Encrypted Transitive Peering

As DevOps and applications are now run in AWS, it makes sense to have your employees access cloud directly with the following highlighted benefits:

  • Lower latency. Rather than having your employees connect via VPN to your corporate office first and then access the cloud, provide a cloud VPN where they can access AWS directly.
  • Better Security. Traditional VPN servers do not support modern multi factor authentication methods such as a combination of DUO Security, LDAP and OKTA.
  • Few hardware gears to manage.

However, your business may require hosting some critical applications in wide spread co-locations. As a cloud infrastructure engineer, you need to access these sites to check on the health of your servers and applications. The challenge is to setup a system to enable secure accessing abilities to both the cloud and co-locations.

Solution

Our solution is to leverage Aviatrix’s encrypted peering and encrypted transitive peering capability to setup an end to end secure network.

In this example, a datacenter or co-location hosts some critical customer facing applications. It connects to AWS VPC for additional processing, such as data analytics. The data center connects to a AWS VGW with IPSEC tunnel. Employees and developers access VPC-1 and VPC-2 directly via Aviatrix CloudVPN and encrypted peering configuration. The cloud infrastructure engineers need to access the servers in the datacenter or co-location for maintenance and monitoring purpose. They do so via an Aviatrix encrypted tunnel and Aviatrix encrypted transitive tunnel configuration. The solution diagram is shown below.

image0

Configuration Workflow

Before you start make sure you have the latest software by checking the Dashboard. If an alert message displays, click Upgrade to download the latest software.

We assume here that you have created a management VPC-main 172.31.0.0/16, its corresponding VPN gateways with ELB enabled. For more information for this part of configuration, check out this reference design. If you configure split tunnel mode for VPN gateways, make sure to include the co-location CIDRs in the additional CIDR field.

The encrypted transitive peering configuration workflow is as follows, with major steps highlighted.

  1. Create a gateway in VPC-2

    Go to Gateway -> New Gateway, make sure

    1. The gateway has NAT enabled, VPN disabled (as you don’t need to enable VPN capability)
  2. Create an encrypted peering between VPC-main and VPC-2

    Go to Peering -> Encrypted Peering -> New Peering, make sure:

    1. At VPC Name 1 drop down menu, select the peering gateway launched in VPC-main (note, this peering gateway is different from the VPN gateway).
    2. At VPC Name 2 drop down menu, select the gateway launched in VPC-2.
    3. Click Add.
  1. Create an encrypted transitive peering

    Go to Peering -> Transitive Peering -> New Peering, make sure:

    1. At Source VPC drop down menu, select the peering gateway launched in VPC-main (the same VPC gateway selected in the previous step)
    2. At Next Hop VPC drop down menu, select the gateway launched in VPC-2 (the same gateway for VPC-2 selected in the previous step)
    3. At Destination CIDR, fill in the destination CIDR of the co-location. For example, 10.12.0.0/24. Note this address should be unique across your network.
  2. Repeat the above step 3 for more co-locations.

  3. For support, send email to support@aviatrix.com.

  4. For feature request and feedback, click Make a wish at the bottom of each page.

  5. Enjoy!