Subnet Groups Management Workflow
Configuring Subnet Groups
To configure subnet groups, follow these steps:
-
In the Aviatrix Controller, go to: Multi-Cloud Transit > List > Spoke > (select a Spoke) > Actions > Configure Subnet Group.
A new page opens where you can create, modify, or delete Subnet Groups.
-
Select Create Subnet Group.
-
Enter a name for the subnet group. The figure above shows a new subnet group called sg-blue.
-
Click CREATE.
-
Continue to Modify Subnet Group.
In this example, sg-blue is added to the list of subnet groups available from the Subnet Group Name pull-down menu.
You use the Subnet List table to add or delete the subnet group to and from the Excluded Subnets and Included Subnets lists. Aviatrix Controller automatically retrieves the subnet from the Azure VNET and includes it in the list of excluded subnets. The excluded subnets include both Aviatrix-managed and user-created subnets that you created directly through the Azure console which are out-of-band from Aviatrix.
Creating a subnet group in a Spoke VNET enables this feature in the VNET. However, to redirect traffic from the subnet to the NGFW for inspection, you must explicitly add the subnets to a subnet group as well as enable the inspection policy on the subnet group. This means traffic for subnets that are merely part of a subnet group but do not have an inspection policy traverse the Aviatrix Transit FireNet gateway but are not redirected to or inspected by the NGFW. |
-
Select the subnet group you created from the Subnet Group Name pull-down menu.
-
To add an excluded subnet to the included subnet group, select one or more subnets from the Excluded Subnets list and click ADD.
-
To reconfigure the routing tables in Azure so that the traffic from the two included subnets is redirected to the Aviatrix Transit Gateway connected to the local Spoke gateway for the VNET, click UPDATE.
-
To delete a subnet from either list and move it to the other list, select one or more subnets and click DELETE.
-
To delete a subnet group, select the subnet group from the Subnet Group Name pull-down menu and click DELETE.
Important Recommendations
-
There is a downtime of 10 – 20 seconds when you add or remove subnets from a subnet group. If this downtime is not acceptable, be sure to add or remove subnet groups during a maintenance window.*
-
Configure a “Default" Subnet Group in the VNET and add all subnets that do not need an inspection policy to the “Default" group. All other subnets that require traffic inspection can be added to custom subnet groups that have an inspection policy set.
-
Only learned and Aviatrix-created routes are carried over from the subnet routing tables to the subnet group routing tables created by Aviatrix. Once a subnet is added to a group, you can manually recreate custom routes in the subnet group route table through the Azure console.
Configuring an Inspection Policy
The workflow for configuring an inspection policy is similar to configuring a FireNet inspection policy. When you enable the subnet groups for a VNET, the groups are available in the FireNet inspection policy page instead of the VNET.
You can select a subnet group and click ADD to move it from the Not Inspected list to the Inspected list. In the above figure, the Transit FireNet Gateway will redirect traffic from SPOKE_SUBNET_GROUP:spoke-east-us-a~~sg-blue to the NGFW. In the NGFW you can configure the firewall policies to either drop, log, or allow the traffic flow from the subnets in the group.
Traffic Traversal in Subnet Groups
Once you enable subnet groups in a VNET, the subnet group traffic is redirected to the transit gateway for inspection. The traffic is further redirected to the NGFW only if an inspection policy is set for the subnet group.
The diagrams in the following scenarios show single gateways for brevity. High Availability (HA) configuration is supported for spoke and transit FireNet gateways. |
In the following four scenarios, the blue and green subnet groups have an inspection policy, while the orange subnet group does not. The blue → green subnet group traffic traverses the NGFW on either side. Since the orange subnet group does not have an inspection policy, the orange → green subnet group traffic is not inspected by the firewall connected to the transit FireNet to which the orange subnet group’s spoke is attached. However, since the green subnet group has an inspection policy, the orange → green subnet group traffic traverses the firewall connected to the peer transit FireNet.
Multi-Region Inter-VNET Subnet Inspection Over Transit Peering
The traffic traversal is similar to the Inter-VNET Subnet Inspection Over Transit Peering scenario.
Connectivity Scenarios
The following tables cover different connectivity scenarios that you need to consider when using subnet groups.
Intra-VNET Subnet Inspection
Subnet A in VNET A | Subnet B in VNET A | Connectivity | Comment |
---|---|---|---|
Not in subnet group |
Not in subnet group |
Yes |
|
Not in subnet group |
In subnet group |
No |
Subnet A needs to be in a subnet group. See Important Recommendations. |
In subnet group |
In subnet group |
Yes |
Subnets can either be in the same or different subnet groups. |
Inter-VNET Subnet Inspection
Subnet A in VNET A | Subnet B in VNET A | Connectivity | Comment |
---|---|---|---|
Not in subnet group |
Not in subnet group |
Yes |
Only if VNET B has no subnet groups configured. See Important Recommendations. |
In subnet group |
Not in subnet group |
No |
Only if VNET B has no subnet groups configured. See Important Recommendations. |
In subnet group |
In subnet group |
Yes |
Subnets can either be in the same or different subnet groups. |
Inter-VNET Subnet Inspection Over Transit Peering
The connection behavior is same as the Inter-VNET Subnet Inspection.
Subnet A in VNET A | Subnet B in VNET A | Connectivity | Comment |
---|---|---|---|
Not in subnet group |
Not in subnet group |
Yes |
Only if VNET B has no subnet groups configured. See Important Recommendations. |
In subnet group |
Not in subnet group |
No |
Only if VNET B has no subnet groups configured. See Important Recommendations. |
In subnet group |
In subnet group |
Yes |
Subnets can either be in the same or different subnet groups. |