Aviatrix NEXT GEN TRANSIT with customized SNAT and DNAT features¶
This technical note gives a step-by-step Aviatrix Controller configuration that addresses the following requirements:
- Spoke VPCs in Cloud need to communicate with On-Prem
- On-Prem is not able to route RFC 1918 traffic to Cloud
- Perform Customized SNAT feature for the traffic from Cloud to On-Prem
- Perform DNAT feature for the traffic from On-Prem to Cloud
- Aviatrix NEXT GEN TRANSIT FOR AWS
- Spoke VPCs * 2 (for example: 10.1.0.0/16, 10.2.0.0/16)
- Transit VPC * 1 (for example: 192.168.100.0/24)
- AWS VGW
- On-Prem routable CIDR (for example: 18.104.22.168/8)
- Traffic from Cloud to On-Prem
- When a packet sent from a Spoke VPC in Cloud enters the Aviatrix Transit Gateway, its source address must be changed to an IP that On-Prem can route (source address translation).
- Traffic from On-Prem to Cloud
- When a packet sent from On-Prem enters the Aviatrix Transit Gateway, its destination address must be changed from an IP within the On-Prem routable CIDR to the IP of a service in a Spoke VPC in Cloud (destination address translation).
Follow the steps below to set up this scenario.
Step 1. Prerequisite¶
1.1. Upgrade the Aviatrix Controller to version UserConnect-4.7.386 or later.
1.2. Prepare an IP mapping table for the SNAT and DNAT configuration.
- Prepare two On-Prem routable IPs (one for the Aviatrix Transit Gateway; one for the Aviatrix Transit HA Gateway if needed). Example:
  - Transit Primary Gateway: 22.214.171.124/32
  - Transit HA Gateway: 126.96.36.199/32
- Prepare a list of IP mappings from the On-Prem routable CIDR to services in the Spoke VPCs, corresponding to your topology.
- A service might be the IP of a Load Balancer or an EIP. Example:
  - 188.8.131.52 <--> 10.1.0.98
  - 184.108.40.206 <--> 10.2.0.243
Step 2. Build Aviatrix NEXT GEN TRANSIT FOR AWS¶
- Follow steps 1, 2, 3, 4, 4.1, 5 and 6 in the online document https://docs.aviatrix.com/HowTos/tgw_plan.html
Step 3. Use the Manual BGP Advertised Network List feature on the tunnel between the Aviatrix Transit GW and the AWS VGW¶
This advertises the On-Prem routable CIDR to On-Prem over the BGP session, so that On-Prem routes traffic for the SNAT and DNAT addresses (which all fall inside that CIDR) back to the Aviatrix Transit Gateway.
Example: On-Prem routable CIDR: 220.127.116.11/8
3.1. Go to the Site2Cloud page and click the tunnel between the Aviatrix Transit Gateway and the AWS VGW.
3.2. Scroll down to Manual BGP Advertised Network List.
3.3. Enter the On-Prem routable CIDR.
- for example: 18.104.22.168/8
3.4. Click the button “Change BGP Manual Spoke Advertisement”.
Step 4. Configure Aviatrix Customized SNAT function on both Transit Primary Gateway and Transit HA Gateway¶
This changes the packet’s source IP address from a Spoke VPC address to an IP that belongs to the On-Prem routable CIDR.
Example:
- Transit Primary Gateway: traffic from Spoke VPCs 10.1.0.0/16 and 10.2.0.0/16 is translated to IP 22.214.171.124
- Transit HA Gateway: traffic from Spoke VPCs 10.1.0.0/16 and 10.2.0.0/16 is translated to IP 126.96.36.199
4.1. Go to the Gateway page and click the Transit Primary Gateway first. Click Edit.
4.2. On the Edit page, scroll to SNAT.
4.3. Select Customized SNAT.
4.4. Click Add New
4.5. Enter the Src CIDR, Protocol, Interface (select the one facing the VGW) and SNAT IPs, following the example above (one entry per Spoke CIDR, all pointing at the gateway’s own SNAT IP).
4.6. Click Save
4.7. Repeat the above steps for more entries.
4.8. Click Enable SNAT to commit.
4.9. Go to the Gateway page and click the Transit HA Gateway. Click Edit.
4.10. Repeat the above steps to configure Customized SNAT for the Transit HA Gateway, using the HA gateway’s own SNAT IP from the example above.
Step 5. Configure Aviatrix Customized DNAT function on Transit Primary Gateway¶
This instructs the gateway to translate the destination address from an IP within the On-Prem routable CIDR to the IP of a service in a Spoke VPC in Cloud.
Example:
- 188.8.131.52/32 <--> 10.1.0.98
- 184.108.40.206/32 <--> 10.2.0.243
5.1. Go to the Gateway page and click the Transit Primary Gateway. Click Edit.
5.2. Scroll down to “Destination NAT”.
5.3. Click Add/Edit DNAT.
5.4. Click Add New.
5.5. Enter the Destination CIDR, Protocol, Interface (select the one facing the VGW) and DNAT IPs, following the example above (one entry per mapping).
5.6. Click Save.
5.7. Repeat steps 5.4, 5.5 and 5.6 for multiple entries.
5.8. Click Update to commit.
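The two translations described in this note (Cloud to On-Prem source NAT in Step 4, On-Prem to Cloud destination NAT in Step 5) and the reason Step 3 advertises the On-Prem routable CIDR can be exercised with the small model below. It is an added illustration written for this note, not Aviatrix code and not an Aviatrix API: it applies rule tables carrying the same fields the Controller asks for (Src/Destination CIDR, protocol, interface, SNAT/DNAT IPs), keeps per-flow state so that replies are reversed the way a NAT gateway must, and flags any SNAT or DNAT address that falls outside the advertised CIDR, which On-Prem would have no route back to. The addresses (RFC 5737 documentation ranges), the interface name `eth0`, and giving the HA gateway the same DNAT table (which the failover check in Step 7.4 implies) are constructed assumptions; the note’s own example addresses are not used because, as rendered, they do not all fall inside the /8 it advertises.

```python
"""Constructed model of the transit-gateway SNAT/DNAT data path (not Aviatrix code).
Rule fields mirror Steps 4 and 5; addresses and the interface name are assumed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ONPREM_ROUTABLE = "203.0.113.0/24"  # constructed stand-in for the CIDR advertised in Step 3
VGW_IFACE = "eth0"                  # assumed name of the VGW-facing interface

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class SnatRule:  # Step 4 fields: Src CIDR, protocol, Interface, SNAT IPs
    src_cidr: str
    interface: str
    snat_ip: str
    protocol: str = "all"

@dataclass(frozen=True)
class DnatRule:  # Step 5 fields: Destination CIDR, protocol, Interface, DNAT IPs
    dst_cidr: str
    interface: str
    dnat_ip: str
    protocol: str = "all"

def _match(cidr, rule_proto, addr, proto):
    return ip_address(addr) in ip_network(cidr) and rule_proto in ("all", proto)

@dataclass
class TransitGateway:
    name: str
    vgw_iface: str
    snat_rules: list
    dnat_rules: list
    advertised: str
    # reply-direction state, keyed by the translated flow as the peer will send it back
    _snat_ct: dict = field(default_factory=dict)
    _dnat_ct: dict = field(default_factory=dict)

    def to_onprem(self, pkt):
        """Egress towards the VGW: reverse DNAT for replies, otherwise customized SNAT."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self._dnat_ct:  # spoke service answering an On-Prem client
            return Packet(self._dnat_ct[key], pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        for r in self.snat_rules:
            if r.interface == self.vgw_iface and _match(r.src_cidr, r.protocol, pkt.src, pkt.proto):
                out = Packet(r.snat_ip, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
                self._snat_ct[(out.proto, out.dst, out.dport, out.src, out.sport)] = pkt.src
                return out
        return pkt  # no rule: RFC 1918 source leaks out and On-Prem cannot route the reply

    def from_onprem(self, pkt):
        """Ingress from the VGW: reverse SNAT for replies, otherwise customized DNAT."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self._snat_ct:  # On-Prem answering a flow this gateway SNATed
            return Packet(pkt.src, pkt.sport, self._snat_ct[key], pkt.dport, pkt.proto)
        for r in self.dnat_rules:
            if r.interface == self.vgw_iface and _match(r.dst_cidr, r.protocol, pkt.dst, pkt.proto):
                out = Packet(pkt.src, pkt.sport, r.dnat_ip, pkt.dport, pkt.proto)
                self._dnat_ct[(out.proto, out.dst, out.dport, out.src, out.sport)] = pkt.dst
                return out
        return pkt

    def problems(self):
        """Every NAT address must sit inside the CIDR advertised in Step 3."""
        net = ip_network(self.advertised)
        bad = [f"{self.name}: SNAT IP {r.snat_ip} not in {self.advertised}"
               for r in self.snat_rules if ip_address(r.snat_ip) not in net]
        bad += [f"{self.name}: DNAT destination {r.dst_cidr} not in {self.advertised}"
                for r in self.dnat_rules if not ip_network(r.dst_cidr).subnet_of(net)]
        return bad

def ha_problems(primary, ha):
    """Step 1.2: the primary and HA gateways each need their own SNAT IP."""
    shared = {r.snat_ip for r in primary.snat_rules} & {r.snat_ip for r in ha.snat_rules}
    return [f"SNAT IP {ip} configured on both {primary.name} and {ha.name}" for ip in sorted(shared)]

def build_pair():
    """Constructed topology: spokes 10.1.0.0/16 and 10.2.0.0/16 behind primary + HA transit."""
    spokes = ["10.1.0.0/16", "10.2.0.0/16"]
    dnat = [DnatRule("203.0.113.20/32", VGW_IFACE, "10.1.0.98"),
            DnatRule("203.0.113.21/32", VGW_IFACE, "10.2.0.243")]

    def gw(name, snat_ip):
        return TransitGateway(name, VGW_IFACE, [SnatRule(s, VGW_IFACE, snat_ip) for s in spokes],
                              list(dnat), ONPREM_ROUTABLE)

    return gw("transit-primary", "203.0.113.10"), gw("transit-ha", "203.0.113.11")

if __name__ == "__main__":
    primary, ha = build_pair()
    out = primary.to_onprem(Packet("10.1.0.55", 40000, "198.51.100.7", 443))
    print("SNAT :", out, "->", primary.from_onprem(Packet(out.dst, 443, out.src, 40000)))
    inb = primary.from_onprem(Packet("198.51.100.9", 51000, "203.0.113.21", 80))
    print("DNAT :", inb, "->", primary.to_onprem(Packet(inb.dst, 80, inb.src, 51000)))
    print("HA   :", ha.to_onprem(Packet("10.1.0.55", 40000, "198.51.100.7", 443)).src)
    print("check:", primary.problems() + ha.problems() + ha_problems(primary, ha))
```

Running the block shows a spoke flow leaving with the primary gateway’s SNAT IP and its reply being mapped back to the private address, an On-Prem client reaching a spoke service through the DNAT entry with the service’s reply re-sourced to the routable IP, and the same spoke flow taking the HA gateway’s distinct SNAT IP after failover. The `problems` and `ha_problems` checks are the ones worth running against a real configuration before enabling NAT: a SNAT or DNAT address outside the CIDR advertised in Step 3 is unreachable from On-Prem, and a SNAT IP shared by the primary and HA gateways breaks the return path whichever gateway is active.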
Step 6. Attach spoke VPCs to an AWS Transit Gateway (TGW)¶
Step 7. Verify traffic flow¶
7.3. SNAT (failover to Transit HA gateway)
7.4. DNAT (failover to Transit HA gateway)