuring_CloudN_Examples_media/image046.png - :width: 6.50000in - :height: 4.25278in -.. |image48| image:: Configuring_CloudN_Examples_media/image048.png - :width: 6.50000in - :height: 4.0in -.. 
|image50| image:: Configuring_CloudN_Examples_media/image050.png - :width: 6.50000in - :height: 4.25278in -.. |image52| image:: Configuring_CloudN_Examples_media/image052.png - :width: 6.50000in - :height: 4.25278in -.. |image54| image:: Configuring_CloudN_Examples_media/image054.png - :width: 6.50000in - :height: 4.25278in -.. |image56| image:: Configuring_CloudN_Examples_media/image056.png - :width: 6.50000in - :height: 4.25278in -.. |image58| image:: Configuring_CloudN_Examples_media/image058.png - :width: 6.50000in - :height: 4.25278in -.. |image60| image:: Configuring_CloudN_Examples_media/image060.png - :width: 6.50000in - :height: 4.25278in -.. |image62| image:: Configuring_CloudN_Examples_media/image062.png - :width: 6.50000in - :height: 4.25278in -.. |image64| image:: Configuring_CloudN_Examples_media/image064.png - :width: 6.50000in - :height: 4.25278in -.. |image66| image:: Configuring_CloudN_Examples_media/image066.png - :width: 6.50000in - :height: 4.25278in -.. |image68| image:: Configuring_CloudN_Examples_media/image068.png - :width: 6.50000in - :height: 4.25278in -.. |image70| image:: Configuring_CloudN_Examples_media/image070.png - :width: 6.50000in - :height: 4.25278in -.. |image72| image:: Configuring_CloudN_Examples_media/image072.png - :width: 6.50000in - :height: 4.25278in -.. |image74| image:: Configuring_CloudN_Examples_media/image074.png - :width: 6.50000in - :height: 4.25278in -.. |image76| image:: Configuring_CloudN_Examples_media/image076.png - :width: 6.50000in - :height: 4.25278in -.. |image78| image:: Configuring_CloudN_Examples_media/image078.png - :width: 6.50000in - :height: 4.25278in -.. |image80| image:: Configuring_CloudN_Examples_media/image080.png - :width: 6.50000in - :height: 4.25278in -.. |image82| image:: Configuring_CloudN_Examples_media/image082.png - :width: 6.50000in - :height: 4.25278in - - -.. disqus:: \ No newline at end of file 
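Review bot: deleting HowTos/configuring_cloudN_examples.rst leaves its media orphaned: every `.. |imageNN| image:: Configuring_CloudN_Examples_media/imageNNN.png` substitution at the end of the removed file pointed into Configuring_CloudN_Examples_media/, and no deletions for that directory appear in this diff, so either remove those images or confirm another page still uses them. Also check any toctree entry or cross-reference that pointed at configuring_cloudN_examples, since Sphinx will now warn on it. The removed page also carried a fixed initial console password (“admin” / “Aviatrix123#”) and told readers to click past the browser's “Your connection is not private” warning; if any of its content is re-homed elsewhere, that material should not be carried over as-is.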
diff --git a/HowTos/connect_overlap_cidrs_media/ios_config_template.png b/HowTos/connect_overlap_cidrs_media/ios_config_template.png new file mode 100644 index 000000000..823b6176d Binary files /dev/null and b/HowTos/connect_overlap_cidrs_media/ios_config_template.png differ diff --git a/HowTos/connect_overlap_cidrs_media/overlap_rbi.png b/HowTos/connect_overlap_cidrs_media/overlap_rbi.png new file mode 100644 index 000000000..00b425a1c Binary files /dev/null and b/HowTos/connect_overlap_cidrs_media/overlap_rbi.png differ diff --git a/HowTos/connect_overlap_cidrs_media/s2c_connection.png b/HowTos/connect_overlap_cidrs_media/s2c_connection.png new file mode 100644 index 000000000..e5d4a0824 Binary files /dev/null and b/HowTos/connect_overlap_cidrs_media/s2c_connection.png differ diff --git a/HowTos/connect_overlap_cidrs_media/s2c_overlapping_cidr_topology.png b/HowTos/connect_overlap_cidrs_media/s2c_overlapping_cidr_topology.png new file mode 100644 index 000000000..19683d67c Binary files /dev/null and b/HowTos/connect_overlap_cidrs_media/s2c_overlapping_cidr_topology.png differ diff --git a/HowTos/connect_overlap_cidrs_media/vpc1_to_vpc2_rbipsec.png b/HowTos/connect_overlap_cidrs_media/vpc1_to_vpc2_rbipsec.png new file mode 100644 index 000000000..b89a09a81 Binary files /dev/null and b/HowTos/connect_overlap_cidrs_media/vpc1_to_vpc2_rbipsec.png differ diff --git a/HowTos/connect_overlap_cidrs_media/vpc2_to_vpc1_rbipsec.png b/HowTos/connect_overlap_cidrs_media/vpc2_to_vpc1_rbipsec.png new file mode 100644 index 000000000..d7c00756c Binary files /dev/null and b/HowTos/connect_overlap_cidrs_media/vpc2_to_vpc1_rbipsec.png differ diff --git a/HowTos/connect_overlap_cidrs_media/vpc_to_onprem_rbipsec.png b/HowTos/connect_overlap_cidrs_media/vpc_to_onprem_rbipsec.png new file mode 100644 index 000000000..b9f3b0d7a Binary files /dev/null and b/HowTos/connect_overlap_cidrs_media/vpc_to_onprem_rbipsec.png differ 
diff --git a/HowTos/connect_overlap_cidrs_routebasedipsec.rst b/HowTos/connect_overlap_cidrs_routebasedipsec.rst new file mode 100644 index 000000000..b6f2b0b92 --- /dev/null +++ b/HowTos/connect_overlap_cidrs_routebasedipsec.rst 
@@ -0,0 +1,213 @@ + + +.. meta:: + :description: Create site2cloud connection with overlap network address ranges + :keywords: site2cloud, VGW, SNAT, DNAT, Overlap Network CIDR, overlap CIDRs, Route Based IPSec + + +=========================================================================================== +Solving Overlapping Networks with Network Mapped IPSec +=========================================================================================== + +The Scenario +------------------ + +This tech note illustrates an example solution to a specific use case. In this use case, a customer needs to connect certain +on-prem hosts to certain EC2 instances in a VPC over an IPSEC tunnel over the Internet, but the on-prem network range overlaps with the VPC CIDR range, and the requirement from the customer is that no NAT function will be performed on the customer side. In addition, traffic can be initiated from either side. + +The scenario is described in the following diagram: + +|overlap_rbi| + + +:: + + VPC CIDR = 10.20.0.0/20, instance-1 in VPC-1 has an IP address 10.24.1.4. + On-Prem CIDR = 10.20.0.0/20, host-1 in On-Prem has an IP address 10.24.7.101. + +The traditional solution is to build IPSEC tunnel between the two networks and use SNAT/DNAT rules to translate each addresses, as +demonstrated in this `example. `_. Such solution requires a potentially +large number of SNAT/DNAT rules which is difficult to configure and maintain. + +The Solution +------------------ + +The new solutions uses a new "network mapped" feature in Site2Cloud that removes the need to configure individual SNAT/DNAT rules. + +This solution uses a site2cloud route-based IPSEC tunnel using Virtual Tunnel Interface (VTI) between VPC and On-Prem Router. The packet flow is demonstrated as below: + + 1. instance-1 sends a packet to host-1 with a virtual destination IP address, for example 192.24.7.101. From instance-1's point of view, the destination instance is a virtual address - 192.24.7.101. 
+ #. When the packet arrives at the VPC-1 gateway, the gateway does DNAT on the packet to translate the virtual destination IP address to 10.24.7.101 which is the host-1 physical IP address. + #. The gateway at VPC then translates the packet source IP address (10.24.1.4) to a virtual source IP address, say it is 172.24.1.4. + #. The packet then arrives at On-Prem Cisco IOS Router with destination IP address 10.24.7.101 and source IP address 172.24.1.4. From host-1's point of view, instance-1's address is a virtual IP address - 172.24.1.4. + #. When host-1 sends a packet to instance-1, the destination is the virtual IP address 172.24.1.4. + #. When the packet arrives at the VPC-1 gateway over the IPSEC tunnel, the VPC gateway translates its destination IP address from virtual address 172.24.1.4 to 10.24.1.4. + #. The VPC gateway then translates the source IP address of the packet from 10.24.7.101 to virtual address 192.24.7.101. + + +The Configuration Steps +---------------------------- + +Step 1: Follow the Site2Cloud workflow to launch gateways +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Log in to the Controller console, go to Site2Cloud. Follow step 1 to launch a gateway in the VPC. + +(You can follow the `gateway launch instructions in this `_. Leave optional parameters unchecked.) + + +Step 2: Create a Site2Cloud tunnel +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Go to Controller Console -> Site2Cloud. + +Click "+Add New". Fill the form and click OK. Select "Mapped" for the Connection Type field. + +|s2c_connection| + + +2.1 VPC-1 gateway-1 side +######################### + +For the VPC gateway side, the Local Subnet field should be the subnet of VPC-1 (e.g. 10.24.0.0/20), and the Remote Subnet field should be the subnet of OnPrem Router (e.g. 10.24.0.0/20), as shown below. 
+ +================================================== ======================================================================= + **Field** **Value** +================================================== ======================================================================= + VPC ID/VNet Name Choose VPC ID + Connection Type Mapped + Connection Name Arbitrary (e.g. S2C-VPC-OnPrem) + Remote Gateway Type Generic + Tunnel Type Route-based + Algorithms Uncheck this box + Encryption over ExpressRoute/DirectConnect Uncheck this box + Enable HA Check this box if HA is required + Primary Cloud Gateway Select the Aviatrix Gateway created above + Remote Gateway IP Address Public IP of IOS Router WAN port (52.40.45.197 in this example) + Pre-shared Key Optional (auto-generated if not entered) + Remote Subnet (Real) 10.24.0.0/20 (On-Prem Network CIDR) + Remote Subnet (Virtual) Any/20 (On-Prem Network Virtual CIDR) + Local Subnet (Real) 10.24.0.0/20 (VPC-Cloud Network CIDR) + Local Subnet (Virtual) Any/20 (VPC-Cloud Network Virtual CIDR) +================================================== ======================================================================= + + +|vpc_to_onprem_rbipsec| + +.. important:: + Local & Remote Subnet (virtual) IP range could be anything but subnet should be same as Physical/Real subnet. + +2.2 Configure On-Prem Cisco Router +################################### + +Go to the **Site2Cloud** page. From the Site2Cloud connection table, select the connection created above (e.g. S2C-VPC-OnPrem) and click "Edit". + - Select **Cisco** from **Vendor** drop down list, select **ISR, ASR, or CSR** from **Platform** drop down list and select **IOS(XE)** from **Software** drop down list. + - Click the **Download Configuration** button to download the **Cisco IOS** Site2Cloud configuration + - Save the configuration file as a reference for configuring your Cisco IOS router + +The following is a sample configuration based on the Site2Cloud configuration above. 
+ +|ios_config_template| + +Either ssh into the Cisco router or connect to it directly through its console port. + +Apply the following IOS configuration to your router: + +:: + + ! Aviatrix Site2Cloud configuration template + ! + ! You need to populate these values throughout the config based on your setup: + ! : the isakmp policy number + ! : the IPSec tunnel interface number + ! : the source interafce of tunnel packets + ! : any un-used IPv4 address for the tunnel interface + ! when static routing is used + ! + ! -------------------------------------------------------------------------------- + ! IPSec Tunnel + ! -------------------------------------------------------------------------------- + ! #1: Internet Key Exchange (IKE) Configuration + ! A policy is established for the supported ISAKMP encryption, + ! authentication, Diffie-Hellman, lifetime, and key parameters. + ! + crypto keyring 52.40.45.197-20.42.145.156 + pre-shared-key address 20.42.145.156 key + ! + crypto isakmp policy 1 + encryption aes 256 + hash sha256 + authentication pre-share + group 14 + lifetime 28800 + crypto isakmp keepalive 10 3 periodic + crypto isakmp profile 52.40.45.197-20.42.145.156 + keyring 52.40.45.197-20.42.145.156 + self-identity address + match identity address 20.42.145.156 255.255.255.255 + ! + !--------------------------------------------------------------------------------- + ! #2: IPSec Configuration + ! The IPSec transform set defines the encryption, authentication, and IPSec + ! mode parameters. + ! + crypto ipsec transform-set 52.40.45.197-20.42.145.156 esp-aes 256 esp-sha256-hmac + mode tunnel + crypto ipsec df-bit clear + ! + crypto ipsec profile 52.40.45.197-20.42.145.156 + set security-association lifetime seconds 3600 + set transform-set 52.40.45.197-20.42.145.156 + set pfs group14 + set isakmp-profile 52.40.45.197-20.42.145.156 + ! + !--------------------------------------------------------------------------------------- + ! 
#3: Tunnel Interface Configuration + ! The virtual tunnel interface is used to communicate with the remote IPSec endpoint + ! to establish the IPSec tunnel. + ! + interface Tunnel1 + ip address 10.10.10.10 255.255.255.255 + ip mtu 1436 + ip tcp adjust-mss 1387 + tunnel source GigabitEthernet1 + tunnel mode ipsec ipv4 + tunnel destination 20.42.145.156 + tunnel protection ipsec profile 52.40.45.197-20.42.145.156 + ip virtual-reassembly + ! + !--------------------------------------------------------------------------------------- + ! #4: Static Routing Configuration + ! The static route directs the traffic to the Aviatrix remote subnets via the tunnel + ! interface. + ! + ip route 172.24.0.0 255.255.240.0 Tunnel1 + !--------------------------------------------------------------------------------------- + + +Wait for the tunnel to come up. + + +Step 3. Test site2cloud Connection +--------------------------------------------------------- + +Make sure your instance's Security Groups inbound rules are configured properly. + +From instance-1, you should be able to ping host-1 by "ping 192.24.7.101". +From host-1, you should be able to ping instance-1 by "ping 172.24.1.4" + +Done. + +.. |s2c_connection| image:: connect_overlap_cidrs_media/s2c_connection.png + :scale: 35% + +.. |overlap_rbi| image:: connect_overlap_cidrs_media/overlap_rbi.png + :scale: 40% + +.. |vpc_to_onprem_rbipsec| image:: connect_overlap_cidrs_media/vpc_to_onprem_rbipsec.png + :scale: 35% + +.. |ios_config_template| image:: connect_overlap_cidrs_media/ios_config_template.png + :scale: 30% + +.. disqus:: diff --git a/HowTos/connect_overlap_vpc_via_VGW_medium/site2cloud.png b/HowTos/connect_overlap_vpc_via_VGW_medium/site2cloud.png index 673e09e48..c448aee38 100644 Binary files a/HowTos/connect_overlap_vpc_via_VGW_medium/site2cloud.png and b/HowTos/connect_overlap_vpc_via_VGW_medium/site2cloud.png differ 
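Review bot: the literal block under “The Scenario” contradicts the rest of the page: it gives `VPC CIDR = 10.20.0.0/20` and `On-Prem CIDR = 10.20.0.0/20`, but instance-1 (10.24.1.4) and host-1 (10.24.7.101) are not inside 10.20.0.0/20, and the Step 2.1 table uses 10.24.0.0/20 for both Local and Remote Subnet (Real); change both lines to 10.24.0.0/20. Two links have empty targets (`example. `_ in the traditional-solution paragraph and `gateway launch instructions in this `_ in Step 1) and will not render. In the IOS template the placeholder names after `! :` in the header comment are empty and the value after `pre-shared-key address 20.42.145.156 key` is missing, so the template cannot be copied as shown; restore the placeholders. The `.. important::` note should state precisely what the “Any/20” entries in the table mean: the virtual range may be any address block, but its prefix length must equal that of the real subnet. 52.40.45.197 and 20.42.145.156 are routable public addresses; documentation examples should use RFC 5737 ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) so readers do not copy addresses that belong to someone else. Finally, the “Step 3. Test site2cloud Connection” heading uses `---` underlining while Steps 1 and 2 use `~~~`, which puts it at the same level as “The Configuration Steps”.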
diff --git a/HowTos/connecting_openvpn_to_onprem.rst b/HowTos/connecting_openvpn_to_onprem.rst new file mode 100644 index 000000000..367ca7e83 --- /dev/null +++ b/HowTos/connecting_openvpn_to_onprem.rst 
@@ -0,0 +1,76 @@ +.. meta:: + :description: Connecting OpenVPN users to Onprem + :keywords: site2cloud user vpn openvpn routing onprem on-prem client + + +============================================ +Connecting OpenVPN Users to Onprem +============================================ + +In this tutorial we will cover the basic routing needed to allow users connected to Aviatrix's OpenVPN service to access On-prem. This documentation assumes that there is an existing OpenVPN Gateway and a configured Site2Cloud tunnel. + +For more information on creating either, please refer to these links: + +- `Creating an OpenVPN Gateway `_ +- `Creating Site2Cloud Connection `_ + + +Topology +-------------- +=============================== ================================================================= + **Network** **CIDR** +=============================== ================================================================= +Client Network 192.168.43.0/24 +OpenVPN Gateway Network 10.99.245.0/24 +On-prem Network 10.200.0.0/16 +=============================== ================================================================= + +Configuration +-------------- + +1. Add the On-prem Networks to the OpenVPN Configuration +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Controller > OpenVPN > Edit Config > MODIFY SPLIT TUNNEL + +- Add the Onprem CIDR block (ig, 10.200.0.0/16) to Additional CIDR +- If Split Tunnel is set to "No" then no changes need to be made + +2. Establish Connectivity Between the OpenVPN Gateway and the Site2Cloud or Transit Gateway +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Depending on your network's use case, please refer to the links below: + +- `TGW Orchestration `_ +- `Aviatrix Transit Network `_ + + +3. Add the OpenVPN Gateway CIDR to the Site2Cloud Configuration +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +A. 
The Site2Cloud Connection is built on a Spoke Gateway + +Controller > Site2Cloud > select tunnel > Local Subnet(s) + +- Add the OpenVPN Gateway Network to Local Subnets(s) (ig, 10.99.245.0/24) +- The remote Firewal/Router will need to add the OpenVPN Gateway's network (10.99.245.0/24) to it's IPSec policy +- The User VPN client network (ig, 192.168.43.0/24) will be SNAT'ed off of the OpenVPN Gateway's local IP (ig, 10.99.245.x) + +B. The Site2Cloud Connection is Built on a Transit Gateway with BGP + +- Transit Gateways configured with BGP should advertise the OpenVPN network automatically + +Conclusion +-------------- + +Users connected to the SSL VPN should now be able to route through the OpenVPN Gateway back to On-prem. + +Troubleshooting +-------------- + +- Confirm the VPN User policy allows for connectivity to the On-prem network +- Log out of the Aviatrix VPN client and reconnect - this will refresh your device's local routes +- If this a TGW solution, confirm that the OpenVPN Gateway's Security Domain is connected to the S2C Security Domain +- If this is a BGP solution confirm that Transit Gateway is advertising the OpenVPN Gateway network (ig, 10.99.245.0/24) +- On the remote firewall or router check for any ACLs that would block the OpenVPN Gateway Network +- In AWS confirm there are no NACLs or Security Groups blocking the traffic diff --git a/HowTos/controller_backup.rst b/HowTos/controller_backup.rst index 7270e454c..6f2abc860 100644 --- a/HowTos/controller_backup.rst +++ b/HowTos/controller_backup.rst 
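Review bot: several headings in this file have underlines shorter than their titles (“2. Establish Connectivity Between the OpenVPN Gateway and the Site2Cloud or Transit Gateway”, “3. Add the OpenVPN Gateway CIDR to the Site2Cloud Configuration”, and “Troubleshooting” over a 14-character `--------------`), which Sphinx reports as “Title underline too short” and may render at the wrong level; extend the underlines. The four links (`Creating an OpenVPN Gateway `_, `Creating Site2Cloud Connection `_, `TGW Orchestration `_, `Aviatrix Transit Network `_) have empty targets. Wording: “ig,” should be “e.g.” throughout, “Firewal/Router” → “Firewall/Router”, “it's IPSec policy” → “its IPSec policy”, and “If this a TGW solution” → “If this is a TGW solution”. In section 3.A it would help to say in one sentence that, because the client range is SNAT'ed to the OpenVPN Gateway's local IP, the remote firewall's IPSec policy and ACLs must reference 10.99.245.0/24 and not 192.168.43.0/24; the page currently spreads this across three bullets, and the troubleshooting item “check for any ACLs that would block the OpenVPN Gateway Network” depends on the reader having drawn that conclusion.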
@@ -85,6 +85,8 @@ Once you are past the initial configuration steps: |imageRestoreAWS| + If Aviatrix Managed CloudN exists in the backup controller, after the restore operation on the new controller, you will need to go to the Aviatrix Managed CloudN UI and follow the steps of 2.2 and 2.5 in https://docs.aviatrix.com/HowTos/CloudN_workflow.html?highlight=managed%20CloudN by entering the new FQDN or IP of the new controller to complete the restore. You will be required to repeat 2.2 and 2.5 on other Aviatrix Managed CloudN if you have more than one Managed CloudN device. + How to backup configuration with AWS encrypted storage ------------------------------------------------------ 
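Review bot: the added paragraph is indented by one space (` If Aviatrix Managed CloudN exists in the backup controller, ...`), which reST renders as a block quote rather than body text; remove the leading space. The URL carries a search artifact (`?highlight=managed%20CloudN`) that should be dropped, and the reference to “steps 2.2 and 2.5” depends on another page's numbering; naming the steps or linking to their anchors would survive a renumbering. Also “repeat 2.2 and 2.5 on other Aviatrix Managed CloudN” → “repeat steps 2.2 and 2.5 on each additional Aviatrix Managed CloudN device”.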
@@ -125,6 +127,34 @@ AWS S3 allows uploaded backup files to be encrypted in the server side for more |KMSKeyAddUser| +How to backup Controller configuration privately with Azure Private Link +------------------------------------------------------------------------ + +Azure Private Link enables you to access Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer-owned/partner services over a private endpoint in your virtual network. Traffic between your virtual network and the service travels the Microsoft backbone network. Exposing your service to the public internet is no longer necessary. + +By leveraging Azure private link, the controller backups will happen privately from your VNET so that your blob storage account does not need to be exposed to the outside world. + +1. Create an Azure Storage Account +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + |AzureStorage| + +2. Setup the Storage Account for Private Link +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + a. On the 'Networking' tab for the storage account creation, select Private endpoint for the connectivity method. + + b. Add a new private endpoint with the target of the blob storage resource and enable DNS Integration + + |AzurePrivateEndpoint| + +.. note:: + + If you currently have exisisting private endpoints deployed, you may need to leverage an existing private zone in another subsciption. This must be completed through the dedicated private endpoint creation workflow. For additional assistance with this setup please reach out to an Aviatrix Solution Engineer for assistance. + +3. Verify Backup through Controller +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Once successful, backup traffic from the controller will be performed privately across private link so that associated storage account does not need to be accessible publicly. + OpenVPN is a registered trademark of OpenVPN Inc. .. |imageBackupAWS| image:: controller_backup_media/backup_restore_backup_aws.png 
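Review bot: step 3 claims the storage account “does not need to be accessible publicly”, but steps 1 and 2 only create a private endpoint; adding a private endpoint does not by itself turn off the storage account's public endpoint, so either add the step that sets the account's public network access to disabled (or restricts it to selected networks) or soften the claim. Formatting: the `|AzureStorage|` image and the `a.`/`b.` items are indented under their headings, which reST renders as block quotes; de-indent them so the items become an enumerated list. Typos: “exisisting” → “existing”, “subsciption” → “subscription”, “Setup the Storage Account” → “Set up the Storage Account”, and the note's last sentence repeats “assistance” (“For additional assistance ... for assistance”).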
@@ -145,6 +175,12 @@ OpenVPN is a registered trademark of OpenVPN Inc. .. |KMSKeyAddUser| image:: controller_backup_media/KMSKeyAddUser.png :scale: 30% :align: middle +.. |AzureStorage| image: controller_backup_media/AzureStorage.png + :scale: 30% + :align: middle +.. |AzurePrivateEndpoint| image: controller_backup_media/AzurePrivateEndpoint.png + :scale: 30% + :align: middle .. disqus:: diff --git a/HowTos/controller_certificate.rst b/HowTos/controller_certificate.rst index 990032ff3..7566b1c29 100644 --- a/HowTos/controller_certificate.rst +++ b/HowTos/controller_certificate.rst @@ -1,6 +1,15 @@ .. meta:: - :description: controller Certificate Management - :keywords: Controller Certificate Management + :description: Certificate Management + :keywords: Controller Certificate Management, Gateway Certificate Management + +################################### +Certificate Management Overview +################################### + +Customer can choose to use Aviatrix certificate created at the time of installation for the Controller and Gateway or customize the Controller and Gateway certificate to use an organization specific certificate. Both type are certificate issued locally through the Aviatrix Controller's automated processes. To customize the Controller or Gateway certificate, refer to the below steps. + +.. note:: Please make sure there are no special characters including space in the file name. + ################################### Controller Certificate Management 
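Review bot: the two new substitution definitions use a single colon (`.. |AzureStorage| image: controller_backup_media/AzureStorage.png` and `.. |AzurePrivateEndpoint| image: controller_backup_media/AzurePrivateEndpoint.png`); the directive is `image::`, so as written these are not valid substitution definitions and the `|AzureStorage|` and `|AzurePrivateEndpoint|` references in the new Azure Private Link section will raise “Undefined substitution referenced” errors. Change both to `image::`.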
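Review bot: in the new “Certificate Management Overview” of controller_certificate.rst the sentence “Both type are certificate issued locally through the Aviatrix Controller's automated processes.” is ungrammatical and reads as if customer-supplied certificates are also issued by the Controller, which contradicts the sentence before it; suggest “Both types are deployed through the Aviatrix Controller's automated processes” or state explicitly which of the two is issued locally. Also “Customer can choose” → “Customers can choose”, and the note “no special characters including space in the file name” should say which characters are acceptable so readers do not have to guess.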
@@ -18,7 +27,7 @@ Import Certificate with Key ----------------------------- This is the **preferred approach** compared to the next approach detailed below. Simply import ca.crt, server.crt and server.key to the Controller and -you are done. In this method, the private key file server.key must match the server.crt. +you are done. In this method, the private key file server.key must match the server.crt. Please refer to the configuration example `here `_ . Generate CSR and Import Certificate ------------------------------------- 
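Review bot: the added link `here `_ has no target URL, so “Please refer to the configuration example here.” will render as a broken reference; add the URL. The space before the final period (`\`_ .`) will also render as “here .”.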
@@ -52,6 +61,32 @@ as shown below. If everything works, you now have a signed certificate on the Controller! +################################### +Gateway Certificate Management +################################### + +The Gateway Certificate is created when each Gateway is launched thru the Controller console. At the time of Gateway launch, an Aviatrix self-signed certificate is issued to the Gateway to make sure all data transmission to and from the Gateway is authenticated. If you don't customize the certificate, your Gateway will continue to operate with the default certificate. If you choose to customize the certificate with your organization credentails, then you must apply the below steps to customize all existing and new Gateway. + +In addition, you can confirm and monitor each Gateway certificate type in the Aviatrix Controller Console > Gateway > reference column Cert Type. Please note, when customizing Gateway Certificates, all existing Gateways will get the custom certificate if the Gateway is on software version 6.0 or higher. If you're on version 14.04-GCP GWs, Gateway certificate is not supported. + + +Setup Custom Gateway Certificate +------------------------------------- + +Step 1. Navigate to the Setting +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Go to Settings > Advanced > Security subtab. Scroll down to the section Gateway Certificate Import Method. + +Step 2. Upload file and key +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +In the input field, upload the CA Certificate and CA Private Key. Click Ok. + + +Once you click ok, you will get a confirmation box to show that only R6.0 or higher will apply. Earlier version will failed the deployment for custom cert. If this happens, you will need to update the Gateway to the latest version before applying custom certificate. + +Step 3. 
Check the Gateway Cert Type to Confirm Deployment +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +When the deployment completes, go to your Gateway list and display the column name Cert Type. Check to make sure each of the Cert Type is Custom. diff --git a/HowTos/controller_certificate_media/Gateway-certificate-setting.png b/HowTos/controller_certificate_media/Gateway-certificate-setting.png new file mode 100644 index 000000000..101abc45c Binary files /dev/null and b/HowTos/controller_certificate_media/Gateway-certificate-setting.png differ diff --git a/HowTos/controller_certificate_media/gateway-cert-confirmation.png b/HowTos/controller_certificate_media/gateway-cert-confirmation.png new file mode 100644 index 000000000..236cbcfbb Binary files /dev/null and b/HowTos/controller_certificate_media/gateway-cert-confirmation.png differ diff --git a/HowTos/controller_config.rst b/HowTos/controller_config.rst index 5002bc1a7..317ade4bd 100644 --- a/HowTos/controller_config.rst +++ b/HowTos/controller_config.rst 
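Review bot: Step 2 tells the reader to upload a CA private key but the section never says what the Controller does with it or how it is stored; since that key is presumably what the Controller then uses to issue each gateway's certificate, the doc should say so and recommend a dedicated intermediate (issuing) CA for this purpose rather than the organization's root CA key. It should also state what happens to gateways below 6.0 at upload time and whether the custom CA applies automatically to gateways launched afterwards: the first paragraph says “all existing and new Gateway” while the confirmation-box sentence covers only existing ones. Wording: “thru” → “through”, “credentails” → “credentials”, “Earlier version will failed the deployment for custom cert” → “Earlier versions will fail to deploy the custom certificate”, “Navigate to the Setting” → “Navigate to the Settings”, “Click Ok” → “Click OK”, and “If you're on version 14.04-GCP GWs, Gateway certificate is not supported” is unclear (name the platform and version combination that is unsupported).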
@@ -16,6 +16,25 @@ where it is launched. The DHCP option contains DNS server which could be on-prem When "Use VPC/VNET DNS Server" is disabled, the controller uses Google public DNS server, therefore making the controller's DNS reachability independent of customer's configuration. This is recommended configuration. +Login Customization +---------------------- + +Enable/Disable Admin Login +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The “admin” account login can be disabled to instead use account user. + +To disable admin login to the Controller, go to Settings -> Controller -> Login Customization. Click Disable. + +Note that you need a local user with admin privileges to be created first, before you can disable the “admin” account. + +Login Banner +~~~~~~~~~~~~~~ + +Customize banner text for first time login for compliance. Any user who login for the first time must acknowledge the text before proceeding to Controller. + +To configure, go to Settings -> Controller -> Login Customization -> Login Banner. Enter the desired login banner text. Click Status to Enable and Click Save. The next time when a user login to the Controller, the user will be prompted with the banner text. Once the user clicks OK, the banner text does not show in the following logins. + .. |imageGrid| image:: advanced_config_media/grid.png diff --git a/HowTos/controller_ha.rst b/HowTos/controller_ha.rst index 7d6a0a60c..43ca94e6b 100644 --- a/HowTos/controller_ha.rst +++ b/HowTos/controller_ha.rst 
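Review bot: In the Login Banner subsection, "Once the user clicks OK, the banner text does not show in the following logins" undercuts the stated purpose ("for compliance"): most login-banner requirements expect the notice at every interactive login, so either confirm that once-per-user is the intended behaviour or document how to make it persistent. In Enable/Disable Admin Login, the prerequisite ("you need a local user with admin privileges to be created first") is good, but add the recovery path if that local admin is later locked out or deleted, since disabling "admin" removes the only fallback. Grammar: "can be disabled to instead use account user" should read "can be disabled so that a named account user is used instead"; "Any user who login" and "when a user login" should be "logs in".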
@@ -21,7 +21,7 @@ Overview Aviatrix Controller HA in AWS leverages an auto scaling group and a Lambda function to perform monitoring the health of the current Controller, launching a new controller and restoring the configuration when the active controller instance become unreachable. -When a new controller is launched, the existing controller is terminated and its EIP is associated to the newly launched controller. Existing configuration is restored, resulting in a seamless experience when failover happens. +When a new controller is launched, the existing controller is terminated, its EIP is associated to the newly launched controller, and the private IP is created in the new controller subnet. Existing configuration is restored, resulting in a seamless experience when failover happens. Prerequisites ------------- 
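Review bot: The new wording "the private IP is created in the new controller subnet" is ambiguous; state plainly that the replacement Controller receives a new private IP and only the EIP is carried over, because the FAQ added later in this same patch says the Lambda's PRIV_IP environment variable must be updated to the current controller private IP, and anything else that pinned the old private address (security group rules, on-prem firewall rules, internal DNS) needs the same update. Suggested text: "its EIP is re-associated with the newly launched controller, and a new private IP is allocated from the controller subnet."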
@@ -41,12 +41,14 @@ Prerequisites Controller HA Details --------------------- -Aviatrix Controller HA operates by relying on an AWS Auto Scaling Group. This ASG has a desired capacity of 1. If the Controller EC2 instance is stopped or terminated, it will be automatically re-deployed by the ASG. +Aviatrix Controller HA operates by relying on an AWS Auto Scaling Group. This ASG has a desired capacity of 1 (and minimum capacity = 0 and maximum capacity = 1). If the Controller EC2 instance is stopped or terminated, it will be automatically re-deployed by the ASG. An AWS Lambda script is notified via SNS when new instances are launched by the Auto Scaling Group. This script handles configuration using a recent Controller backup file. The Aviatrix Controller manages these backups once `enabled `__. Restoring the Aviatrix Controller from a newly built instance requires access to the S3 bucket to retrieve the latest backup file. In order to do this, the newly built EC2 Controller instance must be granted permission to read files in the bucket. The simplest method of doing this is via an `IAM user with programmatic access to the S3 bucket <#create-iam-user>`__. +The lambda script also requires access to the S3 bucket. It is recommended that the backup bucket is used in the same account that was used to launch the controller. + Steps to Enable Controller HA ----------------------------- 
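Review bot: The added sentence "The lambda script also requires access to the S3 bucket" does not say how that access is granted, whereas the preceding paragraph spells out the IAM user for the Controller; say whether the Lambda reads the bucket through the role the stack creates and state the minimum permissions it needs (presumably read-only on the backup bucket), so nobody reuses the IAM user's programmatic credentials inside the Lambda. Also fix "It is recommended that the backup bucket is used in the same account that was used to launch the controller" to "It is recommended that the backup bucket be in the same account that was used to launch the controller."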
@@ -66,9 +68,9 @@ Launch CloudFormation Stack | Enter VPC of existing | Select the VPC in this region where the | | controller instance. | AVX Controller is installed. | +-------------------------------+------------------------------------------+ - | Enter one or more subnets in | Select the subnet where the Controller | - | different Availability zones | is installed and optionally one | - | within that VPC. | additional subnet for redundancy. | + | Enter one or more subnets in | Select a PUBLIC subnet of the controller | + | different Availability zones | VPC. Optionally one additional subnet for| + | within that VPC. | redundancy. | +-------------------------------+------------------------------------------+ | Enter Name tag of the existing| Enter the **Name** tag for the existing | | Aviatrix Controller instance. | Controller EC2 instance. | 
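Review bot: The table cell now says "Select a PUBLIC subnet of the controller VPC" but gives no reason; add one sentence explaining that the replacement Controller is launched into this subnet and the transferred EIP only passes traffic when the subnet routes to an internet gateway, and what a wrong choice looks like (the new instance comes up but is unreachable at the EIP). Without that, readers whose existing Controller sits in a private subnet will not realise the HA stack needs a different subnet from the one the Controller is in.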
@@ -95,29 +97,75 @@ Launch CloudFormation Stack .. note:: This stack creates the following: - * An Autoscaling group of size 1 and associated security group + * An Autoscaling group of size 1 (minimum capacity=0, maximum capacity=1, desired capacity=1) and associated security group * A SNS topic with same name as of existing controller instance * An email subscription to the SNS topic (optional) * A Lambda function for setting up HA and restoring configuration automatically * An AWS Role for Lambda and corresponding role policy with required permissions +.. note:: + Please note that if you change the Controller name or change the backup destination bucket on S3, your Controller HA will not work as expected. You would have to delete the Controller HA CloudFormation Stack and redeploy it. + + .. tip:: Additional instructions and code are available `here `__. + + .. note:: + During spinning up the HA after the current active controller stops or being terminated by accident, you won't see a new controller for a few minutes on AWS console, it is expected. Steps to Disable Controller HA ------------------------------ You can disable Controller HA by deleting the Controller HA CloudFormation stack. -Log in to AWS Console, go to CloudFormation Service, identify the CloudFormation stack you used to enable Controller HA and delete the stack. + * Please take a backup from the Controller first - Controller/Settings/Maintenance/Backup&Restore/BackupNow. Please check in your S3 bucket to make sure that there is new backup files were generated and saved + * Check the ASG capacity first, it should be minimum capacity=0, maximum capacity=1, desired capacity=1. 
If these are changed, deleting the Controller HA Cloudformation stack could have an impact on your current Controller + * Log in to AWS Console, go to CloudFormation Service, identify the CloudFormation stack you used to enable Controller HA and delete the stack + * **Please be careful,** and delete the cloudformation stack associated with the controller HA - and do not delete your controller launch cloudformation stack FAQ --- +* How can I know which version of HA script I am running? + + versions.py file found in the AWS Lambda function with the name -ha would show the information. You can also see the version in the cloudwatch logs. Only versions from 1.5 and above are visible. + +* How can I get notification for H/A events? + + Enter an email address to receive notifications for autoscaling group events while launching the CFT. You would receive an email to subscribe to SNS. Click on the link from the email to accept SNS event notifications + +* My H/A event failed. What can I do? + + You can manually restore the saved backup to a newly launched controller. Please ensure controller H/A is disabled and re-enabled by deleting and re-creating the CFT stack to ensure that lambda is pointing to the right backup + +* How do I ensure that lambda is pointing to the right backup? + + In the AWS Lambda, verify if the INST_ID environment variable is updated correctly to the current controller instance ID and the PRIV_IP environment variable is updated to the current controller private IP. + +* Where do I find logs related to controller H/A ? + + All logs related to H/A can be found in AWS Cloudwatch under the log group -ha + +* How do I make lambda talk to the controller privately within the VPC? + + Launch CFT with Private access set to True. Attach lambda to the VPC from the AWS console. Ensure that the VPC that you have attached the lambda to has internet access via NAT gateway or VPC endpoints. 
You can also ensure that lambda has internet access by attaching an EIP(Elastic IP) to the lambda ENI(Network Interface). Please ensure that everything is reverted before you destroy the stack. Otherwise the lambda will not have internet access to respond to the CFT(CFT may get stuck on destroy). + * Can two controllers in two different regions be linked such that they can detect if one or the other is down? Is this possible? Our Controller HA script leverages EC2 auto scaling. EC2 auto scaling doesn’t support cross regions but it does support cross AZs. The script will automatically bring up a new Controller in case the existing Controller enters an unhealthy state. * Could a controller in a different region be used to restore a saved configuration in case of disaster recovery? Will the change in controller’s IP cause any issues? A controller can be manually launched from a different region and the backed up configuration can be restored on it. The controller’s new EIP shouldn’t cause any issue unless SAML VPN authentication is being used. (All peering tunnels will still work). In that case, SAML VPN client will need reach the controller IP address. If FQDN hostname is used for the controller for SAML, then it should work after changing the Route 53 to resolve to the correct EIP in the different region. +* How do I manage the controller HA stack if the controller instance's disk is encrypted? + If EBS Encryption using Customer managed key is enabled, the Autoscaling Group created may not have permissions to launch the instance. You will need to allow the service-linked role created for the Autoscaling group to have permissions to use this key for the cryptographic operation. To do so, go to AWS KMS->Customer managed keys->select the key and add the "AWSServiceRoleForAutoScaling" role to the list of Key Users. + +* What do I need to do after I change the controller name? + Please delete the CFT stack and then create a new CFT stack using the new controller name. 
+ +Changelog +--------- +The changes from various releases can be viewed from `here `_ + + + .. disqus:: diff --git a/HowTos/controller_migration.rst b/HowTos/controller_migration.rst index ec47b092c..7daf42364 100644 --- a/HowTos/controller_migration.rst +++ b/HowTos/controller_migration.rst 
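Review bot: In the FAQ "How do I make lambda talk to the controller privately within the VPC?", attaching an EIP to the Lambda ENI gives the function a public address just to reach the internet; make the NAT gateway or VPC endpoint path the primary instruction, present the EIP only as a fallback, and spell out what "everything is reverted" means (detach the EIP, remove the VPC attachment) since the answer already warns the stack can hang on destroy otherwise. Two rendering problems in the same hunk: the Lambda function name and CloudWatch log group appear as a bare "-ha" in the versions.py and logs answers, so the controller-name prefix is missing and should be written as a literal "<controller-name>-ha"; and the "here" links in the tip and in the new Changelog section show no target. In Steps to Disable, "make sure that there is new backup files were generated" should read "make sure that new backup files were generated".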
@@ -7,76 +7,80 @@ Controller Migration in AWS Introduction -=============== +-------------- + This feature is released in 5.3. It consists of 2 sub-features: - - Migrate - - Restore + * Migrate + * Restore + +This feature will migrate your controller to run from the latest AMI. A controller migration might be needed for the following reasons: -| -| + * If your controller is running an old AMI and you are trying to upgrade to version 5.4, your upgrade will be blocked as a new AMI is required for 5.4 + * If you are looking to move to a newer AMI for your controller on recommendation from Aviatrix Support to pick up any new fixes Migrate -===================== +########### -Intro --------- - -+ This feature mainly is to perform "One Click" operation to migrate the current Aviatrix controller to a new one. -+ The EIP will be migrated from old controller to the new one. -+ The whole migration process will take around 10 to 15 minutes. +Introduction +-------------- ++ This feature mainly is to perform one click "Migrate" operation under "Settings->Maintenance->Migration" tab to migrate the current Aviatrix controller to a new one. ++ The EIP will be migrated from old controller to the new controller. ++ The whole migration process will take around 10 to 15 minutes. Prerequisites ----------------- -+ The feature only supports AWS and AWS-Gov at the moment -+ User needs to enable controller backup using an AWS based access-account. -+ User must disable controller HA. (User can enable HA again on the new controller once migration is fully completed) ++ The feature is supported in AWS and AWS-Gov for the "BYOL" and "Metered" AMI's. ++ An `account audit `_ on the controller account and all secondary accounts also should be done to make sure that the `IAM roles and policies `_ are setup as suggested. ++ User needs to `enable controller backup `_ using an AWS based access-account. 
+ User should not make any config change during the migration as these config will be lost once new controller takes over. - - - ++ This activity should be scheduled during a maintenance window and a walk through `pre-op checklist `_ is highly recommended. ++ Please upgrade to the latest build of your current release. For example, if running 5.3, goto "Settings/Maintenance/Upgrade/UpgradeToACustomRelease" and enter "5.3" and click on "Upgrade to a custom release". Please follow the `upgrade instructions `_. ++ **PLEASE NOTE:** User must `disable controller HA `_. (User can `enable HA again `_ on the new controller once migration is fully completed) ++ **PLEASE NOTE:** If you are using SAML login for either the controller login(Settings/Controller/SAMLLogin) and/or for openvpn authentication(OpenVPN/Advanced/SAML), the newer AMI's are much more stricter in validating the EntityId - please make sure that they are configured to be exactly same on the endpoints configured on the controller and the SAML applications in the IdP Controller Migration feature does the following in sequence --------------------------------------------------------------- 1. User executes the "Migrate" feature on old controller -2. Old controller enables controller "BackUp Now" feature to make sure the backup config file is up-to-date -3. Old controller creates a new cloud virtual machine which has the latest Aviatrix controller image +2. Old controller executes "Controller/Settings/Maintenance/Backup&Restore/BackUpNow" to take a new backup to ensure that the backup is up-to-date +3. Old controller creates a new Aviatrix Controller using the latest Aviatrix controller AMI 4. New controller extends disk partition to the max of the disk space available -5. New controller initialize itself to match the version of old controller +5. New controller initializes itself to match the software version of old controller 6. New controller restores configuration file from backup of step 2 7. 
New controller invokes cloud API to transfer its old controller's EIP to itself 8. New controller invokes cloud API to stop old controller - - +Note: A temparory EIP is created for business continuity during migration. A new private IP will be created on the new controller. Status --------- -+ The migration status will be displayed in a tag named "MigrationStatus" of the new controller instance. Sample status messages are "Initializing", "Migrating", "Successful". ++ The migration status will be displayed in a tag named "MigrationStatus" of the new controller instance on AWS console. Sample status messages are "Initializing", "Migrating", "Successful". After "Successful" appears around 15 minutes of migration, you may prepare to access the same EIP. +Post Migration Tasks +--------------------------- +* If you have your old `controller behind an ELB `_, please note that you would have to remove the old controller's instance from the ELB's listening group and add the new controller's instance in its place. -| -| +* Once all the tests are done to ensure that the controller migration is complete and successful, you can delete the old controller. It can be left in "stopped" status for a while, but it should never be started - else, it will reach out to the gateways and the network could have issues with two controllers trying to monitor/modify the gateways. Restore -======================================== +############ Intro -------------------------------------------------------------------------------- + This feature is being performed in the new controller. -+ This feature mainly is to perform "One Click" then give/return EIP from new controller back to the old controller if user decides to revert the "Migration" process. ++ This feature mainly is to perform one click "Restore" operation under "Settings->Maintenance->Migration" tab to restore EIP from new controller back to the old controller if user decides to revert the "Migration" process. 
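Review bot: The new note "A temparory EIP is created for business continuity during migration" (typo: temporary) does not say whether that EIP is released once the old controller's EIP is transferred in step 7; state it, because a leftover EIP is both a cost and a public address still associated with the stopped old controller. Post Migration Tasks should also tell readers that the stopped old controller still holds the configuration it was running with on its volume, so "you can delete the old controller" should say to terminate the instance together with its volumes once the migration is verified. Minor: "AMI's" should be "AMIs", "much more stricter" should be "much stricter", "exactly same" should be "exactly the same".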
@@ -91,4 +95,31 @@ Logic Workflow 4. New controller invokes cloud API to stop itself + +Controller Migration in Azure +################################## + +Workflow + +1. Old controller perform "Settings->Maintenance->Backup&Restore->Backup->Backup Now" +2. Launch the new controller(for 5.3 to 5.4 controller migration, , when prompted to upgrade to "latest", replace latest with 5.3) + New controller perform "Settings->Maintenance->Backup&Restore->Restore->Restore(with latest backed up file) +3. Skip this step if you are NOT migrating from 5.3 to 5.4, but for 5.3 to 5.4 controller migration, upgrade new controller to 5.4 +4. If you want to keep the old controller public ip, detach it from the old controller and reattch to new controller. Otherwise perform "Troubleshoot->Diagnostics->Network->Controller IP Migration->Migrate" + +Controller Migration in GCP +################################## +GCP controller image in 5.3 and previous releases are based of 14.04 ubuntu distribution. 5.4 versions and higher versions of controller image will be based of 18.04 ubuntu distribution. Controller upgrade from 5.3 to 5.4 is not supported, instead the following workflow needs to be used. + +Controller Migration from 5.3 to 5.4 + +1. On old controller (with version 5.3) perform "Settings->Maintenance->Backup&Restore->Backup->Backup Now" +2. Create a new controller based of latest GCP controller image following instructions at + https://docs.aviatrix.com/StartUpGuides/google-aviatrix-cloud-controller-startup-guide.html +3. When prompted to upgrade to "latest", replace latest with 5.3 +4. On the new controller perform "Settings->Maintenance->Backup&Restore->Restore->Restore(with latest backed up file) +5. If you want to keep the old controller public ip, detach it from the old controller and reattach to new controller. + Otherwise perform "Troubleshoot->Diagnostics->Network->Controller IP Migration->Migrate" +6. Upgrade new controller to 5.4. + .. disqus:: 
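Review bot: Both the Azure and GCP workflows restore the backup onto the new controller while the old controller is still running, and neither includes a step to stop the old controller; the AWS section of this same file warns that two live controllers will both reach out to the gateways, so add "stop the old controller" before the restore (or at the latest before the IP migration) in both lists. Numbering is also broken: in the Azure workflow the restore action has no number and is folded into step 2 ("Launch the new controller(for 5.3 to 5.4 controller migration, , when prompted" also has a doubled comma), so the list shows four numbers for five actions. Typos: "based of" should be "based on" (three occurrences), "reattch" should be "reattach", "Old controller perform" and "New controller perform" should be "performs".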
diff --git a/HowTos/controller_ssl_using_elb.rst b/HowTos/controller_ssl_using_elb.rst index 5f32835d0..d7b51a41e 100644 --- a/HowTos/controller_ssl_using_elb.rst +++ b/HowTos/controller_ssl_using_elb.rst @@ -72,6 +72,9 @@ Follow the steps below to put the Aviatrix Controller behind an AWS ALB: |imageRoute53Example| + +#. The Controller's security groups should have inbound allow policy for port 443 for the VPC CIDR, so that the ELB can talk to the Controller + .. |imageConfigureStep1| image:: controller_ssl_elb_media/configure_lb_step1.png :scale: 75% diff --git a/HowTos/copilot_faq.rst b/HowTos/copilot_faq.rst new file mode 100644 index 000000000..e7f6a169f --- /dev/null +++ b/HowTos/copilot_faq.rst 
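Review bot: The new step opens port 443 on the Controller's security group to the entire VPC CIDR, which is broader than needed: an AWS ALB has its own security group that can be referenced as the source of an inbound rule, so the instruction should name the ALB's security group (or at minimum the ALB subnets) rather than the VPC CIDR. Also "ELB" in this sentence and "ALB" in the section's opening line refer to the same load balancer; use one term.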
@@ -0,0 +1,117 @@ +.. meta:: + :description: Aviatrix CoPilot FAQs + :keywords: CoPilot,visibility + + +============================================================ +Aviatrix CoPilot FAQs +============================================================ + + +What is the default login for CoPilot? +==================================================== + +Today CoPilot authenticates against aviatrix controller’s list of local users. + +Are the traffic flow records coming from controller or gateways? +=============================================================================== + +The flows are sent from the Aviatrix gateways directly to CoPilot's instance. + +How do ThreatGuard firewall policies interact with existing/new firewall policies applied to the same gateways? +============================================================================================================== + +The ThreatGuard drop policies are in addition to the existing firewall policies applied to the same gateways. + +What protocol does CoPilot use to talk to its controller? +=============================================================================== + +RestAPI and HTTPS + +How long does it take for data to start showing in FlowIQ? +=============================================================================== + +It may take ~5 Minutes for flow data to appear in the UI + +How are updates handled? Can I configure it? +=============================================================================== + +Updates are downloaded and applied automatically. The update process runs every 60 Mins. In order to stop updates, you can stop updates service under the services tab + +What is the smallest recommended Instance/VM size? +=============================================================================== + +For production deployments, minimum requirement is 8vCPU and 32G of Memory + +Can I configure flows to be sent over private IPs? 
+=============================================================================== + +CoPilot does not set up a private overlay between the gateways and itself. If a private communication path between the gateways and CoPilot is available, then you can use CoPilot’s private IP when you input the collector IP in the controller. +For example, if you have an Aviatrix transit gateway, and you put CoPilot in one of the spokes, then you can use CoPilot’s private IP as the destination. + + + +Does CoPilot hold any user or sensitive data? +=============================================================================== + +CoPilot does not hold any user-identifiable or payment processing information. As of this release, it also does not hold any credentials on the appliance’s storage. However, it is a recommended to ensure all security best practices are followed. + +Can I Encrypt Volumes for CoPilot ? +=============================================================================== + +In AWS, you can use EBS encryption should this be a requirement. To encrypt the disk for CoPilot, you will need to ensure encryption option is checked during launch of the VM. +If this is not done at time of launch, you will then have to create a snapshot and recreate a new instance from that snapshot with encryption option checked. + +How does CoPilot get its data? +=============================================================================== + +1.Controller APIs + + CoPilot dials into controller to retrieve information from CoPilot. + +2.Flow records + + Aviatrix Gateways generate and export information about network traffic. Flows come directly from Gateways to CoPilot. + + +If Controller IP changes and if copilot is associated with an old controller IP, how to login into Copilot? 
+============================================================================================================ + +If you are logged in to copilot go to Copilot UI -> Settings and click on the 'Reset controller IP' button. It will prompt you to enter the new Controller IP address and service account credentials. + +If you are logged out of Copilot, please open a support ticket at `Aviatrix Support Portal `_ for a solution. + + +Is FlowIQ showing realtime traffic? +=============================================================================== + +Flow records are generated by the Gateways. The agent on the Gateways observes and keeps track of the flows and as soon as a particular flow ends, or if the flow expiry interval is reached, the flow record is sent to CoPilot. + +How long is the data retained ? +=============================================================================== + +This will depend on the nature of traffic and volume. The answer to this question will vary depending on different environment. + +Can the data retention be adjusted ? +=============================================================================== + +Today you can set a threshold based on disk space available, so that you can remove the old records. + +Can we turn topology tunnels Red/Green based on tunnel status ? +=============================================================================== +The tunnels are responsive to the state of the link. + +Can we provide bandwidth details of links/tunnels ? +=============================================================================== +If you can specify source and destination for the two endpoints of the path, i.e gateways, you will be able to obtain this information from FlowIQ by using filters. + + +Why do I get an error Failed to fetch Topology when I open the Topology page? 
+=============================================================================== + +If you get the error **Failed to fetch Topology data** when opening the Topology page, CoPilot was unable to access the data it needs for topology. If the issue persists, Contact Aviatrix Support. + +How I can get my additional questions answered ? +=============================================================================== + +Visit Aviatrix.com and use the live chat icon to talk to a live expert. diff --git a/HowTos/copilot_getting_started.rst b/HowTos/copilot_getting_started.rst new file mode 100644 index 000000000..06ef22aa3 --- /dev/null +++ b/HowTos/copilot_getting_started.rst 
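Review bot: "Does CoPilot hold any user or sensitive data?" states that CoPilot "does not hold any credentials on the appliance's storage", but the "Reset controller IP" answer in this same file has the user enter service account credentials, and the deployment guide added in this patch configures a CoPilot Service Account that runs alerts, topology replay and ThreatGuard "without any user logged in"; say where those service-account credentials are kept so the two statements agree. In "How does CoPilot get its data?", "CoPilot dials into controller to retrieve information from CoPilot" should be "from the Controller". The updates answer ("Updates are downloaded and applied automatically... every 60 Mins") should name the update source and say whether packages are authenticated, since that is what a reader deciding whether to leave the updates service running needs. Grammar: "it is a recommended" should be "it is recommended", "How I can get" should be "How can I get", "Contact Aviatrix Support" should be lower-case "contact".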
@@ -0,0 +1,316 @@ +.. meta:: + :description: Aviatrix Getting Started + :keywords: CoPilot,visibility + + +============================================================ +Aviatrix CoPilot Deployment Guide +============================================================ + + +Launch CoPilot +================== + +Aviatrix CoPilot is available as an all-in-one virtual appliance that is hosted in a user's own IaaS cloud environment. +It can be launched as an EC2 instance in AWS, a virtual machine in Azure, or a VM instance in GCP and OCI. Please make sure default configurations for resources settings that are recommended by marketplaces are applied during launch. +After successfully launching the instance, follow these steps to configure CoPilot instance parameters and launch. +Please note that you will need an Aviatrix Controller to use CoPilot. CoPilot works in tandem with Aviatrix Controller. Aviatrix Controller and CoPilot are not required to be collocated. It is possible to run them in separate VPCs/VNETs or separate cloud providers (in multi-cloud environments). + + +Instance Configuration Details +------------------------------ + +- Configure your CoPilot security group as shown below to allow the following: + + - 443 from anywhere user access (User Interface) + + - UDP port 5000 from specific gateway IPs + + - UDP port 31283 from specific gateway IPs + +.. tip:: + You can leverage Aviatrix Controller's security group management to copy the IP addresses of the gateways. + + +Subscribe to a CoPilot Offer +============================ + +Subscribe to an Aviatrix CoPilot offer in a cloud provider marketplace. + +For licensing and trials, CoPilot is offered with a BYOL model. Before subscribing to CoPilot in a cloud marketplace, obtain a license key for CoPilot by contacting your Aviatrix Sales representative. 
Since CoPilot works in tandem with Aviatrix Controller to provide visibility into your cloud resources managed by the controller, it is assumed that you already have a controller. + +To subscribe to a CoPilot offer: + +1. Log in to the marketplace of your chosen cloud provider using your provider user account credentials. CoPilot is available in the marketplaces for: + + - Amazon Web Services (AWS) + - Google Cloud Platform + - Microsoft Azure Marketplace + - Oracle Cloud Infrastructure (OCI) + +2. Locate the Aviatrix CoPilot software offer you want to subscribe to and click **Subscribe**. + + For information about Aviatrix CoPilot image versions, see `Aviatrix CoPilot Image Release Notes `_. + + +3. When prompted, review the subscription pricing information and accept the terms and conditions. You may be prompted to confirm your subscription before moving on to configuration. + +4. Each marketplace will prompt you to configure and launch the CoPilot software. Apply the default configurations for resource settings that are recommmended by your chosen marketplace. For CoPilot instance configurations, you can accept the defaults or change them to suit your business needs. Note the following required CoPilot instance specifications: + + - **(Storage & Instance) Aviatrix Copilot 1.5.1 image release**: + + When deploying the Aviatrix CoPilot 1.5.1 image release: + + - During instance creation, you must attach at least one data disk (data volume) to your CoPilot instance to be used for expandable storage (see CoPilot Disk (Volume) Management). This is in addition to the 25GB root disk that comes with CoPilot. Create your disk (volume) and attach the disk (volume) to your CoPilot instance. You can choose the disk type (volume type) that meets your business needs given the size of your environment and performance requirements. There is no minimum requirement for the storage you add at this stage. + - Attach the disk (volume) to your CoPilot instance. 
Later, when you newly launch CoPilot, CoPilot will format and attach your disks (a logical disk/volume is created from all physical disks) as part of the initial setup. + - CoPilot supports automatic memory sizing for the ETL and datastore based on the physical memory of the instance at boot. The base image will default to these automatic settings. Memory settings are located in CoPilot under Settings > Configuration > Options. + + - **(Storage & Instance) Pre-1.5.1 image releases ONLY**: + - For machine/instance/VM type, CoPilot requires a minimum of 8 vCPUs and 32 GB Memory. + - CoPilot requires 2 TB of storage (SSD recommended) + + - CoPilot requires a static public IP address (for example, an Elastic IP address in AWS) + - Copilot requires the following service ports: + + - TCP port 443 for Web UI (to reach CoPilot public IP via HTTPS using your web browser) + - UDP port 31283 for FlowIQ (port is configurable) + - UDP port 5000 for Remote Syslog Service + + For the UDP ports, change the default inbound rule of 0.0.0.0/0 to only the IP addresses of your Aviatrix gateways. For port 443, you can allow only your and other trusted user's IP addresses. + + +5. After specifying all values for the marketplace configuration prompts, deploy/launch the CoPilot instance/virtual machine. + + For example, in AWS, you select the region and click **Continue to Launch**. + + You should receive a message from the cloud provider stating that the instance of CoPilot software is launched/deployed. + +6. Assign a static public IP address to the CoPilot software instance/virtual machine. For example, in the AWS EC2 console, you would go to the Elastic IP section and assign an EIP to the CoPilot instance. + + Take note of the IP address to use later during initial setup of CoPilot. + +7. Start the CoPilot instance/virtual machine. + + For example, in the AWS EC2 Dashboard, check the instance checkbox and from the Actions menu, choose Start Instance. 
+ + You are now ready to launch CoPilot in a web browser or from the Aviatrix Controller homepage and perform your initial setup. + + +Initial Setup of CoPilot +======================== + +Perform an initial setup of Aviatrix CoPilot after you deploy/launch the CoPilot software in the cloud provider of your choice. + +For initial setup of CoPilot, have the following information available: + +- The static public IP address of your recently deployed CoPilot software instance/virtual machine (obtained from the cloud provider portal). +- The static IP address for your Aviatrix Controller. +- The login credentials of your Aviatrix Controller user account. +- The login credentials for the user account to be used as the CoPilot service account. If you plan to use the ThreatGuard feature, the CoPilot service account must have a minimum of `all_firewall_write` permissions. +- The CoPilot licence key (obtained from your Aviatrix representative). + +This procedure assumes your Aviatrix Controller is up and running and the controller instance's inbound rules have port 443 open to the public static IP address of the CoPilot instance (so that CoPilot can reach your controller). Your CoPilot software instance/virtual machine must also be up and running. + +To perform an initial setup of CoPilot: + +1. Launch CoPilot in your web browser: + + `https:///` + + where `` is the static IP address of your newly deployed CoPilot software instance/virtual machine. + + Alternatively, you can launch CoPilot from Aviatrix Controller as described in the next step. + +2. (Optional) Launch CoPilot from Aviatrix Controller: + + a. In Aviatrix Controller, under Settings, select CoPilot. + + b. For the CoPilot Association, set the status to **Enabled** and enter the static IP address for your running CoPilot instance. + + c. From the controller homepage, click the CoPilot button in the action bar. + +3. 
When prompted, enter the login and password of a valid Aviatrix Controller user account and the static IP address for your controller. + + |copilot_login_user_account| + +4. When prompted for a **CoPilot Service Account**, enter the login credentials for a valid user account in Aviatrix Controller to be used as the CoPilot service account. + + The CoPilot service account is used to run CoPilot services such as alerts, topology replay, and ThreatGuard (without any user logged in). + + |copilot_login_service_account| + +5. When prompted for **CoPilot Customer ID**, enter your CoPilot licence key. + + |copilot_login_customer_id| + + **Note:** If you plan to terminate your current instance of CoPilot and deploy a new instance using the same license key, release the CoPilot license of the current instance first. To release the license, in CoPilot under Settings->Licensing, click the **RESET** button. + +6. **(If you are **NOT** prompted to add a data disk)** If you are not prompted to add a data disk, skip to step 8 (to verify connectivity with your controller). + +7. **(If you are prompted to add a data disk**) If you are prompted to add a data disk, select the disk/volume you created for storage for CoPilot and click START. When the process is complete, click FINISH. + +8. (Verify connectivity with your controller) To verify Copilot has connected successfully to your controller, from the CoPilot dashboard, confirm that you can see the inventory of all resources across all clouds in your multi-cloud network that are managed by Aviatrix Controller. Confirm that the inventory tiles show the number and status of each of your managed resources and the global location of your managed VPCs/VPNs/VNETs are represented on the geographic map. + +9. (For FlowIQ feature) To use the FlowIQ feature in CoPilot, ensure that the controller is configured to forward NetFlow logs to CoPilot. + + a. Log in to Aviatrix Controller. + + b. Go to Settings -> Loggings -> NetFlow Logging. + + c. 
Use the static IP address of CoPilot as the server and UDP port 31283 (default, port is configurable). + + You should start seeing NetFlow in CoPilot after a few minutes. + +10. (For remote syslog service) To enable syslog for performance monitoring in CoPilot, ensure that the controller is configured to specify CoPilot as the loghost server. + + a. Log in to Aviatrix Controller. + + b. Go to Settings -> Loggings -> Remote Syslog. + + c. Enable the Service, choose a Profile Index (ie. 0), and use the static IP address of CoPilot as the server and UDP port 5000 (default). + + +About CoPilot User Accounts +============================================= + +This section describes user accounts for CoPilot and permissions required for some features. + +You can use any valid user account defined on the controller to log in to CoPilot. + +During initial setup of CoPilot, you specify a user account defined on the controller to be used as the CoPilot service account. The CoPilot service account is used to run CoPilot services, such as alerts, topology replay, and ThreatGuard (without any user logged in). If you plan to use the ThreatGuard feature, the CoPilot service account must have a minimum of `all_firewall_write` permissions. + +For a user to enable ThreatGuard alerts or ThreatGuard blocking in CoPilot, they must log in to CoPilot with a user account that has `all_write` or `all_security_write` or `admin` permissions. + +Users who will not enable ThreatGuard alerts or blocking can log in to CoPilot with an account that has `read_only` permissions and use all of its other features. + +Users should be granted only the permissions needed to perform their work. Review user privileges on a routine basis to confirm they are appropriate for current work tasks. + + +Configure Controller's access for CoPilot +============================================= + +- Assign a static public IP address to CoPilot. 
For example, in EC2 console, you go to the Elastic IP section and assign an EIP to the CoPilot instance. + +- On Controller security groups, ensure 443 is open to the public IP of the CoPilot instance. + +- Configure a dedicate user account on Aviatrix Controller for CoPilot. + +- You should now be able to log in to CoPilot with the credentials we configured above. + +.. note:: + If you are using RBAC, as of 1.1.5 CoPilot requires read-only access + access to ping and traceroute functions for diagnostic capabilities. + + +Enable Syslog for Performance Monitoring +============================================== + +- Log in to Aviatrix Controller. + +- Go to Settings -> Loggings -> Remote Syslog. + +- Enable the Service, choose a Profile Index (ie. 0), and use the EIP of CoPilot as the server and UDP port 5000 (default). + + +Enable FlowIQ +================= + +- Log in to Aviatrix Controller. + +- Go to Settings -> Loggings -> NetFlow Logging. + +- Use the EIP of CoPilot as the server and UDP port 31283 (default). + + +Deployment is complete. At this point your CoPilot is set up and ready to use. You should start seeing NetFlow in less than 5 minutes. Note that when you launch CoPilot at first your version number will be based on the version in the image. Within an hour, the CoPilot version will be updated. + + +CoPilot Disk (Volume) Management +================================ + +Allocate data disks (volumes) to your Aviatrix CoPilot deployment to be used for expandable storage. + +When you initially provision CoPilot (from your cloud service provider), you add a disk (volume) to be used for CoPilot storage. You are required to add at least one disk (volume). You create the data disk (volume) in your CSP account and attach it to your CoPilot instance. During instance provisioning, there is no minimum requirement for the disk/volume you add. You can choose the disk type (volume type) you want. You will be able to add more storage after deployment. 
+ +When you newly launch the CoPilot instance, the initial setup process automatically detects the disk/volume you attached during instance provisioning. An add-disk process prompts you to confirm the disk/volume to use and then formats and attaches your disk(s). A logical disk/volume is created from all physical disks (volumes) you added during provisioning. Note that CoPilot comes with a 25GB root disk. + +The storage you need for CoPilot can increase based on several factors including the number of Aviatrix gateways launched and the type and volume of traffic in your network. When you need more storage, you can add additional disks (volumes) by using the CoPilot > Settings > Resources page (Add Additional Disks). For instructions, see `Add a Disk (Volume) for CoPilot Storage after Deployment `_. + +After you allocate new disks (volumes), you can only increase storage (you cannot decrease storage). + +Disk (volume) management for expandable storage became available with the release of Aviatrix CoPilot image version 1.5.1. Prior to CoPilot image version 1.5.1, images had a static disk of 2 TB. + + +Add a Disk (Volume) for CoPilot Storage after Deployment +======================================================== + +Add a data disk (volume) to your Aviatrix CoPilot deployment to be used for expandable storage. For information about expandable storage, see `CoPilot Disk (Volume) Management `_. + +This procedure assumes you have a running CoPilot and want to add more storage (add a data disk/volume) above and beyond the storage you added when you first provisioned the CoPilot instance (from your CSP). + +To add a data disk (volume) for CoPilot expandable storage after deployment: + +1. Log in to your CSP account and create the disk (volume) you want to add. Choose the disk type (volume type) that meets your business needs given the size of your environment and performance requirements. + +2. Attach the disk (volume) to your CoPilot instance. 
Do *not* reboot the instance (a disk can be dynamically added to an instance on any CSP without rebooting). + +3. After you receive confirmation from the CSP that the disk is attached, log in to CoPilot. + +4. Go to CoPilot > Settings > Resources and click Add Additional Disk. If you do not see the disk (volume) you created in the list, press the refresh icon. + +5. Select the disk/volume you created and click START. + +6. When the process is complete, click FINISH. + + +System Design Considerations +================================== + +- For production, it is best practice to inspect your gateways sizing and load prior to enabling flow logging. +- You have the option of selecting which gateways generate flows should you want to enable visibility in subsections of the network. + +Example - Deploy Aviatrix CoPilot in GCP +======================================== + +- Go to GCP marketplace. + +- Find the product "Aviatrix CoPilot - BYOL". + +- Click the button "LAUNCH". + +|gcp_copilot_1| + +- Make sure the selected Machine type has at least 8 vCPUs with 32 GB memory. + +- Boot Disk is SSD Persistent Disk with 2000 GB. + +|gcp_copilot_2| + +- 443 from anywhere user access (User Interface). + +- UDP port 31283 from specific gateway IPs (remove 0.0.0.0/0). + +- UDP port 5000 from specific gateway IPs (remove 0.0.0.0/0). + +|gcp_copilot_3| + +- Click the button "Deploy". + +.. |gcp_copilot_1| image:: copilot_getting_started_media/gcp_copilot_1.png + :scale: 50% + +.. |gcp_copilot_2| image:: copilot_getting_started_media/gcp_copilot_2.png + :scale: 50% + +.. |gcp_copilot_3| image:: copilot_getting_started_media/gcp_copilot_3.png + :scale: 50% + +.. |copilot_login_customer_id| image:: copilot_getting_started_media/copilot_login_customer_id.png + :scale: 100% + +.. |copilot_login_service_account| image:: copilot_getting_started_media/copilot_login_service_account.png + :scale: 100% + +.. 
|copilot_login_user_account| image:: copilot_getting_started_media/copilot_login_user_account.png + :scale: 100% + +.. disqus:: diff --git a/HowTos/copilot_getting_started_media/copilot_login_customer_id.png b/HowTos/copilot_getting_started_media/copilot_login_customer_id.png new file mode 100644 index 000000000..b7ac4cae4 Binary files /dev/null and b/HowTos/copilot_getting_started_media/copilot_login_customer_id.png differ diff --git a/HowTos/copilot_getting_started_media/copilot_login_service_account.png b/HowTos/copilot_getting_started_media/copilot_login_service_account.png new file mode 100644 index 000000000..3a2369ea2 Binary files /dev/null and b/HowTos/copilot_getting_started_media/copilot_login_service_account.png differ diff --git a/HowTos/copilot_getting_started_media/copilot_login_user_account.png b/HowTos/copilot_getting_started_media/copilot_login_user_account.png new file mode 100644 index 000000000..216557bfa Binary files /dev/null and b/HowTos/copilot_getting_started_media/copilot_login_user_account.png differ diff --git a/HowTos/copilot_getting_started_media/gcp_copilot_1.png b/HowTos/copilot_getting_started_media/gcp_copilot_1.png new file mode 100644 index 000000000..748ac3825 Binary files /dev/null and b/HowTos/copilot_getting_started_media/gcp_copilot_1.png differ diff --git a/HowTos/copilot_getting_started_media/gcp_copilot_2.png b/HowTos/copilot_getting_started_media/gcp_copilot_2.png new file mode 100644 index 000000000..5a0d5cc43 Binary files /dev/null and b/HowTos/copilot_getting_started_media/gcp_copilot_2.png differ diff --git a/HowTos/copilot_getting_started_media/gcp_copilot_3.png b/HowTos/copilot_getting_started_media/gcp_copilot_3.png new file mode 100644 index 000000000..3483ac150 Binary files /dev/null and b/HowTos/copilot_getting_started_media/gcp_copilot_3.png differ diff --git a/HowTos/copilot_getting_started_media/tmp.txt b/HowTos/copilot_getting_started_media/tmp.txt new file mode 100644 index 000000000..8b1378917 
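Review bot: the firewall guidance in this file contradicts itself. The prerequisites say "For port 443, you can allow only your and other trusted user's IP addresses", but the GCP example at the end says "443 from anywhere user access (User Interface)"; the Web UI accepts Aviatrix Controller credentials, so the example should restrict 443 to trusted source ranges too, and its two UDP bullets can reuse the earlier wording ("only the IP addresses of your Aviatrix gateways"). Related: "Within an hour, the CoPilot version will be updated" implies the appliance makes outbound connections for updates and licensing, yet the page only lists inbound rules; document the outbound destinations so egress can be restricted. The service-account step should also say plainly that those credentials are stored on the CoPilot instance, which is why "Configure a dedicate user account on Aviatrix Controller for CoPilot" (typo: "dedicated") should be a dedicated account with `all_firewall_write` only when ThreatGuard is used, not an administrator's personal login. Smaller items: step 1 of Initial Setup reads "`https:///`" and "where `` is the static IP address", so the placeholder inside the backticks was lost (probably an unescaped angle-bracket token); leave a visible placeholder such as `https://copilot-ip/`. Steps 6 and 7 nest bold inside bold ("**(If you are **NOT** prompted to add a data disk)**"), which reStructuredText does not support and renders with stray asterisks, and each parenthetical restates the sentence that follows it. The GCP example still specifies 8 vCPUs / 32 GB and a 2000 GB boot disk, which is the pre-1.5.1 sizing the prerequisites mark as obsolete, and it conflicts with "CoPilot comes with a 25GB root disk" plus a separately attached data disk. "Configure Controller's access for CoPilot", "Enable Syslog for Performance Monitoring" and "Enable FlowIQ" repeat steps 6, 9 and 10 of Initial Setup and already drift from them ("less than 5 minutes" versus "after a few minutes"); keep one copy. Typos: "ie. 0" should be "e.g. 0", "licence" and "license" are mixed in the same section, and confirm whether the Controller menu is really "Loggings" rather than "Logging".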
--- /dev/null +++ b/HowTos/copilot_getting_started_media/tmp.txt @@ -0,0 +1 @@ + diff --git a/HowTos/copilot_overview.rst b/HowTos/copilot_overview.rst new file mode 100644 index 000000000..f74828ea0 --- /dev/null +++ b/HowTos/copilot_overview.rst 
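Review bot: `HowTos/copilot_getting_started_media/tmp.txt` is an empty one-line file (the hunk is `@@ -0,0 +1 @@` followed by a blank line); nothing in the docs references it and it looks like a placeholder used to create the directory before the images landed. Now that the directory holds the gcp_copilot_*.png and copilot_login_*.png files, drop it from the change.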
@@ -0,0 +1,42 @@ +.. meta:: + :description: Aviatrix CoPilot Overview + :keywords: CoPilot,visibility + + +============================================================ +Aviatrix CoPilot Overview +============================================================ + +Overview +---------------------- + +Aviatrix CoPilot provides a global operational view of your multi-cloud network. Enterprise IT teams use CoPilot’s dynamic topology mapping to maintain an accurate topology of their global multi-cloud networks, FlowIQ to analyze global network traffic flows and global heat maps and time series trend charts to easily pinpoint and troubleshoot traffic anomalies. CoPilot leverages the intelligence and advanced network and security services delivered by Aviatrix’s multi-cloud network platform to provide enterprise cloud network operations teams both familiar day-two operational features such as packet capture, trace route and ping and new operational capabilities specifically built for multi-cloud network environments. 
+ + +Key Benefits +---------------------- + + +- **Network Health Monitor** – Real-time cloud network resource inventory and status +- **Dynamic Topology Map** – Accurate, multi-cloud network topology, layout control and search +- **FlowIQ** – Detailed application traffic flow analysis, global heat map and trends +- **Multi-Cloud Tagging** – Tag multi-cloud resources, search by tag, filter traffic data by tag +- **CloudRoutes** – Detailed searchable routing tables across cloud providers +- **Notifications** – Alert on resources status/utilization across multi-Cloud +- **AppIQ** – Comprehensive reports to analyze network path between any two cloud instances +- **ThreatIQ with ThreatGuard** – Monitor for security threats from malicious sites, set alerts when threats are detected, and block threat-IP associated traffic +- **Inventory Reports** – Create detailed reports showing your inventory of managed resources in a single cloud or across all clouds in your multi-cloud network + + +Deployment Model +------------------ + +CoPilot is deployed as an all-in-one virtual appliance and is available on AWS, Azure, GCP, and OCI MarketPlaces. +CoPilot works in tandem with Aviatrix Controller; in order to use CoPilot, you must have an operational +Aviatrix Controller. Aviatrix Controller and CoPilot are not required to be collocated. It is possible to run them in separate VPCs/VNETs or separate cloud providers (in multi-cloud environments). + +Licensing and Trials +--------------------- + +CoPilot is offered with BYOL model. If you are interested in a trial of CoPilot, contact us through our chat window below, or contact your +Aviatrix Sales representative. \ No newline at end of file diff --git a/HowTos/copilot_overview_media/avatrix_log.png b/HowTos/copilot_overview_media/avatrix_log.png new file mode 100644 index 000000000..f2f826778 Binary files /dev/null and b/HowTos/copilot_overview_media/avatrix_log.png differ 
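Review bot: `HowTos/copilot_overview_media/avatrix_log.png` is added alongside copilot_overview.rst, but nothing in the file references it (there is no `image::` directive in the hunk) and the name is misspelled ("avatrix"); either use it or leave it out. Add the missing trailing newline as well ("\ No newline at end of file"). One content point for Deployment Model: the paragraph says Controller and CoPilot may run in separate VPCs/VNETs or even separate cloud providers, and the getting-started page requires the controller's port 443 to be open to CoPilot's public IP and CoPilot's UDP ports to be open to the gateways; it would help to state here that in the split deployment both directions of that traffic cross the public internet, so the source-IP restrictions described in the getting-started page are not optional.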
diff --git a/HowTos/copilot_reference_guide.rst b/HowTos/copilot_reference_guide.rst new file mode 100644 index 000000000..99132fb79 --- /dev/null +++ b/HowTos/copilot_reference_guide.rst 
@@ -0,0 +1,867 @@ +.. meta:: + :description: Aviatrix CoPilot FAQs + :keywords: CoPilot,visibility + + +==================================== +Aviatrix CoPilot User Reference Guide +==================================== + +Aviatrix CoPilot is a component of Aviatrix platform offering that extends visibility into complex, multi-cloud networks deployed and managed by Aviatrix Controller. +CoPilot delivers, end-to-end, in-depth, historical analytics of multi cloud networks with a single pane of glass that offers application flows, inventory, health, and complete topological view of the network. + +This guide will provide descriptions and definitions of functionalities that are available in Aviatrix CoPilot. + + +CoPilot Dashboard +================= + +This section describes the Aviatrix CoPilot dashboard. + +The CoPilot Dashboard offers a broad perspective on the inventory and status of your deployment. CoPilot Dashboard shows an inventory of all resources across all clouds in your multi-cloud network that are managed by Aviatrix Controller. The Dashboard shows the number and status of these managed resources as well as a breakdown of each on a per cloud basis. A topology geographic map shows where the managed VPCs/VPNs/VNETs are located across the globe. + +First displayed in Dashboard are inventory chips providing information about managed resources across your cloud networks. Inventory chips show the number and status of each managed resource. + +The number on the inventory chip represents the total number of instances of that managed resource that exists across your multi-cloud network. + +To view the status of a managed resource, click the status marker in its associated inventory chip. The status marker is: + +- A green checkmark when all instances of that resource type are on (connected, running). +- A red exclamation mark when one or more instances of that resource type are off (disconnected, shut down). 
+ +- Virtual Data Center + + A Virtual Data Centers (VDC) is a logical “walled garden” that binds different resources together using a shared network space. This is synonymous to VPC in AWS and GCP, vNETs in Azure, and so forth + +- Gateway by type: + + It returns distribution of gateways by type. Each pie support on-hover to display the number for that slice represents + +- Accounts per cloud + + This chart shows the number of access accounts per cloud + +- Gateway per Cloud + + This chart shows distribution of Aviatrix gateways per Cloud + +- Total Bytes + + Offers total bytes seen over the network in the past 24 hours + + + +Working with Topology +===================== + +This section describes the Topology feature of Aviatrix CoPilot. + +Topology provides a visual representation of deployed networks, gateways, instances, and gateway connections. + +The Topology feature gives you visibility into your network as follows: + +- **Network Graph - Network View** + + In Network Graph, in Network view, CoPilot displays a network topology map that shows the logical and physical layout of how managed network resources are connected across multiple clouds. Topology provides a visual representation of deployed networks (VPCs/VNETs/VCNs), gateways, instances, and gateway connections. CoPilot automatically draws the map when it connects to Aviatrix Controller. + + The Aviatrix Gateways running in your multi-cloud network enable you to run diagnostics from them directly from Topology. When highlighting a gateway, click on the DIAG button to see options available for performing diagnostics from the gateway that is in focus. + +- **Network Graph - Transit View** + + In Network Graph, in Transit view, CoPilot shows the topology of your Aviatrix transit network in relation to your deployed Aviatrix transit gateways. By clicking on the Aviatrix transit icon, you can see all of the transit VPCs/VNETs, VPNs that are managed by Aviatrix Controller. 
By clicking on a region icon, you can see the spoke VPCs/VNETs/VPNs that the controller currently manages. By clicking on a spoke VPC/VNET/VPN, you can see all network constructs inside of that spoke. You can use the search field to find specific resources. + +- **Latency Monitor** + + In Latency Monitor, CoPilot shows detailed latencies, historically for the last hour, last day, last week, and last month, for all links (connections) between managed resources. You can use the date picker to view historical latencies for a custom timeframe. You can filter the historical latency information by search field, such as by the name of a specific gateway to view historical latencies that relate only to that gateway. + +- **Topology Replay** + + In Topology Replay, CoPilot shows what changed in your environment and when it changed. CoPilot shows when route, credential, and other metrics in your cloud network constructs have changed over time. A timeline panel shows you all of the changes (as change sets) that were recorded over the last month. You can analyze the additions, modifications, and deletions recorded in each change set. You can delete change sets when you no longer need them. + +Highlights of Topology capabilities +------------------------------------- + +- Stateful representations + + Connectivity elements in Topology reflect the state of the object: + + - Connections between Aviatrix gateways are drawn with color codes representing the status of their connections. + - Aviatrix gateway icons represent the state of the gateway. A gateway that is down is shown as a black line. + - Tunnels statuses are shown with green or red lines, representing the status of the link. +- Search for any objects and their properties + + In Topology, you can search for any objects that are plotted. This allows you to quickly isolate and identify + resources that you are looking for in your entire environment and across clouds. 
+ + +Interacting with Topology +--------------------------- +Objects on the topology maps support drag and drop. You can click, drag and drop resources to reorganize the objects. + +.. tip:: You can multi-select objects for drag and drop by holding control/command key and selecting. + +- Search + + The search box allows you to filter the objects that are plotted on the topology. + +- Filter + + Filter menu offers the option to hide/show different categories of the objects to ensure the topology shows only what you care about. + +- Layout + + You can save and reload layouts in the topology using the layout menu. If you prefer the topology to load a default + layout, you can select one as the default. + +- Physics options + + By default topology objects are organized using physics engines. This menu allows you to configure physical + gravity settings that manage the placement of objects. You can adjust different parameters, or turn the physics off + completely for complete control over placement of the objects. + +Topology Physics Options +------------------------ + +This section describes the physics options that control how objects move in the network topology map. + ++-------------------------+------------------------------------------------------------------------------------+ +|Topology Physics Option | Description | ++=========================+====================================================================================+ +|Physics Enabled | Enable or disable physics effects in the topology map. | +| | Deselect this option if you do not want objects to move on their own and have | +| | them stay in the location you place them (when you click and drag them there). | ++-------------------------+------------------------------------------------------------------------------------+ +|Smooth Edges | Enable or disable smooth edges for objects in the topology map. | +| | Deselect this option if you do not want the lines between the nodes to be | +| | smoothed. 
| +| | Smooth edges are more computationally expensive but they produce better layouts. | ++-------------------------+------------------------------------------------------------------------------------+ +|Node Repulsion | Controls how strongly the objects in the map repulse other objects that come | +| | near them. The higher the value, the more force applies to the repulsion field | +| | around each object. | ++-------------------------+------------------------------------------------------------------------------------+ +|Central Gravity | Controls the force by which all objects in the network are pulled to a center of | +| | gravity in the topology map. | ++-------------------------+------------------------------------------------------------------------------------+ +|Spring Length | Controls how far apart objects appear from each other when they are moving or at | +| | rest. The edges are modelled as springs. | ++-------------------------+------------------------------------------------------------------------------------+ +|Spring Constant | Controls how quickly objects go back (spring back) to their original position | +| | after they are dragged and released. The higher the value, the more quickly | +| | the objects spring back into place. | ++-------------------------+------------------------------------------------------------------------------------+ +|Dampening | Controls how much the moving of objects (in one physics simulation iteration) | +| | carries over into moving objects again (next physics simulation iteration). The | +| | higher the value, the more velocity of movement carries over into moving | +| | subsequent objects. | ++-------------------------+------------------------------------------------------------------------------------+ +|Max Velocity | Controls how long it takes for objects to stop moving after they are dragged | +| | and released. 
The higher the value, the more time it takes for objects to | +| | stabilize (stop moving) after having been dragged. | ++-------------------------+------------------------------------------------------------------------------------+ +|Min Velocity | Controls how long it takes for objects to stop moving after they are dragged | +| | and released. The higher the value, the less time it takes for objects to stop | +| | moving after having been dragged. | ++-------------------------+------------------------------------------------------------------------------------+ + + +Performing diagnostics from Topology +------------------------------------- + +The Aviatrix gateways running in your multi-cloud network enable you to run diagnostics from them directly from Topology. Performing diagnostics from Topology can dramatically reduce the time spent troubleshooting issues. + +To perform diagnostics from Topology (from an Aviatrix Gateway): + +1. In Topology, click on an Aviatrix Gateway in the topology map to select it. + +2. Click the DIAG button. + +3. Perform any of the following diagnostic tasks for the gateway: + + a. PING: Run pings directly from the gateway to outside of the Aviatrix managed network or to any resource inside the network. + + b. TRACEROUTE: Run trace route. + + c. Test Connectivity: Test the connectivity of the gateway to a specified host running on a specified TCP or UDP port. + + d. ACTIVE SESSIONS: View sessions that are active on the selected gateway. You can filter active sessions by search criteria. For example, a search on a specific port to see if the gateway has an action session on that port. + + e. INTERFACE STATS: View interface statistics about the gateway. The number of interfaces or tunnels associated with the gateway is displayed. Click on the name of an interface or tunnel to see its statistical information. 
+ +View Topology Changes (Topology Replay) +--------------------------------------- + +This section describes how to use the Topology Replay feature of Aviatrix CoPilot. You use Topology Replay to see what changed in your environment and when it changed. See also Topology Replay Properties. + +Topology Replay shows when route, credential, and other metrics in your cloud network constructs changed. The changes are shown for all constructs regardless if they are located in one or multiple clouds. You can view the changes (additions, modifications, and deletions) that were made to the properties of subnets, gateways, and gateway connections. A time series visualization graphs change-set data as points (blue dots) with each change set collected at one-minute intervals. Clicking on a change set in the time series panel loads it into the topology map and changes details pane where you can inspect the data. For more information about UI controls in topology replay, see Topology Replay Properties. + +To view topology changes in your environment: + +1. Log in to CoPilot. + +2. From the sidebar, click Topology, and then click the Topology Replay tab. + + The topology replay page opens showing a topology map, a changes details pane, and a time series panel. + +3. Locate and load the changes you want to inspect: + + - (**To locate the most recent changes**) When the page first opens or is refreshed, the most recent change set is automatically loaded in the topological map and details pane. In the time series panel, the change set is shown as a dark blue box that indicates the number of changes within it. For example, **120 Changes** (this is the default title of the change set). + + - (**To locate earlier changes**) By default, in the time series panel, CoPilot shows changes that occurred within one-minute increments. Each Expand icon has a number which represents the number of change sets that exist in that focused time period. 
Click on an Expand icon to zoom into that time period. + + **Note:** Alternatively, on the track pad, pinch or stretch out two fingers to quickly zoom out of or zoom into a time period. + + The bottom of the time series visualization shows changes that were recorded over the last week. There, you can drag the time-window control lines (blue vertical lines) to encompass a day (or multiple days) to quickly zoom into change sets for that time period. + + Keep zooming into a time period until you see a View icon. The View icon indicates a change set at that point in time. Click on the View icon to load the change set. It may take a few seconds to load. After it loads, the View icon is replaced by a blue box with the title of the change set (the title reflects the number of changes in the change set). Hovering over the blue box displays the end time of the change set. + + - (**To locate a specific change by title or note**) You can change the titles of change sets. You can also associate notes with them. To search for a specific change set based on a previously applied title or note, click the search icon in the changes details pane, enter any text that is part of the title or note, and then click Search. Change sets matching the search criteria are listed. Click on one from the list to load it. + +4. **Inspect changes for a loaded change set.** + + You inspect changes for a change set in the changes details pane. + + When inspecting changes: + + - Network constructs are organized by construct type in a tree view. Expand the tree for each contruct type to drill down to properties of that construct that were added, modified, or deleted. Changes are shown as green for additions, orange for modifications, and red for deletions. + + - Click on a network construct in the topology map to bring its change details into focus in the details pane. 
+ + - For each selected construct in the changes details pane, select or deselect the eyeball icon to toggle between showing only changed data for a construct or showing all data for a construct (to put the changes in context). + + - Click the AUDIT button to open the Audit tab of the Security section where you can see which users made API calls to Aviatrix Controller during the time period of the change set. +5. (**To modify the title of a change set**) To modify the title of a change set that is loaded in the changes details pane, click on the red notepad icon to open note view. The title is displayed over the dates (the default title is the number of changes in the change set). Click the blue pen icon. Select the title and change it, and then click the Save icon. When you search the timeline for change sets, you can now search by your title text. + +6. (**To associate a note with a change set**) To associate a note with a change set that is loaded in the changes details, pane, click on the red notepad icon to open note view. Click the blue pen icon, type your note, and then click the Save icon. When you search the timeline for change sets, you can now search by your note text. + + +Topology Replay Properties +-------------------------- + +This section describes properties of the Topology Replay feature in Aviatrix CoPilot. + +Topology Replay - Topology Map ++++++++++++++++++++++++++++++++++++++++++ + +The topology map shows network constructs that were changed in the environment for changes associated with the currently loaded change set. + +Properties of the topology map include: + +- Show full topology + + Click **Show full topology** to see how the changed constructs relate to all constructs in your Aviatrix managed environment (the full topology is shown at that point in time). 
+ +- Disable physics + + Click **Disable physics** if you do not want objects to move on their own and have them stay in the location you place them (when you click and drag them there). + +- Hide Highlights + + Click **Hide highlights** to remove the circles from the objects in the map that denote they represent changed constructs. + + +Topology Replay - Changes Details Pane ++++++++++++++++++++++++++++++++++++++++++ + +The changes details pane shows all details for the currently loaded change set, including: + +- The name of the change set (reflecting the total number of changes in it). +- The start time and end time for which changes were recorded. +- The number of changes by type that were made to the properties of constructs: + - Additions + - Deletions + - Modifications +- The network constructs that are associated with the changes organized by construct type in a tree view. Detailed information about what metrics changed for each construct is shown. For modifications, the old value is shown striked out near the new value. + + +Properties of the changes details pane include: + +- **AUDIT** + + Click the **AUDIT** button to open the Audit tab (of the CoPilot Security page) where you can view the users that made API calls to Aviatrix Controller during the time period of the change set. + +- **NOTES** + + Click the red notepad icon to associate a note with the loaded change set or to change the change set's title. Click the blue pen icon, then edit the title or add/edit a note, and then click the Save icon. The title is displayed over the dates (the default title is the number of Changes in the change set). When you search the timeline for change sets, you search by your title or note text. + +- Search + + Use the search to search for change sets by your custom change-set title or note text (for notes you associated with changes sets). 
+ +- Show only changed data/ Show all changes + + Use the eyeball icon to toggle between showing only changed data for a construct or showing all data for a construct (to put the changes in context). This option can be set per construct, per construct type, or globally. + + +Topology Replay - Time Series Panel ++++++++++++++++++++++++++++++++++++++++++ + +The time series visualization graphs change-set data as points (blue dots) with each change-set collected at one-minute intervals shown in the change timeline (top half of the panel). The overview timeline in the time series panel (bottom half of the panel) shows the duration of all replay data (from the first replay date to the current date). The most recently recorded change set is shown as a dark blue box labeled with the number of changes in that change set. + +Properties of the time series panel include: + +- Currently loaded change set + + The time series panel highlights the current change set as a dark blue box labeled with the number of changes the change set contains. Hover over the box to view the end time of the change set. The green box represents the base of the currently loaded change set. + +- **Expand** controls to zoom into a time period + + In the change timeline (top half of the panel) each Expand icon has a number which represents the number of change sets that exist in that change-set cluster. On your track pad, pinch or stretch out two fingers to quickly zoom into or zoom out of a time period to view change sets that occurred within a more narrow timeframe. You can also zoom into a time period by clicking on the Expand icons. You can click on and drag the top of the panel backward and forward to view changes that happened minutes earlier/later. 
+ +- Time-window control lines + + In the overview timeline (bottom half of the panel), after you zoom into a time period by clicking on the Expand icons or by using your track pad, two time-window control lines (blue vertical lines) display near the current time (the red line). Drag the time-window control lines where needed to focus in on the day or days you want to locate change sets in. + +- **View** controls to load a change set + + The View icon indicates a change set at that point in time. Click on a View control to load a change set; this populates the network constructs associated with the changes in the topology map and displays the details for their changes in the changes details pane. The constructs associated with the changes are circled in the map. + + +Working with FlowIQ +=================== + +This section describes the FlowIQ feature of Aviatrix CoPilot. + +FlowIQ provides visualization of traffic flows that traverse Aviatrix gateways. In FlowIQ, you can find any network traffic that is moving across any gateway managed by the Aviatrix Controller in your Aviatrix transit network (multi-cloud or single cloud network). CoPilot displays metadata about traffic that flows across each link in your Aviatrix transit network. FlowIQ enables you to identify where data in your network is going to and where it is coming from and you can filter for detailed information about the traffic down to the packet level. + +Flows provides you with critical visibility capability to that traffic that traverses your network. + +Interacting with the flows +-------------------------- +FlowIQ provides various views for visualizing traffic records. The views respond to filters that are selected. +The filters that you set are carried across all of the views. + + +Working with Performance +======================== + +This section describes the Performance feature of Aviatrix CoPilot. 
+ +In Performance, CoPilot displays the resource utilization (telemetry) data for all managed resources across your Aviatrix transit network (multi-cloud and single cloud). You can filter telemetry data based on one or more resources (hosts) located in any cloud. When choosing multiple resources, CoPilot displays the telemetry data for those resources in a comparative graph. + +The telemetry data CoPilot displays for managed resources includes: + +- Free memory +- CPU utilization +- Disk free +- Rx rate of the interface +- Tx rate of the interface +- Rx Tx rate combined of the interfaces + +Working with Cloud Routes +========================= + +This section describes the Cloud Routes feature of Aviatrix CoPilot. + +In Cloud Routes, you can view all routing information for managed resources spanning your Aviatrix transit network, including resources across clouds (multi-cloud) and on-prem (for Site 2 Cloud connections). For multi-cloud, cloud engineers can view the information in a central place without having to log in to individual cloud provider consoles. + +In Cloud Routes, you can view routing information for: + +- Gateway Routes: Tunnel information for all Aviatrix gateways managed by the Controller across clouds. + + You can view the detailed routing table of each gateway, the state (up or down status) of the route (tunnel/interface), and more detailed information. + + You can filter routes based on gateway name to view the routing table of that specific gateway. + + You can filter routes based on a specific subnet to view all gateways across which the subnet is propagated. + + You can filter routes based on a specific IP address to view all gateways across which a subnet is propagated that includes the specific IP address. + +- VPC/VNET/VCN Routes: Routing tables for all virtual data centers (VPC/VNET/VCN) in any cloud provider. + + You can filter routing tables based on a specific route table name. 
+ + You can filter routing tables based on a specific subnet to view all routes across which the subnet is propagated. + + You can filter routing tables based on a specific IP address to view all routes across which a subnet is propagated that includes the specific IP address. + +- Site 2 Cloud: Data center connections into the cloud. + + You can view the tunnel status and the gateway to which it is connected. + + You can view the remote IP address and the type of tunnel. + +- BGP Info: BGP connections from on-prem into the cloud. + + You can view advertised routes being sent to the remote site, learned routes that are being received from the remote site, and a map showing how the BGP connection is connected. The map shows the gateway the BGP connection is established on, the local ASN and IP, the connection name you defined, the remote ASN IP and the remote ASN. + +Working with Notifications +========================== + +This section describes the Notifications feature of Aviatrix CoPilot. + +In Notifications, you can configure alerts so that you can be notified about changes in your Aviatrix transit network. The alerts can be based on common telemetry data monitored in the network. For example, you can receive an alert when the status of any Aviatrix Gateway in your network changes. + +CoPilot supports Webhook alerts. Webhooks allow you to send notifications to third-party automation systems such as Slack. You can send a Webhook to any system that can take an HTTPS callback. A single alert can notify multiple systems/people. + +You can pause alerts. For example, if you are going to perform maintenance tasks on the network that you know will trigger pre-configured alerts, you can pause the alerts temporarily and unpause them when the maintenance is complete. + +In the Notification tab, CoPilot lists all alerts and shows if they are in a triggerd (open) or closed state. You can open an alert from the list to view its lifecycle. 
CoPilot closes the alert automatically when the alert metric no longer meets the condition to trigger the alert. The alert lifecycle provides a history for every alert that happens in your network environment. + +Configure Notifications +----------------------- + +Configure notifications in CoPilot so you can be alerted to events that occur in your network. + +When configuring notifications, you can choose email or Webhook destinations. Before you begin, specify the email or Webhook addresses in the Notifications tab of CoPilot Settings. For more information about Webhooks, see `CoPilot Webhooks Customization `_. + +To configure notifications: + +1. From the sidebar, click Notifications. +#. In Define Alert, type the name you want to use for the alert. +#. In Condition, select the metric or condition that must be met to trigger the alert. +#. Click Add Recipients and select the email address or Webhook destination where you want the alert to be sent. Repeat this step for each recipient you want to receive the alert. +#. Click Save. The alert is enabled. When the condition is met for the metric you specified, CoPilot will now send an alert to the email or Webhook system you specified. + +Working with AppIQ +================== + +This section describes the AppIQ feature of Aviatrix CoPilot. + +In AppIQ, you can generate a report that gives you visibility into security domain and traffic information between any two cloud instances that are connected by way of your Aviatrix transit network. For the source instance and destination instance you specify, CoPilot analyzes network traffic, security domain settings, and route table configurations to provide details that help you understand any problems with the network path between the two instances. + +Working with Security +===================== + +This section describes the Security feature of Aviatrix CoPilot. 
+ +In Security, CoPilot uses visual elements to demonstrate the segments in your Aviatrix transit network that can and cannot communicate with each other. The segments are enabled by way of security domains and their ability to communicate with each other is dictated by security domain policies. You enable security domains and set security domain policies in Aviatrix Controller. CoPilot shows the logical and physical view of the domain segments and their connection relationships. + +Working with ThreatIQ +===================== + +This section describes the ThreatIQ feature of Aviatrix CoPilot. + +ThreatIQ enables you to monitor for security threats in your Aviatrix cloud network, set alerts when threats are detected in the network traffic flows, and block traffic that is associated with threats. All of these capabilities apply to your entire cloud network (multi-cloud or single cloud) that is managed by Aviatrix Controller. + +ThreatIQ provides visibility into known malicious threats that have attempted to communicate to your cloud network. Aviatrix Cloud Network Platform communicates with a well known threat-IP source to stay abreast of malicious sites or IP addresses known to be bad actors (*threat IPs*). Netflow data is sent to CoPilot from Aviatrix Gateways in real time and CoPilot analyzes the traffic and compares it with a database of known malicious hosts to quickly detect traffic from threat IPs. + +In ThreatIQ Threats view, a geographical map shows you the approximate locations of known malicious IPs that have communicated with your network within the specified time period selected. You can view the severity level of threat IPs detected and their associated attack classifications (as categorized by the well known threat-IP source). 
+ +In ThreatIQ, you can view detailed information about each threat record including the source IP of the threat, the destination IP, the gateways where the threat-IP traffic traversed, the associated traffic flow data (date and time, source and destination ports, and so on), and threat information such as why it was deemed a threat. For each threat record, you can open a network topology map where the associated compromised gateway is highlighted. You can drill down into the map to the instance level where the compromised instance (that is communicating and egressing to the threat IP) is highlighted. This topology view makes it easy to identify the subnet the compromised server was deployed on and the transit gateway it was using to communicate with the threat IP. + +While the ThreatIQ Threats view provides visibility into the threats detected in your network, the ThreatGuard view enables you to take actions on those threats: + +- **Enable alerts.** In ThreatGuard view, you can enable alerts so you are notified when threat-IP traffic is first detected. You can configure your preferred communication channel (email) for sending these ThreatGuard alerts. In CoPilot, in the Notifications option, you can view historical information about when the alerts were triggered, including the names of the gateways within the threat-IP traffic flow. ThreatGuard alerts are based on threat-IP data stored in a database that is regularly updated with the most current threats (new or removed). When a threat IP is removed from the threat-IP source (that is, the IP is no longer deemed malicious), the update is automatically pushed to Aviatrix Cloud Network Platform + +- **Block threat-IP traffic.** In ThreatGuard, you can enable blocking of threat-IP traffic. To block threat-IP traffic, alerts must first be enabled. 
When blocking is enabled, the Controller upon first detecting a threat IP in a traffic flow, instantiates security rules (stateful firewall rules) on all gateways that are within that flow (all gateways within the VPC/VNET/VCN) to immediately block the threat-IP associated traffic. If the threat IP is removed from the database of the threat-IP source, the Controller automatically removes the security rules for that specific threat IP from the affected gateways and associated traffic is no longer blocked. Otherwise, the security rules for that specific threat IP remain enforced. NOTE: If you disable ThreatGuard blocking, the action removes all existing firewall rules instantiated by Aviatrix Controller for all threats (that is, all threat IPs) detected up to that point. + +You must have a CoPilot user account that has ``all_write`` or ``all_security_write`` permissions to be able to enable/disable ThreatGuard alerts and blocking. + +Enable ThreatGuard Alerts +--------------------------- + +Enable ThreatGuard alerts to receive notifications when threat IPs are detected in your network traffic. + +To enable ThreatGuard alerts, you must log in to CoPilot with a user account that has ``all_write`` or ``all_security_write`` permissions. + +To enable ThreatGuard alerts: + +1. Log in to CoPilot. +2. From the sidebar, click ThreatIQ, and then click the ThreatGuard tab. +3. Click the **Send Alert** button and then click the Send Alert slider so that it slides to the right. +4. In the ThreatGuard Configuration dialog, click Add Recipients. Select the email address destination to which you want to send ThreatGuard alerts. Repeat this for each recipient you want to receive the alert. +5. Click **CONFIRM**. ThreatGuard alerts are enabled. When a threat IP is detected in a traffic flow, CoPilot will now send a notification to the email you specified. The notification will state the threat IP that was detected in the blocked traffic. +6. 
(Optional) Verify that ThreatGuard alerts are enabled: A) From the sidebar, click Notifications. B) In the Configured Alerts list, locate the entry with the name **ThreatGuard Alert** that has the condition **When Threat IP Detected**. This entry validates that alerts are enabled. +7. (Optional) Enable ThreatGuard blocking. After alerts are enabled, you can opt to enable ThreatGuard blocking. See Enable ThreatGuard Blocking for instructions. When ThreatGuard blocking is enabled, Aviatrix Controller pushes down firewall policies to block threat-IP associated traffic as soon as it is detected. + +Enable ThreatGuard Blocking +--------------------------- + +Enable ThreatGuard blocking to block traffic at Aviatrix Gateways where threat IPs have traversed. When blocking is enabled, Aviatrix Controller pushed down firewall policies to block threat-IP associated traffic as soon as it is detected. All gateways in the VPC/VNET/VCN will block. + +To enable ThreatGuard blocking, you must log in to CoPilot with a user account that has ``all_write`` or ``all_security_write`` permissions. + +To enable ThreatGuard blocking: + +1. Log in to CoPilot. +2. From the sidebar, click ThreatIQ, and then click the ThreatGuard tab. +3. Verify that ThreatGuard alerts are enabled. The alerts are enabled when the Send Alert status has a green checkmark. ThreatGuard alerts must be enabled before blocking can be enabled. See *Enable ThreatGuard Alerts* for instructions. +4. Click the **Block Traffic** button and then click the Block Threats slider so that it slides to the right. ThreatGuard blocking is enabled. Aviatrix Controller now enforces firewall policies to block threat-IP associated traffic as soon as it is detected. Each time a different IP threat is detected, a new firewall rule is instantiated on the gateway. All gateways in a VPC/VNET/VCN will block the associated traffic. You can be selective about which VPCs/VNets/VCNs block threat IPs when ThreatGuard blocking is enabled. 
By default, all VPCs/VNets/VCNs block. You can then use the Allow/Deny List to specify which ones will not block. +5. (Optional) Disable blocking. **Note:** When you disable ThreatGuard blocking, the action removes all existing firewall rules instantiated by Aviatrix Controller for all threats detected up to that point. + + +Working with Reports +===================== + +This section describes the Reports feature of Aviatrix CoPilot. + +In Reports, you can create detailed reports showing your inventory of managed resources (resources managed by Aviatrix Controller) in a single cloud or across all clouds in your multi-cloud network. + +You can quickly create reports that show on which cloud, region, and VPC/VNET/VCN specific managed resources are running. You can add columns to the report for different properties associated with resource types. You can apply complex filters to customize the data that gets included in the report for each resource type. + +Create an Inventory Report +-------------------------- + +Create a report showing inventory of managed resources (resources managed by Aviatrix Controller) in a single cloud or across all clouds in your multi-cloud network. + +You can create a custom report by answering questions that guide you to include only those managed resources you want in your report. You can apply complex filters to further narrow down the contents of the report. + +To create an inventory report: + +1. Log in to CoPilot + +2. From the sidebar, click Reports. + +3. In **Select the cloud(s)**, CoPilot shows icons for the clouds in which you have managed resources. Select one of the following: + + - (Multi-cloud) If the report is to include managed resources that span across all of your clouds, click **All clouds**. + - If the report is to include managed resources for a single cloud, click the icon of the applicable cloud provider. +4. 
In **Select the region(s)**, CoPilot shows the regions in which you have managed resources for the cloud(s) you specified in the previous step. Select each region that includes managed resources you want to include in your report. If the types of managed resources to include are within all regions, click **Select All**. + +5. In **Select the VPC(s)**, CoPilot shows all the VPCs/VNETs/VCNs in which you have managed resources for the region(s) you specified in the previous step. Select each VPC/VNET/VCN that includes managed resources to include in your report. If the types of managed resources to include are within all VPCs/VNETs/VCNs, click **Select All**. + +6. In **Select resource type(s)**, select the resource type icons to specify the resource types to include in the report. + +7. In **Select the properties**, CoPilot shows various properties that are associated with the resource types you specified in the previous step. Select a property to include it as a column in the report. The report preview pane automatically includes the *name* property of the managed resource and its *cloud*, *region*, and *VPC/VNET/VCN* properties (you can deselect them to remove them from the report). You can use the Search box to locate a property associated with data to include in the report. For example, for the gateway resource type, typing *size* in the search box returns a result `vpc_size`. By including `vpc_size` in the report, you can view what size instance each of those gateways are currently running on (the `vpc_size` property signifies the size of gateways). As another example, typing *trans* in the search box returns properties that include `transit` in the name, such as `transit_vpc`. By including the `transit_vpc` property in the report, you can view which of those gateways are transit gateways. + +8. In **Add filters**, you can optionally use filters to narrow down the managed resources to include in your report. 
For any property, you can set a filter using the property's value (TIP: When you include a property in the report, the value of it is listed in its associated report column). For example, if you have hundreds of gateways in your environment and want to narrow down the contents of the report to only transit gateways, add a filter with the rule to show only transit gateways (click ADD FILTERS, click ADD RULE, and then set field `gateway.transit.vpc` with the filter operator ``==`` set to value `yes` and click APPLY FILTERS). If you add a filter on a property you did not previously select to be included (displayed) in the report, the filter is applied but the property is not added to the report. In this case, it may be helpful to take note of your applied filter for future reference. NOTE: Currently, filters cannot be saved. + +9. (Optional) Save, download, or print the report. For printing, select the paper size and page orientation. + +10. (Optional) To generate another report, clear filters (click CLEAR FILTERS if you created filters) and deselect any criteria that does not apply to your next report. Deselect the properties, deselect the resource types, deselect the VPCs/VNETs/VCNs, deselect the regions, and deselect the clouds as needed to report only on the data you want. + + +CoPilot WebHooks Customization +============================== + +You can customize the webhooks Aviatrix CoPilot generates for sending to external systems (such as Slack) by using the Handlebars templating language. Examples are provided in this topic for high level variables that are exposed in CoPilot notification alerts. + +CoPilot alerts expose the following high level variables (objects): + +- **alert** +- **event** +- **webhook** + +Each object exposes additional variables that can be accessed. 
+ +Alert +------- + +The alert object exposes :: + + "alert": { + "closed": false, + "metric": "CPU Utilization", + "name": "High CPU Usage", + "status": "OPEN", + "threshold": 80, + "unit": "%" + } + +Event +------- + +The event object exposes :: + + "event": { + "receiveSeparateAlert": false, + "exceededOrDropped": "Exceeded", + "newlyAffectedHosts": ["spoke1", "spoke1-hagw"], + "recoveredHosts": ["spoke2"], + "message": "Alert Updated", + "timestamp": "2021-05-22T17:49:20.547Z" + } + +where: + +- ``newlyAffectedHosts`` represents the hosts that are now affected but were not affected before. These hosts usually need the user’s attention the most. +- ``recoveredHosts`` represents the hosts that are now recovered. +- ``receiveSeparateAlert`` is for individual host alerts. + +Webhook +--------- + +The webhook object exposes :: + + "webhook": { + "name": "", + "secret": "", + "tags": [], + "url": "" + } + +Creating a custom webhook and accessing individual fields +----------------------------------------------------------- + +Example 1: If individual alerts for hosts is ON, receive a string. Else receive an array. 
:: + + { + "status": "{{#if alert.closed}}ok{{else}}critical{{/if}}", + "check": {{alert.name}}, + "copilotstatus": {{alert.status}}, + "host": {{#if event.receiveSeparateAlert}} + {{#if event.newlyAffectedHosts}} + {{event.newlyAffectedHosts.[0]}} + {{else}} + {{event.recoveredHosts.[0]}} + {{/if}} + {{else}} + {{#if event.newlyAffectedHosts}} + {{event.newlyAffectedHosts}} + {{else}} + {{event.recoveredHosts}} + {{/if}} + {{/if}}, + "alert_timestamp": "Received <> at <>" + } + + +Example 2 :: + + { + "myAlert": {{alert.name}}, + "triggeredAt": {{event.timestamp}}, + "eventMessage": {{event.message}}, + "triggeredMetric": {{alert.metric}}, + "status": {{alert.status}}, + "webHookName": {{webhook.name}}, + "webHookTags": {{webhook.tags}} + }​ + +Output: :: + + { + "myAlert": "High CPU Usage", + "triggeredAt": "2021-05-22T18:06:34.143Z", + "eventMessage": "Alert Updated", + "triggeredMetric": "CPU Utilization", + "status": "OPEN", + "webHookName": "test", + "webHookTags": [ + "customTag" + ] + }​ + +Templates support JSON and String formatted output as values. + +In situations where you want to specifically format the value of an output, it needs to be converted from JSON (default) to a string value. + +“webhook”: {{webhook}}→ produces JSON: :: + + { + "webhook": { + "name": "", + "secret": "", + "tags": [ + "test", + "123", + "emergency" + ], + "url": "" + } + }​ + +“webhook”: “<>” → produces STRING: :: + + { + "webhook": "{\n \"name\": \"\",\n \"secret\": \"\",\n \"tags\": [\n \"test\",\n \"123\",\n \"emergency\"\n ],\n \"url\": \"\"\n}" + } + +String escaped values allow for custom messages to be used in values. :: + + { + "webhook": "My Custom Webhook message <>" + } + +Output: :: + + { + "webhook": "My Custom Webhook message {\n \"name\": \"\",\n \"secret\": \"\",\n \"tags\": [\n \"test\",\n \"123\",\n \"emergency\"\n ],\n \"url\": \"\"\n}" + } + +Looping over lists in templates using #attribute... . .../attribute. 
Any content between the # and / is expanded once for each list item, and the special attribute ``.`` can be used to refer to it. + +Some attributes refer to a list of results: + +- ``webhook.tags`` list of optional user-defined strings, configured on a per-webhook basis. +- ``event.newlyAffectedHosts`` represents the hosts that are now affected but were not affected before. These hosts usually need the user’s attention the most. +- ``event.recoveredHosts`` represents the hosts that are now recovered. + +:: + + { + "webHookTags": {{webhook.tags}} + } + +Output: :: + + { + "webHookTags": [ + "customTag", + "Slack", + "Emergency" + ] + } + +If you want to customize the output for list items: :: + + { + "webhook": "<<#webhook.tags>> tag:<<.>> <>" + } + +Output: :: + + { + "webhook": " tag:test tag:123 tag:emergency " + } + +Escaping quotes for return values when creating custom values is performed automatically for strings within << >>. + +``{{{some_quoted_var}}}`` disables escapes altogether, which should be avoided, as it can unexpectedly cause embedded strings to form invalid JSON, for example, an alert name of ``A “great” alert``, quotes, newlines, tabs, and so on are not allowed in JSON strings. 
+ +Input: :: + + { + "alertStatus": "Name:{{{alert.name}}} Metric:{{{alert.metric}}} alert" + } + +Output: :: + + { + "alertStatus": "Name:High CPU Usage Metric:CPU Utilization alert" + } + +Custom Slack Webhook example (slack document: https://app.slack.com/block-kit-builder/): :: + + { + "blocks":[ + { + "type":"header", + "text":{ + "type":"plain_text", + "text":":fire:<>:fire:" + } + }, + { + "type":"divider" + }, + { + "type":"section", + "text":{ + "type":"mrkdwn", + "text":"newly affected hosts:\n <<#event.newlyAffectedHosts>>:arrow_down:<<.>>\n<>" + } + }, + { + "type":"actions", + "elements":[ + { + "type":"button", + "text":{ + "type":"plain_text", + "text":"Confirm", + "emoji":true + }, + "value":"click_me_123", + "action_id":"actionId-0" + } + ] + }, + { + "type":"section", + "text":{ + "type":"mrkdwn", + "text":"status: <>\nthreshold: <><>\ntime: <>\nmesssage: <>" + } + } + ] + } + + +**Webhook Example** + +|webhook_image| + + +Settings +====================== + +This section describes the Settings options of Aviatrix CoPilot. + +The Settings page allows you to configure various CoPilot settings. The default entries are usually sufficient. Ensure that you understand the impact of changing an option before making the change. Typically, you only need to set the Controller IP options by specifying the controller IP address and the controller service account. 
+ +Configuration +--------------- + +Options +~~~~~~~~~~~~~~~ + +============================ =================================================================== + netflowPort Allows you to change the port on which flows are sent/received +---------------------------- ------------------------------------------------------------------- + etlHeapSize Memory allocation for ETL +---------------------------- ------------------------------------------------------------------- + dataStoreHeapSize Memory allocation for Data Store +============================ =================================================================== + +DNS Lookup Server +~~~~~~~~~~~~~~~~~~~~~~~~ + +============================ =================================================================== + server_1 Primary DNS Server +---------------------------- ------------------------------------------------------------------- + server_2 Backup DNS Server +============================ =================================================================== + + +Disk Space Management +~~~~~~~~~~~~~~~~~~~~~~~~ +**Min. disk space % avail. threshold** + Allows you to set a threshold based on available disk space, at which point automatic + data deletion start. When this threshold is reached, CoPilot will start deleting records in order of + first in first out. +**Set threshold** + This option defines at what time of the day this check is run + +**Reset Controller IP** + The resets the IP to which CoPilot is tied to + +Services +---------- +This page allows you stop/start/restart various services. + +Use **Services Download Log Bundle Locally** to download the support log bundle to your local system. Submit a support ticket first. + +Use **Services Upload Log Bundle to Support** to send your support log bundle directly to Aviatrix Support (the log bundle is uploaded to s3). 
+ + +Resources +----------- +The Resources page helps you understand the resource utilization levels in your appliances (to determine if you need to take necessary actions). + + +Licensing +----------- +This page provides functionality for viewing your current license key or releasing the license. + +If you plan to terminate your current instance of CoPilot and deploy a new instance using the same license key, release the CoPilot licence of the current instance first. To release the license, click the RESET button. + +Index Management +----------------- + +Managing Your Appliance +======================================== + + +**Backup and recovery** + In order to provide backup to your data, you can leverage instance snapshot methodology in the cloud. + You can configure periodic snapshots + ,based on your preferred interval, to be able retain data in case of corruption or disk loss on EBS + + + +.. |dashboard_image| image:: CoPilot_reference_guide_media/CoPilot_dashboard.png + :width: 200 + +.. |topology_image| image:: CoPilot_reference_guide_media/CoPilot_topology.png + :width: 200 + + +.. |flowIQ_image| image:: CoPilot_reference_guide_media/CoPilot_flowiq.png + :width: 200 + +.. |webhook_image| image:: copilot_reference_guide_media/webhookImage.png + :scale: 50% + + diff --git a/HowTos/copilot_reference_guide_media/copilot_dashboard.png b/HowTos/copilot_reference_guide_media/copilot_dashboard.png new file mode 100644 index 000000000..3c7b26df0 Binary files /dev/null and b/HowTos/copilot_reference_guide_media/copilot_dashboard.png differ diff --git a/HowTos/copilot_reference_guide_media/copilot_flowiq.png b/HowTos/copilot_reference_guide_media/copilot_flowiq.png new file mode 100644 index 000000000..d200ae2d5 Binary files /dev/null and b/HowTos/copilot_reference_guide_media/copilot_flowiq.png differ 
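Review bot: the three image substitutions at the end of this hunk will not resolve on a case-sensitive build host (Read the Docs builds on Linux): `.. |dashboard_image| image:: CoPilot_reference_guide_media/CoPilot_dashboard.png` and the topology and flowIQ entries use mixed case, while the files added in this same change are `HowTos/copilot_reference_guide_media/copilot_dashboard.png`, `copilot_topology.png` and `copilot_flowiq.png`, all lowercase; the `|webhook_image|` entry already uses the lowercase directory, so the other three should match it. In the Custom Slack Webhook example every field placeholder has come through as an empty `<>` (`:fire:<>:fire:`, `status: <>`, `threshold: <><>`), whereas the Input example just above uses `{{{alert.name}}}`; the Slack block should show the placeholder syntax the template engine actually expects, otherwise readers will paste a template that renders nothing (also `messsage` -> `message`). Under Disk Space Management, `Set threshold` is described as the time of day the check runs, which does not match the option name; reword one or the other, and `automatic data deletion start` should read `starts`. `Reset Controller IP` reads `The resets the IP to which CoPilot is tied to`; suggest `Resets the Controller IP address that CoPilot is bound to`. The `Index Management` heading has no body. In Managing Your Appliance the Backup and recovery text has a stray comma (`,based on`) and an unfinished sentence (`to be able retain data in case of corruption or disk loss on EBS`). For the Services paragraph that says the log bundle `is uploaded to s3`, the page should state what the bundle contains, so an operator can judge whether configuration or credential material leaves the appliance before clicking Upload.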
diff --git a/HowTos/copilot_reference_guide_media/copilot_topology.png b/HowTos/copilot_reference_guide_media/copilot_topology.png new file mode 100644 index 000000000..95f3e84a8 Binary files /dev/null and b/HowTos/copilot_reference_guide_media/copilot_topology.png differ diff --git a/HowTos/copilot_reference_guide_media/webhookImage.png b/HowTos/copilot_reference_guide_media/webhookImage.png new file mode 100644 index 000000000..eb8c34ae2 Binary files /dev/null and b/HowTos/copilot_reference_guide_media/webhookImage.png differ diff --git a/HowTos/copilot_release_notes.rst b/HowTos/copilot_release_notes.rst new file mode 100644 index 000000000..3b976bb5d --- /dev/null +++ b/HowTos/copilot_release_notes.rst 
@@ -0,0 +1,415 @@ +.. meta:: + :description: Aviatrix CoPilot Release Notes + :keywords: CoPilot,visibility, monitoring, performance, operations + + +============================================================ +Aviatrix CoPilot Release Notes +============================================================ + +This section describes new features and enhancements for Aviatrix CoPilot software releases. + +For information about Aviatrix CoPilot image releases, see `Aviatrix CoPilot Image Release Notes `_. + +CoPilot Release 1.5.1 (1/12/2022) +--------------------------------- + +- (Performance) Performance Charts now have cross hairs that are synced across all visible charts for easy correlation between metrics. + +- (Topology) Run VPC/VNET/VCN diagnostics and submit them to Aviatrix Support from Topology. From Topology, click on any VPC/VNET/VCN in a topology map, and then click DIAG in the node properties pane. + +- (Notifications>Configure) Use new input box to type in a value (instead of using the slider) for configuring notification thresholds. + +- Performance improvements. + +If you deploy Aviatrix CoPilot image version 1.5.1 from the marketplace, the following disk volume and auto-scaling features are now available: + +- New disk (volume) support — You can now allocate data disks (volumes) to your Aviatrix CoPilot deployment to be used for expandable storage. During instance creation in the marketplace, you can attach a data disk (data volume) to be used for CoPilot storage. When you deploy the instance, the initial setup process will automatically detect the disk/volume you attached during instance creation and format and attach your disks (a logical disk/volume is created from all physical disks). As your storage needs increase later (after deploying), you can also add more disks (volumes) as needed. See `CoPilot Disk (Volume) Management `_ for more information. 
+ +- Auto-scaling memory support — CoPilot now supports automatic memory sizing for the ETL and datastore based on the physical memory of the instance at boot. New base images will default to these automatic settings, but existing deployments will keep their current configuration unless updated. Memory settings are still located under Settings > Configuration > Options. + + +CoPilot Release 1.5.0 (1/12/2022) +--------------------------------- + +- **ThreatIQ map in dashboard** — The CoPilot Dashboard now includes the ThreatIQ map showing any threats over the last 24 hours. + +- **New gateway diagnostic features** + + You can now perform the following diagnostic tasks for Aviatrix gateways (from Topology, click on any gateway in a topology map, and then click DIAG in the node properties pane): + + - (TRACEPATH tab) Discover the MTU on the path (if router supports it). + - (TRACELOG tab) Upload a gateway's tracelog directly to Aviatrix Support. The controller and gateway tracelog is uploaded and the support team notified. + - (SERVICE ACTIONS tab) Check the status of gateway services and restart services. + +- Performance improvements and bug fixes. + +Release 1.4.9.3 (12/28/2021) +----------------------------- +- UI improvements. + + - You can now open Aviatrix Controller from CoPilot. From the CoPilot dashboard, click the Apps icon in the action bar, and then select **Controller**. The controller opens in a new browser tab. + + - Improvements were made to the ThreatIQ dashboard. + +- Performance improvements. +- Minor bug fixes. + +Releases 1.4.9.1, 1.4.9.2 +------------------------- +- **Bug fix** Minor bug fixes. + +Release 1.4.9 +----------------- +- **New: Inventory Reports** You can now create customized, detailed reports for all or specific inventory (resources managed by Aviatrix Controller) running across your multi-cloud network. To create a custom report, you answer questions that guide you to include only the information you want in the report. 
Each time you specify your criteria, the PDF report view updates in real time in an adjacent pane. You first specify the cloud provider(s) to include information about a single cloud or multiple clouds. You then specify the regions you have resources in that you want to include. You can further specify the VPCs/VNETs/VCNs in the region(s) and drill down further to specify the resource types (for example, gateways and instances). You can save and download the report. Currently, you cannot save a report filter. +- **Enhancement** (ThreatGuard) Now only users logged in to CoPilot who have Admin/Firewall Admin permissions can enable/disable ThreatGuard blocking. +- **Enhancement** (ThreatGuard) Selective Threat Blocking. You can now be selective about which VPCs/VNets/VCNs block threat IPs when ThreatGuard blocking is enabled. By default, all VPCs/VNets/VCNs block when ThreatGuard blocking is enabled. You can then use the Allow/Deny List to specify which ones will not block. +- **Enhancement** (Topology) Support for filtering on your own tags you created in the CSP (supported for tags added to gateways only at this time, not instances). +- **Enhancement** (Egress) For Egress, CoPilot now shows Rule and Action when a request hits a rule. +- **Enhancement** Performance improvements. +- **Bug fix** Minor bug fixes. + +Release 1.4.8 +----------------- +- **New: ThreatGuard** You can now block and get alerted on the threats detected in your network. A dashboard to configure and view ThreatGuard in action. +- **Enhancement** Improved alerts. +- **Enhancement** More metrics. All of Performance V2 metrics are now supported for receiving alerts. +- **Enhancement** Ability to pick and choose one/more/all hosts and one/more/all of interfaces to receive telemetry and node status alerts. +- **Enhancement** Support for filtering domains and hosts in Network Segmentation graphs. +- **Enhancement** Faster Cloud Routes pages and faster Notifications page. 
+- **Enhancement** Performance improvements. +- **Bug fix** Minor bug fixes. + +Release 1.4.7.4 +----------------- +- **Bug fix** Fixes to latencies in Topology. + +Release 1.4.7.3 +----------------- +- **Enhancement** Improvements to GW, Tunnel, S2C alerts. +- **Enhancement** Performance improvements in backend tasks. +- **Enhancement** Configurable settings for Network Segmentation charts. +- **Bug fix** Fix in V2 Telemetry alerts. + + +Release 1.4.7.2 +----------------- +- **Bug fix** Fixes to Legend in Network Segmentation Page. +- Revert ETL migration for Customers with older than 6.4 Controllers +- **Bug fix** Minor improvements to Performance V2 Charts. + + +Release 1.4.7.1 +----------------- +- **Bug fix** Minor bug fixes in Performance Monitor V2. + +Release 1.4.7 +----------------- +- **New: ThreatIQ** Real time identification of threats in ThreatIQ. +- **Enhancement** Performance V2. Many more metrics to monitor performance of hosts, interfaces and tunnels. In the Performance Page, click on **Switch to V2**. +- **Enhancement** Latencies for Site 2 Cloud links. +- **Enhancement** You can now filter topology data by node type. +- **Enhancement** Improved Cloud Routes Search and show only the routes with longest prefix. +- **Enhancement** Upgraded AppIQ with V2 performance metrics. +- **Enhancement** Performance improvements. +- **Bug fix** Minor bug fixes. + + +Release 1.4.6.4 +----------------- +- **Bug fix** Fixes to SSO login. + + +Release 1.4.6.3 +----------------- +- **Enhancement** Improvements to individual alerts per host. +- **Enhancement** In Dashboard, added a chart for instances per region. +- **Bug fix** Fixes to topology replay. +- **Bug fix** Fixes to topology saved layouts. + + +Release 1.4.6.3 +----------------- +- **Enhancement** Improvements to individual alerts per host. +- **Enhancement** In Dashboard, added a chart for instances per region. +- **Bug fix** Fixes to topology replay. +- **Bug fix** Fixes to topology saved layouts. 
+ + +Release 1.4.6.2 +----------------- +- **Bug fix** Fix to the offline upgrade process. + + +Release 1.4.1 +----------------- +- **Bug fix** Fix in Webhooks test button. + +Release 1.4.6 +----------------- +- **Enhancement** You can now receive individual alert notifications for each host. +- **Enhancement** AppIQ now works across all clouds. +- **Enhancement** In Topology, you can show and hide latencies. +- **Bug fix** Fixes for Dashboard Charts. +- **Bug fix** Fixes for Security Charts. + +Release 1.4.5.3 +----------------- +- **Enhancement** In Dashboard, new chart for Instances Per Cloud. +- **Bug fix** Fixes for Gateways Active Sessions and Interfaces. +- **Bug fix** Fixes for Security Charts. + +Release 1.4.5.2 +----------------- +- **Enhancement** Security updates. +- **Bug fix** Webhook templates bug fix. + + +Release 1.4.5.1 +----------------- +- **Bug fixes** Minor bug fixes in Dashboard pie charts and VPC Routes. + +Release 1.4.5 +----------------- +- **Enhancement** Support for offline upgrade and offline installation of CoPilot. +- **Enhancement** Support for templates in Webhooks. +- **Enhancement** Support for Alibaba Cloud. +- **Settings -> Index Management** Support for searching and filtering indices. +- **Bug fixes** Minor bug fixes. + + +Release 1.4.4 +----------------- +- **Bug fix** Performance Fixes for Dashboard - Overview and Traffic Pages load faster. +- **Bug fix** Security fixes +- **Improvement** Topology loads better +- **Enhancement** Latencies can now be refreshed at user specified intervals +- **Enhancement** Topology Replay - loads much faster for bigger changes + +Release 1.4.3.3 +----------------- +- **Bug fix** Security fixes + +Release 1.4.3 +----------------- +- **Dashboard -> Traffic page** Detailed metrics on data sent and received in the last hour and day for instances, regions, GWs and VPCs/VNETs/VCNs. Also shows the trend and detailed traffic chart for each cloud construct. Ties into FlowIQ for deeper visibility. 
+- **Security -> Audit** End to end audit on every API call (with response status, user who made the call, arguments for the call), aggregated hourly, daily, monthly and fully searchable, filterable and sortable. +- **Search for titles/notes in the topology replay timeline across timestamps** Replay now ties into Audit so that you know who made the infrastructure change(s) and when it was (they were) made. +- **SSO** Configure CoPilot in the Controller UI and login into CoPilot from the Controller directly without having to enter the credentials. +- **Cloud Routes and BGP** section now scale to work with Controller 6.4 API changes, backward compatible with pre-6.4 APIs. +- **Cloud Routes Search** Search, filter and highlight across routes/GWs for anything you see on the page (name, routes, cloud provider, status, tunnels). Search for IP in Subnet also highlights which CIDR the IP is part of. +- Look and feel improvements for Settings Pages and Notifications page. +- **Bug fix** Good number of UX enhancements and bug fixes. + + +Release 1.4.2.1 +----------------- +- A patch update to the release 1.4.2 +- **Improvement** in scalability and security. Support 100k+ changes in topology diff and more than 250k tunnels in the cloud routes section (which is about 40MB of tunnels data rendered in less than 5 secs). We also made improvements to our middleware to secure CoPilot. We now logout the user immediately from accessing copilot data, if the user gets deleted from the Controller. + + +Release 1.4.2 +---------------- +- **Scale** Scaled the cloud routes section to handle any number of routes, so for GWs with 10ks of routes is blazing fast. The Latency charts are scaled too to handle 1000s of charts each for one topology edge. +- **Search** You can even search and highlight across 1000s of routes across GWs. +- **Bug fix** We fixed our disk cleanup logic that periodically frees up space in the copilot instance for a user specified threshold percentage of free disk. 
+- **Bug fix** We fixed some bugs in topology replay, talking of which, you can now hide/show highlited nodes to clear the clutter while viewing changed nodes. +- **Enhancement** When you receive a ‘closed’ alert (email or webhook) it also contains what hosts were previously affected, so customers can use third party tools (like OpsGenie) to parse for fields of their interest. +- **Improvement** Minor UX improvements + +Release 1.4.1 +----------------- +- **Bug Fixes** +- **Scale** Large environment support in Latency Monitor and in Replay. +- **Topology Replay** Ability to now add notes and a tag to a change in replay. + +Releases 1.4.0.1, 1.4.0.2 +---------------------------- + +- **Enhancement** Enhanced Topology Replay to add zoom and move to preview timeline +- **Enhancement** Throttle Latency Calls to reduce Controller cpu usage (for large scale env), removed duplicate latency calls for edges +- **Bug fix** Topology Transit View - Single node clusters for VPC, Fix for Spokes with Peering Connections, Connect S2C to regions +- **Bug fix** Dashboard not showing OCI in Geo Map +- **Bug fix** Segments not showing up randomly on Domain Segmentation. Truncate long labels and add tooltip + + +Release 1.4.0 +------------------- + +- **CoPilot Theme** New Dark Mode The moon icon in the CoPilot header can be toggled to switch between light mode and dark mode. +- **Topology Replay** Full view of what’s changed in your infrastructure. Instantly see any change (for ex: GWs go up/down, tunnels flap, peerings added) to your topology at any timestamp and manage your changesets. +- **Multi Cloud Network Segmentation** Now in Security tab, Logical view -> you can visualize which spoke (or Site2Cloud instance) can reach which other spokes based on the security domains they are part of. In the physical view -> you can visualize the spokes (or S2C instances) grouped by the transit gateways and their reachability based on the security domains they are attached to. 
+- **Transit View for Topology** Topology Revamped. Clear the clutter and visualize multi-cloud topology with just the Aviatrix transits connected to regions. Double click to open/close VPC/VNET clusters. +- **Improved FlowIQ Filters** Use “not equal to” in a filter rule to specify negation. Group filter rules using “NOT” to specify negation of all the filter rules together. +- **Interface Stats** Use the Diag button in topology to view interface statistics for a gateway + +Releases 1.3.2.1, 1.3.2.2, 1.3.2.3 +----------------------------------- + +- **Bug fix** Fixes to saved filter groups in FlowIQ +- **Bug fix** Fixes to pie charts in FlowIQ Trends +- **Bug fix** Fixes to top navigation header to always show it +- **Enhancement** Better error checking for dashboard APIs +- **Enhancement** Changes to slider step while defining alerts for Rx, Tx and RxTx metrics + +Release 1.3.2 +------------------- + +- **Enhanced FlowIQ Filters** Now filter FlowIQ results by performing complex queries by doing logical ANDs and ORs between different filters. Filter groups can now be searched and selected in FlowIQ +- **Alerts** Now get alerted when a Site2Cloud tunnel or BGP connection status changes +- **Enhanced Diagnosis in Topology** Test connectivity from a selected gateway to a host IP +- **Session Visibility** Active Sessions for a selected Gateway +- **Enhanced Index Management and Data Retention policies** Now you can better control how long you want to retain data for each of FlowIQ, Performance, FlowIQ, latencies. 
+- **Multi-Cloud AppIQ Support** AppIQ supports all clouds (FlightPath may not work across all clouds) +- **Performance Monitoring** A much cleaner legend for performance monitoring charts +- **Topology Enhancement** New Truncate/expand labels in topology + +Release 1.3.1.2 +------------------- + +- **Bug fix** to flight path in AppIQ report +- **Enhancement** Change Cluster Labels in Topology to VPC Labels +- **Enhancement** Gov Cloud icons show up in Topology + +Release 1.3.1.1 +------------------- + + - **Bug fix** Fixes to latency tracker + +Release 1.3.1 +------------------- + +- **Enhancement** Receive email and webhook alerts when a Gateway or Tunnel is down +- **Latencies** View historical latencies and perform search to filter latencies of interest +- **Enhancement** Cleaner topology with truncated labels and latency numbers align along edges +- **Enhancement** Cleaner topology in AppIQ +- **Enhancement** Filter table columns in GW Routes and VPC Routes + +Release 1.3.0 +------------------- + +- **Security** Egress FQDN Dashboard, search and live monitoring +- **Alerts** Webhooks integration for alerts - Use Webhooks to alert on telemetry data + +Release 1.2.1.2 +------------------- + +- **Bug fix** A fix to AppIQ inconsistency in topology instances + +Release 1.2.1.1 +------------------- + +- **Enhancements** Compressed the AppIQ report file size for easier download +- **Bug fix** in BGP routes and AppIQ charts + +Release 1.2.1 +------------------- +- **AppIQ** generates a comprehensive report of control plane connectivity between any two cloud endpoints connected with Aviatrix Transit Network which includes link status, latency, bandwidth, traffic, and performance monitoring data. 
+ + |appIQ_1| |appIQ_2| |appIQ_3| + +- **BGP Info** shows detailed BGP connections information with routes, map and status inside Cloud Routes + + |bgp_1| |bgp_2| |bgp_3| + +- **Continuous Latency Monitoring** allows to see the continuous historical latencies data on Topology in Multi-Cloud environment between Transit and Spoke. + + |latency_1| |latency_2| + + +- **Performance Improvements** for Cloud Routes and Scheduled Tasks that run behind the scenes. + +Release 1.2.0.5 +------------------- +- **Topology Enhancement** Search and Filter capability and Customize Topology Layout options +- **Site2Cloud** shows detailed S2C connections information with routes and status inside Cloud Routes +- **Notification** allows to pause alerts and delete old alert notifications +- **Operational Enhancements** auto delete flowIQ and Perfmon indexes to save disk space + +Release 1.2.0.3 +------------------- +Version 1.2.0.3 requires users to enter valid credentials for the Controller that CoPilot will store as a **Service Account**. This Service Account is needed +so CoPilot can process and send alerts based on configured thresholds. This Service Account can be a read-only account the user created on +the controller. This dialog will only show one time when no service account has been configured. +The Service Account can be changed in **Settings** . 
+ +|service_account_modal| + + +- Notifications + Ability to configure and receive alerts when CPU Utilization, Free Disk, Free Memory, Rx, Tx, Rx Tx of any host exceeds a user specified threshold + Add email addresses of recipients in settings -> notifications to receive alerts + Monitor and manage the lifecycle of alerts from the time they first triggered to the time they are resolved in the notifications page + +- CloudRoutes + Multi cloud GW Routes and VPC/VNET Routes with search functionality + +- Topology + Cluster Latency Click on connections between 2 clusters and start latency monitor for all connections between clusters + +- FlowIQ + Support for CSV export in records page + Added support for filtering of instances using tags + Now showing Flow Throughput and Flow Duration data in the records page + +- Bug Fixes + Few Bug fixes and performance improvements to load topology and instances faster + +Release 1.1.9 +------------------- +- Security Updates + +Release 1.1.8 +------------------- +- Topology Clustering +- Enhancements to Perf Mon charts with time period support +- Saving of Filter Groups in Flow IQ + +Release 1.1.7.1 +------------------- +- Topology Highlight +- Performance Monitoring Charts with multiple hosts +- && and || support for FlowIQ Filters + +Release 1.1.6.1 +------------------- +- Tagging functionality extended, Tag Manager in Settings Pages, Latency Charts, Filtering in Flow IQ improved + +Release 1.1.5.2 +------------------- +- Added support for tagging in Topology +- Added support for custom SSL certificate import + + +Release 1.1.4.2 +------------------- +- Addressed the issue with license key validation + +Release 1.1.4 (GA) +------------------- + +- Enabled license management +- Added support for multi-select +- Added ability to delete indexes +- Added storage auto-delete threshold configuration +- Added diagnostics (ping/traceroute) to topology + +.. disqus:: + +.. 
|service_account_modal| image:: copilot_releases/service_account_modal.png +.. |appIQ_1| image:: copilot_releases/appIQ_1.png + :width: 30% +.. |appIQ_2| image:: copilot_releases/appIQ_2.png + :width: 30% +.. |appIQ_3| image:: copilot_releases/appIQ_3.png + :width: 30% +.. |bgp_1| image:: copilot_releases/bgp_1.png + :width: 35% +.. |bgp_2| image:: copilot_releases/bgp_2.png + :width: 30% +.. |bgp_3| image:: copilot_releases/bgp_3.png + :width: 30% +.. |latency_1| image:: copilot_releases/latency_1.png + :width: 40% +.. |latency_2| image:: copilot_releases/latency_2.png + :width: 40% diff --git a/HowTos/copilot_release_notes_images.rst b/HowTos/copilot_release_notes_images.rst new file mode 100644 index 000000000..79708ce18 --- /dev/null +++ b/HowTos/copilot_release_notes_images.rst 
@@ -0,0 +1,30 @@ +.. meta:: + :description: Aviatrix CoPilot Image Release Notes + :keywords: CoPilot,visibility, monitoring, performance, operations + + +==================================== +Aviatrix CoPilot Image Release Notes +==================================== + +Aviatrix CoPilot is delivered via one image that should be maintained with the latest version for managing security and support for the product. You launch the Aviatrix CoPilot image instance in the AWS, Azure, or respective cloud marketplace. + +For information about new features and enhancements for CoPilot software releases, see `Aviatrix CoPilot Release Notes `_. + +CoPilot Image: Version 1.5.1 (01/14/22) +--------------------------------------- + +- Aviatrix CoPilot image version 1.5.1 released on 01/14/2022. If you are deploying the 1.5.1 image version from the marketplace, the following disk volume and auto-scaling features are now available. + + **Note:** These feature are available only if you deploy the new 1.5.1 image version. + +- **New disk (volume) support** — You can now allocate data disks (volumes) to your Aviatrix CoPilot deployment to be used for expandable storage. During instance creation in the marketplace, you can attach a data disk (data volume) to be used for CoPilot storage. When you deploy the instance, the initial setup process will automatically detect the disk/volume you attached during instance creation and format and attach your disks (a logical disk/volume is created from all physical disks). As your storage needs increase later (after deploying), you can also add more disks (volumes) as needed. See `CoPilot Disk (Volume) Management `_ for more information. + +- **Auto-scaling memory support** — CoPilot now supports automatic memory sizing for the ETL and datastore based on the physical memory of the instance at boot. New base images will default to these automatic settings, but existing deployments will keep their current configuration unless updated. 
Memory settings are still located under Settings > Configuration > Options. + + +.. disqus:: + +.. |service_account_modal| image:: copilot_releases/service_account_modal.png +.. |appIQ_1| image:: copilot_releases/appIQ_1.png + :width: 30% diff --git a/HowTos/copilot_releases/appIQ_1.png b/HowTos/copilot_releases/appIQ_1.png new file mode 100644 index 000000000..682bc48c1 Binary files /dev/null and b/HowTos/copilot_releases/appIQ_1.png differ diff --git a/HowTos/copilot_releases/appIQ_2.png b/HowTos/copilot_releases/appIQ_2.png new file mode 100644 index 000000000..8c60e903b Binary files /dev/null and b/HowTos/copilot_releases/appIQ_2.png differ diff --git a/HowTos/copilot_releases/appIQ_3.png b/HowTos/copilot_releases/appIQ_3.png new file mode 100644 index 000000000..28c2418e1 Binary files /dev/null and b/HowTos/copilot_releases/appIQ_3.png differ diff --git a/HowTos/copilot_releases/bgp_1.png b/HowTos/copilot_releases/bgp_1.png new file mode 100644 index 000000000..0b132fb3c Binary files /dev/null and b/HowTos/copilot_releases/bgp_1.png differ diff --git a/HowTos/copilot_releases/bgp_2.png b/HowTos/copilot_releases/bgp_2.png new file mode 100644 index 000000000..193922708 Binary files /dev/null and b/HowTos/copilot_releases/bgp_2.png differ diff --git a/HowTos/copilot_releases/bgp_3.png b/HowTos/copilot_releases/bgp_3.png new file mode 100644 index 000000000..77a061084 Binary files /dev/null and b/HowTos/copilot_releases/bgp_3.png differ diff --git a/HowTos/copilot_releases/latency_1.png b/HowTos/copilot_releases/latency_1.png new file mode 100644 index 000000000..31b23055b Binary files /dev/null and b/HowTos/copilot_releases/latency_1.png differ diff --git a/HowTos/copilot_releases/latency_2.png b/HowTos/copilot_releases/latency_2.png new file mode 100644 index 000000000..ee1f27bc4 Binary files /dev/null and b/HowTos/copilot_releases/latency_2.png differ 
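Review bot: in copilot_release_notes.rst the section `Release 1.4.6.3` appears twice with identical bullets (directly after `Release 1.4.6.4` and then again), and `Release 1.4.1` appears twice, once in its proper place in the 1.4.x sequence and once between `Release 1.4.6.2` and `Release 1.4.6`, where the ordering suggests a 1.4.6.x point release was meant; drop the duplicate 1.4.6.3 block and fix the misplaced heading. The cross-references `` `Aviatrix CoPilot Image Release Notes `_ `` and `` `CoPilot Disk (Volume) Management `_ `` have no URL in angle brackets and no matching `.. _...:` target anywhere in the file, so Sphinx will emit an unknown-target warning and render a dead link. `CoPilot Release 1.5.1 (1/12/2022)` and `CoPilot Release 1.5.0 (1/12/2022)` carry the same date, while copilot_release_notes_images.rst in this same change dates the 1.5.1 image `01/14/22`; confirm which is right. In the `Release 1.2.0.3` entry, the Service Account paragraph is the right place to be explicit about least privilege: it currently says the account `can be a read-only account the user created on the controller`; suggest `should be a dedicated read-only account`, since CoPilot stores these credentials and only needs them to read metrics and send alerts according to this text.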
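Review bot: in copilot_release_notes_images.rst the cross-reference `` `Aviatrix CoPilot Release Notes `_ `` has the same empty target problem as the release notes file and will not build into a working link; `These feature are available` should read `These features are available`. The substitution definitions `.. |service_account_modal| image:: ...` and `.. |appIQ_1| image:: ...` at the bottom are copied over from copilot_release_notes.rst and nothing in this 30-line file references them, so they should be removed. The auto-scaling memory bullet duplicates the paragraph in the release notes word for word; keep it in one file and link from the other, and since existing deployments `keep their current configuration unless updated`, say how an operator tells which mode a deployment is in beyond the path `Settings > Configuration > Options`.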
diff --git a/HowTos/copilot_releases/service_account_modal.png b/HowTos/copilot_releases/service_account_modal.png new file mode 100644 index 000000000..04e9a3741 Binary files /dev/null and b/HowTos/copilot_releases/service_account_modal.png differ diff --git a/HowTos/create_vpc.rst b/HowTos/create_vpc.rst index bd49bac47..106e39f5a 100644 --- a/HowTos/create_vpc.rst +++ b/HowTos/create_vpc.rst 
@@ -1,39 +1,71 @@ .. meta:: :description: VPC Network CIDR Management Tool - :keywords: Aviatrix VPC Tracker, AWS VPC + :keywords: Aviatrix VPC Tracker, AWS VPC, AZURE VNet ################################### Create a VPC ################################### -Use this tool to create a `VPC `_ that consists of a public subnet and a private subnet in two AZs and an IGW in the region and account of your choice. +Use this tool to create a `VPC `_ in AWS or a `VNet `_ in AZURE in the region and account of your choice. In addition, starting from 6.1, this tool creates multiple route tables associated with public and private subnets. One use case is to allow traffic load balancing when Aviatrix Spoke gateways are deployed. -The VPC CIDR range is from /16 to /24. The VPC name cannot contain underscore character ("_"). +To configure, go to Useful Tools at the main navigation on the left panel, select Create a VPC -> +Create. -Go to Useful Tools at the main navigation on the left panel, select Create a VPC -> +Create. +The VPC/VNet CIDR range is from /16 to /24. -.. tip:: +Advanced +--------- + +When the "Advanced" option is selected, users are able to customize subnet size and number of pair of subnets (public subnet and private subnet). For example, entering 1 for Number of Availability Zones/Number of Subnets means that this tool will create 1 public subnet and 1 private subnet in the VPC/VNet. + +The VPC/VNet CIDR range is from /16 to /24. - Select the option Aviatrix Transit VPC if you deploy the Next Gen Transit Network. All necessary subnets and route tables will be fully populated. - Aviatrix Transit VPC ---------------------- -When the "Aviatrix Transit VPC" option is selected, Create a VPC creates the following AWS VPC subnets. +When the "Aviatrix Transit VPC" option is selected, all necessary subnets and route tables will be fully populated as below: + +The VPC CIDR range for a Transit VPC is from /16 to /23. 
========================================== =================== **Subnet name** **Suggested usage** ========================================== =================== -Public-gateway-and-firewall-mgmt-az1 Use this subnet to launch Aviatrix primary transit gateway.Use this subnet to launch firewall instance in DMZ deployment. -Public-gateway-and-firewall-mgmt-az2 Use this subnet to launch backup Aviatrix transit gateway. Use this subnet to launch backup firewall instance in a second availability zone in DMZ deployment. +Public-gateway-and-firewall-mgmt-az1 Use this subnet to launch Aviatrix primary transit gateway. Use this subnet to launch firewall instance in DMZ deployment. +Public-gateway-and-firewall-mgmt-az2 Use this subnet to launch Aviatrix backup transit gateway. Use this subnet to launch backup firewall instance in a second availability zone in DMZ deployment. Private-FW-north-az1 Use this subnet to create an interface on primary firewall instance that interacts with Aviatrix Main gateway in DMZ deployment. Private-FW-north-az2 Use this subnet to create an interface on backup firewall instance that interacts with Aviatrix Main gateway in DMZ deployment. -Private-FW-sorth-az1 Use this subnet to create an interface on primary firewall instance that interacts with Aviatrix Companion gateway in DMZ deployment. -Private-FW-sorth-az2 Use this subnet to create an interface on backup firewall instance that interacts with Aviatrix Companion gateway in DMZ deployment. -Private-FW-ingress-egress-az1 Use this subnet to create an interface on primary firewall instance handles ingress and egress traffic in DMZ deployment. -Private-FW-ingress-egress-az2 Use this subnet to create an interface on backup firewall instance handles ingress and egress traffic in DMZ deployment. +Private-FW-south-az1 Use this subnet to create an interface on primary firewall instance that interacts with Aviatrix Companion gateway in DMZ deployment. 
+Private-FW-south-az2 Use this subnet to create an interface on backup firewall instance that interacts with Aviatrix Companion gateway in DMZ deployment. +Public-FW-ingress-egress-az1 Use this subnet to create an interface on primary firewall instance handles ingress and egress traffic in DMZ deployment. +Public-FW-ingress-egress-az2 Use this subnet to create an interface on backup firewall instance handles ingress and egress traffic in DMZ deployment. ========================================== =================== +Aviatrix FireNet VPC/VNet +------------------------- + +When the "Aviatrix FireNet VPC" or "Aviatrix FireNet VNet" option is selected, all necessary subnets and route tables will be fully populated as below: + +The VPC/VNet CIDR range for a FireNet VPC/VNet is from /16 to /24. + +========================================== =================== +**Subnet name** **Suggested usage** +========================================== =================== +Public-gateway-and-firewall-mgmt-1 Use this subnet to launch Aviatrix primary firenet gateway. Use this subnet to launch firewall instance in a DMZ deployment. +Public-gateway-and-firewall-mgmt-2 Use this subnet to launch Aviatrix backup firenet gateway. Use this subnet to launch backup firewall instance in a DMZ deployment. +Public-FW-ingress-egress-1 Use this subnet to create an interface on primary firewall instance handles ingress and egress traffic in DMZ deployment. +Public-FW-ingress-egress-2 Use this subnet to create an interface on backup firewall instance handles ingress and egress traffic in DMZ deployment. +========================================== =================== + +Cloud type: Azure +------------------ + +Starting from R6.2, Create a VPC tool programs a default route 0.0.0.0 pointing to the next hop type "None" in User Defined Route Table (UDR) for all private subnets it creates. +Any public subnet it creates does not have such UDR default route entry. 
+ ++----------+--------------------+-------------------+ +| **Name** | **Address prefix** | **Next hop type** | ++----------+--------------------+-------------------+ +| default | 0.0.0.0/0 | None | ++----------+--------------------+-------------------+ .. |edit-designated-gateway| image:: gateway_media/edit-designated-gateway.png :scale: 50% diff --git a/HowTos/custom_mapped_solution.rst b/HowTos/custom_mapped_solution.rst new file mode 100644 index 000000000..9cc61833a --- /dev/null +++ b/HowTos/custom_mapped_solution.rst 
@@ -0,0 +1,271 @@ + + +.. meta:: + :description: Create site2cloud connection with overlap network address ranges + :keywords: Mapped site2cloud, VGW, SNAT, DNAT, Overlap Network CIDR, overlap CIDRs + + +=========================================================================================== +Site2Cloud (S2C) Custom Network Mapped Solutions Workflow +=========================================================================================== + +This document describes a solution to solving network connectivity issues where there are overlapping network CIDRs. The solution uses the Custom Mapped under the `Mapped` option +of Aviatrix `Site2Cloud `_ feature when building IPSEC tunnels. + +Custom Mapped Site2Cloud provides the advantage of not having to configure individual SNAT/DNAT rules, also +it gives flexibility to build address translations of all scenarios. (e.g. Many-to-Many, Many-to-One etc.) + +This document covers examples with Aviatrix Transit Gateway only and below topology will be used for all scenarios. + +|cmap_topology| + +.. note:: + Same virtual CIDR for multiple customer sites cannot be used. + +.. important:: + This document applies to both Aviatrix Transit and AWS Transit Gateway (TGW). "Forward Traffic to Transit Gateway" needs to be enabled under S2C connection in Aviatrix Transit Gateway case. + +Terminology Definitions +-------------------------- + +The primary reason for terminology definitions is that in connecting overlapping networks with IPSec tunnels, the address translation +requirements are +often not symmetric. For example, Remote Initiated Traffic may all require to be source NATed to a single or small range of addresses, while +Local Initiated Traffic may require to have a 1-1 DNAT and SNAT. By separating different traffic directions, address translations can +be done specifically for the direction, thus providing the ultimate flexibility. 
+ +Remote Initiated Traffic +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +From the point of view of an Aviatrix gateway where site2cloud (with IPSec tunnel) connection is established, traffic initiating from the +remote end of the IPSec tunnel is called Remote Initiated Traffic. + +Local Initiated Traffic +~~~~~~~~~~~~~~~~~~~~~~~~~ + +From the point of view of an Aviatrix gateway where site2cloud (with IPSec tunnel) connection is established, traffic initiating from the +Aviatrix gateway side of the IPSec tunnel is called Local Initiated Traffic. This traffic may originally come from an Aviatrix Transit Gateway +to the Aviatrix Spoke gateway where IPSec tunnels are established. + + + +Problem Statement +------------------------------------------------------------------------- +In this use case, a customer needs to connect certain on-prem hosts to certain EC2 instances in a VPC over an IPSEC tunnel over the Internet, but the on-prem network range overlaps with the customer's VPC CIDR range, and the requirement from the customer is that traffic can be initiated from either side. + +:: + + VPC CIDR = 10.10.0.0/16, instance-1 in Client-1 has an IP address 10.10.43.145 + CIDR = 10.10.0.0/16, instance-1 in Client-2 has an IP address 10.10.35.41 + On-Prem CIDR = 10.10.0.0/16, host-1 in On-Prem has an IP address 10.10.0.212. + + +Aviatrix offers multiple solutions to this requirement. The solutions uses in this document to solve this scenario is called "custom mapped" feature in Site2Cloud that removes the need to configure individual SNAT/DNAT rules and gives flexibility to map Real CIDRs to small Virtual CIDRs range. + +.. note:: + The maximum number of CIDRs for Site2Cloud network maps is 32. + +This solution uses a site2cloud route-based IPSEC tunnel using Virtual Tunnel Interface (VTI) between VPC and On-Prem Router. The packet flow is demonstrated as below: + + 1. Client-1 instance-1 sends a packet to host-1 with a virtual destination IP address, for example 11.10.0.212. 
From Client-1 instance-1's point of view, the destination instance is a virtual address - 11.10.0.212. + #. When the packet arrives at the Aviatrix Spoke gateway, the gateway does DNAT on the packet to translate the virtual destination IP address to 10.10.0.212 which is the host-1 physical IP address. + #. The Spoke gateway then translates the packet source IP address (10.10.43.145) to a virtual source IP address, say it is 100.64.101.17. + #. The packet then arrives at On-Prem Cisco IOS Router with destination IP address 10.10.0.212 and source IP address 100.64.101.17. From host-1's point of view, instance-1's address is a virtual IP address - 100.64.101.17. + #. When host-1 sends a packet to instance-1, the destination is the virtual IP address 100.64.101.17. + #. When the packet arrives at the Spoke gateway over the IPSEC tunnel, the Spoke gateway translates its destination IP address from virtual address 100.64.101.17 to 10.10.43.145. + #. The Spoke gateway then translates the source IP address of the packet from 10.10.0.212 to virtual address 11.10.0.212. + + +Scenarios: +-------------- + +Use Case 1: Customer's Multi-Sites CIDRs overlaps with on-prem CIDRs +------------------------------------------------------------------------- + +Traffic Initiated from either sides. + +Traffic initiated from customer's side +######################################## + +Traffic initiated from Client's side means it is a remote initiated traffic from Aviatrix Gateway perspective as shown below. + +Furthermore, requirement is to map customer's Real CIDR into the smaller Virtual CIDRs of 16 IP addresses range. + +SNAT is only required to translate 10.10.0.0/16 to small range of ip address 100.64.0.16/28, 100.64.0.32/28 respectively. 
+ +================================================== ======================================================================= + **Client 1 S2C CIDR** **Remote Initiated** +================================================== ======================================================================= + Source (Real) 10.10.0.0/16 + Source (Virtual) 100.64.0.16/28 + Destination (Real) 10.10.0.212/32 + Destination (Virual) 11.10.0.212/32 +================================================== ======================================================================= + +Traffic initiated from on-prem's side +######################################## + +Traffic initiated from the on-prem's side means it is a local initiated traffic from Aviatrix Gateway perspective as shown below. + + +================================================== ======================================================================= + **Client 1 S2C CIDR** **Remote Initiated** +================================================== ======================================================================= + Source (Real) 10.10.0.0/16 + Source (Virtual) 11.11.1.5/32 + Destination (Real) 10.10.43.144/28 + Destination (Virual) 100.64.101.16/28 +================================================== ======================================================================= + + +Use Case 2: Customer's Multi-Sites CIDRs overlaps each other and on-prem CIDRs is non-overlapping +-------------------------------------------------------------------------------------------------- + +SNAT is only required to translate 10.10.0.0/16 to small range of ip address 100.64.0.16/28, 100.64.0.32/28 respectively, and DNAT will not be required. + +Traffic initiated from customer's side +######################################## + +Traffic initiated from Client's side means it is a remote initiated traffic from Aviatrix Gateway perspective as shown below. 
+ +Furthermore, requirement is to map customer's Real CIDR into the smaller Virtual CIDRs of 16 IP addresses range. + + +================================================== ======================================================================= + **Client 1 S2C CIDR** **Remote Initiated** +================================================== ======================================================================= + Source (Real) 10.10.0.0/16 + Source (Virtual) 100.64.0.16/28 + Destination (Real) 99.99.99.75/32 + Destination (Virual) 99.99.99.75/32 +================================================== ======================================================================= + +Traffic initiated from on-prem's side +######################################## + +Traffic initiated from the on-prem's side means it is a local initiated traffic from Aviatrix Gateway perspective as shown below. + + +================================================== ======================================================================= + **Client 1 S2C CIDR** **Remote Initiated** +================================================== ======================================================================= + Source (Real) 10.10.0.0/16,99.99.99.102/32 + Source (Virtual) 11.11.1.5/32,99.99.99.102/32 + Destination (Real) 10.10.43.144/28 + Destination (Virual) 100.64.101.16/28 +================================================== ======================================================================= + + + + + +The Configuration Steps +========================== + +Step 1: Launch Transit Gateway +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Log in to the Controller console, go to Multi-Cloud Network. Follow step 1 to launch a gateway in the VPC. + +Transit Aviatrix Gateway can be deployed using the `Transit Gateway Workflow `_ + +1. Navigate to **MULTI-CLOUD TRANSIT -> Setup -> #1 Launch an Aviatrix Transit Gateway** +#. Choose instance size **C5x.large** +#. Enable **ActiveMesh Mode (Mandatory)** +#. 
Enable InsaneMode for higher throughputs (optional) +#. Enable Transit VPC GW HA by navigating to **MULTI-CLOUD TRANSIT -> Setup -> #2 (Optional) Enable HA to an Aviatrix Transit Gateway** + +.. note:: + Instance size of c5.xlarge will be required for Insane Mode Encryption for higher throughput. + + +Step 2: Deploy Spoke Gateways +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Now that we have Aviatrix Transit Gateway, we can deploy Aviatrix Spoke Gateways in the spoke VPCs using `Aviatrix Spoke Gateway Workflow `_. + +1. Navigate to **MULTI-CLOUD TRANSIT -> Setup -> #4 Launch an Aviatrix Spoke Gateway** +#. Deploy a Spoke Gateway (GW) in the spoke VPCs using defaults while choose correct Account and VPC info +#. Choose the Public Subnet +#. Enable Spoke Gateway HA by navigating to Transit network -> Setup -> #5 (Optional) Enable/Disable HA at Spoke GW + +.. note:: + Instance size of c5.xlarge will be required for Insane Mode Encryption for higher throughput. + +Step 3: Attach Spoke Gateways to Transit Network +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Transit and spoke gateways are deployed, next step is to connect them. Navigate to **MULTI-CLOUD TRANSIT -> Setup -> #6a Attach Spoke Gateway to Transit Network** + +Step 4: Connect Transit Gateway to On-Prem +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Aviatrix Transit Gateway can be connected to On-Prem Cisco IOS from Multi-Cloud Transit using `Connect Transit Gateway to External Device workflow `_ + + +Step 5: Create a Site2Cloud tunnel +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Before creating a S2C tunnel, it is important to understand few terms here: + + +Go to Controller Console -> Site2Cloud. + +Click "+Add New". Fill the form and click OK. Select "Mapped" for the Connection Type field. + +|s2c_connection| + + +5.1 VPC-1 gateway-1 side +######################### + +For the VPC gateway side, the Local Subnet field should be the subnet of VPC-1 (e.g. 
10.24.0.0/20), and the Remote Subnet field should be the subnet of OnPrem Router (e.g. 10.24.0.0/20), as shown below. + +================================================== ======================================================================= + **Field** **Value** +================================================== ======================================================================= + VPC ID/VNet Name Choose VPC ID + Connection Type Mapped + Connection Name Arbitrary (e.g. S2C-VPC-OnPrem) + Remote Gateway Type Generic + Tunnel Type Route-based + Algorithms Uncheck this box + Encryption over ExpressRoute/DirectConnect Uncheck this box + Enable HA Check this box if HA is required + Primary Cloud Gateway Select the Aviatrix Gateway created above + Remote Gateway IP Address Public IP of IOS Router WAN port (52.40.45.197 in this example) + Pre-shared Key Optional (auto-generated if not entered) + Remote Subnet (Real) 10.24.0.0/20 (On-Prem Network CIDR) + Remote Subnet (Virtual) Any/20 (On-Prem Network Virtual CIDR) + Local Subnet (Real) 10.24.0.0/20 (VPC-Cloud Network CIDR) + Local Subnet (Virtual) Any/20 (VPC-Cloud Network Virtual CIDR) +================================================== ======================================================================= + + + + + + + +.. |cmap_topology| image:: custom_mapped_solution_media/cmap_topology.png + :scale: 35% + +.. |scenario1_overlapping_cidr| image:: custom_mapped_solution_media/scenario1_overlapping_cidr.png + :scale: 35% + +.. |scenario1_remote_initiated| image:: custom_mapped_solution_media/scenario1_remote_initiated.png + :scale: 35% + +.. |scenario1_local_initiated| image:: custom_mapped_solution_media/scenario1_local_initiated.png + :scale: 35% + +.. |scenario2_remote_initiated| image:: custom_mapped_solution_media/scenario2_remote_initiated.png + :scale: 35% + +.. |scenario2_local_initiated| image:: custom_mapped_solution_media/scenario2_local_initiated.png + :scale: 35% + +.. 
|s2c_connection| image:: connect_overlap_cidrs_media/s2c_connection.png + :scale: 35% + +.. disqus:: diff --git a/HowTos/custom_mapped_solution_media/cmap_topology.png b/HowTos/custom_mapped_solution_media/cmap_topology.png new file mode 100644 index 000000000..649f036bc Binary files /dev/null and b/HowTos/custom_mapped_solution_media/cmap_topology.png differ diff --git a/HowTos/customize_aws_iam_policy.rst b/HowTos/customize_aws_iam_policy.rst index 9cd7ce4d7..c403c8a14 100644 --- a/HowTos/customize_aws_iam_policy.rst +++ b/HowTos/customize_aws_iam_policy.rst @@ -10,11 +10,7 @@ Customize AWS-IAM-Policy for Aviatrix Controller Introduction ============ -Aviatrix provides the `default -Aviatrix-AWS-IAM-Policy `__ -for its solution. This document provides examples on how to customize -these IAM policies. The customization reduces the scope of resource -privileges and helps you meet your organization's security requirements. +Aviatrix provides the `default Aviatrix-AWS-IAM-Policy `__ for its solution. This document provides examples on how to customize these IAM policies. The customization reduces the scope of resource privileges and helps you meet your organization's security requirements. Please do understand that without the right access and permissions, Aviatrix Controller and Gateways will not be able to function as designed and any changes you might make could disrupt your network - **we strongly request you to test all changes, thoroughly, in your sandbox/preprod/test environment before you push them to your production environment**. Please open a support ticket at `Aviatrix Support Portal `_, if you have any questions or issues. You can remove some of the policy rules by using this `default IAM-Policy `__ if you only plan on using the following Aviatrix features... 1. Gateway creation without ELB (Elastic Load Balancer) diff --git a/HowTos/default_route_faq.rst b/HowTos/default_route_faq.rst new file mode 100644 index 000000000..98e6c2bea --- /dev/null 
+++ b/HowTos/default_route_faq.rst 
@@ -0,0 +1,199 @@ +.. meta:: + :description: Default Route FAQ + :keywords: AWS Transit Gateway, AWS TGW, TGW orchestrator, Aviatrix Transit network, Firewall, DMZ, Cloud DMZ, Firewall Network, FireNet + + +========================================================= +Aviatrix Default Route Handling +========================================================= + +This document explains how Aviatrix handles the default route 0.0.0.0/0 starting from R6.2. + + +1. Public subnet vs. Private subnet +================================================================ + +A public subnet is different from a private subnet in a VPC/VNet by way of how the default route is managed. + +In AWS, a public subnet is well defined. If the subnet associated route table has a route entry 0.0.0.0/0 pointing to IGW, the subnet is a public subnet. On the other hand, if 0.0.0.0/0 does not point to IGW, this is a private subnet. + +In Azure, such distinction is less defined via explicit route entries. By default any VM in Azure is a public instance +with direct Internet access and can be reached +from the Internet as long as it has a public IP address. This is because Azure automatically programs a system route entry with 0.0.0.0/0 pointing to Internet, as shown in the screenshot below after a VM is launched. Azure's `system programmed default route` is displayed in Effective Routes. + +|system_default_route| + +Since Aviatrix Controller programs route table extensively and there are use cases that deal with egress control, it is important that the Controller follow well defined rules when handling different types of subnets. + +Below are what Aviatrix Controller defines as public or private subnet. 
+ + ++--------------------------------------+--------------------------------------+---------------------------------------------+ +| **Aviatrix definition table 1** | **AWS** | **Azure** | ++--------------------------------------+--------------------------------------+---------------------------------------------+ +| **Public** cloud subnet/route table | 0.0.0.0/0 to IGW | UDR does not exist | +| | +---------------------------------------------+ +| | | UDR is associated with a subnet: | +| | +---------------------------------------------+ +| | | - UDR: 0.0.0.0/0 entry doesn't exist | +| | +---------------------------------------------+ +| | | - UDR: 0.0.0.0/0 to Cloud Internet | ++--------------------------------------+--------------------------------------+---------------------------------------------+ +| **Private** cloud subnet/route table | 0.0.0.0/0 route entry does not exist | UDR is associated with a subnet: | +| +--------------------------------------+---------------------------------------------+ +| | 0.0.0.0/0 to non-Aviatrix NVA | - UDR: 0.0.0.0/0 to None | +| +--------------------------------------+---------------------------------------------+ +| | 0.0.0.0/0 to VGW | - UDR: 0.0.0.0/0 to non-Aviatrix NVA | +| +--------------------------------------+---------------------------------------------+ +| | 0.0.0.0/0 to TGW | - UDR: 0.0.0.0/0 to Virtual Network | +| +--------------------------------------+---------------------------------------------+ +| | 0.0.0.0/0 to AWS NAT gateway | - UDR: 0.0.0.0/0 to Virtual Network Gateway | +| +--------------------------------------+---------------------------------------------+ +| | overall: 0.0.0.0/0 to non-IGW | | ++--------------------------------------+--------------------------------------+---------------------------------------------+ +| Notes: | IGW: Internet gateways | UDR: User Defined Routing | +| +--------------------------------------+---------------------------------------------+ +| | NVA: Network Virtual 
Appliance | NVA: Network Virtual Appliance | +| +--------------------------------------+---------------------------------------------+ +| | VGW: Virtual private gateway | | +| +--------------------------------------+---------------------------------------------+ +| | TGW: AWS Transit Gateway | | ++--------------------------------------+--------------------------------------+---------------------------------------------+ + +.. important:: + + In Azure, the rule of thumb of classifying a subnet as private is that the subnet's associated route table has a UDR (User Defined Routes) route entry of 0.0.0.0/0 pointing to None, an NVA appliance, Virtual Network or Virtual Network Gateway. + + +2. Changes made on **Azure** in R6.2 +========================================================================= + +Prior to 6.2, Aviatrix Controller blindly overwrites the default route to point to Aviatrix gateway in every route table whenever egress control is involved. This can bring +outages if the deployment +has public facing application or VMs. In 6.2, the rules for Aviatrix Controller to overwrite the default route becomes well defined. + +.. tip:: + + Use Useful Tool `create a VPC tool` to create an Spoke and Transit Azure VNet. For Spoke VNet, the Controller will program a UDR default route 0.0.0.0 pointing to next hop type "None" to the route table associated with the private subnets. Check `Create a VPC `_ for more info. + +If you created Azure VNet via `create a VPC tool` prior R6.2 or created Azure VNet via your own scrip, make sure you inject a UDR route 0.0.0.0 pointing to next hop type +"None" to signal to the Aviatrix Controller that this is a private subnet and its default route can be overwritten. + +If you have already deploy Transit FireNet with Egress Control, upgrading to 6.2 does not impact the existing traffic. However if you detach a Spoke VNet and re-attach it or +disable Egress Inspection and re-enable it, the new rules will kick in. + +3. 
Testing +=================== + +When testing egress control from a VM in Azure VNet, make sure this VM is on a private subnet as defined in this document. Since this VM is on a private subnet without a public IP +address, you cannot directly SSH into the VM. You can use `Azure Bastion Service `_ or `Aviatrix User VPN gateway `_ to connect to the private IP address of the VM via SSH. + + + +4. Use case: Single SNAT or FQDN in a VPC/VNet +======================================================== + +Users can launch Aviatrix gateways within the network, and enable Single SNAT or FQDN feature on the gateway. Aviatrix gateway will discover 'private' subnets/route tables, then program default route 0.0.0.0/0 pointing to Aviatrix gateway into it. Furthermore, to reduce friction and to shorten downtime when users remove default route in their cloud environment by themselves, Aviatrix performs overwriting default route logic by default. By doing this, private instances/VMs internet traffic will go through Aviatrix gateway, and inspected by FQDN (if enabled). + + +Rule 4.1: Overwrite default route entry 0.0.0.0/0 in subnet/route table where Aviatrix defines it as “Private” when the below features are enabled: +--------------------------------------------------------------------------------------------------------------------------------------------------- + +Features: +^^^^^^^^^ + +- Single SNAT + +- FQDN discovery + +- FQDN + +High-level logic: +^^^^^^^^^^^^^^^^^ + +- Utilize the definition in this document above to discover private subnet/route table  + +- Save customer's original route entry 0.0.0.0 configuration + +- Overwrite route entry 0.0.0.0 to Aviatrix + +- Restore back customer's original route entry 0.0.0.0 configuration if users disable the above features + +Rule 4.2: Load balance the route entry 0.0.0.0/0 between Aviatrix gateways when users attempt to enable the same type of feature such as Single SNAT/FQDN which is already deployed in the same network. 
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + +- Refer to `NAT GW Load-balance with AZ affinity `_ for Aviatrix load balance detail + +5. Use case: Aviatrix Centralized Egress or on-prem advertising default route 0.0.0.0/0 +======================================================================================== + +In Aviatrix Transit Network solution, for private instances/VMS in spoke networks, users can choose centralized Egress by using Aviatrix FireNet, or using onprem Egress. In either case, Aviatrix transit gateway propagates 0.0.0.0/0 route to Aviatrix spoke gateways, and program 0.0.0.0/0 route in spoke private subnets/route tables. Thus, all private instances/VMs internet traffic are forwarded to transit gateway, and then forwarded to FireNet or onprem networks. + +How Aviatrix defines public or private subnet/route table in each cloud and what are the rules/scenarios for use case 2? +------------------------------------------------------------------------------------------------------------------------ + +Here we only discuss AWS and Azure. + +.. 
_aviatrixdefinitiontable2: + ++--------------------------------------+--------------------------------------+---------------------------------------------+ +| **Aviatrix definition table 2** | **AWS** | **Azure** | ++--------------------------------------+--------------------------------------+---------------------------------------------+ +| **Public** cloud subnet/route table | 0.0.0.0/0 to IGW | UDR does not exist | +| | +---------------------------------------------+ +| | | UDR is associated with a subnet: | +| | +---------------------------------------------+ +| | | - UDR: 0.0.0.0/0 entry doesn't exist | +| | +---------------------------------------------+ +| | | - UDR: 0.0.0.0/0 to Cloud Internet | ++--------------------------------------+--------------------------------------+---------------------------------------------+ +| **Private** cloud subnet/route table | 0.0.0.0/0 route entry does not exist | UDR is associated with a subnet: | +| | +---------------------------------------------+ +| | | - UDR: 0.0.0.0/0 to None | +| | +---------------------------------------------+ +| | | - UDR: 0.0.0.0/0 to Virtual Network | ++--------------------------------------+--------------------------------------+---------------------------------------------+ + +Rule 5.1: Aviatrix Transit Gateway on route 0.0.0.0/0 +------------------------------------------------------------------------------ + +Scenarios: +^^^^^^^^^^ + +- Learning default route 0.0.0.0/0 from on-prem + +- Learning default route 0.0.0.0/0 from Aviatrix Transit peering + +- Enabling Central Egress feature + +High-level logic: +^^^^^^^^^^^^^^^^^ + +- Utilize the `Aviatrix definition table 2 <#aviatrixdefinitiontable2>`_ above to discover private subnet/route table  + +- Program '0.0.0.0/0 to Aviatrix Spoke Gateway' into private subnet/route table of Spoke network, but it has a slightly different implementation for each cloud as below table. 
+ +- Program '0.0.0.0/0 to Aviatrix Transit Gateway' into private subnet/route table of Spoke network by following Azure implementation as below table if Azure ARM Spoke through Native Peering feature is deployed + ++--------------------------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------+ +| **Aviatrix definition** | **AWS** | **Azure** | ++--------------------------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------+ +| **Private** cloud subnet/route table | Silently ignore if there is a route 0.0.0.0/0 existed. | Silently ignore most of the route 0.0.0.0/0 if it is existed, but Aviatrix overwrites the default route 0.0.0.0/0 as follows: | +| +--------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------+ +| | Aviatrix does NOT overwrite 0.0.0.0/0 in this case. | - UDR: 0.0.0.0/0 to None | +| +--------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------+ +| | | - UDR: 0.0.0.0/0 to Virtual Network | ++--------------------------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------+ + +Rule 5.2: Error out a warning message when users attempt to enable single SNAT/FQDN in a Spoke network where default route 0.0.0.0/0 is already programmed by Rule 3.1. 
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + +Example: +^^^^^^^^ + +If there is a default route 0.0.0.0/0 learned from on-prem already existed in Aviatrix Transit solution, then Aviatrix will pop out a warning message when users attempt to enable single SNAT/FQDN features in Spoke network. + +.. |system_default_route| image:: default_route_faq_media/system_default_route.png + :scale: 30% + +.. disqus:: diff --git a/HowTos/default_route_faq_media/system_default_route.png b/HowTos/default_route_faq_media/system_default_route.png new file mode 100644 index 000000000..bba132af4 Binary files /dev/null and b/HowTos/default_route_faq_media/system_default_route.png differ diff --git a/HowTos/design_pattern_ipmotion.rst b/HowTos/design_pattern_ipmotion.rst deleted file mode 100644 index 37c43a277..000000000 --- a/HowTos/design_pattern_ipmotion.rst +++ /dev/null 
@@ -1,89 +0,0 @@ -.. meta:: - :description: IP motion Ref Design - :keywords: AWS Migration, DR, Disaster Recovery, aviatrix, Preserving IP address, IPmotion, ip motion - - -================================= -IPmotion Design Patterns -================================= - -This guide describes different design patterns, it assumes you have read `IPmotion Setup Instructions. `_ - -IPmotion connects an on-prem subnet and a cloud subnet with identical CIDR block, it is flexible to deploy. - -The cloud subnet can be a private subnet or a public subnet in AWS. -The connections can be over Internet or private links such as Direct Connect. There may be multiple cloud subnets in one VPC with each on-cloud subnet connecting to one on-prem subnet. - -1. IPmotion over Internet --------------------------- - -IPmotion over Internet is convenient as it requires no additional private link infrastructure such as Direct Connect, all you need is Internet access. This deployment model well suits applications whose bandwidth throughput requirement is less than 1Gbps. - -When IPmotion is deployed over the Internet, packets are encrypted in flight with IPSEC. - -If the cloud subnet is a public subnet, the IPmotion gateway subnet can be the same as the migrate subnet. - -If the cloud subnet is a private subnet, the IPmotion gateway subnet must be on a public subnet whose CIDR block does not overlap with any on-prem datacenter range, as displayed -in the diagram below. - -|image-internet| - - -2. IPmotion over Private Links --------------------------------- - -IPmotion over private link such as Direct Connect provides consistent bandwidth and -latency as well as regulatory compliance for certain industries. - -When IPmotion is deployed over Direct Connect, data is not encrypted in flight. - -The IPmotion gateway subnet must be an non-overlapping subnet with an on-prem datacenter. -This subnet must be routable to on-prem via AWS VGW. The route propagation should be enabled. 
- -Below is a deployment diagram. - - - |image-DX| - - -3. Migrating multiple subnets to one VPC ------------------------------------------ - -Multiple on-prem subnets can be migrated into one VPC with identical cloud subnets. -In this case, you need to identify one subnet that is not overlapping with any -on-prem datacenter CIDRs and use that as an IPmotion gateway subnet. -A deployment diagram is shown below. - - |image-multi| - - -4. IPmotion HA ----------------- - -The Aviatrix virtual appliance CloudN should be deployed in a VMware HA cluster for on-prem HA protection. - -The IPmotion gateway is monitored by CloudN for gateway health. If the gateway -becomes unreachable, CloudN will stop the gateway instance and start it again. -The default gateway failure detection and failover time is 3 minutes. -You can change this setting -by going to CloudN console, Settings -> Advanced -> KeepAlive and changing to a different setting. - - -5. Simultaneously migrate multiple VMs on multiple subnets -------------------------------------------------------------- - -You can simultaneously migrate multiple VMs on multiple subnets, deploy multiple Aviatrix virtual appliance CloudN and build connections. You can move on-prem IP addresses to a Staging state before the AWS AMI is ready, as long as you do not power down the on-prem corresponding VM (meaning the on-prem VM is still in operational state.) - -.. |image-internet| image:: ipmotion_media/ipmotion-internet.png - :width: 5.55625in - :height: 3.26548in - -.. |image-DX| image:: ipmotion_media/ipmotion-DX.png - :width: 5.55625in - :height: 3.26548in - -.. |image-multi| image:: ipmotion_media/ipmotion-multi.png - :width: 5.55625in - :height: 3.26548in - -.. disqus:: diff --git a/HowTos/discover_flows.rst b/HowTos/discover_flows.rst new file mode 100644 index 000000000..56c4fb5f8 --- /dev/null +++ b/HowTos/discover_flows.rst 
@@ -0,0 +1,29 @@ +.. meta:: + :description: Discover unencrypted flows in a VPC + :keywords: AWS VPC, VPC flow log, unencrypted traffic + +################################### +Discover Unencrypted Traffic +################################### + +If you think all the application instances in an AWS VPC run on TLS protocol, think again. `DevOps Tools Survey `_ shows that majority of the DevOps tools are not encrypted. + +This useful tool applies to an AWS VPC. + +The tool leverages AWS VPC flow log to discover all traffic sent and received by instances in the VPC via VPC flow log, it then +downloads the VPC flow log files +and displays them. When you run the tool, it enables VPC flow log in the specified VPC, region and account, it also creates a S3 bucket to +store the flow log files. Once the tool receives the first batch of flog log files, it returns the findings and also disables vpc flow log and +removes the S3 bucket created. + +Traffic sessions that destined to TCP port 443 (HTTPS) and TCP port 22 (SSH) are excluded from the display. + +Note traffic that runs on UDP port 500/4500 are known as IPSEC protocol and as such is indeed encrypted, but the tool displays them. + +The tool typically takes 5 - 6 minutes to complete. + + +.. |edit-designated-gateway| image:: gateway_media/edit-designated-gateway.png + :scale: 50% + +.. disqus:: diff --git a/HowTos/diy_tgw_migrate_to_aviatrix_tgw_media/default.profraw b/HowTos/diy_tgw_migrate_to_aviatrix_tgw_media/default.profraw new file mode 100644 index 000000000..e69de29bb diff --git a/HowTos/encrypt_ebs_volume.rst b/HowTos/encrypt_ebs_volume.rst index 96d032806..a143b0c60 100644 --- a/HowTos/encrypt_ebs_volume.rst +++ b/HowTos/encrypt_ebs_volume.rst @@ -7,6 +7,9 @@ Encrypt EBS Volume ############################ +.. note:: + + Aviatrix starts to support enabling EBS encryption by default when users launch gateway since release 6.0. Description ------------ 
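Review bot: the exclusion rule in `Traffic sessions that destined to TCP port 443 (HTTPS) and TCP port 22 (SSH) are excluded from the display.` classifies traffic by destination port only, and the page should say so: a listener on 443 is not necessarily TLS, TLS on a non-standard port is reported as unencrypted, and the text itself concedes that IPsec on UDP 500/4500 still shows up as a finding. The description also says the tool enables VPC Flow Logs, creates an S3 bucket, then disables the log and deletes the bucket, so state the IAM permissions it needs for those account changes and what is left behind (flow log enabled, bucket with captured traffic metadata) if the run is interrupted before cleanup. Minor: `flog log files` should be `flow log files`, the `DevOps Tools Survey` link has no target, and the `|edit-designated-gateway|` substitution at the bottom is defined but never used on this page.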
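Review bot: the new note in encrypt_ebs_volume.rst is ambiguous about whether encryption is on or merely available: `Aviatrix starts to support enabling EBS encryption by default when users launch gateway since release 6.0.` reads either way. Say which it is, for example `Since release 6.0, new gateway EBS volumes are encrypted by default` or `Since release 6.0, EBS encryption can be enabled at gateway launch`, and name the key that is used in the default case (AWS managed key or a customer CMK), since the rest of the page deals with the CMK case.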
@@ -100,6 +103,7 @@ How to encrypt gateway EBS volume via Aviatrix controller? .. note:: You can see that the gateway EBS volume was encrypted. Also, the previous unencrypted volume will be kept. + Please make sure to add "aviatrix-role-app" to the CMK as Key users in KMS when you want to replace or resize the gateway later. | diff --git a/HowTos/error-msgs.rst b/HowTos/error-msgs.rst index f25fbf0c7..86bd7c945 100644 --- a/HowTos/error-msgs.rst +++ b/HowTos/error-msgs.rst 
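Review bot: the added line `Please make sure to add "aviatrix-role-app" to the CMK as Key users in KMS when you want to replace or resize the gateway later.` should say what fails otherwise (the replace or resize cannot use the encrypted volume because the Controller's role has no permission on the key) so a reader can recognise the error, and should allow for accounts onboarded with a non-default role name, for example `the IAM role used for the Aviatrix account (aviatrix-role-app by default)`. Also worth a sentence: the console's `Key users` role grants the full usage set on that key, including CreateGrant, which is broader than this operation needs, so a dedicated CMK for gateway volumes is preferable to reusing a shared key.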
@@ -229,9 +229,26 @@ You may have exceeded GCP IN_USE_ADDRESSES limits on this account. By default in Error: [Aviatrix Error] LAN interface is not in demo1-oregon-firenet-gw firewall subnet subnet-09f70b0922e5878ce. When you try to associate firewall instance to FireNet gateway, the firewall's LAN instance must stay in the same subnet with FireNet gateway's firewall subnet. It is recommended to use Aviatrix controller to launch and associate firewall, which guarentee all the subnets and interfaces are correct. If you launch your own firewall, you need to make sure the firewall interfaces are correct. -The firewall subnets/interfaces are created when enable FireNet function on the gateway. If you create firewall instance before enable FireNet function, those instances can not associate with gateway due to mismatched interface. One way to solve this is to use REST-API to enable FireNet function, and provide existing subnets as option. Please refer to API doc. +The firewall subnets/interfaces are created when enable FireNet function on the gateway. If you create firewall instance before enable FireNet function, those instances can not associate with gateway due to mismatched interface. One way to solve this is to use API to enable FireNet function, and provide existing subnets as option. Please refer to API doc. +-------------------------------------------------------------------- + +:: + + Error: TCP: connect to [AF_INET] failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive. + +This error may be found in Aviatrix VPN Client logs. It will be returned in the event a TCP OpenVPN Gateway is deployed behind an AWS NLB, but port 943 is not open to the preserved source IP's. We recommend opening port 943 to 0.0.0.0/0 to prevent connectivity issues like this. 
Please refer to the following documentation for OpenVPN required ports: + +https://docs.aviatrix.com/Support/support_center_openvpn_gateway.html#which-ports-should-i-have-open-in-my-firewall-to-allow-openvpn-users-to-come-in +-------------------------------------------------------------------- + +:: + + Error: [Aviatrix Error] An error occurred (InsufficientFreeAddressesInSubnet) when calling the CreateTransitGatewayVpcAttachment operation: Insufficient Free IP Addresses in subnet. + +This error will be returned when there are 0 available IP addresses in a subnet that is being attached to the TGW. You must have at least one available IP address in each subnet that will be attached. + -------------------------------------------------------------------- :: diff --git a/HowTos/field_notices.rst b/HowTos/field_notices.rst index ed411b147..614367ebd 100644 --- a/HowTos/field_notices.rst +++ b/HowTos/field_notices.rst 
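Review bot: the mitigation `We recommend opening port 943 to 0.0.0.0/0 to prevent connectivity issues like this.` contradicts the diagnosis in the same paragraph, which says the failure is that port 943 is not open to the preserved source IPs; the fix is to allow TCP 943 from the VPN client source ranges the NLB preserves (or from the NLB subnets if client IP preservation is disabled), not from the whole Internet. Reword to `allow TCP 943 from the VPN client source addresses` and, if a broad rule really is required, say why. Minor, same hunk: `IP's` should be `IPs`.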
@@ -5,6 +5,524 @@ Field Notices .. Note:: These field notices are provided as a service to our customers to proactively update them on major issues. This service is provided without any changes in our SLA. The information in this field notice will be updated as we learn more. + + + +Field Notice 0036 (2022/01/11) +-------------------------------- + +**High and Medium Severity Vulnerability - AVI-2021-0008** + +A new software release with a fix for this vulnerability was made available on Tuesday, January 11th, 2022. Aviatrix is strongly recommending you to upgrade to the new release at your earliest convenience. This vulnerability was discovered by Aviatrix engineering team and is not known to be exploited. Please refer to `Release Notes `_ and `Security Bulletin `_ for more information. + +The upgrade mechanism is described in our documentation: + +* For 6.4 release, refer to `these instructions `_ +* For 6.5 release, start `here `_ + +Please subscribe to the Security Alerts mailing lists at securityalerts@aviatrix.com to get notified earlier on any future vulnerabilities. To subscribe, send an email to securityalerts@aviatrix.com with "Subscribe" in subject line. + +If you run into any issues during upgrade, you can reach out to Aviatrix Support by opening a ticket at Support Portal at https://support.aviatrix.com + + + + +Field Notice 0035 (2021/10/25) +-------------------------------- + +**Critical Vulnerability Security Patch - AVI-2021-0006** + +This security patch was made available Monday, October 25th, 2021 at 05:00PM PST. The critical vulnerability addressed by this patch was privately disclosed to Aviatrix. It affects services of Controller available on port 443 and would allow an unauthenticated attacker to execute code on the Controller. This could be mitigated by limiting access to the https/port 443 of the Controller, or by running a Web Application Firewall (WAF) in front of it. Please refer to our documentation to `secure the Controller access `_. 
+ +Aviatrix is strongly recommending you to apply this patch at your earliest convenience. To apply a security patch, please refer to the following steps: + +* First, do a backup on your Controller in “Controller/Settings/Maintenance/Backup&Restore/Backup Now” +* Go to “Controller/Settings/Maintenance/Security Patches” and click on “Update Available Patches” +* You should see a new patch called: “AVI-2021-0006 Critical Vulnerability Security Patch” +* Apply the patch, by clicking on the icon on the right and selecting “Apply Patch” +* Take a backup again at “Controller/Settings/Maintenance/Backup&Restore/Backup Now” + +**Note:** + +* The security patch does not impact the data path or control path and can be executed without a maintenance window +* This patch can be applied on releases 6.2 and higher +* Aviatrix **strongly recommends** you to upgrade to releases 6.4 or higher. Please check out the `release notes `_ and follow the `upgrade instructions `_ + + + + +Field Notice 0034 (2021/10/11) +-------------------------------- + +**Security Fixes for 6.2, 6.3, 6.4, and 6.5 versions to improve security** + +These releases address a Denial-of-Service vulnerability and also improve the security on Controllers by automatically enabling `security group management `_ when the first account is added to the Controller, to deal with security updates in CloudFormation when launching new Controllers. + +Please upgrade to latest release: + +- 6.2: 6.2.2052 or later +- 6.3: 6.3.2526 or later +- 6.4: 6.4.2869 or later +- 6.5: 6.5.1936 or later + +Refer to the `Security Alert `_ for more details on these updates. + +Please upgrade to these builds, following the `upgrade instructions `_, as soon possible. 
+ + + +Field Notice 0033 (2021/10/02) +-------------------------------- + +**The latest 6.5, 6.4, 6.3, and 6.2 versions contain fixes for several vulnerabilities in the controller API** + +**Problem:** + +Several APIs used to upload configurations of certain services did not verify the authentication of the service or user executing the API call properly. Similar APIs designed to upload files from authenticated users did not properly sanitize their destination input, allowing directory traversal attacks which could eventually allow an authenticated attacker to execute code on the controller. + +**Recommended Solution:** + +Please upgrade to latest release: + +* 6.2: 6.2.2043 or later +* 6.3: 6.3.2490 or later +* 6.4: 6.4.2838 or later +* 6.5: 6.5.1922 or later +Credit: Aviatrix would like to thank the team at Tradecraft ( https://www.wearetradecraft.com/ ) for the responsible disclosure of these issues. + +Release notes also available on: https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html + +Please upgrade to these builds, following the `upgrade instructions `_, as soon possible. + + + +Field Notice 0032 (2021/09/09) +-------------------------------- + +**In rare occasions, Controller backup file could get corrupted, resulting in gateways being shown as “down” if used for a Controller restore** + +**Problem:** + +We have observed, on one occasion, that the Controller’s backups were corrupt. If the backup file does get corrupt, the size of the backup file will be much larger than expected (in tens of MB or larger - much larger than the typical sizes ≤1 MB). The size would be the only indication of the backup file corruption. This issue is being tracked as AVX-14852 + +**Recommended Solution:** + +A fix for this issue is in works and will be released for the supported releases (6.2, 6.3, 6.4, 6.5) on 9/11/2021. Please upgrade to these builds, following the `upgrade instructions `_, as soon possible. 
+ +We request that you inspect your backup file size and if it is larger than expected, please go to Controller/Settings/Backup and click on “backup now” while not running any other operation on the Controller - and compare the backup file sizes. +* If the new backup file size is as expected, please save a copy. And upgrade to the new builds with fix for AVX-14852 +* If the new backup file size continues to be large, please reach out to Aviatrix Support at https://support.aviatrix.com + + + + + + +Field Notice 0031 (2021/08/06) +-------------------------------- + +**After a Gateway Replace operation on version 6.4 or later, the Site2Cloud connections on the Gateway might not come up** + +**Problem:** + +If you run a "Gateway Replace" operation from a Controller running version 6.4 or later, on a gateway which was created when this Controller was running on 6.3 or earlier, the Site2Cloud connections on this Gateway might not be able to come up + +The default IPSec tunnel management software was changed in the `Gateway Images `_ associated with `version 6.4 `_ and later. Any Gateway which might have been created while running version 6.3 or older will be using the older IPSec tunnel management software. While the Controller ported the config from the old Gateway to the new Gateway, one of the field's default setting has changed. This setting could come into play based on the devices that this Gateway has established Site2Cloud tunnels and might result in the Site2Cloud tunnel not coming up. This was `documented in the 6.4.2499 release notes `_. You can find `more information `_ on our `Support Portal `_ about this issue + +**Recommended Solution:** + +If the Site2Cloud tunnel(s) does/do not come up on a Gateway after a "Gateway Replace" operation in 6.4, please go to Controller/Site2Cloud, select the tunnel, click on edit and update the "Remote Identifier" field. If you have any issues, please open a ticket on our `Support Portal `_. 
+ + + + + + + + +Field Notice 0030 (2021/07/19) +-------------------------------- +**Upgrade from 6.3 to 6.4 could cause gateways to be in down/polling state if any of them have more than 44 characters** + +**Problem:** + +We had announced in Field Notice 0027(https://docs.aviatrix.com/HowTos/field_notices.html#field-notice-0027-2021-04-29) that gateway names are required to be 50 characters or less. We have noticed that during upgrade operations, from 6.3 to 6.4, we are further limited on the gateway name length to 44 characters due to a new default behavior introduced in 6.4. + +From 6.4, we started using self-signed certs to authenticate management/control communication between controller and gateways. The default cert domain used is "aviatrixnetwork.com". This ends up using 20 characters from our internal max of 64 characters - leaving only 44 characters for the gateway names(including "-hagw", if the gateway has an HA gateway). If the controller has any gateways with names longer than 44 characters, that gateway and the following gateways in the upgrade process could show up as "down/polling" state on the gateway page. + +**Recommended Solution:** + +* If all your gateway names(including ha gateways) have less than 44 characters, you are not impacted by this issue +* If the name length of any of your gateways is 45 to 50 characters, you have two options + + * While in 6.3, you can delete them and recreate them with names shorter than 44 characters (39 chars max, if you plan to have HA gateway, to account for 5 extra characters in "-hagw" which will be appended to the HA gateway name) + * Upgrade to 6.4. Some gateways will not be in "green/up". To recover, head to Controller/Onboarding and click in "AWS" icon and enter "av.com". All gateways should come up in "green/up" status. If not, please perform "Troubleshoot/Diagnostics/Gateway/ForceUpgrade" on the affected gateways. 
+* If any of your gateway names have more than 50 characters (including "-hagw") please schedule a downtime, delete them, and create them again with shorter names(<44 chars, <39 chars if you have an HA for them). + +If you need further support, please head to our support portal at https://support.avaiatrix.com and open a new ticket. + + + +Field Notice 0029 (2021/05/11) +-------------------------------- +**Do not upgrade Controllers to R6.4.2499 if you have CloudN’s in your network** + +Due to some unresolved issues in R6.4.2499, we strongly ask that you do not upgrade your Aviatrix Controller or CloudN devices to R6.4.2499. If you upgrade to this build, your CloudNs could fail, impacting your network operations. + +Please look to our `release notes `_ on future 6.4 builds for guidance on upgrading your network when CloudN devices are involved. We apologize for any inconvenience. + + + +Field Notice 0028 (2021/05/03) +-------------------------------- +**End of Life (EOL) announcement for Gateway AMI's** + +Gateway AMI's based on Ubuntu 14 and Ubuntu 16 are designated EOL effective 5/3/2021. Aviatrix is discontinuing support because these operating systems have reached their end of standard support from the provider. Please see the Ubuntu release information at https://wiki.ubuntu.com/Releases and https://ubuntu.com/about/release-cycle. + +What is the impact if you remain on a deprecated release that is designated EOL? + + * The Aviatrix Support team does not provide assistance on EOL releases. + * Patches for known issues and vulnerabilities are no longer provided. + +**Recommendation** + +Replace the deprecated gateways and use the new AMIs. To update your Aviatrix gateways, you may need to upgrade your Aviatrix Controller first. The Gateway page lists the AMIs for all your gateways. Go to "Gateway->Column View->Select Gateway Image Name->Apply Columns". For more information, see https://docs.aviatrix.com/HowTos/image_release_notes.html. 
+ +Discover all deprecated AMIs. Download the "Generate list of Aviatrix Gateways using deprecated AMIs" utility from "Settings->Maintenance->Software Patches->Update Available Patches". Run this utility to send an email to the admin with a list of all gateways running deprecated AMI's. + +We recommend that you replace gateways running Ubuntu14 and Ubuntu16 based AMIs before upgrading to 6.4. + +Upgrade your Aviatrix Controller to the latest 6.3 release following the instructions at https://docs.aviatrix.com/HowTos/inline_upgrade.html and replace these gateways using the procedures at https://docs.aviatrix.com/HowTos/image_release_notes.html#existing-customers-gateway-image-upgrade. + +You can also use the following Aviatrix API's to replace your gateways programmatically: + + * Login and generate CID: curl --location -g --request POST 'https://{{controller_hostname}}/v1/api' --form 'action="login"' --form 'username="admin"' --form 'password="{{admin_password}}"' + * Use the CID generated above to resize gateway and wait till it is complete, before running on another gateway : curl --location -g --request POST 'https://{{controller_hostname}}/v1/api' --form 'action="replace_gateway"' --form 'CID="{{CID}}"' --form 'gateway_name="{{gateway_name_in_controller}}"' + * Check the Gateway AMI information: curl --location -g --request GET 'https://{{controller_hostname}}/v1/api?action=get_gateway_info&CID={{CID}}&gateway_name={{gateway_name_in_controller}}' + +Aviatrix strongly recommends that you keep your Aviatrix Network up to date with the latest releases. We also strongly suggest that you periodically check the AMI versions on all your gateways and update them to get the latest fixes for known issues and vulnerabilities. + +If you have any difficulties in upgrading your Gateways or have any questions about your Aviatrix network, please open a `support ticket `_. 
+ + + + +Field Notice 0027 (2021/04/29) +-------------------------------- +**Gateway names longer than 50 bytes can cause issues** + +**Problem** + +In Version 6.2 and prior, customer may create a spoke or transit gateway name exceeding 50 Bytes. During peer creation a failure may occur if the peering name (concatenation of spoke-to-transit, spoke-to-spoke, etc) exceeds 120 Bytes and throws an error. + +(example) +Error: command create_peer_xx_gw failed due to exception errors fully qualified namespace peering_info.xxxxxxxx is too long (max is 120 bytes) + + +**Recommended Solution** + +Version 6.2 and prior: If spoke or transit name exceeds 50 Bytes, manually delete and re-create gateway with name limited to 50 Bytes or less. + +Version 6.3 and higher: Newly created spoke and transit gateway names are checked and limited to 50 Bytes or less. However, if there are any residual gateways (6.2 and prior) with name exceeding 50 Bytes they must be deleted and re-created to avoid this issue. + + + +Field Notice 0026 (2021/04/28) +-------------------------------- +**End of Life (EOL) announcement for Aviatrix VPN Clients for Ubuntu 14.04 and Ubuntu 16.04** + +VPN Clients running on Ubuntu 14.04 are designated EOL effective immediately. VPN Clients running on Ubuntu 16.04 are designated EOL effective 6/1/2021. Aviatrix is discontinuing support because these operating systems have reached their end of standard support from the provider. Please see the Ubuntu release information at https://wiki.ubuntu.com/Releases and https://ubuntu.com/about/release-cycle. + +What is the impact if you remain on a deprecated release that is designated EOL? +The Aviatrix Support team does not provide assistance on EOL releases. +Patches for known issues and vulnerabilities are not provided. + +Recommendation +Please upgrade to one of the supported `Aviatrix VPN Clients `_. 
+ +If you have any difficulties in upgrading your Aviatrix VPN Client, please contact your Aviatrix Network Admin and have them open a `support ticket `_. + + + +Field Notice 0025 (2021/04/26) +-------------------------------- +**End of Life (EOL) announcement for 5.4, 6.0, 6.1 releases** + +Following up on Field Notice `0012 `_ and `0016 `_, we are announcing EOL and End of Support for releases 5.4, 6.0 and 6.1. The R5.4 EOL date is 6/1/2021, the R6.0 EOL date is 6/19/2021 and the R6.1 EOL date is 8/31/2021. + +What is the impact if you remain on a deprecated release that is designated EOL? + + * The Aviatrix Support team does not provide assistance on EOL releases. + * Patches for known issues and vulnerabilities are not provided. + * Enabling the remote SSH support option as well as sending logs and diagnostics to Aviatrix Support may not work. + * The default SMTP on the Controller cannot send Alerts. + +**Recommendation:** +Please use the following processes to upgrade your Aviatrix network: + +* https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html +* https://docs.aviatrix.com/Support/support_center_operations.html#pre-op-procedures +* https://docs.aviatrix.com/HowTos/inline_upgrade.html + +If you have any difficulties upgrading your Aviatrix network, please open a `support ticket `_. + + + + +Field Notice 0024 (2021/04/25) +-------------------------------- +**Controller HA Code Improvements for release R6.3 and R6.4** + +Problem: +Improved Controller HA process to avoid corner cases related to Controller HA restore failures. + +What is Impacted? +Controllers deployed in AWS with the "Controller HA" process enabled. + +Recommendation +For Controllers running in AWS with the Controller HA process enabled, Aviatrix strongly recommends that you `disable `_ and `reenable `_ the "Controller HA" process as soon as possible to pick up the latest version of the software. 
This operation should not impact the Controller that is in operation but we do recommend that you follow our `pre-operation recommendations `_. Please see https://docs.aviatrix.com/HowTos/controller_ha.html for more information on Controller HA. Please verify that your `Controller HA `_ version is 1.6 or higher. Please check `Controller HA release notes `_. + + +Please note that enabling and disabling the Controller HA process is a prerequisite for upgrading to release R6.4, which is scheduled to be released soon. + +* https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html +* https://docs.aviatrix.com/Support/support_center_operations.html#pre-op-procedures +* https://docs.aviatrix.com/HowTos/inline_upgrade.html + + + +Field Notice 0023 (2021/04/24) +-------------------------------- +**Default SMTP Service Down on releases < 6.2.1955** + + +**Problem:** + +The default SMTP service used by Aviatrix has been impacted in releases older than 6.2.1955. Alerts generated from the Controller will fail to reach the admin by email. Gateways are not impacted. Password recovery by email and sending OpenVPN profiles via email will also be impacted. + + +**Who is impacted?** + +Any Controller running versions older than R6.2.1955 that also does not have an SMTP server configured to override the default service. + + +**Recommended Solution:** + +To resolve this issue, please upgrade your Controller to the latest R6.2(>=6.2.1955) or R6.3 software version following the instructions at https://docs.aviatrix.com/HowTos/inline_upgrade.html, or configure your own SMTP service to override the default SMTP service using the instructions at https://docs.aviatrix.com/HowTos/alert_and_email.html. + +This issue will not be addressed in 5.4, 6.0 and 6.1 releases so if your Controller is running one of these releases, Aviatrix strongly encourages you to upgrade to the 6.3 release. 
+ + +Field Notice 0022 (2021/04/19) +-------------------------------- + +**Deprecated build 6.3.2405** + +Last week, Aviatrix published R6.3.2405 and due to the incorrect handling of a corner case issue we decided to deprecate R6.3.2405. If you upgraded to R6.3.2405 your controller might incorrectly notify you that there is a newer release, since you are not running the current R6.3.2364 release. We request that you ignore this upgrade notification. We will be releasing a new build > R6.3.2405 later today. You can safely upgrade to the new release. + +**Recommendation:** +Please use the following processes to upgrade your Aviatrix network: + +* https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html +* https://docs.aviatrix.com/Support/support_center_operations.html#pre-op-procedures +* https://docs.aviatrix.com/HowTos/inline_upgrade.html + +If you have any questions about your Aviatrix network, please open a `support ticket `_. + + +Field Notice 0016 (2020/12/22) +---------------------------------- +**EOL update for release 5.3 and older** + +This Field Notice is a follow up to an earlier Field Notice 0012 we published in August 2020 on Security vulnerabilities in R5.3 and older and our recommendation to upgrade. + +**Support for R5.3 or earlier will end on January 31st , 2021** + +Aviatrix has decided to extend the date to January 31st, 2021 to aid any customers who are unable to upgrade to release 5.4 or newer due to the upcoming holiday / freeze period. + +Please refer back to Field Notice 0012 for detailed instructions on how to upgrade. + +On January 31st, 2021, as a security measure, Aviatrix will change credentials on our auth server. This applies to ALL customers and will have no impact to customers who are on release 5.4 and newer. + +**What is the impact if customer remains on R5.3 or older code on/after Jan 31st 2021:** + +a. Customer will be unable to send logs to support + +b. 
Customer cannot enable Remote SSH support option and send diagnostics to support + +c. Customer will be unable to get the latest default SMTP credential for Controller to send Alerts + +d. Customer will not be able to get assistance from Aviatrix Support on EOL code + +**Recommendation:** Please follow guidance specified in Field Notice 0012 and upgrade immediately. + + +Field Notice 0015 (2020/12/07) +---------------------------------- +**Default SMTP Service Down** + +Aviatrix is performing maintenance on our default SMTP service. Email alerts are down for older Controller versions. Gateways are not impacted. + +**Who is impacted?** + +Controller with older version before R5.4.1201 + +All GCP Controllers + +**Resolution** + +To resolve this issue, upgrade your Controller to the latest software version or configure your own SMTP service. Please see instructions: https://docs.aviatrix.com/HowTos/alert_and_email.html?highlight=smtp + +For GCP Controllers, please monitor the latest release notes for the patch. + + +Field Notice 0014 (2020/10/06) +---------------------------------- +**Recommended Controller version for enabling Copilot** + +• Customers running or planning to deploy Copilot should upgrade their controller to latest 6.1 patch (R6.1.1401, released on 10/4/2020) or newer. R6.1.1401 enables multi-core processing capability on the controller to handle Copilot queries. + +https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html#r6-1-1401-10-4-2020 + +• Please reach out to your AE/SE to identify the appropriate sizing requirements for your controller based on your network. 
+ +• If you are unable to upgrade to the latest 6.1 patch (R6.1.1401) and are experiencing slowness or long response times from the controller with Copilot enabled in your environment then we recommend either of the following remediation: + + o Shutdown Copilot + + o Update Security Group to block (443) Copilot from talking to controller + +• Once you upgrade controller to R6.1.1401 or newer, we recommend the following default interval settings on the Copilot: + +|imagefn14| + + +Field Notice 0013 (2020/09/04) +---------------------------------- +**Products Affected** + +• Aviatrix CoPilot + +**Problem Description:** + +Aviatrix Software Release 6.1 introduced a feature to support gateway name change from the Controller Dashboard which breaks Topology Map and tagging feature available in CoPilot. + +**Recommended Solution:** + +• If you have deployed Aviatrix software release 6.1 on the controller and have not made any changes to gateway names, please refrain from making any changes. The gateway name change feature has been removed from the software in the latest 6.1 patch release and thereafter. Please upgrade your software to the latest 6.1 release 6.1.1309 +https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html#r6-1-1309-9-7-2020 + +• If you are running both Aviatrix 6.1 release (older than patch 1309) and CoPilot in your environment, and if you have made changes to a gateway name already, please change it back to its original name to restore the topology and tagging functions in CoPilot. +Then, upgrade the software to release 6.1.1309 + +• If you haven’t upgraded Aviatrix Software release to 6.1, please upgrade to the latest 6.1 release 6.1.1309 + +Field Notice 0012 (2020/08/07) +---------------------------------- +**Security Vulnerabilities in R5.3 and Earlier** + +**Problem** +In May 2020, Aviatrix worked with Critical Start, a Security Researcher firm, on some security vulnerabilities on Aviatrix Controller R5.3. 
The vulnerabilities were identified in the lab. The discoveries had some critical severity issues. These issues were considered critical under the assumption that there were no other safeguards in place. + +Aviatrix addressed all the issues that were identified. All the resolutions have also been validated by the reporter. Details about these issues are published in our PSIRT Advisory at https://docs.aviatrix.com/HowTos/security_bulletin_article.html + +**Recommended Solution** +We request our customers to upgrade their Controller to 5.4.1290 or higher, following the instructions at https://docs.aviatrix.com/HowTos/inline_upgrade.html to get the above fixes. We strongly recommend that the Controller be upgraded to 6.0.2483 or higher. + +Please note that if the Controller is running an older AMI, it needs to be migrated to run on the latest AMI before upgrading to 5.4. If the Controller is already running 5.4 or above, a Controller AMI migration is not needed. More information about the Controller AMI migration is at https://docs.aviatrix.com/HowTos/controller_migration.html + +**Procedure** + +Check if the controller is running an older AMI or a newer AMI + +* Go to "ControllerUI/Troubleshoot/Diagnostics/Gateway/Diagnostics", select "none" under "Gateway" and check the box next to controller and click on "Run" + +* After the operation is complete, click on "Show" + +* Do a browser search for "Ubuntu SMP" to find out if the controller is running a 14.0.4 AMI or an 18.0.4 AMI as show below. 
+ + +If the controller is running a 14.0.4 AMI + +* Please follow the upgrade instructions at https://docs.aviatrix.com/HowTos/inline_upgrade.html carefully to upgrade to 5.3 + +* Once you reach 5.3, please upgrade the Controller AMI following the instructions at https://docs.aviatrix.com/HowTos/controller_migration.html + +* Please continue upgrading to at least 5.4.1290 following the above instructions + +* It is highly recommended that you upgrade your controller to 6.0.2483 or higher + + +If the controller is running an 18.0.4 AMI + +* Please follow the upgrade instructions at https://docs.aviatrix.com/HowTos/inline_upgrade.html carefully to upgrade to 5.4.1290 + +* It is highly recommended that you upgrade your controller to 6.0.2483 or higher + +Please consider upgrading your controller instance size if your workload has increased since you have deployed your Controller. We recommend an instance with at least 8GB of memory (t2/t3 large, c5.xlarge or larger) + +Please open a ticket with the Support Team by sending a new email to support@aviatrix.com or at https://aviatrix.zendesk.com if you need have any further questions or if you need us to review your upgrade plans or if you need any other assistance for these upgrades. + +**Support for R5.3 or earlier will end December 31, 2020** +Although we try to minimize impact, security is Aviatrix’s top priority. The Aviatrix terms of use require customers to stay on the current release. Support for R5.3 or earlier will end December 31,2020. 
+ +**Sample image for 14.04 Controller** + +|image1404Controller| + +**Sample image for 18.04 Controller** + +|image1804Controller| + +Field Notice 0011 (2020/08/02) +---------------------------------- + +**Unable to log into Controller with Chrome browser** + +**Problem:** +After upgrading to 6.0 or above, users were not able to log into Controller with Chrome browser using SAML or admin user/password + +**Recomended Solution:** +Upgrade to 6.0.2481 or 6.1.1162 release + +**Work around:** +1. Go to url chrome://flags/; +2. Search for keyword “samesite” and Disabled all three; and Relaunch; +3. Or try using Firefox or any browser other than Chrome + + +Field Notice 0010 (2020/05/12) +---------------------------------- + +**VPN Client Security Vulnerability** + +**Problem** +We have found defects that was introduced in VPN Client 2.8.9. The Aviatrix VPN client on Linux, macOS, and Windows is vulnerable to elevated access. See details in our PCIRT Advisory links below. + + - AVX-IR-20-005 OpenVPN Client 2.8.2 - Elevation of Privilege on macOS, Linux and Windows + + - AVX-IR-20-004 OpenVPN Client 2.8.2 - Arbitrary File Write + +**Recommended Solution:** +VPN Client upgrade to 2.10.7 and Controller version should be at least 5.3 or higher. + +In addition, you must configure your Controller under OpenVPN > Edit Config > Minimum VPN Client Version setting to version 2.10.7 to enforce the client’s upgrade. + +Field Notice 0009 (2020/03/11) +-------------------------------- + +**New Gateway deployment failure can delete routes** + +**Problem:** +We have found a defect that was introduced in release 5.3. When a gateway creation fails due to limited resource, the gateway rollback procedure incorrectly deletes existing routes ​in the VPC where the gateway is deployed. It has now been fixed in 5.3.1491. 5.2 and earlier releases are NOT impacted with this issue. + +**Recommended Solution:** +Upgrading to the latest 5.3 release (5.3.1491 or above) will address this issue. 
+ +One of the common causes of a gateway deployment failure is not having enough EIP's available in your account. We strongly recommend that you upgrade to the latest 5.3 release (5.3.1491 or above) if you are running an earlier 5.3 release. Releases 5.2 and earlier are NOT impacted. You can safely upgrade to 5.3 latest. + +Please follow the instructions at https://docs.aviatrix.com/HowTos/inline_upgrade.html to upgrade your Aviatrix software. You can create a new support ticket by sending a new email to support@aviatrix.com or by registering at https://aviatrix.zendesk.com, if you need assistance for this upgrade. + @@ -180,5 +698,13 @@ For further information, or to open a support ticket, please visit https://www.a OpenVPN is a registered trademark of OpenVPN Inc. - +.. |image1404Controller| image:: field_notices_media/1404Controller.png + :width: 600 + +.. |image1804Controller| image:: field_notices_media/1804Controller.png + :width: 600 + +.. |imagefn14| image:: field_notices_media/fn14.png + :width: 600 + .. disqus:: diff --git a/HowTos/field_notices_media/1404Controller.png b/HowTos/field_notices_media/1404Controller.png new file mode 100644 index 000000000..f80aac183 Binary files /dev/null and b/HowTos/field_notices_media/1404Controller.png differ diff --git a/HowTos/field_notices_media/1804Controller.png b/HowTos/field_notices_media/1804Controller.png new file mode 100644 index 000000000..dc0e7d37f Binary files /dev/null and b/HowTos/field_notices_media/1804Controller.png differ diff --git a/HowTos/field_notices_media/fn14.png b/HowTos/field_notices_media/fn14.png new file mode 100644 index 000000000..1f3f079ba Binary files /dev/null and b/HowTos/field_notices_media/fn14.png differ diff --git a/HowTos/field_notices_media/temp.txt b/HowTos/field_notices_media/temp.txt new file mode 100644 index 000000000..8b1378917 --- /dev/null +++ b/HowTos/field_notices_media/temp.txt @@ -0,0 +1 @@ + 
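Review bot: the Chrome workaround in Field Notice 0011 ("Search for keyword "samesite" and Disabled all three") changes cookie handling for every site the browser visits, not only the Controller; since the fix is the upgrade to 6.0.2481 or 6.1.1162 named two lines earlier, the notice should say the flags are a temporary measure to be set back to Default after upgrading. Field Notice 0010 says the defects were "introduced in VPN Client 2.8.9" while both advisory titles name "OpenVPN Client 2.8.2"; one of the two versions is wrong. Smaller points in the same hunk: "14.0.4 AMI" and "18.0.4 AMI" should read 14.04 and 18.04 to match the "Sample image for 14.04 Controller" captions, "PCIRT Advisory" should be "PSIRT Advisory" as in the notice above it, "as show below" and "Recomended Solution" are typos, and "if you need have any further questions" has an extra word. The empty HowTos/field_notices_media/temp.txt added at the end of this region looks like a placeholder used to create the directory; the three PNGs already populate it, so drop the file.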
diff --git a/HowTos/fips140-2.rst b/HowTos/fips140-2.rst index 7dde63c52..4c515bd6c 100644 --- a/HowTos/fips140-2.rst +++ b/HowTos/fips140-2.rst @@ -8,9 +8,9 @@ FIPS 140-2 Module Staring Release 4.6, Aviatrix supports FIPS 140-2 crypto module. -The Aviatrix Certificate number is #3475 which you can find from the `NIST site `_. +The Aviatrix Certificate number is #3273 which you can find from the `NIST site `_. -The Aviatrix FIPS 140-2 Security Policy can be found at this `link. `_ +The Aviatrix FIPS 140-2 Security Policy can be found at this `link. `_ Before enabling FIPS 140-2, the FIPS 140-2 Security patch needs to be applied , @@ -18,9 +18,7 @@ To apply FIPS patch go to the Controller Console, Settings -> Maintainence -> Se To enable, go to the Controller Console, Settings -> Advanced -> FIPS 140-2. Click Enable. -When it is enabled, the Controller and all gateways will be installed with the FIPS 140-2 module. - - +When it is enabled, the Controller and all gateways will be installed with the FIPS 140-2 module. OpenVPN services will be restarted and this will cause your VPN clients to disconnect and reconnect to the gateways. diff --git a/HowTos/firewall_advanced.rst b/HowTos/firewall_advanced.rst new file mode 100644 index 000000000..cdb49f402 --- /dev/null +++ b/HowTos/firewall_advanced.rst 
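Review bot: the certificate number changes from #3475 to #3273 in the first hunk, but the line gives no module name or version that would let a reader confirm which CMVP entry is meant, and the Security Policy link on the next line was changed at the same time; add the module name next to the number so the two stay verifiable together. While touching this file, fix the typos in the surrounding context: "Staring Release 4.6" should be "Starting Release 4.6", "Settings -> Maintainence" should be "Maintenance", and "applied ," has a stray space before the comma. The second hunk folds the warning that OpenVPN services restart and clients disconnect into the same paragraph as the enable step; since that is the one operational side effect of enabling the module, it would be more visible as its own paragraph or an `.. important::` block like the one firewall_network_workflow.rst uses.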
@@ -0,0 +1,181 @@ +.. meta:: + :description: Firewall Network Advanced Config + :keywords: AWS Transit Gateway, AWS TGW, TGW orchestrator, Aviatrix Transit network, Transit DMZ, Egress, Firewall, Firewall Network, FireNet + + +========================================================= +Firewall Network (FireNet) Advanced Config +========================================================= + +Firewall Network (FireNet) Advanced Config applies to both AWS TGW based FireNet and Aviatrix Transit FireNet. + +For questions about FireNet, check out `FireNet FAQ. `_ +For questions on FireNet workflow, check out `FireNet Workflow `_ + +For questions about Aviatrix Transit FireNet, check out `Transit FireNet FAQ. `_ +For questions on Aviatrix FireNet workflow, check out `Transit FireNet Workflow `_ + + +Traffic Inspection +------------------------------------------------ + +You can enable and disable traffic inspection. When traffic inspection is disabled, FireNet gateway loops back all packets. + +Egress through Firewall +----------------------- + +This is to enable Internet bound egress traffic for inspection. + +To configure, go to Controller -> Firewall Network -> Advanced. Select one firewall domain, click the 3-dots skewer to the detail page. +At `Egress through Firewall`, click Enable. + +Egress Static CIDRs +----------------------- + +You can allow egress to a subset of your IP address space from your on-prem data center to the Internet with Aviatrix Egress FireNet. Static CIDR egress is supported on Aviatrix Transit and AWS Transit Gateways (TGW). Up to 20 subnets are supported. + + +Fail Close +------------- + +Fail Close feature applies to the scenario where there are no firewalls attached to the FireNet gateways. Fail Close +is disabled by default. + +When Fail Close is disabled, east-west traffic that requires inspection +can pass through the FireNet gateways without having any attached firewalls, making the FireNet gateway behave +as a lookback interface. 
This is useful as it allows you to isolate and test network connectivity +during troubleshooting. + +When Fail Close is enabled, FireNet gateway drops all traffic when there are no firewalls +attached to the FireNet gateways. + + +Network List Excluded From East-West Inspection +--------------------------------------------------- + +By default, FireNet inspects all East-West (VPC to VPC) traffic but you may have an instance in the VPC which you do not want to be inspected. For example, the Aviatrix Controller deployed in the Shared Service VPC to be excluded from inspection while Shared Service VPC traffic is inspected. This improves the Controller reachability by not subjecting the Controller access to unintentional firewall policy errors. + +Put the CIDRs in the field **"Network List Excluded From East-West Inspection"** to exclude from being inspected by the firewall. + +.. Note:: + + 1. Maximum 50 CIDRs coma-separated are supported. + 2. CIDRs are excluded from East-West inspections only. + 3. In Transit FireNet, if Egress inspection is enabled, all the Egress traffic will get inspected by the firewall even for the CIDRs excluded for East-West inspection. + + +Firewall Hashing +-------------------- + +Firewall Network solution supports two hashing types: + - Five-tuple and + - Two-tuple. + +By default, AWS TGW based FireNet and Aviatrix Transit FireNet use 5-tuple hashing algorithm (source IP, source port, destination IP, destination port and protocol type) to load balance the traffic across different firewall. However, user has an option to select two-tuple (source IP and destination IP) hashing algorithm to map traffic to the available firewalls. + + +Keep Alive via Firewall Lan Interface +--------------------------------------------------------------------- + +For AWS, LAN or Management interface can be used for firewall health check and failure detection. 
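Review bot: the Network List note in this file says "Maximum 50 CIDRs coma-separated are supported" while the same feature in firewall_network_faq.rst in this same change says "Maximum 20 CIDRs"; pick the correct limit and use it in both places, and "coma-separated" should be "comma-separated". The Fail Close section describes the no-firewall behaviour as the gateway acting "as a lookback interface"; "lookback" should be "loopback". Because Fail Close is "disabled by default", traffic that should be inspected passes uninspected whenever no firewall is attached; the section should say explicitly that production deployments should enable it and use the bypass only for the troubleshooting case it describes. Also "click the 3-dots skewer" in the Egress section should be "click the three-dot menu", and the Hashing section should keep one spelling (five-tuple or 5-tuple) and say "across different firewalls".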
+ +By default, Aviatrix Controller check the firewall's health by pinging the firewall's management IP address. Starting 6.0, firewall instance’s health can also be checked by pinging its LAN interface from the connecting Aviatrix FireNet gateway. This is an alternative approach which improves firewall failure detection time and detection accuracy. + +The mechanism is that the FireNet gateway pings the firewall instance's LAN interface every 5 seconds with a ping time out of 20ms. If the first ping times out, it +immediately pings again. Two consecutive ping failures indicates the firewall is in down state and it is detached from the FireNet gateway pool. The ping functions continues +and it detects the firewall instance has come up by successful pings, it is attached back to the FireNet gateway pool. + +With LAN interface pinging, the firewall instance fail over time is reduced. + +The following details describe how to enable ping on the firewall instance LAN interface. + + +Step 1: Enable ICMP on Firewall Devices +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + +**Palo Alto Network** +~~~~~~~~~~~~~~~~~~~~~~ + +Go to Network -> Network Profiles -> Interface Mgmt, create profile to allow ping + +|pan_network_profile| + +Next, Go to Network -> Interfaces, select **"Ethernet 1/2"**, go to Advanced tab -> Management Profile and select the profile just created in above step + +|pan_lan_attach| + +Commit changes + +**Panoroma** +~~~~~~~~~~~~~~~~~ + +Configure stack similar to Palo Alto Network shown above. + +**Check Point** +~~~~~~~~~~~~~~~~~~~~~ + +Go to SmartConsole -> Global Properties -> Firewall -> Accept ICMP requests. 
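Review bot: Step 1 opens ICMP on the firewall's LAN (data) interface, but the instructions do not say how narrowly: the Palo Alto "Interface Mgmt" profile created for Ethernet 1/2 should allow ping only and nothing else the profile can expose, and the Check Point change is a Global Property ("Accept ICMP requests") that applies to every interface rather than just the LAN side; the text should call both out so readers open no more than the health check needs. In the keep-alive paragraph the 5 second period, 20ms timeout and two consecutive failures agree with the Fortinet FAQ entry ("maximum 5 seconds and 40ms"), which is good; but "Two consecutive ping failures indicates" should be "indicate", "The ping functions continues and it detects the firewall instance has come up by successful pings, it is attached back" needs rewording into two sentences, "Lan Interface" in the section title should be "LAN Interface", and "Panoroma" should be "Panorama".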
+ +|cp_ping_enable_1| + +|cp_ping_enable_2| + +**Fortigate (Fortinet)** +~~~~~~~~~~~~~~~~~~~~~~~~~~` + +Go to Network -> Interfaces -> Edit Interface -> Check "PING" box + +|fortigate_example_ping| + +Step 2: Configure Aviatrix Controller +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Go to Firewall Network --> Advanced --> Click the 3 vertical dots as shown below: + +|firewall_advanced_lan_1| + +The expanded view shows the firewall deployed by the Aviatrix controller and towards the end of screen shot, one can enable/disable LAN side Health Check. + +|firewall_advanced_lan_ping| + + +Step 3: Verify LAN Side ICMP Health Check +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +In this example, AWS and Check Point used to demonstrate the functionality as shown below: + +|example_topology_lan_ping| + +Go to Check Point logs and Monitoring section, notice that the ICMP health check is initiated every 5 second from the Aviatrix Transit FireNet gateways. The 5 second setting is the default and cannot be changed. + +|cp_icmp_lan_example| + + +.. |firewall_advanced_lan_1| image:: firewall_network_workflow_media/firewall_advanced_lan_1.png + :scale: 30% + +.. |firewall_advanced_lan_ping| image:: firewall_network_workflow_media/firewall_advanced_lan_ping.png + :scale: 30% + +.. |example_topology_lan_ping| image:: firewall_network_workflow_media/example_topology_lan_ping.png + :scale: 30% + +.. |cp_icmp_lan_example| image:: firewall_network_workflow_media/cp_icmp_lan_example.png + :scale: 30% + +.. |pan_network_profile| image:: firewall_network_workflow_media/pan_network_profile.png + :scale: 30% + +.. |pan_lan_attach| image:: firewall_network_workflow_media/pan_lan_attach.png + :scale: 30% + +.. |cp_ping_enable_1| image:: firewall_network_workflow_media/cp_ping_enable_1.png + :scale: 30% + +.. |cp_ping_enable_2| image:: firewall_network_workflow_media/cp_ping_enable_2.png + :scale: 30% + +.. 
|fortigate_example_ping| image:: firewall_network_workflow_media/fortigate_example_ping.png + :scale: 30% + +.. disqus:: diff --git a/HowTos/firewall_network.rst b/HowTos/firewall_network.rst index c630f2e1a..2fb71e088 100644 --- a/HowTos/firewall_network.rst +++ b/HowTos/firewall_network.rst @@ -51,7 +51,7 @@ AWS Transit Gateway (TGW) supports VPN with ECMP load balancing. With its capabi for Egress Inspection and VPC to VPC traffic inspection. The problem with this deployment is performance. The IPSEC tunnel limits each firewall instance to be capped at 1Gbps. When this architecture is deployed for VPC to VPC inspection, traffic goes through VGW (the other end of the IPSEC tunnel) twice, further reducing its throughput to 400Mbps. What this implies is that each firewall instance can only operate at 400Mpbs throughput. This is -much lower than what firewall instances can do without IPSEC tunnel. +much lower than what firewall instances can do without IPSEC tunnel. .. |firenet| image:: firewall_network_media/firenet.png diff --git a/HowTos/firewall_network_advanced_config_media/firewall_advanced_lan_1.png b/HowTos/firewall_network_advanced_config_media/firewall_advanced_lan_1.png new file mode 100644 index 000000000..dfccc879f Binary files /dev/null and b/HowTos/firewall_network_advanced_config_media/firewall_advanced_lan_1.png differ diff --git a/HowTos/firewall_network_advanced_config_media/firewall_advanced_lan_ping.png b/HowTos/firewall_network_advanced_config_media/firewall_advanced_lan_ping.png new file mode 100644 index 000000000..4065b0221 Binary files /dev/null and b/HowTos/firewall_network_advanced_config_media/firewall_advanced_lan_ping.png differ diff --git a/HowTos/firewall_network_design_patterns.rst b/HowTos/firewall_network_design_patterns.rst index 2be96cc54..a5deee40c 100644 --- a/HowTos/firewall_network_design_patterns.rst +++ b/HowTos/firewall_network_design_patterns.rst 
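Review bot: the image substitutions at the end of firewall_advanced.rst point at firewall_network_workflow_media/ (for example firewall_network_workflow_media/firewall_advanced_lan_1.png), but the PNGs added in this change live in HowTos/firewall_network_advanced_config_media/ (firewall_advanced_lan_1.png and firewall_advanced_lan_ping.png); those two images will not resolve at build time unless the paths are aligned, and the other seven referenced files (example_topology_lan_ping.png, cp_icmp_lan_example.png, pan_network_profile.png, pan_lan_attach.png, cp_ping_enable_1.png, cp_ping_enable_2.png, fortigate_example_ping.png) are not added anywhere in the visible diff, so confirm they already exist. The underline for "**Fortigate (Fortinet)**" ends with a stray backtick after the tildes, which is not a valid section underline in reStructuredText. The firewall_network.rst hunk changes only trailing whitespace on "much lower than what firewall instances can do without IPSEC tunnel." and leaves "400Mpbs" in the context line above it; the FAQ hunk in this same change fixes that typo, so fix it here too.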
@@ -74,8 +74,44 @@ manner as shown in the diagram below. |fqdn_in_firenet| +9. Ingress Directly through Firewall +--------------------------------------- + +Another often configured Ingress Egress design pattern is to have the traffic forward to firewall instances +directly as shown in the diagram below. In this design pattern, each firewall instance must configure SNAT on its LAN interface +that connects to the Aviatrix FireNet gateway. The draw back of this design is source IP address is not preserved when traffic reaches +the application. If you need to preserve source IP address, refer to `this recommended design for Ingress `_. + +|firenet_ingress_egress| + For more information, follow the `FireNet workflow `_. +10. Central Egress in a Multi Region Deployment +-------------------------------------------------------- + +Since the default routes are propagated over the Aviatrix Transit Gateway peering, you can consolidate the Internet bound egress traffic to the +firewalls in one region, as shown in the diagram below. + +|central_egress| + +11. Distributed Egress in a Multi Region Deployment +------------------------------------------------------ + +If you need to have a distributed egress for each region, make sure you filter out the default route 0.0.0.0/0 when you build +the Aviatrix Transit Gateway peering, as shown in the diagram below. + +|multi_egress| + +12. Ingress Protection via Aviatrix Transit FireNet +------------------------------------------------------ + +This Ingress Protection design pattern is to have the traffic forward to firewall instances directly in Aviatrix Transit FireNet VPC as shown in the diagram below. In this design pattern, each firewall instance must configure (1) SNAT on its LAN interface that connects to the Aviatrix FireNet gateway and (2) DNAT to the IP of application server/load balancer. The draw back of this design is source IP address is not preserved when traffic reaches the application. 
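Review bot: items 9 and 12 both describe forwarding ingress traffic straight to the firewall with SNAT on the LAN interface and both warn that the source IP is not preserved; since item 12 only adds the DNAT to the application and the Transit FireNet context, have it reference item 9 (and the "recommended design for Ingress" link item 9 gives) instead of repeating the drawback. "draw back" should be "drawback" in both items, and "Ingress Egress design pattern" needs "and" or a slash. In item 11, filtering out 0.0.0.0/0 on the Transit Gateway peering is the step that keeps each region's egress on its own firewalls (item 10 says default routes otherwise propagate over the peering); say what happens if the filter is missed.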
+ +For example configuration workflow, check out `Ingress Protection via Aviatrix Transit FireNet with Fortigate `_. + +|transit_firenet_ingress| + + .. |firewall_network| image:: firewall_network_faq_media/firewall_network.png :scale: 30% @@ -94,7 +130,7 @@ For more information, follow the `FireNet workflow 500Mbps Up to 6Gbps 40Gbps +Total FireNet performance > 500Mbps Up to 6Gbps up to 75Gbps Multiple firewalls (scale out) Yes No (Active/Standby) Yes Integrated solution Yes No (requires external script) Yes Solution complexity High Medium Low @@ -66,6 +66,15 @@ For enterprises that wish to deploy a firewall in AWS, Aviatrix’s FireNet depl - **Vendor Integration** Launch Palo Alto Networks VM-Series from the Aviatrix Controller console to simplify deployment. - **Automation** The Aviatrix Controller automatically updates Palo Alto VM-Series route tables when on-prem route changes or VPC attachment changes. +Does FireNet support other firewalls? +-------------------------------------------------------------- + +The following firewalls are supported: +- Palo Alto VM-Series +- Check Point CloudGuard +- Fortinet FortiGate + + Is the FireNet solution recommended by Palo Alto Networks? -------------------------------------------------------------- 
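Review bot: in the "Does FireNet support other firewalls?" hunk the three "- " lines follow the sentence "The following firewalls are supported:" with no blank line, so docutils will render them as part of the paragraph rather than as a bullet list; add a blank line before the first item. In the comparison table the updated cell "up to 75Gbps" is lowercase while the neighbouring cell reads "Up to 6Gbps"; match the capitalization.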
@@ -95,8 +104,8 @@ There are situations where additional security measures such as packet inspectio to deploy a firewall for certain VPCs. FireNet provides the network solution that simplifies firewall deployment and scale. 1. Deploy the Aviatrix FireNet in a special Security Domain with a Firewall Domain attribute. - #. If a Security Domain has a connection policy to the Firewall Domain, then traffic going in and out of each VPC member in that Security Domain will first be forwarded to the Firewall for inspection. In other words, the connection policy specifies which domain (or a group of VPCs) will be inspected by the firewall. - #. VPC to VPC traffic in the same Security Domain is not inspected. + #. If a Security Domain has a connection policy to the Firewall Domain, then traffic going in and out of each VPC member in that Security Domain will first be forwarded to the Firewall for inspection. In other words, the connection policy specifies which domain (or a group of VPCs) will be inspected by the firewall. See `Domain-based inspection `_. + #. Alternatively, starting in Release 6.3 you can specify inspection based on pairs of Connection Policies. See `Connection-based inspection `_. What are the use cases for FireNet? ------------------------------------- @@ -117,8 +126,6 @@ domain to the firewall domain. What are the limitations of FireNet? ------------------------------------- -In Release 4.3, FireNet only supports the AWS Transit Gateway (TGW) deployment scenario. It does not support the encrypted transit deployment scenario. - You can have multiple Firewall Domains. However a Security Domain cannot be connected to two Firewall Domains except the case when one is for Ingress/Egress and another is for East-West and North-South inspection. 
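Review bot: the first hunk removes the statement "VPC to VPC traffic in the same Security Domain is not inspected" and replaces it with the Release 6.3 connection-based option, but the "What is Intra Domain inspection?" entry added later in this file only makes sense if the default is still no intra-domain inspection; keep a one-line statement of the default here, or a pointer to the Intra Domain entry, so readers do not assume same-domain traffic is inspected. Dropping the Release 4.3 limitation in the second hunk is fine, but the remaining limitation text ("a Security Domain cannot be connected to two Firewall Domains except...") should then say which releases it applies to.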
@@ -131,7 +138,7 @@ for Egress Inspection and VPC to VPC traffic inspection. One problem with this deployment is performance. The IPSEC tunnel limits each firewall instance to be capped at 1Gbps. When this architecture is deployed for VPC to VPC inspection, traffic goes through the VGW (the other end of the IPSEC tunnel) twice, -further reducing its throughput to 500Mbps. What this implies is that each firewall instance can only operate at 400Mpbs throughput. This is +further reducing its throughput to 500Mbps. What this implies is that each firewall instance can only operate at 400Mbps throughput. This is much lower than what firewall instances can do without an IPSEC tunnel. Another problem is that for east west traffic inspection, the firewall instance must NAT the source address, otherwise the return traffic is not guaranteed to go through the same firewall instance. This is because ECMP 
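Review bot: the hunk fixes "400Mpbs" but leaves the sentence self-contradictory: it says the double pass through the VGW reduces throughput "to 500Mbps" and in the next clause that each instance "can only operate at 400Mbps". firewall_network.rst, changed in the same diff, gives 400Mbps for both figures; use the same number in both files.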
@@ -212,8 +219,20 @@ If the FireNet deployment is for both Egress and Ingress traffic, you need to SNAT on the firewall instance to its LAN or Trusted Interface IP (eth2 interface). The rule is that for a source IP address that comes from NLB or a vendor load balancer such as F5 private IP address, it is translated to firewall interface eth2 private IP address. +How to exclude specific CIDRs from being inspected by the firewall? +-------------------------------------------------------------------- + +By default, FireNet inspects all East-West (VPC to VPC) traffic but you may have an instance in the VPC which you do not want to be inspected. For example, the Aviatrix Controller deployed in the Shared Service VPC to be excluded from inspection while Shared Service VPC traffic is inspected. This improves the Controller reachability by not subjecting the Controller access to unintentional firewall policy errors. + +Go to **Firewall Network --> Advanced** and put the CIDRs in the field **"Network List Excluded From East-West Inspection"** to exclude from being inspected by the firewall. + +**Note:** + 1. Maximum 20 CIDRs coma-separated are supported. + 2. CIDRs are excluded from East-West inspections only. + 3. In AWS TGW FireNet, if Egress inspection is enabled, Egress traffic originated from an excluded CIDRs will be dropped. If excluded CIDRs needs to be inspected then use a separate FireNet for Egress Traffic and separate FireNet for East-West Traffic. + Is there an example guide to setup Palo Alto VM-Series policies? ------------------------------------------------------------------- +---------------------------------------------------------------- Yes. Follow `Example Config for Palo Alto VM-Series `_ to setup an "ALLOW ALL" policy for test validation. 
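Review bot: note 3 in this hunk states that in AWS TGW FireNet with Egress inspection enabled, "Egress traffic originated from an excluded CIDRs will be dropped"; that is a traffic-affecting side effect of the exclusion list and belongs in the body text above the list, and it needs reconciling with firewall_advanced.rst in this same change, which says Transit FireNet still inspects egress from excluded CIDRs (if both are correct, say which product each sentence applies to). Note 1 says "Maximum 20 CIDRs" while firewall_advanced.rst says 50; only one can be right. Typos: "coma-separated", "an excluded CIDRs", "CIDRs needs".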
@@ -253,16 +272,11 @@ Can Firewall Network work with Panorama? Yes. Follow the instructions for `Panorama integration. `_ -What is the failover time? ----------------------------- +What is the FireNet gateway failover time? +---------------------------------------------- Aviatrix FireNet gateway failure detection time is 8 - 10 seconds. The switch over to alternative gateway (primary or backup) is about the same time. -The Aviatrix Controller monitors the health of the firewall instances. For Pal Alto VM-Series, the Controller -uses Palo Alto API to periodically check the firewall instance health. The polling time is 10 seconds. However depending -on how the instance fails, it can take over a minutes for the failure condition to be detected. For example, -if you stop the instance from AWS console, it can take a minute before the API access fails. On the other hand, if the firewall instance interface is shutdown, the failure detection is 10 seconds. - Why does the primary gateway send packets to backup gateway instead of sending to firewall directly? ------------------------------------------------------------------------------------------------------- 
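Review bot: removing the paragraph on Controller API polling of the Palo Alto instance leaves this FAQ with a gateway failover time only; since the title was narrowed to "FireNet gateway failover time", add a sibling entry for firewall instance failure detection that points to the LAN-interface ping check introduced in firewall_advanced.rst and repeated in the Fortinet entry below (5 second period, 20ms timeout, two consecutive failures), otherwise readers lose the only statement of how long a failed firewall keeps receiving traffic. In the kept line, "The switch over to alternative gateway" should be "The switchover to the alternative gateway".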
@@ -288,6 +302,80 @@ How does Aviatrix Controller know which Panorama is the primary one if there are The primary IP address is configured at the `Vendor Integration `_ function. +Aviatrix FireNet Security Groups +---------------------------------- + +On firewall LAN interface. + +Eth2 on PAN; or Eth1 on Fortigate and Checkpoint. This interface accepts all data traffic to be inspected or going to internet (if egress is enabled). The traffic originates from an internal instance, which is destinated to other internal instance or internet. Therefore, it is OK to limit this SG to RFC1918 only. But if there are non-RFC1918 CIDR’s inside your network, those may not work. + + +On firenet gateway, there are 4 interfaces. + +Eth0: this interface is used for all internet traffic (DNS, NTP, etc), communication with controller (TCP, SSH, etc), encrypted tunnels, etc. This interface is under Aviatrix controller’s control, it’s SG is already limited to the minimum. User should NOT change it. Even if user changes it, the Aviatrix controller will always try to change back. + +Eth1: this interface is used to send/receive traffic to AWS TGW. It accepts data traffic from TGW. So it is OK to limit SG to RFC1918 only. + +Eth2: this interface is used to send/receive traffic to firewalls (through firewall’s LAN interface). So it expects traffic originated from both internal and external. It might be OK to limit to RFC1918 since AWS SG is stateful. + +Eth3: this interface is used to exchange traffic between primary and backup gateway, this is part of our uniform hashing algorithm. Same as eth2, it expects traffic originated from both internal and external. It might be OK to limit to RFC1918, since AWS SG is stateful. + +What are the integration points with Fortinet firewall? +--------------------------------------------------------- + + 1. Managing Life Cycle of Fortinet firewall instances + + a. Aviatrix Controller launches and deletes Fortinet firewall instances. + #. 
Supports `Fortinet Bootstrap mechanism `_ to simplifying firewall instance launching and preload any firewall configurations. + + 2. Managing Fortinet firewall instances pool + + a. Aviatrix Controller monitors individual firewall health by periodically pining the LAN interface of each firewall instances. Ping period is every 5 second with a 20ms ping time out. The failure detection is maximum 5 seconds and 40ms. Aviatrix Controller automatically detaches a unhealthy firewall instance. When the firewall instance is reachable again, it automatically attaches it back to the pool. + #. You can initiate a new firewall instance to be launched and attached to pool at any given time. + #. You can initiate to remove a firewall instance from the pool at any given time.. + + 3. Static Route Configuration + + Currently there is no API integration to automatically populate Fortinet route table entries. Customer needs to configure these entries. We recommend you to configure the 3 RFC 1918 routes to point to the firewall LAN interface. For FireNet deployment, the RFC 1918 routes should point to the LAN interface subnet cloud provider's default gateways. For Transit FireNet deployment, the RFC 1918 routes should point to the FireNet gateway LAN interface IP, as shown in this `example. `_. + + +What is Intra Domain inspection? +--------------------------------- + +Intra Domain inspection allows traffic between VPCs in the same Security Domain to be redirected to Firewall Domain for inspection before reaching to the destination. + + +How to migrate from FireNet to FireNet with AWS GWLB or vice versa? +--------------------------------------------------------------------------------- + +Starting from Release 6.3, Multi-cloud Transit FireNet added support for AWS Gateway Load Balancer (GWLB). The key +advantage of this integration is to allow firewalls to be scaled up and down without affecting established sessions +(except sessions associated with the failed firewalls). + + 1. 
Save firewall configuration + #. Disassociate firewall instance -> Go to Aviatrix Controller's console -> FIREWALL NETWORK -> Setup -> Step 10. + #. Delete firewall instance -> Go to Aviatrix Controller's console -> FIREWALL NETWORK -> Setup -> Step 7a. + #. Disable FireNet function -> Go to Aviatrix Controller's console -> FIREWALL NETWORK -> Step 11a to disable Aviatrix Gateway FireNet Function. + #. Enable Transit FireNet function -> Go to Aviatrix Controller's console -> FIREWALL NETWORK -> Step 5a to enable the Aviatrix Gateway for FireNet Function. Check "Use AWS GWLB" if migrating from Aviatrix FireNet to FireNet with AWS GWLB. + #. Launch and associate firewall -> Go to Aviatrix Controller's console -> FIREWALL NETWORK -> Step 7a. + #. Restore firewall configuration + +Can we migrate from FireNet solution to Native FireNet with GWLB solution ? +---------------------------------------------------------------------------------------------------------------- + +Native FireNet refers to a deployment scenario where Aviatrix FireNet gateways are not deployed. + +To migrate use the following steps for migration: + + 1. Save firewall configuration + #. Disassociate firewall instance -> Go to Aviatrix Controller's console -> FIREWALL NETWORK -> Setup -> Step 10. + #. Delete firewall instance -> Go to Aviatrix Controller's console -> FIREWALL NETWORK -> Setup -> Step 7a. + #. Disable FireNet function -> Go to Aviatrix Controller's console -> FIREWALL NETWORK -> Step 11a to disable Aviatrix Gateway FireNet Function. + #. Delete Transit FireNet Gateway + #. Enable Transit FireNet function -> Go to Aviatrix Controller's console -> FIREWALL NETWORK -> Step 5b to enable the Native AWS GWLB for FireNet Function. + #. Launch and associate firewall -> Go to Aviatrix Controller's console -> FIREWALL NETWORK -> Step 7a. + #. Restore firewall configuration + .. |firewall_network| image:: firewall_network_faq_media/firewall_network.png :scale: 30% 
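Review bot: the "Aviatrix FireNet Security Groups" section says it is "OK to limit this SG to RFC1918" for the firewall LAN interface and for gateway eth1, and "might be OK" for eth2 and eth3, while firewall_network_workflow.rst in this same change carries an `.. important::` stating "Please do not change the security group inbound and outbound rules on eth1, eth2 and eth3 of a FireNet gateway"; the two documents give opposite guidance and must be reconciled, and if tightening is supported the section should say which interfaces and who owns the rules (the eth0 paragraph already says the Controller reverts changes there). "might be OK ... since AWS SG is stateful" should become a definite statement of what traffic each interface expects; "destinated", "CIDR's" and "it's SG" are typos. In the Fortinet entry, "pining" should be "pinging", "every 5 second" "every 5 seconds", "a unhealthy" "an unhealthy", "to simplifying" "to simplify", and "at any given time.." has a double period. In both migration procedures the firewall instances are deleted at step 3 and relaunched only at step 6, so no firewalls are attached in between; per the Fail Close description in firewall_advanced.rst, traffic in that window either bypasses inspection (Fail Close disabled, the default) or is dropped (enabled). State that expected impact above the steps, and say what "Save firewall configuration" and "Restore firewall configuration" mean for each vendor, as the steps currently do not. The step references also mix "Setup -> Step 10" with "Step 11a" and "Step 5a" without the "Setup ->" prefix.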
diff --git a/HowTos/firewall_network_faq_media/firenet_packet_flow.png b/HowTos/firewall_network_faq_media/firenet_packet_flow.png index c4fcebf9f..3171fa990 100644 Binary files a/HowTos/firewall_network_faq_media/firenet_packet_flow.png and b/HowTos/firewall_network_faq_media/firenet_packet_flow.png differ diff --git a/HowTos/firewall_network_faq_media/firewall_deploy.png b/HowTos/firewall_network_faq_media/firewall_deploy.png index fa3daf078..4fa371c22 100644 Binary files a/HowTos/firewall_network_faq_media/firewall_deploy.png and b/HowTos/firewall_network_faq_media/firewall_deploy.png differ diff --git a/HowTos/firewall_network_faq_media/firewall_network.png b/HowTos/firewall_network_faq_media/firewall_network.png index 1b4bb1296..b03ef178f 100644 Binary files a/HowTos/firewall_network_faq_media/firewall_network.png and b/HowTos/firewall_network_faq_media/firewall_network.png differ diff --git a/HowTos/firewall_network_faq_media/multi_firewall.png b/HowTos/firewall_network_faq_media/multi_firewall.png index 4b82edb95..9e64fbd76 100644 Binary files a/HowTos/firewall_network_faq_media/multi_firewall.png and b/HowTos/firewall_network_faq_media/multi_firewall.png differ diff --git a/HowTos/firewall_network_faq_media/multi_region_aviatrix_edge.png b/HowTos/firewall_network_faq_media/multi_region_aviatrix_edge.png index 92dc1e4e6..11721d7de 100644 Binary files a/HowTos/firewall_network_faq_media/multi_region_aviatrix_edge.png and b/HowTos/firewall_network_faq_media/multi_region_aviatrix_edge.png differ diff --git a/HowTos/firewall_network_faq_media/multi_region_firewall.png b/HowTos/firewall_network_faq_media/multi_region_firewall.png index c066762eb..7769145ae 100644 Binary files a/HowTos/firewall_network_faq_media/multi_region_firewall.png and b/HowTos/firewall_network_faq_media/multi_region_firewall.png differ 
diff --git a/HowTos/firewall_network_media/central_egress.png b/HowTos/firewall_network_media/central_egress.png new file mode 100644 index 000000000..2c587cfb9 Binary files /dev/null and b/HowTos/firewall_network_media/central_egress.png differ diff --git a/HowTos/firewall_network_media/firenet.png b/HowTos/firewall_network_media/firenet.png index db5ac2f9b..22bfe42c2 100644 Binary files a/HowTos/firewall_network_media/firenet.png and b/HowTos/firewall_network_media/firenet.png differ diff --git a/HowTos/firewall_network_media/multi_egress.png b/HowTos/firewall_network_media/multi_egress.png new file mode 100644 index 000000000..790876e75 Binary files /dev/null and b/HowTos/firewall_network_media/multi_egress.png differ diff --git a/HowTos/firewall_network_workflow.rst b/HowTos/firewall_network_workflow.rst index 6c6d7f327..a1f6ad66f 100644 --- a/HowTos/firewall_network_workflow.rst +++ b/HowTos/firewall_network_workflow.rst @@ -7,6 +7,11 @@ Firewall Network (FireNet) Workflow ========================================================= +FireNet is a solution for integrating firewalls in the AWS TGW deployment. + +If you are looking for firewall integration solution on Azure or in Aviatrix Multi-Cloud transit architecture, +your starting point is `here `_. + For questions about FireNet, check out `FireNet FAQ. `_ 1. Create a Security VPC 
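Review bot: the new intro to the workflow sends Azure and Multi-Cloud Transit readers to a link whose only text is "here"; name the target (Transit FireNet Workflow, as firewall_advanced.rst does) so the link is meaningful in rendered output. The first sentence, "FireNet is a solution for integrating firewalls in the AWS TGW deployment", would also read better as "in an AWS TGW deployment".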
@@ -86,26 +91,104 @@ eth2 Allow ALL (Do not change) eth3 Allow ALL (Do not change) Private interface for traffic to FireNet HA gateway ========================================== ============================================== ================= + .. important:: Please do not change the security group inbound and outbound rules on eth1, eth2 and eth3 of a FireNet gateway. If FireNet gateway HA is enabled, the HA gateway shares the same route table as the primary for its eth1 interface. -The new subnets created by the Controller at this steps are listed below. +The new subnets created by the Controller at these steps are listed below. + +========================================== ============================ +**Aviatrix FireNet VPC Private Subnet** **Description** +========================================== ============================ +-tgw-egress for FireNet gateway eth1 to TGW +-hagw-tgw-egress for FireNet HA gateway eth1 to TGW +-tgw-ingress for TGW to the ENI of eth1 of FireNet gateway +-hagw-tgw-ingress for TGW to the ENI of eth1 of the FireNet HA gateway +-dmz-firewall for FireNet gateway eth2 +-hagw-dmz-firewall for FireNet HA gateway eth2 +-dmz-exchange for FireNet gateway eth3 +-hagw-dmz-exchange for FireNet HA gateway eth3 +========================================== ============================ + +5a. Enable the Aviatrix Gateway for FireNet Function +############################################################# + +This step configures the gateway launched in Step 4 for FireNet function with AWS Gateway Load Balancer (GWLB). If you have HA enabled, it +automatically sets up the HA gateway for FireNet deployment. + +In the drop down menu, select one Aviatrix Transit Gateway, check "Use AWS GWLB" and click "Enable". + +In this step, the Aviatrix Controller creates 2 more Ethernet interfaces with associated subnets on the FireNet gateways. 
+ +========================================== ============================================== ================= +**FireNet gateway instance interfaces** **Inbound Security Group Rule** **Description** +========================================== ============================================== ================= +eth0 Allow SSH and HTTPS from Aviatrix Controller Public interface for communication with Controller +eth1 Allow ALL (Do not change) Private interface for traffic to/from TGW +eth2 Allow ALL (Do not change) Private interface for traffic to firewall instances +========================================== ============================================== ================= + + +.. important:: + + Please do not change the security group inbound and outbound rules on eth1 and eth2 of a FireNet gateway. + +If FireNet gateway HA is enabled, the HA gateway shares the same route table as the primary for its eth1 interface. + +The new subnets created by the Controller at these steps are listed below. + +========================================== ============================ +**Aviatrix FireNet VPC Private Subnet** **Description** +========================================== ============================ +-tgw-egress for FireNet gateway eth1 to TGW +-hagw-tgw-egress for FireNet HA gateway eth1 to TGW +-tgw-ingress for TGW to the ENI of eth1 of FireNet gateway +-hagw-tgw-ingress for TGW to the ENI of eth1 of the FireNet HA gateway +-dmz-firewall for FireNet gateway eth2 +-hagw-dmz-firewall for FireNet HA gateway eth2 +-gwlb-pool for GWLB and Firewalls +-gwlb-pool-ha for GWLB and Firewalls in different AZ +-gwlb-egress for FireNet gateway (if egress inspection is enabled) +-gwlb-egress-ha for FireNet HA gateway (if egress inspection is enabled) +========================================== ============================ + +|gwlb_tgw_avxgw| + +.. note:: + HTTPS needs to be opened on firewall appliance for health check. See `firewall health check `_ for more information. 
-========================================== ================= -**Aviatrix FireNet VPC Private Subnet** **Description** -========================================== ================= --gw-tgw-egress for FireNet gateway eth1 to TGW --gw-hagw-tgw-egress for FireNet HA gateway eth1 --gw-tgw-ingress for TGW to the ENI of eth1 of FireNet gateway --gw-hagw-tgw-ingress for TGW to the ENI of eth1 of the FireNet HA gateway --gw-dmz-firewall for FireNet gateway ethh2 --gw-hagw-dmz-firewall for FireNet HA gateway eth2 --gw-dmz-exchange for FireNet gateway eth3 --gw-hagw-dmz-exchange for FireNet HA gateway eth3 -========================================== ================= + +5b. Enable Native AWS GWLB for FireNet Function +############################################################# + +This step integrates the AWS Transit Gateway (TGW) with AWS Gateway Load Balancer (GWLB) for native FireNet solution. + +In the drop down menu, select the right AWS Account and region, provide the right security VPC and click "Enable". + +The Aviatrix Controller will automatically create the new subnets, GWLB and GWLBe. + +The new subnets created by the Controller at these steps are listed below. + +========================================== ============================ +**Aviatrix FireNet VPC Private Subnet** **Description** +========================================== ============================ +-tgw-ingress for TGW ENI to the GWLBe +-hagw-tgw-ingress for TGW ENI to the GWLBe in different AZ +-dmz-firewall for GWLBe +-hagw-dmz-firewall for GWLBe in different AZ +-gwlb-pool for GWLB and Firewalls +-gwlb-pool-ha for GWLB and Firewalls in different AZ +-gwlb-egress for NATGW gateway (if egress inspection is enabled) +-gwlb-egress-ha for NATGW HA gateway (if egress inspection is enabled) +========================================== ============================ + +|gwlb_native| + +.. note:: + HTTPS needs to be opened on firewall appliance for health check. 
Check `Firewall Health Check `_ for more information. 6. Attach Aviatrix FireNet gateway to TGW Firewall Domain @@ -123,12 +206,14 @@ This step programs the relative route tables, described as below. ========================================== ===================== ================= **Aviatrix FireNet VPC route table** **key route entry** **Description** ========================================== ===================== ================= --gw-tgw-egress 0.0.0.0/0 -> tgw for FireNet gateway and HA gateway eth1 to TGW --gw-tgw-ingress 0.0.0.0/0 -> eth1 for TGW to eth1 of FireNet gateway and ha gateway --gw-dmz-firewall 0.0.0.0/0 -> eth2 for firewall instance to eth2 of FireNet gateway --gw-hagw-dmz-firewall 0.0.0.0/0 -> eth2 for firewall instance to eth2 of FireNet HA gateway --gw-dmz-exchange 0.0.0.0/0 -> eth1 for eth3 of FireNet gateway to eth1 of HA gateway --gw-hagw-dmz-exchange 0.0.0.0/0 -> eth1 for eth3 of FireNet HA gateway to eth1 of primary gateway +-tgw-egress 0.0.0.0/0 -> tgw for FireNet gateway eth1 to TGW +-hagw-tgw-egress 0.0.0.0/0 -> tgw for FireNet HA gateway eth1 to TGW +-tgw-ingress 0.0.0.0/0 -> eth1 for TGW to eth1 of FireNet gateway +-hagw-tgw-ingress 0.0.0.0/0 -> eth1. for TGW to eth1 of FireNet HA gateway +-dmz-firewall 0.0.0.0/0 -> tgw for firewall instance LAN interface to TGW +-hagw-dmz-firewall 0.0.0.0/0 -> tgw for firewall instance LAN interface to TGW +-dmz-exchange 0.0.0.0/0 -> eth3 for eth3 of FireNet gateway to eth3 of HA gateway +-hagw-dmz-exchange 0.0.0.0/0 -> eth3 for eth3 of FireNet HA gateway to eth3 of primary gateway ========================================== ===================== ================= 
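Review bot: the health-check note added under both 5a and 5b ("HTTPS needs to be opened on firewall appliance for health check.") should say where the health checks originate so that the inbound rule on the firewall can be scoped to that source, in the same way the eth0 row scopes SSH/HTTPS to the Aviatrix Controller; as written, readers are likely to allow HTTPS from anywhere on the firewall LAN interface. Separately, the first `.. important::` in this hunk is added with a leading space ("+ .. important:: Please do not change the security group inbound and outbound rules on eth1, eth2 and eth3 of a FireNet gateway."), which nests the directive in a block quote, while the second copy later in the hunk is at column 0 with its body indented on the following lines; use the second form for both so they render the same.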
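Review bot: in the route-table rows, "+-hagw-tgw-ingress 0.0.0.0/0 -> eth1. for TGW to eth1 of FireNet HA gateway" has a stray period after the next hop, and the `-dmz-firewall` and `-hagw-dmz-firewall` rows now carry an identical description ("for firewall instance LAN interface to TGW") although the subnet table earlier in the page assigns those subnets to the primary and HA gateway eth2 respectively; say which gateway each row belongs to. This hunk also changes the dmz-firewall next hop from eth2 to tgw and the dmz-exchange next hop from eth1 to eth3 with no surrounding explanation; if the Controller's programming changed in a particular release, one sentence naming it would help readers on older deployments verify their route tables.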
@@ -137,11 +222,12 @@ This step programs the relative route tables, described as below. This approach is recommended if this is the first Firewall instance to be attached to the gateway. -This step launches a VM-Series and associates it with one of the FireNet gateways. +This step launches a Firewall instance and associates it with one of the FireNet gateways. + .. important:: -The VM-Series and the associated Aviatrix FireNet gateway above must be in the same AZ, and, we recommend that the Management Interface Subnet and Egress (untrust dataplane) Interface Subnet should not be in the same subnet. +The Firewall instance and the associated Aviatrix FireNet gateway above must be in the same AZ, and, we recommend that the Management Interface Subnet and Egress (untrust dataplane) Interface Subnet should not be in the same subnet. 7a.1 Launch and Attach ########################## @@ -153,8 +239,8 @@ VPC ID The Security VPC created in Step Gateway Name The primary FireNet gateway. Firewall Instance Name The name that will be displayed on AWS Console. Firewall Image The AWS AMI that you have subscribed in Step 2. -Firewall Image Version VM-Series current supported software versions. -Firewall Instance Size VM-Series instance type. +Firewall Image Version Firewall instance current supported software versions. +Firewall Instance Size Firewall instance type. Management Interface Subnet. Select the subnet whose name contains "gateway and firewall management" Egress Interface Subnet Select the subnet whose name contains "FW-ingress-egress". Username Applicable to Azure deployment only. "admin" as a username is not accepted. 
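Review bot: the replaced sentence keeps the double comma from the original ("must be in the same AZ, and, we recommend"); suggest "must be in the same AZ, and we recommend that the Management Interface Subnet and the Egress (untrust dataplane) Interface Subnet not be the same subnet." Also note that the `.. important::` directive (a context line with a leading space) is followed directly by an unindented paragraph, so the directive has no body and the warning renders as ordinary prose; since this hunk is already touching the sentence, indent it under the directive.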
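Review bot: in the field table, "Firewall Image Version Firewall instance current supported software versions." is hard to parse after the VM-Series rename; suggest "Software versions currently supported for the selected firewall image." and, for the next row, "Instance type for the firewall instance."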
@@ -162,23 +248,26 @@ Password Applicable to Azure deployment o Key Pair Name (Optional) The .pem file name for SSH access to the firewall instance. Attach (Optional) By selecting this option, the firewall instance is inserted in the data path to receive packet. If this is the second firewall instance for the same gateway and you have an operational FireNet deployment, you should not select this option as the firewall is not configured yet. You can attach the firewall instance later at Firewall Network -> Advanced page. Advanced (Optional) Click this selection to allow Palo Alto firewall bootstrap files to be specified. -IAM Role In advanced mode, create an IAM Role on the AWS account that launched the FireNet gateway. Create a policy to attach to the role. The policy is to allow access to "Bootstrap Bucket". -Bootstrap Bucket Name In advanced mode, specify a bootstrap bucket name where the initial configuration and policy file is stored. +IAM Role In advanced mode, create an IAM Role on the AWS account that launched the FireNet gateway. Create a policy to attach to the role. The policy is to allow access to "Bootstrap Bucket". This option is not supported on Check Point. +Bootstrap Bucket Name In advanced mode, specify a bootstrap bucket name where the initial configuration and policy file is stored. This option is not supported on Check Point. +User Data In advanced mode and applicable to Check Point and FortiGate. For FortiGate in Azure, refer to `FortiGate User Data in Azure `_. For Check Point in Azure, refer to `Check Point User Data in Azure `_. ========================================== ========== -Note that Palo instance has 3 interfaces as described below. +1. Palo Alto VM-Series Specifications +************************************** + +Palo instance has 3 interfaces as described below. 
======================================================== =============================== ================================ **Palo Alto VM instance interfaces** **Description** **Inbound Security Group Rule** ======================================================== =============================== ================================ eth0 (on subnet -Public-FW-ingress-egress-AZ-a) Egress or Untrusted interface Allow ALL eth1 (on subnet -Public-gateway-and-firewall-mgmt-AZ-a) Management interface Allow SSH, HTTPS, ICMP, TCP 3978 -eth2 (on subnet -gw-dmz-firewall) LAN or Trusted interface Allow ALL (Do not change) +eth2 (on subnet -dmz-firewall) LAN or Trusted interface Allow ALL (Do not change) ======================================================== =============================== ================================ Note that firewall instance eth2 is on the same subnet as FireNet gateway eth2 interface. - .. important:: For Panorama managed firewalls, you need to prepare Panorama first and then launch a firewall. Check out `Setup Panorama `_. When a VM-Series instance is launched and connected with Panorama, you need to apply a one time "commit and push" from the Panorama console to sync the firewall instance and Panorama. 
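Review bot: the IAM Role row says the policy "is to allow access to "Bootstrap Bucket""; since this role is attached to an internet-facing firewall instance, state that the policy must be scoped to that one bucket and its objects rather than to S3 in general. In the Palo Alto interface table, the management interface on the public subnet is listed as "Allow SSH, HTTPS, ICMP, TCP 3978" with no source; as the FireNet gateway eth0 row does ("from Aviatrix Controller"), name the expected sources (Controller, Panorama) so readers do not open these ports to the world. Minor: "Palo instance has 3 interfaces" should read "A Palo Alto VM-Series instance has 3 interfaces", and the new "1. Palo Alto VM-Series Specifications" sub-heading restarts numbering at 1 inside step 7a.1, which is easy to confuse with the page's top-level step numbers.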
@@ -188,6 +277,43 @@ Note that firewall instance eth2 is on the same subnet as FireNet gateway eth2 i If VM-Series are individually managed and integrated with the Controller, you can still use Bootstrap to save initial configuration time. Export the first firewall's configuration to bootstrap.xml, create an IAM role and Bootstrap bucket structure as indicated above, then launch additional firewalls with IAM role and the S3 bucket name to save the time of the firewall manual initial configuration. +2. Fortigate Specifications +******************************* + +Fortigate Next Generation Firewall instance has 2 interfaces as described below. + +======================================================== =============================== ================================ +**Fortigate VM instance interfaces** **Description** **Inbound Security Group Rule** +======================================================== =============================== ================================ +eth0 (on subnet -Public-FW-ingress-egress-AZ-a) Egress or Untrusted interface Allow ALL +eth1 (on subnet -dmz-firewall) LAN or Trusted interface Allow ALL (Do not change) +======================================================== =============================== ================================ + +Note that firewall instance eth1 is on the same subnet as FireNet gateway eth2 interface. + +.. Tip:: + + Starting from Release 5.4, Fortigate bootstrap configuration is supported. + + +3. CheckPoint Specification +****************************** + +CheckPoint Firewall instance has 2 interfaces as described below. 
+ +======================================================== =============================== ================================ +**CheckPoint VM instance interfaces** **Description** **Inbound Security Group Rule** +======================================================== =============================== ================================ +eth0 (on subnet -Public-FW-ingress-egress-AZ-a) Egress or Untrusted interface Allow ALL +eth1 (on subnet -dmz-firewall) LAN or Trusted interface Allow ALL (Do not change) +======================================================== =============================== ================================ + +Note that firewall instance eth1 is on the same subnet as FireNet gateway eth2 interface. + +.. important:: + + Starting from Release 5.4, launching CheckPoint firewall instances from the Aviatrix Controller automatically initiates its onboarding process. For initial login information, go to `Credentials for Checkpoint Initial Login `_. You must be registered to access the Aviatrix Customer Support website. If you are not already registered, you can sign-up at https://support.aviatrix.com. + 7a.2 Launch and Associate More ################################# 
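Review bot: vendor names and heading forms are inconsistent across the two new sections: "Fortigate"/"FortiGate" and "CheckPoint"/"Check Point" (the field table in the previous hunk uses "Check Point"), and "2. Fortigate Specifications" versus "3. CheckPoint Specification"; pick one spelling and one heading form. The important note says launching a CheckPoint instance "automatically initiates its onboarding process"; a sentence on what that onboarding configures, and how to confirm it completed before attaching the instance to the data path, would help readers.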
@@ -199,13 +325,23 @@ Or repeat this step to launch more firewall instances to associate with the same ########################################### After a firewall instance is launched, wait for 15 minutes for it to come up. +In addition, please follow example configuration guides as below to build a simple policy on the firewall instance for a test validation that traffic is indeed being routed to firewall instance. -You can follow `this example configuration guide `_ to build -a simple "Allow All" policy on the firewall instance for a test validation that traffic is indeed being routed -to firewall instance. +Palo Alto +********** +For basic configuration, please refer to `this example configuration guide `_. For implementation details on using Bootstrap to launch and initiate VM-Series, refer to `Bootstrap Configuration Example `_. +FortiGate +********** +For basic configuration, please refer to `this example configuration guide `_. + +CheckPoint +********** +For basic configuration, please refer to `this example configuration guide `_ + + 7b. Associate an Existing Firewall Instance -------------------------------------------- @@ -222,6 +358,14 @@ If you perform 7a or 7b, then you must be using a third party firewall instance. This option is to deploy `Aviatrix FQDN gateway `_ in a FireNet environment for a centralized scale out egress whitelist solution, as shown below. +.. important:: + + If a deployed Aviatrix FQDN gateway has no FQDN whitelist attached to it, the FQDN gateway acts as a NAT gateway and it will pass all traffic to all destination sites. To add whitelist policies, follow `how to configure FQDN instructions `_. + +This option is available in AWS and Azure. It applies to multi-cloud transit, Azure native Spoke transit and TGW based transit. + +|fqdn_egress| + |fqdn_in_firenet| ========================================== ========== 
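Review bot: the CheckPoint line "For basic configuration, please refer to `this example configuration guide `_" is missing its terminating period, and the lead sentence "please follow example configuration guides as below to build a simple policy on the firewall instance for a test validation" drops the "Allow All" wording of the original; keep it, since the linked bootstrap examples still describe an "Allow All" policy and readers should know the test policy is not a production one.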
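Review bot: the new important note states that an FQDN gateway with no whitelist "acts as a NAT gateway and it will pass all traffic to all destination sites"; because that is a fail-open default for an egress control, the note should tell readers to configure the whitelist policy before attaching the gateway to the data path (the "Attach" option in the table below) rather than only linking to the FQDN instructions. Also, "This option is available in AWS and Azure. It applies to multi-cloud transit, Azure native Spoke transit and TGW based transit." reads better as one sentence.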
@@ -242,12 +386,64 @@ Attach Attach this FQDN gateway to the 8. Specify Security Domain for Firewall Inspection ----------------------------------------------------- -The method to specify a Spoke VPC that needs inspection is to define a connection policy of the Security Domain where the Spoke VPC is a member to the Firewall Domain. +There are two inspection modes, one is Domain based inspection which is the default and the other is Connection Policy based inspection. +The Connection Policy based inspection mode (connection based inspection) is available in Release 6.3 and later. + +8a. Domain-based inspection +############################### + +In domain-based inspection, to specify a Spoke VPC that needs inspection is to define a connection policy of the Security Domain, where the Spoke VPC is a member, +to the Firewall Domain. For example, if you wish to inspect traffic between on-prem to VPC, connect Aviatrix Edge Domain to the Firewall Domain. This means on-prem traffic to any Spoke VPC is routed to the firewall first and then it is forwarded to the destination Spoke VPC. Conversely, any Spoke VPC traffic destined to on-prem is routed to the firewall first and then forwarded to on-prem. +8b. Connection-based inspection +################################# + +Connection-based inspection only applies to TGW based Transit solution. + +Connection-based inspection is available from Release 6.3 and later. Connection-based inspection allows you to inspect traffic going +across a specific pair of Security Domains. For example, Domain A has connection policy to Domain B and Domain C, you can specify to +inspect traffic between Domain A and Domain B, but not Domain A and Domain C. This inspection mode reduces the amount of traffic being +inspected and reduces the instances size requirements on both FireNet gateways and firewalls. + +.. 
note:: + + Connection-based inspection is not applicable to `intra-domain inspection `_ where all VPC to VPC traffic in the same domain is inspected. + +Here are the steps to enable and configure connection based inspection. + +Step 1. Enable Connection-Based Inspection +********************************************* + +Go to Controller -> TGW Orchestrator -> List. Click TGW, select one TGW, click Action -> Edit Inspection Mode. Select Connection-based, click Update. + +Step 2. Configure East-West Inspection +****************************************** + +`A firewall security domain `_ must be created first before configuring east-west inspection. + +Go to Controller -> TGW Orchestrator -> List. Click Connection which displays all Connection Policies in rows. Select on Connection Policy, +click Action -> Enable Inspection. In the pop up drop down menu, select a firewall domain to associate the Connection Policy with. +Click Update. + +Repeat this step for other Connection Policies. + +Step 3. Configure Egress Inspection +************************************* + +The Firewall Domain must have `Egress Inspection `_ enabled before configuring Egress Inspection. + +Go to Controller -> TGW Orchestrator -> List. Click Security Domains which displays all Security Domains configured on the TGW. +Select one domain, click Action -> Enable Egress Inspection. In the pop up drop down menu, select a firewall domain to +associate the domain with. Click Update. + +Done. + + + .. |firewall_domain| image:: firewall_network_workflow_media/firewall_domain.png 
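Review bot: several of the new sentences need a grammar pass: "In domain-based inspection, to specify a Spoke VPC that needs inspection is to define a connection policy of the Security Domain, where the Spoke VPC is a member, to the Firewall Domain." (suggest "In domain-based inspection, you mark a Spoke VPC for inspection by connecting the Security Domain it belongs to with the Firewall Domain."), "For example, Domain A has connection policy to Domain B and Domain C, you can specify to inspect traffic between Domain A and Domain B, but not Domain A and Domain C." (suggest "For example, if Domain A has connection policies to Domain B and Domain C, you can choose to inspect traffic between A and B but not between A and C."), "reduces the instances size requirements" (instance size), and "Select on Connection Policy" (Select one Connection Policy). The availability statement "Release 6.3 and later" appears twice within a few lines; keep one.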
@@ -265,4 +461,14 @@ to the destination Spoke VPC. Conversely, any Spoke VPC traffic destined to on-p .. |fqdn_in_firenet| image:: firewall_network_workflow_media/fqdn_in_firenet.png :scale: 30% +.. |fqdn_egress| image:: transit_firenet_design_patterns_media/fqdn_egress.png + :scale: 30% + +.. |gwlb_tgw_avxgw| image:: firewall_network_workflow_media/gwlb_tgw_avxgw.png + :scale: 40% + +.. |gwlb_native| image:: firewall_network_workflow_media/gwlb_native.png + :scale: 40% + + .. disqus:: diff --git a/HowTos/firewall_network_workflow_media/cp_icmp_lan_example.png b/HowTos/firewall_network_workflow_media/cp_icmp_lan_example.png new file mode 100644 index 000000000..073e99cdb Binary files /dev/null and b/HowTos/firewall_network_workflow_media/cp_icmp_lan_example.png differ diff --git a/HowTos/firewall_network_workflow_media/cp_ping_enable_1.png b/HowTos/firewall_network_workflow_media/cp_ping_enable_1.png new file mode 100644 index 000000000..950cdbb9a Binary files /dev/null and b/HowTos/firewall_network_workflow_media/cp_ping_enable_1.png differ diff --git a/HowTos/firewall_network_workflow_media/cp_ping_enable_2.png b/HowTos/firewall_network_workflow_media/cp_ping_enable_2.png new file mode 100644 index 000000000..962f1ef59 Binary files /dev/null and b/HowTos/firewall_network_workflow_media/cp_ping_enable_2.png differ diff --git a/HowTos/firewall_network_workflow_media/example_topology_lan_ping.png b/HowTos/firewall_network_workflow_media/example_topology_lan_ping.png new file mode 100644 index 000000000..d70b63af5 Binary files /dev/null and b/HowTos/firewall_network_workflow_media/example_topology_lan_ping.png differ diff --git a/HowTos/firewall_network_workflow_media/firewall_advanced_lan_1.png b/HowTos/firewall_network_workflow_media/firewall_advanced_lan_1.png new file mode 100644 index 000000000..d0df471b2 Binary files /dev/null and b/HowTos/firewall_network_workflow_media/firewall_advanced_lan_1.png differ 
diff --git a/HowTos/firewall_network_workflow_media/firewall_advanced_lan_ping.png b/HowTos/firewall_network_workflow_media/firewall_advanced_lan_ping.png new file mode 100644 index 000000000..e0ec454a5 Binary files /dev/null and b/HowTos/firewall_network_workflow_media/firewall_advanced_lan_ping.png differ diff --git a/HowTos/firewall_network_workflow_media/fortigate_example_ping.png b/HowTos/firewall_network_workflow_media/fortigate_example_ping.png new file mode 100644 index 000000000..e7493aa86 Binary files /dev/null and b/HowTos/firewall_network_workflow_media/fortigate_example_ping.png differ diff --git a/HowTos/firewall_network_workflow_media/gwlb_native.png b/HowTos/firewall_network_workflow_media/gwlb_native.png new file mode 100644 index 000000000..fb851f6cf Binary files /dev/null and b/HowTos/firewall_network_workflow_media/gwlb_native.png differ diff --git a/HowTos/firewall_network_workflow_media/gwlb_tgw_avxgw.png b/HowTos/firewall_network_workflow_media/gwlb_tgw_avxgw.png new file mode 100644 index 000000000..d9473340d Binary files /dev/null and b/HowTos/firewall_network_workflow_media/gwlb_tgw_avxgw.png differ diff --git a/HowTos/firewall_network_workflow_media/pan_lan_attach.png b/HowTos/firewall_network_workflow_media/pan_lan_attach.png new file mode 100644 index 000000000..01b8de18f Binary files /dev/null and b/HowTos/firewall_network_workflow_media/pan_lan_attach.png differ diff --git a/HowTos/firewall_network_workflow_media/pan_network_profile.png b/HowTos/firewall_network_workflow_media/pan_network_profile.png new file mode 100644 index 000000000..712a3d89a Binary files /dev/null and b/HowTos/firewall_network_workflow_media/pan_network_profile.png differ diff --git a/HowTos/flightpath.rst b/HowTos/flightpath.rst index 58c2c7e89..6d7c2cfd9 100644 --- a/HowTos/flightpath.rst +++ b/HowTos/flightpath.rst 
@@ -6,14 +6,14 @@ FlightPath ################################### -FlightPath is a troubleshooting tool. It retrieves and displays, in a side by side fashion, AWS EC2 related information such as Security Groups, +FlightPath is a troubleshooting tool. It retrieves and displays, in a side by side fashion, cloud provider's network related information such as Security Groups, Route table and route table entries and network ACL. This helps you to identify connectivity problems. What you need -------------- You do not need to launch Aviatrix gateways to use this tool, but you need to create Aviatrix accounts -so that the Controller can use the account credentials to execute AWS APIs to retrieve relevant information. +so that the Controller can use the account credentials to execute cloud provider's APIs to retrieve relevant information. diff --git a/HowTos/fortigate_bootstrap_example.rst b/HowTos/fortigate_bootstrap_example.rst new file mode 100644 index 000000000..e76a51c91 --- /dev/null +++ b/HowTos/fortigate_bootstrap_example.rst 
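Review bot: "cloud provider's network related information" and "execute cloud provider's APIs" should read "cloud-provider network-related information" and "execute the cloud provider's APIs"; otherwise the generalization away from AWS is fine.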
@@ -0,0 +1,125 @@ +.. meta:: + :description: Firewall Network + :keywords: AWS Transit Gateway, AWS TGW, TGW orchestrator, Aviatrix Transit network, Transit DMZ, Egress, Firewall + + +================================================================= +Bootstrap Configuration Example for FortiGate Firewall in AWS +================================================================= + +Using bootstrap option significantly simplifies Fortinet FortiGate initial configuration setup. + +In this document, we provide a bootstrap example to set up an "Allow All" and Egress NAT policy for the FortiGate to validate +that traffic is indeed sent to the FortiGate for VPC to VPC traffic inspection. + +For a manual setup, follow `manual setup example. `_ + +FortiGate also supports "User Data" method as an alternative bootstrap mechanism. This mechanism is same for both +AWS and Azure. If "User Data" method is desired, refer to +`Bootstrap with User Data on FortiGatew in Azure `_. + + +1. Create IAM Role and Policy +-------------------------------- + +Login to AWS console, create an IAM role with the name, for example, "bootstrap-FortiGate-S3-role". +Attach an IAM policy with the name, for example, "bootstrap-FortiGate-S3-policy". The policy has the following statements. + +:: + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:ListBucket" + ], + "Resource": [ + "arn:aws:s3:::*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "s3:GetObject" + ], + "Resource": [ + "arn:aws:s3:::*" + ] + } + ] + } + + +2. Create bootstrap bucket structure +------------------------------------- + +In AWS S3, at the top level create a bucket for bootstrap with a **unique** name, for example "bootstrap-fortigate-bucket", with the following structure: + +:: + + bootstrap-fortigate-bucket/ + init.conf + license.lic + + +3. Upload config files +------------------------ + +**3.1** The example init.conf file contains the "Allow All" setup. 
To downloady the file, click :download:`init.conf `. + +**3.2** For the example license.lic file, click :download:`license.lic `. For Metered AMI, this file is not required. + +.. Note:: + + You must specify the password in the example init.conf file. For initial Fortigate login information, go to `Credentials for FortiGate Initial Login `_. You must be registered to access the Aviatrix Customer Support website. If you are not already registered, you can sign-up at https://support.aviatrix.com. + + +**3.3** upload these two files to your config folder in the bootstrap-fortigate-bucket. + +4. Launch the Fortigate instance +----------------------------------- + +Follow the Aviatrix Firewall Network (FireNet) workflow +to `Step 7a. `_. + +Fill in the required fields. Click Advanced. Fill in the following parameters. + +================================ ====================== +**Advanced Field** **Example Value** +================================ ====================== +IAM Role bootstrap-FortiGate-S3-role +Bootstrap Bucket Name fortigate-bootstrap-bucket (must be a unique name in S3) +================================ ====================== + +Launch the instance. Wait for 15 minutes for it to boot up and initialize. + +Login to the HTTPS interface of the public IP with username "admin" and the password specified in the example init.conf file. You should change the username and password after the initial login. + + +5. Configure Static Routes +-------------------------------------- + +Follow `the instructions here `_ to configure the static +routes. + + +6. Ready to go! +--------------- + +Now your firewall instance is ready to receive packets! + +The next step is to specify which Security Domain needs packet inspection by defining a connection policy that connects to +the firewall domain. This is done by `Step 8 `_ in the Firewall Network workflow. + +For example, deploy Spoke-1 VPC in Security_Domain_1 and Spoke-2 VPC in Security_Domain_2. 
Build a connection policy between the two domains. Build a connection between Security_Domain_2 to Firewall Domain. + +Launch one instance in Spoke-1 VPC and Spoke-2 VPC. From one instance, ping the other instance. The ping should go through. + + +.. |bootstrap_bucket| image:: bootstrap_example_media/bootstrap_bucket.png + :scale: 30% + + +.. disqus:: diff --git a/HowTos/fortigate_bootstrap_example_azure.rst b/HowTos/fortigate_bootstrap_example_azure.rst new file mode 100644 index 000000000..3bbec344b --- /dev/null +++ b/HowTos/fortigate_bootstrap_example_azure.rst 
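Review bot: the IAM policy in section 1 grants `s3:ListBucket` and `s3:GetObject` on "arn:aws:s3:::*", i.e. read access to every bucket in the account, for a role attached to an internet-facing firewall instance; scope the Resource entries to the bootstrap bucket ("arn:aws:s3:::bootstrap-fortigate-bucket" for ListBucket and "arn:aws:s3:::bootstrap-fortigate-bucket/*" for GetObject), which is what the workflow page promises ("allow access to "Bootstrap Bucket""). The bucket name is inconsistent: section 2 creates "bootstrap-fortigate-bucket" while the table in section 4 enters "fortigate-bootstrap-bucket". Step 3.3 says to upload "to your config folder", but the structure in section 2 places init.conf and license.lic at the bucket root. Since init.conf carries the admin password in clear text, the note in section 3 should also say to keep the bucket private; the page already advises changing the password after first login. Typos: "downloady", "FortiGatew"; "**3.3** upload" should be capitalized like 3.1 and 3.2; "|bootstrap_bucket|" is defined at the end but never referenced in the file.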
@@ -0,0 +1,177 @@ +.. meta:: + :description: Firewall Network + :keywords: Azure Transit Gateway, Aviatrix Transit network, Transit DMZ, Egress, Firewall, Bootstrap, Fortigate + + +================================================================= +Bootstrap Configuration Example for FortiGate Firewall in Azure +================================================================= + +Using bootstrap option significantly simplifies Fortinet FortiGate initial configuration setup. + +In this document, we provide a bootstrap example to set up an "Allow All" firewall policy, firewall health check policy and static routes for the FortiGate to validate +that traffic is indeed sent to the FortiGate for VNET to VNET traffic inspection. + +For a manual setup, follow `manual setup example. `_ + +There are two ways to configure Fortinet Fortigate via Bootstrap Configuration: + +Method 1: Configure Fortigate Firewall via User Data +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Follow the Aviatrix Firewall Network (FireNet) workflow +to `Step 7a. `_. to launch the firewall instance. + +To Configure FortiGate using Custom Data, go to the Aviatrix Controller -> Firewall Network -> Setup -> Launch & Associate Firewall Instance. + +Fill in the required fields. Click Advanced. Fill in the following parameters. 
+ +================================ ====================== +**Advanced Field** **Example Value** +================================ ====================== +User Data Bootstrap Configuration +================================ ====================== + +Sample Fortigate Bootstrap Configuration to configure firewall "Allow-all" policy, health check policy and RFC 1918 static routes is shown below: + + :: + + # Simple Example Fortigate Bootstrap Configuration + # Not Necessary Fulfill the Requirement for any Customer + + # Login Username and Password + config system admin + edit admin + set password + end + + # System Hostname + config system global + set hostname myhost + set timezone 04 + end + + # Important HTTPS needs to be allowed on LAN interface for Firewall Health Check + config system interface + edit port2 + set allowaccess https + next + end + + #RFC 1918 Routes and Subnet Default Gateway + config router static + edit 1 + set dst 10.0.0.0 255.0.0.0 + set gateway 10.26.0.81 + set device port2 + next + edit 2 + set dst 192.168.0.0 255.255.0.0 + set gateway 10.26.0.81 + set device port2 + next + edit 3 + set dst 172.16.0.0 255.240.0.0 + set gateway 10.26.0.81 + set device port2 + next + # LoadBalancer IP + edit 4 + set dst 168.63.129.16 255.255.255.255 + set gateway 10.26.0.81 + set device port2 + next + end + + # Firewall Allow All Policy Example + config firewall policy + edit 1 + set name allow_all + set srcintf port2 + set dstintf port2 + set srcaddr all + set dstaddr all + set action accept + set schedule always + set service ALL + next + end + + + +|fortigate_bootstrap_example| + +Launch the instance. Wait for 15 minutes for it to boot up and initialize. + +Login to the HTTPS interface of the public IP with username "admin" and the password specified in the example Fortigate Bootstrap Configuration. For initial Fortigate login information, go to `Credentials for FortiGate Initial Login `_. 
You must be registered to access the Aviatrix Customer Support website. If you are not already registered, you can sign-up at https://support.aviatrix.com. + +Method 2: Configure Fortigate using Azure Blob +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +1. Create Storage Account and Private Container +-------------------------------------------------- + +Login to Azure's console and create a storage account, and private container in the Azure blob for bootstrap with a **unique** name, for example "bootstrap-fortigate", using this `guide `_ Step 2 and 3 with the following structure: + +:: + + Storage Account + Container + fortigatebootstrap/ + init.txt + license.txt + + +2. Upload config files +------------------------ + +**2.1** The example init.conf file contains the "Allow All" setup. To download the file, click :download:`init.txt `. + +**2.2** For the example license.lic file (optional), click :download:`license.txt `. + +**2.3** upload these two files in the blob. Please follow Step 4 in `this `_ guide. + +3. Launch the Fortigate instance +----------------------------------- + +First follow `Step 5 `_ to get the SAS URL for Configuration and License. + +Follow the Aviatrix Firewall Network (FireNet) workflow +to `Step 7a. `_ + +Fill in the required fields. Click Advanced. Fill in the following parameters. + +================================ ====================== +**Advanced Field** **Example Value** +================================ ====================== +Bootstrap Storage Name Azure Storage Name (e.g. transitbootstrapsotrage) +Container Folder Private Container Name (e.g. fortigatebootstrap) +SAS URL Config SAS Config URL (Follow the given guide) +SAS URL License SAS License URL (Follow the given guide) +================================ ====================== + +Example Screenshot: +|fortigate_method2_example| + +Launch the instance. Wait for 15 minutes for it to boot up and initialize. 
Please make sure to verify the RFC 1918 and Internet static route in Fortigate firewall. + +Login to the HTTPS interface of the public IP with username "admin" and the password specified in the example Fortigate Bootstrap Configuration. For initial Fortigate login information, go to `ZENDESK_TITLE `_. You must be registered to access the Aviatrix Customer Support website. If you are not already registered, you can sign-up at https://support.aviatrix.com. + + +Ready to go! +~~~~~~~~~~~~~~~ + +Now your firewall instance is ready to receive packets! + +Next step is to validate your configurations and polices using FlightPath and Diagnostic Tools (ping, traceroute etc.). + +Launch one instance in PROD Spoke VNET and DEV Spoke VNET. Start ping packets from a instance in DEV Spoke VNET to the private IP of another instance in PROD Spoke VNET. The ICMP traffic should go through the firewall and be inspected in firewall. + + +.. |fortigate_bootstrap_example| image:: fortigate_bootstrap_example_media/fortigate_bootstrap_example.png + :scale: 40% + +.. |fortigate_method2_example| image:: fortigate_bootstrap_example_media/fortigate_method2_example.png + :scale: 40% + +.. disqus:: diff --git a/HowTos/fortigate_bootstrap_example_media/fortigate_bootstrap_example.png b/HowTos/fortigate_bootstrap_example_media/fortigate_bootstrap_example.png new file mode 100644 index 000000000..cb087f5c5 Binary files /dev/null and b/HowTos/fortigate_bootstrap_example_media/fortigate_bootstrap_example.png differ diff --git a/HowTos/fortigate_bootstrap_example_media/fortigate_method2_example.png b/HowTos/fortigate_bootstrap_example_media/fortigate_method2_example.png new file mode 100644 index 000000000..34cb2199e Binary files /dev/null and b/HowTos/fortigate_bootstrap_example_media/fortigate_method2_example.png differ diff --git a/HowTos/fortigate_bootstrap_example_media/init-azure.txt b/HowTos/fortigate_bootstrap_example_media/init-azure.txt new file mode 100644 index 000000000..ea1e71ed1 
--- /dev/null +++ b/HowTos/fortigate_bootstrap_example_media/init-azure.txt @@ -0,0 +1,52 @@ +# Simple Example Fortigate Bootstrap Configuration +# Not Necessary Fullfil the Requirement for any Customer +config system admin + edit admin + set password Aviatrix123# +end +config system global + set hostname myhost + set timezone 04 +end +# Important for Firewall Health Probe +config system interface + edit port2 + set allowaccess https + next +end +#RFC 1918 Routes and Subnet Default Gateway +config router static + edit 1 + set dst 10.0.0.0 255.0.0.0 + set gateway 10.26.0.81 + set device port2 + next + edit 2 + set dst 192.168.0.0 255.255.0.0 + set gateway 10.26.0.81 + set device port2 + next + edit 3 + set dst 172.16.0.0 255.240.0.0 + set gateway 10.26.0.81 + set device port2 + next + # LoadBalancer IP + edit 4 + set dst 168.63.129.16 255.255.255.255 + set gateway 10.26.0.81 + set device port2 + next +end +config firewall policy + edit 1 + set name allow_all + set srcintf port2 + set dstintf port2 + set srcaddr all + set dstaddr all + set action accept + set schedule always + set service ALL + next +end diff --git a/HowTos/fortigate_bootstrap_example_media/init.conf b/HowTos/fortigate_bootstrap_example_media/init.conf new file mode 100644 index 000000000..ecb7495d8 --- /dev/null +++ b/HowTos/fortigate_bootstrap_example_media/init.conf @@ -0,0 +1,20 @@ +config system admin + edit admin + set password +end +config system global + set hostname myhost + set timezone 04 +end +config firewall policy + edit 1 + set name allow_all + set srcintf port2 + set dstintf port2 + set srcaddr all + set dstaddr all + set action accept + set schedule always + set service ALL + next +end diff --git a/HowTos/fortigate_bootstrap_example_media/license.lic b/HowTos/fortigate_bootstrap_example_media/license.lic new file mode 100644 index 000000000..e69de29bb diff --git a/HowTos/fqdn_faq.rst b/HowTos/fqdn_faq.rst index 7611f0b50..26ed7820e 100644 --- a/HowTos/fqdn_faq.rst 
+++ b/HowTos/fqdn_faq.rst 
@@ -99,25 +99,33 @@ Her are the steps to enable 3 AZ HA FQDN gateways: Following the above instructions, Aviatrix Controller will try to load balance the route tables to point to the gateways with AZ affinity. When a gateway fails, the Controller will reprogram the VPC route table to redistribute the traffic to the remaining gateways. -How does Aviatrix Egress FQDN compare to Squid Solution? -============================================================== +How does Aviatrix Egress FQDN compare to Squid and other solutions? +=============================================================================== Squid is a popular open source software that can be configured to do transparent HTTP/HTTPS filtering. Squid does not process non HTTP/HTTPS traffic. For example, if you need to filter on a SFTP site that runs on TCP port 22, Squid does not work. Below is a more comprehensive comparison between Aviatrix FQDN and Squid. -========================================== ============================================================= ============= -**Functions** **Aviatrix FQDN** **Squid** -========================================== ============================================================= ============= -Requires instance configuration No No -HTTP and HTTPS FQDN filter Yes Yes -non HTTP/HTTPS FQDN filter Yes No -Multi AZ High Availability Yes (load balanced) No -Centrally Managed Yes No -Egress Discovery `Yes `_ No -Rest API support Yes No -Terraform support Yes No -Out-of-box log integration Yes No -Vendor support Yes No -========================================== ============================================================= ============= +The table below also compares with other solutions such as AWS NAT Gateway, AWS Network Firewall and Azure Firewall. 
+ +============================================= ============================================================= =============== ===================== ================ ============= +**Functions** **Aviatrix FQDN** AWS NAT Gateway AWS Network Firewall Azure Firewall **Squid** +============================================= ============================================================= =============== ===================== ================ ============= +Requires instance configuration No No No No No +HTTP and HTTPS FQDN filter Yes (support wildcard) No Yes Yes Yes +non HTTP/HTTPS FQDN filter Yes No No No No +Requires dedicated subnet No No Yes Yes No +Multi AZ High Availability Yes (load balanced) Yes Yes Yes No +Centrally Managed Yes Yes Yes Yes No +Egress Discovery `Yes `_ No No No No +API support Yes Yes Yes Yes No +Terraform support Yes Yes Yes No No +Out-of-box log integration Yes No Yes Yes No +Allow specified destination to bypass filter Yes No No No No +Allow specified source CIDR to apply to rule Yes No No No No +Allow specified source CIDR to bypass filter Yes No No No No +Out of box visibility on sessions Yes No No No No +Search a specified rule match history Yes No No No No +Vendor product support Yes Yes Yes Yes No +============================================= ============================================================= =============== ===================== ================ ============= How do I Troubleshoot FQDN Problems? 
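Review bot: The new comparison table in the fqdn_faq.rst hunk at @@ -99 mixes bold header cells (**Aviatrix FQDN**, **Squid**) with plain ones (AWS NAT Gateway, AWS Network Firewall, Azure Firewall); format all five product columns the same way. The intro paragraph above the table still describes only Squid even though the heading now says "and other solutions", so add a sentence on what the three cloud-native products do and do not filter before the table. The `Egress Discovery` cell is the only cell carrying a link; either link consistently or move the reference below the table. A comparison of five products ages quickly, so consider dating it the way the gcp_inter_region_latency.rst hunk dates its measurements.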
@@ -168,6 +176,34 @@ Yes. Available in Release 5.0 and later, Aviatrix FQDN gateway can be deployed c One use case is if you need to limit the public IP addresses to a third party public service. Follow the `Firewall Network workflow `_ to deploy. +How does FQDN and Stateful Firewall work together? +---------------------------------------------------- + +If FQDN service is enabled on a gateway for any TCP port 80 and 443 traffic, all forwarding traffic to destination +TCP port 80 and 443 are processed by FQDN engine +and the decision to drop or accept the session is reached by FQDN engine. Stateful firewall can only process traffic destined +to non TCP port 80 and 443. + +How does FQDN rules are processed in order? +---------------------------------------------- + +Since you can create multiple tags with each consisting of a list of FQDN rules, the Controller must merge these rules in a specific order before sending these rules to FQDN gateway for processing. + +The Controller merges all FQDN rules by this order: + + 1. If the rule ACTION is `Deny`, it is placed in the first block for processing, that is, they are processed first. + #. Within each block (`Deny`, `Allow`, `Base Policy`), the more specific rules are processed or examined first. For example, salesforce.com is more specific than *.salesforce.com therefore salesforce.com is processed first. + #. Each rule has a verdict, Accept or Drop. When the FQDN processing engine finds a match, the verdict is reached and the packet is either dropped or accepted. The processing engine does not continue on to the next rule. + + +FQDN Option for Exact Match +---------------------------------------------------- + +This is a new feature where if a FQDN rule does not have * an exact match is expected. If this global option is not enabled, FQDN rules use regex to match any FQDN names that are subset of the name. 
For example, if salesforce.com is a rule and Exact Match option is enabled, finance.salesforce.com is not a match and will be dropped. + + + + .. |egress_overview| image:: FQDN_Whitelists_Ref_Design_media/egress_overview.png :scale: 30% diff --git a/HowTos/fqdn_viewlog.rst b/HowTos/fqdn_viewlog.rst index 92d265ef2..7153701be 100644 --- a/HowTos/fqdn_viewlog.rst +++ b/HowTos/fqdn_viewlog.rst @@ -12,6 +12,37 @@ or passed on the `FQDN gateway. `_ +Thee are additional functions associated with the FQDN View page. + +Detach or Disable FQDN +-------------------------- + +To disable FQDN function for a specific VPC, select the gateway, click Actions -> Detach/Disable FQDN. + +Remove Tag +----------- + +If you like to remove a specific tag associated with a FQDN tag, select the gateway, click Actions -> Remove Tag. + +Download Logs +-------------- + +For FQDN log on a specific gateway, select the gateway, click Actions -> Download Logs. + +Edit Pass-through +-------------------- + +This feature allows you to specify traffic originated from certain subnets to only be NATed and bypass FQDN filter function. + +This configuration applies to a specific FQDN gateway. + +To configure, go to Security -> Egress Control -> Egress FQDN Gateway View. Select a gateway, +click Actions -> Edit Pass-through. Select subnet or multi select subnets to allow bypass the filter. + +To configure, select one gateway, click Actions -> Edit Pass-through. Select one or multiple source subnets in the VPC and click Add to allow these subnets to be bypassed. You can also enter IP address range manually. Enter a list of IPs separated by comma.. + + + .. |discovered_sites| image:: fqdn_discovery_media/discovered_sites.png :scale: 50% diff --git a/HowTos/gateway.rst b/HowTos/gateway.rst index e3e85e564..e82a56ac1 100644 --- a/HowTos/gateway.rst +++ b/HowTos/gateway.rst 
@@ -23,7 +23,7 @@ Click "Gateway" on the navigation panel. Click "New" to set up launching a new g Public Subnet -------------- -Aviatrix gateways must be launched in a public subnet. +Aviatrix gateways are launched in a public subnet. A public subnet in AWS VPC is defined as a subnet whose associated route table has a default route entry that points to IGW. To learn 
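Review bot: The Public Subnet hunk in gateway.rst changes "must be launched in a public subnet" to "are launched in a public subnet", which turns a requirement into a description. If a public subnet is still required (the next sentence defines one by a default route to the IGW, which the gateway needs for its public reachability), keep "must"; if gateways can now be launched in private subnets, say so and state the conditions, because a reader deciding where to place a gateway cannot tell which is meant.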
@@ -35,34 +35,48 @@ Select Gateway Size ------------------- When selecting the gateway size, note the following guidelines of IPsec performance -based on iperf tests conducted between two gateways of the same size: +based on IPERF tests conducted between two gateways of the same size: -AWS Performance Numbers: +AWS Performance numbers: +----------------------------+-------------------------------------------------+ | AWS Instance Size | Expected Throughput | +============================+=================================================+ | T2 series | Not guaranteed; it can burst up to 130Mbps | +----------------------------+-------------------------------------------------+ -| M3 series | 300 - 500Mbps | -+----------------------------+-------------------------------------------------+ -| m4.xlarge, c4.xlarge | approximately 500Mbps | +| c5.2xlarge, c5.4xlarge | 2Gbps - 2.5Gbps | +----------------------------+-------------------------------------------------+ -| c3.2xlarge, m4.2xlarge | approximately 1Gbps | +| c5n.4xlarge | 25Gbps (with InsaneMode) | +----------------------------+-------------------------------------------------+ -| c3.4xlarge | approximately 1.2Gbps | +| c5n.9xlarge | 70Gbps (with InsaneMode) | +----------------------------+-------------------------------------------------+ -| c4.2xlarge | 1.2Gbps - 1.5Gbps | +| c5n.18xlarge | 70Gbps (with InsaneMode) | +----------------------------+-------------------------------------------------+ -| c5.2xlarge, c5.4xlarge | 2Gbps - 2.5Gbps | + + +Azure Performance Numbers (without Insane mode): + + +----------------------------+-------------------------------------------------+ -| c5n.4xlarge | 50Gbps | +| Azure Instance Size | Expected Throughput | ++============================+=================================================+ +| B series | Not guaranteed; it can burst up to 260Mbps | +----------------------------+-------------------------------------------------+ -| c5n.9xlarge | 70Gbps | +| D/Ds series | 
480Mbps - 1.2Gbps | +----------------------------+-------------------------------------------------+ -| c5n.18xlarge | 70Gbps | +| F Series | approximately 450Mbps - 1.2Gbps | +----------------------------+-------------------------------------------------+ +GCP Performance numbers (without Insane mode): + ++--------------------------------------------+-----------------------+ +| GCP Instance Size | Expected Throughput | ++============================================+=======================+ +| n1-standard-1, n1-standard-2, n1-highcpu-2 | 1.0 - 1.2 Gbps | ++--------------------------------------------+-----------------------+ +| n1-standard-4, n1-highcpu-2 | 2.3 - 2.5 Gbps | ++--------------------------------------------+-----------------------+ + OCI Expected Throughput Numbers: +----------------------------+--------------------------------------+------------------------------------------+ @@ -71,6 +85,20 @@ OCI Expected Throughput Numbers: | VM.Standard2.2 or larger | 1.8G | 900 Mbps | +----------------------------+--------------------------------------+------------------------------------------+ + +With OCI you can choose a flexible shape to modify the Oracle CPU (OCPU) and memory configurations of your shape after it is deployed. + ++-----------------------+--------------------+ +| OCI Flex Shape | OCPU and RAM | ++=======================+====================+ +| FLEX4.16 | E3 4 OCPU 8G RAM | ++-----------------------+--------------------+ +| FLEX8.32 | E3 8 OCPU 32G RAM | ++-----------------------+--------------------+ +| FLEX16.32 | E3 16 OCPU 32G RAM | ++-----------------------+--------------------+ + + .. note:: If you need IPSec performance beyond 2Gbps, refer to `Aviatrix Insane Mode. `_ 
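Review bot: Three data points in the Select Gateway Size hunk of gateway.rst look inconsistent. The GCP table lists n1-highcpu-2 in both rows (1.0 - 1.2 Gbps and 2.3 - 2.5 Gbps); the second row presumably means n1-highcpu-4. The OCI Flex table gives FLEX4.16 as "4 OCPU 8G RAM" while FLEX8.32 and FLEX16.32 both map the suffix to 32G RAM, so either the shape name or the RAM cell is off. The same hunk changes "iperf" to "IPERF"; the tool is written iperf, so that change should be reverted. The c5n.4xlarge figure also drops from 50Gbps to 25Gbps and the c5n rows gain "(with InsaneMode)", yet the note below still reads "beyond 2Gbps, refer to Insane Mode" without stating the non-Insane-Mode ceiling for those shapes; a one-line explanation of what changed would help readers sizing gateways.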
@@ -86,7 +114,7 @@ to enter an alternative DNS IP address. Enable NAT ------------- -The Aviatrix gateway will perform Source NAT (SNAT) function when this option is selected. All VPC routing tables for +The Aviatrix gateway performs Source NAT (SNAT) function when this option is selected. All VPC routing tables for private subnets are automatically programmed with 0.0.0.0/0 points to the gateway. The function can be enabled at gateway launch time, or any time afterwards. @@ -97,6 +125,11 @@ For example, you may already have a NAT gateway configured for the VPC. To minim #. Go to AWS Console to remove the existing 0.0.0.0/0 route entry from the route table. #. Go to the Gateway page, highlight the desired gateway, click Edit, Scroll down to SNAT and click Enable. +Enable BGP +---------- + +If this option is selected, the Aviatrix Spoke gateway is enabled with BGP. In the current release (6.6), BGP must be enabled at the creation of the Spoke gateway. Spoke gateways created pre-6.6 cannot be enabled with BGP. A Spoke gateway enabled with BGP has a few restrictions compared to a non-BGP Spoke. See `Aviatrix Spoke Gateway to External Devices (BGP-Enabled Spoke) `_for information about restrictions. + Allocate New EIP ----------------- 
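Review bot: In the Enable BGP hunk of gateway.rst, the link ends with `_for information` with no space between the closing `` `_ `` and "for", so the hyperlink will not render correctly in reStructuredText; insert the space. Also name the most important of the "few restrictions" inline rather than only linking out, since the same paragraph says BGP must be chosen at Spoke creation and cannot be enabled later, so the reader needs the trade-off at the moment of the decision.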
@@ -133,12 +166,14 @@ with your VPN virtual IP address. On the other hand, if your desktop is on a LAN your VPN virtual IP address might conflict with your LAN address. In this case, change the VPN CIDR Block to a different address range, for example, 10.10.0.0/24. +Note a /24 VPN CIDR block supports about 64 simultaneous VPN clients. This is because for each connected VPN client, VPN gateways reserves 3 virtual addresses. For larger number of clients per VPN gateway, consider making the VPN CIDR block to a /22 or /20 network. + MFA Authentication ===================== You can select either Duo or Okta for the VPN gateway to authenticate to these two services on behalf of a VPN user. -In this case, you can use OpenVPN® clients such as Tunnelblick for iOS and OpenVPN for Windows. +When either option is selected, you can use native OpenVPN® client software such as Tunnelblick for iOS and OpenVPN for Windows. For how to configure Duo, check out: `How to configure Duo. `_ @@ -240,7 +275,7 @@ Enable Client Certificate Sharing This is disabled by default. -By enabling the client certificate sharing, all VPN users share one .ovpn file. You must have MFA (such as DUO + LDAP) configured to make VPN access secure. +By enabling the client certificate sharing, all VPN users share one .ovpn file. You must have MFA (such as SAML, DUO + LDAP) configured to make VPN access secure. Enable Duplicate Connections @@ -294,7 +329,7 @@ Available for Aviatrix VPN client only. Add/Edit Tags --------------- -The Aviatrix gateway is launched with a default tag name avx-gateway@private-ip-address-of-the-gateway. This option allows you to add additional AWS tags at gateway launch time that you +The Aviatrix gateway is launched with a default tag name avx-gateway@private-ip-address-of-the-gateway. This option allows you to add additional AWS/Azure tags at gateway launch time that you can use for automation scripts. Designated Gateway 
@@ -389,6 +424,11 @@ You can change Gateway Size if needed to change gateway throughput. The gateway To configure, click Gateway on the left navigation panel, select the desired gateway, click Edit. Scroll down to "Gateway Resize" and in the drop down menu, select the new gateway instance size. Click "Change". The gateway instance will be stopped and restarted again with the new instance size. +o + +:: + + If you use Availability Set when launching Azure gateways, different classes of VM sizes can be resized interchangeably. Source NAT ------------ 
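Review bot: The Gateway Resize hunk in gateway.rst adds a stray line containing only `o` followed by a `::` literal block, so the sentence about Azure Availability Sets renders as preformatted text under a dangling "o". Drop the `o` and use the `.. note::` directive the file already uses (see the IPSec performance note in the Select Gateway Size section) so the Availability Set remark reads as a note.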
@@ -417,20 +457,24 @@ When "Customized SNAT" is selected, the gateway can translate source IP address |SNAT-customize| -=========================== ======================= -**Field** Value -=========================== ======================= -Src CIDR This is a qualifier condition that specifies a source IP address range where the rule applies. When left blank, this field is not used. -Src Port This is a qualifier condition that specifies a source port that the rule applies. When left blank, this field is not used. -Dst CIDR This is a qualifier condition that specifies a destination IP address range where the rule applies. When left blank, this field is not used. -Dst Port This is a qualifier condition that specifies a destination port where the rule applies. When left blank, this field is not used. -Protocol This is a qualifier condition that specifies a destination port protocol where the rule applies. When left blank, this field is not used. -Interface This is a qualifier condition that specifies output interface where the rule applies. When left blank, this field is not used. -Mark This is a qualifier condition that specifies a tag or mark of a TCP session where the rule applies. When left blank, this field is not used. -SNAT IPs This is a rule field that specifies the changed source IP address when all specified qualifier conditions meet. When left blank, this field is not used. One of the rule fields must be specified for this rule to take effect. -SNAT Port This is a rule field that specifies the changed source port when all specified qualifier conditions meet.. When left blank, this field is not used. One of the rule fields must be specified for this rule to take effect. -Exclude Route Table This field specifies which VPC private route table will not be programmed with the default route entry. -=========================== ======================= +Sync to HA Gateway feature is an option to help users automatically duplicating NAT rules to HA peer gateway. 
By default, this function is disabled on Customized SNAT meaning users need to configure NAT rules manually on HA peer gateway even NAT rules are same. + +================================ ======================= +**Field** Value +================================ ======================= +SRC CIDR This is a qualifier condition that specifies a source IP address range where the rule applies. When left blank, this field is not used. +SRC PORT This is a qualifier condition that specifies a source port that the rule applies. When left blank, this field is not used. +DST CIDR This is a qualifier condition that specifies a destination IP address range where the rule applies. When left blank, this field is not used and a default route 0.0.0.0/0 pointing to Aviatrix Gateway will be programmed into Cloud platform routing table. +DST PORT This is a qualifier condition that specifies a destination port where the rule applies. When left blank, this field is not used. +PROTOCOL This is a qualifier condition that specifies a destination port protocol where the rule applies. When left blank, this field is not used. +INTERFACE This is a qualifier condition that specifies output interface where the rule applies. When left blank, this field is not used. +CONNECTION This is a qualifier condition that specifies output connection where the rule applies. When left blank, this field is not used. +MARK This is a qualifier condition that specifies a tag or mark of a TCP session where the rule applies. When left blank, this field is not used. +SNAT IPS This is a rule field that specifies the changed source IP address when all specified qualifier conditions meet. When left blank, this field is not used. One of the rule fields must be specified for this rule to take effect. 
Multiple translated source IP addresses are supported, they are specified as a range, for example, 100.100.1.5 - 100.100.1.10 +SNAT PORT This is a rule field that specifies the changed source port when all specified qualifier conditions meet.. When left blank, this field is not used. One of the rule fields must be specified for this rule to take effect. +APPLY ROUTE ENTRY This is an option to program the route entry "DST CIDR pointing to Aviatrix Gateway" into Cloud platform routing table. +EXCLUDE ROUTE TABLE This field specifies which VPC private route table will not be programmed with the default route entry. Users can combine this with APPLY ROUTE ENTRY enabled. +================================ ======================= Destination NAT ---------------- 
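Review bot: In the Customized SNAT hunk of gateway.rst, the DST CIDR row says that when the field is blank "a default route 0.0.0.0/0 pointing to Aviatrix Gateway will be programmed into Cloud platform routing table"; that is a routing side effect on every private subnet, and it sits in a cell that otherwise describes a match qualifier. Pull it out into its own sentence next to APPLY ROUTE ENTRY and EXCLUDE ROUTE TABLE, and state whether APPLY ROUTE ENTRY has to be enabled for that route to be installed or whether a blank DST CIDR installs it regardless. The Sync to HA Gateway paragraph says the feature is disabled by default for Customized SNAT while the following DNAT hunk says it is enabled by default for DNAT; if the asymmetry is intentional, explain it in one sentence, otherwise readers will assume one of the two is a typo. Minor: "duplicating" should read "duplicate", and "even NAT rules are same" should read "even when the NAT rules are the same".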
@@ -441,28 +485,24 @@ There are multiple optional parameters you can configure to meet your requiremen |dnat-port-mapping| -=========================== ======================= -**Field** Value -=========================== ======================= -Source CIDR This is a qualifier condition that specifies a source IP address range where the rule applies. When left blank, this field is not used. -Source Port This is a qualifier condition that specifies a source port that the rule applies. When left blank, this field is not used. -Destination CIDR This is a qualifier condition that specifies a destination IP address range where the rule applies. When left blank, this field is not used. -Destination Port This is a qualifier condition that specifies a destination port where the rule applies. When left blank, this field is not used. -Protocol This is a qualifier condition that specifies a destination port protocol where the rule applies. When left blank, this field is not used. -Interface This is a qualifier condition that specifies output interface where the rule applies. When left blank, this field is not used. -Mark This is a rule field that specifies a tag or mark of a TCP session when all qualifier conditions meet. When left blank, this field is not used. -DNAT IPs This is a rule field that specifies the translated destination IP address when all specified qualifier conditions meet. When left blank, this field is not used. One of the rule field must be specified for this rule to take effect. -DNAT Port This is a rule field that specifies the translated destination port when all specified qualifier conditions meet. When left blank, this field is not used. One of the rule field must be specified for this rule to take effect. -=========================== ======================= - -Network Mapping ------------------ - -Networking mapping is a destination address translation scheme where the destination address range is one to one mapped to -a virtual address range. 
A configuration example can be shown below, where "Real Destination CIDR" 10.10.10.0/24 is mapped to -"Virtual Destination CIDR" 100.100.10.0/24. - -|network_mapping| +Sync to HA Gateway feature is an option to help users automatically duplicating NAT rules to HA peer gateway. By default, this function is enabled on DNAT. + +================================ ======================= +**Field** Value +================================ ======================= +SRC CIDR This is a qualifier condition that specifies a source IP address range where the rule applies. When left blank, this field is not used. +SRC PORT This is a qualifier condition that specifies a source port that the rule applies. When left blank, this field is not used. +DST CIDR This is a qualifier condition that specifies a destination IP address range where the rule applies. When left blank, this field is not used and a default route 0.0.0.0/0 pointing to Aviatrix Gateway will be programmed into Cloud platform routing table. +DST PORT This is a qualifier condition that specifies a destination port where the rule applies. When left blank, this field is not used. +PROTOCOL This is a qualifier condition that specifies a destination port protocol where the rule applies. When left blank, this field is not used. +INTERFACE This is a qualifier condition that specifies output interface where the rule applies. When left blank, this field is not used. +CONNECTION This is a qualifier condition that specifies output connection where the rule applies. When left blank, this field is not used. +MARK This is a rule field that specifies a tag or mark of a TCP session when all qualifier conditions meet. When left blank, this field is not used. +DNAT IPS This is a rule field that specifies the translated destination IP address when all specified qualifier conditions meet. When left blank, this field is not used. One of the rule field must be specified for this rule to take effect. 
Multiple translated source IP addresses are supported, they are specified as a range, for example, 100.101.2.5 - 100.101.2.10 +DNAT PORT This is a rule field that specifies the translated destination port when all specified qualifier conditions meet. When left blank, this field is not used. One of the rule field must be specified for this rule to take effect. +APPLY ROUTE ENTRY This is an option to program the route entry "DST CIDR pointing to Aviatrix Gateway" into Cloud platform routing table. +EXCLUDE ROUTE TABLE This field specifies which VPC private route table will not be programmed with the default route entry. Users can combine this with APPLY ROUTE ENTRY enabled. +================================ ======================= Monitor Gateway Subnet ----------------------- @@ -516,7 +556,7 @@ An Aviatrix Gateway could be in any of the following states over its lifetime. -**CONFIG-FAIL**: Gateway could not process a configuration command from the controller successfully. Please contact support@aviatrix.com for assistance. +**CONFIG-FAIL**: Gateway could not process a configuration command from the controller successfully. Please open a support ticket at `Aviatrix Support Portal `_ for assistance. If a gateway is not in **UP** state, please perform the following steps. 
@@ -647,7 +687,7 @@ One use case is if you have Spoke VPCs that have multiple CIDR blocks, among whi you attach these Spoke VPCs, the Aviatrix Controller will reject them as there are overlapping CIDRs. By excluding the overlapping CIDRs, you will be able to attach the Spoke VPCs. -When this policy is applied to an Aviatrix Transit Gateway, the list is an "Exclude list" meaning the CIDRs in the input fields will be exclude. +When this policy is applied to an Aviatrix Transit Gateway, the list is an "Exclude list" meaning the CIDRs in the input fields will be excluded from advertising to on-prem. When this policy is applied to an Aviatrix Spoke gateway, the list is an "Include list" meaning only the CIDRs in the input fields are advertised to on-prem. In Release 4.7 and later, the "Include list" can be network ranges that are outside of the Spoke VPC CIDR. @@ -690,10 +730,10 @@ OpenVPN is a registered trademark of OpenVPN Inc. .. |edit-designated-gateway| image:: gateway_media/edit-designated-gateway.png :scale: 50% -.. |SNAT-customize| image:: gateway_media/SNAT-customize.png +.. |SNAT-customize| image:: gateway_media/SNAT-customize-6-1.png :scale: 30% -.. |dnat-port-mapping| image:: gateway_media/dnat-port-mapping.png +.. |dnat-port-mapping| image:: gateway_media/dnat-port-mapping-6-1.png :scale: 30% .. |additional_cidr| image:: gateway_media/additional_cidr.png @@ -701,5 +741,8 @@ OpenVPN is a registered trademark of OpenVPN Inc. .. |network_mapping| image:: gateway_media/network_mapping.png :scale: 30% + +.. |gateway_name_alias| image:: gateway_media/gateway_name_alias.png + :scale: 30% .. disqus:: diff --git a/HowTos/gateway_audit.rst b/HowTos/gateway_audit.rst index 4343f1aa8..74eafc66e 100644 --- a/HowTos/gateway_audit.rst +++ b/HowTos/gateway_audit.rst 
@@ -26,7 +26,15 @@ Error(SG) The gateway instance's security Error(IAM) The gateway instance's aviatrix-role-ec2 is detached from the instance profile or aviatrix-role-app does not have associated policy. ========================================== ================= -If you need help, email to support@aviatrix.com +Cloud Message Queue Failure +----------------------------- + +If the alert message has a title "Cloud Message Queue Failure", it implies the following: + + 1. The gateway runs periodic APIs calls to retrieve SQS messages if any sent by the Controller. For 15 minutes, the specific gateway has been experiencing API calls failures. This does not necessarily mean the gateway has missed any messages. There may be a temporary interruption for gateway to make API calls. + #. If the failure continues, a new message will be sent once a day. + +Please checkout this `document `_ to look for ways to debug and address this issue. If you need help, please open a support ticket at `Aviatrix Support Portal `_ .. |secondary_account| image:: adminusers_media/secondary_account.png :scale: 50% diff --git a/HowTos/gateway_media/SNAT-customize-6-1.png b/HowTos/gateway_media/SNAT-customize-6-1.png new file mode 100644 index 000000000..eecc7eae5 Binary files /dev/null and b/HowTos/gateway_media/SNAT-customize-6-1.png differ diff --git a/HowTos/gateway_media/dnat-port-mapping-6-1.png b/HowTos/gateway_media/dnat-port-mapping-6-1.png new file mode 100644 index 000000000..e6a23f8c1 Binary files /dev/null and b/HowTos/gateway_media/dnat-port-mapping-6-1.png differ diff --git a/HowTos/gateway_media/gateway_name_alias.png b/HowTos/gateway_media/gateway_name_alias.png new file mode 100644 index 000000000..0a588c01e Binary files /dev/null and b/HowTos/gateway_media/gateway_name_alias.png differ diff --git a/HowTos/gcp_inter_region_latency.rst b/HowTos/gcp_inter_region_latency.rst index 99d92012d..1442ccb56 100644 --- a/HowTos/gcp_inter_region_latency.rst 
+++ b/HowTos/gcp_inter_region_latency.rst @@ -11,7 +11,7 @@ Google Cloud supports 18 regions for its cloud services. Understanding latency b the regions is important as performance starts to have noticeable degradation when the latency is more than 150 - 200ms between a client and server or between two servers in two different regions. -Below is our measurement of Google Cloud inter region latencies measured in milliseconds. +Below is our measurement of Google Cloud inter region latencies measured in milliseconds as of **December 2018**. The measurement is done by taking an average to multiple pings. The accuracy is +/- 1ms. @@ -22,4 +22,6 @@ The measurement is done by taking an average to multiple pings. The accuracy is :scale: 30% +Please note that **the most up to date information** for the above is now available as a part of the `Network Intelligence, Performance Dashboard feature `_. + .. disqus:: diff --git a/HowTos/guardduty.rst b/HowTos/guardduty.rst index 8aa27a661..6e0220c67 100644 --- a/HowTos/guardduty.rst +++ b/HowTos/guardduty.rst 
@@ -42,13 +42,18 @@ Integration and Enforcements The Aviatrix Controller provides additional monitoring, logging and enforcement services when you enable Amazon GuardDuty from the Aviatrix Controller Console, as listed below. - - Aviatrix Controller periodically polls Amazon `GuardDuty findings `_. + - Aviatrix Controller periodically polls Amazon `GuardDuty findings `_. The polling time is configurable between 5 minutes to 60 minutes. - Findings from Amazon GuardDuty are `logged `__ to the Controller syslog. (Syslog can be exported to `Aviatrix supported Logging services `__.) - Findings from Amazon GuardDuty are displayed in Alert Bell on the Controller console. - In addition, if a finding is about instances in a VPC being probed by a malicious IP address, this IP address is blocked by deploying `Public Subnet Filtering Gateway `_, as shown in the diagram below. |public_subnet_filter| +Polling Time +------------- + +Go to Security -> AWS GuardDuty -> Change Scanning Interval. Select a time and click Apply. + .. |guardduty_config| image:: guardduty_media/guardduty_config.png diff --git a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts.rst b/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts.rst deleted file mode 100644 index 42c1c38f8..000000000 --- a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts.rst +++ /dev/null 
@@ -1,146 +0,0 @@ -.. meta:: - :description: Customize Aviatrix IAM Role Names for Secondary Accounts - :keywords: access account, cloud account, iam role, secondary account, custom - -============================================================= -Customize Aviatrix IAM Role Names for Secondary Accounts -============================================================= - - -Step 1: Navigate to AWS CloudFormation with Aviatrix CFT --------------------------------------------------------------------- - -+ Login to Aviatrix controller GUI console - -+ Navigate to **Access-Account** page by clicking [Accounts] --> [Account Users] on the left - -+ Click [+ Add new] and [Launch CloudFormation Script] - - - |image1| - - -| - - -Step 2: Download Aviatrix CFT ----------------------------------- - -+ Use the URL shown in the screenshot below to download Aviatrix CFT to your local computer - - - |image2| - - -| - - -Step 3: Modify/Customize CFT ---------------------------------- - -+ Modify/Replace the following highlighted string with your desired role name in order to create your own IAM role, which is equivalent to **"aviatrix-role-ec2"** - - - |image3| - - |image4| - - -+ Modify/Replace the following highlighted string with your desired role name in order to create your own IAM role, which is equivalent to **"aviatrix-role-app"** - - - |image5| - - -+ If your new "aviatrix-role-app" role name doesn't have the prefix string, "aviatrix" then you need to replace the following highlited string with your role name. - - - |image11| - - -.. Important:: We recommend to have the prefix string, "aviatrix" for Aviatrix IAM resources. However, if your new "aviatrix-role-app" role name doesn't have the prefix, make sure the the IAM policy, **"aviatrix-assume-role-policy"** in **both controller and secondary AWS accounts** allows you to assume both **exisiting** "aviatrix-role-app" and the **new** "aviatrix-role-app" that you create. -.. 
- - -| - - -Step 4: Create CFT Stack ------------------------------ - -+ Use the CFT you customized from the previous step to create a CFT-Stack - - - |image6| - - -+ Enter AWS-Account-ID of the controller - - - |image7| - - -+ Click [Next] then use default configurations to create the stack - - -| - - -Step 5: Save the 2 IAM role ARNs ------------------------------------- - -+ After stack creation has been completed, click [Outputs] tab and copy the 2 ARNs for your roles - - - |image8| - - -| - - -Step 6: Invoke Aviatrix API to Create Access Account --------------------------------------------------------- - -`Click here to refer Aviatrix API documentation for API example `_ - - - |image9| - - -| - - -Step 7: Verify the work by creating an Encrypted Peering ------------------------------------------------------------- - -+ `Click here to refer Aviatrix documentation for Encrypted Peering `_ - -+ After peering, the status should be UP and Green within 1-5 minutes! - - - |image10| - - -| - - -END - - - - -.. |image1| image:: ./img/img_01_click_2ndary_cft_from_ucc_gui.png -.. |image2| image:: ./img/img_02_copy_url_to_aviatrix_cft.png -.. |image3| image:: ./img/img_03_customize_cft_for_ec2_role_01.png -.. |image4| image:: ./img/img_04_customize_cft_for_ec2_role_02.png -.. |image5| image:: ./img/img_05_customize_cft_for_app_role.png -.. |image11| image:: ./img/img_11_role_name_to_assume.png -.. |image6| image:: ./img/img_06_create_cft_stack_using_custom_cft_01.png -.. |image7| image:: ./img/img_07_enter_controller_aws_account_id.png -.. |image8| image:: ./img/img_08_save_2_iam_role_ARNs.png -.. |image9| image:: ./img/img_09_aviatrix_api_doc.png -.. |image10| image:: ./img/img_10_successfully_created_encrypted_peering.png - - - -.. disqus:: 
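Review bot: In the HowTos/gateway_audit.rst hunk (Cloud Message Queue Failure), the new section names the symptom but gives the reader nothing to check, although the `Error(SG)` and `Error(IAM)` rows directly above the hunk already list the conditions that break a gateway's cloud API calls (security group changes, `aviatrix-role-ec2` detached from the instance profile, `aviatrix-role-app` without its policy). Add one sentence cross-referencing those rows as the first things to verify when this alert fires, since a gateway that cannot poll the queue will silently miss future controller commands once the 15-minute window passes. Wording fixes in the same list item: `periodic APIs calls` should be `periodic API calls`, `API calls failures` should be `API call failures`, `for gateway to make API calls` should be `for the gateway to make API calls`, and `Please checkout this` should be `Please check out this`.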
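Review bot: In the HowTos/guardduty.rst hunk, the new configurable polling interval has a security consequence the Polling Time section should state: the hunk's own context line says that when a finding reports instances being probed by a malicious IP, that IP is blocked by deploying the Public Subnet Filtering Gateway, so the interval chosen is the upper bound on how long a probing IP stays unblocked after GuardDuty raises the finding. Say that under Polling Time, give the default interval so readers know what they get without changing it, and change `The polling time is configurable between 5 minutes to 60 minutes.` to `The polling interval is configurable between 5 and 60 minutes.`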
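Review bot: Deleting HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts.rst removes the Important note that the `aviatrix-assume-role-policy` in both the controller and secondary AWS accounts must allow assuming both the existing and the custom `aviatrix-role-app` name; nothing in this diff adds a replacement page or a redirect for it. If that guidance now lives elsewhere, the commit should point to it; otherwise operators who customised role names lose the one warning that explains why cross-account assume-role starts failing. Also confirm that no toctree entry or cross-reference still targets this file, since Sphinx will warn on the dangling reference.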
diff --git a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_01_click_2ndary_cft_from_ucc_gui.png b/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_01_click_2ndary_cft_from_ucc_gui.png deleted file mode 100644 index bea0edafe..000000000 Binary files a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_01_click_2ndary_cft_from_ucc_gui.png and /dev/null differ diff --git a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_02_copy_url_to_aviatrix_cft.png b/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_02_copy_url_to_aviatrix_cft.png deleted file mode 100644 index 18ebc5c38..000000000 Binary files a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_02_copy_url_to_aviatrix_cft.png and /dev/null differ diff --git a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_03_customize_cft_for_ec2_role_01.png b/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_03_customize_cft_for_ec2_role_01.png deleted file mode 100644 index a652ac475..000000000 Binary files a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_03_customize_cft_for_ec2_role_01.png and /dev/null differ diff --git a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_04_customize_cft_for_ec2_role_02.png b/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_04_customize_cft_for_ec2_role_02.png deleted file mode 100644 index 3a38f3619..000000000 Binary files a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_04_customize_cft_for_ec2_role_02.png and /dev/null differ 
diff --git a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_05_customize_cft_for_app_role.png b/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_05_customize_cft_for_app_role.png deleted file mode 100644 index cf1f4b957..000000000 Binary files a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_05_customize_cft_for_app_role.png and /dev/null differ diff --git a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_06_create_cft_stack_using_custom_cft_01.png b/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_06_create_cft_stack_using_custom_cft_01.png deleted file mode 100644 index bd238891e..000000000 Binary files a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_06_create_cft_stack_using_custom_cft_01.png and /dev/null differ diff --git a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_07_enter_controller_aws_account_id.png b/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_07_enter_controller_aws_account_id.png deleted file mode 100644 index acdcd9cbb..000000000 Binary files a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_07_enter_controller_aws_account_id.png and /dev/null differ diff --git a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_08_save_2_iam_role_ARNs.png b/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_08_save_2_iam_role_ARNs.png deleted file mode 100644 index d0be3c0a6..000000000 Binary files a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_08_save_2_iam_role_ARNs.png and /dev/null differ 
diff --git a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_09_aviatrix_api_doc.png b/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_09_aviatrix_api_doc.png deleted file mode 100644 index a3f10e178..000000000 Binary files a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_09_aviatrix_api_doc.png and /dev/null differ diff --git a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_10_create_aviatrix_gateway.png b/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_10_create_aviatrix_gateway.png deleted file mode 100644 index 1150d1a47..000000000 Binary files a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_10_create_aviatrix_gateway.png and /dev/null differ diff --git a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_10_successfully_created_encrypted_peering.png b/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_10_successfully_created_encrypted_peering.png deleted file mode 100644 index 0b0ef8d80..000000000 Binary files a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_10_successfully_created_encrypted_peering.png and /dev/null differ diff --git a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_11_role_name_to_assume.png b/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_11_role_name_to_assume.png deleted file mode 100644 index aaf7f7e02..000000000 Binary files a/HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/img/img_11_role_name_to_assume.png and /dev/null differ diff --git a/HowTos/image_release_notes.rst b/HowTos/image_release_notes.rst new file mode 100644 index 000000000..cce4b2019 --- /dev/null +++ b/HowTos/image_release_notes.rst 
@@ -0,0 +1,118 @@ +======================================= +Image Release Notes +======================================= + +Controller Images: AWS AMI – Version 110421 (11/8/2021) +====================================================== + +- Added support for AWS IMDSv2. + +- Corrected issue with the Aviatrix Controller initialization hanging after image migrating to a new image. + +- Closed potential vulnerability in Ubuntu. + +Controller Images: AWS AMI – Version 100621 (10/13/2021) +====================================================== + +This release addresses vulnerabilities fixed by Apache version 2.4.51. + +- Controller image version 100621 includes Apache version 2.4.51 which closed vulnerabilities `CVE-2021-40438 `_, `CVE-2021-33193 `_ and vulnerabilities closed in previous Apache releases. + +- Controller image version 100621 closes a potential denial-of-service vulnerability and corrects an issue with launching controller HA. + + +Gateway Images: hvm-cloudx-aws- 022021, hvm-cloudx-aliyun-122520 (5/10/2021) +============================================================================ + +- R6.4.2499 Software Version is required + +- Support new IPSec encryption mechanism + +- Update security patches to date + +- Introduced the gateway in AWS China and Ali Cloud + +- Fix and pass vulnerabilities scan to Feb/2021 + + +Controller Images: AWS AMI – 050120 (8/17/2020) +=============================================== + +- R6.1.1280 Software Version is required + +- Update Linux kernel and packages versions + +- Remove packages no longer used by the product + +- Set X-XSS-Protection and X-Content-Type-Options by default + +- Fix all vulnerabilities up to Jun/2020 (mid ref: 15727) + +Gateway Images: hvm-cloudx-aws-102320 (11/10/2020) +================================================== + +- R6.2.1837 Software Version is required + +- New image fetch mechanism + +- Update security patches to date + +- Linux Kernel update and package upgrade + +- New network drivers 
+ +- Fix and pass vulnerabilities scan to Sep/2020 (mid ref: 18262) + +======================================= +Overview +======================================= + +Aviatrix multi-cloud networking platform is delivered via two images, a Controller image and a gateway image, +both should be maintained with the latest version for managing security +and support for the product. Aviatrix intends to publish 2 new images per year. + +New Customer Installation Procedures +==================================== + +- Customer launches the Aviatrix Controller image instance in the AWS, Azure, or respective cloud marketplace. + +- Customer launches new gateways from the Controller. The Controller will automatically pull the latest compatible Gateway version. + +Existing Customers - Controller Image upgrade (Migration) +========================================================= + +- Customer is responsible for migrating their existing Controller to the latest image. See image list below. + +- To implement the **latest Controller image**, perform the following steps: + + #. Go to your Controller management console + + #. Go to Settings > Maintenance > Software Upgrade. Make sure you are on the right software version for the migration. If not, upgrade your software version. + + #. Go to Settings > Maintenance > Backup & Restore. Make sure you have a backup of your current settings. + + #. Go to Settings > Maintenance > Migration. Migrate your controller to the latest image. + + |controller_migration| + +Note: Migrating your Controller does not impact your network data plane. Your existing Gateways should continue operating during migration. + +Existing Customers- Gateway Image upgrade +=========================================== + +- To implement the **latest Gateway image**, perform the following steps: + + #. Go to your Controller management console + + #. Go to Troubleshoot > Diagnostics > Gateway -> Gateway Replace. Select each Gateway and click Replace. 
(`More info on Gateway Replace operation `_) + + |gateway_replace| + + +.. |controller_migration| image:: image_release_notes_media/controller_migration.png + :scale: 50% + +.. |gateway_replace| image:: image_release_notes_media/gateway_replace.png + :scale: 50% + +.. disqus:: diff --git a/HowTos/image_release_notes_media/controller_migration.png b/HowTos/image_release_notes_media/controller_migration.png new file mode 100644 index 000000000..a9bd3bb2a Binary files /dev/null and b/HowTos/image_release_notes_media/controller_migration.png differ diff --git a/HowTos/image_release_notes_media/gateway_replace.png b/HowTos/image_release_notes_media/gateway_replace.png new file mode 100644 index 000000000..bd5c3dafa Binary files /dev/null and b/HowTos/image_release_notes_media/gateway_replace.png differ diff --git a/HowTos/ingress_firewall_example.rst b/HowTos/ingress_firewall_example.rst index 9e524aead..a7b18ee75 100644 --- a/HowTos/ingress_firewall_example.rst +++ b/HowTos/ingress_firewall_example.rst @@ -4,7 +4,7 @@ ========================================================= -Ingress Firewall Setup Solution +AWS Ingress Firewall Setup Solution ========================================================= This document illustrates a simple architecture for Ingress traffic inspection firewall that leverages AWS Load Balancers, `Aviatrix TGW Orchestrator `_ and `Aviatrix Firewall Network `_. The solution also allows diff --git a/HowTos/ingress_firewall_example_media/Ingress_Aviatrix_Transit_FireNet_topology.png b/HowTos/ingress_firewall_example_media/Ingress_Aviatrix_Transit_FireNet_topology.png new file mode 100644 index 000000000..6d20b2823 Binary files /dev/null and b/HowTos/ingress_firewall_example_media/Ingress_Aviatrix_Transit_FireNet_topology.png differ 
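Review bot: In the new HowTos/image_release_notes.rst hunk, the entries are not in a consistent order: `Controller Images: AWS AMI – 050120 (8/17/2020)` is listed before `Gateway Images: hvm-cloudx-aws-102320 (11/10/2020)`, and the Overview and upgrade procedures come after the release list where readers will miss them; put Overview first and sort entries newest-first. Two entries describe security fixes without identifiers (`Closed potential vulnerability in Ubuntu.` and `closes a potential denial-of-service vulnerability`) while the 100621 entry cites CVE-2021-40438 and CVE-2021-33193; give the CVE or at least the package name so customers can judge their exposure, and drop the internal `(mid ref: 15727)` and `(mid ref: 18262)` references, which mean nothing to a customer. Verify the `=` title underlines are at least as long as their titles (the 110421 and 100621 headings look short), and use one arrow style in `Go to Troubleshoot > Diagnostics > Gateway -> Gateway Replace`.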
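Review bot: The HowTos/ingress_firewall_example.rst hunk narrows the page title to `AWS Ingress Firewall Setup Solution`, yet this same diff adds a set of `azure_application_gw_*` and `azure_avx_*` images under HowTos/ingress_firewall_example_media/ without any Azure content in this file. If those images belong to a separate Azure page, they should live in that page's media directory; if they are meant for this page, the title change is premature and the Azure section is missing from the diff.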
diff --git a/HowTos/ingress_firewall_example_media/azure_application_gw_backend.png b/HowTos/ingress_firewall_example_media/azure_application_gw_backend.png new file mode 100644 index 000000000..3768b7bcd Binary files /dev/null and b/HowTos/ingress_firewall_example_media/azure_application_gw_backend.png differ diff --git a/HowTos/ingress_firewall_example_media/azure_application_gw_creation.png b/HowTos/ingress_firewall_example_media/azure_application_gw_creation.png new file mode 100644 index 000000000..9bc7b0038 Binary files /dev/null and b/HowTos/ingress_firewall_example_media/azure_application_gw_creation.png differ diff --git a/HowTos/ingress_firewall_example_media/azure_application_gw_frontend.png b/HowTos/ingress_firewall_example_media/azure_application_gw_frontend.png new file mode 100644 index 000000000..dccb33074 Binary files /dev/null and b/HowTos/ingress_firewall_example_media/azure_application_gw_frontend.png differ diff --git a/HowTos/ingress_firewall_example_media/azure_application_gw_frontend_public_IP.png b/HowTos/ingress_firewall_example_media/azure_application_gw_frontend_public_IP.png new file mode 100644 index 000000000..94576e730 Binary files /dev/null and b/HowTos/ingress_firewall_example_media/azure_application_gw_frontend_public_IP.png differ diff --git a/HowTos/ingress_firewall_example_media/azure_application_gw_health_check.png b/HowTos/ingress_firewall_example_media/azure_application_gw_health_check.png new file mode 100644 index 000000000..8e5049650 Binary files /dev/null and b/HowTos/ingress_firewall_example_media/azure_application_gw_health_check.png differ diff --git a/HowTos/ingress_firewall_example_media/azure_application_gw_routing_rule_backend_target.png b/HowTos/ingress_firewall_example_media/azure_application_gw_routing_rule_backend_target.png new file mode 100644 index 000000000..f70fc217a Binary files /dev/null and b/HowTos/ingress_firewall_example_media/azure_application_gw_routing_rule_backend_target.png differ 
diff --git a/HowTos/ingress_firewall_example_media/azure_application_gw_routing_rule_backend_target_02.png b/HowTos/ingress_firewall_example_media/azure_application_gw_routing_rule_backend_target_02.png new file mode 100644 index 000000000..893e22d76 Binary files /dev/null and b/HowTos/ingress_firewall_example_media/azure_application_gw_routing_rule_backend_target_02.png differ diff --git a/HowTos/ingress_firewall_example_media/azure_application_gw_routing_rule_http_setting.png b/HowTos/ingress_firewall_example_media/azure_application_gw_routing_rule_http_setting.png new file mode 100644 index 000000000..c48644b7c Binary files /dev/null and b/HowTos/ingress_firewall_example_media/azure_application_gw_routing_rule_http_setting.png differ diff --git a/HowTos/ingress_firewall_example_media/azure_application_gw_routing_rule_listener.png b/HowTos/ingress_firewall_example_media/azure_application_gw_routing_rule_listener.png new file mode 100644 index 000000000..11b2e87ee Binary files /dev/null and b/HowTos/ingress_firewall_example_media/azure_application_gw_routing_rule_listener.png differ diff --git a/HowTos/ingress_firewall_example_media/azure_application_server_apache2_accesslog.png b/HowTos/ingress_firewall_example_media/azure_application_server_apache2_accesslog.png new file mode 100644 index 000000000..c56cdea7d Binary files /dev/null and b/HowTos/ingress_firewall_example_media/azure_application_server_apache2_accesslog.png differ diff --git a/HowTos/ingress_firewall_example_media/azure_application_server_tcpdump.png b/HowTos/ingress_firewall_example_media/azure_application_server_tcpdump.png new file mode 100644 index 000000000..7fde72a3b Binary files /dev/null and b/HowTos/ingress_firewall_example_media/azure_application_server_tcpdump.png differ 
diff --git a/HowTos/ingress_firewall_example_media/azure_application_server_wireshark.png b/HowTos/ingress_firewall_example_media/azure_application_server_wireshark.png new file mode 100644 index 000000000..6643df3e5 Binary files /dev/null and b/HowTos/ingress_firewall_example_media/azure_application_server_wireshark.png differ diff --git a/HowTos/ingress_firewall_example_media/azure_avx_deploy_firewall.png b/HowTos/ingress_firewall_example_media/azure_avx_deploy_firewall.png new file mode 100644 index 000000000..e3e01702a Binary files /dev/null and b/HowTos/ingress_firewall_example_media/azure_avx_deploy_firewall.png differ diff --git a/HowTos/ingress_firewall_example_media/azure_avx_manage_firenet_policy.png b/HowTos/ingress_firewall_example_media/azure_avx_manage_firenet_policy.png new file mode 100644 index 000000000..b0cfae650 Binary files /dev/null and b/HowTos/ingress_firewall_example_media/azure_avx_manage_firenet_policy.png differ diff --git a/HowTos/ingress_firewall_example_media/azure_avx_transit_gw.png b/HowTos/ingress_firewall_example_media/azure_avx_transit_gw.png new file mode 100644 index 000000000..3a743bb1b Binary files /dev/null and b/HowTos/ingress_firewall_example_media/azure_avx_transit_gw.png differ diff --git a/HowTos/ingress_firewall_example_media/azure_browser.png b/HowTos/ingress_firewall_example_media/azure_browser.png new file mode 100644 index 000000000..480ec2d8d Binary files /dev/null and b/HowTos/ingress_firewall_example_media/azure_browser.png differ diff --git a/HowTos/ingress_firewall_example_media/ingress_firewall.png b/HowTos/ingress_firewall_example_media/ingress_firewall.png index ac431e29a..5654c30ef 100644 Binary files a/HowTos/ingress_firewall_example_media/ingress_firewall.png and b/HowTos/ingress_firewall_example_media/ingress_firewall.png differ 
diff --git a/HowTos/ingress_firewall_example_media/transit_firenet_vnet.png b/HowTos/ingress_firewall_example_media/transit_firenet_vnet.png new file mode 100644 index 000000000..bed69a400 Binary files /dev/null and b/HowTos/ingress_firewall_example_media/transit_firenet_vnet.png differ diff --git a/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_ALB.png b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_ALB.png new file mode 100644 index 000000000..0bf7016f4 Binary files /dev/null and b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_ALB.png differ diff --git a/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Aviatrix_Transit_FireNet_topology.png b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Aviatrix_Transit_FireNet_topology.png new file mode 100644 index 000000000..6d20b2823 Binary files /dev/null and b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Aviatrix_Transit_FireNet_topology.png differ diff --git a/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_DNAT.png b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_DNAT.png new file mode 100644 index 000000000..6562258a3 Binary files /dev/null and b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_DNAT.png differ diff --git a/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_DNAT_Mapped_address.png b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_DNAT_Mapped_address.png new file mode 100644 index 000000000..7c9cd902d Binary files /dev/null and b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_DNAT_Mapped_address.png differ 
diff --git a/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_DNAT_Mapped_address_2.png b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_DNAT_Mapped_address_2.png new file mode 100644 index 000000000..003649fa3 Binary files /dev/null and b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_DNAT_Mapped_address_2.png differ diff --git a/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_Firewall_policy.png b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_Firewall_policy.png new file mode 100644 index 000000000..accba5642 Binary files /dev/null and b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_Firewall_policy.png differ diff --git a/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_Firewall_policy_review.png b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_Firewall_policy_review.png new file mode 100644 index 000000000..b66d7c5b2 Binary files /dev/null and b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_Firewall_policy_review.png differ diff --git a/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_Firewall_policy_service.png b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_Firewall_policy_service.png new file mode 100644 index 000000000..336c93133 Binary files /dev/null and b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_Firewall_policy_service.png differ 
diff --git a/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internal_ALB_Step_1_Configure_Load_Balancer.png b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internal_ALB_Step_1_Configure_Load_Balancer.png new file mode 100644 index 000000000..3ea899742 Binary files /dev/null and b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internal_ALB_Step_1_Configure_Load_Balancer.png differ diff --git a/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internal_ALB_Step_6_Review.png b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internal_ALB_Step_6_Review.png new file mode 100644 index 000000000..601da6b61 Binary files /dev/null and b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internal_ALB_Step_6_Review.png differ diff --git a/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_1_Configure_Load_Balancer.png b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_1_Configure_Load_Balancer.png new file mode 100644 index 000000000..f5ddba073 Binary files /dev/null and b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_1_Configure_Load_Balancer.png differ diff --git a/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_3_Configure_Security_Groups.png b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_3_Configure_Security_Groups.png new file mode 100644 index 000000000..020650d59 Binary files /dev/null and b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_3_Configure_Security_Groups.png differ 
diff --git a/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_4_Configure_Routing.png b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_4_Configure_Routing.png new file mode 100644 index 000000000..f971f3230 Binary files /dev/null and b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_4_Configure_Routing.png differ diff --git a/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_5_Register_Targets_1.png b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_5_Register_Targets_1.png new file mode 100644 index 000000000..999d41025 Binary files /dev/null and b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_5_Register_Targets_1.png differ diff --git a/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_5_Register_Targets_2.png b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_5_Register_Targets_2.png new file mode 100644 index 000000000..496e36e4d Binary files /dev/null and b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_5_Register_Targets_2.png differ diff --git a/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_6_Review.png b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_6_Review.png new file mode 100644 index 000000000..88f83f242 Binary files /dev/null and b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_6_Review.png differ 
diff --git a/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_private_WEB_server_access.png b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_private_WEB_server_access.png new file mode 100644 index 000000000..a22813fe2 Binary files /dev/null and b/HowTos/ingress_protection_transit_firenet_fortigate_media/Ingress_private_WEB_server_access.png differ diff --git a/HowTos/ingress_protection_transit_firenet_fortigate_media/Internet_ALB_WEB_HTTP_8080_tg_healthcheck.png b/HowTos/ingress_protection_transit_firenet_fortigate_media/Internet_ALB_WEB_HTTP_8080_tg_healthcheck.png new file mode 100644 index 000000000..541c39e04 Binary files /dev/null and b/HowTos/ingress_protection_transit_firenet_fortigate_media/Internet_ALB_WEB_HTTP_8080_tg_healthcheck.png differ diff --git a/HowTos/ingress_protection_transit_firenet_fortigate_media/tmp.txt b/HowTos/ingress_protection_transit_firenet_fortigate_media/tmp.txt new file mode 100644 index 000000000..8b1378917 --- /dev/null +++ b/HowTos/ingress_protection_transit_firenet_fortigate_media/tmp.txt @@ -0,0 +1 @@ + diff --git a/HowTos/inline_upgrade.rst b/HowTos/inline_upgrade.rst index 33324b797..5aa46d526 100644 --- a/HowTos/inline_upgrade.rst +++ b/HowTos/inline_upgrade.rst 
@@ -2,11 +2,11 @@ :description: software upgrade of controller and gateways :keywords: hitless upgrade, inline upgrade, upgrade gateway software, no packet loss upgrade -################################### -Inline Software Upgrade -################################### +#################################################### +Inline Software Upgrade for 6.4 and Earlier Releases +#################################################### -Aviatrix software is released frequently every 6 - 8 weeks. +If you are upgrading from release 6.4.x or earlier, follow the guidelines and procedures in this section. If you are upgrading from release 6.5.x or later, follow the guidelines and procedures in `Upgrading the Aviatrix Cloud Network Platform `__. When upgrading a controller's software, all gateways are upgraded with the new software at the same time. This is done by the controller pushing new software to gateways directly and automatically once requested. 
@@ -21,15 +21,36 @@ Pre-upgrade Checklist: Here are a few steps that we suggest you go through before the actual upgrade. If you are scheduling the upgrade during a maintenance window, you can execute these before the maintenance window, so you can make best use of your downtime. -#. Please check our `pre-operations checklist `_ before any operations on your controller -#. Ensure that all gateways are in green/up status. If not, please check out `Support Center `_ for common issues and solutions +#. Check `pre-operations checklist `_ before any operations on your controller. +#. Ensure that all gateways are in green/up status. If not, check out `Support Center `_ for common issues and solutions. #. Ensure that all the tunnels are green/up - if not, work with the right teams to debug and bring them up. -#. Execute "AviatrixConsole/Settings/Maintenance/Upgrade/DryRun" to make sure that all gateways are ready for upgrade. If any gateways fail the dry run, please run "AviatrixConsole/Troubleshoot/Diagnostics/Gateway/Diagnostics" and review results to make sure there is a good communication path between the Controller and the Gateway. If you cannot fix it, please click on "Submit Results" and then open a ticket by sending an email to support@aviatrix.com. -#. Please make sure that you have the right accounts/credentials to update IAM policies in all AWS accounts during the upgrade process -#. Please make a backup and check the S3 bucket to make sure the process was successful. If you don't have backup enabled, please follow the `backup instructions `_ to enable it. -#. If your controller is in AWS and running on a t2/t3 instance type, please make sure that "T2/T3 Unlimited" attribute is set to "enabled" via the AWS Console - select controller instance, click on "Actions/InstanceSettings/Change T2.T3 Unlimited/Enable" -#. 
Please make sure that your controller has DNS service available and has public network access - you can verify that by pinging www.google.com at "Controller/Troubleshoot/Diagnostics/Network/ControllerUtility". This is a requirement for upgrade and for the controller to function as designed. -#. Please run account audit for all your AWS accounts from "Controller/Accounts/AccountAudit" - please make sure that all of them pass. The IAM policies should be setup as documented. If you have any issues, please look at our `troubleshooting playbooks `_ +#. Execute "AviatrixConsole/Settings/Maintenance/Upgrade/DryRun" to make sure that all gateways are ready for upgrade. If any gateways fail the dry run, please run "AviatrixConsole/Troubleshoot/Diagnostics/Gateway/Diagnostics" and review results to make sure there is a good communication path between the Controller and the Gateway. If you cannot fix it, please click on "Submit Results" and then open a ticket on Support Portal at https://aviatrix.zendesk.com. +#. Make sure that you have the right accounts/credentials to update IAM policies in all AWS accounts during the upgrade process. +#. Do a backup and check the S3 bucket to make sure the process was successful. If you don't have backup enabled, please follow the `backup instructions `_ to enable it. +#. If your controller is in AWS and running on a t2/t3 instance type, make sure that "T2/T3 Unlimited" attribute is set to "enabled" via the AWS Console - select controller instance, click on "Actions/InstanceSettings/Change T2.T3 Unlimited/Enable" +#. Make sure that your controller has DNS service available and has public network access - you can verify that by pinging www.google.com at "Controller/Troubleshoot/Diagnostics/Network/ControllerUtility". This is a requirement for upgrade and for the controller to function as designed. +#. Run account audit for all your AWS accounts from "Controller/Accounts/AccountAudit" - please make sure that all of them pass. 
The IAM policies should be setup as documented. If you have any issues, please look at our `troubleshooting playbooks `_ +#. Make sure that your account has elevated permissions to launch host instances where such operations may become necessary. +#. Please clean up your bucket where you store your controller backups, so that only the last 3 relevant configuration files are seen. Any old configurations should be moved out to your archive bucket/folder. +#. New Controller AMIs are published over time. If you would like to upgrade your AMI, please follow the links listed below. + * In release 5.3, we introduced a feature to upgrade the AMI of the controller from within the UI, for AWS. + * If your Controller is on 5.2 or older release or if your controller is in Azure or GCP, you would have to migrate your Controller manually. + * Release 5.4 requires that your Controller be running on an 1804 based AMI. If your Controller is running an older 1404 AMI you would have to first migrate your controller before upgrading to 5.4 + * If in AWS, please check the AMI Name from “AWS portal Services/EC2/SelectControllerInstance/DescriptionTab/AMI-ID”. If it does not have 1804 in the Name, then it is running an older AMI. If the name has 1804 then it is running a newer AMI and migration is optional. + * You can upgrade your controller by following the directions here + * `Migration when an AMI type change is required `_ + * `Controller AMI Migration: Azure: AWS `_ + * `Controller AMI Migration: Azure `_ + * `Controller AMI Migration: GCP `_ +#. New Gateway AMIs are published over time with fixes for known issues and vulnerabilites. We strongly recommend that you periodically check and update your gateway AMI's + * New Gateways are automatically deployed with the latest AMI - we suggest that you upgrade to the latest Controller release and then deploy new gateways + * Gateways can be upgraded to use the latest AMI's through the `gateway replace operation `_. 
We recommend that this operation is executed when the Controller is running the latest version, so your gateways can be built using the latest AMI + * If your controller is running V6.2.1955 or later, you can go to "Settings->Maintenance->Software Patches->Update Available Patches", to download a new utility called "Generate list of Aviatrix Gateways using deprecated AMIs". Running this patch will send an email to the admin with a list of gateways running deprecated AMI's. + * **From v6.4, when you upgrade your Aviatrix Controller and Gateways, any gateways which are running on Ubuntu14 and Ubuntu16 run the risk of not getting upgraded** as documented in `Field Notice 28 `_. Please follow the instructions in the field notice to identify these gateways and replace them before you start your upgrade to 6.4 +#. If have more than 50 Gateways running on your Controller, we strongly recommend that you increase the Controller's disk size to at least 64GB, before you start the upgrade process. If you have more than 100 Gateways, please have the Controller's disk to be at least 128GB. Please open a support ticket on `Aviatrix Support Portal `_, if you have any questions or need any assistance. +#. If you have deployed `Controller HA in AWS `_, please check the version you have deployed. If there is a `newer version of Controller HA `_ available, you shoud upgrade by `disabling Controller HA `_ and then `enabling the Controller HA `_ feature. Do not stop the Controller if you have Controller HA feature enabled - this will deploy a new controller and restore the nightly backup. If you have to stop the Controller, you should first disable the Controller HA feature. +#. Please go through the list of `Field Notices `_ that are published and take actions for the ones that apply to your setup + How to upgrade software 
@@ -37,23 +58,35 @@ How to upgrade software Upgrades are done from the Controller UI. To check for an available update and perform an upgrade, follow these steps: -#. Follow the directions listed below in this document to update your IAM policies in all accounts, before starting the upgrade process -#. Log in to your Controller. -#. Expand `Settings` navigation menu item -#. Click `Maintenance` -#. Click `Dry Run` to make sure the controller and gateway are in contact and allowed to download our software from our release server. If the `Dry Run` is unsuccessful, you may want to check controller/gateway security groups and VPC DNS settings to make sure their outbound traffic to Internet is allowed. +#. Follow the directions listed in this `document to update your IAM policies `_ in all accounts, before starting the upgrade process +#. Head to Upgrade section by logging in to your Controller, expand `Settings` navigation menu item and click on `Maintenance` +#. Click `Dry Run` to make sure the controller and gateway are in contact and allowed to download software from our release server. If the `Dry Run` is unsuccessful, you may want to check controller/gateway security groups and VPC DNS settings to make sure their outbound traffic to Internet is allowed. #. Make a backup before the upgrade by following the instructions documented `here `_. -#. Click `Upgrade to the latest` to upgrade your software to the latest version - - #. If upgrading from a release<3.3.x: Please upgrade to the next immediate release by entering the right version in "Upgrade to custom release" - the correct order is: 2.5, 2.6, 2.7, 3.0, 3.1, 3.2, 3.3 - #. Upgrading from a release>=3.3.x: The Aviatrix Controller will enforce incremental upgrades, so please click on "Upgrade to the Latest". You might have to go through multiple upgrades before you reach the latest release. Follow the directions in the next note when you upgrade to release 4.0 - #. 
If upgrading from a release<4.0: Once you upgrade to 4.0, please go to "Aviatrix Console > Troubleshoot > Diagnostics > Services" and click on "Restart Cloudxd" - please click on it only one time, wait for a minute, close your browser and start a new https connection to Aviatrix Console. This is only needed if your controller is based on 14.04 AMI. This will not be required for later AMI's. - #. **If you are running 4.7 or reached 4.7 during upgrade,** the next release to upgrade is 5.0 and you would have to go to "Upgrade to Custom Release" and enter "5.0" in "Release Version" and click on "Upgrade to a Custom Release" button. - -#. Please go to “”AviatrixConsole/Settings/Maintenance/Upgrade/GatewayUpgradeStatus” and check that all gateways have been upgraded - “Current Version” on all gateways should match the version you have upgraded to. Please flip through additional pages if you have more than 20 gateways. If any gateway failed, please run `diagnostics `_ and a `forced upgrade `_. If needed, please open a ticket with diags and `tracelogs `_. +#. Please clean up your bucket where you store your controller backups, so that only the last 3 relevant configuration files are seen. Any old configurations should be moved out to your archive bucket/folder. +#. 
Controller Upgrade Operation + * For every single upgrade action, you should go through all of the following steps: + * Ensure that all gateways and tunnels are up + * Test all your network paths for connectivity - before upgrade + * Backup your controller configuration before upgrade + * Dry Run + * Upgrade + * Verify that all gateways are upgraded + * Verify that all gateways and tunnels are up + * Test all your network paths for connectivity - after upgrade + * Backup your controller configuration - after upgrade + * Upgrading Controller to the latest build in the Current Release + * To upgrade to latest build in the same release that the Controller is currently on, please use the "Settings/Maintenance/Upgrade/Upgrade to Custom Release" and type in the current running release. For example, if your Controller is running 6.2.1000 and you would like to upgrade to latest build on 6.2 (let's say 6.2.2500) - you should type in "6.2" in the "Upgrade to Custom Release" textbox and then click on "Upgrade to Custom Release" button. + * Upgrading Controller to next release + * The first upgrade should always be to the latest build in the current release. For example, if you are starting with your Controller running 6.2.1000, you should first upgrade to latest build of 6.2, before you upgrade to 6.3 - by going to "Settings/Maintenance/Upgrade/Upgrade to Custom Release" and entering "6.2". 
After the first upgrade to latest build in the same release, use the following instructions to upgrade to next release (6.3 for this example) + * You can use "Settings/Maintenance/Upgrade/Upgrade to the Latest" to move to the next release, except in the following cases: + * If upgrading from a release<3.3.x: Please upgrade to the next immediate release by entering the right version in "Upgrade to custom release" - the correct order is: 2.5, 2.6, 2.7, 3.0, 3.1, 3.2, 3.3 + * When you reach release 4.0: Please go to “Aviatrix Console > Troubleshoot > Diagnostics > Services” and click on “Restart Cloudxd” - please click on it only one time, wait for a minute, close your browser and start a new https connection to Aviatrix Console. Continue upgrading using "Settings/Maintenance/Upgrade/Upgrade to the Latest" + * When you reach release 4.7: Please go to "Upgrade to custom release" and enter "5.0" +#. Please go to "AviatrixConsole/Settings/Maintenance/Upgrade/GatewayUpgradeStatus" and check that all gateways have been upgraded - “Current Version” on all gateways should match the version you have upgraded to. Please flip through additional pages if you have more than 20 gateways. If any gateway failed, please run `diagnostics `_ and a `forced upgrade `_. If needed, please open a ticket with diags and `tracelogs `_. If any of the gateways were not upgraded as they were running older ubuntu 14 or ubuntu 16 images, you can `replace them to have them rebuilt with the latest ami's `_. We recommend that these older gateways be replaced before upgrading to v6.4. Please check `Field Notice 28 `_ #. Make a backup after the upgrade by following instructions documented `here `_. -#. If you are using terraform, please use the appropriate branch from https://github.com/terraform-providers/terraform-provider-aviatrix. For more information please go to https://github.com/terraform-providers/terraform-provider-aviatrix#controller-version +#. 
If you are using terraform, please use the appropriate branch from https://www.terraform.io/docs/providers/aviatrix/index.html (old link: https://github.com/terraform-providers/terraform-provider-aviatrix). For more information please go to https://www.terraform.io/docs/providers/aviatrix/index.html (old link: https://github.com/terraform-providers/terraform-provider-aviatrix#controller-version). #. If you are using Aviatrix VPN Client, please consider upgrading to the `latest release `_. +#. Please review your Gateway AMI's and Controller AMI as mentioned in the `Pre-upgrade Checklist `_ above and upgrade the AMI's, as needed. .. note:: diff --git a/HowTos/insane_mode.rst b/HowTos/insane_mode.rst index 1c2ab4d74..832bf6e8d 100644 --- a/HowTos/insane_mode.rst +++ b/HowTos/insane_mode.rst @@ -9,7 +9,7 @@ Insane Mode Encryption FAQ This document discusses Aviatrix High Performance Transit Network and answers related questions. -Why is Transit VPC performance capped at 1.25Gbsp? +Why is Transit VPC performance capped at 1.25Gbps? --------------------------------------------------- In the current Transit VPC solution, the throughput is capped at 1.25Gbps regardless if you have a 10Gbps @@ -52,7 +52,7 @@ and beyond, leveraging the multiple CPU cores in a single instance, VM or host. What are the use cases for Insane Mode? ---------------------------------------- - - High performance `Encrypted Transit ` + - High performance `Encrypted Transit `_ - High performance `Encrypted Peering `_ performance - High performance encryption over Direct Connect - Overcome VGW performance limit and 100 route limit 
@@ -136,18 +136,58 @@ Do I need Direct Connect to use Insane Mode for On-prem? ---------------------------------------------------- Our InsaneMode high speed encryption feature works on top of your existing WAN link and it is agnostic to the type of connection used. As long as you have a pipe -that's large enough to alow for high throughput data transfer, using InsaneMode will offer seperior performance to regular IPSec. +that's large enough to allow for high throughput data transfer, using InsaneMode will offer superior performance to regular IPSec. How to configure Insane Mode for Transit VPC? ---------------------------------------------- At `Step 1 Transit Network workflow `_ select "Insane Mode Encryption". +Can one CloudN appliance connect to multiple connections of Direct Connect or Express Route? +----------------------------------------------------------------------------------------------- + +Yes. A CloudN appliance can build multiple InsaneMode tunnels to different Aviatrix Transit Gateways over multiple DX or Express Route, as shown in the diagram below. + +|cloudn_multi_conn| + + +What are the supported gateway sizes for GCP High-performance encryption (Insane mode)? +--------------------------------------------------------------------------------------- + +There are total 4 sizes: n1-highcpu-4, n1-highcpu-8, n1-highcpu-16, and n1-highcpu-32 + +What is the subnet prefix length for GCP High-performance encryption (Insane mode)? +----------------------------------------------------------------------------------- + +Gateway subnet prefix length cannot be greater than /24. Moreover, Aviatrix highly suggests that customers utilize a subnet exclusively for deploying insane mode gateway without any other instances in the subnet. + +What ActiveMesh version does GCP High-performance encryption (Insane mode) support? 
+----------------------------------------------------------------------------------- + +GCP Insane mode supports only Transit Solution ActiveMesh 2.0 + + +What is the MTU and MSS size for GCP High-performance encryption (Insane mode)? +-------------------------------------------------------------------------------- + +MTU is 1460 and MSS is 1330 bytes + +What are the features supported with GCP insane mode? +----------------------------------------------------- + +Because GCP network infrastructure/concept is different than AWS/Azure, Aviatrix GCP Insane mode behavior differs from AWS/Azure support in the following ways: + +- Only Spoke and Transit gateway types are supported + +- Only "Multi Cloud Transit functionality is supported with Insane mode gateways"; `Encrypted peering `_ is not supported + +- Feature "Advertise Transit VPC Network CIDR(s)" is not supported with Insane mode gateway + +- Will support Managed CloudN connecting to Aviatrix Transit Gateway in GCP soon; Standalone/unmanaged CloudN connecting to Aviatrix Transit Gateway is not supported in GCP .. |tunnel_diagram| image:: insane_mode_media/tunnel_diagram.png :scale: 30% - .. |insane_tunnel_diagram| image:: insane_mode_media/insane_tunnel_diagram.png :scale: 30% 
@@ -175,6 +215,9 @@ At `Step 1 Transit Network workflow `_ -Test Result Summary --------------------------- +1. AWS Performance Test Results +---------------------------------------------- Aviatrix High Performance Encryption (HPE), also known as ActiveMesh Insane Mode, achieves line rate performance with encryption in AWS when Jumbo frames are deployed (the default setting for AWS instances). The test benchmark baseline is the native AWS peering where no Aviatrix gateways are deployed in the VPCs. Adding 500 stateful firewall rules have little impact to the performance. -Insane Mode Performance Test Topologies ---------------------------------------------------- - +Below are the test topologies. |test_topologies| -The test is conducted by iperf3 tool with TCP 128 streams. The two VPCs are in the same region. +The test is conducted by using iperf3 tool with TCP 128 streams. The two VPCs are in the same region. -ActiveMesh in AWS Performance Test Results ----------------------------------------------- - -1. MTU = 9000 Bytes (AWS default setting) +MTU = 9000 Bytes (AWS default setting) ============================================ |jumbo| -2. MTU = 1500 Bytes +MTU = 1500 Bytes =========================================================================================== |1500| Single Gateway in AWS Performance Test Results --------------------------------------------------- +=================================================== + +This test is done without HA enabled in either Spoke or Transit gateways. The traffic is end-to-end from user instance -> spoke gateway -> Multi-cloud Transit Gateway -> spoke gateway -> instance. For MTU = 9000 Bytes, the result is shown in the diagram below. |single_gateway_jumbo| -Azure Performance Test Results +For MTU = 350 Bytes, the result is shown in the diagram below. 
+ +|single_gateway_350B| + +T3 instance series performance +================================= + +========================== =============================== =============================== +**Spoke Gateway** **Throughput Gbps (MTU 1500B)** **Throughput Gbps (MTU 9600B)** +========================== =============================== =============================== +t3a.xlarge 6.12 9.82 +t3a.medium 2.33 8.85 +t3a.small 2.7 8.52 +t3.large 3.34 9.5 +t3.medium 3.03 9.6 +t3.small 3.35 9.96 +========================== =============================== =============================== + + +2. Azure Performance Test Results +------------------------------------ + +The performance results below are from tests conducted with the topology of `Test VMs -> Spoke -> Transit -> Spoke -> Test VMs` in the same +region with active-mesh deployment. Note test VMs' route tables are load balanced to point to either primary Spoke gateways +or HA Spoke gateways to take advantage of the active-mesh deployment. + +The test topology is shown as below. + +|azure_test_topology| + +=========================== =============================== +**Transit Gateway** **Throughput with MTU 1500B** +=========================== =============================== +Standard_F48s_v2 24.52Gbps +Standard_F32s_v2 21.56Gbps +Standard_D32_v3 20.47Gbps +Standard_D5_v2 20.56Gbps +=========================== =============================== + +3. GCP Performance Test Results -------------------------------- -Azure maximum MTU is 4000 Bytes. 
+Topology is shown below where the test is performed with the following conditions: + + - VM <-> Spoke <-> Transit <-> Spoke <-> VM + - HA enabled + - HPE mode enabled + +|gcp_test_topology| + +n1 series performance +================================= + +==================== =============================== +**Transit Gateway** **Throughput Gbps (MTU 1500B)** +==================== =============================== +n1-highcpu-4 3.12 +n1-highcpu-8 6.54 +n1-highcpu-16 11.58 +n1-highcpu-32 19.97 +==================== =============================== + +n2 series performance +================================= + +==================== =============================== +**Transit Gateway** **Throughput Gbps (MTU 1500B)** +==================== =============================== +n2-highcpu-4 5.063 +n2-highcpu-8 10.2 +n2-highcpu-16 14.98 +n2-highcpu-32 25.549 +==================== =============================== + +c2 series performance +================================= + +==================== =============================== +**Transit Gateway** **Throughput Gbps (MTU 1500B)** +==================== =============================== +c2-standard-4 5.792 +c2-standard-8 9.44 +c2-standard-16 18.48 +c2-standard-30 25.52 +==================== =============================== + +.. note:: + + To deploy Aviatrix gateways with n2 or c2 series successfully, users need to apply `CPU Quota Increase `_ request to GCP support first. + + +4. OCI Performance Test Results +------------------------------------ + +The performance results below are from tests conducted with the topology of `Test VMs -> Spoke -> Transit -> Spoke -> Test VMs` in the same +region with active-mesh deployment. Note test VMs' route tables are load balanced to point to either primary Spoke gateways +or HA Spoke gateways to take advantage of the active-mesh deployment. 
+ +=========================== =============================== +**Transit Gateway** **Throughput with MTU 1500B** +=========================== =============================== +VM.Standard2.2 0.5092Gbps +VM.Standard2.4 1.057Gbps +VM.Standard2.8 2.471Gbps +VM.Standard2.16 4.99Gbps +VM.Standard2.24 6.039Gbps +=========================== =============================== + +=========================== =============================== +**Transit Gateway** **Throughput with MTU 9000** +=========================== =============================== +VM.Standard2.2 2.584Gbps +VM.Standard2.4 4.878Gbps +VM.Standard2.8 10.75Gbps +VM.Standard2.16 20.1199bps +VM.Standard2.24 24.65Gbps +=========================== =============================== -==================== =============================== ==================================== -**Gateway VM Type** **Throughput with MTU 1500B** **Throughput with MTU 4000B** -==================== =============================== ==================================== -Standard_F32s_v2 8.9Gbps 13.3Gbps -Standard_F48s_v2 10.9Gbps 17.4Gbps -Standard_D64_v3 8.2Gbps 12.1Gbps -Standard_D32_v3 7.1Gbps 10.9Gbps -Standard_D5_v2 6.6Gbps 10.1Gbps -==================== =============================== ==================================== How to Tune Performance @@ -106,5 +207,14 @@ For Linux machine, follow the `instructions here Maintenance -> Upgrade -> UPGRADE TO CUSTOM RELEASE, enter preview for the "Release Version" field. + a. Upgrade Aviatrix software to the latest version by following the instructions `here `_. #. Update IAM policies. It's likely the Aviatrix required IAM policies are out of date. Follow the instructions `here `_ to update IAM policies for Controller account and all gateways accounts. diff --git a/HowTos/integrate_transit_gateway_with_expressroute.rst b/HowTos/integrate_transit_gateway_with_expressroute.rst new file mode 100644 index 000000000..a33684844 --- /dev/null +++ b/HowTos/integrate_transit_gateway_with_expressroute.rst 
@@ -0,0 +1,208 @@ +.. meta:: + :description: Transit Gateway integration with ExpressRoute Workflow + :keywords: Azure ExpressRoute, Aviatrix Transit Gateway integration with ExpressRoute + +================================================================== +Multi-Cloud Transit Integration with Azure VNG +================================================================== + +Introduction +============ + +Currently, Aviatrix Multi-cloud Transit solution requires encryption over Azure ExpressRoute or External Device to on-prem directly. +There are times where encryption is not required and native network connectivity on ExpressRoute is highly desirable. +In such scenarios, Aviatrix transit solution including Transit FirNet can only forward traffic between Spoke VNets or inspect east-west traffic only, as shown `here `_. + +This feature allows Aviatrix Multi-cloud Transit solution to integrate with native Azure Virtual Network Gateway (VNG) and enables +Aviatrix Transit Gateway to inspect traffic from on-prem to cloud in addition to east-west and egress traffic inspection. Both +native Spoke VNet and Aviatrix Spoke gateway based Spoke VNets are supported. + + +The key ideas for this solution are: +------------------------------------- + + - The edge (WAN) router runs a BGP session to Azure VNG via Azure ExpressRoute or VPN where the edge router advertises to the Azure VNG the on-prem routes and the VNG advertises the Spoke VNet CIDRs. + + - Aviatrix Controller periodically retrieves route entries from the Transit VNet VNG route table advertised from on-prem. The Controller then distributes these routes to Spoke VNet and Aviatrix Transit Gateway. + + - Azure native VNet Peering is configured between each Spoke VNet and Transit VNet VNG with `Allow Remote Gateway` attribute configured on the Spoke VNet to automatically advertise routes from Spoke VNet to VNG and to On-prem. 
+ + - Traffic coming from on-prem to VNG is routed to Azure load balancer which then forwards traffic to both Aviatrix Transit Gateway for Active-mesh deployment. The same load balancer is also used to distribute traffic to firewalls for inspection. + + - Traffic coming from Spoke VNet is routed to Aviatrix Transit Gateway directly which then forwards the traffic to Azure load balancer. Future release will support Active-mesh in the this direction of traffic. + + +This document describes the configuration workflow for the following network diagram. + +|topology_expressroute| + +where there are two Spoke VNets, one with Aviatrix Spoke gateway (172.60.0.0/16) and one native Spoke VNet (172.50.0.0/16) + +Prerequisite +==================== + +`Upgrade `_ Aviatrix Controller to at least version 6.3. + + +.. tip:: + + We highly recommend you to ceate Azure Transit VNET by utilizing Aviatrix feature `Create a VNet `_ with Aviatrix FireNet VNet option enabled. Create a VNG in this Transit VNet. + + +Connect VNG on On-Prem +======================================================================================================= + +If you have already created VNG in Transit VNet, skip this section. + +Building Azure ExpressRoute is customer's responsibility. For more information about Azure ExpressRoute, please check out the below documents: + + - Refer to `Azure ExpressRoute `_ + + - Refer to `ExpressRoute documentation `_ for more info + + - Refer to `Equinix ECX Fabric Microsoft Azure ExpressRoute `_ if users select Equinix solution. This is just an example here. + +Adjust the topology depending on your requirements. 
+ +Step 1.1 Create an ExpressRoute circuit +---------------------------------------- + +Refer to `Tutorial: Create and modify an ExpressRoute circuit `_ + +Step 1.2 Create Azure private network for an ExpressRoute circuit +------------------------------------------------------------------- + +Refer to `private peering section in Create and modify peering for an ExpressRoute circuit `_ + +Step 1.3 Create a VNG in Transit VNet +---------------------------------------------------------------------- + +We highly recommend you to use create Azure Transit VNET by utilizing `Create a VPC `_ with Aviatrix FireNet VNet option enabled. + +This step may take up to 45 minutes to complete. + +Refer to `Configure a virtual network gateway for ExpressRoute using the Azure portal `_ + + +Step 1.4 Connect a virtual network to an ExpressRoute circuit +-------------------------------------------------------------- + +Refer to `Connect a virtual network to an ExpressRoute circuit using the portal `_ + +Step 1.5 Check ExpressRoute Circuits - List Routes Table on Azure portal +--------------------------------------------------------------------------- + + - Login Azure Portal + + - Search for "ExpressRoute circuits" on the search bar + + - Select the "ExpressRoute circuits" that you created + + - Select the Azure private peering row + + - Click on the hyperlink "Get route table" to verify routes learned from on-prem + + +Connect Aviatrix Transit Gateway with VNG +============================================================================ + +Refer to `Global Transit Network Workflow Instructions `_ for the below steps. Please adjust the topology depending on your requirements. + +Step 2.1 Deploy Aviatrix Multi-Cloud Transit Gateway and HA in Azure +----------------------------------------------------------------------- + + - Follow this step `Deploy the Transit Aviatrix Gateway `_ to launch Aviatrix Transit gateway and enable HA with insane mode enabled in Azure Transit VNET. 
Insane mode is not required but an optional feature to increase throughput. + + - Instance size of at least Standard_D5_v2 will be required for `Insane Mode Encryptions `_ for higher throughput. Please refer to this `doc `_ for performance detail. + + - Enable `Transit FireNet Function `_ + + +Step 2.2 Connect Transit FireNet Gateway with VNG +------------------------------------------------------------------------------ + +This step assumes VNG is already deployed in the Transit VNet. + + - Go to Multi-Cloud Transit -> Step 3 Connect to VGW / External Device / Aviatrix CloudN / Azure VNG + + - Select **Azure VNG** radio button + + - Select **Primary Aviatrix Transit Gateway** in the drop down menu. Note if VNG has not been deployed in the Transit VNet, this step cannot complete. + + - VNG Name will populate automatically + + - Click **Connect** + +|vng_step| + + +Step 2.3 Check Effective routes info on Azure portal +------------------------------------------------------- + + - Login Azure Portal + + - Search for "Network interfaces" on the search bar + + - Select Aviatrix Transit Gateway's interface + + - Navigate to the page "Effective routes" by clicking the link "Effective routes" under the section "Support + troubleshooting" + + - Check route entry for On-prem pointing Next Hop Type **Virtual network gateway** + + |azure_effective_routes_routing_entry| + + +Attach Spoke VNet to Aviatrix Transit Gateway +============================================================================ + +Step 3.1 Deploy Aviatrix Spoke Gateway in Spoke VNet +-------------------------------------------------------- + + - Create Azure VNET for Aviatrix Spoke Gateway by utilizing Aviatrix feature `Create a VPC `_ or manually deploy it in cloud portal or feel free to use existing virtual network. 
+ +Step 3.2 Launch Spoke Gateway and HA +-------------------------------------- + + - Follow this step `Deploy Spoke Gateways `_ to launch Aviatrix Spoke gateway and enable HA with insane mode enabled in Azure Spoke VNET. Insane mode is optional. + + - Instance size of at least Standard_D5_v2 will be required for `Insane Mode Encryptions `_ for higher throughput. Please refer to this `doc `_ for performance detail. + +Step 3.3 (Optional) Create Spoke VNet +--------------------------------------------------- + + - If you do not have any Spoke VNet, create one by using Aviatrix feature `Create a VPC `_ or manually do so in Azure portal. + + +Step 3.3 Attach Spoke Gateways to Transit Network +-------------------------------------------------- + + - Follow this step `Attach Spoke Gateways to Transit Network `_ to attach Aviatrix Spoke Gateways to Aviatrix Transit Gateways in Azure + + - Follow step `Attach Native Azure VNET to Transit Network `_ to attach Azure Native VNET Spoke to Aviatrix Transit Gateway. + +Ready to go! +============ + +Now you should be able to send traffic from cloud to on-prem as well as on-prem to cloud over Azure Express Route. + +For an end to end example configuration workflow, follow the `Multi-cloud transit with Azure VNG VPN example `_. + +For FireNet deployment, follow the `Transit FireNet workflow `_. + + + +.. |topology_expressroute| image:: transit_gateway_integration_with_expressroute_media/topology_expressroute.png + :scale: 60% + +.. |traffic_onprem_to_cloud_disable_inspection| image:: transit_gateway_integration_with_expressroute_media/traffic_onprem_to_cloud_disable_inspection.png + :scale: 60% + +.. |azure_effective_routes_routing_entry| image:: transit_gateway_integration_with_expressroute_media/azure_effective_routes_routing_entry.png + :scale: 40% + +.. |vng_step| image:: transit_gateway_integration_with_expressroute_media/vng_step.png + :scale: 40% + + +.. disqus:: + 
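Review bot: in transit_gateway_integration_with_expressroute the Spoke section numbers two different steps "Step 3.3" ("(Optional) Create Spoke VNet" and "Attach Spoke Gateways to Transit Network"), and the optional VNet-creation step comes after Steps 3.1 and 3.2, which already launch the Spoke gateway inside that VNet; renumber, and move "Create Spoke VNet" ahead of "Deploy Aviatrix Spoke Gateway in Spoke VNet" or fold it into Step 3.1, which already says the same thing. Smaller fixes in the same hunk: "forwards traffic to both Aviatrix Transit Gateway" should be plural ("both Aviatrix Transit Gateways"); "in the this direction" -> "in this direction"; "ceate" -> "create" in the tip; the tip calls the feature "Create a VNet" while Steps 1.3 and 3.1 call the same feature "Create a VPC"; Step 2.1 says "enable HA with insane mode enabled" and then "Insane mode is not required", so state once that Insane Mode is optional; and the |traffic_onprem_to_cloud_disable_inspection| substitution is defined but never used on the page.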
diff --git a/HowTos/ipmotion.rst b/HowTos/ipmotion.rst deleted file mode 100644 index 03efb7345..000000000 --- a/HowTos/ipmotion.rst +++ /dev/null 
@@ -1,256 +0,0 @@ -.. meta:: - :description: IP motion Ref Design - :keywords: AWS Migration, DR, Disaster Recovery, aviatrix, Preserving IP address, IPmotion, ip motion - - -================================= -IPmotion Setup Instructions -================================= - -`Aviatrix IPmotion `_ (IP Motion) is a technology that connects the same two subnets between on-prem and in the VPC. The technology is useful when migrating an on-prem VM to a public cloud while preserving its IP address. It can also be used for mission critical application HA to public cloud. - -The technology is described in the diagram below, -where an on-prem VM with IP address 172.16.1.11 is migrated to AWS -while preserving its IP address. After migration, any on-prem VMs can continue to communicate with this migrated VM -as if it still resides on-prem. - -Note that the actual migration process is not included in this document. We assume you have the necessary tools, for example, `AWS Migration Hub `_ to migrate on-prem VMs to public cloud. We also provide an `example `_ that demonstrates how to migrate a VM by combining AWS Server Migration Service and IPmotion. - - - - |image0| - -Planning and Prerequisites ---------------------------- - - 1. Identify an on-prem subnet where you plan to migrate VMs. For example, the subnet is 172.16.1.0/24. - #. Create an AWS VPC that has the same or larger CIDR block than the migrating subnet. - #. IPmotion builds an IPSEC tunnel using UDP ports 500 and 4500. Make sure these two UDP ports are open for outbound traffic. Inbound return traffic will also run on these two ports. The ports should be open to AWS public IP address ranges. - #. Consider `Design Patterns `_ for IPmotion. - #. For simplicity, in this guide, we assume the cloud subnet is a public subnet and the migration is over the Internet - #. Deploy Aviatrix virtual appliance CloudN in the on-premise subnet. Read `this document `_ on how to deploy the virtual appliance. 
AWS reserves `five IP addresses `__ on a given subnet, make sure that the CloudN IP address is not any one of them. For example, in a 172.16.1.0/24 subnet, 172.16.1.0-172.16.1.3 and 172.16.1.255 are reserved. - - #. Once the virtual appliance is deployed, go through the on-boarding process and create an AWS account. - - #. Take an inventory of IP addresses of all running VMs and unused IP addresses on this subnet, as shown in the example below. - - |image1| - - -.. note:: - For description purpose, a migrated VM that has the same IP address as its on-prem VM is called the migrated EC2 instance. - -Login to the CloudN Controller -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Open a browser and navigate to `https:///`. Once authenticated, click on `IP Motion` in the left navigation bar. - -Follow the steps below to set up `IP Motion` for the selected subnet. - - -1. Specify on-Prem IP Address List -------------------------------------------- - -The `on-prem IP address list` of a subnet includes both the list of IP addresses of VMs that will be -migrated and the list of IP addresses of VMs that will remain on-prem -but need to communicate with the migrated VMs. - -One simple way to specify this address range is to provide the list of IP addresses of -all running VMs, excluding CloudN IP addresses, since out of this list, -some or all VMs will be migrated to the cloud. For example, as shown in the above diagram, -if the running VMs excluding CloudN on subnet 172.16.1.0/24 are in the range of 172.16.1.10-172.16.1.20, -and you plan to move all running VMs to cloud, then specify this range for Step 1 as below. - - :: - - 172.16.1.10-172.16.1.20 - -.. Note:: the on-prem IP address format could be a single IP address or a range of IP addresses using a "-" in the list. Specify multiple ranges of IP addresses by separating them with a comma. Example: 172.16.1.10-172.16.1.20, 172.16.1.30, 172.16.1.120-172.16.1.130 - -.. 
- -Note that the larger this list is, the larger the IPmotion gateway instance size needs to be in the cloud (AWS). -The reason is that the IPmotion gateway needs to allocate private IP addresses from AWS -for any on-prem VMs. - -You can optimize the list by making sure only the running VMs are being specified. For the above example, if 172.16.1.11 is an IP address not assigned to any VM, you should skip this address and specify a multiple range separated by a comma: 172.16.1.10,172.16.1.12-172.16.1.20. - - :: - - 172.16.1.10,172.16.1.12-172.16.1.20 - - -Currently the largest number of VMs that a CloudN can handle on a subnet is 202 which requires a c4.4xlarge IPmotion gateway instance size. This number of VMs can be expanded in the future release. - -(You can further optimize the list for the on-prem part by specifying only the -dependent VMs. -For example, the CloudN is deployed on subnet 172.16.1.0/24. On this subnet, the IP addresses of VMs that are going to be migrated are -172.16.1.10, 172.16.1.15-172.16.1.20. -The IP addresses of VMs that are to remain on the subnet but need to -communicate with migrated VMs are in the range 172.16.1.50-172.16.1.70 -then you should enter -172.16.1.10,172.16.1.15-172.16.1.20,172.16.1.50-172.16.1.70) - - :: - - 172.16.1.10,172.16.1.15-172.16.1.20,172.16.1.50-172.16.1.70 - - -2. Reserve IPmotion Gateway IP Address List --------------------------------------------- - -This field is about specifying 10 IP addresses that are not being used by -any running VMs and reserving these addresses for Aviatrix IPmotion gateway. Again as an example displayed in -the above diagram, 172.16.1.100-172.16.1.110 are not used by any running VMs, you can reserve this range -for the IPmotion gateway. In other words, -if you specify 172.16.1.100-172.16.1.110 as the IPmotion gateway reserved IP addresses, -it means that this range of IP addresses is not currently used by any VM on -the subnet, and is reserved by Aviatrix during the migration phase. 
- -.. Note:: AWS reserves the 5 IP addresses of a subnet in VPC. For example, if the VPC subnet is 172.16.1.0/24, the addresses 172.16.1.0, 172.16.1.1, 172.16.1.2, 172.16.1.3 and 172.16.1.255 are reserved by AWS. If you have on-prem VMs including CloudN that use the first 3 IP addresses (excluding default gateway, DNS or any other infrastructure purpose) of a subnet, the IPmotion method will not work. - -.. - - -3. Launch IPmotion Gateway ----------------------------- - -This step launches an Aviatrix IPmotion gateway and builds a tunnel -(IPSEC tunnel if the connection is over Internet, direct tunnel if the connection is over Direct Connect.) -between the two subnets. -Note that the IPmotion gateway size reflects how many on-prem VMs can be supported, as -the table shown below. - -=============================== ================================================================================ -**IPmotion Gateway Size** **Max VMs can be migrated** -=============================== ================================================================================ -t2.micro 0 -t2.small 2 -t2.medium 9 -m4.large 8 -m4.xlarge 41 -m4.2xlarge 41 -m4.16xlarge 202 -c3.large 17 -c3.xlarge 41 -c3.2xlarge 41 -c3.4xlarge 202 -c4.large 17 -c4.xlarge 41 -c4.2xlarge 41 -c4.4xlarge 202 -c4.8xlarge 202 -=============================== ================================================================================ - -The "Migrate Subnet" is the subnet that has the same CIDR as the on-prem migrating subnet. "IPmotion Gateway Subnet" is the subnet where the Aviatrix IPmotion gateway is deployed. Consult the `Design Pattern `_ for IPmotion subnet choice. - -4. IPmotion Move ------------------- - -This step consists of two parts: Staging and Commit. - -Staging -^^^^^^^^ -Staging is the preparation step. After an IP address is moved to the Staging state, -you can power up the migrated EC2 instance with the same IP address as the on-prem VM -for testing and staging. 
Note that the migrated EC2 instance at this point cannot communicate with on prem. - -Highlight a specific IP address in the on-prem panel and click the Staging button. - -Undo Staging -^^^^^^^^^^^^ -If you want to move any IP address in the Staging state back to on-prem, select the IP address and click Undo. - -.. Note:: if the migrated EC2 instance is already running, you must terminate the instance from the AWS console before you can move its IP address back to an on-prem state. - -.. - - -Commit -^^^^^^^^ -Commit enables the migrated EC2 instance to communicate with any on-Prem VM. - -.. Note:: Before you commit an IP address, the on-prem VM that has been migrated must be powered down first. Committing the IP address implies that the migrated EC2 instance will be in operation. -.. - -Highlight a specific IP address and click the Commit button. - -Undo Commit -^^^^^^^^^^^ - -If migration fails after cut over, you can Undo the Commit by -selecting the IP address from the cloud panel and click Undo. - -The Undo function of Commit reverts a committed IP address to Staging state. After reverting to Staging state, -the communication between the migrated EC2 instance to on-prem is stopped and you can power up the on-prem VM and resume its operation. - - -5. Test Connectivity ---------------------- - -After an IP address is committed, you can test connectivity. -Go to the CloudN console, Troubleshoot -> Diagnostics -> Network -> Ping Utility. Enter the committed IP address -and click Ping. Make sure the security group of the migrated EC2 has ICMP allowed. Also make sure that the -migrated EC2 instance responds to a Ping request. - -6. Troubleshooting Tips ------------------------ - -- **View Button** click the View button on Step 1 or Step 2 at any time to see what state an IP address is at. -- **Reset Button** If all things fail and you would like to start over, first delete the IPmotion gateway by going to the Gateway List, selecting the gateway and clicking Delete. 
After deletion is completed, go to Step 1 and click Reset. You can then start it over by going through Step 1 again. -- **Get Support** email support@aviatrix.com for assistance. - -7. Discover application dependencies ----------------------------------------- - -After migrating one VM, you can use the Aviatrix IPmotion gateway to discover application dependencies by following `the dependency map discovery. `_ - -8. Migrate more VMs on the same subnet ---------------------------------------- - -Repeat Step 4 to migrate more VMs on this subnet. - -9. Migrate VMs in a different subnet -------------------------------------- - -To migrate a VM in a different subnet, you need to launch a new virtual appliance CloudN on that subnet -and repeat all the steps described in this document. - -For example, suppose you have created a VPC 172.16.0.0/16 and migrated subnet 162.16.1.0/24. Now you plan to migrate subnet 172.16.2.0/24. Follow these steps: - -- Go to the AWS console to create a second public subnet 172.16.2.0/24 in VPC 172.16.0.0/16. -- Launch Aviatrix virtual appliance CloudN on subnet 172.16.2.0/24. -- Repeat the steps listed in this document. - -10. Post Migration ------------------- - -Once you have migrated a few subnets to a VPC, you have the option to delete the Aviatrix IPmotion gateway, delete the Aviatrix on-prem virtual appliance -and remove the on-prem subnets that are now empty of any VMs. -You can then connect the VPC to on-prem via Aviatrix site2cloud, -AWS Direct Connect and other layer 3 connectivities. - -11. Limitations ----------------- - -There are a few known limitations in the current release. - - - You cannot migrate any on-prem VMs whose IP addresses overlap with AWS reserved IP addresses on a given subnet. AWS reserves five IP addresses of a given subnet if an on-prem VM overlaps with any of these three IP address, this solution cannot migrate this VM. - - - VPC CIDR cannot be 192.168.0.0/16. 
In the 192.168.0.0 range, the largest CIDR is 192.168.0.0/17. - - - The maximum number of on-prem VMs that can be migrated per subnet is 202. - - - The Aviatrix IPmotion solution is deployed on a per subnet basis, the maximum throughput per gateway is 1Gbps for IPSec performance. - - During the stage of disk copying, the function of disk copying can be done over Direct Connect. After the migrated VM boots and starts to communicate with on-prem, packets can only travel over Internet. - - Although the migrated instances do not require public IP address, the migrated subnet must be a public subnet during migration. If a migrated instance requires Internet access, it should assigned a public IP address. - - -.. |image0| image:: ipmotion_media/ipmotion.png - :width: 5.55625in - :height: 3.26548in - -.. |image1| image:: ipmotion_media/ipmotion-range-display.png - :width: 5.55625in - :height: 3.26548in - -.. disqus:: diff --git a/HowTos/ipmotion_dependency_discovery.rst b/HowTos/ipmotion_dependency_discovery.rst deleted file mode 100644 index da875985d..000000000 --- a/HowTos/ipmotion_dependency_discovery.rst +++ /dev/null 
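Review bot: deleting HowTos/ipmotion.rst outright leaves dangling references: the deleted text itself links out to a "dependency map discovery" page, an "example" page and a "Design Patterns" page, so the feature has a cluster of cross-references that may point back at it, and nothing in the diff removes the two images it embedded under ipmotion_media/ (ipmotion.png and ipmotion-range-display.png) or any toctree entry for the page. Please add a redirect for the old URL or a short deprecation stub, grep the tree for remaining links to ipmotion.rst, and drop the orphaned media in the same change so the build does not carry dead files.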
@@ -1,25 +0,0 @@ -.. meta:: - :description: IP motion dependency discovery - :keywords: Splunk, DR, Disaster Recovery, aviatrix, Preserving IP address, IPmotion, ip motion, Dependency Discovery - -============================= -IPmotion Dependency Discovery -============================= -Dependency discovery can be set up on Splunk to see all the dependencies after migrating your applications to cloud. - -Setup instructions ------------------- - 1. Enable packet logging on all gateways for which you want to see dependency discovery. See `instructions `_ to enable packet logging. - #. Install and set up the Aviatrix Splunk app using instructions mentioned `here `_. - #. Install an another app named `Sankey Diagram - Custom Visualization`, which will be used to visualise Dependency discovery. To install this app, log in to the Splunk server. Go to Apps-> Find More Apps. Search for `Sankey Diagram` in the search bar and install the app named `Sankey Diagram - Custom Visualization` - #. Now go to the Aviatrix Splunk and click on the `Dependency discovery` dashboard to see dependencies across apps. - #. This dashboard lets you see network flow to/from servers across the network. It allows you to also filter on gateway, Source, Destination and Port. - - |image0| - -.. |image0| image:: ipmotion_media/dependency_discovery.png - :width: 7.55625in - :height: 3.26548in - -.. disqus:: - diff --git a/HowTos/ipv6_multivpc_vpn.rst b/HowTos/ipv6_multivpc_vpn.rst index 94e353da3..0f15f89df 100644 --- a/HowTos/ipv6_multivpc_vpn.rst +++ b/HowTos/ipv6_multivpc_vpn.rst 
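Review bot: the same applies to the deletion of HowTos/ipmotion_dependency_discovery.rst: the hunk removes the page but not ipmotion_media/dependency_discovery.png that it embeds, and the deleted ipmotion.rst linked to it as "the dependency map discovery", so confirm no other page (for example the Splunk integration instructions it tells readers to follow) still links here, and add a redirect or remove the remaining link sources in this PR.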
@@ -75,7 +75,7 @@ If you experience VPN client connectivity issue, check the following: - Instance Security Group is configured with the correct inbound port open. - If you have User Profile enabled, the profile has the correct policies. -For support, email to support@aviatrix.com +For support, please open a support ticket at `Aviatrix Support Portal `_ .. |ipv6_uservpn| image:: ipv6_multivpc_vpn_media/ipv6_uservpn.png :scale: 30% diff --git a/HowTos/meter_pricing.rst b/HowTos/meter_pricing.rst new file mode 100644 index 000000000..93008ff27 --- /dev/null +++ b/HowTos/meter_pricing.rst 
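Review bot: in ipv6_multivpc_vpn.rst the support-email sentence is replaced with a portal link, but the same "email support@aviatrix.com" wording still exists elsewhere in the tree (the deleted ipmotion.rst carried it under "Get Support", so other HowTos likely do as well); grep for the address and switch every occurrence in one change rather than one page at a time, and confirm the new `Aviatrix Support Portal` link target resolves in the rendered build.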
@@ -0,0 +1,160 @@ +.. meta:: + :description: Metered offering pricing + :keywords: Aviatrix Transit, AWS Transit Gateway, TGW + +=============================== +Metered AMI Pricing Book +=============================== + +This document describes Aviatrix Metered offering pricing for use cases and scenarios. It applies to both +`AWS Metered AMI `_ +and `Azure Metered AMI `_ offerings. + +General license and pricing mapping is as follows: + +:: + + 1 inter-cloud license = $0.64/hour + 1 intra-cloud license = 0.21/hour + 1 security service license = $0.21/hour + 1 user VPN license = $0.04/hour + +Some common notions described in the following sessions: + +:: + + no HA - One gateway, HA gateway is not deployed. + yes HA - One gateway and its HA gateway are deployed. + no HPE - HPE (Insane Mode) is not enabled on the gateway. + yes HPE - HPE (Insane Mode) is enabled on the gateway. + yes SameCloud - In Spoke to Transit scenario, both gateways are in the same cloud. + In Transit Gateway Peering scenario, both Transit Gateways are in the same cloud. + no SameCloud - A Spoke gateway and Transit Gateway are in the different clouds, + or two Transit Gateways are in the different clouds. + + +.. note :: + + When launching a selected t3 series gateway instance in AWS with Insane Mode option enabled, HPE license is **not** applied. The selected t3 series instances are: t3a.xlarge, t3a.medium, t3a.small, t3.large, t3.medium, t3.small. + + + + + + + +1. 
Multi-cloud Spoke Gateway Attachment +----------------------------------------- + +=============================== ============================== ============================== ============================== =============================== +Spoke gateway types no HA, no HPE Transit Gateway yes HA, no HPE Transit Gateway no HA, yes HPE Transit Gateway yes HA, yes HPE Transit Gateway +=============================== ============================== ============================== ============================== =============================== +no HA, no HPE, yes SameCloud 1 intra-cloud license 1 intra-cloud license 1 intra-cloud license 1 intra-cloud license +yes HA, no HPE, yes SameCloud 1 intra-cloud license 2 intra-cloud licenses 1 intra-cloud license 2 intra-cloud licenses +no HA, yes HPE, yes SameCloud 1 intra-cloud license 1 intra-cloud license 8 intra-cloud licenses 8 intra-cloud licenses +yes HA, yes HPE, yes SameCloud 1 intra-cloud license 2 intra-cloud licenses 8 intra-cloud licenses 16 intra-cloud licenses +no HA, no HPE, no SameCloud 1 inter-cloud license 1 inter-cloud license 1 inter-cloud license 1 inter-cloud license +yes HA, no HPE, no SameCloud 1 inter-cloud license 2 inter-cloud licenses 1 inter-cloud license 2 inter-cloud licenses +no HA, yes HPE, no SameCloud 1 inter-cloud license 1 inter-cloud license 1 inter-cloud license 1 inter-cloud license +yes HA, yes HPE, no SameCloud 1 inter-cloud license 2 inter-cloud licenses 1 inter-cloud license 2 inter-cloud licenses +=============================== ============================== ============================== ============================== =============================== + +2. Multi-cloud Transit Gateway Peering +----------------------------------------- + +Multi-cloud Transit Gateway peering applies to both inter-region and inter-cloud `Aviatrix Transit Gateway peering `_. 
+ +=============================== ===================================== ====================================== ====================================== ====================================== +Transit Gateway types no HA, no HPE peered Transit Gateway yes HA, no HPE peered Transit Gateway no HA, yes HPE peered Transit Gateway yes HA, yes HPE peered Transit Gateway +=============================== ===================================== ====================================== ====================================== ====================================== +no HA, no HPE, yes SameCloud 1 intra-cloud license Not supported 1 intra-cloud license Not supported +yes HA, no HPE, yes SameCloud Not supported 2 intra-cloud licenses Not supported 2 intra-cloud licenses +no HA, yes HPE, yes SameCloud 1 intra-cloud license Not supported 8 intra-cloud licenses Not supported +yes HA, yes HPE, yes SameCloud Not supported 2 intra-cloud licenses Not supported 16 intra-cloud licenses +no HA, no HPE, no SameCloud 1 inter-cloud license Not supported 1 inter-cloud license Not supported +yes HA, no HPE, no SameCloud Not supported 2 inter-cloud licenses Not supported 2 inter-cloud licenses +no HA, yes HPE, no SameCloud 1 inter-cloud license Not supported 8 inter-cloud licenses Not supported +yes HA, yes HPE, no SameCloud Not supported 2 inter-cloud licenses Not supported 16 inter-cloud licenses +=============================== ===================================== ====================================== ====================================== ====================================== + +3. 
Multi-cloud Transit Gateway Connection to on-prem +-------------------------------------------------------- + +========================= ====================== ====================== =========================== +Transit Gateway types AWS VGW External Device Managed CloudN Appliance +========================= ====================== ====================== =========================== +no HA, no HPE 1 inter-cloud license 1 inter-cloud license Not supported +yes HA, no HPE 2 inter-cloud licenses 2 inter-cloud licenses Not supported +no HA, yes HPE 1 inter-cloud license 1 inter-cloud license 8 intra-cloud licenses +yes HA, yes HPE 2 inter-cloud licenses 2 inter-cloud licenses 16 intra-cloud licenses +========================= ====================== ====================== =========================== + +4. Native Spoke Network Attachment +------------------------------------------- + +Native Spoke refers to a spoke VPC or VNet in a hub-and-spoke architecture. In this scenario, there is no Aviatrix Spoke gateway deployed in the Spoke network. + +===================== ======================= ============================== +Native Spoke types AWS TGW Multi-cloud Transit Gateway +===================== ======================= ============================== +Azure VNet Not supported 1 intra-cloud license +AWS VPC 1 intra-cloud license Not supported +GCP VPC Not supported Not supported +===================== ======================= ============================== + +5. Cloud Native Network Peering +--------------------------------- + +==================================================== ====================== +Cloud Native Peering types License +==================================================== ====================== +inter-region AWS TGW Peering 1 intra-cloud license +AWS VPC Peering 0 intra-cloud license +Azure VNet Peering 0 intra-cloud license +==================================================== ====================== + +6. 
FQDN Egress Control +------------------------- + +==================================================== =========================== +Aviatrix gateway types FQDN Function configured +==================================================== =========================== +no HA 1 security-service license +yes HA 2 security-service licenses +3 AZ 3 security-service licenses +==================================================== =========================== + +7. Site2Cloud +--------------- + +==================================================== ====================== +Aviatrix gateway types Site2Cloud configured +==================================================== ====================== +no HA 1 inter-cloud license +yes HA 2 inter-cloud licenses +==================================================== ====================== + +8. PrivateS3 +------------------------- + +==================================================== ============================== +Aviatrix gateway types PrivateS3 Function configured +==================================================== ============================== +no HA 1 security-service license +N number of gateways N security-service licenses +==================================================== ============================== + +9. User VPN +------------- + +==================================================== ====================== +Aviatrix gateway User VPN configured +==================================================== ====================== +1 active user connection 1 user license +==================================================== ====================== + + +.. |deployment| image:: FAQ_media/deployment.png + :scale: 30% + +.. disqus:: diff --git a/HowTos/migrate_tgw_orchestrator_to_aviatrix_transit.rst b/HowTos/migrate_tgw_orchestrator_to_aviatrix_transit.rst new file mode 100644 index 000000000..d947c041f --- /dev/null +++ b/HowTos/migrate_tgw_orchestrator_to_aviatrix_transit.rst 
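Review bot: meter_pricing.rst has pricing statements that need a second look before they go live. The license mapping block gives "1 intra-cloud license = 0.21/hour" without the dollar sign the other three lines carry. Table 1 ("Multi-cloud Spoke Gateway Attachment") charges 1 inter-cloud license for the "no HA, yes HPE, no SameCloud" and "yes HA, yes HPE, no SameCloud" rows against a "yes HPE Transit Gateway", whereas the matching SameCloud rows in the same table and the same HPE-to-HPE combinations in Table 2 charge 8 and 16 licenses; either the cross-cloud HPE case really is priced at 1 license, in which case say so explicitly because it is a surprising exception, or the table has a copy error. Table 3's "Managed CloudN Appliance" column bills intra-cloud licenses for an on-prem connection while the VGW and External Device columns bill inter-cloud licenses; please confirm which is intended. Also: "notions described in the following sessions" -> "sections"; the meta keywords ("AWS Transit Gateway, TGW") do not describe a pricing page; and the |deployment| image substitution is defined but never used.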
@@ -0,0 +1,79 @@ +.. meta:: + :description: instructions on migrating Aviatrix TGW Orchestrator deployment to multi-cloud Transit + :keywords: Transit Gateway, AWS Transit Gateway, TGW, TGW Migration + +================================================================== +Migrating TGW Orchestrator to Multi-Cloud Transit +================================================================== + +This document helps you migrate from an Aviatrix deployed `TGW Orchestrator `_ to an +Aviatrix `Multi-Cloud Transit `_ deployment. + +The objectives here are: + + - Minimum downtime during migration. + - No change to existing VPC infrastructure. + - Minimum change to on-prem connectivity. + - Transferring Security Domains and Connection Policies in TGW to multi-cloud transit. + + +The Solution +^^^^^^^^^^^^^^^^ + +The migration architecture is shown as the diagram below. We assume the current TGW Orchestrator deployment deploys Aviatrix Transit Gateway to connect to on-prem. + +|tgw_to_multi-cloud_transit| + +1. Migrate to ActiveMesh 2.0 +----------------------------- + +If the Aviatrix Transit Gateways was deployed prior to Release 6.0. A migration step to ActiveMesh 2.0 is necessary before +migrating to multi-cloud transit. + + 1. Upgrade to Release 6.0. Go to Settings -> Maintenance -> Upgrade to the Latest. + #. After upgrading to 6.0 is complete and successful, go to Settings -> Maintenance -> Migration -> ActiveMesh 2.0 Migration. Click to migrate. It should take a few minutes. + + +2. (Optional) Create multi-cloud security domains +--------------------------------------------------- + +If TGW Orchestrator configured Security Domains and Connection policies other than the default domains, create the corresponding security domains and connection policies. Otherwise skip this step and proceed. (You can always setup security domains for multi-cloud transit later.) + +Follow the `Multi-Cloud Transit Segmentation workflow `_ to plan. + +3. Migrate +------------- + + 1. 
Enable `Connected Transit `_ on the Aviatrix Transit Gateway if it is not already configured. This configuration mode ensures that migrated Spoke VPCs can communicate with Spoke VPCs that are still attached to TGW. + #. Launch an Aviatrix Spoke gateway in Spoke-1 VPC, enable HA if required. + #. Detach Spoke-1 from TGW. Go to TGW Orchestrator -> Build -> Detach. + #. Attach Aviatrix Spoke-1 gateway to Aviatrix Transit Gateway. Go to Multi-Cloud Transit -> Attach (Step 6a) + #. Repeat the above steps for all remaining Spoke VPCs during the migration process. + #. (Optional) After all Spoke VPCs have been migrated, setup multi-cloud connection policies. Go to Multi-Cloud Transit -> Segmentation -> Build to associate each Aviatrix Spoke gateway with a security domain. + #. Done. + +4. Other Components +----------------------- + +4.1 Hybrid Connectivity +~~~~~~~~~~~~~~~~~~~~~~~~~ + +If Hybrid connectivity is accomplished via TGW DXGW or TGW VPN, these connections can continue to serve the new deployment after migration to not to change the connectivity to on-prem. + +4.2 FireNet +~~~~~~~~~~~~ + +If TGW FireNet has been deployed with TGW Orchestrator, migrate that to `Transit FireNet `_ where firewall instances can be attached too the Aviatrix Transit Gateway. Disassociate firewall instances from FireNet and launch and associate to Aviatrix Transit Gateway after Spoke migration is complete. + + + +.. |tgw_to_multi-cloud_transit| image:: migrate_tgw_orchestrator_to_aviatrix_transit_media/tgw_to_multi-cloud_transit.png + :scale: 30% + +.. |migration_architecture| image:: diy_tgw_migrate_to_aviatrix_tgw_media/migration_architecture.png + :scale: 30% + +.. |migrate_tgw_config_vpn| image:: diy_tgw_migrate_to_aviatrix_tgw_media/migrate_tgw_config_vpn.png + :scale: 30% + +.. disqus:: 
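Review bot: in migrate_tgw_orchestrator_to_aviatrix_transit.rst the procedure undercuts its own objective of "Transferring Security Domains and Connection Policies in TGW to multi-cloud transit". Step 2 makes creating the multi-cloud security domains optional, and Step 3 attaches each migrated Spoke to the Aviatrix Transit (3.4) but only associates Spokes with a security domain after all Spokes have been migrated (3.6), so a Spoke that a TGW Security Domain kept isolated sits in the default domain for the whole migration, with Connected Transit (enabled in 3.1) making it reachable from the other attached Spokes. Make Step 2 mandatory whenever non-default domains exist and move the association into the per-Spoke loop: associate the Spoke in Multi-Cloud Transit -> Segmentation -> Build immediately after the Step 3.4 attach, before moving to the next Spoke. Wording fixes in the same hunk: "If the Aviatrix Transit Gateways was deployed prior to Release 6.0. A migration step ..." is a fragment ("If the Aviatrix Transit Gateways were deployed prior to Release 6.0, a migration step ..."); "attached too the Aviatrix Transit Gateway" -> "attached to"; "to not to change the connectivity" -> "without changing the connectivity"; and the |migration_architecture| and |migrate_tgw_config_vpn| substitutions point into diy_tgw_migrate_to_aviatrix_tgw_media/ and are never used on this page.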
diff --git a/HowTos/migrate_tgw_orchestrator_to_aviatrix_transit_media/tgw_to_multi-cloud_transit.png b/HowTos/migrate_tgw_orchestrator_to_aviatrix_transit_media/tgw_to_multi-cloud_transit.png new file mode 100644 index 000000000..bae819570 Binary files /dev/null and b/HowTos/migrate_tgw_orchestrator_to_aviatrix_transit_media/tgw_to_multi-cloud_transit.png differ diff --git a/HowTos/netflow.rst b/HowTos/netflow.rst index a8e72f24c..fa029ee8e 100644 --- a/HowTos/netflow.rst +++ b/HowTos/netflow.rst 
@@ -7,41 +7,13 @@ Netflow Integration ================================= -Starting in release 3.5, Aviatrix Controller and gateways can forward `Netflow `_ logs to your designated service point. Netflow V5 is supported. +Aviatrix gateways can forward `Netflow `_ data to your designated service point. -To enable, click Settings on the main navigation bar, click Logging, and scroll down to NETFLOW AGENT. +Netflow v5 and v9 both are supported on gateways and cloudN. -Input the IP address and the port number of the destination Netflow service and click Enable. All gateways will have Netflow enabled by default. You can select a subset of gateways to have Netflow -enabled in the Advanced option. +To enable Netflow, go to Aviatrix Controller's console -> click "Settings" on the main navigation bar -> click "Logging" -> scroll down to "Netflow Agent". -All flows are captured, there is no option to sample a fraction of the packets. +Input the IP address and the port number of the destination Netflow service and click "Enable". -. - - - -.. |discovered_sites| image:: fqdn_discovery_media/discovered_sites.png - :scale: 50% - -.. |fqdn-new-tag| image:: FQDN_Whitelists_Ref_Design_media/fqdn-new-tag.png - :scale: 50% - -.. |fqdn-add-new-tag| image:: FQDN_Whitelists_Ref_Design_media/fqdn-add-new-tag.png - :scale: 50% - -.. |fqdn-enable-edit| image:: FQDN_Whitelists_Ref_Design_media/fqdn-enable-edit.png - :scale: 50% - -.. |fqdn-add-domain-names| image:: FQDN_Whitelists_Ref_Design_media/fqdn-add-domain-names.png - :scale: 50% - -.. |fqdn-attach-spoke1| image:: FQDN_Whitelists_Ref_Design_media/fqdn-attach-spoke1.png - :scale: 50% - -.. |fqdn-attach-spoke2| image:: FQDN_Whitelists_Ref_Design_media/fqdn-attach-spoke2.png - :scale: 50% - - -.. add in the disqus tag .. disqus:: diff --git a/HowTos/nextgentransit_for_azure.rst b/HowTos/nextgentransit_for_azure.rst index 3e37d45e7..3be8b110d 100644 --- a/HowTos/nextgentransit_for_azure.rst +++ b/HowTos/nextgentransit_for_azure.rst 
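Review bot: in the netflow.rst hunk the rewrite drops two statements that matter operationally without saying whether they still hold: "All gateways will have Netflow enabled by default. You can select a subset of gateways to have Netflow enabled in the Advanced option" and "All flows are captured, there is no option to sample a fraction of the packets". If the behaviour is unchanged, keep them (the no-sampling one drives collector sizing); if it changed, state the new behaviour. Grammar: "Netflow v5 and v9 both are supported on gateways and cloudN" reads better as "NetFlow v5 and v9 are both supported on gateways and CloudN". Since the only inputs are a collector IP and port, a one-line caveat that NetFlow export is unauthenticated, unencrypted UDP, so the collector should be reached over a private path and its listening port restricted to gateway source addresses, belongs next to the "Enable" instruction.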
@@ -1,63 +1,91 @@ .. meta:: - :description: Next Gen Transit for Azure - :keywords: Next Gen Transit Architecture for Azure + :description: Aviatrix Transit for Azure + :keywords: Aviatrix Transit Architecture for Azure ============================================ -Next Gen Transit Architecture for Azure +Aviatrix Transit Architecture for Azure ============================================ +Azure Native Transit +--------------------------------------------------------------- +The most common design topology within Azure is the Hub and Spoke model. The hub is a virtual network (VNet) in Azure that acts as a central point of connectivity to your on-premises network. The spokes are VNets that peer with the HUB and can be used to isolate workloads, departments, subscriptions, etc... Traffic flows between the on-premises datacenter and the hub through an ExpressRoute or VPN gateway connection. It is common in these environments for spoke to spoke communication to be desired both within and across regions. To facilitate spoke to spoke communication, Azure natively provides three methods for performing this functionality. Each of these options has advantages and disadvantages however, these options can be used simultaneously for customers to apply the right transit method for the desired outcome. + +|hub-spoke| + +Intra-Region Transitive Options: +################################ + +1. **Leveraging ExpressRoute** - the most common transitive method is for customers to leverage their ExpressRoute circuits to provide spoke to spoke communication. This method requires a default (0.0.0.0/0) or summary route to be advertised from on-prem to allow spoke to spoke traffic to hairpin off the Microsoft Edge Routers. The advantage to this method is that this traffic will not incur VNET peering charges and this provides any to any spoke connectivity. 
The disadvantage to this approach is that bandwidth is limited by the ExpressRoute gateway SKU, traffic takes a longer path from spoke to spoke, a lack of granular control as this method provides any to any communication, and the fact that this is not a recommended approach as there is no dedicated bandwidth allocation on the Microsoft Edge Routers for this configuration. + +|S2SER| + +2. **Leveraging a HUB Network Virtual Appliance (NVA)** - in this option, an NVA is deployed in the HUB VNET and User Defined Routes (UDRs) are created in each spoke to route traffic from spoke to spoke. The advantage to this approach is that traffic takes a more ideal path, does not require any route advertisements from on-prem, and potentially provides additional security functionality depending upon the NVA being leveraged. The disadvantage to this approach comes with the management of UDRs at scale, potential bandwidth limits of the NVA itself, and the configuration of NVA high availability (HA) to ensure redundancy in case of failure. + +|S2SNVA| + +3. **VNET Peering** - the recommended approach for spoke to spoke communication is VNET peering as this leverages the MSFT backbone directly and always takes the preferred path. This option provides the lowest latency possible and has no bandwidth restrictions as opposed to the options previously discussed. The disadvantage of this model is this connectivity is a 1 to 1 mapping. Each spoke much be peered directly with another spoke in order to facilitate communication which at scale becomes a web of interconnected fully meshed VNETS. As such, customers often have challenges in managing the scale of VNET peers. + +|S2SPeer| + +Inter-Region Transitive Options: +################################ + +The options for spoke to spoke communication across regions follow the same patterns above with a few notable nuances. + +1. 
**Leveraging ExpressRoute** - this method is similar to what was described in Intra-Region however, as ExpressRoute circuits are terminated across regions the routes are propagated automatically. To facilitate cross region spoke to spoke communication, no summary or default route is required. The same advantages and disadvantages apply. + +2. **Leveraging a HUB Network Virtual Appliance (NVA)** - this method is also similar to what was previously described however, the number of UDRs increases as additional routes must be defined in the HUB VNETs to facilitate routing across regions to another HUB. Additionally, a VNET peer must be leveraged between the HUB to facilitate this HUB to HUB transit path. + +3. **VNET Peering** - the only change in VNET peering across regions is in naming convention. Microsoft refers to this as Global VNET Peering but still has the same advantages and disadvantages previously discussed. + +.. Note:: + +Azure Virtual WAN is another native architectural approach which can also provide transitive functionality. Aviatrix Transit can integrate with Azure Virtual WAN and is not covered in detail here. -Aviatrix Next Gen Transit for Azure + +Aviatrix Transit for Azure --------------------------------------------------------------- -The Aviatrix Next Gen Transit for Azure is an architecture to interconnect multiple VNets and on-prem in a hub and spoke -deployment model, as shown in the diagram below. +Aviatrix Transit for Azure is an architecture to interconnect multiple VNets and on-prem leveraging the hub and spoke deployment model while adding additional functionality and features. This deployment is shown in the diagram below. |nextgentransit_for_azure| -In the above diagram, the Aviatrix Controller is a VM that manages all networking connectivities from VNets to on-prem. -It deploys one Aviatrix gateway (two for redundancy) in each VNet. The Transit gateway deployed in the transit VNet connects to on-prem over Express Route or Internet. 
+In the above diagram, the Aviatrix Controller is a VM that manages all networking connections from VNETs to on-prem as well as between VNETs themselves. It deploys one Aviatrix gateway (two for redundancy) in each VNet. The Transit gateway is deployed in the transit VNet and connects to on-prem over Express Route or Internet. The Transit Gateway is then peered to each spoke VNET gateway to provide end to end communication. Communication can be granularly controlled to provide any to any communication between the spokes and to/from on-prem however, the transit gateway can also block certain traffic to keep spokes isolated. Additionally, all Spoke UDRs are orchestrated from the controller based on desired traffic flows. -Multiple Transit Gateways can also be interconnected. Spoke VNets can communicate to -remote Spoke VNets through the two connected Transit Gateways, as shown below. +For cross region communication, multiple Transit Gateways can also be interconnected. Spoke VNets can communicate to remote Spoke VNets through the two connected Transit Gateways with the same granular controls mentioned previously. Additionally, route advertisements between the two transit gateways can be controlled to provide additional functionality like summarization, route exclusion, etc. This topology is depicted below. |multiregion_azure| -Why do I need Aviatrix Next Gen Transit for Azure? ------------------------------------------------------- +Another important advantage of using Aviatrix Transit is that all communications are encrypted by default providing additional levels of security. Azure does not provide any native encryption across the Microsoft Backbone and depends upon third party NVAs to provide this functionality should customers require it. -Transit architecture is about building connectivity between cloud and on-prem in the most agile manner possible. 
In the Transit architecture, there is one connection (not including the backup) between on-prem and a Transit Hub VNet. Everything else (the Spoke VNet to on-prem traffic) is routed through the Transit Hub VNet. +The Aviatrix controller also has the ability to orchestrate native VNET peering for Azure VNETs should customers not wish to deploy gateways within spoke VNETs. While customers will lose the encryption and visibility benefits across these links, all appropriate UDRs will be orchestrated to facilitate transitive communication as desired. It is also important to note that certain native limitations may apply as to the number of peerings allowed as well as restricitions to overlapping IP space when native peering is leveraged. + +|native_peering| -The alternative to Transit architecture (often referred to as "flat" architecture) is to build one connection, either IPSEC over Internet or Express Route, each time you spin up a new VNet in Azure. This requires changes at the on-prem edge, which requires a change control process that takes from days to weeks. +Why do I need Aviatrix Transit for Azure? +------------------------------------------------------ -Azure provides certain hub-and-spoke capabilities with limitations. Here are some examples. +Transit architecture is about building connectivity between cloud and on-prem in the most agile manner possible. In the Transit architecture, there is one connection (not including the backup) between on-prem and a Transit Hub VNet. Everything else (the Spoke VNet to on-prem traffic) is routed through the Transit Hub VNet. - - The Azure native hub-and-spoke can only be deployed in the same region. A spoke VNet in one region cannot connect to the hub in a different region. - - Two hubs cannot be interconnected. - - Spoke VNets connecting to the same hub cannot communicate with each other through the hub. - - There is no encryption between spoke, hub and on-prem. 
- - Azure native networking has different capabilities and semantics than AWS native networking. What skills your operations team has invested in AWS do not apply to Azure, you must invest in Azure also. Aviatrix provides a single pane of glass to unify cloud networking for all cloud providers. +The alternative to Transit architecture is to leverage the native options already mentioned or is to build one connection (often referred to as "flat" architecture), either IPSEC over Internet or Express Route, each time you spin up a new VNet in Azure. This requires changes at the on-prem edge, which requires a change control process that takes from days to weeks. Additionally, this method often facilitates the default any to any connectivity which may require additional configuration to prevent. -The Benefits of the Aviatrix Next Gen Transit for Azure +The Benefits of Aviatrix Transit for Azure ------------------------------------------------------------------- - - **Simplicity** The Aviatrix Controller provides an abstraction layer and workflow to build the Transit network. You do not need to program any Azure route tables, manage the route entries or understand the significant details about Azure networking. - - **Multi Subscriptions Support** The Controller provides a single pane of glass to manage the entire cloud network of multiple Azure subscriptions. - - **Logging Service Integration** Out-of-the-box integration with Splunk, Sumo Logic, DataDog, ELK, remote syslog and Netflow. - - **Visibility** View connectivity status, network latency and traffic statistics from a central dashboard. - - **Global** The Spoke VNet can be in a different region than the Transit VNet. - - **Transit Peering** Two Transit Gateways can be interconnected so that Spoke VNets connecting to a Transit VNet can communicate with each through the Transit Peering. 
- - **No Route Limits** The Aviatrix solution auto summarizes the on-prem and Spoke VNet routes so that Spoke VNet route entries do not exceed the route limits. - - **End-to-End Encryption** All traffic in flight, between Spoke VNets and between Spoke to on-prem, is encrypted. - - **Spoke to Spoke via Transit** Spoke to Spoke traffic can be routed through the Transit Gateway. +- **Simplicity** The Aviatrix Controller provides an abstraction layer and workflow to build the Transit network. You do not need to program any Azure route tables, manage the route entries or understand the significant details about Azure networking. +- **Multi Subscriptions Support** The Controller provides a single pane of glass to manage the entire cloud network of multiple Azure subscriptions. +- **Logging Service Integration** Out-of-the-box integration with Splunk, Sumo Logic, DataDog, ELK, remote syslog and Netflow. +- **Visibility** View connectivity status, network latency and traffic statistics from a central dashboard. +- **Granular Routing Control** Route redistribution can be controlled to selectively allow specific route propagation and/or summarization. +- **Advanced Networking Features** Support for Network Address Translation, NGFW Insertion, FQDN filtering, etc. +- **No Route Limits** The Aviatrix solution auto summarizes the on-prem and Spoke VNet routes so that Spoke VNet route entries do not exceed the route limits. +- **End-to-End Encryption** All traffic in flight, between Spoke VNets and between Spoke to on-prem, is encrypted. How does it work? ------------------------------------------------------------------------------------------------- -The Next Gen Transit Network is a Duo Mode architecture. While the Transit Gateway runs -BGP protocol, advertising Spoke VNets CIDRs to an on-prem network and learning the on-prem network CIDRs, Spoke VNets do not run dynamic routing protocols. 
Learned routes by the Transit Gateway are reported to the Controller which in turn propagate to the Spoke VNets. By minimizing dynamic protocol running in the network, operations and troubleshooting become simple. -CloudOps engineers without extensive networking background are able to build and manage the network. +Aviatrix Transit Network is a Duo Mode architecture. While the Transit Gateway runs BGP protocol, advertising Spoke VNets CIDRs to an on-prem network and learning the on-prem network CIDRs, Spoke VNets do not run dynamic routing protocols. Learned routes by the Transit Gateway are reported to the Controller which in turn propagate to the Spoke VNets. By minimizing dynamic protocol running in the network, operations and troubleshooting become simple. CloudOps engineers without extensive networking background are able to build and manage the network. How do I deploy it? @@ -65,9 +93,9 @@ How do I deploy it? The Aviatrix Controller is available in the Azure Marketplace. - 1. Follow the `Azure Startup Guide `_ to launch the Controller. - #. Follow the onboarding steps to setup Azure API credentials so that the Controller can launch gateways on behalf of the Azure account. - #. Select the use case Next-Gen Transit Network and follow the `workflow `_ to start building the transit network. +1. Follow the `Azure Startup Guide `_ to launch the Controller. +#. Follow the onboarding steps to setup Azure API credentials so that the Controller can launch gateways on behalf of the Azure account. +#. Select the use case Next-Gen Transit Network and follow the `workflow `_ to start building the transit network. .. |nextgentransit_for_azure| image:: nextgentransit_for_azure_media/nextgentransit_for_azure.png 
@@ -76,4 +104,21 @@ The Aviatrix Controller is available in the Azure Marketplace. .. |multiregion_azure| image:: nextgentransit_for_azure_media/multiregion_azure.png :scale: 30% +.. |hub-spoke| image:: nextgentransit_for_azure_media/hub-spoke.png + :scale: 30% + +.. |S2SER| image:: nextgentransit_for_azure_media/S2SER.png + :scale: 30% + +.. |S2SNVA| image:: nextgentransit_for_azure_media/S2SNVA.png + :scale: 30% + +.. |S2SPeer| image:: nextgentransit_for_azure_media/S2SPeer.png + :scale: 30% + +.. |native_peering| image:: nextgentransit_for_azure_media/native-peering-updated-resized-2.png + :scale: 30% + + + .. disqus:: diff --git a/HowTos/nextgentransit_for_azure_media/S2SER.png b/HowTos/nextgentransit_for_azure_media/S2SER.png new file mode 100644 index 000000000..e4a48c79c Binary files /dev/null and b/HowTos/nextgentransit_for_azure_media/S2SER.png differ diff --git a/HowTos/nextgentransit_for_azure_media/S2SNVA.png b/HowTos/nextgentransit_for_azure_media/S2SNVA.png new file mode 100644 index 000000000..974c6edc9 Binary files /dev/null and b/HowTos/nextgentransit_for_azure_media/S2SNVA.png differ diff --git a/HowTos/nextgentransit_for_azure_media/S2SPeer.png b/HowTos/nextgentransit_for_azure_media/S2SPeer.png new file mode 100644 index 000000000..c3c1037a0 Binary files /dev/null and b/HowTos/nextgentransit_for_azure_media/S2SPeer.png differ diff --git a/HowTos/nextgentransit_for_azure_media/hub-spoke.png b/HowTos/nextgentransit_for_azure_media/hub-spoke.png new file mode 100644 index 000000000..d730cb334 Binary files /dev/null and b/HowTos/nextgentransit_for_azure_media/hub-spoke.png differ diff --git a/HowTos/nextgentransit_for_azure_media/native-peering-updated-resized-2.png b/HowTos/nextgentransit_for_azure_media/native-peering-updated-resized-2.png new file mode 100644 index 000000000..9b5ae4a46 Binary files /dev/null and b/HowTos/nextgentransit_for_azure_media/native-peering-updated-resized-2.png differ 
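Review bot: in hunk @@ -1,63 +1,91 of nextgentransit_for_azure.rst the ".. Note::" directive is followed by an unindented paragraph ("Azure Virtual WAN is another native architectural approach ..."), so Sphinx renders an empty note admonition and the paragraph as ordinary body text; indent the paragraph under the directive. The sentence "Azure does not provide any native encryption across the Microsoft Backbone" is too broad for a page that presents encryption as the security advantage: say precisely which traffic the page means (VNet peering and ExpressRoute traffic is not encrypted at the IP layer by default, which is why the text points to third-party NVAs) rather than asserting that nothing on the backbone is encrypted. Typos and wording in the same hunk: "Each spoke much be peered" should be "must be peered", "restricitions" should be "restrictions", "departments, subscriptions, etc..." should end with "etc.", and "VNET" and "VNet" are used interchangeably; the headings use "VNet", so use that throughout.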
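Review bot: in hunk @@ -65,9 +93,9 the third deployment step still says "Select the use case Next-Gen Transit Network" although this change renames the feature to "Aviatrix Transit" everywhere else in the file; update the step to the current Controller menu label (other pages in this patch refer to "Multi-Cloud Transit"), otherwise the rename leaves the only actionable instruction stale.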
diff --git a/HowTos/oci_iam_policy.rst b/HowTos/oci_iam_policy.rst new file mode 100644 index 000000000..58a73efe4 --- /dev/null +++ b/HowTos/oci_iam_policy.rst 
@@ -0,0 +1,62 @@ +.. meta:: + :description: Describe how to customize OCI IAM role + :keywords: account, aviatrix, OCI IAM policy, OCI, compartment + + +================================== +OCI IAM least privilege policy +================================== + +When the Aviatrix Controller uses Oracle Cloud Infrastructure APIs to manage networking, gateway, and firewall resources; the following IAM Policies can be implemented for least privilege. +In OCI, IAM is managed through groups and policies. The policy boundary can span a single compartment or an entire tenancy. + +If you wish to limit the Controller access permissions, you can do so by creating a group with a set of policies used +by the Controller as shown below and scope policy to the compartment. This document describes what the minimal set of policies are. `Oracle Cloud IAM documentation `_ +covers IAM concepts and technical implementation detail. + +1. Aviatrix minimal required OCI IAM Policy bound by Compartment +---------------------------------------------------------------- + + + Allow group to manage volume-family in compartment + + Allow group to manage instance-family in compartment + + Allow group to manage virtual-network-family in compartment + + Allow group to inspect all-resources in compartment + + Allow group to inspect app-catalog-listing in compartment + + Allow group to read app-catalog-listing in compartment + + Allow group to manage app-catalog-listing in compartment + + + +2. Assign the OCI user to the group +----------------------------------- + + +3. Onboard the OCI user +-------------------------------- + +Follow the OCI account onboarding instructions here for the OCI user `here `_ + +.. note:: + + If you are deploying Transit FireNet that requires OCI Marketplace agreement. For example, Palo Alto + VM-Series firewalls. You will need to login as the user created and accept the agreeement from the vendor + in the compartment and region and version for the firewall deployment. 
See the screenshots below for reference. + +|pan_fw_subscribe| + +|pan_fw_accepted_agreement| + +.. |pan_fw_subscribe| image:: oci_iam_policy_media/pan_fw_subscribe.png + :scale: 30% + +.. |pan_fw_accepted_agreement| image:: oci_iam_policy_media/pan_fw_accepted_agreement.png + :scale: 30% + +.. disqus:: diff --git a/HowTos/oci_iam_policy_media/pan_fw_accepted_agreement.png b/HowTos/oci_iam_policy_media/pan_fw_accepted_agreement.png new file mode 100644 index 000000000..553c3f7cd Binary files /dev/null and b/HowTos/oci_iam_policy_media/pan_fw_accepted_agreement.png differ diff --git a/HowTos/oci_iam_policy_media/pan_fw_subscribe.png b/HowTos/oci_iam_policy_media/pan_fw_subscribe.png new file mode 100644 index 000000000..885e3ddc8 Binary files /dev/null and b/HowTos/oci_iam_policy_media/pan_fw_subscribe.png differ diff --git a/HowTos/onboarding_faq.rst b/HowTos/onboarding_faq.rst index 5a51aa2e7..b3af6197e 100644 --- a/HowTos/onboarding_faq.rst +++ b/HowTos/onboarding_faq.rst 
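Review bot: in the new oci_iam_policy.rst the policy statements in section 1 are not valid OCI policy syntax as rendered: "Allow group to manage volume-family in compartment" has no group name and no compartment name, whereas OCI expects "Allow group <group_name> to manage volume-family in compartment <compartment_name>". If angle-bracket placeholders were intended they have been lost in the markup; put the seven statements in a literal block ("::") with explicit placeholders so they survive rendering and can be copied. For a page titled "least privilege", "manage app-catalog-listing" already includes "read" and "inspect" on the same resource type, so those two extra lines are redundant, and "inspect all-resources in compartment" should be justified or narrowed to the resource families the Controller actually enumerates. Typos: "agreeement", and "If you are deploying Transit FireNet that requires OCI Marketplace agreement. For example, Palo Alto VM-Series firewalls." should be one sentence ("If you are deploying Transit FireNet with a firewall that requires an OCI Marketplace agreement, for example Palo Alto VM-Series, ...").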
@@ -11,12 +11,15 @@ Where do I start? ------------------- -The first time you log in, complete the Onboarding process. It takes a -few steps. +The first time you log in to Aviatrix Controller, complete the onboarding process. It takes a few steps. The onboarding process involves entering the information about your cloud provider account(s) that the controller requires for launching gateways and building connectivity in the VPCs/VNETs/VCNs of your account(s). The account information required can vary depending on the cloud provider. To complete the onboarding process, click on **Onboarding** from the Aviatrix Controller sidebar, then click on the icon of the cloud provider in which your controller is to launch gateways, and then follow the steps to enter your cloud provider account information. + +What is an Aviatrix Customer ID? +------------------------------------ If you have a BYOL license or use a community image, you need to have a -customer ID provided by Aviatrix to be able to use the product. Contact -support@aviatrix.com if you do not have a customer ID. +customer ID provided by Aviatrix to be able to use the product. Please open a support ticket at `Aviatrix Support Portal `_ if you do not have a customer ID. + +You do not need a Customer ID if you are running a metered AMI. What is an Aviatrix access account on the Controller? ------------------------------------------------------------- 
@@ -25,8 +28,27 @@ An Aviatrix access account (or account for short) represents the following infor - The cloud provider account (for example, AWS) credential that the Controller uses to launch Aviatrix gateway in that cloud account. +What is Controller ID? +------------------------- + +Controller ID is a 32 digits Universal Unique Identifier (UUID). This ID is unique per customer and used for tracking purposes. + +This 32 digits UUID can be seen under Settings -> Controller -> License. + +What are different types of licenses available? +-------------------------------------------------- + +There are three different types of licenses option available in Aviatrix Controller. + + 1. Bring Your Own License (BYOL) License - This license supports public cloud AWS, Azure, GCP and OCI. Please open a support ticket at `Aviatrix Support Portal `_ to get BYOL license. + #. Metered or Platinum Metered License - This is only applicable to AWS public cloud + #. Utility - The utility AMI is available in AWS and Azure both and supports maximum 100 tunnels and limited number of VPN users. + +To check license type, Go to Controller's console -> Settings -> Controller -> License + + Why do I need an AWS account credential? ---------------------------------------- +------------------------------------------- To build connectivity between two VPCs, the Aviatrix Controller launches Aviatrix gateway instances in the respective VPCs, instructs the gateways to build an IPSEC tunnel and modifies AWS route tables 
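Review bot: in hunk @@ -25,8 +28,27 "Controller ID is a 32 digits Universal Unique Identifier (UUID). This ID is unique per customer" conflicts with the field's own name; if the value is unique per Controller, say so, and describe it as a 32-hexadecimal-character UUID (a UUID is 32 hex characters, 36 with hyphens, not 32 digits). "There are three different types of licenses option available" should be "three license types are available". The Utility entry says "supports maximum 100 tunnels and limited number of VPN users" but never gives the user limit; state the number or drop the clause.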
@@ -74,20 +96,39 @@ No. An Aviatrix Cloud Account corresponds to one cloud account of one cloud type You can create multiple Cloud Accounts to support multi cloud and multi account deployment environment. How do we apply Azure role-based access control to an Aviatrix Azure account? --------------------------------------------------------------------------- -Step 1. Add Aviatrix Resource Role through Powershell +-------------------------------------------------------------------------------- + +Aviatrix Controller is viewed as an application running on Azure. Since this application needs to create or +program Azure resources, such as launching a gateway, modifying route entries in a route table, etc, +the application requires a role with certain permissions. By default, this role is a pre-defined Azure built-in +role called "contributor". + +If you wish not to use the contributor role and instead creating a custom +role with Aviatrix provided permission, you can do so via Azure portal or with via PowerShell. +Below is guide on how to accomplish that via PowerShell. + +**Note:** For security purposes, Aviatrix recommends you use a custom role rather than the default role Aviatrix created. When you use a custom role name it is important to make sure the AssumeRole policy and Trust policy are correct. The AssumeRole policy is attached to the EC2 role and the Trust policy is accessed on the APP role Trust Relationship tab. + +For replacing the Contributor role via Azure portal, refer to `Azure IAM Custom Role `_. + +Step 1. Add an custom role through Powershell +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The custom role must have permission that meets the requirement for Aviatrix Controller to function. +The permission is represented by the json file below. +Remember to replace the subscription "11111111-1111-1111-1111-111111111111" with your own valid subscription ID. 
:: avx_rbac_role.json: { - "Name": "Aviatrix Resource Role", + "Name": "Aviatrix Controller Custom Role", "IsCustom": true, - "Description": "Aviatrix Resource Action", + "Description": "Custom role for Aviatrix Controller", "Actions": [ - "Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/read", + "Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/*", "Microsoft.Compute/*/read", "Microsoft.Compute/availabilitySets/*", "Microsoft.Compute/virtualMachines/*", @@ -108,7 +149,7 @@ Step 1. Add Aviatrix Resource Role through Powershell ], "NotActions": [], "AssignableScopes": [ - "/subscriptions/xyz/" + "/subscriptions/11111111-1111-1111-1111-111111111111" ] } 
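Review bot: in hunk @@ -74,20 +96,39 the added **Note** is AWS text placed in the Azure section: "AssumeRole policy", "Trust policy", "EC2 role" and "APP role Trust Relationship tab" are AWS IAM concepts that do not exist in Azure RBAC, and "rather than the default role Aviatrix created" contradicts the paragraph just above, which says the default is Azure's built-in Contributor role. Replace it with an Azure-specific note (prefer a custom role scoped to the subscription over Contributor) or drop it. In the same hunk the JSON change from "Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/read" to ".../agreements/*" lets the Controller accept Marketplace terms rather than only read them; for a page about replacing Contributor with a narrower role, say why that write permission is needed (for example, launching Marketplace firewall images). Grammar: "If you wish not to use the contributor role and instead creating a custom role" should be "If you do not want to use the Contributor role and prefer a custom role", "with via PowerShell" should be "via PowerShell", "Below is guide" should be "Below is a guide", and "Add an custom role" should be "Add a custom role".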
@@ -119,12 +160,29 @@ In Powershell, perform the following: 2. New-AzRoleDefinition -InputFile avx_rbac_role.json -Step2. Add a role assignment in the Azure portal. +Step 2. Add a role assignment in the Azure portal +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -In Azure portal->Subscriptions->Access Control(IAM)->Add->Add role assignment->Select Aviatrix Resource Role as Role -> Select Service Principle-> Save +In Azure portal->Subscriptions->Access Control(IAM)->Add->Add role assignment. - -Step3. Use the Service Principle to create an Azure ARM account in the Aviatrix portal +At Role assignment, fill the fields as follows. + +======================== ======================= +Role Aviatrix Controller Custom Role (this is the role created from above) +Assign access to User, group, or service principal +Select My-new-controller (this is the registered application name for the Controller) +======================== ======================= + +Once the above step is complete, you have assigned the My-new-controller (as a service principal) the custom role +called "Aviatrix Controller Custom Role". + +For more information on how to PowerShell to create custom role on Azure, refer to `this link. `_. + + +How to setup OCI account credentials? +--------------------------------------- + +Follow the instructions on `Oracle Cloud Infrastructure Documentation. `_. How do I upgrade software? @@ -144,8 +202,7 @@ Check out docs.aviatrix.com. What is the support model? ---------------------------- -For support, send an email to -`support@aviatrix.com `__. We also offer premium customers 24/7 support. +For support, please open a support ticket at `Aviatrix Support Portal `_. We also offer premium customers 24/7 support. To request a feature, click the Make a wish button at the bottom of each page. 
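Review bot: in hunk @@ -119,12 +160,29 "My-new-controller" appears in the table and in the sentence after it without being introduced as a placeholder; say that it stands for the name of the app registration you created for the Controller, so readers do not look for that literal name. "For more information on how to PowerShell to create custom role on Azure" should be "on how to use PowerShell to create a custom role in Azure", and the sentence ends with "this link. `_." which renders as a double period.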
@@ -154,14 +211,17 @@ In my environment, Aviatrix will be within a PCI CDE environment, do you have a Aviatrix does not need to be PCI compliant or provide a PCI AOC. -Below is a good article that will help you understand why we are not eligible for PCI compliance: - -https://www.proofport.com/blog/who-needs-aoc-and-why - -From the article: - Companies that sell some types of **equipment or software** used in cardholder data processing, transmission, and storage environments, but have no access to, or do not impact, those environments, are also not required to be PCI compliant and therefore do not have AOCs. A few examples include routers, firewalls, application servers, database servers, telecommunications equipment, server operating systems, **application firewalls**, etc +What is Certificate Domain? +-------------------------------- + +Entering Certificate Domain is required for Aviatrix China Solution. The domain is the one that you registered in China and applied for ICP license. For more information, see What is a China ICP License. + +How to setup Account Name Alias? +-------------------------------- + +For configuration details, refer to `Setup Account Name Alias `_. .. |image1| image:: FAQ_media/image1.png diff --git a/HowTos/onelogin_saml_media/onelogin_configuration.png b/HowTos/onelogin_saml_media/onelogin_configuration.png new file mode 100644 index 000000000..3c410bd6f Binary files /dev/null and b/HowTos/onelogin_saml_media/onelogin_configuration.png differ diff --git a/HowTos/onelogin_saml_media/onelogin_issuer_url.png b/HowTos/onelogin_saml_media/onelogin_issuer_url.png index 75353f2e4..81045a051 100644 Binary files a/HowTos/onelogin_saml_media/onelogin_issuer_url.png and b/HowTos/onelogin_saml_media/onelogin_issuer_url.png differ 
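Review bot: in hunk @@ -154,14 +211,17 removing the article link and the quoted passage leaves "Aviatrix does not need to be PCI compliant or provide a PCI AOC" with no rationale, which is exactly what an auditor-facing reader needs; keep a one-sentence justification (the product is network equipment in the data path with no access to cardholder data) even if the external link goes. In "What is Certificate Domain?", "see What is a China ICP License" should be a link or a reference to the page it names, and the section should say where in the Controller the Certificate Domain is entered.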
diff --git a/HowTos/onelogin_saml_media/onelogin_new_app_search.png b/HowTos/onelogin_saml_media/onelogin_new_app_search.png index 24d015ba5..59faaced7 100644 Binary files a/HowTos/onelogin_saml_media/onelogin_new_app_search.png and b/HowTos/onelogin_saml_media/onelogin_new_app_search.png differ diff --git a/HowTos/onelogin_saml_media/onelogin_new_app_step1.png b/HowTos/onelogin_saml_media/onelogin_new_app_step1.png index 40eb5e72f..ab2d52d5b 100644 Binary files a/HowTos/onelogin_saml_media/onelogin_new_app_step1.png and b/HowTos/onelogin_saml_media/onelogin_new_app_step1.png differ diff --git a/HowTos/onelogin_saml_media/onelogin_parameters.png b/HowTos/onelogin_saml_media/onelogin_parameters.png index cd5d6d2e5..9011de95f 100644 Binary files a/HowTos/onelogin_saml_media/onelogin_parameters.png and b/HowTos/onelogin_saml_media/onelogin_parameters.png differ diff --git a/HowTos/onelogin_saml_media/onelogin_select_add_apps.png b/HowTos/onelogin_saml_media/onelogin_select_add_apps.png index 42e05e770..42f44d4cd 100644 Binary files a/HowTos/onelogin_saml_media/onelogin_select_add_apps.png and b/HowTos/onelogin_saml_media/onelogin_select_add_apps.png differ diff --git a/HowTos/openvpn_client_faq.rst b/HowTos/openvpn_client_faq.rst index 84e1c6cc7..2fe957aea 100755 --- a/HowTos/openvpn_client_faq.rst +++ b/HowTos/openvpn_client_faq.rst 
@@ -50,10 +50,14 @@ Switch to a different configuration: #. Click `Connect` button. A drop down will appear. #. Select the profile from the list -What is "Client Certificate Sharing" ------------------------------------- +Which log files should I share when I open a support ticket? +--------------------------------------------------------------- -Enabling this feature allows the same user to be logged in from more than one location at a time. If this option is disabled and a user logs in from a second location, the first location will be disconnected automatically. +Please share the following log files with your support request. For MacOS, you can find them at "/Applications/Aviatrix VPN Client.app/Contents/Resources/logs" and for Windows, please look at “Program Files(x86)/Aviatrix VPN Client” + + * commandlog.log + * server.log + * openvpn1.log diff --git a/HowTos/openvpn_design_considerations.rst b/HowTos/openvpn_design_considerations.rst new file mode 100644 index 000000000..3724406dd --- /dev/null +++ b/HowTos/openvpn_design_considerations.rst 
@@ -0,0 +1,69 @@ +.. meta:: + :description: OpenVPN® FAQ + :keywords: Aviatrix OpenVPN, Client VPN, OpenVPN, SAML client, Remote User VPN + +=========================================== +User VPN Performance Guide for Deployment +=========================================== + +Aviatrix gateway OpenVPN® throughput +-------------------------------------------------------- + +Aviatrix VPN gateways are deployed behind cloud provider's native load balancer, the deployment +scales to unlimited number of VPN gateways capable of supporting unlimited number of +simultaneous VPN client connections. + +OpenVPNR® is a single process application running on a gateway. The best measured throughput is 1.1Gbps. t3.medium, c5.large and +c5.xlarge have similar performance. + +VPN Client throughput benchmark +---------------------------------------------------------------- + +Aviatrix VPN solution supports both UDP and TCP mode VPN deployments. They have similar performance +characteristics. The chart below benchmarks a VPN client's single session download and upload speed +on one VPN gateway in TCP mode +The benchmark provides a reference information on selecting VPN gateway instance size. +Note actual VPN client performance also depends on client's Internet ISP speed, packet loss ratio +and other factors. + +The chart below is measured on a Windows client. + +|windows_client| + +The chart below is measured on a Linux client. + +|linux_client| + +Simultaneous clients on a given VPN gateway +------------------------------------------------------------------------------ + +There are several factors to consider when determining the number of clients to support on a given VPN gateway. + + 1. `VPN virtual address space `_. The default is 192.168.43.0/24 which can support 64 simultaneous VPN connection. For large deployment, you should configure this to a /20 network so that address spacing is not an issue. + #. `Maximum VPN Connections `_. The default is 100. 
When the connection number exceeds the configuration, the VPN gateway rejects new connections. The VPN client should auto reconnect and the cloud provider's network load balancer forwards the connection to a different VPN gateway. + #. VPN Client performance. If each VPN client sustained average performance is designed to be capped at 1Mbps, then a VPN gateway can support 1000 VPN clients (i.e. connections). Accordingly, if each VPN client sustained average throughput is designed to be capped at 10Mbps, then a VPN gateway can support 100 clients. + +In most cases, using VPN gateway of t3.medium instance size is a good option. Launching a few of them behind an ELB provides redundancy and scaling. + +OpenVPN® is a registered trademark of OpenVPN Inc. + +.. |image1| image:: FAQ_media/image1.png +.. |imageIdleTimeout| image:: FAQ_media/idle_timeout.png +.. |imageClientLog| image:: FAQ_media/aviatrix_client_get_log.png +.. |imageRenegotiationInterval| image:: FAQ_media/renegotiation_interval.png + +.. |full_tunnel| image:: FAQ_media/full_tunnel.png + :scale: 30% + +.. |profile_config| image:: FAQ_media/profile_config.png + :scale: 30% + +.. |assign_user_to_profile| image:: FAQ_media/assign_user_to_profile.png + :scale: 30% + +.. |windows_client| image:: openvpn_faq_media/windows_client.png + :scale: 30% + +.. |linux_client| image:: openvpn_faq_media/linux_client.png + :scale: 30% +.. disqus:: diff --git a/HowTos/openvpn_faq.rst b/HowTos/openvpn_faq.rst index 48519f6a9..a34c1e333 100644 --- a/HowTos/openvpn_faq.rst +++ b/HowTos/openvpn_faq.rst 
@@ -67,12 +67,11 @@ Also check out `this link for help. VPN Users -> +Add New. -When a user is added, an email is sent to the user with instructions on how to download client software and connect to a VPN server. You can customize this email by updating the settings at "OpenVPN -> Advanced -> Email". You could also use your own SMTP server to send these emails out by following `these instructions `_ +When a user is added, an email is sent to the user with instructions on how to download client software and connect to a VPN server. You can customize this email by updating the settings at "OpenVPN -> Advanced -> Global Config -> User Defined Email Notification". You could also use your own SMTP server to send these emails out by following `these instructions `_ If you prefer to not share the .ovpn file with your users via email, do not enter the email address when you add a VPN user. You can then download the .ovpn file from OpenVPN -> VPN Users -> Select VPN User and then download the file and share it with your VPN user via your preferred file share mechanism. @@ -82,7 +81,6 @@ profiles first. See the next section. What user devices are VPN client software supported? ---------------------------------------------------------- - Windows, MAC, Linux, Chromebook, Android and iOS devices are supported. Is NAT capability supported on the gateway? @@ -180,7 +178,7 @@ How do I change a user’s profile programmatically? ------------------------------------------------------ -The controller provides a REST API which can be invoked to change a +The controller provides a API which can be invoked to change a user’s profile. Refer to API documentation under the Help menu. During this operation, the user’s existing VPN session will be 
@@ -191,6 +189,15 @@ The use case for this feature is to allow an administrator to quarantine a VPN user for security reasons. +How to set User VPN License Threshold Notification? +--------------------------------------------------- + +The User VPN License Threshold Notification can be set in Aviatrix Controller. Login to controller's console, navigate to Settings -> Controller -> License. + +Under License, user can set the number of license purchased and threshold value. Once the number of licenses exceeded the threshold value an email notification will be sent. + +The email id which receives all the notification can be set in Email tab (Settings -> Controller -> Email). + Is DUO multi-factor authentication supported? ----------------------------------------------- 
@@ -388,7 +395,55 @@ What IP Address is used for NAT'ing the VPN Clients? If the destination is another instance within the cloud provider, then the OpenVPN gateway’s private IP address is used to NAT the OpenVPN Client's traffic. But if the destination is outside the cloud provider(the Internet), then the public IP address of the OpenVPN Gateway is used. - +What is User Defined Email Notification? +---------------------------------------- + +User Defined Email Notification feature allows users to customize the email notification (both email content and attachment file name) for VPN client. + +To configure it, go to OpenVPN® -> Advanced -> Global Config -> User Defined Email Notification to edit the file name or email content. The new email format will be used when a VPN certificate is issued. Check `How do I add a VPN user?`_ for more info. + +How to customize pop-up messages after a VPN user is connected? +---------------------------------------------------------------- + +System Use Notification feature allows users to customize pop-up messages after a VPN user is connected. One use case is for customer to write their own messages for compliance. + +To configure it, go to OpenVPN® -> Advanced -> Global Config -> System Use Notification. + +.. note:: + + Please ensure that you are running Aviatrix VPN Client version 2.9 or higher to view the usage notification. + +How to set a minimum Aviatrix VPN client software version for OpenVPN® connection? +---------------------------------------------------------------------------------- + +Minimum Aviatrix VPN Client Version feature allows users to set a minimum Aviatrix VPN client software version that is allowed to connect successfully. + +To configure it, go to OpenVPN® -> Advanced -> Global Config -> Minimum Aviatrix VPN Client Version to set the Aviatrix VPN client version. + +What is Download SAML VPN Client? 
+----------------------------------------------- + +This feature only applies to VPN client using SAML authentication. + +It allows users to download the ovpn VPN connection cert file and the VPN client installer in a self-service manner. + +To configure it, go to OpenVPN® -> Advanced -> Global Config -> Download SAML VPN Client to enable/disable this feature. + +|client_download| + + +Once enabled, copy the `Download URL` link and send the link to your VPN users. When accessing the +URL link, a VPN user is redirected to SAML IDP for authentication. Only after authentication, a user +is allowed to access for VPN software download. + +Two files, the Aviatrix VPN client software and the UserVPN certificate (.ovpn file) are downloaded. Install the +client package to start the VPN client software and then load the client certificate to connect to the cloud network. + +.. important:: + + 1. Only one load balancer is supported on a given Controller implying that the system supports a fleet of UserVPN gateways behind one load balancer. + 2. `Client Certificate Sharing `_ must be enabled for the UserVPN solution implying you must first configure the VPN user on SAML IDP and on the Aviatrix Controller you need to configure only one VPN user. + OpenVPN® is a registered trademark of OpenVPN Inc. .. |image1| image:: FAQ_media/image1.png @@ -405,4 +460,12 @@ OpenVPN® is a registered trademark of OpenVPN Inc. .. |assign_user_to_profile| image:: FAQ_media/assign_user_to_profile.png :scale: 30% +.. |windows_client| image:: openvpn_faq_media/windows_client.png + :scale: 30% + +.. |linux_client| image:: openvpn_faq_media/linux_client.png + :scale: 30% + +.. |client_download| image:: openvpn_faq_media/client_download.png + :scale: 30% .. disqus:: diff --git a/HowTos/openvpn_faq_media/client_download.png b/HowTos/openvpn_faq_media/client_download.png new file mode 100644 index 000000000..2b6761ec3 Binary files /dev/null and b/HowTos/openvpn_faq_media/client_download.png differ 
diff --git a/HowTos/openvpn_faq_media/linux_client.png b/HowTos/openvpn_faq_media/linux_client.png new file mode 100644 index 000000000..d8ea3e1db Binary files /dev/null and b/HowTos/openvpn_faq_media/linux_client.png differ diff --git a/HowTos/openvpn_faq_media/windows_client.png b/HowTos/openvpn_faq_media/windows_client.png new file mode 100644 index 000000000..86a89d61f Binary files /dev/null and b/HowTos/openvpn_faq_media/windows_client.png differ diff --git a/HowTos/openvpn_features.rst b/HowTos/openvpn_features.rst index 1d895cec3..90872eaf9 100644 --- a/HowTos/openvpn_features.rst +++ b/HowTos/openvpn_features.rst @@ -19,7 +19,7 @@ VPN Management - **PKI Management** Supports Bring Your Own (BYO) PKI management system. - **Force Disconnect** Any admin can force disconnect a VPN user from the controller console. - **Dashboard** View all active VPN users and their connection history from the controller console dashboard. -- **REST API** Support REST API for all management activities. +- **API** Support API for all management activities. Authentication Options ----------------------- @@ -60,7 +60,7 @@ Client Software - **OpenVPN® Client Software** All OpenVPN® client software is supported. The supported clients are macOS, Windows, iOS, Android, Chromebook, Linux and BSD. - **Aviatrix VPN Client** Aviatrix VPN Client supports macOS, Windows and Linux Debian distribution and BSD distribution. Choose Aviatrix VPN Client if you require SAML authentication directly from VPN client software. - +To download and install Aviatrix VPN Client, refer to `this link `_. OpenVPN is a registered trademark of OpenVPN Inc. diff --git a/HowTos/openvpn_fqdn.rst b/HowTos/openvpn_fqdn.rst index 02c9d2c2d..cf7fa6250 100644 --- a/HowTos/openvpn_fqdn.rst +++ b/HowTos/openvpn_fqdn.rst @@ -4,7 +4,7 @@ ======================================================== -OpenVPN FQDN Filter Solution +OpenVPN + FQDN Filter Solution ======================================================== 
diff --git a/HowTos/overlapping_network_solutions.rst b/HowTos/overlapping_network_solutions.rst new file mode 100644 index 000000000..044ffd39f --- /dev/null +++ b/HowTos/overlapping_network_solutions.rst 
@@ -0,0 +1,171 @@ + + +.. meta:: + :description: Create site2cloud connection with overlap network address ranges + :keywords: Mapped site2cloud, VGW, SNAT, DNAT, Overlap Network CIDR, overlap CIDRs + + +=========================================================================================== +Overlapping Network Connectivity Solutions +=========================================================================================== + +This document describes a few scenarios of overlapping networking CIDRs and their solutions. The solution uses the `Mapped` option +of Aviatrix `Site2Cloud `_ feature when building IPSEC tunnels. + +Using Mapped Site2Cloud provides the advantage of not having to configure individual SNAT/DNAT rules, as +all virtual and physical network addresses are 1-1 translated. + +This document does not go into specifics of the actual configurations. For such information, check out `this example document `_. + +Scenario 1: On-prem Overlaps with Spoke VPC in TGW Deployment +---------------------------------------------------------------- + +In this scenario, on-prem site-1 overlaps with Spoke-1 VPC CIDR, they both are 172.32.0.0/16 and wish to communicate with each +other. The solution is to deploy an Aviatrix gateway in Spoke-2 VPC and build IPSEC tunnel +between Spoke-2 gateway and the on-prem. In the deployment, both Spoke-1 and Spoke-2 are attached to TGW and are in the same Security Domain. + +The diagram is shown below. Note one can launch an Aviatrix gateway in Spoke-1 directly and build the IPSEC tunnel. This example +demonstrates how to use `Spoke VPC Advertised Routes `_ to +build a more complex network. + +.. Tip:: + + VPC Spoke-1 is for illustration purpose. The destination network that overlaps with the on-prem site may be on on-prem network that connects with AWS TGW via DXGW or VPN. Similarly, the on-prem network could be a VPC/VNet in the cloud. + + +|overlap_onprem_tgw| + +Following are the steps to setup the above networks. + + 1. 
Attach VPC Spoke-2 to TGW. Go to TGW Orchestrator -> Build to attach. + #. Launch Aviatrix gateway in Spoke-2. Go to Gateway -> Add New to launch. + #. (Optional) Enable HA. Go to Gateway -> Gateway for High Availability Peering to enable HA. + #. Configure Site2Cloud to site-1 with Mapped Option on Spoke-2. Go to Site2Cloud -> Add New. Key parameters on site2cloud IPSEC configuration: + + :: + + Spoke-2 gateway site2cloud key parameters: + + Connection Type: Mapped + Enable HA: Selected (Optional) + Local Subnet (real): 172.32.0.0/16 + local Subnet (virtual): 192.168.0.0/16 + Remote Subnet (real): 172.32.0.0/16 + Remote Subnet (virtual): 100.100.0.0/16 + + #. Configure the on-prem site-1 IPSEC. Key parameters + + :: + + on-prem site-1 IPSEC key parameters: + + Local Subnet: 172.32.0.0/16 + Remote Subnet: 192.168.0.0/16 + + #. Make sure the tunnel come up. + + #. **Important** Advertise 100.100.0.0/16 to TGW from Spoke-2 VPC. Go to TGW Orchestrator -> List. Click Spoke-2, click Actions -> Edit Spoke Advertised Routes. Enter `172.34.0.0/100, 100.100.0.0/16`, where 172.34.0.0/16 is Spoke-2 VPC CIDR and 100.100.0.0/16 is the virtual network CIDR of on-prem site-1. + + #. Test connectivity. From on-prem site-1 to ping an instance in Spoke-1 using the Spoke-1 virtual network CIDR with the real host portion of its IP address. For example, if the instance in Spoke-1 is 172.32.10.15, then site-1 should ping 192.168.10.15. + + #. Done. + + +Scenario 2: Multi-Sites Overlap in TGW Deployment +----------------------------------------------------------------- + +Scenario 1 can be extended to on-prem multi sites that have overlapping or identical network addresses, as shown in the diagram below. + +|overlap_multi_onprem_tgw| + + 1. Attach VPC Spoke-2 to TGW. Go to TGW Orchestrator -> Build to attach. + #. Launch Aviatrix gateway in Spoke-2. Go to Gateway -> Add New to launch. + #. (Optional) Enable HA. Go to Gateway -> Gateway for High Availability Peering to enable HA. + #. 
Create a Site2Cloud connection to site-1 with Mapped Option on Spoke-2. Key parameters on site2cloud IPSEC configuration: + + :: + + Spoke-2 gateway site2cloud to site-1 key parameters: + + Connection Type: Mapped + Enable HA: Selected (Optional) + Local Subnet (real): 172.32.0.0/16 + local Subnet (virtual): 192.168.0.0/16 + Remote Subnet (real): 172.32.0.0/16 + Remote Subnet (virtual): 100.100.0.0/16 + + #. Create an on-prem site-1 to Spoke-2 gateway IPSEC connection with an on-prem router or firewall. Key parameters + + :: + + on-prem site-1 IPSEC key parameters: + + Route Based VPN. + Local Subnet: 172.32.0.0/16 + Remote Subnet: 192.168.0.0/16 + + #. Make sure the tunnel come up. + + #. Configure a Site2Cloud to site-2 connection with Mapped Option on Spoke-2. Key parameters on site2cloud IPSEC configuration: + + :: + + Spoke-2 gateway site2cloud to site-2 key parameters: + + Connection Type: Mapped + Enable HA: Selected (Optional) + Local Subnet (real): 172.32.0.0/16 + local Subnet (virtual): 192.168.0.0/16 + Remote Subnet (real): 172.32.0.0/16 + Remote Subnet (virtual): 100.200.0.0/16 + + #. Create an on-prem site-2 to Spoke-2 gateway IPSEC connection with an on-prem router or firewall. Key parameters + + :: + + on-prem site-2 IPSEC key parameters: + + Route Based VPN. + Local Subnet: 172.32.0.0/16 + Remote Subnet: 192.168.0.0/16 + + + #. **Important** Advertise 100.100.0.0/16 100.200.0.0/16 to TGW from Spoke-2 VPC. Go to TGW Orchestrator -> List. Click Spoke-2, click Actions -> Edit Spoke Advertised Routes. Enter `172.34.0.0/100, 100.100.0.0/16, 100.200.0.0/16`, where 172.34.0.0/16 is Spoke-2 VPC CIDR and 100.100.0.0/16 is the virtual network CIDR of on-prem site-1 and 100.200.0.0/16 is the virtual network CIDR of on-prem site-2. + + #. Test connectivity. From on-prem site-1 to ping an instance in Spoke-1 using the Spoke-1 virtual network CIDR with the real host portion of its IP address. 
For example, if the instance in Spoke-1 is 172.32.10.15, then site-1 should ping 192.168.10.15. + + + #. Test connectivity. From on-prem site-2 to ping an instance in Spoke-1 using the Spoke-1 virtual network CIDR with the real host portion of its IP address. For example, if the instance in Spoke-1 is 172.32.10.15, then site-2 should ping 192.168.10.15. + + #. Done. + +Scenario 3: On-prem Overlaps with Spoke in Aviatrix Transit Deployment +-------------------------------------------------------------------------- + +In this scenario, Aviatrix Transit solution is deployed and similarly on-prem site +overlaps with a Spoke CIDR where it needs to communicate with, as shown in the diagram below. + +|overlap_onprem_aviatrix_transit| + + +Scenario 4: Multi-Sites Overlap in Aviatrix Transit Deployment +----------------------------------------------------------------- + +This scenario extends the previous solution to include multi sites, as shown in the diagram below. + +|overlap_multi_onprem_aviatrix_transit| + + +.. |overlap_onprem_tgw| image:: overlapping_network_solutions_media/overlap_onprem_tgw.png + :scale: 30% + +.. |overlap_multi_onprem_tgw| image:: overlapping_network_solutions_media/overlap_multi_onprem_tgw.png + :scale: 30% + +.. |overlap_onprem_aviatrix_transit| image:: overlapping_network_solutions_media/overlap_onprem_aviatrix_transit.png + :scale: 30% + +.. |overlap_multi_onprem_aviatrix_transit| image:: overlapping_network_solutions_media/overlap_multi_onprem_aviatrix_transit.png + :scale: 30% + +.. disqus:: diff --git a/HowTos/overlapping_network_solutions_media/overlap_multi_onprem_aviatrix_transit.png b/HowTos/overlapping_network_solutions_media/overlap_multi_onprem_aviatrix_transit.png new file mode 100644 index 000000000..91167c840 Binary files /dev/null and b/HowTos/overlapping_network_solutions_media/overlap_multi_onprem_aviatrix_transit.png differ 
diff --git a/HowTos/overlapping_network_solutions_media/overlap_multi_onprem_tgw.png b/HowTos/overlapping_network_solutions_media/overlap_multi_onprem_tgw.png new file mode 100644 index 000000000..373d3f3df Binary files /dev/null and b/HowTos/overlapping_network_solutions_media/overlap_multi_onprem_tgw.png differ diff --git a/HowTos/overlapping_network_solutions_media/overlap_onprem_aviatrix_transit.png b/HowTos/overlapping_network_solutions_media/overlap_onprem_aviatrix_transit.png new file mode 100644 index 000000000..2fca0570e Binary files /dev/null and b/HowTos/overlapping_network_solutions_media/overlap_onprem_aviatrix_transit.png differ diff --git a/HowTos/overlapping_network_solutions_media/overlap_onprem_tgw.png b/HowTos/overlapping_network_solutions_media/overlap_onprem_tgw.png new file mode 100644 index 000000000..f31f28669 Binary files /dev/null and b/HowTos/overlapping_network_solutions_media/overlap_onprem_tgw.png differ diff --git a/HowTos/paloalto_API_setup.rst b/HowTos/paloalto_API_setup.rst index 631a92b6b..dd0cd58e0 100644 --- a/HowTos/paloalto_API_setup.rst +++ b/HowTos/paloalto_API_setup.rst @@ -27,7 +27,7 @@ At the Palo Alto VM-Series console, ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ a. Create a new role profile and name it Aviatrix-API-Role: Go to Device -> Admin Roles -> +Add - #. Click XML/REST API + #. Click XML/API #. Click Report, Configuration, Operation Requests and Commit #. Click Commit. 
@@ -86,9 +86,9 @@ Install a license in Panorama. Without the correct license, it won't work. b. Upgrade Panorama ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Panorama must be on the same or higher software version as its managed firewalls. +Panorama MUST be on the same or higher software version as its managed firewalls. -Currently (Dec., 2019), a newly launched firewall instance is on version 9.0.3.xfr. If the Panorama instance version is on 8.1.x, upgrade it to version 9.0.3.xfr or higher version by following the instructions below. +Currently (May, 2020) a newly launched firewall instance is on version 9.0.6 or 9.1.2. If the Panorama instance version is on 8.1.x, upgrade it to version 9.0.6 or higher version by following the instructions below. Go to Panorama --> Dynamic Updates, click "Check Now", select the latest version in "Applications and Threats", download and install. @@ -114,7 +114,7 @@ d. Create Device Group A Device Group is used to manage all the firewall policies. 1. **Add Device Group** - Go to Panorama --> Device Groups, click "Add" to create two new device groups for FireNet GW HA. Add managed VMs to each device group. Remember the device group name, for example "west2-firenet-primary". + Go to Panorama --> Device Groups, click "Add" to create a new device group for both FireNet GWs. Add managed VMs to the device group. Remember the device group name, for example "west2-firenet-primary". You may create two device groups as well if you want to separately edit for each Firenet GW. The following 3 # steps, please refer to the step 8 and 9 of https://docs.aviatrix.com/HowTos/config_paloaltoVM.html #. **Add Example Policy** (Optional if internet traffic is needed) 
@@ -150,7 +150,7 @@ Router name (Optional) Specify the firewall virtual Rou .. Note:: - - The Panorama manager needs to be configured separately for the primary and backup FireNet gateways, because each is associated with a different template name. + - The Panorama needs to be configured separately for the primary and backup FireNet gateways. - Panorama can be configured even when there is no VM-Series associated with a FireNet gateway. However in such case, the egress subnet is not decided, therefore the egress route cannot be added. Once the first VM-Series instance is launched and is in sync with Panorama, the egress route will be automatically added. @@ -158,8 +158,6 @@ Router name (Optional) Specify the firewall virtual Rou - After Panorama is setup, any additional VM-Series associated with same gateway will be controlled by Panorama and no further configuration on the VM-Series is needed. - - When all VM-Series are disassociated from a FireNet gateway, Panorama still maintains the configuration, unless the user removes the configuration from Panorama. - - When Panorama is configured, the associated will show the vendor as "Palo Alto Panorama". Clicking "Show" will use the same access account and password to access firewall and retrieve route information. To enable this, you need to configure admin role and user (same name and password as configured for Panorama itself) in the template in Panorama. - The controller only supports one virtual router. If Router name is not specified, the controller takes the first virtual router in the list. 
@@ -207,9 +205,7 @@ Commit and push. e. Integrate Panorama with Aviatrix Controller ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Go to the Aviatrix Controller->Firewall Network->Vendor Integration->Firewall Manager (Panorama), fill out all the required information and save. - -This step can also be done right after step a. +Go to the Aviatrix Controller->Firewall Network->Vendor Integration->Firewall Manager (Panorama), fill out all the required information and save. After this step, the Panorama and PAN firewalls are attached to the controller. 4. API calls @@ -226,7 +222,7 @@ Examples of Palo Alto Networks API used: :: - https://54.149.55.193/api/?password=Aviatrix123%23&type=keygen&user=apiadmin + https://54.149.55.193/api/?password=password&type=keygen&user=apiadmin 2. get route tables: diff --git a/HowTos/pan_bootstrap_example_azure.rst b/HowTos/pan_bootstrap_example_azure.rst new file mode 100644 index 000000000..a852e55ec --- /dev/null +++ b/HowTos/pan_bootstrap_example_azure.rst 
@@ -0,0 +1,116 @@ +.. meta:: + :description: Firewall Network + :keywords: Azure Transit Gateway, Aviatrix Transit network, Transit DMZ, Egress, Firewall, Bootstrap, VM-Series + + +========================================================= +Bootstrap Configuration Example for VM-Series in Azure +========================================================= + +Using bootstrap option significantly simplifies VM-Series initial configuration setup. + +In this document, we provide a bootstrap example to set up an to allow HTTPS for Health Check Policy , "Allow All" firewall Policy and Egress NAT policy for the VM-Series to validate +that traffic is indeed sent to the VM-Series for VNET to VNET traffic inspection. This example does not use Panorama. + +Please use 9.1.0 and above version for better results. + +Note that Panorama PAN-OS version should be the same or higher than the firewall VMs when they are added to the Panorama, like, 9.1.0 for both Panorama and VMs. + +For a manual setup, follow `manual setup example. `_ + +1. Create Storage Account and Private Container +-------------------------------------------------- + +Login to Azure's console and create a storage account and file share in the storage for bootstrap with a **unique** name, for example "pan bootstrap", using this `guide `_ Step 1 and 2 with the following structure: + +:: + + Storage Account (e.g. bootstrapstorage) + File Share (e.g. pan-bootstrap) + Config/ + init-cfg.txt + bootstrap.xml + Content + License + Software + + +|file-share-folder-example| + +2. Upload config files +------------------------ + +Follow `Step 2.3 `_ to upload the configuration. Example Bootstrap.xml and config file is provided below. + +**2.1** The example bootstrap.xml file contains the "Allow All", Egress and API admin setup. To downloady the file, click :download:`bootstrap.xml `. + +**2.2** For the example init-cfg.txt file, click :download:`init-cfg.txt `. + +.. 
Note:: + In the example bootstrap.xml, you must specify custom usernames and passwords for the and , and generate hash strings for the passwords. + +**2.3** upload these two files to your config folder under Storage Account-> File Shares. + +3. Launch the VM-Series instance +----------------------------------- + +First follow `Step 3 `_ to get an access key which will be required at a time of VM-Series launch. + +Follow the Aviatrix Firewall Network (FireNet) workflow `Step 7a. `_ + +Fill in the required fields. Click Advanced. Fill in the following parameters. + +================================ ====================== +**Advanced Field** **Example Value** +================================ ====================== +Bootstrap Storage Name Azure Storage Name (e.g. bootstrapstorage) +Storage Access Key Azure Storage key (e.g. XiFiEeCzBLueMDTcKGdxhSV+ZUG3UvnLgfqA==) +File-share Folder File Share Folder Name (e.g. pan-bootstrap) +Share-directory (Optional) Config (Optional) +================================ ====================== + +Launch the VM-Series instance. Wait for 15 minutes for it to boot up and initialize. + +Login to the HTTPS interface of VM-Series management public IP with the username and password specified in the bootstrap.xml file. + + +4. Configure API Vendor Integration +-------------------------------------- + +In order for the Aviatrix Controller to automatically update firewall instance route tables, monitor the firewall instance health and manage instance failover, you need to setup API access permissions. + +Go to Controller -> Firewall Network -> Vendor Integration -> Firewall. Note the following fields. + + - Firewall Login User Name field, use the username specified in the bootstrap.xml file. + - Firewall Login Password field, use the password specified in the bootstrap.xml file. + +If you are manually configuring the firewall from scratch, follow `the instructions here `_ to enable API access. + + +5. Ready to go! 
+--------------- + +Now your firewall instance is ready to receive packets! + +Next step is to validate your configurations and polices using FlightPath and Diagnostic Tools (ping, traceroute etc.). + + +6. View Traffic Log +---------------------- + +You can view if traffic is forwarded to the firewall instance by logging in to the VM-Series console. Click Monitor. Start ping packets from one Spoke VNET to another Spoke VNET. + +7. Additional References +-------------------------- + +Following links from Palo Alto Networks for PAN-OS 8.1 and 9.0 provides additional information. + +`Create the init-cfg.txt File `_ + +`Bootstrap the VM-Series Firewall in Azure 9.1 `_ + +.. |file-share-folder-example| image:: bootstrap_example_media/file-share-folder-example.png + :scale: 40% + + +.. disqus:: diff --git a/HowTos/peering.rst b/HowTos/peering.rst index 32a97a3a5..29ff6e8ce 100644 --- a/HowTos/peering.rst +++ b/HowTos/peering.rst @@ -34,9 +34,7 @@ This guide helps you configure an encrypted peering. For cluster peering, refer AWS VPC Peering """""""""""""""""" -The Aviatrix Controller integrates native AWS `VPC Peering `_ for both intra region peering and inter -region peering, where it is available. Cross account peering is also supported. -We have made it simple for AWS VPC Peering by integrating route table programming and integrating requester and acceptor into one step. You can also decide which route table to participate in the AWS VPC Peering. +The Aviatrix Controller integrates native AWS `VPC Peering `_ for both intra region peering and inter region peering, where it is available. Cross account peering is also supported. We have made it simple for AWS VPC Peering by integrating route table programming and integrating requester and acceptor into one step. You can also decide which route table to participate in the AWS VPC Peering. To Configure: 
@@ -47,6 +45,33 @@ To Configure: 3. You can choose to build the peering for the entire VPC or select individual route tables. 4. Click OK. + Azure VNET Peering +"""""""""""""""""" + +The Aviatrix Controller integrates native Azure `VNET Peering `_ for both intra region peering and inter region peering. Cross subscription peering is also supported as long as both subscriptions are onboarded to the controller. + +To Configure: + +:: + + 1. Go to Peering -> Azure Peering -> New Peering. + 2. Select the subscription, region and VNET. + 3. Click OK. + + +Azure VNET Peering +"""""""""""""""""" + +The Aviatrix Controller integrates native Azure `VNET Peering `_ for both intra region peering and inter region peering. Cross subscription peering is also supported as long as both subscriptions are onboarded into the controller. + +To Configure: + +:: + + 1. Go to Peering -> Azure Peering -> New Peering. + 2. Select the subscription, region and VNET. + 3. Click OK. + MultiCloud Peering """"""""""""""""""" diff --git a/HowTos/periodic_ping.rst b/HowTos/periodic_ping.rst new file mode 100644 index 000000000..6a485c089 --- /dev/null +++ b/HowTos/periodic_ping.rst 
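Review bot: the second peering hunk adds the "Azure VNET Peering" section twice; the two copies are identical apart from "onboarded to the controller" versus "onboarded into the controller", and the first copy's title line "+ Azure VNET Peering" carries a leading space, which makes docutils treat it as an indented block rather than a section heading. Keep one copy (the second, whose heading is clean) and delete the other.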
@@ -0,0 +1,38 @@ +.. meta:: + :description: Periodic Ping + :keywords: site2cloud troubleshooting tunnel drop stability IPSec + + +============================================ +Periodic Ping +============================================ + +In very rare cases Site2cloud tunnels may fail to pass traffic if the tunnel is dormant for a long period of time. This is not an issue with the Aviatrix Gateways and can usually be traced to misconfigurations on the remote device. To compensate for this Periodic Ping was developed to maintain a steady flow of traffic across the tunnel. + +For more information on troubleshooting Site2Cloud issues please refer to these links: + +- `Troubleshooting Site2Cloud Playbook `_ +- `Site2Cloud Workflow `_ + +Controller Path +-------------- + +Controller > Gateway > select gateway > Periodic Ping + +Configuration +-------------- +=============================== ================================================================= + **Option** **Description** +=============================== ================================================================= +Interval The interval the ping is sent in seconds +IP Address The destination IP of a device on the remote end of the tunnel +=============================== ================================================================= + +Set the desired values (ie, Interval 3 & IP Address 10.200.1.8) and then click "Enable." The Gateway will now ping the remote device in intervals of seconds. The ping will originate from the Gateway's local IP. + +Additional Notes +-------------- + +- If Periodic Ping is enabled on a Transit Gateway with BGP, "Advertise Transit VPC Network CIDR(s)" must be enabled for the ping to traverse the site2cloud tunnel + - - Controller > Transit Network > Advance Config > Edit Transit > select gateway > Advertise Transit VPC Network CIDR(s) > Enable +- This feature is available in software version 5.3 and above 
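Review bot: the sentence "The Gateway will now ping the remote device in intervals of seconds" has lost its number; either refer back to the configured Interval ("every Interval seconds") or reuse the example value of 3. The underlines for "Controller Path" and "Additional Notes" are shorter than the titles, which Sphinx reports as "Title underline too short"; lengthen them. Under Additional Notes the nested item "  - - Controller > Transit Network > Advance Config > ..." starts with two dashes, so it renders as a bullet containing another bullet; drop one. The Interval row says only "The interval the ping is sent in seconds"; a sentence on whether a failed ping raises any alert or merely keeps the tunnel busy would set expectations for anyone using this as a health signal. Minor: "ie," should be "i.e.," and "site2cloud" is spelled "Site2Cloud" elsewhere in the file.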
diff --git a/HowTos/privateS3_workflow.rst b/HowTos/privateS3_workflow.rst index ce975f8a3..7a25cfb34 100644 --- a/HowTos/privateS3_workflow.rst +++ b/HowTos/privateS3_workflow.rst @@ -7,14 +7,24 @@ PrivateS3 Workflow ========================================================= +Below is the workflow for PrivateS3. To learn more about PrivateS3, check out `PrivateS3 FAQ. `_. + Step 1. Launch an Aviatrix Gateway ------------------------------------- -Go to Gateway -> New Gateway to launch a gateway. Specify the Gateway Name, Access Account Name, Region, VPC ID, +Go to Gateway -> New Gateway to launch an Aviatrix gateway. Specify the Gateway Name, Access Account Name, Region, VPC ID, Public Subnet and Gateway Size. Leave all other fields as default. +Select the region where you want the S3 buckets to be explicitly allowed or denied access through PrivateS3. + +Step 2. Create Access Accounts +-------------------------------- + +PrivateS3 automatically scans the S3 buckets owned by the `Access Accounts. `_. +Create one Access Account if you have not done so. + -Step 2. Enable/Edit PrivateS3 +Step 3. Enable/Update PrivateS3 ---------------------------------- .. tip:: 
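Review bot: both new links in the first privateS3 hunk put the period inside the link text and repeat it after the reference ("check out `PrivateS3 FAQ. `_." and "owned by the `Access Accounts. `_."), which renders as "FAQ.." and "Accounts.."; move the period outside the backticks. The added sentence "Select the region where you want the S3 buckets to be explicitly allowed or denied access through PrivateS3" sits after "Leave all other fields as default" and so reads as a separate step; fold it into the description of the Region field so the reader sees it before filling in the form.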
@@ -26,17 +36,54 @@ Each AWS S3 bucket has a unique FQDN name. For example, if a full URL to access =================================== ================== **Setting** **Value** =================================== ================== -Gateway Name Select a gateway launched in the previous step -Source CIDR Range Enter a summary list of the on-prem network address range separated by comma. For example, 10.10.0.0/16,10.12.0.0/16. Note this list should be a simple super set of your on-prem network CIDR range. It does not need to be precise. -S3 Bucket FQDN Name Resolution IP This is a display field. It displays the AWS internal NLB private IP address created by the Controller. This field does not immediately display after the first gateway is launched. Wait for a few minutes and refresh the browser. Use the displayed IP address for your on-prem DNS configuration in the next step. -+Add New Bucket Click and then enter a FQDN name of the file in S3 bucket. Click Save to save entry. Click +Add New Bucket again to enter another entry. -Enable If this is the first time, click Enable to enable the feature. -Update If PrivateS3 has been enabled, use this button to update changes including editing Source CIDR Range, Add New Bucket or Delete existing bucket. +Gateway Name Select a gateway launched in the previous step for PrivateS3 service. +Source CIDR Range This field represents a scope of on-prem network address range, it is used to check if PrivateS3 filtering function should be applied for a given packet source IP address. This address range does not need to be precise. Enter a summary list of the on-prem network address range separated by comma. For example, 10.0.0.0/8. +Access Accounts You can select multiple accounts and move them to the right panel. The Controller scans S3 of the selected accounts every 30 minutes to discover any new S3 buckets. +=================================== ================== + +Click Enable. 
If PrivateS3 has been enabled, use this Step to update changes in Source CIDR Range or Access Accounts. + +Once PrivateS3 is enabled, Controller creates an AWS NLB and attach the PrivateS3 gateway to it. The NLB serves as load balancer to forward +S3 HTTPS request to the gateways. + +Once PrivateS3 is enabled, you can go to Step 1 to create more Aviatrix gateways in the same VPC and attach it to the NLB. + +Once PrivateS3 is enabled on the selected accounts, the Controller scans every 30 minutes S3 buckets of the selected accounts in the region where Aviatrix PrivateS3 gateway is deployed. + +When new S3 buckets are discovered, an email will be sent to the Controller admin. Admin should login to the Controller, go to Security -> PrivateS3 -> Step 4 to take actions on the new buckets. The actions are either Allow or Deny. + +Step 4. Update S3 Bucket Policy +--------------------------------------- + +Filter on S3 buckets with policy New. Change it to either Allow or Deny. + +You can change all buckets to Allow All or Deny All. + + + +Step 5 View/Delete PrivateS3 +-------------------------------- + +When PrivateS3 is enabled, Aviatrix Controller creates an AWS Network Load Balancer (NLB) and attaches Aviatrix gateway to it. More Aviatrix +gateways can be launched and attached to this NLB. The NLB front ends the pool of Aviatrix gateways and distributes S3 related HTTPS +requests to the attached gateways. + +The View displays relevant data for troubleshooting and visibility. + +=================================== ================== +**Setting** **Value** +=================================== ================== +PrivateS3 NLB Name AWS NLB created by Aviatrix Controller when PrivateS3 is enabled. +NLB Status The status of the NLB created Aviatrix Controller. +PrivateS3 true/false to indicate if PrivateS3 is enabled or not. +Region AWS region where PrivateS3 gateways are launched. 
+PrivateS3 DNS Name Resolution IP This filed displays the AWS internal NLB private IP address created by the Controller AFTER you complete this step of attaching the bucket URL to the FIRST gateway. It will take sometime while the NLB is created. If you are repeating this step for additional gateways, the NLB IP should be autopopulated when you choose the first gateway that the URL was attached to. Use the displayed IP address for your on-prem DNS configuration in the next step. +PrivateS3 DNS Name This field displays the DNS name of the NLB created by Aviatrix Controller for PrivateS3 function. =================================== ================== -Step 3. Create on-prem DNS Private Zone ---------------------------------------------- +Additional Configuration 1: Create on-prem DNS Private Zone +-------------------------------------------------------------- Create a private zone on your on-prem DNS server so that all S3 bucket names resolve to the PrivateS3 private IP address displayed from Step 2 in the field "S3 Bucket FQDN Name Resolution IP". 
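Review bot: the rewritten Source CIDR Range row drops the old guidance that the range must be a superset of the on-prem networks ("Note this list should be a simple super set of your on-prem network CIDR range") and now says only that it "does not need to be precise"; because the same row says the range decides whether PrivateS3 filtering is applied to a packet's source IP, an under-scoped range lets on-prem sources outside it bypass the filter, so state that the range should err on the side of being too broad. The new Step 4 says newly discovered buckets carry policy "New" until the admin chooses Allow or Deny; the page should say whether a bucket in "New" state is allowed or denied in the meantime, since the email-then-act flow leaves a window. Several references are stale after the renumbering: the Step 5 row "PrivateS3 DNS Name Resolution IP" still describes "attaching the bucket URL to the FIRST gateway" and "the next step", and the retained paragraph under "Additional Configuration 1" points at "Step 2 in the field "S3 Bucket FQDN Name Resolution IP"", a step number and field name that no longer exist in this workflow. Grammar: "creates an AWS NLB and attach" should be "attaches", "S3 HTTPS request" should be plural, "This filed" should be "field", and "sometime" should be "some time".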
@@ -57,7 +104,30 @@ create a zone with domain name s3.us-west-2.amazonaws.com, another zone with dom Use DNS wildcard for record. For example, use *.s3.us-west-2.amazonaws.com that resolves to an A record that is the private IP address of the PrivateS3 internal NLB. +Additional Configuration 2: S3 endpoint +------------------------------------------------- + +PrivateS3 does not require a S3 endpoint, however, S3 endpoint in the VPC where PrivateS3 gateways are deployed +helps forwarding traffic to S3 services without +routing through the Internet. Configuring S3 endpoint is outside the scope of the PrivateS3 workflow. Login to AWS Console to create S3 endpoint. + +Adding More PrivateS3 Gateways +--------------------------------------------------------------- + +When you want to scale-out and add more Gateways to the pool, follow these steps + + 1. Deploy a new Gateway in a subnet in the same VPC by navigating to Gateway -> New Gateway. Specify the Gateway Name, Access Account Name, Region, VPC ID, Public Subnet and Gateway Size. Leave all other fields as default. + #. Navigate to Security -> Private S3 + #. Choose the initially deployed Gateway from the drop down menu under 'Gateway name' + #. Following fields will be automatically populate based on the earlier deployed Gateway in the same VPC: Source CIDR Range, S3 Bucket FQDN Name Resolution IP, NLB DNS, S3 Bucket Name + #. Click on Attach, which will add this new Gateway as a Target in the correct Target Group for the NLB created. + +This completes the configuration needed to add a new Gateway to the pool. + +Additional Read +--------------- +Additional read can be found in this short blog, `Secure, Cost Effective and Private S3 access via PrivateLink for Partners with Visibility and Troubleshooting Tools `_. .. |sfc| image:: sfc_media/sfc .png :scale: 30% diff --git a/HowTos/rbac_faq.rst b/HowTos/rbac_faq.rst new file mode 100644 index 000000000..3494824e5 --- /dev/null +++ b/HowTos/rbac_faq.rst 
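Review bot: step 4 of "Adding More PrivateS3 Gateways" lists fields that this same change removed from Step 3 ("Source CIDR Range, S3 Bucket FQDN Name Resolution IP, NLB DNS, S3 Bucket Name"); the Step 3 table now has Gateway Name, Source CIDR Range and Access Accounts, so align the list or readers will look for a bucket field that is not there. The same item reads "Following fields will be automatically populate"; make it "The following fields will be populated automatically". In "Additional Configuration 2", "helps forwarding traffic" should be "helps forward traffic", and "a S3 endpoint" should be "an S3 endpoint".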
@@ -0,0 +1,155 @@ +.. meta:: + :description: Role Based Access Control + :keywords: account, aviatrix, AWS IAM role, Azure API credentials, Google credentials, RBAC + + +================================= +Role Based Access Control FAQ +================================= + +What is Aviatrix Role Based Access Control (RBAC)? +---------------------------------------------------------- + +Aviatrix Controller is a multicloud and multitenant Enterprise platform. As such, the Aviatrix Controller manages multiple cloud accounts by requiring access by multiple +administrators. RBAC provides access controls to protect the security and integrity of the Controller while providing the ability to delegate and limit specific Aviatrix features +to groups defined by the admin of the Controller. + +Aviatrix RBAC aims to achieve two objectives: + + - **Granular Access Control** A Controller administrator in a specific permission group can perform certain tasks for a subset of Aviatrix `Access Account `_. For example, an Administrative user can be limited to perform on his own AWS account VPC attachment function. + - **Self Service** A Controller administrator in a specific permission group can onboard its own cloud accounts on the Controller and perform tasks. For example, a Controller administrator can be allowed to onboard his own AWS account on the Controller and create a group of users for different tasks on this access account. Another use case is for developers to have a read_only login permission to troubleshoot network connectivity issues. + +How does RBAC work? +---------------------- + +RBAC allows you to create a hierarchy of administrators within the Aviatrix Controller. It has the flexibility to permutate based on your requirements. + +The best way to explain how RBAC works is through examples. Following are a few deployment examples. 
+ +RBAC Deployment Example 1 +--------------------------- + +In this example, the Controller admin creates a user Bob who has full responsibility to access account account-A and account-B. The Controller +admin also creates a user Alice who has full responsibility to access account-C and account-D. + +|rbac_example_1| + +Tasks carried out by admin +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +**Step 1** Create an account admin group. Admin Login. Go to Accounts -> Permission Groups -> +Add New. Give the group a name, for example, account-admins. + +**Step 2** Give this group the privilege to create Access Accounts. Go to Accounts -> Permission Groups. Click the 3 skewer dots, click Manage Permission. Click +Add New. Select Accounts in the list of functions. Click OK to confirm. + +**Step 3** Create user Bob to the account_admins group. Go to Account Users -> +New User. Fill the name, Bob, and other fields. For the field RBAC Groups, select account-admins created in Step 1. + +Tasks carried out by Bob +~~~~~~~~~~~~~~~~~~~~~~~~~ + +**Step 4** Bob should receive an email to invite him to access the Controller. Bob login. Bob creates a new permission group with full access. Go to Accounts -> Permission Groups -> +Add New. Fill permission group name, for example, group-bob. + +**Step 5** Bob associates himself with the group-bob. Go to Accounts -> Permission Groups. Select bob-group, click Manage users. Select Bob to associate with the group. + +**Step 6** Bob grants group-bob functional functional privilege. Go to Accounts -> Permission Groups. Select group-bob. Click Manage permissions. Click ALLWrite to grant group-bob + +**Step 7** Bob creates a new Access Account account-A. Bob login. Go to Accounts -> Access Accounts -> +Add New. For the field "Attach to RBAC Groups", select group-bob. This creates an access account that associates a cloud account that Bob manages. For the Account Name field, Bob enters account-A. + + +Bob can repeat **Step 7** to create account-B. 
Now Bob has full functional access to both account-A and account-B. + +Apply **Step 3** to **Step 7** for Alice to manage account-C and account-D. + +Can Bob assign a teammate with subset of functional privileges? +----------------------------------------------------------------- + +Yes. The deployment is shown in the diagram below. + +|rbac_example_2| + +Bob should perform the following tasks to have it setup. + + 1. Bob creates a new permission group, say Site2Cloud-ops. + #. Bob assigns himself to Site2Cloud-ops group. + #. Bob clicks "Manage permission" for Site2Cloud-ops group to select Site2Cloud permission for the group. + #. Bob clicks "Manage access accounts" for Site2Cloud-ops group to select account-A. + #. Bob creates a new user, say Adam and associate Adam to Site2Cloud-ops group. + +After the above tasks, Adam will be able to login and perform Site2Cloud tasks for account-A. But Adam cannot perform Site2Cloud +tasks for Alice's account. + +How to add a read_only user? +------------------------------ + +Read_only user has visibility to all pages on the Controller and can perform troubleshooting tasks. A read_only user cannot make modifications to any functions or accounts. + +|rbac_example_3| + +In this example, Alice creates a read_only user George. Alice performs the following steps. + + 1. Alice login. + #. Go to Accounts -> Account Users -> +Add New. + #. Add User Name George, User Email, Password. For RBAC Groups, select read_only. + +Can there be multiple admin users? +------------------------------------ + +Yes. Only admin can add more admin users. An admin user has the same privilege as the login admin with full access +to all pages and accounts. + +In this example, admin creates an admin user Jennifer. admin performs the following steps. + +|rbac_example_4| + + 1. admin login. + # Go to Accounts -> Account Users -> +Add New. + #. Add User Name Jennifer, User Email, Password. For RBAC Groups, select admin. 
+ +Does RBAC support remote authentications? +------------------------------------------- + +RBAC supports remote authentication against LDAP, Duo and other SAML IDPs. + +For LDAP and Duo, RBAC supports authentication only; the permissions are still validated locally on the Controller. + +For other SAML IDPs, you can configure profile attribute associated with the SAML user for permissions, thus avoiding having to add users on the Controller. + +How do I setup SAML login for RBAC? +------------------------------------ + +Aviatrix Controller login supports `SAML login. `_ + +You have the option of authorizing user by Controller configuration or through SAML IDP Attribute. +Go to Settings -> Controller -> SAML Login -> + Add New + +If you select "Set Access By" to be 'SAML IDP attribute', +follow the instructions to setup SAML. In the SAML IDP Attribute Statements, add a new attribute "Profile". +For Value field, add the Name of the Permission Groups you configured on the Controller. + +When a user authenticates against SAML IDP, the Controller retrieves the profile attribute and apply permission to the user. +There is no need to configure account users on the Controller, but you still need to specify Permission Groups +and their associated permissions. + +If you select "Set Access By" to be 'Controller', +you need to select an RBAC Group when creating an IDP endpoint. + + + +.. |rbac_example_1| image:: rbac_faq_media/rbac_example_1.png + :scale: 50% + +.. |rbac_example_2| image:: rbac_faq_media/rbac_example_2.png + :scale: 50% + +.. |rbac_example_3| image:: rbac_faq_media/rbac_example_3.png + :scale: 50% + +.. |rbac_example_4| image:: rbac_faq_media/rbac_example_4.png + :scale: 50% + +.. |account_structure| image:: adminusers_media/account_structure_2020.png + :scale: 50% + +.. |access_account_35| image:: adminusers_media/access_account_35.png + :scale: 50% + +.. disqus:: 
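Review bot: the Bob walkthrough uses inconsistent names for the same objects: the group is "account-admins" in Step 1 but "account_admins" in Step 3, and "group-bob" in Steps 4, 6 and 7 but "bob-group" in Step 5; pick one spelling each. Step 6 is cut off ("Click ALLWrite to grant group-bob") and has a doubled word ("functional functional privilege"); finish the sentence and, because this is the step where a self-service admin gives himself full write, say explicitly whether ALLWrite in group-bob applies only to the access accounts attached to that group, which is what the later Adam example relies on when it says he "cannot perform Site2Cloud tasks for Alice's account". In the Jennifer example the second list item "# Go to Accounts -> Account Users -> +Add New." is missing its period after the hash, so docutils will not number it. In the SAML section the "Profile" attribute from the IdP selects the Permission Group, which means whoever can edit that attribute in the IdP is effectively granting Controller permissions; a sentence recommending that this attribute be managed as tightly as the admin group itself would help. The substitutions |account_structure| and |access_account_35| are defined but never referenced in this file.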
diff --git a/HowTos/rbac_faq_media/rbac_example_1.png b/HowTos/rbac_faq_media/rbac_example_1.png new file mode 100644 index 000000000..740c8a8a1 Binary files /dev/null and b/HowTos/rbac_faq_media/rbac_example_1.png differ diff --git a/HowTos/rbac_faq_media/rbac_example_2.png b/HowTos/rbac_faq_media/rbac_example_2.png new file mode 100644 index 000000000..8dc121128 Binary files /dev/null and b/HowTos/rbac_faq_media/rbac_example_2.png differ diff --git a/HowTos/rbac_faq_media/rbac_example_3.png b/HowTos/rbac_faq_media/rbac_example_3.png new file mode 100644 index 000000000..52536cdde Binary files /dev/null and b/HowTos/rbac_faq_media/rbac_example_3.png differ diff --git a/HowTos/rbac_faq_media/rbac_example_4.png b/HowTos/rbac_faq_media/rbac_example_4.png new file mode 100644 index 000000000..4c15468b2 Binary files /dev/null and b/HowTos/rbac_faq_media/rbac_example_4.png differ diff --git a/HowTos/s2c_for_publicIP.rst b/HowTos/s2c_for_publicIP.rst index 0926d2de8..3956fe922 100644 --- a/HowTos/s2c_for_publicIP.rst +++ b/HowTos/s2c_for_publicIP.rst @@ -64,7 +64,7 @@ This step is to configure the gateway to translate the destination IP address 53 At the main navigation bar, click Gateway. Highlight the gateway, in this case, Spoke1, and click Edit. -Scroll down to Destination NAT. Follow the instructions `here `_ to configure, as shown below. +Scroll down to Destination NAT. Follow the instructions `here `_ to configure, as shown below. Note to use "Connection" field to specify the site2cloud connection name configured in Step 3. |dnat-config| diff --git a/HowTos/s2c_for_publicIP_media/dnat-config.png b/HowTos/s2c_for_publicIP_media/dnat-config.png index 12deb2fb7..92f32b984 100644 Binary files a/HowTos/s2c_for_publicIP_media/dnat-config.png and b/HowTos/s2c_for_publicIP_media/dnat-config.png differ diff --git a/HowTos/s2c_overlapping_cidrs_with_fast_convergence.rst b/HowTos/s2c_overlapping_cidrs_with_fast_convergence.rst new file mode 100644 index 000000000..750454c7a 
--- /dev/null +++ b/HowTos/s2c_overlapping_cidrs_with_fast_convergence.rst 
@@ -0,0 +1,189 @@ + +.. meta:: + :description: Site2Cloud Fast Timer and Convergence + :keywords: site2cloud, convergence, fast timers, overlapping subnets, netmap, ipsec + + +=========================================================================================== +Tuning For Sub-10 Seconds Failover Time in Overlapping Networks +=========================================================================================== + +Introduction +-------------- + +The purpose of this document is to provide the instructions for tuning network configurations for sub-10 seconds failover time when +network address ranges on-prem and cloud are overlapping. + +The scenario is described in the following diagram: + +|s2c_overlapping_cidr_topology| + +In the above diagram, Client-1 and Client-2 need to communicate with on-prem network. However, both Client-1 and Client-2 network +address ranges overlap with each other, and worse yet, they both overlap with on-prem network address range (10.0.0.0/16). Such scenarios +happen when Client-1, Client-2 and the on-prem networks belong to three different organizations. + +The traditional solution is to build IPSEC tunnel between the two networks and use SNAT/DNAT rules to translate each addresses, as +demonstrated in this `example. `_. Such solution requires a potentially +large number of SNAT/DNAT rules which is difficult to configure and maintain. + +With the introduction of `Mapped Site2Cloud for address overlapping networks `_ , you no longer need to wrestle with the individual SNAT/DNAT rules. + + +Configuration Steps +---------------------------- + +.. note:: + This example uses Aviatrix Gateway on client site to simulate fast convergence environment + +Step 1: Follow the Multi-Cloud Transit workflow to launch gateways +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Log in to the Controller console, go to Multi-CLOUD TRANSIT. 
Follow step 1, step 4 and step 6 respectively to launch transit and spoke gateways, and attach spoke gateways to transit. + +Create VPN tunnel between Transit Gateway and On-prem. + +Step 2: Create a Site2Cloud tunnel between Spoke Gateway and Client-1 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +2.1 Configure S2C from Spoke Gateway to Client-1 +################################################## + +Go to Controller Console -> Site2Cloud -> Setup. + +Click "+Add New". Fill the form and click OK. Select "Mapped" for the Connection Type field. + +================================================== ======================================================================= + **Field** **Value** +================================================== ======================================================================= + VPC ID/VNet Name Choose VPC ID (Select Spoke Gateway VPC) + Connection Type Mapped + Connection Name Arbitrary (e.g. S2C-SPK-to-Client1) + Remote Gateway Type Aviatrix + Tunnel Type Route-based + Algorithms Uncheck this box + IKEv2 Uncheck this box + Over Private Network Uncheck this box + Enable HA Check this box + Primary Cloud Gateway Select the Aviatrix Gateway created above + Backup Gateway Select the Aviatrix Gateway HA + Remote Gateway IP Address Public IP of Client-1 Primary Gateway + Remote Gateway IP Address (Backup) Public IP of Client-1 Backup Gateway + Pre-shared Key Optional (auto-generated if not entered) + Same Pre-shared Key as Primary Check this box + Custom Mapped Uncheck this box + Remote Subnet (Real) 10.10.0.0/16 (Client-1 Real CIDR) + Remote Subnet (Virtual) 100.64.0.0/16 (Client-1 Virtual CIDR) + Local Subnet (Real) 10.10.0.0/16 (On-Prem Network CIDR) + Local Subnet (Virtual) 192.168.0.0/16 (On-Prem Virtual CIDR) +================================================== ======================================================================= + + +2.2 Configure S2C from Client Side 
+################################################## + +Go to Controller Console -> Site2Cloud -> Setup. + +Click "+Add New". Fill the form and click OK. Select "unmapped" for the Connection Type field. + +================================================== ======================================================================= + **Field** **Value** +================================================== ======================================================================= + VPC ID/VNet Name Choose VPC ID (Select Client-1 VPC) + Connection Type Unmapped + Connection Name Arbitrary (e.g. S2C-Client1-to-SPK-GW) + Remote Gateway Type Aviatrix + Tunnel Type Route-based + Algorithms Uncheck this box + IKEv2 Uncheck this box + Over Private Network Uncheck this box + Enable HA Check this box + Primary Cloud Gateway Select the Aviatrix Gateway created above + Backup Gateway Select the Aviatrix Gateway HA + Remote Gateway IP Address Public IP of Spoke Primary Gateway + Remote Gateway IP Address (Backup) Public IP of Spoke Backup Gateway + Pre-shared Key Optional (auto-generated if not entered) + Same Pre-shared Key as Primary Check this box + Remote Subnet 192.168.0.0/16 (On-Prem Virtual CIDR) + Local Subnet 10.10.0.0/16 (Client-1 Local Network CIDR) +================================================== ======================================================================= + +Step 3: Configure global parameters +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Go to Controller Console -> Settings -> Advanced + +1) Click on "Tunnel" tab and change "Status Change Detection Time" and save settings. 
+ +================================================== ======================================================================= + **Field** **Value** +================================================== ======================================================================= + Aviatrix Entity Choose Controller + Detecion time (secs) 20 +================================================== ======================================================================= + +2) Click on "Keepalive" tab and modify Keepalive Template Configuration + +================================================== ======================================================================= + **Field** **Value** +================================================== ======================================================================= + Keep Alive Speed fast +================================================== ======================================================================= + +Step 4: Configure site2cloud parameters +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Go to Aviatrix Controller's Console -> Site2Cloud -> Setup. + +4.1 Spoke Gateway Side +######################## + +Select Spoke Gateway VPC, spoke gateway to client site2cloud connection and click "Edit" + +1) Make sure only one tunnel is UP and HA status Active-Standby +2) DPD Timer is enabled, configure DPD timers as shown below and click "Save and Apply". 
+ +================================================== ======================================================================= + **Field** **Value** +================================================== ======================================================================= + Initial Delay 1 + Retry 1 + Maxfail 1 +================================================== ======================================================================= + +3) Forward Traffic to Transit Gateway is enabled +4) Event Triggered HA is enabled + +4.2 Client Side +######################## + +Select Client VPC, client to spoke site2cloud connection and click "Edit" + +1) Make sure only one tunnel is UP and HA status Active-Standby +2) DPD Timer is enabled, configure DPD timers as shown below and click "Save and Apply". + +================================================== ======================================================================= + **Field** **Value** +================================================== ======================================================================= + Initial Delay 1 + Retry 1 + Maxfail 1 +================================================== ======================================================================= + +3) Active Active HA is disabled +4) Event Triggered HA is enabled + + +Test site2cloud fast convergence +------------------------------------ + +Bring down IPSec primary tunnel and measure convergence. + +Done. + +.. |s2c_overlapping_cidr_topology| image:: connect_overlap_cidrs_media/s2c_overlapping_cidr_topology.png + :scale: 40% + +.. disqus:: + + + diff --git a/HowTos/security_bulletin_article.rst b/HowTos/security_bulletin_article.rst new file mode 100644 index 000000000..32bc03a9c --- /dev/null +++ b/HowTos/security_bulletin_article.rst 
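Review bot: the example addresses in Step 2.1 contradict the introduction: the intro says the on-prem range is 10.0.0.0/16, but the table gives "Local Subnet (Real) 10.10.0.0/16 (On-Prem Network CIDR)", the same value as "Remote Subnet (Real) 10.10.0.0/16 (Client-1 Real CIDR)"; choose one on-prem range and use it consistently in the intro and both tables (sharing 10.10.0.0/16 between Client-1 and on-prem still demonstrates the overlap case, but then the intro must say so). The DPD rows "Initial Delay 1 / Retry 1 / Maxfail 1" are what buys the sub-10-second failover; a sentence warning that a single missed DPD reply will tear down the tunnel, so transient packet loss can trigger a failover, would stop readers applying these timers to tunnels that do not need them. "Test site2cloud fast convergence" only says "Bring down IPSec primary tunnel and measure convergence. Done."; state what the reader should expect (failover within the document's 10-second target) and where to observe it, for example the tunnel status on the Site2Cloud setup page used in Step 4. "Detecion time (secs)" should be "Detection time".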
@@ -0,0 +1,538 @@ +======================================= +PSIRT Advisories +======================================= + +Aviatrix Product Security Team continually tests the software product, looking for vulnerabilities and weaknesses. If you have a security issue to report, please open a support ticket at Aviatrix Support Portal at https://support.aviatrix.com. Any such findings are fed back to Aviatrix's development teams and serious issues are described along with protective solutions in the advisories below. + +Please note the below Aviatrix Security recommendations and communication plans: +- Aviatrix strongly recommend customers to stay on the latest release to resolve features and bug issues. All fixes are in the new release; we do not patch older release versions. +- Customers are strongly recommended to perform image migration 2x a year. The migration process provides the latest system level security patch +- All known software vulerabilities are submitted to Mitre for CVE-ID references by Aviatrix Systems +- Avitrix publish Field Notices and send alerts to Controller Admin in the Controller console when security related issues are published + + +Most Recent IR +================ + +19. Aviatrix Controller and Gateways - Unauthorized Access +---------------------------------------- + +**Date** 01/11/2022 + +**Risk Rating** High for Gateways, medium for Controller. + +**Description** On the Aviatrix Controller, a successful attack would allow an unauthenticated remote attacker partial access to configuration information and allow them to disrupt the service. On the gateway, a successful attack would allow an unauthenticated network-adjacent attacker (i.e.: an attacker present on the gateway's VPC) access to its API. + +**Impact** Access to configuration information and disruption of service. + +**Affected Products** Aviatrix Controller and Gateways. + +**Solution** Upgrade your controller and gateway software to: + - 6.4.2995 or later. + - 6.5.2898 or later. 
+ +18. Aviatrix Controller - Remote file execution +---------------------------------------- + +**Date** +10/04/2021 + +**Risk Rating** +Critical + +**Description** +The Aviatrix Controller legacy API had a vulnerability allowing an unauthenticated attacker to upload arbitrary files, including .php scripts, to the filesystem. These uploaded scripts will be processed by the web frontend, allowing an attacker to run code of their choosing. + +**Impact** +Remote file execution + +**Affected Product** +Aviatrix Controller prior to the fixed versions. + +**Solution** +The vulnerability has been fixed in: + + - UserConnect-6.2-1804.2043 or later + - UserConnect-6.3-1804.2490 or later + - UserConnect-6.4-1804.2838 or later + - UserConnect-6.5-1804.1922 or later + + +**CVE-ID** +CVE-2021-40870 + +**Acknowledgement** +Aviatrix would like to thank the team at Tradecraft (https://www.wearetradecraft.com/) for the responsible disclosure of these issues. + +17. OpenVPN - Abitrary File Write +---------------------------------------- + +**Date** +8/10/2020 + +**Risk Rating** +High + +**Description** +The VPN service write logs to a location that is writable + +**Impact** +Unauthorized file permission + +**Affected Product** +Aviatrix OpenVPN R2.8.2 or earlier + +**Solution** +Aviatrix OpenVPN OpenVPN 2.10.8 - May 14 2020 or later + +**CVE-ID** +TBD + +**Acknowledgement** +Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure. + +16. Bypass htaccess security control +---------------------------------------- + +**Date** +8/10/2020 + +**Risk Rating** +Low + +**Description** +The htaccess control to prevent requests to a cert directory can be bypassed to download files. 
+ +**Impact** +Excessive Permission + +**Affected Product** +Controller 5.3.1516 + +**Solution** +Controller R5.4.1290 (8/5/2020) or later + +**CVE-ID** +TBD + +**Acknowledgement** +Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure. + +15. Insecure File Permissions +---------------------------------------- + +**Date** +8/10/2020 + +**Risk Rating** +Medium + +**Description** +Several world writable files and directories were found + +**Impact** +Excessive Permission + +**Affected Product** +Controller 5.3.1516 + +**Solution** +Controller R5.4.1290 (8/5/2020) or later + +**CVE-ID** +TBD + +**Acknowledgement** +Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure. + +14. Bypass Htaccess Security Control +---------------------------------------- + +**Date** +8/10/2020 + +**Risk Rating** +Low + +**Description** +The htaccess control to prevent requests to directories can be bypassed for file downloading. + +**Impact** +Unauthorized file download + +**Affected Product** +Aviatrix Controller 5.3 or earlier + +**Solution** +Controller & Gateway upgrade R5.4.1290 (8/5/2020) or later + +**CVE-ID** +CVE-2020-26549 + +**Acknowledgement** +Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure. + +13. Insecure sudo rule +---------------------------------------- + +**Date** +8/10/2020 + +**Risk Rating** +Medium + +**Description** +A user account has permission to execute all commands access as any user on the system. 
+ +**Impact** +Excessive permission + +**Affected Product** +Aviatrix Controller 5.3 or earlier + +**Solution** +Controller & Gateway upgrade R5.4.1290 (8/5/2020) or later + +**CVE-ID** +CVE-2020-26548 + +**Acknowledgement** +Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure. + +12. Cleartext Ecryption Key Storage +---------------------------------------- + +**Date** +8/10/2020 + +**Risk Rating** +High + +**Description** +Encrypted key values are stored in cleartext in a readable file + +**Impact** +Access to read key in encrypted format + +**Affected Product** +Aviatrix Controller 5.3 or earlier + +**Solution** +Controller & Gateway upgrade R5.3.1151 (6/4/2020) or later +Migration required to the latest AMI Software Version 050120 (Aug 13, 2020) + +**CVE-ID** +CVE-2020-26551 + +**Acknowledgement** +Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure. + +11. Pre-Auth Account Takeover +---------------------------------------- + +**Date** +8/10/2020 + +**Risk Rating** +Critical + +**Description** +An API file does not require a valid session and allows for updates of account email addresses. + +**Impact** +Access to unauthorized files + +**Affected Product** +Aviatrix Controller 5.3 or earlier + +**Solution** +Controller & Gateway upgrade R5.4.1290 (8/5/2020) or later + +**CVE-ID** +CVE-2020-26552 + +**Acknowledgement** +Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure. + + +10. Post-Auth Remote Code Execution +---------------------------------------- + +**Date** +8/10/2020 + +**Risk Rating** +High + +**Description** +Several APIs contain functions that allow arbitrary files to be uploaded to the web tree. 
+ +**Impact** +Access to unauthorized files + +**Affected Product** +Aviatrix Controller 5.3 or earlier + +**Solution** +Controller & Gateway upgrade R6.0.2483 (8/4/2020) or later + +**CVE-ID** +CVE-2020-26553 + +**Acknowledgement** +Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure. + +9. Pre-Auth Remote Code Execution +---------------------------------------- + +**Date** +8/10/2020 + +**Risk Rating** +Critical + +**Description** +An API file does not require a valid session ID and allows arbitrary files to be uploaded to the web tree. + +**Impact** +Access to unauthorized files + +**Affected Product** +Aviatrix Controller 5.3 or earlier + +**Solution** +Controller & Gateway upgrade R6.0.2483 (8/4/2020) or later + +**CVE-ID** +CVE-2020-26553 + +**Acknowledgement** +Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure. + + +8. Insufficiently Protected Credentials +---------------------------------------- + +**Date** +8/10/2020 + +**Risk Rating** +Critical + +**Description** +An encrypted file containing credentials to unrelated systems is protected by a weak key. + +**Impact** +Encryption key may not meet the latest security standard + +**Affected Product** +Aviatrix Controller 5.3 or earlier + +**Solution** +Controller & Gateway upgrade R5.3.1151 (6/4/2020) or later + +**CVE-ID** +CVE-2020-26550 + +**Acknowledgement** +Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure. + + + +7. Observable Response Discrepancy from API +---------------------------------------- + +**Date** +5/19/2020 + +**Risk Rating** +Medium + +**Description** +The Aviatrix Cloud Controller appliance is vulnerable to a user enumeration vulnerability. 
+ +**Impact** +A valid username could be used for brute force attack. + +**Affected Product** +Aviatrix Controller 5.3 or earlier + +**Solution** +Controller & Gateway upgrade 5.4.1204 (5/8/2020) or later + +**CVE-ID** +CVE-2020-13413 + +**Acknowledgement** +Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure. + + +6. OpenVPN Client - Elevation of Privilege +--------------------------------------- + +**Date** +5/19/2020 + +**Risk Rating** +High + +**Description** +The Aviatrix VPN client on Linux, macOS, and Windows is vulnerable to an Elevation of Privilege vulnerability. This vulnerability was previously reported (CVE-2020-7224), and a patch was released however the fix is incomplete. + +**Impact** +This would impact dangerous OpenSSL parameters code execution that are not authorized. +Impacts macOS, Linux and Windows clients. + +**Affected Product** +Client VPN 2.8.2 or earlier +Controller & Gateway 5.2 or earlier + +**Solution** +Client VPN upgrade to 2.10.7 +Controller & Gateway upgrade to 5.3 or later +In Controller, customer must configure OpenVPN minimum client version to 2.10.7 + +**CVE-ID** +CVE-2020-13417 + +**Acknowledgement** +Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure. + + +5. Cross Site Request Forgery (CSRF) +--------------------------------- + +**Date** +5/12/2020 + +**Risk Rating** +Critical + +**Description** +An API call on Aviatrix Controller web interface was found missing session token check to control access. 
+ +**Impact** +Application may be vulnerable to Cross Site Request Forgery (CSRF) + +**Affected Product** +Aviatrix Controller with software release 5.3 or earlier + +**Solution** +Controller & Gateway upgrade 5.4.1204 (5/8/2020) or later + +**CVE-ID** +CVE-2020-13412 + +**Acknowledgement** +Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure. + +4. Hard Coded Credentials +------------------------- + +**Date** +1/16/2020 + +**Risk Rating** +Low + +**Description** +The Aviatrix Cloud Controller contains credentials unused by the software. This is a clean-up effort implemented to improve on operational and security maintenance. + +**Impact** +This would impact operation and maintenance complexity. + +**Affected Product** +Aviatrix Controller 5.3 or lower + +**Solution** +Controller & Gateway upgrade 5.4.1204 (5/8/2020) or later +Recommended: AWS Security Group settings grants only authorized Controller Access in your environment + +**CVE-ID** +CVE-2020-13414 + +**Acknowledgement** +Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure. + +3. CSRF on Password Reset +---------------------- + +**Date** +1/16/2020 + +**Risk Rating** +Medium + +**Description** +Controller Web Interface session token parameter is not required on an API call, which opens the application up to a Cross Site Request Forgery (CSRF) vulnerability. + +**Impact** +Vulnerability could lead to the unintended reset of a user’s password. + +**Affected Product** +Aviatrix Controller 5.3 or lower + +**Solution** +Upgrade 5.4.1066 (must be on version is 5.0 or above) +Make sure your AWS Security Group settings limit authorized Controller Access only + +**CVE-ID** +CVE-2020-13416 + +2. 
XML Signature Wrapping in SAML +------------------------------ + +**Date** +2/26/2020 + +**Risk Rating** +High + +**Description** +An attacker with any signed SAML assertion from the Identity Provider can establish a connection (even if that SAML assertion has expired or is from a user who is not authorized to access Aviatrix).  + +**Impact** +Aviatrix customer using SAML + +**Affected Product** +Aviatrix Controller 5.1 or lower + +**Solution** +Aviatrix Controller 5.2 or later +Plus Security Patch “SAML XML signature wrapping vulnerability” + +**CVE-ID** +CVE-2020-13415 + +**Acknowledgement** +Aviatrix is pleased to thank Ioannis Kakavas from Elastic for reporting this vulnerability under responsible disclosure. + +1. OpenVPN Client Arbitrary File Write +------------------------------------ + +**Date** +1/16/2020 + +**Risk Rating** +High + +**Description** +Aviatrix OpenVPN client through 2.5.7 or older on Linux, MacOS, and Windows is vulnerable when OpenSSL parameters are altered from the issued value set; the parameters could allow unauthorized third-party libraries to load.  + +**Impact** +OpenVPN client on Linux, MacOS, and Windows + +**Affected Product** +OpenVPN Client 2.5.7 + +**Solution** +Upgrade to VPN client v2.6 or later + +**CVE-ID** +CVE-2020-7224 + +**Acknowledgement** +Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure. + + +.. disqus:: diff --git a/HowTos/security_bulletin_faq.rst b/HowTos/security_bulletin_faq.rst new file mode 100644 index 000000000..4917c1500 --- /dev/null +++ b/HowTos/security_bulletin_faq.rst 
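Review bot: in the PSIRT Advisories hunk, advisories 10 (Post-Auth Remote Code Execution) and 9 (Pre-Auth Remote Code Execution) both list `CVE-2020-26553` while every other entry carries a distinct ID; one of the two is almost certainly a copy-paste error, so verify both against the MITRE record before this page becomes the reference customers track. Advisories 15, 16 and 17 still show `CVE-ID TBD` although they are dated 8/10/2020, and advisory 3 is the only entry without an Acknowledgement block. The Impact lines for 9 and 10 ("Access to unauthorized files") understate an RCE, and the Impact lines for 2 ("Aviatrix customer using SAML") and 1 ("OpenVPN client on Linux, MacOS, and Windows") describe scope rather than impact; consider restating them as consequences the way advisories 18 and 19 do. Several RST title underlines are shorter than their titles (for example `3. CSRF on Password Reset` and `19. Aviatrix Controller and Gateways - Unauthorized Access`), which docutils reports as "Title underline too short"; extend each underline to at least the title length. Typos to fix in the same pass: "vulerabilities", "Avitrix publish", "Abitrary File Write", "Cleartext Ecryption Key Storage", the doubled "Aviatrix OpenVPN OpenVPN 2.10.8" in advisory 17, and "strongly recommend customers to stay", which should read "strongly recommends that customers stay".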
@@ -0,0 +1,247 @@ +************* +Security FAQs +************* + +Browse Questions +================= + +`Is customer data contained in the customer's AWS account?`_ + +`Will the controller and gateway need to reach out to Aviatrix to receive commands or send routing data to Aviatrix?`_ + +`Do we need a controller in each cloud environment (i.e., one for AWS, one for Azure, etc.)? If not, how do we do multi-cloud traffic steering?`_ + +`How are Aviatrix instances hardened?`_ + +`Does Aviatrix Controller have a database running?`_ + +`How does a Gateway device communicate/authenticate to the controller?`_ + +`Is Aviatrix SOC2 certified?`_ + +`Is Aviatrix PCI-DSS compliant?`_ + +`Is Aviatrix HIPAA compliant?`_ + +`Is Aviatrix FedRamp compliant?`_ + +`Is Aviatrix software in compliance with Section 508, IT Accessibility Standards?`_ + +`Is Aviatrix FIPS 140-2 certified?`_ + +`Can Aviatrix software support GovCloud implementation?`_ + +`Do Aviatrix Controller and Gateway instances support running an anti-malware agent?`_ + +`Is it possible to do OS disk encryption on Aviatrix Gateway instances without taking the Gateway down?`_ + +`Can a customer create their own custom hardened image for the Aviatrix Controller or Gateway instances?`_ + +`Can we install tools on the Aviatrix Gateway instances for monitoring network traffic and resource consumption?`_ + +`Can we patch the Aviatrix Controller and Gateway instances using our Systems Manager agent?`_ + +`Does Aviatrix implement Secure Coding and Development practices to ensure that the software is not vulnerable to DDoS, SQL Injection and/or Cross Site Scripting Attacks?`_ + +`Does Aviatrix software support IKEv2?`_ + +`Does Aviatrix software support role-based access control (RBAC)?`_ + +`What IAM policy is required to use Aviatrix?`_ + +`Can I use a custom SSL Certificate for the Controller and Gateway instances?`_ + +`How is data encrypted during transmission from source Controller to destination Gateway?`_ + +Is 
customer data contained in the customer's AWS account? +--------------------------------------------------------- + +Yes, all Aviatrix AMI is deployed in the customer’s private cloud environment. + +Will the controller and gateway need to reach out to Aviatrix to receive commands or send routing data to Aviatrix? +--------------------------------------------------------------------------------------------------------------------------------------- + +No, customers' configuration data is never accessed by Aviatrix. The only time Aviatrix receives information from a customer is:  + + * When a customer pushes log data to our encrypted customer S3 bucket for technical support. + + * For customers using a BYOL license, the license activity (acquisition and retiring a license) is validated to the Aviatrix license server.  + +Do we need a controller in each cloud environment (i.e., one for AWS, one for Azure, etc.)? If not, how do we do multi-cloud traffic steering?   +--------------------------------------------------------------------------------------------------------------------------------------- + +No, you don’t. One Aviatrix Controller manages cloud deployment in AWS, Azure, GCP, and OCI. Aviatrix Controller launches Gateways in each cloud and orchestrates policies to build network segmentation and secure connectivity. + +How are Aviatrix instances hardened? +------------------------------------ + +The Aviatrix Controller and Gateway instances are virtual machines using Ubuntu OS which is maintained specifically for Aviatrix for infrastructure services. All OS patches go through our full QA process and are managed in the releases of the Aviatrix software. + + * Users cannot login to Aviatrix Controller or Gateway instances, as SSH access is disabled. + + * Both Controller and Gateway instances have hard disk encryption, using AWS Elastic Block Storage (EBS) encryption. 
For more information, see AWS' documentation: https://docs.aviatrix.com/HowTos/FAQ.html#encrypt-controller-ebs-volume and https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html. + + * Aviatrix Gateway instances' inbound security group only opens to the Controller EIP on port 443. See additional detail here `How do I secure the Controller access? `_ + + +Does Aviatrix Controller have a database running? +------------------------------------------------- + +Controller instances have a local MongoDB database installed, however this is not acccessible to end users. + +How does a Gateway device communicate/authenticate to the controller?  +------------------------------------------------------------------------------------------------------------------------------------------------------------------- + +Controllers send messages to your SQS or via HTTPS to the Gateway. Gateways pull messages from SQS.   + +Is Aviatrix SOC2 certified? +--------------------------- + +Yes, Aviatrix is SOC2 Type 1 and Type 2 certified. + +Is Aviatrix PCI-DSS compliant?  +------------------------------ + +Aviatrix is not in-scope for PCI-DSS compliance. We do not process credit card information, nor do we have access to the customer’s data. Aviatrix software is deployed in the customer’s private network. + +Is Aviatrix HIPAA compliant? +------------------------------ + +Aviatrix is not in-scope for HIPAA compliance. We do not process PHI/ePHI nor do we have access to the customer’s data. Aviatrix software is deployed in the customer’s private network. Internally, the company hires Third Party Administrator (TPA) for HR benefit services. We collect the business associate agreement for TPAs.   + +Is Aviatrix FedRamp compliant? +------------------------------ + +Aviatrix is not in-scope for FedRamp compliance because it is not a SaaS product and Aviatrix software is installed in the federal network. 
However, Aviatrix is currently certified for SOC2 and we are also working on additional readiness for other frameworks such as NIST 800-171, ISO 27002, HIPAA and PCI. + +Is Aviatrix software in compliance with Section 508, IT Accessibility Standards? +------------------------------------------------------------------------------- + +Aviatrix covers Level A ready under the VPAT (Voluntary Product Accessibility Template) standards.   + +Is Aviatrix FIPS 140-2 certified?  +--------------------------------- + +Yes. https://docs.aviatrix.com/HowTos/fips140-2.html  + +Can Aviatrix software support GovCloud implementation?   +------------------------------------------------------ + +Yes. We support AWS GovCloud infrastructure.    + +Do Aviatrix Controller and Gateway instances support running an anti-malware agent? +-------------------------------------------------------------------------------------- + +Because Aviatrix is an appliance, we do not allow customer SSH access to install anti-malware software on the instances. + +Is it possible to do OS disk encryption on Aviatrix Gateway instances without taking the Gateway down?  +------------------------------------------------------------------------------------------------------- + +No, customers are not allowed to add additional software code in Aviatrix Gateway instance. The instance is implemented with hard disk encryption using Elastic Block Store (EBS) encryption. Below are additional details for this technology.  + + * https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html   + + * https://docs.aviatrix.com/HowTos/encrypt_ebs_volume.html  + + * https://docs.aviatrix.com/HowTos/encrypt_ebs_volume.html#how-to-encrypt-gateway-ebs-volume-via-aviatrix-controller  + +Can a customer create their own custom hardened image for the Aviatrix Controller or Gateway instances? +----------------------------------------------------------------------------------------------------- + +No. 
Because Aviatrix is an appliance, the instances are not accessible to install custom software. + +Can we install tools on the Aviatrix Gateway instances for monitoring network traffic and resource consumption?  +---------------------------------------------------------------------------------------------------------------------- + +No, however, we support integrations to top SIEM platforms for your internal Threat/SOC operations. We currently support the following: + + * Remote syslog (recommended to use)  + + * AWS CloudWatch  + + * Splunk Enterprise  + + * Datadog  + + * Elastic Filebeat  + + * Sumo Logic  + + * Netflow  + +See the Logging documentation for details on how to configure this: https://docs.aviatrix.com/HowTos/AviatrixLogging.html  + +Can we patch the Aviatrix Controller and Gateway instances using our Systems Manager agent? +--------------------------------------------------------------------------------- + +No, our instances are appliances and customer SSH access is disabled. To patch Aviatrix Controller and Gateway instances, customers need to log into their Controller management console and update to the latest Aviatrix version.  + +Does Aviatrix implement Secure Coding and Development practices to ensure that the software is not vulnerable to DDoS, SQL Injection and/or Cross Site Scripting Attacks? +----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + +Aviatrix security measures for SDLC include access, change, vulnerability, threat intelligence and risk management safeguards. To ensure we protect our software code from known attacks like CSS, SQL Injection, and DDOS, we run vulnerability scans prior to each release to detect and mitigate any possible attacks. 
We also work closely with security researchers to detect zero day threats and we work with Coalfire to anually perform source code review and independent penetration testing. + +Does Aviatrix software support IKEv2? +-------------------------------------- + +IKEv2 is currenty supported for site2cloud tunnels. IKEv2 for Transit is in our roadmap.  + +Does Aviatrix software support role-based access control (RBAC)? +---------------------------------------------------------------- + +Yes, RBAC in Aviatrix Controller is available in version 5.4 or greater. The default roles available out of the box are admin and read_only. Customers can add custom RBAC permission groups in the Aviatrix Controller, and assign users to an RBAC Group. See detail here: https://docs.aviatrix.com/HowTos/rbac_faq.html + +|security_rbac_1| + +|security_rbac_2| + +What IAM policy is required to use Aviatrix? +-------------------------------------------- + +Since Aviatrix is an appliance deployed in your AWS account, you will create your AWS IAM Policy. When you launch Aviatrix, some services will deploy an IAM Policy to operate, however, it is the customer’s responsibility to edit the policy to your internal policy. When you edit the policy, we recommend you perform internal testing. + +The default IAM Policies used for Aviatrix are documented here: https://docs.aviatrix.com/HowTos/customize_aws_iam_policy.html?highlight=iam%20policy#iam-policies-required-for-aviatrix-use-cases + +See a sample of how to edit your IAM Policy for Aviatrix: https://docs.aviatrix.com/HowTos/customize_aws_iam_policy.html + +Can I use a custom SSL Certificate for the Controller and Gateway instances? +---------------------------------------------------------------------------- + +Yes, you can. To implement the SSL Certificate for your controller, go to Setting > Advanced > Security sub tab. 
Note that SSL verification check is not enabled by default and should be enabled by a customer + +|security_bulletin_faq_certificate| + +How is data encrypted during transmission from source Controller to destination Gateway? +-------------------------------------------------------------------------------------------- + +By default, data transfer is over a TCP connection with TLSv1.2 for encryption. Customers have the option to downgrade the TLS Version used due to internal dependency conflicts. You can configure this in Aviatrix Controller by clicking on Settings > Advanced > Security. + +How does Aviatrix encrypt data in transit? +-------------------------------------------------------------------------------------------- +Aviatrix 6.5 and above, Aviatrix implements a secured framework based on PKI/X.509 protocol to communicate between Controller and Gateway. + +How does Aviatrix handle security patch? +-------------------------------------------------------------------------------------------- +A security patch resolves software vulnerabilities and will be applied to the compatible software versions as stated in the release notes. When a patch is released, there will be a field notice to Aviatrix Controller via email. + +How do I stay up to date with the latest security vulnerabilities? +-------------------------------------------------------------------------------------------- +We recommend customers to deploy the latest image, upgrading to the latest software version, and staying on top of any security patch released. Guaranteeing security against vulnerabilities is a sustained effort and it is Aviatrix's policy to address them continuously. + +Does Aviatrix have a ISO 27002 Certification? +-------------------------------------------------------------------------------------------- +We currently don't but this is on the roadmap for 4Q2021. + + + +|security_bulletin_faq_encrypted_transmission| + +.. 
|security_rbac_1| image:: security_bulletin_media/security_bulletin_faq_rbac_1.png + +.. |security_rbac_2| image:: security_bulletin_media/security_bulletin_faq_rbac_2.png + +.. |security_bulletin_faq_certificate| image:: security_bulletin_media/security_bulletin_faq_certificate.png + +.. |security_bulletin_faq_encrypted_transmission| image:: security_bulletin_media/security_bulletin_faq_encrypted_transmission.png + +.. disqus:: diff --git a/HowTos/security_bulletin_media/security_bulletin_faq_certificate.png b/HowTos/security_bulletin_media/security_bulletin_faq_certificate.png new file mode 100644 index 000000000..daf560a48 Binary files /dev/null and b/HowTos/security_bulletin_media/security_bulletin_faq_certificate.png differ diff --git a/HowTos/security_bulletin_media/security_bulletin_faq_encrypted_transmission.png b/HowTos/security_bulletin_media/security_bulletin_faq_encrypted_transmission.png new file mode 100644 index 000000000..4582223ee Binary files /dev/null and b/HowTos/security_bulletin_media/security_bulletin_faq_encrypted_transmission.png differ diff --git a/HowTos/security_bulletin_media/security_bulletin_faq_rbac_1.png b/HowTos/security_bulletin_media/security_bulletin_faq_rbac_1.png new file mode 100644 index 000000000..2a12ec323 Binary files /dev/null and b/HowTos/security_bulletin_media/security_bulletin_faq_rbac_1.png differ diff --git a/HowTos/security_bulletin_media/security_bulletin_faq_rbac_2.png b/HowTos/security_bulletin_media/security_bulletin_faq_rbac_2.png new file mode 100644 index 000000000..146d65330 Binary files /dev/null and b/HowTos/security_bulletin_media/security_bulletin_faq_rbac_2.png differ diff --git a/HowTos/selective_upgrade.rst b/HowTos/selective_upgrade.rst new file mode 100644 index 000000000..a0e7d11ed --- /dev/null +++ b/HowTos/selective_upgrade.rst 
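Review bot: in the Security FAQs hunk, the reference `How do I secure the Controller access? `_ under "How are Aviatrix instances hardened?" has no URL inside the backticks, so docutils raises "Unknown target name" (an error, which fails a `-W` Sphinx build); supply the target for it. Under the Secure Coding question, "known attacks like CSS, SQL Injection, and DDOS" should read XSS, since the question is about Cross Site Scripting and CSS is stylesheets. The four questions appended at the end (encryption of data in transit, security patch handling, staying up to date on vulnerabilities, ISO 27002) are missing from the Browse Questions index, and the `|security_bulletin_faq_encrypted_transmission|` image lands after the ISO 27002 answer instead of under "How is data encrypted during transmission", which it illustrates. The EBS sentence introduces two links as "AWS' documentation" but the first (the docs.aviatrix.com FAQ anchor) is Aviatrix's own page. Because the custom SSL answer states that SSL verification is not enabled by default, the answer should also say where that check is turned on, and the TLS answer should name the lowest version the downgrade option permits so readers can judge the transport-security trade-off before using it. Minor typos: "acccessible", "anually", "currenty", "a ISO 27002".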
@@ -0,0 +1,352 @@ +.. meta:: + :description: software upgrade of controller and gateways + :keywords: hitless upgrade, selective upgrade, upgrade gateway software, no packet loss upgrade + +============================================= +Upgrading the Aviatrix Cloud Network Platform +============================================= + +If you are upgrading from release 6.5.x or later, follow the guidelines and procedures in this section. If you are upgrading from release 6.4.x or earlier, follow the guidelines and procedures in `Inline Software Upgrade for 6.4 and Earlier Releases `_. + +Aviatrix encourages you to keep your platform controller and gateways up to date to ensure you are operating the most secure and highest performing versions available. To facilitate less disruptive upgrades and reduce maintenance windows Aviatrix provides a rolling selective upgrade process. You can choose to upgrade all Aviatrix gateways in all regions simultaneously or select specific gateways and regions to upgrade in logical groups conforming to your network update policies and maintenance windows. + +Perform all preparatory tasks and verify all prerequisites are satisfied before performing Aviatrix upgrades. For more information, see Preparing to Upgrade the Aviatrix Network Platform. + +You can perform the following operations: + +* Performing a Platform Software Upgrade Dry Run +* Performing a Gateway Software Upgrade Dry Run +* Upgrading the Platform Software +* Upgrading the Gateway Software +* Rolling Back the Gateway Software +* Upgrading the Gateway Image + +Incremental upgrades are only available in Aviatrix 6.5 and later releases. If you are upgrading from a release prior to 6.5, the system automatically upgrades all gateways in the Aviatrix network. For more information, see `Upgrading from 6.4.x and Earlier Releases `_. 
+ +Understanding Aviatrix Upgrades +------------------------------- + +There are two types of upgrades for the Aviatrix Platform and gateways: + +* **Software Upgrade** Platform and gateway software upgrades replace the relevant Aviatrix controller and gateway packages, configuration files, and binaries without disrupting network traffic or replacing the gateways. All software upgrades are hitless. +* **Image Upgrade** Gateway image upgrades replace the current gateways. Traffic throughput is briefly disrupted during image upgrades. + +There are two types of patch updates: + +* **Security Patches** Security patches are released when security updates to underlying software components become available. Most security patches are hitless. Review the release notes for the patch to discover if the upgrade is hitless or disruptive. +* **Software Patches** Software patches are released to address compatibility issues when they arise. You should apply the patches to the Aviatrix system when they become available if you are using any applications or configurations affected by the patch. Most software patches are hitless. Review the release notes for the patch to discover if the upgrade is hitless or disruptive. + +Understanding Release Numbers +----------------------------- + +Aviatrix release numbers follow the Major.Minor.Build format. For example, the release number 6.5.100 indicates: + +* 6 is the major release number. +* 5 is the minor release number. +* 100 is the build number. + +Each release type has different functionality parameters. + +* **Major** Includes new features and updates that affect the platform infrastructure and user interfaces. +* **Minor** Includes modified and new small features and updates that may affect the platform infrastructure and user interfaces. +* **Build** Corrected issues and feature enhancements. 
+ +Valid Upgrade Paths +------------------- + +When you initiate an upgrade Aviatrix automatically presents the most recently published build for the selected major or minor release version. You cannot select the build number for any upgrades. For example, if you are upgrading from 6.5.x to 6.6.x you automatically receive the latest build of version 6.6. + +**Upgrading Build Version Paths** + +When you upgrade from one build version of a minor release to another build of the same minor release, the available version may skip over previously released build numbers. For example, you could upgrade from 6.6.100 to the latest build 6.6.900 and the system skips any intermediate builds. +Valid upgrade path to a new build. + +|upgrade.build.release| + +**Upgrading Minor Release Version Paths** + +When you upgrade from one minor version of a major release to another minor version of the same major release, you cannot skip over minor release versions. You must upgrade each minor release sequentially. For example, if you are upgrading from 6.5.current to 6.8.latest you must first upgrade to the intermediate releases 6.6.latest and 6.7.latest. +Valid upgrade paths to a new minor release. The current build is the build you are currently running. The latest build is latest available build available on the Aviatrix server. + +|upgrade.minor.release| + +**Upgrading Major Release Version Paths** + +When you upgrade from one major release to another major release, you cannot skip over major release versions. You must upgrade each major release sequentially. For example, if you are upgrading from 6.current to 8.latest you must first upgrade to the intermediate release 7.latest. +Valid upgrade path to a new major release. The current build is the build you are currently running. The latest build available on the Aviatrix server. 
+ +|upgrade.major.release| + +Rules for Upgrading the Platform and Gateways +--------------------------------------------- + +In addition to satisfying the requirements and following recommendations in the Operations Checklist, you must follow these rules when you are upgrading your Aviatrix Platform. + +* Upgrade the platform controller before upgrading the individual gateways. Platform controller versions cannot be behind gateway versions. +* All gateways must be running the same version as the platform controller before you can upgrade the platform controller. +* Follow the valid upgrade paths. + +The following example demonstrates a selective upgrade from build 6.5.250 to 6.5.750. + +#. The Aviatrix Platform Controller and all gateways are running 6.5.250. +#. The Aviatrix Platform Controller is upgraded to 6.5.750. +#. Some gateways are upgraded to 6.5.750, some gateways continue to run 6.5.250. + +|upgrade.mixed.versions| + +4. Operations are normal and no conflicts are detected. +5. Gateways still running 6.5.250 are then upgraded to 6.5.750 and all gateways and the platform controller are running the same version. + +The following example demonstrates an attempted upgrade from 6.5.250 to 6.6.100. + +#. Aviatrix Platform Controller and all gateways are running 6.5.250. +#. The Aviatrix Platform Controller is upgraded to 6.5.750. +#. Some gateways are upgraded to 6.5.750, some gateways continue to run 6.5.250. +#. You attempt to upgrade the Aviatrix Platform Controller from 6.5.750 to 6.6.100 without first upgrading the remaining 6.5.250 gateways to 6.5.750. +#. The upgrade criteria are not satisfied, and the operation fails because all gateways connected to the platform controller are not upgraded to the same version as the platform controller. All gateways must be running the same version as the platform controller before you can upgrade the platform controller. 
+ +|upgrade.mixed.versions.fail| + +**Note:** The ability to run different gateway software versions facilitates rolling upgrades and software rollback functions. Running different software versions in your network is not a valid operational design implementation. + +Rolling Back Gateway Software +----------------------------- + +You can roll back gateway software upgrades to the previous version, you cannot roll back platform controller upgrades. Gateway software rollbacks are briefly disruptive because the gateway is replaced. The gateway image version may also change during the software rollback. If the gateway to be rolled back is running the same image version before and after upgrading, when you roll back to the older software version the system creates a new gateway with the same image and the older software version. + + +Upgrading OpenVPN Users +----------------------- + +Most upgrades do not impact connected OpenVPN users. In some cases, OpenVPN service needs to be restarted as part of software upgrade. For example, upgrading to a new SSL version for security patch. In these cases, connected OpenVPN users are disconnected and need to reconnect after the upgrade. If a release requires stopping and restarting the service, the information is included in the release notes. + +Rollbacks do disrupt services. If there is only one OpenVPN gateway in service, all user connections are lost and users cannot reconnect until the gateway is available. If there are other OpenVPN gateways available, the disconnected users can attempt to log in again and land on the available gateways. + +Upgrading HA Gateways in an Active Mesh Topology +------------------------------------------------ + + +Gateway traffic is briefly affected and there is a drop in throughput when you perform a gateway image upgrade, and when a gateway software upgrade is rolled back. 
If Aviatrix ActiveMesh mode is enabled and only one gateway in an ActiveMesh pair is selected for upgrade, the system gracefully drains the traffic away from one of the gateways so it can be replaced. If both gateways in an ActiveMesh pair are selected, the gateways are replaced simultaneously without any additional safeguards. + +* If the gateway has BPG peers, the BGP process is shut down and the protocol reconverges to elect alternatives routes. +* The tunnel interfaces are shut down. The controller recalculates alternatives routes and distributes them to the gateways within the Aviatrix network. +* If the selected gateway is a spoke, the controller modifies the underlay cloud routing table of the selected gateway that was acting as the next hop for the default route or RFC1918 routes. The HA peer is selected as the next hop. + +|upgrade.gateway.reroute| + +Preparing to Upgrade the Aviatrix Network Platform +-------------------------------------------------- + +Aviatrix recommends you perform the tasks in the Operations Checklist before upgrading your deployment of the Aviatrix network platform. Taking the time perform dry runs and backing up your Aviatrix Platform configuration reduces the potential for issues during the upgrade and allows you to easily restore your configuration if there are issues after the upgrade. Correct any issues you find during your preparation before proceeding with an Aviatrix upgrade. + +**Upgrade Operations Checklist** +-------------------------------- + +Understanding the Release Contents +---------------------------------- + +To understand the contents and potential impact of upgrading to specific software release, see https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html. + +To understand the contents and potential impact of upgrading to specific image release, see https://docs.aviatrix.com/HowTos/image_release_notes.html. 
+ +**Verify DNS Settings** + +The Aviatrix Controller must have a reliable DNS resolution service available. Aviatrix recommends using the default 8.8.8.8 for the DNS IP address. Using the default address is not required, but your network must be able to resolve public names and have uninterrupted access to the DNS name resolver. + +**AWS and Azure DNS Settings** + +If the controller is running on AWS or Azure, you can go to the controller Settings for the DNS and Disable the VPC or VNET DNS Server to force the controller to use 8.8.8.8. + +Verify Public Internet Access +----------------------------- + +Verify access to the public internet from the Aviatrix Controller. The controller must be open for inbound traffic on port 443 and outbound traffic on port 22. Aviatrix recommends you enable security groups to restrict access. Go to the Network tab on the Diagnostics page under Troubleshooting and perform the following tasks. + +* Ping a widely known public hostname or IP address with the Controller Utility. +* Ping www.security.aviatrix.com form port 443 with the Network Connectivity Utility. +* Ping www.github.com from port 443 with the Network Connectivity Utility. +* Ping www.github.com from port 22 with the Network Connectivity Utility. + +Verify Account Permissions and Access +------------------------------------- + +Go to the Accounts page and perform the following tasks. + +* Go to the Accounts Audit tab under Accounts and perform an Account Audit. Correct any reported issues. +* Verify all accounts can access all connected cloud resources. +* Verify the Aviatrix primary access account is available and that the account credentials are valid. +* The IAM policies must be configured as recommended by Aviatrix. For more information, see Controller Instance Requirements. +* If you are migrating your Aviatrix Platform Controller to a new image, verify the new image has all required accounts and permissions before migrating the controller. 
If you are restoring an image from a backup, the required accounts and permissions should all be available. Migration operations fail if there is not at least one Aviatrix backup file available. + +Verify Controller and Gateway Status +------------------------------------ + +Go to the Controller Dashboard and check the status of the Aviatrix Platform Controller and gateways. + +* Verify all gateways are up and the status is green. +* Verify all tunnels are up and the status is green. + +AWS Specific Upgrade Checklist +------------------------------ + +**Verify Controller HA Version** + +You should be running the latest version of the Controller HA application before upgrading. If there is a newer version of Controller HA available, you should upgrade by disabling and reenabling the Controller HA feature. For more information, see https://docs.aviatrix.com/HowTos/controller_ha.html . + +**Verify Controller HA is Enabled** + +If you use Controller HA do not disable your HA configuration before upgrading the platform controller or gateways. If you do disable Controller HA before upgrading, the system deploys a new controller and restores the most recent backup. + +**Settings for t2 and t3 Instances** + +If your Aviatrix Controller is in AWS and running on a t2 or t3 instance type and you are planning a platform image upgrade, you must set the T2/T3 Unlimited attribute to enabled. For more information, see https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/burstable-performance-instances-unlimited-mode-concepts.html. + +Back Up the Controller Configuration +------------------------------------ + +Always backup your Aviatrix platform configuration before performing an upgrade. For more information, see Controller Backup and Restore. Aviatrix recommends you clean up the bucket or folder where you store your controller backup configuration files. Only keep the 3 most recent configuration files and archive or delete the rest. 
+ +Perform a Dry Run Upgrade +------------------------- + +Aviatrix recommends you perform a dry run upgrade on the platform controller and gateways before you execute the upgrade. A dry run is a sanity and health check that verifies there are no potential upgrade restrictions or conflicts before upgrading the software on the platform controller and selected gateways. Network issues, version conflicts, and other upgrade blocker issues are reported. Review the dry run upgrade results and correct any issues before proceeding with the upgrade. + +Upgrade Parameter Definitions +----------------------------- + +**Platform Upgrade Window Parameter Definitions** + +- **Previous Version** Previous version of the controller. +- **Current Version** Current version of the controller. +- **Kernel Version** Version of the controller's Linux kernel. +- **Release Versions** The upgrade path between the currently running version of the controller and the latest release available on the Aviatrix release server. For example, if you are running Aviatrix Platform 6.4.321 and the latest release available on the release server is 6.6.123 the Release Version field displays: UserConnect-6.6.123 (6.5,6.6). This indicates you must successively upgrade to 6.5 then upgrade to 6.6 to bring the platform up to the latest available version. +- **Target Release Version** New version of the Aviatrix Platform to which you are upgrading. If you do not specify a release number, the system automatically selects the latest build of the major and minor release currently running on the platform controller. The version cannot be a version earlier than the release currently running on the platform controller. + + +**Selective Gateway Upgrade Window Parameter Definitions** + +- **Current Version** Current software version running on the gateway. +- **Previous Version** If the gateway has never been upgraded there is no version number. 
If the gateway has been upgraded at least once, this is the software version the gateway ran before the last upgrade. +- **Target Version** Software version to which the gateway can be upgraded. It is the same version as the current version of the platform controller. +- **Previous Image Version** If the gateway OS has never been upgraded there is no version number. If the gateway OS has been upgraded at least once, this is the image version the gateway ran before the last upgrade. +- **Current Image Version** Current version of the gateway underlying OS. +- **Target Image Version** Every gateway software version matches a unique recommended OS version that may change over time. This version is determined by a compatibility matrix. This field displays the OS version that will be used in case of an OS upgrade. +- **Kernel Version** Version of the gateway OS kernel. +- **Rollback Version** Software version to which the gateway can be rolled back. It is the same version as the previous version of the platform controller. +- **Rollback Image Version** OS version that will be used in case of a gateway software rollback. Depending on the system compatibility matrix, this version can be higher, lower, or the same OS version currently running on the gateway. +- **Account** Account attached to the gateway. +- **Cloud** Cloud provider hosting the gateway. +- **Region** Cloud region where the gateway is deployed. +- **Gateway Type** Gateway persona: transit, spoke, or standalone. +- **Gateway Role** Primary or secondary. + +Performing a Platform Software Upgrade Dry Run +---------------------------------------------- + +To perform a platform software upgrade dry run: + +#. Click on Settings in the Aviatrix Controller main menu and select Maintenance. +#. Optional. In the Platform Upgrade window, enter the target major and minor release number in the Release Version field. For example, 6.5. 
If you do not specify a release number, the system automatically selects the latest build of the major and minor release currently running on the platform controller. +#. Click on Dry Run. +#. After the progress meter closes, review the information in the Upgrade Result window. + +* If there are no errors, you can continue with the upgrade process. +* If there are errors, you must resolve them before continuing with the upgrade. + +#. Close the Upgrade Result window. + + +Performing a Gateway Software Upgrade Dry Run +---------------------------------------------- + +To perform a gateway software upgrade dry run: + +#. Click on Settings in the Aviatrix Controller main menu and select Maintenance. Gateways can only be upgraded to the latest version of the platform controller software. The system automatically selects the platform controller current software version and the compatible gateway image version for that software version. +#. In the Selective Gateway Upgrade window, click on Dry Run. +#. After the progress meter closes, review the information in the Upgrade Result window. +#. If there are no errors, you can continue with the upgrade process. +#. If there are errors, you must resolve them before continuing with the upgrade. +#. Close the Upgrade Result window. + + +Upgrading the Platform Software +------------------------------- + +To perform a platform software upgrade: + +#. Click on Settings in the Aviatrix Controller main menu and select Maintenance. +#. Optional. In the Platform Upgrade window, enter the target major and minor release number in the Release Version field. For example, 6.5. If you do not specify a release number, the system automatically selects the latest build of the major and minor release currently running on the platform controller. +#. In the Platform Upgrade window, click on Platform Upgrade. You can follow the status in the progress window. You are logged out of the controller after the upgrade. +#. 
After the upgrade, log in to the controller. +#. Verify the upgrade by reviewing the Current Version in the Platform Upgrade window. + + +Upgrading the Gateway Software +------------------------------ + +To perform a gateway software upgrade: + +#. Click on Settings in the Aviatrix Controller main menu and select Maintenance. +#. In the Selective Gateway Upgrade window, select the gateways to be upgraded. The system automatically selects the platform controller current version for you. +#. Click on Software Upgrade. You can follow the status in the progress window. +#. Verify the gateway upgrade by reviewing the gateway information in the Current Version column. + + +Rolling Back the Gateway Software +--------------------------------- + +Gateway software rollbacks are briefly disruptive. You can only roll back the gateway software to the previous platform controller version running on the gateway. To perform a gateway software rollback: + +#. Click on Settings in the Aviatrix Controller main menu and select Maintenance. +#. In the Selective Gateway Upgrade window, select the gateways to be rolled back. The system automatically selects the platform controller previous version for the rollback target. +#. Click on Software Rollback. You can follow the status in the progress window. +#. Verify the gateway software rollback by reviewing the gateway information in the Current Version column. + + +Upgrading the Gateway Image +--------------------------- + +Traffic is briefly disrupted during the image upgrade in cluster configurations. + +**Note:** If ActiveMesh mode is not enabled or you are or running ActiveMesh 1.0, please open an Aviatrix Support ticket before attempting an upgrade. + +To perform a gateway image upgrade: + +#. Click on Settings in the Aviatrix Controller main menu and select Maintenance. +#. In the Selective Gateway Upgrade window, select the gateways to be upgraded. 
The system automatically selects the platform controller current software version and the compatible gateway image version for that software version. +#. Click on Image Upgrade. You can follow the status in the progress window. +#. Verify the gateway upgrade by reviewing the gateway information in the Current Image Version column. + + +Troubleshooting +--------------- + +In rare cases where the controller and a group of gateways are selected for upgrade and a fatal bug is discovered in the new software, a situation where the controller and gateways are stuck running different versions could develop. If this condition occurs assistance from Aviatrix Support is required. +For example: + +* A controller and gateways are running version 6.5.200. +* You upgrade the controller and a subset of gateways to 6.5.300. +* You rollback the gateways to 6.5.200 because of a bug in the 6.5.300 software. +* Now the controller is running 6.5.300 and all gateways are running 6.5.200, and the gateways cannot be upgraded to 6.5.300 because of the bug. +* The bug is resolved in controller version 6.5.400, so you want to upgrade to 6.5.400 to resolve the issue. However, this is not supported because the controller and gateways must be running the same software version before the controller can be upgraded. +* In this corner case, you must contact Aviatrix Support to upgrade the controller to the newer ver-sion. Support will diagnose the issue and provide the API operation required to perform the con-troller upgrade. + + + + + + +.. |upgrade.build.release| image:: selective_upgrade_media/upgrade.build.release.png + :scale: 100% +.. |upgrade.minor.release| image:: selective_upgrade_media/upgrade.minor.release.png + :scale: 100% +.. |upgrade.major.release| image:: selective_upgrade_media/upgrade.major.release.png + :scale: 100% +.. |upgrade.mixed.versions| image:: selective_upgrade_media/upgrade.mixed.versions.png + :scale: 75% +.. 
|upgrade.mixed.versions.fail| image:: selective_upgrade_media/upgrade.mixed.versions.fail.png + :scale: 75% +.. |upgrade.gateway.reroute| image:: selective_upgrade_media/upgrade.gateway.reroute.png + :scale: 100% + + diff --git a/HowTos/selective_upgrade_media/upgrade.build.release.png b/HowTos/selective_upgrade_media/upgrade.build.release.png new file mode 100644 index 000000000..fb42a9d69 Binary files /dev/null and b/HowTos/selective_upgrade_media/upgrade.build.release.png differ diff --git a/HowTos/selective_upgrade_media/upgrade.gateway.reroute.png b/HowTos/selective_upgrade_media/upgrade.gateway.reroute.png new file mode 100644 index 000000000..9d80b8369 Binary files /dev/null and b/HowTos/selective_upgrade_media/upgrade.gateway.reroute.png differ diff --git a/HowTos/selective_upgrade_media/upgrade.major.release.png b/HowTos/selective_upgrade_media/upgrade.major.release.png new file mode 100644 index 000000000..cb83e9a7d Binary files /dev/null and b/HowTos/selective_upgrade_media/upgrade.major.release.png differ diff --git a/HowTos/selective_upgrade_media/upgrade.minor.release.png b/HowTos/selective_upgrade_media/upgrade.minor.release.png new file mode 100644 index 000000000..e93b68129 Binary files /dev/null and b/HowTos/selective_upgrade_media/upgrade.minor.release.png differ diff --git a/HowTos/selective_upgrade_media/upgrade.mixed.versions.fail.png b/HowTos/selective_upgrade_media/upgrade.mixed.versions.fail.png new file mode 100644 index 000000000..9f762352b Binary files /dev/null and b/HowTos/selective_upgrade_media/upgrade.mixed.versions.fail.png differ diff --git a/HowTos/selective_upgrade_media/upgrade.mixed.versions.png b/HowTos/selective_upgrade_media/upgrade.mixed.versions.png new file mode 100644 index 000000000..cccc95d26 Binary files /dev/null and b/HowTos/selective_upgrade_media/upgrade.mixed.versions.png differ diff --git a/HowTos/setting_security_patches.rst b/HowTos/setting_security_patches.rst new file mode 100644 index 000000000..eb1add257 
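Review bot: the "Verify Public Internet Access" section says the controller "must be open for inbound traffic on port 443" and then only generally recommends security groups; say explicitly that inbound 443 should be limited to administrator source addresses and that outbound 22 and 443 are what the github.com and security.aviatrix.com checks listed right after it need, so "open" is not read as 0.0.0.0/0. Typos and fragments in the same hunk: "BPG peers" should be "BGP peers" and "alternatives routes" should be "alternative routes" (twice) in the ActiveMesh section; "Ping www.security.aviatrix.com form port 443" should be "from port 443"; "The latest build available on the Aviatrix server." under Upgrading Major Release Version Paths is a fragment and should read "The latest build is the latest build available on the Aviatrix server." as in the minor-release paragraph; "Taking the time perform dry runs" should be "Taking the time to perform dry runs"; "you are or running ActiveMesh 1.0" should be "you are running ActiveMesh 1.0"; "ver-sion" and "con-troller" in the last Troubleshooting bullet carry soft hyphens from the source document. Structurally, "**Upgrade Operations Checklist**" is bold text sitting on a section underline, which Sphinx renders as a heading containing literal asterisks; drop either the bold markup or the underline. In the first mixed-version example the list continues with explicit "4." and "5." after "#." auto-numbered items around the |upgrade.mixed.versions| image, which docutils treats as a separate list; use "#." throughout or number all items explicitly.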
--- /dev/null +++ b/HowTos/setting_security_patches.rst 
@@ -0,0 +1,50 @@ +.. meta:: + :description: Documentation for Controller and Gateway Security Patches + :keywords: security patches, patches + +################################### +Security Patches +################################### + +The following security patches are recently released by Aviatrix. + +================================================================= ==================== ======================================================= +**Patch Name** **Version** **Description** +================================================================= ==================== ======================================================= +Increase File Descriptor limit 5.4 or earlier This patch will fix the VPN connection issue. + Before this patch openVPN do not have + permission to open more than 1024 connections + socket and it hangs if more than 1024 sockets are open. + + This patch is only applicable to Gateways, and not required after UserConnect-4.3. +Enable support for FIPS 140-2 6.0 or earlier Enable support for FIPS 140-2 Module. Click `here `_ for more details. + + This patch is only applicable to Aviatrix Gateways. +Remove old UI 6.0 or earlier This patch will remove the unnecessary web server components from old UI pages which could be accessible without requiring a credentials. + + Patch applied to Avitrix Controller only. +X-XSS-Protection and X-Content-Type-Options Headers 5.2+ X-XSS-Protection and X-Content-Type-Options Headers did not configure properly without the patch. + + Applicable to Aviatrix Gateway and Controller both. +SAML XML signature wrapping vulnerability 6.0 or earlier The SAML implementation in the Aviatrix controller was vulnerable to XML Signature Wrapping without the patch. + Without the patch, an attacker with any signed SAML assertion from the Identity Provider can establish a connection even if that SAML assertion has expired or is from a user who is not authorized to access Aviatrix. + + Applicable to Aviatrix Controller only. 
+================================================================= ==================== ======================================================= + +.. important:: + Increase File Descriptor limit patch will disconnect all VPN Users. + +To apply a patch: + +1) Backup your Aviatrix Controller. For more information, see `Controller Backup and Restore `_. + +2) Apply the security or software patch on the controller. From the Aviatrix Controller, navigate to Settings > Maintenance > SecurityPatches or SoftwarePatches and click on **UpdateAvailablePatches**. You should see the new patch in the display. + +3) Apply the patch by clicking on the icon on the right and selecting **Apply Patch** from the popup menu. + +4) Validate the update by clicking on the icon on the right and selecting **Patch Status** and scrolling down to bottom of page. + +5) Backup your Aviatrix Controller again to save the new configuration. + +.. disqus:: diff --git a/HowTos/setting_software_patches.rst b/HowTos/setting_software_patches.rst new file mode 100644 index 000000000..f0450c895 --- /dev/null +++ b/HowTos/setting_software_patches.rst 
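Review bot: the "Click `here `_" link in the FIPS 140-2 row and the "`Controller Backup and Restore `_" link in step 1 have empty targets, so both render as broken references; add the URLs. The Version column uses "5.4 or earlier" and "6.0 or earlier" for every row except "5.2+" for the X-XSS-Protection and X-Content-Type-Options row, which reads as "5.2 and later" and breaks the pattern; state explicitly whether that patch applies up to or from 5.2. Smaller fixes: "Before this patch openVPN do not have permission" should be "OpenVPN did not have permission", "without requiring a credentials" should be "without requiring credentials", "Patch applied to Avitrix Controller only" should be "Aviatrix", and "SecurityPatches", "SoftwarePatches" and "UpdateAvailablePatches" appear to be missing the spaces of the UI labels (Security Patches, Software Patches, Update Available Patches).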
@@ -0,0 +1,41 @@ +.. meta:: + :description: Documentation for Controller and Gateway Software Patches + :keywords: software patches, patches, software + +################################### +Software Patches +################################### + + +The following software patches are recently released by Aviatrix. + +================================================================= ==================== =============================================================== +**Patch Name** **Version** **Description** +================================================================= ==================== =============================================================== +Update with latest instance types support for cloud regions 5.4 or earlier Update the latest instance types support for cloud regions + + This patch is only applicable to Aviatrix Controller. +Update controller version info in the DB 5.4 or earlier Update the controller version info in the DB + + This patch is only applicable to Aviatrix Controller. +Apply xml file patch for Splunk year 2020 bug 5.4 or earlier This patch is required due to changes in Splunk. Click `here `_ for more details. + + Patch applied to Avitrix Controller and Gateway both. +Mitigation for Datadog Agent installation issue on Ubuntu 14.04 5.2 or earlier DataDog will not be installed properly without the patch on Controller due to + known DataDog issue with "hash sum mismatch" in APT repositories. + Applicable to Aviatrix Gateway and Controller both. +================================================================= ==================== =============================================================== + +To apply a patch: + +1) Backup your Aviatrix Controller. For more information, see `Controller Backup and Restore `_. + +2) Apply the security or software patch on the controller. From the Aviatrix Controller, navigate to Settings > Maintenance > SecurityPatches or SoftwarePatches and click on **UpdateAvailablePatches**. 
You should see the new patch in the display. + +3) Apply the patch by clicking on the icon on the right and selecting **Apply Patch** from the popup menu. + +4) Validate the update by clicking on the icon on the right and selecting **Patch Status** and scrolling down to bottom of page. + +5) Backup your Aviatrix Controller again to save the new configuration. + +.. disqus:: diff --git a/HowTos/sfc_faq.rst b/HowTos/sfc_faq.rst index 8f7f99a8e..a5b75311f 100644 --- a/HowTos/sfc_faq.rst +++ b/HowTos/sfc_faq.rst @@ -25,7 +25,7 @@ objects to his/her own S3 buckets. |s3_endpoint| -Note there is Endpoint policy but it controls who can use the Endpoint service, it does not control which destination S3 bucket the request can be granted. +Note that an Endpoint policy controls who can use the Endpoint service, but it does not control which destination S3 bucket the request can be granted. Same issue of data leakage occurs if you upload files to S3 over public Internet. @@ -33,7 +33,7 @@ What is Aviatrix PrivateS3? ----------------------------------------------- Aviatrix PrivateS3 is a feature that allows you to leverage AWS Direct Connect to transfer objects and files between on-prem and S3 -while giving you the control of which S3 buckets by the ability to whitelist the S3 buckets. +while giving you control of the S3 buckets by the ability to whitelist the S3 buckets. |sft_aviatrix| 
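Review bot: in the setting_software_patches.rst hunk the "Click `here `_" link for the Splunk year 2020 patch and the "`Controller Backup and Restore `_" link in step 1 have empty targets and will render as broken references; add the URLs. The Datadog row first says the agent "will not be installed properly without the patch on Controller" and then "Applicable to Aviatrix Gateway and Controller both"; make the scope consistent, and use one spelling of the product name instead of "Datadog" and "DataDog" in the same row. "Patch applied to Avitrix Controller and Gateway both" should be "Aviatrix". The five-step "To apply a patch" procedure is duplicated verbatim from setting_security_patches.rst; an include would keep the two copies from drifting.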
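Review bot: in the sfc_faq.rst @@ -33 hunk the rewritten sentence "while giving you control of the S3 buckets by the ability to whitelist the S3 buckets" is still awkward; suggest "while letting you control which S3 buckets can be reached by whitelisting them". The @@ -25 rewording is fine; since the point is that the endpoint policy does not bound the destination bucket, it may help to add that the PrivateS3 whitelist described in the following sections is what does.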
@@ -46,17 +46,19 @@ The key benefits are: 1. Transferring objects/data between on-prem and S3 by leveraging Direct Connect without using public VIF. #. The ability to control which S3 buckets can be accessed. - #. The ability to deploy multiple Aviatrix gateways to load balancing the data traffic. + #. The ability to deploy multiple Aviatrix gateways to load balance the data traffic. How does PrivateS3 work? -------------------------- -PrivateS3 combines a few elements to make it work. +PrivateS3 works as follows. - 1. Customer on-prem resolves all S3 bucket names under management to the private IP address of the Aviatrix created and managed AWS internal NLB. - #. Configure on the Aviatrix Controller the S3 bucket names that you allow access. - #. When Aviatrix PrivateS3 gateway receives the packets, it uses its FQDN feature to filter out the un-configured S3 bucket names, thus preventing data leakage. + 1. Customer on-prem resolves all S3 bucket names under management to the private IP address of the Aviatrix gateway created and managed in AWS internal NLB. + #. The Controller scans periodically (every 30 minutes) S3 buckets in the selected region and accounts. + #. The Controller sends email notification to the admin for newly discovered S3 buckets. All S3 buckets are denied access by default. + #. The admin logs into the Controller to approve or deny access to the discovered S3 buckets. + #. When Aviatrix PrivateS3 gateway receives the packets, it uses its FQDN feature to filter out any buckets names that are not on the allowed list, thus preventing data leakage. How to deploy PrivateS3? -------------------------- 
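Review bot: step 1 of the rewritten procedure says bucket names resolve "to the private IP address of the Aviatrix gateway created and managed in AWS internal NLB", which is less accurate than the removed text; the names resolve to the internal NLB that Aviatrix creates and manages, and the NLB fronts the gateways. Suggest "to the private IP address of the AWS internal NLB that Aviatrix creates and manages". The new default-deny and approval steps are the security-relevant part of this change (a newly discovered bucket is denied until an admin approves it), so step 3 should make clear that the email is a notification only and that no new bucket is reachable until step 4 is completed. Also "any buckets names" in the last step should be "any bucket names".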
@@ -103,10 +105,23 @@ How can I test PrivateS3? There is a simple method to simulate DNS resolution to the PrivateS3 internal NLB. -Launch a Linux instance or host, in sudo mode, edit file /etc/hosts. Add S3 bucket FQDN names to this file, as shown in the example below. +Launch a Linux instance or host, in sudo mode, edit file /etc/hosts. Add S3 bucket FQDN names to this file, as shown in the example below, where 172.32.1.212 is the PrivateS3 NLB IP address. This IP address can be found `here `_. |dns_emulation| +You can then run an AWS CLI command, such as "aws s3 ls", you should be able to see the list of S3 buckets on the Access Account +in the region where a PrivateS3 gateway is launched. + +Below is another example of uploading a file to S3 using AWS CLI + +:: + + ubuntu@ip-172-32-1-144:~$ aws s3 cp init-cfg.txt.3 s3://sxw-new-bucket-2 + upload: ./init-cfg.txt.3 to s3://sxw-new-bucket-2/init-cfg.txt.3 + + +To test on a Window's machine, you modify file at c:\Windows\System32\Drivers\etc\hosts. An example instruction +is shown `here. `_ How do I troubleshoot PrivateS3? ---------------------------------- 
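Review bot: both new links ("This IP address can be found `here `_" and "An example instruction is shown `here. `_") have empty targets and render broken; add the URLs and move the period outside the second link's text. The test only exercises the positive path (listing and copying to an allowed bucket); since the purpose of PrivateS3 is to block un-approved buckets, add a negative check such as an "aws s3 cp" to a bucket that is not on the allowed list, stated as expected to fail, so readers can confirm the filter is enforcing rather than just passing traffic. Wording: "You can then run an AWS CLI command, such as "aws s3 ls", you should be able to see" is a comma splice (split at the second comma), "Below is another example of uploading a file to S3 using AWS CLI" needs a terminating period or colon, and "To test on a Window's machine" should be "a Windows machine".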
@@ -116,11 +131,22 @@ PrivateS3 combines FQDN feature and stateful firewall feature. 1. Go to Security -> Egress Control -> Egress FQDN Filter. There should be a tag automatically created. Click Edit button to see if the desired S3 bucket name is configured. #. Go to Gateway, select one PrivateS3 gateway, click Edit. Scroll down to Destination NAT to make sure the DNAT rule is configured. -Why doesn't AWS S3 list command work? +Does AWS S3 list command work? ----------------------------------------- -AWS S3 CLI "list" command requires you to add s3.region.amazonaws.com in the bucket rule, where region is represented -as us-west-2, us-east-2, for example. +Yes. AWS S3 CLI "list" command requires s3.region.amazonaws.com in the bucket rule where region is represented. This is automatically populated +by the Controller. + +Can Aviatrix Spoke gateways be used for PrivateS3 function? +-------------------------------------------------------------- + +No, Aviatrix Spoke gateways cannot be used for PrivateS3 function. This is because PrivateS3 requires certain DNAT rule that conflict with +Spoke gateway forwarding function. + +Is S3 endpoint required for PrivateS3? +--------------------------------------- + +No. S3 endpoint in the VPC where PrivateS3 gateways are deployed is not required for PrivateS3 to work. However creating a S3 endpoint allows traffic to be forwarded to S3 service without going through the Internet. .. |sfc| image:: sfc_media/sfc .png diff --git a/HowTos/sfc_media/dns_emulation.png b/HowTos/sfc_media/dns_emulation.png index 5e1063aba..9002aaaf1 100644 Binary files a/HowTos/sfc_media/dns_emulation.png and b/HowTos/sfc_media/dns_emulation.png differ diff --git a/HowTos/site2cloud.rst b/HowTos/site2cloud.rst index 2a80d2e3c..25d3e9367 100644 --- a/HowTos/site2cloud.rst +++ b/HowTos/site2cloud.rst 
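Review bot: the rewritten answer "AWS S3 CLI "list" command requires s3.region.amazonaws.com in the bucket rule where region is represented." drops the examples the old text had and leaves "where region is represented" dangling; suggest "where region is the region name, for example us-west-2 or us-east-2; the Controller populates this entry automatically". In the new Spoke gateway answer, "requires certain DNAT rule that conflict" should be "requires DNAT rules that conflict", and in the S3 endpoint answer "However creating a S3 endpoint" should be "However, creating an S3 endpoint"; since the endpoint keeps S3 traffic off the Internet, consider recommending it rather than only noting that it is optional.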
@@ -20,7 +20,7 @@ Overview Aviatrix supports connectivity between its Gateways in the cloud and on-premise routers using a feature called `Site2Cloud`, as shown below. This document outlines how to get connectivity established between an Aviatrix Gateway in AWS, Azure, or GCP and your on-premise router or firewall. -|site2cloud| +|site2cloud_new| Configuration Workflow @@ -40,8 +40,8 @@ Create Site2Cloud Connection | VPC ID / VNet Name | Select the VPC or VNet where this tunnel | | | will terminate in the cloud. | +-------------------------------+----------------------------------------------+ - | Connection Type | `Unmapped` unless there is an overlapping | - | | CIDR block. | + | Connection Type | `Unmapped` unless Local Subnet and Remote | + | | Subnet are overlapped. | +-------------------------------+----------------------------------------------+ | Connection Name | Name this connection. This connection | | | represents the connectivity to the edge | @@ -51,11 +51,11 @@ Create Site2Cloud Connection | | `Aviatrix`, or `SonicWall`. | | | See below for additional details. | +-------------------------------+----------------------------------------------+ - | Tunnel Type | `UDP` or `TCP` | + | Tunnel Type | `Route-based` or `Policy-based` | | | | | | .. note:: | - | | `TCP` tunnel type requires an Aviatrix | - | | gateway on both sides. | + | | If Connection Type `Mapped` is selected | + | | only 'Route-based' is supported. | | | | +-------------------------------+----------------------------------------------+ | Algorithms | Defaults will be used if unchecked. See | 
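Review bot: the @@ -20 hunk renames the image substitution from |site2cloud| to |site2cloud_new|, but this diff shows neither a matching ".. |site2cloud_new| image::" definition nor a new image file; confirm both are added, otherwise Sphinx reports an undefined substitution and the overview loses its diagram.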
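Review bot: in the @@ -40 hunk "unless Local Subnet and Remote Subnet are overlapped" should be "unless Local Subnet and Remote Subnet overlap".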
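Review bot: in the @@ -51 hunk the Tunnel Type row uses backticks for `Route-based` and `Policy-based` but the note below it quotes 'Route-based' with single quotes; use backticks in both places to match the rest of the table. The note only states the Mapped restriction; say explicitly whether an Unmapped connection supports both tunnel types, and add a sentence on what distinguishes route-based from policy-based, since the removed UDP/TCP note gave the reader that kind of guidance and the new values do not explain themselves.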
@@ -75,6 +75,20 @@ Create Site2Cloud Connection | Enable HA | Enable High Availability. Additional fields | | | are displayed when checked. | +-------------------------------+----------------------------------------------+ + | Enable Single IP HA | HA gatway failover solution using Single | + | | Public IP on Aviatrix Regular gateway | + | | allows you to reuse the same EIP to bring up | + | | the backup tunnel. | + | | Supported for AWS and Azure only | + +-------------------------------+----------------------------------------------+ + | Over Private Network | Select this option if your underlying | + | | infrastructure is private network, such as | + | | AWS Direct Connect and Azure Express Rout. | + | | See “How does it work” section for more | + | | details. When this option is selected, BGP | + | | and IPSEC run over private IP addresses. | + | | terminate in this VPC. | + +-------------------------------+----------------------------------------------+ | Primary Cloud Gateway | Select the Gateway where the tunnel will | | | terminate in this VPC. | +-------------------------------+----------------------------------------------+ 
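Review bot: the Over Private Network cell in this hunk ends with a stray line "| | terminate in this VPC. |" that was copied from the Primary Cloud Gateway row directly below it; delete it. Same cell: "Azure Express Rout" should be "Azure ExpressRoute", and the reference "See "How does it work" section for more details" points at a section that does not exist in site2cloud.rst as far as this patch shows, so either add the section or link to the page that has it. In the Enable Single IP HA cell, "HA gatway failover" should be "HA gateway failover", and "Supported for AWS and Azure only" needs a terminating period to match the other cells.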
@@ -84,15 +98,35 @@ Create Site2Cloud Connection | | connection. If nothing is entered, one will | | | be generated for you. | +-------------------------------+----------------------------------------------+ - | Remote Subnet | Specify a list of the destination network | + | Remote Subnet (Real) | Specify a list of the destination network | | | CIDRs, separated by comma, that will | | | be encrypted. For example, 10.10.1.0/24, 10. | | | 10.2.0./24 | +-------------------------------+----------------------------------------------+ - | Local Subnet | Specify a list of the source network CIDRs | + | Remote Subnet (Virtual) | Only applicable when Connection Type is | + | | `Mapped`. Specify a list of virtual remote | + | | network | + | | CIDRs that is 1-1 mapped to the Remote | + | | Subnet Real. For example, if the real | + | | subnets are 10.10.1.0/24, 10.10.2.0/24 | + | | 24, you can specify the virtual remote | + | | subnets as | + | | 192.168.1.0/24, 192.168.2.0/24 | + +-------------------------------+----------------------------------------------+ + | Local Subnet (Real) | Specify a list of the source network CIDRs | | | , separated by comma, that will be encrypted.| | | For example, 172.16.1.0/24, 172.16.2.0/24 | +-------------------------------+----------------------------------------------+ + | Local Subnet (Virtual) | Only applicable when Connection Type is | + | | `Mapped`. Specify a list of virtual local | + | | network | + | | CIDRs that are 1-1 mapped to the Local | + | | Subnet Real. For example, if the real | + | | subnets are 172.16.1.0/24, 172.16.2.0/24, | + | | you can specify the virtual local | + | | subnets as | + | | 192.168.7.0/24, 192.168.8.0/24 | + +-------------------------------+----------------------------------------------+ | Backup Gateway | Only available when 'Enable HA' is selected. | | | Backup Gateway should be the .hagw created | | | at 'Gateway'->'Edit'->'Gateway for High | 
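Review bot: the Remote Subnet (Virtual) example in this hunk reads "10.10.1.0/24, 10.10.2.0/24 | 24, you can specify", a leftover "24" from re-wrapping the cell; drop it. Both new Virtual rows say "CIDRs that is 1-1 mapped" and "CIDRs that are 1-1 mapped"; use "are" in both. While touching the Remote Subnet (Real) row, the example "10. 10.2.0./24" in the unchanged context has a stray dot before the slash and should be "10.10.2.0/24". Finally, the examples imply but the text never states that the virtual ranges must not collide with the real ranges on either side or with each other; one sentence to that effect under each Virtual row would prevent the obvious misconfiguration.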
@@ -101,6 +135,9 @@ Create Site2Cloud Connection | Remote Gateway IP Address | Only available when 'Enable HA' is selected. | | (Backup) | IP address of the backup gateway (.hagw) | +-------------------------------+----------------------------------------------+ + | Same Pre-Shared Key as Primary| Check the option if the backup tunnel uses | + | | the same pre-shared key as the primary | + +-------------------------------+----------------------------------------------+ | Pre-shared Key (Backup) | Only available when 'Enable HA' is selected. | | | Optional. Enter the pre-shared key for this | | | backup connection. If nothing is entered, | @@ -186,7 +223,7 @@ Remote Gateway Type | Generic | Use this option for most third-party | | | routers and firewalls. | +-------------------------------+------------------------------------------+ - | AWS VGW | For terminating on an AWS Virtual Private | + | AWS VGW | For terminating on an AWS Virtual Private| | | Gateway, select this option. | +-------------------------------+------------------------------------------+ | Azure VPN | For terminating on Azure VPN Services | @@ -205,13 +242,13 @@ If the `Algorithms` checkbox is unchecked, the default values will be used. If +-------------------------------+ | Field | +===============================+ - | Phase 1 Authentication | + | Phase 1 Authentication | +-------------------------------+ | Phase 1 DH Groups | +-------------------------------+ | Phase 1 Encryption | +-------------------------------+ - | Phase 2 Authentication | + | Phase 2 Authentication | +-------------------------------+ | Phase 2 DH Groups | +-------------------------------+ 
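Review bot: the new "Same Pre-Shared Key as Primary" row says "Check the option if the backup tunnel uses the same pre-shared key as the primary" without saying what happens to the "Pre-shared Key (Backup)" field immediately below it; state whether that field is hidden, ignored, or must be left empty when the box is checked, and end the cell with a period like the others. The Phase 1 Authentication and Phase 2 Authentication changes further down in this hunk are whitespace-only; if they are not needed to fix the table rendering, drop them to keep the diff readable.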
@@ -244,6 +281,16 @@ Select the remote site device from the dropdowns provided. If your remote site This template file contains the gateway public IP address, VPC CIDR, pre-shared secret and encryption algorithm. Incorporate the information to your remote router/firewall configuration. If the remote gateway is a Aviatrix CloudN, go to site2cloud and simply import the downloaded configuration file and click OK. +Local Identifier +---------------- + +By default, Aviatrix configures gateway's public IP as Local Identifier. User can adjust this settings to gateway's private IP. + +Remote Identifier +----------------- + +By default, Aviatrix configures public ip of peer device as Remote Identifier. User can adjust this settings to private ip of peer device. + Dead Peer Detection -------------------- 
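Review bot: the new Local Identifier and Remote Identifier sections say "User can adjust this settings" (should be "this setting") but do not say when the private IP is the right choice. Tie it to the "Over Private Network" option added earlier in this patch, where "BGP and IPSEC run over private IP addresses", and to peers that are configured with a private-IP remote ID; the identifier must match what the peer expects, otherwise IKE negotiation fails, which is the failure a reader of this section is usually trying to debug. Also capitalize "public ip of peer device" and "private ip of peer device" as "IP" for consistency with the table above.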
@@ -254,6 +301,53 @@ send periodic messages to ensure the remote site is up. By default DPD detection is enabled. +================ =============== =============== +Field Value Description +================ =============== =============== +Delay >= 1 Keealive timer (in seconds) +Retry Delay >= 1 How long should the tunnel wait before declaring keep alive failed. (in seconds) +Maxfail >= 1 Number of tries before considering the peer is dead. +================ =============== =============== + + +Active Active HA +---------------- + +Allow site2cloud gateways to support Active-Active mode where both tunnels are up and packets are routed to both gateways via respective VPC route tables. + +To enable this, go to SITE2CLOUD, edit the connection on the Setup page, scroll down to Active Active HA and click the button ENABLE. + +Forward Traffic to Transit Gateway +---------------------------------- + +This configuration option applies to a use case where an Aviatrix Spoke gateway connects to on-prem routers via Site2Cloud IPSec connections. + +Event Triggered HA +------------------ + +Event Trigger HA is a new mechanism to reduce the convergence time. To configure, go to Site2Cloud -> select a connection, click Edit. +Scroll down to Event Triggered HA and click Enable. + +Jumbo Frame +------------------ + +Jumbo Frame improves the performance between Aviatrix Transit gateway and CloudN. This feature is only supported for AWS, other clouds (Azure, GCP etc.) do not support Jumbo frame. To configure, go to Site2Cloud -> select a connection, click Edit. +Scroll down to Jumbo Frame and click Enable. + +Clear Sessions +------------------- + +Clear Session allows to reset all the active sessions on a selected Site2Cloud connection. To clear, go to Site2Cloud -> select a connection, click Edit. +Scroll down to Clear Sessions and click Clear. 
+ + +Periodic Ping +-------------------- + +In very rare cases Site2cloud tunnels may fail to pass traffic if the tunnel is dormant for a long period of time. This is not an issue with the Aviatrix Gateways and can usually be traced to misconfigurations on the remote device. To compensate for this Periodic Ping was developed to maintain a steady flow of traffic across the tunnel. + +For configuration steps read the full article here: `Periodic Ping `_ + Network Device Support ====================== @@ -298,4 +392,7 @@ Diagnostics and troubleshooting options are available in the **Diagnostics** tab .. |site2cloud| image:: site2cloud_media/site2cloud.png :scale: 50% +.. |site2cloud_new| image:: site2cloud_media/site2cloud_new.png + :scale: 50% + .. disqus:: diff --git a/HowTos/site2cloud_faq.rst b/HowTos/site2cloud_faq.rst index 76777ccac..e2401e2ad 100644 --- a/HowTos/site2cloud_faq.rst +++ b/HowTos/site2cloud_faq.rst @@ -48,11 +48,11 @@ What are the encryption algorithms supported? **Type** **Value** ==================================== ====================================== Phase 1 Authentication SHA-1, SHA-512, SHA-384, SHA-256 -Phase 1 DH Groups 2, 1, 5, 14, 15, 16, 17, 18, 19 +Phase 1 DH Groups 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21 (20 & 21 IKEv2 Only) Phase 1 Encryption AES-256-CBC, AES-192-CBC, AES-128-CBC, 3DES Phase 2 Authentication HMAC-SHA-1, HMAC-SHA-512, HMAC-SHA-384, HMAC-SHA-256, NO-AUTH -Phase 2 DH Groups 2, 1, 5, 14, 15, 16, 17, 18, 19 -Phase 2 Encryption AES-256-CBC, AES-192-CBC, AES-128-CBC, AES-128-GCM-96, AES-256-GCM-128, 3DES, NULL-ENCR +Phase 2 DH Groups 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21 (20 & 21 IKEv2 Only) +Phase 2 Encryption AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-GCM-64, AES-128-GCM-96, AES-128-GCM-128, 3DES, NULL-ENCR ==================================== ====================================== 
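Review bot: in the DPD table added in the @@ -254 hunk, "Keealive timer" should be "Keepalive timer", and the Retry Delay description "How long should the tunnel wait before declaring keep alive failed" describes a timeout rather than a delay between retries, so confirm which it is against the gateway's behaviour before it ships. The "Forward Traffic to Transit Gateway" section states only a use case and, unlike its neighbours, gives neither the configuration step nor what the option does when enabled; add both or drop the section until they are known. "Allow site2cloud gateways to support Active-Active mode" is a sentence fragment ("Active Active HA allows ..."), and the closing link `Periodic Ping `_ has no target as shown in the hunk.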
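Review bot: in the site2cloud_faq.rst @@ -48 hunk, the new Phase 2 Encryption line "AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-GCM-64, AES-128-GCM-96, AES-128-GCM-128, 3DES, NULL-ENCR" drops AES-256-GCM-128, which the removed line listed; confirm whether AES-256-GCM support was actually removed or whether the row should keep it. Since this table is where customers choose their algorithms, it should also mark DH groups 1 and 2, 3DES, SHA-1, NULL-ENCR and NO-AUTH as legacy options that are not recommended, and state the defaults that the Site2Cloud table says apply "if unchecked", so that a reader who leaves Algorithms unchecked knows what they get.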
@@ -61,6 +61,11 @@ Is IKEv2 supported? Yes. +How frequent are keys rotated? +--------------------------------- + +Re-key for IKE phase 1 is every 8 hours. Re-key for IKE phase 2 is every hour. + Are there configuration examples with other devices? ------------------------------------------------------------------- @@ -91,6 +96,11 @@ Here are a few documents in the Tech Notes session that demonstrate how you can - `Connecting offices to multiple VPCs using AWS Peering `_ - `Connect Networks with Overlap CIDRs `_ - `Connect Overlapping VPC to On-prem `_ + +How to troubleshoot Site2Cloud connection with IKEv2? +----------------------------------------------------- + +Refer to `Troubleshooting IPsec VPN connection with IKEv2 `_ .. |image1| image:: FAQ_media/image1.png diff --git a/HowTos/site2cloud_fortigate.rst b/HowTos/site2cloud_fortigate.rst index 8597bf2c8..4973607cb 100644 --- a/HowTos/site2cloud_fortigate.rst +++ b/HowTos/site2cloud_fortigate.rst @@ -250,7 +250,7 @@ Create an IPsec tunnel on FortiGate +-------------------------------+------------------------------------------+ | Key Lifetime | Seconds | +-------------------------------+------------------------------------------+ - | Seconds | 28800 | + | Seconds | 3600 | +-------------------------------+------------------------------------------+ |imagephase2advanced| diff --git a/HowTos/site2cloud_fortigate_media/phase2advanced.png b/HowTos/site2cloud_fortigate_media/phase2advanced.png index 7d40bfa35..6fca22054 100644 Binary files a/HowTos/site2cloud_fortigate_media/phase2advanced.png and b/HowTos/site2cloud_fortigate_media/phase2advanced.png differ diff --git a/HowTos/site2cloud_media/IKEv2_show_log.png b/HowTos/site2cloud_media/IKEv2_show_log.png new file mode 100644 index 000000000..a9d5d501c Binary files /dev/null and b/HowTos/site2cloud_media/IKEv2_show_log.png differ 
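Review bot: the new FAQ entry "How frequent are keys rotated?" should read "How frequently are keys rotated?", and its answer (phase 1 every 8 hours, phase 2 every hour) is consistent with the FortiGate hunk in this patch that changes the Phase 2 key lifetime from 28800 to 3600 seconds; the FortiGate Phase 1 lifetime is not in the diff, so verify it still reads 28800 and consider stating both lifetimes in seconds in the FAQ answer so that readers configuring third-party devices can match them without converting. The new troubleshooting link "Troubleshooting IPsec VPN connection with IKEv2 `_" has no target as shown in the hunk.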
diff --git a/HowTos/site2cloud_media/site2cloud_new.png b/HowTos/site2cloud_media/site2cloud_new.png new file mode 100644 index 000000000..24473cbea Binary files /dev/null and b/HowTos/site2cloud_media/site2cloud_new.png differ diff --git a/HowTos/spoke_skip_rfc1918.rst b/HowTos/spoke_skip_rfc1918.rst deleted file mode 100644 index 64d65dc46..000000000 --- a/HowTos/spoke_skip_rfc1918.rst +++ /dev/null 
@@ -1,182 +0,0 @@ - - -.. meta:: - :description: Deploy a spoke that skip rfc1918 route programming - :keywords: site2cloud, VGW, AWS Global Transit Network, Aviatrix Transit Network, RFC1918 - - -=========================================================================================== -Deploying Spoke without Programming RFC1918 Routes -=========================================================================================== - -When an Aviatrix Controller deploys a Spoke gateway, it programs RFC1918 routes automatically into the AWS -route tables. - -However there are cases where the RFC1918 routes were already programmed to point to non Aviatrix instances, -therefore, the -normal workflow does not work and requires some exception handling via APIs. - -This tech note demonstrates how to deploy an Aviatrix spoke without programming RFC1918 routes in its VPC by using -Aviatrix APIs. - -| - -Environment Requirements ---------------------------------------------------------- - -An Aviatrix Transit Network has been deployed. The spoke VPC to be connected has its route table with already programmed RFC1918 routes for other purposes. -We need to connect this spoke VPC to the Aviatrix Transit Network so that the instance in this spoke VPC can talk to the -instance of On-Prem. - -|image1| - -.. note:: - - RFC1918 routes are 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/24 - -| - -The following steps use an Aviatrix API to deploy a spoke attaching to a transit network but skipping RFC1918 routes programming. - -Steps to Deploy A Spoke Skipping RFC1918 Route Programming ------------------------------------------------------------ - -Step 1: Login to Controller with Valid Username and Password -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Example Request: - -:: - - # curl -k --data "action=login" --data "username=admin" --data "password=Aviatrix123!" 
"https://10.123.123.123/v1/api" - -Example Response: - -:: - - { - "return": true, - "results": "User login:admin in account:admin has been authorized successfully — Please check email confirmation.", - "CID": "57e098ed708a8" - - } - - -Step 2: Launch an Aviatrix Spoke Gateway Using API with Option skip_rfc1918 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -With option skip_rfc1918 set to "yes", this new spoke gateway will not program RFC1918 routes to its VPC's route tables. - -Example Request: - -:: - - # curl -k --data "action=create_spoke_gw" --data "CID=XXXXXXXXXX" --data "account_name=my-aws" --data "cloud_type=1" --data "region=us-west-1" --data "vpc_id=vpc-abcd123~~spoke-vpc-01" --data "public_subnet=10.11.0.0/24~~us-west-1b~~spoke-vpc-01-pubsub" --data "gw_name=spoke-gw-01" --data "gw_size=t2.micro" --data "dns_server=8.8.8.8" --data "nat_enabled=no" --data "tags=k1:v1,k2:v2" --data "skip_rfc1918=yes" "https://CONTROLLER_IP/v1/api" - - -Example Response: - -:: - - { - "return": true, - "results": "Successfully created Gateway spoke-gw-01. Congratulations!!" - } - - -Step 3: Program Specific Routes for On-Prem Networks -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Using Aviatrix API to program specific routes for On-Prem networks points to the new spoke gateway we just created. - -.. note:: - - We only need to program on-prem networks which fall into the RFC1918 scope. For NON-RFC1918 public networks, they will be automatically programmed by the Aviatrix Controller. - -Example Request: - -:: - - # curl -k --data "action=add_routes_to_spoke_vpc" --data "CID=XXXXXXXXXX" --data "gateway_name=spoke-gw-01" --data "cidr_list=10.30.0.0/24,172.18.1.0/24,192.168.10.0/24" "https://YOUR_CONTROLLER_IP/v1/api" - -Example Response: - -:: - - { - "return": true, - "results": "Successfully added routes to spoke VPC." 
- } - - -Step 4: Attach Spoke to Transit Gateway -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -You can either use the controller UI or API to complete this step. Here the API method is given as below: - -Example Request: - -:: - - #curl -k --data "action=attach_spoke_to_transit_gw" --data "spoke_gw=spoke-gw-01" --data "transit_gw=my-transit-gw" --data "CID=XXXXX" "https://CONTROLLER_IP/v1/api?" - -Example Response: - -:: - - { - "return": true, - "results": "Successfully joined spoke-gw-01 to my-transit-gw." - } - - -Now you have completed deployment of the spoke to the transit network without programming the RFC1918 in its VPC route tables. - -|image2| - -Step 5: Attach more Spokes to Transit Gateway -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -If you have more spokes that you need to attach to a transit gateway in this way, repeat steps 2-4. - -Step 6: Update of On-Prem Networks -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Whenever any new On-Prem networks (in RFC1918 scope) are added, you need to use the API of step 3 above to program new routes -into the spoke's VPC. If any On-Prem network is removed, you need to use the following API to delete the specific route -for that network. - -Example Request: - -:: - - # curl -k --data "action=delete_routes_from_spoke_vpc" --data "CID=XXXXXXXXXX" --data "gateway_name=spoke-gw-01" --data "cidr_list=192.168.10.0/24" "https://YOUR_CONTROLLER_IP/v1/api" - -Example Response: - -:: - - { - "return": true, - "results": "Successfully deleted routes to spoke VPC." - } - - -.. note:: - - Only routes specified in the API that also point to the Aviatrix spoke gateway specified in the API will be deleted. - - -Test Connections between New Spoke and On-Prem ----------------------------------------------- - -Ping from any Ubuntu VM in this spoke VPC to any Ubuntu VM from On-Prem. - - -.. |image1| image:: spoke_skip1918_media/spoke_skip1918_before.png - :scale: 100% - -.. 
|image2| image:: spoke_skip1918_media/spoke_skip1918_after.png - :scale: 100% - -.. disqus:: diff --git a/HowTos/spokegw_external.rst b/HowTos/spokegw_external.rst new file mode 100644 index 000000000..590b04820 --- /dev/null +++ b/HowTos/spokegw_external.rst 
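Review bot: the deletion of HowTos/spoke_skip_rfc1918.rst removes a page whose login example embedded a literal password ("--data "password=Aviatrix123!"") and whose every curl call used -k, which disables certificate verification against the Controller; if this content is being relocated rather than retired, the replacement should use a placeholder for the password and drop -k, and should correct the note "RFC1918 routes are 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/24", which should say 192.168.0.0/16. Either way, the patch adds no redirect or stub for inbound links to this page, so check the rest of the docs for references before merging.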
@@ -0,0 +1,375 @@ +.. meta:: + :description: Global Transit Network to External Device + :keywords: Spoke VPC, S2C Connection, AWS Global Transit Network, Azure Global Transit Network, BGP, + + +============================================================== +Aviatrix Spoke Gateway to External Devices (BGP-Enabled Spoke) +============================================================== + +You can connect an external device (External (or 3rd Party) Router/Firewall) to Aviatrix spoke gateways that are enabled with BGP (and NAT). + +BGP is run on top of a site to cloud (S2C) connection that terminates on active-mesh spoke gateways. + +This document focuses on the External Device connecting the Aviatrix Spoke GW that is enabled with BGP. + +Using BGP-enabled spoke gateways is currently supported for AWS Commercial and Azure Commercial cloud service providers, including Government regions. + +.. note:: + + BGP-enabled spokes are introduced in release 6.6. Spoke gateways created prior to Aviatrix release 6.6 cannot be enabled for BGP (you enable BGP at gateway creation). Rollback to release 6.5 Aviatrix gateways is not possible if there is at least one BGP-enabled Spoke Gateway. + + +What is a use case for connecting a BGP-enabled spoke gateway to an external router? +------------------------------------------------------------------------------------ + +Prior to Aviatrix release 6.6, you could enable BGP only on Aviatrix transit gateways (not spoke gateways). For software as a service (SaaS) providers with certain architectures, this meant having to deploy transit gateways for each of their tenants to enable the tenant to connect to their in-cloud network. + +By using BGP-enabled spoke gateways in their network architecture, SaaS providers can solve several requirements: + +- **Requirement**: Connect a large number of tenants \(1000+\). + + **Solution**: Distribute the tenants across Spoke Gateways, for horizontal scaling and blast radius minimization. 
+ +- **Requirement**: Provide both dedicated tenant services, and shared services. + + **Solution**: Host dedicated services in tenant-specific Spoke VPCs. Host shared services in common Spoke VPCs. + +- **Requirement**: Onboard the tenants with BGP: dynamic control plane that fits their operational model. + + **Solution**: Terminate BGP on the tenant Spoke Gateways. + +- **Requirement**: Handle overlapping IPs across tenants, and between tenants and shared services. + + **Solution**: Use NAT on the tenant Spoke Gateways. + +- **Requirement**: Maintain isolation across tenants. + + **Solution**: Use segmentation domains on the tenant Spoke Gateways. + +- **Requirement**: Provide the highest throughput to tenant services. + + **Solution**: Horizontal scaling. Tenant services are directly hosted in the Spoke VPC where BGP terminates. They are directly accessed by tenants, without the Transit layer to be a bottleneck. + + +|spokegw_external_saas_sol| + + +How does using a BGP-enabled spoke to an external device work? +-------------------------------------------------------------- + +The Aviatrix Spoke GW runs a BGP session to an external router to dynamically exchange routes. It also establishes an IPSEC tunnel to the router for packet forwarding (BGP is run over IPsec only). BGP is run on top of a S2C connection that terminates on active-mesh spoke gateways. All spoke gateways must be active mesh (no standalone gateway). Each spoke gateway must have a unique Autonomous System (AS) number. + +Note the following points: + +Fully integrated with ActiveMesh 2.0 control plane. + +Route-based only. + +Active/Active HA is supported towards ActiveMesh and towards on-prem with ECMP across multiple BGP connections. Active/Standby S2C is also supported. + +Co-existence of BGP S2C with static S2C connections under the same Spoke GW is supported. + +FireNet is supported. 
The inspection policy is the entire Spoke Gateway including all the BGP routes (not individual S2C BGP sessions). + +The following features are not supported on a BGP-enabled spoke gateway in the current (6.6) release: + +- ActiveMesh 1.0. +- Mapped NAT. +- Manual Spoke Encrypted peering. +- User VPN. +- CloudWAN. +- Stateful Firewall. +- Private S3. +- Egress transit. +- Customize Spoke VPC Routing Table. +- Private VPC Default Route. +- Skip Public VPC Route Table. +- Select Route Tables upon Spoke Gateway Attachment to Transit. + + +The following features configured on a Transit Gateway take no effect on a Spoke VPC equipped with a BGP-enabled Spoke Gateway (they still work for any other Spoke VPC): + +- Customize Attached Spoke VPC Routing Table. +- Exclude Learned CIDRs to Spoke VPC. + +|spokegw_external_ex_arch| + + +Interactions with Segmentation Domains +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +When using BGP-enabled spoke gateways, SaaS providers can use segmentation domains per spoke gateway to enforce isolation across tenants. When segmentation domains are set per BGP-enabled spoke gateway, the site to cloud (S2C) BGP connection respects the domain of the spoke gateway for traffic enforcement and route advertisement. + +All S2C connections on a given spoke gateway belong to the spoke gateway domain (currently, you cannot have different S2C connections on a given spoke gateway be assigned to different domains). + +In the current release: + +- BGP routes of a tenant are always advertised to all other tenants connected with S2C BGP under the same Spoke Gateway. No segmentation policies can control that. Connection Manual BGP Advertised Network List can control it. +- BGP routes of a tenant are propagated into ActiveMesh based on the connection policies of the spoke gateway. +- ActiveMesh routes are advertised over BGP based on the connection policies of the Spoke. 
+ + +Interactions with NAT +~~~~~~~~~~~~~~~~~~~~~ + +In the current release, the following applies for NAT and BGP-enabled spoke gateways: + +- Customized NAT under Gateway config is supported (mapped NAT under S2C config is not currently supported). +- S2C BGP connections are available as option in the NAT connection. +- ActiveMesh connections are available in the NAT connection but ONLY for non-HPE spoke gateways. +- Many:1 and 1:1 NAT are possible. +- Active/Active HA for both gateways and S2C connections (with flow affinity) is supported. + + +Route Propagation +~~~~~~~~~~~~~~~~~ + +Spoke VPC CIDR + BGP prefixes received on the Spoke GW are propagated into ActiveMesh (Subnets outside of RFC 1918 are programmed on the VPC RTBs). + +All CIDRs known to ActiveMesh (Spoke VPCs for all regions and clouds + BGP prefixes + custom advertisements, etc.) are advertised over BGP on the Spoke GW S2C BGP connections. + +|bgp_spoke_route_propagation| + +Connected Transit +~~~~~~~~~~~~~~~~~ + +The propagation of BGP routes learned on a Spoke GW to other Spoke GWs under the same Transit complies with Connected Transit. + +If Connected Transit = Disabled, those routes are not propagated to other Spoke GWs under the same Transit. + +In this example, 192.168.200.0/25 learned via BGP on Spoke-1-GW is not propagated to Spoke-2-GW: + +|bgp_spoke_connected_transit| + + +How to configure a BGP spoke gateway and connect it to external router? +----------------------------------------------------------------------- + +This section describes how to: + +- Create a spoke gateway that is BGP enabled. +- Create the S2C BGP tunnel (build a site-to-cloud IPsec BGP attachment for the newly created spoke). +- Configure your router with the connection details. +- Configure additional settings. + + +Step 1: Create a BGP-Enabled Spoke Gateway +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +To create a BGP-enabled spoke gateway: + +.. 
note:: + + In the current release (6.6), BGP must be enabled at the creation of the Spoke GW. Spoke GWs created pre-6.6 cannot be enabled with BGP. A Spoke GW enabled with BGP has a few restrictions compared to a non-BGP Spoke. See the section above "How does using a BGP-enabled spoke to an external device work?" for information about restrictions. + +1. Log in to Aviatrix Controller. + +2. From the sidebar, expand the Multi-Cloud Transit option, and then select **Setup**. + +3. Click on **Spoke** at the top of the workflow page. + + The Launch an Aviatrix Spoke Gateway page opens. + +4. Specify your information in step 1 and ensure you click the **Enable BGP** checkbox also: + + - Gateway Name: Specify the name for your spoke gateway. + - Region: Select the region in which you want to deploy the spoke. + - VPC ID: + - Click **Enable BGP**. + +5. Click **Create**. + +6. (Optional) Enable HA for the spoke gateway. + + When HA is enabled, a second Spoke GW will be launched. For best practice, the HA GW should be launched on a different public subnet in a different Availability Zone. + + Note: If the Spoke GW is connected to VGW, you cannot disable Spoke GW HA. + +7. Scroll back up to the top of the Launch an Aviatrix Spoke Gateway workflow page. + +8. Click on **Attach**. + + The Attach Spoke Gateway page opens. + + Now that you've created the spoke gateway, you can connect it to the external device (device in an on-prem network). In this case, you will build a site-to-cloud (S2C) BGP over IPsec connection. + + +Step 2: Create the S2C BGP Tunnel +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +To create the S2C BGP tunnel: + +1. In the Attach Spoke Gateway page, Click **External Device**. + + You use the External Device option on the spoke gateway to build a BGP tunnel directly to the on-prem device for exchanging routes with a remote site. + +2. Select **BGP** so that the Spoke GW runs dynamic routing with remote site. + +3. 
Select **IPsec** to run BGP and build an IPSEC connection to a remote site. + +4. Specify the rest of the parameters (defined below) and click **Connect**. + + +Fill the parameters and click OK. For ActiveMesh design notes, check out `ActiveMesh Design Notes `_. + +============================ ========== +**Setting** **Value** +============================ ========== +External Device Select this option to build a connection to a remote site. +BGP Select BGP if the Spoke GW runs dynamic routing with remote site. +Static Remote Route-Based Select this option the remote site supports route-based VPN with static configuration. +IPsec Select this option to run BGP and build a IPSEC connection to a remote site. +Transit VPC Name The Transit VPC ID where Transit GW was launched. +Connection Name A unique name to identify the connection to external device. +Aviatrix Gateway BGP ASN The BGP AS number the Spoke GW will use to exchange routes with the external device. +Primary Aviatrix Gateway The Spoke GW you created. +Algorithms Optional parameters. Leave it unselected if you don't know. +IKEv2 Select the option to connect to the remote site using IKEv2 protocol. +Enable Remote Gateway HA Select HA if there are two external devices. +Over Private Network Select this option if your underlying infrastructure is private network, such as AWS Direct Connect and Azure Express Route. See "How does it work" section for more details. When this option is selected, BGP and IPSEC run over private IP addresses. +BGP Remote AS Number When BGP is selected, the BGP AS number the external device will use to exchange routes Aviatrix Spoke GW. +Remote Gateway IP IP address of the remote device. +Pre-shared Key Optional parameter. Leave it blank to let the pre-shared key to be auto generated. +Local Tunnel IP Optional parameter. This field is for the tunnel inside IP address of the Spoke gateway. Leave it blank. +Remote Tunnel IP Optional parameter. 
This field is for the tunnel inside IP address of the External device. Leave it blank. +Over Private Network(Backup) Select this option if HA is enabled. +BGP Remote ASN (Backup) When BGP is selected, the remote ASN for backup should be the same as the primary remote ASN. +Remote Gateway IP (Backup) IP address of the remote device. If "Private Network" is selected, enter the private IP address of the external device. +Pre-shared Key (Backup) Optional parameter. Leave it blank to let the pre-shared key to be auto generated. +Local Tunnel IP (Backup) Optional parameter. This field is for the tunnel inside IP address of the Spoke gateway. Leave it blank. +Remote Tunnel IP (Backup) Optional parameter. This field is for the tunnel inside IP address of the External device. Leave it blank. +============================ ========== + + +Step 3: Configure the external device +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +To configure the external device: + +1. From the sidebar, expand the Site2Cloud option, and then select **Setup**. + + From the list of connections, take note that the Status of the connection you created to the external device is Down. + +2. From the table, click on the name of the connection you created to the external device (for example, Spoke-S2C-IPsec-T2Router) and then click **Edit**. + + The Connection Detail page opens. + +3. For Vendor, select the device you are using (any device that is capable of running IPsec and BGP). + + (For example, **Cisco**.) + +4. For Platform, select the applicable platform for the chosen device. + + (For example, **ISR, ASR, or CSR**.) + +5. Click **Download Configuration**. + + Open the downloaded Aviatrix Site2Cloud configuration template. + +6. 
Apply the following changes on your external device configuration (for example, on your CiscoASA) to configure the on-prem device with IPSEC tunnel and BGP: + + Crypto Policy Number + + Tunnel Number with Tunnel Source + + Make similar changes on the configuration of the backup tunnel. + + |spokegw_bgp_external_device_config| + + +Step 4: Verify status of connection is UP +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +(Verify status of connection is Up) After configuring the router, the tunnel should change the status from down to up. Go back to the controller Site2Cloud option Setup page and click the refresh icon. Verify the status of your connection is now Up. + + +Step 5: Verify the BGP routes +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +(To verify the BGP routes) On the controller, from the sidebar, expand the Multi-Cloud Transit option and then select **BGP**. Under Diagnostics, select the Gateway name (of the BGP-enabled spoke). From the predefined show list, select **show ip bgp** to verify the BGP Routes. + + +Step 6: Customize spoke advertised VPC CIDRs +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +You can customize spoke advertised VPC CIDRs for your BGP-enabled spoke gateway. The CIDRs are propagated into ActiveMesh and into BGP as belonging to the Spoke Gateway shown in the example. + +The actual Spoke VPC CIDR is not advertised by default, but you can add it to the list. + +ActiveMesh propagation: those CIDRs are combined with the BGP prefixes received on the S2C BGP connection(s) of the Spoke GW. + +BGP advertisement: those CIDRs are combined with all other ActiveMesh CIDRs from the Aviatrix transit. + +|spokegw_external_custom_adv_cidrs| + + +Step 7: Set Up approval for gateway learned CIDR +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +You can set up approval for gateway learned CIDRs for your BGP-enabled spoke gateways. You must select Gateway mode (connection-level route approval is currently not supported). 
Route approval completely blocks a BGP prefix to even be considered by the control plane. Prefixes blocked are not programmed in the gateway route table. + +|bgp_spoke_learned_cidr_appr| + + +Step 8: Set Up BGP Route Control +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +1. From the sidebar, expand the Multi-Cloud Transit option, and then select **Advanced Config**. + +2. At the top of the page, click **Edit Spoke**. + +3. Select the BGP enabled spoke gateway. + +4. Specify the parameters to suit your business requirements (they are similar to BGP controls on transit gateways): + + Local AS Number + + BGP ECMP + + Active-Standby + + Gateway Manual BGP Advertised Network List + + Connection Manual BGP Advertised Network List + + +(Disconnect) To disconnect the external device +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +To disconnect the external device from the BGP-enabled Spoke GW: + +1. Log in to Aviatrix Controller. + +2. From the sidebar, expand the Multi-Cloud Transit option, and then select **Setup**. + +3. In the Multi-cloud Transit Network Workflow page, click the **Detach** option. + +4. In Aviatrix Spoke Gateway, select the Spoke GW you created from the list menu. + +5. Click **Detach**. + + +.. |spokegw_external_saas_sol| image:: spokegw_external_media/spokegw_external_saas_sol.png + :scale: 30% + +.. |spokegw_external_ex_arch| image:: spokegw_external_media/spokegw_external_ex_arch.png + :scale: 30% + +.. |spokegw_external_custom_adv_cidrs| image:: spokegw_external_media/spokegw_external_custom_adv_cidrs.png + :scale: 30% + +.. |spokegw_bgp_external_device_config| image:: spokegw_external_media/spokegw_bgp_external_device_config.png + :scale: 30% + +.. |bgp_spoke_connected_transit| image:: spokegw_external_media/bgp_spoke_connected_transit.png + :scale: 30% + +.. |bgp_spoke_route_propagation| image:: spokegw_external_media/bgp_spoke_route_propagation.png + :scale: 30% + +.. 
|bgp_spoke_learned_cidr_appr| image:: spokegw_external_media/bgp_spoke_learned_cidr_appr.png + :scale: 30% + + +.. disqus:: diff --git a/HowTos/spokegw_external_media/External-Device-DX.png b/HowTos/spokegw_external_media/External-Device-DX.png new file mode 100644 index 000000000..5da7d1218 Binary files /dev/null and b/HowTos/spokegw_external_media/External-Device-DX.png differ diff --git a/HowTos/spokegw_external_media/External-Device-Internet.png b/HowTos/spokegw_external_media/External-Device-Internet.png new file mode 100644 index 000000000..15f60a4fa Binary files /dev/null and b/HowTos/spokegw_external_media/External-Device-Internet.png differ diff --git a/HowTos/spokegw_external_media/bgp_spoke_connected_transit.png b/HowTos/spokegw_external_media/bgp_spoke_connected_transit.png new file mode 100644 index 000000000..2755dad5b Binary files /dev/null and b/HowTos/spokegw_external_media/bgp_spoke_connected_transit.png differ diff --git a/HowTos/spokegw_external_media/bgp_spoke_example_arch.png b/HowTos/spokegw_external_media/bgp_spoke_example_arch.png new file mode 100644 index 000000000..416b504b1 Binary files /dev/null and b/HowTos/spokegw_external_media/bgp_spoke_example_arch.png differ diff --git a/HowTos/spokegw_external_media/bgp_spoke_learned_cidr_appr.png b/HowTos/spokegw_external_media/bgp_spoke_learned_cidr_appr.png new file mode 100644 index 000000000..56f33ea58 Binary files /dev/null and b/HowTos/spokegw_external_media/bgp_spoke_learned_cidr_appr.png differ diff --git a/HowTos/spokegw_external_media/bgp_spoke_route_propagation.png b/HowTos/spokegw_external_media/bgp_spoke_route_propagation.png new file mode 100644 index 000000000..6cb86e1e5 Binary files /dev/null and b/HowTos/spokegw_external_media/bgp_spoke_route_propagation.png differ 
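Review bot: the "(Disconnect) To disconnect the external device" section at the end of this new file does not describe what its title promises. The steps go through Multi-Cloud Transit > Setup > Detach and "select the Spoke GW you created", which detaches the spoke gateway from the transit; the external device connection built in Step 3 is a Site2Cloud connection (the example name is Spoke-S2C-IPsec-T2Router, listed under Site2Cloud > Setup), and nothing in the section removes it. Either point the reader at deleting that Site2Cloud connection or retitle the section to match what it does. Two smaller items in the same hunk: the Step 2 table says a blank "Pre-shared Key (Backup)" is auto-generated and Step 3 has the reader "Download Configuration" for the external device; since that template has to carry the PSK for the peer to complete IKE, add one sentence that the downloaded file is a secret and should be handled and disposed of as one. In Step 7, "completely blocks a BGP prefix to even be considered by the control plane" is awkward; "prevents a BGP prefix from being considered by the control plane at all" keeps the meaning. In Step 4 the leading parenthetical "(Verify status of connection is Up)" just repeats the heading above it and can go.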
diff --git a/HowTos/spokegw_external_media/download_config_external.png b/HowTos/spokegw_external_media/download_config_external.png new file mode 100644 index 000000000..3e0981cab Binary files /dev/null and b/HowTos/spokegw_external_media/download_config_external.png differ diff --git a/HowTos/spokegw_external_media/spokegw_bgp_external_device_config.png b/HowTos/spokegw_external_media/spokegw_bgp_external_device_config.png new file mode 100644 index 000000000..212fff25c Binary files /dev/null and b/HowTos/spokegw_external_media/spokegw_bgp_external_device_config.png differ diff --git a/HowTos/spokegw_external_media/spokegw_external_custom_adv_cidrs.png b/HowTos/spokegw_external_media/spokegw_external_custom_adv_cidrs.png new file mode 100644 index 000000000..32d01438e Binary files /dev/null and b/HowTos/spokegw_external_media/spokegw_external_custom_adv_cidrs.png differ diff --git a/HowTos/spokegw_external_media/spokegw_external_ex_arch.png b/HowTos/spokegw_external_media/spokegw_external_ex_arch.png new file mode 100644 index 000000000..675ec976a Binary files /dev/null and b/HowTos/spokegw_external_media/spokegw_external_ex_arch.png differ diff --git a/HowTos/spokegw_external_media/spokegw_external_saas_sol.png b/HowTos/spokegw_external_media/spokegw_external_saas_sol.png new file mode 100644 index 000000000..ea2f2e5d3 Binary files /dev/null and b/HowTos/spokegw_external_media/spokegw_external_saas_sol.png differ diff --git a/HowTos/spokegw_external_media/transitgw_bgp.png b/HowTos/spokegw_external_media/transitgw_bgp.png new file mode 100644 index 000000000..90780182e Binary files /dev/null and b/HowTos/spokegw_external_media/transitgw_bgp.png differ diff --git a/HowTos/spokegw_external_media/transitgw_bgp_dx.png b/HowTos/spokegw_external_media/transitgw_bgp_dx.png new file mode 100644 index 000000000..a7f7b0525 Binary files /dev/null and b/HowTos/spokegw_external_media/transitgw_bgp_dx.png differ 
diff --git a/HowTos/spokegw_external_media/transitgw_dx.png b/HowTos/spokegw_external_media/transitgw_dx.png new file mode 100644 index 000000000..07c9b9f10 Binary files /dev/null and b/HowTos/spokegw_external_media/transitgw_dx.png differ diff --git a/HowTos/spokegw_external_media/transitgw_internet.png b/HowTos/spokegw_external_media/transitgw_internet.png new file mode 100644 index 000000000..f4f107a7d Binary files /dev/null and b/HowTos/spokegw_external_media/transitgw_internet.png differ diff --git a/HowTos/spokegw_external_media/transitgw_phase1_dx.png b/HowTos/spokegw_external_media/transitgw_phase1_dx.png new file mode 100644 index 000000000..8c56ee773 Binary files /dev/null and b/HowTos/spokegw_external_media/transitgw_phase1_dx.png differ diff --git a/HowTos/spokegw_external_media/transitgw_phase2_dx.png b/HowTos/spokegw_external_media/transitgw_phase2_dx.png new file mode 100644 index 000000000..371b389c8 Binary files /dev/null and b/HowTos/spokegw_external_media/transitgw_phase2_dx.png differ diff --git a/HowTos/spokegw_external_media/transitgw_phrase1.png b/HowTos/spokegw_external_media/transitgw_phrase1.png new file mode 100644 index 000000000..c728f27e2 Binary files /dev/null and b/HowTos/spokegw_external_media/transitgw_phrase1.png differ diff --git a/HowTos/spokegw_external_media/transitgw_phrase2.png b/HowTos/spokegw_external_media/transitgw_phrase2.png new file mode 100644 index 000000000..03c380b7e Binary files /dev/null and b/HowTos/spokegw_external_media/transitgw_phrase2.png differ diff --git a/HowTos/spokegw_external_media/transitgw_private_aws.png b/HowTos/spokegw_external_media/transitgw_private_aws.png new file mode 100644 index 000000000..b9715cc58 Binary files /dev/null and b/HowTos/spokegw_external_media/transitgw_private_aws.png differ 
diff --git a/HowTos/spokegw_external_media/transitgw_private_azure.png b/HowTos/spokegw_external_media/transitgw_private_azure.png new file mode 100644 index 000000000..8ff92ff94 Binary files /dev/null and b/HowTos/spokegw_external_media/transitgw_private_azure.png differ diff --git a/HowTos/spokegw_external_media/transitgw_tunnel _dx.png b/HowTos/spokegw_external_media/transitgw_tunnel _dx.png new file mode 100644 index 000000000..894d453bc Binary files /dev/null and b/HowTos/spokegw_external_media/transitgw_tunnel _dx.png differ diff --git a/HowTos/spokegw_external_media/transitgw_tunnel.png b/HowTos/spokegw_external_media/transitgw_tunnel.png new file mode 100644 index 000000000..39ece8a50 Binary files /dev/null and b/HowTos/spokegw_external_media/transitgw_tunnel.png differ diff --git a/HowTos/spokegw_external_media/transitgw_tunnel_dx.png b/HowTos/spokegw_external_media/transitgw_tunnel_dx.png new file mode 100644 index 000000000..894d453bc Binary files /dev/null and b/HowTos/spokegw_external_media/transitgw_tunnel_dx.png differ diff --git a/HowTos/stateful_firewall_faq.rst b/HowTos/stateful_firewall_faq.rst index cec5742dd..cf8209318 100644 --- a/HowTos/stateful_firewall_faq.rst +++ b/HowTos/stateful_firewall_faq.rst @@ -32,18 +32,6 @@ because of the implementation of how rules are sent to the gateways. In the next release (5.2), the limitation will be removed. -What is the REST API to configure stateful firewall? --------------------------------------------------------- - -The API for the stateful firewall can be found `here. `_. - -Follow the example in the API doc to setup multiple rules. - -Currently the API call requires you to input the entire set of the rules for each call. There is no incremental append or delete -functions. - -In the next release (5.2), there will be new APIs to append new rules and delete a specific rule. - Is there limitation on the number of tags? -------------------------------------------- 
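Review bot: deleting the "What is the REST API to configure stateful firewall?" entry removes the one caveat anyone automating this needs: "the API call requires you to input the entire set of the rules for each call. There is no incremental append or delete", so a script that posts a partial list silently drops every other rule. If the entry is going because the "here." link was broken and the "next release (5.2)" promise is stale, replace it with a short pointer to the current API reference and keep the whole-rule-set warning instead of removing the section. Note also that the unchanged context line directly above ("In the next release (5.2), the limitation will be removed.") carries the same stale release reference, so if staleness was the motivation the cleanup is incomplete.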
diff --git a/HowTos/tf_aviatrix_howto.rst b/HowTos/tf_aviatrix_howto.rst deleted file mode 100644 index 3bd99918b..000000000 --- a/HowTos/tf_aviatrix_howto.rst +++ /dev/null 
@@ -1,219 +0,0 @@ -.. meta:: - :description: Aviatrix Terraform provider tutorial - :keywords: AWS, Aviatrix Terraform provider, VPC, Transit network - - -=========================================================================================== -Aviatrix Terraform Tutorial -=========================================================================================== - -This document will walk you through the steps to set up the Aviatrix Terraform provider. As an example, an Aviatrix gateway will be launched. - -.. note:: - Aviatrix is now an official Terraform provider! The Terraform setup procedure has been significantly simplified and the documentation below has been updated accordingly. Customers who have previously set up our provider following our previous instructions may transition to our official provider by following the steps below in Step 5. - -1. Download Terraform Package -------------------------------------- - -Terraform is delivered as a zip file in binary. Click `here `_, select your respective OS and simply download the package as you would for any software. - -For Mac, Terraform is also present in `Homebrew `_. Perform ``brew install terraform`` to install Terraform (Skip step 1.1 if done this way). - -Once download is complete, double-click to unzip the file. The executable file ``terraform`` should be in your Downloads folder. (This will be used as an example in this document) - - -1.1. Setup Execution Path (only when not using package manager) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -If you are running the Terraform binary file after simply downloading it, you will need to execute it using the full path. - -Assuming it's downloaded into your ``$HOME/Downloads`` directory, run: - -:: - - $ ~/Downloads/terraform - -1.2 Verify Terraform Install -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -In your Terminal, run ``terraform`` to verify Terraform has been successfully been installed. 
- -Please run ``terraform --version`` to verify you have the latest version of Terraform. `As of 22 May 2019 `_ , the latest version of Terraform is **0.12.x**. - -For Windows, the command is ``terraform.exe --version`` - -2. Prepare Aviatrix Controller --------------------------------- - -Follow the `Aviatrix Controller Startup Guide `_ to launch a Controller and go through the Onboarding process. - -Once Onboarding is completed, a `primary account `_ should be created. This primary account will be used to launch a gateway. - - -3. Prepare a Terraform Environment (workspace) ----------------------------------------------- - -While you can run Terraform within any directory, we highly recommend using Terraform/ managing your infrastructure in an isolated environment. That can be achieved as simply as creating a separate directory to use and running ``terraform init`` within the directory. - -Example for Unix/Linux: - -:: - - $ mkdir terraform-test-environment - $ cd terraform-test-environment - $ terraform init - - -``terraform init`` will initialise the current directory into a working directory for Terraform. In the future, whenever a new Terraform configuration is written, or if a provider is updated, this command must be run again. - -Next, create a Terraform configuration file. For each Terraform environment, a provider must be specified; in this case, we will use Aviatrix. - -.. note:: - While it is possible to manage an entire infrastructure within one Terraform file, we recommend decoupling based on infrastructure. For example, a VPN setup can be in one Terraform file, under one directory, a transit-network can be in another. - -For this below example, we can create a test gateway. In this file "aviatrix_gateway_test.tf", copy and paste -the below text. Be sure to modify the parameters to suit your environment accordingly. 
- -:: - - # Specify Aviatrix as the provider with these parameters: - # controller_ip - public IP address of the controller - # username - login user name, default is admin - # password - password - # version - release version # of Aviatrix Terraform provider - - provider "aviatrix" { - controller_ip = "35.5.26.157" - username = "admin" - password = "ControllerPSWD#" - version = "2.2" - } - - # Launch a gateway with these parameters: - # cloud_type - Enter 1 for AWS - # account_name - Aviatrix account name to launch GW with - # gw_name - Name of gateway - # vpc_id - AWS VPC ID - # vpc_reg - AWS VPC region - # gw_size - Gateway instance size - # subnet - VPC subnet CIDR where you want to launch GW instance - - resource "aviatrix_gateway" "testGW" { - account_name = "for-create2" - cloud_type = 1 - gw_name = "testGW1" - vpc_id = "vpc-01dd5643eca66486c" - vpc_reg = "us-west-2" - gw_size = "t2.micro" - subnet = "172.34.0.0/24" - } - - -4. Run the Terraform Configuration ------------------------------------ - -In the directory where the Terraform configuration file resides, run the ``terraform init`` command to prepare the new configuration file. - -:: - - $ terraform init - -Then run the ``terraform plan`` command to see what will be executed. - -:: - - $ terraform plan - -Finally, run the ``terraform apply`` command to launch the gateway. - -:: - - $ terraform apply - -When the above command finishes, you can login to your Aviatrix Controller console, navigate to the Gateway page and see that the new gateway with the name "testGW1" has been successfully launched. - - -5. Troubleshooting --------------------------- - -5.1 Simple debugging -^^^^^^^^^^^^^^^^^^^^ -A simple Terraform debug method is to set TF_LOG level in ~/.bash_profile, as shown in the below example (Remember to run command ``source ~/.bash_profile`` after editing .bash_profile): - -:: - - export TF_LOG=TRACE - -With this log set to TRACE, you should see TRACE and ERROR when running Terraform commands. 
Pay attention to ERRORs if a Terraform command is not successful. - -5.2 Transitioning to Official Provider -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Our Aviatrix Terraform provider is now an official Terraform provider and as such, future releases will no longer be updated at the AviatrixSystems Github repo; it will be available through Hashicorp directly. - -This change means that current customers will no longer be required to manually use Git to pull changes locally and then run Go to build the provider. Future customers will also be saved the hassle of the previous setup procedure. - -For customers who previously set up the Aviatrix Terraform provider prior to the official release on Hashicorp, the transition procedure is relatively simple. - -1. Remove the ``.terraformrc`` created to previously link Terraform to the filepath of the local provider to build/ comment out the "aviatrix" providers block within the file - * For Linux/ Unix, it should be the ``~/.terraformrc`` - * For Windows, the file should be at ``%APPDATA%\terraform.rc`` -2. In your Terraform environment where the **provider** block is written, specify the version provider you would like to use (see below for example) - * Please note that the ``version`` refers to the Aviatrix Terraform release number. Refer to our `provider release notes `_ - -Please also note that previously, customers were to match and build the branch of the provider corresponding to the Controller version. Now, customers should use whichever latest ``version`` is compatible with their Controller. -You should follow the `Aviatrix Provider: Release Compatibility Chart `_ to ensure terraform compatibility with your current Aviatrix controller version. 
- -* **EXCEPTION: For customers on Controller 4.7.x, please note there are multiple releases to support various configurations:** - - * Controller 4.7.x , Terraform v0.11: Use **Release 1.15** - * Controller 4.7.x , Terraform v0.12: Use **Release 1.16** - -* **NOTE: For Release 2.0, there is major code restructuring and changes. Please follow Recommendations below before switching to Release 2.0+ if coming from releases prior/ Controller <4.7** - - * Controller 4.7.x , Terraform v0.12: Use **Release 2.2** - -:: - - provider "aviatrix" { - controller_ip = "1.2.3.4" - username = "admin" - password = "password" - version = "2.2" # specify a Release version as shown on this line - } - - ... - -Recommendation: -*************** -For customers on Controller 4.7 or looking to upgrade to 4.7, please refer to our `Upgrade Guide `_ before attempting to immediately switch to our official provider, especially if you are on Controller 4.7. - -Other documentation that may be of interest when upgrading between provider versions (unofficial or official) are: - * `Feature Changelist for R1.x `_: tracks customer-impacting changes to Terraform environment for R1.x - * `Feature Changelist for R2.x `_: tracks customer-impacting changes to Terraform environment for R2.x - -If you have any questions, or would require assistance for the upgrade process, please feel free to send an email to support@aviatrix.com. - - -6. More Examples ------------------ - -To see what resources are provided, check out the `Aviatrix Terraform Provider `_. - -To see another example, check out how to `setup Aviatrix Transit Network with Terraform `_. - - -7. Contribute to the Community --------------------------------- - -The Aviatrix Terraform Provider is an `open source project `_ and has recently become an official Terraform provider. All reviews, comments and contributions are welcome. - - -Enjoy! - -.. |setup_tf| image:: tf_aviatrix_howto_media/setup_tf.png - :width: 100% - -.. 
|go_install| image:: tf_aviatrix_howto_media/go_install.png - :width: 100% - -.. disqus:: diff --git a/HowTos/tf_export.rst b/HowTos/tf_export.rst deleted file mode 100644 index 5753dab47..000000000 --- a/HowTos/tf_export.rst +++ /dev/null 
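Review bot: tf_aviatrix_howto.rst is deleted outright with no stub or redirect, and nothing in the hunk says where the content moved; the published URL will 404 and any toctree or cross-reference that still names it will break the Sphinx build, so grep for inbound links and leave a one-paragraph page pointing at the replacement. If the material is being re-homed, do not carry the provider examples over as written: both blocks hard-code the Controller password in the .tf file next to controller_ip (password = "ControllerPSWD#" in section 3, password = "password" in section 5.2). The replacement should show credentials supplied through Terraform input variables or whatever secret-injection mechanism the provider supports, and should point at the compatibility chart rather than pinning version = "2.2" inline, since that pin is already stale relative to the "Release 2.0+" guidance in the same file.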
@@ -1,205 +0,0 @@ -.. meta:: - :description: Aviatrix Terraform Export Feature - :keywords: AWS, Aviatrix Terraform provider, terraform, terraform provider, api - - -=========================================================================================== -Aviatrix Terraform: Export -=========================================================================================== - -This document will walk you through how the Aviatrix Terraform Export feature works. -It is assumed that the user has experience using Terraform, and has the Aviatrix Terraform -Provider set up. - -To learn more about Terraform, click `here `_. - -To learn how to set up the Terraform environment for Aviatrix, click `here `_. - -Aviatrix Terraform resource and data source documentation may be found `here `_. - -Further questions? Please visit our Support Center for Terraform `here `_. - -Use Case: ---------------------------- - -The Aviatrix Terraform Export feature allows users to export their current Controller -configurations (resources) into Terraform files (``.tf``) and import them into their -Terraform environment, facilitating an easy transition to using Terraform to manage -their infrastructure. - -**DISCLAIMER :** Export functionality is only available on Controller v4.3+, is -currently in beta and does not support every resource and its complete functionality. - -Example: ---------------------------- - -In this example, we will use VPN profiles that were created through the Controller -and export them into ``.tf`` files for an easy import into our Terraform environment. - -Step 1 - Assume we have the following VPN profiles already created (pictured below), prior to the transition - to using Terraform for infrastructure management. - - |profile1_in_controller| - - |profile2_in_controller| - -Step 2 - In order to bring in existing resources into the environment for Terraform management, - we must use ``terraform import``. 
- - The current implementation of Terraform import - can only import resources into the state, but does not generate a configuration file - (see HashiCorp's documentation `here `_ - regarding this issue.) - - This is where Aviatrix's Terraform Export feature is used. We can use this - feature to generate not only the necessary configuration files, but also a shell script - with the necessary commands to automatically import those existing resources for you. - - Simply navigate with the sidebar: **Useful Tools** > **Export to Terraform**. - Under the **Exporter** column, click the **Download TF** button for the corresponding - resource(s) you want to export. - - .. note:: - - If you have multiple resources or want to manage your entire infrastructure through Terraform, - you may export your entire current configuration by clicking the **Download All** button - located in the top right corner of the page. - - In our case, we will select *vpn_profile* and download the zip file. - - |how_to_export| - -Step 3 - Navigate to the directory where the zip was downloaded to and unzip the file. - There should be a folder with 2 files: - ``vpn_profile.tf`` and - ``vpn_profile_import.sh`` - - If we open ``vpn_profile.tf``, we can see that the exact configurations as seen - on the Controller are properly exported into the ``.tf`` file. - - |profile1_tf| - - |profile2_tf| - -Step 4 - For simplicity's sake, we will use this folder/ directory as the Terraform environment to manage - our VPN profiles. If you prefer to set up your overall infrastructure differently, - feel free to move those 2 files into your preferred directory before proceeding. - - If you have not already, create a ``provider.tf`` as seen below, providing your - Aviatrix Controller credentials. 
- - (This can also be specified in the ``vpn_profile.tf`` - instead, but as best practice, it is better to decouple components, especially credentials, - from your variable or configuration files): - - |provider_tf| - -Step 5 - In your preferred directory, in order to initialise the directory as a Terraform - environment, run: ``terraform init``. - - Then run the shell script with the command: ``sh vpn_profile_import.sh`` - - |import_profile| - -Step 6 - Congratulations! Your *vpn_profile(s)* have been successfully imported into - Terraform and can now be easily managed through code. - - You may verify that configured files are the same as our Controller configuration - by running ``terraform plan`` to catch deltas between our local Terraform state - and the Controller state. You may use ``terraform show`` to see your state. - - |verify_import1| - - |verify_import2| - -Addendum ---------------------------- -Now managing your *vpn_profile(s)* is as simple as modifying your exported ``vpn_profile.tf`` -file and doing ``terraform plan`` to see your changes, and ``terraform apply`` to -implement those changes. Changes can range from modifying existing profiles, removing them or -adding new ones. - -As seen below, continuing from our above example, we are changing *vpn_profile_1* and removing one of the policies, and -adding a new profile in ``vpn_profile.tf``. - -|edit_profile_tf1| - -|edit_profile_tf2| - -Going back to Terminal, by simply doing a ``terraform plan`` (1st picture), we see that Terraform detects -the changes we want to make. If we are satisfied with these changes, we can go ahead and do -``terraform apply`` (2nd picture). - -|terraform_apply_edit1| - -|terraform_apply_edit2| - -We can again verify these new changes by doing a ``terraform plan`` to catch deltas -between our new state and the Controller state, as well as a ``terraform show`` to view -the state. 
- -|terraform_apply_verify1| - -|terraform_apply_verify2| - -We can also go to the Controller and confirm that a new profile, *profile Name3*, has indeed -been created, and the edit to *profile Name1* has been implemented. - -|terraform_apply_verify3| - -|terraform_apply_verify4| - -The steps described in the **Addendum** can be applied and used for the management of any supported resource -in their respective ``.tf`` file(s). - -.. Image Gallery References -.. |profile1_in_controller| image:: tf_export_media/profile1_in_controller.png - :width: 100% -.. |profile2_in_controller| image:: tf_export_media/profile2_in_controller.png - :width: 100% - -.. |how_to_export| image:: tf_export_media/how_to_export.png - :width: 100% - -.. |profile1_tf| image:: tf_export_media/profile1_tf.png - :width: 100% -.. |profile2_tf| image:: tf_export_media/profile2_tf.png - :width: 100% - -.. |provider_tf| image:: tf_export_media/provider_tf.png - :width: 100% - -.. |import_profile| image:: tf_export_media/import_profile.png - :width: 100% - -.. |verify_import1| image:: tf_export_media/verify_import1.png - :width: 100% -.. |verify_import2| image:: tf_export_media/verify_import2.png - :width: 100% - -.. |edit_profile_tf1| image:: tf_export_media/edit_profile_tf1.png - :width: 100% -.. |edit_profile_tf2| image:: tf_export_media/edit_profile_tf2.png - :width: 100% - -.. |terraform_apply_edit1| image:: tf_export_media/terraform_apply_edit1.png - :width: 100% -.. |terraform_apply_edit2| image:: tf_export_media/terraform_apply_edit2.png - :width: 100% - -.. |terraform_apply_verify1| image:: tf_export_media/terraform_apply_verify1.png - :width: 100% -.. |terraform_apply_verify2| image:: tf_export_media/terraform_apply_verify2.png - :width: 100% -.. |terraform_apply_verify3| image:: tf_export_media/terraform_apply_verify3.png - :width: 100% -.. |terraform_apply_verify4| image:: tf_export_media/terraform_apply_verify4.png - :width: 100% - -.. disqus:: 
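Review bot: same concern as the other deletion in this patch, with an extra wrinkle: this page documented a feature that is reached from the Controller UI ("Useful Tools > Export to Terraform", "Download TF" / "Download All"), and it carried the disclaimer that export "is only available on Controller v4.3+, is currently in beta and does not support every resource". If the feature is still in the product, removing its only how-to leaves UI users without the beta caveat and without the import procedure (terraform init, then sh vpn_profile_import.sh). State in the commit message where this moved, or keep a stub. Whatever replaces it should preserve the Step 4 advice to put Controller credentials in a separate provider.tf rather than inside the exported resource files, because exported .tf files are exactly what ends up committed to a repository, and should tell the reader to open vpn_profile_import.sh and check what it is about to import before running it.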
diff --git a/HowTos/tgw_approval.rst b/HowTos/tgw_approval.rst index 77ad7071d..9c4bf269f 100644 --- a/HowTos/tgw_approval.rst +++ b/HowTos/tgw_approval.rst 
@@ -25,35 +25,49 @@ Pending Learned CIDRs panel to Approved Learned CIDRs panel allows those routes To enable Approval, go to TGW -> Approval. Select the TGW and VPN/DXGW, click Learned CIDRs Approval to enable. -.. important:: +How does it work? +--------------------- - When TGW Approval is enabled on a TGW, summary routes (the RFC-1918 routes) are not programmed into the attached Spoke VPC route tables. Instead, specific route entries are programmed into the VPC route table. If more than 50 route entries are anticipated, please make support request to AWS to allow for more route entries. Up to 1000 route entries can be requested. +When Approval feature is enabled, TGW route table route propagation to connected Security Domain is turned +off. That is, the TGW VPN/DXGW learned routes are statically programmed into the TGW route table of +connected Security Domains after the routes are approved. -When Approval is disabled, all dynamically learned routes are automatically propagated to the Spokes. +This is illustrated in the following two examples. +Example 1: Two TGW VPN/DXGW in the same domain +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -.. |tgw_overview| image:: tgw_overview_media/tgw_overview.png - :scale: 30% +|tgw_two_vpn_approval| -.. |security_domain| image:: tgw_overview_media/security_domain.png - :scale: 30% +In the above example, two identical VPN CIDRs 10.10.1.0/24 are advertised to two TGW VPNs but are in the +same domain. Both have Approval enabled. +Whichever VPN attachment learns the CIDR first and is approved, its attachment is +programmed into Spoke associated +TGW route table, in this case, VPN1 attachment is approved first and is programmed into the Spoke associated +TGW route table. VPN2 CIDR should continue to remain in pending list. If VPN1 +withdraw route 10.10.1.0/24, you can initiate approval by moving the VPN2 pending CIDR to +the approved panel, and this time it should be programmed. -.. 
|domain_policy_diagram| image:: tgw_overview_media/domain_policy_diagram.png - :scale: 30% +Example 2 One TGW VPN requires approval and another one does not +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -.. |tgw_view| image:: tgw_overview_media/tgw_view.png - :scale: 30% +|tgw_vpn_different_domains| -.. |tgw_transit_vpc_compare| image:: tgw_overview_media/tgw_transit_vpc_compare.png - :scale: 30% +In the second example, TGW VPN2 link 10.10.9.0/24 is in a different domain and does not require +approval. Its route is propagated to the Spoke TGW route table, +while TGW VPN1 link 10.10.1.0/24 is statically +programmed to Spoke TGW route table after approval is initiated by the customer. + +Note in the second example, if TGW VPN2 link advertises the same network CIDR 10.10.1.0/24, this CIDR will be propagated first and TGW VPN1 approval request will be rejected and the CIDR 10.10.1.0/24 from +TGW VPN1 remains in the approval pending list. -.. |tgw_transit_orchestrator_compare| image:: tgw_overview_media/tgw_transit_orchestrator_compare.png +.. |tgw_approval| image:: tgw_overview_media/tgw_approval.png :scale: 30% -.. |edge_segmentation| image:: tgw_overview_media/edge_segmentation.png +.. |tgw_two_vpn_approval| image:: tgw_approval_media/tgw_two_vpn_approval.png :scale: 30% -.. |tgw_approval| image:: tgw_overview_media/tgw_approval.png +.. |tgw_vpn_different_domains| image:: tgw_approval_media/tgw_vpn_different_domains.png :scale: 30% .. disqus:: diff --git a/HowTos/tgw_approval_media/tgw_two_vpn_approval.png b/HowTos/tgw_approval_media/tgw_two_vpn_approval.png new file mode 100644 index 000000000..909d8df22 Binary files /dev/null and b/HowTos/tgw_approval_media/tgw_two_vpn_approval.png differ 
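Review bot: the removed ".. important::" block carried an operational limit that the new "How does it work?" text does not mention: with Approval enabled, the RFC-1918 summary routes are not programmed into the Spoke VPC route tables, specific entries are, and more than 50 entries needs an AWS support request (up to 1000). If that still holds, keep the note, since operators size route tables on it; if it no longer holds, the hunk should say so rather than drop it silently. In Example 2, the last paragraph says a CIDR advertised by a connection in a domain without Approval "will be propagated first and TGW VPN1 approval request will be rejected", which means an attachment without Approval can pre-empt an approved prefix for the same CIDR; state that explicitly as a caveat (Approval only governs the connections it is enabled on). Minor: in Example 1 "If VPN1 withdraw route" should be "withdraws", and the heading "Example 2 One TGW VPN requires approval..." needs the colon used in Example 1.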
diff --git a/HowTos/tgw_approval_media/tgw_vpn_different_domains.png b/HowTos/tgw_approval_media/tgw_vpn_different_domains.png new file mode 100644 index 000000000..6e5ceb25b Binary files /dev/null and b/HowTos/tgw_approval_media/tgw_vpn_different_domains.png differ diff --git a/HowTos/tgw_build.rst b/HowTos/tgw_build.rst index 57b28d00f..c81de53e8 100644 --- a/HowTos/tgw_build.rst +++ b/HowTos/tgw_build.rst @@ -4,7 +4,7 @@ ========================================================= -AWS Transit Gateway Orchestrator Build +TGW Build ========================================================= At the Build stage, you attach VPCs to an AWS Transit Gateway (TGW) and security domain. Each VPC can only be attached to one security domain. 
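Review bot: renaming the title from "AWS Transit Gateway Orchestrator Build" to "TGW Build" (and the parallel title changes to tgw_csr_migrate.rst and tgw_design_patterns.rst further down this patch) changes the section anchor Sphinx derives from the heading, so any fragment link elsewhere in the docs that targets the old title text stops resolving; grep for the old titles before merging.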
@@ -46,7 +46,46 @@ For example, you can attach a VPC to prod_domain created at the Plan page, as sh This step detaches a VPC from a AWS Transit Gateway and Domain. +========================================================= +Build a TGW Connect Attachment +========================================================= + +A *TGW Connect attachment* creates a connection between the Connect VPC, Connect Attachment, Transport Attachment and third-party appliances. + +Note: Only VPC attachments to a TGW Connect attachment are supported. + + +TGW Connect Components +---------------------- + +**Connect VPC** - Central VPC containing EC2 instances running third-party virtual appliances that connect to the TGW over the Connect attachment. +**Connect Attachment** - TGW attachment type that leverages the Transport TGW attachment (existing VPC as transport) for the third-party appliance to connect to the TGW. Generic Routing Encapsulation (GRE) tunneling protocol and Border Gateway Protocol (BGP) are supported over the Connect attachment. +**Transport Attachment** - TGW attachment type (VPC attachment) used as the underlying transport by the Connect attachment. +**Third-Party Appliances** - Third-party virtual router and gateway appliances running on an EC2 instance, in a Connect VPC that leverages VPC attachment as the transport. It establishes BGP peering with the TGW over a GRE tunnel using the Connect attachment. It is also responsible for exchanging traffic with the TGW over an encapsulation channel. + + +In the following example, TGW CIDR block (1.1.1.0/24) is used as the Connect peer IP (GRE outer IP 1.1.1.1) on the TGW side. + +|tgw_connect_vpc| + +Building the TGW Connect +------------------------ + +1. Attach the Connect VPC to TGW using a VPC attachment. +2. Launch the third-party virtual appliances in the Connect VPC. +3. Configure a TGW CIDR block which will be used as the Connect peer IP (GRE outer IP) on the TGW side. +4. 
Create a Connect attachment on the TGW using VPC attachment as the Transport attachment. +5. Create a Connect peer (GRE tunnel) specifying the GRE and BGP parameters. +6. Add an additional Connect peer on the TGW attachment page. +7. Create a route in the appropriate VPC/Subnet route table for the third-party virtual appliances to connect with the TGW side Connect peer IP (GRE tunnel IP). You can use the *Edit Spoke VPC Customized Routes* feature to configure the route. +8. Complete the Connect peer configuration (GRE tunnel and BGP peering configuration) on the third-party virtual appliances. + + + .. |prod_vpc_attach| image:: tgw_build_media/prod_vpc_attach.png - :scale: 30% + :scale: 80% + +.. |tgw_connect_vpc| image:: tgw_build_media/tgw_connect_vpc.png + :scale: 80% .. disqus:: diff --git a/HowTos/tgw_build_media/tgw_connect_vpc.png b/HowTos/tgw_build_media/tgw_connect_vpc.png new file mode 100644 index 000000000..b07a38fca Binary files /dev/null and b/HowTos/tgw_build_media/tgw_connect_vpc.png differ diff --git a/HowTos/tgw_csr_migrate.rst b/HowTos/tgw_csr_migrate.rst index fe8d60787..9cb07f3d1 100644 --- a/HowTos/tgw_csr_migrate.rst +++ b/HowTos/tgw_csr_migrate.rst @@ -3,7 +3,7 @@ :keywords: Transit Gateway, AWS Transit Gateway, TGW, CSR Migration ============================================================== -Migrating a CSR Transit to Next Gen Transit for AWS +Migrating a CSR Transit to AWS Transit Gateway (TGW) ============================================================== This document assumes that you have deployed a `CSR Transit solution `_ with Transit hub CSR instances and VGWs diff --git a/HowTos/tgw_design_patterns.rst b/HowTos/tgw_design_patterns.rst index 542bc8d13..3a2731e9d 100644 --- a/HowTos/tgw_design_patterns.rst +++ b/HowTos/tgw_design_patterns.rst 
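Review bot: the note "Only VPC attachments to a TGW Connect attachment are supported" in this hunk contradicts the new HowTos/tgwconnect.rst added in the same change, whose step 4 says the transport can be "either the VPC attachment or the AWS Direct Connect attachment"; pick one statement and cross-link the two pages so they cannot drift apart again. Two smaller points in the same section: the example TGW CIDR block 1.1.1.0/24 (GRE outer IP 1.1.1.1) is publicly routed address space, so a reader who copies it will collide with real Internet destinations; use an RFC 5737 documentation range such as 192.0.2.0/24 or an unused RFC 1918 block. And the four "**Connect VPC** - ..." definition lines under "TGW Connect Components" have no blank line between them, so Sphinx will run them together into a single paragraph; separate them with blank lines or use a definition list.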
@@ -4,7 +4,7 @@ ========================================================= -AWS Transit Gateway Orchestrator Design Patterns +TGW Design Patterns ========================================================= Many design patterns exist to deploy your network with the AWS Transit Gateway Orchestrator. Here are some @@ -147,12 +147,24 @@ On the Aviatrix side, use the option `External Devices `_ when making the connection. |tgw_other_cloud| +Extending Security Domains to on-prem Sites +---------------------------------------------- + +If the Aviatrix Transit Gateway connect to multiple sites over IPSec or GRE tunnels, the Security Domains can be +extended to each site as shown below, where Blue Domain in the cloud can only communicate with Site 2, Green +Domain can only communicate with Site 1. Routes are only advertised within the domain and data traffic is segmented +by the Security Domains. + +|edge_seg| + + + .. |default_domain_design| image:: tgw_design_patterns_media/default_domain_design.png :scale: 30% @@ -203,4 +215,7 @@ in the diagram below. On the Aviatrix side, use the option `External Devices Plan -> Step 7 + 1. Prepare. Create a DXGW on AWS Console, figure out the cloud VPCs summary prefixes. i.e., prepare for TGW Orchestrator -> Plan -> Step 7 #. Disconnect Aviatrix Transit Gateway from VGW. Transit Network -> Setup -> Step 8 (Disconnect VGW) #. Connect. Connect to DXGW. TGW Orchestrator -> Plan -> Step 7 
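Review bot: the new "Extending Security Domains to on-prem Sites" section references the |edge_seg| substitution, but none of this hunk's twelve added lines defines it; make sure the ".. |edge_seg| image:: ..." directive is added with the other image definitions (the later hunk in this file is not legible here), otherwise Sphinx stops with an undefined-substitution error. Also "If the Aviatrix Transit Gateway connect to multiple sites" should read "connects", and the run-on is clearer as two sentences: "... extended to each site as shown below. The Blue Domain in the cloud can only communicate with Site 2, and the Green Domain only with Site 1."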
@@ -396,11 +396,14 @@ Edge Segmentation works across Connection Policies for `AWS TGW Peered Setup -> Step 3, Connect to VGW/External Device/CloudN, to select the option "Enable Edge Segmentation". +To enable Edge Segmentation, go to Multi-Cloud Transit Network -> Advanced Config, select Transit Gateway, and scroll to “AWS TGW Segmentation” and “Enable” +How to enable multicast capability function on TGW? +--------------------------------------------------- +Multicast capability function is able to be turned on when users launch AWS TGW. This is API support only. .. |tgw_overview| image:: tgw_overview_media/tgw_overview.png diff --git a/HowTos/tgw_limits.rst b/HowTos/tgw_limits.rst index dd5478469..b7552c368 100644 --- a/HowTos/tgw_limits.rst +++ b/HowTos/tgw_limits.rst @@ -36,11 +36,11 @@ Below is a list of commonly asked limits and limitations by network engineers. Functions Limits Comments =================================================== =============== ===================== Propagating on-prem routes to Spoke VPC route table not supported VPC owner's responsibility. Learn more `here `_ -Direct Connect support on TGW not supported Publicly announced in the roadmap -Inter region TGW connectivity not supported +Direct Connect support on TGW supported +Inter region TGW connectivity supported TGW VPN Static manual In addition to updating Spoke VPC route table, you need to update the TGW route table for on-prem routes. TGW VPN BGP prefix total 100 TGW does not summarize Spoke VPC CIDRs routes. The total route limit is aggregated routes from both on-prem and Spoke VPCs. -Spoke VPC Route entries in a route table 100 Default is 50. Performance is impacted on 100 routes. +Spoke VPC Route entries in a route table 100 Default is 50. Performance is impacted when more than 100 routes present. =================================================== =============== ===================== 
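Review bot: the new multicast FAQ answer "This is API support only" does not say which API; state whether the option is exposed through the Aviatrix Controller API or only when the TGW is created natively in AWS, and make explicit that it is a create-time choice, since the answer already ties it to "when users launch AWS TGW" and readers will otherwise look for a toggle on an existing TGW. The rewritten Edge Segmentation answer just above ends on "and "Enable"" with no verb and no period; suggest "... scroll to "AWS TGW Segmentation" and click Enable."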
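Review bot: in the tgw_limits.rst hunk, the rewritten "Spoke VPC Route entries in a route table" row states a limit of 100 and then says performance is impacted "when more than 100 routes present", which cannot occur under a 100-route limit; say what was meant, for example that performance degrades as the table approaches the raised limit of 100. The two rows flipped to "supported" (Direct Connect, inter-region peering) now have an empty Comments column; a link to the corresponding Plan-page steps would make the table useful rather than just correct.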
diff --git a/HowTos/tgw_list.rst b/HowTos/tgw_list.rst new file mode 100644 index 000000000..368647313 --- /dev/null +++ b/HowTos/tgw_list.rst 
@@ -0,0 +1,157 @@ +.. meta:: + :description: TGW List + :keywords: AWS Transit Gateway, Transit Gateway, AWS TGW, TGW orchestrator, Aviatrix Transit network, TGW Build + + +========================================================= +TGW List +========================================================= + +TGW List page provides the list of TGW Attachments and TGW Security Domains. It also allow you to make modular changes on attachments and Security Domains. + +For background information, refer to the `TGW Orchestrator FAQ `_. + +Before you show list, you must have at least completed some `TGW Build `_ in Build page. + +TGW +------ + +TGW lists the TGWs created by the Controller. + +TGW lists also allows you to select a FireNet Inspection Mode. + +TGW Attachments +------------------------------------------- + +Show Details +~~~~~~~~~~~~~~~ + +Show Details display routing details of TGW attachments, Spoke VPC or TGW VPN/DXGW. +The routing details include Spoke VPC's VPC route table entries, its attached TGW route table entries and Edge +Domain VPC route table entries and its TGW route tables entries. The visibility helps verifying the correctness +of route entries. + +To view, go to TGW Orchestrator -> List -> TGW Attachment. Select the attachment, click Actions -> Show Details. + +Show Attachment Reachability +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Show Attachment Reachability displays the selected attachment's connectivity configuration graphically. + + +Audit Routes +~~~~~~~~~~~~~~ + +Audit Routes verify route correctness by scanning the attachment's VPC route table, its attached TGW route table +and connected TGW route tables. Use this to detect missing routes deleted by mistake or through programming +errors. + +Update VPC CIDR +~~~~~~~~~~~~~~~~~ + +If a new Spoke VPC CIDR is added/deleted or a new VPC route is added/deleted, clicking this option updates VPC +attachments without having to detach the VPC first. 
+ +Update VPC CIDR automatically makes routing adjustment when there is VPC CIDR change, for example, a new VPC CIDR has +been added to the VPC. It also makes routing adjustment when a new route table is added or deleted. + +To configure, go to TGW Orchestrator -> List -> TGW Attachment. Select the attachment, click Actions -> Update VPC CIDR. + + +Edit Spoke VPC Customized Routes +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +By default, RFC 1918 summarized routes and learned non RFC 1918 specific routes are dynamically programmed into +each Spoke VPC's VPC route table. This feature allows you to statically program specific routes whose +target is TGW. + +.. Note:: + + When Edit Spoke VPC Customized Routes is enabled, all dynamically learned routes by the Spoke VPC are not programmed into the Spoke VPC route tables. + +To configure, go to TGW Orchestrator -> List -> TGW Attachment. Select the attachment, click Actions -> Edit Spoke VPC Customized Routes. Enter a list of network CIDRs separated by comma. + + +Edit Spoke VPC Advertised Routes +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +By default, Spoke VPC advertises its VPC CIDR to TGW route table. This feature allows you to advertise different network CIDRs. + +There are environments where all Spoke VPCs have one identical CIDR, attaching these Spoke VPCs to a TGW will result in error. +For example, Spoke VPC CIDR is 10.10.0.0/16, 100.100.0.0/16 where 100.100.0.0/16 is common across all Spoke VPCs. +By using this feature, the Spoke VPC only advertises 10.10.0.0/16. + +To configure, go to TGW Orchestrator -> List -> TGW Attachment. Select the attachment, click Actives -> Customize Spoke VPC Advertised Routes. Enter a list of network CIDRs separated by comma. + +Edit Spoke VPC Local Route Propagation +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This feature changes an attached Spoke VPC local route propagation attribute without detaching the VPC. + +To configure, go to TGW Orchestrator -> List -> TGW Attachment. 
Select one attachment, click Actions -> Edit Spoke VPC Local Route Propagation. + +Switch Security Domain +~~~~~~~~~~~~~~~~~~~~~~~~~ + +This feature allows you to switch a Spoke VPC's Security Domains without having to detach the Spoke VPC first. + +To configure, go to TGW Orchestrator -> List -> TGW Attachment. Select one attachment, click Actions -> Switch Security Domain. In the drop +down menu, select the desired Security Domain, click Update. + +FireNet Management +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +To allow access to the private IP of the MGMT interface of the Firewalls, enable Management Access From Onprem. This feature advertises the Firewalls private MGMT subnet to your Edge domain. This allows administrators and Firewall MGMT servers to connect to the Firewall without having to go over the internet. + +To enable, to to TGW Orchestrator -> List and highlight the FireNet VPC. Then choose Actions -> FireNet Management. + +TGW Security Domains +------------------------- + +Show Details +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Show Details display the TGW route table entries. + +Edit Intra Domain Inspection +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +By default, traffic between VPCs in the same Security Domain does not get inspected by firewalls in the FireNet deployment. + +This feature allows you to enable firewall inspection for traffic within one Security Domain. + +Enable Edge Inspection +~~~~~~~~~~~~~~~~~~~~~~~~ + +This option applies to connection-based inspection mode. When connection-based inspection is enabled, use this option to enable Egress +inspection for a specific domain. + +TGW Connection +---------------- + +TGW -> List -> Connection lists all Connection Policies. Each Connection Policy is represented by two rows. +Each row represents one Connection Policy in one direction. + +Enable Inspection +~~~~~~~~~~~~~~~~~~~ + +This configuration is to specify an inspection rule for connection-based mode. + +Select one Connection Policy row by clicking on the row. 
Then click Actions -> Enable Inspection. In the pop up drop down menu, select the +firewall domain to associate. Click Update. The reverse direction is automatically configured. + +Disable Inspection +~~~~~~~~~~~~~~~~~~~ + +This configuration is to disable an inspection rule for connection-based mode. Disable Inspection is only available for an inspection rule +if it is already enabled. + +Select one Connection Policy row by clicking on the row. Then click Actions -> Disable Inspection. In the pop up drop down menu, select the +firewall domain to disassociate. Click Update. The reverse direction is automatically configured. + + + + +.. |firewall_launch| image:: tgw_list_media/firewall_launch.png + :scale: 30% + +.. disqus:: diff --git a/HowTos/tgw_plan.rst b/HowTos/tgw_plan.rst index 8b9f80ef0..260cc9200 100644 --- a/HowTos/tgw_plan.rst +++ b/HowTos/tgw_plan.rst @@ -4,11 +4,11 @@ ========================================================= -AWS Transit Gateway Orchestrator Plan +TGW Plan ========================================================= -The AWS Transit Gateway (TGW) Orchestrator Plan is the first stage in deploying a Next Gen Transit Network using AWS Transit Gateway. +The AWS Transit Gateway (TGW) Orchestrator Plan is the first stage in deploying a AVX Transit Network using AWS Transit Gateway. After you go through the Plan stage configuration, you can proceed to the `Build stage `_ to attach VPCs. 
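Review bot: in the new tgw_list.rst, the "Edit Spoke VPC Advertised Routes" section tells the reader to click "Actives -> Customize Spoke VPC Advertised Routes", which both misspells Actions and names a menu item different from the section heading; use one name consistently. Other wording fixes in this file: "to to TGW Orchestrator" under FireNet Management, "It also allow you" (allows), "Show Details display" (displays), "Audit Routes verify" (verifies), and "Before you show list" (for example "Before the list is populated, you must have completed at least one attachment on the Build page"). The FireNet Management paragraph should also spell out the exposure it creates: advertising the firewalls' private MGMT subnet into the Edge domain makes the management interfaces reachable from every on-prem network in that domain, so access still needs to be restricted with the management interface's security group and on-prem firewall rules. Finally, |firewall_launch| is defined at the bottom of the page but never referenced.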
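Review bot: in the tgw_plan.rst @@ -4 hunk, "deploying a AVX Transit Network" should be "deploying an Aviatrix Transit Network"; AVX is not used as an abbreviation anywhere else in these pages and the article is wrong either way.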
@@ -59,7 +59,7 @@ Note that the three domains are connected, implying that if you attach a VPC to Account Name An `Aviatrix account `_ that corresponds to an IAM role or account in AWS. Region One of the AWS regions TGW Name The name of the AWS Transit Gateway -AWS Side AS Number Default AS number is 64512. This field currently is not used. +AWS Side AS Number TGW ASN number. Default AS number is 64512. ========================================== ========== After AWS Transit Gateway is created, you can validate by going to `View page `_ and seeing what has been created. @@ -87,9 +87,9 @@ In the example below, a new domain called prod_domain is created. ========================================== ========== TGW Name The name of the AWS Transit Gateway Security Domain Name Specify a unique domain name. For example, Dev_Domain -Aviatrix Firewall Domain Check this box if this domain is for Aviatrix Firewall Network. -Native Egress Domain Check this box if this domain is for non Aviatrix Firewall Network based central Internet bound traffic -Native Firewall Domain Check this box if this domain is for non Aviatrix Firewall Network based firewall traffic inspection +Aviatrix Firewall Domain Check this box if this domain is for Aviatrix FireNet +Native Egress Domain Check this box if this domain is for non Aviatrix FireNet based central Internet bound traffic. Native Egress Domain is not recommended as it only supports an active-standby firewall deployment. +Native Firewall Domain Check this box if this domain is for non Aviatrix FireNet based firewall traffic inspection. Native Firewall Domain is not recommended as it only supports an active-standby firewall deployment. ========================================== ========== 3. Build Your Domain Connection Policies 
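Review bot: "AWS Side AS Number   TGW ASN number. Default AS number is 64512." is redundant (ASN already means AS number) and, since the old text said the field was unused and the new text implies it is now used, it should say what values are accepted: AWS accepts a 16-bit private ASN in 64512 to 65534 or a 32-bit ASN in 4200000000 to 4294967294 for a Transit Gateway. Suggested: "The ASN assigned to the TGW (64512 to 65534, or 4200000000 to 4294967294). Default is 64512."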
@@ -123,46 +123,32 @@ Direct Connect or Internet. 4. Setup Aviatrix Transit GW ------------------------------------------------------------------ -If your deployment does not require on-prem connection or to another Transit gateway, skip this section. Later when the -requirement changes, return to this section and start with Step 4 to setup. +This section, Step 4, 5 and 6, is about deploying Aviatrix Transit Gateways in a VPC and attach the VPC to TGW. From TGW point of view, this VPC is +a Spoke VPC attached to TGW, however from Controller point of view, the Aviatrix Transit Gateway is the packet forwarding engine to on-prem +or to another Aviatrix Transit Gateway. The direct attachment architecture allows the Aviatrix Transit Gateways to forward packets to TGW and Spoke VPCs +at the rate of 50Mbps as specified by TGW. -.. tip:: - - Create a new transit VPC at `Useful Tools -> Create a VPC `_. Select the option "Aviatrix Transit VPC". - If you would like to continue to use your existing transit VPC and it is too small (not enough of /28 unused segments), use AWS Edit VPC CIDR feature to create a new /24 subnet for the Aviatrix Transit Gateway in TGW use case. - -4.1 Non DMZ Transit Network -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Non DMZ Transit refers to the configuration where Aviatrix Transit gateway at the edge VPC connects to on-prem in the following scenarios, - - - AWS VGW - - External Device over Direct Connect or Internet - - Aviatrix Appliance CloudN. - -|transit_gw| +The use case for this deployment is to use Aviatrix Transit Gateway to connect to on-prem or to peer with another Aviatrix Transit Gateway. -Step 4.1 is to take a detour to set up an Aviatrix Transit GW if you have not done so. Follow the `the Transit Network workflow `_ and complete Transit Network workflow Steps 1, 2 and 3. +If you intend to use `TGW DXGW to connect to on-prem `_ , `TGW VPN to connect to on-prem `_ or use `native TGW Peering to +connect to regions `_ , skip this section. 
-When complete, return to this section and continue to Step 5 in this workflow to Enable Aviatrix Transit GW for Hybrid Connection. +This section is modular, return to this section anytime if your requirements change later. +.. tip:: -4.2 Transit DMZ -~~~~~~~~~~~~~~~~~ - -If you plan to deploy Transit DMZ as shown below, follow the `Transit DMZ workflow `_ to launch the gateways and complete Transit DMZ workflow Step 1, Step 2 and Step 3. Step 4 can be setup at any time later. - -|transit_dmz| + We strongly recommend you to create a new transit VPC at `Useful Tools -> Create a VPC `_. Select the option "Aviatrix Transit VPC". + If you would like to use an existing VPC and its network CIDR is too small (not enough of /28 unused CIDR segments), use AWS Edit VPC CIDR feature to create a new /23 subnet to deploy the Aviatrix Transit Gateway in TGW use case. -When complete, you are done! +To deploy the Aviatrix Transit Gateways, take a detour and complete Step 1 & 2 in the `Transit Network workflow `_. If you intent to use Aviatrix Transit Gateway to connect to on-prem, also complete `Step 3 `_. -(The next two steps, Step 5 and Step 6 in this workflow should have already been executed for the Main gateway, i.e., you can skip the next two steps.) +When complete, return to this section and continue to Step 5 in this workflow to Enable Aviatrix Transit GW to TGW. 5. Prepare Aviatrix Transit GW for TGW Attachment --------------------------------------------------------------- -The Aviatrix Transit GW created in Step 4 does not build an IPSEC tunnel to AWS Transit Gateway. The networking between AWS Transit Gateway and the Aviatrix Transit GW is via the AWS VPC infrastructure. +The Aviatrix Transit GW created in Step 4 does not build an IPSEC tunnel to AWS Transit Gateway. The networking between AWS Transit Gateway and the Aviatrix Transit GW is via the AWS VPC infrastructure. This step designates an Aviatrix Transit GW to be used in conjunction with the AWS Transit Gateway. 
It creates a second Ethernet interface eth1 on the Aviatrix Transit GW for sending and receiving packets from AWS Transit Gateway. @@ -175,8 +161,8 @@ It also creates two subnets, -tgw-ingress and -tgw-egress and two respective ro ========================================== ========== **Setting** **Value** ========================================== ========== -Account Name An `Aviatrix account `_ that corresponds to an IAM role or account in AWS. This account is for launching Transit gateway. It does not need to be the same account as AWS Transit Gateway creator. -Gateway Namen Select a Transit GW from the drop down menu. +Cloud Type AWS or AWS Gov Cloud +Aviatrix Transit Gateway Name Select a Transit GW from the drop down menu. ========================================== ========== 6. Attach Aviatrix Transit GW to TGW @@ -199,12 +185,12 @@ In this step, route entries are added to the two created private subnet route ta |transit_complete| -After you finish Step 4, 5 and 6, your hybrid connection setup is complete. In the above example, +After you finish Step 4, 5 and 6, your hybrid connection using Aviatrix Transit Gateway for TGW setup is complete. +In the above example, if you have any Spoke VPCs attached to the prod_domain, EC2 instances should be able to communicate with on-prem. (Make sure instance security groups and any on-prem firewalls are configured properly.) - ------------------------------------------------------------------------------------------------- +------------------------------------------ This section consists of TGW native VPN, Direct Connect and TGW Inter Region Peering functions. 
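Review bot: in the @@ -123 hunk, "forward packets to TGW and Spoke VPCs at the rate of 50Mbps as specified by TGW" looks like a unit error; the AWS Transit Gateway limit per VPC attachment is 50 Gbps, and 50 Mbps would be an argument against this design. Please confirm the figure and, as it is an AWS quota, cite the AWS Transit Gateway quotas page instead of "as specified by TGW". Also in this hunk: the tip changes the recommended carve-out from /24 to /23 without saying why a larger block is now needed; "If you intent to use" should be "intend"; "deploying Aviatrix Transit Gateways in a VPC and attach the VPC" should be "attaching"; "We strongly recommend you to create" reads better as "We strongly recommend creating"; and "Step 1 & 2" as "Steps 1 and 2".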
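Review bot: in the @@ -199 hunk, "your hybrid connection using Aviatrix Transit Gateway for TGW setup is complete" stacks four nouns; suggest "your hybrid connection through the Aviatrix Transit Gateway to the TGW is complete". The shortened transition line is fine for RST (four or more characters suffice), but check that the section title it introduces still follows, since a transition directly before a heading is reported by docutils.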
@@ -212,13 +198,14 @@ Since TGW does not propagate learned routes from DXGW or VPN to Spoke VPCs, Avia this problem by periodically polling the TGW route table and programming the learned routes to attached Spoke VPCs. Setup AWS Transit Gateway VPN Connection -------------------------------------------- +-------------------------------------------- -This section configures a native VPN connection from TGW. It takes two steps: first configure, then download the configuration. Step 7 Setup VPN Connection ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +This function configures a native TGW VPN. It takes two steps: first configure, then download the configuration. + This step creates a VPN connection from TGW in a selected Security Domain. ========================================== ========== @@ -287,7 +274,7 @@ It takes two steps to connect two Security Domains in two regions. .. tip:: - Your Controller may not have the latest IAM policies to execute TGW peering, go to Accounts -> Access Accounts. Click the 3 dot skewer for the account where TGW is deployed and click Update policy. Do so for the all TGW accounts if you wish to TGW build inter region peering. + Your Controller may not have the latest IAM policies to execute TGW peering, go to Accounts -> Access Accounts. Select the account where TGW is deployed and click `Update Policy`. Do so for the all TGW accounts if you wish to TGW build inter region peering. 
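Review bot: the rewritten tip in the @@ -287 hunk keeps "Do so for the all TGW accounts if you wish to TGW build inter region peering" verbatim; since the line is being touched anyway, fix it to "Do so for all TGW accounts if you want to build inter-region TGW peering." Because clicking Update Policy changes the IAM permissions the Controller holds in each account, the tip should also link to the policy document so administrators can review the added permissions before applying them.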
@@ -308,6 +295,17 @@ Region 2 Select a region where the peerin AWS Transit Gateway Name 2 Select an AWS TGW Created `here `_ ========================================== ========== +Inspect Inter Region Traffic +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Starting from Release 6.1, the Security Domain associated with each TGW Peering attachment is available for user. The Security Domain has the +name `peering_`. For example, for the TGW with name tgw-1, the peering Security Domain is `peering_tgw-1`. + +You can specify FireNet inspection policy on this Security Domain. When you do so, it implies that any cross region traffic +is inspected. Use TGW -> Plan -> Add/Modify Connection Policies to connect the peering domain with FireNet Domain. + +Note to avoid double inspections by two FireNet gateways associated with each TGW, configure the connection policy between peering domain and FireNet domain on only one TGW. + b. Build Connection Policies ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -332,6 +330,11 @@ This section consists of delete functions. To delete an Aviatrix Transit GW attached to a AWS Transit Gateway, go through Step 7 and Step 8 listed below. Then go to Controller Gateway page to terminate the gateway instance. + +Setup AWS Transit Gateway Connect +---------------------------------------------------- + + Detach Aviatrix Transit GW from TGW ---------------------------------------------------- diff --git a/HowTos/tgw_plan_media/prepare_tgw_attach.png b/HowTos/tgw_plan_media/prepare_tgw_attach.png index a06889234..bd43e6318 100644 Binary files a/HowTos/tgw_plan_media/prepare_tgw_attach.png and b/HowTos/tgw_plan_media/prepare_tgw_attach.png differ diff --git a/HowTos/tgw_plan_media/transit_complete.png b/HowTos/tgw_plan_media/transit_complete.png index 878edec4e..9efe1ef80 100644 Binary files a/HowTos/tgw_plan_media/transit_complete.png and b/HowTos/tgw_plan_media/transit_complete.png differ 
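Review bot: in the @@ -308 hunk, the naming pattern appears as "`peering_`" with nothing after the underscore, so the placeholder for the TGW name was lost (the example peering_tgw-1 that follows shows what was intended); write it as ``peering_<TGW name>`` in a literal so Sphinx does not swallow the angle brackets. "is available for user" should be "is available to users", and the final note would be clearer as a ".. Note::" directive, since it carries the one rule that prevents double inspection.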
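Review bot: the @@ -332 hunk adds a "Setup AWS Transit Gateway Connect" heading with no body, directly under "This section consists of delete functions." and immediately before "Detach Aviatrix Transit GW from TGW"; either move it out of the delete section and fill it in (or link to the new tgwconnect.rst and the "Build a TGW Connect Attachment" section in tgw_build.rst), or leave it out of this change rather than shipping an empty section.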
diff --git a/HowTos/tgwconnect.rst b/HowTos/tgwconnect.rst new file mode 100644 index 000000000..7804641a9 --- /dev/null +++ b/HowTos/tgwconnect.rst 
@@ -0,0 +1,57 @@ +.. meta:: + :description: AWS TGW Connect over Direct Connect + :keywords: AWS TGW Connect,DX + + +============================================================ +AWS TGW Connect over Direct Connect +============================================================ + + +Overview for AWS TGW Connect over Direct Connect +================================================ + +Amazon Web Services (AWS) enables AWS customers to integrate their Software Defined Wide Area Network (SD-WAN) devices with AWS Transit Gateway and AWS Direct Connect so they can use their existing SD-WAN devices to connect their on-premises networks to an AWS Transit Gateway. Refer to the following AWS articles for information about the attachments types involved (Transit Gateway Connect attachment and Transit Gateway Connect peer): + +https://aws.amazon.com/blogs/networking-and-content-delivery/simplify-sd-wan-connectivity-with-aws-transit-gateway-connect/ + +https://aws.amazon.com/blogs/networking-and-content-delivery/integrate-sd-wan-devices-with-aws-transit-gateway-and-aws-direct-connect/ + +In support of this, Aviatrix enables you to create one or multiple Transit Gateway Connect attachments over Direct Connect. You can also create Transit Gateway Connect peer attachments. For instructions, see Enable AWS TGW connect over Direct Connect. + +Enable AWS TGW Connect over Direct Connect +=========================================== + +To enable AWS TGW Connect over Direct Connect: + +1. (On AWS) Set up Direct Connect Gateway and the Transit virtual interface. +2. (In Aviatrix Controller) Edit the TGW CIDR blocks. Go to the TGW Orchestrator > List > TGW tab. Select the gateway and edit its CIDR in the Edit TGW CIDR dialog. + - Maximum number of CIDR blocks is 5. + - The CIDR block must be the same as Direct Connect allowed prefix (e.g., 20.0.0.0/24). +3. (In Aviatrix Controller) Build TGW Direct Connect attachment with allowed prefix (e.g., 20.0.0.0/24). +4. 
(In Aviatrix Controller) Build TGW Connect attachment over AWS Direct Connect. In the TGW Orchestrator, in the step for Setup TGW Connect, select either the VPC attachment or the AWS Direct Connect attachment. You can build multiple TGW Connect attachments with the same transport Direct Connect attachment. +5. (In Aviatrix Controller) Build TGW Connect peer with GRE configuration. A connect peer is a GRE tunnel. The TGW Connect attachment supports up to four GRE tunnels (connect peers). Below is the information you specify (TGW Orchestrator > List > Attachments tab > Create Connect PeerWS) to create the TGW Connect peer. For the desciption of each parameter, refer to the AWS article: https://aws.amazon.com/blogs/networking-and-content-delivery/integrate-sd-wan-devices-with-aws-transit-gateway-and-aws-direct-connect/. + + Enter the information in Create Connect Peer: + + - Maximum number of TGW Connect peer: 4 + - AWS Transit Gateway GRE address: + - Peer GRE address: + - BGP Inside CIDR blocks: + + The BGP addresses must be unique across all tunnels in a TGW. IPv6 is not supported. The following CIDR blocks are reserved and cannot be used: + + 169.254.0.0/29, 169.254.1.0/29, 169.254.2.0/29, 169.254.3.0/29, 169.254.4.0/29, 169.254.5.0/29, 169.254.169.252/29 + + - Peer ASN: +6. (On your third-party branch appliances) Complete the Connect peer configuration (GRE tunnel and BGP peering configuration). + +If you have the same prefix propagated into your TGW route table coming from VPN, Direct Connect, and Transit Gateway Connect attachments, AWS evaluates the best path in the following order: + +Priority 1 – Direct Connect Gateway attachment + +Priority 2 – Transit Gateway Connect attachment + +Priority 3 – VPN attachment + +TGW Connect attachment over AWS Direct Connect 
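Review bot: in the new tgwconnect.rst, step 5's UI path "TGW Orchestrator > List > Attachments tab > Create Connect PeerWS" carries a stray "WS", and "desciption" should be "description". The example prefix 20.0.0.0/24 in steps 2 and 3 is publicly routed space; use an RFC 5737 documentation range or an RFC 1918 block so a copied value does not blackhole real destinations. "For instructions, see Enable AWS TGW connect over Direct Connect" should be a section cross-reference (and the heading spells it "Connect"). The nested bullets under step 5 are indented inconsistently: "- Peer ASN:" sits after the reserved-CIDR paragraph at a different level and will render detached from the other four fields; keep all five fields together and put the BGP note after them. The last line "TGW Connect attachment over AWS Direct Connect" has neither an underline nor an image directive after it; if it is a figure caption, add the image directive, otherwise drop it. The reserved 169.254.x.0/29 list and the path priority order (Direct Connect Gateway, then Connect, then VPN) agree with AWS's documentation.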
diff --git a/HowTos/transit_activemesh_spoke_overlap_cidr_media/cloud_instance_packet_capture.png b/HowTos/transit_activemesh_spoke_overlap_cidr_media/cloud_instance_packet_capture.png new file mode 100644 index 000000000..b376cf2be Binary files /dev/null and b/HowTos/transit_activemesh_spoke_overlap_cidr_media/cloud_instance_packet_capture.png differ diff --git a/HowTos/transit_activemesh_spoke_overlap_cidr_media/cloud_instance_to_onprem_host.png b/HowTos/transit_activemesh_spoke_overlap_cidr_media/cloud_instance_to_onprem_host.png new file mode 100644 index 000000000..ebdfb8f92 Binary files /dev/null and b/HowTos/transit_activemesh_spoke_overlap_cidr_media/cloud_instance_to_onprem_host.png differ diff --git a/HowTos/transit_activemesh_spoke_overlap_cidr_media/dnat_spoke_cloud_to_onprem.png b/HowTos/transit_activemesh_spoke_overlap_cidr_media/dnat_spoke_cloud_to_onprem.png new file mode 100644 index 000000000..b1307f81f Binary files /dev/null and b/HowTos/transit_activemesh_spoke_overlap_cidr_media/dnat_spoke_cloud_to_onprem.png differ diff --git a/HowTos/transit_activemesh_spoke_overlap_cidr_media/dnat_spoke_onprem_to_cloud.png b/HowTos/transit_activemesh_spoke_overlap_cidr_media/dnat_spoke_onprem_to_cloud.png new file mode 100644 index 000000000..92ddce2f4 Binary files /dev/null and b/HowTos/transit_activemesh_spoke_overlap_cidr_media/dnat_spoke_onprem_to_cloud.png differ diff --git a/HowTos/transit_activemesh_spoke_overlap_cidr_media/onprem_host_packet_capture.png b/HowTos/transit_activemesh_spoke_overlap_cidr_media/onprem_host_packet_capture.png new file mode 100644 index 000000000..f6a1e9b51 Binary files /dev/null and b/HowTos/transit_activemesh_spoke_overlap_cidr_media/onprem_host_packet_capture.png differ 
diff --git a/HowTos/transit_activemesh_spoke_overlap_cidr_media/onprem_host_to_cloud_instance.png b/HowTos/transit_activemesh_spoke_overlap_cidr_media/onprem_host_to_cloud_instance.png new file mode 100644 index 000000000..19bdc3b68 Binary files /dev/null and b/HowTos/transit_activemesh_spoke_overlap_cidr_media/onprem_host_to_cloud_instance.png differ diff --git a/HowTos/transit_activemesh_spoke_overlap_cidr_media/snat_spoke_ha_cloud_to_onprem.png b/HowTos/transit_activemesh_spoke_overlap_cidr_media/snat_spoke_ha_cloud_to_onprem.png new file mode 100644 index 000000000..e79d5e102 Binary files /dev/null and b/HowTos/transit_activemesh_spoke_overlap_cidr_media/snat_spoke_ha_cloud_to_onprem.png differ diff --git a/HowTos/transit_activemesh_spoke_overlap_cidr_media/snat_spoke_ha_onprem_to_cloud.png b/HowTos/transit_activemesh_spoke_overlap_cidr_media/snat_spoke_ha_onprem_to_cloud.png new file mode 100644 index 000000000..f4aef14f3 Binary files /dev/null and b/HowTos/transit_activemesh_spoke_overlap_cidr_media/snat_spoke_ha_onprem_to_cloud.png differ diff --git a/HowTos/transit_activemesh_spoke_overlap_cidr_media/snat_spoke_primary_cloud_to_onprem.png b/HowTos/transit_activemesh_spoke_overlap_cidr_media/snat_spoke_primary_cloud_to_onprem.png new file mode 100644 index 000000000..c23b30981 Binary files /dev/null and b/HowTos/transit_activemesh_spoke_overlap_cidr_media/snat_spoke_primary_cloud_to_onprem.png differ diff --git a/HowTos/transit_activemesh_spoke_overlap_cidr_media/snat_spoke_primary_onprem_to_cloud.png b/HowTos/transit_activemesh_spoke_overlap_cidr_media/snat_spoke_primary_onprem_to_cloud.png new file mode 100644 index 000000000..5e17c6582 Binary files /dev/null and b/HowTos/transit_activemesh_spoke_overlap_cidr_media/snat_spoke_primary_onprem_to_cloud.png differ 
diff --git a/HowTos/transit_activemesh_spoke_overlap_cidr_media/spoke_customized_spoke_advertise_vpc_cidr.png b/HowTos/transit_activemesh_spoke_overlap_cidr_media/spoke_customized_spoke_advertise_vpc_cidr.png new file mode 100644 index 000000000..246a32782 Binary files /dev/null and b/HowTos/transit_activemesh_spoke_overlap_cidr_media/spoke_customized_spoke_advertise_vpc_cidr.png differ diff --git a/HowTos/transit_activemesh_spoke_overlap_cidr_media/topology.png b/HowTos/transit_activemesh_spoke_overlap_cidr_media/topology.png new file mode 100644 index 000000000..131eca75b Binary files /dev/null and b/HowTos/transit_activemesh_spoke_overlap_cidr_media/topology.png differ diff --git a/HowTos/transit_advanced.rst b/HowTos/transit_advanced.rst new file mode 100644 index 000000000..4c7e43ac8 --- /dev/null +++ b/HowTos/transit_advanced.rst 
@@ -0,0 +1,210 @@ +.. meta:: + :description: Multi-Cloud Transit Network Advanced + :keywords: Transit VPC, Transit hub, AWS Global Transit Network, Encrypted Peering, Transitive Peering, AWS VPC Peering, VPN + + +================================================================ +Transit Advanced Config +================================================================ + +.. Note:: + + The advanced configuration applies to each Aviatrix Transit Gateway. Go to Multi-Cloud Transit -> Advanced Config -> Edit Transit. Select one gateway and apply the following changes. + +Local AS Number +-------------------- + +This option changes the Aviatrix Transit Gateway ASN number before you setup Aviatrix Transit Gateway connection configurations. + + +BGP Manual Advertised Network List +------------------------------------- + +This field is only applicable to Transit GW established by `Transit Network workflow `_. + +By default, Aviatrix Transit GW advertises individual Spoke VPC CIDRs to VGW. You can +override that by manually entering the intended CIDR list to advertise to VGW. + +This feature is critical to limit the total number of routes carried by VGW (maximum is 100). + +To enable this option in software version prior to 4.1, click Site2Cloud on the left navigation bar, select the connection established by `Step 3 `_, click to edit. +Scroll down to "Manual BGP Advertised Network List" to enable. + +For software version 4.1 and later, you will click Transit Network on the left navigation bar, click the Advanced Config option and browse to the Edit Gateway tab. Select the Transit Gateway you want to enable this feature on and scroll down to the "Manual BGP Advertised Network List" and enter the summarized CIDRs that you want to advertise + +To disable the option, leave the field blank and click "Change BGP Manual Spoke Advertisement". 
+ +Connection Manual BGP Advertised Network List +--------------------------------------------- + +Manual Advertise Routes per BGP Connection expands the existing gateway based manual advertising routes feature to apply it to each BGP connection. One use case is to have better route advertising control for each remote BGP peer. + +To enable this option on software version 6.3, + +- click "MULTI-CLOUD TRANSIT" on the left navigation bar, and then click the "Advanced Config" option + +- browse to the "Edit Transit" tab, and then select the Transit Gateway + +- find the panel "Connection Manual BGP Advertised Network List", and then select the connection name and fill the CIDRs to advertise under field "Advertised Network List" + +To disable the option, leave the field blank and click the button "CHANGE". + +Advertise Transit VPC Network CIDR(s) +-------------------------------------- + +This field is only applicable to Transit GW established by `Transit Network workflow `_. + +By default, Aviatrix Transit GW does not advertise Transit VPC `CIDR `_. + +When this feature is enabled, Aviatrix Transit GW advertises the Transit VPC CIDR to VGW. The Controller programs the 3 RFC1918 routes in the AWS route table to point to the Transit GW. It also programs the learned routes from VGW into the AWS route table. + +If you deploy instances in the Transit VPC, enabling "Advertise Transit VPC CIDR(s) mode allows the instance to communicate both to Spoke VPCs and on-prem network, assuming the Spoke VPCs are in the RFC1918 range. + +To enable this option in software version prior to 4.1, click Site2Cloud on the left navigation bar, select the connection established by `Step 3 `_, click to edit. +Scroll down to "Advertise Transit VPC Network CIDR(s)" to enable. + +For software version 4.1 and later, you will click Transit Network on the left navigation bar, click the Advanced Config option and browse to the Edit Gateway tab. 
Select the Transit Gateway you want and scroll down to enable the "Advertise Transit VPC Network CIDR(s)" option. + + +Connected Transit +-------------------- + +By default, Aviatrix Spoke VPCs do not have routing established to communicate +with each other via Transit. They are completely segmented. + +If you would like to build a full mesh network where Spoke VPCs communicate with each other via Transit GW, you can achieve that by enabling "Connected Transit" mode. All connections are encrypted. + +.. Note:: + + For a Spoke VPC/VNet in a multi-cloud transit to communicate with a Spoke VPC in TGW Orchestrator, Connected + Transit must be enabled on the Aviatrix Transit Gateway that connects both sides. + +For software version 4.1 and later, you will click Transit Network on the left navigation bar, click the Advanced Config option and browse to the Edit Gateway tab. Select the Transit Gateway you want to enable the Connected Transit. + +Note all Spokes should be either in HA mode or non HA mode. A mixed deployment where some Spokes have +HA enabled while others don't work in a normal environment, but does not work +when a failover happens on a HA enabled Spoke. + +BGP ECMP +----------- + +This option is to enable Equal Cost Multi Path (ECMP) routing for the next hop. For Aviatrix Transit Gateway next hop routing decision +process, refer to `ActiveMesh 2.0 next hop. `_. + +Click the Slide Bar to enable BGP ECMP. + +Active-Standby +-------------- + +This option is to provide the flexibility on Aviatrix Transit Gateways to connect to on-prem with only one active tunnel and the other one as backup. In addition, this Active-Standby Mode supports ActiveMesh 2.0 only. + +The use case is a deployment scenario where on-prem device such as firewall does not support asymmetric routing on two tunnels. 
When Active-Standby mode is enabled, it applies to both BGP and Static Remote Route Based External Device Connections and for each connection, only one tunnel is active in forwarding traffic at any given time. + +This feature can only be applied to non HA remote device in `Multi-cloud transit Step 3 `_. + +Click the Slide Bar to enable Active-Standby mode. + + +Multi-Tier Transit +----------------------- +Use the Multi-Cloud Transit Gateway option to implement a hierarchical transit gateway architecture that permits packets to traverse more than 2 Aviatrix transit gateways. In previous releases, full-mesh transit peering was required. You can now connect the two CSPs or regions through one peered connection. You must use ActiveMesh 2.0 to use multi-tier transit gateways, but full-mesh transit peering is not required. + +Guidelines + +* You can use Multi-Cloud Transit Gateway option with or without HPE. +* Inter and intra-region peering are both supported. +* Inter-CSP HPE over Internet is supported between AWS and Azure. +* AWS TGW peering is not supported. + + +Gateway AS Path Prepend +------------------------------------------- + +You can insert BGP AS_PATH on the Aviatrix Transit Gateway to customize the BGP AP_PATH field when it advertises to VGW or peer devices. For example, +enter 65458, 65478 in the input field, these ASN will appear to the remote end. + +This configuration applies to all BGP peers of the Aviatrix Transit Gateway. + +If you don't configure this field, Transit Gateway only advertises its own ASN. + +Connection AS Path Prepend +---------------------------- + +Customize AS Path Prepend by specifying AS PATH for each BGP connection. +This feature applies to any dynamic connection and Transit Gateway peering connections on a selected Aviatrix Transit Gateway. + +BGP Polling Time +--------------------- + +Aviatrix Transit Gateways report its BGP routes to the Controller periodically. By default, the periodic timer is 50 seconds. 
+This polling time affects BGP route change convergence time. + +This option changes the default polling time. The range is 10 seconds to 50 seconds. + + +BGP Hold Time +---------------------- +Use the BGP Hold Time option to manually set the BGP holding time for your Aviatrix transit gateway. The hold time specifies how long a router waits for incoming BGP messages before it assumes the neighbor is dead. + +The Aviatrix transit gateway hold time is bound to the Aviatrix keep alive message time which is always 1/3 of the hold time. By default, the Hold Time is 180 seconds and the Keep Alive time is 60 seconds. The supported Hold Time range is 12 to 180 seconds. If the remote site has a shorter hold time, the shorter hold time is used for the gateway. + + + +Refresh BGP Advertised Routes +--------------------------------------- + +This option reset BGP connection to the remote BGP peers. + +Use this option to enable new features such as "Segmentation based BGP CIDR Advertisements" where on-prem receives BGP advertisement +for networks on-prem has connection policy or in the same Security Domain. + +AWS TGW Edge Segmentation +---------------------------- + +Refer to `TGW Edge Segmentation `_ for details. + +TGW Edge Segmentation can be enabled at given time. Select a connection to enable or disable. + +BGP Overlapping Alert Email +---------------------------- + +When Aviatrix Controller detects overlapping network CIDRs in the network, it sends out alert emails to the admins. + +BGP Route Limit Alert Email +---------------------------------- + +AWS VGW BGP supports up to 100 routes. When this limit is reached, VGW BGP goes down and causes outage. This email alert +notifies admin when routes approach 90. + +.. |Test| image:: transitvpc_workflow_media/SRMC.png + :width: 5.55625in + :height: 3.26548in + +.. |TVPC2| image:: transitvpc_workflow_media/TVPC2.png + :scale: 60% + +.. |HAVPC| image:: transitvpc_workflow_media/HAVPC.png + :scale: 60% + +.. 
|VGW| image:: transitvpc_workflow_media/connectVGW.png + :scale: 50% + +.. |launchSpokeGW| image:: transitvpc_workflow_media/launchSpokeGW.png + :scale: 50% + +.. |AttachSpokeGW| image:: transitvpc_workflow_media/AttachSpokeGW.png + :scale: 50% + +.. |SpokeVPC| image:: transitvpc_workflow_media/SpokeVPC.png + :scale: 50% + +.. |transit_to_onprem| image:: transitvpc_workflow_media/transit_to_onprem.png + :scale: 40% + +.. |azure_native_transit2| image:: transitvpc_workflow_media/azure_native_transit2.png + :scale: 30% + +.. |transit_approval| image:: transitvpc_workflow_media/transit_approval.png + :scale: 30% + +.. disqus:: diff --git a/HowTos/transit_approval.rst b/HowTos/transit_approval.rst index e485a6333..4f7fa56cc 100644 --- a/HowTos/transit_approval.rst +++ b/HowTos/transit_approval.rst @@ -29,6 +29,16 @@ click Learned CIDRs Approval to enable. When Approval is disabled, all dynamically learned routes are automatically propagated to the Spokes. +Mode Gateway +-------------- + +By default, Learned CIDR Approval applies to all BGP connections configured on the Multi-cloud Transit Gateway. + +Mode Connection +---------------- + +If Connection mode is selected, approval is applied to a selected BGP connection as shown in the +drop down menu. A BGP connection that is not configured for Approval learns all routes from its peer automatically. .. |Test| image:: transitvpc_workflow_media/SRMC.png diff --git a/HowTos/transit_dmz_vendors.rst b/HowTos/transit_dmz_vendors.rst index 773170f7e..c09a5e3fa 100644 --- a/HowTos/transit_dmz_vendors.rst +++ b/HowTos/transit_dmz_vendors.rst @@ -106,7 +106,7 @@ Example of Palo Alto Networks API used: :: - https://54.149.55.193/api/?password=Aviatrix123%23&type=keygen&user=apiadmin + https://54.149.55.193/api/?password=password&type=keygen&user=apiadmin 2. get route tables: 
diff --git a/HowTos/transit_firenet_azure_native_spokes_workflow.rst b/HowTos/transit_firenet_azure_native_spokes_workflow.rst new file mode 100644 index 000000000..d61932605 --- /dev/null +++ b/HowTos/transit_firenet_azure_native_spokes_workflow.rst 
@@ -0,0 +1,388 @@ +.. meta:: + :description: Firewall Network Workflow + :keywords: Azure Transit Gateway, Azure, TGW orchestrator, Aviatrix Transit network, Transit DMZ, Egress, Firewall, Firewall Network, FireNet + + +========================================================= +Transit FireNet Workflow for Azure Native Spoke VNets +========================================================= + +Aviatrix Transit FireNet allows you to deploy firewalls functions for the Aviatrix Multi-Cloud Transit architecture. With Transit FireNet feature, the Firewall Network (FireNet) function is integrated into the Aviatrix Transit gateway. + +Aviatrix Transit FireNet supports different hashing algorithms available in Azure cloud to load balance the traffic across different firewalls which includes `Hash-based distribution mode (five-tuple hash) `_ and `Source IP affinity mode (three-tuple or two-tuple hash) `_. + +To learn more about Hashing Algorithm and Transit FireNet, check out `Transit FireNet FAQ. `_ + +In this example, Transit VNet with Aviatrix Gateways will be deployed, and two Native Spoke VNets will be attached to it. + +The transit VNet will have a firewall of supported vendors (Check Point, Palo Alto Networks and Fortinet etc.) deployed in it. Please see the diagram below for more details. + +Once the infra is in-place then the policy will be created to inspect the east-west and north-south traffic. + +|avx_tr_firenet_topology_az_native| + +Step 1 : Create Transit VNet +******************************* + +VNets can be created manually on Azure or directly from Aviatrix Controller. + +Aviatrix controller has set of useful tools available for users and in this example, VNets are created following the Useful Tools `Create a VPC `_ guidelines. + +1. Login to the Aviatrix Controller with username and password +#. Navigate to **Useful Tools -> Create A VPC** +#. Add one VNet for Transit FireNet Gateway and select **Aviatrix FireNet VPC** option as shown below. +#. 
Create two more VNets with **no option/checkbox** selected for Spoke Gateways. + +|create_vpc_native_case| + +Step 2: Deploy the Transit Aviatrix Gateway +*************************************************** + +Transit Aviatrix Gateway can be deployed using the `Transit Gateway Workflow `_ + +Prerequisite for Azure +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Transit FireNet builds on the Aviatrix Transit Network solution where Aviatrix gateways are deployed in Transit VNet and/or in Spoke VNet in Azure. + +Make sure the deployment meets the following specifications: + +1. ActiveMesh must be enabled when launching the Aviatrix Transit Gateway. +2. Select the option “Enable Transit FireNet” when launching the Aviatrix Transit Gateway. +3. Aviatrix Transit Network must be in Connected mode. Go to Transit Network -> Advanced Config -> Connected Transit. Click Enable. + +.. important:: + Controller version 6.0 and prior, the minimum size of the Aviatrix Transit Gateway virtual machine is Standard_B2ms. Starting 6.1, minimum Transit Gateway instance size requirement is removed. + +Procedure +~~~~~~~~~~~~~~~~~~~~~ + +1. Navigate to **MULTI-CLOUD TRANSIT -> Setup -> #1 Launch an Aviatrix Transit Gateway** +#. Choose virtual machine size **Standard_B2ms** +#. Enable **ActiveMesh Mode (Mandatory)** +#. Enable InsaneMode for higher throughputs (optional) +#. Enable Transit Gateway HA by navigating to **MULTI-CLOUD TRANSIT -> Setup -> #2 (Optional) Enable HA to an Aviatrix Transit Gateway** + +Please see an example below for Transit FireNet GW: + +|tr_firenet_gw_native| + +.. note:: + Insane Mode Encryption for higher throughput requires a virtual machine size as shown below. + +|insane_mode_tp| + + +Step 3: Attach Native Spoke VNETs to Transit Network +******************************************************* + +Transit and spoke gateways are deployed, next step is to connect them. + +1. Navigate to **MULTI-CLOUD TRANSIT -> Setup -> #6b Attach Azure ARM Spoke through Native Peering** +#. 
Select one VNET at a time and attach to the Transit Gateway. + +|attach_native_vnet| + +.. note:: + Transit Gateway is attached to Azure Native Spokes but by default, Transit Gateway will not route traffic between Native Spokes. + +Step 4: Enable Connected Transit +************************************** + +By default, spoke VNETs are in isolated mode where the Transit will not route traffic between them. To allow the Spoke VNETs to communicate with each other, we need to enable Connected Transit + +1. Navigate to **MULTI-CLOUD TRANSIT -> Advanced Config**, select the right Transit Gateway and enable **“Connected Transit”** + +|connected_transit_native_vnet| + +Step 5: Configure Transit Firewall Network +************************************************** + +Transit and Native VNET Spokes have now been deployed, next step is to deploy and enable the Firewall for traffic inspection. + +Let’s start with enabling the firewall function and configure the FireNet policy. + +1. Navigate to **MULTI-CLOUD TRANSIT -> Transit FireNet -> #1 Enable Transit FireNet on Aviatrix Transit Gateway** +#. Choose the Aviatrix Transit Gateway and Click **“Enable”** + +|en_tr_firenet_native_case| + +3. Navigate to **MULTI-CLOUD TRANSIT -> Transit FireNet -> #2 Manage FireNet Policy** +#. Add spokes to the Inspected box for traffic inspection + +.. note:: + By default, FireNet inspects ingress (Internet to VNET) and east-west traffic (VNET to VNET) only. + +|tr_firenet_policy_native_case| + + +Step 6a: Launch and Associate Firewall Instance +***************************************************************** + +This step launches a Firewall instance and associates it with one of the FireNet gateways. To attach the existing firewall instance to one of the gateway, please follow Step 6b. + + +.. note:: + By default, Aviatrix Transit FireNet uses 5 tuple forwarding algorithm but that can be changed from Firewall Network -> Advanced settings. 
+ + +6a.1 Launch and Attach +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Go to Aviatrix Controller's console and navigate to **Firewall Network -> Setup -> Step 7a** and provide all the required input as shown in a table and click **"Launch"** button. + +.. important:: + Vendor's firewall may take some time after launch to be available. + +========================================== ========== +**Setting** **Value** +========================================== ========== +VPC ID The Security VNET created in Step 1. +Gateway Name The primary FireNet gateway. +Firewall Instance Name The name that will be displayed on Azure Console. +Firewall Image The Azure AMI that you have subscribed. +Firewall Image Version Firewall supported software versions. +Firewall Instance Size Firewall virtual machine size. +Management Interface Subnet. Select the subnet whose name contains "gateway and firewall management" +Egress Interface Subnet Select the subnet whose name contains "FW-ingress-egress". +Username Applicable to Azure deployment only. "admin" as a username is not accepted. +Authentication Method Password or SSH Public Key +Password Applicable to Azure deployment only. +Key Pair Name (Optional) The .pem file name for SSH access to the firewall instance. +Attach (Optional) By selecting this option, the firewall instance is inserted in the data path to receive packet. If this is the second firewall instance for the same gateway and you have an operational FireNet deployment, you should not select this option as the firewall is not configured yet. You can attach the firewall instance later at Firewall Network -> Advanced page. +Advanced (Optional) Click this selection to allow Palo Alto firewall bootstrap files to be specified. +========================================== ========== + +1. Check Point Specification +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Check Point Security Gateway has 2 interfaces as described below. 
+ +======================================================== =============================== ================================ +**Check Point VM interfaces** **Description** **Inbound Security Group Rule** +======================================================== =============================== ================================ +eth0 (on subnet -Public-FW-ingress-egress) Egress or Untrusted interface Allow ALL +eth1 (on subnet -dmz-firewall_lan) LAN or Trusted interface Allow ALL (Do not change) +======================================================== =============================== ================================ + +Note that security gateway eth1 is on the same subnet as Firenet gateway eth2 interface. + +Check Point Security Gateway launch from the Aviatrix Controller automatically initiates the on-boarding process, configure security gateway interfaces and program RFC 1918 routes. After completing this step, user should be able to login to the Check Point Gaia console with username **admin** and provided password during launch. + +.. note:: + Repeat Step 7a to launch the second security gateway to associate with the HA FireNet gateway. Or repeat this step to launch more security gateways to associate with the same Firenet gateway. + + +Follow `Check Point Example `_ to see how to launch Check Point Security Gateway in Azure, and for more details. + + +2. Palo Alto VM-Series Specifications +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Palo instance has 3 interfaces as described below. 
+ +======================================================== =============================== ================================ +**Palo Alto VM interfaces** **Description** **Inbound Security Group Rule** +======================================================== =============================== ================================ +eth0 (on subnet -Public-gateway-and-firewall-mgmt) Management interface Allow SSH, HTTPS, ICMP, TCP 3978 +eth1 (on subnet -Public-FW-ingress-egress) Egress or Untrusted interface Allow ALL +eth2 (on subnet -dmz-firewall_lan) LAN or Trusted interface Allow ALL (Do not change) +======================================================== =============================== ================================ + +Note that firewall instance eth2 is on the same subnet as FireNet gateway eth2 interface. + +Launch VM Series from Aviatrix Controller automatically set it up the Palo Alto Network VM-Series firewall. User should be able to login to the VM-Series console with given username and password during launch. + +Please follow `Palo Alto Networks VM-Series Azure Example `_ to see how to launch VM-Series in Azure, and for more details. + + +.. important:: + + For Panorama managed firewalls, you need to prepare Panorama first and then launch a firewall. Check out `Setup Panorama `_. When a VM-Series instance is launched and connected with Panorama, you need to apply a one time "commit and push" from the Panorama console to sync the firewall instance and Panorama. + +.. Tip:: + + If VM-Series are individually managed and integrated with the Controller, you can still use Bootstrap to save initial configuration time. Export the first firewall's configuration to bootstrap.xml, create an IAM role and Bootstrap bucket structure as indicated above, then launch additional firewalls with IAM role and the S3 bucket name to save the time of the firewall manual initial configuration. + + +3. 
Fortinet Specifications +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +FortiGate Next Generation Firewall instance has 2 interfaces as described below. + +======================================================== =============================== ================================ +**FortiGate VM interfaces** **Description** **Inbound Security Group Rule** +======================================================== =============================== ================================ +eth0 (on subnet -Public-FW-ingress-egress) Egress or Untrusted interface Allow ALL +eth1 (on subnet -dmz-firewall_lan) LAN or Trusted interface Allow ALL (Do not change) +======================================================== =============================== ================================ + +.. tip:: + Starting from Release 6.2, FortiGate bootstrap configuration is supported. + +Please refer to `FortiGate Azure Configuration Example `_ for more details. + +Step 6b: Associate an Existing Firewall Instance +******************************************************* + +This step is the alternative step to Step 7a. If you already launched the firewall (Check Point, Palo Alto Network or Fortinet) instance from Azure Console, you can still associate it with the FireNet gateway. + +Go to Aviatrix Controller's console and navigate to **Firewall Network -> Setup -> Step 7b** and associate a firewall with right FireNet Gateway. + + +Step 7: Vendor Firewall Integration +***************************************************** + +Vendor integration dynamically updates firewall route tables. The use case is for networks with RFC 1918 and non-RFC 1918 routes that require specific route table programming on the firewall appliance + +1. Go to Firewall Network -> Vendor Integration -> Select Firewall, fill in the details of your Firewall instance. +2. Click Save, Show and Sync. + +.. important:: + Aviatrix Controller automatically programs RFC 1918 in Check Point Security Gateway at a time of launch. 
This step can be skipped for Check Point if non-RFC 1918 routes programming is not required in Security Gateway. + +.. note:: + Vendor integration is not supported for FortiGate. User needs to configure RFC 1918 static routes manually in FortiGate firewall. + + +Step 8: Enable Health Check Policy in Firewall +*************************************************** +Aviatrix Controller uses HTTPS (TCP 443) to check the health of firewall every 5 seconds. User needs to enable this port in firewall as per given instruction. + +Check Point +~~~~~~~~~~~~~~ +By default, HTTPS or TCP 443 is allowed in Security Gateway. No action is required. + + +Palo Alto Network (PAN) +~~~~~~~~~~~~~~~~~~~~~~~~~ +By default, VM-Series do not allow HTTPS or TCP 443 port. Pleas follow the given steps to enable it: + + 1. Login to VM-Series with username and password. + #. Go to Network -> Interface Mgmt under Network Profiles and click "Add". + #. Give any name in "Interface Management Profile", check HTTPS checkbox under Administrative Management Service and click "OK". + #. Attach Profile with LAN interface. Network -> Interfaces -> Select LAN Ethernet Interface -> Advanced -> Management Profile -> Select appropiate profile. + +|PAN-health-check| + +See an example screenshot below how to attach profile to an interface. + +|pan_hcheck_attach| + +Firewall health check probes can be verified in Monitor -> Traffic. + +|pan-health-probe| + +Fortinet +~~~~~~~~~~~~~~~ +User needs to allow HTTPS or TCP 443 port in FortiGate firewall to monitor the health of firewall. Please follow the steps to allow HTTPS in FortiGate: + + 1. Login to FortiGate's console using username and password + #. Go to Network -> Interfaces, select **port 2** and click "Edit". + #. Check HTTPS checkbox under Administrative access -> IPv4 and click "OK". + +|health-check| + +The health check probes can be verified in FortiGate by navigating to Log & Report -> Local Traffic. 
+ +|health-probe-logs| + + +Step 9: Example Setup for "Allow All" Policy +*************************************************** + +After a firewall instance is launched, wait for 5 to 15 minutes for it to come up. Time varies for each firewall vendor. +In addition, please follow example configuration guides as below to build a simple policy on the firewall instance for a test validation that traffic is indeed being routed to firewall instance. + +Palo Alto Network (PAN) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +For basic configuration, please refer to `example Palo Alto Network configuration guide `_. + +For implementation details on using Bootstrap to launch and initiate VM-Series, refer to `Bootstrap Configuration Example `_. + +FortiGate (Fortinet) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +For basic policy configuration, please refer to `example Fortinet configuration guide `_. + +Check Point +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +For basic policy configuration, please refer to `example Check Point configuration guide `_. + + +Step 10: Verification +*************************** + +There are multiple ways to verify if Transit FireNet is configured properly: + + 1. Aviatrix Flightpath - Control-plane Test + #. Ping/Traceroute Test between Spoke VNETs (East-West) - Data-plane Test + +Flight Path Test for FireNet Control-Plane Verification: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Flight Path is a very powerful troubleshooting Aviatrix tool which allows users to validate the control-plane and gives visibility of end to end packet flow. + + 1. Navigate to **Troubleshoot-> Flight Path** + #. Provide the Source and Destination Region and VNET information + #. Select ICMP and Private subnet, and Run the test + +.. note:: + VM instance will be required in Azure, and ICMP should be allowed in security group. 
+ +Ping/Traceroute Test for FireNet Data-Plane Verification: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Once control-plane is established and no problem found in security and routing polices. Data-plane validation needs to be verified to make sure traffic is flowing and not blocking anywhere. + +There are multiple ways to check data-plane: + 1. One way to SSH to Spoke EC2 instance and ping other Spoke EC2 to instance to make sure no traffic loss in the path. + 2. Ping/traceroute capture can also be performed from Aviatrix Controller. Go to **TROUBLESHOOT -> Diagnostics** and perform the test. + + +.. |avx_tr_firenet_topology_az_native| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/avx_tr_firenet_topology_az_native.png + :scale: 20% + +.. |insane_mode_tp| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/insane_mode_tp.png + :scale: 30% + +.. |create_vpc_native_case| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/create_vpc_native_case.png + :scale: 40% + +.. |tr_firenet_gw_native| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/tr_firenet_gw.png + :scale: 35% + +.. |attach_native_vnet| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/attach_native_vnet.png + :scale: 35% + +.. |en_tr_firenet_native_case| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/en_tr_firenet_native_case.png + :scale: 35% + +.. |tr_firenet_policy_native_case| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/tr_firenet_policy_native_case.png + :scale: 35% + +.. |avx_tr_firenet_topology| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/avx_tr_firenet_topology.png + :scale: 35% + +.. |connected_transit_native_vnet| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/connected_transit_native_vnet.png + :scale: 40% + +.. 
|health-check| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/health-check.png + :scale: 35% + +.. |PAN-health-check| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/PAN-health-check.png + :scale: 35% + +.. |health-probe-logs| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/health-probe-logs.png + :scale: 40% + +.. |pan-health-probe| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/pan-health-probe.png + :scale: 40% + +.. |pan_hcheck_attach| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/pan_hcheck_attach.png + :scale: 40% + + +.. disqus:: diff --git a/HowTos/transit_firenet_design_patterns.rst b/HowTos/transit_firenet_design_patterns.rst new file mode 100644 index 000000000..5e40594df --- /dev/null +++ b/HowTos/transit_firenet_design_patterns.rst 
@@ -0,0 +1,106 @@ +.. meta:: + :description: Firewall Network FAQ + :keywords: AWS Transit Gateway, AWS TGW, TGW orchestrator, Aviatrix Transit network, Firewall, DMZ, Cloud DMZ, Firewall Network, FireNet + + +============================================================ +Transit FireNet Design Patterns +============================================================ + +This document describes common design patterns when Aviatrix Transit Firewall Network (Transit FireNet) is deployed. + + +1. Hybrid to On-prem +--------------------------------------------------- + +|hybrid| + +2. Hybrid with Insane Mode +-------------------------------------------------------- + +FireNet supports Insane Mode, + +|insane| + +3. FireNet in Multi Regions +--------------------------------------------------------------------------------- + + +|multi-regions| + +4. Two Firewall Networks +-------------------------------------------------------- + +You can deploy two Firewall Networks, one dedicated for East-West traffic inspection and another for Egress +inspection. + +Note you must follow the configuration sequence below: + + 1. Disable the Traffic Inspection of the FireNet gateway intended for Egress control. + #. Enable Egress Control for FireNet gateway intended for Egress control. + #. Build connection policies. + +|dual_firenet| + +5. Aviatrix FQDN in FireNet for Egress Control +------------------------------------------------- + +When Aviatrix FQDN gateway is deployed in a VPC/VNet, it uses a public IP address to perform both whitelisting and NAT function +for Internet bound traffic. Sometimes these Internet bound traffic are partner API calls and these partners require to +limit the number of IP addresses for each customer of theirs. In such situation, you can deploy FQDN in a centralized +manner as shown in the diagram below. + +|fqdn_egress| + +6. 
Central Egress in a Multi Region Deployment +-------------------------------------------------------- + +Since the default routes are propagated over the Aviatrix Transit Gateway peering, you can consolidate the Internet bound egress traffic to the +firewalls in one region, as shown in the diagram below. + +|central_egress| + +7. Distributed Egress in a Multi Region Deployment +------------------------------------------------------ + +If you need to have a distributed egress for each region, make sure you filter out the default route 0.0.0.0/0 when you build +the Aviatrix Transit Gateway peering, as shown in the diagram below. + +|multi_egress| + +8. Ingress Protection via Aviatrix Transit FireNet +------------------------------------------------------ + +This Ingress Protection design pattern is to have the traffic forward to firewall instances directly in Aviatrix Transit FireNet VPC as shown in the diagram below. In this design pattern, each firewall instance must configure (1) SNAT on its LAN interface that connects to the Aviatrix FireNet gateway and (2) DNAT to the IP of application server/load balancer. The draw back of this design is source IP address is not preserved when traffic reaches the application. + +For example configuration workflow, check out `Ingress Protection via Aviatrix Transit FireNet with Fortigate `_. + +|transit_firenet_ingress| + + +.. |hybrid| image:: transit_firenet_design_patterns_media/hybrid.png + :scale: 30% + +.. |insane| image:: transit_firenet_design_patterns_media/insane.png + :scale: 30% + +.. |multi-regions| image:: transit_firenet_design_patterns_media/multi-regions.png + :scale: 30% + +.. |dual_firenet| image:: transit_firenet_design_patterns_media/dual_firenet.png + :scale: 30% + +.. |fqdn_egress| image:: transit_firenet_design_patterns_media/fqdn_egress.png + :scale: 30% + +.. |central_egress| image:: transit_firenet_design_patterns_media/central_egress.png + :scale: 30% + +.. 
|multi_egress| image:: transit_firenet_design_patterns_media/multi_egress.png + :scale: 30% + +.. |transit_firenet_ingress| image:: ingress_firewall_example_media/Ingress_Aviatrix_Transit_FireNet_topology.png + :scale: 30% + + +.. disqus:: diff --git a/HowTos/transit_firenet_design_patterns_media/central_egress.png b/HowTos/transit_firenet_design_patterns_media/central_egress.png new file mode 100644 index 000000000..9f57a6aa7 Binary files /dev/null and b/HowTos/transit_firenet_design_patterns_media/central_egress.png differ diff --git a/HowTos/transit_firenet_design_patterns_media/dual_firenet.png b/HowTos/transit_firenet_design_patterns_media/dual_firenet.png new file mode 100644 index 000000000..c1d8f48af Binary files /dev/null and b/HowTos/transit_firenet_design_patterns_media/dual_firenet.png differ diff --git a/HowTos/transit_firenet_design_patterns_media/fqdn_egress.png b/HowTos/transit_firenet_design_patterns_media/fqdn_egress.png new file mode 100644 index 000000000..044ee4c15 Binary files /dev/null and b/HowTos/transit_firenet_design_patterns_media/fqdn_egress.png differ diff --git a/HowTos/transit_firenet_design_patterns_media/hybrid.png b/HowTos/transit_firenet_design_patterns_media/hybrid.png new file mode 100644 index 000000000..34ab716f8 Binary files /dev/null and b/HowTos/transit_firenet_design_patterns_media/hybrid.png differ diff --git a/HowTos/transit_firenet_design_patterns_media/insane.png b/HowTos/transit_firenet_design_patterns_media/insane.png new file mode 100644 index 000000000..e72694dad Binary files /dev/null and b/HowTos/transit_firenet_design_patterns_media/insane.png differ diff --git a/HowTos/transit_firenet_design_patterns_media/multi-regions.png b/HowTos/transit_firenet_design_patterns_media/multi-regions.png new file mode 100644 index 000000000..b2d68e795 Binary files /dev/null and b/HowTos/transit_firenet_design_patterns_media/multi-regions.png differ 
diff --git a/HowTos/transit_firenet_design_patterns_media/multi_egress.png b/HowTos/transit_firenet_design_patterns_media/multi_egress.png new file mode 100644 index 000000000..589f24b5b Binary files /dev/null and b/HowTos/transit_firenet_design_patterns_media/multi_egress.png differ diff --git a/HowTos/transit_firenet_faq.rst b/HowTos/transit_firenet_faq.rst index fcffd7de0..bcd3373b4 100644 --- a/HowTos/transit_firenet_faq.rst +++ b/HowTos/transit_firenet_faq.rst @@ -7,12 +7,16 @@ Transit FireNet FAQ ========================================================= -What is the Transit FireNet for AWS & Azure? ----------------------------------------------- +What is the Aviatrix Transit FireNet for AWS & Azure? +---------------------------------------------------------- -Aviatrix Transit FireNet is the `Firewall Network `_ function applied to the Aviatrix Encrypted Transit architecture. +Aviatrix Transit FireNet allows you to deploy firewalls functions for the Aviatrix Encrypted +Transit architecture. With Transit FireNet feature, the FireNet function is integrated into the Aviatrix Transit gateway. +If you are looking for firewall functions deployment in AWS Transit Gateway environment, your starting point +is `here. `_ + The use case is to deploy firewalls in the `encrypted transit architecture `_ for both AWS and Azure, as shown below. @@ -67,6 +71,8 @@ How do I configure FireNet? Follow the `FireNet workflow `_ to deploy firewall in the cloud. +For a complete end to end example, refer to `The Example Step by Step Guide for Transit FireNet in AWS `_. + How do I enable Egress inspection on Transit FireNet? -------------------------------------------------------- 
@@ -85,6 +91,19 @@ Is Ingress Inspection supported on Transit FireNet? Yes. You need to enable source NAT on the LAN Interface of the VM-Series. +How to exclude specific CIDRs from being inspected by the firewall? +-------------------------------------------------------------------- + +By default, FireNet inspects all East-West (VPC to VPC) traffic but you may have an instance in the VPC which you do not want to be inspected. For example, the Aviatrix Controller deployed in the Shared Service VPC to be excluded from inspection while Shared Service VPC traffic is inspected. This improves the Controller reachability by not subjecting the Controller access to unintentional firewall policy errors. + +Go to **Firewall Network --> Advanced** and put the CIDRs in the field **"Network List Excluded From East-West Inspection"** to exclude from being inspected by the firewall. + +.. Note:: + + 1. Maximum 20 CIDRs coma-separated are supported. + 2. CIDRs are excluded from East-West inspections only. + 3. In Transit FireNet, if Egress inspection is enabled, all the Egress traffic will get inspected by the firewall even for the CIDRs excluded for East-West inspection. + Can I deploy Aviatrix Egress Control FQDN gateway on Transit FireNet? ---------------------------------------------------------------------- 
@@ -97,6 +116,20 @@ The instructions are described as the following. 1. `Enable Aviatrix Transit Gateway for Transit FireNet `_ 2. `Launch and associate Aviatrix FQDN gateway `_ +What is the performance of Aviatrix Egress FQDN gateway on Transit FireNet? +---------------------------------------------------------------------------- + +Preliminary test results are as follows. + +============================== ========================= +# of FQDN gateways Throughput (Gbps) +============================== ========================= +4 27 +6 30 +============================== ========================= + + + Is there an example guide to setup Palo Alto VM-Series policies? ------------------------------------------------------------------ 
@@ -123,20 +156,72 @@ Yes. Follow the instructions for `Panorama integration. `_. + +What is the firewall instance state Inaccessible mean? +--------------------------------------------------------- + +The Controller periodically issues Palo Alto API calls to find out if API can be issued successfully. This is used for route updates purpose, as firewall route updates +requires API to work. If Palo Alto API fails for two consecutive times, the Controller declares the firewall is in Inaccessible state, but the firewall should still be attached +and be forwarded traffic as long as its health check pass. -Aviatrix FireNet gateway failure detection time is 15 - 20 seconds. The switch over to alternative gateway (primary or backup) is about the same time. -The Aviatrix Controller monitors the health of the firewall instances. For Pal Alto VM-Series, the Controller -uses Palo Alto API to periodically check the firewall instance health. The polling time is 10 seconds. However depending -on how the instance fails, it can take over a minutes for the failure condition to be detected. For example, -if you stop the instance from AWS console, it can take a minute before the API access fails. On the other hand, if the firewall instance interface is shutdown, the failure detection is 10 seconds. +How does Transit Firenet load balance traffic between different firewalls? +---------------------------------------------------------------------------- + +AWS +==== +In AWS, Transit FireNet Load Balance the traffic across different firewall using five-tuple hash. + +The tuple is composed of the: + +Source IP +Source port +Destination IP +Destination port +Protocol type + +The algorithm provides stickiness only within a transport session. Packets that are in the same session are directed to the same firewall. When the client starts a new session from the same source IP, the source port changes and causes the traffic to go to a different firewall. 
+ + +Azure +====== +Aviatrix Transit FireNet supports different hashing algorithms available in Azure cloud to load balance the traffic across different firewalls which includes `Hash-based distribution mode (five-tuple hash) `_ and `Source IP affinity mode (three-tuple or two-tuple hash) `_. + +By default, Transit Firenet use 5-tuple hashing algorithm but that can be changed using Azure's portal. + 1. Login to Microsoft Azure's Portal and Go to Load balancer under Azure services. + #. Click the Transit Firenet where Load balancing algorithm needs to be changed. + #. Go to Load Balancing rules under Settings and click on "LBRule". + #. Select hashing algorithm under Session persistence. + 1. None -> Default five-tuple (source IP, source port, destination IP, destination port and protocol type) hashing algorithm. + 2. Client IP -> This mode uses a two-tuple (source IP and destination IP). + 3. Client IP and protocol -> three-tuple uses source IP, destination IP, and protocol type. + +|lb-rule-azure| + +How to migrate from Aviatrix Transit FireNet to Transit FireNet with AWS GWLB? +--------------------------------------------------------------------------------- + +Starting from Release 6.3, Multi-cloud Transit FireNet added support for AWS Gateway Load Balancer (GWLB). The key +advantage of this integration is to allow firewalls to be scaled up and down without affecting established sessions +(except sessions associated with the failed firewalls). + +To migrate from Transit FireNet to Transit FireNet with AWS GWLB and vice versa. Follow the steps below: + + 1. Save firewall configuration + #. Disassociate firewall instance -> Go to Aviatrix Controller's console -> FIREWALL NETWORK -> Setup -> Step 10. + #. Delete firewall instances -> Go to Aviatrix Controller's console -> FIREWALL NETWORK -> Setup -> Step 7a. + #. 
Disable Transit FireNet function -> Go to Aviatrix Controller's console -> MULTI-CLOUD TRANSIT -> Transit Firenet -> Step 5a to disable Transit FireNet Function for Aviatrix Transit Gateway. + #. Enable Transit FireNet function -> Go to Aviatrix Controller's console -> MULTI-CLOUD TRANSIT -> Transit Firenet -> Step 1a to enable Transit FireNet Function on Aviatrix Transit Gateway. Check "Use AWS GWLB" if migrating from Transit FireNet to Transit FireNet with AWS GWLB. + #. Launch & associate Firewall -> Go to Aviatrix Controller's console -> FIREWALL NETWORK -> Step 7a. + #. Restore firewall configuration. .. |transit_firenet| image:: transit_firenet_media/transit_firenet.png :scale: 30% @@ -150,4 +235,8 @@ if you stop the instance from AWS console, it can take a minute before the API a .. |transit_firenet_aviatrix_egress| image:: transit_firenet_media/transit_firenet_aviatrix_egress.png :scale: 30% +.. |lb-rule-azure| image:: transit_firenet_media/lb-rule-azure.png + :scale: 30% + + .. disqus:: diff --git a/HowTos/transit_firenet_media/lb-rule-azure.png b/HowTos/transit_firenet_media/lb-rule-azure.png new file mode 100644 index 000000000..41aaeac97 Binary files /dev/null and b/HowTos/transit_firenet_media/lb-rule-azure.png differ diff --git a/HowTos/transit_firenet_workflow.rst b/HowTos/transit_firenet_workflow.rst index b78c70857..8a188c2b4 100644 --- a/HowTos/transit_firenet_workflow.rst +++ b/HowTos/transit_firenet_workflow.rst 
@@ -1,34 +1,148 @@ .. meta:: :description: Firewall Network Workflow - :keywords: AWS Transit Gateway, AWS TGW, TGW orchestrator, Aviatrix Transit network, Transit DMZ, Egress, Firewall, Firewall Network, FireNet + :keywords: AWS Transit Gateway, AWS TGW, TGW orchestrator, Aviatrix Transit network, Transit DMZ, Egress, Firewall, Firewall Network, FireNet, AWS GWLB, Azure Load Balancer, Azure LB, Gateway Load balancer, GCP, GCP FireNet, Azure FireNet, GCP ILB ========================================================= -Transit FireNet Workflow +Transit FireNet Workflow for AWS, Azure, GCP, and OCI ========================================================= -For questions about Transit FireNet, check out `Transit FireNet FAQ. `_ +If you are looking deploying firewall networks in AWS TGW environment, your starting point is `here. `_. -Prerequisite ---------------- +To learn about Transit FireNet, check out `Transit FireNet FAQ. `_ -Transit FireNet builds on the Aviatrix Encrypted Transit Network. Follow the `Aviatrix Encrypted Transit Network workflow `_ to deploy Aviatrix Transit Gateways and Spoke gateways. ActiveMesh mode option must be selected when launching the gateways. +For a complete step by step guide on AWS for Transit FireNet, refer to `Transit FireNet on AWS Configuration Example Guide `_. +For a complete step by step guide on AWS for Transit FireNet with AWS Gateway Load Balancer (GWLB), refer to `Transit FireNet Workflow with AWS Gateway Load Balancer (GWLB) `_. + +For a complete step by step guide on Azure for Transit FireNet, refer to `Transit FireNet on Azure Configuration Example Guide `_. + +For a complete step by step guide on GCP for Transit FireNet, refer to `Transit FireNet on GCP Configuration Example Guide `_. + +For a complete step by step guide on OCI for Transit FireNet, refer to `Transit FireNet on OCI Configuration Example Guide `_. 
+ +Prerequisite for AWS +--------------------- + +Transit FireNet builds on the Aviatrix Transit Network where Aviatrix gateways are deployed in both +the transit VPC and the spoke VPCs in AWS. Make sure the deployment meets the following specifications. + + 1. ActiveMesh must be enabled when launching the Aviatrix Transit Gateway. + 2. The minimum size of the Aviatrix Transit Gateway is c5.xlarge. + 3. Aviatrix Transit Network must be in Connected mode. Go to Transit Network -> Advanced Config -> Connected Transit. Click Enable. + +Follow the `Aviatrix Transit Network workflow `_ to deploy Aviatrix Transit Gateways and at least one Spoke gateway. When complete, proceed to Step 1. + +Prerequisite for Azure +------------------------ + +Transit FireNet builds on the Aviatrix Transit Network solution where Aviatrix gateways are deployed +in Transit VNet and/or in Spoke VNet in Azure. Make sure the deployment meets the following +specifications. + + 1. ActiveMesh must be enabled when launching the Aviatrix Transit Gateway. + #. The minimum size of the Aviatrix Transit Gateway instance size is Standard_B2ms. + #. Select the option "Enable Transit FireNet" when launching the Aviatrix Transit Gateway. + #. Aviatrix Transit Network must be in Connected mode. Go to Transit Network -> Advanced Config -> Connected Transit. Click Enable. + +Follow the `Aviatrix Transit Network workflow `_ to +deploy Aviatrix Transit Gateways and attach at least one Spoke gateway or one Spoke VNet. When you are done, proceed to Step 1. + + +Prerequisite for GCP +------------------------ + +Transit FireNet builds on the Aviatrix Transit Network solution where Aviatrix gateways are deployed +in Transit VPC and/or in Spoke VPC in GCP. Make sure the deployment meets the following +specifications. + + 1. ActiveMesh must be enabled when launching the Aviatrix Transit Gateway. + #. 
Minimum four VPCs will be required for GCP FireNet solution with Palo Alto VM-series and all VPCs should be in same region. + #. The minimum size of the Aviatrix Transit Gateway instance size is n1-standard_1. + #. Select the option "Enable Transit FireNet" when launching the Aviatrix Transit Gateway. + #. Aviatrix Transit Network must be in Connected mode. Go to Transit Network -> Advanced Config -> Connected Transit. Click Enable. + +Follow the `Aviatrix Transit Network workflow `_ to +deploy Aviatrix Transit Gateways and attach at least one Spoke gateway or one Spoke VNet. When you are done, proceed to Step 1. + + +Prerequisite for OCI +------------------------ + +Transit FireNet builds on the Aviatrix Transit Network solution where Aviatrix gateways are deployed in Transit VCN and/or in Spoke VCN in OCI. + +Make sure the deployment meets the following specifications: + + 1. ActiveMesh must be enabled when launching the Aviatrix Transit Gateway. + #. Select the option “Enable Transit FireNet” when launching the Aviatrix Transit Gateway. + #. Aviatrix Transit Gateway minimum instance size should be VM.Standard2.4 or more + +Follow the `Aviatrix Transit Network workflow `_ to +deploy Aviatrix Transit Gateways and attach at least one Spoke gateway. When you are done, proceed to Step 1. + +.. Note:: + + Transit FireNet Insane mode is not supported in Release 6.4. + 1. Enable Transit FireNet Function ------------------------------------------------ -.. important:: +A Transit FireNet Gateway is an Aviatrix Transit Gateway with FireNet service enabled. + +Starting from Release 6.0, an Aviatrix Spoke can be optionally attached to two Transit FireNet Gateways, one for east-west and north-south traffic inspection, and another for ingress/egress inspections. - for AWS deployment, Transit FireNet works when the Aviatrix Transit Gateway is launched with ActiveMesh enabled. +1a. 
Enable Transit FireNet on Aviatrix Transit Gateway +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Transit FireNet works when the Aviatrix Encrypted Transit Network is in Connected mode. Go to Transit Network -> Advanced Config -> Connected Transit. Click Enable. +This step defines a set of Aviatrix Transit FireNet Gateways. In the drop down menu, select one Aviatrix Transit Gateway and click Enable. +.. Note:: + + For Azure and GCP deployment, Transit FireNet function is enabled when launching the gateway, skip this step. + +By default, east-west and north-south traffic inspections are enabled on Transit FireNet Gateways, you can also enable Ingress/Egress inspection on the Transit FireNet Gateways. To do so, go to Firewall Network -> Advanced -> click the 3 dots skewer of one FireNet gateway, +enable Egress through firewall option. + +A deployment diagram in this option is shown as below: + +|single_transit_new| + +Starting 6.3, Aviatrix Transit FireNet solution is also supporting AWS Gateway Load Balancer (AWS GWLB). + +In order to use the Aviatrix Transit FireNet solution with AWS GWLB, select one Aviatrix Transit Gateway deployed in AWS from the drop down menu, check the box "Use AWS GWLB" and click "Enable". + +.. note:: + + IAM policies needs to be updated for ingress/egress traffic. Go to Aviatrix Controller console -> Accounts -> Access Accounts - > Select AWS Account and click "Update Policy". + .. important:: - For Azure deployment, the Aviatrix Transit Gateway must be `"launched" `_ with the option Enable Transit FireNet Function enabled. The minimum Azure FireNet gateway size is Standard_B2ms. + Transit FireNet solution with GWLB also requires HTTPS port enable on firewall appliance to check the firewall health status at regular interval. Click `here `_ for more information. 
+ +By default, east-west and north-south traffic inspections are enabled on Transit FireNet Gateways, you can also enable Ingress/Egress inspection on the Transit FireNet Gateways. To do so, go to Firewall Network -> Advanced -> click the 3 dots skewer of one FireNet gateway, +enable Egress through firewall option. + +A deployment diagram in this option is shown as below: + +|gwlb_tr_firenet| + + +1b. Enable Transit FireNet on Aviatrix Egress Transit Gateway +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If you plan to use one set of Transit FireNet Gateways for all traffic types' inspection, skip this step. + +If a separate group of firewalls for Ingress/Egress traffic inspection is required, you need to deploy a second set of Aviatrix Transit Gateways +called Aviatrix Egress Transit Gateway, shown as the diagram below. + +|dual_transit| + +This step defines a set of Aviatrix Egress Transit FireNet Gateways. The HA Aviatrix Egress Transit FireNet Gateway is automatically enabled in this step. + + 2. Manage Transit FireNet Policy -------------------------------------- 
@@ -37,24 +151,51 @@ Select an Aviatrix Transit Gateway that you enabled for FireNet function in the On the left side of the panel, highlight one Spoke VPC/VNet for inspection and click Add. The selected Spoke VPC/VNet should appear on the right side panel. -For example, if traffic going in and out of VPC Spoke2 where Spoke2-gw is deployed should be inspected, move the Spoke2-gw to the right, as shown below. +For example, if traffic going in and out of VPC PROD1 where gcp-spk-prod1-gw is deployed should be inspected, move the gcp-spk-prod1-gw to the right, as shown below. -|transit_firenet_policy| +|transit_firenet_policy_new| For specify more VPC/VNets for inspection, repeat this step. -3. Deploy Firewall Network ------------------------------ +3. Deploy Firewall Instances +------------------------------- Go to Firewall Network -> Setup -> Deploy Firewall Network, follow the `deployment instructions `_ to launch one or more firewall instances. +4. Enable Firewall Management Access +-------------------------------------- + +When this option is configured, Aviatrix Transit Gateway advertises the transit VPC CIDR to on-prem. -4. Delete Function +The use case is if a firewall management console, such as Palo Alto Networks Panorama is deployed on-prem, the Panorama can access the firewalls of their private IP addresses with this option configured. + +5. Delete Function ------------------------------------------ In the drop menu, select one Aviatrix Transit Gateway with FireNet function to disable it. -.. |transit_firenet_policy| image:: transit_firenet_workflow_media/transit_firenet_policy.png - :scale: 30% +5a. Disable Transit FireNet on Aviatrix Transit Gateway +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Select a Transit FireNet gateway to disable the function. + +5b. 
Disable Transit FireNet on Aviatrix Egress Transit Gateway +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If Aviatrix Egress Transit Gateway has been configured, select one to disable the function. + + +.. |transit_firenet_policy_new| image:: transit_firenet_workflow_media/transit_firenet_policy_new.png + :scale: 40% + +.. |dual_transit| image:: transit_firenet_workflow_media/dual_transit.png + :scale: 40% + +.. |single_transit_new| image:: transit_firenet_workflow_media/single_transit_new.png + :scale: 40% + +.. |gwlb_tr_firenet| image:: transit_firenet_workflow_media/gwlb_tr_firenet.png + :scale: 40% + .. disqus:: diff --git a/HowTos/transit_firenet_workflow_aws.rst b/HowTos/transit_firenet_workflow_aws.rst new file mode 100644 index 000000000..64b0842ad --- /dev/null +++ b/HowTos/transit_firenet_workflow_aws.rst 
@@ -0,0 +1,358 @@ +.. meta:: + :description: Firewall Network Workflow + :keywords: AWS Transit Gateway, AWS TGW, TGW orchestrator, Aviatrix Transit network, Transit DMZ, Egress, Firewall, Firewall Network, FireNet + + +========================================================= +Transit FireNet Workflow for AWS +========================================================= + +Aviatrix Transit FireNet allows you to deploy firewalls functions for the Aviatrix Multi-Cloud transit architecture. With Transit FireNet feature, the Firewall Network (FireNet) function is integrated into the Aviatrix Transit gateway. + +To learn about Transit FireNet, check out `Transit FireNet FAQ. `_ + +If you are looking deploying firewall networks in AWS Transit Gateway (TGW) environment, your starting point is `here. `_. + +In this example, Transit VPC with Aviatrix Gateways will be deployed, and two Spoke Gateways (DEV and PROD) will be attached to it. + +The transit VPC will have a firewall of supported vendors (Checkpoint, Palo Alto Networks and Fortinet etc.) deployed in it. Please see the diagram below for more details. + +Once the infra is in-place then the policy will be created to inspect the east-west and north-south traffic. + +|avx_tr_firenet_topology| + +Step 1 : Create VPCs +*************************** + +VPCs can be created manually on AWS or directly from Aviatrix Controller. + +Aviatrix controller has set of useful tools available for users and in this example, VPCs are created following the Useful Tools `Create a VPC `_ guidelines. + +1. Login to the Aviatrix Controller with username and password +#. Navigate to **Useful Tools -> Create A VPC** +#. Add one VPC for Transit FireNet Gateway and select **Aviatrix FireNet VPC** option as shown below. +#. Create two more VPCs with **no option/checkbox** selected for Spoke Gateways. 
+ +|create_vpc| + +Step 2: Deploy the Transit Aviatrix Gateway +*************************************************** + +Transit Aviatrix Gateway can be deployed using the `Transit Gateway Workflow `_ + +Prerequisite for AWS +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Transit FireNet builds on the Aviatrix Transit Network where Aviatrix gateways are deployed in both the transit VPC and the spoke VPCs in AWS. + +Make sure the deployment meets the following specifications: + +1. ActiveMesh must be enabled when launching the Aviatrix Transit Gateway. +#. The minimum size of the Aviatrix Transit Gateway is c5.xlarge. +#. Aviatrix Transit Network must be in Connected mode. Go to Transit Network -> Advanced Config -> Connected Transit. Click Enable. + +Procedure +~~~~~~~~~~~~~~~~~~~~~ + +1. Navigate to **MULTI-CLOUD TRANSIT -> Setup -> #1 Launch an Aviatrix Transit Gateway** +#. Choose instance size **C5x.large** +#. Enable **ActiveMesh Mode (Mandatory)** +#. Enable InsaneMode for higher throughputs (optional) +#. Enable Transit VPC GW HA by navigating to **MULTI-CLOUD TRANSIT -> Setup -> #2 (Optional) Enable HA to an Aviatrix Transit Gateway** + +.. note:: + Instance size of c5.xlarge will be required for Insane Mode Encryption for higher throughput. + +Please see an example below for Transit FireNet GW: + +|tr_firenet_gw| + +Step 3: Deploy Spoke Gateways +************************************* + +Now that we have Aviatrix Transit Gateway, we can deploy Aviatrix Spoke Gateways in the spoke VPCs using `Aviatrix Spoke Gateway Workflow `_. + +1. Navigate to **MULTI-CLOUD TRANSIT -> Setup -> #4 Launch an Aviatrix Spoke Gateway** +#. Deploy a Spoke Gateway (GW) in each of the spoke VPCs using defaults while choose correct Account and VPC info +#. Choose the Public Subnet +#. Enable Spoke Gateway HA by navigating to Transit network -> Setup -> #5 (Optional) Enable/Disable HA at Spoke GW + +.. 
note:: + Instance size of c5.xlarge will be required for Insane Mode Encryption for higher throughput. + +|launch_spk_gw| + +Step 4: Attach Spoke Gateways to Transit Network +******************************************************* + +Transit and spoke gateways are deployed, next step is to connect them. + +1. Navigate to **MULTI-CLOUD TRANSIT -> Setup -> #6a Attach Spoke Gateway to Transit Network** +#. Select one spoke at a time and attach to the Transit Gateway. + +|attach_spk_trgw| + +.. note:: + Transit Gateway is attached to Spoke Gateways, but by default, Transit Gateway will not route traffic between Spoke Gateways. + +Step 5: Enable Connected Transit +************************************** + +By default, spoke VPCs are in isolated mode where the Transit will not route traffic between them. To allow the Spoke VPCs to communicate with each other, we need to enable Connected Transit + +1. Navigate to **MULTI-CLOUD TRANSIT -> Advanced Config**, select the right Transit Gateway and enable **“Connected Transit”** + +|connected_transit| + +Step 6: Configure Transit Firewall Network +************************************************** + +Transit and Spoke Gateways have now been deployed, next step is to deploy and enable the Firewall for traffic inspection. + +Let’s start with enabling the firewall function and configure the FireNet policy. + +1. Navigate to **MULTI-CLOUD TRANSIT -> Transit FireNet -> #1 Enable Transit FireNet on Aviatrix Transit Gateway** +#. Choose the Aviatrix Transit Gateway and Click **“Enable”** + +|en_tr_firenet| + +3. Navigate to **MULTI-CLOUD TRANSIT -> Transit FireNet -> #2 Manage FireNet Policy** +#. Add spokes to the Inspected box for traffic inspection + +.. note:: + By default, FireNet inspects ingress (INET to VPC) and east-west traffic (VPC to VPC) only. 
+ +|tr_firenet_policy| + + +Step 7: Subscribe Firewall Vendor in AWS Marketplace +************************************************************* + +At this point, FireNet functionality on Transit Gateway is enabled and FireNet policy is created for spokes. It is time to subscribe the firewall vendor and deploy the firewall. + +1. Navigate to **Firewall Network -> Setup -> #2 Subscribe to Firewall Vendor Product** in AWS Marketplace +#. Follow the link to subscribe to Check Point, Palo Alto or Fortinet in AWS Marketplace. + +.. note:: + Please subscribe the firewall but do not launch the firewall. + +|subscribe_firewall| + +Step 8a: Launch and Associate Firewall Instance +***************************************************************** + +This approach is recommended if this is the first Firewall instance to be attached to the gateway. + +This step launches a Firewall instance and associates it with one of the FireNet gateways. + + +.. important:: + + The Firewall instance and the associated Aviatrix FireNet gateway above must be in the same AZ, and, we recommend that the Management Interface Subnet and Egress (untrust dataplane) Interface Subnet should not be in the same subnet. + +7a.1 Launch and Attach +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Go to Aviatrix Controller's console and navigate to **Firewall Network -> Setup -> Step 7a** and provide all the required input as shown in a table and click **"Launch"** button. + +.. important:: + Vendor's firewall may take some time after launch to be available. + + +========================================== ========== +**Setting** **Value** +========================================== ========== +VPC ID The Security VPC created in Step 1. +Gateway Name The primary FireNet gateway. +Firewall Instance Name The name that will be displayed on AWS Console. +Firewall Image The AWS AMI that you have subscribed in Step 2. +Firewall Image Version Firewall instance current supported software versions. 
+Firewall Instance Size Firewall instance type. +Management Interface Subnet. Select the subnet whose name contains "gateway and firewall management" +Egress Interface Subnet Select the subnet whose name contains "FW-ingress-egress". +Username Applicable to Azure deployment only. "admin" as a username is not accepted. +Password Applicable to Azure deployment only. +Key Pair Name (Optional) The .pem file name for SSH access to the firewall instance. +Attach (Optional) By selecting this option, the firewall instance is inserted in the data path to receive packet. If this is the second firewall instance for the same gateway and you have an operational FireNet deployment, you should not select this option as the firewall is not configured yet. You can attach the firewall instance later at Firewall Network -> Advanced page. +Advanced (Optional) Click this selection to allow Palo Alto firewall bootstrap files to be specified. +IAM Role In advanced mode, create an IAM Role on the AWS account that launched the FireNet gateway. Create a policy to attach to the role. The policy is to allow access to "Bootstrap Bucket". +Bootstrap Bucket Name In advanced mode, specify a bootstrap bucket name where the initial configuration and policy file is stored. +========================================== ========== + +1. CheckPoint Specification +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +CheckPoint Firewall instance has 2 interfaces as described below. 
+ +======================================================== =============================== ================================ +**CheckPoint VM instance interfaces** **Description** **Inbound Security Group Rule** +======================================================== =============================== ================================ +eth0 (on subnet -Public-FW-ingress-egress-AZ-a) Egress or Untrusted interface Allow ALL +eth1 (on subnet -dmz-firewall) LAN or Trusted interface Allow ALL (Do not change) +======================================================== =============================== ================================ + +Note that firewall instance eth1 is on the same subnet as FireNet gateway eth2 interface. + + + + + +.. important:: + + Starting from Release 5.4, launching CheckPoint firewall instances from the Aviatrix Controller automatically initiates its onboarding process. For initial login information, go to `Credentials for Checkpoint Initial Login `_. You must be registered to access the Aviatrix Customer Support website. If you are not already registered, you can sign-up at https://support.aviatrix.com. + + +.. note:: + Repeat Step 8a to launch the second firewall instance to associate with the HA FireNet gateway. Or repeat this step to launch more firewall instances to associate with the same FireNet gateway. + + +Follow `Check Point Example `_ to launch Check Point security gateway in AWS and for more details. + + +2. Palo Alto VM-Series Specifications +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Palo instance has 3 interfaces as described below. 
+ +======================================================== =============================== ================================ +**Palo Alto VM instance interfaces** **Description** **Inbound Security Group Rule** +======================================================== =============================== ================================ +eth0 (on subnet -Public-FW-ingress-egress-AZ-a) Egress or Untrusted interface Allow ALL +eth1 (on subnet -Public-gateway-and-firewall-mgmt-AZ-a) Management interface Allow SSH, HTTPS, ICMP, TCP 3978 +eth2 (on subnet -dmz-firewall) LAN or Trusted interface Allow ALL (Do not change) +======================================================== =============================== ================================ + +Note that firewall instance eth2 is on the same subnet as FireNet gateway eth2 interface. + +.. important:: + + For Panorama managed firewalls, you need to prepare Panorama first and then launch a firewall. Check out `Setup Panorama `_. When a VM-Series instance is launched and connected with Panorama, you need to apply a one time "commit and push" from the Panorama console to sync the firewall instance and Panorama. + +.. Tip:: + + If VM-Series are individually managed and integrated with the Controller, you can still use Bootstrap to save initial configuration time. Export the first firewall's configuration to bootstrap.xml, create an IAM role and Bootstrap bucket structure as indicated above, then launch additional firewalls with IAM role and the S3 bucket name to save the time of the firewall manual initial configuration. + + +Follow `Palo Alto Network (VM Series) Example `_ to launch VM Series firewall in AWS and for more details. + + +3. Fortigate Specifications +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Fortigate Next Generation Firewall instance has 2 interfaces as described below. 
+ +======================================================== =============================== ================================ +**Fortigate VM instance interfaces** **Description** **Inbound Security Group Rule** +======================================================== =============================== ================================ +eth0 (on subnet -Public-FW-ingress-egress-AZ-a) Egress or Untrusted interface Allow ALL +eth1 (on subnet -dmz-firewall) LAN or Trusted interface Allow ALL (Do not change) +======================================================== =============================== ================================ + +.. note:: + Firewall instance eth1 is on the same subnet as FireNet gateway eth2 interface. + +.. tip:: + Starting from Release 5.4, Fortigate bootstrap configuration is supported. + + +Follow `Fortigate Example `_ to launch Fortigate in AWS and for more details. + + + +Step 8b: Associate an Existing Firewall Instance +******************************************************* + +This step is the alternative step to Step 8a. If you already launched the firewall (Check Point, Palo Alto Network or Fortinet) instance from AWS Console, you can still associate it with the FireNet gateway. + +Go to Aviatrix Controller's console and navigate to **Firewall Network -> Setup -> Step 7b** and associate a firewall with right FireNet Gateway. + +Step 9: Example Setup for "Allow All" Policy +*************************************************** + +After a firewall instance is launched, wait for 5 to 15 minutes for it to come up. Time varies for each firewall vendor. +In addition, please follow example configuration guides as below to build a simple policy on the firewall instance for a test validation that traffic is indeed being routed to firewall instance. + +Palo Alto Network (PAN) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +For basic configuration, please refer to `example Palo Alto Network configuration guide `_. 
+ +For implementation details on using Bootstrap to launch and initiate VM-Series, refer to `Bootstrap Configuration Example `_. + +FortiGate (Fortinet) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +For basic configuration, please refer to `example Fortinet configuration guide `_. + +Check Point +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +For basic configuration, please refer to `example Check Point configuration guide `_. + + +Step 10: (Optional) Vendor Firewall Integration +***************************************************** + +Vendor integration dynamically updates firewall route tables. The use case is for networks with non-RFC 1918 routes that require specific route table programming on the firewall appliance + +1. Go to Firewall Network -> Vendor Integration -> Select Firewall, fill in the details of your Firewall instance. +2. Click Save, Show and Sync. + +Step 11: Verification +*************************** + +There are multiple ways to verify if Transit FireNet is configured properly: + + 1. Aviatrix Flightpath - Control-plane Test + #. Ping/Traceroute Test between Spoke VPCs (East-West) - Data-plane Test + +Flight Path Test for FireNet Control-Plane Verification: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Flight Path is a very powerful troubleshooting Aviatrix tool which allows users to validate the control-plane and gives visibility of end to end packet flow. + + 1. Navigate to **Troubleshoot-> Flight Path** + #. Provide the Source and Destination Region and VPC information + #. Select ICMP and Private subnet, and Run the test + +.. note:: + EC2 VM instance will be required in AWS, and ICMP should be allowed in security group. + +Ping/Traceroute Test for FireNet Data-Plane Verification: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Once control-plane is established and no problem found in security and routing polices. 
Data-plane validation needs to be verified to make sure traffic is flowing and not blocking anywhere. + +There are multiple ways to check data-plane: + 1. One way to SSH to Spoke EC2 instance (e.g. DEV1-VM) and ping other Spoke EC2 to instance (e.g PROD1-VM) to make sure no traffic loss in the path. + 2. Ping/traceroute capture can also be performed from Aviatrix Controller. Go to **TROUBLESHOOT -> Diagnostics** and perform the test. + + +.. |subscribe_firewall| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/subscribe_firewall.png + :scale: 25% + +.. |en_tr_firenet| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/en_tr_firenet.png + :scale: 25% + +.. |tr_firenet_policy| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/tr_firenet_policy.png + :scale: 25% + +.. |avx_tr_firenet_topology| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/avx_tr_firenet_topology.png + :scale: 25% + +.. |create_vpc| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/create_vpc.png + :scale: 25% + +.. |tr_firenet_gw| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/tr_firenet_gw.png + :scale: 25% + +.. |launch_spk_gw| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/launch_spk_gw.png + :scale: 25% + +.. |attach_spk_trgw| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/attach_spk_trgw.png + :scale: 25% + +.. |connected_transit| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/connected_transit.png + :scale: 25% + +.. disqus:: diff --git a/HowTos/transit_firenet_workflow_aws_gwlb.rst b/HowTos/transit_firenet_workflow_aws_gwlb.rst new file mode 100644 index 000000000..a3b742381 --- /dev/null +++ b/HowTos/transit_firenet_workflow_aws_gwlb.rst 
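Review bot: In the Step 8b paragraph of transit_firenet_workflow_aws.rst the reader is sent to "Firewall Network -> Setup -> Step 7b" although the section is headed "Step 8b", and Step 8a likewise points at "Step 7a"; renumber either the headings or the in-text references so they agree. In the Palo Alto interface table the management interface row reads "eth1 (on subnet -Public-gateway-and-firewall-mgmt-AZ-a) Management interface Allow SSH, HTTPS, ICMP, TCP 3978" with no source restriction mentioned; since that interface exposes the firewall's admin plane, add a sentence that the inbound rule should be scoped to the Controller and administrator source ranges rather than left open to any source. The external references in this hunk (`Credentials for Checkpoint Initial Login `_, `Check Point Example `_, `Setup Panorama `_, `Fortigate Example `_ and the three Step 9 configuration guides) carry no URL as written, which docutils reports as an unknown target name at build time. Wording in Step 11: "Once control-plane is established and no problem found in security and routing polices." is a fragment ("polices" -> "policies"; join it to the following sentence), and "ping other Spoke EC2 to instance" should read "ping the other Spoke EC2 instance".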
@@ -0,0 +1,456 @@ +.. meta:: + :description: Firewall Network Workflow + :keywords: AWS Transit Gateway, AWS TGW, TGW orchestrator, Aviatrix Transit network, GWLB, Egress, Firewall, Firewall Network, FireNet, AGW, GWLBe + + +============================================================== +Transit FireNet Workflow with AWS Gateway Load Balancer (GWLB) +============================================================== + +Starting 6.3, Aviatrix Transit FireNet solution allows you to deploy firewalls functions with AWS Gateway Load Balancer. + +To learn about Transit FireNet, check out `Transit FireNet FAQ. `_ + +If you are looking deploying firewall networks in AWS Transit Gateway (TGW) environment, your starting point is `here. `_. + +In this example, Transit VPC with Aviatrix Gateways will be deployed, and two Spoke Gateways (DEV and PROD) will be attached to it as shown below: + +|topology_trfnet_with_gwlb| + +Step 1 : Create VPCs +*************************** + +VPCs can be created manually on AWS or directly from Aviatrix Controller. + +Aviatrix controller has set of useful tools available for users and in this example, VPCs are created following the Useful Tools `Create a VPC `_ guidelines. + +1. Login to the Aviatrix Controller with username and password +#. Navigate to **Useful Tools -> Create A VPC** +#. Add one VPC for Transit FireNet Gateway and select **Aviatrix FireNet VPC** option as shown below. +#. Create two more VPCs with **no option/checkbox** selected for Spoke Gateways. + +|create_vpc| + +Step 2: Deploy the Transit Aviatrix Gateway +*************************************************** + +Transit Aviatrix Gateway can be deployed using the `Transit Gateway Workflow `_ + +Prerequisite for AWS +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Transit FireNet builds on the Aviatrix Transit Network where Aviatrix gateways are deployed in both the transit VPC and the spoke VPCs in AWS. + +Make sure the deployment meets the following specifications: + +1. 
ActiveMesh must be enabled when launching the Aviatrix Transit Gateway. +#. The minimum size of the Aviatrix Transit Gateway is c5.xlarge. +#. Aviatrix Transit Network must be in Connected mode. Go to Transit Network -> Advanced Config -> Connected Transit. Click Enable. + +Procedure +~~~~~~~~~~~~~~~~~~~~~ + +1. Navigate to **MULTI-CLOUD TRANSIT -> Setup -> #1 Launch an Aviatrix Transit Gateway** +#. Choose instance size **C5x.large** +#. Enable **ActiveMesh Mode (Mandatory)** +#. Enable InsaneMode for higher throughputs (optional) +#. Enable Transit VPC GW HA by navigating to **MULTI-CLOUD TRANSIT -> Setup -> #2 (Optional) Enable HA to an Aviatrix Transit Gateway** + +.. note:: + Instance size of c5.xlarge will be required for Insane Mode Encryption for higher throughput. + +Please see an example below for Transit FireNet GW: + +|tr_firenet_gw| + +Step 3: Deploy Spoke Gateways +************************************* + +Now that we have Aviatrix Transit Gateway, we can deploy Aviatrix Spoke Gateways in the spoke VPCs using `Aviatrix Spoke Gateway Workflow `_. + +1. Navigate to **MULTI-CLOUD TRANSIT -> Setup -> #4 Launch an Aviatrix Spoke Gateway** +#. Deploy a Spoke Gateway (GW) in each of the spoke VPCs using defaults while choose correct Account and VPC info +#. Choose the Public Subnet +#. Enable Spoke Gateway HA by navigating to Transit network -> Setup -> #5 (Optional) Enable/Disable HA at Spoke GW + +.. note:: + Instance size of c5.xlarge will be required for Insane Mode Encryption for higher throughput. + +|launch_spk_gw| + +Step 4: Attach Spoke Gateways to Transit Network +******************************************************* + +Transit and spoke gateways are deployed, next step is to connect them. + +1. Navigate to **MULTI-CLOUD TRANSIT -> Setup -> #6a Attach Spoke Gateway to Transit Network** +#. Select one spoke at a time and attach to the Transit Gateway. + +|attach_spk_trgw| + +.. 
note:: + Transit Gateway is attached to Spoke Gateways, but by default, Transit Gateway will not route traffic between Spoke Gateways. + +Step 5: Enable Connected Transit +************************************** + +By default, spoke VPCs are in isolated mode where the Transit will not route traffic between them. To allow the Spoke VPCs to communicate with each other, we need to enable Connected Transit + +1. Navigate to **MULTI-CLOUD TRANSIT -> Advanced Config**, select the right Transit Gateway and enable **“Connected Transit”** + +|connected_transit| + +Step 6: Configure Transit Firewall Network +************************************************** + +Transit and Spoke Gateways have now been deployed, next step is to enable the fireNet function and create traffic inspection policy. + +Let’s start with enabling the firewall function and configure the FireNet policy. + +1. Navigate to **MULTI-CLOUD TRANSIT -> Transit FireNet -> #1 Enable Transit FireNet on Aviatrix Transit Gateway** +#. Choose the Aviatrix Transit Gateway, check Use AWS GWLB and Click **“Enable”** + +|en_tr_firenet_gwlb| + +3. Navigate to **MULTI-CLOUD TRANSIT -> Transit FireNet -> #2 Manage FireNet Policy** +#. Add spokes to the Inspected box for traffic inspection + +.. note:: + By default, FireNet inspects ingress (INET to VPC) and east-west traffic (VPC to VPC) only. + +|tr_firenet_policy_gwlb| + + +Step 7: Subscribe Firewall Vendor in AWS Marketplace +************************************************************* + +At this point, FireNet functionality on Transit Gateway is enabled and FireNet policy is created for spokes. It is time to subscribe the firewall vendor and deploy the firewall. + +1. Navigate to **Firewall Network -> Setup -> #2 Subscribe to Firewall Vendor Product** in AWS Marketplace +#. Follow the link to subscribe to Check Point, Palo Alto or Fortinet in AWS Marketplace. + +.. note:: + Please subscribe the firewall but do not launch the firewall. 
+ +|subscribe_firewall| + +Step 8a: Launch and Associate Firewall Instance +***************************************************************** + +This approach is recommended if this is the first Firewall instance to be attached to the gateway. + +This step launches a Firewall instance and associates it with one of the FireNet gateways. + + +.. important:: + + The Firewall instance and the associated Aviatrix FireNet gateway above must be in the same AZ, and, we recommend that the Management interface subnet and Egress (untrust dataplane) interface subnet should not be in the same subnet. + + +Go to Aviatrix Controller's console and navigate to **Firewall Network -> Setup -> Step 7a** and provide all the required input as shown in a table and click **"Launch"** button. + +.. note:: + Vendor's firewall may take some time after launch to be available. + + +========================================== ========== +**Setting** **Value** +========================================== ========== +VPC ID The Security VPC created in Step 1. +Gateway Name The primary FireNet gateway. +Firewall Instance Name The name that will be displayed on AWS Console. +Firewall Image The AWS AMI that you have subscribed in Step 2. +Firewall Image Version Firewall instance current supported software versions. +Firewall Instance Size Firewall instance type. +Management Interface Subnet. Select the subnet whose name contains "gateway and firewall management" +Egress Interface Subnet Select the subnet whose name contains "FW-ingress-egress". +Username Applicable to Azure deployment only. "admin" as a username is not accepted. +Password Applicable to Azure deployment only. +Key Pair Name (Optional) The .pem file name for SSH access to the firewall instance. +Attach (Optional) By selecting this option, the firewall instance is inserted in the data path to receive packet. 
If this is the second firewall instance for the same gateway and you have an operational FireNet deployment, you should not select this option as the firewall is not configured yet. You can attach the firewall instance later at Firewall Network -> Advanced page. +Advanced (Optional) Click this selection to allow Palo Alto firewall bootstrap files to be specified. +IAM Role In advanced mode, create an IAM Role on the AWS account that launched the FireNet gateway. Create a policy to attach to the role. The policy is to allow access to "Bootstrap Bucket". +Bootstrap Bucket Name In advanced mode, specify a bootstrap bucket name where the initial configuration and policy file is stored. +========================================== ========== + +1. CheckPoint Specification +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Check Point Security Gateway do not support AWS GWLB in latest release, and it is in Roadmap for future release. + + +2. Palo Alto VM-Series Specifications +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Palo instance has 3 interfaces as described below. + +======================================================== =============================== ================================ +**Palo Alto VM instance interfaces** **Description** **Inbound Security Group Rule** +======================================================== =============================== ================================ +eth0 (on subnet -Public-FW-ingress-egress-AZ-a) Egress or Untrusted interface Allow ALL +eth1 (on subnet -Public-gateway-and-firewall-mgmt-AZ-a) Management interface Allow SSH, HTTPS, ICMP, TCP 3978 +eth2 (on subnet -gwlb-pool) LAN or Trusted interface Allow ALL (Do not change) +======================================================== =============================== ================================ + +Note that firewall instance eth2 is on the same subnet as AWS GWLB interface. + +.. 
important:: + + For Panorama managed firewalls, you need to prepare Panorama first and then launch a firewall. Check out `Setup Panorama `_. When a VM-Series instance is launched and connected with Panorama, you need to apply a one time "commit and push" from the Panorama console to sync the firewall instance and Panorama. + +.. Tip:: + + If VM-Series are individually managed and integrated with the Controller, you can still use Bootstrap to save initial configuration time. Export the first firewall's configuration to bootstrap.xml, create an IAM role and Bootstrap bucket structure as indicated above, then launch additional firewalls with IAM role and the S3 bucket name to save the time of the firewall manual initial configuration. + + + +3. Fortigate Specifications +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +FortiGate firewall supports AWS GWLB in their latest 6.4 release, please refer to the FortiOS 6.4 AWS Cookbook, pages 175 through 189. +This section covers both North-South and East-West scenarios. Please see the following link: + +https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/f4e6f33e-6876-11ea-9384-00505692583a/FortiOS_6.4_AWS_Cookbook.pdf + + +Step 8b: Associate an Existing Firewall Instance +******************************************************* + +This step is the alternative step to Step 8a. If you already launched the firewall (Check Point, Palo Alto Network or Fortinet) instance from AWS Console, you can still associate it with the FireNet gateway. + +Go to Aviatrix Controller's console and navigate to **Firewall Network -> Setup -> Step 7b** and associate a firewall with right FireNet Gateway. + +Step 9: Example Setup for "Allow All" Policy +*************************************************** + +After a firewall instance is launched, wait for 5 to 15 minutes for it to come up. Time varies for each firewall vendor. 
+In addition, please follow example configuration guides as below to build a simple policy on the firewall instance for a test validation that traffic is indeed being routed to firewall instance. + +Palo Alto Network (PAN) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +For basic policy configuration, refer to following steps: + +1) `Download VM-Series Access Key `_ +2) `Reset VM-Series Password `_ +3) `Login to VM-Series and activate VM-Series license `_ +4) `Configure VM-Series ethernet1/1 with WAN zone `_ +5) `Configure VM-Series ethernet1/2 with LAN zone `_ +6) `Configure Vendor Integration `_ +7) `Enable HTTPS on VM-Series for Health Check `_ +8) `Configure basic Allow-All policy `_ + +For Egress Inspection + +Go to `Firewall Network -> Advanced -> Click on 3 dots -> Enable Egress Through Firewall `_ + +|egress_gwlb| + +FortiGate (Fortinet) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +FortiGate firewall supports AWS GWLB in their latest 6.4 release, please refer to the FortiOS 6.4 AWS Cookbook, pages 175 through 189. +This section covers both North-South and East-West scenarios. Please see the following link: + +https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/f4e6f33e-6876-11ea-9384-00505692583a/FortiOS_6.4_AWS_Cookbook.pdf + +Check Point +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Check Point Security Gateway do not support AWS GWLB in latest release. AWS GWLB is in Roadmap for future release. + +Step 10: Verification +*************************** + +There are multiple ways to verify if Transit FireNet is configured properly: + + 1. Aviatrix Flightpath - Control-plane Test + #. Ping/Traceroute Test between Spoke VPCs (East-West) - Data-plane Test + +Flight Path Test for FireNet Control-Plane Verification: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Flight Path is a very powerful troubleshooting Aviatrix tool which allows users to validate the control-plane and gives visibility of end to end packet flow. + + 1. 
Navigate to **Troubleshoot-> Flight Path** + #. Provide the Source and Destination Region and VPC information + #. Select ICMP and Private subnet, and Run the test + +.. note:: + EC2 VM instance will be required in AWS, and ICMP should be allowed in security group. + +Ping/Traceroute Test for FireNet Data-Plane Verification: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Once control-plane is established and no problem found in security and routing polices. Data-plane validation needs to be verified to make sure traffic is flowing and not blocking anywhere. + +There are multiple ways to check data-plane: + 1. One way to SSH to Spoke EC2 instance (e.g. DEV1-VM) and ping other Spoke EC2 to instance (e.g PROD1-VM) to make sure no traffic loss in the path. + 2. Ping/traceroute capture can also be performed from Aviatrix Controller. Go to **TROUBLESHOOT -> Diagnostics** and perform the test. + + +Transit FireNet with AWS GWLB Packet Walk +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +|gwlb_impementation| + + +**Step 1: Spoke Gateway Connections and Routing Table** + +|spk_list_1| + + +|spk_list_2| + +**Step 2: Transit Gateway Connections and Routing Table** +|transit_list_1| + + +|transit_list_2| + + +|transit_list_3| + +**Step 3: Transit to Endpoint Routing (dmz_firewall Route Table)** +|aws_cons_1| + + +|aws_cons_2| + +|aws_cons_3| + +**Step 4: AWS Gateway Load Balancer Endpoint to Gateway Load Balancer** +|aws_cons_4| + +|aws_cons_5| + +|aws_cons_6| + +|aws_cons_7| + + +**Step 5: Load Balancer to Firewall (Palo Alto Networks)** +|aws_cons_8| + +|aws_cons_9| + +|aws_cons_10| + +|aws_cons_11| + +|aws_cons_12| + +**Step 6: Load Balancer and Firewall (Palo Alto Networks) Routing** +|aws_cons_13| + +|aws_cons_14| + + +**Step 7: Egress Traffic Endpoint Point to NAT GW to Internet** + +|nat_gw_1| + +|nat_gw_2| + + + + +.. 
|gwlb_impementation| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/gwlb_impementation.png + :scale: 35% + +.. |nat_gw_1| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/nat_gw_1.png + :scale: 35% + +.. |nat_gw_2| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/nat_gw_2.png + :scale: 35% + + +.. |aws_cons_1| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_1.png + :scale: 35% + +.. |aws_cons_2| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_2.png + :scale: 35% + +.. |aws_cons_3| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_3.png + :scale: 35% + +.. |aws_cons_4| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_4.png + :scale: 35% + +.. |aws_cons_5| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_5.png + :scale: 35% + +.. |aws_cons_6| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_6.png + :scale: 35% + +.. |aws_cons_7| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_7.png + :scale: 35% + +.. |aws_cons_8| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_8.png + :scale: 35% + +.. |aws_cons_9| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_9.png + :scale: 35% + +.. |aws_cons_10| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_10.png + :scale: 35% + +.. |aws_cons_11| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_11.png + :scale: 35% + +.. |aws_cons_12| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_12.png + :scale: 35% + +.. |aws_cons_13| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_13.png + :scale: 35% + +.. 
|aws_cons_14| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_14.png + :scale: 35% + +.. |transit_list_1| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/transit_list_1.png + :scale: 35% + +.. |transit_list_2| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/transit_list_2.png + :scale: 35% + +.. |transit_list_3| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/transit_list_3.png + :scale: 35% + + +.. |spk_list_1| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/spk_list_1.png + :scale: 35% + +.. |spk_list_2| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/spk_list_2.png + :scale: 35% + +.. |subscribe_firewall| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/subscribe_firewall.png + :scale: 35% + +.. |en_tr_firenet_gwlb| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/en_tr_firenet_gwlb.png + :scale: 35% + +.. |tr_firenet_policy_gwlb| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/tr_firenet_policy_gwlb.png + :scale: 35% + +.. |topology_trfnet_with_gwlb| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/topology_trfnet_with_gwlb.png + :scale: 35% + +.. |create_vpc| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/create_vpc.png + :scale: 35% + +.. |tr_firenet_gw| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/tr_firenet_gw.png + :scale: 35% + +.. |launch_spk_gw| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/launch_spk_gw.png + :scale: 35% + +.. |attach_spk_trgw| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/attach_spk_trgw.png + :scale: 35% + +.. |connected_transit| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/connected_transit.png + :scale: 35% + +.. 
|egress_gwlb| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/egress_gwlb.png + :scale: 35% + +.. disqus:: diff --git a/HowTos/transit_firenet_workflow_azure.rst b/HowTos/transit_firenet_workflow_azure.rst new file mode 100644 index 000000000..dbcaadf14 --- /dev/null +++ b/HowTos/transit_firenet_workflow_azure.rst 
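Review bot: The "IAM Role" row of the Step 8a table in transit_firenet_workflow_aws_gwlb.rst only says the policy "is to allow access to 'Bootstrap Bucket'" without stating the scope; because the Tip in the Palo Alto section has the operator export a configured firewall's settings to bootstrap.xml into that bucket, the row should say the policy grants read-only access (object get and bucket list) on that single bucket and that the bucket itself should not be readable by other principals. Several references were carried over from the non-GWLB page and no longer match this document's numbering: "Firewall Image The AWS AMI that you have subscribed in Step 2." (the marketplace subscription is Step 7 here), and Step 8a/8b direct the reader to "Firewall Network -> Setup -> Step 7a" / "Step 7b". The Prerequisite lists the minimum size as "c5.xlarge" while the Procedure says "Choose instance size **C5x.large**"; the latter is a typo. "Check Point Security Gateway do not support AWS GWLB" should read "does not support" in both places it appears, and the substitution name "|gwlb_impementation|" is misspelled (it is defined consistently, so it renders, but "gwlb_implementation" would be cleaner).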
@@ -0,0 +1,403 @@ +.. meta:: + :description: Firewall Network Workflow + :keywords: Azure Transit Gateway, Azure, TGW orchestrator, Aviatrix Transit network, Transit DMZ, Egress, Firewall, Firewall Network, FireNet + + +========================================================= +Transit FireNet Workflow for Azure +========================================================= + +Aviatrix Transit FireNet allows you to deploy firewalls functions for the Aviatrix Multi-Cloud Transit architecture. With Transit FireNet feature, the Firewall Network (FireNet) function is integrated into the Aviatrix Transit gateway. + +Aviatrix Transit FireNet supports different hashing algorithms available in Azure cloud to load balance the traffic across different firewalls which includes `Hash-based distribution mode (five-tuple hash) `_ and `Source IP affinity mode (three-tuple or two-tuple hash) `_. + +To learn more about Hashing Algorithm and Transit FireNet, check out `Transit FireNet FAQ. `_ + +In this example, Transit VNet with Aviatrix Gateways will be deployed, and two Spoke Gateways (DEV and PROD) will be attached to it. + +The transit VNET will have a firewall of supported vendors (Check Point, Palo Alto Networks and Fortinet etc.) deployed in it. Please see the diagram below for more details. + +Once the infra is in-place then the policy will be created to inspect the east-west and north-south traffic. + +|avx_tr_firenet_topology_az| + +Step 1 : Create Transit VNet +******************************* + +VNets can be created manually on Azure or directly from Aviatrix Controller. + +Aviatrix controller has set of useful tools available for users and in this example, VNets are created following the Useful Tools `Create a VPC `_ guidelines. + +1. Login to the Aviatrix Controller with username and password +#. Navigate to **Useful Tools -> Create A VPC** +#. Add one VNet for Transit FireNet Gateway and select **Aviatrix FireNet VPC** option as shown below. +#. 
Create two more VNets with **no option/checkbox** selected for Spoke Gateways. + +|create_vpc| + +Step 2: Deploy the Transit Aviatrix Gateway +*************************************************** + +Transit Aviatrix Gateway can be deployed using the `Transit Gateway Workflow `_ + +Prerequisite for Azure +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Transit FireNet builds on the Aviatrix Transit Network solution where Aviatrix gateways are deployed in Transit VNet and/or in Spoke VNet in Azure. + +Make sure the deployment meets the following specifications: + +1. ActiveMesh must be enabled when launching the Aviatrix Transit Gateway. +2. Select the option “Enable Transit FireNet” when launching the Aviatrix Transit Gateway. +3. Aviatrix Transit Network must be in Connected mode. Go to Transit Network -> Advanced Config -> Connected Transit. Click Enable. + +.. important:: + Controller version 6.0 and prior, the minimum size of the Aviatrix Transit Gateway virtual machine is Standard_B2ms. Starting 6.1, minimum Transit Gateway instance size requirement is removed. + +Procedure +~~~~~~~~~~~~~~~~~~~~~ + +1. Navigate to **MULTI-CLOUD TRANSIT -> Setup -> #1 Launch an Aviatrix Transit Gateway** +#. Choose virtual machine size **Standard_B2ms** +#. Enable **ActiveMesh Mode (Mandatory)** +#. Enable InsaneMode for higher throughputs (optional) +#. Enable Transit Gateway HA by navigating to **MULTI-CLOUD TRANSIT -> Setup -> #2 (Optional) Enable HA to an Aviatrix Transit Gateway** + +Please see an example below for Transit FireNet GW: + +|tr_firenet_gw| + +.. note:: + + Insane Mode Encryption for higher throughput requires a virtual machine size. Check this `link `_ for detail. + +Step 3: Deploy Spoke Gateways +************************************* + +Now that we have Aviatrix Transit Gateway, we can deploy Aviatrix Spoke Gateways in the spoke VNET using `Aviatrix Spoke Gateway Workflow `_. + +1. Navigate to **MULTI-CLOUD TRANSIT -> Setup -> #4 Launch an Aviatrix Spoke Gateway** +#. 
Deploy a Spoke Gateway (GW) in each of the spoke VNETs using defaults while choose correct Account and VNET info +#. Choose the Public Subnet +#. Enable Spoke Gateway HA by navigating to Transit network -> Setup -> #5 (Optional) Enable/Disable HA at Spoke GW + +|launch_spk_gw| + +Step 4: Attach Spoke Gateways to Transit Network +******************************************************* + +Transit and spoke gateways are deployed, next step is to connect them. + +1. Navigate to **MULTI-CLOUD TRANSIT -> Setup -> #6a Attach Spoke Gateway to Transit Network** +#. Select one spoke at a time and attach to the Transit Gateway. + +|attach_spk_trgw| + +.. note:: + Transit Gateway is attached to Spoke Gateways, but by default, Transit Gateway will not route traffic between Spoke Gateways. + +Step 5: Enable Connected Transit +************************************** + +By default, spoke VNETs are in isolated mode where the Transit will not route traffic between them. To allow the Spoke VNETs to communicate with each other, we need to enable Connected Transit + +1. Navigate to **MULTI-CLOUD TRANSIT -> Advanced Config**, select the right Transit Gateway and enable **“Connected Transit”** + +|connected_transit| + +Step 6: Configure Transit Firewall Network +************************************************** + +Transit and Spoke Gateways have now been deployed, next step is to deploy and enable the Firewall for traffic inspection. + +Let’s start with enabling the firewall function and configure the FireNet policy. + +1. Navigate to **MULTI-CLOUD TRANSIT -> Transit FireNet -> #1 Enable Transit FireNet on Aviatrix Transit Gateway** +#. Choose the Aviatrix Transit Gateway and Click **“Enable”** + +|en_tr_firenet| + +3. Navigate to **MULTI-CLOUD TRANSIT -> Transit FireNet -> #2 Manage FireNet Policy** +#. Add spokes to the Inspected box for traffic inspection + +.. note:: + By default, FireNet inspects ingress (INET to VNET) and east-west traffic (VNET to VNET) only. 
+ +|tr_firenet_policy| + + +Step 7a: Launch and Associate Firewall Instance +***************************************************************** + +This approach is recommended if this is the first Firewall instance to be attached to the gateway. + +This step launches a Firewall instance and associates it with one of the FireNet gateways. + + +.. important:: + + The Firewall instance and the associated Aviatrix FireNet gateway above must be in the same AZ, and, we recommend that the Management Interface Subnet and Egress (untrust dataplane) Interface Subnet should not be in the same subnet. + +.. note:: + By default, Aviatrix Transit Firenet uses 5 tuple hashing algorithm but that can be changed to 2 or 3 tuple as per requirement. Please check transit `firenet FAQs `_ for more details. + +7a.1 Launch and Attach +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Go to Aviatrix Controller's console and navigate to **Firewall Network -> Setup -> Step 7a** and provide all the required input as shown in a table and click **"Launch"** button. + +.. important:: + Vendor's firewall may take some time after launch to be available. + +========================================== ========== +**Setting** **Value** +========================================== ========== +VPC ID The Security VNET created in Step 1. +Gateway Name The primary FireNet gateway. +Firewall Instance Name The name that will be displayed on Azure Console. +Firewall Image The Azure AMI that you have subscribed. +Firewall Image Version Firewall supported software versions. +Firewall Instance Size Firewall virtual machine size. +Management Interface Subnet. Select the subnet whose name contains "gateway and firewall management" +Egress Interface Subnet Select the subnet whose name contains "FW-ingress-egress". +Username Applicable to Azure deployment only. "admin" as a username is not accepted. +Authentication Method Password or SSH Public Key +Password Applicable to Azure deployment only. 
+Key Pair Name (Optional) The .pem file name for SSH access to the firewall instance. +Attach (Optional) By selecting this option, the firewall instance is inserted in the data path to receive packet. If this is the second firewall instance for the same gateway and you have an operational FireNet deployment, you should not select this option as the firewall is not configured yet. You can attach the firewall instance later at Firewall Network -> Advanced page. +Advanced (Optional) Click this selection to allow Palo Alto firewall bootstrap files to be specified. +========================================== ========== + +1. Check Point Specification +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Check Point Security Gateway has 2 interfaces as described below. + +======================================================== =============================== ================================ +**Check Point VM interfaces** **Description** **Inbound Security Group Rule** +======================================================== =============================== ================================ +eth0 (on subnet -Public-FW-ingress-egress) Egress or Untrusted interface Allow ALL +eth1 (on subnet -dmz-firewall) LAN or Trusted interface Allow ALL (Do not change) +======================================================== =============================== ================================ + +Note that security gateway eth1 is on the same subnet as Firenet gateway eth2 interface. + +Check Point Security Gateway launch from the Aviatrix Controller automatically initiates the on-boarding process, configure security gateway interfaces and program RFC 1918 routes. After completing this step, user should be able to login to the Check Point Gaia console with username **admin** and provided password during launch. + +.. note:: + Repeat Step 7a to launch the second security gateway to associate with the HA FireNet gateway. 
Or repeat this step to launch more security gateways to associate with the same Firenet gateway. + + +Follow `Check Point Example `_ to see how to launch Check Point Security Gateway in Azure, and for more details. + + +2. Palo Alto VM-Series Specifications +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Palo instance has 3 interfaces as described below. + +======================================================== =============================== ================================ +**Palo Alto VM interfaces** **Description** **Inbound Security Group Rule** +======================================================== =============================== ================================ +eth0 (on subnet -Public-gateway-and-firewall-mgmt) Management interface Allow SSH, HTTPS, ICMP, TCP 3978 +eth1 (on subnet -Public-FW-ingress-egress) Egress or Untrusted interface Allow ALL +eth2 (on subnet -dmz-firewall) LAN or Trusted interface Allow ALL (Do not change) +======================================================== =============================== ================================ + +Note that firewall instance eth2 is on the same subnet as FireNet gateway eth2 interface. + +Launch VM Series from Aviatrix Controller automatically set it up the Palo Alto Network VM-Series firewall. User should be able to login to the VM-Series console with given username and password during launch. + +.. important:: + + For Panorama managed firewalls, you need to prepare Panorama first and then launch a firewall. Check out `Setup Panorama `_. When a VM-Series instance is launched and connected with Panorama, you need to apply a one time "commit and push" from the Panorama console to sync the firewall instance and Panorama. + +.. Tip:: + + If VM-Series are individually managed and integrated with the Controller, you can still use Bootstrap to save initial configuration time. 
Export the first firewall's configuration to bootstrap.xml, create an IAM role and Bootstrap bucket structure as indicated above, then launch additional firewalls with IAM role and the S3 bucket name to save the time of the firewall manual initial configuration. + + +3. Fortinet Specifications +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +FortiGate Next Generation Firewall instance has 2 interfaces as described below. + +======================================================== =============================== ================================ +**FortiGate VM interfaces** **Description** **Inbound Security Group Rule** +======================================================== =============================== ================================ +eth0 (on subnet -Public-FW-ingress-egress) Egress or Untrusted interface Allow ALL +eth1 (on subnet -dmz-firewall) LAN or Trusted interface Allow ALL (Do not change) +======================================================== =============================== ================================ + +.. tip:: + Starting from Release 6.2, FortiGate bootstrap configuration is supported. + +Please refer to `FortiGate Azure Configuration Example `_ for more details. + +Step 7b: Associate an Existing Firewall Instance +******************************************************* + +This step is the alternative step to Step 7a. If you already launched the firewall (Check Point, Palo Alto Network or Fortinet) instance from Azure Console, you can still associate it with the FireNet gateway. + +Go to Aviatrix Controller's console and navigate to **Firewall Network -> Setup -> Step 7b** and associate a firewall with right FireNet Gateway. + + +Step 8: Vendor Firewall Integration +***************************************************** + +Vendor integration dynamically updates firewall route tables. The use case is for networks with RFC 1918 and non-RFC 1918 routes that require specific route table programming on the firewall appliance + +1. 
Go to Firewall Network -> Vendor Integration -> Select Firewall, fill in the details of your Firewall instance. +2. Click Save, Show and Sync. + +.. important:: + Aviatrix Controller automatically programs RFC 1918 in Check Point Security Gateway at a time of launch. This step can be skipped for Check Point if non-RFC 1918 routes programming is not required in Security Gateway. + +.. note:: + Vendor integration is not supported for FortiGate. User needs to configure RFC 1918 static routes manually in FortiGate firewall. + + +Step 9: Enable Health Check Policy in Firewall +*************************************************** +Aviatrix Controller uses HTTPS (TCP 443) to check the health of firewall every 5 seconds. User needs to enable this port in firewall as per given instruction. + +Check Point +~~~~~~~~~~~~~~ +By default, HTTPS or TCP 443 is allowed in Security Gateway. No action is required. + + +Palo Alto Network (PAN) +~~~~~~~~~~~~~~~~~~~~~~~~~ +By default, VM-Series do not allow HTTPS or TCP 443 port. Pleas follow the given steps to enable it: + + 1. Login to VM-Series with username and password. + #. Go to Network -> Interface Mgmt under Network Profiles and click "Add". + #. Give any name in "Interface Management Profile", check HTTPS checkbox under Administrative Management Service and click "OK". + #. Attach Profile with LAN interface. Network -> Interfaces -> Select LAN Ethernet Interface -> Advanced -> Management Profile -> Select appropiate profile. + +|PAN-health-check| + +See an example screenshot below how to attach profile to an interface. + +|pan_hcheck_attach| + +Firewall health check probes can be verified in Monitor -> Traffic. + +|pan-health-probe| + +Fortinet +~~~~~~~~~~~~~~~ +User needs to allow HTTPS or TCP 443 port in FortiGate firewall to monitor the health of firewall. Please follow the steps to allow HTTPS in FortiGate: + + 1. Login to FortiGate's console using username and password + #. 
Go to Network -> Interfaces, select **port 2** and click "Edit". + #. Check HTTPS checkbox under Administrative access -> IPv4 and click "OK". + +|health-check| + +The health check probes can be verified in FortiGate by navigating to Log & Report -> Local Traffic. + +|health-probe-logs| + + +Step 10: Example Setup for "Allow All" Policy +*************************************************** + +After a firewall instance is launched, wait for 5 to 15 minutes for it to come up. Time varies for each firewall vendor. +In addition, please follow example configuration guides as below to build a simple policy on the firewall instance for a test validation that traffic is indeed being routed to firewall instance. + +Palo Alto Network (PAN) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +For basic configuration, please refer to `example Palo Alto Network configuration guide `_. + +For implementation details on using Bootstrap to launch and initiate VM-Series, refer to `Bootstrap Configuration Example `_. + +FortiGate (Fortinet) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +For basic policy configuration, please refer to `example Fortinet configuration guide `_. + +Check Point +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +For basic policy configuration, please refer to `example Check Point configuration guide `_. + + +Step 11: Verification +*************************** + +There are multiple ways to verify if Transit FireNet is configured properly: + + 1. Aviatrix Flightpath - Control-plane Test + #. Ping/Traceroute Test between Spoke VNETs (East-West) - Data-plane Test + +Flight Path Test for FireNet Control-Plane Verification: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Flight Path is a very powerful troubleshooting Aviatrix tool which allows users to validate the control-plane and gives visibility of end to end packet flow. + + 1. Navigate to **Troubleshoot-> Flight Path** + #. Provide the Source and Destination Region and VNET information + #. 
Select ICMP and Private subnet, and Run the test + +.. note:: + VM instance will be required in Azure, and ICMP should be allowed in security group. + +Ping/Traceroute Test for FireNet Data-Plane Verification: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Once control-plane is established and no problem found in security and routing polices. Data-plane validation needs to be verified to make sure traffic is flowing and not blocking anywhere. + +There are multiple ways to check data-plane: + 1. One way to SSH to Spoke EC2 instance (e.g. DEV1-VM) and ping other Spoke EC2 to instance (e.g PROD1-VM) to make sure no traffic loss in the path. + 2. Ping/traceroute capture can also be performed from Aviatrix Controller. Go to **TROUBLESHOOT -> Diagnostics** and perform the test. + + +.. |avx_tr_firenet_topology_az| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/avx_tr_firenet_topology_az.png + :scale: 20% + +.. |insane_mode_tp| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/insane_mode_tp.png + :scale: 30% + +.. |create_vpc| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/create_vpc.png + :scale: 40% + +.. |tr_firenet_gw| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/tr_firenet_gw.png + :scale: 35% + +.. |launch_spk_gw| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/launch_spk_gw.png + :scale: 35% + +.. |attach_spk_trgw| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/attach_spk_trgw.png + :scale: 35% + +.. |en_tr_firenet| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/en_tr_firenet.png + :scale: 35% + +.. |tr_firenet_policy| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/tr_firenet_policy.png + :scale: 35% + +.. 
|avx_tr_firenet_topology| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/avx_tr_firenet_topology.png + :scale: 35% + +.. |connected_transit| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/connected_transit.png + :scale: 40% + +.. |health-check| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/health-check.png + :scale: 35% + +.. |PAN-health-check| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/PAN-health-check.png + :scale: 35% + +.. |health-probe-logs| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/health-probe-logs.png + :scale: 40% + +.. |pan-health-probe| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/pan-health-probe.png + :scale: 40% + +.. |pan_hcheck_attach| image:: transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/pan_hcheck_attach.png + :scale: 40% + + +.. disqus:: diff --git a/HowTos/transit_firenet_workflow_gcp.rst b/HowTos/transit_firenet_workflow_gcp.rst new file mode 100644 index 000000000..91565a0de --- /dev/null +++ b/HowTos/transit_firenet_workflow_gcp.rst 
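Review bot: Step 2 of the Azure page contradicts its own prerequisite: the `.. important::` block states that "Starting 6.1, minimum Transit Gateway instance size requirement is removed", yet the Procedure list directly below still instructs "Choose virtual machine size **Standard_B2ms**" as though it were mandatory; phrase it as an example size or scope it to Controller 6.0 and earlier. The note under that list, "Insane Mode Encryption for higher throughput requires a virtual machine size", is missing its qualifier (a minimum size). Several lines were carried over from the AWS page without adaptation: in the Step 7a table, "Firewall Image The Azure AMI that you have subscribed" uses AWS terminology (Azure has Marketplace images, not AMIs); the Palo Alto `.. Tip::` tells the reader to "create an IAM role and Bootstrap bucket structure" and launch with "the S3 bucket name", which are AWS constructs with no meaning in an Azure deployment, so either describe the Azure bootstrap mechanism or drop the tip; and Step 11 says "SSH to Spoke EC2 instance" where it means an Azure VM. On the security side, Step 9 enables the firewall's administrative HTTPS service on the LAN (trusted) data-plane interface for both PAN ("check HTTPS checkbox under Administrative Management Service", then attach the profile to the LAN interface) and FortiGate ("Check HTTPS checkbox under Administrative access -> IPv4" on port 2); because that exposes the management plane on a data interface, the doc should tell readers to restrict the permitted source addresses for that profile or interface to the FireNet gateway's dmz-firewall subnet rather than leaving it open to anything that can reach the LAN side. Similarly, the vendor interface tables list "Allow ALL" as the inbound rule for the untrusted eth0/eth1 interface and "Allow SSH, HTTPS, ICMP, TCP 3978" for the PAN management interface; the text should state that the firewall's own policy, not the NSG, is the control on the untrusted interface, and that the management rule should be limited to administrator and Panorama source addresses. Minor typos: "Pleas follow", "appropiate", "while choose correct Account", "Transit network -> Setup" in Step 3 versus "MULTI-CLOUD TRANSIT -> Setup" everywhere else.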
@@ -0,0 +1,288 @@ +.. meta:: + :description: Firewall Network Workflow + :keywords: GCP Transit Gateway, Aviatrix Transit network, Transit DMZ, Egress, Firewall, Firewall Network, FireNet, GCP FireNet + + +========================================================= +Transit FireNet Workflow for GCP +========================================================= + +Aviatrix Transit FireNet allows you to deploy firewalls functions for the Aviatrix Multi-Cloud transit architecture. With Transit FireNet feature, the Firewall Network (FireNet) function is integrated into the Aviatrix Transit gateway. + +To learn about Transit FireNet, check out `Transit FireNet FAQ. `_ + +If you are looking to deploy firewall networks in AWS Transit Gateway (TGW) environment, your starting point is `here. `_. + + +In this example, Transit VPC with Aviatrix Gateways will be deployed, and two Spoke Gateways (DEV and PROD) will be attached to it. + +The transit VPC will have a firewall of supported vendors (Checkpoint, Palo Alto Networks and Fortinet etc.) deployed in it. Please see the diagram below for more details. + +Once the infra is in-place then the policy will be created to inspect the east-west and north-south traffic. + + +|avx_tr_firenet_topology| + + +Step 1 : Create VPCs +*************************** + +VPCs can be created manually on GCP or directly from Aviatrix Controller. + +Aviatrix controller has set of useful tools available for users and in this example, VPCs are created following the Useful Tools `Create a VPC `_ guidelines. + +1. Login to the Aviatrix Controller with username and password +#. Navigate to **Useful Tools -> Create A VPC** +#. Add one VPC for Transit FireNet Gateway and provide **Aviatrix FireNet VPC Subnet** as shown below. +#. Add three more VPCs as shown in Topology i.e Egress VPC, LAN VPC and Management VPC. +#. Create two more VPCs for Spoke Gateways. 
+ +|create_vpc| + +Step 2: Deploy the Transit Aviatrix Gateway +*************************************************** + +Transit Aviatrix Gateway can be deployed using the `Transit Gateway Workflow `_ + +Procedure +~~~~~~~~~~~~~~~~~~~~~ + +1. Navigate to **MULTI-CLOUD TRANSIT -> Setup -> #1 Launch an Aviatrix Transit Gateway** +#. Select the Cloud Type **Gcloud** +#. Select VPC ID **Transit FireNet VPC** +#. Choose instance size **n1-standard-1** +#. Enable **ActiveMesh Mode (Mandatory)** +#. Check **Enable Transit FireNet Function** checkbox and provide LAN VPC ID **Transit FireNet LAN VPC** +#. Enable InsaneMode for higher throughputs (optional) +#. Choose correct Account, Public Subnet and click **Create** +#. Enable Transit Gateway HA by navigating to **MULTI-CLOUD TRANSIT -> Setup -> #2 (Optional) Enable HA to an Aviatrix Transit Gateway** + +Please see an example below for Transit FireNet GW: + +|tr_firenet_gw| + +Step 3: Deploy Spoke Gateways +************************************* + +Now that we have Aviatrix Transit Gateway, we can deploy Aviatrix Spoke Gateways in the spoke VPCs using `Aviatrix Spoke Gateway Workflow `_. + +1. Navigate to **MULTI-CLOUD TRANSIT -> Setup -> #4 Launch an Aviatrix Spoke Gateway** +#. Deploy a Spoke Gateway (GW) in each of the spoke VPCs using defaults while choose correct Account and VPC info +#. Choose the Public Subnet +#. Enable Spoke Gateway HA by navigating to **MULTI-CLOUD TRANSIT -> Setup -> #5 (Optional) Enable/Disable HA at Spoke GW** + +|launch_spk_gw| + +Step 4: Attach Spoke Gateways to Transit Network +******************************************************* + +Transit and spoke gateways are deployed, next step is to connect them. + +1. Navigate to **MULTI-CLOUD TRANSIT -> Setup -> #6a Attach Spoke Gateway to Transit Network** +#. Select one spoke at a time and attach to the Transit Gateway. + +|attach_spk_trgw| + +.. 
note:: + Transit Gateway is now attached to Spoke Gateways but Transit Gateway will not route traffic between Spoke Gateways. + +Step 5: Enable Connected Transit +************************************** + +By default, spoke VPCs are in isolated mode where the Transit will not route traffic between them. To allow the Spoke VPCs to communicate with each other, we need to enable Connected Transit + +1. Navigate to **MULTI-CLOUD TRANSIT -> Advanced Config**, select the right Transit Gateway and enable **“Connected Transit”** + +|connected_transit| + +Step 6: Configure Transit Firewall Network +************************************************** + +Transit and Spoke Gateways have now been deployed, next step is to deploy and enable the Firewall for traffic inspection. + +Let’s start with enabling the firewall function and configure the FireNet policy. + +1. Navigate to **MULTI-CLOUD TRANSIT -> Transit FireNet -> #1 Enable Transit FireNet on Aviatrix Transit Gateway** +#. Choose the Aviatrix Transit Gateway and Click **“Enable”** + +.. Note:: + + For GCP deployment, Transit FireNet function is enabled when launching the gateway, skip this step. + + +3. Navigate to **MULTI-CLOUD TRANSIT -> Transit FireNet -> #2 Manage FireNet Policy** +#. Add spokes to the Inspected box for traffic inspection + +.. note:: + By default, FireNet inspects ingress (INET to VPC) and east-west traffic (VPC to VPC) only. + +|tr_firenet_policy| + + +Step 7a: Launch and Associate Firewall Instance +***************************************************************** + +This approach is recommended if this is the first Firewall instance to be attached to the gateway. + +This step launches a Firewall instance and associates it with one of the FireNet gateways. + + +.. 
important:: + + The Firewall instance and the associated Aviatrix FireNet gateway above must be in the same AZ, and, we recommend that the Management Interface Subnet and Egress (untrust dataplane) Interface Subnet should not be in the same subnet. + +7a.1 Launch and Attach +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Go to Aviatrix Controller's console and navigate to **Firewall Network -> Setup -> Step 7a** and provide all the required input as shown in a table and click **"Launch"** button. + +.. important:: + Vendor's firewall may take some time after launch to be available. + + +========================================== ========== +**Setting** **Value** +========================================== ========== +VPC ID The Security VPC created in Step 1. +Gateway Name The primary FireNet gateway. +Firewall Instance Name The name that will be displayed on GCP Console. +Firewall Image The AWS AMI that you have subscribed in Step 2. +Firewall Image Version Firewall instance current supported software versions. +Firewall Instance Size Firewall instance type. +Management Interface VPC ID Select the Firewall Management VPC +Management Interface Subnet Select the subnet for Firewall Management +Egress Interface VPC ID Select the Firewall Egress VPC. +Egress Interface Subnet Select the subnet for Firewall Egress. +Attach (Optional) By selecting this option, the firewall instance is inserted in the data path to receive packet. If this is the second firewall instance for the same gateway and you have an operational FireNet deployment, you should not select this option as the firewall is not configured yet. You can attach the firewall instance later at Firewall Network -> Advanced page. +Advanced (Optional) Click this selection to allow Palo Alto firewall bootstrap files to be specified. +Bootstrap Bucket Name In advanced mode, specify a bootstrap bucket name where the initial configuration and policy file is stored. +========================================== ========== + +1. 
Check Point Specification +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Check Point support for Google Cloud is coming in future release + + +2. Palo Alto VM-Series Specifications +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Palo instance has 3 interfaces as described below. + +======================================================== =============================== ================================ +**Palo Alto VM instance interfaces** **Description** **Inbound Security Group Rule** +======================================================== =============================== ================================ +nic0 Egress or Untrusted interface Allow ALL +nic1 Management interface Allow SSH, HTTPS, ICMP, TCP 3978 +nic2 LAN or Trusted interface Allow ALL (Do not change) +======================================================== =============================== ================================ + +Note that firewall instance nic2 is on the same subnet as FireNet gateway nic1 interface. + +.. important:: + + For Panorama managed firewalls, you need to prepare Panorama first and then launch a firewall. Check out `Setup Panorama `_. When a VM-Series instance is launched and connected with Panorama, you need to apply a one time "commit and push" from the Panorama console to sync the firewall instance and Panorama. + +.. Tip:: + + If VM-Series are individually managed and integrated with the Controller, you can still use Bootstrap to save initial configuration time. Export the first firewall's configuration to bootstrap.xml, create an IAM role and Bootstrap bucket structure as indicated above, then launch additional firewalls with IAM role and the S3 bucket name to save the time of the firewall manual initial configuration. + + +Follow `Palo Alto Network (VM Series) GCP Example `_ to launch VM Series firewall in GCP and for more details. + + +3. 
Fortigate Specifications +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Fortinet support for Google Cloud is coming in future release + + +Step 7b: Associate an Existing Firewall Instance +******************************************************* + +This step is the alternative step to Step 8a. If you already launched the firewall (Check Point, Palo Alto Network or Fortinet) instance from AWS Console, you can still associate it with the FireNet gateway. + +Go to Aviatrix Controller's console and navigate to **Firewall Network -> Setup -> Step 7b** and associate a firewall with right FireNet Gateway. + + +Step 8: Vendor Firewall Integration +***************************************************** + +Vendor integration programs RFC 1918 and non-RFC 1918 routes in firewall appliance. + +1. Login to Aviatrix Controller's console +#. Go to Firewall Network -> Vendor Integration -> Select Firewall, fill in the details of your Firewall instance. +#. Click Save, Show and Sync. + +Step 9: Example Setup for "Allow All" Policy +*************************************************** + +After a firewall instance is launched, wait for 5 to 15 minutes for it to come up. Time varies for each firewall vendor. +In addition, please follow example configuration guides as below to build a simple policy on the firewall instance for a test validation that traffic is indeed being routed to firewall instance. + +Palo Alto Network (PAN) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +For basic configuration, please refer to `example Palo Alto Network configuration guide `_. + +For implementation details on using Bootstrap to launch and initiate VM-Series, refer to `Bootstrap Configuration Example `_. + + +Step 10: Verification +*************************** + +There are multiple ways to verify if Transit FireNet is configured properly: + + 1. Aviatrix Flightpath - Control-plane Test + #. SSH, SCP or Telnet Test between Spoke VPCs (East-West) - Data-plane Test + +.. 
note:: + ICMP is blocked on Google Cloud Load balancer + +Flight Path Test for FireNet Control-Plane Verification: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Flight Path is a very powerful troubleshooting Aviatrix tool which allows users to validate the control-plane and gives visibility of end to end packet flow. + + 1. Navigate to **Troubleshoot-> Flight Path** + #. Provide the Source and Destination Region and VPC information + #. Select SSH and Private subnet, and Run the test + +.. note:: + VM instance will be required in GCP, and SSH/Telnet port should be allowed in firewall rules for Spoke VPCs. + +SSH/Telnet Test for FireNet Data-Plane Verification: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Once control-plane is established and no problem found in security and routing polices. Data-plane validation needs to be verified to make sure traffic is flowing and not blocking anywhere. + +There are multiple ways to check the data-plane. One way to SSH to Spoke instance (e.g. DEV1-VM) and telnet other Spoke instance (e.g PROD1-VM) to make sure no traffic loss in the path. + + +.. |subscribe_firewall| image:: transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/subscribe_firewall.png + :scale: 35% + +.. |en_tr_firenet| image:: transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/en_tr_firenet.png + :scale: 35% + +.. |tr_firenet_policy| image:: transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/tr_firenet_policy.png + :scale: 35% + +.. |avx_tr_firenet_topology| image:: transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/avx_tr_firenet_topology.png + :scale: 35% + +.. |create_vpc| image:: transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/create_vpc.png + :scale: 35% + +.. |tr_firenet_gw| image:: transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/tr_firenet_gw.png + :scale: 35% + +.. 
|launch_spk_gw| image:: transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/launch_spk_gw.png + :scale: 35% + +.. |attach_spk_trgw| image:: transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/attach_spk_trgw.png + :scale: 35% + +.. |connected_transit| image:: transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/connected_transit.png + :scale: 35% + +.. disqus:: diff --git a/HowTos/transit_firenet_workflow_media/dual_transit.png b/HowTos/transit_firenet_workflow_media/dual_transit.png new file mode 100644 index 000000000..75f32052e Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/dual_transit.png differ diff --git a/HowTos/transit_firenet_workflow_media/gwlb_tr_firenet.png b/HowTos/transit_firenet_workflow_media/gwlb_tr_firenet.png new file mode 100644 index 000000000..f56c5cf50 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/gwlb_tr_firenet.png differ diff --git a/HowTos/transit_firenet_workflow_media/single_transit.png b/HowTos/transit_firenet_workflow_media/single_transit.png new file mode 100644 index 000000000..0b01d9214 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/single_transit.png differ diff --git a/HowTos/transit_firenet_workflow_media/single_transit_new.png b/HowTos/transit_firenet_workflow_media/single_transit_new.png new file mode 100644 index 000000000..d674d0fd1 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/single_transit_new.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/attach_spk_trgw.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/attach_spk_trgw.png new file mode 100644 index 000000000..44dfeb688 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/attach_spk_trgw.png differ 
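Review bot: Several lines in the GCP page were copied from the AWS workflow and are wrong for this cloud: in the Step 7a table, "Firewall Image The AWS AMI that you have subscribed in Step 2" (Step 2 of this page deploys the Transit Gateway and says nothing about subscribing to an image, and GCP uses Marketplace images, not AMIs); Step 7b says "This step is the alternative step to Step 8a" (should be Step 7a) and "launched the firewall ... from AWS Console" (should be the GCP console), and it lists Check Point and Fortinet even though sections 1 and 3 of Step 7a state that both are "coming in future release" for Google Cloud; the Palo Alto `.. Tip::` refers to "an IAM role and Bootstrap bucket structure" and "the S3 bucket name", which do not exist in GCP; and the column header "Inbound Security Group Rule" describes what GCP calls firewall rules. In Step 6, the `.. Note::` reading "For GCP deployment, Transit FireNet function is enabled when launching the gateway, skip this step" is placed after list items 1 and 2 that tell the reader to enable it; move the note above the list or remove those two items so the reader is not sent to a step that does not apply. The `|subscribe_firewall|` substitution points into `transit_firenet_AWS_workflow_media` and, like `|en_tr_firenet|`, is defined but never referenced anywhere in this file; remove both or add the missing image references. Minor: the heading "3. Fortigate Specifications" should be "FortiGate" to match the rest of the page, and "routing polices" should be "routing policies".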
diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/avx_tr_firenet_topology.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/avx_tr_firenet_topology.png new file mode 100644 index 000000000..ca3cb5945 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/avx_tr_firenet_topology.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_1.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_1.png new file mode 100644 index 000000000..b3fb5c2e2 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_1.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_10.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_10.png new file mode 100644 index 000000000..953d030f4 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_10.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_11.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_11.png new file mode 100644 index 000000000..7b8406117 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_11.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_12.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_12.png new file mode 100644 index 000000000..f8c543c88 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_12.png differ 
diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_13.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_13.png new file mode 100644 index 000000000..66a55b1bf Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_13.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_14.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_14.png new file mode 100644 index 000000000..ef59e98fc Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_14.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_2.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_2.png new file mode 100644 index 000000000..319dd8786 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_2.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_3.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_3.png new file mode 100644 index 000000000..531de486b Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_3.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_4.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_4.png new file mode 100644 index 000000000..3808cea85 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_4.png differ 
diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_5.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_5.png new file mode 100644 index 000000000..66de7fe5d Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_5.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_6.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_6.png new file mode 100644 index 000000000..38d094ae0 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_6.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_7.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_7.png new file mode 100644 index 000000000..f4f1f0caa Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_7.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_8.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_8.png new file mode 100644 index 000000000..03f19744a Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_8.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_9.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_9.png new file mode 100644 index 000000000..3836cd2fe Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/aws_cons_9.png differ 
diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/connected_transit.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/connected_transit.png new file mode 100644 index 000000000..a05d85871 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/connected_transit.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/create_vpc.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/create_vpc.png new file mode 100644 index 000000000..7c21331c9 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/create_vpc.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/egress_gwlb.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/egress_gwlb.png new file mode 100644 index 000000000..95d886152 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/egress_gwlb.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/en_tr_firenet.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/en_tr_firenet.png new file mode 100644 index 000000000..4ac45f57c Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/en_tr_firenet.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/en_tr_firenet_gwlb.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/en_tr_firenet_gwlb.png new file mode 100644 index 000000000..59a74612c Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/en_tr_firenet_gwlb.png differ 
diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/gwlb_impementation.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/gwlb_impementation.png new file mode 100644 index 000000000..f814faeb9 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/gwlb_impementation.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/launch_spk_gw.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/launch_spk_gw.png new file mode 100644 index 000000000..93952de40 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/launch_spk_gw.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/nat_gw_1.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/nat_gw_1.png new file mode 100644 index 000000000..1a8bad5ed Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/nat_gw_1.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/nat_gw_2.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/nat_gw_2.png new file mode 100644 index 000000000..d6e255775 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/nat_gw_2.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/spk_list_1.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/spk_list_1.png new file mode 100644 index 000000000..45130902f Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/spk_list_1.png differ 
diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/spk_list_2.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/spk_list_2.png new file mode 100644 index 000000000..f248d2baa Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/spk_list_2.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/subscribe_firewall.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/subscribe_firewall.png new file mode 100644 index 000000000..bb180ca7a Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/subscribe_firewall.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/topology_trfnet_with_gwlb.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/topology_trfnet_with_gwlb.png new file mode 100644 index 000000000..c7ef8e97f Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/topology_trfnet_with_gwlb.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/tr_firenet_gw.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/tr_firenet_gw.png new file mode 100644 index 000000000..c57f5afb6 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/tr_firenet_gw.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/tr_firenet_policy.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/tr_firenet_policy.png new file mode 100644 index 000000000..478d54d75 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/tr_firenet_policy.png differ 
diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/tr_firenet_policy_gwlb.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/tr_firenet_policy_gwlb.png new file mode 100644 index 000000000..e34c5de55 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/tr_firenet_policy_gwlb.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/transit_list_1.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/transit_list_1.png new file mode 100644 index 000000000..a2882c716 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/transit_list_1.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/transit_list_2.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/transit_list_2.png new file mode 100644 index 000000000..e2b697663 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/transit_list_2.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/transit_list_3.png b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/transit_list_3.png new file mode 100644 index 000000000..55395d975 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_AWS_workflow_media/transit_list_3.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/PAN-health-check.png b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/PAN-health-check.png new file mode 100644 index 000000000..ce760b4ea Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/PAN-health-check.png differ 
diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/attach_native_vnet.png b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/attach_native_vnet.png new file mode 100644 index 000000000..b486546c6 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/attach_native_vnet.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/attach_spk_trgw.png b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/attach_spk_trgw.png new file mode 100644 index 000000000..5bcb6cb36 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/attach_spk_trgw.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/avx_tr_firenet_topology_az.png b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/avx_tr_firenet_topology_az.png new file mode 100644 index 000000000..d1a315702 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/avx_tr_firenet_topology_az.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/avx_tr_firenet_topology_az_native.png b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/avx_tr_firenet_topology_az_native.png new file mode 100644 index 000000000..be42d8d06 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/avx_tr_firenet_topology_az_native.png differ 
diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/connected_transit.png b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/connected_transit.png new file mode 100644 index 000000000..009ed2e67 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/connected_transit.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/connected_transit_native_vnet.png b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/connected_transit_native_vnet.png new file mode 100644 index 000000000..76cd9a237 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/connected_transit_native_vnet.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/create_vpc.png b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/create_vpc.png new file mode 100644 index 000000000..b42f6a6bf Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/create_vpc.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/create_vpc_native_case.png b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/create_vpc_native_case.png new file mode 100644 index 000000000..f1f13feca Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/create_vpc_native_case.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/en_tr_firenet.png b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/en_tr_firenet.png new file mode 100644 index 000000000..0cffc5a91 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/en_tr_firenet.png differ 
diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/en_tr_firenet_native_case.png b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/en_tr_firenet_native_case.png new file mode 100644 index 000000000..06d048307 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/en_tr_firenet_native_case.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/health-check.png b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/health-check.png new file mode 100644 index 000000000..ee5416a84 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/health-check.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/health-probe-logs.png b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/health-probe-logs.png new file mode 100644 index 000000000..687c5f219 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/health-probe-logs.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/insane_mode_tp.png b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/insane_mode_tp.png new file mode 100644 index 000000000..49a875f58 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/insane_mode_tp.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/launch_spk_gw.png b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/launch_spk_gw.png new file mode 100644 index 000000000..7045c7f54 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/launch_spk_gw.png differ 
diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/pan-health-probe.png b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/pan-health-probe.png new file mode 100644 index 000000000..0ea3c9de1 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/pan-health-probe.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/pan_hcheck_attach.png b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/pan_hcheck_attach.png new file mode 100644 index 000000000..b8bcf19ea Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/pan_hcheck_attach.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/tr_firenet_gw.png b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/tr_firenet_gw.png new file mode 100644 index 000000000..c81b88912 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/tr_firenet_gw.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/tr_firenet_gw_native.png b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/tr_firenet_gw_native.png new file mode 100644 index 000000000..3f3d4856c Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/tr_firenet_gw_native.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/tr_firenet_policy.png b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/tr_firenet_policy.png new file mode 100644 index 000000000..9af781a4d Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/tr_firenet_policy.png differ 
diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/tr_firenet_policy_native_case.png b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/tr_firenet_policy_native_case.png new file mode 100644 index 000000000..7097f43dd Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_Azure_workflow_media/tr_firenet_policy_native_case.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/attach_spk_trgw.png b/HowTos/transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/attach_spk_trgw.png new file mode 100644 index 000000000..93b9ce78e Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/attach_spk_trgw.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/avx_tr_firenet_topology.png b/HowTos/transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/avx_tr_firenet_topology.png new file mode 100644 index 000000000..4ae66357b Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/avx_tr_firenet_topology.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/connected_transit.png b/HowTos/transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/connected_transit.png new file mode 100644 index 000000000..277bf7510 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/connected_transit.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/create_vpc.png b/HowTos/transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/create_vpc.png new file mode 100644 index 000000000..1c2516177 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/create_vpc.png differ 
diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/launch_spk_gw.png b/HowTos/transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/launch_spk_gw.png new file mode 100644 index 000000000..c2419e1e3 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/launch_spk_gw.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/tr_firenet_gw.png b/HowTos/transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/tr_firenet_gw.png new file mode 100644 index 000000000..b6c7b2caf Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/tr_firenet_gw.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/tr_firenet_policy.png b/HowTos/transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/tr_firenet_policy.png new file mode 100644 index 000000000..98130fbde Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_GCP_workflow_media/tr_firenet_policy.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/attach_spk_trgw.png b/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/attach_spk_trgw.png new file mode 100644 index 000000000..ccd11686b Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/attach_spk_trgw.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/avx_tr_firenet_topology_az.png b/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/avx_tr_firenet_topology_az.png new file mode 100644 index 000000000..9a39cf382 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/avx_tr_firenet_topology_az.png differ 
diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/connected_transit.png b/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/connected_transit.png new file mode 100644 index 000000000..d82840b10 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/connected_transit.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/create_vpc.png b/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/create_vpc.png new file mode 100644 index 000000000..15bee0cfd Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/create_vpc.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/en_tr_firenet.png b/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/en_tr_firenet.png new file mode 100644 index 000000000..6615ddae1 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/en_tr_firenet.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/launch_spk_gw.png b/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/launch_spk_gw.png new file mode 100644 index 000000000..d4a51bff8 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/launch_spk_gw.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/tr_firenet_gw.png b/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/tr_firenet_gw.png new file mode 100644 index 000000000..1e3d3a8fc Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/tr_firenet_gw.png differ 
diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/tr_firenet_policy.png b/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/tr_firenet_policy.png new file mode 100644 index 000000000..8463dfb3b Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_oci_workflow_media/tr_firenet_policy.png differ diff --git a/HowTos/transit_firenet_workflow_media/transit_firenet_policy_new.png b/HowTos/transit_firenet_workflow_media/transit_firenet_policy_new.png new file mode 100644 index 000000000..d1d254a30 Binary files /dev/null and b/HowTos/transit_firenet_workflow_media/transit_firenet_policy_new.png differ diff --git a/HowTos/transit_firenet_workflow_oci.rst b/HowTos/transit_firenet_workflow_oci.rst new file mode 100644 index 000000000..34511eddf --- /dev/null +++ b/HowTos/transit_firenet_workflow_oci.rst 
@@ -0,0 +1,335 @@ +.. meta:: + :description: Firewall Network Workflow + :keywords: OCI Transit Gateway, OCI, Aviatrix Transit network, Transit DMZ, Egress, Firewall, Firewall Network, FireNet OCI + + +========================================================= +Transit FireNet Workflow for OCI +========================================================= + +Aviatrix Transit FireNet allows you to deploy firewalls functions for the Aviatrix Multi-Cloud Transit architecture. With Transit FireNet feature, the Firewall Network (FireNet) function is integrated into the Aviatrix Transit gateway. + +To learn more about Transit FireNet, check out `Transit FireNet FAQ. `_ + +In this example, three VCNs with Aviatrix gateways will be deployed, one Aviatrix transit gateway and two Spoke Gateways (DEV and PROD) will be attached to it. + +The transit VCN will have a firewall of supported vendors (Check Point, Palo Alto Networks and Fortinet etc.) deployed in it. Please see the diagram below for more details. + +Once the infra is in-place then the policy will be created to inspect the east-west and north-south traffic. + +|avx_tr_firenet_topology_az| + +Step 1 : Create Transit VCN +******************************* + +VCNs can be created manually on OCI or directly from Aviatrix Controller. + +Aviatrix controller has set of useful tools available for users and in this example, VCNs are created following the Useful Tools `Create a VPC `_ guidelines. + +1. Login to the Aviatrix Controller with username and password +#. Navigate to **Useful Tools -> Create A VPC** +#. Add one VCN for Transit FireNet Gateway and select **Aviatrix FireNet VPC** option as shown below. +#. Create two more VCNs with **no option/checkbox** selected for Spoke Gateways. 
+ +|create_vpc| + +Step 2: Deploy the Transit Aviatrix Gateway +*************************************************** + +Transit Aviatrix Gateway can be deployed using the `Transit Gateway Workflow `_ + +Prerequisite for OCI +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Transit FireNet builds on the Aviatrix Transit Network solution where Aviatrix gateways are deployed in Transit VCN and/or in Spoke VCN in OCI. + +Make sure the deployment meets the following specifications: + + 1. ActiveMesh must be enabled when launching the Aviatrix Transit Gateway. + 2. Select the option “Enable Transit FireNet” when launching the Aviatrix Transit Gateway. + 3. Aviatrix Transit Gateway minimum instance size should be VM.Standard2.4 or more + +.. Note:: + + Transit FireNet Insane mode is not supported in Release 6.4. + + +Procedure +~~~~~~~~~~~~~~~~~~~~~ + +1. Navigate to **MULTI-CLOUD TRANSIT -> Setup -> #1 Launch an Aviatrix Transit Gateway** +#. Choose virtual machine size **VM.Standard2.4** +#. Enable **ActiveMesh Mode (Mandatory)** +#. Enable InsaneMode for higher throughput (optional) +#. Enable Transit Gateway HA by navigating to **MULTI-CLOUD TRANSIT -> Setup -> #2 (Optional) Enable HA to an Aviatrix Transit Gateway** + +Please see an example below for Transit FireNet GW: + +|tr_firenet_gw| + + +Step 3: Deploy Spoke Gateways +************************************* + +Now that we have Aviatrix Transit Gateway, we can deploy Aviatrix Spoke Gateways in the spoke VCN using `Aviatrix Spoke Gateway Workflow `_. + +1. Navigate to **MULTI-CLOUD TRANSIT -> Setup -> #4 Launch an Aviatrix Spoke Gateway** +#. Deploy a Spoke Gateway (GW) in each of the spoke VCNs using defaults while choose correct Account and VCN info +#. Choose the Public Subnet +#. 
Enable Spoke Gateway HA by navigating to Transit network -> Setup -> #5 (Optional) Enable/Disable HA at Spoke GW + +|launch_spk_gw| + +Step 4: Attach Spoke Gateways to Transit Network +******************************************************* + +Transit and spoke gateways are deployed, next step is to connect them. + +1. Navigate to **MULTI-CLOUD TRANSIT -> Setup -> #6a Attach Spoke Gateway to Transit Network** +#. Select one spoke at a time and attach to the Transit Gateway. + +|attach_spk_trgw| + +.. note:: + By default, Transit Gateway will not route traffic between Spoke Gateways. + +Step 5: Enable Connected Transit +************************************** + +By default, spoke VCNs are in isolated mode where the Transit will not route traffic between them. To allow the Spoke VCNs to communicate with each other, we need to enable Connected Transit + +1. Navigate to **MULTI-CLOUD TRANSIT -> Advanced Config**, select the right Transit Gateway and enable **“Connected Transit”** + +|connected_transit| + +Step 6: Configure Transit Firewall Network +************************************************** + +Transit and Spoke Gateways have now been deployed, next step is to deploy and enable the Firewall for traffic inspection. + +Let’s start with enabling the firewall function and configure the FireNet policy. + +1. Navigate to **MULTI-CLOUD TRANSIT -> Transit FireNet -> #1 Enable Transit FireNet on Aviatrix Transit Gateway** +#. Choose the Aviatrix Transit Gateway and Click **“Enable”** + +|en_tr_firenet| + +3. Navigate to **MULTI-CLOUD TRANSIT -> Transit FireNet -> #2 Manage FireNet Policy** +#. Add spokes to the Inspected box for traffic inspection + +.. note:: + By default, FireNet inspects ingress (INET to VCN) and east-west traffic (VCN to VCN) only. 
+ +|tr_firenet_policy| + + +Step 7a: Launch and Associate Firewall Instance +***************************************************************** + +This approach is recommended if this is the first Firewall instance to be attached to the gateway. + +This step launches a Firewall instance and associates it with one of the FireNet gateways. + + +.. important:: + + The Firewall instance and the associated Aviatrix FireNet gateway above must be in the same AZ, and, we recommend that the Management Interface Subnet and Egress (untrust dataplane) Interface Subnet should not be in the same subnet. + + +7a.1 Launch and Attach +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Go to Aviatrix Controller's console and navigate to **Firewall Network -> Setup -> Step 7a** and provide all the required input as shown in a table and click **"Launch"** button. + +.. important:: + Vendor's firewall may take some time after launch to be available. + +========================================== ========== +**Setting** **Value** +========================================== ========== +VPC ID The Security VNET created in Step 1. +Gateway Name The primary FireNet gateway. +Firewall Instance Name The name that will be displayed on Azure Console. +Firewall Image The OCI Image that you have subscribed. +Firewall Image Version Firewall supported software versions. +Firewall Instance Size Firewall virtual machine size. +Management Interface Subnet. Select the subnet whose name contains "gateway and firewall management" +Egress Interface Subnet Select the subnet whose name contains "FW-ingress-egress". +Username Applicable to Azure deployment only. "admin" as a username is not accepted. +Authentication Method SSH Public Key +Key Pair Name (Optional) The .pem file name for SSH access to the firewall instance. +Attach (Optional) By selecting this option, the firewall instance is inserted in the data path to receive packet. 
If this is the second firewall instance for the same gateway and you have an operational FireNet deployment, you should not select this option as the firewall is not configured yet. You can attach the firewall instance later at Firewall Network -> Advanced page. +Advanced (Optional) Click this selection to allow Palo Alto firewall bootstrap files to be specified. +========================================== ========== + +1. Check Point Specification +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Check Point support for OCI is coming in future release + +2. Palo Alto VM-Series Specifications +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Palo instance has 3 interfaces as described below. + +======================================================== =============================== ================================ +**Palo Alto VM interfaces** **Description** **Inbound Security Group Rule** +======================================================== =============================== ================================ +eth0 (on subnet -Public-gateway-and-firewall-mgmt) Management interface Allow SSH, HTTPS, ICMP, TCP 3978 +eth1 (on subnet -Public-FW-ingress-egress) Egress or Untrusted interface Allow ALL +eth2 (on subnet -dmz-firewall) LAN or Trusted interface Allow ALL (Do not change) +======================================================== =============================== ================================ + +Note that firewall instance eth2 is on the same subnet as FireNet gateway eth2 interface. + +Launch VM Series from Aviatrix Controller automatically set it up the Palo Alto Network VM-Series firewall. User should be able to login to the VM-Series console with given username and password during launch. + +.. important:: + + For Panorama managed firewalls, you need to prepare Panorama first and then launch a firewall. Check out `Setup Panorama `_. 
When a VM-Series instance is launched and connected with Panorama, you need to apply a one time "commit and push" from the Panorama console to sync the firewall instance and Panorama. + +.. Tip:: + + If VM-Series are individually managed and integrated with the Controller, you can still use Bootstrap to save initial configuration time. Export the first firewall's configuration to bootstrap.xml, create an IAM role and Bootstrap bucket structure as indicated above, then launch additional firewalls with IAM role and the S3 bucket name to save the time of the firewall manual initial configuration. + + +3. Fortinet Specifications +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Fortinet support for OCI is coming in future release + + +Step 7b: Associate an Existing Firewall Instance +******************************************************* + +This step is the alternative step to Step 7a. If you already launched the firewall (Check Point, Palo Alto Network or Fortinet) instance from Azure Console, you can still associate it with the FireNet gateway. + +Go to Aviatrix Controller's console and navigate to **Firewall Network -> Setup -> Step 7b** and associate a firewall with right FireNet Gateway. + + +Step 8: Configure Firewall Interfaces +***************************************************** + +1. Check Point +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Check Point support for OCI is coming in future release + +2. Palo Alto VM-Series +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Follow `Configure PaloAlto VM-Series Example in OCI `_ to properly configure PAN VM-Series. + + +Step 9: Vendor Firewall Integration +***************************************************** + +Vendor integration dynamically updates firewall route tables. The use case is for networks with RFC 1918 and non-RFC 1918 routes that require specific route table programming on the firewall appliance + +1. 
Go to Firewall Network -> Vendor Integration -> Select Firewall, fill in the details of your Firewall instance. +2. Click Save, Show and Sync. + + +Step 10: Enable Health Check Policy in Firewall +*************************************************** +Aviatrix Controller uses ICMP or ping to check the health of firewall every 5 seconds. User needs to enable this port in firewall as per given instruction. + +Check Point +~~~~~~~~~~~~~~ +Check Point support for OCI is coming in future release + +Palo Alto Network (PAN) +~~~~~~~~~~~~~~~~~~~~~~~~~ +By default, VM-Series do not allow ICMP or ping. Pleas follow the given steps to enable it: + + 1. Login to VM-Series with username and password. + #. Go to Network -> Interface Mgmt under Network Profiles and click "Add". + #. Give any name in "Interface Management Profile", check ping checkbox under Administrative Management Service and click "OK". + #. Attach Profile with LAN interface. Network -> Interfaces -> Select LAN Ethernet Interface -> Advanced -> Management Profile -> Select appropriate profile. + +Fortinet +~~~~~~~~~~~~~~~ +Fortigate support for OCI is coming in future release + +Step 11: Example Setup for "Allow All" Policy +*************************************************** + +After a firewall instance is launched, wait for 5 to 15 minutes for it to come up. Time varies for each firewall vendor. +In addition, please follow example configuration guides as below to build a simple policy on the firewall instance for a test validation that traffic is indeed being routed to firewall instance. + +Palo Alto Network (PAN) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +For basic configuration,`Follow PaloAlto VM-Series Example Step 8 `_ to add Allow-all policy. 
+ + +FortiGate (Fortinet) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Fortigate support for OCI is coming in future release + +Check Point +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Check Point support for OCI is coming in future release + + +Step 12: Verification +*************************** + +There are multiple ways to verify if Transit FireNet is configured properly: + + 1. Aviatrix Flightpath - Control-plane Test + #. Ping/Traceroute Test between Spoke VCNs (East-West) - Data-plane Test + +Flight Path Test for FireNet Control-Plane Verification: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Flight Path is a very powerful troubleshooting Aviatrix tool which allows users to validate the control-plane and gives visibility of end to end packet flow. + + 1. Navigate to **Troubleshoot-> Flight Path** + #. Provide the Source and Destination Region and VCN information + #. Select ICMP and Private subnet, and Run the test + +.. note:: + VM instance will be required in OCI, and ICMP should be allowed in security group. + +Ping/Traceroute Test for FireNet Data-Plane Verification: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Once control-plane is established and no problem found in security and routing polices. Data-plane validation needs to be verified to make sure traffic is flowing and not blocking anywhere. + +There are multiple ways to check data-plane: + 1. One way is to SSH to Spoke instance (e.g. DEV1-VM) and ping other Spoke instance (e.g PROD1-VM) to make sure no traffic loss in the path. + 2. Ping/traceroute capture can also be performed from Aviatrix Controller. Go to **TROUBLESHOOT -> Diagnostics** and perform the test. + + +.. |avx_tr_firenet_topology_az| image:: transit_firenet_workflow_media/transit_firenet_oci_workflow_media/avx_tr_firenet_topology_az.png + :scale: 35% + +.. 
|insane_mode_tp| image:: transit_firenet_workflow_media/transit_firenet_oci_workflow_media/insane_mode_tp.png + :scale: 30% + +.. |create_vpc| image:: transit_firenet_workflow_media/transit_firenet_oci_workflow_media/create_vpc.png + :scale: 40% + +.. |tr_firenet_gw| image:: transit_firenet_workflow_media/transit_firenet_oci_workflow_media/tr_firenet_gw.png + :scale: 35% + +.. |launch_spk_gw| image:: transit_firenet_workflow_media/transit_firenet_oci_workflow_media/launch_spk_gw.png + :scale: 35% + +.. |attach_spk_trgw| image:: transit_firenet_workflow_media/transit_firenet_oci_workflow_media/attach_spk_trgw.png + :scale: 35% + +.. |en_tr_firenet| image:: transit_firenet_workflow_media/transit_firenet_oci_workflow_media/en_tr_firenet.png + :scale: 35% + +.. |tr_firenet_policy| image:: transit_firenet_workflow_media/transit_firenet_oci_workflow_media/tr_firenet_policy.png + :scale: 35% + +.. |avx_tr_firenet_topology| image:: transit_firenet_workflow_media/transit_firenet_oci_workflow_media/avx_tr_firenet_topology.png + :scale: 35% + +.. |connected_transit| image:: transit_firenet_workflow_media/transit_firenet_oci_workflow_media/connected_transit.png + :scale: 40% + + +.. disqus:: diff --git a/HowTos/transit_for_publicIP.rst b/HowTos/transit_for_publicIP.rst new file mode 100644 index 000000000..6a6f035d6 --- /dev/null +++ b/HowTos/transit_for_publicIP.rst 
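Review bot: the OCI FireNet workflow in this hunk still carries wording from the Azure and AWS versions of the page: the Step 7a table says "VPC ID The Security VNET created in Step 1" and "Username Applicable to Azure deployment only", Step 7b says the firewall may have been launched "from Azure Console", and the Bootstrap tip tells the reader to "create an IAM role and Bootstrap bucket structure as indicated above, then launch additional firewalls with IAM role and the S3 bucket name", none of which applies to OCI; replace these with the OCI equivalents (VCN, OCI Console) or drop the tip until OCI bootstrap is documented. Two smaller fixes in the same region: "Pleas follow the given steps" and "Launch VM Series from Aviatrix Controller automatically set it up the Palo Alto Network VM-Series firewall" need correcting, and the Step 12 sentence "Once control-plane is established and no problem found in security and routing polices. Data-plane validation needs to be verified" is a fragment. The interface table should also state the intended source scope for the eth0 rule "Allow SSH, HTTPS, ICMP, TCP 3978": as written, the management interface on the public management subnet accepts those services from any source, so the text should tell the reader to restrict them to the Controller and administrator ranges, and it should explain why eth1 needs "Allow ALL" inbound (the firewall's own policy, not the security rule, is what enforces control on that interface).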
@@ -0,0 +1,90 @@ + + +.. meta:: + :description: Create Transit connection with VGW and run customized DNAT on gateway + :keywords: site2cloud, VGW, SNAT, DNAT, Public IP, Virtual IP Address + + +=========================================================================================== +Accessing a Virtual IP address instance via Aviatrix Transit Network +=========================================================================================== + +This document addresses the scenario where a customer on-prem firewall device needs to route encrypted +traffic to a partner network in the cloud (AWS/Azure/GCP). +However due to concerns for overlapping CIDR blocks to the customer network, the customer side enforces a policy that the destination IP address must be a public or a virtual IP address regardless if the partner network is in the RFC 1918 range. + +For example, the VPC instance IP address that the on-prem machine +should send data to is 172.32.0.199, but the on-prem machine must instead send data to a virtual IP address 54.189.117.94 (or even 100.100.100.100). + +Normally this problem can be solved by combining `Site2Cloud `_ feature and `DNAT `_ feature. + +There are situations where there are multiple applications in different VPCs, it is desirable to access different virtual addresses +without building multiple IPSEC tunnels to the cloud networks. This can be accomplished by building an +Aviatrix Transit Network where Spoke VPCs host these different applications, as shown in the diagram below. + +|transit_publicIP| + + +Below are the configuration steps. + +Step 1: Determine the virtual IP address +------------------------------------------- + +As this virtual IP address is what the on-prem host sees, it should not change. There are a couple of ways to determine it. + +You can allocate an EIP in the VPC for this virtual IP address. Make sure you don't associate this EIP to any instance. 
+ +Alternatively, if the EC2 instance that on-prem hosts need to send data to has an EIP, +you can use that EIP. + +You can also try a reserved public IP address range, for example, 100.100.x.x range, if the customer does not object. + +Step 2: Follow the Transit Network workflow to launch a Spoke gateway +----------------------------------------------------------------------- + +Login to the Controller console, go to Site2Cloud. Follow step 1 to launch a gateway in the VPC 172.32.0.0/16. In this example the gateway name is Spoke1. + +(You can follow the `gateway launch instructions in this `_. Leave optional parameters unchecked.) + +Step 3: Customize Spoke gateway advertised routes +----------------------------------------------------------------------- + +Go to Gateway page, highlight the Spoke gateway created in the previous step, click Edit. + +Scroll down to "Customize Spoke Advertised VPC CIDRs", enter, in this example, 54.189.117.94/32 + +With this customization, the Spoke gateway advertises 54.189.117.94/32 to Transit Gateway and subsequently to on-prem. + + +Step 4: Attach the Spoke gatewway +--------------------------------------------- + +Follow the Transit Network -> Setup -> Step 6a, Attach Spoke GW to Transit VPC. + + +Step 5: Configure DNAT on Spoke gateway +------------------------------------------ + +This step is to configure the Spoke gateway to translate the destination virtual IP address 54.189.117.94 to the real +private IP address 172.32.0.199. + +At the main navigation bar, click Gateway. Highlight the Spoke gateway, and click Edit. + +Scroll down to Destination NAT. Follow the instructions `here `_ to configure, as shown below. Note to use "Connection" field to specify the site2cloud connection name configured in Step 3. + +|dnat_config| + + +Step 6. Test! +--------------------------------------------------------- + + +Test connectivity from on-prem host to the EC2 instance. 
For example, ping the virtual IP address 54.189.117.94 from an on-prem host machine. The ping should reach 172.32.0.199. + +.. |transit_publicIP| image:: transit_for_publicIP_media/transit_publicIP.png + :scale: 30% + +.. |dnat_config| image:: transit_for_publicIP_media/dnat_config.png + :scale: 30% + +.. disqus:: diff --git a/HowTos/transit_for_publicIP_media/dnat_config.png b/HowTos/transit_for_publicIP_media/dnat_config.png new file mode 100644 index 000000000..ac7153d4f Binary files /dev/null and b/HowTos/transit_for_publicIP_media/dnat_config.png differ diff --git a/HowTos/transit_for_publicIP_media/transit_publicIP.png b/HowTos/transit_for_publicIP_media/transit_publicIP.png new file mode 100644 index 000000000..5fb31290d Binary files /dev/null and b/HowTos/transit_for_publicIP_media/transit_publicIP.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow.rst b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow.rst new file mode 100644 index 000000000..4ace296dd --- /dev/null +++ b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow.rst 
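Review bot: the step cross-references in this hunk do not line up. Step 2 is titled "Follow the Transit Network workflow to launch a Spoke gateway" but its body says "go to Site2Cloud. Follow step 1 to launch a gateway", and Step 5 says to use the "Connection" field "to specify the site2cloud connection name configured in Step 3", although Step 3 only customizes the advertised CIDRs and no Site2Cloud connection is created anywhere on the page; point Step 2 at the Transit Network workflow and either add the connection step or correct the Step 5 reference. In Step 1, "a reserved public IP address range, for example, 100.100.x.x range" is imprecise: 100.100.x.x lies inside 100.64.0.0/10, the RFC 6598 shared address space, which is not public and may already be in use by carriers or cloud providers on the path, so the text should name the range and tell the reader to confirm it is unused end to end before relying on it. Typos: "Attach the Spoke gatewway", and "regardless if the partner network" should read "regardless of whether the partner network".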
@@ -0,0 +1,548 @@ +.. meta:: + :description: Multi-cloud Transit Gateway to External Device with BGP over GRE high performance workflow + :keywords: Aviatrix Transit network, Private Network, AWS Direct Connect, BGP over GRE, External Device, High Performance + +========================================================================================== +GRE Tunneling for Multi-cloud Transit Gateway to on-prem Workflow +========================================================================================== + +Introduction +============ + +Connecting to on-prem network over GRE tunneling protocol in AWS is an alternative to IPSec. +When GRE tunneling is used, Aviatrix Multi-cloud Transit Gateways interoperate directly with on-prem network devices over AWS Direct Connect. + +When on-prem to cloud encryption is not required, using GRE allows you to achieve high performance throughput (10Gbps) without the need to +deploy Aviatrix CloudN appliance. + +The solution is shown in the diagram below, + +|transit_gateway_external_device_bgp_over_gre_diagram| + +where Aviatrix Multi-cloud Transit Gateways connect to an on-prem Edge Router over Direct Connect. + +This document describes a step-by-step instruction on how to build Aviatrix Transit Gateway to External Device using GRE over AWS Direct Connect. +In this Tech Note, you learn the following: + +#. Workflow on `building underlay connectivity with AWS Direct Connect 10 Gbps capacity `_ + +#. Workflow on `deploying Aviatrix Transit Solution `_ + +#. Workflow on `establishing connectivity between Edge Router and Aviatrix Transit Gateway to form GRE tunnel `_ + +#. Workflow on `building GRE tunnel and BGP over GRE `_ + +#. 
Workflow on `enabling ECMP Load Balancing to achieve high performance `_ + +For more information about Multi-Cloud Transit Network and External Device, please check out the below documents: + +- `Multi Cloud Global Transit FAQ `_ +- `Global Transit Network Workflow Instructions (AWS/Azure/GCP/OCI) `_ +- `Aviatrix Transit Gateway to External Devices `_ +- `Transit Network Design Patterns `_ + +.. important:: + + - This solution supports only `ActiveMesh 2.0 `_, please check this doc `How to migrate to ActiveMesh 2.0 `_ for migration detail. + - This solution is not available to Azure and GCP as they do not support GRE. + - Reachability between Transit VPC CIDR and Edge Router is customers' responsibility which is typically done by Colocation data center providers. + - Workflow on building underlay connectivity for private network with AWS Direct Connect here is just an example. Please adjust the topology depending on your requirements. + + +The key ideas for this solution are: +---------------------------------------- + +- The Edge (WAN) Router runs a BGP session to AWS VGW via AWS Direct Connect where the Edge Router advertises its GRE IPs. AWS VGW advertises the AWS Transit VPC CIDR. +- Leverage Edge Router BGP ECMP feature. +- Configure multiple GRE tunnels for greater aggregate throughput. + +.. important:: + + - Reachability between Transit VPC CIDR and Edge Router is the responsibility of customer. + +Prerequisite +==================== + +- This feature is available for 6.3 and later. `Upgrade `_ Aviatrix Controller to at least version 6.3 + +- In this example, we are going to deploy the below VPCs in AWS: + + - AWS Aviatrix Transit VPC (i.e. 10.1.0.0/16) by utilizing Aviatrix feature `Create a VPC `_ with Aviatrix FireNet VPC option enabled + + - AWS Aviatrix Spoke VPC (i.e. 192.168.1.0/24) by utilizing Aviatrix feature `Create a VPC `_ as the previous step or manually deploying it in each cloud portal. Moreover, feel free to use your existing cloud network. 
+ +- Edge Router has high throughput supported on hardware interface(s) and GRE tunnel(s) + +1. Build underlay connectivity with AWS Direct Connect +=================================================================================== + +Building AWS Direct Connect is customer's responsibility. For more information about AWS Direct Connect, please check out the below documents: + +- Refer to `Connect Your Data Center to AWS `_ + +Please adjust the topology depending on your requirements. + +Step 1.1. Build AWS Direct Connect +----------------------------------- + +- Refer to `Equinix ECX Fabric AWS Direct Connect `_ if users select Equinix solution. This is just an example here. + +- Make sure select 10 Gbps capacity + +Step 1.2. Associate AWS VGW to AWS Transit VPC +----------------------------------------------- + +- Login AWS VPC Portal + +- Click the hyperlink "Virtual Private Gateways" under sidebar "VIRTUAL PRIVATE NETWORK (VPN)" + +- Select the Virtual Private Gateway that you have the private virtual interface to AWS Direct Connect + +- Click the button "Actions" + +- Click the hyperlink "Attach to VPC" + +- Select the AWS Transit VPC and click the button "Yes, Attach" + + |aws_vgw_attach| + +2. Deploy Aviatrix Multi-Cloud Transit Solution +================================================= + +Refer to `Global Transit Network Workflow Instructions `_ for the below steps. Please adjust the topology depending on your requirements. + +Step 2.1. Deploy Aviatrix Multi-Cloud Transit Gateway and HA in AWS +------------------------------------------------------------------- + +- Follow this step `Deploy the Transit Aviatrix Gateway `_ to launch Aviatrix Transit gateway and enable HA with insane mode enabled in AWS Transit VPC + +- In this example, sizes c5n.2xlarge and c5n.4xlarge are selected to benchmark `performance `_. + +Step 2.2. 
Enable Route Propagation on the subnet route table where Aviatrix Transit Gateway locates on AWS portal +------------------------------------------------------------------------------------------------------------------ + +- Login AWS VPC portal + +- Locate the subnet route table where Aviatrix Transit Gateway locates + +- Select the tab "Route Propagation" + +- Click the button "Edit route propagation" + +- Locate the AWS VGW that is associated with this Transit VPC and check the checkbox "Propagate" + +- Click the button "Save" + +- Check whether the Propagate status is Yes + + |aws_route_propagation_status_yes| + +Step 2.3. Deploy Spoke Gateway and HA +-------------------------------------- + +- Follow this step `Deploy Spoke Gateways `_ to launch Aviatrix Spoke gateway and enable HA with insane mode enabled in AWS Spoke VPC + +- In this example, sizes c5n.2xlarge and c5n.4xlarge are selected to benchmark `performance `_. + +Step 2.4. Attach Spoke Gateways to Transit Network +-------------------------------------------------- + +- Follow this step `Attach Spoke Gateways to Transit Network `_ to attach Aviatrix Spoke Gateways to Aviatrix Transit Gateways in AWS + +3. Build connectivity between Edge Router and Aviatrix Transit Gateway +========================================================================================================== + +Cisco ASR is used as an Edge Router in this example. + +Step 3.1. Check whether Edge Router has learned AWS Transit VPC CIDR via the BGP session between Edge Router and AWS Direct Connect +----------------------------------------------------------------------------------------------------------------------------------- + +- Login Edge Router (i.e. Cisco ASR) + +- Check whether Edge Router has learned AWS Transit VPC CIDR via the BGP session between Edge Router and AWS Direct Connect by issuing the related "show ip bgp" command + + Simple Cisco IOS example:: + + #show ip bgp + +Step 3.2. 
Prepare IP for GRE source IP on Edge Router +----------------------------------------------------- + +In this example, we use ASR loopback interface with an unique IP address as a GRE source IP. + +- Create a loopback interface and assign an IP to itself as a GRE source IP. + + Simple Cisco IOS example:: + + #configure t + + (config)#interface Loopback77 + + (config-if)#ip address 192.168.77.1 255.255.255.255 + +Step 3.3. Advertise that GRE source IP on Edge Router to the BGP session between Edge Router and AWS Direct Connect +------------------------------------------------------------------------------------------------------------------- + +The purpose of this step is to let AWS VGW learn the GRE source IP on Edge Router via BGP session between Edge Router and AWS Direct Connect, so that Aviatrix Transit Gateway can reach the GRE source IP on Edge Router to form GRE tunnel over AWS Direct Connect. +To demonstrate this concept in a simple fashion, we utilize IOS "ip prefix-list" function and apply it on BGP neighbor with direction out function to distribute GRE source IP. + +- Create a prefix list that defines GRE source IP on Edge Router for BGP advertisement + + Simple Cisco IOS example:: + + #configure t + + (config)#ip prefix-list Router-to-VGW description Advertised GRE source CIDRs 192.168.77.X/32 to build GRE tunnels + + (config)#ip prefix-list Router-to-VGW seq 10 permit 192.168.77.1/32 + +- Apply this prefix list to outgoing BGP advertisements + + Simple Cisco IOS example:: + + #configure t + + (config)#router bgp 65000 + + (config-router)#address-family ipv4 + + (config-router-af)#neighbor 169.254.253.17 prefix-list Router-to-VGW out + + Notes:: + + The IP 169.254.253.17 in this example here is the AWS Direct Connect BGP Peer IP. + +Step 3.4. 
Check route propagation info on AWS portal +---------------------------------------------------- + +- Login AWS VPC portal + +- Locate the subnet route table where Aviatrix Transit Gateway locates + +- Select the tab "Routes" + +- Check whether there is a route entry "GRE source IP on Edge Router pointing to AWS VGW" + + |aws_route_propagation_routing_entry| + +Step 3.5. Confirm that Edge Router and Aviatrix Transit Gateway can reach to each other IP for GRE tunnel +---------------------------------------------------------------------------------------------------------- + +4. Build GRE tunnel and BGP over GRE +================================================ + +Step 4.1. Configure GRE tunnel and BGP on Aviatrix Transit Gateway +-------------------------------------------------------------------- + +- Login Aviatrix Controller + +- Go to MULTI-CLOUD TRANSIT -> Setup -> 3) Connect to VGW / External Device / Aviatrix CloudN / Azure VNG + +- Select option "External Device" -> "BGP" -> "GRE" + +- Fill the parameters to set up GRE tunnel to Edge Router + + +----------------------------------+-------------------------------------------------------------------------------------------------+ + | Transit VPC Name | Select the Transit VPC ID where Transit GW was launched. | + +----------------------------------+-------------------------------------------------------------------------------------------------+ + | Connection Name | Provide a unique name to identify the connection to external device. | + +----------------------------------+-------------------------------------------------------------------------------------------------+ + | Aviatrix Transit Gateway BGP ASN | Configure a BGP AS number that the Transit GW will use to exchange routes with external device. | + +----------------------------------+-------------------------------------------------------------------------------------------------+ + | Primary Aviatrix Transit Gateway | Select the Transit GW. 
| + +----------------------------------+-------------------------------------------------------------------------------------------------+ + | Enable Remote Gateway HA | Don't check this option in this example. | + +----------------------------------+-------------------------------------------------------------------------------------------------+ + | Over Private Network | Check this option since AWS Direct Connect is underlay network | + +----------------------------------+-------------------------------------------------------------------------------------------------+ + | Remote BGP AS Number | Configure a BGP AS number that Edge Router will use to exchange routes with Transit GW | + +----------------------------------+-------------------------------------------------------------------------------------------------+ + | Local Tunnel IP | Leave it blank in this example. | + +----------------------------------+-------------------------------------------------------------------------------------------------+ + | Remote Tunnel IP | Leave it blank in this example. | + +----------------------------------+-------------------------------------------------------------------------------------------------+ + +- Click the button "CONNECT" to generate GRE tunnel and BGP session over it + + |aviatrix_transit_externel_device_gre| + +Step 4.2. Download the GRE configuration sample from Aviatrix Controller +--------------------------------------------------------------------------- + +- Navigate to SITE2CLOUD -> Setup + +- Select the connection that you created with “Connection Name” in the previous step + +- Click the button "EDIT" + +- Select Cisco as Vendor type, ISR, ASR or CSR as Platform, and IOS(XE) as Software for this example. + +- Click the button "Download Configuration". + +Step 4.3. 
Configure GRE tunnel on Edge Router +--------------------------------------------- + +- Open the downloaded GRE configuration file + +- Populate these values as follows based on your setup throughout the Tunnel Interface Configuration + + - : the primary GRE tunnel interface number connecting Aviatrix Transit Primary Gateway (i.e. 11) + + - : the secondary GRE tunnel interface number connecting Aviatrix Transit HA Gateway (i.e. 12) + + - : the IP which is assigned on the Loopback interface as an GRE source IP (i.e. 192.168.77.1) + + - : the IP which is assigned on the Loopback interface as an GRE source IP (i.e. 192.168.77.1) + +- Copy and paste the updated Tunnel Interface Configuration into Edge Router + + Simple Cisco IOS example:: + + interface Tunnel 11 + ip address 169.254.61.205 255.255.255.252 + ip mtu 1436 + ip tcp adjust-mss 1387 + tunnel source 192.168.77.1 + tunnel destination 10.1.0.185 + ip virtual-reassembly + no keepalive + exit + + interface Tunnel 12 + ip address 169.254.173.77 255.255.255.252 + ip mtu 1436 + ip tcp adjust-mss 1387 + tunnel source 192.168.77.1 + tunnel destination 10.1.1.27 + ip virtual-reassembly + no keepalive + exit + +Step 4.4. Configure BGP over GRE tunnel on Edge Router +--------------------------------------------------------- + +- Open the downloaded GRE configuration file + +- Copy and paste the BGP Routing Configuration into Edge Router + + Simple Cisco IOS example:: + + router bgp 65000 + bgp log-neighbor-changes + neighbor 169.254.61.206 remote-as 65212 + neighbor 169.254.61.206 timers 10 30 30 + neighbor 169.254.173.78 remote-as 65212 + neighbor 169.254.173.78 timers 10 30 30 + ! 
+ address-family ipv4 + redistribute connected + neighbor 169.254.61.206 activate + neighbor 169.254.61.206 soft-reconfiguration inbound + neighbor 169.254.173.78 activate + neighbor 169.254.173.78 soft-reconfiguration inbound + maximum-paths 4 + exit-address-family + +- Create a prefix list that defines CIDR where server locates in on-prem/co-location for BGP advertisement + + Simple Cisco IOS example:: + + #configure t + + (config)#ip prefix-list Router-To-Transit-GRE description Advertised on-prem CIDRs 10.220.5.0/24 + + (config)#ip prefix-list Router-To-Transit-GRE seq 10 permit 10.220.5.0/24 + +- Apply the prefix list to outgoing BGP advertisements + + Simple Cisco IOS example:: + + #configure t + + (config)#router bgp 65000 + + (config-router)#address-family ipv4 + + (config-router-af)#neighbor 169.254.61.206 prefix-list Router-To-Transit-GRE out + + (config-router-af)#neighbor 169.254.173.78 prefix-list Router-To-Transit-GRE out + +Step 4.5. Verify GRE tunnel status on Aviatrix Controller +---------------------------------------------------------- + +- Navigate back to Aviatrix Controller + +- Go to SITE2CLOUD -> Setup + +- Find the connection that you created with “Connection Name” in the previous step + +- Check the Tunnel Status + + |aviatrix_gre_status_1| + +- Go to MULTI-CLOUD TRANSIT -> List + +- Select the Transit Primary Gateway that was created in the previous step + +- Click the button "DETAILS/DIAG" + +- Scroll down to the panel "Connections" -> "On-prem Connections" + +- Find the connection that you created with “Connection Name” in the previous step + +- Check the Tunnel Status + + |aviatrix_gre_status_2| + +Step 4.6. Verify BGP session status on Aviatrix Controller +---------------------------------------------------------- + +- Go to MULTI-CLOUD TRANSIT -> Advanced Config -> BGP Tab + +- Find the connection that you created with “Connection Name” in the previous step + +- Check the BGP Status + + |aviatrix_gre_bgp_status| + +5. 
Configure ECMP Load Balancing for high performance +===================================================================== + +Step 5.1. Build multiple GRE tunnels between Edge Router and Aviatrix Transit Gateway +---------------------------------------------------------------------------------------- + +- Build multiple GRE tunnels by repeating `"Build connectivity between Edge Router and Aviatrix Transit Gateway" `_. + +- Build multiple BGP over GRE tunnels by repeating `"Build GRE tunnel and BGP over GRE" `_. + +- In this example, we build up to 4 pairs of GRE connections (total up to 8 tunnels) to benchmark `performance `_. + + |aviatrix_multiple_gre| + +Step 5.2. Enable BGP ECMP feature on Aviatrix Transit Gateway +------------------------------------------------------------- + +- Navigate back to Aviatrix Controller + +- Go to MULTI-CLOUD TRANSIT -> Advanced Config -> Edit Transit Tab + +- Select the Transit Gateway that was created in the previous step + +- Scroll down to find the function `"BGP ECMP" `_ and enable it + + |aviatrix_gre_bgp_ecmp_function| + +Step 5.3. Verify BGP ECMP feature on Aviatrix Controller +-------------------------------------------------------- + +- Go to MULTI-CLOUD TRANSIT -> List + +- Select the Transit Primary Gateway that was created in the previous step + +- Click the button "DETAILS/DIAG" + +- Scroll down to the panel "Gateway Routing Table" + +- Click the button "Refresh" + +- Search for the on-prem CIDR on Destination column + +- Check whether there are multiple GRE tunnels with same Metric and Weight under the same route entry + + |aviatrix_gre_bgp_verify_ecmp_function| + +Step 5.4. Enable BGP ECMP feature on Edge Router +------------------------------------------------ + +- Configure "maximum-paths" with higher number of equal-cost routes in BGP settings so that BGP will install in the routing table. In this example, we configure "maximum-paths 8" to achieve high performance over multiple GRE tunnels. 
+ + Simple Cisco IOS example:: + + #configure t + + (config)#router bgp 65000 + + (config-router)#address-family ipv4 + + (config-router-af)#maximum-paths 8 + +- Modify ECMP Load Balancing algorithm depending on traffic type. + + Simple Cisco IOS example:: + + #configure t + + (config)#ip cef load-sharing algorithm include-ports source destination + +Step 5.4. Verify BGP ECMP feature on Edge Router +------------------------------------------------ + +- Check whether BGP install equal-cost routes in the routing table by issuing the related command "show ip bgp" + + |asr_gre_bgp_verify_ecmp_function| + +6. Ready to go! +================= + +At this point, run connectivity and performance test to ensure everything is working correctly. + +7. Performance Benchmark +=========================== + +End-to-End traffic via Aviatrix <-> Cisco ASR +--------------------------------------------- + +Multiple flows result by using iperf3 tool with TCP 128 connections +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + ++-----------------------+---------------------------------------------+---------------------------------------------+ +| Aviatrix Gateway size | 3 pairs of GRE connections (total 6 tunnels)| 4 pairs of GRE connections (total 8 tunnels)| ++-----------------------+---------------------------------------------+---------------------------------------------+ +| C5n.2xlarge | 8.0 - 8.3 (Gbps) | 8.3 - 9.1 (Gbps) | ++-----------------------+---------------------------------------------+---------------------------------------------+ +| C5n.4xlarge | 9.0 - 9.3 (Gbps) | 9.2 - 9.3 (Gbps) | ++-----------------------+---------------------------------------------+---------------------------------------------+ + +Single flow result by using iperf3 tool with TCP 1 connection: +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +1.6 - 2.4 (Gbps) for both sizes C5n.2xlarge and C5n.4xlarge + +.. 
|transit_gateway_external_device_bgp_over_gre_diagram| image:: transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/transit_gateway_external_device_bgp_over_gre_diagram.png + :scale: 50% + +.. |aws_vgw_attach| image:: transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aws_vgw_attach.png + :scale: 50% + +.. |aws_route_propagation_status_yes| image:: transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aws_route_propagation_status_yes.png + :scale: 50% + +.. |aws_route_propagation_routing_entry| image:: transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aws_route_propagation_routing_entry.png + :scale: 50% + +.. |aviatrix_transit_externel_device_gre| image:: transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_transit_externel_device_gre.png + :scale: 50% + +.. |aviatrix_gre_status_1| image:: transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_gre_status_1.png + :scale: 50% + +.. |aviatrix_gre_status_2| image:: transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_gre_status_2.png + :scale: 50% + +.. |aviatrix_gre_bgp_status| image:: transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_gre_bgp_status.png + :scale: 50% + +.. |aviatrix_gre_bgp_ecmp_function| image:: transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_gre_bgp_ecmp_function.png + :scale: 50% + +.. |aviatrix_gre_bgp_verify_ecmp_function| image:: transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_gre_bgp_verify_ecmp_function.png + :scale: 30% + +.. |asr_gre_bgp_verify_ecmp_function| image:: transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/asr_gre_bgp_verify_ecmp_function.png + :scale: 70% + +.. 
|aviatrix_multiple_gre| image:: transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_multiple_gre.png + :scale: 30% + +.. disqus:: + diff --git a/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/asr_gre_bgp_verify_ecmp_function.png b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/asr_gre_bgp_verify_ecmp_function.png new file mode 100644 index 000000000..ab9ef3912 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/asr_gre_bgp_verify_ecmp_function.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_gre_bgp_ecmp_function.png b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_gre_bgp_ecmp_function.png new file mode 100644 index 000000000..be92fcf00 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_gre_bgp_ecmp_function.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_gre_bgp_status.png b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_gre_bgp_status.png new file mode 100644 index 000000000..aaa676576 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_gre_bgp_status.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_gre_bgp_verify_ecmp_function.png b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_gre_bgp_verify_ecmp_function.png new file mode 100644 index 000000000..e963356f9 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_gre_bgp_verify_ecmp_function.png differ 
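Review bot: in "Step 5.4. Verify BGP ECMP feature on Edge Router", `show ip bgp` displays the BGP table, not the routing table, so it does not prove the equal-cost paths were installed; the check the bullet describes is `show ip route <on-prem prefix>` (one route with several `via` next hops) or `show ip cef <on-prem prefix>`, so either reword the bullet or add that command beside `show ip bgp`. The heading number 5.4 is also used twice (the "Enable" step and the "Verify" step); the verify step should be 5.5. Minor: `maximum-paths 8` matches the eight tunnels built in Step 5.1, but the text should say the value has to be at least the number of GRE tunnels or the extra tunnels carry nothing, since "higher number of equal-cost routes ... so that BGP will install in the routing table" does not make that dependency clear.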
diff --git a/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_gre_status_1.png b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_gre_status_1.png new file mode 100644 index 000000000..afc033cf6 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_gre_status_1.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_gre_status_2.png b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_gre_status_2.png new file mode 100644 index 000000000..1a520d429 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_gre_status_2.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_multiple_gre.png b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_multiple_gre.png new file mode 100644 index 000000000..2a8f9d529 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_multiple_gre.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_transit_externel_device_gre.png b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_transit_externel_device_gre.png new file mode 100644 index 000000000..990016900 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aviatrix_transit_externel_device_gre.png differ 
diff --git a/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aws_route_propagation_routing_entry.png b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aws_route_propagation_routing_entry.png new file mode 100644 index 000000000..1dcd57349 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aws_route_propagation_routing_entry.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aws_route_propagation_status_yes.png b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aws_route_propagation_status_yes.png new file mode 100644 index 000000000..887f07a97 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aws_route_propagation_status_yes.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aws_vgw_attach.png b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aws_vgw_attach.png new file mode 100644 index 000000000..54c401554 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/aws_vgw_attach.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/transit_gateway_external_device_bgp_over_gre_diagram.png b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/transit_gateway_external_device_bgp_over_gre_diagram.png new file mode 100644 index 000000000..2d38f9c8a Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow_media/transit_gateway_external_device_bgp_over_gre_diagram.png differ 
diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_azure_workflow.rst b/HowTos/transit_gateway_external_device_bgp_over_lan_azure_workflow.rst new file mode 100644 index 000000000..e66176455 --- /dev/null +++ b/HowTos/transit_gateway_external_device_bgp_over_lan_azure_workflow.rst 
@@ -0,0 +1,313 @@ +.. meta:: + :description: Multi-cloud Transit Gateway to External Device with BGP over LAN simulation workflow + :keywords: Aviatrix Transit network, Private Network, BGP over LAN, External Device, High Performance, SD-WAN + +========================================================================================== +Azure Multi-cloud Transit BGP over LAN Workflow +========================================================================================== + +Introduction +============ + +Transit BGP to LAN allows Aviatrix Transit Gateways to communicate with a pair of instances in different VNets in Azure without running +any tunneling protocol such as IPSec or GRE. One use case is to interoperate with third-party virtual appliances such as +SD-WAN cloud instances that do not have the capability to support BGP over any tunneling protocols. + +For example, integrating with SD-WAN gateways can be deployed as below, + +|sd_wan_inte_azure| + +where an Aviatrix Multi-cloud Transit Gateway connects to a third-party cloud instance in different VNets in Azure. + +This document describes a step-by-step instruction on how to build Aviatrix Transit Gateway to External Device using BGP over LAN in Azure. +In this Tech Note, you learn the following: + +#. Workflow on `deploying Aviatrix Transit Solution `_ + +#. Workflow on `launching third-party cloud instances `_ + +#. Workflow on `building BGP over LAN `_ + +For other BGP over LAN workflows, please check out the below documents: + +- `AWS Multi-cloud Transit BGP over LAN Workflow `_ +- `Aviatrix BGP over LAN with Cisco Meraki in AWS `_ + +For more information about Multi-Cloud Transit Network and External Device, please check out the below documents: + +- `Multi Cloud Global Transit FAQ `_ +- `Global Transit Network Workflow Instructions (AWS/Azure/GCP/OCI) `_ +- `Aviatrix Transit Gateway to External Devices `_ +- `Transit Network Design Patterns `_ + +.. 
important:: + + - This solution supports only `ActiveMesh 2.0 `_, please check this doc `How to migrate to ActiveMesh 2.0 `_ for migration detail. + + - This solution is available to AWS and Azure. Workflow with Azure here is just an example. Please adjust the topology depending on your requirements. + + - LAN interfaces for Aviatrix Transit Primary and third-party cloud instance must be in the different VNets. + + - One BGP over LAN connection per gateway is supported. + +The key ideas for this solution are: +---------------------------------------- + +- A BGP session establishes between a third-party cloud instance and Aviatrix Transit Gateway via each LAN interface in different VNets. + +- Data plane traffic also runs between a third-party cloud instance and Aviatrix Transit Gateway via each LAN interface without a tunnel protocol such as IPSec and GRE. + +Prerequisite +==================== + +- This feature is available for 6.3 and later. `Upgrade `_ Aviatrix Controller to at least version 6.3 + +- In this example, we are going to deploy the below VNets in Azure: + + - Transit VNets (i.e. 10.1.0.0/16 and 10.2.0.0/16) by utilizing Aviatrix feature `Create a VNet `_ with Aviatrix FireNet VNet option enabled + + - Spoke VNets (i.e. 192.168.11.0/24 and 192.168.21.0/24) by utilizing Aviatrix feature `Create a VNet `_ as the previous step or manually deploying it in each cloud portal. Moreover, feel free to use your existing cloud network. + +- Third-party cloud instance has high throughput supported + +1. Deploy Aviatrix Multi-Cloud Transit Solution +================================================= + +Refer to `Global Transit Network Workflow Instructions `_ for the below steps. Please adjust the topology depending on your requirements. + +Step 1.1. 
Deploy Aviatrix Multi-Cloud Transit Gateway and HA +------------------------------------------------------------ + +- Follow this step `Deploy the Transit Aviatrix Gateway `_ to launch Aviatrix Transit gateway and enable HA with insane mode enabled in Transit VNet + +- (Important) Enable the function "BGP Over LAN" + +- In this example, size Standard_D5_v2 are selected to benchmark `performance `_. + +|aviatrix_azure_gateway_creation| + +Step 1.2. Deploy Spoke Gateway and HA +-------------------------------------- + +- Follow this step `Deploy Spoke Gateways `_ to launch Aviatrix Spoke gateway and enable HA with insane mode enabled in Spoke VNet + +Step 1.3. Attach Spoke Gateways to Transit Network +-------------------------------------------------- + +- Follow this step `Attach Spoke Gateways to Transit Network `_ to attach Aviatrix Spoke Gateways to Aviatrix Transit Gateways + +(Optional) Step 1.4 Attach Azure ARM Spoke VNet via native peering +------------------------------------------------------------------ + +- Follow this step `Attach Azure ARM Spoke VNet via native peering `_ if users prefer not to encrypt the traffic between the Transit VNet and the Spoke VNet. + +- In this example, this approach is selected to benchmark `performance `_. + +2. Launch third-party cloud instances +================================================================================ + +Step 2.1. Deploy third-party cloud instances in a seperate Transit VNet +----------------------------------------------------------------------- + +- Create a third-party cloud instance and put MGMT interface in public gateway subnet + +- Create a new public WAN subnet and a dedicated routing table for WAN interface if needed + +- Create a new private LAN subnet and a dedicated routing table for LAN interface + +- Make sure the function "IP forwarding" on third-party cloud instance's interfaces is enabled + +.. 
important:: + + Aviatrix Transit Gateway and third-party cloud instance CANNOT be deployed in the same Transit VNet. + +3. Build BGP over LAN +================================================ + +Step 3.1. Create Azure VNet peering between Aviatrix Transit VNet and third-party cloud instance Transit VNet +------------------------------------------------------------------------------------------------------------- + +Refer to `Azure VNET Peering doc `_ for more info. + +- Login Aviatrix Controller + +- Go to PEERING -> Azure + +- Click the button "+ NEW PEERING" + +- Select VNet where Aviatrix Transit gateway locates as Peer1 + +- Select VNet where third-party cloud instance locates as Peer2 + +- Click the button "OK" + +Step 3.2. Configure BGP over LAN on Aviatrix Transit Gateway +------------------------------------------------------------- + +- Login Aviatrix Controller + +- Go to MULTI-CLOUD TRANSIT -> Setup -> 3) Connect to VGW / External Device / Aviatrix CloudN / Azure VNG + +- Select option "External Device" -> "BGP" -> "LAN" + +- Fill the parameters to set up BGP over LAN to a third-party cloud instance + ++----------------------------------+-----------------------------------------------------------------------------------------------------------------------------+ +| Transit VPC Name | Select the Transit VPC ID where Transit GW was launched | ++----------------------------------+-----------------------------------------------------------------------------------------------------------------------------+ +| Connection Name | Provide a unique name to identify the connection to external device | ++----------------------------------+-----------------------------------------------------------------------------------------------------------------------------+ +| Aviatrix Transit Gateway BGP ASN | Configure a BGP AS number that the Transit GW will use to exchange routes with external device | 
++----------------------------------+-----------------------------------------------------------------------------------------------------------------------------+ +| Primary Aviatrix Transit Gateway | Select the Transit GW | ++----------------------------------+-----------------------------------------------------------------------------------------------------------------------------+ +| Enable Remote Gateway HA | Check this option in this example to connect two external devices | ++----------------------------------+-----------------------------------------------------------------------------------------------------------------------------+ +| Remote BGP AS Number | Configure a BGP AS number that third-party cloud primary instance will use to exchange routes with Aviatrix Transit Primary | ++----------------------------------+-----------------------------------------------------------------------------------------------------------------------------+ +| Remote VNet Name | Select the Transit VNet where third-party cloud instance locates | ++----------------------------------+-----------------------------------------------------------------------------------------------------------------------------+ +| Remote LAN IP | Use the private IP of the LAN interface of the third-party cloud primary instance | ++----------------------------------+-----------------------------------------------------------------------------------------------------------------------------+ +| Local LAN IP | Aviatrix detects the Local LAN IP automatically | ++----------------------------------+-----------------------------------------------------------------------------------------------------------------------------+ +| Remote BGP AS Number (Backup) | Configure a BGP AS number that third-party cloud HA instance will use to exchange routes with Aviatrix Transit HA | 
++----------------------------------+-----------------------------------------------------------------------------------------------------------------------------+ +| Remote LAN IP (Backup) | Use the private IP of the LAN interface of the third-party cloud HA instance | ++----------------------------------+-----------------------------------------------------------------------------------------------------------------------------+ +| Local LAN IP (Backup) | Aviatrix detects the Local LAN IP automatically | ++----------------------------------+-----------------------------------------------------------------------------------------------------------------------------+ + +- Click the button "CONNECT" to generate BGP session over LAN + + |aviatrix_azure_transit_externel_device_lan| + +Step 3.3. (Optional) Download the BGP over LAN configuration sample from Aviatrix Controller +-------------------------------------------------------------------------------------------- + +- Navigate to SITE2CLOUD -> Setup + +- Select the connection that you created with “Connection Name” in the previous step + +- Click the button "EDIT" + +- Select Vendor type, Platform, and Software. + +- Click the button "Download Configuration". + +Step 3.4. 
Configure BGP over LAN on third-party cloud instance +--------------------------------------------------------------- + +- Login Azure portal + +- Create a user-defined routing table with default route (0.0.0.0/0) pointing nexthop to Aviatrix Primary Transit's LAN IP for the subnet where third-party cloud primary instance's LAN interface locates + +- Create a user-defined routing table with default route (0.0.0.0/0) pointing nexthop to Aviatrix HA Transit's LAN IP for the subnet where third-party cloud HA instance's LAN interface locates for HA deployment + +- (Optional) Open the downloaded BGP over LAN configuration file + +- Login third-party cloud instance + +- Program route to send traffic to Aviatrix Transit's LAN IP through third-party cloud instance's LAN interface + +- Configure those related BGP and LAN info on third-party cloud instance + +- Check whether the function 'eBGP multi-hop' is enabled if BGP session is not established + +- Repeat those steps for HA deployment + +.. important:: + + Customer must create a default route 0.0.0.0/0 in the third-party cloud instance's LAN route table to point to Aviatrix Transit's LAN IP over VNET peering in Azure. + +Step 3.5. Verify LAN status on Aviatrix Controller +---------------------------------------------------------- + +- Navigate back to Aviatrix Controller + +- Go to SITE2CLOUD -> Setup + +- Find the connection that you created with “Connection Name” in the previous step + +- Check the Tunnel Status + + |aviatrix_azure_bgp_lan_status_1| + +- Go to MULTI-CLOUD TRANSIT -> List + +- Select the Transit Primary Gateway that was created in the previous step + +- Click the button "DETAILS/DIAG" + +- Scroll down to the panel "Connections" -> "On-prem Connections" + +- Find the connection that you created with “Connection Name” in the previous step + +- Check the Tunnel Status + + |aviatrix_azure_bgp_lan_status_2| + +Step 3.6. 
Verify BGP session status on Aviatrix Controller +---------------------------------------------------------- + +- Go to MULTI-CLOUD TRANSIT -> Advanced Config -> BGP Tab + +- Find the connection that you created with “Connection Name” in the previous step + +- Check the BGP Status + + |aviatrix_azure_bgp_status| + +4. Ready to go! +================= + +At this point, run connectivity and performance test to ensure everything is working correctly. + +5. Performance Benchmark +=========================== + +End-to-End traffic via Native Spoke VNet <-> Aviatrix <-> Aviatrix <-> Native Spoke VNet +---------------------------------------------------------------------------------------- + +The performance test is done with a pair of Aviatrix Transit Gateways as the third-party cloud instances, as shown below. + +Multiple flows result by using iperf3 tool with TCP 128 connections +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + ++-----------------------+------------------+ +| Aviatrix Gateway size | Throughput (Gbps)| ++-----------------------+------------------+ +| Standard_D5_v2 | 22 - 23 | ++-----------------------+------------------+ + +6. Additional Read +=========================== + +Additional read can be found in this short blog, `Need of conventional BGP support in the cloud `_ + +.. |transit_azure_gateway_external_device_bgp_over_lan_diagram| image:: transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_azure_gateway_external_device_bgp_over_lan_diagram.png + :scale: 50% + +.. |aviatrix_azure_transit_externel_device_lan| image:: transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_azure_transit_externel_device_lan.png + :scale: 50% + +.. |aviatrix_azure_bgp_lan_status_1| image:: transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_azure_bgp_lan_status_1.png + :scale: 50% + +.. 
|aviatrix_azure_bgp_lan_status_2| image:: transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_azure_bgp_lan_status_2.png + :scale: 50% + +.. |aviatrix_azure_bgp_status| image:: transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_azure_bgp_status.png + :scale: 50% + +.. |aviatrix_azure_gateway_creation| image:: transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_azure_gateway_creation.png + :scale: 50% + +.. |sd_wan_integ| image:: transitvpc_designs_media/sd_wan_integ.png + :scale: 30% + +.. |sd_wan_inte_azure| image:: transitvpc_designs_media/sd_wan_inte_azure.png + :scale: 30% + +.. disqus:: + diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_gcp_workflow.rst b/HowTos/transit_gateway_external_device_bgp_over_lan_gcp_workflow.rst new file mode 100644 index 000000000..5cd1cfa5a --- /dev/null +++ b/HowTos/transit_gateway_external_device_bgp_over_lan_gcp_workflow.rst 
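Review bot: Step 3.2's parameter table and Step 3.4 give no authentication or filtering guidance for a session that, as the introduction says, runs over plain LAN "without a tunnel protocol such as IPSec and GRE": the doc should state that both the BGP session and the data plane cross the VNet peering unencrypted, and list what must be allowed between the two LAN IPs (TCP/179 for BGP plus the forwarded traffic) so readers do not open the LAN subnets wider than needed; the table has no BGP password parameter, so either list one if the controller supports it for BGP over LAN, or say explicitly that the peering is unauthenticated and relies on the VNet peering and NSGs. In Step 3.4, "Check whether the function 'eBGP multi-hop' is enabled if BGP session is not established" reads as troubleshooting, but the Important block requires the LAN interfaces to sit in different VNets, so the peers are never directly connected and multi-hop (or an adjusted TTL) is always required; state it as a configuration step. Style: "seperate" in the Step 2.1 heading, and the substitutions `|sd_wan_integ|` and `|transit_azure_gateway_external_device_bgp_over_lan_diagram|` are defined at the end of the file but never referenced.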
@@ -0,0 +1,271 @@ +.. meta:: + :description: Multi-cloud Transit Gateway to External Device with BGP over LAN simulation workflow + :keywords: Aviatrix Transit network, Private Network, BGP over LAN, External Device, High Performance, SD-WAN + +========================================================================================== +GCP Multi-peer BGP over LAN Workflow +========================================================================================== + +Introduction +============ + +Transit BGP to LAN allows Aviatrix Transit Gateways to communicate with multiple instances in the same VPC in GCP without running any tunneling protocol such as IPSec or GRE. One use case is to interoperate with third-party virtual appliances such as SD-WAN cloud instances that do not have the capability to support BGP over any tunneling protocols. + +For example, integrating with SD-WAN gateways can be deployed as below, where Aviatrix Multi-cloud Transit Gateways connect to third-party cloud instances in the same VPC in GCP: + +|sd_wan_integ_gcp| + +This document describes a step-by-step instruction on how to build Aviatrix Transit Gateway to External Device using BGP over LAN. +In this Tech Note, you will learn the following: + +#. Workflow on `deploying Aviatrix Transit Solution `_ + +#. Workflow on `launching third-party cloud instances `_ + +#. Workflow on `building BGP over LAN `_ + +For other BGP over LAN workflows, please check out the below documents: + +- `AWS Multi-cloud Transit BGP over LAN Workflow `_ +- `Azure Multi-cloud Transit BGP over LAN Workflow `_ +- `Aviatrix BGP over LAN with Cisco Meraki in AWS `_ + +For more information about Multi-Cloud Transit Network and External Device, please check out the below documents: + +- `Multi Cloud Global Transit FAQ `_ +- `Global Transit Network Workflow Instructions (AWS/Azure/GCP/OCI) `_ +- `Aviatrix Transit Gateway to External Devices `_ +- `Transit Network Design Patterns `_ + +.. 
important:: + + - This solution supports only `ActiveMesh 2.0 `_, please check this doc `How to migrate to ActiveMesh 2.0 `_ for migration detail. + + - This solution is available in Azure when connecting to a single BGP peer. Multi-peer BGP is supported in GCP and AWS. The workflow with GCP here is just an example. Please adjust the topology depending on your requirements. + + - GCP does not allow interfaces to be added to an instance after deployment. Verify the design before creating the instances to make sure they have all the interfaces required. + + +The key ideas for this solution are: +---------------------------------------- + +- A BGP session establishes between third-party cloud instances and Aviatrix Transit Gateways via each LAN interface in the same VPC. + +- Dataplane traffic also runs between third-party cloud instances and Aviatrix Transit Gateways via each LAN interface without a tunnel protocol such as IPSec or GRE. + +Prerequisite +==================== + +- This feature is available starting in Aviatrix software version 6.6. `Upgrade `_ Aviatrix Controller to at least version 6.6. + +- Third-party cloud instance has high throughput supported. + +1. Deploy Aviatrix Multi-Cloud Transit Solution +================================================= + +Refer to `Global Transit Network Workflow Instructions `_ for the below steps. Please adjust the topology depending on your requirements. + +Step 1.1. Deploy Aviatrix Multi-Cloud Transit Gateway and HA +------------------------------------------------------------ + +- Follow the `Deploy the Transit Aviatrix Gateway `_ instructions to launch Aviatrix Transit Gateway and enable HA with insane mode encryption enabled in Transit VPC. + +Step 1.2. Deploy Spoke Gateway and HA +-------------------------------------- + +- Follow the `Deploy Spoke Gateways `_ instructions to launch Aviatrix Spoke Gateway and enable HA with insane mode encryption enabled in Spoke VPC(s). + +Step 1.3. 
Attach Spoke Gateways to Transit Network +-------------------------------------------------- + +- Follow the `Attach Spoke Gateways to Transit Network `_ instructions to attach Aviatrix Spoke Gateways to Aviatrix Transit Gateways. + +2. Launch third-party cloud instances +================================================================================ + +Step 2.1. Deploy third-party cloud instances with an interface in the same VPC as the Aviatrix Transit Gateway +-------------------------------------------------------------------------------------------------------------- + +- Create a third-party cloud instance and put MGMT interface in public gateway subnet. + +- Create a new WAN subnet and dedicated routing table for WAN interface if needed. + +- Create a new LAN subnet and a dedicated routing table for the LAN interface. + +- Make sure the function "IP forwarding" is enabled on the third-party cloud instances. + +.. important:: + + GCP allows a maximum of 8 interfaces per instance, and the max limit depends on the number of vCPUs. Due to this limitation, the solution supports 7 BGP peers without FireNet enabled and 6 BGP peers with FireNet enabled. + +3. Build BGP over LAN +================================================ + +Step 3.1. Deploy the Aviatrix Transit Gateway with all the required BGP interfaces +---------------------------------------------------------------------------------- + +- Log in to Aviatrix Controller. + +- Navigate to Multi-cloud Transit -> Setup -> Transit tab. + +- Set the parameters to deploy the Aviatrix Transit Gateway. 
+ ++----------------------------------+--------------------------------------------------------------------------------------------------+ +| Cloud Type | Gcloud | ++----------------------------------+--------------------------------------------------------------------------------------------------+ +| Gateway Name | Provide a unique name to identify the Transit Gateway | ++----------------------------------+--------------------------------------------------------------------------------------------------+ +| Access Account Name | Select the appropriate GCP account | ++----------------------------------+--------------------------------------------------------------------------------------------------+ +| VPC ID | Select the VPC where the Transit Gateway will be deployed | ++----------------------------------+--------------------------------------------------------------------------------------------------+ +| Public Subnet | Select the subnet the Transit Gateway interface will use | ++----------------------------------+--------------------------------------------------------------------------------------------------+ +| Zone | Select the Availability Zone where the Transit Gateway will be deployed | ++----------------------------------+--------------------------------------------------------------------------------------------------+ +| Gateway Size | Select an instance size that allows interfaces to be created for all BGP peers | ++----------------------------------+--------------------------------------------------------------------------------------------------+ +| Insane Mode Encryption | Check this box to enable high throughput | ++----------------------------------+--------------------------------------------------------------------------------------------------+ +| BGP over LAN | Check this box and then **Add Interface** for all BGP peers | 
++----------------------------------+--------------------------------------------------------------------------------------------------+ + + + |transit_bgp_over_lan_gcloud| + +Enable HA on the Aviatrix Transit Gateway, deploying the HA Gateway in a different Availability Zone. + + |transit_bgp_over_lan_gcloud_ha| + + +Step 3.2. Configure BGP over LAN on Aviatrix Transit Gateway +------------------------------------------------------------ + +- Log in to Aviatrix Controller. + +- Navigate to Multi-cloud Transit -> Setup -> Attach tab -> External Connection -> Connect to VGW/External Device/Aviatrix CloudN/ Azure VNG + +- Select the options "External Device" -> "BGP" -> "LAN" + +- Set the parameters to initiate the BGP over LAN connection(s) to the third-party cloud instance(s) + ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| VPC Name / Site ID | Select the Transit VPC ID where the Transit Gateway was deployed. | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Connection Name | Provide a unique name to identify the connection to external device. | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Aviatrix Gateway BGP ASN | Configure a BGP AS number that the Transit Gateway will use to exchange routes with the external device. 
| ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Primary Aviatrix Gateway | Select the Transit Gateway. | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Enable Remote Gateway HA | Check this box to connect two external devices. | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| BGP Activemesh | Check this box to enable full mesh BGP connections to the external devices. | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Remote BGP AS Number | Configure the BGP AS number that the third-party cloud instance will use to exchange routes with the Aviatrix Transit Gateway. | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Remote LAN IP | Use the private IP of the LAN interface of the third-party cloud primary instance. 
| ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Local LAN IP | If blank, the controller will assign an IP in the same subnet as the Remote LAN IP. Optionally, configure a specific IP within the same subnet as the Remote LAN IP. | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Remote BGP AS Number (Backup) | Configure the BGP AS number that the third-party HA cloud instance will use to exchange routes with the Aviatrix HA Transit Gateway. | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Remote LAN IP (Backup) | Use the private IP of the LAN interface of the third-party HA cloud instance. | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Local LAN IP (Backup) | If blank, the controller will assign an IP in the same subnet as the Remote LAN IP (Backup). Optionally, configure a specific IP within the same subnet as the Remote LAN IP (Backup). 
| ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + + +- Click the Connect button to generate the BGP sessions. + + |transit_s2c_conn_bgp_peer_gcloud| + +- Create a Site2Cloud connection for each BGP peer. + +Step 3.3. (Optional) Download the BGP over LAN configuration sample from Aviatrix Controller +-------------------------------------------------------------------------------------------- + +- Navigate to Site2Cloud -> Setup. + +- Select the previously created connection(s). + +- Click “Edit”. + +- Select the Vendor, Platform and Software that correspond to the third-party device. + +- Click “Download Configuration”. + + +Step 3.4. Configure BGP over LAN on the third-party cloud instance(s) +--------------------------------------------------------------------- + +- (Optional) Open the downloaded BGP over LAN configuration file. + +- Configure the relevant BGP over LAN information on the third-party cloud instance(s). + +Step 3.5. Verify the connection status on Aviatrix Controller +------------------------------------------------------------- + +- Navigate to Site2Cloud -> Setup. + +- Find the previously created connection(s). + +- Check the tunnel status. + + |transit_check_tunnel_gcloud| + +- Navigate to Multi-Cloud Transit -> List. + +- Select the previously created Aviatrix Transit Gateway. + +- Click “Details/Diag”. + +- Scroll down to the Connections -> On-prem Connections section. + +- Find the previously created connection(s). + +- Check the tunnel status. + + |transit_verify_bgp_status_onprem_gcloud| + +Step 3.6. Verify the BGP session status on Aviatrix Controller +-------------------------------------------------------------- + +- Navigate to Multi-Cloud Transit -> BGP. + +- Find the previously created connection(s). 
+ +- Check the Neighbor status. + + |transit_verify_bgp_status_gcloud| + + +4. Ready to go! +================= + +At this point, run connectivity and performance test to ensure everything is working correctly. + + +.. |transit_bgp_over_lan_gcloud| image:: transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_bgp_over_lan_gcloud.png + :scale: 50% + +.. |transit_bgp_over_lan_gcloud_ha| image:: transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_bgp_over_lan_gcloud_ha.png + :scale: 50% + +.. |transit_s2c_conn_bgp_peer_gcloud| image:: transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_s2c_conn_bgp_peer_gcloud.png + :scale: 50% + +.. |transit_verify_bgp_status_onprem_gcloud| image:: transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_verify_bgp_status_onprem_gcloud.png + :scale: 50% + +.. |transit_check_tunnel_gcloud| image:: transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_check_tunnel_gcloud.png + :scale: 50% + +.. |transit_verify_bgp_status_gcloud| image:: transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_verify_bgp_status_gcloud.png + :scale: 50% + +.. |sd_wan_integ_gcp| image:: transitvpc_designs_media/sd_wan_integ_gcp.png + :scale: 30% + +.. disqus:: + diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_azure_bgp_lan_status_1.png b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_azure_bgp_lan_status_1.png new file mode 100644 index 000000000..6bf475ae2 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_azure_bgp_lan_status_1.png differ 
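Review bot: Step 3.2 and Step 3.4 of this GCP workflow never say which VPC firewall rule the BGP over LAN peering depends on, while the Meraki workflow added in the same patch carries an `.. important::` block about security groups; add a parallel note here stating that the GCP firewall must permit the BGP session (TCP 179) between the Transit Gateway's LAN interface and the third-party instance's LAN interface, scoped to those interfaces (by address or network tag) rather than opened for the whole subnet, otherwise readers will reach Step 3.5 with a tunnel that never comes up and no hint as to why. Two smaller points: the `Zone` row in the Step 3.1 table reads "Select the Availability Zone", which is AWS wording (GCP uses zones), and the trailing `.. |sd_wan_integ_gcp| image:: transitvpc_designs_media/sd_wan_integ_gcp.png` substitution points at a different media directory than every other image in this file, so check that it is still referenced and that the path resolves, and drop it if not.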
diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_azure_bgp_lan_status_2.png b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_azure_bgp_lan_status_2.png new file mode 100644 index 000000000..9c4d2b804 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_azure_bgp_lan_status_2.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_azure_bgp_status.png b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_azure_bgp_status.png new file mode 100644 index 000000000..30d8cd7b2 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_azure_bgp_status.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_azure_gateway_creation.png b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_azure_gateway_creation.png new file mode 100644 index 000000000..4d7ed65e7 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_azure_gateway_creation.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_azure_transit_externel_device_lan.png b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_azure_transit_externel_device_lan.png new file mode 100644 index 000000000..6deedc4d7 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_azure_transit_externel_device_lan.png differ 
diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_bgp_lan_status_1.png b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_bgp_lan_status_1.png new file mode 100644 index 000000000..647cccf45 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_bgp_lan_status_1.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_bgp_lan_status_2.png b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_bgp_lan_status_2.png new file mode 100644 index 000000000..fc4b17eb0 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_bgp_lan_status_2.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_bgp_status.png b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_bgp_status.png new file mode 100644 index 000000000..5dddd6d30 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_bgp_status.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_transit_externel_device_lan.png b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_transit_externel_device_lan.png new file mode 100644 index 000000000..8f05639f6 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_transit_externel_device_lan.png differ 
diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_azure_gateway_external_device_bgp_over_lan_diagram.png b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_azure_gateway_external_device_bgp_over_lan_diagram.png new file mode 100644 index 000000000..c7f6223ac Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_azure_gateway_external_device_bgp_over_lan_diagram.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_bgp_over_lan_gcloud.png b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_bgp_over_lan_gcloud.png new file mode 100644 index 000000000..a1ba4329e Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_bgp_over_lan_gcloud.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_bgp_over_lan_gcloud_ha.png b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_bgp_over_lan_gcloud_ha.png new file mode 100644 index 000000000..6282167a4 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_bgp_over_lan_gcloud_ha.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_check_tunnel_gcloud.png b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_check_tunnel_gcloud.png new file mode 100644 index 000000000..a095e5170 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_check_tunnel_gcloud.png differ 
diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_gateway_external_device_bgp_over_lan_diagram.png b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_gateway_external_device_bgp_over_lan_diagram.png new file mode 100644 index 000000000..88d9abbe7 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_gateway_external_device_bgp_over_lan_diagram.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_s2c_conn_bgp_peer_gcloud.png b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_s2c_conn_bgp_peer_gcloud.png new file mode 100644 index 000000000..0660cc05f Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_s2c_conn_bgp_peer_gcloud.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_verify_bgp_status_gcloud.png b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_verify_bgp_status_gcloud.png new file mode 100644 index 000000000..dff603304 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_verify_bgp_status_gcloud.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_verify_bgp_status_onprem_gcloud.png b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_verify_bgp_status_onprem_gcloud.png new file mode 100644 index 000000000..bc27a694c Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_verify_bgp_status_onprem_gcloud.png differ 
diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow.rst b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow.rst new file mode 100644 index 000000000..22b266960 --- /dev/null +++ b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow.rst 
@@ -0,0 +1,524 @@ +.. meta:: + :description: AWS Multi-cloud Transit BGP over LAN with Cisco Meraki Workflow + :keywords: Aviatrix Transit network, Private Network, BGP over LAN, External Device, SD-WAN, Meraki + +========================================================================================== +Aviatrix BGP over LAN with Cisco Meraki in AWS +========================================================================================== + +Introduction +============ + +This Tech Note is a step-by-step guide for using `BGP over LAN `_ to interoperate with Cisco Meraki as the third party appliance in AWS. BGP over LAN also works in Azure, make adjustments accordingly when applying to deployment in Azure. + +Two supported design patterns are described as below: + +Design Pattern #1 with Aviatrix Multi-cloud Transit +---------------------------------------------------- + +|cisco_meraki_aviatrix_transit_solution_diag| + +In this design pattern, Aviatrix Multi-cloud transit is deployed to connect Spoke VPCs to the Transit VPC and Aviatrix Transit Gateway is used to connect to Meraki vMX in the same Transit VPC. + +Design Pattern #2 with AWS TGW Orchestrator +------------------------------------------- + +|cisco_meraki_aws_tgw_orchestrator_diag| + +In the second design pattern, AWS TGW is deployed for connecting to Spoke VPC and Aviatrix Multi-cloud transit is used to connect to Meraki vMX in the same Transit VPC. + +This Tech Note consists of: + +#. Workflow on `launching Cisco Meraki vMX in AWS `_ + +#. Workflow on `deploying branch Cisco Meraki device `_ + +#. Workflow on `deploying Aviatrix Multi-Cloud Transit Solution `_ + +#. 
Workflow on `building BGP over LAN `_ + +For more information about how to configure BGP over LAN, please refer to the doc links as follows: + +- `AWS Multi-cloud Transit BGP over LAN Workflow `_ +- `Azure Multi-cloud Transit BGP over LAN Workflow `_ + +For more information about Multi-Cloud Transit Network, External Device, and AWS TGW Orchestrator, please check out the below documents: + +- `Multi Cloud Global Transit FAQ `_ +- `Global Transit Network Workflow Instructions (AWS/Azure/GCP/OCI) `_ +- `Aviatrix Transit Gateway to External Devices `_ +- `Transit Network Design Patterns `_ +- `AWS TGW Orchestrator FAQ `_ +- `TGW Design Patterns `_ + +.. important:: + + - The minimum instance sizes of Aviatrix Transit Gateway for `BGP over LAN` are c4.4xlarge, c5.4xlarge, c5n.4xlarge + + - LAN interfaces for Aviatrix Transit Primary and Meraki vMX must be in the same Availability Zone. + +Prerequisite +==================== + +- This feature is available for 6.3 and later. `Upgrade `_ Aviatrix Controller to at least version 6.3. + +- In this Tech Note, the following VPC CIDRs are used for illustration purpose: + + - Transit VPC (10.1.0.0/16). You can create this VPC by using `Create a VPC `_ with Aviatrix FireNet VPC option enabled. + + - Spoke VPCs (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24). You can create the Spoke VPCs by using `Create a VPC `_ or manually deploying them in AWS console. Use existing Spoke VPCs also works. + +Illustration for Design Pattern #1 with Aviatrix Transit Solution +------------------------------------------------------------------ + + |cisco_meraki_aviatrix_transit_solution_illustration_diag| + +Illustration for Design Pattern #2 with AWS TGW Orchestrator +------------------------------------------------------------ + + |cisco_meraki_aws_tgw_orchestrator_illustration_diag| + +1. Launch Cisco Meraki vMX in AWS +================================================= + +Step 1.1. 
Deploy Cisco Meraki vMX in Transit VPC +------------------------------------------------- + +- Follow the steps in `vMX Setup Guide for Amazon Web Services (AWS) `_ to launch Cisco Meraki vMX in Transit VPC + + - Meraki Dashboard Configuration + + - AWS Setup, Accessing the AMI, and Configuring the EC2 Image + +- Step "Additional VPC Configuration" in `vMX Setup Guide for Amazon Web Services (AWS) `_ here is an optional as we will provide a guideline how to advertise spoke VPC CIDRs to branch Cisco Meraki through BGP protocol in the following steps. + +.. important:: + + - Assign an EIP to Meraki vMX's interface + + - Make sure the function "Source/Dest check" on Meraki vMX's interface is disabled + + - Since One-Armed Concentrator mode is adopted in this document, the vMX is configured with a single Network Interface which means all traffic will be sent and received on this interface. + +Step 1.2. Check Cisco Meraki vMX status on Meraki Dashboard +----------------------------------------------------------- + +- Login Meraki Dashboard + +- Select the "NETWORK" where this Cisco Meraki vMX in Transit VPC locates + +- Go to Security & SD-WAN -> MONITOR -> Appliance status + +- Check whether Cisco Meraki vMX displays "Active" status + + |cisco_meraki_aws_vMX_appliance_status| + +Step 1.3. Enable Hub (Mesh) type +----------------------------------------------------------- + +- Go to Security & SD-WAN -> CONFIGURE -> Site-to-site VPN + +- Find the panel "Type" on the top + +- Select the radio button "Hub (Mesh)" to establish VPN tunnels with all hubs and dependent spokes for this Cisco Meraki vMX + + |cisco_meraki_aws_vMX_s2s_hub_type| + +Step 1.4. 
Enable BGP settings +----------------------------------------------------------- + +- Find the panel "BGP settings" + +- Select the option "Enabled" for the field "BGP" + +- Adjust the values for the fields "BGP VPN AS" and "IBGP VPN Holdtimer" if needed and write down the BGP ASN + +- Click the button "Save" + + |cisco_meraki_aws_vMX_s2s_bgp_enable| + +.. important:: + + Will guide how to set up BGP neighbors for eBGP in the later workflow. + +2. Deploy branch Meraki device +================================================================== + +In this workflow example, we deploy another Meraki vMX in a Spoke VPC as a branch device and configure Hub-and-spoke Auto VPN Connection to verify this solution. +Please adjust the topology depending on your requirements. + +For more Meraki VPN info, please check out the below documents: + +- `Configuring Hub-and-spoke VPN Connections on the MX Security Appliance `_ +- `Meraki Auto VPN `_ + +Step 2.1. Deploy branch Meraki vMX in Spoke VPC +--------------------------------------------------------- + +- Follow step 1.1. but deploy Meraki vMX in Spoke VPC + +.. important:: + + Since Meraki vMX is deployed as a branch device in AWS as an example here, please follow the checklist as below: + + - Assign an EIP to Meraki vMX's interface + + - Make sure the function "Source/Dest check" on Meraki vMX's interface is disabled + + - Since One-Armed Concentrator mode is adopted in this document, the vMX is configured with a single Network Interface which means all traffic will be sent and received on this interface. Make sure both security group and routing table are configured properly. + +Step 2.2. 
Check branch Meraki vMX status on Meraki Dashboard +--------------------------------------------------------------------- + +- Login Meraki Dashboard + +- Select the "NETWORK" where this Cisco Meraki vMX in Spoke VPC locates + +- Go to Security & SD-WAN -> MONITOR -> Appliance status + +- Check whether branch Cisco Meraki device displays "Active" status + + |cisco_meraki_aws_branch_vMX_appliance_status| + +Step 2.3. Enable Spoke type +----------------------------------------------------------- + +- Select the "NETWORK" where this Cisco Meraki vMX in Spoke VPC locates + +- Go to Security & SD-WAN -> CONFIGURE -> Site-to-site VPN + +- Find the panel "Type" on the top + +- Select the radio button "Spoke" to establish VPN tunnels with selected hubs + +- Click the link "Add a hub" for the field "Hubs" + +- Select the "NETWORK" where the Cisco Meraki vMX in Transit VPC locates for Hubs + + |cisco_meraki_aws_branch_vMX_s2s_spoke_type| + +Step 2.4. Advertise Spoke VPC CIDR +----------------------------------------------------------- + +- Locate "Local networks" in the panel "VPN settings" + +- Click the button "Add a local network" + +- Fill the parameters to advertise Spoke VPC CIDR + ++-------------------+---------------------------------------------------------+ +| Name | Provide a unique name for the Local networks | ++-------------------+---------------------------------------------------------+ +| Subnet | Configure Spoke VPC CIDR as an example (192.168.2.0/24) | ++-------------------+---------------------------------------------------------+ +| VPN participation | VPN on | ++-------------------+---------------------------------------------------------+ + +- Click the button "Save" + + |cisco_meraki_aws_branch_vMX_s2s_vpn_settings| + +Step 2.5. 
Check VPN status +----------------------------------------------------------- + +- Select the "NETWORK" where this Cisco Meraki vMX in Spoke VPC locates + +- Go to Security & SD-WAN -> MONITOR -> VPN status + +- Check whether VPN status is Green and VPN Registry is Connected. + + |cisco_meraki_aws_branch_vMX_s2s_vpn_status| + +3. Deploy Aviatrix Multi-Cloud Transit Solution +================================================= + +Refer to `Global Transit Network Workflow Instructions `_ for the below steps. Please adjust the topology depending on your requirements. + +Step 3.1. Deploy Aviatrix Multi-Cloud Transit Gateway +------------------------------------------------------------ + +- Follow this step `Deploy the Transit Aviatrix Gateway `_ to launch Aviatrix Transit gateway in Transit VPC. + +- In this example, size c5n.4xlarge is selected. + +.. important:: + + The Aviatrix Transit Gateway must be deployed in the same available zone where Cisco Meraki vMX locates. + +Design Pattern #1: Aviatrix Spoke Gateway for encryption traffic +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Step 3.2. Deploy Aviatrix Spoke Gateway for encryption traffic +--------------------------------------------------------------- + +- Follow this step `Deploy Spoke Gateways `_ to launch Aviatrix Spoke gateway in Spoke VPC + +Step 3.3. Attach Spoke Gateways to Transit Network +-------------------------------------------------- + +- Follow this step `Attach Spoke Gateways to Transit Network `_ to attach Aviatrix Spoke Gateways to Aviatrix Transit Gateways + +Design Pattern #2: Spoke VPC through AWS TGW Orchestrator +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Step 3.4. 
Deploy Spoke VPC through AWS TGW Orchestrator +-------------------------------------------------------- + +- Follow Aviatrix TGW Orchestrator workflow `TGW Plan `_ to: + + - Create AWS TGW + + - Create a New Security Domain and Build Your Domain Connection Policies + + - Prepare Aviatrix Transit GW for TGW Attachment + + - Attach Aviatrix Transit GW to TGW + +- Follow Aviatrix TGW Orchestrator workflow `TGW Build `_ to: + + - Attach VPC to TGW + +4. Build BGP over LAN +================================================ + +Step 4.1. Configure BGP over LAN on Aviatrix Transit Gateway +------------------------------------------------------------- + +- Login Aviatrix Controller + +- Go to MULTI-CLOUD TRANSIT -> Setup -> 3) Connect to VGW / External Device / Aviatrix CloudN / Azure VNG + +- Select option "External Device" -> "BGP" -> "LAN" + +- Fill the parameters to set up BGP over LAN to Meraki vMX in Transit VPC + ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Transit VPC Name | Select the Transit VPC ID where Transit GW was launched | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Connection Name | Provide a unique name to identify the connection to external device | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Aviatrix Transit Gateway BGP ASN | Configure a BGP AS number that the Transit GW will use to exchange routes with external device | 
++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Primary Aviatrix Transit Gateway | Select the Transit GW | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Enable Remote Gateway HA | Uncheck this option in this example | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Remote BGP AS Number | Configure a BGP AS number that Meraki vMX will use to exchange routes with Aviatrix Transit Primary | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Remote LAN IP | Use the private IP of the Network Interface on Meraki vMX | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Local LAN IP | Leave it blank and the controller will assign an IP in the same subnet where the Remote LAN IP locates. Optionally configure an IP of your choosing within the same subnet where the Remote LAN IP locates. 
| ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +- Click the button "CONNECT" to generate BGP session over LAN + + |aviatrix_transit_externel_device_lan| + +Step 4.2. (Optional) Download the BGP over LAN configuration sample from Aviatrix Controller +-------------------------------------------------------------------------------------------- + +- Navigate to SITE2CLOUD -> Setup + +- Select the connection that you created with “Connection Name” in the previous step + +- Click the button "EDIT" + +- Select Vendor type, Platform, and Software + +- Click the button "Download Configuration" + +Step 4.3. Enable and configure BGP over LAN on Cisco Meraki vMX +--------------------------------------------------------------- + +For more Cisco Meraki BGP information, please check this `doc `_ + +- (Optional) Open the downloaded BGP over LAN configuration file + +- Login Meraki Dashboard + +- Select the "NETWORK" where this Cisco Meraki vMX in Transit VPC locates + +- Go to Security & SD-WAN -> CONFIGURE -> Site-to-site VPN + +- Find the section "BGP neighbors" in the panel "BGP settings" + +- Click the link "Add a BGP neighbor" + ++----------------+-------------------------------------------------------------------------------------------------------------------+ +| Neighbor IP | Use Aviatrix Transit gateway's eth4 private IP. This IP belongs to the same subnet where Meraki vMX eth0 locates. 
| ++----------------+-------------------------------------------------------------------------------------------------------------------+ +| Remote AS | Configure Aviatrix Transit Gateway BGP ASN | ++----------------+-------------------------------------------------------------------------------------------------------------------+ +| Receive limit | Leave it blank or optional in this example | ++----------------+-------------------------------------------------------------------------------------------------------------------+ +| Allow transit | Uncheck this option in this example | ++----------------+-------------------------------------------------------------------------------------------------------------------+ +| EBGP Holdtimer | 30 for this example | ++----------------+-------------------------------------------------------------------------------------------------------------------+ +| EBGP Multihop | 1 for this example | ++----------------+-------------------------------------------------------------------------------------------------------------------+ + +- Click the button "Save" + + |cisco_meraki_aws_vMX_bgp_over_lan| + +.. important:: + + Update Meraki vMX's security group to allow traffic coming from Aviatrix Transit Gateway properly. One of the secure approaches is to specify Aviatrix Transit Gateway's eth4 security group ID as the source for the Inbound rule in Meraki vMX's security group. Please check "Security group rules" in this AWS `doc `_ for more info. + +Step 4.4. 
Verify LAN status on Aviatrix Controller +---------------------------------------------------------- + +- Navigate back to Aviatrix Controller + +- Go to SITE2CLOUD -> Setup + +- Find the connection that you created with “Connection Name” in the previous step + +- Check the Tunnel Status + + |aviatrix_bgp_lan_status_1| + +- Go to MULTI-CLOUD TRANSIT -> List + +- Select the Transit Primary Gateway that was created in the previous step + +- Click the button "DETAILS/DIAG" + +- Scroll down to the panel "Connections" -> "On-prem Connections" + +- Find the connection that you created with “Connection Name” in the previous step + +- Check the Tunnel Status + + |aviatrix_bgp_lan_status_2| + +Step 4.5. Verify BGP session status on Aviatrix Controller +---------------------------------------------------------- + +- Go to MULTI-CLOUD TRANSIT -> Advanced Config -> BGP Tab + +- Find the connection that you created with “Connection Name” in the previous step + +- Check the BGP Status + + |aviatrix_bgp_status| + +Step 4.6. Verify BGP session status on Cisco Meraki vMX +---------------------------------------------------------- + +- Login Meraki Dashboard + +- Select the "NETWORK" where this Cisco Meraki vMX in Transit VPC locates + +- Go to Security & SD-WAN -> MONITOR -> Event log + + |cisco_meraki_aws_vMX_bgp_event_log| + +Step 4.7. Verify routing info on Cisco Meraki vMX +---------------------------------------------------------- + +- Login Meraki Dashboard + +- Select the "NETWORK" where this Cisco Meraki vMX in Transit VPC locates + +- Go to Security & SD-WAN -> MONITOR -> Route table + +- Check whether Cisco Meraki vMX has the routes to branch Cisco Meraki device via VPN + +- Check whether Cisco Meraki vMX has the routes to Aviatrix Spoke VPC via BGP on LAN + + |cisco_meraki_aws_vMX_routing_info| + +Step 4.8. 
Verify routing info on branch Cisco Meraki device +----------------------------------------------------------- + +- Login Meraki Dashboard + +- Select the "NETWORK" where this branch Cisco Meraki locates + +- Go to Security & SD-WAN -> MONITOR -> Route table + +- Check whether Cisco Meraki vMX has the routes to Aviatrix Spoke VPC via Cisco Meraki vMX in Transit VPC + + |cisco_meraki_aws_branch_vMX_routing_info| + +.. note:: + + If iBGP protocol betweeen Meraki vMX in Transit VPC and branch Meraki device does not establish properly, please attempt to reboot Meraki vMX in Transit VPC. + +5. Ready to go! +================= + +At this point, run connectivity and performance test to ensure everything is working correctly. + +6. Troubleshooting Tips +======================== + +- Check to make sure "Source/Dest check" on Meraki vMX's interface is disabled. + +- Check whether the routing table and security group are configured properly. + +- Check eBGP is established between Aviatrix Transit Gateway and Meraki vMX in Transit VPC. + +- Check iBGP is established between Meraki vMX and branch Meraki device. + +.. |cisco_meraki_aws_tgw_orchestrator_diag| image:: transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_tgw_orchestrator_diag.png + :scale: 50% + +.. |cisco_meraki_aviatrix_transit_solution_diag| image:: transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aviatrix_transit_solution_diag.png + :scale: 50% + +.. |cisco_meraki_aws_vMX_appliance_status| image:: transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_appliance_status.png + :scale: 50% + +.. |cisco_meraki_aws_vMX_s2s_hub_type| image:: transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_s2s_hub_type.png + :scale: 50% + +.. 
|cisco_meraki_aws_vMX_s2s_bgp_enable| image:: transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_s2s_bgp_enable.png + :scale: 50% + +.. |cisco_meraki_aws_branch_vMX_appliance_status| image:: transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_branch_vMX_appliance_status.png + :scale: 50% + +.. |cisco_meraki_aws_branch_vMX_s2s_spoke_type| image:: transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_branch_vMX_s2s_spoke_type.png + :scale: 50% + +.. |cisco_meraki_aws_branch_vMX_s2s_vpn_settings| image:: transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_branch_vMX_s2s_vpn_settings.png + :scale: 50% + +.. |cisco_meraki_aws_branch_vMX_s2s_vpn_status| image:: transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_branch_vMX_s2s_vpn_status.png + :scale: 50% + +.. |aviatrix_transit_externel_device_lan| image:: transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/aviatrix_transit_externel_device_lan.png + :scale: 30% + +.. |cisco_meraki_aws_vMX_bgp_over_lan| image:: transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_bgp_over_lan.png + :scale: 50% + +.. |aviatrix_bgp_lan_status_1| image:: transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/aviatrix_bgp_lan_status_1.png + :scale: 30% + +.. |aviatrix_bgp_lan_status_2| image:: transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/aviatrix_bgp_lan_status_2.png + :scale: 30% + +.. |aviatrix_bgp_status| image:: transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/aviatrix_bgp_status.png + :scale: 30% + +.. |cisco_meraki_aws_vMX_bgp_event_log| image:: transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_bgp_event_log.png + :scale: 50% + +.. 
|cisco_meraki_aws_vMX_routing_info| image:: transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_routing_info.png + :scale: 50% + +.. |cisco_meraki_aws_branch_vMX_routing_info| image:: transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_branch_vMX_routing_info.png + :scale: 50% + +.. |cisco_meraki_aviatrix_transit_solution_illustration_diag| image:: transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aviatrix_transit_solution_illustration_diag.png + :scale: 50% + +.. |cisco_meraki_aws_tgw_orchestrator_illustration_diag| image:: transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_tgw_orchestrator_illustration_diag.png + :scale: 50% + +.. disqus:: + diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/aviatrix_bgp_lan_status_1.png b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/aviatrix_bgp_lan_status_1.png new file mode 100644 index 000000000..eb6a012ea Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/aviatrix_bgp_lan_status_1.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/aviatrix_bgp_lan_status_2.png b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/aviatrix_bgp_lan_status_2.png new file mode 100644 index 000000000..cab4dab04 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/aviatrix_bgp_lan_status_2.png differ 
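Review bot: Step 4.8 checks the wrong device. On the branch network the bullet should read "Check whether the branch Cisco Meraki device has the routes to Aviatrix Spoke VPC via Cisco Meraki vMX in Transit VPC", not "Check whether Cisco Meraki vMX has the routes ..."; it was copied from Step 4.7 without adjustment. The security-group note under Step 4.3 is also one-directional and unspecific: it should say what to allow (at minimum TCP 179 for the BGP session plus the data-plane traffic between the two LAN interfaces) and state that the Aviatrix Transit Gateway's eth4 security group must in turn admit the vMX eth0 interface, or its security group ID, as a source; otherwise a reader is likely to fall back to allowing the whole subnet or 0.0.0.0/0 in both directions. The note in Step 4.8 recommends rebooting the vMX when iBGP does not come up; it would be better to first point the reader at the event log and route-table checks in Steps 4.6 and 4.7 so the reboot is a last resort rather than the first step. Smaller items: "betweeen" in the Step 4.8 note; "Login Meraki Dashboard" should be "Log in to the Meraki Dashboard" (three occurrences); the `doc `_ link references in Step 4.3 render with an empty target, so verify the URLs survived.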
diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/aviatrix_bgp_status.png b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/aviatrix_bgp_status.png new file mode 100644 index 000000000..f2660e3a2 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/aviatrix_bgp_status.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/aviatrix_transit_externel_device_lan.png b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/aviatrix_transit_externel_device_lan.png new file mode 100644 index 000000000..91dd64850 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/aviatrix_transit_externel_device_lan.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aviatrix_transit_solution_diag.png b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aviatrix_transit_solution_diag.png new file mode 100644 index 000000000..67447221a Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aviatrix_transit_solution_diag.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aviatrix_transit_solution_illustration_diag.png b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aviatrix_transit_solution_illustration_diag.png new file mode 100644 index 000000000..56dfa6423 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aviatrix_transit_solution_illustration_diag.png differ 
diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_branch_vMX_appliance_status.png b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_branch_vMX_appliance_status.png new file mode 100644 index 000000000..4ca43fe7c Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_branch_vMX_appliance_status.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_branch_vMX_routing_info.png b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_branch_vMX_routing_info.png new file mode 100644 index 000000000..8510267b8 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_branch_vMX_routing_info.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_branch_vMX_s2s_spoke_type.png b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_branch_vMX_s2s_spoke_type.png new file mode 100644 index 000000000..842ed189a Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_branch_vMX_s2s_spoke_type.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_branch_vMX_s2s_vpn_settings.png b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_branch_vMX_s2s_vpn_settings.png new file mode 100644 index 000000000..377981899 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_branch_vMX_s2s_vpn_settings.png differ 
diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_branch_vMX_s2s_vpn_status.png b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_branch_vMX_s2s_vpn_status.png new file mode 100644 index 000000000..7d215f09b Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_branch_vMX_s2s_vpn_status.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_tgw_orchestrator_diag.png b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_tgw_orchestrator_diag.png new file mode 100644 index 000000000..faeba10b4 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_tgw_orchestrator_diag.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_tgw_orchestrator_illustration_diag.png b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_tgw_orchestrator_illustration_diag.png new file mode 100644 index 000000000..d50c579a2 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_tgw_orchestrator_illustration_diag.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_appliance_status.png b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_appliance_status.png new file mode 100644 index 000000000..43fd7e758 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_appliance_status.png differ 
diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_bgp_event_log.png b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_bgp_event_log.png new file mode 100644 index 000000000..dd734b74d Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_bgp_event_log.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_bgp_over_lan.png b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_bgp_over_lan.png new file mode 100644 index 000000000..eac60d8df Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_bgp_over_lan.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_routing_info.png b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_routing_info.png new file mode 100644 index 000000000..8ba345675 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_routing_info.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_s2s_bgp_enable.png b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_s2s_bgp_enable.png new file mode 100644 index 000000000..425978882 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_s2s_bgp_enable.png differ 
diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_s2s_hub_type.png b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_s2s_hub_type.png new file mode 100644 index 000000000..8decf7134 Binary files /dev/null and b/HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow_media/cisco_meraki_aws_vMX_s2s_hub_type.png differ diff --git a/HowTos/transit_gateway_external_device_bgp_over_lan_workflow.rst b/HowTos/transit_gateway_external_device_bgp_over_lan_workflow.rst new file mode 100644 index 000000000..df485cfa0 --- /dev/null +++ b/HowTos/transit_gateway_external_device_bgp_over_lan_workflow.rst 
@@ -0,0 +1,367 @@ +.. meta:: + :description: Multi-cloud Transit Gateway to External Device with BGP over LAN simulation workflow + :keywords: Aviatrix Transit network, Private Network, BGP over LAN, External Device, High Performance, SD-WAN + +========================================================================================== +AWS Multi-cloud Transit BGP over LAN Workflow +========================================================================================== + +Introduction +============ + +Transit BGP to LAN allows Aviatrix Transit Gateways to communicate with a pair of instances in the same VPC in AWS without running +any tunneling protocol such as IPSec or GRE. One use case is to interoperate with third-party virtual appliances such as +SD-WAN cloud instances that do not have the capability to support BGP over any tunneling protocols. + +For example, integrating with SD-WAN gateways can be deployed as below, + +|sd_wan_integ_aws| + +where an Aviatrix Multi-cloud Transit Gateway connects to a third-party cloud instance in the same VPC in AWS. + +This document describes a step-by-step instruction on how to build Aviatrix Transit Gateway to External Device using BGP over LAN in AWS. +In this Tech Note, you learn the following: + +#. Workflow on `deploying Aviatrix Transit Solution `_ + +#. Workflow on `launching third-party cloud instances `_ + +#. Workflow on `building BGP over LAN `_ + +For other BGP over LAN workflows, please check out the below documents: + +- `Azure Multi-cloud Transit BGP over LAN Workflow `_ +- `Aviatrix BGP over LAN with Cisco Meraki in AWS `_ + +For more information about Multi-Cloud Transit Network and External Device, please check out the below documents: + +- `Multi Cloud Global Transit FAQ `_ +- `Global Transit Network Workflow Instructions (AWS/Azure/GCP/OCI) `_ +- `Aviatrix Transit Gateway to External Devices `_ +- `Transit Network Design Patterns `_ + +.. 
important:: + + - This solution supports only `ActiveMesh 2.0 `_, please check this doc `How to migrate to ActiveMesh 2.0 `_ for migration detail. + + - This solution is available to AWS and Azure. Workflow with AWS here is just an example. Please adjust the topology depending on your requirements. + + - Require instance size to support at least 5 interfaces such as c4.4xlarge, c5.4xlarge, and c5n.4xlarge in AWS. + + - LAN interfaces for Aviatrix Transit Primary and third-party cloud instance must be in the same Availability Zone. + + - One BGP over LAN connection per gateway is supported. + +The key ideas for this solution are: +---------------------------------------- + +- A BGP session establishes between a third-party cloud instance and Aviatrix Transit Gateway via each LAN interface in the same VPC. + +- Data plane traffic also runs between a third-party cloud instance and Aviatrix Transit Gateway via each LAN interface without a tunnel protocol such as IPSec and GRE. + +Prerequisite +==================== + +- This feature is available for 6.3 and later. `Upgrade `_ Aviatrix Controller to at least version 6.3. + +- In this example, we are going to deploy the below VPCs in AWS: + + - Transit VPC (i.e. 10.1.0.0/16) by utilizing Aviatrix feature `Create a VPC `_ with Aviatrix FireNet VPC option enabled. + + - Spoke VPCs (i.e. 192.168.1.0/24 and 192.168.2.0/24) by utilizing Aviatrix feature `Create a VPC `_ as the previous step or manually deploying it in each cloud portal. Moreover, feel free to use your existing cloud network. + +- Third-party cloud instance has high throughput supported. + +1. Deploy Aviatrix Multi-Cloud Transit Solution +================================================= + +Refer to `Global Transit Network Workflow Instructions `_ for the below steps. Please adjust the topology depending on your requirements. + +Step 1.1. 
Deploy Aviatrix Multi-Cloud Transit Gateway and HA +------------------------------------------------------------ + +- Follow this step `Deploy the Transit Aviatrix Gateway `_ to launch Aviatrix Transit gateway and enable HA with insane mode enabled in Transit VPC. + +- In this example, size c5n.4xlarge are selected to benchmark `performance `_. + +Step 1.2. Deploy Spoke Gateway and HA +-------------------------------------- + +- Follow this step `Deploy Spoke Gateways `_ to launch Aviatrix Spoke gateway and enable HA with insane mode enabled in Spoke VPC + +- In this example, size c5n.4xlarge are selected to benchmark `performance `_. + +Step 1.3. Attach Spoke Gateways to Transit Network +-------------------------------------------------- + +- Follow this step `Attach Spoke Gateways to Transit Network `_ to attach Aviatrix Spoke Gateways to Aviatrix Transit Gateways + +2. Launch third-party cloud instances +================================================================================ + +Step 2.1. Deploy third-party cloud instances in the same VPC where Aviatrix Transit Gateways locate +---------------------------------------------------------------------------------------------------- + +- Create a third-party cloud instance and put MGMT interface in public gateway subnet. + +- Create a new public WAN subnet and a dedicated routing table for WAN interface if needed. + +- Create a new private LAN subnet and a dedicated routing table (optional) for LAN interface. + +- Make sure the function "Source/Dest check" on third-party cloud instance's interfaces is disabled + +.. important:: + + The primary Aviatrix Transit Gateway must be deployed in the same available zone as the first third-party cloud instance. The HA Transit Gateway if deployed must reside in the same available zone as the second cloud instance. + +3. Build BGP over LAN +================================================ + +Step 3.1. 
Configure BGP over LAN on Aviatrix Transit Gateway +------------------------------------------------------------- + +- Login Aviatrix Controller + +- Go to MULTI-CLOUD TRANSIT -> Setup -> 3) Connect to VGW / External Device / Aviatrix CloudN / Azure VNG + +- Select option "External Device" -> "BGP" -> "LAN" + +- Fill the parameters to set up BGP over LAN to a third-party cloud instance + ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Transit VPC Name | Select the Transit VPC ID where Transit GW was launched | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Connection Name | Provide a unique name to identify the connection to external device | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Aviatrix Transit Gateway BGP ASN | Configure a BGP AS number that the Transit GW will use to exchange routes with external device | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Primary Aviatrix Transit Gateway | Select the Transit GW | 
++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Enable Remote Gateway HA | Check this option in this example to connect two external devices | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Remote BGP AS Number | Configure a BGP AS number that third-party cloud primary instance will use to exchange routes with Aviatrix Transit Primary | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Remote LAN IP | Use the private IP of the LAN interface of the third-party cloud primary instance | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Local LAN IP | Leave it blank and the controller will assign an IP in the same subnet where the Remote LAN IP locates. Optionally configure an IP of your choosing within the same subnet where the Remote LAN IP locates. 
| ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Remote BGP AS Number (Backup) | Configure a BGP AS number that third-party cloud HA instance will use to exchange routes with Aviatrix Transit HA | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Remote LAN IP (Backup) | Use the private IP of the LAN interface of the third-party cloud HA instance | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Local LAN IP (Backup) | Leave it blank and the controller will assign an IP in the same subnet where the Remote LAN IP (Backup) locates. Optionally configure an IP of your choosing within the same subnet where the Remote LAN IP (Backup) locates. | ++----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +- Click the button "CONNECT" to generate BGP session over LAN + + |aviatrix_transit_externel_device_lan| + +Step 3.2. 
(Optional) Download the BGP over LAN configuration sample from Aviatrix Controller +-------------------------------------------------------------------------------------------- + +- Navigate to SITE2CLOUD -> Setup + +- Select the connection that you created with “Connection Name” in the previous step + +- Click the button "EDIT" + +- Select Vendor type, Platform, and Software + +- Click the button "Download Configuration" + +Step 3.3. Configure BGP over LAN on third-party cloud instance +--------------------------------------------------------------- + +- (Optional) Open the downloaded BGP over LAN configuration file + +- Configure those related BGP and LAN info on third-party cloud instance + +Step 3.4. Verify LAN status on Aviatrix Controller +---------------------------------------------------------- + +- Navigate back to Aviatrix Controller + +- Go to SITE2CLOUD -> Setup + +- Find the connection that you created with “Connection Name” in the previous step + +- Check the Tunnel Status + + |aviatrix_bgp_lan_status_1| + +- Go to MULTI-CLOUD TRANSIT -> List + +- Select the Transit Primary Gateway that was created in the previous step + +- Click the button "DETAILS/DIAG" + +- Scroll down to the panel "Connections" -> "On-prem Connections" + +- Find the connection that you created with “Connection Name” in the previous step + +- Check the Tunnel Status + + |aviatrix_bgp_lan_status_2| + +Step 3.5. Verify BGP session status on Aviatrix Controller +---------------------------------------------------------- + +- Go to MULTI-CLOUD TRANSIT -> Advanced Config -> BGP Tab + +- Find the connection that you created with “Connection Name” in the previous step + +- Check the BGP Status + + |aviatrix_bgp_status| + +4. Ready to go! +================= + +At this point, run connectivity and performance test to ensure everything is working correctly. + +5. 
Performance Benchmark +=========================== + +End-to-End traffic via Aviatrix <-> Aviatrix +--------------------------------------------- + +The performance test is done with a pair of Aviatrix Transit Gateways as the third-party cloud instances, as shown below. + +Multiple flows result by using iperf3 tool with TCP 128 connections +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + ++-----------------------+------------------+ +| Aviatrix Gateway size | Throughput (Gbps)| ++-----------------------+------------------+ +| C5n.4xlarge | 23 - 24 | ++-----------------------+------------------+ + +6. Additional Read +=========================== + +Additional read can be found in this short blog, `Need of conventional BGP support in the cloud `_ + + +BGP over LAN Multi-Peer +=========================== + +Overview +------------- + +BGP over LAN in AWS can scale up to 10 BGP over LAN peers per Transit Gateway, and 20 total per Transit Gateway pair. This provides a higher throughput, better redundancy, and a consolidation of BGP over LAN peers on a pair of Transit Gateways. ECMP is supported on all BGP over LAN connections. + +On-Prem to Cloud +------------------ + +On-Prem to Cloud connectivity can be achieved with ECMP. + +|bgp_lan_multipeer_onprem_cloud| + +When connecting multiple peers, the same BGP over LAN ENI can be reused. Under Multi-Cloud Transit Step 3, specify the ENI IP to reuse it. + +|bgp_lan_multipeer_same_eni| + +On-prem to cloud can also be achieved without ECMP. + +|bgp_lan_multipeer_onprem_cloud_no_ecmp| + +On-Prem to On-Prem Using Aviatrix Transit as a Hub +-------------------------------------------------- + +This is the same architecture as on-prem to cloud without ECMP: + +|bgp_lan_multipeer_onprem_cloud_no_ecmp2| + +However, different ENIs must be used for each BGP over LAN peer, in order for the traffic to flow through the Aviatrix Transit Gateways. 
This is achieved by leaving the Local LAN IP field blank, or by specifying an IP different from any existing BGP over LAN ENIs. The Controller will allocate a new ENI in the subnet of the BGP over LAN peer specified by Remote LAN IP. Keep in mind that there is a maximum ENI count per instance, depending on the AWS instance type. Otherwise, there is no difference when it comes to performance or any other capabilities. + +|bgp_lan_multipeer_local_ipblank| + + +HA with BGP over LAN Multi-Peer +------------------------------- + +Use Remote Gateway HA to attach peers to the secondary Transit Gateway. One BGP over LAN connection consists of 2 peers. Because a peer must be in the same AZ as the Transit Gateway it is connected to, the HA model is 2 peers, each single-attached to their Transit Gateway in their AZ. Notice the BGPoLAN-1 and BGPoLAN-2 connection names in the following diagram. + +|bgp_lan_multipeer_ha| + + +Throughput with BGP over LAN Multi-Peer +--------------------------------------- + +The aggregate throughput with 20 BGP over LAN peers and a pair of c5n.18xlarge Transit Gateways are as follows: + +- 460-byte packets -> 12 Gbps. + +- 1460-byte packets -> 40 Gbps. + +- 9000-byte packets -> 90 Gbps. + + +Segmentation Domains with BGP over LAN Multi-Peer +------------------------------------------------- + +Segmentation domains are supported on a per BGP over LAN connection basis. If using Remote Gateway HA, then 1 BGP over LAN connection = 2 BGP over LAN peers = 1 domain. + + +Migration with BGP over LAN Multi-Peer +-------------------------------------- + +Additional BGP over LAN connections can be added to an existing Transit Gateway. The Gateway can have existing BGP over LAN connections. New connections can be added either with the single-ENI or the multi-ENI model. The existing connections do not need to be removed. The Transit Gateway does not need to be replaced. There is no control plane or data place disruption. 
+ +Feature Interaction with BGP over LAN Multi-Peer +------------------------------------------------ + +FireNet is supported. A BGP over LAN connection can be part of FireNet Inspection Policies. + +NAT is not supported on BGP over LAN connections. The configuration is blocked. + +The existing Terraform module aviatrix_transit_external_device_conn supports BGP over LAN multi-peer, using the existing argument local_lan_ip. + + +.. |transit_gateway_external_device_bgp_over_lan_diagram| image:: transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/transit_gateway_external_device_bgp_over_lan_diagram.png + :scale: 50% + +.. |aws_vgw_attach| image:: transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aws_vgw_attach.png + :scale: 50% + +.. |aws_route_propagation_status_yes| image:: transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aws_route_propagation_status_yes.png + :scale: 50% + +.. |aws_route_propagation_routing_entry| image:: transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aws_route_propagation_routing_entry.png + :scale: 50% + +.. |aviatrix_transit_externel_device_lan| image:: transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_transit_externel_device_lan.png + :scale: 50% + +.. |aviatrix_bgp_lan_status_1| image:: transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_bgp_lan_status_1.png + :scale: 50% + +.. |aviatrix_bgp_lan_status_2| image:: transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_bgp_lan_status_2.png + :scale: 50% + +.. |aviatrix_bgp_status| image:: transit_gateway_external_device_bgp_over_lan_simulation_workflow_media/aviatrix_bgp_status.png + :scale: 50% + +.. |sd_wan_integ_aws| image:: transitvpc_designs_media/sd_wan_integ_aws.png + :scale: 30% + +.. |bgp_lan_multipeer_onprem_cloud| image:: transitvpc_designs_media/bgp_lan_multipeer_onprem_cloud.png + :scale: 50% + +.. 
|bgp_lan_multipeer_same_eni| image:: transitvpc_designs_media/bgp_lan_multipeer_same_eni.png + :scale: 50% + +.. |bgp_lan_multipeer_onprem_cloud_no_ecmp| image:: transitvpc_designs_media/bgp_lan_multipeer_onprem_cloud_no_ecmp.png + :scale: 50% + +.. |bgp_lan_multipeer_onprem_cloud_no_ecmp2| image:: transitvpc_designs_media/bgp_lan_multipeer_onprem_cloud_no_ecmp2.png + :scale: 50% + +.. |bgp_lan_multipeer_local_ipblank| image:: transitvpc_designs_media/bgp_lan_multipeer_local_ipblank.png + :scale: 50% + +.. |bgp_lan_multipeer_ha| image:: transitvpc_designs_media/bgp_lan_multipeer_ha.png + :scale: 50% + +.. disqus:: + diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/Connection_Example.png b/HowTos/transit_gateway_integration_with_expressroute_media/Connection_Example.png new file mode 100644 index 000000000..4a6f2d61d Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/Connection_Example.png differ diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/LB_IP.png b/HowTos/transit_gateway_integration_with_expressroute_media/LB_IP.png new file mode 100644 index 000000000..16f3ff5ab Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/LB_IP.png differ diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/LGW_example.png b/HowTos/transit_gateway_integration_with_expressroute_media/LGW_example.png new file mode 100644 index 000000000..c4c4a1ca7 Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/LGW_example.png differ diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/VNG_VPN_IPSec.png b/HowTos/transit_gateway_integration_with_expressroute_media/VNG_VPN_IPSec.png new file mode 100644 index 000000000..41389cbc9 Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/VNG_VPN_IPSec.png differ 
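Review bot: Typo in the "Migration with BGP over LAN Multi-Peer" paragraph: "There is no control plane or data place disruption." should read "data plane". Elsewhere in this region: "6. Additional Read" is the only numbered heading in the file; the benchmark table writes the instance type as "C5n.4xlarge" while the throughput subsection uses "c5n.18xlarge", and the single-pair table gives no packet size for its 23-24 Gbps figure even though the multi-peer results are broken out by 460/1460/9000-byte packets, so the two numbers cannot be compared; "Multiple flows result by using iperf3 tool with TCP 128 connections" reads better as "Multiple flows generated with iperf3 using 128 parallel TCP connections". On the security side, the Multi-Peer section explains when the Controller allocates a new ENI in the peer's subnet but says nothing about how that peering is protected: it would help to state which security group rules the Controller attaches to the allocated ENI (at minimum whether TCP/179 is restricted to the Remote LAN IP) and whether BGP session authentication can be configured, or to say explicitly that this is out of scope and point to where it is covered.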
diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/azure_effective_routes_routing_entry.png b/HowTos/transit_gateway_integration_with_expressroute_media/azure_effective_routes_routing_entry.png new file mode 100644 index 000000000..5457b37e1 Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/azure_effective_routes_routing_entry.png differ diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/be_pool.png b/HowTos/transit_gateway_integration_with_expressroute_media/be_pool.png new file mode 100644 index 000000000..fa011d7be Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/be_pool.png differ diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/bgp_su_output.png b/HowTos/transit_gateway_integration_with_expressroute_media/bgp_su_output.png new file mode 100644 index 000000000..a100f9300 Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/bgp_su_output.png differ diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/create_VNG.png b/HowTos/transit_gateway_integration_with_expressroute_media/create_VNG.png new file mode 100644 index 000000000..5b00b6d9c Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/create_VNG.png differ diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/crypto_IOS_output.png b/HowTos/transit_gateway_integration_with_expressroute_media/crypto_IOS_output.png new file mode 100644 index 000000000..0fcd3d611 Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/crypto_IOS_output.png differ 
diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/ip_int_br.png b/HowTos/transit_gateway_integration_with_expressroute_media/ip_int_br.png new file mode 100644 index 000000000..72dba98a2 Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/ip_int_br.png differ diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/lb_rules.png b/HowTos/transit_gateway_integration_with_expressroute_media/lb_rules.png new file mode 100644 index 000000000..a62a2c14c Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/lb_rules.png differ diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/sh_ip_bgp.png b/HowTos/transit_gateway_integration_with_expressroute_media/sh_ip_bgp.png new file mode 100644 index 000000000..c60b2d512 Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/sh_ip_bgp.png differ diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/spk_rt.png b/HowTos/transit_gateway_integration_with_expressroute_media/spk_rt.png new file mode 100644 index 000000000..a47fbbeed Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/spk_rt.png differ diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/subnet_name.png b/HowTos/transit_gateway_integration_with_expressroute_media/subnet_name.png new file mode 100644 index 000000000..03e248b38 Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/subnet_name.png differ diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/subnet_ns.png b/HowTos/transit_gateway_integration_with_expressroute_media/subnet_ns.png new file mode 100644 index 000000000..daecab56e Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/subnet_ns.png differ 
diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/subnet_sn.png b/HowTos/transit_gateway_integration_with_expressroute_media/subnet_sn.png new file mode 100644 index 000000000..703c580b0 Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/subnet_sn.png differ diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/subnet_sn_1.png b/HowTos/transit_gateway_integration_with_expressroute_media/subnet_sn_1.png new file mode 100644 index 000000000..8a9930d74 Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/subnet_sn_1.png differ diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/topology_expressroute.png b/HowTos/transit_gateway_integration_with_expressroute_media/topology_expressroute.png new file mode 100644 index 000000000..e1ce567f4 Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/topology_expressroute.png differ diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/tr_rt.png b/HowTos/transit_gateway_integration_with_expressroute_media/tr_rt.png new file mode 100644 index 000000000..3c9638469 Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/tr_rt.png differ diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/tr_rt_ns.png b/HowTos/transit_gateway_integration_with_expressroute_media/tr_rt_ns.png new file mode 100644 index 000000000..20628b0c0 Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/tr_rt_ns.png differ 
diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/traffic_cloud_to_onprem_disable_inspection.png b/HowTos/transit_gateway_integration_with_expressroute_media/traffic_cloud_to_onprem_disable_inspection.png new file mode 100644 index 000000000..8fa7bd1ad Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/traffic_cloud_to_onprem_disable_inspection.png differ diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/traffic_onprem_to_cloud_disable_inspection.png b/HowTos/transit_gateway_integration_with_expressroute_media/traffic_onprem_to_cloud_disable_inspection.png new file mode 100644 index 000000000..1371ecba3 Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/traffic_onprem_to_cloud_disable_inspection.png differ diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/transit_ip.png b/HowTos/transit_gateway_integration_with_expressroute_media/transit_ip.png new file mode 100644 index 000000000..13086e28a Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/transit_ip.png differ diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/verify_vng_ip.png b/HowTos/transit_gateway_integration_with_expressroute_media/verify_vng_ip.png new file mode 100644 index 000000000..969fb02e1 Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/verify_vng_ip.png differ diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/vng_rt.png b/HowTos/transit_gateway_integration_with_expressroute_media/vng_rt.png new file mode 100644 index 000000000..661dfd1ee Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/vng_rt.png differ 
diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/vng_step.png b/HowTos/transit_gateway_integration_with_expressroute_media/vng_step.png new file mode 100644 index 000000000..96bfcb8f1 Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/vng_step.png differ diff --git a/HowTos/transit_gateway_integration_with_expressroute_media/vpn_topology.png b/HowTos/transit_gateway_integration_with_expressroute_media/vpn_topology.png new file mode 100644 index 000000000..dd9579836 Binary files /dev/null and b/HowTos/transit_gateway_integration_with_expressroute_media/vpn_topology.png differ diff --git a/HowTos/transit_gateway_integration_with_vng_IOSexample.rst b/HowTos/transit_gateway_integration_with_vng_IOSexample.rst new file mode 100644 index 000000000..025897775 --- /dev/null +++ b/HowTos/transit_gateway_integration_with_vng_IOSexample.rst 
@@ -0,0 +1,537 @@ +.. meta:: + :description: Transit Gateway integration with ExpressRoute Workflow + :keywords: Azure ExpressRoute, Aviatrix Transit Gateway integration with ExpressRoute + +============================================================================ +Configuration Example for Multi-Cloud Transit Integration Azure VNG VPN +============================================================================ + +This document describes the configuration workflow for the following network diagram. + +|vpn_topology| + +where there are two Spoke VNets, one with Aviatrix Spoke gateway (172.60.0.0/16) and one native Spoke VNet (172.50.0.0/16) + +Prerequisite +==================== + +`Upgrade `_ Aviatrix Controller to at least version 6.3. + + +.. tip:: + + We highly recommend you to ceate Azure Transit VNET by utilizing Aviatrix feature `Create a VNet `_ with Aviatrix FireNet VNet option enabled. Create a VNG in this Transit VNet. + + +Connect VNG on On-Prem +======================================================================================================= + +If you have already created VNG in Transit VNet, skip this section. + +This section covers an example of building a VPN tunnel with Cisco IOS. For more information about Azure VPN, please check out the below documents: + + - Refer to `Azure VPN Documentation `_ + + - Refer to `Azure VPN Gateway BGP Example `_ + + - Refer to `Azure S2S Example `_ + +Adjust the topology depending on your requirements. + +Step 1.1 Create Virtual Network Gateway +---------------------------------------- + +1. Login to Azure Portal and search "Virtual Network Gateway". +2. 
Click "Add" to create a new Virtual Network Gateway (VNG) + +|create_VNG| + + +------------------------------+-------------------------------------------+ + | Field | Description | + +------------------------------+-------------------------------------------+ + | Subscription | Select a **Azure Subscription** | + +------------------------------+-------------------------------------------+ + | Name | Any Name | + +------------------------------+-------------------------------------------+ + | Region | Select Region e.g. West US2 | + +------------------------------+-------------------------------------------+ + | Gateway type | Select **VPN** | + +------------------------------+-------------------------------------------+ + | VPN type | Select **Route-based** | + +------------------------------+-------------------------------------------+ + | SKU | Any (e.g. VpnGw1) | + +------------------------------+-------------------------------------------+ + | Generation | Any | + +------------------------------+-------------------------------------------+ + | Virtual Network | Select **Transit FireNet Gateway VNet** | + +------------------------------+-------------------------------------------+ + | Public IP address | Any | + +------------------------------+-------------------------------------------+ + | Public IP address name | Any | + +------------------------------+-------------------------------------------+ + | Enable active-active mode | Any (By default Disabled) | + +------------------------------+-------------------------------------------+ + | Configure BGP | Select **Enabled** and give any ASN | + +------------------------------+-------------------------------------------+ + +.. note:: + This step may take up to 45 minutes to complete. + +3. Once VNG is created. 
Go to Azure Portal -> Virtual Network Gateway -> Configuration and note down **Public IP Address** and **Default Azure BGP peer IP address** + + +Step 1.2 Create Azure Local Network Gateways (LGW) +------------------------------------------------------------------- + +1. Login to Azure Portal and search "Local network gateways". +2. Click "Add" to create a new Local Network Gateway + +|LGW_example| + + +------------------------------+-------------------------------------------+ + | Field | Description | + +------------------------------+-------------------------------------------+ + | Name | Any | + +------------------------------+-------------------------------------------+ + | IP Address | Any e.g. Cisco IOS Public IP 44.241.247.99| + +------------------------------+-------------------------------------------+ + | Configure BGP settings | Check BGP checkbox | + +------------------------------+-------------------------------------------+ + | BGP ASN | Any (e.g. 65002) | + +------------------------------+-------------------------------------------+ + | BGP peer IP address | Any (e.g. 192.168.1.1) | + +------------------------------+-------------------------------------------+ + | Subscription | Select valid subscription | + +------------------------------+-------------------------------------------+ + | Resource group | Any or Create new | + +------------------------------+-------------------------------------------+ + | Location | Any (e.g. 
West US2) | + +------------------------------+-------------------------------------------+ + + +Step 1.3 Create a VPN Connection +---------------------------------------------------------------------- + +1) Login to Azure Portal and search "Virtual network gateways" +2) Click on VNG created earlier +3) Select Connections +4) Click "Add" + +|Connection_Example| + + +------------------------------+-------------------------------------------+ + | Field | Description | + +------------------------------+-------------------------------------------+ + | Name | Any | + +------------------------------+-------------------------------------------+ + | Connection type | Select Site-to-Site (IPSec) | + +------------------------------+-------------------------------------------+ + | Virtual network gateway | Select VNG just created | + +------------------------------+-------------------------------------------+ + | Local network gateway | Select LNG just created | + +------------------------------+-------------------------------------------+ + | Shared key (PSK) | Enter the value that matches the value | + | | `Internet Key Exchange Configuration` | + | | > **Pre-Shared Key** | + +------------------------------+-------------------------------------------+ + | Use Azure Private IP address | Uncheck | + +------------------------------+-------------------------------------------+ + | Enable BGP | Check | + +------------------------------+-------------------------------------------+ + | IKE Protocol | Select IKEv2 | + +------------------------------+-------------------------------------------+ + +5) Select the VPN you just created and click the Download Configuration button along the top. At the dialog, select Cisco for the Vendor, IOS for the Device family and firmware version 15.x (IKEv2) + +Click Download Configuration. You will use this file to create the other side of the tunnel. + +.. note:: + Cisco IOS configuration is not accurate. Please modify it before use it. 
+ +Cisco IOS sample configuration used in this example: + +:: + + Current configuration : 5983 bytes + ! + hostname Cisco-IOS + ! + username ec2-user privilege 15 + ! + crypto ikev2 proposal CSR-VPN-proposal + encryption aes-cbc-256 + integrity sha1 + group 2 + ! + crypto ikev2 policy CSR-VPN-policy + match address local 10.100.0.20 + proposal CSR-VPN-proposal + ! + crypto ikev2 keyring CSR-VPN-keyring + peer 52.151.46.220 + address 52.151.46.220 + pre-shared-key + ! + ! + crypto ikev2 profile CSR-VPN-profile + match address local 10.100.0.20 + match identity remote address 52.151.46.220 255.255.255.255 + authentication remote pre-share + authentication local pre-share + keyring local CSR-VPN-keyring + lifetime 3600 + dpd 10 5 on-demand + ! + ! + ! + crypto ipsec transform-set CSR-VPN-TransformSet esp-gcm 256 + mode tunnel + ! + crypto ipsec profile CSR-VPN-IPsecProfile + set transform-set CSR-VPN-TransformSet + set ikev2-profile CSR-VPN-profile + ! + ! + ! + interface Loopback11 + ip address 1.1.1.1 255.255.255.255 + ! + interface Tunnel11 + ip address 192.168.1.1 255.255.255.255 + ip tcp adjust-mss 1350 + tunnel source 10.100.0.20 + tunnel mode ipsec ipv4 + tunnel destination 52.151.46.220 + tunnel protection ipsec profile CSR-VPN-IPsecProfile + ! + interface VirtualPortGroup0 + vrf forwarding GS + ip address 192.168.35.101 255.255.255.0 + ip nat inside + no mop enabled + no mop sysid + ! + interface GigabitEthernet1 + ip address dhcp + ip nat outside + negotiation auto + no mop enabled + no mop sysid + ! + router bgp 65002 + bgp log-neighbor-changes + neighbor 172.40.1.254 remote-as 65515 + neighbor 172.40.1.254 ebgp-multihop 255 + neighbor 172.40.1.254 update-source Tunnel11 + ! + address-family ipv4 + network 1.1.1.1 mask 255.255.255.255 + network 10.100.0.20 + network 192.168.1.1 + neighbor 172.40.1.254 activate + exit-address-family + ! 
+ iox + ip forward-protocol nd + ip tcp window-size 8192 + ip http server + ip http authentication local + ip http secure-server + ! + ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 vrf GS overload + ip route 0.0.0.0 0.0.0.0 GigabitEthernet1 10.100.0.1 + ip route 172.40.0.0 255.255.0.0 Tunnel11 + ip route 172.40.1.254 255.255.255.255 Tunnel11 + ip route vrf GS 0.0.0.0 0.0.0.0 GigabitEthernet1 10.100.0.1 global + ! + end + +Connect Aviatrix Transit Gateway with VNG +============================================================================ + +Refer to `Global Transit Network Workflow Instructions `_ for the below steps. Please adjust the topology depending on your requirements. + +Step 2.1 Deploy Aviatrix Multi-Cloud Transit Gateway and HA in Azure +----------------------------------------------------------------------- + + - Follow this step `Deploy the Transit Aviatrix Gateway `_ to launch Aviatrix Transit gateway and enable HA with insane mode enabled in Azure Transit VNET. Insane mode is not required but an optional feature to increase throughput. + + - Instance size of at least Standard_D5_v2 will be required for `Insane Mode Encryptions `_ for higher throughput. Please refer to this `doc `_ for performance detail. + + - Enable `Transit FireNet Function `_ + + +Step 2.2 Connect Transit FireNet Gateway with VNG +------------------------------------------------------------------------------ + +This step assumes VNG is already deployed in the Transit VNet. + + - Go to Multi-Cloud Transit -> Step 3 Connect to VGW / External Device / Aviatrix CloudN / Azure VNG + + - Select **Azure VNG** radio button + + - Select **Primary Aviatrix Transit Gateway** in the drop down menu. Note if VNG has not been deployed in the Transit VNet, this step cannot complete. 
+ + - VNG Name will populate automatically + + - Click **Connect** + +|vng_step| + + +Step 2.3 Check Effective routes info on Azure portal +------------------------------------------------------- + + - Login Azure Portal + + - Search for "Network interfaces" on the search bar + + - Select Aviatrix Transit Gateway's interface + + - Navigate to the page "Effective routes" by clicking the link "Effective routes" under the section "Support + troubleshooting" + + - Check route entry for On-prem pointing Next Hop Type **Virtual network gateway** + + |azure_effective_routes_routing_entry| + + +Attach Spoke VNet to Aviatrix Transit Gateway +============================================================================ + +Step 3.1 Deploy Aviatrix Spoke Gateway in Spoke VNet +-------------------------------------------------------- + + - Create Azure VNET for Aviatrix Spoke Gateway by utilizing Aviatrix feature `Create a VPC `_ or manually deploy it in cloud portal or feel free to use existing virtual network. + +Step 3.2 Launch Spoke Gateway and HA +-------------------------------------- + + - Follow this step `Deploy Spoke Gateways `_ to launch Aviatrix Spoke gateway and enable HA with insane mode enabled in Azure Spoke VNET. Insane mode is optional. + + - Instance size of at least Standard_D5_v2 will be required for `Insane Mode Encryptions `_ for higher throughput. Please refer to this `doc `_ for performance detail. + +Step 3.3 (Optional) Create Spoke VNet +--------------------------------------------------- + + - If you do not have any Spoke VNet, create one by using Aviatrix feature `Create a VPC `_ or manually do so in Azure portal. 
+ + +Step 3.3 Attach Spoke Gateways to Transit Network +-------------------------------------------------- + + - Follow this step `Attach Spoke Gateways to Transit Network `_ to attach Aviatrix Spoke Gateways to Aviatrix Transit Gateways in Azure + + - Follow step `Attach Native Azure VNET to Transit Network `_ to attach Azure Native VNET Spoke to Aviatrix Transit Gateway. + +Ready to go! +============ + +Now you should be able to send traffic from cloud to on-prem as well as on-prem to cloud over Azure Express Route. + +For FireNet deployment, follow the `Transit FireNet workflow `_. + +Troubleshooting +================= + +This section covers the end-to-end packet for troubleshooting purposes. This section covers the following: + + - Packet Flow when Inspection is disabled and traffic initiated from on-prem + + - Packet Flow when Inspection is disabled and traffic initiated from cloud + + - Packet Flow when Inspection is enabled and traffic initiated from cloud + + - Packet Flow when Inspection is enabled and traffic initiated from on-prem + +Before we start the packet walk hop by hop first make sure IPSec tunnel is connected and BGP session is up + +Azure Portal +------------- + +|VNG_VPN_IPSec| + +Cisco IOS +---------- + +Interface output to make sure all interfaces and tunnels are up. + +|ip_int_br| + +"Show ip bgp summary" shows BGP session status and if IOS learning any routes via BGP + +|bgp_su_output| + +Check IPSec IKEv2 tunnel status +|crypto_IOS_output| + + +Traffic Initiated from On-Prem and Inspection is disabled +----------------------------------------------------------- + +In this example, following VNETs in Azure will be used: + + - Azure Aviatrix Transit VNET (i.e. 172.40.0.0/16) + + - Azure Aviatrix Spoke VNETs (i.e. 
172.50.0.0/16) + +|traffic_onprem_to_cloud_disable_inspection| + +Traffic flow from on-prem Cisco IOS Router with 10.100.0.0/16 subnet and Loopback 1.1.1.1/32 to Cloud Azure Native Spoke VNET (10.50.0.0/16) + +Lets start at Cisco IOS and verify if Spoke CIDR is learned and what is the Next Hop to reach to Spoke VNET. + +|sh_ip_bgp| + +Next Hop of Spoke VNET should be VPN termination point so it should be the IP address of VNG. + + - Login to Azure Portal and search "Virtual network gateways" + + - Go to Virtual network gateways, select Virtual Network Gateway created earlier + + - Click Configuration inside VNG and verify the IP address of Next Hop + +|verify_vng_ip| + +Traffic reached at VNG which is terminated at the Cloud. Now login to Azure Portal -> All resources -> VNG Route table to check what is the Next hop to reach Spoke VNET. + +|vng_rt| + +VNG route table showing next hop 172.40.0.134 which is a IP of Loadbalancer + +|LB_IP| + +Next we need to check the LB rules and see what is the LB backend pool name + +|lb_rules| + +Once we know pool name then we go to Backend Pool and check the next hop IP address + +|be_pool| + +LB should be pointing to Transit Gateway. Go Aviatrix Controller console and verify the private IP address of Aviatrix Transit FireNet Gateway. + +|transit_ip| + +Next go to transit and check if Transit has route to reach to Spoke VNET + +|tr_rt| + +Transit is showing it is going via IP 172.40.0.65. How do we verify that IP?? + +|subnet_sn| + +|subnet_sn_1| + +Traffic Initiated from Cloud and Inspection is disabled +----------------------------------------------------------- + +In this example, following VNETs in Azure will be used: + + - Azure Aviatrix Transit VNET (i.e. 172.40.0.0/16) + + - Azure Aviatrix Spoke VNETs (i.e. 
172.50.0.0/16) + +|traffic_cloud_to_onprem_disable_inspection| + +Traffic flow from Cloud Azure Native Spoke VNET (10.50.0.0/16) to on-prem Cisco IOS Router with 10.100.0.0/16 subnet and Loopback 1.1.1.1/32 + +Lets start from Spoke and verify if IOS routes are learned and what is the Next Hop to reach to on-prem. + +|spk_rt| + +Spoke showing next-hop as transit 172.40.0.68 (Transit FireNet Gateway) + +|tr_rt_ns| + +Transit FireNet Gateway showing the destination 1.1.1.1/32 via eth2 (172.40.0.161). In order to verify the next hop, we need to Transit FireNet Gateway interface eth2 and capture the subnet name to verify the pool address. + +|subnet_name| + +|subnet_ns| + +Once traffic reach to VNG, we can verify that now VNG routing table is showing the destination IP via VPN tunnel. + +|azure_effective_routes_routing_entry| + + +.. |vpn_topology| image:: transit_gateway_integration_with_expressroute_media/vpn_topology.png + :scale: 60% + +.. |traffic_onprem_to_cloud_disable_inspection| image:: transit_gateway_integration_with_expressroute_media/traffic_onprem_to_cloud_disable_inspection.png + :scale: 60% + +.. |azure_effective_routes_routing_entry| image:: transit_gateway_integration_with_expressroute_media/azure_effective_routes_routing_entry.png + :scale: 40% + +.. |vng_step| image:: transit_gateway_integration_with_expressroute_media/vng_step.png + :scale: 40% + +.. |create_VNG| image:: transit_gateway_integration_with_expressroute_media/create_VNG.png + :scale: 40% + +.. |LGW_example| image:: transit_gateway_integration_with_expressroute_media/LGW_example.png + :scale: 40% + +.. |Connection_Example| image:: transit_gateway_integration_with_expressroute_media/Connection_Example.png + :scale: 40% + +.. |VNG_VPN_IPSec| image:: transit_gateway_integration_with_expressroute_media/VNG_VPN_IPSec.png + :scale: 40% + +.. |sh_ip_bgp| image:: transit_gateway_integration_with_expressroute_media/sh_ip_bgp.png + :scale: 40% + +.. 
|crypto_IOS_output| image:: transit_gateway_integration_with_expressroute_media/crypto_IOS_output.png + :scale: 40% + +.. |bgp_su_output| image:: transit_gateway_integration_with_expressroute_media/bgp_su_output.png + :scale: 40% + +.. |ip_int_br| image:: transit_gateway_integration_with_expressroute_media/ip_int_br.png + :scale: 40% + +.. |verify_vng_ip| image:: transit_gateway_integration_with_expressroute_media/verify_vng_ip.png + :scale: 40% + +.. |vng_rt| image:: transit_gateway_integration_with_expressroute_media/vng_rt.png + :scale: 40% + +.. |LB_IP| image:: transit_gateway_integration_with_expressroute_media/LB_IP.png + :scale: 40% + +.. |lb_rules| image:: transit_gateway_integration_with_expressroute_media/lb_rules.png + :scale: 40% + +.. |be_pool| image:: transit_gateway_integration_with_expressroute_media/be_pool.png + :scale: 40% + +.. |transit_ip| image:: transit_gateway_integration_with_expressroute_media/transit_ip.png + :scale: 40% + +.. |tr_rt| image:: transit_gateway_integration_with_expressroute_media/tr_rt.png + :scale: 40% + +.. |traffic_cloud_to_onprem_disable_inspection| image:: transit_gateway_integration_with_expressroute_media/traffic_cloud_to_onprem_disable_inspection.png + :scale: 40% + +.. |spk_rt| image:: transit_gateway_integration_with_expressroute_media/spk_rt.png + :scale: 40% + +.. |tr_rt_ns| image:: transit_gateway_integration_with_expressroute_media/tr_rt_ns.png + :scale: 40% + +.. |subnet_sn| image:: transit_gateway_integration_with_expressroute_media/subnet_sn.png + :scale: 40% + +.. |subnet_sn_1| image:: transit_gateway_integration_with_expressroute_media/subnet_sn_1.png + :scale: 40% + +.. |subnet_ns| image:: transit_gateway_integration_with_expressroute_media/subnet_ns.png + :scale: 40% + +.. |subnet_name| image:: transit_gateway_integration_with_expressroute_media/subnet_name.png + :scale: 40% + + +.. disqus:: + 
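Review bot: The Cisco IOS sample under "Connect VNG on On-Prem" ships a weak IKEv2 proposal, and readers will paste it as-is: "encryption aes-cbc-256" / "integrity sha1" / "group 2" pairs AES-256 with SHA-1 integrity and 1024-bit DH group 2, while the ESP side of the same sample already uses "esp-gcm 256". Suggest "integrity sha256" and "group 14" (or an ECP group), both of which Azure VPN gateways support, so the IKE SA is not the weak link. In the same block the "pre-shared-key" line under the keyring is empty; mark it as a placeholder ("pre-shared-key <your-psk>") rather than leaving it blank, and "ip http server" is enabled next to "ip http secure-server"; drop the plaintext management listener or say why it is needed. The note "Cisco IOS configuration is not accurate. Please modify it before use it." should say what in the Azure-generated file is wrong instead of leaving the reader to guess.

Other points in this file: the meta description and the media folder name say ExpressRoute, and "Ready to go!" says traffic flows "over Azure Express Route", but the document builds an IPsec VPN to a VNG, not an ExpressRoute circuit; the CIDRs disagree (the native spoke is 172.50.0.0/16 in the intro but 10.50.0.0/16 in both packet walks, and the packet walks label 172.50.0.0/16 as "Azure Aviatrix Spoke VNETs" while the intro gives 172.60.0.0/16 for the Aviatrix spoke); "Step 3.3" is used for two different steps and the optional "Create Spoke VNet" step repeats Step 3.1; "Troubleshooting" promises four packet flows but documents only the two "Inspection is disabled" cases; the on-prem-initiated walk ends at "How do we verify that IP??" with two screenshots and no answer. Smaller: "ceate" -> "create", "Login to" -> "Log in to", "Lets" -> "Let's", Step 3.1 says "Create a VPC" for an Azure VNet, and 44.241.247.99 / 52.151.46.220 look like live public addresses; RFC 5737 documentation ranges are safer in a sample that will be copied.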
diff --git a/HowTos/transit_gateway_peering.rst b/HowTos/transit_gateway_peering.rst index 76456c241..708a8a666 100644 --- a/HowTos/transit_gateway_peering.rst +++ b/HowTos/transit_gateway_peering.rst @@ -35,6 +35,8 @@ Go to Transit Network -> Transit Peering -> Add New. Select one of each Transit Gateway and click OK. +There are a few optional and advanced options as described below. + Excluded Network CIDRs ^^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -80,6 +82,42 @@ and Site-2 accesses Prod-3/Prod-4 and Dev-3/Dev-4 via its local regional TGW. |excluded_tgw_connections| +Peering over Private Network +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This advanced option only appears and applies to when the two Multi-cloud Transit Gateways is each launched in Insane Mode +and each is in a different cloud type. For example, one Multi-cloud Transit Gateway in AWS and the other in Azure. + +Peering over Private Network function is an optional field. When this checkbox is checked, users are able to build Aviatrix Transit Gateway peering over multi-cloud where there is private network connectivity. + +One of the use cases is two Aviatrix Transit Gateways deployed in two different public clouds where each has its private connectivity such as AWS Direct Connect and Azure Express Route connecting to on-prem or a co-location. By building a Transit Gateway private peering, Aviatrix Transit Gateway forwards traffic over the private links to the other Aviatrix Transit Gateway and beyond. + +For example configuration workflow, check out this doc `Aviatrix Transit Gateway Peering over Private Network Workflow `_. + + +Peering over Public Network or Internet +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Use the Insane Mode High Performance Encryption (HPE) option to create peered transit connections between Cloud Service Providers (CSPs) over the public internet. The transit gateways must be in Insane Mode to use this option. Currently, only intercloud connections between AWS and Azure are supported. +By default, the gateways create 4 HPE tunnels. The supported range is 2 to 20 HPE tunnels for each transit gateway. + + +Single-tunnel mode +^^^^^^^^^^^^^^^^^^^^^ + +This advanced option only appears and applies to when the +two Multi-cloud Transit Gateways is each launched in Insane Mode +and each is in a different cloud type. For example, one Multi-cloud Transit Gateway in AWS and the other in Azure. 
+ +When this option is selected, instead of building up to 50 IPSec tunnels (as in Insane Mode) between the +two Multi-cloud Transit Gateways, +only a single tunnel connection is established. One use case is if the underlying private network is a low speed +(up to 4Gbps) link across the two cloud types. By using the Single-Tunnel mode, you do not pay the Insane Mode +license charges. Note when the Multi-cloud Transit Gateways enable HA on both cloud types, the aggregate +throughput via Single-Tunnel mode can reach 4Gbps. + + + Default Route Propagation Behavior ------------------------------------- @@ -90,6 +128,12 @@ On the other hand, if on-prem advertise the default route to the Aviatrix Transi propagated to the remote Aviatrix Transit Gateway via Transit Peering. +Spoke to Spoke Peering Monitoring +------------------------------------- + +The Peering page is only used only to create and delete peered spoke to spoke connections in activemesh mode. To view the status of the connection, go to the Multi-Cloud Transit > List > Spoke page. + + .. |multi-region| image:: tgw_design_patterns_media/multi-region.png :scale: 30% diff --git a/HowTos/transit_gateway_peering_with_private_network_workflow.rst b/HowTos/transit_gateway_peering_with_private_network_workflow.rst new file mode 100644 index 000000000..e9bbc4485 --- /dev/null +++ b/HowTos/transit_gateway_peering_with_private_network_workflow.rst 
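Review bot: the tunnel counts in the "Peering over Public Network or Internet" and "Single-tunnel mode" additions contradict each other. The first says "By default, the gateways create 4 HPE tunnels. The supported range is 2 to 20 HPE tunnels for each transit gateway." while the second describes the alternative to single-tunnel as "building up to 50 IPSec tunnels (as in Insane Mode) between the two Multi-cloud Transit Gateways". Either one figure is stale or they describe different peering types; reconcile them or state explicitly which count applies to which option. Two smaller points in the same hunk: the clause "when the two Multi-cloud Transit Gateways is each launched in Insane Mode and each is in a different cloud type" is pasted verbatim into both the Private Network and Single-tunnel sections and should read "are each launched" (or be written once and referenced); and "you do not pay the Insane Mode license charges" is a commercial claim that belongs on the licensing page, not in a configuration reference, unless it is linked to one.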
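Review bot: under "Spoke to Spoke Peering Monitoring" the sentence "The Peering page is only used only to create and delete peered spoke to spoke connections in activemesh mode" has a doubled "only" and should spell "ActiveMesh" as the rest of the page does. More substantively, this subsection is added to transit_gateway_peering.rst, where every other section is about Transit-to-Transit peering, yet it describes spoke-to-spoke peering without naming the page it means; give the Controller menu path in the style this file already uses ("Go to Transit Network -> Transit Peering -> Add New.") so readers do not confuse the two peering types, and say whether "status" there covers tunnel state only or also the routes being exchanged.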
@@ -0,0 +1,301 @@ +.. meta:: + :description: Transit Gateway Peering with Private Network Workflow + :keywords: Transit Gateway Peering, Aviatrix Transit network, Private Network, Transit Gateway Peering with Private Network, Azure ExpressRoute, AWS Direct Connect + +================================================================== +Multi-cloud Transit Gateway Peering over Private Network Workflow +================================================================== + +Introduction +============ + +Aviatrix Transit Gateway Peering over Private Network feature expands Transit Gateway peering to across multi-clouds where there is a private network connectivity between the cloud providers via on-prem or a co-location. This enables customers to build high performance data networks while ensuring data privacy by encrypting data in motion. + +The solution applies to AWS Direct Connect, Azure ExpressRoute, and Google Cloud Interconnect for the cloud to on-prem connectivity. + +This document describes a step-by-step instruction on how to build Aviatrix Transit Gateway Peering with Private Network over AWS Direct Connect and Azure ExpressRoute for R6.2 and later releases. In this note, you learn the following: + + #. Workflow on building underlay connectivity for private network with AWS Direct Connect + + #. Workflow on building underlay connectivity for private network with Azure ExpressRoute + + #. Workflow on Aviatrix Transit Gateway Peering with private network + +For more information about Multi-Cloud Transit Network, please check out the below documents: + + `Multi Cloud Global Transit FAQ `_ + + `Global Transit Network Workflow Instructions (AWS/Azure/GCP/OCI) `_ + + `Aviatrix Transit Gateway Encrypted Peering `_ + + `Transit Network Design Patterns `_ + +.. 
important:: + + - Aviatrix Transit Gateway Peering over Private Network solution supports only High-Performance Encryption (Insane) mode where Aviatrix Transit Gateways have Insane Mode Encryption option enabled at the gateway launch time. + + - This solution supports only `ActiveMesh 2.0 `_, please check this doc `How to migrate to ActiveMesh 2.0 `_ for migration detail. + + - Private subnets reachability between two Transit CIDRs is customers' responsibility which is typically done by Colo providers. + + - Workflow on building underlay connectivity for private network with AWS Direct Connect/Azure ExpressRoute here is just an example. Please adjust the topology depending on your requirements. + +Topology +==================== + +|transit_gateway_peering_with_private_network_diagram| + +The key ideas for this solution are: +------------------------------------- + + - The edge (WAN) router runs a BGP session to AWS VGW via AWS Direct Connect where the edge router advertises the Azure Transit VNET CIDR and the AWS VGW advertises the AWS Transit VPC CIDR. + + - The edge (WAN) router runs a BGP session to Azure VNG via Azure ExpressRoute where the edge router advertises the AWS Transit VPC CIDR and the Azure VNG advertises the AZURE Transit VNET CIDR. + + - The edge (WAN) router redistributes AWS Transit VPC CIDR and AZURE Transit VNET CIDR. + + - Once the reachability between two cloud transits over private network is there, user is able to deploy Aviatrix Multi Cloud Global Transit Gateway Encrypted Peering over Private Network + +.. important:: + + - Reachability between two transit networks' private CIDR is the responsibility of customer. + +Prerequisite +==================== + +This feature is available for 6.2 and later. +`Upgrade `_ Aviatrix Controller to at least version 6.2 + +In this example, we are going to deploy the below VPCs in AWS and Azure + + - AWS Aviatrix Transit VPC (i.e. 10.1.0.0/16) + + - AWS Aviatrix Spoke VPC (i.e. 
192.168.1.0/24) + + - Azure Aviatrix Transit VNET (i.e. 10.0.0.0/16) + + - Azure Aviatrix Spoke VNET (i.e. 192.168.0.0/24) + +Workflow on building underlay connectivity for private network with AWS Direct Connect +====================================================================================== + +Building AWS Direct Connect is customer's responsibility. For more information about AWS Direct Connect, please check out the below documents: + + - Refer to `Connect Your Data Center to AWS `_ + +Please adjust the topology depending on your requirements. + +Step 1.1. Build AWS Direct Connect +----------------------------------- + + - Refer to `Equinix ECX Fabric AWS Direct Connect `_ if users select Equinix solution. This is just an example here. + +Step 1.2. Associate AWS VGW to AWS Transit VPC +----------------------------------------------- + + - Login AWS VPC Portal + + - Click the hyperlink "Virtual Private Gateways" under sidebar "VIRTUAL PRIVATE NETWORK (VPN)" + + - Select the Virtual Private Gateway that you have the private virtual interface to AWS Direct Connect + + - Click the button "Actions" + + - Click the hyperlink "Attach to VPC" + + - Select the AWS Transit VPC and click the button "Yes, Attach" + +Workflow on building underlay connectivity for private network with Azure ExpressRoute +======================================================================================= + +Building Azure ExpressRoute is customer's responsibility. For more information about Azure ExpressRoute, please check out the below documents: + + - Refer to `Azure ExpressRoute `_ + + - Refer to `ExpressRoute documentation `_ for more info + + - Refer to `Equinix ECX Fabric Microsoft Azure ExpressRoute `_ if users select Equinix solution. This is just an example here. + +Please adjust the topology depending on your requirements. + +Step 2.1. 
Create an ExpressRoute circuit +---------------------------------------- + + - Refer to `Tutorial: Create and modify an ExpressRoute circuit `_ + +Step 2.2. Create Azure private peering for an ExpressRoute circuit +------------------------------------------------------------------- + + - Refer to `private peering section in Create and modify peering for an ExpressRoute circuit `_ + +Step 2.3. Create a virtual network gateway for an ExpressRoute circuit +---------------------------------------------------------------------- + + - Refer to `Configure a virtual network gateway for ExpressRoute using the Azure portal `_ + +Step 2.4. Connect a virtual network to an ExpressRoute circuit +-------------------------------------------------------------- + + - Refer to `Connect a virtual network to an ExpressRoute circuit using the portal `_ + +Step 2.5. Check Express Route Circuits - List Routes Table on Azure portal +--------------------------------------------------------------------------- + + - Login Azure Portal + + - Search for "ExpressRoute circuits" on the search bar + + - Select the "ExpressRoute circuits" that you created + + - Select the Azure private peering row + + - Click on the hyperlink "Get route table" + + - Check whether AWS Transit VPC's CIDR with the ASN Path of edge router and AWS VGW + + |express_route_circuits_list_routes| + +Workflow on Aviatrix Transit Gateway Peering with private network +=================================================================== + +Refer to `Global Transit Network Workflow Instructions `_ and `Aviatrix Transit Gateway Encrypted Peering `_ for the below steps. Please adjust the topology depending on your requirements. + +Step 3.1. 
Deploy VPCs for Transit FireNet +------------------------------------------ + + - Create AWS Transit VPC and Azure Transit VNET by utilizing Aviatrix feature `Create a VPC `_ with Aviatrix FireNet VPC option enabled + + - Create AWS Spoke VPC and Azure Spoke VNET by utilizing Aviatrix feature `Create a VPC `_ as the previous step or manually deploying it in each cloud portal. Moreover, feel free to use your existing cloud network. + +Step 3.2. Deploy Aviatrix Multi-Cloud Transit Gateway and HA in AWS +------------------------------------------------------------------- + + - Follow this step `Deploy the Transit Aviatrix Gateway `_ to launch Aviatrix Transit gateway and enable HA with insane mode enabled in AWS Transit VPC + + - Instance size of at least c5.xlarge will be required for `Insane Mode Encryptions `_ for higher throughput. Recommended minimum size for Transit in AWS is c5n.4xlarge. Please refer to this `doc `_ for performance detail. + +Step 3.3. Enable Route Propagation on the subnet route table where Aviatrix Transit Gateway locates on AWS portal +------------------------------------------------------------------------------------------------------------------ + + - Login AWS VPC portal + + - Locate the subnet route table where Aviatrix Transit Gateway locates + + - Select the tab "Route Propagation" + + - Click the button "Edit route propagation" + + - Locate the AWS VGW that is associated with this Transit VPC and check the checkbox "Propagate" + + - Click the button "Save" + + - Check whether the Propagate status is Yes + + |aws_route_propagation_status_yes| + +Step 3.4. Check route propagation info on AWS portal +---------------------------------------------------- + + - Login AWS VPC portal + + - Locate the subnet route table where Aviatrix Transit Gateway locates + + - Select the tab "Routes" + + - Check whether there is a route entry "Azure Transit VNET's CIDR pointing to AWS VGW" + + |aws_route_propagation_routing_entry| + +Step 3.5. 
Deploy Aviatrix Multi-Cloud Transit Gateway and HA in Azure +--------------------------------------------------------------------- + + - Follow this step `Deploy the Transit Aviatrix Gateway `_ to launch Aviatrix Transit gateway and enable HA with insane mode enabled in Azure Transit VNET + + - Instance size of at least Standard_D5_v2 will be required for `Insane Mode Encryptions `_ for higher throughput. Please refer to this `doc `_ for performance detail. + + - Enable Transit FireNet Function (optional) + +Step 3.6. Check Effective routes info on Azure portal +------------------------------------------------------- + + - Login Azure Portal + + - Search for "Network interfaces" on the search bar + + - Select Aviatrix Transit Gateway's interface + + - Navigate to the page "Effective routes" by clicking the link "Effective routes" under the section "Support + troubleshooting" + + - Check whether there is a route entry "AWS Transit VPC's CIDR pointing to Next Hop Type Virtual network gateway" + + |azure_effective_routes_routing_entry| + +Step 3.7. Establish Transit Gateway Peering over Private Network +------------------------------------------------------------------- + + - Navigate back to Aviatrix Controller + + - Go to MULTI-CLOUD TRANSIT -> Transit Peering + + - Click the button "+ADD NEW" + + - Select "AWS Transit Gateway" as Transit Gateway1 + + - Select "Azure Transit Gateway" as Transit Gateway2 + + - Under Advanced options, check the option "Peering over Private Network" + + - (Optional) Under Advanced options, check the option `Single-Tunnel mode` if the underlying network is low speed (up to 4Gbps) + + - Click the button "OK" + + - Wait for a couple of minutes + + - Confirm the transit peering status is Up + + |transit_gateway_peering_status| + +Step 3.8. 
Deploy Spoke Gateway and HA +-------------------------------------- + + - Follow this step `Deploy Spoke Gateways `_ to launch Aviatrix Spoke gateway and enable HA with insane mode enabled in AWS Spoke VPC + + - Instance size of at least c5.xlarge will be required for `Insane Mode Encryptions `_ for higher throughput. Please refer to this `doc `_ for performance detail. + + - Follow this step `Deploy Spoke Gateways `_ to launch Aviatrix Spoke gateway and enable HA with insane mode enabled in Azure Spoke VNET + + - Instance size of at least Standard_D5_v2 will be required for `Insane Mode Encryptions `_ for higher throughput. Please refer to this `doc `_ for performance detail. + +Step 3.9. Attach Spoke Gateways to Transit Network +-------------------------------------------------- + + - Follow this step `Attach Spoke Gateways to Transit Network `_ to attach Aviatrix Spoke Gateways to Aviatrix Transit Gateways in AWS + + - Follow this step `Attach Spoke Gateways to Transit Network `_ to attach Aviatrix Spoke Gateways to Aviatrix Transit Gateways in Azure + +Ready to go! +============ + +Now you are able to send traffic over Aviatrix Transit Gateway Peering with Private Network. + +.. |transit_gateway_peering_with_private_network_diagram| image:: transit_gateway_peering_with_private_network_workflow_media/transit_gateway_peering_with_private_network_diagram.png + :scale: 50% + +.. |express_route_circuits_list_routes| image:: transit_gateway_peering_with_private_network_workflow_media/express_route_circuits_list_routes.png + :scale: 50% + +.. |aws_route_propagation_status_yes| image:: transit_gateway_peering_with_private_network_workflow_media/aws_route_propagation_status_yes.png + :scale: 50% + +.. |aws_route_propagation_routing_entry| image:: transit_gateway_peering_with_private_network_workflow_media/aws_route_propagation_routing_entry.png + :scale: 50% + +.. 
|azure_effective_routes_routing_entry| image:: transit_gateway_peering_with_private_network_workflow_media/azure_effective_routes_routing_entry.png + :scale: 50% + +.. |transit_gateway_peering_status| image:: transit_gateway_peering_with_private_network_workflow_media/transit_gateway_peering_status.png + :scale: 50% + +.. disqus:: + diff --git a/HowTos/transit_gateway_peering_with_private_network_workflow_media/aws_route_propagation_routing_entry.png b/HowTos/transit_gateway_peering_with_private_network_workflow_media/aws_route_propagation_routing_entry.png new file mode 100644 index 000000000..7cdf5ff57 Binary files /dev/null and b/HowTos/transit_gateway_peering_with_private_network_workflow_media/aws_route_propagation_routing_entry.png differ diff --git a/HowTos/transit_gateway_peering_with_private_network_workflow_media/aws_route_propagation_status_yes.png b/HowTos/transit_gateway_peering_with_private_network_workflow_media/aws_route_propagation_status_yes.png new file mode 100644 index 000000000..8cc94876b Binary files /dev/null and b/HowTos/transit_gateway_peering_with_private_network_workflow_media/aws_route_propagation_status_yes.png differ diff --git a/HowTos/transit_gateway_peering_with_private_network_workflow_media/azure_effective_routes_routing_entry.png b/HowTos/transit_gateway_peering_with_private_network_workflow_media/azure_effective_routes_routing_entry.png new file mode 100644 index 000000000..54b88e129 Binary files /dev/null and b/HowTos/transit_gateway_peering_with_private_network_workflow_media/azure_effective_routes_routing_entry.png differ 
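Review bot: the new workflow makes underlay reachability the customer's job twice ("Private subnets reachability between two Transit CIDRs is customers' responsibility" in the opening important block, repeated as "Reachability between two transit networks' private CIDR is the responsibility of customer" after the key ideas) but never says what that reachability must permit: which protocols and ports the peering tunnels need between the two transit gateways' private addresses, so that the edge-router and colo ACLs in Steps 1.x and 2.x can actually be written. State the requirement once and delete the duplicate. Also in this hunk: Step 3.1 is titled "Deploy VPCs for Transit FireNet" and asks for "Aviatrix FireNet VPC option enabled", while FireNet otherwise appears only as the optional sub-bullet "Enable Transit FireNet Function (optional)" in Step 3.5; either explain why the FireNet VPC layout is a prerequisite for private peering or retitle the step and drop the option. The Step 2.5 check "Check whether AWS Transit VPC's CIDR with the ASN Path of edge router and AWS VGW" is missing its verb (for example "is listed with the AS path of ..."), and the Step 3.2 instance guidance gives both "at least c5.xlarge" and "Recommended minimum size for Transit in AWS is c5n.4xlarge" without saying which applies to this peering mode.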
diff --git a/HowTos/transit_gateway_peering_with_private_network_workflow_media/express_route_circuits_list_routes.png b/HowTos/transit_gateway_peering_with_private_network_workflow_media/express_route_circuits_list_routes.png new file mode 100644 index 000000000..dfe507d9e Binary files /dev/null and b/HowTos/transit_gateway_peering_with_private_network_workflow_media/express_route_circuits_list_routes.png differ diff --git a/HowTos/transit_gateway_peering_with_private_network_workflow_media/transit_gateway_peering_status.png b/HowTos/transit_gateway_peering_with_private_network_workflow_media/transit_gateway_peering_status.png new file mode 100644 index 000000000..09d0ead29 Binary files /dev/null and b/HowTos/transit_gateway_peering_with_private_network_workflow_media/transit_gateway_peering_status.png differ diff --git a/HowTos/transit_gateway_peering_with_private_network_workflow_media/transit_gateway_peering_with_private_network_diagram.png b/HowTos/transit_gateway_peering_with_private_network_workflow_media/transit_gateway_peering_with_private_network_diagram.png new file mode 100644 index 000000000..1c3c96973 Binary files /dev/null and b/HowTos/transit_gateway_peering_with_private_network_workflow_media/transit_gateway_peering_with_private_network_diagram.png differ diff --git a/HowTos/transit_list.rst b/HowTos/transit_list.rst new file mode 100644 index 000000000..cd52b593a --- /dev/null +++ b/HowTos/transit_list.rst 
@@ -0,0 +1,37 @@ +.. meta:: + :description: Multi-Cloud Transit Network List + :keywords: Transit VPC, Transit hub, AWS Global Transit Network, Encrypted Peering, Transitive Peering, AWS VPC Peering, VPN, List + + +================================================================ +Transit List +================================================================ + +Config Private VPC Default Route +----------------------------------- + +This feature allows to configure default route in private VPC only. +This is only supported for AWS Spoke gateway. + + +Skip Public VPC Route Table +------------------------------ + +Route Table Optimization allows customer to skip public VPC route table programming. This is only supported for AWS Spoke gateway and ActiveMesh 2.0 only. +Customize Spoke CIDR and this feature are mutually exclusive. + + +Auto Advertise Spoke Site2Cloud CIDRs +------------------------------------------ + +Dynamic Route updates on Spoke for Site2Cloud allows regional redundancy for Overlapping and Non-overlapping CIDRs. + +Route will be Auto Advertised or Removed for Remote and Local Virtual CIDRs when: + 1. S2C connection is created/deleted + #. S2C connection status change up/down + #. Spoke to Transit link goes down + +This feature is supported for mapped S2C connections only and on the following clouds: + * AWS and AWS-Gov, + * GCP, + * Azure and Azure-Gov diff --git a/HowTos/transit_s3_end_point.rst b/HowTos/transit_s3_end_point.rst index a6fae3703..56558607d 100644 --- a/HowTos/transit_s3_end_point.rst +++ b/HowTos/transit_s3_end_point.rst @@ -89,7 +89,7 @@ Step 1. Prerequisite Step 2. Build Aviatrix Global Transit Network FOR AWS ------------------------- - - deploy the topology by following the online document https://docs.aviatrix.com/HowTos/tgw_plan.html + - deploy the topology by following the online document https://docs.aviatrix.com/HowTos/transitvpc_workflow.html Step 3. Deploy AWS S3 end point in Shared Service VPC 
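Review bot: in the new transit_list.rst, "Config Private VPC Default Route" and "Skip Public VPC Route Table" both hinge on a private/public distinction between VPC route tables that the page never defines; say what makes a route table public or private in the Controller's view, since that criterion decides which tables get a default route and which are skipped, and a reader cannot predict egress behaviour without it. "This feature allows to configure default route in private VPC only" also needs a subject and should say where the installed 0.0.0.0/0 points. Under "Auto Advertise Spoke Site2Cloud CIDRs", "Route will be Auto Advertised or Removed for Remote and Local Virtual CIDRs" reads better as "Routes for the remote and local virtual CIDRs are advertised or withdrawn automatically", and the trailing comma after "AWS and AWS-Gov," in the cloud list should go.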
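Review bot: the Step 2 link change in transit_s3_end_point.rst swaps one absolute URL for another ("https://docs.aviatrix.com/HowTos/transitvpc_workflow.html"); within the same Sphinx project this should be a :doc: or :ref: cross-reference so that the next rename fails the build instead of silently sending readers to a 404, which is exactly how the old target went stale. While touching these lines, the context title "Step 2. Build Aviatrix Global Transit Network FOR AWS" sits over an underline of "-------------------------" that is shorter than the title text, which docutils reports as a warning; lengthen it to at least the title width.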
@@ -103,7 +103,7 @@ Step 3. Deploy AWS S3 end point in Shared Service VPC Step 4. Perform Customize Spoke Advertised VPC CIDRs feature on the Aviatrix Spoke gateway in the Shared Service VPC ------------------------- - - https://docs.aviatrix.com/HowTos/gateway.html#filter-advertised-spoke-vpc-cidrs + - https://docs.aviatrix.com/HowTos/gateway.html#customize-advertised-spoke-vpc-cidrs This action will advertise the customized routes to On-Prem via BGP session and other Aviatrix Spoke Gateways if the function Connected Transit is enabled. @@ -212,7 +212,7 @@ Step 7. Verify S3 traffic flow |SPOKE_SHARED_SPOKE_ETH0| .. |S3_ENDPOINT_TRANSIT_SOLUTION| image:: transit_s3_end_point/S3_ENDPOINT_TRANSIT_SOLUTION.png - :scale: 30% + :scale: 60% .. |AWS_S3_ENDPOINT| image:: transit_s3_end_point/AWS_S3_ENDPOINT.png :scale: 30% diff --git a/HowTos/transit_segmentation_faq.rst b/HowTos/transit_segmentation_faq.rst new file mode 100644 index 000000000..e97fc030a --- /dev/null +++ b/HowTos/transit_segmentation_faq.rst 
@@ -0,0 +1,113 @@ +.. meta:: + :description: Transit Segmentation FAQ + :keywords: Aviatrix Transit Gateway, AWS Transit Gateway, AWS TGW, TGW orchestrator, Aviatrix Transit network + + +============================================================ +Transit Network Segmentation FAQ +============================================================ + +What is Multi-Cloud Transit Segmentation? +------------------------------------------- + +Aviatrix Multi-Cloud Transit Segmentation provides network isolation through security domains and connection policies to Aviatrix Transit network +where both Spoke and Transit networks deploy Aviatrix gateways across multi-region and multi-cloud. The concept can be +described in the diagram below, + +|transit_segmentation| + +Where Spokes associated with the blue domain can communicate with each other while Spokes associated with the green domain can communicate with each other. +But there is no cross communication between blue domain and green domain unless there is connection policy. The concept is the same as `Security Domains `_ +and `Connection Policies `_ defined in +TGW Orchestrator, except this is implemented with Aviatrix Transit where both Spokes and Transit VPC/VNet deploy Aviatrix gateways. (Note the segmentation works with Azure native Spoke VNets.) + +What is a Security Domain in Multi-Cloud Transit? +------------------------------------------------------- + +A Security Domain is an Aviatrix enforced network of VPC/VNet members, where VPC/VNets in the Security Domain can communicate with each other, and VPC/VNets not in the security domain cannot communicate with VPC/VNets in the Security Domain. + +One or more Spoke VPC/VNetss are members in a security domain. + +Spokes in a security domain can communicate with each other via an Aviatrix Transit Gateway. 
+ +The Aviatrix Controller dynamically programs and updates both VPC/VNet route tables so that instances in different +Spoke VPC/VNets in the same domain can communicate with each other. + +Two security domains are not connected, i.e., a Spoke in one domain has no connectivity to another +Spoke in a different domain. Connection policy must be specified to connect the two domains so that Spokes in each domain can communicate with each other. + +The Security Domain also applies to the hybrid connection from Aviatrix Transit Gateway to on-prem or remote sites. Each BGP peer or connection can +be associated with one Security Domain. + + +What is a Connection Policy? +----------------------------- + +A connection policy is a rule enforced by Aviatrix for cross Security Domain connectivity. + + +What are the benefits of using Security Domains and Connection Policies? +-------------------------------------------------------------------------- + +The key use case for building Security Domains is to segment traffic for enhanced security posture. + +Using Security Domains and Connection Policies allow you to identify groups of Spokes and Edges with the same requirements from +a networking point of view and then apply connection policies at the group level. This avoids having to individually +specify connections at the Spoke level. The Aviatrix Controller takes care of route programming of all route tables. + +Can an Aviatrix Transit Security Domain work with TGW Orchestrator Security Domain? +------------------------------------------------------------------------------------- + +They do not work together at this time, however we have plan to integrate them in the future. + +How do I setup Multi-Cloud Transit Segmentation? +-------------------------------------------------- + +Follow the `Transit Segmentation Workflow. `_. + +How many Security Domains are supported in Multi-Cloud Transit Segmentation? 
+------------------------------------------------------------------------------- + +The maximum number of Security Domains on each Aviatrix Transit Gateway is 250. + +What is the difference in implementation of Segmentation between Release 6.1 and Release 6.0? +------------------------------------------------------------------------------------------------- + +In Release 6.1 and later, each Security Domain is implemented as an individual route table on the Aviatrix Transit Gateway. This allows +better handling for the default route (0.0.0.0/0) traffic if different domains require different egress next hop. In addition, duplicate +Spoke CIDRs attached to different Aviatrix Transit Gateways can co-exist if they belong to different domains. + +What is the limitation of Segmentation? +------------------------------------------ + +- Segmentation is not supported on Aviatrix Transit Gateway connection to Aviatrix CloudN hardware for Insane Mode connection. +- Segmentation is also not allowed if Aviatrix Transit Gateway instance type is C5n.18xlarge. +- If two Aviatrix Transit Gateways are peered together and one of them has FireNet Egress enabled, through Aviatrix Transit Gateway peering the Spoke VPC/VNets may be connected. The work around is to have FireNet Egress enabled on each Aviatrix Transit FireNet. +- Duplicated CIDRs that cross domains or cross transits may not work all the time. Aviatrix does not support duplicated CIDRs that cross domains or cross transits. + + +.. |transit_segmentation| image:: transit_segmentation_faq_media/transit_segmentation.png + :scale: 30% + +.. |security_domain| image:: tgw_overview_media/security_domain.png + :scale: 30% + +.. |domain_policy_diagram| image:: tgw_overview_media/domain_policy_diagram.png + :scale: 30% + +.. |tgw_view| image:: tgw_overview_media/tgw_view.png + :scale: 30% + +.. |tgw_transit_vpc_compare| image:: tgw_overview_media/tgw_transit_vpc_compare.png + :scale: 30% + +.. 
|tgw_transit_orchestrator_compare| image:: tgw_overview_media/tgw_transit_orchestrator_compare.png + :scale: 30% + +.. |edge_segmentation| image:: tgw_overview_media/edge_segmentation.png + :scale: 30% + +.. |tgw_approval| image:: tgw_overview_media/tgw_approval.png + :scale: 30% + +.. disqus:: diff --git a/HowTos/transit_segmentation_faq_media/transit_segmentation.png b/HowTos/transit_segmentation_faq_media/transit_segmentation.png new file mode 100644 index 000000000..5393ff1b2 Binary files /dev/null and b/HowTos/transit_segmentation_faq_media/transit_segmentation.png differ diff --git a/HowTos/transit_segmentation_workflow.rst b/HowTos/transit_segmentation_workflow.rst new file mode 100644 index 000000000..d04cd323b --- /dev/null +++ b/HowTos/transit_segmentation_workflow.rst 
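Review bot: the new FAQ contradicts itself on overlapping CIDRs. The Release 6.1 paragraph says "duplicate Spoke CIDRs attached to different Aviatrix Transit Gateways can co-exist if they belong to different domains", while the limitations list ends with "Aviatrix does not support duplicated CIDRs that cross domains or cross transits." Pick the supported position and state it once. The FireNet Egress bullet ("If two Aviatrix Transit Gateways are peered together and one of them has FireNet Egress enabled, through Aviatrix Transit Gateway peering the Spoke VPC/VNets may be connected") reads as describing spokes in different Security Domains becoming reachable across the peering, which would defeat the isolation the page promises; if that is the meaning, say so plainly as a segmentation caveat and state the workaround as a requirement rather than a suggestion. Smaller items: "Spoke VPC/VNetss" has a stray "s"; "however we have plan to integrate them in the future" should be "we plan to integrate them"; and the substitution definitions from |security_domain| through |tgw_approval| point at tgw_overview_media images that this file never references, so they look like copy-paste residue and should be removed.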
@@ -0,0 +1,99 @@ +.. meta:: + :description: Transit Network Segmentation Workflow + :keywords: Transit Gateway, AWS Transit Gateway, AWS TGW, TGW orchestrator, Aviatrix Transit network + + +========================================================= +Aviatrix Transit Network Segmentation Workflow +========================================================= + +For questions, refer to `Aviatrix Transit Segmentation FAQ. `_ + +1. Enable Aviatrix Transit Gateway for Segmentation +------------------------------------------------------ + + +========================================== ========== +**Setting** **Value** +========================================== ========== +Aviatrix Transit Gateway Name An `Aviatrix Transit Gateway deployed in the Transit VPC workflow `_ +========================================== ========== + +2. Create a Multi-Cloud Security Domain +-------------------------------------------------- + + +You can make changes to your network segmentation at any time, simply come back to this page. + +========================================== ========== +**Setting** **Value** +========================================== ========== +Security Domain Name Specify a unique domain name. For example, Dev_Domain +========================================== ========== + +3. Add/Modify Connection Policies +---------------------------------------------------- + +This step specifies the connection relationship of one domain to others. Two connected domains imply that Spokes in +each domain can communicate with each other despite the fact that they are in different domains. + +Highlight a domain on the left panel and click Add, the domain will appear to the right. + + +----------------------------------------------------------------------------------------------------------------------- + +This section is to build the network segmentation by associating a Spoke. + +4. 
Associate Aviatrix Spoke/Edge to Domain +------------------------------------------------------------------ + + +========================================== ========== +**Setting** **Value** +========================================== ========== +Aviatrix Transit Gateway Name The name of the Aviatrix Transit Gateway +Security Domain Name The name of the Security Domain +Attachment Name The name of a Spoke or edge connection to associate to the domain +========================================== ========== + + +5. Disassociate Aviatrix Spoke/Edge to Domain +------------------------------------------------------------------ + +========================================== ========== +**Setting** **Value** +========================================== ========== +Aviatrix Transit Gateway Name The name of the Aviatrix Transit Gateway +Security Domain Name The name of the Security Domain +Attachment Name The name of a Spoke or edge connection to disassociate from the domain +========================================== ========== + + +------------------------------------------ + +This section consists of the delete functions. + + +6. Delete Multi-Cloud Security Domain +---------------------------------------- + +========================================== ========== +**Setting** **Value** +========================================== ========== +Security Domain Name The name of the Security Domain +========================================== ========== + +7. Disable Aviatrix Transit Gateway for Segmentation +-------------------------------------------------------- + +========================================== ========== +**Setting** **Value** +========================================== ========== +Aviatrix Transit Gateway Name An `Aviatrix Transit Gateway deployed in the Transit VPC workflow `_ +========================================== ========== + + +.. |tgw_peer| image:: tgw_plan_media/tgw_peer.png + :scale: 30% + +.. disqus:: 
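Review bot: none of the seven steps in transit_segmentation_workflow.rst says where in the Controller it is performed; the companion pages in this change open steps with a menu path (for example "Go to MULTI-CLOUD TRANSIT -> Transit Peering"), and each step here should do the same rather than offer only a Setting/Value table. Step 3 says "Highlight a domain on the left panel and click Add, the domain will appear to the right" but never states whether a connection policy is symmetric, that is whether connecting Dev_Domain to another domain also permits traffic in the reverse direction; that is the fact a reader needs before clicking Add. Also: Step 5 "Disassociate Aviatrix Spoke/Edge to Domain" should read "from Domain"; the link text "Aviatrix Transit Segmentation FAQ. " carries the sentence period inside the link; and the |tgw_peer| substitution at the end is defined but never used in this file.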
diff --git a/HowTos/transit_solution_activemesh_spoke_snat_dnat_rfc1918.rst b/HowTos/transit_solution_activemesh_spoke_snat_dnat_rfc1918.rst new file mode 100644 index 000000000..e633c50a1 --- /dev/null +++ b/HowTos/transit_solution_activemesh_spoke_snat_dnat_rfc1918.rst 
@@ -0,0 +1,403 @@ +.. meta:: + :description: Aviatrix Active Mesh with customized SNAT and DNAT on spoke gateway + :keywords: Transit VPC, Transit hub, AWS Global Transit Network, Encrypted Peering, Transitive Peering, VPN, SNAT, DNAT + + +========================================================================================= +Aviatrix Active Mesh with customized SNAT and DNAT on spoke gateway +========================================================================================= + +The Problem +------------------ + +Organizations usually plan out cloud network address ranges for building non-overlapping connectivity to on-prem, +but there are times where a cloud network CIDR conflicts with an on-prem network address range. Moreover, there might be a +constraint that neither source NAT nor destination NAT can be performed in the on-prem network but still requires +connectivity to on-prem. Therefore, how to fulfill source NAT and destination NAT in the cloud becomes a key solution. + +Aviatrix Solution +------------------ + +This technical note illustrates an example solution of performing source NAT and destination NAT feature on Aviatrix spoke +gateway to a specific use case where a customer needs a connectivity between certain on-prem hosts and certain cloud +instances, but the on-prem network range overlaps with the cloud network CIDR as shown in the diagram below. +Additionally, traffic can be initiated from either side. + +Topology - Aviatrix Global Transit HA Network with Active Mesh: + +|TRANSIT_ACTIVEMESH_SPOKE_OVERLAP_CIDR_TOPOLOGY| + +:: + + In this example, the on-prem network address range is 10.3.0.0/16 and all other spoke VPCs connect to on-prem via + Aviatrix Global Transit HA Network with Active Mesh, however there is one spoke VPC with an identical CIDR of 10.3.0.0/16. + + +.. Note:: + + This tech note supports: + + 1. 
specific on-prem hosts and cloud instances which means no identical IP on each side including IPs of Aviatrix Spoke primary/HA gateway + + 2. bi-direction traffic + + 3. both on-prem and cloud network allow only RFC 1918 CIDR + +.. + +Furthermore, this technical note provides a step-by-step configuration on the Aviatrix controller that will address the following requirements: + + 1. Deploy `Aviatrix Global Transit HA Network with Active Mesh `__ + + 2. Deploy virtual CIDR within RFC 1918 range to solve the overlapping CIDR between on-prem network and cloud network + + - `Customize Advertised Spoke VPC CIDRs `__ + + - `Destination NAT with Mark and Exclude Route Table `__ + + - `Customized SNAT with Mark and Exclude Route Table `__ + +Scenario: + + 1. Traffic which is initiated from on-prem to cloud spoke network sends to a virtual IP of cloud instance. In addition, cloud instance views a virtual IP of on-prem host. + + 2. Traffic which is initiated from cloud spoke network to on-prem sends to a virtual IP of on-prem host. In addition, on-prem views a virtual IP of cloud instance. + + 3. All virtual IPs are belonging to RFC 1918 range. + +Follow the steps below to set up for the scenario. + +Step 1. Prerequisite +------------------------- + +1.1. `Upgrade `__ the Aviatrix Controller to at least version UserConnect-5.4 + +1.2. Prepare a Real/Virtual CIDR mapping table for on-prem network and cloud network + + One of the key steps to solve overlapping network issue is to route a non-overlapping CIDR. Therefore, please prepare + a virtual routable CIDR for your on-prem and spoke network. In this example, we practice a Virtual CIDR + within RFC 1918 range. + + :: + + Real/Virtual CIDR mapping table example: + + ============== ============== ================ + Real CIDR Virtual CIDR + ============== ============== ================ + Spoke VPC 10.3.0.0/16 10.203.0.0/16 + On-Prem VPC 10.3.0.0/16 10.103.0.0/16 + ============== ============== ================ + +1.3. 
Find out the Real IPs of certain on-prem hosts and certain cloud instances to build a Real/Virtual IPs mapping table + + Since this solution is to tackle a specific use case where a customer needs a connectivity between certain on-prem hosts + and certain cloud instances in overlapping CIDR, please find out those IPs and plan a Real/Virtual IPs mapping table for + routing advertisement and NAT configuration. + + :: + + Real/Virtual IPs mapping table example: + + ================ ============== ================ + Real IP Virtual IP + ================ ============== ================ + Cloud instance 10.3.0.86/32 10.203.0.86/32 + On-Prem host 10.3.0.85/32 10.103.0.85/32 + ================ ============== ================ + +Step 2. Build Aviatrix Global Transit HA Network with Active Mesh +------------------------- + +Deploy the topology by following the steps 1, 2, 3, 4, and 5 in `document `__ first + + - make sure `Active Mesh Mode `__ is enabled on both Aviatrix Transit Gateway and Spoke Gateway + + - make sure HA is deployed for both Aviatrix Transit Gateway and Spoke Gateway + + - make sure on-prem router advertises only the Real IP with /32 of on-prem host not the whole Real CIDR or Virtual IP/CIDR + + :: + + Example: on-prem router advertises 10.3.0.85/32 which is the Real IP of On-prem host + +Step 3. Perform Customize Spoke Advertised VPC CIDRs feature on Aviatrix Spoke gateway +------------------------- + +This action is to advertise the Virtual CIDR of cloud spoke network to on-prem via BGP session so that on-prem +is able to route the Virtual IP of Cloud instance. Please refer to this `doc `__ + +To configure: + + 3.1. Go to the Gateway page, click on the Aviatrix Spoke Gateway first. Click Edit. + + 3.2. Continue on to the Edit page, scroll to Customize Spoke Advertised VPC CIDRs. + + 3.3. 
Enter the Virtual CIDR of cloud spoke VPC that on-prem is able to route + + - make sure advertise the Virtual CIDR of cloud spoke VPC not the Virtual IP of specific cloud instance + + 3.4. Click the button "Save" + + |TRANSIT_ACTIVEMESH_SPOKE_CUSTOMIZED_SPOKE_ADVERTISE_VPC_CIDR| + + :: + + Example: Aviatrix Spoke gateway advertises 10.203.0.0/16 which is the Virtual CIDR of cloud spoke VPC + +Step 4. Attach Aviatrix Spoke to Aviatrix Transit Network +------------------------- + +Follow the `step 6 Join a Spoke GW to Transit GW Group `__ +in Global Transit Network Workflow. + + +Step 5. Configure Aviatrix DNAT function on Aviatrix Spoke Gateway for the traffic which is initiated from on-prem to cloud spoke network +------------------------- + +This action instructs the spoke gateway to translate a destination address from a Virtual IP of cloud instance to a Real IP of cloud instance in cloud spoke VPC. Please refer to `Aviatrix DNAT function doc `__. + +To configure: + + 5.1. Go to the Gateway page and click on the Spoke Primary Gateway. Click Edit. + + 5.2. Scroll down to “Destination NAT” + + 5.3. Click Add/Edit DNAT + + 5.4. Click Add New + + 5.5. Enter fields for Src CIDR, Dst CIDR, Protocol, Connection, Mark, DNAT IPs and Exclude Route Table as below example. + + =================== ======================= + **Field** **Value** + =================== ======================= + Source CIDR Real IP of on-prem host (i.e. 10.3.0.85/32) + Source Port Leave it blank + Destination CIDR Virtual IP of cloud instance (i.e. 10.203.0.86/32) + Destination Port Leave it blank + Protocol all + Interface eth0 + Connection Select the connection to Transit Gateway + Mark A rule field to mark this traffic session (i.e. use 103085 to track source 10.3.0.85/32) + DNAT IPs Real IP of cloud instance (i.e. 
10.3.0.86) + DNAT Port Leave it blank + Exclude Route Table [IMPORTANT] Collect all your cloud routing table ids and fill them here + =================== ======================= + + |DNAT_SPOKE_ONPREM_TO_CLOUD| + + 5.6. Click Save + + 5.7. Repeat steps 5.4, 5.5, and 5.6 for multiple entries. + + 5.8. Click Update to commit. + +Step 6. Configure Aviatrix Customized SNAT function on Aviatrix Spoke Gateway and Spoke HA Gateway for the traffic which is initiated from on-prem to cloud spoke network +------------------------- + +This action changes the packet’s source IP address from a Real IP of on-prem host to a Virtual IP representing on-prem host. Please refer to `Aviatrix Customized SNAT function doc `__ + +To configure: + + 6.1. Go to the Gateway page, click on the Spoke Primary Gateway first. Click Edit. + + 6.2. Continue on to the Edit page, scroll to SNAT. Select Customized SNAT. + + 6.3. Select Customized SNAT + + 6.4. Click Add New + + 6.5. Enter fields for Protocol, Interface, Mark, SNAT IPs, and Exclude Route Table as below example. + + =================== ================================== + **Field** **Value** + =================== ================================== + Source CIDR Leave it blank + Source Port Leave it blank + Destination CIDR Leave it blank + Destination Port Leave it blank + Protocol all + Interface eth0 + Connection Select None + Mark Fill the number that we configure in the previous DNAT step 5 (i.e. 103085) + SNAT IPs Virtual IP of on-prem host (i.e. 10.103.0.85) + SNAT Port Leave it blank + Exclude Route Table [IMPORTANT] Collect all your cloud routing table ids and fill them here + =================== ================================== + + 6.6. Click Save + + 6.7. Repeat the above steps for more entries. + + 6.8. Click Enable SNAT to commit. + + |SNAT_SPOKE_PRIMARY_ONPREM_TO_CLOUD| + + 6.9. Go to Gateway page, click on the Spoke HA Gateway. Click Edit. + + 6.10. 
Repeat the above steps to configure Customized SNAT for Spoke HA Gateway as shown in the example below. + + |SNAT_SPOKE_HA_ONPREM_TO_CLOUD| + + +Step 7. Configure Aviatrix DNAT function on Aviatrix Spoke Gateway for the traffic which is initiated from cloud spoke network to on-prem +------------------------- + +This action instructs the spoke gateway to translate a destination address from a Virtual IP of on-prem host to a Real IP of on-prem host. Please refer to `Aviatrix DNAT function doc `__. + +To configure: + + 7.1. Go to the Gateway page and click on the Spoke Primary Gateway. Click Edit. + + 7.2. Scroll down to “Destination NAT” + + 7.3. Click Add/Edit DNAT + + 7.4. Click Add New + + 7.5. Enter fields for Src CIDR, Dst CIDR, Protocol, Interface, Mark, DNAT IPs and Exclude Route Table as below example. + + =================== ======================= + **Field** **Value** + =================== ======================= + Source CIDR Real IP of cloud instance (i.e. 10.3.0.86/32) + Source Port Leave it blank + Destination CIDR Virtual IP of on-prem host (i.e. 10.103.0.85/32) + Destination Port Leave it blank + Protocol all + Interface eth0 + Connection Select None + Mark A rule field to mark this traffic session (i.e. use 103086 to track source 10.3.0.86/32) + DNAT IPs Real IP of on-prem host (i.e. 10.3.0.85/32) + DNAT Port Leave it blank + Exclude Route Table [IMPORTANT] Collect all your cloud routing table ids and fill them here + =================== ======================= + + |DNAT_SPOKE_CLOUD_TO_ONPREM| + + 7.6. Click Save + + 7.7. Repeat steps 7.4, 7.5, and 7.6 for multiple entries. + + 7.8. Click Update to commit. + +Step 8. Configure Aviatrix Customized SNAT function on Aviatrix Spoke Gateway and Spoke HA Gateway for the traffic which is initiated from cloud spoke network to on-prem +------------------------- + +This action changes the packet’s source IP address from a Real IP of cloud instance to a Virtual IP representing cloud instance. 
Please refer to `Aviatrix Customized SNAT function doc `__ + +To configure: + + 8.1. Go to the Gateway page, click on the Spoke Primary Gateway first. Click Edit. + + 8.2. Continue on to the Edit page, scroll to SNAT. Select Customized SNAT. + + 8.3. Select Customized SNAT + + 8.4. Click Add New + + 8.5. Enter fields for Protocol, Interface, Connection, Mark, SNAT IPs, and Exclude Route Table as below example. + + =================== ================================== + **Field** **Value** + =================== ================================== + Source CIDR Leave it blank + Source Port Leave it blank + Destination CIDR Leave it blank + Destination Port Leave it blank + Protocol all + Interface eth0 + Connection Select the connection to Transit Gateway + Mark Fill the number that we configure in the previous DNAT step 7 (i.e. 103086) + SNAT IPs Virtual IP of cloud instance (i.e. 10.203.0.86) + SNAT Port Leave it blank + Exclude Route Table [IMPORTANT] Collect all your cloud routing table ids and fill them here + =================== ================================== + + 8.6. Click Save + + 8.7. Repeat the above steps for more entries. + + 8.8. Click Enable SNAT to commit. + + |SNAT_SPOKE_PRIMARY_CLOUD_TO_ONPREM| + + 8.9. Go to Gateway page, click on the Spoke HA Gateway. Click Edit. + + 8.10. Repeat the above steps to configure Customized SNAT for Spoke HA Gateway as shown in the example below. + + |SNAT_SPOKE_HA_CLOUD_TO_ONPREM| + + +Step 9. Verify traffic flow +------------------------- + +9.1. Traffic from on-prem to cloud spoke network + + - Issue ICMP traffic from on-prem host to a Virtual IP of cloud instance + + |ONPREM_HOST_TO_CLOUD_INSTANCE| + + - Execute packet capture on the cloud instance + + |CLOUD_INSTANCE_PACKET_CAPTURE| + +9.2. 
Traffic from cloud spoke network to on-prem + + - Issue ICMP traffic from cloud instance to a Virtual IP of on-prem + + |CLOUD_INSTANCE_TO_ONPREM_HOST| + + - Execute packet capture on the on-prem host + + |ONPREM_HOST_PACKET_CAPTURE| + +FAQ +------------------ + +Q1: Why we need to “mark” the NAT sessions? + +Ans: Basically, "mark" function in NAT is a unique number that is associated with specific packets. In this tech note, we leverage on it for the purpose of tracking session identified by the Source CIDR of DNAT and then utilizing it for the SNAT IPs of customized SNAT. It is an advanced option for users to configure NAT rule. Alternatively, users still can configure DNAT and customized SNAT rule without mark. + +Q2: Why we need to fill all VPC route table IDs for “Exclude Route Table”? + +Ans: As Aviatrix Global Transit HA Network design has a mechanism to handle cloud routing table updates, filling all VPC route table IDs for “Exclude Route Table” in NAT feature prevents extra routes to be injected in cloud routing table. + +.. |TRANSIT_ACTIVEMESH_SPOKE_OVERLAP_CIDR_TOPOLOGY| image:: transit_activemesh_spoke_overlap_cidr_media/topology.png + :scale: 50% + +.. |TRANSIT_ACTIVEMESH_SPOKE_CUSTOMIZED_SPOKE_ADVERTISE_VPC_CIDR| image:: transit_activemesh_spoke_overlap_cidr_media/spoke_customized_spoke_advertise_vpc_cidr.png + :scale: 30% + +.. |DNAT_SPOKE_ONPREM_TO_CLOUD| image:: transit_activemesh_spoke_overlap_cidr_media/dnat_spoke_onprem_to_cloud.png + :scale: 50% + +.. |SNAT_SPOKE_PRIMARY_ONPREM_TO_CLOUD| image:: transit_activemesh_spoke_overlap_cidr_media/snat_spoke_primary_onprem_to_cloud.png + :scale: 50% + +.. |SNAT_SPOKE_HA_ONPREM_TO_CLOUD| image:: transit_activemesh_spoke_overlap_cidr_media/snat_spoke_ha_onprem_to_cloud.png + :scale: 50% + +.. |DNAT_SPOKE_CLOUD_TO_ONPREM| image:: transit_activemesh_spoke_overlap_cidr_media/dnat_spoke_cloud_to_onprem.png + :scale: 50% + +.. 
|SNAT_SPOKE_PRIMARY_CLOUD_TO_ONPREM| image:: transit_activemesh_spoke_overlap_cidr_media/snat_spoke_primary_cloud_to_onprem.png + :scale: 50% + +.. |SNAT_SPOKE_HA_CLOUD_TO_ONPREM| image:: transit_activemesh_spoke_overlap_cidr_media/snat_spoke_ha_cloud_to_onprem.png + :scale: 50% + +.. |ONPREM_HOST_TO_CLOUD_INSTANCE| image:: transit_activemesh_spoke_overlap_cidr_media/onprem_host_to_cloud_instance.png + :scale: 100% + +.. |CLOUD_INSTANCE_PACKET_CAPTURE| image:: transit_activemesh_spoke_overlap_cidr_media/cloud_instance_packet_capture.png + :scale: 50% + +.. |CLOUD_INSTANCE_TO_ONPREM_HOST| image:: transit_activemesh_spoke_overlap_cidr_media/cloud_instance_to_onprem_host.png + :scale: 100% + +.. |ONPREM_HOST_PACKET_CAPTURE| image:: transit_activemesh_spoke_overlap_cidr_media/onprem_host_packet_capture.png + :scale: 100% + +.. disqus:: diff --git a/HowTos/transitgw_external.rst b/HowTos/transitgw_external.rst index 87090f1a3..7ed194290 100644 --- a/HowTos/transitgw_external.rst +++ b/HowTos/transitgw_external.rst 
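Review bot: In the new transit_solution_activemesh_spoke_snat_dnat_rfc1918.rst, the Customized SNAT tables in steps 6.5 and 8.5 leave Source CIDR and Destination CIDR blank and match on Mark alone, yet FAQ Q1 tells readers they "still can configure DNAT and customized SNAT rule without mark"; with the mark removed, a rule with blank CIDRs, Protocol "all" and Interface eth0 (step 6) or the Transit connection (step 8) would rewrite the source of every flow leaving that interface, not only the flows of the listed hosts. Either state in Q1 which match fields (Source CIDR, Destination CIDR) must be filled in when the mark is dropped, or remove the "without mark" sentence. Smaller points in the same hunk: the DNAT IPs value is "10.3.0.86" in step 5.5 but "10.3.0.85/32" in step 7.5, so pick one format for that field; 6.2 and 6.3 (and 8.2 and 8.3) both say "Select Customized SNAT"; "i.e." should be "e.g." throughout the value columns since the addresses are examples; the underlines below "Step 2." through "Step 9." are shorter than their titles, which Sphinx reports as "Title underline too short"; and the Real/Virtual mapping tables in 1.2 and 1.3, like the "In this example ..." sentence under the topology, sit inside `::` literal blocks, so they render as preformatted text rather than as tables (their border rows also declare three columns for two headings).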
@@ -7,42 +7,60 @@ Aviatrix Transit Gateway to External Devices ========================================================= -Starting from Release 4.1, there are three options to connect to a Transit GW with BGP: +There are four options to connect to Aviatrix Multi-cloud Transit GW: - AWS VGW + - Azure VNG - Aviatrix hardware appliance CloudN - External (or 3rd Party) Router/Firewall -This document provides instructions on how to connect the Aviatrix Transit GW to external router/firewall devices. +This document focuses on the External Device connecting the Aviatrix Transit GW. What are the use cases for connecting to an external router? --------------------------------------------------------------- - **Overcoming the AWS VGW 100 route limit** Typically, an Aviatrix Transit GW connects to VGW over IPSEC and runs a BGP session with VGW. VGW then connects to on-prem devices. By connecting directly to an external device, the VGW is bypassed. + + - **Overcome AWS VGW performance reset** VGW adjusts instance size based on network bandwidth consumption, leading to unexpected outage. - **Azure Transit Network** This feature allows an Aviatrix Transit GW to connect to on-prem over Azure Express Route or Internet. + + - **High Performance with on-prem** By using GRE tunneling protocol, Aviatrix Multi-cloud Transit Gateway `build multiple GRE tunnels to on-prem routers `_ to achieve 10Gbps throughput. + + - **Integrate with SD-WAN gateways deployed in the cloud** BGP over LAN as part of the External Device option provides an efficient mechanism to connect to SD-WAN cloud gateways by interoperating with them over LAN in the same VPC/VNet while exchanging routes dynamically via BGP. + - **All Other Cloud Providers** Use this feature to connect to network of cloud providers such as Alibaba Cloud, Tencent Cloud, Vmware Cloud, IBM Cloud and others. + How does it work? 
------------------ -The Aviatrix Transit GW runs a BGP session to an external router to dynamically exchange routes. It also establishes an IPSEC tunnel to the router for packet forwarding. +The Aviatrix Transit GW runs a BGP session to an external router to dynamically exchange routes. It also establishes an IPSEC tunnel, GRE tunnel or direct Ethernet to the router for packet forwarding. For IPSEC tunneling, static routing option is also supported. The mechanism works for AWS Direct Connect, Azure Express Route or Internet. -Over Private Network -~~~~~~~~~~~~~~~~~~~~~~~ +Over Private Network in AWS +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ When the underlying infrastructure is AWS Direct Connect, the diagram is shown as below. -|transitgw_dx| +|transitgw_private_aws| Make sure: - - The VGW is attached to the Transit VPC. + - The VGW is attached to the Transit VPC for IPSEC over Direct Connect and GRE over Direct Connect. - The external device advertises its IP address to VGW. - The external device advertises the on-prem network CIDR list to Aviatrix Transit GW. +Over Private Network in Azure +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +When the underlying infrastructure is Azure Express Route, the External Device options are IPSEC or LAN, as shown below. + +|transitgw_private_azure| + +Note GRE is not supported on Azure. + Over the Internet ~~~~~~~~~~~~~~~~~~~~~ 
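Review bot: The rewritten "How does it work?" paragraph lists "an IPSEC tunnel, GRE tunnel or direct Ethernet" as interchangeable data planes, but only the IPSEC option encrypts traffic; since the use-case list recommends GRE for 10Gbps and BGP over LAN for SD-WAN interop, add a sentence there that GRE and LAN carry packets unencrypted and depend on the underlying private network (Direct Connect, Express Route, the VPC/VNet) for confidentiality, so readers choosing them for throughput see the trade-off. Also in this hunk: the opening line adds "Azure VNG" to the options but nothing below describes it, so link the page that does; "Aviatrix Multi-cloud Transit Gateway `build multiple GRE tunnels ...`" should read "builds"; "leading to unexpected outage" should be "outages" and "Vmware Cloud" should be "VMware Cloud"; and since the AWS diagram now uses |transitgw_private_aws|, check whether |transitgw_dx| is still referenced anywhere in the file, otherwise its definition (left in place in the @@ -173 hunk below) is dead.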
@@ -64,14 +82,21 @@ Fill the parameters and click OK. For ActiveMesh design notes, check out `Active ============================ ========== **Setting** **Value** ============================ ========== -BGP or Static Select BGP if the Transit GW runs dynamic routing with remote site. Otherwise, select Static. -VPC Name The Transit VPC ID where Transit GW was launched. +External Device Select this option to build a connection to a remote site. +BGP Select BGP if the Transit GW runs dynamic routing with remote site. +Static Remote Route-Based Select this option the remote site supports route-based VPN with static configuration. +Static Remote Policy-Based Select this option the remote site supports policy-based VPN with static configuration. The caveat in this mode is the remote site must always initiate the traffic. This function has been moved to `SITE2CLOUD `_. +IPsec Select this option to run BGP and build a IPSEC connection to a remote site. +GRE Select this option to run BGP and build a GRE connection to a remote site. +LAN Select this option to run BGP and data plane by LAN interface with an instance in the same VPC or VNet. +Transit VPC Name The Transit VPC ID where Transit GW was launched. Connection Name A unique name to identify the connection to external device. Aviatrix Transit GW BGP ASN The BGP AS number the Transit GW will use to exchange routes with external device. Primary Cloud Gateway The Transit GW you created in `Step 1 `_. If Transit DMZ is deployed, select the `Companion gateway `_. -Algorithm Optional parameters. Leave it unselected if you don't know. -Enable HA Select HA if there are two external devices. -Over DirectConnect Select this option if your underlying infrastructure is private network, such as AWS Direct Connect and Azure Express Rout. See "How does it work" section for more details. When this option is selected, BGP and IPSEC run over private IP addresses. +Algorithms Optional parameters. Leave it unselected if you don't know. 
+IKEv2 Select the option to connect to the remote site using IKEv2 protocol. +Enable Remote Gateway HA Select HA if there are two external devices. +Over Private Network Select this option if your underlying infrastructure is private network, such as AWS Direct Connect and Azure Express Rout. See "How does it work" section for more details. When this option is selected, BGP and IPSEC run over private IP addresses. BGP Remote AS Number When BGP is selected, the BGP AS number the external device will use to exchange routes Aviatrix Transit GW. Remote Gateway IP IP address of the remote device. If "Over DirectConnect" is selected, enter the private IP address of the external device. Pre-shared Key Optional parameter. Leave it blank to let the pre-shared key to be auto generated. @@ -173,6 +198,12 @@ Cisco ISR/ASR router configuration: .. |transitgw_dx| image:: transitgw_external_media/transitgw_dx.png :scale: 30% +.. |transitgw_private_aws| image:: transitgw_external_media/transitgw_private_aws.png + :scale: 30% + +.. |transitgw_private_azure| image:: transitgw_external_media/transitgw_private_azure.png + :scale: 30% + .. |transitgw_internet| image:: transitgw_external_media/transitgw_internet.png :scale: 30% diff --git a/HowTos/transitgw_external_media/transitgw_private_aws.png b/HowTos/transitgw_external_media/transitgw_private_aws.png new file mode 100644 index 000000000..b9715cc58 Binary files /dev/null and b/HowTos/transitgw_external_media/transitgw_private_aws.png differ diff --git a/HowTos/transitgw_external_media/transitgw_private_azure.png b/HowTos/transitgw_external_media/transitgw_private_azure.png new file mode 100644 index 000000000..8ff92ff94 Binary files /dev/null and b/HowTos/transitgw_external_media/transitgw_private_azure.png differ diff --git a/HowTos/transitvpc_designs.rst b/HowTos/transitvpc_designs.rst index 4b78e7dd0..c81307059 100644 --- a/HowTos/transitvpc_designs.rst +++ b/HowTos/transitvpc_designs.rst 
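Review bot: The "Over DirectConnect" row is renamed to "Over Private Network" in this hunk, but the unchanged "Remote Gateway IP" row two lines below still says 'If "Over DirectConnect" is selected, enter the private IP address', so update that reference in the same change. Other points in the table: "Static Remote Route-Based Select this option the remote site supports" and the matching Policy-Based row are missing "if"; the Policy-Based row says the function "has been moved to SITE2CLOUD", so either drop the row or say plainly that it is configured there rather than here; "build a IPSEC connection" should be "an IPSEC connection"; "Azure Express Rout" is a typo carried into the new line; and the LAN row ("run BGP and data plane by LAN interface with an instance in the same VPC or VNet") reads better as "run BGP and forward data over the LAN interface to an instance in the same VPC/VNet".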
@@ -11,7 +11,7 @@ Transit Network Design Patterns to create a Transit VPC GW with a set of Spoke VPC GWs. From one Aviatrix Controller, you can setup -Transit Groups in a single region or across multiple AWS regions. +Transit network in a single region or across multiple AWS regions. Single Region Transit VPC Design ---------------------------------- @@ -99,20 +99,18 @@ Centralized Egress Control with Aviatrix SD-WAN Integration -------------------- -If you have multiple sites to connect to the cloud, you can use an Aviatrix gateway to terminate the many site2cloud to branch offices, and connect this gateway to the VGW in the Transit VPC. +Aviatrix Multi-cloud Transit integrates with SD-WAN cloud instances with BGP over LAN where both BGP routes and data packets +are exchanged between Aviatrix Transit Gateways and SD-WAN gateways deployed in the same Transit VPC, as shown in the diagram +below. . -Alternatively, you can use a SD-WAN termination point in the VPC to connect to the branches. - -Both options can be described in the diagram below. - -|image8| +|sd_wan_integ| .. |image0| image:: transitvpc_designs_media/singleRegion.png :width: 10.0in :height: 4.0in -.. |image1| image:: transitvpc_designs_media/multi_region.png +.. |image1| image:: transitvpc_designs_media/multi_region2.png :width: 10.0in :height: 4.0in @@ -128,7 +126,7 @@ Both options can be described in the diagram below. :width: 10.0in :height: 4.0in -.. |image5| image:: transitvpc_designs_media/Egresscontrol.png +.. |image5| image:: transitvpc_designs_media/egress-control2.png :width: 10.0in :height: 4.0in 
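Review bot: The new SD-WAN paragraph in the @@ -99 hunk ends with "as shown in the diagram below. ." (a stray second period after the line break), and it silently drops the previous alternative of terminating Site2Cloud tunnels from branch offices on an Aviatrix gateway; if that option is still supported, keep a one-line pointer to it, otherwise say that BGP over LAN supersedes it.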
@@ -144,10 +142,21 @@ Both options can be described in the diagram below. :width: 10.0in :height: 4.0in +.. |transit_azure_native_spoke| image:: transitvpc_designs_media/transit_azure_native_spoke.png + :scale: 30% + +.. |multi_cloud_transit_native| image:: transitvpc_designs_media/multi_cloud_transit_native.png + :scale: 30% + +.. |sd_wan_integ| image:: transitvpc_designs_media/sd_wan_integ.png + :scale: 30% + .. |transit_firenet| image:: transit_firenet_media/transit_firenet.png :scale: 30% .. |transit_firenet_aviatrix_egress| image:: transit_firenet_media/transit_firenet_aviatrix_egress.png :scale: 30% + + .. disqus:: diff --git a/HowTos/transitvpc_designs_media/bgp_lan_multipeer_ha.png b/HowTos/transitvpc_designs_media/bgp_lan_multipeer_ha.png new file mode 100644 index 000000000..420e5c001 Binary files /dev/null and b/HowTos/transitvpc_designs_media/bgp_lan_multipeer_ha.png differ diff --git a/HowTos/transitvpc_designs_media/bgp_lan_multipeer_local_ip_blank.png b/HowTos/transitvpc_designs_media/bgp_lan_multipeer_local_ip_blank.png new file mode 100644 index 000000000..b7ac22621 Binary files /dev/null and b/HowTos/transitvpc_designs_media/bgp_lan_multipeer_local_ip_blank.png differ diff --git a/HowTos/transitvpc_designs_media/bgp_lan_multipeer_local_ipblank.png b/HowTos/transitvpc_designs_media/bgp_lan_multipeer_local_ipblank.png new file mode 100644 index 000000000..b7ac22621 Binary files /dev/null and b/HowTos/transitvpc_designs_media/bgp_lan_multipeer_local_ipblank.png differ diff --git a/HowTos/transitvpc_designs_media/bgp_lan_multipeer_onprem_cloud.png b/HowTos/transitvpc_designs_media/bgp_lan_multipeer_onprem_cloud.png new file mode 100644 index 000000000..736a20f44 Binary files /dev/null and b/HowTos/transitvpc_designs_media/bgp_lan_multipeer_onprem_cloud.png differ 
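Review bot: The two new substitutions |transit_azure_native_spoke| and |multi_cloud_transit_native| are defined here but nothing in this patch references them (the only new reference in transitvpc_designs.rst is |sd_wan_integ| in the @@ -99 hunk); either add the design text and diagram references that use them or hold them until that text lands. The three blank lines added before `.. disqus::` can be trimmed to one.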
diff --git a/HowTos/transitvpc_designs_media/bgp_lan_multipeer_onprem_cloud_no_ecmp.png b/HowTos/transitvpc_designs_media/bgp_lan_multipeer_onprem_cloud_no_ecmp.png new file mode 100644 index 000000000..420e5c001 Binary files /dev/null and b/HowTos/transitvpc_designs_media/bgp_lan_multipeer_onprem_cloud_no_ecmp.png differ diff --git a/HowTos/transitvpc_designs_media/bgp_lan_multipeer_onprem_cloud_no_ecmp2.png b/HowTos/transitvpc_designs_media/bgp_lan_multipeer_onprem_cloud_no_ecmp2.png new file mode 100644 index 000000000..420e5c001 Binary files /dev/null and b/HowTos/transitvpc_designs_media/bgp_lan_multipeer_onprem_cloud_no_ecmp2.png differ diff --git a/HowTos/transitvpc_designs_media/bgp_lan_multipeer_same_eni.png b/HowTos/transitvpc_designs_media/bgp_lan_multipeer_same_eni.png new file mode 100644 index 000000000..10598d9f0 Binary files /dev/null and b/HowTos/transitvpc_designs_media/bgp_lan_multipeer_same_eni.png differ diff --git a/HowTos/transitvpc_designs_media/egress-control2.png b/HowTos/transitvpc_designs_media/egress-control2.png new file mode 100644 index 000000000..3ba2de252 Binary files /dev/null and b/HowTos/transitvpc_designs_media/egress-control2.png differ diff --git a/HowTos/transitvpc_designs_media/multi_cloud_transit_native.png b/HowTos/transitvpc_designs_media/multi_cloud_transit_native.png new file mode 100644 index 000000000..3145f82a0 Binary files /dev/null and b/HowTos/transitvpc_designs_media/multi_cloud_transit_native.png differ diff --git a/HowTos/transitvpc_designs_media/multi_region.png b/HowTos/transitvpc_designs_media/multi_region.png deleted file mode 100644 index 14498895c..000000000 Binary files a/HowTos/transitvpc_designs_media/multi_region.png and /dev/null differ diff --git a/HowTos/transitvpc_designs_media/multi_region2.png b/HowTos/transitvpc_designs_media/multi_region2.png new file mode 100644 index 000000000..35e749feb Binary files /dev/null and b/HowTos/transitvpc_designs_media/multi_region2.png differ 
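Review bot: Among the images added under transitvpc_designs_media, several blobs are identical: bgp_lan_multipeer_ha.png, bgp_lan_multipeer_onprem_cloud_no_ecmp.png and bgp_lan_multipeer_onprem_cloud_no_ecmp2.png all carry index 420e5c001, and bgp_lan_multipeer_local_ip_blank.png and bgp_lan_multipeer_local_ipblank.png both carry b7ac22621. None of the bgp_lan_multipeer_* files is referenced by any .rst hunk in this patch, and sd_wan_inte_azure.png looks like a typo for sd_wan_integ_azure.png next to sd_wan_integ_aws.png and sd_wan_integ_gcp.png. Keep one copy of each distinct image and add it together with the text that uses it.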
diff --git a/HowTos/transitvpc_designs_media/sd_wan_inte_azure.png b/HowTos/transitvpc_designs_media/sd_wan_inte_azure.png new file mode 100644 index 000000000..cf5d2b5ad Binary files /dev/null and b/HowTos/transitvpc_designs_media/sd_wan_inte_azure.png differ diff --git a/HowTos/transitvpc_designs_media/sd_wan_integ.png b/HowTos/transitvpc_designs_media/sd_wan_integ.png new file mode 100644 index 000000000..5cf72d005 Binary files /dev/null and b/HowTos/transitvpc_designs_media/sd_wan_integ.png differ diff --git a/HowTos/transitvpc_designs_media/sd_wan_integ_aws.png b/HowTos/transitvpc_designs_media/sd_wan_integ_aws.png new file mode 100644 index 000000000..d5f199e7f Binary files /dev/null and b/HowTos/transitvpc_designs_media/sd_wan_integ_aws.png differ diff --git a/HowTos/transitvpc_designs_media/sd_wan_integ_gcp.png b/HowTos/transitvpc_designs_media/sd_wan_integ_gcp.png new file mode 100644 index 000000000..fe914403a Binary files /dev/null and b/HowTos/transitvpc_designs_media/sd_wan_integ_gcp.png differ diff --git a/HowTos/transitvpc_designs_media/transit_azure_native_spoke.png b/HowTos/transitvpc_designs_media/transit_azure_native_spoke.png new file mode 100644 index 000000000..b83bf4181 Binary files /dev/null and b/HowTos/transitvpc_designs_media/transit_azure_native_spoke.png differ diff --git a/HowTos/transitvpc_faq.rst b/HowTos/transitvpc_faq.rst index e8a26ed7b..862215a8d 100644 --- a/HowTos/transitvpc_faq.rst +++ b/HowTos/transitvpc_faq.rst @@ -2,9 +2,9 @@ :description: onboarding Frequently Asked Questions :keywords: Aviatrix Getting Started, Aviatrix, AWS -============================ -Transit VPC/VNET FAQ -============================ +=============================== +Multi Cloud Global Transit FAQ +=============================== Why should I choose Transit architecture? 
@@ -17,9 +17,15 @@ The alternative to Transit architecture (often referred to as "flat" architectur How do I configure a Global Transit Network with Aviatrix solution? -------------------------------------------------------------------- -For Next Gen Transit Network for AWS deployment, follow the `Aviatrix Transit Gateway Orchestrator Workflow `_. -For Next Gen Transit Network for Azure deployment, follow the instructions `here. `_ +If you plan to deploy AWS Transit Gateway (TGW) based transit network, follow the `Aviatrix Transit Gateway Orchestrator Workflow `_. + +If you plan to deploy in Azure or deploy Aviatrix gateways in the Spoke VPC/VNets, follow the instructions `here. `_ + +Should Aviatrix Transit Network all be deployed in ActiveMesh mode? +---------------------------------------------------------------------- + +Yes. All Aviatrix Transit Network should be deployed in ActiveMesh mode. To learn more, check out `ActiveMesh FAQ `_. Should I deploy one Transit Group for Dev and one for Prod? ------------------------------------------------------------ 
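Review bot: "Should Aviatrix Transit Network all be deployed in ActiveMesh mode?" and its answer "All Aviatrix Transit Network should be deployed" need the plural "Networks"; "deploy AWS Transit Gateway (TGW) based transit network" should be "a TGW-based transit network"; and the link text "here. `_" keeps the period inside the link, as the line it replaced did, so move it outside the backticks.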
@@ -47,25 +53,19 @@ Enable `Spoke VPC route summarization `_ to connect to on-prem directly over Direct Connect or the Internet. -Can I launch multiple Transit GW groups from one Controller? -------------------------------------------------------------- - -Yes, you can launch multiple Transit GW groups from one Aviatrix Controller. -Simply start at `Transit Gateway Plan stage `_ to create a new TGW in a different region or the same region. - I have a few high bandwidth applications, how do I deploy them in a Transit solution? -------------------------------------------------------------------------------------- Aviatrix's `Insane Mode solution `_ provides 10Gbps Transit network throughput. -How can I fit an egress firewall into the Next Gen Transit solution? +How can I fit an egress firewall into the Aviatrix Transit solution? ---------------------------------------------------------------------- There are two types of requirements. 
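Review bot: This hunk deletes the "Can I launch multiple Transit GW groups from one Controller?" entry with no replacement, so the FAQ no longer answers whether one Controller can run several transit networks; the transitvpc_designs.rst hunk in this same patch only changes "Transit Groups" to "Transit network", which suggests the term changed rather than the capability, so keep the question with the new wording ("multiple Transit networks") and an updated link instead of dropping it.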
@@ -84,28 +84,23 @@ If your security team requires inline IDS/IPS firewall function, consider `Trans What are the automation methods for Transit Network? ----------------------------------------------------- -There are multiple resources to help you automate Transit Network setup. Note that if you are building a Transit Network following the workflow, you should use the APIs documented below. +There are multiple resources to help you automate Transit Network setup. Note that if you are building a Transit Network following the workflow, you should `use Terraform `_. - - `Transit Network section in API doc `_. - - - `Terraform example. `_ - - - `Python API example for Transit Network `_ Does Aviatrix Transit Network support HA? ------------------------------------------ -You can enable multi AZ HA during the workflow when launching a Transit VPC gateway or Spoke VPC gateway. +Yes. Aviatrix Transit Gateways operates in `ActiveMesh mode `_. Why are AWS t2 series instance types not recommended for production deployment on a Transit GW? ---------------------------------------------------------------------------------------------- +--------------------------------------------------------------------------------------------------- When a t2 series Transit GW communicate with VGW over IPSEC, there is a 3% packet drop for packet size less than 150 bytes by Transit GW due to an issue with AWS Xen hypervisor and the kernel version GW is using. This will be fixed in a future release. Note that this packet drop issue does not affect Spoke gateways. How do I resize a Transit GW instance? ------------------------------------- +------------------------------------------ Go to the Gateway page at the navigation bar, select the Transit GW, click Edit, scroll up to see the options and find Gateway Resize. Select the desired size and click Change. 
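Review bot: The HA answer now reads only "Yes. Aviatrix Transit Gateways operates in ActiveMesh mode" and drops the instruction that HA is enabled during the workflow when launching a Transit or Spoke gateway; the new tech note in this same patch lists "Active Mesh Mode is enabled" and "HA is deployed" as separate checks, so keep a sentence on where HA is enabled, and change "Gateways operates" to "Gateways operate". The automation answer removes the API doc, Terraform example and Python example links in favour of a single "use Terraform" link while the unchanged sentence before it still says "There are multiple resources"; if the API remains supported, keep its link, otherwise reword that sentence.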
@@ -125,7 +120,7 @@ How can I route VPC egress Internet bound traffic to on-prem to go through the c If you advertise 0.0.0.0/0 to VGW, Spoke VPCs will have that route point to the Transit GW and route egress Internet traffic to VGW and back to on-prem. Make sure you do not have NAT enabled on the Spoke GW or AWS NAT service enabled in the VPC. How do I know if the tunnel between the VGW and the Transit GW is up? ---------------------------------------------------------------- +------------------------------------------------------------------------ Go to Site2Cloud, the tunnel status is displayed for each connection. @@ -263,7 +258,7 @@ Before you can summarize Spoke VPC CIDRs, you must make sure Spoke gateways all How to build Spoke to Spoke connectivity via Transit? ------------------------------------------------------ -Starting from release 3.5, Transit network supports `Connected mode. `_ where Spoke to Spoke connectivity is built automatically. +Starting from release 3.5, Transit network supports `Connected mode. https://docs.aviatrix.com/HowTos/transitvpc_designs.html#connected-transit-design_` where Spoke to Spoke connectivity is built automatically. How do a Spoke gateway and VPC private DNS work together? ---------------------------------------------------------- 
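Review bot: the Connected mode link in the second hunk is malformed reStructuredText: `Connected mode. https://docs.aviatrix.com/HowTos/transitvpc_designs.html#connected-transit-design_` places the URL inside the link text and the trailing underscore inside the backticks, so it renders as literal text instead of a hyperlink; write it as `` `Connected mode <https://docs.aviatrix.com/HowTos/transitvpc_designs.html#connected-transit-design>`_ `` and drop the stray period after "mode".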
@@ -296,7 +291,7 @@ They differ in the following areas: - **Central Control** - With the Aviatrix solution, the Aviatrix Controller is the single pane of glass for all networking in the cloud. - - **AWS Transit Gateway Integration** If you have AWS deployment, Aviatrix Next Gen Transit integrates with an AWS TGW seamlessly for high bandwidth Spoke VPC connection. Customers who do not require end to end encryption can now use the TGW native service to connect the Spoke VPCs. + - **AWS Transit Gateway Integration** If you have AWS deployment, Aviatrix Transit integrates with an AWS TGW seamlessly for high bandwidth Spoke VPC connection. Customers who do not require end to end encryption can now use the TGW native service to connect the Spoke VPCs. - **Network Segmentation** - In the CSR-based solution, all Spoke VPCs have connectivity to each other through the Transit GW, even though these Spoke VPCs belong to different AWS accounts or business teams. In contrast, in the Aviatrix solution the Spoke VPCs have no connectivity to each other, by default. Connectivity is built by design. With the TGW integration, you can customize the `Security Domains `_ to meet your segmentation requirements. 
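Review bot: the renamed bullet "**AWS Transit Gateway Integration** If you have AWS deployment" still lacks the " - " separator that the sibling bullets use ("**Central Control** - With the Aviatrix solution ...") and should read "If you have an AWS deployment"; since this hunk already rewrites that line, fix both in the same change.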
@@ -312,7 +307,15 @@ They differ in the following areas: For a fun read, here is a `blog on the differences `_ +If I already have a Transit to External Device connection using IKEv1, could I create another one using IKEv2? +--------------------------------------------------------------------------------------------------------------- + +Starting from 6.3 release, Aviatrix supports the feature `Transit to External Device Using IKEv2 `_. The prerequisite for IKEv2 is that you need to create the first Transit to External Device connection with IKEv2 enabled. If your current Transit gateway already has a connection using IKEv1 either is created by attaching spoke gateway or is built in MULTI-CLOUD TRANSIT step 3, you need to delete it first before creating the Transit to External Device connection with IKEv2. + +How to troubleshoot Transit to External Device connection with IKEv2 issue? +--------------------------------------------------------------------------- +Refer to `Troubleshooting IPsec VPN connection with IKEv2 `_ .. |bgp_summarize| image:: transitvpc_faq_media/bgp_summarize_transit_adv_page.png :scale: 60% diff --git a/HowTos/transitvpc_workflow.rst b/HowTos/transitvpc_workflow.rst index 4503b92a2..ed2699f09 100644 --- a/HowTos/transitvpc_workflow.rst +++ b/HowTos/transitvpc_workflow.rst 
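Review bot: the new IKEv2 FAQ answers a "could I create another one using IKEv2?" question with a procedure that requires deleting the existing IKEv1 connection, so state the answer plainly first (no, as the hunk's own prerequisite implies, the first Transit to External Device connection on a gateway must be created with IKEv2) and warn that deleting the existing connection tears down its tunnel and interrupts on-prem traffic until the IKEv2 connection is established. The sentence "If your current Transit gateway already has a connection using IKEv1 either is created by attaching spoke gateway or is built in MULTI-CLOUD TRANSIT step 3" also needs rewording, e.g. "whether it was created by attaching a Spoke gateway or in MULTI-CLOUD TRANSIT step 3".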
@@ -3,25 +3,25 @@ :keywords: Transit VPC, Transit hub, AWS Global Transit Network, Encrypted Peering, Transitive Peering, AWS VPC Peering, VPN -================================================================ -Global Transit Network Workflow Instructions (AWS/Azure/GCP/OCI) -================================================================ +====================================================================== +Multi-cloud Transit Network Workflow Instructions (AWS/Azure/GCP/OCI) +====================================================================== .. important:: If you intend to deploy transit network by using AWS Transit Gateway (TGW), your starting point is `this link `_. For building encrypted Transit in AWS/Azure/GCP/OCI or Transit network with Azure Native Peering, this document is your starting point. -This workflow provides you with step by step instructions to build a Global Transit Network. +This workflow provides you with step by step instructions to build a Multi-cloud Transit Network. While the instructions below reference AWS, these functionalities apply to any public cloud in which Aviatrix Transit Network is supported. -For design guide, check out `Transit Network Design Patterns. `_ +For design guide, check out `Multi-cloud Transit Network Design Patterns. `_ -For more information, check out `Transit Network FAQ. `_ +For more information, check out `Multi-cloud Transit Network FAQ. `_ For other Aviatrix functions, such as `VPN access for users `_ and `VPN access for sites `_, check out `Aviatrix Overview `_ -This Global Transit Network consists of a Transit gateway and a set of Spoke gateways for communications +This Multi-cloud Transit Network consists of a Transit gateway and a set of Spoke gateways for communications between Spoke VPC or VNet instances and your on-prem network. 
@@ -29,7 +29,7 @@ between Spoke VPC or VNet instances and your on-prem network. For description purposes, gateway and GW are used interchangeably. Other than gateway deletion, resources created by this workflow should be deleted within the work flow. -The Global Transit Network diagram is described as below. +The Transit Network diagram is described as below. |Test| 
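Review bot: naming is inconsistent after the rename: the title and intro in the previous hunk now say "Multi-cloud Transit Network", but this hunk changes "The Global Transit Network diagram" to "The Transit Network diagram" rather than "The Multi-cloud Transit Network diagram"; pick one term and use it throughout the page.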
@@ -103,30 +103,33 @@ Transit GW HA either. -Although the title says to connect to AWS VGW, starting from Release 4.1, there are three options to connect to a Transit GW with BGP to an on-prem network. Choose one option that meets your network requirements. +Although the title says to connect to AWS VGW, there are four options to connect to a Transit GW to an on-prem network. Choose one option that meets your network requirements. - AWS VGW (This is the default setting.) + - Azure VNG - External Device (over Direct Connect or over Internet) - Aviatrix hardware appliance CloudN as shown below. -|transit_to_onprem| +|transit_to_onprem-2| ========================================== ================ =============== =============== ================== **Transit Gateway Connect Type** **Performance** **HA** Route Limit Deployment notes ========================================== ================ =============== =============== ================== AWS VGW 1.25Gbps Active/Active 100 VGW should be detached. Use the `instruction here `_ to build encryption between VGW and on-prem router. -External Device 1.25Gbps Active/Standby Unlimited VGW should be attached. Aviatrix Transit Gateway establishes BGP + IPSEC with on-prem router. -CloudN 10Gbps Active/Standby Unlimited VGW should be attached. Aviatrix Transit Gateway established BGP + IPSEC with on-prem CloudN. +External Device Up to 10Gbps Active/Standby Unlimited VGW should be attached. Aviatrix Transit Gateway establishes BGP + IPSEC with on-prem router. +CloudN 20Gbps Active/Active Unlimited VGW should be attached. Aviatrix Transit Gateway established BGP + IPSEC with on-prem CloudN. +Azure VNG 10Gbps Active/Active Unlimited VNG should be attached. ========================================== ================ =============== =============== ================== 3.1 External Device ^^^^^^^^^^^^^^^^^^^^^ -The "External Device" option allows you to build a BGP and IPSEC tunnel directly to on-prem or -in the cloud device. 
It bypasses the AWS VGW or Azure VPN gateway for exchanging routes with on-prem, thus overcoming the route limit by these native services. For more information, read more `here. `_ +The "External Device" option allows you to build IPSEC tunnel, GRE tunnel or Ethernet LAN directly to on-prem or +in the cloud device. It bypasses the AWS VGW or Azure VPN gateway for exchanging routes with on-prem, thus overcoming the route limit by these native services. +To learn how to leverage External Device to connect to variety of devices, read more about `External Device FAQ. `_ Follow the instructions in `this link `_ to complete this Step. 3.2 Aviatrix Appliance CloudN @@ -136,7 +139,16 @@ Follow the instructions in `this link `_ to complete Step 3. -3.3 AWS VGW (VPN Gateway) +3.3 Azure VNG +^^^^^^^^^^^^^^^^ + +With this option, data packets are forwarded natively to on-prem through Azure Virtual Network Gateway (VNG) either over +Express Route or Internet, and in the meantime, Aviatrix Transit Gateways are inserted in the data path between VNG and Spoke VNet. This allows you to run advanced function such as firewall inspection for on-prem to Spoke and between the Spokes. + +See `Multi-cloud Transit Integration with Azure VNG `_. + + +3.4 AWS VGW (VPN Gateway) ^^^^^^^^^^^^^^^^^^^^^^^^^^^ Aviatrix automates the process of discovering and connecting to AWS VGW. The instruction below is for connecting Aviatrix Transit GW to AWS VGW. 
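Review bot: the rewritten 3.1 text now lists "IPSEC tunnel, GRE tunnel or Ethernet LAN" as External Device transports, but this page introduces itself as the starting point for "building encrypted Transit", and neither GRE nor a LAN attachment encrypts traffic; add a sentence stating that only the IPsec option provides encryption so readers do not assume the other two do. Smaller points in the same hunk: "four options to connect to a Transit GW to an on-prem network" should be "four options to connect a Transit GW to an on-prem network", the CloudN table row still says "established BGP + IPSEC" (should be "establishes"), and "allows you to build IPSEC tunnel, GRE tunnel or Ethernet LAN" needs articles ("an IPsec tunnel, a GRE tunnel, or an Ethernet LAN connection"). In the new 3.3 Azure VNG section, "in the meantime" should be "at the same time" and "advanced function such as firewall inspection" should be "advanced functions such as".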
@@ -309,13 +321,7 @@ going through the backup Transit GW. 13. Transit Network APIs ------------------------- -There are multiple resources to help you automate Transit Network setup. Note that if you are building a Transit Network following the workflow, you should use the APIs documented below. - - - `Transit Network section in API doc `_. - - - `Terraform example. `_ - - - `Python API example for Transit Network `_ +There are multiple resources to help you automate Transit Network setup. Note that if you are building a Transit Network following the workflow, you should follow the `Terraform example `_. How do I get started on AWS? 
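Review bot: after this hunk the section titled "13. Transit Network APIs" no longer mentions an API at all; it points only to a Terraform example, so either retitle the section (e.g. "13. Automating the Transit Network") or keep the "Transit Network section in API doc" link alongside Terraform for readers who drive the Controller directly. The equivalent paragraph in the FAQ earlier in this patch was replaced with different wording ("you should use Terraform" versus "you should follow the Terraform example"); align the two.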
@@ -336,70 +342,6 @@ After you have built the Transit GW and Spokes, you can view the connection betw Stay on the Transit Network page for any Spoke gateway and Transit GW actions such as attaching a Spoke, detaching a Spoke, connecting to VGW and disconnecting from a VGW. Do not go to any other pages for these actions. For deleting a Spoke gateway or Transit gateway, go to the Gateway page, select the gateway and delete. -Advanced Config ------------------- - -Manual BGP Advertised Network List -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -This field is only applicable to Transit GW established by `Transit Network workflow `_. - -By default, Aviatrix Transit GW advertises individual Spoke VPC CIDRs to VGW. You can -override that by manually entering the intended CIDR list to advertise to VGW. - -This feature is critical to limit the total number of routes carried by VGW (maximum is 100). - -To enable this option in software version prior to 4.1, click Site2Cloud on the left navigation bar, select the connection established by `Step 3 `_, click to edit. -Scroll down to "Connected Transit" to enable. - -For software version 4.1 and later, you will click Transit Network on the left navigation bar, click the Advanced Config option and browse to the Edit Gateway tab. Select the Transit Gateway you want to enable the Connected Transit. - -To disable the option, leave the field blank and click "Change BGP Manual Spoke Advertisement". - -Advertise Transit VPC Network CIDR(s) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -This field is only applicable to Transit GW established by `Transit Network workflow `_. - -By default, Aviatrix Transit GW does not advertise Transit VPC `CIDR `_. - -When this feature is enabled, Aviatrix Transit GW advertises the Transit VPC CIDR to VGW. The Controller programs the 3 RFC1918 routes in the AWS route table to point to the Transit GW. It also programs the learned routes from VGW into the AWS route table. 
- -If you deploy instances in the Transit VPC, enabling "Advertise Transit VPC CIDR(s) mode allows the instance to communicate both to Spoke VPCs and on-prem network, assuming the Spoke VPCs are in the RFC1918 range. - -To enable this option in software version prior to 4.1, click Site2Cloud on the left navigation bar, select the connection established by `Step 3 `_, click to edit. -Scroll down to "Connected Transit" to enable. - -For software version 4.1 and later, you will click Transit Network on the left navigation bar, click the Advanced Config option and browse to the Edit Gateway tab. Select the Transit Gateway you want to enable the Connected Transit. - - -Connected Transit -^^^^^^^^^^^^^^^^^ - -By default, Aviatrix Spoke VPCs do not have routing established to communicate -with each other via Transit. They are completely segmented. - -If you would like to build a full mesh network where Spoke VPCs communicate with each other via Transit GW, you can achieve that by enabling "Connected Transit" mode. All connections are encrypted. - -To enable this option in software version prior to 4.1, click Site2Cloud on the left navigation bar, select the connection established by `Step 3 `_, click to edit. -Scroll down to "Connected Transit" to enable. - -For software version 4.1 and later, you will click Transit Network on the left navigation bar, click the Advanced Config option and browse to the Edit Gateway tab. Select the Transit Gateway you want to enable the Connected Transit. - -Note all Spokes should be either in HA mode or non HA mode. A mixed deployment where some Spokes have -HA enabled while others don't work in a normal environment, but does not work -when a failover happens on a HA enabled Spoke. - -Prepend AS Path -^^^^^^^^^^^^^^^^^ - -You can insert BGP AS_PATH on the Transit Gateway customize the BGP AP_PATH field when it advertises to VGW or peer devices. For example, -enter 65458, 65478 in the input field, these ASN will appear to the remote end. 
- -If you don't configure this field, Transit Gateway only advertises its own ASN. - - - .. |Test| image:: transitvpc_workflow_media/SRMC.png :width: 5.55625in @@ -426,6 +368,9 @@ If you don't configure this field, Transit Gateway only advertises its own ASN. .. |transit_to_onprem| image:: transitvpc_workflow_media/transit_to_onprem.png :scale: 40% +.. |transit_to_onprem-2| image:: transitvpc_workflow_media/transit_to_onprem-2.png + :scale: 40% + .. |azure_native_transit2| image:: transitvpc_workflow_media/azure_native_transit2.png :scale: 30% diff --git a/HowTos/transitvpc_workflow_media/transit_to_onprem-2.png b/HowTos/transitvpc_workflow_media/transit_to_onprem-2.png new file mode 100644 index 000000000..dc3086d18 Binary files /dev/null and b/HowTos/transitvpc_workflow_media/transit_to_onprem-2.png differ diff --git a/HowTos/troubleshooting_ipsec_vpn_connection_with_ikev2.rst b/HowTos/troubleshooting_ipsec_vpn_connection_with_ikev2.rst new file mode 100644 index 000000000..909827b19 --- /dev/null +++ b/HowTos/troubleshooting_ipsec_vpn_connection_with_ikev2.rst 
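Review bot: this hunk deletes the entire "Advanced Config" section (Manual BGP Advertised Network List, Advertise Transit VPC Network CIDR(s), Connected Transit, Prepend AS Path) without a replacement or a pointer, yet the FAQ hunks earlier in this patch still direct readers to Connected mode and Spoke route summarization, and the deleted text carried operational caveats that appear nowhere else in the diff: the 100-route VGW limit that the manual advertisement list works around, and the warning that mixing HA and non-HA Spokes breaks when a failover happens. If the content moved to another page, link to it; otherwise restore it. The @@ -426 hunk also adds |transit_to_onprem-2| while leaving the now-unreferenced |transit_to_onprem| substitution definition in place; remove the dead definition.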
@@ -0,0 +1,173 @@ +.. meta:: + :description: Troubleshooting IPsec VPN connection with IKEv2 + :keywords: Aviatrix Transit network, Private Network, Site2cloud, site to cloud, aviatrix, ipsec vpn, tunnel, Encrypted Peering + +================================================ +Troubleshooting IPsec VPN connection with IKEv2 +================================================ + +This article describes how to troubleshoot IPsec VPN connection with IKEv2 on Aviatrix gateway. + +Workflow +========= + +Check Site2Cloud Connection Status +---------------------------------- + +- Login Aviatrix Controller + +- Go to SITE2CLOUD -> Setup + +- Find the Site2Cloud Connection + +- Check the tunnel status + + - if the Status displays "Down", please follow the next step + +Perform the Diagnostics Action "Run analysis" +--------------------------------------------- + +- Go to SITE2CLOUD -> Diagnostics + +- Select the related information for VPC ID/VNet Name, Connection, and Gateway + +- Select the option "Run analysis" under Action and click the button "OK" + +- View the suggestion on the prompt panel to troubleshoot Site2Cloud tunnel down issue + +- Follow the next step to view logs if needed + +Troubleshoot the keyword in the Diagnostics Action "Show logs" +-------------------------------------------------------------- + +- Go to SITE2CLOUD -> Diagnostics + +- Select the related information for VPC ID/VNet Name, Connection, and Gateway + +- Select the option "Show logs" under Action and click the button "OK" + +- Review the logs on the prompt panel + +- Compare your logs with the successful example logs as below + +|IKEv2_show_log| + +- Attempt to locate the keyword or failure message during IKEv2/IPsec negotiation. 
Here are some examples of negotiation failure and hint to fix or troubleshoot it further: + + - `Keyword: "Error: Failed to deliver message to gateway"`_ + + - `Keyword: "establishing IKE_SA failed, peer not responding"`_ + + - `Keyword: "NO_PROPOSAL_CHOSEN"`_ + + - `Keyword: "AUTHENTICATION_FAILED"`_ + + - `Keyword: "no shared key found"`_ + + - `Keyword: "failed to establish CHILD_SA, keeping IKE_SA"`_ + +Keyword: "Error: Failed to deliver message to gateway" +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Probable Causes: + +- Aviatrix Controller cannot reach to gateway + +Suggestions: + +- Refer to `Aviatrix Gateway Troubleshooting Playbook `_ + +Keyword: "establishing IKE_SA failed, peer not responding" +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Probable Causes: + +- Peer IP address is mismatched, or peer IP address is not reachable + +- UDP Port 500/4500 is not accessible + +Suggestions: + +- Troubleshoot connectivity between Aviatrix gateway and peer VPN router + +Keyword: "NO_PROPOSAL_CHOSEN" +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Probable Causes: + +- Peer IP address is mismatched, or peer IP address is not reachable + +- IKE version is mismatched (one VPN gateway uses IKEv1 and another one uses IKEv2) + +- IKEv2 algorithm is mismatched + +- IPsec algorithm is mismatched + +Suggestions: + +- Troubleshoot connectivity between Aviatrix gateway and peer VPN router + +- Verify that both VPN settings use the same IKEv2 version + +- Verify that all IKEv2/IPsec algorithm parameters (i.e., Authentication/DH Groups/Encryption) match on both VPN configuration + +Keyword: "AUTHENTICATION_FAILED" +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Probable Causes: + +- IKE version is mismatched (one VPN gateway uses IKEv1 and another one uses IKEv2) + +- pre-shared key is mismatched + +- Identifier configuration is mismatched + +Suggestions: + +- Verify that both VPN settings use the same IKEv2 version + +- Verify that pre-shared key match on both VPN 
configuration + +- Verify that Identifier match + + - By default, Aviatrix utilizes gateway's public IP as Local Identifier. + +Keyword: "no shared key found" +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Probable Causes: + +- IKE version is mismatched (one VPN gateway uses IKEv1 and another one uses IKEv2) + +- Identifier configuration is mismatched + +Suggestions: + +- Verify that both VPN settings use the same IKEv2 version + +- Verify that Identifier match + + - By default, Aviatrix utilizes gateway's public IP as Local Identifier. + +Keyword: "failed to establish CHILD_SA, keeping IKE_SA" +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Probable Causes: + +- IPsec algorithm is mismatched + +Suggestions: + +- Verify that all IPsec algorithm parameters (i.e., Authentication/DH Groups/Encryption) match on both VPN configuration + +Other troubleshooting documents +=============================== + +- `Support Center Site2Cloud `_ + +- `Aviatrix Site2Cloud connection with IKEv1 End to End traffic Troubleshooting Playbook `_ + +.. |IKEv2_show_log| image:: site2cloud_media/IKEv2_show_log.png + :scale: 50% + +.. disqus:: diff --git a/HowTos/user_accelerator.rst b/HowTos/user_accelerator.rst index bb0226658..eb3c15cab 100755 --- a/HowTos/user_accelerator.rst +++ b/HowTos/user_accelerator.rst @@ -9,7 +9,7 @@ VPN User Accelerator =================================================== The VPN User Accelerator leverages the `AWS Global Accelerator `_ to connect -VPN users to the nearest AWS CloudFront access point and traverse the AWS backbone to the VPN gateway. +VPN users to the nearest AWS Edge location access point and traverse the AWS backbone to the VPN gateway. .. Note:: When this feature is enabled, the VPN user source address is masked out by AWS. diff --git a/HowTos/uservpn-TGW.rst b/HowTos/uservpn-TGW.rst index c1baf15d7..84e6a8693 100644 --- a/HowTos/uservpn-TGW.rst +++ b/HowTos/uservpn-TGW.rst 
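Review bot: in the new troubleshooting page, the probable causes for "NO_PROPOSAL_CHOSEN" list "Peer IP address is mismatched, or peer IP address is not reachable", which cannot be right: NO_PROPOSAL_CHOSEN is a notification received from the peer, so the peer was reached; the real causes are the proposal mismatches already listed (IKE version, IKEv2 algorithms, IPsec algorithms), and the "Troubleshoot connectivity" suggestion under that keyword should go. Two related points: "Verify that both VPN settings use the same IKEv2 version" should say "the same IKE version (IKEv2 on both sides)", since IKEv2 has no sub-versions, and "failed to establish CHILD_SA, keeping IKE_SA" is also logged when the peer rejects the traffic selectors (TS_UNACCEPTABLE), so add "local/remote subnet (traffic selector) mismatch" as a probable cause with a suggestion to compare the configured subnets on both ends. Wording: "Login Aviatrix Controller" should be "Log in to the Aviatrix Controller", and "(i.e., Authentication/DH Groups/Encryption)" should use "e.g.".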
@@ -19,12 +19,12 @@ The first step is to create a TGW from the Aviatrix Controller. b. Navigate to the TGW Orchestrator tab on the left side of the screen and click "Plan". - c. Next, select your cloud type. In this case it is AWS. Fill in the reamining information, name the TGW, and hit create. + c. Next, select your cloud type. In this case it is AWS. Fill in the remaining information, name the TGW, and hit create. |createTGW| To learn more about Transit Gateway deployment follow this link: - `Next Gen Transit for AWS FAQ `_ + `AVX Transit for AWS FAQ `_ 2. Create a Security Domain @@ -58,7 +58,7 @@ Now we have allowed both the Dev and Prod Domains to connect to the Shared Servi 4. Attach VPCs to TGW ---------------------- -The next step is to attach your existing VPCs to the Transist Gateway (TGW) created in Step 1. +The next step is to attach your existing VPCs to the Transit Gateway (TGW) created in Step 1. To perform this, navigate in the Aviatrix Controller to the "Build" section under the TGW Orchestrator tab. In section 1 "Attach VPC to TGW" @@ -190,4 +190,4 @@ OpenVPN is a registered trademark of OpenVPN Inc. .. |ping_test| image:: uservpn_TGW_media/ping_test.png :scale: 30% -.. disqus:: \ No newline at end of file +.. disqus:: diff --git a/HowTos/uservpn.rst b/HowTos/uservpn.rst index 9819b2802..8c8272df9 100644 --- a/HowTos/uservpn.rst +++ b/HowTos/uservpn.rst @@ -156,6 +156,9 @@ be able to connect then. |New_User| +Detach and revoke: will not only detach the user but revoke the user certificate as well. +attach: will re-attach detached users and also re-create the user certificate if the user certificate is revoked. + Conclusion ---------- You now have a working Aviatrix VPN Gateway. Users can connect and gain access to their cloud resources. diff --git a/HowTos/using_VPC_Endpoints_w_AVX.rst b/HowTos/using_VPC_Endpoints_w_AVX.rst new file mode 100644 index 000000000..568418398 --- /dev/null +++ b/HowTos/using_VPC_Endpoints_w_AVX.rst 
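Review bot: the two lines added to uservpn.rst ("Detach and revoke: will not only detach the user but revoke the user certificate as well." and "attach: will re-attach detached users ...") imply that a plain detach leaves the user's certificate valid; say that explicitly and recommend "Detach and revoke" when offboarding a user, otherwise readers will not see the difference between the two actions. Format them as a bullet list with capitalised labels ("Detach and revoke", "Attach") and keep a blank line before the "Conclusion" heading. Separately, the uservpn-TGW hunk renames the FAQ link to "AVX Transit for AWS FAQ" while the rest of this patch standardises on "Aviatrix Transit"; use the spelled-out name.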
@@ -0,0 +1,170 @@ + + + +.. meta:: + :description: Using AVX S2C to use VPC endpoints in different regions + :keywords: site2cloud, endpoints, AWS Global Transit Network, Aviatrix Transit Network + + +=========================================================================================== +Using Aviatrix Site2Cloud tunnels to access VPC Endpoints in different regions +=========================================================================================== + +`VPC Endpoints `_ in AWS allow you to expose services to customers and partners over AWS PrivateLink. +In situations where allowing resources to be accessed directly from the Internet is undesirable, VPC Endpoints can enable internal VPC connectivity to resources in other accounts. + +One limitation of Endpoints is that it is a regional construct, meaning you can't use it to provide connectivity to resources across regions. In some cases it's not possible to move these workloads. + +This is where Aviatrix can help overcome that limitation. + +The end design will look similar to the diagram below. + +|image1| + +| + +Environment Requirements +--------------------------------------------------------- + +Three VPCs. + +In this example there are 2 VPCs in US-East-1. One customer/partner VPC(10.10.10.0/24) with an Endpoint, and our VPC(10.10.11.0/24) with an Endpoint Service tied to an internal Load Balancer. +There is 1 VPC(10.10.12.0/24) in US-East-2 that hosts our workload. + +A set of Aviatrix Gateways, 2 in our VPC in US-East-1, and 2 in the workload VPC in US-East-2. +Deploying a set of HA Gateways is documented `here `_ + +Once deployed, a set of Site2Cloud tunnels will be built. Documentation for building a tunnel between Aviatrix Gateways is `here `_ + +They should be built in an active-passive manner to avoid asymmetric routing in AWS. 
+ + + + +Step 1: Deploy an internal Load Balancer in AWS +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +From the EC2 section in the console, choose Load Balancers. + +|image2| + +Choose Network Load Balancer + +|image3| + +Give the LB a name, choose internal, program a listening port for your workload(80 for this test), and choose all availability zones in our US-East-1 VPC. + +|image4| + +On the Routing section, create a new target group using our workload, port 80. Target type will be instance. Health Checks will be TCP based. + +|image5| + +In the Targets section, choose the Aviatrix Gateways in our US-East-1 VPC and move them to Registered Targets. Click Next to review, then Create. + + + + +Step 2: Attach an Endpoint Service to our new Load Balancer +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +From the VPC section of the AWS console, choose Endpoint Services, then Create Endpoint Service. + +The new Load Balancer will be in the list as an available NLB. + +|image6| + +Update these options as needed. Create Service. + + +|image8| + +That Service ARN will be what our customer uses to register a service in their VPC. + +|image9| + +Step 3: Create Endpoint in Customer VPC +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In the Customer VPC console, build a new Endpoint. + +Enter the ARN from the last step, and choose the Customer VPC to expose an endpoint in. Once built, the Endpoint DNS names can be used to route traffic. + +|image10| + + +Step 4: Configure Destination NAT rules on Aviatrix Gateway +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +A Destination NAT(DNAT) rule sends traffic from our VPC in US-East-1 to the workload VPC in US-East-2. + +On the controller, highlight the primary gateway deployed in our US-East-1 VPC. Click the Edit link. + +|image11| + +Scroll to the Destination NAT section and choose ADD NEW. + +Ensure Sync to HA Gateway is selected. 
+ +Source CIDR will be the source of our US-East-1 VPC, 10.10.11.0/24. Destination CIDR will be the private IP of our Primary Gateway. In our example 10.10.11.5/32. Destination port in our example is 80. Protocol TCP. Connection is None. DNAT IPS in our example will be in the workload VPC available across our Site2Cloud tunnel. The server is 10.10.12.69. DNAT PORT is 80. + +Once filled out, hit SAVE, then UPDATE. + +Repeat this step in a second rule, updating the Destination CIDR to point to the private IP of the HA Gateway. + + +|image12| +|image13| + + + +Step 5: Test connections +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Ensure health checks on your Internal Load Balancer are healthy. Network Security Groups on your workload VPC(10.10.12.0/24) allow traffic from our VPC in US-East-1(10.10.11.0/24) + +Only 1 tunnel will be active in our scenario, and Aviatrix will update the route tables to point to the active tunnel. + +A simple way to test connectivity is to edit the /etc/hosts file on a linux instance to point to one of the DNS entries from the Endpoint in the Customer VPC. + + +.. |image1| image:: VPCEndpoints/VPCEndpointsDiagram.png + :scale: 50% + +.. |image2| image:: VPCEndpoints/image2.png + :scale: 100% + +.. |image3| image:: VPCEndpoints/image3.png + :scale: 75% + +.. |image4| image:: VPCEndpoints/image4.png + :scale: 75% + +.. |image5| image:: VPCEndpoints/image5.png + :scale: 75% + +.. |image6| image:: VPCEndpoints/image6.png + :scale: 50% + +.. |image7| image:: VPCEndpoints/image7.png + :scale: 50% + +.. |image8| image:: VPCEndpoints/image8.png + :scale: 50% + +.. |image9| image:: VPCEndpoints/image9.png + :scale: 100% + +.. |image10| image:: VPCEndpoints/image10.png + :scale: 60% + +.. |image11| image:: VPCEndpoints/image11.png + :scale: 100% + +.. |image12| image:: VPCEndpoints/image12.png + :scale: 50% + +.. |image13| image:: VPCEndpoints/image13.png + :scale: 50% + +.. disqus:: 
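Review bot: in the new VPC Endpoints page, Step 1 registers the Aviatrix gateways as NLB targets on port 80 and Step 4 relies on DNAT on those gateways, but nothing states that the gateways' security group must admit the NLB health-check and PrivateLink traffic on that port; add that requirement to Step 5 next to the workload-VPC check, and use "security groups" there rather than "Network Security Groups", which is Azure terminology. Two markup issues: the underline under "Step 4: Configure Destination NAT rules on Aviatrix Gateway" is shorter than the title, which docutils reports as "Title underline too short", and |image7| is defined but never referenced.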
diff --git a/Solutions/aviatrix_aws_meshVPC.rst b/Solutions/aviatrix_aws_meshVPC.rst index caaa0f25b..c1d883080 100644 --- a/Solutions/aviatrix_aws_meshVPC.rst +++ b/Solutions/aviatrix_aws_meshVPC.rst @@ -139,7 +139,7 @@ https:// 5.1 Onboarding and create a cloud account -------------------------------------------- -Upon logging in to the controller for the first time, follow the onboarding process to create a cloud account that corresponds to an AWS IAM account. Aviatrix CloudN uses the account's IAM credential to execute AWS REST APIs to create a VPC and necessary resources. +Upon logging in to the controller for the first time, follow the onboarding process to create a cloud account that corresponds to an AWS IAM account. Aviatrix CloudN uses the account's IAM credential to execute AWS APIs to create a VPC and necessary resources. 5.2 Create a VPC and build an encrypted tunnel diff --git a/Solutions/old_aviatrix_aws_transitvpc.rst b/Solutions/old_aviatrix_aws_transitvpc.rst index 10d78be26..f8fcfaf7a 100644 --- a/Solutions/old_aviatrix_aws_transitvpc.rst +++ b/Solutions/old_aviatrix_aws_transitvpc.rst 
@@ -23,7 +23,7 @@ This document is published by AWS Answers for `AWS Global Transit Network `__ - Nutanix VLAN extended to AWS or Azure -- `Site to Cloud <../HowTos/cloudn-site2cloud.html>`__ - Build encrypted tunnel to existing VPC (AWS) or VNet (Azure) -- `IPmotion <../HowTos/ipmotion.html>`__ - Migrate on-premise VMs to AWS or Azure while preserving IP addresses - -Getting Started -=============== -There just a few steps to getting started: - -#. `Download and add <#step1>`__ the Aviatrix Virtual Appliance image to Nutanix -#. If you will be using Datacenter Extension (extending Nutanix VLAN to AWS/Azure), create a new VLAN that needs to be extended to AWS. Otherwise skip to the next step. -#. `Create a new VM <#step2>`__ in Nutanix -#. Set up `Aviatrix <#step3>`__ -#. Configure Aviatrix for your `Use Case <#step4>`__ - -.. _Step1: - -Download and Add the CloudN Image to Nutanix -============================================ - -#. Download the KVM image from `here `__ -#. Extract the .qcow2 file -#. Upload the image file to Nutanix - - |imageNutanixAddImage| - - .. note:: - Due to the size of the .qcow2 image file, you may need to upload it first to an S3 bucket and then pass the URL of the S3 file to Nutanix. - - |imageNutanixAddImageS3URL| - -#. Once the image has been uploaded, add it to the Catalog. - - |imageNutanixAddImageToCatalogMenu| - - |imageNutanixAddImageToCatalogDialog| - - -.. _Step2: - -Create a new VM on Nutanix Cluster -================================== - -#. Create a new VM in your Nutanix cluster -#. Populate the `Name` and `Description` fields -#. For initial configurations, we recommend 1 VCPU with 2 cores and 4 GiB of memory - - |imageNutanixCreateVMTopDialog| - -#. Remove all disks currently attached to the VM -#. Add a new disk. Be sure to select `Clone from Image Service` for the `Operation` - - |imageNutanixCreateVMAddDisk| - -#. Add 2 NICs. These 2 NICs should both be in that VLAN you want Aviatrix running on. 
If you are doing Datacenter Extension (VLAN extension to AWS or Azure), You will need to pick the VLAN you created for this use case. - - |imageNutanixCreateVMAddNIC| - -#. Power the VM on - - -.. _Step3: - -Set up Aviatrix Gateway -========================== - -#. Open the console to the Aviatrix Gateway VM -#. Login with the default username and password: - - | **username:** admin - | **password:** Aviatrix123# - -#. Once logged in, you will see a console. There are 2 options available: - - - `setup_interface_address` - - `setup_interface_static_address` - - - |imageAviatrixConsoleInitial| - -#. Run the setup command - - |imageAviatrixConsoleRunSetup| - -.. _Step4: - -Configure Aviatrix for Use Case -=============================== - -#. Login to the administrative web console - - https:// - - | **username:** admin - | **password:** IP address entered in previous setup step - -#. Follow instructions for your use case: - -- `Datacenter Extension <../Solutions/aviatrix_aws_meshVPC.html>`__ - Nutanix VLAN extended to AWS or Azure -- `Site to Cloud <../HowTos/cloudn-site2cloud.html>`__ - Build encrypted tunnel to existing VPC (AWS) or VNet (Azure) -- `IPmotion <../HowTos/ipmotion.html>`__ - Migrate on-premise VMs to AWS or Azure while preserving IP addresses - - -.. |imageNutanixAddImage| image:: cloudn_nutanix_startup_guide_media/nutanix_add_image.png - -.. |imageNutanixAddImageS3URL| image:: cloudn_nutanix_startup_guide_media/nutanix_add_image_s3_url.png - -.. |imageNutanixAddImageToCatalogDialog| image:: cloudn_nutanix_startup_guide_media/nutanix_add_image_to_catalog_dialog.png - -.. |imageNutanixAddImageToCatalogMenu| image:: cloudn_nutanix_startup_guide_media/nutanix_add_image_to_catalog_menu.png - -.. |imageNutanixCreateVMTopDialog| image:: cloudn_nutanix_startup_guide_media/nutanix_create_vm_top.png - -.. |imageNutanixCreateVMAddDisk| image:: cloudn_nutanix_startup_guide_media/nutanix_create_vm_add_disk.png - -.. 
|imageNutanixCreateVMAddNIC| image:: cloudn_nutanix_startup_guide_media/nutanix_create_vm_add_nic.png - -.. |imageAviatrixConsoleInitial| image:: cloudn_nutanix_startup_guide_media/aviatrix_console_initial.png - -.. |imageAviatrixConsoleRunSetup| image:: cloudn_nutanix_startup_guide_media/aviatrix_console_run_setup.png diff --git a/StartUpGuides/CloudN-Startup-Guide.rst b/StartUpGuides/CloudN-Startup-Guide.rst deleted file mode 100644 index 82bb34568..000000000 --- a/StartUpGuides/CloudN-Startup-Guide.rst +++ /dev/null 
@@ -1,754 +0,0 @@ -.. meta:: - :description: Aviatrix Virtual Appliance CloudN Startup guide - :keywords: Aviatrix Cloud Interconnect, DCCX, CloudN, datacenter extension - -======================================= - Virtual Appliance CloudN -======================================= - - - -The Aviatrix CloudN virtual appliance is deployed in an on-premise datacenter or co-location facility. - -CloudN supports REST API that allows for further automation and third party software integration. -REST API documentation can be found at `this link. `_ For an example of how to use REST API, check out `this link. `__ - -CloudN performs three major functions: - -- **Datacenter Extension** Extend your datacenter to multi cloud (Datacenter Extension or DCCX). Read `How to build agile DevOps documentation `_ for instructions. - -- **Site2Cloud** Build an encrypted tunnel to existing VPC/VNets (on-prem gateway for Site2Cloud). Read `How to build Site2Cloud `_ for instructions. - -- **IPmotion** Build connectivity that makes it possible to migrate on-prem VMs to the cloud while preserving their IP addresses. Read `How to setup IPmotion `_ for instructions. - -The following guide provides step by step instructions for deploying the virtual appliance. Read carefully as there are specific instructions for each of the above three use cases. - - -1. Download the Image -======================= - -The virtual appliance CloudN image can be downloaded from `the download link. `_ - - -2. Pre-Installation Check List -=============================== - -2.1. AWS EC2 Account for Datacenter Extension and IPmotion ------------------------------------------------------------ - -.. Note:: If CloudN is deployed for Site2Cloud function, you do not need to setup an EC2 account. Skip section 2.1. - -.. - - If you intend to launch a VPC in AWS, you need to have an AWS account. - - You need to have an AWS account in order to use most of the commands on - CloudN. 
Note that CloudN supports multiple CloudN cloud accounts with - each one associated with a different AWS account or IAM account, but - there needs to be at least one to start with. - - The AWS account can be a root account, an IAM user in an Administrator - Group or an IAM user with full access permission to EC2, VPC, S3, SQS, - SNS, CloudTrail and Route 53. For security reasons, we strongly - recommend you use an IAM user account. During onboarding, you will have the - opportunity to copy and paste a custom policy required by Aviatrix to - your AWS IAM account. - -2.1.1. IAM Administrator -***************************** - - The following steps show you how to add a user to Administrator Group in - AWS. - - Step 1. Login to https://console.aws.amazon.com/iam - - Step 2. Click Users, select the user that needs to be added to - Administrative privilege and click Add User to Groups - - |image4| - - Step 3. Add joe\_smith to admin group which was created previously via - Groups tab on the console. - - |image5| - -2.1.2. IAM User -******************* - - If you are an IAM user, make sure you have full access to EC2, VPC, S3, - SQS, SNS and CloudTrail service. Refer to this link on how to setup an - IAM access policy required by CloudN. During the onboarding process, we - will guide you through on setting up this IAM customer policy. - -2.2. Microsoft Azure Account for Datacenter Extension -------------------------------------------------------- - -.. Note:: If CloudN is deployed for Site2Cloud function, you do not need to set up an Azure account. Skip this section. - -.. - - To create credentials for Azure, follow `these instructions. `_ - -2.3. Deploy CloudN as a virtual router (Site2Cloud function) ------------------------------------------------------------- - - You can deploy CloudN as a virtual router and in a remote site for - Site2Cloud function. 
- -|image8| - - In this deployment, CloudN functions as a router deployed anywhere inside a datacenter and does not require a public IP address. - What is required is that - the default gateway of the subnet where CloudN is deployed has a static - route configured that routes traffic destined to the VPC CIDR where this - remote site wishes to connect to the CloudN. - -2.4. Deploy CloudN for Aviatrix Datacenter Extension ----------------------------------------------------------- - -If you plan to use CloudN for IPmotion, skip section 2.4 - -2.4.1. Cloud address planning and allocation -*********************************************** - - When used for datacenter extension (DCCX) function, CloudN manages your entire cloud address space. - - You need to identify or create a subnet where CloudN is deployed. CloudN - is deployed on a private subnet anywhere on your network. The CloudN does - not take a public IP address. Make sure this subnet is reachable by - other subnets where traffic is originated from. - - CloudN should be deployed on a subnet (or VLAN) where CloudN is the only - virtual machine on the VLAN. The CloudN VM’s IP address is determined by - CloudN software during installation time. - - The default gateway for the VLAN should either have the lowest address - or highest address for the VLAN. For example, if the VLAN where CloudN - is deployed is 10.10.0.0/16, the default gateway IP address for this - VLAN should be either 10.10.0.1 or 10.10.255.254. - - The size of this subnet or VLAN should be large enough to allow the - creation of the desired number of VPCs. For example, a network with a /16 - prefix can support 15 VPC/VNets with each VPC/VNet containing a /24 subnet - in AWS or Azure. - - CloudN allocates 4 bits or 16 subnets in each VPC. By default, two - subnets, one private and one public subnet, are created in each - available zone. A user can customize and create additional subnets. - -2.4.2. 
Deploy on Subnets larger than /24 -****************************************** - - If you deploy a CloudN in a /23 subnet, only two VPC/VNet can be - created. This VPC/VNet can support 8 subnets. - - It is recommended that you deploy CloudN in a subnet size between /16 - and /22. Below is a table describing the relationship between subnet size and the - maximum number of VPCs. - - |image6| - -2.4.3. Deploy on a Class C Subnet -************************************** - - Deploying CloudN in a /24 subnet is a special case. It is handled - differently than any other size of subnet. - - In this case, there is only one public subnet and 2 private subnets with - each in a different availability zone created for a VPC Container. Up to - 2 VPCs can be launched. Since not every AZ (Availability Zone) is - covered in subnet creation, applications that require subnets in each AZ - would not work. Deploying on a /24 subnet is best used for POC projects. - - If you have local machines on the subnet where CloudN is deployed, you - need to make sure all local machines including the default gateway and - CloudN are in one sub segmented area, as illustrated below: - - |image7| - - Leaving local machines outside the address range of 192.168.1.0/26 can - result in duplicate IP addresses. - - Each VPC has 1 public subnet and 2 private subnets. - -2.5. Network Interfaces --------------------------------- - - The CloudN local gateway is installed as a VM host with two network - interfaces. Make sure the two interfaces are on the same VLAN or subnet. - - If CloudN runs on the VMware ESXi host, follow the instructions in the next - chapter to enable promiscuous mode and forged transmit mode for both - interfaces. - - If CloudN runs on Microsoft Hyper-V, you do not need to configure the - network interfaces as they are pre-configured as part of the VHD image. - -2.6. 
Internet Connectivity --------------------------- - - CloudN needs to have Internet connectivity to perform most of its - functions. - -2.7. Proxy Settings -------------------- - - If there is a proxy server on-prem for Internet access, contact an IT - administrator to obtain a proxy server IP address, proxy port, and if - there needs to be a username and password for authenticating by the - proxy. - -2.8. Binding to CloudN Private IP address to a Single NAT Public IP Address ---------------------------------------------------------------------------- - .. Note:: If you select TCP as the tunnel type for either datacenter extension or site2cloud function, the constraints in this section do not apply. - - .. - - If your organization has more than one public IP addresses as the NAT - address, you must bind CloudN’s private IP address to one of the public - IP addresses. That is, CloudN will always be translated to one static - public IP address for its outbound traffic. - - For example, on Cisco ASA, you can configure the following to bind a - private IP address to one public IP: - - Step 1  Create a network object for the internal servers. - - :: - - hostname(config)# object network myWebServ - - hostname(config-network-object)# range 10.1.1.1 10.1.1.70 - - Step 2  Configure NAT to map servers from 10.1.1.1 to 10.1.1.70 to a - static public IP (209.165.201.10) - - :: - - hostname(config-network-object)# nat (inside,outside) static 209.165.201.10 - -2.9. Outbound TCP/UDP Ports ----------------------------------- - - CloudN requires the following TCP/UDP outbound ports open. - - - TCP port 443. - - - (optional) UDP ports 4500 and 500. - -.. Note:: Aviatrix CloudN supports encrypted tunnels over TCP port 443. If you select TCP as the tunnel type for datacenter extension or site2cloud function, no UDP ports 500/4500 are required to be open. The advantage of selecting TCP as the tunnel type is the reduction of deployment friction when building hybrid connectivity. 
In the current release for IPmotion, only UDP mode is supported. - -.. - - If you choose to reduce the scope of the above ports, you can limit them - to only AWS owned public IP address blocks. All AWS public IP addresses can be found in `this link. `__ - - Since CloudN operates in a client-server mode where the CloudN local - gateway is the client, there is no restriction or requirement to open - any known TCP/UDP port for inbound traffic. - -2.10. Time Service ---------------------- - - CloudN extensively uses Amazon Web Service (AWS) APIs and Azure REST - APIs. These APIs checks timestamp for each API call. CloudN is - pre-configured to synchronize its time with the host (please double check on - the VM advanced option to make sure this is the case.) To ensure correct - operation of CloudN, it is important that the Host where CloudN is - installed has the correct time. - - Most likely enterprise data center syncs VM time to host. However if - your environment requires you to sync time to an NTP server, CloudN - allows you to accomplish that. You can configure this at Settings -> - Time Service. - -2.11. Performance Consideration -------------------------------------- - - CloudN is a virtual appliance that runs on a hypervisor. The supported - hypervisors are VMware hypervisor products, Microsoft Enterprise 8.1 - Hyper-V and Oracle VirtualBox. - - By default CloudN is packaged with 2 vCPU, 4GB of memory and 20GB of hard disk (SCSI storage or hard drive) as part of - its image make up. You can always reconfigure the VM to take more CPU - and memory. - - For maximum performance, it is recommended that the host CPU has support - for Intel AES-NI and instructions set for hardware encryption. Intel - processors Westmere, Sandy Bridge, Ivy Bridge and Haswell all have AES-NI - enabled. 
- - In test environments, TCP throughput (using iperf tool) in the vicinity - of 880Mbps has been observed with CloudN running on a VMware ESXi host - with an Intel Xeon CPU (E3-1220L V2 @ 2.30GHz). - ----- - -3. Installation -================= - -The CloudN OVF image can be imported and installed on a VMware ESXi 5.0/5.1 -host, VMware Workstation, Fusion and VMware Player. Once you have signed -up as an Aviatrix customer, follow the instructions to download the zip -file on your PC. CloudN OVF image usually takes the name -“cloudN-ovf-date” where date is the time when the image was built. - -It is recommended that you run CloudN on ESXi 5.0 or later versions. However, you -can install the software on a VMware Player, VMware Workstation and Fusion -for testing and evaluation purposes. - -3.1. Installation on ESXi 5.0 or later -------------------------------------------- - - After downloading and extracting the zip file, copy the folder to a - location where you can import the virtual machine. For installation, - follow the steps below. - - Step 1: In the vSphere Client, select File > Deploy OVF Template - - |image9| - - Step 2: Locate the folder where the “.ovf” file is located - - |image10| - - Step 3: Click Next to proceed through the rest of the installation. - Please refer to the page - `ESXi Admin `_ - for more detailed instructions. - -3.1.1. Configure Network Adapter Properties for -************************************************************* - -.. Note:: If you deploy CloudN for Site2Cloud connectivity, CloudN network interfaces are not in promiscuous mode. Skip this section. - -.. - - CloudN has two network interfaces, both of which need to be on the same - VLAN. - - After the installation is finished, follow these steps to enable - promiscuous mode on the network adapter (below is an example): - - **Step 1**. Select (Highlight) the ESXi host tab where CloudN is hosted (for - example, 192.168.1.34) and click on the Configuration tab. 
- - |image11| - - **Step 2**. In the Hardware section, click Networking and then properties. - - |image12| - - **Step 3**. Select VM Network adapter for CloudN and click edit. - - |image13| - - **Step 4**. Click the Security tab. From the Promiscuous Mode dropdown menu, - click the box and select accept and click OK. If you are running ESXi - 5.1 or later, you also need to set Forged Transmit Mode for the port - group to “Accepted”. - - |image14| - - For more information on configuring security policies on the network - switch, please refer to the instructions in `this link `_. - - For additional CloudN on ESXi configuration illustrations, check out - `this note `_ - -.. Note:: DCCX does not support NIC teaming in active-active mode. -.. - - When NICteaming is configured, only active-standby mode is supported, as - shown below where the ESXi host has 4 Ethernet ports and VLAN220 is the - port group CloudN Ethernet ports belong to. - - |image15| - - -3.2. Installation on Windows 8.1 Enterprise Edition ------------------------------------------------------ - - CloudN VHD image can be deployed on Windows 8.1 Enterprise Edition, or - Windows 2012 Server R2 Hyper-V. - - After downloading the zip file and decompressing it, copy the folder to - a location where you can import the virtual machine. For installation, - follow the guide below. - - **Step 1**: Import the VHD Image - - |image16| - - **Step 2**: Locate Folder - - |image17| - - **Step 3**: Copy the Virtual Machine - - |image18| - - **Step 4**: Connect to the Virtual Machine - - |image19| - - **Step 5**: Start the Virtual Machine - - |image20| - - **Step 6**: Login to Virtual Machine - - :: - - User Name: admin - - Password: Aviatrix123# - -3.2.1. Enable MAC Address Spoofing for DCCX and IPmotion -********************************************************* - -.. Note:: If you deploy CloudN for Site2Cloud function, MAC Spoofing is not needed. Skip this section. -.. 
- - Both Network Adapters associated with CloudN VM should have “Enable MAC - Address Spoofing” turn on. This is accomplished by expanding the Network - Adapter, selecting Advanced Feature and checking the box “Check MAC Address - Spoofing” for each Network Adapter. - - As part of VHD image, this setting should already be configured and - should not be changed. - - |image21| - -3.3. NIC Teaming Support for DCCX and IPmotion ------------------------------------------------- - -.. Note:: If you deploy CloudN for Site2Cloud function, active and active NIC team is supported. -.. - - For DCCX, NIC teaming is only supported for active standby mode. - - -4. Booting Up and Initial Configuration -========================================= - -This section and the following steps can be automated. Check out `this vmware PowerCli script. `_ - -The below description is how you can boot up in a manual way. - -After the virtual machine boots up, you must first login to the -machine while still in the hypervisor console. - -**CloudN Login User Name: admin** - -**CloudN Login Password: Aviatrix123#** - -After this initial login, if you see the screen the screen below. - -|image40| - -Follow the instruction to type “help” at the prompt. - -|image41| - -Follow the steps to go through the boot up process. You can type “help” -at any time to review the steps. Type “?” to view all available -commands. For each command, type “?” to view syntax and parameters. - -4.1. **Step 1**: Setup Interface Address ------------------------------------------ - - There are two ways to give CloudN its IP address: auto-generate by - CloudN itself or statically assign one. - -4.1.1. 
Statically assign CloudN IP address (Recommended method) -*************************************************************** - - Command: setup\_interface\_static\_address - - Syntax: setup\_interface\_static\_address [static\_ip\_address] - [net\_mask] [default\_gateway\_ip\_address] - [primary\_dns\_server\_ip\_address] - [secondary\_dns\_server\_ip\_address] [proxy {true\|false}] - - Below is an example where there is no proxy server. In such a case, CloudN - will configure the network interfaces, test Internet connectivity and - download the latest Aviatrix software. - - |image42| - -.. Note:: For DCCX deployment, choose CloudN IP to be next to the default gateway IP address of the VLAN or subnet where CloudN is deployed. This does not apply to IPmotion deployment. - -4.1.1.1. Proxy Configuration -****************************** - - If there is a proxy server for Internet access, you must set up proxy - configuration on CloudN to pass traffic to the proxy correctly. The following is - the necessary command. - - command: setup\_network\_proxy - - syntax: setup\_network\_proxy <--http\_proxy> <--https\_proxy> - - where action is “test” or “save”. - - Example: - - :: - - setup\_network\_proxy test --http\_proxy http://10.30.0.3:3128 - --https\_proxy http://10.30.0.3:3128 - - setup\_network\_proxy save --http\_proxy http://10.30.0.3:3128 - --https\_proxy http://10.30.0.3:3128 - - Note that after the proxy configuration is saved, CloudN VM will reboot to have - the proxy take effect. - -4.1.2. Auto-generate CloudN interface IP address -*************************************************** - - All you need to do here is provide information related to the subnet - where CloudN is deployed. 
CloudN scans the subnet and finds an IP address - that is close to the default gateway (for example, if the default - gateway is 10.10.0.1, CloudN will try 10.10.0.2) and is available, - CloudN will then assign itself this IP address and CloudN software will be - downloaded if the configuration is successful. - - Command setup\_interface\_address: - - Syntax: setup\_interface\_address [net\_mask] - [default\_gateway\_ip\_address] [dns\_server\_ip\_address\_1] - [dns\_server\_ip\_address\_2] [proxy {true\|false}] - - |image43| - - CloudN will identify an unused IP address in an iterative fashion and - assign it to itself. As seen in the above example, the IP address - generated is 10.88.0.3. - - Once the IP address is generated, CloudN will start to download the - latest CloudN software. - - …….. snippet……. - - |image44| - - If you see the above message, the download is completed. - -4.2. Step 2: Display Interface Address ---------------------------------------- - - |image45| - - Now you can use the cloudN IP address as a URL to access the CloudN Manager - that manages CloudN. - - Note: The hypervisor console has only limited CLI for initial booting-up - purposes. Once the Aviatrix software is downloaded, full commands are - installed. - - The User should use the GUI to access CloudN Console. - -4.3. Troubleshooting --------------------- - - If there is any error messages during installation, it is usually due to a - lack of Internet connectivity, an incorrect DNS server IP address or - unopened firewall ports. Type “?” to see all the commands that help you - troubleshoot. - - Use the commands “\ ***ping***\ ” and “\ ***traceroute***\ ” to check out - Internet connectivity. Check your DNS server setting and consult your - network and server admin to determine the cause of routing failure. - - After connectivity issue is resolved, use command - “download\_cloudn\_software” to continue installation and finish. Or you - can type in setup\_interface\_address again. 
- -4.4. Use a Browser to Access CloudN ---------------------------------------- - - CloudN has a built in CloudN Console that let you run provisioning from - a browser. - - Once IP addressed setup is complete, you can use any browser, type - https:// and see a Login page. - - |image46| - - Login with: - - User Name: **admin** - - Password: **private IP address of the VM** - - After logging in, go through the initial setup process. - - For the first time user and initial set up, follow Onboarding to go - through the initial set up and launch your first VPC/VNet. - ----- - -.. Warning:: Any resources created by the Controller, such as Aviatrix gateways, AWS/Azure routing tables, subnets, etc, must be deleted from the controller console. If you delete them directly on the AWS console, the Controller's view of resources will be incorrect which will lead to features not working properly. - -.. - -5. Onboarding -=============== - -After you log in to the browser console, click Onboarding to go through a -few steps of initial setup and start using Aviatrix. - -For all feature documentation, go to docs.aviatrix.com - -For support issues, send email to support@aviatrix.com. - -Enjoy! - -.. |image0| image:: CloudN_Startup_Guide_media/image001.png - :width: 2.90683in - :height: 0.35000in -.. |image1| image:: CloudN_Startup_Guide_media/image002.png - :width: 6.50000in - :height: 3.65556in -.. |image2| image:: CloudN_Startup_Guide_media/image003.png - :width: 6.66736in - :height: 3.75069in -.. |image3| image:: CloudN_Startup_Guide_media/image004.png - :width: 6.34375in - :height: 2.49143in -.. |image4| image:: CloudN_Startup_Guide_media/image005.png - :width: 5.08878in - :height: 2.24352in -.. |image5| image:: CloudN_Startup_Guide_media/image006.png - :width: 4.98377in - :height: 2.19722in -.. |image6| image:: CloudN_Startup_Guide_media/image007.png - :width: 6.78264in - :height: 3.42942in -.. 
|image7| image:: CloudN_Startup_Guide_media/image008.png - :width: 5.43403in - :height: 3.40694in -.. |image8| image:: CloudN_Startup_Guide_media/image009.png - :width: 5.08365in - :height: 3.25278in -.. |image9| image:: CloudN_Startup_Guide_media/image010.png - :width: 5.02847in - :height: 2.76966in -.. |image10| image:: CloudN_Startup_Guide_media/image011.png - :width: 4.65347in - :height: 3.86107in -.. |image11| image:: CloudN_Startup_Guide_media/image010.png - :width: 5.52847in - :height: 3.04506in -.. |image12| image:: CloudN_Startup_Guide_media/image012.png - :width: 5.90347in - :height: 3.25161in -.. |image13| image:: CloudN_Startup_Guide_media/image013.png - :width: 5.55366in - :height: 3.60000in -.. |image14| image:: CloudN_Startup_Guide_media/image014.png - :width: 4.65196in - :height: 5.04306in -.. |image15| image:: CloudN_Startup_Guide_media/image015.png - :width: 4.31116in - :height: 5.29931in -.. |image16| image:: CloudN_Startup_Guide_media/image016.png - :width: 4.80625in - :height: 2.45417in -.. |image17| image:: CloudN_Startup_Guide_media/image017.png - :width: 4.65347in - :height: 3.51297in -.. |image18| image:: CloudN_Startup_Guide_media/image018.png - :width: 4.79795in - :height: 3.60000in -.. |image19| image:: CloudN_Startup_Guide_media/image019.png - :width: 5.01754in - :height: 2.42407in -.. |image20| image:: CloudN_Startup_Guide_media/image020.png - :width: 5.02847in - :height: 3.94766in -.. |image21| image:: CloudN_Startup_Guide_media/image021.png - :width: 5.02847in - :height: 4.76850in -.. |image22| image:: CloudN_Startup_Guide_media/image022.png - :width: 5.44632in - :height: 4.97500in -.. |image23| image:: CloudN_Startup_Guide_media/image023.png - :width: 5.49339in - :height: 4.97500in -.. |image24| image:: CloudN_Startup_Guide_media/image024.png - :width: 5.36000in - :height: 3.35000in -.. |image25| image:: CloudN_Startup_Guide_media/image025.png - :width: 5.87531in - :height: 4.20185in -.. 
|image26| image:: CloudN_Startup_Guide_media/image026.png - :width: 5.57477in - :height: 3.97500in -.. |image27| image:: CloudN_Startup_Guide_media/image027.png - :width: 5.15273in - :height: 3.67407in -.. |image28| image:: CloudN_Startup_Guide_media/image028.png - :width: 5.02847in - :height: 3.60535in -.. |image29| image:: CloudN_Startup_Guide_media/image029.png - :width: 5.27781in - :height: 3.53518in -.. |image30| image:: CloudN_Startup_Guide_media/image030.png - :width: 5.15347in - :height: 2.87345in -.. |image31| image:: CloudN_Startup_Guide_media/image031.png - :width: 5.15347in - :height: 3.63154in -.. |image32| image:: CloudN_Startup_Guide_media/image032.png - :width: 5.35637in - :height: 5.10000in -.. |image33| image:: CloudN_Startup_Guide_media/image033.png - :width: 5.27298in - :height: 2.85000in -.. |image34| image:: CloudN_Startup_Guide_media/image034.png - :width: 5.15347in - :height: 4.24250in -.. |image35| image:: CloudN_Startup_Guide_media/image035.png - :width: 5.15347in - :height: 4.24250in -.. |image36| image:: CloudN_Startup_Guide_media/image036.png - :width: 5.40347in - :height: 2.92053in -.. |image37| image:: CloudN_Startup_Guide_media/image037.png - :width: 5.74346in - :height: 3.10000in -.. |image38| image:: CloudN_Startup_Guide_media/image038.png - :width: 5.78376in - :height: 4.03518in -.. |image39| image:: CloudN_Startup_Guide_media/image039.png - :width: 5.83527in - :height: 4.10000in -.. |image40| image:: CloudN_Startup_Guide_media/image040.png - :width: 5.90347in - :height: 3.76788in -.. |image41| image:: CloudN_Startup_Guide_media/image041.png - :width: 6.50000in - :height: 3.82639in -.. |image42| image:: CloudN_Startup_Guide_media/image042.png - :width: 6.50000in - :height: 3.54931in -.. |image43| image:: CloudN_Startup_Guide_media/image043.png - :width: 5.65347in - :height: 3.50335in -.. |image44| image:: CloudN_Startup_Guide_media/image044.png - :width: 5.65347in - :height: 3.53435in -.. 
|image45| image:: CloudN_Startup_Guide_media/image045.png - :width: 5.65347in - :height: 2.18844in -.. |image46| image:: CloudN_Startup_Guide_media/image046.png - :width: 5.30625in - :height: 2.97910in - - -.. add in the disqus tag - -.. disqus:: diff --git a/StartUpGuides/CloudN_Startup_Guide_media/Thumbs.db b/StartUpGuides/CloudN_Startup_Guide_media/Thumbs.db deleted file mode 100644 index 3f492675a..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/Thumbs.db and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image001.png b/StartUpGuides/CloudN_Startup_Guide_media/image001.png deleted file mode 100644 index cbaf4a9e3..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image001.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image002.png b/StartUpGuides/CloudN_Startup_Guide_media/image002.png deleted file mode 100644 index 25d7c811c..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image002.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image003.png b/StartUpGuides/CloudN_Startup_Guide_media/image003.png deleted file mode 100644 index 62b0ee86e..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image003.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image004.png b/StartUpGuides/CloudN_Startup_Guide_media/image004.png deleted file mode 100644 index 9ebd8e04c..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image004.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image005.png b/StartUpGuides/CloudN_Startup_Guide_media/image005.png deleted file mode 100644 index b8b3ccec0..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image005.png and /dev/null differ 
diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image006.png b/StartUpGuides/CloudN_Startup_Guide_media/image006.png deleted file mode 100644 index 023ce2d0f..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image006.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image007.png b/StartUpGuides/CloudN_Startup_Guide_media/image007.png deleted file mode 100644 index 99208e928..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image007.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image008.png b/StartUpGuides/CloudN_Startup_Guide_media/image008.png deleted file mode 100644 index 421894bdf..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image008.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image009.png b/StartUpGuides/CloudN_Startup_Guide_media/image009.png deleted file mode 100644 index 314a33690..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image009.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image010.png b/StartUpGuides/CloudN_Startup_Guide_media/image010.png deleted file mode 100644 index 0b496680c..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image010.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image011.png b/StartUpGuides/CloudN_Startup_Guide_media/image011.png deleted file mode 100644 index a12bca5c6..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image011.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image012.png b/StartUpGuides/CloudN_Startup_Guide_media/image012.png deleted file mode 100644 index 0dc3d0ccc..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image012.png and /dev/null differ 
diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image013.png b/StartUpGuides/CloudN_Startup_Guide_media/image013.png deleted file mode 100644 index 200fa6ca9..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image013.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image014.png b/StartUpGuides/CloudN_Startup_Guide_media/image014.png deleted file mode 100644 index 83b2a307d..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image014.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image015.png b/StartUpGuides/CloudN_Startup_Guide_media/image015.png deleted file mode 100644 index 5f37f9293..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image015.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image016.png b/StartUpGuides/CloudN_Startup_Guide_media/image016.png deleted file mode 100644 index 79adae937..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image016.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image017.png b/StartUpGuides/CloudN_Startup_Guide_media/image017.png deleted file mode 100644 index 2f325bae5..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image017.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image018.png b/StartUpGuides/CloudN_Startup_Guide_media/image018.png deleted file mode 100644 index fbf1db03e..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image018.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image019.png b/StartUpGuides/CloudN_Startup_Guide_media/image019.png deleted file mode 100644 index 275af762f..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image019.png and /dev/null differ 
diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image020.png b/StartUpGuides/CloudN_Startup_Guide_media/image020.png deleted file mode 100644 index 3262cadde..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image020.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image021.png b/StartUpGuides/CloudN_Startup_Guide_media/image021.png deleted file mode 100644 index 28db90be0..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image021.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image022.png b/StartUpGuides/CloudN_Startup_Guide_media/image022.png deleted file mode 100644 index 3de2a4de8..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image022.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image023.png b/StartUpGuides/CloudN_Startup_Guide_media/image023.png deleted file mode 100644 index 808b89f2f..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image023.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image024.png b/StartUpGuides/CloudN_Startup_Guide_media/image024.png deleted file mode 100644 index 7d60704eb..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image024.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image025.png b/StartUpGuides/CloudN_Startup_Guide_media/image025.png deleted file mode 100644 index 2adbfdc5d..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image025.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image026.png b/StartUpGuides/CloudN_Startup_Guide_media/image026.png deleted file mode 100644 index fbf7ffff1..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image026.png and /dev/null differ 
diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image027.png b/StartUpGuides/CloudN_Startup_Guide_media/image027.png deleted file mode 100644 index b853a7cdb..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image027.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image028.png b/StartUpGuides/CloudN_Startup_Guide_media/image028.png deleted file mode 100644 index e33eaf0a1..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image028.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image029.png b/StartUpGuides/CloudN_Startup_Guide_media/image029.png deleted file mode 100644 index 11f35ddef..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image029.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image030.png b/StartUpGuides/CloudN_Startup_Guide_media/image030.png deleted file mode 100644 index e82224c6c..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image030.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image031.png b/StartUpGuides/CloudN_Startup_Guide_media/image031.png deleted file mode 100644 index ad7c1c925..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image031.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image032.png b/StartUpGuides/CloudN_Startup_Guide_media/image032.png deleted file mode 100644 index 3945d925c..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image032.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image033.png b/StartUpGuides/CloudN_Startup_Guide_media/image033.png deleted file mode 100644 index 4500781a2..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image033.png and /dev/null differ 
diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image034.png b/StartUpGuides/CloudN_Startup_Guide_media/image034.png deleted file mode 100644 index db042d756..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image034.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image035.png b/StartUpGuides/CloudN_Startup_Guide_media/image035.png deleted file mode 100644 index 6d6225142..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image035.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image036.png b/StartUpGuides/CloudN_Startup_Guide_media/image036.png deleted file mode 100644 index 1a44346f2..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image036.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image037.png b/StartUpGuides/CloudN_Startup_Guide_media/image037.png deleted file mode 100644 index e9600be8f..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image037.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image038.png b/StartUpGuides/CloudN_Startup_Guide_media/image038.png deleted file mode 100644 index 671f52e20..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image038.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image039.png b/StartUpGuides/CloudN_Startup_Guide_media/image039.png deleted file mode 100644 index c7f7f9fab..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image039.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image040.png b/StartUpGuides/CloudN_Startup_Guide_media/image040.png deleted file mode 100644 index 4c5f7aa0e..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image040.png and /dev/null differ 
diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image041.png b/StartUpGuides/CloudN_Startup_Guide_media/image041.png deleted file mode 100644 index 1e8d0395d..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image041.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image042.png b/StartUpGuides/CloudN_Startup_Guide_media/image042.png deleted file mode 100644 index a7bf1a9be..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image042.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image043.png b/StartUpGuides/CloudN_Startup_Guide_media/image043.png deleted file mode 100644 index 7f5dc4eaf..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image043.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image044.png b/StartUpGuides/CloudN_Startup_Guide_media/image044.png deleted file mode 100644 index bedd60c24..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image044.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image045.png b/StartUpGuides/CloudN_Startup_Guide_media/image045.png deleted file mode 100644 index 4b97ca19e..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image045.png and /dev/null differ diff --git a/StartUpGuides/CloudN_Startup_Guide_media/image046.png b/StartUpGuides/CloudN_Startup_Guide_media/image046.png deleted file mode 100644 index deb223da4..000000000 Binary files a/StartUpGuides/CloudN_Startup_Guide_media/image046.png and /dev/null differ diff --git a/StartUpGuides/GoogleAviatrixCloudControllerStartupGuide_media/gcp_controller_gcp_marketplace_01.png b/StartUpGuides/GoogleAviatrixCloudControllerStartupGuide_media/gcp_controller_gcp_marketplace_01.png new file mode 100644 index 000000000..034e6a478 Binary files /dev/null and b/StartUpGuides/GoogleAviatrixCloudControllerStartupGuide_media/gcp_controller_gcp_marketplace_01.png differ 
diff --git a/StartUpGuides/GoogleAviatrixCloudControllerStartupGuide_media/gcp_controller_gcp_marketplace_02.png b/StartUpGuides/GoogleAviatrixCloudControllerStartupGuide_media/gcp_controller_gcp_marketplace_02.png new file mode 100644 index 000000000..07b49e941 Binary files /dev/null and b/StartUpGuides/GoogleAviatrixCloudControllerStartupGuide_media/gcp_controller_gcp_marketplace_02.png differ diff --git a/StartUpGuides/GoogleAviatrixCloudControllerStartupGuide_media/gcp_controller_gcp_marketplace_03.png b/StartUpGuides/GoogleAviatrixCloudControllerStartupGuide_media/gcp_controller_gcp_marketplace_03.png new file mode 100644 index 000000000..94a551227 Binary files /dev/null and b/StartUpGuides/GoogleAviatrixCloudControllerStartupGuide_media/gcp_controller_gcp_marketplace_03.png differ diff --git a/StartUpGuides/ZeroToConnectivityInAWS_media/AMI_24x7_copilot.png b/StartUpGuides/ZeroToConnectivityInAWS_media/AMI_24x7_copilot.png new file mode 100644 index 000000000..8ec2b9ca8 Binary files /dev/null and b/StartUpGuides/ZeroToConnectivityInAWS_media/AMI_24x7_copilot.png differ diff --git a/StartUpGuides/ZeroToConnectivityInAWS_media/subscribe_24x7.png b/StartUpGuides/ZeroToConnectivityInAWS_media/subscribe_24x7.png new file mode 100644 index 000000000..a6a358839 Binary files /dev/null and b/StartUpGuides/ZeroToConnectivityInAWS_media/subscribe_24x7.png differ diff --git a/StartUpGuides/appendix-CloudN-Startup-Guide.rst b/StartUpGuides/appendix-CloudN-Startup-Guide.rst deleted file mode 100644 index 89c0dca68..000000000 --- a/StartUpGuides/appendix-CloudN-Startup-Guide.rst +++ /dev/null 
@@ -1,441 +0,0 @@ - - - -*********************************** -Test Drive CloudN on Your Laptop -*********************************** - -CloudN can be installed on your laptop and test driven for evaluation purposes. -It runs on VMware Workstation, VMware Player, Fusion and virtual box. - -Download CloudN Images -####################### - -Follow `these instructions `_ to download CloudN image. - - -Test Drive CloudN in NAT Mode -################################# - -One good configuration to test drive cloudN is to deploy it on your -laptop on a private subnet in NAT mode (In Hyper-V, the network adapters -are configured as Internal Network Wire). - -As an example, if your NAT mode subnet is 192.168.10.0/24, you can -create a maximum of 2 VPCs from CloudN deployed on this subnet. Suppose the -default gateway IP address is 192.168.10.2. You should configure CloudN to -take 192.168.10.3 as its IP address. - -In addition, CloudN reserves IP -address ranges from 192.168.10.4 to 192.168.10.7. (If you have other VMs -running on this subnet, if their IP address fall in the same sub -segment as CloudN, you can use one of these VMs as test VM.) - -Once you launch VPCs from this CloudN, the other VMs on the -subnet should be able to run SSH, RDP, and SCP (file copy) to any -instances in VPCs using the instance private IP address seamlessly, -without any bastion station or landing VPC. Refer to How It Works -section for more explanations. - -.. Note:: If you install CloudN on a NAT subnet, make sure both Ethernet interfaces are changed to NAT mode (By default, CloudN is pre-configured and shipped with both Network Adapters in Bridged mode). Right click on the CloudN VM, click Settings. Change both Network Adapters to NAT mode, as shown below for the VMware Workstation: - -|image23| - -Test Drive on MAC with VMware Fusion ------------------------------------- - -After downloading the zip file and decompressing it, copy the folder to -a location where your Mac can access it. 
Perform the following steps to -install CloudN. - -**Step 1**: From the VMware Fusion menu bar, select File > Import. - -|image24| - -**Step 2**: The Import Library window appears, along with a dialog box for -browsing to the location of OVF file. - -|image25| - -**Step 3**: Browse to the .ovf file and click open - -|image26| - -**Step 4**: Type the name of the imported virtual machine in the Save -As text box and indicate where to save it. - -|image27| - -**Step 5**: After the import is complete, the virtual machine appears in the -virtual machine library. Click on “Start Up” to start the CloudN virtual -machine. - -|image28| - -**Step 6**: Change Network Adapters to NAT mode - -Select the VM, click Settings, click Network Adapter, select “\ **Share -with my Mac**\ ”, as shown below - -|image29| - -Test Drive on PC with VMware Workstation ------------------------------------------ - -Click on File -> Open, as shown below. - -|image30| - -Then open the desired VM. - -|image31| - -Highlight the VM, right click, select Settings, click on Network -Adapters, change both Network Adapter to NAT mode as shown below. - -|image32| - -Test Drive on VirtualBox ------------------------- - -CloudN works on VirtualBox only in a bridged mode. - -After downloading and extracting the zip file, copy the folder to a -location where you can import the virtual machine. For installation, -follow the steps below. - -**Step 1**: From the VirtualBox menu bar, select File > Import Appliance - -|image33| - -**Step 2**: Navigate to the CloudN ovf file and click “Next” - -|image34| - -**Step 3**: In the next screen, click on “Import” to start the import -process and wait for it to finish. - -|image35| - -**Step 4**: CloudN virtual machine installation is finished. It can be -launched by selecting it and clicking on the “Start” button. 
- -|image36| - -Configure Network Interfaces ------------------------------ - -CloudN network interfaces should be configured in bridge mode as the NAT -mode makes it impossible for guests to communicate with each other. In -addition to this, both interfaces should be allowed to be in promiscuous -mode. Execute the steps below to satisfy these requirements. - -Step 1: Select the CloudN VM and click on “Settings” - -|image37| - -Step 2: In the settings window, select “Network” and select "Bridged -Adapter" in the drop down list for the "Attached to" field. - -|image38| - -Step 3: Click on “Advanced” to reveal advanced configuration options and -select “Allow All” in the drop down list for “Promiscuous Mode” field. -Repeat this procedure for “Adapter 2” as well. - -|image39| - -Booting Up and Initial Configuration -##################################### - -CloudN supports a browser based GUI Interface and REST APIs. - -After the virtual machine boots up, you must first log in to the -machine while still in hypervisor console. - -**CloudN Login User Name: admin** - -**CloudN Login Password: Aviatrix123#** - -After this initial login, if you see the screen below: - -|image40| - -Follow the instruction to type “help” at the prompt. - -|image41| - -Follow the steps to go through the boot up process. You can type “help” -at any time to review the steps. Type “?” to view all available -commands. For each command, type “?” to view syntax and parameters. - -Step 1: Setup Interface Address -------------------------------- - -CloudN works by dividing the subnet where CloudN is deployed into -sub-segments where each sub-segment becomes the VPC/VNet CIDR in the -cloud. We recommend you deploy CloudN in its own subnet to maximize the -number of VPC/VNets you can create. - -Statically assign CloudN IP address ------------------------------------- - -You can statically assign an IP address to CloudN. Choose this approach -if you use CloudN to connect to an existing VPC. 
In the use case where -CloudN does not create a VPC and build an encrypted tunnel, CloudN does not -need to be deployed on a separate subnet. - -Command: setup\_interface\_static\_address - -Syntax: setup\_interface\_static\_address [static\_ip\_address] -[net\_mask] [default\_gateway\_ip\_address] -[primary\_dns\_server\_ip\_address] -[secondary\_dns\_server\_ip\_address] [proxy {true\|false}] - -Below is an example where there is no proxy server. In such case, CloudN -will configure the network interfaces, test Internet connectivity and -download the latest Aviatrix software. - -|image42| - -Proxy Configuration --------------------- - -If there is a proxy server for Internet access, you must setup proxy -configuration on CloudN to pass traffic to proxy correctly. The following is -the necessary command. - -command: setup\_network\_proxy - -syntax: setup\_network\_proxy <--http\_proxy> <--https\_proxy> - -where action is “test” or “save”. - -Example: - -:: - - setup\_network\_proxy test --http\_proxy http://10.30.0.3:3128 - --https\_proxy http://10.30.0.3:3128 - - setup\_network\_proxy save --http\_proxy http://10.30.0.3:3128 - --https\_proxy http://10.30.0.3:3128 - -Note that after the proxy configuration is saved, CloudN VM will reboot to have -the proxy take effect. - - -Step 2: Display Interface Address ----------------------------------- - -|image45| - -Now you can use the cloudN IP address as the URL to access the CloudN Manager -that manages CloudN. - -Note: The hypervisor console has only limited CLI for the initial booting up -purposes. Once Aviatrix software is downloaded, full commands are -installed. - -The user should use the GUI to access the CloudN Console. - -Troubleshooting ---------------- - -If there are any error messages during installation, they are usually due to a -lack of Internet connectivity, an incorrect DNS server IP address or -unopened firewall ports. Type “?” to see all the commands that help you -troubleshoot. 
- -Use the commands “\ ***ping***\ ” and “\ ***traceroute***\ ” to check out -Internet connectivity. Check your DNS server setting and consult your -network and server admin to determine the cause of routing failure. - -After the connectivity issue is resolved, use the command -“download\_cloudn\_software” to continue installation and finish. Or you -can again type in the command setup\_interface\_address. - -Use a Browser to Access CloudN -------------------------------- - -CloudN has a built in CloudN Console that lets you run provisioning from -a browser. - -Once IP address setup is complete, you can use any browser to type -https:// and see a Login page. - -|image46| - -Login with: - -User Name: **admin** - -Password: **private IP address of the VM** - -After logging, go through the initial setup process. - -For the first time user and initial setup, follow Onboarding to go -through the initial set up and launch your first VPC/VNet. - -Onboarding -############# - -After you log in to the browser console, click Onboarding to go through a -few steps of initial setup and start creating the first VPC/VNet. - -Once you log in, click on Help for Frequently Asked Questions (FAQs). All -features have descriptions and should be self-explanatory. - -For support issues, send an email to support@aviatrix.com. - -For feedback and feature requests, click Make a wish at the bottom of -each page. - -Enjoy! - -.. |image0| image:: CloudN_Startup_Guide_media/image001.png - :width: 2.90683in - :height: 0.35000in -.. |image1| image:: CloudN_Startup_Guide_media/image002.png - :width: 6.50000in - :height: 3.65556in -.. |image2| image:: CloudN_Startup_Guide_media/image003.png - :width: 6.66736in - :height: 3.75069in -.. |image3| image:: CloudN_Startup_Guide_media/image004.png - :width: 6.34375in - :height: 2.49143in -.. |image4| image:: CloudN_Startup_Guide_media/image005.png - :width: 5.08878in - :height: 2.24352in -.. 
|image5| image:: CloudN_Startup_Guide_media/image006.png - :width: 4.98377in - :height: 2.19722in -.. |image6| image:: CloudN_Startup_Guide_media/image007.png - :width: 6.78264in - :height: 3.42942in -.. |image7| image:: CloudN_Startup_Guide_media/image008.png - :width: 5.43403in - :height: 3.40694in -.. |image8| image:: CloudN_Startup_Guide_media/image009.png - :width: 5.08365in - :height: 3.25278in -.. |image9| image:: CloudN_Startup_Guide_media/image010.png - :width: 5.02847in - :height: 2.76966in -.. |image10| image:: CloudN_Startup_Guide_media/image011.png - :width: 4.65347in - :height: 3.86107in -.. |image11| image:: CloudN_Startup_Guide_media/image010.png - :width: 5.52847in - :height: 3.04506in -.. |image12| image:: CloudN_Startup_Guide_media/image012.png - :width: 5.90347in - :height: 3.25161in -.. |image13| image:: CloudN_Startup_Guide_media/image013.png - :width: 5.55366in - :height: 3.60000in -.. |image14| image:: CloudN_Startup_Guide_media/image014.png - :width: 4.65196in - :height: 5.04306in -.. |image15| image:: CloudN_Startup_Guide_media/image015.png - :width: 4.31116in - :height: 5.29931in -.. |image16| image:: CloudN_Startup_Guide_media/image016.png - :width: 4.80625in - :height: 2.45417in -.. |image17| image:: CloudN_Startup_Guide_media/image017.png - :width: 4.65347in - :height: 3.51297in -.. |image18| image:: CloudN_Startup_Guide_media/image018.png - :width: 4.79795in - :height: 3.60000in -.. |image19| image:: CloudN_Startup_Guide_media/image019.png - :width: 5.01754in - :height: 2.42407in -.. |image20| image:: CloudN_Startup_Guide_media/image020.png - :width: 5.02847in - :height: 3.94766in -.. |image21| image:: CloudN_Startup_Guide_media/image021.png - :width: 5.02847in - :height: 4.76850in -.. |image22| image:: CloudN_Startup_Guide_media/image022.png - :width: 5.44632in - :height: 4.97500in -.. |image23| image:: CloudN_Startup_Guide_media/image023.png - :width: 5.49339in - :height: 4.97500in -.. 
|image24| image:: CloudN_Startup_Guide_media/image024.png - :width: 5.36000in - :height: 3.35000in -.. |image25| image:: CloudN_Startup_Guide_media/image025.png - :width: 5.87531in - :height: 4.20185in -.. |image26| image:: CloudN_Startup_Guide_media/image026.png - :width: 5.57477in - :height: 3.97500in -.. |image27| image:: CloudN_Startup_Guide_media/image027.png - :width: 5.15273in - :height: 3.67407in -.. |image28| image:: CloudN_Startup_Guide_media/image028.png - :width: 5.02847in - :height: 3.60535in -.. |image29| image:: CloudN_Startup_Guide_media/image029.png - :width: 5.27781in - :height: 3.53518in -.. |image30| image:: CloudN_Startup_Guide_media/image030.png - :width: 5.15347in - :height: 2.87345in -.. |image31| image:: CloudN_Startup_Guide_media/image031.png - :width: 5.15347in - :height: 3.63154in -.. |image32| image:: CloudN_Startup_Guide_media/image032.png - :width: 5.35637in - :height: 5.10000in -.. |image33| image:: CloudN_Startup_Guide_media/image033.png - :width: 5.27298in - :height: 2.85000in -.. |image34| image:: CloudN_Startup_Guide_media/image034.png - :width: 5.15347in - :height: 4.24250in -.. |image35| image:: CloudN_Startup_Guide_media/image035.png - :width: 5.15347in - :height: 4.24250in -.. |image36| image:: CloudN_Startup_Guide_media/image036.png - :width: 5.40347in - :height: 2.92053in -.. |image37| image:: CloudN_Startup_Guide_media/image037.png - :width: 5.74346in - :height: 3.10000in -.. |image38| image:: CloudN_Startup_Guide_media/image038.png - :width: 5.78376in - :height: 4.03518in -.. |image39| image:: CloudN_Startup_Guide_media/image039.png - :width: 5.83527in - :height: 4.10000in -.. |image40| image:: CloudN_Startup_Guide_media/image040.png - :width: 5.90347in - :height: 3.76788in -.. |image41| image:: CloudN_Startup_Guide_media/image041.png - :width: 6.50000in - :height: 3.82639in -.. |image42| image:: CloudN_Startup_Guide_media/image042.png - :width: 6.50000in - :height: 3.54931in -.. 
|image43| image:: CloudN_Startup_Guide_media/image043.png - :width: 5.65347in - :height: 3.50335in -.. |image44| image:: CloudN_Startup_Guide_media/image044.png - :width: 5.65347in - :height: 3.53435in -.. |image45| image:: CloudN_Startup_Guide_media/image045.png - :width: 5.65347in - :height: 2.18844in -.. |image46| image:: CloudN_Startup_Guide_media/image046.png - :width: 5.30625in - :height: 2.97910in - - -.. add in the disqus tag - -.. disqus:: diff --git a/StartUpGuides/aviatrix-china-controller-startup-guide.rst b/StartUpGuides/aviatrix-china-controller-startup-guide.rst.txt similarity index 100% rename from StartUpGuides/aviatrix-china-controller-startup-guide.rst rename to StartUpGuides/aviatrix-china-controller-startup-guide.rst.txt diff --git a/StartUpGuides/aviatrix-cloud-controller-startup-guide.rst b/StartUpGuides/aviatrix-cloud-controller-startup-guide.rst index 15704bbb8..3d0b1b2cb 100644 --- a/StartUpGuides/aviatrix-cloud-controller-startup-guide.rst +++ b/StartUpGuides/aviatrix-cloud-controller-startup-guide.rst 
@@ -7,16 +7,74 @@ AWS Startup Guide ================================================================== +.. raw:: html + + + +.. raw:: html + + + +.. raw:: html + + + + Welcome to getting started on AWS! This guide takes you through the 3 steps to launch the Controller instance. When complete, you'll be ready to deploy use cases. |3-step| -You can also `watch a video `_ for this startup guide. +.. + You can also `watch a video `_ for this startup guide. + -.. important :: +.. important:: -The Aviatrix Controller must be launched by a cloudformation script provided by Aviatrix. Follow the instructions in this document to launch the Controller. Do not launch the Controller instance from AWS Console. + The Aviatrix Controller must be launched by a cloudformation script provided by Aviatrix. Follow the instructions in this document to launch the Controller. Do not launch the Controller instance from AWS Console. Step 1. Subscribe to an Aviatrix AMI @@ -28,16 +86,23 @@ If you have already subscribed the Metered AMI on AWS Marketplace, skip this ste ---------------------------------------------------------------- Click the AMI link below to take you to the AWS Marketplace to complete step 1.1 and 1.2. -(Open a new tab on the selected AMI so you can follow along with this guide.) -`Aviatrix Secure Networking Platform PAYG - Metered AMI `_ . +.. |marketplace_metered_link2| raw:: html + + Aviatrix Secure Networking Platform Metered with Copilot + +|marketplace_metered_link2| + +.. + `Aviatrix Secure Networking Platform Metered - Copilot & 24x7 Support `_ + 1.2 Continue to Subscribe ---------------------------------------- Click `Continue to Subscribe`. Subscribing means that you can begin deploying the software in later steps via the CloudFormation template. - |subscribe| + |AMI_24x7_copilot| 1.3 Accept Terms ----------------------------- 
@@ -53,9 +118,21 @@ Step 2. Launch the Controller with CloudFormation 2.1 Click CloudFormation Link -------------------------------- -Click the link below to take you to the CloudFormation page on the AWS Console with the pre-loaded template. Follow the instructions in Step 2 to run the Cloudformation script. +Click the link below to take you to the CloudFormation page on the AWS Console with the pre-loaded template. Follow the instructions in the next steps +to run the Cloudformation script. + +.. |CFT_link| raw:: html + + CloudFormation for Aviatrix Secure Networking Platform Metered with Copilot + + +|CFT_link| + +.. + `CloudFormation for Aviatrix Secure Networking Platform Metered - Copilot & 24x7 Support `_ + -`CloudFormation for Secure Networking Platform PAYG - Metered `_ +For other products, check out `Other Aviatrix Products CloudFormation launch scripts `_. 2.2 Login to AWS Console --------------------------- @@ -92,6 +169,8 @@ Change to the region where you would like to install the Aviatrix Controller on Leave the `Controller Size` at `t2.large` and keep the `IAM role creation` at "New" unless you have already created the Aviatrix IAM roles. +For more information on Controller instance size selection, refer to `Controller sizing recommendations. `_. + 2.7 Click `Next` ------------------ 
@@ -215,27 +294,45 @@ You are now ready to deploy use cases. Here are some of the things you can do: - `Build Multicloud Peering `_ - `Build Encrypted Peering `_ - `Build Firewall Network `_ +- `Build PrivateS3 `_ - `Aviatrix Overview. `_ .. Important:: Any resources created by the Controller, such as Aviatrix gateways, route entries, ELB, SQS queues, etc, must be deleted from the Controller console. If you delete them directly on an AWS console, the Controller's view of resources will be incorrect which will lead to features not working properly. -For technical support, email us at support@aviatrix.com +For technical support, please open a support ticket at `Aviatrix Support Portal `_. Enjoy! Other Aviatrix Products ^^^^^^^^^^^^^^^^^^^^^^^^^^ -In addition to Metered AMI, we offer a few others, as shown below. Subscribe to them on AWS Marketplace and then come back to this section to click on the CloudFormation script to launch the Controller. +In addition to Metered AMI, we offer a few others, as shown below. Subscribe to them on AWS Marketplace and then proceed to select the CloudFormation launch method to launch the Controller stack directly from AWS console. + + - `Aviatrix Secure Networking Platform Metered - 24x7 Support `_ - - `Aviatrix User VPN – Metered `_ + - `Aviatrix Secure Networking Platform - Enterprise Subscription `_ - - `Secure Networking Platform - Custom `_ + - `Aviatrix Secure Networking Platform - BYOL `_ - - `Aviatrix Secure Networking Platform - BYOL `_ + - `Aviatrix Secure Networking Platform - BYOL in AWS China `_ - `Community BYOL (Available only in us-west-2 region) `_ + + +Additional Information for Controller +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + - **Controller sizing** `Controller instance sizing and EBS volume selection info `_. + + - **Controller backup and restore** `Controller backup instructions info `_. + + - **Controller high availability** Controller HA instructions can be found `here `_. 
+ + - **Software upgrade** `Software upgrade procedure info `_. + + + .. add in the disqus tag @@ -245,6 +342,12 @@ In addition to Metered AMI, we offer a few others, as shown below. Subscribe to .. |subscribe| image:: ZeroToConnectivityInAWS_media/subscribe.png :scale: 30% +.. |subscribe_24x7| image:: ZeroToConnectivityInAWS_media/subscribe_24x7.png + :scale: 30% + +.. |AMI_24x7_copilot| image:: ZeroToConnectivityInAWS_media/AMI_24x7_copilot.png + :scale: 40% + .. |3-step| image:: ZeroToConnectivityInAWS_media/3-step.png :scale: 30% diff --git a/StartUpGuides/aviatrix_operations.rst b/StartUpGuides/aviatrix_operations.rst index 8b3902cfc..2344fe978 100644 --- a/StartUpGuides/aviatrix_operations.rst +++ b/StartUpGuides/aviatrix_operations.rst @@ -28,7 +28,7 @@ This document summarizes 10 operation services provided by Aviatrix Solutions. 2. Automation ---------------- - - **REST API** All functions support REST API. + - **API** All functions support API. - **Terraform** Aviatrix provides its own Terraform Provider for Aviatrix created resources. - **Cloud Formation** Aviatrix provides Cloud Formation Scripts for AWS Controller launch and multi account creation. - **Examples** Terraform examples are presented for various use cases. 
@@ -99,7 +99,7 @@ The Controller and gateways can export logged data to the following services: 9. Software and Technical Support ------------------------------------ - - **support@aviatrix.com** Technical problem? Have no fear. Aviatrix's most capable networking engineers are ready to help you troubleshoot issues large and small and most of them are not even related to Aviatrix solutions. Aviatrix offers 24/7 support for Platinum customers. + - `Aviatrix Support Portal `_ Technical problem? Have no fear. Aviatrix's most capable networking engineers are ready to help you troubleshoot issues large and small and most of them are not even related to Aviatrix solutions. Aviatrix offers 24/7 support for Platinum customers. - **Fast Release Cycle** New software releases become available every 6 - 8 weeks. A new software release automatically generates notification email to the Controller admin team. - **Hot Fix** Any showstoppers or operation impacting problems are immediately addressed by "Hot Fix" patches. - **Solution Architects** Aviatrix solution architects can help you design your cloud network deployment to be simple to manage, scalable and secure. diff --git a/StartUpGuides/aviatrix_overview.rst b/StartUpGuides/aviatrix_overview.rst index f50c92d5e..17d6a1ecc 100644 --- a/StartUpGuides/aviatrix_overview.rst +++ b/StartUpGuides/aviatrix_overview.rst 
@@ -11,15 +11,19 @@ What Do We Do? ================ Aviatrix is a cloud native networking company. Unlike any other networking vendors, the -Aviatrix software platform understands the cloud provider's native construct. This allows us to program the native constructs and integrate them into our software -to provide you with turn key solutions. +Aviatrix software platform understands the cloud provider's native constructs. This allows you to leverage +and control the native constructs directly using the cloud provider's APIs extending their capabilities and +integrating them into our software to provide organizations with turn key solutions accelerating your cloud journey. |aviatrix_overview| -We focus on solving networking problems in use cases relevant to public clouds. -These use cases are shown as below: +We focus on solving common networking problems faced by enterprises on their public cloud journey while providing +a common control plane that provides multi-account/multi-cloud automation, advanced transit services, security services, troubleshooting capabilities, +and visibility that you need. -- Datacenter to cloud (`Next Gen Global Transit Network solution `_) +Some common enterprise use cases are shown below: + +- Datacenter to cloud (`Aviatrix Transit Network solution `_) - Scalable Firewall deployment in the cloud (`Firewall Network `_) - Cloud to cloud VPN (`Encrypted peering `_ connectivity in a cloud and multi cloud ) - User to cloud VPN (`Remote user VPN (OpenVPN® based SSL VPN solution) `_ for developers) 
@@ -30,12 +34,13 @@ We also provide security features for workloads/applications in the cloud: - `Gateway inline L4 stateful firewall. `_ - `VPC Egress Security. `_ +- `High Speed Secure Access to AWS S3 `_. In addition, we have specific network solutions for `cloud migration `_ and agile `datacenter extension `_ to cloud for vmware workloads. -You can automate Aviatrix deployment by `REST APIs `_ and `Terraform configurations `_. +You can automate Aviatrix deployment by `Terraform configurations `_. What are the complexities in cloud networking? --------------------------------------------------- @@ -47,9 +52,9 @@ The complexity of the cloud networking comes from the following areas and they o 1. Unprecedented Scale ^^^^^^^^^^^^^^^^^^^^^^^^^ - - Cloud networks (VPC/VNet) are many orders of magnitude in quantity than datacenters, driven by business billing/accounting and isolation. - - Multi accounts structure is a new element for networking and is significantly increasing the number of cloud networks. - - Multi cloud is happening by industry verticals and bleed cross all sectors due to the SaaS inter-connect effect. + - Cloud networks (VPC/VNET/VCNs) are many orders of magnitude in quantity than datacenters, driven by business billing/accounting and variable isolation requirements. + - Multiple account ownership is a new concept for networking significantly increasing the number of cloud networks. + - Multi-cloud strategies are the new industry norm enterprise will eventually require workloads spread across multiple cloud providers where they run best. 2. Security ^^^^^^^^^^^^^^^^ 
@@ -65,13 +70,13 @@ The complexity of the cloud networking comes from the following areas and they o 3. Unprecedented Performance ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - - As more data traverses among islands of networks, performance requirement is catching up. + - As more enterprise data and workloads traverse cloud networks, the enterprise needs to account for performance requirements in their cloud architecture. -4. Skill Gap +4. Skills Gap ^^^^^^^^^^^^^ - - Each cloud offers completely different APIS, semantics and implementation in networking. - - Business cannot invest equally in time and effort to multiple cloud providers. + - Each cloud offers completely different terminology, APIS, semantics, and implementation details to provide networking. + - Businesses cannot invest equally in time and effort to achieve skill parity across multiple cloud providers making it difficult to expand and pivot strategy. - New generation of operational engineers are short in sophisticated networking skills. Older networking engineers are short in API skills. 5. Interoperability @@ -90,6 +95,8 @@ Customers find that the most compelling value of our product is simplicity, both - **Centrally Managed** A single pane of glass to manage all your cloud accounts and cloud network scattered in different regions and clouds. Hitless software upgrade eliminates operation downtime and maintenance window. +- **Flexible Consumption Model** We offer pay-as-you-go metered images available on cloud providers' marketplace. No contract negotiation and no upfront commitment. Start instantly and turn it off at any time if you decide not to continue. + For example, we hide the platform differences between AWS, Azure and GCP, so that you have the same experience when networking to any of them or between them. 
@@ -105,34 +112,52 @@ Our goal is to become your go-to vendor for all things cloud networking. What Features Are Supported in Which Cloud? ----------------------------------------------- -========================================== ========== ============= ====================== ================= ========== -**Feature** **AWS** **Azure** **GCP** **AWS GovCloud** **OCI** -========================================== ========== ============= ====================== ================= ========== -Marketplace Launch Yes Yes No (Community Image) Yes Yes -Multi Accounts Yes Yes Yes Yes Yes - -Next Gen Transit Network Spoke Yes Yes Yes Yes Yes -Next Gen Transit Network Edge Yes Yes Yes Yes Yes -Firewall Network Yes No No Yes No -Transit Gateway Peering Yes Yes Yes Yes Yes - -Native Peering Yes Yes N/A Yes No - -FQDN Egress Control Yes Yes Yes Yes Yes -Stateful Firewall Yes Yes Yes Yes Yes -Advanced NAT Yes Yes Yes Yes Yes - -Remote Access User VPN Yes Yes Yes Yes Yes -Site to Cloud VPN Yes Yes Yes Yes Yes - -Insane Mode Encryption Yes Yes No Yes No - -Logging Service Integration Yes Yes Yes Yes Yes -FlightPath Expert Diagnostics Yes No No Yes No -IPv6 Yes No No No No -PrivateS3 (unique to AWS) Yes No No Yes No -========================================== ========== ============= ====================== ================= ========== - ++--------------------------------------+---------+-----------+---------+---------+------------------+--------------------+ +| **Feature** | **AWS** | **Azure** | **GCP** | **OCI** | **AWS GovCloud** | **Azure GovCloud** | ++--------------------------------------+---------+-----------+---------+---------+------------------+--------------------+ +| Marketplace Launch | Yes | Yes | Yes | Yes | Yes | Yes | ++--------------------------------------+---------+-----------+---------+---------+------------------+--------------------+ +| Multi Accounts | Yes | Yes | Yes | Yes | Yes | Yes | 
++--------------------------------------+---------+-----------+---------+---------+------------------+--------------------+ +| Aviatrix Transit Network Spoke | Yes | Yes | Yes | Yes | Yes | Yes | ++--------------------------------------+---------+-----------+---------+---------+------------------+--------------------+ +| Aviatrix Transit Network Edge | Yes | Yes | Yes | Yes | Yes | Yes | ++--------------------------------------+---------+-----------+---------+---------+------------------+--------------------+ +| Firewall Network | Yes | Yes | Yes | Yes | Yes | Yes | ++--------------------------------------+---------+-----------+---------+---------+------------------+--------------------+ +| Transit Gateway Peering | Yes | Yes | Yes | Yes | Yes | Yes | ++--------------------------------------+---------+-----------+---------+---------+------------------+--------------------+ +| Native Peering | Yes | Yes | N/A | No | Yes | Yes | ++--------------------------------------+---------+-----------+---------+---------+------------------+--------------------+ +| FQDN Egress Control | Yes | Yes | Yes | Yes | Yes | Yes | ++--------------------------------------+---------+-----------+---------+---------+------------------+--------------------+ +| Stateful Firewall | Yes | Yes | Yes | Yes | Yes | Yes | ++--------------------------------------+---------+-----------+---------+---------+------------------+--------------------+ +| Advanced NAT | Yes | Yes | Yes | Yes | Yes | Yes | ++--------------------------------------+---------+-----------+---------+---------+------------------+--------------------+ +| Remote Access User VPN | Yes | Yes | Yes | Yes | Yes | Yes | ++--------------------------------------+---------+-----------+---------+---------+------------------+--------------------+ +| Site to Cloud VPN | Yes | Yes | Yes | Yes | Yes | Yes | ++--------------------------------------+---------+-----------+---------+---------+------------------+--------------------+ +| Insane Mode 
Encryption | Yes | Yes | Yes | Yes | Yes | Yes | ++--------------------------------------+---------+-----------+---------+---------+------------------+--------------------+ +| Logging Service Integration | Yes | Yes | Yes | Yes | Yes | Yes | ++--------------------------------------+---------+-----------+---------+---------+------------------+--------------------+ +| FlightPath Expert Diagnostics | Yes | Yes | Yes | No | Yes | Yes | ++--------------------------------------+---------+-----------+---------+---------+------------------+--------------------+ +| IPv6 | Yes | No | No | No | No | No | ++--------------------------------------+---------+-----------+---------+---------+------------------+--------------------+ +| PrivateS3 (unique to AWS) | Yes | No | No | No | Yes | No | ++--------------------------------------+---------+-----------+---------+---------+------------------+--------------------+ +| Controller Security Group Management | Yes | Yes | Yes | No | Yes | Yes | ++--------------------------------------+---------+-----------+---------+---------+------------------+--------------------+ +| Managed CloudN | Yes | Yes | Yes | Yes | Yes | Yes | ++--------------------------------------+---------+-----------+---------+---------+------------------+--------------------+ + +What Features Are Supported in Which China Region Cloud? +-------------------------------------------------------- + +`Features supported table in China region `_ How To Launch Aviatrix? ========================= 
@@ -146,11 +171,12 @@ The Controller image is available in `AWS Marketplace, `_ +High Speed Secure Access to AWS S3 (PrivateS3) +================================================ + +Aviatrix PrivateS3 provides control and visibility for AWS S3 upload/download while leveraging the high speed private connections. It solves the following problems. + + + a. **Prevent Data Leakage** We attempt to use AWS Direct Connect for high speed access to S3, but doing so anyone in the company can upload data to their own S3 buckets. + #. **Palo Alto Firewall not usable** Palo Alto Firewall FQDN uses DNS name resolution which does not work on S3 as it has hundreds of thousands of IP addresses and as such the firewall is not usable. + +To learn more, `follow the PrivateS3 FAQ `_ + + Cloud Migration ================== diff --git a/StartUpGuides/aviatrix_overview_media/aviatrix_overview_2020.png b/StartUpGuides/aviatrix_overview_media/aviatrix_overview_2020.png new file mode 100644 index 000000000..77a09077c Binary files /dev/null and b/StartUpGuides/aviatrix_overview_media/aviatrix_overview_2020.png differ diff --git a/StartUpGuides/aws_manual_startup_guide.rst b/StartUpGuides/aws_manual_startup_guide.rst index 9d3505965..e7c568579 100644 --- a/StartUpGuides/aws_manual_startup_guide.rst +++ b/StartUpGuides/aws_manual_startup_guide.rst @@ -17,8 +17,9 @@ select the image type you wish to launch. :: Note if you select the BYOL image, you need a customer ID from Aviatrix - for launching gateways. Send email to support@aviatrix.com or - info@aviatrix.com to request a customer ID. + for launching gateways. Send email to info@aviatrix.com or open a support + ticket at Aviatrix Support Portal (https://support.aviatrix.com) to request + a customer ID. Customer ID is not needed if you select utility images such as “5 
@@ -94,7 +95,7 @@ Once you are at AWS EC2 console, follow the steps below: address ranges as Aviatrix gateways need to communicate to the controller on this port. -For support, send email to support@aviatrix.com. Enjoy! +Please open a support ticket at `Aviatrix Support Portal `_. Enjoy! .. |image0| image:: AviatrixCloudControllerStartupGuide_media/image001.png :width: 2.90683in diff --git a/StartUpGuides/azure-aviatrix-cloud-controller-startup-guide.rst b/StartUpGuides/azure-aviatrix-cloud-controller-startup-guide.rst index 4232eb8ff..3e148eb17 100644 --- a/StartUpGuides/azure-aviatrix-cloud-controller-startup-guide.rst +++ b/StartUpGuides/azure-aviatrix-cloud-controller-startup-guide.rst 
@@ -10,58 +10,69 @@ The Aviatrix cloud network solution consists of two components, the controller a gateways, both of which are Azure VMs. Gateways are launched from the controller console to specific VNets. This guide helps you to launch the controller VM in Azure. Make sure you follow the instructions to also subscribe to the Aviatrix Companion Gateway described in this guide. -.. Note:: +1. Subscribe to the Aviatrix Metered Offer +============================================= - We suggest you consider deploying the Controller in AWS. The preferred approach is to launch the Controller from the AWS Marketplace as a metered AMI by following the `AWS Startup Guide `_. The Aviatrix Controller is multi cloud, multi subscription and multi region capable. Launching the Controller in AWS may be a good idea even if you only deploy gateways in Azure, as AWS provides a pay-as-you-go (without up front commitment nor contract negotiation) metered payment system that has the least friction. However if Azure is your choice to deploy the Controller, no worries, proceed to the following sections. +Go to `Azure Marketplace `_ to subscribe to Aviatrix Controller Meter License - PAYG. -1. Subscribe to the Aviatrix Controller -============================================= +Follow the Azure portal instruction to subscribe. + +|subscribe_to_meter| + + + +2. Subscribe to the Aviatrix Controller BYOL Offer +=================================================== -Go to `Azure Marketplace `_ to subscribe to one Aviatrix image. +After you subscribe to Aviatrix Meter License offer, you should receive an email from admin@aviatrix.io to inform you with customer ID and a link to subscribe the actual Aviatrix Controller BYOL offer. **More to continue on Step 4.** +(Note with Aviatrix Meter License, you are billed monthly. No upfront cost and pay as you go.) -2. Subscribe to an Aviatrix Companion Gateway -================================================= +3. 
(Optional) Subscribe to an Aviatrix Companion Gateway +=========================================================== -The Aviatrix companion gateway needs to be subscribed as programmable. +This step is not required for most of deployment scenarios as Aviatrix Controller automatically subscribes to the Aviatrix Companion Gateway +when it is launched. -In order to launch an Aviatrix gateway from the controller, you must also subscribe to the Aviatrix Companion Gateway, which is free in the Azure marketplace. Follow the steps in `this doc `__ to subscribe. +There are exceptional cases, such as if you provide Managed Service on Azure, the Aviatrix Companion Gateway requires manual subscription. +For manual subscription, follow the steps in `this doc `__ to subscribe. -3. Launch the Controller + +4. Launch the Controller ============================== -Create an Azure Account ---------------------------- -Create an Azure account if you do not already have one. +Click the link in the email to launch the Controller +------------------------------------------------------ + +Going back to the email received from admin@aviatrix.io. The email informs you with a customer ID and a +link to subscribe the actual Aviatrix Controller BYOL offer, as shown below. + +|license_key| + +Click the link to take to Azure Portal again to launch the Controller. Launch Controller VM from Azure marketplace portal ----------------------------------------------------- -a. Launch from marketplace, select the license type and click Create - Virtual Machine, as shown below. If you select a “BYOL” image, you - need a Customer ID. Send email to support@aviatrix.com or - info@aviatrix.com to request a Customer ID. - - |marketplace| -#. From the dropdown menu select one option, for example the BYOL option. +a. Get from Azure Marketplace for the actual BYOL Controller. - |dropdown| + |click_byol| -#. 
At Basics header, create new Resource Group titled "aviatrix" , virtual machine name can be "aviatrixController". - For instance size we recomend at least 8GB of RAM so B2ms should be sufficient. Next enter a username, password and - Resource group, click OK. +#. At Basics header, create new Resource Group titled "aviatrix", virtual machine name can be "aviatrixController". + For instance size we recommend at least 8GB of RAM so B2ms should be sufficient. Next enter a username, password and + Resource group, click OK. Please do NOT use 'ubuntu' as username if you use password as authentication type. |Azure_Basics| #. At the networking header, this will be preconfigured with a default subnet and security group. You should not need - to change anything here. + to change anything here. For Public IP, click Create New, at Assignment select Static and click OK. - |Networking| + |static_ip| -#. The management, advanced, and tag heders should not need any configuration. +#. The management, advanced, and tag headers should not need any configuration. #. Finish launching the VM by hitting the create button. 
@@ -79,26 +90,14 @@ a. Launch from marketplace, select the license type and click Create #. Go through the login process. -#. Start with the onboarding tab at the console. +#. Start with the Onboarding tab at the console. .. Warning:: Any resources created by the Controller, such as Aviatrix gateways, Azure routing entries, subnets, etc, must be deleted from the Controller console. If you delete them directly on Azure console, The Controller's view of the resources will be incorrect, which will lead to features not working properly. - -4. Access the Controller -============================ - -After the Controller instance is in a running state in AWS, you can access the Controller -via a browser by `https://Controller_public_IP`, where Controller_public_IP is the static public IP address of the Controller. - -The initial password is the private IP address of the instance. - -Follow the steps to go through an initial setup phase to download the latest software. -After the latest software is downloaded, re-login again to go through the onboarding process. - 5. Onboarding ============== -The purpose of onboarding is to help you setup an account on the Aviatrix Controller that +The purpose of Onboarding is to help you setup an account on the Aviatrix Controller that corresponds to an Azure account with policies so that the Controller can launch gateways using Azure APIs. @@ -139,6 +138,19 @@ Enjoy! .. |Networking| image:: AzureAviatrixCloudControllerStartupGuide_media/Networking.png :width: 5.0in :height: 5.0in + +.. |subscribe_to_meter| image:: AzureAviatrixCloudControllerStartupGuide_media/subscribe_to_meter.png + :scale: 90% + +.. |license_key| image:: AzureAviatrixCloudControllerStartupGuide_media/license_key.png + :scale: 90% + +.. |click_byol| image:: AzureAviatrixCloudControllerStartupGuide_media/click_byol.png + :scale: 90% + +.. |static_ip| image:: AzureAviatrixCloudControllerStartupGuide_media/static_ip.png + :scale: 30% + .. add in the disqus tag .. disqus:: 
diff --git a/StartUpGuides/cloudn_nutanix_startup_guide_media/aviatrix_console_initial.png b/StartUpGuides/cloudn_nutanix_startup_guide_media/aviatrix_console_initial.png deleted file mode 100644 index af050bab0..000000000 Binary files a/StartUpGuides/cloudn_nutanix_startup_guide_media/aviatrix_console_initial.png and /dev/null differ diff --git a/StartUpGuides/cloudn_nutanix_startup_guide_media/aviatrix_console_run_setup.png b/StartUpGuides/cloudn_nutanix_startup_guide_media/aviatrix_console_run_setup.png deleted file mode 100644 index 42fcc626a..000000000 Binary files a/StartUpGuides/cloudn_nutanix_startup_guide_media/aviatrix_console_run_setup.png and /dev/null differ diff --git a/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_add_image.png b/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_add_image.png deleted file mode 100644 index 225f194c5..000000000 Binary files a/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_add_image.png and /dev/null differ diff --git a/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_add_image_s3_url.png b/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_add_image_s3_url.png deleted file mode 100644 index ac4bc6e65..000000000 Binary files a/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_add_image_s3_url.png and /dev/null differ diff --git a/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_add_image_to_catalog_dialog.png b/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_add_image_to_catalog_dialog.png deleted file mode 100644 index e4904a285..000000000 Binary files a/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_add_image_to_catalog_dialog.png and /dev/null differ 
diff --git a/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_add_image_to_catalog_menu.png b/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_add_image_to_catalog_menu.png deleted file mode 100644 index 8c864a586..000000000 Binary files a/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_add_image_to_catalog_menu.png and /dev/null differ diff --git a/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_create_vm_add_disk.png b/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_create_vm_add_disk.png deleted file mode 100644 index d812f009b..000000000 Binary files a/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_create_vm_add_disk.png and /dev/null differ diff --git a/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_create_vm_add_nic.png b/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_create_vm_add_nic.png deleted file mode 100644 index 14747b61e..000000000 Binary files a/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_create_vm_add_nic.png and /dev/null differ diff --git a/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_create_vm_disks_view.png b/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_create_vm_disks_view.png deleted file mode 100644 index 32226df54..000000000 Binary files a/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_create_vm_disks_view.png and /dev/null differ diff --git a/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_create_vm_top.png b/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_create_vm_top.png deleted file mode 100644 index 06bcbfd98..000000000 Binary files a/StartUpGuides/cloudn_nutanix_startup_guide_media/nutanix_create_vm_top.png and /dev/null differ diff --git a/StartUpGuides/google-aviatrix-cloud-controller-startup-guide.rst b/StartUpGuides/google-aviatrix-cloud-controller-startup-guide.rst index f79032685..de7c58796 100644 --- a/StartUpGuides/google-aviatrix-cloud-controller-startup-guide.rst 
+++ b/StartUpGuides/google-aviatrix-cloud-controller-startup-guide.rst @@ -19,8 +19,8 @@ have disparate subnets and a subnet can connect across regions. .. Important:: - We advise you not to deploy a Controller in GCP. The preferred approach is to launch the Controller from AWS Marketplace as a metered AMI by following the `AWS Startup Guide `_. The Aviatrix Controller is multi cloud, multi account and multi region capable. Launching a controller in AWS is preferred even if you only deploy gateways in GCP. This is because AWS provides a metered charging mechanism, a true pay-as-you-go (without up front commitment nor contract negotiation) payment system that has the least friction. - + + The Aviatrix Controller is a secure multi-cloud networking platform. Aviatrix recommends you deploy your controller in clouds that offer metered pricing, then deploy your gateways in any supported cloud. Metered pricing offers you a true pay-as-you-go option without any up-front commitments or contract negotiations. The AWS and Azure clouds offer metered pricing for running the Aviatrix Controller image. The GCP and OCI clouds do not offer metered pricing for running the Aviatrix Controller image. Prerequisite ============ @@ -28,10 +28,7 @@ Prerequisite Get a Customer ID from Aviatrix ------------------------------- -Currently, the Aviatrix Controller for GCloud is only available via community -image for BYOL license. Send an email to info@aviatrix.com or -support@aviatrix.com with your organization name to request a customer -ID. We offer a 30 day free trial license. +Currently, the Aviatrix Controller for GCloud is only available via community image for BYOL license. Send an email to info@aviatrix.com or open a support ticket at `Aviatrix Support Portal `_ with your organization name to request a customer ID. We offer a 30 day free trial license. Create a Google Cloud Platform (GCloud) account ------------------------------------------------ 
@@ -61,8 +58,29 @@ Aviatrix controller. (As an example, we created a project called Aviatrix-UCC, the project ID is aviatrix-ucc-1214) -Copy Aviatrix Controller Image to Your Project ----------------------------------------------- +(Optional) Create Networks +-------------------------- + +This step creates a network in the project created in the previous step. + +When a new project is created, a default network is created. You may +skip this step if you do not need to customize the network address range by +creating a new network, or go on to the next step if you have done so. + +Note that the Aviatrix Controller handles a GCloud network like a VPC in AWS. +Whenever a network configuration is mentioned for GCloud, the term VPC +is used. (The VNet is used for Azure.) + +At GCloud console, select the project that you have copied the Aviatrix +controller image to. Click the 3 bars. At the drop down menu, select +Networking. Click “[+] Create Network”. + +Note: if you plan to have multiple projects, we suggest you plan your +subnets so that the network addresses do not overlap. Select Custom to +create subnets. + +Option #1: Copy Aviatrix Controller Image to Your Project +========================================================= At your GCloud console (https://console.cloud.google.com), select the project where you want to launch your controller. Click the 3 bars at 
@@ -81,35 +99,14 @@ At the top screen, click “[+] CREATE IMAGE”, make sure to: - At Cloud Storage file, paste in the following text string: - **aviatrix200/aviatrix-cloud-services-gateway-111517-byol.tar.gz** + **aviatrix300/aviatrix-cloud-services-gateway-032020-byol.tar.gz** -- Click create, as shown below. +- Click **Create**. |image1| -(Optional) Create Networks --------------------------- - -This step creates a network in the project created in the previous step. - -When a new project is created, a default network is created. You may -skip this step if you do not need to customize the network address range by -creating a new network, or go on to the next step if you have done so. - -Note that the Aviatrix Controller handles a GCloud network like a VPC in AWS. -Whenever a network configuration is mentioned for GCloud, the term VPC -is used. (The VNet is used for Azure.) - -At GCloud console, select the project that you have copied the Aviatrix -controller image to. Click the 3 bars. At the drop down menu, select -Networking. Click “[+] Create Network”. - -Note: if you plan to have multiple projects, we suggest you plan your -subnets so that the network addresses do not overlap. Select Custom to -create subnets. - -Launch the Aviatrix Controller -============================== +Launch the Aviatrix Controller from the copied Image +---------------------------------------------------- At the GCloud console, 
@@ -133,11 +130,35 @@ At the GCloud console, - Select “Read Write” for Compute. -- At Firewall, click “Allow HTTPS Traffic”, as shown below. +.. Important:: + + Do not check the **Firewall** box to **Allow HTTPS Traffic**. Aviatrix reccomends you improve security by removing any 0.0.0.0 entries on port 443 not allowing the Aviatrix Controller to the world. + +- Click **Create**. + + +Option #2: Deploy Aviatrix Controller in GCP Marketplace (Preview mode) +======================================================================= + +- Go to GCP marketplace + +- Find the product "Aviatrix Secured Networking Platform - BYOL" + +- Click the button "LAUNCH" -- Click Create. + |gcp_controller_gcp_marketplace_01| + +- Make sure the selected Machine type has at least 2 vCPUs with 8 GB memory - |image2| +- Boot Disk is SSD Persistnent Disk with 32 GB + + |gcp_controller_gcp_marketplace_02| + +.. Important:: + + Do not check the **Firewall** box to **Allow HTTPS Traffic**. Aviatrix reccomends you improve security by removing any 0.0.0.0 entries on port 443 not allowing the Aviatrix Controller to the world. + +- Click **DEPLOY**. Access the Aviatrix Controller ============================== @@ -156,7 +177,8 @@ and install the latest software. Log in again with your new admin password .. Warning:: Any resources created by the controller, such as Aviatrix gateways, GCP routing tables, subnets, LB, etc, must be deleted from the controller console. If you delete them directly on AWS console, controllers view of resources will be incorrect which will lead to features not working properly. -.. +.. Note:: Upgrade from 5.3 to 5.4 is not supported Controller needs to be migrated. Look at the GCP controller migration secion in the below link. +https://docs.aviatrix.com/HowTos/controller_migration.html Onboarding ========== 
@@ -192,10 +214,19 @@ should be self-explanatory. An alert message will be displayed on the Dashboard menu when a new release becomes available. -For support, send email to support@aviatrix.com + + +For support, please open a support ticket at `Aviatrix Support Portal `_ Enjoy! +.. |gcp_controller_gcp_marketplace_01| image:: GoogleAviatrixCloudControllerStartupGuide_media/gcp_controller_gcp_marketplace_01.png + :scale: 35% +.. |gcp_controller_gcp_marketplace_02| image:: GoogleAviatrixCloudControllerStartupGuide_media/gcp_controller_gcp_marketplace_02.png + :scale: 35% +.. |gcp_controller_gcp_marketplace_03| image:: GoogleAviatrixCloudControllerStartupGuide_media/gcp_controller_gcp_marketplace_03.png + :scale: 35% + .. |image0| image:: GoogleAviatrixCloudControllerStartupGuide_media/image001.png :width: 2.90683in :height: 0.35000in @@ -209,7 +240,6 @@ Enjoy! :width: 4.93125in :height: 2.10210in - .. add in the disqus tag .. disqus:: diff --git a/StartUpGuides/old-aws-startup-guide.rst b/StartUpGuides/old-aws-startup-guide.rst index 4eea5c5f1..bca21f055 100644 --- a/StartUpGuides/old-aws-startup-guide.rst +++ b/StartUpGuides/old-aws-startup-guide.rst @@ -30,7 +30,7 @@ Once you subscribe, return to this page and continue to the next section. Search "aviatrix" on AWS marketplace and accept the terms and conditions to use the software. After subscription, follow the instructions in the next sections to launch the Controller. -If you choose the BYOL image, you need a customer ID (license ID) to use Aviatrix solution. Send an email to support@aviatrix.com to obtain one. +If you choose the BYOL image, you need a customer ID (license ID) to use Aviatrix solution. Please open a support ticket at `Aviatrix Support Portal `_ to obtain one. DNS Server Connectivity Check ============================== 
@@ -109,7 +109,7 @@ Key Use cases - `Client VPN or OpenVPN® `_ -For support, send email to support@aviatrix.com. Enjoy! +For support, please open a support ticket at `Aviatrix Support Portal `_. Enjoy! OpenVPN is a registered trademark of OpenVPN Inc. diff --git a/StartUpGuides/oracle-aviatrix-cloud-controller-startup-guide.rst b/StartUpGuides/oracle-aviatrix-cloud-controller-startup-guide.rst index 634c6c634..dcda1ecc8 100644 --- a/StartUpGuides/oracle-aviatrix-cloud-controller-startup-guide.rst +++ b/StartUpGuides/oracle-aviatrix-cloud-controller-startup-guide.rst @@ -10,10 +10,10 @@ The Aviatrix cloud network solution consists of two components, the controller a gateways, both of which are cloud VMs. Gateways are launched from the controller console to specific VCNs. This guide helps you to launch the controller in OCI. -.. Note:: +.. Important:: + + The Aviatrix Controller is a secure multi-cloud networking platform. Aviatrix recommends you deploy your controller in clouds that offer metered pricing, then deploy your gateways in any supported cloud. Metered pricing offers you a true pay-as-you-go option without any up-front commitments or contract negotiations. The AWS and Azure clouds offer metered pricing for running the Aviatrix Controller image. The GCP and OCI clouds do not offer metered pricing for running the Aviatrix Controller image. - Currently we support deploying the Controller in either OCI or AWS. If you would like to launch Controller from the AWS Marketplace as a metered AMI, please follow the `AWS Startup Guide `_. - The Aviatrix Controller is multi cloud, multi subscription and multi region capable. Launching the Controller in any vendor can also enable you to deploy and manage gateways in any cloud. 1. Prepare your account in OCI 
diff --git a/Support/password-recovery-img/Pic1.png b/Support/password-recovery-img/Pic1.png deleted file mode 100755 index 723ecc1db..000000000 Binary files a/Support/password-recovery-img/Pic1.png and /dev/null differ diff --git a/Support/password-recovery-img/Pic2.png b/Support/password-recovery-img/Pic2.png deleted file mode 100755 index 2ebd01b74..000000000 Binary files a/Support/password-recovery-img/Pic2.png and /dev/null differ diff --git a/Support/password-recovery-img/Pic3.png b/Support/password-recovery-img/Pic3.png deleted file mode 100755 index 155b1ae1d..000000000 Binary files a/Support/password-recovery-img/Pic3.png and /dev/null differ diff --git a/Support/support_center.rst b/Support/support_center.rst deleted file mode 100644 index 59b4d5c88..000000000 --- a/Support/support_center.rst +++ /dev/null 
@@ -1,58 +0,0 @@ -.. meta:: - :description: Aviatrix Support Center - :keywords: Aviatrix, Support, Support Center - -=========================================================================== -Aviatrix Support Center -=========================================================================== - -Overview --------- - -The goal of the Aviatrix Support Center is to be a central repository for known issues, solutions, workarounds and common design principles for our customers. Please look at our `Official Support Page `_ for more information. - -Topics -------------- - -- `Operations `_ -- `Ticket Submission & Priority Guidelines `_ -- `Aviatrix Controller `_ -- `Transit Solution `_ -- `IPSec `_ -- `Site2Cloud `_ -- `OpenVPN Gateway `_ -- `Security: Egress FQDN Control and Firewall `_ -- `Logging `_ -- `Useful Tools `_ -- `Terraform `_ -- `CloudN `_ -- `AWS Infrastructure `_ -- `GCP Infrastructure `_ - - - -Scope of Aviatrix Support -------------------------- -Our Aviatrix Technical Support covers various topics or issues for Aviatrix products: - -* "How-to" questions about Aviatrix software feature and solutions -* Best practices to help you successfully integrate, deploy, and manage cloud networking -* Troubleshooting network connectivity issues related to Aviatrix products -* Troubleshooting third party software integration supported by Aviatrix software -* Controller UI issues, Restful API and Aviatrix Terraform provider - -Aviatrix Support does not include: - -* Debugging custom software such as terraform script, Restful API written in Python, Ansible or any other languages. -* Performing network administration or operation tasks -* Customizing IAM, Cloud Formation based on customer environment/requirements -* Code/script development - -Contact Aviatrix Support ------------------------- - -Aviatrix customers who need technical assistance can contact our support team - - at support@aviatrix.com, or - - via our `Aviatrix Support Web Portal `_. 
- -Please also refer to `Ticket Submission & Priority Guidelines `_ for more details. diff --git a/Support/support_center_aws_infrastructure.rst b/Support/support_center_aws_infrastructure.rst deleted file mode 100644 index c508c804b..000000000 --- a/Support/support_center_aws_infrastructure.rst +++ /dev/null 
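Review bot: Deleting `Support/support_center.rst` removes the index that links to the other `support_center_*` pages, including `Operations`, `Ticket Submission & Priority Guidelines`, `Transit Solution`, `IPSec`, `Site2Cloud`, `OpenVPN Gateway`, `Security: Egress FQDN Control and Firewall`, `Logging`, `Useful Tools` and `Terraform`, none of whose deletions appear in this diff. Check that any toctree or cross-reference to `support_center` is updated, run the Sphinx link check so the remaining pages do not produce unresolved references, and add an HTTP redirect from the old `support_center.html` URL to the support portal, since the page also defined the scope of support and is likely bookmarked by customers.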
@@ -1,148 +0,0 @@ -.. meta:: - :description: Aviatrix Support Center - :keywords: Aviatrix, Support, Support Center - -=========================================================================== -AWS Infrastructure -=========================================================================== - - -How do I increase the size of the disk on my Gateway? -------------------------------------------------------- -Follow these instructions to increase the size of your instance's disk. - -* Login to the AWS console and locate the Aviatrix gateway instance -* Click on Root device: /dev/sda1 and then click on EBS ID vol-xxxxxxxxxx link -* With the volume selected, click Action > "Modify Volume" to change the Disk Size -* Increase the value in the Size field. Click OK to start the resize process. Please make sure you wait until the state of the volume is "in-use - completed (100%)" -* Select the Aviatrix gateway instance in the EC2 page. Click Reboot for the disk space to take effect. This will cause downtime (< 5 minutes) due to the reboot process -* Confirm that the gateway is in a running state in AWS console -* Login to your controller to run gateway diagnostics and submit to us. Please also upload the gateway `tracelog `_ - -How do I save an EIP used for a Gateway? -------------------------------------------------------- - -* When creating a new Gateway, the default option for “Allocate New EIP” is "on" – this would mean that the Aviatrix Controller would check out a new EIP from AWS Infrastructure. If this gateway is deleted, the Controller will release this EIP to the AWS Infrastructure. If you expect to keep the EIP in future, it is recommended that the "Allocate New EIP" option is unchecked and an available EIP is picked during the Gateway creating process. 
-* If you are having issues with the Gateway and would like a new Gateway to replace the existing one and with the same EIP, the best way to do this is via “Controller GUI / Troubleshoot / Diagnostics / Gateway Tab / Gateway Replace” -* If you want to transfer the EIP from one Aviatrix Gateway to another one, please follow the following steps (Example: GatewayA-EIPA, GatewayB-EIPB. Move EIPA to GatewayB) **Note: Only supported in releases 4.0 and up. Using this for release 3.5 and lower will result in the loss of the EIP:** - - * From the AWS Console, create a new EIP (Continuing the example: call this EIP-new) - * From the Aviatrix Controller, go to “Controller GUI / Troubleshoot / Diagnostics / Gateway Tab / Migration,” pick the Gateway that you want to pick the EIP from, enter this new-EIP and click on OK. (Pick GatewayA and enter EIP-new. This will release EIPA) - * On the Aviatrix Controller, on the same page, pick the Gateway that you want to receive the old EIP and enter the old-EIP. (Example: Pick Gateway B and enter EIPA. This will release EIPB) - -How can I encrypt an EBS Volume on Controller/Gateway? ----------------------------------------------------------- - -AWS does not allow EBS encryption during instance launch time. Follow instructions for `Controller `_ and `Gateway `_ - - -Why are IAM Roles/Policies important? ----------------------------------------------------------- - -* The Aviatrix Controller and its Gateways need access to AWS's resources and to function as designed. Any loss in these access privileges could cause unpredictable behavior and performance of your network. This access is granted and managed through IAM roles and policies. 
For more information please refer the following documents - - * `IAM Policy Requirements `_ - * `IAM Policies `_ - * `How to use IAM Roles and Policies `_ - * `Guidelines to customize IAM Policies `_ -* AWS has an IAM corner case - if an EC2 instance had an IAM role attached and then the role was deleted and added again, that EC2 instance's roles and policies will not function in a predictable way. If you have deleted and added Aviatrix IAM roles, it might be good to detach the roles from your Controllers and Gateways and attach them again. -* Aviatrix IAM policies might be updated - please make it a point to update them when you `update the software on Aviatrix system `_ - - -What do I do if my gateway instance is identified for retirement by AWS? ---------------------------------------------------------------------------- - -AWS will inform you when one of your instances is scheduled for retirement if the underlying hardware has issues or is being upgraded. Usually a start/stop from the AWS console will migrate the instance to newer hardware. Please check `here for more information `_. Also, please open a support ticket with AWS for more information - - -How can I monitor the destination ports and ip addresses for instances in my VPC? ---------------------------------------------------------------------------------------- - -Aviatrix provides a `Discovery `_ function to do this. But you could also consider `AWS's flowlogs `_ functionality on a vpc which will capture all incoming and outgoing traffic out of the vpc and will log either into S3 or into CloudWatch. Please follow the directions `here `_ and capture these logs. Capturing the outgoing port and IP address information will help you craft better Egress Control Policies. - - - - -How can I debug IAM related issues? (IAM Debug Playbook) ------------------------------------------------------------ - -`IAM roles and policies `_ are essential for the Aviatrix System to function as designed. 
Please follow the following steps to identify and address any IAM issues - -* If you are using `"AWS Organizations" `_ to centrally manage & govern your policies across accounts, please follow the following to check on the policies to make sure you have the right permissions. - - * Check "Service Controller Policies" for "Root": Go to "AWS Console > AWS Organizations > Organize Account" and click on "Root" on the left panel, followed by a click on "Service Control Policies" on the right panel. Check all attached "Service Control Policies". - * Check "Service Controller Policies" for "Organization Unit": Go to "AWS Console > AWS Organizations > Organize Account > Find" and click on the "Oranization Unit" (which the account belongs to) on the left panel > Click on "Service control policies" on the right panel. Check all attached "Service Control Policies" - * Check "Service Controller Policies" for the account: Go to "AWS Console > AWS Organizations > Account > Find" and click on the account from the list. Click on "Service Control Policies" on the right panel. Check all attached "Service Control Policies". -* Go to "Aviatrix Console > Settings > Advanced > AWS IAM Policy Update > Update Account IAM Policy" and make sure to pick one account at a time and click on "Check" - if the "Status=Up-to-date" then you do not need any updates, else you would have to `update the polices `_. Repeat this check for all accounts that were added to Aviatrix Controller -* Go to "Aviatrix Console > Troubleshoot > Diagnostics > Cloud > Account Diagnostics" and click on "OK" - this will identify any IAM issues you might have -* Go to ""AWS Console > IAM > Roles" and search for "aviatrix". - - * Click on "aviatrix-role-app" and make sure that "aviatrix-app-policy" is attached to this role. For each Gateway that is on a different account than the Controller, please make sure that both its own account and the Controller's account are attached in the "Trust Relationships" tab. 
Update the "aviatrix-app-policy" if needed by following these `instructions `_. - * Click on "aviatrix-role-ec2" and make sure that "aviatrix-assume-role-policy" is attached to it. Please update it following the `instructions `_. - * Repeat the above for all accounts that are registered inside the Aviatrix Controller at "Aviatrix Console > Accounts > Access Accounts" -* Please go to "AWS Console > EC2" and confirm that all of your Aviatrix Controllers and Gateways have "aviatrix-role-ec2" associated. If any of them do not have this attached, please attach them -* If the above does not address your IAM related issues, please go to the AWS Console and detach " aviatrix-role-ec2" role from the Controller instance - by attaching the "none" role and then reattaching the "aviatrix-role-ec2" role again. -* If you have edited the Aviatrix roles(aviatrix-role-app, aviatrix-role-ec2) and policies(aviatrix-app-policy, aviatrix-assume-role-policy) - please make sure that you have followed the `instructions for requirements `_ and for `customization `_. -* If you use `AWS Organizations `_ for Central governance and management across AWS accounts, please work with your network security team or AWS for further support on how to provide the right access for Aviatrix Network System of Controllers and Gateways. -* Repeat the "Aviatrix Console > Settings > Advanced > AWS IAM Policy Update > Update Account IAM Policy > Check" and "Aviatrix Console > Troubleshoot > Diagnostics > Cloud > Account Diagnostics" for all accounts for a final check. - - -Why do I get an email alert about my gateway with "Cloud Message Queue Failure" message? ------------------------------------------------------------------------------------------------ - -Typically, this message is sent when a gateway is not able to access the messages from the controller via AWS' SQS, either because it cannot resolve/reach AWS SQS or does not have the permissions to retrieve the messages from AWS SQS(i.e. 
dns, network connectivity, system issues, IAM permissions). Please check the following: - - * Please run `gateway diagnostics `_ by going to "Controller/Troubleshoot/Diagnostics/Gateway" and pick the gateway and run diagnostics test and "submit" them to us. You can also review the results by referring to the `service descriptions in diagnostics `_. - * Please make sure that the DNS can resolve public FQDN's and not just private FQDN's - * Go to "Controller/Troubleshoot/Diagnostics/Network/GatewayUtility", pick the gateway and ping www.google.com - to see if it can resolve names and if it has network connectivity. - * Check that this gateway has the `right IAM policies `_ - - * Check that your controller and the gateway instances have "aviatrix-role-ec2" role attached to it on the AWS console - * Check that the policies attached to this role are correct by going to "Controller/Accounts/AccountAudit" and run `account audit `_ on the account that this gateway belongs to. If needed, please update the policies - To update IAM policy to latest please got to "Controller/Accounts/Access Accounts/SelectAccount Name/click 3 dots/UpdatePolicy" and click OK. - * Go to AWS Console > IAM > Roles > click on aviatrix-role-ec2 > check that aviatrix-assume-role-policy policy is attached > click on the policy name > {} JSON > it should be like https://s3-us-west-2.amazonaws.com/aviatrix-download/iam_assume_role_policy.txt - * Go to AWS Console > IAM > Roles > click on aviatrix-role-app > check that aviatrix-app-policy policy is attached > click on the policy name > {} JSON > it should be like https://s3-us-west-2.amazonaws.com/aviatrix-download/IAM_access_policy_for_CloudN.txt - * If the gateway is not on the same account as the Controller, please makse sure that this access account has trust relationship to the primary account (the Controller’s AWS account). 
- * Please make sure that both your contoller and gateway have an EIP associated and not just a PublicIP/PrivateIP - * Please note that this check is done once a day - after you address the issues, please wait for 24 hours from the previous alert to see if you will receive another alert - * Sometimes, this could be a transient issue which will resolve due to temporary dns/network failures - * If you are not able to find and address the issue, please `upload the tracelogs `_ for this gateway and send an email to support@aviatrix.com to open a new ticket. - - - -How do you launch a controller in GovCloud? -------------------------------------------------------------------------- - -Pre-deployment checklist: - * Prepare a VPC with a public subnet (i.e., with 0.0.0.0/0 route points to IGW) to launch the controller. - * Go to EC2/Network & Security/Key Pairs to create a key pair. - * Note that AWS US-EAST region does not support t2.large. Pick t3.large instead to avoid deployment failure. - -Launch from CloudFormation template: - * Copy the Aviatrix CloudFormation template URL from your AWS commerical cloud account as follows: - - * The CloudFormation links (Metered or BYOL) listed in https://docs.aviatrix.com/StartUpGuides/aviatrix-cloud-controller-startup-guide.html#other-aviatrix-products should prompt you to login to your AWS commerical account and bring you into the CloudFormation-Create-stack UI. - * Look under the Amazon-S3-URL field for the actual Metered/BYOL template URL - * Copy the URL - * Launch the CloudFormation template by following these steps: - - * Login to your GovCloud account - * Go to Service/CloudFormation/Create Stack, enter the Aviatrix CloudFormation template URL copied in the previous step - * Click Next and follow the typical CloudFormation Deployment process. 
- -Launch from EC2/Instances/Launch Instance/AWS Marketplace manually: - * You would need to create the Aviatrix-role-ec2, Aviatrix-role-app, Aviatrix-assume-role-policy and Aviatrix-app-policy `manually `_. In addition, you would need to change the Resource of AssumeRole Action in Aviatrix-assume-role-policy from "arn:aws:iam::*:role/aviatrix-*" to "arn:aws-us-gov:iam::*:role/aviatrix-*", making sure the arn is pointing to using aws-us-gov. - * Launch the controller by picking an Aviatrix image under EC2/Instances/Launch Instance/AWS Marketplace. - -Other notes: - * Flightpath with AWS Govcloud does not work unless a Commerical AWS account is also registered on the controller. Register a commerical AWS cloud account with the controller: - - * Goto Accounts/Access Accounts/Add Account - * Pick AWS and uncheck IAM role-based checkbox - * Populate your AWS Access Key ID/Account Number/Secret key. - * Controller `VPC tracker `_ is not yet supported for GovCloud - - -Can I change my AWS Access Account auth between IAM role based and Accesskey? -------------------------------------------------------------------------------- - -You can change between IAM rolebased and accesskey based authentication on AWS accounts from "Controller/Accounts/AccessAccounts/SelectAccount/Edit" when there are no resources on this account. If any resources, such as Gateway's are created, you will not be able to switch over diff --git a/Support/support_center_cloudn.rst b/Support/support_center_cloudn.rst deleted file mode 100644 index 30631d2cb..000000000 --- a/Support/support_center_cloudn.rst +++ /dev/null 
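Review bot: This deletion of `Support/support_center_aws_infrastructure.rst` drops operational security guidance with no replacement visible in the diff: the IAM Debug Playbook (including the AWS Organizations SCP checks and the trust-relationship requirement for secondary accounts), the warning that the EIP migration procedure loses the EIP on releases 3.5 and lower, and the GovCloud instruction to change the AssumeRole resource from `arn:aws:iam::*:role/aviatrix-*` to `arn:aws-us-gov:iam::*:role/aviatrix-*`. Before removing the file, confirm each of these is covered by an existing HowTos page or by the support portal and add a redirect; a reader who lands on the old URL from a search engine should not lose the GovCloud ARN partition note in particular, because a policy still using the `aws` partition fails silently in GovCloud.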
@@ -1,20 +0,0 @@ -.. meta:: - :description: Aviatrix Support Center - :keywords: Aviatrix, Support, Support Center - -=========================================================================== -CloudN -=========================================================================== - -Which sites does the CloudN device require to have connectivity to? ---------------------------------------------------------------------------------------------------- - -CloudN requires access to the following: - -* diag.aviatrix.com:443 to allow uploading logs to Aviatrix for Support -* customer-bucket.s3-website-us-east-1.amazonaws.com:443 -* www.carmelonetworks.com:443 for upgrades -* license.aviatrix.com:443 for license -* bower.io:443 for upgrade -* github.com:443 for upgrades - diff --git a/Support/support_center_controller.rst b/Support/support_center_controller.rst deleted file mode 100644 index d08283844..000000000 --- a/Support/support_center_controller.rst +++ /dev/null 
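Review bot: The deleted `Support/support_center_cloudn.rst` is the only place in this diff that lists the outbound endpoints a CloudN device needs (`diag.aviatrix.com:443`, `customer-bucket.s3-website-us-east-1.amazonaws.com:443`, `www.carmelonetworks.com:443`, `license.aviatrix.com:443`, `bower.io:443`, `github.com:443`). Customers use that list to build egress firewall rules, so removing it without relocating it will generate support tickets when upgrades or license checks start failing behind a restrictive firewall. Suggest moving the list into a CloudN how-to page (or confirming the portal article that replaces it) and referencing it from the CloudN documentation before this file is dropped.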
@@ -1,314 +0,0 @@ -.. meta:: - :description: Aviatrix Support Center - :keywords: Aviatrix, Support, Support Center, controller, bacakup, iam, upgrade, rest api, ssl certificate, controller HA, alerts, blackhole, interfaces, keepalive, certificate, dns, idle timeout, migrate controller, ca signed cert, saml auth, lost password - -=========================================================================== -Controller -=========================================================================== - -What are the minimum requirements for an instance to run the Aviatrix Controller Software? ---------------------------------------------------------------------------------------------------- - -We strongly recommend that the instance be at least t2.large and have at least 32GB of storage to act as a Controller in AWS. Please check out https://docs.aviatrix.com/StartUpGuides/aviatrix-cloud-controller-startup-guide.html#select-instance-size for more information. - -The controller needs to be able to resolve all DNS queries, download software, communicate with the gateways over port 443, redirect inbound SAML VPN connection (if used). The same goes with the gateways in regards to DNS queries and sending keepalive back to the controller. The Aviatrix controller must have an EIP even if it is behind an ELB for all necessary communication to work. However, you may access the UI using its private IP for operation. - -If you have enabled `Controller HA functionality `_, please disable before initiating the following process. And do not forget to enable Controller HA after you finish with the disk size upgrade process. - -If you have less than 32GB of Storage on your controller, please follow these steps to increase your disk space: - -1. Make a backup of your controller. (https://docs.aviatrix.com/HowTos/controller_backup.html) -2. Login to the AWS console and locate the Aviatrix controller instance. -3. Click on Root device: /dev/sda1 and then click on EBS ID vol-xxxxxxxxxx. -4. 
With the volume selected, click Action > Modify Volume to change the size to 32. -5. Click OK to start the resize process. Please make sure you wait until the state of the volume is "in-use - completed (100%)". -6. Select the Aviatrix controller instance in EC2 page. Click Reboot for the disk space to take effect. -7. Confirm that the controller is in running state in AWS console. -8. Login to your controller to sanity test. -9. Take a backup again, by following instructions at https://docs.aviatrix.com/HowTos/controller_backup.html - -Note that rebooting the controller will not impact your IPsec tunnels as it's not in the data path. Please send an email to support@aviatrix.com, if you have any questions. - - - -Why are IAM policies important? ---------------------------------- - -During the launch of your Aviatrix Controller, two IAM roles(aviatrix-role-ec2 & aviatrix-role-app) are created and two associated IAM policies(aviatrix-assume-role-policy & aviatrix-app-policy) are also created. These roles and policies allow the Controller to use AWS APIs to launch gateway instances, create new route entries and build networks and are hence very important to keeping your network operational. Please check out `IAM Policies `_, `Requirements `_, `Customization `_ and `IAM for Secondary Access Accounts `_. After a software upgrade, please update your IAM policies using the instructions in the above links - these updates have to be done for all accounts that have the Controller and the gateway. - -We expect the following: - - * All of your Aviatrix Controllers and Gateways to have "aviatrix-role-ec2" attached - * Your account to have an IAM role named "aviatrix-role-ec2", with an IAM policy named "aviatrix-assume-role-policy" attached to it. 
The policy should be identical to the `specified policy requirements `_, unless it is customized carefully - * Your account to have another IAM role named "aviatrix-role-app", with an IAM policy named "aviatrix-app-policy" attached to it. The policy should be identical to the `specified policy requirements `_, unless it is customized carefully - * If you have secondary accounts, the above roles in all of the secondary accounts should be trusting the Controller's AWS account number via the "Trust Relationship" tab on the role. - - - -Why should I upgrade my Controller Software? ----------------------------------------------- - -Our engineering team works very hard to fix issues on a continuous basis. We also continue to add new features and try to enhance the systems to keep your network working effectively and securely. Please take advantage of this and stay on the latest releases. `Controller upgrade `_ does not affect your tunnels. Please keep your controller's size at > t2.large! - - -Does Aviatrix Controller support automation? -------------------------------------------------- - -The Aviatrix Controller supports a `comprehensive set of REST API `_ to enable automation - -We also support Terraform. Please check out `Aviatrix Terraform Tutorial `_, `Aviatrix Terraform Provider `_, `Transit Network using Terraform `_ and our `Github Repository `_. - - -Can I use an SSL Certificate from AWS ACM? -------------------------------------------- - -You can place your `controller behind an ELB in AWS `_ and use your certificate from AWS ACM. Remember to increase the `default ELB idle connection timeout `_ from 60 seconds to at least 300 seconds. - - -How do I backup my Aviatrix configuration? ------------------------------------------- - -Please checkout `backup functionality `_ on your Aviatrix controller. - -* If you have a "."/period character in the S3 bucket name, please ensure you are running software version 4.0.685 or later.) 
-* We strongly recommend the "Multiple Backup" setting to be turned on at Controller/Settings/Maintenance/Backup&Restore. After turning this option on - click on Disable and then Enable and then click on "Backup Now." Check in your S3 bucket to make sure that the backup function is successful. -* We support `backup using AWS encrypted storage `_ -* Please do not use the AWS's AMI to take snapshots - this is not a valid backup mechanism and will not work - - -How can I customize the Controller GUI? --------------------------------------- - -* On the Gateway page, you can customize the columns and add more information(click on the "Name, State, ..." drop down list box and select the fields you are interested in). You can also sort and filter on any column by clicking on header. -* On the gateway page, you can adjust the number of gateways you can see at a time - the default is 5 gateways - -How can I troubleshoot connectivity issues? --------------------------------------------- -Please refer to `How to use Aviatrix FlightPath `_!! - - -Does Aviatrix support High Availability? ------------------------------------------- - -We have HA built into our system through `Transit HA `_ and `Single AZ HA `_. The `Gateway HA `_ is now deprecated. - -`Aviatrix Controller HA `_ does not support HA in multiple regions, but works across multiple AZ's. More information `here `_ - - -Does Controller send alerts when Gateway status changes? --------------------------------------------------------------------- - -The Aviatrix Controller monitors the gateways and tunnels and whenever there is a tunnel or gateway state change, it will send an email to the admin of the system. You can always override the admin email by updating "ControllerUi/Settings/Controller/Email/StatusChangeEventEmail". If you do not want to see these emails, you can set it to an email address that you don't monitor. 
- -As an alternative, you can also set Cloudwatch Event Alerts in AWS to be alerted when Gateway/Controller Instances are Started or Stopped. - -What are blackholes on Alert Bell? --------------------------------------------------------------------- - -Blackhole route(s) usually means that the route in your AWS route table points to a non-existant AWS resource. -Besides, a route pointing to an EC2 with the stopped state will have this blackhole state. - -The blackhole definition on the AWS website: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeRouteTables.html -route.state - The state of a route in the route table (active | blackhole). The blackhole state indicates that the route's target isn't available (for example, the specified gateway isn't attached to the VPC, the specified NAT instance has been terminated, and so on). - -Here is more info for the Aviatrix Alert Bell function: https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html -Alert Bell is a new multi purpose alerting function displayed on the Aviatrix Controller Console. For example, Aviatrix Controller periodically scans your AWS route tables and alerts you if there is any blackhole entry in your AWS route table that needs to be cleaned up as best practice. GuardDuty findings are also recorded by Alert Bell. - -You can decide to remove the blackholes in AWS portal if they are not needed. - - -How can I check and track configuration changes and run audit on my Aviatrix System? --------------------------------------------------------------------------------------- - -You have a couple ways to run audits on the Aviatrix System: - - * You can view and download audit logs from "Controller GUI > Troubleshoot > Logs > Display Logs > Display Audit Logs" and "Download Audit Logs". More information `here `_ - * If you have `external logging `_ enabled, you can search for "AviatrixCMD" on your logging system. 
More information `here `_ - - -Which Aviatrix gateway interface to perform packet capture on? --------------------------------------------------------------- - -An Aviatrix gateway may have a single or multiple interfaces depending on the type of gateway used for a network deployment. Therefore, it will be helpful if a user knows which interface to perform the packet capture when troubleshooting a network connectivity or packet flow issue. Please note that all interfaces on the Aviatrix gateway are automatically created based on the features enabled. - -+-----------------------+--------------------------------+--------------------------------------------------------+ -| Gateway Type | Interface | Description | -+=======================+================================+========================================================+ -| SSLVPN | eth0 | Main interface | -| +--------------------------------+--------------------------------------------------------+ -| | tun0 | Interface created for OpenVPN connection | -+-----------------------+--------------------------------+--------------------------------------------------------+ -| Regular | eth0 | Main interface | -| (created in GW page) | | | -+-----------------------+--------------------------------+--------------------------------------------------------+ -| Spoke | eth0 | Main interface | -| +--------------------------------+--------------------------------------------------------+ -| | tun-XXXXXXXX | (Optional) VTI to the Aviatrix Transit gateway | -+-----------------------+--------------------------------+--------------------------------------------------------+ -| Transit | eth0 | Main interface | -| +--------------------------------+--------------------------------------------------------+ -| | tun-XXXXXXXX | VTI to the VGW, external device or CloudN | -| +--------------------------------+--------------------------------------------------------+ -| | tun-YYYYYYYY (to Gateway_Name) | VTI to each Spoke gateway | 
-+-----------------------+--------------------------------+--------------------------------------------------------+ -| Transit for TGW only | eth0 | Main interface | -| +--------------------------------+--------------------------------------------------------+ -| | eth1 | Interface connecting to AWS Transit GW | -| +--------------------------------+--------------------------------------------------------+ -| | tun-XXXXXXXX | VTI to the VGW, external device or CloudN | -| +--------------------------------+--------------------------------------------------------+ -| | tun-YYYYYYYY (to Gateway_Name) | (Optional) VTI to each Transit peering gateway | -+-----------------------+--------------------------------+--------------------------------------------------------+ -| Transit DMZ | eth0 | Main interface | -| (Main) +--------------------------------+--------------------------------------------------------+ -| | eth1 | (Optional) Interface connecting to AWS Transit Gateway | -| +--------------------------------+--------------------------------------------------------+ -| | eth2 | Interface connecting to Firewall instance | -| +--------------------------------+--------------------------------------------------------+ -| | tun-YYYYYYYY (to Gateway_Name) | (Optional) VTI to each Spoke or Transit peering gateway| -+-----------------------+--------------------------------+--------------------------------------------------------+ -| Transit DMZ | eth0 | Main interface | -| (Companion) +--------------------------------+--------------------------------------------------------+ -| | eth2 | Interface connecting to Firewall instance | -| +--------------------------------+--------------------------------------------------------+ -| | tun-XXXXXXXX | (Optional) VTI to the VGW, external device or CloudN | -+-----------------------+--------------------------------+--------------------------------------------------------+ - -In order to perform a packet capture, go to Troubleshoot > 
Diagnostics > Network page and scroll down to Packet Capture section. Select the target gateway and the interface you want to capture the packet and all other relevant fields. By default, the packet capture will run for 60 seconds when no duration is configured. The maximum packet capture duration is 240 seconds and you may manually stop the process at any time. - - - - - -Why are my Gateways reported as down? --------------------------------------------------------------- - -The Aviatrix Controller depends on `Gateway keepalive messages `_ from the Gateways to determine the `Gateway status `_. The default configuration for Gateway keepalives is set to "medium" - which means that the Gateway will be sending a keepalive to the Controller every 12 seconds and the Controller runs a health check on the Gateway every 60 seconds. The Gateway is considered to be "UP" if the Controller receives 2 or more message between two consecutive health checks. - -Sometimes due to Cloud Infrastructure and/or Network issues, there is a temporary glitch in network connectivity which could lead to the Gateway being marked as "Down" and the Controller sending an alert email. If you do receive such a message, please check the status of the tunnels on the Gateway and run `Diagnostics on the Gateway `_. - -The Gateway could also be reported as "Down" due to the Controller's Security Group not being open to the Gateway’s EIP. To restrict the Security Groups on the Controller to allow traffic from all Gateways automatically, you can turn on the `Controller Security Group Management `_ feature at "Controller UI > Settings > Controller > Security Group Management" - -Please also note that a Gateway "Down" state does not necessarily mean IPsec or OpenVPN service is down - it only means that the Controller has not received the keepalive messages from the Gateway and that could be due to a few reasons as mentioned above. 
- - -What is the preferred way for generating a CSR and uploading a Signed CA Certificate to the Aviatrix Controller? ------------------------------------------------------------------------------------------------------------------------- - -The recommended way is to generate a CSR and have it signed by your CA and then upload the signed cert, ca cert and the key at "Controller Web Interface > Settings > Advanced > Security > Import Method > Import Certificate with the Key". `Instructions to generate CSR `_ - - - -Why is having a reachable DNS server important for the Aviatrix Controller? ----------------------------------------------------------------------------------------------------- - -When an Aviatrix Controller is launched, by default it will pick up the DNS used in the VPC DHCP Options and the default AWS DHCP is using AmazonProvidedDNS. If VPC DHCP Options are not set, it will use the AWS's Default DNS server (ex: 10.1.0.2 if VPC CIDR is 10.1.0.0/16). - -If you have a DNS server configured in DHCP options, please make sure that it can resolve public FQDNs. The Aviatrix Controller depends on this service to run as designed and will run into unexpected problems if it cannot resolve public FQDNs - -If you are using AWS's VPC DNS Service, please do make sure that "enableDnsSupport" is turned on - else, AWS will not provide DNS services in the VPC (https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html, https://docs.aws.amazon.com/glue/latest/dg/set-up-vpc-dns.html) - - -How can I increase the idle timeout when my Aviatrix Controller is deployed behind an ELB, to avoid frequent logins? ----------------------------------------------------------------------------------------------------------------------- - -If the Aviatrix controller is behind an ELB, you can go to the AWS portal's Load Balancers page. Select the ELB that you use for the controller and Edit the attributes to increase the Idle timeout. We recommend at least 360 seconds. 
The default is 60 seconds. Please check out https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#connection-idle-timeout for more information. - - -How can I move my controller from one AWS account to another AWS account? --------------------------------------------------------------------------- - -1. Backup the old controller configuration to an S3 bucket using these `instructions `_. FileName created should look like: CloudN_xxx_config.enc -2. In the target account, create a new controller, running the same Aviatrix Software Version as the old controller using `these directions `_ -3. Build the "Trust-Relationship" between all gateway (AWS) accounts and the new controller's AWS account using these `directions `_. NOTE: Make sure that you repeat this step for every gateway's (AWS) account -4. Login to the new controller and run "Aviatrix Console/Settings/Maintenance/Backup&Restore/Restore" . Enter the AccessKey & SecretKey (which have the permissions to access the S3 bucket located in the same AWS account of your old controller), BucketName, FileName -5. After restore process is finished, check that the new controller can access/configure all the gateways from old controller. - - -How can I import a CA signed cert into my controller through REST API? 
--------------------------------------------------------------------------- - -Here is a sample script to import a CA signed cert: - -:: - - # Description: - # This script demonstrates using Aviatrix REST API, "import_new_https_certs" - - # Instruction(s): - # + Please replace the content from line 11 to 23 with your own data - - import requests - - controller_hostname = '1.2.3.4' # This can be the public IP or domain name of the Aviatrix controller - api_endpoint_url = 'https://' + controller_hostname + '/v1/api' - - # File paths in local machine - path_to_input_file_01 = './my-ca-cert.csr' # assuming this file is in the same folder as this python script is - path_to_input_file_02 = './my-server-cert.crt' - path_to_input_file_03 = './my-private-key.key' - - - body_payload = { - 'action': 'import_new_https_certs', - 'CID': 'Rzz61dB94uaYwpJX6dWn', # Please provide your valid CID here - 'gateway_name': 'abg-us-east-1-spoke-s-rateshop-aviatrix-ubuntu' # Comment out this parameter if this API is invoked against the Aviatrix controller - } - - # Notes: - # + 'ca_cert', 'server_cert' and 'private_key' are actually the body-param names - - file_list = { - 'ca_cert': ('file_name_to_be_saved_in_server_01.cert', open(file=path_to_input_file_01, mode='rb'), 'application/vnd.ms-excel', {'Expires': '0'}), - 'server_cert': ('file_name_to_be_saved_in_server_02.cert', open(file=path_to_input_file_02, mode='rb'), 'application/vnd.ms-excel', {'Expires': '0'}), - 'private_key': ('file_name_to_be_saved_in_server_03.pem', open(file=path_to_input_file_03, mode='rb'), 'application/vnd.ms-excel', {'Expires': '0'}) - } - - response = requests.post(url=api_endpoint_url, data=body_payload, files=file_list, verify=False) - print(response.text) - - -How can I use SAML for controller auth when I'm also using SAML for VPN authentication? 
------------------------------------------------------------------------------------------- - -By default, we use "Hostname" for "Entity Id" when creating the SAML Endpoint in the Controller Console. When you create a second endpoint for controller login, you would have to pick "Custom" for "Entity Id" and use a custom string. You would have to use the same custom string for EntityId when you provision the SAML App at your IdP(Okta, Onelogin, Azure, etc) - -How to reset Controller login password if it's lost or forgotten? --------------------------------------------------------------- - -In case if you've lost or forgetten the password to AVX console, please use next steps to repair it: - -1. Input the username to Username field, and press “Forgot password” from the login page - -|login_page| - -2. Check email and find the one time token inside. Message format is : - -<> is the one time Aviatrix token from controller <> and is valid for 15 minutes. - -Please pay attention that the token expires in 15 minutes. If you repeatedly get this and think that this is being done by someone with malicious intent, you can restrict the IP's allowed to access your controller through AWS's Security Groups - -3. Enter Access Token in Account Verification window: - -|verification_window| - -4. Type new password for the admin user: - -|admin_user| - -5. Press Save button and try to login with a new password - -.. |login_page| image:: password-recovery-img/Pic1.png - :scale: 70% - -.. |verification_window| image:: password-recovery-img/Pic2.png - :scale: 70% - -.. |admin_user| image:: password-recovery-img/Pic3.png - :scale: 70% - - -How can I secure my controller? ------------------------------------ - -Please follow the instructions `here `_ to secure your controller. diff --git a/Support/support_center_egress_firewall.rst b/Support/support_center_egress_firewall.rst deleted file mode 100644 index 8fe4e28c4..000000000 --- a/Support/support_center_egress_firewall.rst +++ /dev/null 
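Review bot: the `import_new_https_certs` sample removed at the end of this hunk uploads a private key with `requests.post(url=api_endpoint_url, data=body_payload, files=file_list, verify=False)` and embeds a literal session id (`'CID': 'Rzz61dB94uaYwpJX6dWn'`) and a real-looking gateway name; if the script is reinstated on the replacement page it should verify the controller certificate (drop `verify=False`, or pass the CA bundle path), take the CID from a preceding login call instead of a hardcoded value, and close the three `open(...)` handles (a `with` block) so the key file is not left open. The same hunk deletes the password-reset procedure and the "How can I secure my controller?" answer with no replacement or redirect visible in the diff; the commit message should say where that content now lives so inbound links to the reset steps do not 404.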
@@ -1,105 +0,0 @@ -.. meta:: - :description: Aviatrix Support Center - :keywords: Aviatrix, Support, Support Center - -=========================================================================== -Security: Egress FQDN Control and Firewall -=========================================================================== - -Why should base policies be same? --------------------------------------- - -When you are using multiple Egress Filters and/or Security Policies on the same gateway, we program the rules into the gateway with a default setting for packets which don't meet your specific rules. When there are different base policies being configured, the interpretation from the admin and what has been programmed into the system might vary. To avoid this misinterpretation, we do request the users to not mix the base rules and stick with all "white lists/deny all" or all "black lists/allow all" policies/base rules - - -Should I use Black lists or White lists for Egress FQDN Control? ----------------------------------------------------------------------------- - -White lists should specifically be used for access to applications or access to servers. If you are browsing the WEB/internet, then you should be using black lists since a lot of webpages refer or load content from other websites, or use the Discovery feature to discover the websites you are surfing and use that to configure your white lists https://docs.aviatrix.com/HowTos/fqdn_discovery.html - - -Which policies are executed first - egress or firewall? ----------------------------------------------------------------------------- - -The policies for 80/443 are executed first followed by the other policies. -FQDN takes precedence over Stateful Firewall. - - - -How can I overcome the character limit in REST API and Terraform while adding a lot of FQDN Rules for a FQDN Egress Control Tag? 
--------------------------------------------------------------------------------------------------------------------------------------------------------- - -There is a character limit while using `FQDN Egress Control REST API `_, which might limit you to about 100 FQDN rules. You can use the following workaround to load a file with FQDN Rules. The size of the file can be upto 65280 bytes. We recommend that you keep your FQDN rules to less than 500-750 per Tag. - - -:: - - First: Prepare your data file("test_file" in this example) for your Egress Control Rules. Format is "FQDN,protocol,port". Here's an example: - *.yahoo.com,tcp,443 - google.com,tcp,443 - - Next: Make sure that you have an Egress Filter Tag created on the controller. "Controller UI > Security > Egress Control > New Tag". "newtag2" for this example - - Next: Using REST API, login to your controller and generate a CID. This works on a Mac - replace the username, password and controller's IP/FQDN. https://s3-us-west-2.amazonaws.com/avx-apidoc/API.htm#_login - curl -k -s --data "action=login" --data "username=admin" --data "password=My-Pass-3484" "https://1.1.2.55/v1/api" - - Next: Copy the following python code into a file, let's say, egress-rules.py. Update the CID value from the above command, input the url and run it: - - ---------- - #!/usr/local/bin/python3 - import requests - import os - - CID = "aL4H34aPWnS738TmHsGV" - fqdn_file = "test_file" - tag_name = "newtag2" - url="https://1.1.2.55/v1/api" - - print("import FQDN config file") - myfile = { - "import_file":open(fqdn_file, "rb") - } - - payload = { - "action": "import_fqdn_filter_tag_domain_names_from_file", - "CID": CID, - "tag_name": tag_name - } - - response = requests.post(url=url, files=myfile ,data=payload, verify=False) - print(response.json()) - ---------- - - Next: Check on your controller to verify that the Egress FQDN Filter tag has been updated. - - -What is the DNS dependency for Egress Control? 
---------------------------------------------------- - -By default, the DNS server on the Gateways are set to 8.8.8.8, except when you have manually edited the Gateway (Controller UI > Gateway > Edit) to "Enable VPC DNS" to pick up VPC'S DNS settings (ether through DHCP Option or the default AWS VPC DNS Server) - -When the egress control is enabled: - - * If you set rules only for 80/443 ports: when you enable the egress fqdn list, the gateway will check if it has access to the DNS before it will turn on the FQDN filter. If it cannot access the DNS server, it will fail this enable operation. - * If you set rules for non-80/443: the controller will replace the gateway default DNS (8.8.8.8) - with the Server from DHCP Options or DNS VPC Server. If the gateway cannot reach this new DNS, the enable operation on the FQDN Egress Control will fail. - -If you run into these issues, please try: - - * Run `diagnostics on the gateway `_ and look for `"DNS Resolution" tag `_. - * Go to "Controller Web Interface > Troublshoot > Diagnostics > Network > Gateway Utility" and pick the gateway and try to ping to an FQDN and see if the name to IP resolution happens. - - -How can I create an Egress Control Aviatrix Gateway in Azure? -------------------------------------------------------------------- - -Azure's subnets by default have an internet gateway associated. So the process is slightly different from AWS. Here are the steps: - -1. Create a subnet for your VNET. Do NOT associate any route table to this subnet. This will be your public subnet. This subnet will be used when creating the Aviatrix gateway. -2. Create a second subnet for user instances. Create a route table and associate it with this second subnet. This will act as a private subnet like in AWS. -3. Launch an Aviatrix Gateway in the first public subnet created in Step 1. If you need an HA, you can create it in the same subnet. - - -Where can I find the traffic logs for my Egress FQDN Control on my Aviatrix Gateway? 
-------------------------------------------------------------------- - -All traffic through your Aviatrix Egress Control Gateways will be logged. You can check out the logs from the Controller at "Controller/Security/EgressControl/EgressFQDNViewLog". We recommend that you `turn on external logging `_ to send the syslogs from Aviatrix to your logging systems. Please look at the `right tag for FQDN relevant logs `_. diff --git a/Support/support_center_gcp_infrastructure.rst b/Support/support_center_gcp_infrastructure.rst deleted file mode 100644 index 8ff7f3ab1..000000000 --- a/Support/support_center_gcp_infrastructure.rst +++ /dev/null @@ -1,19 +0,0 @@ -.. meta:: - :description: Aviatrix Support Center - :keywords: Aviatrix, Support, Support Center - -=========================================================================== -GCP Infrastructure -=========================================================================== - - -What are the restrictions on resource name length in GCP? --------------------------------------------------------------- - -`GCP restricts the names of instances/route/firewallrules to a max of 63 characters `_. GCP adds the VPC Name in front of each route and firewall name created by default (in the default VPC). We are following the same convention for gateway naming. You might run into limitations if you use a long name. Please look into using a shorter name. - - -How is DNS implemented in GCP? --------------------------------- - -DNS in GCP is documented at https://cloud.google.com/compute/docs/internal-dns. The default DNS nameserver for gateway instances is 169.254.169.254. diff --git a/Support/support_center_ipsec.rst b/Support/support_center_ipsec.rst index ddc2e74a4..1c949f352 100644 --- a/Support/support_center_ipsec.rst +++ b/Support/support_center_ipsec.rst 
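Review bot: the FQDN-import workaround in this hunk puts the admin password on the curl command line (`--data "password=My-Pass-3484"`) and combines `-k` with `verify=False` in the Python step, so the credential lands in shell history and the TLS check is disabled on the very call that sends it; if the procedure is kept elsewhere, read the password from a file or prompt (the `name@filename` form of curl's `--data-urlencode`) and remove `-k`/`verify=False` once a CA-signed controller certificate is installed. The example CID `aL4H34aPWnS738TmHsGV` and controller address `1.1.2.55` should be shown as placeholders rather than literals, and "Troublshoot" in the DNS-dependency answer is a typo to drop from any copy.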
@@ -6,16 +6,18 @@ IPSec =========================================================================== - What is the MTU setting on the IPSec Tunnels between the Aviatrix Gateways? -------------------------------------------------------------------------------------------- -All the IPSec tunnels have the TCP MSS set to 1370 bytes, by default, on Aviatrix gateway created in AWS, Azure and OCI. In GCP, the default value is 1350 bytes due to previous experience with some GCP applications. If you are running any applications which do not support fragmentation, you might have issues - please adjust the MTU on your end devices. Here are a couple examples of ssh failing due to MTU - `ssh hangs due to MTU `_, -`music fails due to MTU `_ +All the IPSec tunnels have the TCP MSS set to 1370 bytes, by default, on Aviatrix gateway created in AWS, Azure and OCI. In GCP, the default value is 1330 bytes (from R6.1) due to previous experience with some GCP applications. If you are running any applications which do not support fragmentation, you might have issues - please adjust the MSS value on your gateways. + +MSS is the maximum size that the payload can be, after subtracting space for the IP, TCP, and other headers. It's typically a minimum of a 40 byte offset (40 bytes less) than MTU. A good primer on the relationship between segment size and application traffic is available to review here: + +`How TCP segment size can affect application traffic flow `_ You can adjust the TCP MSS at “Aviatrix Console > Settings > Advanced > Tunnel > TCP MAXIMUM SEGMENT SIZE(MSS)” on the Aviatrix gateway. - -Please note that we **strongly** recommend that you do not set the MTU to a value higher than 1370 bytes. + +Please note that we **strongly** recommend that you do not set the MSS to a value higher than 1370 bytes. Why did my IPSec tunnel go down? diff --git a/Support/support_center_logging.rst b/Support/support_center_logging.rst deleted file mode 100644 index 2d96585ad..000000000 
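Review bot: the added MSS paragraph's "It's typically a minimum of a 40 byte offset (40 bytes less) than MTU" reads as if 40 bytes were a lower bound on the difference, whereas MSS is at most the MTU minus the IP and TCP headers (20 + 20 = 40 bytes for IPv4 without options, more with options or IPv6); suggest "MSS is normally the MTU minus 40 bytes (20-byte IPv4 header plus 20-byte TCP header), so the 1370-byte default corresponds to a 1410-byte MTU". The GCP change from 1350 to 1330 is tagged "(from R6.1)" while the 1370 default carries no version qualifier; state whether both figures apply from R6.1 so readers on older releases know which value their gateways use. The removed ssh/music MTU example links are dropped without a substitute; if they still illustrate the failure mode, keep at least one.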
--- a/Support/support_center_logging.rst +++ /dev/null 
@@ -1,119 +0,0 @@ -.. meta:: - :description: Aviatrix Support Center - :keywords: Aviatrix, Support, Support Center - -=========================================================================== -Logging -=========================================================================== - -How does logging service work? -------------------------------------- - -When a logging service is enabled on the controller, the controller pushes the logging configuration and modules(if needed) to the controller and to all the gateways. Once this is done, the logs flow from each of the Aviatrix Network Components directly to the logging server/service. Please make sure that you have a path from each of these components to the logging server/service. - -When a new gateway is created later or if a gateway goes through forced-upgrade or through replace-gateway, they go through the same process as described above. - -Is AWS's Cloudwatch supported? -------------------------------------- - -We are happy to report that starting with release 4.0 we support `Logging to AWS Cloudwatch `_. Check it out! - -Are syslogs viewable on Controller? -------------------------------------- - -Syslogs are not viewable on the Controller. Please deploy an external service such as Cloudwatch, DataDog, Splunk, Logstash, SumoLogic, or rsyslog. Also, syslogs from gateways are not collected at the Controller and are sent directly from the gateways to the Controller. - -Is Splunk Cloud supported? -------------------------------------- - -We currently only support logging into Splunk Enterprise and do not support logging into Splunk Cloud directly. As a workaround, you can deploy a Splunk Heavy Forwarder and set it as the destination on Aviatrix for all the logs. You can then have the Splunk Heavy Forwarder send the logs into Splunk Cloud. - - -How do I use a Sumologic collector which is deployed behind an Aviatrix Egress Control Gateway? 
---------------------------------------------------------------------------------------------------------------- - -If you are deploying a SumoLogic Collector behind an Aviatrix Egress Control Gateway, you might want to look at this `Link `_ to enable SNI and then you can set up a filter to let traffic from *.sumologic.com to pass through. - -How do I know if the rsyslog is running well? Will I get an email? --------------------------------------------------------------------------- - -Starting release 4.0, there is a daily connectivity check from all Aviatrix Gateways and the Controller to the syslog server, when rsyslog is enabled. If any of the devices cannot reach the server successfully, an email is sent out to the admin with the Subject:"Failed to connect to Remote Syslog Server" - -How can I get Gateway or Tunnel Down Alerts? --------------------------------------------------------------------------- - -The Aviatrix Controller will send an email alert to the admin when a tunnel or gateway status changes. You can also setup receiving alerts related to a particular/all gateways or tunnel going up or down, by having your logging services alert you. - -* Links to `Splunk Alerts `_ -* `SumoLogic Alerts `_ -* `Datadog Alerts `_ -* `Cloudwatch Alarms `_. - - -How can I get my logs into AWS S3 Bucket? --------------------------------------------------------------------------- - -There are a few ways to get your logs into an S3 bucket. Here are a couple: - - * Send `logs to rsyslog and then onto S3 `_ - * Send `logs to Cloudwatch `_ and then `onto S3 `_ - - - -How can I upgrade/downgrade to a specific Sumo agent version in Aviatrix Controller/Gateways? ------------------------------------------------------------------------------------------------------ - -When SumoLogic is first enabled, the Controller installs the latest Sumo agent on all the Aviatrix Gateways and the Controller. 
Any new gateway created later will get the latest SumoLogic Agent available at that time. A second disable/enable of Sumo Logging will not upgrade the agents that are already installed. - -From release 4.2 onwards, we allow you to upgrade/downgrade the Sumo Collector Agent that has been installed in the Aviatrix Controller and Gateways, from the SumoLogic Web UI(Collection>SelectCollector>Edit>ChangeVersion>PickVersion). Please allow enough time for this upgrade to be completed - SumoLogic's Web UI will confirm once the upgrade is completed. If you create any new gateways after this process, you will have to adjust its agent through SumoLogic's Web UI - - -How can I turn on ephemeral mode on SumoLogic for Aviatrix Gateways? ------------------------------------------------------------------------ - -SumoLogic's ephemeral feature allows the collectors to be expired and removed if they don’t send any data for 12 hours - more information `here `_. - -In Aviatrix release 4.3, we have introduced an option for you to configure Sumo attributes ("Additional Configurations(Optional) key=value pairs"). You can add "Vephemeral=true" in this field to turn on this feature while you enable SumoLogic Logging. - -If you already have SumoLogic enabled, you would have to disable/add "Vephemeral=true"/enable to have Aviatrix Gateway Collectors be created with the ephemeral flag. Please note that any existing gateways/collectors in Sumo are still registered as non-ephemeral. If you want all gateways to be registered as ephemeral collectors - you would have to disable sumo on the Aviatrix Controller, delete all the Aviatrix Gateway Collectors on your SumoLogic Web UI and then enable SumoLogging with the flag on the Controller. - - -How can I send my logs to AlertLogic? ------------------------------------------- - -We do not support sending logs to AlertLogic directly. AlertLogic supports rsyslog if you deploy their remote collector in your network as mentioned at this `link `_. 
Please configure "Aviatrix Console > Settings > Logging > Remote Syslog" and send logs to AlertLogic's local collector on port 514. This collector should be forwarding these logs to AlertLogic's web logging service. - - -Can I upgrade the Sumo agent in my Controller and Gateways? ------------------------------------------------------------- - -We include a Sumo agent in our software but it might not be the latest. Aviatrix release 4.3 and later will let you update this agent from your Sumo Web Interface. -Go to - Manage Data > Collection > Collection ==>Upgrade Collectors link in the page > Update All/individual collectors from the "Upgrade Collectors" collectors -or, by clicking an individual collector and doing an upgrade/downgrade - - -What are the instance size requirements if I use Sumo? ----------------------------------------------------------- - -Sumo Logic's agent is memory intensive and we recommend that you use at least a t3.small instance. If you use any smaller instance, it could cause unexpected failures in your controller and gateways. - -As a workaround, you can use rsyslog instead of Sumo agent to send your logs to yoru Sumo logging system. Please check out these links - - * `Aviatrix Logging Introduction `_ - * `Aviatrix Logging using rsyslog `_ - * `Using rsyslog to send logs to Sumo `_ - - -How can I use rsyslog to send logs into different logging services? ---------------------------------------------------------------------- - -Almost all of the logging services support rsyslog inputs - please check out these links for your favourite logging service. `Splunk `_, `logstash/filebeat `_, `Sumo `_, `DataDog `_ - - -What should I do if my logging has stopped? 
---------------------------------------------------------------------- - -Please check the following - - * Please check that your logging server is properly provisioned with enough computing power and storage space - * If your logging was working well in the past and stopped suddenly, please open a ticket with the support team by sending an email to support@aviatrix.com. diff --git a/Support/support_center_openvpn_gateway.rst b/Support/support_center_openvpn_gateway.rst deleted file mode 100644 index 5686b985b..000000000 --- a/Support/support_center_openvpn_gateway.rst +++ /dev/null 
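Review bot: the "Are syslogs viewable on Controller?" answer in this hunk ends with "syslogs from gateways are not collected at the Controller and are sent directly from the gateways to the Controller", which contradicts itself and the "How does logging service work?" answer above it (logs flow from each component directly to the logging server); wherever the text is relocated, the last words should read "to the logging server". In the same hunk the AlertLogic answer tells users to forward to the local collector on port 514 without naming the transport, and plain syslog on 514 is unencrypted, so the relocated text should state whether the Remote Syslog setting supports TLS and recommend it where the collector accepts it. Minor: "yoru Sumo logging system" is a typo to drop from any copy.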
@@ -1,381 +0,0 @@ -.. meta:: - :description: Aviatrix Support Center - :keywords: Aviatrix, Support, Support Center, openvpn, saml, aviatrix vpn client, .ovpn file, okta token authentication, openvpn profiles, tunnelblick, ldap, csv upload - -=========================================================================== -OpenVPN Gateway -=========================================================================== - - -What is the recommended design for Aviatrix OpenVPN Solution? ---------------------------------------------------------------- - -**Our recommended design** is to let your VPN users connect into your cloud environment through an Aviatrix OpenVPN gateway, with one or more behind a load balancer, and use the peering between VPCs to allow access to your VPN Clients into your other VPCs. We recommend using VPN profiles to control/limit access to other VPC’s as you see fit. - - -How do I generate an .ovpn file for my SAML VPN users? ---------------------------------------------------------------------- - -Once you enable SAML auth for an OpenVPN gateway, you need to create a dummy user on the controller to generate an .ovpn file – you can share this file with all of your users. As the second authentication is through SAML, this should provide good security. This is per VPC+ELB/GW setup. If you have more than one such deployed VPC+ELB/GW setups, you would need a .ovpn file for each of those setups. - - -Can I connect via multiple VPN sessions from the same PC using Aviatrix VPN Client? ----------------------------------------------------------------------------------------------- - -Currently we do not support multiple VPN sessions from the same PC via the Aviatrix VPN Client - - -Which VPN Clients are supported with SAML authentication? 
------------------------------------------------------------------ - -At this time, we support SAML authentication for our VPN clients only for our `Aviatrix VPN Client `_ - -When using Okta Authentication with Okta API Token, what is the suggested Okta App administrator role to Token? ------------------------------------------------------------------ - -You can refer to this link about OKTA `App administrator role permission table `_. -You will need Super Admin or Read-Only Admin to allow the privilege to create a Token for API access. - -Can I set a profile for my VPN user via SAML? ------------------------------------------------------------------ - -You can add a custom attribute “Profile” in your IdP and the value will be passed to the Aviatrix OpenVPN gateway during authentication. The Aviatrix controller will then attach the Profile provided by the IdP to the VPN user. Currently we only allow one profile value to be passed via SAML auth. This will override any local settings on the controller for this user. - - -Can I assign multiple profiles to the same users? ------------------------------------------------------------- - -You can assign multiple profiles to a VPN user, but please make sure that they all have the same base policies (allow all or deny all). - - -What is the recommended default browser for Aviatrix OpenVPN with SAML Authentication? --------------------------------------------------------------------------------------------- - -Microsoft Edge does not work well with the SAML authentication process when it is set as the default browser. Please try setting your default browser to Firefox or Chrome. - - -How do I delete a Network Load Balancer created by Aviatrix? ---------------------------------------------------------------------------------------------------- - -An ELB will be automatically deleted by the Aviatrix Controller if all the gateways behind it are deleted and if there are no more users attached to it. 
The last resort to delete an ELB is delete it from Troubleshoot > ELB. Please refrain from deleting an ELB from the AWS portal for any ELBs created by the Aviatrix controller. - - -Should I be worried about Tunnelblick VPN Client's warning message about "comp-lzo"? ----------------------------------------------------------------------------------------- - -Tunneblick VPN Client might show a warning about "comp-lzo" being deprecated when connecting to Aviatrix OpenVPN Gateway. You can safely ignore this message. We have kept this option in for backward compatibility - - -Why is my VPN client failing to connect with this error: “Network is unreachable for DNS resolution”? -------------------------------------------------------------------------------------------------------- - -The Aviatrix VPN Client needs to have a successful name resolution for “localhost.aviatrix.com” to a local address 127.0.0.1. We need a publicly resolvable FQDN to use the browser to communicate on signed TLS. Some DNS servers do not allow this, resulting in the Aviatrix VPN Client failing to connect, displaying this error. If your dns server is resolving other domains, but failing to resolve localhost.aviatrix.com ("nslookup localhost.aviatrix.com" doesn’t return 127.0.0.1), you can employ a simple workaround of adding “localhost.aviatrix.com” pointing to “127.0.0.1” in the hosts file. - - * Mac/Linux: add “127.0.0.1 localhost.aviatrix.com” to /etc/hosts. You would need a sudo access for this - * Windows: add “127.0.0.1 localhost.aviatrix.com” to C:\Windows\System32\Drivers\etc\hosts file. Please open your editor/notepad with “run as administrator” (edited) - -Another option is to set the DNS server to a different one - we recommend that you test it with 8.8.8.8 to make sure that the Aviatrix Client works well. - -Any known issue with DD-WRT routers? ------------------------------------------------ - -Aviatrix VPN Client needs to be able to resolve localhost.aviatrix.com to 127.0.0.1. 
The DD-WRT router is known to have an issue resolving this, so your VPN connection might fail. Please take a look at this `link `_ for a workaround. - - -What should I do if Aviatrix VPN Client displays "Permission Denied" error? --------------------------------------------------------------------------- - -If you encounter a "Permission Denied" error while starting Aviatrix VPN Client on Microsoft Windows, you can fix this by running it with an administrator role. Here are the steps for Windows 10: - - * From Start Menu, find the Aviatrix VPN Client. Right-click and select Open File Location. - * Right-click the program and go to Properties. - * On the Properties window, click the Compatibility tab. - * Under the Compatibility mode section, check the "Run as administrator" checkbox. - * Click the OK button to save the settings and start the program again. - - -Looking for an easy LDAP solution for Aviatrix OpenVPN Solution? ------------------------------------------------------------------------------- - -Check out `AWS's LDAP `_ - - -How can I scale my VPN user setup? ---------------------------------------------------- - -Deploy your Aviatrix OpenVPN Gateways behind a Load Balancer so you can scale up by adding more VPN gateways behind the ELB when needed and not have to worry about losing an IP address and having to reissue certificates to all of your VPN users. Alternatively, you may choose to use `Aviatrix UDP LoadBalanced VPN using DNS `_ -. - -How can the OpenVPN made Highly Available? ------------------------------------------------ - -We have HA built into our OpenVPN system. By default, the OpenVPN gateways are deployed behind a `Load Balancer `_ in AWS. When you deploy additional OpenVPN gateways in the same VPC, they are deployed behind the same ELB, so the system becomes HA and resilient to any failures. - -Here are `instructions `_ to use LB with UDP OpenVPN sessions. - - -What is the recommended VPN CIDR Block (default is 192.168.43.0/24)? 
------------------------------------------------------------------------------- - -Make sure that there is no overlap between the local subnet of the computer running the VPN Client and the VPN CIDR Block. `Link `_. Also make sure that you have enough ip address space to support all of your VPN users since we use 4 IP addresses per user - the default vpn cidr, 192.168.43.0/24, should be good for ~60 users. Pick a larger subnet for more users. - -If you were to use 192.168.42.0/23, you can have up to 120 users connect to a single OpenVPN Gateway. Note that this is per gateway - so if you have 4 OpenVPN Gateways behind an ELB, each of them will have the same CIDR allowing 120 users each. The IP Addresses of the VPN Users will be NAT'ed by the OpenVPN Gateway so the traffic would look like it originated from the OpenVPN Gateway. - -Please look `here `_ for more information on VPN CIDR Block. - - - -How does a vpn client access resources from different VPCs when connecting to OpenVPN gateway? -------------------------------------------------------------------------------------------------- - -Be default, split VPN clients can only reach the VPC that the OpenVPN gateway is deployed. If you want them to reach other VPC's, please add them to "VPN CIDR" - `instructions `_ - - -If an OpenVPN gateway is created in a Spoke Gateway VPC in a Transit Network, can my VPN users access the other Spoke's resources? ---------------------------------------------------------------------------------------------------------------- - -In a Transit solution, note that traffic between spokes is not allowed by default and hence your clients will not be able to reach other spoke VPCs - check out "`Connected Mode `_". Also traffic from `Transit VPC `_ is also not advertised by default. - -We recommend that you deploy OpenVPN on a separate Gateway to take advantage of the Load Balancer for scalability. - - -Why do my VPN clients take longer to connect, sometimes? 
--------------------------------------------------------------------- - -Sometimes the clients might take some time to connect due to ELB's load - check the logs on the client. Temporary network connectivity issues, DNS resolution on your PC and other factors may contribute to this slow connection issue. - - -Why are my DNS settings changes not taking effect? --------------------------------------------------------- - -In the case of a full tunnel deployment, if an OpenVPN Gateway is edited to toggle the "Use VPC/VNet DNS Server" setting, please follow it by clicking on OpenVPN/EditConfig/ReloadDHCPConfiguration to let the changes take effect. Note that this will restart the OpenVPN processes on the gateway, affecting all the connected clients. The VPC DNS settings are shared with an OpenVPN user only in a Full tunnel setup. For split tunnel setup, the configured Nameservers field in OpenVPN/EditConfig/Modify Split Tunnel will be pushed to the connected clients. An empty Nameservers field will not push any DNS settings to the connected clients but instead will use the client's local DNS from his local network or manually configured. - - -How can I send the VPN config files to my users? ------------------------------------------------------- - -By default, when you add the email address to a user, they will receive the VPN config file (.ovpn) via email. If you do not want to share these files via email, please do not enter the email address for the vpn users. You can then download these files one at a time from the Controller UI per user. You can use our `REST API `_ - and then share it via your preferred mechanism with your VPN user. The REST API allows you to scale up if you deploy it via automation. - - -How can I customize the email that is sent out when a new VPN user is added? 
--------------------------------------------------------------------------------------------- - -You can customize the message of the email and the filename of the .ovpn file by following the instructions `here `_. We will enhance this feature in the future to allow you to customize the subject as well, stay tuned. - - -My Mac is not picking up the DNS server setting when connected? -------------------------------------------------------------------------- - -The OpenVPN gateway will push the DNS setting to the vpn clients (by default for full tunnel and when configured for split-tunnel). Note that an empty Nameservers field in split-tunnel mode will not push any DNS settings to the connected clients but instead will use the client's local DNS from his local network or manually configured. - -If the Mac has the DNS configured manually, then it cannot be overwritten by the VPN Client. We have a couple of workarounds for this issue. - -* Turn on the "Allow override of manually set DNS" option in the VPN Client / Advanced / Advanced -* Change the DNS setting on your Mac so that it will be picked up from the DHCP server - - -How do I create a new gateway behind my existing ELB/OpenVPN Gateway? -------------------------------------------------------------------------- - -Go to "Controller/Gateway/+NewGateway" - * provide a gateway name - * pick the same vpc as your first gateway - * you can pick a subnet in a different AZ for more reliability - * turn on "VPN Access" - * turn on "Advanced Options" - * pick the same "authentication" and use the same auth information as your existing gateway (you can find this information from "Controller/OpenVPN/EditConfig/Authentication") [CK] For ELB, it has to use the same authentication method if you need multiple OpenVPN gateways for redundancy. - * use exactly the same configuration as the first gateway - * click on OK - - -How can I resolve my private VPC Instance's name when connecting via remote VPN? 
-------------------------------------------------------------------------------------- - -Our recommended approach is for you to advertise your VPC Instance Names via your domain registrar. For example, if you have an instance with a private ip of 10.10.5.6, you can register it with your domain registrar as myinstance.example.com (assuming you own example.com) to resolve it to 10.10.5.6. This would allow the instance to be reachable via any public DNS server and not be dependent on having the "right" DNS setting. - -OpenVPN Gateways are deployed with a default DNS server of 8.8.8.8. A remote user can be configured to connect to this gateway via VPN Client either through a full tunnel or a split tunnel - - * For full tunnel, the DNS server from the OpenVPNGateway is pushed to the remote user's computer. You can change from the default 8.8.8.8 to the VPC's DNS server by going to "Controller > Gateways > Select Gateway > Edit > Use VPC/VNet DNS Server > Enable". You can control this through "DHCP Options Sets" in your AWS VPC settings. After making this change, please make sure to go to "Controller > OpenVPN > Edit Config > Pick ELB/Gateway > Reload DHCP Configuration and click on the red button" for the OpenVPN software to pick these settings. Please validate by reconnecting your VPN client. - * For split tunnel, the DNS server settings are not pushed by default. You can configure this setting from "Controller > OpenVPN > Edit Config > Modify Split Tunnel > Yes > Nameservers". You can provide multiple DNS servers separated by commas - - - -How can I have my laptop reconnect if the user VPN session gets disconnected? -------------------------------------------------------------------------------------- - -Most of the VPN clients have a setting to reconnect when they discover that the session has been disconnected. 
On the Aviatrix VPN client, please check out "Menu > Advanced > Advanced > Reconnect on disconnection" - - -How long will the user VPN session be connected when my laptop is in sleep or loses network connection? --------------------------------------------------------------------------------------------------------------- - -If the user VPN session is setup to use TCP(default setting with ELB), the session will be torn down anywhere from 4-6 minutes after the server stops receiving any traffic from the client. Our keepalives timeout after 4 minutes and most of the TCP sessions timeout based on the client's OS settings. - - -How can I use a CSV file to do bulk import of vpn users? --------------------------------------------------------------------------------------------------------------- - -The Aviatrix Controller supports to read a CSV file to import users using Aviatrix Console GUI started from version 5.0, please refer to this `instruction `_. -If you prefer to use API to add vpn users from a csv file, here is an example using python and REST API - -:: - - First: Prepare your data file("vpn-users.csv" in this example) for your VPN users. Format is "vpc_id, lb_name, username, user_email, profile_name". The first line is needed. The first three args are required. Email and profile are optional. If you do not want to use them, please delete them from the csv header line and update the python file as well - remove the lines from the payload. 
Here's an example, the first header line is required: - - vpc_id,lb_name,username,user_email,profile_name - vpc-0a64f49d9w8kdjde,Aviatrix-vpc-0aidj3sk80x341898c02,test1,test1@example.com,test-fqdn - vpc-0a64f49d9w8kdjde,Aviatrix-vpc-0aidj3sk80x341898c02,test2,test2@example.com,test-fqdn - vpc-0a64f49d9w8kdjde,Aviatrix-vpc-0aidj3sk80x341898c02,test3,test3@example.com,test-fqdn - vpc-0a64f49d9w8kdjde,Aviatrix-vpc-0aidj3sk80x341898c02,test4,test4@example.com,test-fqdn - - Next: Using REST API, login to your controller and generate a CID. This works on a Mac - replace the username, password and controller's IP/FQDN. https://s3-us-west-2.amazonaws.com/avx-apidoc/API.htm#_login - curl -k -s --data "action=login" --data "username=admin" --data "password=My-Pass-3484" "https://1.1.2.55/v1/api" - - Next: Copy the following python code into a file, lets say, import-vpn-users.py. Update the CID value from the above command, and run it: - - #!/usr/local/bin/python3 - import requests - import os - import csv - - CID = "Uj8rE7cJsoENKS7wltkm" #update with your CID look to - vpn_users_file = "vpn-users.csv" - url="https://your-controllers-ip-or-fqdn/v1/api" - - # first line should have the data needed for the rest api - vpc_id, lb_name, username, user_email, profile_name with open(vpn_users_file, mode='r') as csv_file: - - csv_reader = csv.DictReader(csv_file) - line_count = 0 - for row in csv_reader: - # skipping first line as it has the headers - if line_count == 0: - line_count += 1 - line_count += 1 - - payload = { - "action": "add_vpn_user", - "CID": CID, - "vpc_id": row["vpc_id"], - "lb_name": row["lb_name"], - "username": row["username"], - "user_email": row["user_email"], - "profile_name": row["profile_name"] - } - - response = requests.post(url=url, data=payload, verify=False) - print(response.json()) - - # printing all vpn users configured on this controller - payload = { - "action": "list_vpn_users", - "CID": CID - } - - response = requests.post(url=url, data=payload, 
verify=False) - parsed = json.loads(json.dumps(response.json())) - print("--------------------------") - print("id, email, vpc_id, lb_name") - print("--------------------------") - for items in parsed['results']: - print(f"{items['_id']}, {items['email']}, {items['vpc_id']}, {items['lb_name']}") - print("--------------------------") - - -I need to migrate all my Aviatrix setup and resource from one AWS account A to Account B, what is the suggestion of migrating my VPN users? ---------------------------------------------------------------------------------------------------------------------------------------------------- - -To migrate controller from one AWS account to another, please follow the instructions at https://docs.aviatrix.com/Support/support_center_controller.html#how-can-i-move-my-controller-from-one-aws-account-to-another-aws-account. However you will need to make sure your controller is running the latest software version by upgrading to the current controller. Upgrade instructions are `here `_. - -For the OpenVPN GW with ELB migration, the ovpn file is associated with the ELB name used in AWS account A. When a user is connected to the OpenVPN, it's actually connected via the ELB created in AWS. If AWS can migrate everything from one AWS account in the VPC to another AWS account, there is possibly a chance to re-use the same ovpn file. - -Here are our recommendation instead of doing the migration we believe the steps below are faster and less complicated. - -1. Spin up a brand new controller in the account B. Follow the instructions here to subscribe and launch a new controller. This could be done ahead of migration. -2. After controller is initialized to the latest version, onboard the new account and create a new OpenVPN gateway in the new account. -3. Upgrade the current controller to the latest version. Go to OpenVPN > VPN Users page, detach all users and then export the list of users. -4. 
Import the OpenVPN users to the new controller at OpenVPN > VPN Users page. -5. Attach them to the new OpenVPN gateway ELB in the new controller. -6. All users should receive the new ovpn file. -7. Once your user confirm the connection to the new OpenVPN gateway, you can delete all users, gateway from the old controller and terminate the controller. - -How can I limit the duration on my vpn user's sessions? ------------------------------------------------------------- - -"Idle-timeout" option is off by default. As long as the client's computer is up and running, we do not disconnect the user vpn session. If this option is enabled, the server will disconnect any user sessions, which have not had any traffic for the duration it is set to. Please look `here `_ for more information. - - -How can I force my VPN users to authorize at every interval? ------------------------------------------------------------- - -Renegotiation interval is off by default and if you enable it, the client will be challenged to authorize at every interval you have configured it to. Please look `here `_ for more information. - - -How can I resolve my VPC Instance FQDN Names when connecting via remote VPN? --------------------------------------------------------------------------------- - -Our recommended approach is for you to advertise your FQDNs via public DNS(you should be able to tie your instance's private ip address to a public dns name), if you cannot do that, you can use your VPC's DNS server to let your clients resolve the names. - -OpenVPN Gateways are deployed with a default DNS server of 8.8.8.8. A remote user can be configured to connect to this gateway via VPN Client either through a full tunnel or a split tunnel - - * For full tunnel, the DNS server from the OpenVPNGateway is pushed to the remote user's computer. You can change from the default 8.8.8.8 to the VPC's DNS server by going to "Controller > Gateways > Select Gateway > Edit > Use VPC/VNet DNS Server > Enable". 
You can control this through "DHCP Options Sets" in your AWS VPC settings. After making this change, please make sure to go to "Controller > OpenVPN > Edit Config > Pick ELB/Gateway > Reload DHCP Configuration and click on the red button" for the OpenVPN software to pick these settings. Please validate by reconnecting your VPN client. - * For split tunnel, the DNS server settings are not pushed, by default. You can configure this setting from "Controller > OpenVPN > Edit Config > Modify Split Tunnel > Yes > Nameservers". You can provider multiple DNS servers separated by commas - - -Which ports should I have open in my firewall to allow OpenVPN users to come in? ------------------------------------------------------------------------------------------ - -If you have deployed a TCP based Aviatrix OpenVPN Gateways behind an AWS ElasticLoadBalancer (this is the default in Aviatrix Console), please allow - - * IP Address: AWS Load Balancers' public IP - * Port: 443 - * Please note that the Network Load Balancer will communicate with the Aviatrix OpenVPN Gateways on port 943. Since the source IP's are preserved, you need to keep this port open to 0.0.0.0/0 to allow all clients to connect. - -If you have deployed a UDP based OpenVPN Gateway (i.e. without an ELB enabled) - - * IP: Aviatrix OpenVPN Gateway's public IP - * Port: 1194 - -If you are using SAML authentication for your OpenVPN users, please also allow the following: - - * IP: Aviatrix Controller's public IP - * Port: 443 - - -Is Aviatrix VPN Client supported on Windows running in a proxy environment? ------------------------------------------------------------------------------- - -Our client is not supported in a proxy environment, but please try the following command. It has worked for one of our customers - - * netsh winhttp import proxy source=ie - - -How can Aviatrix VPN Client and a VPN configuration file(.ovpn file) be pushed to their computers? 
----------------------------------------------------------------------------------------------------- - -We do not have an API or a programmatic way to push the Aviatrix VPN Client app and configurations, but here is a workflow you can automate: - -* You can push the Aviatrix VPN Client with any of your current App push tools for each of the platform. In Windows, an unattended install can be done by “AVPNC_win_x64.exe /SILENT”. -* You can use `Aviatrix REST API `_ to generate the .ovpn file for each user - look at `OpenVPN/VPNUsers/Download/Get VPN Configuration `_. Regarding the configuration -* You would also need the ".AviProf.conf" file for Macs in home directory and for Windows you need "%APPDATA%/AviProf.conf" - - * Please look at your own AviProf.conf file to figure out the format, it is a simple json file - * Regarding the encoded strings per profile in the above AviProf.conf - it is a base64encode of the fullpath+.ovpn file. You would have to generate it. (On Mac: "base64 --encode" or "base64 --decode") - * If you deploy a profile with `certificate sharing `_, and deploy in a directory path which identical for all users, then you can build and deploy the same ".AviProf.conf" for all your users. - - -How can I find out log history of my VPN users? ------------------------------------------------------- - -There are different options to find this information: - - * Please look at "Controller > OpenVPN > Troubleshooting > VPN USER HISTORY SEARCH section" - * You can look for a `disconnect log `_ if you have `external logging feature `_ turned on. - * You could also look at our `REST API `_ to get this data. - - -How can I address incomptibility between my Aviatrix VPN Client application and Cisco Umbrella Client running on my PC for DNS? 
----------------------------------------------------------------------------------------------------------------------------------------------- - -Cisco Umbrella Client updates the DNS settings to point to itself on your local computer and could have an issue in letting you resolve your internal properties which cannot be resolved by public dns servers. Umbrella Client is known to be `incompatible with many vpn clients `_. - -One of the solution is for you to configure Umbrella to not resolve your internal domains. In Umbrella preferences, you can head to Deployments/Configuration/DeomainManagements and add the domains you want to be resolved outside umbrella. Please reach out to your Cisco Support if you have more questions diff --git a/Support/support_center_operations.rst b/Support/support_center_operations.rst index 577f0f39e..faf920cdf 100644 --- a/Support/support_center_operations.rst +++ b/Support/support_center_operations.rst 
@@ -9,20 +9,23 @@ Operations Pre-Op Procedures --------------------- -We recommend that you always go through the following checklist before you start any operations on your Aviatrix Controller. This will help minimize any issues or collateral damage. All of the following procedures can be executed outside your maintenance window - and can help save valuable time during maintenance window. If you have any comments or feedback, we welcome your inputs at support@aviatrix.com +We recommend that you always go through the following checklist before you start any operations on your Aviatrix Controller. This will help minimize any issues or collateral damage. All of the following procedures can be executed outside your maintenance window - and can help save valuable time during maintenance window. If you have any comments or feedback, we welcome your inputs - please submit a new ticket at our `Aviatrix Support Portal `_. * Your Controller has to have a reliable DNS resolution service available. We recommend using 8.8.8.8. If you are on AWS/Azure, you can go to "Controller/Settings/Controller/DNS Server/Use VPC.VNET DNS Server" and disable it. This will force the controller to use 8.8.8.8. 
* The controller needs to have full access to public internet * Please check that you can ping google.com from "Controller/Troubleshoot/Diagnostics/Network/ControllerUtility" - * Please check that you can reach carmelosystems.com on port 443 from the controller using "Controller/Troubleshoot/Diagnostics/Network/NetworkConnectivityUtility" + * Please check that you can reach carmelonetworks.com on port 443 from the controller using "Controller/Troubleshoot/Diagnostics/Network/NetworkConnectivityUtility" * Please check that you can ping github.com and also reach it on port 443 * Please check ping and port 443 connectivity to bower.io * Always take a `backup on your controller `_ before you start any operation +* Please clean up your bucket where you store your controller backups, so that only the last 3 relevant configuration files are seen. Any old configurations should be moved out to your archive bucket/folder. * We recommend that your Controller be hosted on a separate VPC, so that any network operations do not affect connectivity between you and the controller and also does not impact any DNS services to the controller. If the controller is hosted in a shared services VPC, we recommend that you plan your operations to avoid any connectivity or DNS issues. * Please make sure that Aviatrix controller has an EIP associated. A controller without EIP in AWS or static IP in Azure/GCP will result in controller not being able to function properly upon reboot due to the change of its original ip address. * If the controller has `ControllerHA `_ enabled - please do know that if your controller is shutdown(accidentally, or intentionally) or goes down or is not available, the HA process will terminate it and create a new controller using the last configuration that was backed up. You can go to AWS portal and select the region where the controller is running to check if there is any active Controller HA CloudFormation stack. 
Please terminate the Controller HA CloudFormation stack if you are performing a controller migration or Backup & Restore operation. * Please be careful with the Security Groups on the controller. You need to allow yourself on port 443 and all gateways on 443 to come in. The controller needs to be able to reach out to all gateways on port 443 and 22 - we recommend that you do not adjust the outbound rules. Please consider using `security group management feature `_ * Always do account audits to avoid any permission issues - Please run account audit for all your AWS accounts from “Controller/Accounts/AccountAudit” - please make sure that all of them pass. The `IAM policies `_ should be setup as documented. If you have any issues, please look at our troubleshooting playbooks -* If you are planning an upgrade - please go through https://docs.aviatrix.com/HowTos/inline_upgrade.html carefully and open a ticket if you have any questions - you can create a new ticket by sending a new email to support@aviatrix.com or by registering at https://aviatrix.zendesk.com +* If you are migrating your controller from one AWS account to another AWS account, you will need to make sure that all AWS onboarded accounts have the trust relationship with the new controller AWS account. This is required to make sure the new controller has the permission to update on those onboard AWS accounts. +* If you are planning an upgrade - please go through https://docs.aviatrix.com/HowTos/inline_upgrade.html carefully and open a ticket if you have any questions - you can create a new ticket at Support Portal https://support.aviatrix.com +* Please go through the Field Notices that are published at https://docs.aviatrix.com/HowTos/field_notices.html and make sure that you act on the ones that could impact you. diff --git a/Support/support_center_site2cloud.rst b/Support/support_center_site2cloud.rst deleted file mode 100644 index 0fa2ce700..000000000 
--- a/Support/support_center_site2cloud.rst +++ /dev/null 
@@ -1,77 +0,0 @@ -.. meta:: - :description: Aviatrix Support Center - :keywords: Aviatrix, Support, Support Center - -=========================================================================== -Site2Cloud -=========================================================================== - - -How can I debug Site2Cloud connections? ------------------------------------------ - -Site2Cloud connections depend on the third party onsite router/firewall providing the remote end of the IPSec tunnel. Here are some common items to check on - -* If the tunnel is not coming up, make sure there is interesting traffic from either or both sides of the tunnels -* Ports 500 and 4500 have to be allowed, if you have a firewall, for IPSec tunnels to be established. Please check your firewall, security groups on the gateway and make sure that any NACLs are not blocking traffic. -* Ensure that the third party device has the matching IKE Phase 1, IPSec Phase 2 algorithm and also security policy (i.e. subnet to indicate interesting traffic for encryption). Please download the Site2Cloud connection configuration from the Aviatrix controller Site2Cloud page and send it to your third party device administrator for proper configuration. - - -Can Site2Cloud connection be terminated on an Aviatrix OpenVPN Gateway? ----------------------------------------------------------------------------------- - -Terminating a Site2Cloud connection on an Aviatrix OpenVPN gateway is not our best practice even though it’s possible. Please note that Aviatrix does not incur extra charge for having multiple gateways as we only charge based on the connected OpenVPN users and the number of IPSec tunnel built. - - -How do I connect my onprem router to VGW for Site2Connection? ----------------------------------------------------------------------------------- - -Please follow the directions on AWS Console at https://docs.aws.amazon.com/vpc/latest/adminguide/Welcome.html for detailed instructions. 
You could also look at https://docs.aws.amazon.com/vpc/latest/adminguide/Introduction.html#DevicesTested for more information. - -How do I create a Site2Cloud connection with Customized SNAT and DNAT to virtual ip addresses? ----------------------------------------------------------------------------------------------- - -If you need to translate a source ip address and/or a destination ip address to different ip addresses due to your on-premise requirements, please follow the instructions at `Site2Cloud with Customized SNAT and DNAT to a virtual ip address `_. - -How do I connect my onsite router, which does not support BGP, to connect to my transit gateway via AWS's VGW? ---------------------------------------------------------------------------------------------------------------------- - -If your onsite router does not support BGP, please follow the following steps to connect to VGW on AWS Console; - - * Create a new "VPN Connection" on AWS console - * For "Customer Gateway" pick "new" and use your onsite router's public ip address - * Skip "BGP ASN" - * Set the "routing options" to "static" - * Enter all of your onsite CIDR's at "Static IP Prefixes" - * Click on "Create VPN Connection" - * At the Site-to-Site VPN connection page at AWS portal, select the vpn connection you created just now and click on "Download Configuration" to download the appropriate configuration. Follow the steps in this document to setup your tunnel on your onsite router. - -You would have to manually set the "remote subnets" in your onsite router to the on cloud CIDR's that you want the router to access. Your onprem CIDR's that you configured above, will be propogated by the VGW to the transit gateway via BGP and they will make it to all of your Spoke Gateways. - - -How can I set the IPSec Phase1/2 lifetime values for Site2Cloud Tunnels? 
------------------------------------------------------------------------------------- - -As of version 5.0.2773, we do not support setting the lifetime values for IPSec Phase1 and Phase2 - -While you are creating a new Site2Cloud connection - - * If you pick the remote gateway as "generic", we always use the settings from the peer device that this gateway is connecting to - so you can set these values on your remote IPSec device as you need - - * After you create the site2cloud tunnel, when you download the configuration file, for both vendors(generic and cisco), we incorrectly show lifetime values for phase1 and phase2 - please ignore them. - * If you pick "AWS VGW" as the remote gateway, the lifetimes are set to 28800/3600 for phase1/2. - - * While you are downloading the configuration after creating this site2cloud tunnel, the configuration file for generic vendor will incorrectly show these values as 28800/28800 instead of 28800/3600 - we have an outstanding defect to address this issue 28800/3600, as of version 5.0.2773. - * If you pick Cisco as the vendor, we correctly show these values as 28800/3600. Please make a note of this and configure your remote end correctly - -If I already have a Site2Cloud connection using IKEv1, could I create another one using IKEv2 ? ------------------------------------------------------------------------------------------------------ -The prerequisite for IKEv2 is that you need to create the first Site2Cloud connection with IKEv2 enabled. -If your current gateway already have a Site2Cloud connection using IKEv1 which was created prior to 5.0 release, you will need to delete it first before creating the IKEv2 Site2Cloud connection. -Alternatively, you can create a new Aviatrix gateway in the same VPC and make the first Site2Cloud connection with IKEv2 enabled. - - -How can I use a S2C with a simple NAT to public IP? 
------------------------------------------------------------------------------------------------------ - -If you are planning to NAT your local CIDR behind the Aviatrix Gateway, make sure that you enable SNAT on the gateway (Controller/Gateway/Edit/SourceNAT) and on your S2C configuration set your local subnet to the EIP of the Aviatrix Gateway(/32), so that you do not advertise the real local CIDR to the remote gateway. diff --git a/Support/support_center_terraform.rst b/Support/support_center_terraform.rst deleted file mode 100644 index 845ae3e08..000000000 --- a/Support/support_center_terraform.rst +++ /dev/null 
@@ -1,106 +0,0 @@ -.. meta:: - :description: Aviatrix Support Center - :keywords: Aviatrix, Support, Support Center - -=========================================================================== -Terraform -=========================================================================== - -What are the requirements to use Terraform with Aviatrix Systems? ----------------------------------------------------------------------- - -.. note:: - Aviatrix is now an official Terraform provider! The Terraform setup procedure has been significantly simplified and the documentation below has been updated accordingly. Customers who have previously set up our provider following our previous instructions may transition to our official provider by following Step 5 in the setup tutorial `here `_ - -We are constantly improving and enhancing our Terraform support, so we request that you to stay with the latest Aviatrix software and use the corresponding Terraform Aviatrix Provider from our Github repository. Please update the provider resource as we are frequently updating it. - -Please note the below requirements for the Aviatrix Terraform Provider: - -* **Terraform 0.11.x / 0.12.x** -* **Go 1.11+** (no longer required if using our official provider) - - -Which branch of Terraform Aviatrix Provider Resource should I use? ----------------------------------------------------------------------- - -Our `Github repository `_ for the Terraform Aviatrix Provider has multiple branches. Please make sure that you pick the branch that matches with the version of the software release on your Aviatrix Controller. The latest release is supported with the master branch. 
Here is the supported list: - - * Aviatrix Controller Release 3.5: Use the `Github UserConnect-3.5 branch `_ - * Aviatrix Controller Release 4.0: Use the `Github UserConnect-4.0 branch `_ - * Aviatrix Controller Release 4.1: Use the `Github UserConnect-4.1 branch `_ - * Aviatrix Controller Release 4.2: Use the `Github UserConnect-4.2 branch `_ - * Aviatrix Controller Release 4.3: Use the `Github UserConnect-4.3 branch `_ - * Aviatrix Controller Release 4.6: Use the `Github UserConnect-4.6 branch `_ - - -Please note that for Aviatrix Controller 4.7 and onward, we support Terraform v0.12, which is not backwards-compatible with v0.11 and below. -Please see Hashicorp's blog `here `_ for more information. - -However, we continue to offer support for Terraform v0.11 with our Controller 4.7. - - * For Aviatrix Controller Release 4.7, Terraform v0.11: Use the `Github UserConnect-4.7-TF.11 branch `_ - * For Aviatrix Controller Release 4.7, Terraform v0.12: Use the `Github UserConnect-4.7-TF.12-v1 branch `_ - -In addition to the Terraform v0.12 support, we have also had major restructuring to our code, such as attribute renaming, resource renaming and values etc, and have made a release (**R2.0**) for this version of our provider in the branch listed below: - - * `Github UserConnect-4.7-TF.12-v2 branch `_ - - -* For information from Hashicorp on how to upgrade to Terraform v0.12, please see `here `_ -* For full instructions on how to upgrade to Controller 4.7, Terraform v0.12, Aviatrix Terraform Provider R2.0 (v2), please see the `R2.0 upgrade guide `_ -* Any updates for R1.x that might impact customers are documented in the `Feature Changelist `_ -* Any updates/ future releases for R2.0+ that might impact customers will be documented in the `Feature Changelist v2 `_ - - -If you were using the master branch in the past, please move to the right release based branch as listed above to avoid incompatibility issues. - -.. 
note:: - As of Aviatrix Controller Release 5.0, our Aviatrix Terraform provider is now officially recognized by Hashicorp. Customers may now simply source our provider within the "providers" block, wherever specified in the customer's Terraform environment, by identifying the Release version. For full instructions on transitioning to our official provider, please see Step 5 in the setup tutorial `here `_ - -:: - - provider "aviatrix" { - controller_ip = "1.2.3.4" - username = "admin" - password = "password" - version = "2.2" # specify a Release version as shown on this line - } - - ... - -What if my Terraform scripts are timing out? ----------------------------------------------------------------------- - -If you run into timeout issues, please use the IP address of the controller instead of the hostname of the controller and let us know if that helps. Please open a ticket by sending an email to support@aviatrix.com - -Terraform sends all the operations to the controller at the same time, so if you see any issues during large operations, try serializing the operations by setting the value for parallelism to 1. More information at https://www.terraform.io/docs/commands/apply.html#parallelism-n. Please do let us know if you run into this issue, by sending an email to support@aviatrix.com - - -How do I debug Terraform issues? ----------------------------------------------------------------------- - -If you run into issues with Terraform, please turn on debug logs by doing ``export TF_LOG=TRACE`` on your Terminal and then running your Terraform scripts again. Please share the output with our support team at support@aviatrix.com. Please also take a look at the `official terraform debug instructions `_. - - -How can I launch a new Aviatrix Controller with Terraform? ----------------------------------------------------------------------- - -Launching a new controller typically involves multiple steps as described `here `_. 
We do support setting up, launching and initializing an `Aviatrix Controller from Terraform `_. Here are the steps involved: - - * `Setup IAM roles and policies `_ - * `Launch a Controller from AMI `_ - * `Initialize the Aviatrix Controller `_ - - -How can I create my IAM roles and policies in AWS using Terraform? ---------------------------------------------------------------------- - -You can use our Terraform `IAM roles module `_ to create the Aviatrix IAM roles required to connect your Aviatrix Controller to an existing AWS account. This should be run in the account where you are installing the Controller and any additional accounts that will be connected to the Controller. - -This performs a similar role as the CloudFormation script does in "Controller UI > Accounts > Access Accounts > New Account > Select AWS > Select IAM-role-based > Launch CloudFormation Script" - it does not create the account, but rather creates the IAM roles/profiles like this CloudFormation script. This is similar to what is mentioned `here `_. - - -Which version of Terraform Aviatrix Provider should I use? -------------------------------------------------------------- - -The terraform aviatrix provider resource version has to match with the controller version that you have deployed. Please look at `this link `_ to find out which version to use. Then you can add "version = x.x.x" to specify the right vesion in the aviatrix provider resource as mentioned in the instructions `here `_. diff --git a/Support/support_center_transit_solution.rst b/Support/support_center_transit_solution.rst deleted file mode 100644 index 97933719e..000000000 --- a/Support/support_center_transit_solution.rst +++ /dev/null 
@@ -1,67 +0,0 @@ -.. meta:: - :description: Aviatrix Support Center - :keywords: Aviatrix, Support, Support Center - -=========================================================================== -Transit Solution -=========================================================================== - - -How can I get all my Spoke VPCs to be interconnected or behave like a full mesh network? --------------------------------------------------------------------------------------------- - -Explore "`Connected Mode `_" if you want all spoke VPCs to talk to each other. Prerequisites: all spokes need to be similar (either have/not have HA) and all of them must be on HA or non-HA connections when connected mode is being turned on. You can enable it by going to "Controller UI > Transit Network > Advanced Config > Edit Transit > Pick the transit Gateway > Connected Transit = Enable" - -How much IP address space do I need in my VPC to launch a transit solution? --------------------------------------------------------------------------------------------- - -To ensure you have enough subnets for various Aviatrix solutions (TGW, Transit DMZ), we highly recommend you to use Create a new transit VPC at `Useful Tools -> Create a VPC `_. Select the option "Aviatrix Transit VPC". - If you would like to continue to use your existing transit VPC and it is too small (not enough /28 unused segments), use the AWS Edit VPC CIDR feature to create a new /24 subnet for the Aviatrix Transit Gateway in TGW use case. - -If you do not want to use our Create a VPC feature at our controller, please make sure that you have at least four /28 subnets worth of address space in the VPC before you launch the transit solution - -For a TGW based transit solution to support Hybrid connection, the `transit VPC needs to have a spare /26 CIDR space. `_. Aviatrix Transit GW uses the spare space to create 4 subnets in the next step. - -How do I troubleshoot Spoke to On-prem connection issues? 
--------------------------------------------------------------------------------------------- - -Here are some `Troubleshooting guidelines `_ - -It is recommended that all spokes have HA pairs. When a switchover occurs to the transit HA, only spokes with HA will remain connected, the non-HA spokes will lose connectivity and be black-holed. - - -How can I switch between primary link and backup link? --------------------------------------------------------------------------------------------- - -For peering links, you can find the active links by going to "Controller > Peering > Encrypted Peering" and searching for "active" by typing in the textbox next to the magnifying glass. For any non-transit connections (like spoke to shared-services) you can switchover right here by clicking on the "Switch Over". For some Transit connections (such as transit gateway to spoke gateway), you can also switchover right here if your Transit network did not enable Connected Transit or `Manual BGP Advertised Network List `_. - -If your Transit network is enabled with Connected Transit or `Manual BGP Advertised Network List `_, you would have to go to " Troubleshoot > Diagnostics > BGP" and click on the "Switch Over" on the gateway which is currently active that you want to switch over from. For example, if you want to have all active links on primary gateway, you will click on the "Switch Over" on the hagw connection. - -Why can't the traffic from a new subnet added to the attached VPC to AWS Transit Gateway reach the on-premise network? --------------------------------------------------------------------------------------------- - -In a NextGen Transit for AWS solution (i.e. AWS Transit Gateway), you may find that an EC2 instance in a new subnet created in a new AZ will not be able to reach on-premise network or another Spoke VPC, or vice versa. This could be due to the lack of proper route programming in the AWS VPC. 
The following scenarios will require the VPC to be detached and re-attached to TGW so that the Aviatrix controller will perform the necessary programming in AWS infrastructure. - -* when you add a new subnet in a new AZ, or -* when you add a new route table in the VPC - -If you are creating a new subnet in the existing AZ in which the VPC is already attached to the TGW **AND** the newly created subnet is associated with the existing route table, it will not require VPC detachment and reattachment to the TGW. - -The above limitations exist in software version 4.3 and prior releases. In our future releases, we will be able to support the above scenarios without detaching and re-attaching the VPC to TGW. - -How can I migrate from Aviatrix Transit Network solution to AWS Transit Gateway deployment? --------------------------------------------------------------------------------------------- - -If you have an existing Aviatrix Global Transit Network in production, you may refer to `Migrating an Aviatrix Global Transit Network to Next Gen Transit for AWS `_. - - -If I add an additional CIDR to my spoke VPC, do I need to do anything with my Aviatrix Transit Network? ---------------------------------------------------------------------------------------------------------- - -The Aviatrix Spoke Gateway needs to learn and advertise this additional CIDR to the Aviatrix Transit Gateway. Please go to "Aviatrix Console > Transit Network > Setup" to detach this Spoke Gateway from the Transit Gateway and then attach it back again. - - -Can I have some Spokes without HA gateways in my Aviatrix Transit Solution? ---------------------------------------------------------------------------------------------------------- - -In Aviatrix Transit Solution without ActiveMesh enabled, if you are priovisioning HA's for transit gateway, we strongly recommend that you add HA's for all Spoke gateways as well. 
If at any time, your site2cloud connection from transit-primary gateway goes down and connection switches over to the Transit-HA gateway, then the VPC's which do not have Spoke-HA's will lose connectivity. You would have to manually go to "Controller/Troubleshoot/Diagnostics/BGP" and switchover your active connection from Transit-HA to Primary Transit gateway. diff --git a/Support/support_center_useful_tools.rst b/Support/support_center_useful_tools.rst deleted file mode 100644 index 2a5facde2..000000000 --- a/Support/support_center_useful_tools.rst +++ /dev/null @@ -1,12 +0,0 @@ -.. meta:: - :description: Aviatrix Support Center - :keywords: Aviatrix, Support, Support Center - -=========================================================================== -Useful Tools -=========================================================================== - -VPC Tracker: Why does it not show all VPC's? ----------------------------------------------- - -VPC tracker currently only reports VPCs that have instances in it. The rationale is that AWS has default VPC in each region, which results in lots of VPCs that may not have real meaning. diff --git a/Support/support_ticket_priority.rst b/Support/support_ticket_priority.rst deleted file mode 100644 index bf07c913b..000000000 --- a/Support/support_ticket_priority.rst +++ /dev/null 
@@ -1,67 +0,0 @@ -.. meta:: - :description: Aviatrix Support Ticket Priority Guidelines - :keywords: Aviatrix, Support, Support Center, Priority - -=========================================================================== -Aviatrix Support Ticket Submission & Priority Guidelines -=========================================================================== - -Overview --------- -Aviatrix offers 2 types of support plans: Standard and Platinum. Please refer to our `Official Support SLA `_ for more information. - -Aviatrix customers may create a support ticket via - - an email to support@aviatrix.com, or - - `Aviatrix Support Web Portal `_. - - .. note:: - | For Platinum support subscription that covers 7x24x365, please reach out to sales@aviatrix.com. - -Ticket Priority Guidelines --------------------------- -* Priority 1: Production system down (Email subject should include “P1” keyword) -* Priority 2: System working, degraded functionality (Email subject should include “P2” keyword) -* Priority 3: General questions, requests, comments (Default priority if not specified) - - .. note:: - - | When a Priority 1 ticket is submitted by a customer with Aviatrix Platinum support subscription, our support personnel will be paged and the ticket submitter will be contacted at our earliest availability within an hour (see `Official Support SLA `_). - - -Detailed Description -^^^^^^^^^^^^^^^^^^^^ -**Priority 1 (Critical business impact)** - -* Definition: Priority 1 selection indicates that customer is unable to use the software application, resulting in a critical impact on business operations. This condition requires immediate resolution. - -* Key Deliverables – Priority 1 service involves reacting to the customer’s emergency situation by immediately providing an appropriate resource. Unless another agreement is in place, Priority 1 issues will be serviced on a continual effort basis until the Priority 1 condition has been resolved. 
Resolution of Priority 1 conditions may include temporary relief, enabling the customer’s business to operate until a more comprehensive solution is provided. - -NOTE: A critical situation does not automatically imply Priority 1. The problem’s associated business impact determines the priority. - -**Priority 2 (Limited business impact)** - -* Definition – This indicates the Aviatrix software is usable, but that some features (not critical to operations) are unavailable. - -* Priority 2 Conditions - - Issue affects customer’s ability to meet near–term deadlines - Component returning error or not responding - Degraded performance is negatively impacting business operations Acceptable workaround may exist - Issue is specific to one or a few users. - -* Key Deliverables – Priority 2 issues are important for the customer and the customer’s services and will be serviced as such. These issues will be worked during normal business hours, until the Priority 2 condition has been resolved. - -**Priority 3 (Minimal business impact)** - -* Definition – This indicates the problem does not significantly impact operations, or that a reasonable workaround has been implemented. - -* Priority 3 Conditions - - General question such as “how–to” or syntax questions - Issue with little or no impact - Documentation issues - Issue is essentially resolved but remains open for customer confirmation. Intermittent wait status with little or no customer interaction required - -* Key Deliverables – Priority 3 issues will be serviced as general issues during normal business hours until the Priority 3 condition has been resolved. - - diff --git a/TroubleshootingPlaybook/troubleshooting_playbook_aviatrix_controller.rst b/TroubleshootingPlaybook/troubleshooting_playbook_aviatrix_controller.rst deleted file mode 100644 index 312f86a90..000000000 --- a/TroubleshootingPlaybook/troubleshooting_playbook_aviatrix_controller.rst +++ /dev/null 
@@ -1,478 +0,0 @@ -.. meta:: - :description: - :keywords: - -========================================================================================= -Aviatrix Controller Troubleshooting Playbook -========================================================================================= - -This technical note provides a step-by-step tips to troubleshoot Aviatrix Controller - -Workflow: ---------- - -1. Troubleshoot Basic Network function from user’s environment to Aviatrix Controller - - `T_01. Verify Internet layer by sending ICMP traffic to the public IP of Aviatrix Controller`_ - - `T_02. Verify Transport layer by sending traffic to the public IP of Aviatrix Controller with IP/Protocol/Port`_ - - `T_03. [OPTIONAL] Verify Application layer by sending ICMP traffic to the domain name of Aviatrix Controller`_ - - `T_04. Verify connectivity between user’s environment and Aviatrix Controller`_ - -2. Troubleshoot Deployment configuration - - * Aviatrix - - `Check whether the DNS function works properly in Aviatrix Controller`_ - - `Check whether the IP in Aviatrix database is same as the current public IP of the controller`_ - - `Check whether basic deployment functions properly by running Aviatrix Diagnostic report for Aviatrix Controller from Aviatrix Controller`_ - - `Check basic network configuration of AWS where Aviatrix Controller locates from Aviatrix Controller`_ - - * Cloud Platform - - `Check basic network configuration of AWS where Aviatrix Controller locates from AWS portal`_ - -3. Troubleshoot Basic Network function for Aviatrix Controller from Aviatrix Controller GUI - - `T_05. Verify Internet layer by sending ICMP traffic to a public server with IP from Aviatrix Controller`_ - - `T_06. Verify Transport layer by sending traffic to a public server with IP/Protocol/Port from Aviatrix Controller`_ - - `T_07. Verify Application layer by sending ICMP traffic to a public server with domain name from Aviatrix Controller`_ - -4. 
Troubleshoot Application traffic - - `T_08. Verify whether Aviatrix Gateway can issue AWS EC2 API properly from Aviatrix Controller`_ - -Detail: -------- - -Check whether the DNS function works properly in Aviatrix Controller -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Check Point 1: Check Aviatrix function CONTROLLER PUBLIC IP from Aviatrix Controller GUI - - * https://docs.aviatrix.com/HowTos/Troubleshoot_Diagnostics.html#controller-public-ip - - * Steps: - - 1. Navigate to the Aviatrix GUI page: Troubleshoot -> Diagnostics -> Network -> CONTROLLER PUBLIC IP - - * Expect to view only one public IP - - * If the output displays empty, Aviatrix solution will not work properly - - Probable Causes: - - * DNS which is used by Aviatrix Controller cannot resolve/forward a public domain name request properly. - - Suggestions: - - * Attempt to use a public DNS such as 8.8.8.8 or cloud platform default DNS first - - * `Check basic network configuration of AWS where Aviatrix Controller locates from AWS portal`_ - -Check whether the IP in Aviatrix database is same as the current public IP of the controller -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Check Point 1: Check Aviatrix function CONTROLLER PUBLIC IP from Aviatrix Controller GUI - - * https://docs.aviatrix.com/HowTos/Troubleshoot_Diagnostics.html#controller-public-ip - - * Steps: - - 1. Navigate to the Aviatrix GUI page: Troubleshoot -> Diagnostics -> Network -> CONTROLLER PUBLIC IP - - * Expect to view only one public IP - - * If the output displays multiple public IPs, Aviatrix solution will not work properly - - Probable Causes: - - * The public IP configuration on Aviatrix Controller is not static or EIP type - - * The public IP gets changed after Aviatrix Controller reboot - - Suggestions: - - * Assign an EIP or static type of public IP to Aviatrix Controller - - * Execute IP Migration on Aviatrix Controller - - * Steps: - - 1. 
https://docs.aviatrix.com/HowTos/Troubleshoot_Diagnostics.html#controller-ip-migration - - 2. Navigate to the Aviatrix GUI page: Troubleshoot -> Diagnostics -> Network -> CONTROLLER IP MIGRATION - - 3. Confirm the IP info - - 4. Click the button “Migrate" - -Check whether basic deployment functions properly by running Aviatrix Diagnostic report for Aviatrix Controller from Aviatrix Controller -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Check Point 1: Check whether diagnostic report can be performed - - * https://docs.aviatrix.com/HowTos/Troubleshooting_Diagnostics_Result.html - - * Expect not to view the field 'Issues found’ inside the show results - - * If the field 'Issues found’ prompts, follow the instruction to fix it or look for the suggestion as below: - - 1. Check DNS Resolution output - - * Expect to view "DNS resolution": "Pass" - - * If not, refer to `Troubleshooting_Diagnostics_Result `_ doc for probable causes and how to address it. - - * Notes: Aviatrix Controller uses a DNS which is assigned by Cloud platform as default DNS - - 2. 
Check Public IP output - - * Expect to view "Public IP": "Pass" - - * If not, refer to `Check basic network configuration of AWS where Aviatrix Controller locates from Aviatrix Controller`_ - -Check basic network configuration of AWS where Aviatrix Controller locates from Aviatrix Controller -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Check Point 1: Check Cloud Platform instance level and network level from Aviatrix Controller - - * https://docs.aviatrix.com/HowTos/flightpath.html - - * Run flight path feature - - * Expect to meet the criticals in `Check basic network configuration of AWS where Aviatrix Controller locates from AWS portal`_ - -Check basic network configuration of AWS where Aviatrix Controller locates from AWS portal -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Check Point 1: Check Cloud Platform instance level and network level from AWS portal - - 1. Check the Security Group which is attached to Aviatrix Controller - - * Expect to have the below rules in inbound rules as default: - - 1. Type: HTTPS. Protocol: TCP, Port Range:443, Source: Custom: ‘CLIENT’S PUBLIC IP' - - 2. Or Type: HTTPS. Protocol: TCP, Port Range:443, Source: 0.0.0.0/0 - - * Expect to have the below rules in outbound rules as default: - - 1. Type: All traffic, Protocol: All, Port Range: All, Destination: 0.0.0.0/0 - - 2. Check the Network ACL where Aviatrix Controller locates - - * Expect to have the below rules in inbound rules as default: - - 1. Rule # 100, Type: ALL Traffic, Protocol: ALL, Port Range: ALL, Source: 0.0.0.0/0 Allow/Deny ALLOW - - 2. Rule # *, Type: ALL Traffic, Protocol: ALL, Port Range: ALL, Source: 0.0.0.0/0 Allow/Deny DENY - - * Expect to have the below rules in outbound rules as default: - - 1. Rule # 100, Type: ALL Traffic, Protocol: ALL, Port Range: ALL, Source: 0.0.0.0/0 Allow/Deny ALLOW - - 2. 
Rule # *, Type: ALL Traffic, Protocol: ALL, Port Range: ALL, Source: 0.0.0.0/0 Allow/Deny DENY - - * If customizing ACL is needed, please make sure both inbound and outbound rules are configured properly - - 3. Check the Routing Table where Aviatrix Controller locates - - * Expect to have a route “0.0.0.0/0” pointing to AWS IGW since Aviatrix solution needs to be deployed in public subnet - - * If not, please add a route “0.0.0.0/0” pointing to AWS IGW - - 4. Check whether the Routing Table where Aviatrix Controller locates has Endpoint entry - - * Expect that the routing to AWS Endpoint does not impact the traffic to IGW/internet - - * NOTES: Private DNS or AWS interface endpoint might resolve an AWS service domain name into a private IP which might mislead the traffic to endpoint entry - - 5. Check whether an EIP is assigned to Aviatrix Controller - - Check Point 2: Check Cloud Platform network application level from AWS portal - - 1. Check the DHCP options set on the VPC where the Aviatrix Gateways locates - - * Expect to use AWS DNS server as default as below example - - :: - - domain-name = us-west-1.compute.internal; domain-name-servers = AmazonProvidedDNS; - - * If users deploys a private DNS, please make sure the private DNS can forward request to public DNS properly - - * NOTES: Aviatrix Controller uses a DNS which is assigned by Cloud platform as default DNS - - 2. Check whether both DNS resolution and DNS hostnames are Enabled on the VPC where the Aviatrix Controller locates - - * Expect to view the status “Enabled” for both DNS resolution and DNS hostnames - - * If not, please turn it to enable on AWS portal - -T_01. 
Verify Internet layer by sending ICMP traffic to the public IP of Aviatrix Controller -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * For troubleshooting purpose, please temporarily allow ICMP traffic from your environment's public IP on Aviatrix Controller in Cloud Platform - - * Issue command #ping [CONTROLLER PUBLIC IP] - - * Expect to view Ping Success - - * If the Ping fail, please check the traceroute/tracert report to figure out where the traffic ends - - Probable Causes: - - * Aviatrix Controller is not UP - - * Basic network configuration in cloud platform does not configure properly - - * Firewall or network blocks the ICMP traffic - - Suggestions: - - * Check controller status - - * Check network configuration - -T_02. Verify Transport layer by sending traffic to the public IP of Aviatrix Controller with IP/Protocol/Port -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * Issue command #telent [CONTROLLER PUBLIC IP] 443 - - * Expect to view telnet success - - * If it fails, please check the tcptraceroute report to figure out where the traffic ends - - Probable Causes: - - * Aviatrix Controller is not UP - - * Basic network configuration in cloud platform does not configure properly - - * Firewall or network blocks the 443 traffic - - Suggestions: - - * Check controller status - - * Check network configuration - -T_03. 
[OPTIONAL] Verify Application layer by sending ICMP traffic to the domain name of Aviatrix Controller -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * For troubleshooting purpose, please temporarily allow ICMP traffic from your environment's IP on Aviatrix Controller in Cloud Platform - - * Issue command #ping [CONTROLLER DOMAIN NAME] - - * Expect to view Ping Success - - * If the Ping fail, - - * check the traceroute/tracert report to figure out where the traffic ends - - * issue the command #nslookup [CONTROLLER DOMAIN NAME] to verify the IP - - Probable Causes: - - * A DNS cannot resolve this domain or forward this DNS request to a public DNS properly - - * Network configuration/routing to DNS - - Suggestions: - - * Check the DNS configuration/entry/record - - * Check network configuration - -T_04. Verify connectivity between user’s environment and Aviatrix Controller -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * Attempt to browse https://[AVIATRIX CONTROLLER PUBLIC IP] on Chrome browser - - * Expect to view Aviatrix Controller GUI successfully - - * If it fails, users cannot deploy Aviatrix solution through Aviatrix Controller GUI - - Probable Causes: - - * Browser cache or other issues - - Suggestions: - - * Clean the browser cache and try again - - * Attempt to use another browser such as Firefox - -T_05. Verify Internet layer by sending ICMP traffic to a public server with IP from Aviatrix Controller -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * https://docs.aviatrix.com/HowTos/Troubleshoot_Diagnostics.html#controller-utility - - * Take a public server 8.8.8.8 for example - - * Steps: - - 1. Navigate to the Aviatrix GUI page: Troubleshoot -> Diagnostics -> Network -> CONTROLLER UTILITY - - 2. Host Name (or IP): 8.8.8.8 - - 3. 
Click the button “Ping" - - * Expect to view Ping Success as example: - - :: - - Example: - - PING 8.8.8.8 (8.8.8.8) 400(428) bytes of data. - 76 bytes from 8.8.8.8: icmp_seq=1 ttl=48 (truncated) - 76 bytes from 8.8.8.8: icmp_seq=2 ttl=48 (truncated) - 76 bytes from 8.8.8.8: icmp_seq=3 ttl=48 (truncated) - 76 bytes from 8.8.8.8: icmp_seq=4 ttl=48 (truncated) - 76 bytes from 8.8.8.8: icmp_seq=5 ttl=48 (truncated) - - --- 8.8.8.8 ping statistics --- - 5 packets transmitted, 5 received, 0% packet loss, time 4008ms - rtt min/avg/max/mdev = 1.954/1.986/2.028/0.061 ms - -T_06. Verify Transport layer by sending traffic to a public server with IP/Protocol/Port from Aviatrix Controller -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * https://docs.aviatrix.com/HowTos/Troubleshoot_Diagnostics.html#network-connectivity-utility - - * Take a public server 8.8.8.8 for example - - * Steps: - - 1. Navigate to the Aviatrix GUI page: Troubleshoot -> Diagnostics -> Network -> NETWORK CONNECTIVITY UTILITY - - 2. Hostname: 8.8.8.8 - - 3. Port: 443 - - 4. Gateway Name: Controller - - 5. Protocol: TCP - - 6. Click the button “Go" - - * Expect to view a green message “Able to reach 8.8.8.8 at 443 from controller” on Aviatrix GUI - -T_07. Verify Application layer by sending ICMP traffic to a public server with domain name from Aviatrix Controller -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * https://docs.aviatrix.com/HowTos/Troubleshoot_Diagnostics.html#controller-utility - - * Take a public server www.google.com for example - - * Steps: - - 1. Navigate to the Aviatrix GUI page: Troubleshoot -> Diagnostics -> Network -> CONTROLLER UTILITY - - 2. Host Name (or IP): www.google.com - - 3. 
Click the button “Ping" - - * Expect to view Ping Success and able to resolve the domain name to a public IP as example: - - :: - - Example: - - PING www.google.com (216.58.194.164) 400(428) bytes of data. - 76 bytes from sfo07s13-in-f4.1e100.net (216.58.194.164): icmp_seq=1 ttl=51 (truncated) - 76 bytes from sfo07s13-in-f4.1e100.net (216.58.194.164): icmp_seq=2 ttl=51 (truncated) - 76 bytes from sfo07s13-in-f4.1e100.net (216.58.194.164): icmp_seq=3 ttl=51 (truncated) - 76 bytes from sfo07s13-in-f4.1e100.net (216.58.194.164): icmp_seq=4 ttl=51 (truncated) - 76 bytes from sfo07s13-in-f4.1e100.net (216.58.194.164): icmp_seq=5 ttl=51 (truncated) - - --- www.google.com ping statistics --- - 5 packets transmitted, 5 received, 0% packet loss, time 4004ms - rtt min/avg/max/mdev = 2.126/2.139/2.154/0.009 ms - - * If it cannot resolve to a public IP or Ping fail, this Aviatrix Gateway might not function properly - - Probable Causes: - - * A private DNS cannot resolve a public domain or forward this public DNS request to a public DNS properly - - * The outbound rules of security group or ACL is not allowing traffic to 0.0.0.0/0 - - Suggestions: - - * Check the private DNS configuration - - 1. Make sure it can resolve a public domain - - 2. Make sure it can forward a public DNS request to a public DNS - - * `Check basic network configuration of AWS where Aviatrix Controller locates from AWS portal`_ - -T_08. Verify whether Aviatrix Gateway can issue AWS EC2 API properly from Aviatrix Controller -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeRegions.html - - * Check the AWS EC2 API server in your VPC region in https://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region - - :: - - Take us-west-1 region for example: ec2.us-west-1.amazonaws.com - - * Steps: - - 1. 
Navigate to the Aviatrix GUI page: Troubleshoot -> Diagnostics -> Network -> CONTROLLER UTILITY - - 2. Host Name (or IP): ec2.us-west-1.amazonaws.com - - 3. Click the button “Ping" - - * Expect to view Ping Success and able to resolve the domain name to a public IP as example: - - :: - - Example: - - PING ec2.us-west-1.amazonaws.com (176.32.118.39) 400(428) bytes of data. - 408 bytes from 176.32.118.39: icmp_seq=1 ttl=251 time=1.94 ms - 408 bytes from 176.32.118.39: icmp_seq=2 ttl=251 time=1.96 ms - 408 bytes from 176.32.118.39: icmp_seq=3 ttl=251 time=1.99 ms - 408 bytes from 176.32.118.39: icmp_seq=4 ttl=251 time=1.96 ms - 408 bytes from 176.32.118.39: icmp_seq=5 ttl=251 time=2.02 ms - - --- ec2.us-west-1.amazonaws.com ping statistics --- - 5 packets transmitted, 5 received, 0% packet loss, time 4004ms - rtt min/avg/max/mdev = 1.943/1.976/2.021/0.038 ms - - * If it resolves to a private IP or Ping fail, Aviatrix Gateway might not able to function AWS API properly - - Probable Causes: - - * There is an AWS endpoint/interface for AWS EC2 API in the routing table or subnet - - * A private DNS cannot resolve a public domain or forward this public DNS request to a public DNS properly - - Suggestions: - - 1. Check whether your VPC/subnet/routing table has an AWS endpoint for AWS EC2 API - - 1. Attempt to remove the endpoint first and then verify it again - - 2. Check the private DNS configuration - - 1. Make sure it can resolve a public domain - - 2. Make sure it can forward public DNS request to a public DNS - - 3. `Check basic network configuration of AWS where Aviatrix Controller locates from AWS portal`_ - - -.. disqus:: diff --git a/TroubleshootingPlaybook/troubleshooting_playbook_aviatrix_firenet_inspection_end_to_end_traffic.rst b/TroubleshootingPlaybook/troubleshooting_playbook_aviatrix_firenet_inspection_end_to_end_traffic.rst deleted file mode 100644 index c9671472b..000000000 
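Review bot: this hunk removes the tail of the Controller playbook (T_04 through T_08 and the closing `.. disqus::` directive) as a plain deletion with no replacement visible in the patch; if the page has moved, say so in the commit message and land it as a rename so `git log --follow` keeps its history, and if it is intentionally dropped, confirm nothing else still points at the `Check basic network configuration of AWS where Aviatrix Controller locates from AWS portal` target. One thing worth carrying over wherever this text ends up: the optional ICMP check tells the user to "temporarily allow ICMP traffic from your environment's IP on Aviatrix Controller" but never tells them to remove that rule once the test is done; a final "revert the ICMP allow rule" step would stop the troubleshooting advice from leaving the Controller's security group wider than it started.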
--- a/TroubleshootingPlaybook/troubleshooting_playbook_aviatrix_firenet_inspection_end_to_end_traffic.rst +++ /dev/null 
@@ -1,438 +0,0 @@ -.. meta:: - :description: - :keywords: - -========================================================================================= -Aviatrix FireNet Inspection End to End traffic Troubleshooting Playbook -========================================================================================= - -This technical note provides a step-by-step tips and simple topology to troubleshoot Aviatrix FireNet Inspection End to End traffic - -Prerequisite Setup ------------------- - -Topology: - -* TGW * 1 - -* Security Domain * 3 - - * Firewall Domain * 1 - - :: - - Example: - FIRENET-SD - - * Spoke Domain * 2 - - :: - - Example: - CLIENT-SD and SERVER-SD - -* Spoke VPC * 2 - - :: - - Example: - Spoke VPC 10.60.0.0/16 - Spoke VPC 10.61.0.0/16 - -* Aviatrix Firenet gateway * 1 - -* Firewall * 1 - - :: - - Example: - Palo Alto Firewall - -* FireNet VPC * 1 - - :: - - Example: - FireNet VPC 10.66.0.0/16 - -Deployment: - - * Follow `Aviatrix Firewall Network workflow `_ to launch FireNet Security Domain, FireNet gateways and firewall instances. - - * Follow `Aviatrix TGW Orchestrator Plan workflow `_ to: - - * create Spoke Security Domains - - :: - - Example: - CLIENT-SD and SERVER-SD - - * build Connection policy between the CLIENT-SD domain and the SERVER-SD domain. - - * build Connection policy between CLIENT-SD domain and Firewall domain so that traffic in and out of the domain is inspected. - - * Follow `Aviatrix TGW Orchestrator Build workflow `_ to: - - * attach Spoke VPC 10.60.0.0/16 to CLIENT-SD to the TGW - - * attach Spoke VPC 10.61.0.0/16 to SERVER-SD to the TGW - - -Workflow: ---------- - -1. Check basic information - Cloud Permission, Aviatrix Controller, and Aviatrix Gateway - - `Cloud Permission - AWS IAM Service Troubleshooting Playbook `_ - - `Aviatrix Controller Troubleshooting Playbook `_ - - `Aviatrix Gateway Troubleshooting Playbook `_ - -2. 
Troubleshoot FireNet Deployment configuration - - * Aviatrix - - Check Connection Policy - - https://docs.aviatrix.com/HowTos/tgw_faq.html#what-is-a-connection-policy - - `Check Connection Policy from TGW Orchestrator View`_ - - `Check Connection Policy from TGW Orchestrator Plan`_ - - `Check Connection Policy from TGW Orchestrator List`_ - - Check routing info in Cloud Platform which is related to TGW Orchestrator - - `Check routing info in Cloud Platform from TGW Orchestrator Audit`_ - - `Check routing info in Cloud Platform from TGW Orchestrator Test`_ - - `Check routing info for Spoke Security Domain in Cloud Platform from TGW Orchestrator List`_ - - `Check routing info for FireNet Security Domain in Cloud Platform from TGW Orchestrator List`_ - - `Check basic Firewall Network configuration from Firewall Network Advanced`_ - - `Check routing info in Cloud Platform which is related to Firewall Network`_ - - `Check routing info in Aviatrix FireNet Gateway from Firewall Network Advanced`_ - - `Check routing info in Firewall from Firewall Network`_ - - * Cloud Platform - - `Check routing info for TGW Orchestrator feature from AWS portal`_ - - `Check Aviatrix gateway’s instance level and network level for FireNet feature from AWS portal`_ - - `Check Firewall instance level and network level for FireNet feature from AWS portal`_ - -3. Troubleshoot connectivity between end device and end device - - `T_01. Verify Internet layer by sending ICMP traffic from end device in Client Spoke Security Domain to the end device in Server Spoke Security Domain with IP`_ - - `T_02. Verify Transport layer by sending traffic from end device in Client Spoke Security Domain to the end device in Server Spoke Security Domain with IP/Protocol/Port`_ - - `T_03. Verify real traffic between end to end devices`_ - -Detail: -------- - -Check Connection Policy from TGW Orchestrator View -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * Steps: - - 1. 
Navigate to the Aviatrix GUI page: TGW Orchestrator -> View - - 2. Select the TGW - - 3. Select the security_domains - - 4. Find your Spoke Domains and FireNet Domain - - :: - - Example: - FIRENET-SD, CLIENT-SD and SERVER-SD - - 5. Expand vpc_members and connected_domains on those Spoke Domains and FireNet Domain - - * Expect to view each security domain has corresponding VPC and connection policies as example below: - - * CLIENT-SD - - :: - - Example: - vpc_members: VPC 10.60.0.0/16 - connected_domains: FIRENET-SD and SERVER-SD - - * SERVER-SD - - :: - - Example: - vpc_members: VPC 10.61.0.0/16 - connected_domains: CLIENT-SD - - * FIRENET-SD - - :: - - Example: - vpc_members: VPC 10.66.0.0/16 - connected_domains: CLIENT-SD - -Check Connection Policy from TGW Orchestrator Plan -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * https://docs.aviatrix.com/HowTos/tgw_plan.html#create-a-new-security-domain - - * Steps: - - 1. Navigate to the Aviatrix GUI page: TGW Orchestrator -> Plan - - 2. Navigate to the step 3 Add / Modify Connection Policies - - 3. Select the target AWS Transit Gateway Name - - 4. Find your Spoke Domains and FireNet Domain - - :: - - Example: - FIRENET-SD, CLIENT-SD and SERVER-SD - - * Expect to view each security domain has corresponding domain connection policies as example below: - - * CLIENT-SD - - :: - - Example: - Connected: FIRENET-SD and SERVER-SD - - * SERVER-SD - - :: - - Example: - Connected: CLIENT-SD - - * FIRENET-SD - - :: - - Example: - Connected: CLIENT-SD - -Check Connection Policy from TGW Orchestrator List -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * Steps: - - 1. Navigate to the Aviatrix GUI page: TGW Orchestrator -> List - - - 2. Find your Spoke Domains and FireNet Domain under the field Security Domain - - :: - - Example: - FIRENET-SD, CLIENT-SD and SERVER-SD - - 3. 
Select one of the security domains and click the button "Show Details" - - * Expect to view each security domain has corresponding domain connection policies as example below: - - * CLIENT-SD - - :: - - Example: - Connected Domain(s): FIRENET-SD and SERVER-SD - - * SERVER-SD - - :: - - Example: - Connected Domain(s): CLIENT-SD - - * FIRENET-SD - - :: - - Example: - Connected Domain(s): CLIENT-SD - - -Check routing info in Cloud Platform from TGW Orchestrator Audit -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * Steps: - - 1. Navigate to the Aviatrix GUI page: TGW Orchestrator -> Audit - - 2. Click the button "Run On-Demand Audit" - - * Expect to view 'No issue found.' as example below: - - :: - - Example: - No issue found. - - * If the output displays other string than 'No issue found.', Aviatrix solution will not work properly - - Probable Causes: - - * IAM permission issue - - * Manually modify routes in Cloud platform - - - Suggestions: - - * Check IAM permission by following the documents `Cloud Permission - AWS IAM Service Troubleshooting Playbook `_ - - * Refer to the message(s) in the prompt and correct those missing routes by one of the suggestions as below: - - * detach and attach VPC to TGW - - * disconnect and connect policy connection - -Check routing info in Cloud Platform from TGW Orchestrator Test -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * Steps: - - 1. Navigate to the Aviatrix GUI page: TGW Orchestrator -> Test - - 2. Select the source instance and destination instance on the related configuration - - 3. Click the button "FlightPath Test" - - * Expect to view Pass. 
- - * If the output displays error/failed message, Aviatrix solution will not work properly - - Probable Causes: - - * IAM permission issue - - * Manually modify routes in Cloud platform - - * Either Security group or ACL is not configured properly - - Suggestions: - - * Check IAM permission by following the documents `Cloud Permission - AWS IAM Service Troubleshooting Playbook `_ - - * Refer to the message(s) in the prompt and correct those missing routes by one of the suggestions as below: - - * detach and attach VPC to TGW - - * disconnect and connect policy connection - - * Correct the security group and ACL to allow traffic on both source and destination instances. - -Check routing info for Spoke Security Domain in Cloud Platform from TGW Orchestrator List -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * Steps: - - 1. Navigate to the Aviatrix GUI page: TGW Orchestrator -> List - - 2. Find your Spoke Domains under the field Security Domain - - :: - - Example: - CLIENT-SD and SERVER-SD - - 3. Select one of the spoke security domains and click the button "Show Details" - - * Expect to view: - - 1. in VPC Route Table Details section - - * RFC 1918 routes (192.168.0.0/16, 10.0.0.0/8, and 172.16.0.0/12) points to AWS TGW - - 2. in TGW Route Table Details section - - * one routing entry pointing to the Spoke VPC CIDR itself, tgw attachment ID itself, propagated type, and Resource Name with Spoke VPC name - - * rest of the routing entries pointing to - - * Spoke VPC CIDR, FireNet tgw attachment ID, static type, and Resource Name with FireNet VPC name - - * FireNet VPC CIDR, FireNet tgw attachment ID, static type, and Resource Name with FireNet VPC name - -Check routing info for FireNet Security Domain in Cloud Platform from TGW Orchestrator List -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * Steps: - - 1. 
Navigate to the Aviatrix GUI page: TGW Orchestrator -> List - - 2. Find your FireNet Security Domain under the field Security Domain - - :: - - Example: - FIRENET-SD - - 3. Select it and click the button "Show Details" - - * Expect to view: - - 1. in VPC Route Table Details section - - * routing table *-firenet-tgw-egress has a route 0.0.0.0/0 pointing to AWS TGW - - * routing table *-firenet-tgw-ingress has a route 0.0.0.0/0 pointing to the interface eth1 of Aviatrix FireNet gateway - - * routing table *-firenet-dmz-firewall has a route 0.0.0.0/0 pointing to the interface eth2 of Aviatrix FireNet gateway - - 2. in TGW Route Table Details section - - * routing entries of all Spoke and FireNet security domains, VPC CIDRS, and the corresponding info - -Check basic Firewall Network configuration from Firewall Network Advanced -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * Steps: - - 1. Navigate to the Aviatrix GUI page: Firewall Network -> Advanced - - 2. Click on the three dot button on the right FireNet VPC ID - - * Expect to view: - - 1. status 'true' under the field Attached which proves Firewall instance is attached to FireNet gateway - - 2. button "Enable" is clicked uder the section "Traffic Inspection" - - 3. State 'up' under the section "FireNet Gateway" - - 4. the below info under section AWS Firewall Network Route Tables - - * routing table * TGW Egress Subnet has a route 0.0.0.0/0 pointing to AWS TGW - - * routing table * TGW Ingress Subnet has a route 0.0.0.0/0 pointing to the interface eth1 of Aviatrix FireNet gateway - - * routing table * Firewall Subnet has a route 0.0.0.0/0 pointing to the interface eth2 of Aviatrix FireNet gateway - -Check routing info in Cloud Platform which is related to Firewall Network -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * Steps: - - 1. Navigate to the Aviatrix GUI page: Firewall Network -> Vendor Integration - - 2. Click on the first tab "Firewall" 
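Review bot: the whole FireNet inspection playbook goes out as a `deleted file mode 100644` hunk rather than a rename, so either the content is gone or it was rewritten past git's similarity threshold, and the commit message is not visible here to say which; please state it. The page's workflow step 1 links the `Cloud Permission - AWS IAM Service`, `Aviatrix Controller` and `Aviatrix Gateway` playbooks with named-reference syntax (`Aviatrix Gateway Troubleshooting Playbook `_), and its Detail section is built entirely from internal `...`_ targets such as `Check Connection Policy from TGW Orchestrator View`_; any playbook or toctree that survives this patch and links to this file will fail the Sphinx build with an unknown-target error, so grep the remaining `.rst` files for `troubleshooting_playbook_aviatrix_firenet_inspection_end_to_end_traffic` before merging.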
diff --git a/TroubleshootingPlaybook/troubleshooting_playbook_aviatrix_gateway.rst b/TroubleshootingPlaybook/troubleshooting_playbook_aviatrix_gateway.rst deleted file mode 100644 index 2eba2d98d..000000000 --- a/TroubleshootingPlaybook/troubleshooting_playbook_aviatrix_gateway.rst +++ /dev/null 
@@ -1,459 +0,0 @@ -.. meta:: - :description: - :keywords: - -========================================================================================= -Aviatrix Gateway Troubleshooting Playbook -========================================================================================= - -This technical note provides a step-by-step tips to troubleshoot Aviatrix Gateway - -Workflow: ---------- - -1. Check basic information - Cloud Permission and Aviatrix Controller - - `Cloud Permission - AWS IAM Service Troubleshooting Playbook `_ - - `Aviatrix Controller Troubleshooting Playbook `_ - -2. Troubleshoot Deployment configuration - - * Aviatrix - - `Check whether Aviatrix Gateway displays status properly from Aviatrix Controller`_ - - `Check whether basic deployment functions properly by running Aviatrix Diagnostic report for Aviatrix Gateways from Aviatrix Controller`_ - - `Check basic network configuration of AWS where Aviatrix Gateway locates from Aviatrix Controller`_ - - * Cloud Platform - - `Check basic network configuration of AWS where Aviatrix Gateway locates from AWS portal`_ - -3. Troubleshoot Basic Network function for Aviatrix Gateway from Aviatrix Controller - - `T_01. Verify Internet layer by sending ICMP traffic to a public server with IP`_ - - `T_02. Verify Transport layer by sending traffic to a public server with IP/Protocol/Port`_ - - `T_03. Verify Application layer by sending ICMP traffic to a public server with domain name`_ - - `T_04. Verify connectivity between Controller and Gateway`_ - -4. Troubleshoot Application traffic - - `T_05. 
Verify whether Aviatrix Gateway can issue AWS EC2 API properly`_ - -Detail: -------- - -Check whether Aviatrix Gateway displays status properly from Aviatrix Controller -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Check Point 1: Check Aviatrix Gateway Audit Status for AWS type - - * https://docs.aviatrix.com/HowTos/gateway_audit.html - - * Expect to view “Pass” status - - * If the status displays "Error(SG)*”, Aviatrix Controller might not connect to Aviatrix Gateway properly - - Probable Causes: - - * this gateway instance’s security group does not have an inbound rule that is open to the Controller’s EIP - - Suggestions: - - 1. Login AWS portal - - 2. Find the Aviatrix Gateway in EC2 service - - 3. Allow the Controller’s EIP with port 443 in inbound rules of security group - - Check Point 2: Check general Aviatrix Gateway State in Gateway page - - * Expect to view “UP” status - - * If the status does not display “UP” status, please check this `doc `_ for the explanation and take action to bring it to UP status. - -Check whether basic deployment functions properly by running Aviatrix Diagnostic report for Aviatrix Gateways from Aviatrix Controller -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Check Point 1: Check whether diagnostic report can be performed - - * https://docs.aviatrix.com/HowTos/Troubleshooting_Diagnostics_Result.html - - * Expect not to view the field 'Issues found’ inside the show results - - * If the field 'Issues found’ prompts, please follow the instruction to fix it or look for the suggestion as below: - - 1. Check DNS Resolution output - - * Expect to view "DNS resolution": "Pass" - - * If not, please refer to `Troubleshooting_Diagnostics_Result doc `_ for probable causes and how to address it. - - * Notes: Aviatrix Gateway uses 8.8.8.8 as default DNS - - 2. 
Verify whether Gateway can consume AWS SQS properly - - * Expect to view "ApproximateNumberOfMessages": "0" - - * If not, - - 1. Please refer to `Troubleshooting_Diagnostics_Result doc `_ for probable causes and how to address it. - - 2. Or restart supervisor services if the above step does not address the issue - - * https://docs.aviatrix.com/HowTos/Troubleshoot_Diagnostics.html#service-actions - - * Steps: - - 1. Navigate to the Aviatrix GUI page: Troubleshoot -> Diagnostics -> Gateway -> SERVICE ACTIONS - - 2. Select the Gateway Name - - 3. Select Services: supervisor - - 4. Select Actions: Restart Service - - 5. Click the button “OK" - - 3. Verify Aviatrix Gateway can receive HTTPS traffic from Aviatrix Controller - - * Check HTTPS Output field - - * Expect to view "443": ["up","reachable"] - - * If not, please refer to `Troubleshooting_Diagnostics_Result doc `_ for probable causes and how to address it. - - 4. Verify Aviatrix Controller can receive HTTPS traffic from Aviatrix Gateway - - * Check HTTPS Get Output field - - * Expect to view "HTTPS GET": "Pass" - - * If not, please refer to `Troubleshooting_Diagnostics_Result doc `_ for probable causes and how to address it. - -Check basic network configuration of AWS where Aviatrix Gateway locates from Aviatrix Controller -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Check Point 1: Check Cloud Platform instance level and network level from Aviatrix Controller - - * https://docs.aviatrix.com/HowTos/flightpath.html - - * Run flight path feature - - * Expect to meet the critical in `Check basic network configuration of AWS where Aviatrix Gateway locates from AWS portal`_ - -Check basic network configuration of AWS where Aviatrix Gateway locates from AWS portal -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Check Point 1: Check Cloud Platform instance level and network level from AWS portal - - 1. 
Check the Security Group which is attached to Aviatrix Gateway - - * Expect to have the below rules in inbound rules as default: - - 1. Type: All traffic, Protocol: All, Port Range: 0-65535, Source: Custom: ‘VPC CIDR' - - 2. Type: HTTPS. Protocol: TCP, Port Range:443, Source: Custom: ‘CONTROLLER’S PUBLIC IP' - - * Expect to have the below rules in outbound rules as default: - - 1. Type: All traffic, Protocol: All, Port Range: All, Destination: 0.0.0.0/0 - - 2. Check the Network ACL where Aviatrix Gateway locates - - * Expect to have the below rules in inbound rules as default: - - 1. Rule # 100, Type: ALL Traffic, Protocol: ALL, Port Range: ALL, Source: 0.0.0.0/0 Allow/Deny ALLOW - - 2. Rule # *, Type: ALL Traffic, Protocol: ALL, Port Range: ALL, Source: 0.0.0.0/0 Allow/Deny DENY - - * Expect to have the below rules in outbound rules as default: - - 1. Rule # 100, Type: ALL Traffic, Protocol: ALL, Port Range: ALL, Source: 0.0.0.0/0 Allow/Deny ALLOW - - 2. Rule # *, Type: ALL Traffic, Protocol: ALL, Port Range: ALL, Source: 0.0.0.0/0 Allow/Deny DENY - - * If customizing ACL is needed, please refer to this `document `_ - - 3. Check the Routing Table where Aviatrix Gateway locates - - * Expect to have a route “0.0.0.0/0” pointing to AWS IGW since Aviatrix solution needs to be deployed in public subnet - - * If not, please add a route “0.0.0.0/0” pointing to AWS IGW - - 4. Check whether the Routing Table where Aviatrix Gateway locates has Endpoint entry - - * Expect that the routing to AWS Endpoint does not impact the traffic to IGW/internet - - * NOTES: Private DNS or AWS interface endpoint might resolve an AWS service domain name into a private IP which might mislead the traffic to endpoint entry - - 5. Check whether an EIP is assigned to Aviatrix Gateway - - Check Point 2: Check Cloud Platform network application level from AWS portal - - 1. 
Check the DHCP options set on the VPC where the Aviatrix Gateways locates - - * Expect to use AWS DNS server as default as below example - - :: - - domain-name = us-west-1.compute.internal; domain-name-servers = AmazonProvidedDNS; - - * If users deploys a private DNS, please make sure the private DNS can forward request to public DNS properly - - * NOTES: Aviatrix Gateway uses DNS 8.8.8.8 as a default DNS. Users are able to remove the default DNS server for the Aviatrix gateway and instructs the gateway to use the `VPC DNS server configured in VPC DHCP option `_ - - 2. Check whether both DNS resolution and DNS hostnames are Enabled on the VPC where the Aviatrix Gateways locates - - * Expect to view the status “Enabled” for both DNS resolution and DNS hostnames - - * If not, please turn it to enable on AWS portal - - Check Point 3: Check whether AWS SQS with type FIFO exists in AWS portal - - * Expect to have the below info in AWS Simple Queue Service - - * A queue name with format “aviatrix-[AVIATRIX-GATEWAY-PUBLIC-IP].fifo” - - * This queue should exist in - - * either the same region where Aviatrix Gateway locates - - * or in the supported FIFO queue region near to the region where Aviatrix Gateway locates https://aws.amazon.com/about-aws/whats-new/2019/02/amazon-sqs-fifo-qeues-now-available-in-15-aws-regions/ - - * If there is no queue existed, Aviatrix Controller cannot deliver messages to Aviatrix Gateway - - Probable Causes: - - * Aviatrix software does not create an AWS FIFO queue properly - - * Users delete it by accident - - Suggestions: - - * By design, Aviatrix software will create a new AWS FIFO queue if it detects the queue is missing when Aviatrix Controller delivers messages to Aviatrix Gateway. Therefore, users can toggle (enable and then disable) the `SNAT `_ feature to force creating an AWS FIFO queue if needed. - - * Delete Aviatrix Gateway and re-create it through Aviatrix Controller - -T_01. 
Verify Internet layer by sending ICMP traffic to a public server with IP -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * https://docs.aviatrix.com/HowTos/Troubleshoot_Diagnostics.html#gateway-utility - - * Take a public server 8.8.8.8 for example - - * Steps: - - 1. Navigate to the Aviatrix GUI page: Troubleshoot -> Diagnostics -> Network -> GATEWAY UTILITY - - 2. Select the Gateway Name - - 3. Select the Interface: eth0 - - 4. Destination Host Name (or IP): 8.8.8.8 - - 5. Click the button “Ping" - - * Expect to view Ping Success as example: - - :: - - PING 8.8.8.8 (8.8.8.8) from 192.168.100.20 : 400(428) bytes of data. - 76 bytes from 8.8.8.8: icmp_seq=1 ttl=51 (truncated) - 76 bytes from 8.8.8.8: icmp_seq=2 ttl=51 (truncated) - 76 bytes from 8.8.8.8: icmp_seq=3 ttl=51 (truncated) - 76 bytes from 8.8.8.8: icmp_seq=4 ttl=51 (truncated) - 76 bytes from 8.8.8.8: icmp_seq=5 ttl=51 (truncated) - - --- 8.8.8.8 ping statistics --- - 5 packets transmitted, 5 received, 0% packet loss, time 4005ms - rtt min/avg/max/mdev = 1.977/2.068/2.280/0.113 ms - -T_02. Verify Transport layer by sending traffic to a public server with IP/Protocol/Port -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * https://docs.aviatrix.com/HowTos/Troubleshoot_Diagnostics.html#network-connectivity-utility - - * Take a public server 8.8.8.8 for example - - * Steps: - - 1. Navigate to the Aviatrix GUI page: Troubleshoot -> Diagnostics -> Network -> NETWORK CONNECTIVITY UTILITY - - 2. Hostname: 8.8.8.8 - - 3. Port: 443 - - 4. Gateway Name: Aviatrix Gateway - - 5. Protocol: TCP - - 6. Click the button “Go" - - * Expect to view a green message “Able to reach 8.8.8.8 at 443 from gateway [AVIATRIX-GATEWAY-NAME]” on Aviatrix GUI - -T_03. 
Verify Application layer by sending ICMP traffic to a public server with domain name -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * https://docs.aviatrix.com/HowTos/Troubleshoot_Diagnostics.html#gateway-utility - - * Take a public server www.google.com for example - - * Steps: - - 1. Navigate to the Aviatrix GUI page: Troubleshoot -> Diagnostics -> Network -> GATEWAY UTILITY - - 2. Select the Gateway Name - - 3. Select the Interface: eth0 - - 4. Destination Host Name (or IP): www.google.com - - 5. Click the button “Ping" - - * Expect to view Ping Success and able to resolve the domain name to a public IP as example: - - :: - - PING www.google.com (172.217.6.68) 400(428) bytes of data. - 76 bytes from sfo07s17-in-f68.1e100.net (172.217.6.68): icmp_seq=1 ttl=51 (truncated) - 76 bytes from sfo07s17-in-f68.1e100.net (172.217.6.68): icmp_seq=2 ttl=51 (truncated) - 76 bytes from sfo07s17-in-f68.1e100.net (172.217.6.68): icmp_seq=3 ttl=51 (truncated) - 76 bytes from sfo07s17-in-f68.1e100.net (172.217.6.68): icmp_seq=4 ttl=51 (truncated) - 76 bytes from sfo07s17-in-f68.1e100.net (172.217.6.68): icmp_seq=5 ttl=51 (truncated) - - --- www.google.com ping statistics --- - 5 packets transmitted, 5 received, 0% packet loss, time 4007ms - rtt min/avg/max/mdev = 1.836/1.857/1.906/0.046 ms - - * If it cannot resolve to a public IP or Ping fail, this Aviatrix Gateway might not function properly - - Probable Causes: - - * A private DNS cannot resolve a public domain or forward this public DNS request to a public DNS properly - - * The outbound rules of security group or ACL is not allowing traffic to 0.0.0.0/0 - - Suggestions: - - 1. please check the private DNS configuration if you enable the feature `“Use VPC/VNet DNS Server" `_ - - 1. Make sure it can resolve a public domain - - 2. Make sure it can forward public DNS request to a public DNS - - 2. 
`Check basic network configuration of AWS where Aviatrix Gateway locates from AWS portal`_ - -T_04. Verify connectivity between Controller and Gateway -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * https://docs.aviatrix.com/HowTos/Troubleshoot_Diagnostics.html#network-connectivity-utility - - Check Point 1: Check whether gateway can reach to controller with port 443 - - * Steps: - - 1. Collect the public IP of controller - - 2. Navigate to the Aviatrix GUI page: Troubleshoot -> Diagnostics -> Network -> NETWORK CONNECTIVITY UTILITY - - 3. Hostname: [CONTROLLER-PUBLIC-IP] - - 4. Port: 443 - - 5. Gateway Name: Aviatrix Gateway - - 6. Protocol: TCP - - 7. Click the button “Go" - - * Expect to view a green message “Able to reach [CONTROLLER-PUBLIC-IP] at 443 from gateway [AVIATRIX-GATEWAY-NAME]” on Aviatrix GUI - - Check Point 2: Check whether controller can reach to gateway with port 443 - - * Steps: - - 1. Collect the public IP of gateway - - 2. Navigate to the Aviatrix GUI page: Troubleshoot -> Diagnostics -> Network -> NETWORK CONNECTIVITY UTILITY - - 3. Hostname: [GATEWAY-PUBLIC-IP] - - 4. Port: 443 - - 5. Gateway Name: Aviatrix Gateway - - 6. Protocol: TCP - - 7. Click the button “Go" - - * Expect to view a green message “Able to reach [GATEWAY-PUBLIC-IP] at 443 from controller" on Aviatrix GUI - - Probable Causes: - - * Either Security Group or ACL is not configured properly - - * Apache does not work properly - - Suggestions: - - * Follow the instructions in `Check whether Aviatrix Gateway displays status properly from Aviatrix Controller`_ - - * Follow the instructions in `Check whether basic deployment functions properly by running Aviatrix Diagnostic report for Aviatrix Gateways from Aviatrix Controller`_ - - * Enable the function `CONTROLLER SECURITY GROUP MANAGEMENT `_ on Aviatrix Controller - -T_05. 
Verify whether Aviatrix Gateway can issue AWS EC2 API properly -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeRegions.html - - * Check the AWS EC2 API server in your VPC region in https://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region - - :: - - Take us-west-1 region for example: ec2.us-west-1.amazonaws.com - - * Steps: - - 1. Navigate to the Aviatrix GUI page: Troubleshoot -> Diagnostics -> Network -> GATEWAY UTILITY - - 2. Select the Gateway Name - - 3. Select the Interface: eth0 - - 4. Destination Host Name (or IP): ec2.us-west-1.amazonaws.com - - 5. Click the button “Ping" - - * Expect to view Ping Success and able to resolve the domain name to a public IP as example: - - :: - - PING ec2.us-west-1.amazonaws.com (176.32.118.30) 400(428) bytes of data. - 408 bytes from 176.32.118.30 (176.32.118.30): icmp_seq=1 ttl=251 time=0.276 ms - 408 bytes from 176.32.118.30 (176.32.118.30): icmp_seq=2 ttl=251 time=0.274 ms - 408 bytes from 176.32.118.30 (176.32.118.30): icmp_seq=3 ttl=251 time=0.306 ms - 408 bytes from 176.32.118.30 (176.32.118.30): icmp_seq=4 ttl=251 time=0.344 ms - 408 bytes from 176.32.118.30 (176.32.118.30): icmp_seq=5 ttl=251 time=0.300 ms - - --- ec2.us-west-1.amazonaws.com ping statistics --- - 5 packets transmitted, 5 received, 0% packet loss, time 4060ms - rtt min/avg/max/mdev = 0.274/0.300/0.344/0.025 ms - - * If it resolves to a private IP or Ping fail, Aviatrix Gateway might not able to function AWS API properly - - Probable Causes: - - * There is an AWS endpoint/interface for AWS EC2 API in the routing table or subnet - - Suggestions: - - 1. Check whether your VPC/subnet/routing table has an AWS endpoint for AWS EC2 API - - 2. Attempt to remove the endpoint first and then verify it again 
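Review bot: this deletion drops the only page in the set that records the expected security baseline for a gateway (inbound security group limited to the VPC CIDR plus TCP/443 from the Controller's public IP, the default-allow NACL, a `0.0.0.0/0` route via the IGW, the `aviatrix-[AVIATRIX-GATEWAY-PUBLIC-IP].fifo` SQS queue and the 8.8.8.8 default resolver), and no replacement is visible in the patch; if that material is being re-homed, name the destination in the commit message and prefer a rename so the history survives. The FireNet and OpenVPN playbooks deleted in this same patch link to this page as `Aviatrix Gateway Troubleshooting Playbook `_, so whichever playbooks remain need the same link check. If T_05 is kept anywhere, its suggestion to "Attempt to remove the endpoint first and then verify it again" deserves a caution that deleting a VPC endpoint for the EC2 API affects every workload in that VPC that relies on it, not just the gateway, and that the ping result should be re-checked rather than the endpoint left removed.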
diff --git a/TroubleshootingPlaybook/troubleshooting_playbook_aviatrix_openvpn_end_to_end_traffic.rst b/TroubleshootingPlaybook/troubleshooting_playbook_aviatrix_openvpn_end_to_end_traffic.rst deleted file mode 100644 index e672e22ee..000000000 --- a/TroubleshootingPlaybook/troubleshooting_playbook_aviatrix_openvpn_end_to_end_traffic.rst +++ /dev/null 
@@ -1,421 +0,0 @@ -.. meta:: - :description: - :keywords: - -========================================================================================= -Aviatrix OpenVPN End to End traffic Troubleshooting Playbook -========================================================================================= - -This technical note provides a step-by-step tips to troubleshoot Aviatrix OpenVPN End to End traffic - -Workflow: ---------- - -1. Check basic information - Cloud Permission, Aviatrix Controller, and Aviatrix Gateway - - `Cloud Permission - AWS IAM Service Troubleshooting Playbook `_ - - `Aviatrix Controller Troubleshooting Playbook `_ - - `Aviatrix Gateway Troubleshooting Playbook `_ - -2. Troubleshoot OpenVPN Deployment configuration - - * Aviatrix - - `Check OpenVPN configuration from Aviatrix Controller`_ - - * Cloud Platform - - `Check Aviatrix gateway’s instance level and network level for OpenVPN feature from AWS portal`_ - - `Check AWS components which are created by Aviatrix when ELB function is enabled from AWS portal`_ - -3. Troubleshoot other Aviatrix Features Deployment configuration - - `Check other Aviatrix features on Aviatrix OpenVPN Gateway which might cause routing issue`_ - -4. Troubleshoot end device’s Deployment configuration - - `Check end/testing device's instance level and network level from AWS portal`_ - -5. Troubleshoot connectivity between Aviatrix and OpenVPN client - - `Check OpenVPN client’s log for detail`_ - - `Troubleshoot Network between Aviatrix and OpenVPN client`_ - -6. Troubleshoot connectivity between OpenVPN client and end device - - `T_01. Verify Internet layer by sending ICMP traffic to the end device with IP`_ - - `T_02. Verify Transport layer by sending traffic to the end device with IP/Protocol/Port`_ - - `T_03. Verify DNS by issuing command #nslookup [DOMAIN NAME OF END DEVICE] on OpenVPN client`_ - - `T_04. 
Verify connectivity between OpenVPN client and end device`_ - -Detail: -------- - -Check OpenVPN configuration from Aviatrix Controller -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * Check what tunnel mode is configured on this Aviatrix Gateway - - * https://docs.aviatrix.com/HowTos/openvpn_faq.html#is-full-tunnel-mode-supported-on-the-gateway - - * Check VPN CIDR - - * https://docs.aviatrix.com/HowTos/gateway.html#vpn-cidr-block - - * Check additional CIRDs - - * https://docs.aviatrix.com/HowTos/gateway.html#additional-cidrs - - * Check Name server - - * https://docs.aviatrix.com/HowTos/gateway.html#nameservers - - * Check Search Domains - - * https://docs.aviatrix.com/HowTos/gateway.html#search-domains - - * Check Enable ELB - - * https://docs.aviatrix.com/HowTos/gateway.html#enable-elb - - * Check VPN NAT - - * https://docs.aviatrix.com/HowTos/gateway.html#vpn-nat - - * More info in https://docs.aviatrix.com/HowTos/gateway.html - -Check Aviatrix gateway’s instance level and network level for OpenVPN feature from AWS portal -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Check Point 1: Check the Security Group which is attached to the Aviatrix Gateway - - * If ELB is enabled: - - * Type: Custom TCP Rule, Protocol: TCP, Port Range: 943, Source: Custom: ‘0.0.0.0/0' - - * If ELB is NOT enabled: - - * Type: Custom UDP Rule, Protocol: UDP, Port Range: 1194, Source: Custom: ‘0.0.0.0/0' - -Check AWS components which are created by Aviatrix when ELB function is enabled from AWS portal -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Check Point 1: Check whether Load Balancers is created - - * Listeners: TCP : 443 - - Check Point 2: Check whether Target Groups is created - - * Description tab/Basic Configuration: Protocol: TCP, Port: 943, and Target type: instance - - * Targets tab: - - * Check whether the Instance ID is Aviatrix OpenVPN gateway - - * Port: 
943 - - * Status: healthy - -Check other Aviatrix features on Aviatrix OpenVPN Gateway which might cause routing issue -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * Check whether OpenVPN Profiles feature is configured - - * https://docs.aviatrix.com/HowTos/openvpn_features.html#authorization - - * https://docs.aviatrix.com/HowTos/openvpn_faq.html#what-is-user-profile-based-security-policy - - * Check whether Site2Cloud feature is configured - - * https://docs.aviatrix.com/HowTos/site2cloud.html - - * If so, please make sure there is no overlap CIDR since S2C routing has high priority - - * Check whether Stateful Firewall is configured - - * https://docs.aviatrix.com/HowTos/tag_firewall.html - - * Check whether PBR is configured - - * https://docs.aviatrix.com/HowTos/gateway.html#enable-policy-based-routing-pbr - -Check end/testing device's instance level and network level from AWS portal -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Check Point 1: Check the Security Group which is attached to the end/testing instance - - * Expect to have at least allowing Aviatrix OpenVPN’s private IP in inbound rules if `VPN NAT `_ is enabled: - - 1. Type: All traffic, Protocol: All, Port Range: 0-65535, Source: Custom: ‘Aviatrix OpenVPN’s private IP' - - * Expect to have at least allowing virtual IP of the VPN user or the whole VPN CIDR in inbound rules if `VPN NAT `_ is not enabled: - - 1. Type: All traffic, Protocol: All, Port Range: 0-65535, Source: Custom: ‘VPN CIDR' - - Check Point 2: Check the Network ACL where Aviatrix Gateway locates - - * Expect to have the below rules in inbound rules as default: - - 1. Rule # 100, Type: ALL Traffic, Protocol: ALL, Port Range: ALL, Source: 0.0.0.0/0 Allow/Deny ALLOW - - 2. Rule # *, Type: ALL Traffic, Protocol: ALL, Port Range: ALL, Source: 0.0.0.0/0 Allow/Deny DENY - - * Expect to have the below rules in outbound rules as default: - - 1. 
Rule # 100, Type: ALL Traffic, Protocol: ALL, Port Range: ALL, Source: 0.0.0.0/0 Allow/Deny ALLOW - - 2. Rule # *, Type: ALL Traffic, Protocol: ALL, Port Range: ALL, Source: 0.0.0.0/0 Allow/Deny DENY - - * If customizing ACL is needed, make sure inbound and outbound has the regarding configuration for VPN traffic especially outbound rule - - Check Point 3: Check the Routing Table where your end device locates - - * Expect to have - - 1. “VPC CIDR” local route - - 2. a route entry “virtual IP of the VPN user” or “VPN CIDR” pointing Aviatrix Gateway if `VPN NAT `_ is not enabled - - Check Point 4: Execute Packet Capture on end device if possible - - * Expect to view as below traffic for incoming traffic - - 1. Aviatrix OpenVPN’s private IP if `VPN NAT `_ is enabled. - - 2. virtual IP of the VPN user if `VPN NAT `_ is not enabled. - - * Expect to view outing traffic - -Check OpenVPN client’s log for detail -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * https://docs.aviatrix.com/HowTos/openvpn_client_faq.html - -Troubleshoot Network between Aviatrix and OpenVPN client -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Check Point 1: Check whether OpenVPN client can reach to AWS NLB/Aviatrix OpenVPN gateway via internet - - * Check there is no firewall configuration blocking OpenVPN session on client’s environment - - * OS firewall - - * Network environment - - * https://docs.aviatrix.com/Support/support_center_openvpn_gateway.html#why-are-my-dns-settings-changes-not-taking-effect - - * Check the routing info on client’s OS/Network environment - - * Make sure client has access to internet especially the public IP of Aviatrix OpenVPN gateway or the domain name of AWS NLB - - * Utilize command traceroute/tracert to confirm the routing path - - * Attempt to issue telnet command from client’s OS to - - * The domain name of OpenVPN gateway/AWS NLB which you can copy from Aviatrix OpenVPN ovpn file with the parameter ‘remote' - - * If the above step fails, attempt to 
issue telnet command to the public IP of OpenVPN gateway/AWS NLB to differentiate whether it is DNS issue - - Check Point 2: Check whether VPN user is displayed on the Dashboard from Aviatrix Controller - - * https://docs.aviatrix.com/HowTos/openvpn_faq.html#what-are-the-monitoring-capabilities - - * If VPN user is not displayed, attempt to troubleshoot authentication - - * https://docs.aviatrix.com/HowTos/openvpn_features.html#authentication-options - - * For troubleshooting purpose, please consider disable authentication and attempt to establish OpenVPN session again - - * `Troubleshoot MFA authentication for NON SAML scenario`_ - - Check Point 3: Check routing info on OpenVPN client’s OS after establishing OpenVPN session - - * Check whether your VPN CIDR overlaps or is same as your client’s network - - * https://docs.aviatrix.com/HowTos/gateway.html#vpn-cidr-block - - * If the CIDR is identical, please change either your client’s network or VPN CIDR of Aviatrix OpenVPN gateway - - * Check what tunnel mode is configured on this Aviatrix Gateway - - * https://docs.aviatrix.com/HowTos/openvpn_faq.html#is-full-tunnel-mode-supported-on-the-gateway - - * If it is split tunnel mode, - - * the VPC CIDR where your end device locates should display in your routing table - - * If it is full tunnel mode, - - * since all traffic will forward to the OpenVPN virtual interface, at least the below routes should display in your routing table - - * 0/1 pointing to OpenVPN Gateway's VPN CIDR with OpenVPN virtual interface - - * 128.0/1 pointing to OpenVPN Gateway's VPN CIDR with OpenVPN virtual interface - - Check Point 4: Check DNS info on OpenVPN client’s OS after establishing OpenVPN session - - * https://docs.aviatrix.com/Support/support_center_openvpn_gateway.html#why-are-my-dns-settings-changes-not-taking-effect - - * If DNS info does not display properly in the client’s OS, please check - - * whether you hard code DNS in your PC/laptop - - * whether your office/home router 
hard code DNS settings - - Check Point 5: Check the traffic between OpenVPN client and Aviatrix Gateway after establishing OpenVPN session - - * Test ICMP traffic from OpenVPN client to the private IP of Aviatrix OpenVPN gateway - - * Execute Packet Capture feature from Aviatrix Controller - - * https://docs.aviatrix.com/HowTos/troubleshooting.html#packet-capture - - * `Check other Aviatrix features on Aviatrix OpenVPN Gateway which might cause routing issue`_ - -Troubleshoot MFA authentication for NON SAML scenario -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - 1. Check the logs on MFA authentication server if possible - - * Use a third-party tool or client to verify the security/credential works properly - - 2. Check MFA authentication server's instance level and network level - - * If server is deployed in AWS portal, please check whether Security Group, Network ACL and Routing Table are configured properly to receive traffic from Aviatrix OpenVPN gateway. - - * If server is deployed in other cloud platforms, internet or On-Prem, please check the similar configuration - - 3. `Check OpenVPN client’s log for detail`_ - - 4. Check whether Aviatrix OpenVPN gateway can reach to the authentication server - - * Utilize Aviatrix GATEWAY UTILITY feature to test ICMP traffic and DNS configuration - - 1. Navigate to the Aviatrix GUI page: Troubleshoot -> Diagnostics -> Network -> GATEWAY UTILITY - - 2. Attempt to send ICMP traffic to the IP of the server if possible - - 3. Attempt to send ICMP traffic to the domain name of the server to verify Aviatrix gateway can resolve the domain name to IP properly - - * Utilize Aviatrix NETWORK CONNECTIVITY UTILITY feature to test the hostname and port - - * https://docs.aviatrix.com/HowTos/Troubleshoot_Diagnostics.html#network-connectivity-utility - -T_01. 
Verify Internet layer by sending ICMP traffic to the end device with IP -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * For troubleshooting purpose, please consider allowing ICMP traffic on end device to confirm the whole routing path. - - * Steps: - - 1. Send ICMP traffic from OpenVPN client to the end device with IP by Ping command - - 2. Send ICMP traffic from OpenVPN client to the end device with IP by Traceroute/Tracert command - - * If the Ping fails, please check the traceroute/tracert report to figure out where the traffic ends - - Probable Causes: - - * End device does not allow ICMP traffic - - * check for the private IP of Aviatrix OpenVPN gateway if `VPN NAT `_ is enabled. - - * check for the VPN CIDR if `VPN NAT `_ is disabled. - - * Traffic might be mis-routed or be blocked somewhere - - Suggestions: - - * `Check other Aviatrix features on Aviatrix OpenVPN Gateway which might cause routing issue`_ - - * Execute Aviatrix feature “Packet Capture” on Aviatrix OpenVPN gateway to view incoming and outgoing traffic - - * https://docs.aviatrix.com/HowTos/troubleshooting.html#packet-capture - -T_02. Verify Transport layer by sending traffic to the end device with IP/Protocol/Port -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * Steps: - - * Send traffic from OpenVPN client to the end device by Telnet command - - * If the telnet traffic fails, the real application traffic might not work properly - - Probable Causes: - - * End device does not allow Protocol/Port properly - - * End device does not allow - - * for the private IP of Aviatrix OpenVPN gateway if `VPN NAT `_ is enabled. - - * for the VPN CIDR if `VPN NAT `_ is disabled. 
- - * Traffic might be mis-routed or be blocked somewhere - - Suggestions: - - * `Check other Aviatrix features on Aviatrix OpenVPN Gateway which might cause routing issue`_ - - * Execute Aviatrix feature “Packet Capture” on Aviatrix OpenVPN gateway to view incoming and outgoing traffic - - * https://docs.aviatrix.com/HowTos/troubleshooting.html#packet-capture - -T_03. Verify DNS by issuing command #nslookup [DOMAIN NAME OF END DEVICE] on OpenVPN client -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * Steps: - - * Execute command #nslookup [DOMAIN NAME OF END DEVICE] on OpenVPN client - - * If DNS request fails, traffic will not send to the end device properly - - Probable Causes: - - * DNS cannot resolve the domain name - - * OpenVPN client cannot route traffic to the DNS - - Suggestions: - - * Troubleshoot DNS configuration - - * Attempt to issue nslookup command with different record in DNS - - * #nslookup [ANOTHER DOMAIN IN DNS RECORD] - - * Troubleshoot the routes between OpenVPN Client and DNS - - * Attempt to issue nslookup command with specific DNS IP - - * #nslookup [DOMAIN NAME] [DNS IP] - - * Check whether users configure additional CIDRS and Name server properly on Aviatrix OpenVPN gateway - - * https://docs.aviatrix.com/HowTos/gateway.html#additional-cidrs - - * https://docs.aviatrix.com/HowTos/gateway.html#nameservers - -T_04. Verify connectivity between OpenVPN client and end device -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * Steps: - - * Send the real application traffic from OpenVPN client to the end device - - * If it still fails, please follow the Suggestions as below: - - Suggestions: - - * `Check other Aviatrix features on Aviatrix OpenVPN Gateway which might cause routing issue`_ - - * Execute Aviatrix feature “Packet Capture” on Aviatrix OpenVPN gateway to view incoming and outgoing traffic - - * https://docs.aviatrix.com/HowTos/troubleshooting.html#packet-capture 
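Review bot: This hunk deletes the OpenVPN playbook whole, but its Workflow section links to the Cloud Permission, Controller and Gateway playbooks and to its own internal targets (`Check OpenVPN configuration from Aviatrix Controller`_ and the others), and any surviving page that linked back here will now have a dangling reference; run the Sphinx build and check for unresolved-reference warnings, and either add a redirect for the old path or state in the PR where the content moved. If it is being migrated, keep the Security Group detail from "Check Aviatrix gateway's instance level and network level for OpenVPN feature" (TCP 943 when ELB is enabled, UDP 1194 otherwise) together with Check Point 1 of "Check end/testing device's instance level and network level", which scopes the end device's inbound rule to the gateway's private IP when VPN NAT is enabled or to the VPN CIDR when it is not, since that scoping is the part readers most often widen to 0.0.0.0/0 by mistake.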
diff --git a/TroubleshootingPlaybook/troubleshooting_playbook_aviatrix_s2c_end_to_end_traffic.rst b/TroubleshootingPlaybook/troubleshooting_playbook_aviatrix_s2c_end_to_end_traffic.rst deleted file mode 100644 index c0d2a87bc..000000000 --- a/TroubleshootingPlaybook/troubleshooting_playbook_aviatrix_s2c_end_to_end_traffic.rst +++ /dev/null 
@@ -1,618 +0,0 @@ -.. meta:: - :description: - :keywords: - -========================================================================================= -Aviatrix Site2Cloud End to End traffic Troubleshooting Playbook -========================================================================================= - -This technical note provides a step-by-step tips to troubleshoot Aviatrix Site2Cloud End to End traffic - -Workflow: ---------- - -1. Check basic information - Cloud Permission, Aviatrix Controller, and Aviatrix Gateway - - `Cloud Permission - AWS IAM Service Troubleshooting Playbook `_ - - `Aviatrix Controller Troubleshooting Playbook `_ - - `Aviatrix Gateway Troubleshooting Playbook `_ - -2. Troubleshoot Site2Cloud Deployment configuration - - * Aviatrix - - `Check Site2Cloud configuration from Aviatrix Controller`_ - - `Check IPSec VPN tunnel logs from Site2Cloud Diagnostics`_ - - * Cloud Platform - - `Check Aviatrix gateway’s instance level and network level for Site2Cloud feature from AWS portal`_ - -3. Check other Aviatrix Features Deployment configuration - - `Check other Aviatrix features on Aviatrix Gateway which might cause routing issue`_ - -4. Troubleshoot connectivity between Aviatrix gateway and Edge router - - `T_01. Verify Internet layer by sending ICMP traffic to the public IP of Edge router from Aviatrix Gateway`_ - - `T_02. Verify Transport layer by sending traffic with port 500/4500 to the public IP of Edge router from Aviatrix Gateway`_ - - `T_03. Verify Transport layer by sending traffic with port 500/4500 to the public IP of Aviatrix Gateway from Edge router`_ - -5. Check end device’s deployment configuration on Edge router side - - `Check end/testing device's instance level and network level configuration on Edge router side`_ - - `T_04. Troubleshoot connectivity between end device and Edge router on edge router side`_ - -6. 
Check end device’s deployment configuration on Aviatrix gateway side - - `Check end/testing instance level and network level configuration on Aviatrix gateway side`_ - - `T_05. Troubleshoot connectivity between end device and Aviatrix gateway on aviatrix gateway side`_ - -7. Troubleshoot connectivity between end device and end device - - `T_06. Verify Internet layer by sending ICMP traffic from end device on Aviatrix side to the end device on Edge router side with IP`_ - - `T_07. Verify Internet layer by sending ICMP traffic from end device on Edge router side to the end device on Aviatrix side with IP`_ - - `T_08. Verify Transport layer by sending traffic from end device on Aviatrix side to the end device on Edge router side with IP/Protocol/Port`_ - - `T_09. Verify Transport layer by sending traffic from end device on Edge router side to the end device on Aviatrix side with IP/Protocol/Port`_ - - `T_10. Verify real traffic between end to end devices`_ - -8. Refer to other troubleshooting documents - - * https://docs.aviatrix.com/Support/support_center_site2cloud.html - -Detail: -------- - -Check Site2Cloud configuration from Aviatrix Controller -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * Check IPSec VPN tunnel configuration detail from Site2Cloud page - - * https://docs.aviatrix.com/HowTos/site2cloud.html#edit-connection - - * Steps: - - 1. Navigate to the Aviatrix GUI page: Site2Cloud - - 2. Select the connection - - 3. Click the three bar/hamburger button to view IPSec VPN tunnel detail - - * Check IPSec VPN tunnel configuration detail from Download Configuration - - * https://docs.aviatrix.com/HowTos/site2cloud.html#download-configuration - - * Steps: - - 1. Navigate to the Aviatrix GUI page: Site2Cloud - - 2. Select the connection - - 3. 
Click the button "Download Configuration" - - * Check IPSec VPN tunnel configuration detail from Site2Cloud Diagnostics - - * https://docs.aviatrix.com/HowTos/site2cloud.html#troubleshooting - - * Steps: - - 1. Navigate to the Aviatrix GUI page: Site2Cloud -> Diagnostics tab - - 2. Select the related tunnel info for VPC ID/VNet Name, Connection, and Gateway - - 3. Select the Action "Show configuration" - - 4. Click the button "OK" - -Check IPSec VPN tunnel logs from Site2Cloud Diagnostics -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * https://docs.aviatrix.com/HowTos/site2cloud.html#troubleshooting - - * Steps: - - 1. Navigate to the Aviatrix GUI page: Site2Cloud -> Diagnostics tab - - 2. Select the related tunnel info for VPC ID/VNet Name, Connection, and Gateway - - 3. Select the Action "Show logs" - - 4. Click the button "OK" - - Check Point 1: Check whether phase 1 is established - - * Expect to view the string "ISAKMP-SA established" in the latest log - - * If this string does not show up in the logs, IPSec VPN phase 1 does not establish properly - - Probable Causes: - - * Aviatrix Gateway cannot reach to the public IP of edge router - - * Edge router cannot process IPSec VPN phase 1 negotiation traffic with port 500 - - * Phase 1 configuration on both IPSec VPN devices does not match - - Suggestions: - - * Check whether edge router can receive traffic from Aviatrix Gateway - - * `T_02. 
Verify Transport layer by sending traffic with port 500/4500 to the public IP of Edge router from Aviatrix Gateway`_ - - * Confirm whether phase 1 configuration is consistent on both edge routers - - * Phase 1 Authentication - - * Phase 1 DH Group - - * Phase 1 Encryption - - * Phase 1 lifetime: 28800 - - * Pre-shared Key - - Check Point 2: Check whether phase 2 is established - - * Expect to view the string "IPsec-SA established" in the latest log - - * If this string does not show up in the logs, IPSec VPN phase 2 does not establish properly - - Probable Causes: - - * Edge router cannot process IPSec VPN phase 2 negotiation traffic with port 4500. Notes: if function nat traversal is enabled, IPSec VPN tunnel uses port 4500. - - * Phase 2 configuration on both IPSec VPN devices does not match - - Suggestions: - - * Check whether edge router can receive traffic from Aviatrix Gateway - - * `T_02. Verify Transport layer by sending traffic with port 500/4500 to the public IP of Edge router from Aviatrix Gateway`_ - - * Confirm whether phase 2 configuration is consistent on both edge routers - - * Phase 2 Authentication - - * Phase 2 DH Group - - * Phase 2 Encryption - - * Phase 2 lifetime: 3600 - - * Remote Subnet and Local Subnet - - Check Point 3: Check whether message "seems to be dead" displays in the latest log - - * Expect not to view this string "seems to be dead" in the latest log - - * If this string shows up in the logs, IPSec VPN tunnel might disconnect at some point - - Probable Causes: - - * DPD configuration does not match on both IPSec VPN devices - - * Phase 1 rekey process somehow behaves anormal - - Suggestions: - - * Sync up DPD configuration on both IPSec VPN devices - - * interval 10 seconds - - * retry 3 times - - * max failure 3 times - - * or disable DPD function on both IPSec VPN devices - - Check Point 4: Check whether phase 2 negotiation uses port 4500 - - * Expect to view that phase 2 negotiation uses port 4500 - - * If phase 2 negotiation 
uses non 4500, it might have a chance to fail IPSec VPN tunnel depending on topology. Notes: if the function nat traversal is enabled, phase 2 negotiation uses port 4500; if the function nat traversal is disabled, phase 2 negotiation uses port 500 - - Probable Causes: - - * user's environment has a NAT device thus the function nat traversal needs to be enabled - - Suggestions: - - * although the function nat traversal is not necessary to be configured on edge router (it depends on the whole network topology), we highly suggest to configure it since we enable it on Aviatrix Gateway side. - -Check Aviatrix gateway’s instance level and network level for Site2Cloud feature from AWS portal -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Check Point 1: Check the Security Group which is attached to the Aviatrix Gateway - - * Expect to have the below rules in inbound rules as default: - - 1. Type: Custom UDP Rule, Protocol: UDP, Port Range: 4500, Source: Custom: 'EDGE ROUTER PUBLIC IP' - - 2. Type: Custom UDP Rule. Protocol: UDP, Port Range: 500, Source: Custom: 'EDGE ROUTER PUBLIC IP' - - * Expect to have the below rules in outbound rules as default: - - 1. 
Type: All traffic, Protocol: All, Port Range: All, Destination: 0.0.0.0/0 - -Check other Aviatrix features on Aviatrix Gateway which might cause routing issue -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * Check whether SNAT feature is configured - - * https://docs.aviatrix.com/HowTos/gateway.html#enable-nat - - * https://docs.aviatrix.com/HowTos/gateway.html#source-nat - - * Check whether DNAT feature is configured - - * https://docs.aviatrix.com/HowTos/gateway.html#destination-nat - - * Check whether Network Mapping feature is configured - - * https://docs.aviatrix.com/HowTos/gateway.html#network-mapping - - * Check whether Site2Cloud Mapped feature is configured - - * https://docs.aviatrix.com/HowTos/site2cloud.html#connection-type-mapped - -T_01. Verify Internet layer by sending ICMP traffic to the public IP of Edge router from Aviatrix Gateway -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * For troubleshooting purpose, please consider allowing ICMP traffic on Edge router to confirm Aviatrix Gateway can reach to the Edge router. - - * https://docs.aviatrix.com/HowTos/Troubleshoot_Diagnostics.html#gateway-utility - - * Steps: - - 1. Navigate to the Aviatrix GUI page: Troubleshoot -> Diagnostics -> Network -> GATEWAY UTILITY - - 2. Select the Gateway Name - - 3. Select the Interface: eth0 - - 4. Destination Host Name (or IP): [Public IP of Edge router] - - 5. Click the button “Ping" - - * If the Ping fails, Aviatrix Gateway might not able to reach to the public IP of Edge router. If the Edge router does not allow ICMP traffic for security concern, please troubleshoot the connectivity by refering to `T_02. 
Verify Transport layer by sending traffic with port 500/4500 to the public IP of Edge router from Aviatrix Gateway`_ - - Probable Causes: - - * End device does not allow ICMP traffic from the public IP of Aviatrix Gateway - - * Traffic might be mis-routed or be blocked somewhere - - Suggestions: - - * Check the firewall settings on Edge router - - * Execute function “Packet Capture” on Edge router - - * Execute function `Network Traceroute `_ on Aviatrix Gateway and check the report to figure out where the traffic ends - -T_02. Verify Transport layer by sending traffic with port 500/4500 to the public IP of Edge router from Aviatrix Gateway -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * https://docs.aviatrix.com/HowTos/Troubleshoot_Diagnostics.html#network-connectivity-utility - - * Steps: - - 1. Navigate to the Aviatrix GUI page: Troubleshoot -> Diagnostics -> Network -> NETWORK CONNECTIVITY UTILITY - - 2. Hostname: [Public IP of Edge router] - - 3. Port: 500 - - 4. Gateway Name: Aviatrix Gateway - - 5. Protocol: UDP - - 6. Click the button “Go" - - * Expect to view a green message “Able to reach [Public IP of Edge router] at 500 from gateway [AVIATRIX-GATEWAY-NAME]” on Aviatrix GUI - - 7. Test port 4500 by following the previous steps - - * If the testing fails, Aviatrix Gateway might not able to reach to the public IP of Edge router with the specific port 500 or 4500. - - Probable Causes: - - * End device does not allow traffic with port 500 or 4500 from the public IP of Aviatrix Gateway - - * Traffic might be mis-routed or be blocked somewhere - - Suggestions: - - * Check the firewall settings on Edge router - - * Execute function “Packet Capture” on Edge router - check whether traffic from Aviatrix Gateway can hit the Edge router and the Edge router can return the traffic back to Aviatrix Gateway properly. - -T_03. 
Verify Transport layer by sending traffic with port 500/4500 to the public IP of Aviatrix Gateway from Edge router -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * Steps: - - * Send traffic with port 500 from Edge router to Aviatrix Gateway by similar Telnet command - - * Send traffic with port 4500 from Edge router to Aviatrix Gateway by similar Telnet command - - * If the telnet traffic fails, the real application traffic might not work properly - - Probable Causes: - - * Traffic might be mis-routed or be blocked somewhere - - * The related IPSec VPN configuraion on Cloud platform does not configure properly - - Suggestions: - - * `Check Site2Cloud configuration from Aviatrix Controller`_ - - * Execute Aviatrix feature “Packet Capture” on Aviatrix gateway to view incoming and outgoing traffic - - * https://docs.aviatrix.com/HowTos/troubleshooting.html#packet-capture - -Check end/testing device's instance level and network level configuration on Edge router side -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Check Point 1: Check the firewall configuration on end device - - * Expect to allow traffic from the range which is defined in the IPSec VPN tunnel - - Check Point 2: Check the routing configuration on end device - - * Expect to route traffic back to the range which is defined in the IPSec VPN tunnel - - Check Point 3: Check the Security Group which is attached to the end/testing instance if it is deployed in AWS - - * Expect to allow traffic from the range which is defined in the IPSec VPN tunnel - - Check Point 4: Check the Network ACL where end/testing instance locates if it is deployed in AWS - - * Expect to allow traffic from the range which is defined in the IPSec VPN tunnel - - Check Point 5: Check the Routing Table where end/testing instance locates if it is deployed in AWS - - * Expect to route traffic back to the range 
which is defined in the IPSec VPN tunnel - -T_04. Troubleshoot connectivity between end device and Edge router on edge router side -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Check Point 1: Check whether Edge router can reach to the IP of the end device - - Check Point 2: Check whether end device can reach to the IP of the Edge router - - Check Point 3: Attempt to simulate sending traffic from end device to the range which is defined in the IPSec VPN tunnel - - * Expect Edge router receives the traffic from end device - - * Execute function "packet capture" on Edge router - -Check end/testing instance level and network level configuration on Aviatrix gateway side -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Check Point 1: Check the firewall configuration on end device - - * Expect to allow traffic from the range which is defined in the IPSec VPN tunnel - - Check Point 2: Check the routing configuration on end device - - * Expect to route traffic back to the range which is defined in the IPSec VPN tunnel - - Check Point 3: Check the Security Group which is attached to the end/testing instance if it is deployed in AWS - - * Expect to allow traffic from the range which is defined in the IPSec VPN tunnel - - Check Point 4: Check the Network ACL where end/testing instance locates if it is deployed in AWS - - * Expect to allow traffic from the range which is defined in the IPSec VPN tunnel - - Check Point 5: Check the Routing Table where end/testing instance locates if it is deployed in AWS - - * Expect to route traffic back to the range which is defined in the IPSec VPN tunnel - -T_05. 
Troubleshoot connectivity between end device and Aviatrix gateway on aviatrix gateway side -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Check Point 1: Check whether Aviatrix gateway can reach to the IP of the end device - - * If troubleshooting purpose, please allow ICMP traffic on end device from Aviatrix gateway - - * Steps: - - 1. Navigate to the Aviatrix GUI page: Troubleshoot -> Diagnostics -> Network -> GATEWAY UTILITY - - 2. Select the Gateway Name - - 3. Select the Interface: eth0 - - 4. Destination Host Name (or IP): [IP of end device on Aviatrix gateway side] - - 5. Click the button “Ping" - - Probable Causes: - - * End device does not allow ICMP traffic from the private IP of Aviatrix Gateway - - * Traffic might be mis-routed or be blocked somewhere - - Suggestions: - - * Check the firewall settings on end device - - * `Check end/testing instance level and network level configuration on Aviatrix gateway side`_ - - * Execute function “Packet Capture” on end device - - * Execute function `Network Traceroute `_ on Aviatrix Gateway and check the report to figure out where the traffic ends - - Check Point 2: Check whether end device can reach to the private IP of the Aviatrix Gateway - - Check Point 3: Attempt to simulate sending traffic from end device to the range which is defined in the IPSec VPN tunnel - - * Expect that Aviatrix gateway receives the traffic from end device - - * Execute `Packet Capture feature `_ from Aviatrix Controller GUI - -T_06. Verify Internet layer by sending ICMP traffic from end device on Aviatrix side to the end device on Edge router side with IP -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * For troubleshooting purpose, please consider allowing ICMP traffic on end device to confirm the whole routing path. - - * Steps: - - 1. 
Send ICMP traffic from end device on Aviatrix side to the end device on Edge router side with IP by Ping command - - 2. Send ICMP traffic from end device on Aviatrix side to the end device on Edge router side with IP by Traceroute/Tracert command - - * If the Ping fails, please check the traceroute/tracert report to figure out where the traffic ends - - Probable Causes: - - * End device does not allow ICMP traffic - - * Traffic might be mis-routed or be blocked somewhere - - Suggestions: - - * `Check other Aviatrix features on Aviatrix Gateway which might cause routing issue`_ - - * Execute Aviatrix feature `Packet Capture `_ on Aviatrix gateway to view incoming and outgoing traffic - - * https://docs.aviatrix.com/HowTos/troubleshooting.html#packet-capture - - * Check IPSec VPN tunnel - security association details from Site2Cloud Diagnostics - - * https://docs.aviatrix.com/HowTos/site2cloud.html#troubleshooting - - * Steps: - - 1. Navigate to the Aviatrix GUI page: Site2Cloud -> Diagnostics tab - - 2. Select the related tunnel info for VPC ID/VNet Name, Connection, and Gateway - - 3. Select the Action "Show security association details" - - 4. Click the button "OK" - - 5. Record the packet status which you can search for the keyword "current:" on the outgoing info - - :: - - [Aviatrix Gateway private IP to Edge Router public IP] - [UPDATE EXAMPLE LATER] - - 6. Click the button "OK" again - - 7. Compare the packet status again - - * Expect to view the packet status value increasing - - * Check IPSec VPN tunnel statistics for the incoming traffic on Edge router - - * Check whether Edge router configures SNAT or DNAT feature - - * if so, check NAT function statistics - - * Execute feature “Packet Capture” on Edge router to view incoming and outgoing traffic - - * Check firewall configuration on Edge router - -T_07. 
Verify Internet layer by sending ICMP traffic from end device on Edge router side to the end device on Aviatrix side with IP -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * For troubleshooting purpose, please consider allowing ICMP traffic on end device to confirm the whole routing path. - - * Steps: - - 1. Send ICMP traffic from end device on Edge router side to the end device on Aviatrix side with IP by Ping command - - 2. Send ICMP traffic from end device on Edge router side to the end device on Aviatrix side with IP by Traceroute/Tracert command - - * If the Ping fails, please check the traceroute/tracert report to figure out where the traffic ends - - Probable Causes: - - * End device does not allow ICMP traffic - - * Traffic might be mis-routed or be blocked somewhere - - Suggestions: - - * `Check other Aviatrix features on Aviatrix Gateway which might cause routing issue`_ - - * Execute Aviatrix feature `Packet Capture `_ on Aviatrix gateway to view incoming and outgoing traffic - - * Check IPSec VPN tunnel - security association details from Site2Cloud Diagnostics - - * https://docs.aviatrix.com/HowTos/site2cloud.html#troubleshooting - - * Steps: - - 1. Navigate to the Aviatrix GUI page: Site2Cloud -> Diagnostics tab - - 2. Select the related tunnel info for VPC ID/VNet Name, Connection, and Gateway - - 3. Select the Action "Show security association details" - - 4. Click the button "OK" - - 5. Record the packet status which you can search for the keyword "current:" on the incoming info - - :: - - [Edge Router public IP to Aviatrix Gateway private IP] - [UPDATE EXAMPLE LATER] - - 6. Click the button "OK" again - - 7. 
Compare the packet status again - - * Expect to view the packet status value increasing - - * Check IPSec VPN tunnel statistics for the outgoing traffic on Edge router - - * Check whether Edge router configures SNAT or DNAT feature - - * if so, check NAT function statistics - - * Execute feature “Packet Capture” on Edge router to view incoming and outgoing traffic - - * Check firewall configuration on Edge router - -T_08. Verify Transport layer by sending traffic from end device on Aviatrix side to the end device on Edge router side with IP/Protocol/Port -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * Troubleshooting steps are similar to `T_06. Verify Internet layer by sending ICMP traffic from end device on Aviatrix side to the end device on Edge router side with IP`_ - - * Instead of sending ICMP traffic, try to simulate the traffic by issuing command #telnet with specific port - -T_09. Verify Transport layer by sending traffic from end device on Edge router side to the end device on Aviatrix side with IP/Protocol/Port -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * Troubleshooting steps are similar to `T_07. Verify Internet layer by sending ICMP traffic from end device on Edge router side to the end device on Aviatrix side with IP`_ - - * Instead of sending ICMP traffic, try to simulate the traffic by issuing command #telnet with specific port - -T_10. Verify real traffic between end to end devices -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * Troubleshooting steps are similar to - - `T_06. Verify Internet layer by sending ICMP traffic from end device on Aviatrix side to the end device on Edge router side with IP`_ - - `T_07. 
Verify Internet layer by sending ICMP traffic from end device on Edge router side to the end device on Aviatrix side with IP`_ - - * Instead of sending ICMP traffic, try to troubleshoot the real traffic - diff --git a/TroubleshootingPlaybook/troubleshooting_playbook_aws_iam_service.rst b/TroubleshootingPlaybook/troubleshooting_playbook_aws_iam_service.rst deleted file mode 100644 index 03d7dfa48..000000000 --- a/TroubleshootingPlaybook/troubleshooting_playbook_aws_iam_service.rst +++ /dev/null 
@@ -1,224 +0,0 @@ -.. meta:: - :description: - :keywords: - -========================================================================================= -AWS IAM Service Troubleshooting Playbook -========================================================================================= - -This technical note provides a step-by-step tips to troubleshoot AWS IAM Service. - -Workflow: ---------- - -1. `Check whether IAM role/policy for AWS Accounts (1) Primary and (2) Secondary are configured properly`_ - -2. `Check whether InstanceProfileArn has the exact string “instance-profile/aviatrix-role-ec2”`_ - -3. `Check whether IAM role is attached to Aviatrix Gateway and IAM policy is associated to IAM role properly`_ - -4. `Check whether trust relationship is not established properly between primary and secondary account`_ - -5. `Check whether company centrally manages & governs permission/policies across accounts through AWS Organization`_ - -6. `Refer to other troubleshooting documents`_ - -Detail: -------- - -Check whether IAM role/policy for AWS Accounts (1) Primary and (2) Secondary are configured properly -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Check Point 1: - - Option 1: Check Account Audit Status from Aviatrix Controller - - * https://docs.aviatrix.com/HowTos/account_audit.html - - * Expect to view “Pass” status - - * If the status displays "Pass*” or “Fail”, this AWS account might hit at least one of the Probable Causes as below. 
- - Option 2: Check whether AWS IAM role and policy are updated to the latest version from AWS portal - - * https://docs.aviatrix.com/HowTos/iam_policies.html - - Probable Causes: - - * Company manages permission through AWS Organization - - * AWS IAM is out of sync - - * Customized instance profile name - - * Outdated IAM policy - - * Customized IAM policy - - * IAM role does not attach to Controller/Gateway properly - - * Trust relationship is not established properly between primary and secondary account - - Suggestions: - - * Attempt to address this by following Aviatrix Account Audit's suggestion: - - 1. Click the button “Check” on the page Accounts -> Account Audit -> Select the Account name which has "Pass*” or “Fail” status - - 2. Follow the suggestion in the prompted panel - - 3. Repeat the above steps until all accounts are in “Pass” state - - * Refer the below documents - - * https://docs.aviatrix.com/HowTos/iam_policies.html - - * https://docs.aviatrix.com/HowTos/HowTo_IAM_role.html - -Check whether InstanceProfileArn has the exact string “instance-profile/aviatrix-role-ec2” -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Check Point 1: Run Aviatrix Diagnostic report for Controller from Aviatrix Controller - - * https://docs.aviatrix.com/HowTos/Troubleshooting_Diagnostics_Result.html - - * Expect the string “aviatrix-role-ec2” is exactly be named in the report of InstanceProfileArn as below example: - - :: - - InstanceProfileArn " \"InstanceProfileArn\" : \"arn:aws:iam::XXXXX:instance-profile/aviatrix-role-ec2\",\n" - - * If the string in InstanceProfileArn field is not “aviatrix-role-ec2”, Aviatrix Software might not function the AWS IAM role/policy properly. 
- - Check Point 2: Run Aviatrix Diagnostic report for Gateways from Aviatrix Controller - - * https://docs.aviatrix.com/HowTos/Troubleshooting_Diagnostics_Result.html - - * Option 1: - - * Repeat Check Point 1 for all gateways - - * Option 2: - - * Expect to view “Passed” status in the field of “GatewayIamRole” as below example: - - * "GatewayIamRole": "Passed" - - * If the string is not “Passed”, Aviatrix Software might not function the AWS IAM role/policy properly. - - Probable Causes: - - * There is a customized instance profile name which is not "aviatrix-role-ec2" - - Suggestions: - - * Users need to clean up the customized instance profile name first. - - * Users need to rename the InstanceProfile to “aviatrix-role-ec2”. The customized name might need to be updated in Terraform or CloudFormation script. - -Check whether IAM role is attached to Aviatrix Gateway and IAM policy is associated to IAM role properly -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - Check Point 1: Check Aviatrix Gateway Audit Status from Aviatrix Controller - - * https://docs.aviatrix.com/HowTos/gateway_audit.html - - * Expect to view “Pass” status - - * If the status displays “Error(IAM)”, Aviatrix Software might not function the AWS IAM role/policy properly. - - Probable Causes: - - * gateway's aviatrix-role-ec2 is detached from the instance profile - - * aviatrix-role-app does not have associated policy - - Suggestions: - - * Toggle IAM role on Aviatrix Gateway - - 1. Attach “No Role” to Aviatrix Gateway and click the button “Apply" in AWS portal - - 2. Wait for a few seconds - - 3. 
Attach “aviatrix-role-ec2” to Aviatrix Gateway and click the button “Apply" in AWS portal - - * Update the Aviatrix IAM role/policy - - * https://docs.aviatrix.com/HowTos/iam_policies.html - -Check whether trust relationship is not established properly between primary and secondary account -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * https://docs.aviatrix.com/HowTos/HowTo_IAM_role.html#establish-trust-relationship-with-primary-account - - Check Point 1: Check the primary account in AWS portal - - 1. Check the aviatrix-role-app - - 2. Expect to grant - - 1. the primary (Controller) AWS account itself access to the aviatrix-role-app in this primary account - - Check Point 2: Check the secondary account in AWS portal - - 1. Check your aviatrix-role-app in all the secondary account - - 2. Expect to grant - - 1. the primary (Controller) AWS account access to the aviatrix-role-app in this secondary account - - 2. the secondary (Gateway) AWS account itself access to the aviatrix-role-app in this secondary account - -Check whether company centrally manages & governs permission/policies across accounts through AWS Organization -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * https://aws.amazon.com/organizations/ - - Check Point 1: Check “Service Control Policies” for “Root” has the right permissions by following the steps below: - - 1. Go to “AWS Console > AWS Organizations > Organize Account” - - 2. Click on “Root” on the left panel, followed by a click on “Service Control Policies” on the right panel. - - 3. Check all attached “Service Control Policies”. - - Check Point 2: Check “Service Controller Policies” for “Organization Unit” has the right permissions by following the steps below: - - 1. Go to “AWS Console > AWS Organizations > Organize Account > Find” - - 2. 
Click on the “Oranization Unit” (which the account belongs to) on the left panel > Click on “Service control policies” on the right panel. - - 3. Check all attached “Service Control Policies”. - - Check Point 3: Check “Service Controller Policies” for the account: - - 1. Go to “AWS Console > AWS Organizations > Account > Find” - - 2. Click on the account from the list. Click on “Service Control Policies” on the right panel. - - 3. Check all attached “Service Control Policies”. - - Expectation: - - * allowing us-west-1 region in your AWS organization policy - - * at least the same permission as Aviatrix IAM policy to all attached “Service Control Policies" - - Suggestions: - - * Please update the “Service Control Policies” to the expectation and run the below steps again - - * `Check whether IAM role/policy for AWS Accounts (1) Primary and (2) Secondary are configured properly`_ - - * `Check whether InstanceProfileArn has the exact string “instance-profile/aviatrix-role-ec2”`_ - - * `Check whether IAM role is attached to Aviatrix Gateway and IAM policy is associated to IAM role properly`_ - -Refer to other troubleshooting documents -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - * https://docs.aviatrix.com/Support/support_center_aws_infrastructure.html#how-can-i-debug-iam-related-issues-iam-debug-playbook - - - - diff --git a/TroubleshootingPlaybook/troubleshooting_playbook_overview.rst b/TroubleshootingPlaybook/troubleshooting_playbook_overview.rst deleted file mode 100644 index fe612cac8..000000000 --- a/TroubleshootingPlaybook/troubleshooting_playbook_overview.rst +++ /dev/null 
@@ -1,135 +0,0 @@ -.. meta:: - :description: - :keywords: - -========================================================================================= -Aviatrix Troubleshooting Playbook Overview -========================================================================================= - -This technical note provides an overview and guideline of Aviatrix Troubleshooting Playbook. The purpose of Aviatrix troubleshooting playbook is trying to assist users self-troubleshooting Aviatrix product, the related Cloud platform configuration, and data plan step-by-step. - -Overview: ---------- - -#. `How to high-level troubleshoot Aviatrix product`_ - -#. `Explanation of Aviatrix troubleshooting playbook outline`_ - -How to high-level troubleshoot Aviatrix product -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -1. Draw a network topology including end device, Aviatrix product, network components and CIDR - -2. List out Aviatrix features which has been deployed in your environment - -3. Understand the deployment configuration and traffic flow - -4. Identify the problem by refering to Aviatrix troubleshooting playbook and other Aviatrix docs - -5. Attempt to address the problem by refering to suggestions in Aviatrix troubleshooting playbook and other Aviatrix docs - -6. Submit or update a support ticket - - * Upload `Aviatrix Diagnostic report `_ - - * `Upload tracelog `_ - -Explanation of Aviatrix troubleshooting playbook outline -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Playbook template - - 1. Check cloud permission - - 2. Troubleshoot cloud deployment configuration - - * methods: - - * Aviatrix software - - * Cloud platform portal - - * workflow: - - 1. Instance level such as AWS security group - - 2. Network level such as AWS subnet, Network ACL, and routing table - - 3. Other services - - 3. Troubleshoot Aviatrix configuration - - * methods: - - * Aviatrix software - - * workflow: - - 1. Basic Linux network configuration - - 2. 
Basic Linux operating system configuration - - 4. Troubleshoot Aviatrix feature configuration - - * methods: - - * Aviatrix software - - * Cloud platform portal - - * workflow: - - 1. Instance level such as AWS security group - - 2. Network level such as AWS subnet, Network ACL, and routing table - - 3. Other services - - 5. Troubleshoot data plan/traffic - - * methods: - - * Aviatrix software - - * User environment - - * workflow: - - 1. IP layer -> Transport layer -> Application layer - - 2. Packet capture - -Troubleshooting process - - 1. Identify the problem by - - 1. Set checkpoints - - 2. Define expectation - - 3. List failure/error message - - 2. Establish or educated guess a theory of probable causes - - 3. Establish an action plan/suggestion and execute the plan - -Category: ---------- - -Cloud Permission - -* `AWS IAM Service Troubleshooting Playbook `_ - -Aviatrix Controller - -* `Aviatrix Controller Troubleshooting Playbook `_ - -Aviatrix Gateway - -* `Aviatrix Gateway Troubleshooting Playbook `_ - -Aviatrix Features - -* `Aviatrix OpenVPN End to End traffic Troubleshooting Playbook `_ - -* `Aviatrix Site2Cloud End to End traffic Troubleshooting Playbook `_ diff --git a/_static/js/6sense.js b/_static/js/6sense.js new file mode 100644 index 000000000..f182c5d99 --- /dev/null +++ b/_static/js/6sense.js @@ -0,0 +1,13 @@ +window._6si = window._6si || []; +window._6si.push(['enableEventTracking', true]); +window._6si.push(['setToken', '18dfc111143ad2f7ede4cfee932d7f2b']); +window._6si.push(['setEndpoint', 'b.6sc.co']); + +(function() { + var gd = document.createElement('script'); + gd.type = 'text/javascript'; + gd.async = true; + gd.src = '//j.6sc.co/6si.min.js'; + var s = document.getElementsByTagName('script')[0]; + s.parentNode.insertBefore(gd, s); +})(); \ No newline at end of file diff --git a/_static/js/custom.js b/_static/js/custom.js index 868bdc89d..f335729a3 100644 --- a/_static/js/custom.js +++ b/_static/js/custom.js 
@@ -1,4 +1,6 @@ $(function() { + $('.wy-breadcrumbs-aside').append('
» Request Product Demo'); + $('.wy-menu-vertical > ul.current').prev().addClass('active'); $('.wy-menu-vertical > p.caption').on('click', function(e){ diff --git a/conf.py b/conf.py index 0f20ddf8b..57aeeedea 100644 --- a/conf.py +++ b/conf.py @@ -29,6 +29,7 @@ def setup(app): app.add_javascript('js/custom.js') app.add_javascript('js/digitalpi-utm-tracker-aviatrix.com.js') app.add_javascript('js/marketo-munchkin.js') + app.add_javascript('js/6sense.js') app.add_javascript('js/drift.js') # -- General configuration ------------------------------------------------ @@ -40,9 +41,9 @@ def setup(app): # Add any Sphinx extension module names here, as strings. They can be # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom # ones. -#extensions = [] +extensions = [] -extensions = ['sphinxcontrib.disqus'] +#extensions = ['sphinxcontrib.disqus'] # Add any paths that contain templates here, relative to this directory. @@ -59,7 +60,7 @@ def setup(app): # General information about the project. project = 'aviatrix_docs' -copyright = '2018, Aviatrix Systems, Inc' +copyright = '2021, Aviatrix Systems, Inc' author = 'Aviatrix' # Options for extensions diff --git a/index.rst b/index.rst index 1bc69162b..fe9867f8f 100644 --- a/index.rst +++ b/index.rst 
@@ -2,7 +2,7 @@ Welcome to Aviatrix Docs ======================== All Aviatrix product documentation can be found here. -If you cannot find what you need, email us at support@aviatrix.com. Hats off to all who helped fix typos and mistakes. You can do that too by clicking the "Edit on GitHub" button on the top right corner of any document. Please also visit our `main website`_ for more information regarding use cases and upcoming events. +If you cannot find what you need, please reach out to us via `Aviatrix Support Portal `_. Hats off to all who helped fix typos and mistakes. You can do that too by clicking the "Edit on GitHub" button on the top right corner of any document. Please also visit our `main website`_ for more information regarding use cases and upcoming events. .. _main website: http://aviatrix.com .. _GitHub: https://github.com/AviatrixSystems/Docs @@ -13,8 +13,8 @@ While all content is searchable, the site is organized into the following sectio * :ref:`Getting Started` * :ref:`Onboarding and Accounts` * :ref:`Gateway` -* :ref:`Transit Gateway Orchestrator` * :ref:`Transit Network` +* :ref:`Transit Gateway Orchestrator` * :ref:`Firewall Network` * :ref:`Cloud WAN` * :ref:`Peering` @@ -23,15 +23,13 @@ While all content is searchable, the site is organized into the following sectio * :ref:`Security` * :ref:`UsefulTools` * :ref:`Settings` -* :ref:`Troubleshoot` -* :ref:`REST APIs` * :ref:`Downloads` * :ref:`Release Notes` +* :ref:`Security Bulletin` +* :ref:`CoPilot` * :ref:`Tech Notes` * :ref:`Good To Know` * :ref:`Support Center` -* :ref:`IPmotion` -* :ref:`Troubleshooting Playbook` .. _Getting Started: 
@@ -46,9 +44,7 @@ While all content is searchable, the site is organized into the following sectio StartUpGuides/oracle-aviatrix-cloud-controller-startup-guide StartUpGuides/google-aviatrix-cloud-controller-startup-guide StartUpGuides/aviatrix_operations - StartUpGuides/CloudN-Startup-Guide - StartUpGuides/appendix-CloudN-Startup-Guide - StartUpGuides/aviatrix-china-controller-startup-guide + HowTos/meter_pricing HowTos/FAQ @@ -61,11 +57,12 @@ While all content is searchable, the site is organized into the following sectio HowTos/onboarding_faq HowTos/aviatrix_account HowTos/HowTo_IAM_role - HowTos/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts/howto_customize_aviatrix_iam_role_names_for_2ndary_accounts.rst HowTos/iam_policies HowTos/aviatrix_iam_policy_requirements HowTos/customize_aws_iam_policy HowTos/Aviatrix_Account_Azure + HowTos/aviatrix_account_alibaba + HowTos/azure_custom_role HowTos/CreateGCloudAccount HowTos/oracle-aviatrix-cloud-controller-onboard HowTos/AdminUsers_DuoAuth @@ -73,6 +70,8 @@ While all content is searchable, the site is organized into the following sectio HowTos/Quick_Tour HowTos/accesskey HowTos/account_audit + HowTos/rbac_faq + HowTos/oci_iam_policy .. _Gateway: 
@@ -83,6 +82,41 @@ While all content is searchable, the site is organized into the following sectio HowTos/gateway Solutions/gateway_ha HowTos/gateway_audit + HowTos/default_route_faq + + +.. _Transit Network: + +.. toctree:: + :maxdepth: 1 + :caption: Multi-Cloud Transit Network + + HowTos/transitvpc_faq + HowTos/transitvpc_workflow + HowTos/transitgw_external + HowTos/spokegw_external + HowTos/transit_approval + HowTos/transit_advanced + HowTos/transitvpc_designs + HowTos/transit_list + HowTos/azure_transit_designs + HowTos/transit_segmentation_faq + HowTos/transit_segmentation_workflow + HowTos/activemesh_faq + HowTos/activemesh_design_notes + HowTos/activemesh_beta + HowTos/insane_mode + HowTos/insane_mode_perf + HowTos/CloudN_insane_mode + HowTos/CloudN_workflow + HowTos/migrate_tgw_orchestrator_to_aviatrix_transit + HowTos/integrate_transit_gateway_with_expressroute + HowTos/transit_gateway_external_device_bgp_over_gre_high_performance_workflow + HowTos/transit_gateway_external_device_bgp_over_lan_workflow + HowTos/transit_gateway_external_device_bgp_over_lan_azure_workflow + HowTos/transit_gateway_external_device_bgp_over_lan_gcp_workflow + + .. _Transit Gateway Orchestrator: @@ -93,6 +127,7 @@ While all content is searchable, the site is organized into the following sectio HowTos/tgw_faq HowTos/tgw_plan HowTos/tgw_build + HowTos/tgw_list HowTos/tgw_approval HowTos/tgw_design_patterns HowTos/transit_gateway_peering 
@@ -101,27 +136,7 @@ While all content is searchable, the site is organized into the following sectio HowTos/transitgw_external HowTos/transitvpc_workflow HowTos/transitvpc_design - -.. _Transit Network: - -.. toctree:: - :maxdepth: 1 - :caption: Encrypted Transit Network - - HowTos/transitvpc_faq - HowTos/transitvpc_workflow - HowTos/transitgw_external - HowTos/transit_approval - HowTos/transitvpc_designs - HowTos/Setup_Transit_Network_Terraform - HowTos/transit_firenet_faq - HowTos/transit_firenet_workflow - HowTos/activemesh_faq - HowTos/activemesh_design_notes - HowTos/activemesh_beta - HowTos/insane_mode - HowTos/insane_mode_perf - HowTos/CloudN_insane_mode + HowTos/tgwconnect .. _Firewall Network: @@ -131,15 +146,29 @@ While all content is searchable, the site is organized into the following sectio HowTos/firewall_network_faq HowTos/firewall_network_workflow - HowTos/firewall_network_design_patterns + HowTos/transit_firenet_faq + HowTos/transit_firenet_workflow + HowTos/transit_firenet_design_patterns + HowTos/firewall_advanced HowTos/paloalto_API_setup HowTos/ingress_firewall_example + HowTos/Azure_ingress_firewall_example HowTos/config_paloaltoVM + HowTos/config_PaloAltoAzure.rst + HowTos/config_paloaltoGCP + HowTos/config_paloaltoOCI HowTos/bootstrap_example - HowTos/config_FortiGate.rst - HowTos/config_Checkpoint.rst + HowTos/pan_bootstrap_example_azure + HowTos/config_FortiGateVM + HowTos/config_FortiGateAzure + HowTos/fortigate_bootstrap_example + HowTos/fortigate_bootstrap_example_azure + HowTos/config_CheckPointVM + HowTos/config_CheckPointAzure + HowTos/checkpoint_bootstrap_azure HowTos/config_PFsense HowTos/config_Barracuda.rst + HowTos/firewall_network_design_patterns .. _Cloud WAN: 
@@ -209,8 +238,12 @@ While all content is searchable, the site is organized into the following sectio HowTos/cloudn-site2cloud HowTos/site2cloud_case_study HowTos/EncrOverExpRoute + HowTos/connect_overlap_cidrs_routebasedipsec + HowTos/overlapping_network_solutions HowTos/connect_overlap_cidrs HowTos/connect_overlap_vpc_via_VGW + HowTos/periodic_ping + .. _OpenVPN: @@ -221,6 +254,7 @@ While all content is searchable, the site is organized into the following sectio HowTos/uservpn HowTos/openvpn_faq HowTos/openvpn_features + HowTos/openvpn_design_considerations HowTos/Cloud_Networking_Ref_Des HowTos/GeoVPN HowTos/DNSVPN @@ -240,9 +274,9 @@ While all content is searchable, the site is organized into the following sectio HowTos/user_accelerator HowTos/ipv6_multivpc_vpn HowTos/uservpn-TGW - - - + HowTos/Setup_Okta_SAML_Profile_Attribute + HowTos/Setup_PingOne_SAML_Profile_Attribute + HowTos/azure_saml_auth_vpn_access .. _UsefulTools: @@ -252,6 +286,7 @@ While all content is searchable, the site is organized into the following sectio HowTos/vpc_tracker HowTos/create_vpc + HowTos/discover_flows .. _Settings: @@ -261,6 +296,7 @@ While all content is searchable, the site is organized into the following sectio HowTos/controller_backup HowTos/controller_ha + HowTos/selective_upgrade HowTos/inline_upgrade HowTos/AviatrixLogging HowTos/alert_and_email 
@@ -286,46 +322,49 @@ While all content is searchable, the site is organized into the following sectio HowTos/Troubleshoot_Diagnostics HowTos/error-msgs HowTos/azuregwlaunch + HowTos/Troubleshoot_ELB_Status HowTos/flightpath -.. _REST APIs: +.. _Downloads: .. toctree:: :maxdepth: 1 - :caption: REST APIs + :caption: Downloads - HowTos/Aviatrix_Controller_API - HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/multiple_approaches_to_use_aviatrix_api - HowTos/aviatrix_apis_datacenter_extension + Downloads/samlclient -.. _Terraform: +.. _Release Notes: .. toctree:: :maxdepth: 1 - :caption: Terraform + :caption: Release Notes - HowTos/tf_aviatrix_howto - HowTos/aviatrix_terraform - HowTos/tf_export + HowTos/UCC_Release_Notes + HowTos/changelog + HowTos/field_notices + HowTos/image_release_notes -.. _Downloads: +.. _Security Bulletin: .. toctree:: :maxdepth: 1 - :caption: Downloads + :caption: Security Bulletin - Downloads/cloudndownload - Downloads/samlclient + HowTos/security_bulletin_article + HowTos/security_bulletin_faq -.. _Release Notes: +.. _CoPilot: .. toctree:: :maxdepth: 1 - :caption: Release Notes + :caption: CoPilot - HowTos/UCC_Release_Notes - HowTos/changelog - HowTos/field_notices + HowTos/copilot_release_notes + HowTos/copilot_release_notes_images + HowTos/copilot_overview + HowTos/copilot_getting_started + HowTos/copilot_reference_guide.rst + HowTos/copilot_faq .. _Tech Notes: 
@@ -333,19 +372,20 @@ While all content is searchable, the site is organized into the following sectio :maxdepth: 1 :caption: Tech Notes - HowTos/CloudN-config-drive-v1_4 HowTos/AWS_NetworkLoadBalancer_Onsite_And_In_Cloud HowTos/DatadogIntegration StartUpGuides/aws_manual_startup_guide HowTos/site_to_site_vpn HowTos/controller_security_for_SAML + HowTos/azure_saml_auth_vpn_access HowTos/simpletransit HowTos/s2c_vgw_snat HowTos/s2c_overlapping_subnets HowTos/s2c_for_publicIP + HowTos/transit_for_publicIP + HowTos/transit_solution_activemesh_spoke_snat_dnat_rfc1918 HowTos/meraki_to_transit HowTos/reserve_onprem - HowTos/spoke_skip_rfc1918 HowTos/HowTo_Setup_AWS_Managed_Microsoft_AD_for_Aviatrix Solutions/aviatrix_aws_meshVPC Solutions/build_zerotrust_cloud_network @@ -364,8 +404,18 @@ While all content is searchable, the site is organized into the following sectio HowTos/activemesh_migration HowTos/openvpn_fqdn HowTos/HowTo_Setup_SAML_with_G_SUITE_ORG - HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute - + HowTos/transit_firenet_workflow_aws + HowTos/transit_firenet_workflow_aws_gwlb + HowTos/transit_firenet_workflow_azure + HowTos/transit_firenet_workflow_gcp + HowTos/transit_firenet_workflow_oci + HowTos/cloud_wan_workflow_azure_vwan + HowTos/using_VPC_Endpoints_w_AVX + HowTos/transit_gateway_peering_with_private_network_workflow + HowTos/aviatrix_aws_outposts + HowTos/s2c_overlapping_cidrs_with_fast_convergence + HowTos/transit_gateway_external_device_bgp_over_lan_with_aws_meraki_workflow + .. _Good To Know: .. toctree:: 
@@ -387,42 +437,5 @@ While all content is searchable, the site is organized into the following sectio :maxdepth: 1 :caption: Support Center - Support/support_center Support/support_center_operations - Support/support_center_controller - Support/support_center_openvpn_gateway - Support/support_center_transit_solution - Support/support_center_egress_firewall - Support/support_center_logging - Support/support_center_site2cloud - Support/support_center_ipsec - Support/support_center_aws_infrastructure - Support/support_center_gcp_infrastructure - Support/support_center_terraform - Support/support_ticket_priority - Support/support_center_useful_tools - Support/support_center_cloudn - -.. _IPmotion: - -.. toctree:: - :maxdepth: 1 - :caption: IPmotion - - HowTos/ipmotion - HowTos/HowTo_Setup_IPMotion - HowTos/design_pattern_ipmotion - HowTos/ipmotion_dependency_discovery - -.. _Troubleshooting Playbook: - -.. toctree:: - :maxdepth: 1 - :caption: Troubleshooting Playbook - - TroubleshootingPlaybook/troubleshooting_playbook_overview.rst - TroubleshootingPlaybook/troubleshooting_playbook_aws_iam_service.rst - TroubleshootingPlaybook/troubleshooting_playbook_aviatrix_controller.rst - TroubleshootingPlaybook/troubleshooting_playbook_aviatrix_gateway.rst - TroubleshootingPlaybook/troubleshooting_playbook_aviatrix_openvpn_end_to_end_traffic.rst - TroubleshootingPlaybook/troubleshooting_playbook_aviatrix_s2c_end_to_end_traffic.rst + diff --git a/requirements.txt b/requirements.txt index 3454025f8..633ce88ce 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,6 @@ sphinxcontrib-disqus ## use v1.5.5 of Sphinx to make disqus work correctly sphinx==1.5.5 +## pin docutils to 0.17 to work around https://github.com/sphinx-doc/sphinx/issues/9727 +docutils<0.18
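Review bot: the new `_static/js/6sense.js` loads a third-party script from the protocol-relative URL `//j.6sc.co/6si.min.js` with no `integrity` attribute, so every documentation page now executes whatever that host serves; use an explicit `https://` URL and, if the vendor offers a versioned, stable build, set `gd.integrity = '<hash>'` and `gd.crossOrigin = 'anonymous'` on the created element. Also confirm that the `setToken` value committed here is a public client-side identifier rather than an account secret, and add the trailing newline flagged by `\ No newline at end of file`.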
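Review bot: the first hunk of `_static/js/custom.js` shows the `append('...')` string literal split across two lines with only `» Request Product Demo` visible, so the markup injected into `.wy-breadcrumbs-aside` (presumably an anchor) cannot be reviewed from this diff; please make sure the appended HTML is a fixed literal with a static `href` and no values read from the URL or page, and that a link opening in a new tab carries `rel="noopener"`.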
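Review bot: the `conf.py` hunk at `@@ -40,9 +41,9 @@` comments out `extensions = ['sphinxcontrib.disqus']`, yet `requirements.txt` still installs `sphinxcontrib-disqus` and keeps the comment `## use v1.5.5 of Sphinx to make disqus work correctly`; if Disqus is being dropped, remove the package too, which also removes the only stated reason for pinning a 2017-era Sphinx and would let the build move to a supported release (where `app.add_javascript` is replaced by `app.add_js_file`). If Disqus is only temporarily disabled, say so in the commit message.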
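Review bot: in the `requirements.txt` hunk the comment says `pin docutils to 0.17` but the constraint `docutils<0.18` is only an upper bound; write `docutils>=0.17,<0.18` (or `docutils==0.17.1`) so the constraint matches the stated intent and the workaround for sphinx-doc/sphinx#9727 is reproducible.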
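Review bot: the `index.rst` hunks remove toctree entries without deleting the underlying files (`StartUpGuides/CloudN-Startup-Guide`, `StartUpGuides/aviatrix-china-controller-startup-guide`, `HowTos/Setup_Transit_Network_Terraform`, `HowTos/spoke_skip_rfc1918`, the REST APIs, Terraform and IPmotion pages, and most `Support/support_center_*` pages); Sphinx will warn that these documents are not in any toctree and they stay reachable by direct URL, so either delete them, mark them `:orphan:`, or add redirects. Two smaller points: `* :ref:`Troubleshoot`` is dropped from the section list while the `HowTos/Troubleshoot_Diagnostics` ... `HowTos/flightpath` toctree is kept as unchanged context, leaving that section unlisted; and `HowTos/config_PaloAltoAzure.rst` and `HowTos/copilot_reference_guide.rst` carry an explicit `.rst` suffix unlike every other entry.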
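Review bot: the three `TroubleshootingPlaybook/*.rst` deletions (Site2Cloud end-to-end traffic, AWS IAM service, overview) remove substantive guidance, notably the IAM trust-relationship checks for primary and secondary accounts and the Service Control Policy checks, and nothing in this diff shows where that content moves; the commit message should state whether the playbooks are superseded and by which page, so that inbound links to `TroubleshootingPlaybook/...` can be redirected rather than left to 404.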