Aviatrix NEXT GEN TRANSIT with customized SNAT and DNAT features

This technical note gives a step-by-step Aviatrix Controller configuration that addresses the following requirements:

  1. Spoke VPCs in the cloud need to communicate with On-Prem.
  2. On-Prem cannot route RFC 1918 traffic to the cloud, so the Aviatrix Transit Gateway must:
     • Perform customized SNAT on traffic from the cloud to On-Prem
     • Perform DNAT on traffic from On-Prem to the cloud

Topology:

  1. Aviatrix NEXT GEN TRANSIT FOR AWS
     • Spoke VPCs * 2 (for example: 10.1.0.0/16, 10.2.0.0/16)
     • Transit VPC * 1 (for example: 192.168.100.0/24)
     • AWS VGW
  2. On-Prem routable CIDR (for example: 99.0.0.0/8)

[Figure: SNAT_DNAT_TRANSIT_SOLUTION]

Scenario:

  1. Traffic from the cloud to On-Prem
     • When a packet sent from a Spoke VPC in the cloud enters the Aviatrix Transit Gateway, its source address must be changed to an IP that is routable from On-Prem (source address translation).
  2. Traffic from On-Prem to the cloud
     • When a packet sent from On-Prem enters the Aviatrix Transit Gateway, its destination address must be changed from an IP within the On-Prem routable CIDR to the IP of a service in a Spoke VPC in the cloud (destination address translation).

Follow the steps below to set up this scenario.

Step 1. Prerequisite

1.1. Upgrade the Aviatrix Controller to at least version UserConnect-4.7.386

1.2. Prepare an IP mapping table for the SNAT and DNAT configuration.

SNAT configuration

  • Prepare two On-Prem routable IPs (one for the Aviatrix Transit Gateway and one for the Aviatrix Transit HA Gateway, if deployed). Both must fall inside the CIDR advertised in Step 3, otherwise On-Prem has no return route for the translated traffic.
Example:
Transit Primary Gateway: 99.0.0.1/32
Transit HA Gateway: 99.0.0.2/32

DNAT configuration

  • Prepare a list mapping IPs in the On-Prem routable CIDR to the services in the Spoke VPCs, matching your topology
  • A service address may be the IP of a Load Balancer or an EIP
  • Only destinations in this table are translated, so the table is effectively the inventory of cloud services exposed to On-Prem; keep it to the services On-Prem actually needs
Example:
99.1.0.98 <--> 10.1.0.98
99.2.0.243 <--> 10.2.0.243

Step 2. Build Aviatrix NEXT GEN TRANSIT FOR AWS

Step 3. Configure the Manual BGP Advertised Network List on the tunnel between the Aviatrix Transit GW and the AWS VGW

This advertises the On-Prem routable CIDR to On-Prem over the BGP session, so that On-Prem has a route back to the SNAT and DNAT addresses used in Steps 4 and 5.

Example:
On-Prem routable CIDR: 99.0.0.0/8

To configure:

3.1. Go to the Site2Cloud page and click the tunnel between the Aviatrix Transit Gateway and the AWS VGW

3.2. Scroll down to Manual BGP Advertised Network List

3.3. Enter the On-Prem routable CIDR

  • for example: 99.0.0.0/8

3.4. Click the button “Change BGP Manual Spoke Advertisement”

Step 4. Configure the Aviatrix Customized SNAT function on both the Transit Primary Gateway and the Transit HA Gateway

This changes the packet's source IP address from a Spoke VPC address to an IP in the On-Prem routable CIDR. Because all spoke traffic shares one SNAT IP per gateway, On-Prem logs and firewall rules can only identify the transit gateway, not the originating spoke host; keep gateway-side flow records if per-host attribution matters.

Example:
Transit Primary Gateway: traffic from Spoke VPCs 10.1.0.0/16 and 10.2.0.0/16 is translated to 99.0.0.1
Transit HA Gateway: traffic from Spoke VPCs 10.1.0.0/16 and 10.2.0.0/16 is translated to 99.0.0.2

To configure:

4.1. Go to the Gateway page, select the Transit Primary Gateway first and click Edit.

4.2. On the Edit page, scroll down to the SNAT section.

4.3. Select Customized SNAT.

4.4. Click Add New.

4.5. Enter the Src CIDR, Protocol, Interface (select the one facing the VGW) and SNAT IPs as in the example below. Limit the Src CIDR to the spoke CIDRs and the Interface to the VGW-facing one so that only traffic leaving toward On-Prem is translated.

4.6. Click Save.

4.7. Repeat steps 4.4 to 4.6 for more entries.

4.8. Click Enable SNAT to commit.

[Figure: SNAT_TRANSIT_PRIMARY]

4.9. Go to the Gateway page, select the Transit HA Gateway and click Edit.

4.10. Repeat the steps above to configure Customized SNAT for the Transit HA Gateway, as in the example below.

[Figure: SNAT_TRANSIT_HA]

Step 5. Configure the Aviatrix Customized DNAT function on the Transit Primary Gateway

This instructs the gateway to translate the destination address from an IP within the On-Prem routable CIDR to the IP of a service in a Spoke VPC in the cloud.

Example:
99.1.0.98/32 <--> 10.1.0.98
99.2.0.243/32 <--> 10.2.0.243

To configure:

5.1. Go to the Gateway page, select the Transit Primary Gateway and click Edit.

5.2. Scroll down to "Destination NAT".

5.3. Click Add/Edit DNAT.

5.4. Click Add New.

5.5. Enter the Destination CIDR, Protocol, Interface (select the one facing the VGW) and DNAT IPs as in the example below. Use /32 destination entries so that only the listed service addresses are translated.

[Figure: DNAT_TRANSIT_PRIMARY]

5.6. Click Save.

5.7. Repeat steps 5.4, 5.5 and 5.6 for multiple entries.

5.8. Click Update to commit.
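The mapping table from Step 1.2 and the SNAT/DNAT rows from Steps 4 and 5, modelled as code so the table can be sanity-checked before it is typed into the controller. This is an added example, not Aviatrix code or an Aviatrix API: the Rule and Packet classes, the first-match semantics, the interface name "vgw" and the checks in validate() are assumptions of this example; the addresses are the note's own example values.

```python
import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network
IP = ipaddress.IPv4Address


@dataclass(frozen=True)
class Rule:
    """One row of the Customized SNAT / DNAT form (assumed model of the UI fields)."""
    cidr: IPNet        # Src CIDR (SNAT) or Destination CIDR (DNAT)
    protocol: str      # "all", "tcp", "udp" or "icmp"
    interface: str     # gateway interface carrying the VGW tunnel; "vgw" is an assumed name
    nat_ip: IP         # SNAT IP or DNAT IP


@dataclass(frozen=True)
class Packet:
    src: IP
    dst: IP
    protocol: str
    interface: str     # egress interface (cloud -> On-Prem) or ingress interface (On-Prem -> cloud)


# Topology from the note (example addresses, not a real deployment)
SPOKES = [IPNet("10.1.0.0/16"), IPNet("10.2.0.0/16")]
ONPREM = IPNet("99.0.0.0/8")
ADVERTISED = [IPNet("99.0.0.0/8")]        # Step 3: Manual BGP Advertised Network List

# Step 4: one SNAT IP per gateway for all spoke traffic leaving toward the VGW
SNAT_PRIMARY = [Rule(s, "all", "vgw", IP("99.0.0.1")) for s in SPOKES]
SNAT_HA = [Rule(s, "all", "vgw", IP("99.0.0.2")) for s in SPOKES]

# Step 5: one-to-one DNAT from the On-Prem routable front address to the spoke service
DNAT = [
    Rule(IPNet("99.1.0.98/32"), "all", "vgw", IP("10.1.0.98")),
    Rule(IPNet("99.2.0.243/32"), "all", "vgw", IP("10.2.0.243")),
]


def _matches(rule: Rule, addr: IP, pkt: Packet) -> bool:
    return (addr in rule.cidr
            and rule.interface == pkt.interface
            and rule.protocol in ("all", pkt.protocol))


def apply_snat(pkt: Packet, rules: list) -> Packet:
    """Cloud -> On-Prem: rewrite the source address. First matching row wins;
    a packet matching no row (other interface, other protocol) is left untouched."""
    for r in rules:
        if _matches(r, pkt.src, pkt):
            return Packet(r.nat_ip, pkt.dst, pkt.protocol, pkt.interface)
    return pkt


def apply_dnat(pkt: Packet, rules: list) -> Packet:
    """On-Prem -> cloud: rewrite the destination address. A destination that is
    not in the table is not translated, so it is not a reachable spoke service."""
    for r in rules:
        if _matches(r, pkt.dst, pkt):
            return Packet(pkt.src, r.nat_ip, pkt.protocol, pkt.interface)
    return pkt


def validate(snat_rules, dnat_rules, spokes=SPOKES, onprem=ONPREM, advertised=ADVERTISED):
    """Return a list of problems with the mapping table; an empty list means it is consistent."""
    problems = []
    snat_ips = {r.nat_ip for r in snat_rules}
    for r in snat_rules:
        if not any(r.nat_ip in a for a in advertised):
            problems.append(f"SNAT IP {r.nat_ip} is not covered by the advertised prefixes: no return route")
        if not any(r.cidr.subnet_of(s) for s in spokes):
            problems.append(f"SNAT Src CIDR {r.cidr} is not a spoke VPC CIDR")
    seen = set()
    for r in dnat_rules:
        if not (r.cidr.subnet_of(onprem) and any(r.cidr.subnet_of(a) for a in advertised)):
            problems.append(f"DNAT front {r.cidr} is outside the advertised On-Prem routable CIDR")
        if any(ip in r.cidr for ip in snat_ips):
            problems.append(f"DNAT front {r.cidr} collides with an SNAT IP")
        if not any(r.nat_ip in s for s in spokes):
            problems.append(f"DNAT target {r.nat_ip} is not inside any spoke VPC")
        if r.cidr in seen:
            problems.append(f"DNAT front {r.cidr} is mapped more than once")
        seen.add(r.cidr)
    return problems


if __name__ == "__main__":
    print("table problems:", validate(SNAT_PRIMARY, DNAT) + validate(SNAT_HA, DNAT))
    to_onprem = Packet(IP("10.1.0.5"), IP("99.9.9.9"), "tcp", "vgw")
    print("7.1 primary:", apply_snat(to_onprem, SNAT_PRIMARY).src)   # 99.0.0.1
    print("7.3 HA     :", apply_snat(to_onprem, SNAT_HA).src)        # 99.0.0.2
    from_onprem = Packet(IP("99.5.5.5"), IP("99.1.0.98"), "tcp", "vgw")
    print("7.2 DNAT   :", apply_dnat(from_onprem, DNAT).dst)          # 10.1.0.98
```

validate() catches the mistakes that silently break this design: an SNAT IP or DNAT front address outside the prefix advertised in Step 3 (On-Prem has no return route), a DNAT front that collides with an SNAT IP, a DNAT target outside the spoke VPCs, and a front address mapped twice. apply_snat() and apply_dnat() walk the Step 7 cases, including the switch to 99.0.0.2 once the Transit HA Gateway carries the traffic, and show that traffic on another interface or to an unlisted 99.x address is not translated.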

Step 6. Attach spoke VPCs to an AWS Transit Gateway (TGW)

Step 7. Verify traffic flow

7.1. SNAT

  • Traffic from Spoke VPC 10.1.0.0/16 to On-Prem: On-Prem should see the source address 99.0.0.1

    [Screenshot: SNAT_10_1]

  • Traffic from Spoke VPC 10.2.0.0/16 to On-Prem: On-Prem should see the source address 99.0.0.1

    [Screenshot: SNAT_10_2]

7.2. DNAT

  • Traffic from On-Prem to 99.1.0.98 should arrive at 10.1.0.98 in Spoke VPC 10.1.0.0/16

    [Screenshot: DNAT_99_1]

  • Traffic from On-Prem to 99.2.0.243 should arrive at 10.2.0.243 in Spoke VPC 10.2.0.0/16

    [Screenshot: DNAT_99_2]

7.3. SNAT (failover to the Transit HA Gateway)

After the Transit Primary Gateway fails over to the Transit HA Gateway, the same flows must still work, now with the HA gateway's SNAT IP:

  • Traffic from Spoke VPC 10.1.0.0/16 to On-Prem: On-Prem should see the source address 99.0.0.2

    [Screenshot: SNAT_FAILOVER_10_1]

  • Traffic from Spoke VPC 10.2.0.0/16 to On-Prem: On-Prem should see the source address 99.0.0.2

    [Screenshot: SNAT_FAILOVER_10_2]

7.4. DNAT (failover to the Transit HA Gateway)

Step 5 configures DNAT on the Transit Primary Gateway; before relying on this case, confirm on the Transit HA Gateway's Edit page that the same DNAT entries are present there.

  • Traffic from On-Prem to 99.1.0.98 should still arrive at 10.1.0.98 in Spoke VPC 10.1.0.0/16

    [Screenshot: DNAT_FAILOVER_99_1]

  • Traffic from On-Prem to 99.2.0.243 should still arrive at 10.2.0.243 in Spoke VPC 10.2.0.0/16

    [Screenshot: DNAT_FAILOVER_99_2]