{"id":1438,"date":"2023-04-10T15:58:06","date_gmt":"2023-04-10T20:58:06","guid":{"rendered":"https:\/\/cloudlearning365.com\/?p=1438"},"modified":"2023-04-11T12:29:36","modified_gmt":"2023-04-11T17:29:36","slug":"gcp-interconnect-to-aviatrix-transit-option-1","status":"publish","type":"post","link":"https:\/\/cloudlearning365.com\/?p=1438","title":{"rendered":"GCP Interconnect to Aviatrix Transit &#8211; Option 1"},"content":{"rendered":"\n<p>In the last blog post, <a href=\"https:\/\/cloudlearning365.com\/?p=1360\" title=\"\">Learning GCP Interconnect: Step-by-Step Guide for Configuring BGP with ISR and Cloud Router<\/a>, I showed the steps for creating an Interconnect VLAN attachment in an existing VPC, and how to configure Cloud Routers and VPC peerings to establish connectivity from on-prem to a GCP spoke VPC. You may have noticed a few feature differences among AWS Direct Connect, Azure ExpressRoute and GCP Interconnect, which lead to different architectures.<\/p>\n\n\n\n<p>In this blog post, I will show you how to connect Aviatrix Edge 2.0 to Aviatrix Transit in GCP, using Interconnect as the underlay.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"861\" height=\"1024\" src=\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/04\/GCP-Interconnect-Edge-via-Interconnect-1-861x1024.png\" alt=\"\" class=\"wp-image-1440\" srcset=\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/04\/GCP-Interconnect-Edge-via-Interconnect-1-861x1024.png 861w, https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/04\/GCP-Interconnect-Edge-via-Interconnect-1-252x300.png 252w, https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/04\/GCP-Interconnect-Edge-via-Interconnect-1-768x913.png 768w, https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/04\/GCP-Interconnect-Edge-via-Interconnect-1-1292x1536.png 1292w, 
https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/04\/GCP-Interconnect-Edge-via-Interconnect-1-1723x2048.png 1723w, https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/04\/GCP-Interconnect-Edge-via-Interconnect-1.png 1859w\" sizes=\"auto, (max-width: 861px) 100vw, 861px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Interconnect as underlay<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In the above diagram, the Interconnect VLAN attachment and the Cloud Router are associated with Interconnect-VPC.<\/li>\n\n\n\n<li>In this architecture, Interconnect-VPC doesn&#8217;t require a subnet. The 10.16.0.0\/24 subnet was only used to validate the Cloud Router advertisement towards on-prem, and it can be deleted.<\/li>\n\n\n\n<li>The Cloud Router forms a BGP peering with ISR-2, learns 10.1.13.0\/24, and programs this dynamic route into Interconnect-VPC.<\/li>\n\n\n\n<li>native-spoke1-VPC is peered with Interconnect-VPC, and Interconnect-VPC exports the dynamic route 10.1.13.0\/24 to native-spoke1-VPC.<\/li>\n\n\n\n<li>Interconnect-VPC can import the native-spoke1-VPC CIDR 10.32.0.0\/24, but the Cloud Router won&#8217;t advertise 10.32.0.0\/24 to the on-prem ISR-2, because in default advertisement mode a Cloud Router only advertises the subnet ranges of its own VPC, not routes learned over VPC peering. 
To advertise 10.32.0.0\/24 to the on-prem ISR-2, you must switch the Cloud Router to custom advertisement and add either 10.32.0.0\/24 or a supernet that covers it.<\/li>\n\n\n\n<li>When Aviatrix Transit is launched in avx-transit-VPC, we perform exactly the same steps:<\/li>\n\n\n\n<li>Export the dynamic route from Interconnect-VPC to avx-transit-VPC<\/li>\n\n\n\n<li>Custom-advertise the avx-transit-VPC CIDR 10.64.0.0\/24 on the Cloud Router towards the on-prem ISR-2<\/li>\n\n\n\n<li>This builds private underlay connectivity between avx-transit-VPC 10.64.0.0\/24 and ISR-2 10.1.13.0\/24, which allows the Aviatrix Edge WAN interface to reach the Aviatrix Transit Gateways.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Aviatrix overlay routing<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Aviatrix Edge can then build multiple High Performance Encryption tunnels towards the Aviatrix Transit gateways and obtain up to 10Gbps of combined throughput.<\/li>\n\n\n\n<li>From on-premises towards avx-spoke1-vpc, traffic first reaches the LAN side router CSR-32, then the LAN interface of the Aviatrix Edge Gateway. The Edge forwards it through encrypted tunnels to the Aviatrix Transit Gateways, which in turn forward it through encrypted tunnels to the Aviatrix Spoke Gateways in avx-spoke1-vpc; from there the traffic enters the GCP fabric and reaches its destination.<\/li>\n\n\n\n<li>From avx-spoke1-vpc towards on-premises, traffic first reaches the GCP fabric, where Aviatrix programs RFC1918 routes pointing to the Aviatrix Spoke Gateways. The spoke gateway forwards it through encrypted tunnels to the Aviatrix Transit gateways, which forward it again through encrypted tunnels to the Aviatrix Edge, and from there it reaches the LAN side router.<\/li>\n\n\n\n<li>This forms a dedicated encrypted data path between GCP and your on-premises network. GCP Interconnect does not encrypt traffic by default, so without this overlay every packet crosses the Interconnect circuit in clear text; with it, anyone on the underlay path sees only IPsec, which defeats eavesdropping and man-in-the-middle tampering on that segment.<\/li>\n\n\n\n<li>The dedicated encrypted data path is owned by the 
customer, and it gives the customer full ownership of visibility, troubleshooting, enterprise-grade intelligent routing, and advanced security features such as IDP and Distributed Firewalling, with deep packet inspection in future releases.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Sample terraform code for Aviatrix Transit, Spoke, VPC peering and Edge gateway<\/h2>\n\n\n\n<p>Here is sample terraform code to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create the Aviatrix Transit VPC and Transit Gateways<\/li>\n\n\n\n<li>Create the Aviatrix Spoke VPC and Spoke Gateways, and attach them to the Aviatrix Transit<\/li>\n\n\n\n<li>Create VPC peering between the Aviatrix Transit VPC and the Interconnect VPC<\/li>\n\n\n\n<li>Create the Edge gateway, form BGP connectivity with the LAN side router, and attach it to the Aviatrix Transit<\/li>\n\n\n\n<li>The following code doesn&#8217;t manage the Cloud Router; you need to make sure the Cloud Router custom-advertises the Aviatrix Transit VPC CIDR towards the on-prem WAN side router<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>variable \"region\" {\n  default = \"us-central1\"\n}\n\nvariable \"account\" {\n  default = \"gcp-lab-jye\"\n}\n\nvariable \"transit_gateway_name\" {\n  default = \"avx-mtt-hpe-transit-gw\"\n}\n\nvariable \"transit_vpc_name\" {\n  default = \"avx-transit-firenet\"\n}\n\n# Transit VPC CIDR: also needs to be custom-advertised by the Cloud Router towards on-prem\nvariable \"transit_vpc_cidr\" {\n  default = \"10.64.0.0\/24\"\n}\n\nvariable \"transit_firenet_lan_cidr\" {\n  default = \"10.64.1.0\/24\"\n}\n\nvariable \"transit_gateway_asn\" {\n  default = 65101\n}\n\nvariable \"spoke_gateway_name\" {\n  default = \"avx-spoke1-gw\"\n}\n\nvariable \"spoke_vpc_name\" {\n  default = \"avx-spoke1\"\n}\n\nvariable \"spoke_vpc_cidr\" {\n  default = \"10.128.0.0\/24\"\n}\n\n# Existing Interconnect VPC (VLAN attachment and Cloud Router live here); not managed by this code\nvariable \"interconnect_vpc_selflink\" {\n  default = \"https:\/\/www.googleapis.com\/compute\/v1\/projects\/jye-01\/global\/networks\/vpc-interconnect\"\n}\n\nvariable \"interconnect_vpc_name\" {\n  default = \"vpc-interconnect\"\n}\n\n# Create Transit VPC 
and Transit Gateway\nmodule \"mc-transit\" {\n  source                 = \"terraform-aviatrix-modules\/mc-transit\/aviatrix\"\n  version                = \"2.3.3\"\n  cloud                  = \"GCP\"\n  region                 = var.region\n  cidr                   = var.transit_vpc_cidr\n  account                = var.account\n  enable_bgp_over_lan    = false\n  enable_transit_firenet = true\n  name                   = var.transit_vpc_name\n  gw_name                = var.transit_gateway_name\n  lan_cidr               = var.transit_firenet_lan_cidr\n  insane_mode            = true\n  instance_size          = \"n1-highcpu-4\"\n  local_as_number        = var.transit_gateway_asn\n  enable_multi_tier_transit = true\n}\n\n# Create Aviatrix Spoke VPC and Spoke Gateway\nmodule \"mc-spoke\" {\n  source     = \"terraform-aviatrix-modules\/mc-spoke\/aviatrix\"\n  version    = \"1.4.2\"\n  cloud      = \"GCP\"\n  region     = var.region\n  cidr       = var.spoke_vpc_cidr\n  account    = var.account\n  name       = var.spoke_vpc_name\n  gw_name    = var.spoke_gateway_name\n  transit_gw = module.mc-transit.transit_gateway.gw_name\n}\n\n\n# Create VPC peering from Avx MTT HPE Transit Firenet VPC to   \nresource \"google_compute_network_peering\" \"mtt_transit_firenet_to_interconnect\" {\n  name         = \"${module.mc-transit.vpc.name}-to-${var.interconnect_vpc_name}\"\n  network      = \"https:\/\/www.googleapis.com\/compute\/v1\/projects\/${split(\"~-~\",module.mc-transit.vpc.vpc_id)&#91;1]}\/global\/networks\/${split(\"~-~\",module.mc-transit.vpc.vpc_id)&#91;0]}\"\n  peer_network = var.interconnect_vpc_selflink\n  export_custom_routes  = true\n  import_custom_routes = true\n}\n\nresource \"google_compute_network_peering\" \"interconnect_to_mtt_transit_firenet\" {\n  name         = \"${var.interconnect_vpc_name}-to-${module.mc-transit.vpc.name}\"\n  network      = var.interconnect_vpc_selflink\n  peer_network = 
\"https:\/\/www.googleapis.com\/compute\/v1\/projects\/${split(\"~-~\",module.mc-transit.vpc.vpc_id)&#91;1]}\/global\/networks\/${split(\"~-~\",module.mc-transit.vpc.vpc_id)&#91;0]}\"\n  export_custom_routes  = true\n  import_custom_routes = true\n}\n\n# WARNING\n# MAKE SURE THE CLOUD ROUTER CUSTOM-ADVERTISES THE TRANSIT VPC CIDR (var.transit_vpc_cidr) TOWARDS ON-PREM\n# WARNING\n\nmodule \"interconnect_edge\" {\n  source  = \"terraform-aviatrix-modules\/mc-edge\/aviatrix\"\n  version = \"v1.1.2\"\n\n  site_id = \"interconnect\"\n\n  edge_gws = {\n\n    gw1 = {\n      # ZTP configuration\n      ztp_file_download_path = \"\/mnt\/c\/gitrepos\/terraform-aviatrix-gcp-spoke-and-transit\"\n      ztp_file_type          = \"iso\"\n\n      gw_name = \"interconnectgw1\"\n\n      # Management interface\n      management_interface_config    = \"DHCP\"\n      # management_interface_ip_prefix = \"172.16.1.10\/24\"\n      # management_default_gateway_ip  = \"172.16.1.1\"\n\n      # DNS\n      # dns_server_ip           = \"8.8.8.8\"\n      # secondary_dns_server_ip = \"8.8.4.4\"\n\n      # WAN interface (underlay towards ISR-2; reaches the transit VPC over the Interconnect)\n      wan_interface_ip_prefix = \"10.1.13.2\/24\"\n      wan_default_gateway_ip  = \"10.1.13.1\"\n\n      wan_public_ip = \"149.97.222.34\" # Required for peering over internet\n\n      # Management over private or internet\n      enable_management_over_private_network = false\n      management_egress_ip_prefix            = \"149.97.222.34\/32\"\n\n      # LAN interface configuration (BGP towards the LAN side router)\n      lan_interface_ip_prefix = \"10.1.12.2\/24\"\n      local_as_number         = 65010\n\n      # prepend_as_path = &#91;65010,65010,65010]\n\n      # spoke_bgp_manual_advertise_cidrs = &#91;\"192.168.1.0\/24\"]\n\n      # Only enable this once the Edge Gateway status shows up, after the ZTP ISO\/CloudInit has been loaded\n      bgp_peers = {\n        peer1 = {\n          connection_name   = \"interconnect-peer\"\n          remote_lan_ip     = \"10.1.12.250\"\n          bgp_remote_as_num = 65020\n        }\n      }\n\n      # Change 
attached to true once the Edge Gateway status shows up, after the ZTP ISO\/CloudInit has been loaded\n      # Attach to transit GWs\n      transit_gws = {\n        transit1 = {\n          name                        = module.mc-transit.transit_gateway.gw_name\n          attached                    = false\n          enable_jumbo_frame          = false\n          enable_insane_mode          = true\n          enable_over_private_network = true\n          # spoke_prepend_as_path = &#91;65010,65010,65010]\n          # transit_prepend_as_path = &#91;65001,65001,65001]\n        }\n      }\n    }\n\n  }\n}\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Multi-region deployment architecture<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Brownfield scenario, where the customer already has Interconnect deployed.<\/li>\n\n\n\n<li>They may have one or multiple VPCs that the VLAN attachments are associated with.<\/li>\n\n\n\n<li>The multi-region architecture is similar to what was discussed above: each transit VPC peers with the Interconnect VPC in its own region.<\/li>\n\n\n\n<li>Where a single Interconnect VPC terminates multiple VLAN attachments from multiple regions, all transit VPCs peer with that same Interconnect VPC.<\/li>\n\n\n\n<li>Notice that there&#8217;s still no need for a subnet in the Interconnect VPC.<\/li>\n\n\n\n<li>An Aviatrix Transit Peering connection can be established between the regional transits to provide east-west traffic flow within GCP.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"890\" height=\"1024\" src=\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/04\/GCP-Interconnect-Edge-via-Interconnect-Multi-region-Brown-Field-890x1024.png\" alt=\"\" class=\"wp-image-1441\" srcset=\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/04\/GCP-Interconnect-Edge-via-Interconnect-Multi-region-Brown-Field-890x1024.png 890w, 
https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/04\/GCP-Interconnect-Edge-via-Interconnect-Multi-region-Brown-Field-261x300.png 261w, https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/04\/GCP-Interconnect-Edge-via-Interconnect-Multi-region-Brown-Field-768x884.png 768w, https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/04\/GCP-Interconnect-Edge-via-Interconnect-Multi-region-Brown-Field-1334x1536.png 1334w, https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/04\/GCP-Interconnect-Edge-via-Interconnect-Multi-region-Brown-Field-1779x2048.png 1779w, https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/04\/GCP-Interconnect-Edge-via-Interconnect-Multi-region-Brown-Field.png 1920w\" sizes=\"auto, (max-width: 890px) 100vw, 890px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In a greenfield deployment, the Interconnect VLAN attachment can land directly on the Aviatrix Transit VPC in the corresponding region.<\/li>\n\n\n\n<li>You can think of the Aviatrix Transit VPC as taking over the role of the Interconnect VPC; however, in this architecture it does require a subnet, because the Aviatrix Transit gateway places its eth0 there.<\/li>\n\n\n\n<li>In this architecture, when an Aviatrix Spoke uses High Performance Encryption to attach to the Aviatrix Transit, make sure the spoke-to-transit VPC peering is not configured to import\/export custom routes, so the underlay dynamic routes learned by the Cloud Router (for example 10.1.13.0\/24 from ISR-2) don&#8217;t get programmed into the spoke VPC routing table. Such a route would be more specific than the RFC1918 routes Aviatrix programs towards the spoke gateway and would pull on-prem traffic out of the encrypted overlay onto the unencrypted Interconnect underlay.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1018\" src=\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/04\/GCP-Interconnect-Edge-via-Interconnect-Multi-region-Green-Field-1024x1018.png\" alt=\"\" class=\"wp-image-1442\" srcset=\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/04\/GCP-Interconnect-Edge-via-Interconnect-Multi-region-Green-Field-1024x1018.png 
1024w, https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/04\/GCP-Interconnect-Edge-via-Interconnect-Multi-region-Green-Field-300x298.png 300w, https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/04\/GCP-Interconnect-Edge-via-Interconnect-Multi-region-Green-Field-150x150.png 150w, https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/04\/GCP-Interconnect-Edge-via-Interconnect-Multi-region-Green-Field-768x763.png 768w, https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/04\/GCP-Interconnect-Edge-via-Interconnect-Multi-region-Green-Field-1536x1526.png 1536w, https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/04\/GCP-Interconnect-Edge-via-Interconnect-Multi-region-Green-Field-302x300.png 302w, https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/04\/GCP-Interconnect-Edge-via-Interconnect-Multi-region-Green-Field.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>In the last blog post: Learning GCP Interconnect: Step-by-Step Guide for Configuring BGP with ISR and Cloud Router, I have shown steps of creating Interconnect VLAN attachment to existing VPC, as well as how to configure Cloud Routers and VPC &hellip; <a href=\"https:\/\/cloudlearning365.com\/?p=1438\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[2,5],"tags":[],"class_list":["post-1438","post","type-post","status-publish","format-standard","hentry","category-aviatrix","category-gcp"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/posts\/1438","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1438"}],"version-history":[{"count":7,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/posts\/1438\/revisions"}],"predecessor-version":[{"id":1452,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/posts\/1438\/revisions\/1452"}],"wp:attachment":[{"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1438"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1438"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1438"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
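Two underlay settings that the post's Terraform leaves to the operator, written out as an added example; this is not code from the original post or from Aviatrix. Part 1 is the Cloud Router custom advertisement that Option 1 ("Interconnect as underlay") requires: the transit VPC CIDR 10.64.0.0/24 is reached over VPC peering, so a Cloud Router in default mode never announces it to ISR-2. Part 2 is the spoke-to-transit VPC peering that carries the High Performance Encryption underlay, with custom-route import/export disabled as the greenfield section asks; it is harmless in Option 1 and mandatory in the greenfield layout, where the Cloud Router's dynamic routes are local to the transit VPC. The router name `interconnect-cr`, the Cloud Router ASN and the transit/spoke VPC self links are assumptions; the CIDRs and the Interconnect VPC self link are the post's own values.

```hcl
# Added example, not code from the original post or from Aviatrix.
# Part 1: Cloud Router custom advertisement (required for Option 1).
# Part 2: spoke <-> transit VPC peering without custom-route exchange
#         (HPE underlay; mandatory in the greenfield layout).
# Values marked "assumed" are placeholders; the CIDRs and the Interconnect
# VPC self link are the ones used in the post.

variable "region" {
  default = "us-central1"
}

variable "transit_vpc_cidr" {
  default = "10.64.0.0/24"
}

variable "interconnect_vpc_selflink" {
  default = "https://www.googleapis.com/compute/v1/projects/jye-01/global/networks/vpc-interconnect"
}

variable "cloud_router_name" {
  default = "interconnect-cr" # assumed: use the name of the existing Cloud Router
}

# Assumed self links of the Aviatrix-created VPCs (the post derives them from
# module.mc-transit.vpc.vpc_id; plain strings here keep the example standalone).
variable "transit_vpc_selflink" {
  default = "https://www.googleapis.com/compute/v1/projects/jye-01/global/networks/avx-transit-firenet"
}

variable "spoke_vpc_selflink" {
  default = "https://www.googleapis.com/compute/v1/projects/jye-01/global/networks/avx-spoke1"
}

# Part 1. In DEFAULT advertise mode a Cloud Router announces only the subnet
# ranges of its own VPC, so avx-transit-VPC (reached over peering) never gets
# to ISR-2 and the Edge WAN interface has no underlay path. CUSTOM mode keeps
# the local subnets (ALL_SUBNETS) and adds the transit CIDR on top.
# Brownfield: import the existing router before the first apply, e.g.
#   terraform import google_compute_router.interconnect us-central1/interconnect-cr
resource "google_compute_router" "interconnect" {
  name    = var.cloud_router_name
  region  = var.region
  network = var.interconnect_vpc_selflink

  bgp {
    # Assumed: 16550 is the ASN Partner Interconnect requires on the Cloud
    # Router; with Dedicated Interconnect keep the private ASN already in use.
    asn               = 16550
    advertise_mode    = "CUSTOM"
    advertised_groups = ["ALL_SUBNETS"]

    advertised_ip_ranges {
      range       = var.transit_vpc_cidr
      description = "Aviatrix Transit VPC, learned over peering, underlay for Edge WAN"
    }
  }
}

# Part 2. Peering for the HPE underlay between spoke and transit VPC. Custom
# route import/export stays off: a dynamic route such as 10.1.13.0/24 from
# ISR-2 would be more specific than the RFC1918 routes Aviatrix programs
# towards the spoke gateway and would steer on-prem traffic around the
# encrypted overlay, straight onto the unencrypted Interconnect underlay.
# Assumed: this peering is yours to manage. If the Aviatrix controller
# created it, check these two flags on the existing peering instead.
resource "google_compute_network_peering" "transit_to_spoke" {
  name                 = "avx-transit-firenet-to-avx-spoke1"
  network              = var.transit_vpc_selflink
  peer_network         = var.spoke_vpc_selflink
  export_custom_routes = false
  import_custom_routes = false
}

resource "google_compute_network_peering" "spoke_to_transit" {
  name                 = "avx-spoke1-to-avx-transit-firenet"
  network              = var.spoke_vpc_selflink
  peer_network         = var.transit_vpc_selflink
  export_custom_routes = false
  import_custom_routes = false
}
```

After `terraform apply`, `gcloud compute routers get-status interconnect-cr --region us-central1` lists the routes advertised to each BGP peer; 10.64.0.0/24 must appear there before the Edge WAN interface can reach the transit gateways. In the brownfield case, review the plan after the import so Terraform does not silently drop advertisement ranges that were added in the console.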