{"id":29,"date":"2022-05-15T20:27:46","date_gmt":"2022-05-16T01:27:46","guid":{"rendered":"https:\/\/cloudlearning365.com\/?p=29"},"modified":"2022-10-14T09:38:11","modified_gmt":"2022-10-14T14:38:11","slug":"enable-private-connectivity-to-workloads-deployed-in-multiple-default-vpcs-part-1","status":"publish","type":"post","link":"https:\/\/cloudlearning365.com\/?p=29","title":{"rendered":"Enable private connectivity to workloads deployed in multiple default VPCs – Part 1"},"content":{"rendered":"\n

Scenario: One of our customers are primary in Azure, after merger and acquisitions, them acquired hundreds of AWS accounts, where workloads are deployed to default VPCs, which all have this address space: 172.31.0.0\/16<\/p>\n\n\n\n

They are looking for a solution to provide bi-directional private connectivity to these workloads in AWS from Azure without overhead of route management, also provide visibility to the traffic.<\/p>\n\n\n\n\n\n\n\n

Here below is the proposed solution: <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

In above diagram, Azure workloads are deployed in spoke vNets, these spoke vNets are attached to hub Transit FireNet and are fully routable.<\/p>\n\n\n\n

USEProdApp1Priv is deployed in private subnet.<\/p>\n\n\n\n

USEShared1Pub have an EIP that we can SSH to.<\/p>\n\n\n\n

Azure side have a summarized real CIDR of 10.100.0.0\/16<\/p>\n\n\n\n

AWS side top right corner, account1, we would use a Cisco CSR 1000<\/p>\n\n\n\n

AWS bottom right corner, account2, we would use a standalone Aviatrix Gateway<\/p>\n\n\n\n

Let’s take a look at the differences between Cisco CSR and Aviatrix Gateway<\/p>\n\n\n\n

\n\n\n\n

Part 1 – Cisco CSR 1000 to Aviatrix Spoke GW mapped NAT configuration<\/h3>\n\n\n\n

Testing environment:<\/p>\n\n\n\n

Aviatrix Controller: 6.6.5545
Aviatrix Gateways: 6.6.5545
Cisco CSR 1000: 16.09.08<\/p>\n\n\n\n

Since bi-directional traffic is needed, in this configuration, IPs have one to one mapping.<\/p>\n\n\n\n

Azure side real CIDR: 10.100<\/strong>.0.0\/16, we will use 100.96<\/strong>.0.0\/16 for it’s virtual CIDR. <\/p>\n\n\n\n

AWS side will use virtual IP: 100.96.64.36<\/strong>, when tries to reach Azure side real IP: 10.100.64.36<\/strong><\/p>\n\n\n\n

Traffic flow from AWS side to Azure side, note NAT happens on Landing Spoke Gateway. (SIP = Source IP, DIP = Destination IP)<\/p>\n\n\n\n

<\/td>AWS Client \/ CSR<\/td>Landing Spoke GW<\/td>Transit GW<\/td>Prod Spoke GW<\/td>Azure Client<\/td><\/tr>
SIP<\/td>172.31.0.10<\/strong><\/td>100.64.0.10<\/strong><\/td>100.64.0.10<\/strong><\/td>100.64.0.10<\/strong><\/td>100.64.0.10<\/strong><\/td><\/tr>
DIP<\/td>100.96.64.36<\/strong><\/td>10.100.64.36<\/strong><\/td>10.100.64.36<\/strong><\/td>10.100.64.36<\/strong><\/td>10.100.64.36<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

AWS side real CIDR: 172.31<\/strong>.0.0\/16, we will use 100.64<\/strong>.0.0\/16 for it’s virtual CIDR.<\/p>\n\n\n\n

Azure side will use virtual IP: 100.64.0.10<\/strong>, when tries to reach AWS side real IP: 172.31.0.10<\/strong><\/p>\n\n\n\n

Traffic flow from Azure side to AWS side, note NAT happens on Landing Spoke Gateway. (SIP = Source IP, DIP = Destination IP)<\/p>\n\n\n\n

<\/td>Azure Client<\/td>Prod Spoke GW<\/td>Transit GW<\/td>Landing Spoke GW<\/td>CSR \/ AWS Client<\/td><\/tr>
SIP<\/td>10.100.64.36<\/strong><\/td>10.100.64.36<\/strong><\/td>10.100.64.36<\/strong><\/td>10.100.64.36<\/strong><\/td>100.96.64.36<\/strong><\/td><\/tr>
DIP<\/td>100.64.0.10<\/strong><\/td>100.64.0.10<\/strong><\/td>100.64.0.10<\/strong><\/td>100.64.0.10<\/strong><\/td>172.31.0.10<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Launch CSR<\/h4>\n\n\n\n

In this test, selected: Cisco Cloud Services Router (CSR) 1000V – BYOL for Maximum Performance,<\/strong> you may need to subscribe to the market place image<\/p>\n\n\n\n

Default c5.large<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Select your key pair and select the default VPC and a public subnet. Will need to obtain an EIP later for production workload<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Obtain public IPs of Aviatrix Spoke Gateways in Landing vNet, CSR need to establish IPSec connections to these two public IPs<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

As such, need to modify CSR security group to allow UDP 500 and UDP 4500 from these two public IPs:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Launch instance<\/p>\n\n\n\n

