Network Resiliency Best Practices Guide

The Aviatrix Controller is shipped with a self-signed certificate. Establish a DNS hostname and install a TLS certificate issued by your organization or a recognized certificate authority.

Deploy the Aviatrix Controller and CoPilot in the same dedicated VPC.

Select and secure a suitable set of public IP addresses for both the Controller and CoPilot.

Controller High Availability (AWS): Configure the Aviatrix Controller to automatically restore itself in the event of a system issue.

Controller Security Group Management: Configure the Aviatrix Controller to manage security groups to restrict connectivity between Controller and Gateways as well as Aviatrix CoPilot. This prevents potential downtime or loss of visibility caused by user induced errors when managing Access Control Lists.

Controller Backup and Restore: The Controller orchestrates the configuration of your cloud network environment and should be periodically backed up to the appropriate AWS/Azure/Google account. If a replacement Controller is launched, you can restore the configuration data from your backup. Configure cloud storage accounts to replicate across regions in the event of a cloud provider outage.

Controller Disk/CPU/Memory Sizing Recommendations

SAML Authentication: Enable SAML-based authentication and role-based access controls to the Aviatrix platform.

Build a development environment: Follow the DevOPS lifecycle and establish a development environment comprised of a Controller and CoPilot which includes a subset of features and test applications.

Restrict access to the Aviatrix Controller and CoPilot: Access can be restricted by means of a Web Application Firewall (WAF) and Web ACLs, which allows your UserVPN clients to authenticate to the SAML endpoint without allowing access to the Controller. Access to the Controller from WAF can be limited with access controls.

Aviatrix CoPilot is shipped with a self-signed certificate. Establish a DNS hostname and install a TLS certificate issued by your organization or a recognized certificate authority.

Deploy CoPilot: CoPilot provides important visibility into your environment. Choose the deployment method that best suits your needs. Deploy the Aviatrix Controller and CoPilot in the same dedicated VPC.

Notification and Alerting: By configuring proactive alerting of gateways, VPN tunnels, and other network components, you can receive alerts in case of any failures or performance degradation. When creating alerts, establish severity levels for your environment to ensure prompt response based on the issue detected.

CoPilot Security Group Management: In addition to Controller and Gateway Security Group management, also enable CoPilot Security Group Management to restrict access to the CoPilot instance.

Customize Backup Schedules and Counts: Retain up to 60 days of Controller backups, to ensure quick recovery in the event of any issues. Determine a reasonable number of backups for your environment. Prior to network change windows, review backups and/or create a manual backup. Aviatrix recommends retaining an offline copy of your backup during upgrades. In addition to Controller backups, enable CoPilot backups to the Controller.

CoPilot Disk/CPU/Memory Sizing Recommendations

RBAC (Role Based Access Control): Limit access for non-administrators to read-only accounts. When assigning access, always follow the principle of least privilege.

SAML: only configure if not already configured in Controller.

Configure High Availability for Gateways and Tunnels: Aviatrix recommends deploying multiple HA gateways in different Availability Zones (AZs) to ensure redundancy. This helps distribute network traffic and provides automatic failover in case of a gateway failure.

Enable Single AZ HA: In non-production or non-critical environments which do not employ multiple gateways, Aviatrix recommends that gateways be deployed with single AZ HA enabled. This helps ensure uptime in the event of any issues. This is enabled by default if launched from the Controller or CoPilot. If using Terraform, you must enable the appropriate flag.

Gateway Scaling (Manual, Scheduled): Aviatrix Gateways can be dynamically sized and scaled both horizontally and vertically to meet network demand. Schedules can be created to address known times of increased network utilization, and alerting should be configured to notify when capacity is being reached.

Adjusting Aviatrix Controller Gateway Keepalive Timers: Recovery times depend on the selected HA strategy. Align your objectives for each environment with the Aviatrix guidelines for recovery.

Gateway audits (AWS): The Aviatrix Controller performs periodic audits for IAM and Security Group issues. If detected, resolve these issues in a timely manner to ensure stability.

Gateway sizing recommendations: While each environment is different, Aviatrix provides recommendations on typical instance sizes for gateway deployments by cloud provider. Ensure that your environmental needs match the deployed instance sizes. Consider factors such as the number of VPCs, anticipated bandwidth requirements, and any specific performance needs of your applications.

Other gateway settings you can configure for resiliency are:

Multi-Region Design Patterns: Aviatrix recommends implementing a transit network architecture to centralize and simplify network connectivity. By using a hub-and-spoke model, you can connect multiple VPC or VNet environments to a central transit hub, which provides redundancy and centralized control. Also see Overview of Aviatrix Multicloud Transit Network.

Multicloud Deployments: Connect different cloud providers using MultiCloud Transit Peering.

Multi-Tier Transit: Use in larger deployments. You can add transit layers to simplify peerings.

Enable TGW nightly audit of routes: This ensures routing consistency when working in TGW Orchestrator environments.

Enable TGW route approval: This ensures the predictability of your network routing. Confirm and advertise approved routes learned over Direct Connect or VPN connections.

Use Transit Gateway Peering: Connect Transit Gateways in multiple accounts and regions together with Transit Gateway Peering for redundancy.

Simplify the insertion of Next Generation Firewalls with Transit FireNet: With Transit FireNet, Aviatrix simplifies the insertion and health-check of firewalls in a topology. Transit FireNet can filter traffic in both East/West and North/South directions and you can select inspected traffic. Health monitors ensure continuity of service in the event of a firewall outage.

Deploy Across Availability Zones: Transit FireNet is designed to provide high availability and fault tolerance. Deploy multiple Transit FireNet gateways across different availability zones and regions to ensure redundancy and resiliency. Deploy firewalls and Transit FireNets in matching availability zones to optimize latency.

Firenet Vendor Integrations: To simplify deployment of Next Generation Firewalls (NGFW), use existing Aviatrix vendor integrations to rapidly deploy and prepare Palo Alto, Check Point, and Fortinet FortiGate firewalls in the cloud.

Firewall instances should be deployed in HA pairs and designed to meet the throughput needs of your environment.

Deploy Across Regions: Deploy Site2Cloud connections across provider regions for redundancy.

Active-Active HA: To achieve redundancy for VPN connections, Aviatrix supports an active-active HA architecture. By establishing multiple tunnels between your on-premises data center and the cloud, you can ensure continuous connectivity even if one tunnel or gateway fails.

Use BGP AS Path Prepend: When establishing a Site2Cloud connection, review your traffic engineering requirements. Utilize AS Path Prepend when needed to influence traffic flows.

BGP route approval: Ensure the predictable flow of traffic by enabling BGP route approval. This prevents accidental injection of routes.

Handling IP-Overlap: In the event of IP overlap between Cloud and On-Premise environments, or between overlapping cloud environments, build Site2Cloud connectivity with Mapped NAT enabled. Mapped NAT simplifies IP address translation between existing environments.

Keeping IPSEC Tunnels Active: In environments that may not have regular traffic, avoid security association timeouts by enabling Periodic Ping as a keep-alive mechanism.

Reduce Convergence Time: Event Triggered HA reduces convergence time.

Fine-tune detection timers when networks overlap: When on-premise and cloud networks overlap, follow Aviatrix recommendations for improving failover timers.

The following settings are also available for resiliency:

Establish User VPN Profiles to Restrict Access: Establish VPN profiles for each environment requiring remote access.

Follow the principle of "least privilege": Create a base Deny-All ruleset and add additional access as required. Assign multiple profiles to a user in a layered approach via SAML to simplify access management.

Geographic redundancy: Deploy UserVPN gateways in geographically redundant locations, and use VPN User Accelerator when applicable to ensure uptime and low latency connectivity to your cloud environments.

Scale-out: Determine the approach that best suits your needs when deploying VPN gateways. Select from either load balancer, round-robin DNS, or geographically-based DNS response to address user VPN demands.

Increase the maximum number of user connections per gateway: Establish thresholds for usage of each VPN gateway to better distribute load.

Client certificate sharing: Do this to reduce provisioning requirements and use your chosen Identity Management system to provide role-based controls over access.

Integrate with SAML: Integrate VPN deployments with your identity management systems to provide uniform controls over authentication, authorization, and accounting.