Allocate EIP, then associate the EIP with CSR<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Test connect to CSR<\/p>\n\n\n\n

ssh -i <your-pem-key> ec2-user@54.176.62.223 -oKexAlgorithms=+diffie-hellman-group14-sha1<\/code><\/pre>\n\n\n\n
Create Site to Cloud connection using Mapped NAT in Aviatrix Controller<\/h4>\n\n\n\n
Goes to Aviatrix controller web page, SITE2CLOUD -> Setup -> 2 Create a New Site2CloudConnection -> ADD NEW<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
VPC ID\/VNet Name : Select Landing vNet
Connection Type: Mapped
Connection Name: This is the name used for Aviatrix to track the Site2Cloud connection
Remote Gateway Type: Generic
Tunnel Type: Route Based
IKEv2: Enabled by default
Enable HA: Checked as we do have two gateways deployed for HA<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Primary Cloud Gateway: Select Primary Aviatrix Landing GW
Remote Gateway IP address: Enter CSR’s public IP
Backup Gateway: Select HA Aviatrix Landing GW
Remote Gateway IP Address (Backup): Enter CSR’s public IP<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Remote Subnet (Real): 172.31.0.0\/16
Remote Subnet (Virtual): 100.64.0.0\/16
Local Subnet (Real): 10.100.0.0\/16
Local Subnet (Virtual): 100.96.0.0\/16<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Click OK to create the Site2Cloud connection<\/p>\n\n\n\n
CONFIGURE CSR<\/h4>\n\n\n\n
Select the newly created Site2Cloud connection, and click on Edit button <\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Under Connection Detail<\/strong>:<\/p>\n\n\n\n
Vendor: Cisco
Platform: IS, ASR, or CSR
Software: IOS(XE)<\/p>\n\n\n\n
Click on DOWNLOAD CONFIGURATION<\/strong><\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
This will create a text file for configuring your CSR<\/p>\n\n\n\n
Sample content of the file, I’ve highlighted sections need to be changed, note that although we do have two tunnels, only one can be active due to static route.<\/p>\n\n\n\n
! Aviatrix Site2Cloud configuration template\n!\n! This configuration serves as a general guideline and may have to be modified to\n! be functional on your device.\n!\n! If the provided encryption or authentication type is configured as 'n\/a', then\n! there was not a known mapping from the selected type to the encryption or\n! authentication type expected by the Cisco device.  Please reference the Cisco\n! documentation for your device and replace 'n\/a' with the expected configuration.                                                                                                 \n! \n! This connection has two IPsec tunnels between the customer gateway and \n! Aviatrix gateways in the cloud. Tunnel #1 is the primary tunnel. The \n! customer gateway should be configured in such a way that it should\n! switch over to tunnel #2 when tunnel #1 fails.\n! \n! You need to populate these values throughout the config based on your setup:\n! <crypto_policy_number>: the IKE crypto policy number\n! <tunnel_number1>: the primary IPSec tunnel interface number\n! <tunnel_number2>: the backup IPSec tunnel interface number\n! <ios_wan_interface1>: the primary source interface of tunnel packets\n! <ios_wan_interface2>: the backup source interface of tunnel packets\n! <customer_tunnel_ip1>: any un-used IPv4 address for the primary tunnel interface\n!                        when static routing is used (e.g. 1.1.1.1)\n! <customer_tunnel_ip2>: any un-used IPv4 address for the backup tunnel interface\n!                        when static routing is used (e.g. 1.1.1.3)\n! <netmask>: netmask for customer_tunnel_ip. Please use 255.255.255.255\n!\n! --------------------------------------------------------------------------------\n! IPSec Tunnel #1 (Primary)\n! --------------------------------------------------------------------------------\n! #1: Internet Key Exchange (IKE) Configuration\n! A policy is established for the supported ISAKMP encryption, \n! authentication, Diffie-Hellman, lifetime, and key parameters.\n!\ncrypto ikev2 proposal avx-s2c-20.127.181.210\n  encryption aes-cbc-256\n  integrity sha256\n  group 14\n  exit\n!\ncrypto ikev2 policy <crypto_policy_number><\/mark>\n  proposal avx-s2c-20.127.181.210\n  exit\n!\ncrypto ikev2 keyring 54.176.62.223-20.127.181.210\n  peer 54.176.62.223-20.127.181.210\n    address 20.127.181.210\n    identity address 20.127.181.210\n    pre-shared-key P0645IO6UJ8Z8uEf0eXapGxKXlck35L0c124rjFc\n    exit\n  exit\n!\ncrypto ikev2 profile 54.176.62.223-20.127.181.210\n  match identity remote address 20.127.181.210 255.255.255.255\n  identity local address 54.176.62.223\n  authentication remote pre-share\n  authentication local pre-share\n  keyring local 54.176.62.223-20.127.181.210\n  lifetime 28800\n  dpd 10 3 periodic\n  exit\n!\n!---------------------------------------------------------------------------------\n! #2: IPSec Configuration\n! The IPSec transform set defines the encryption, authentication, and IPSec\n! mode parameters.\n!\ncrypto ipsec transform-set 54.176.62.223-20.127.181.210 esp-256-aes esp-sha256-hmac\n  mode tunnel\n  exit\ncrypto ipsec df-bit clear\n!\ncrypto ipsec profile 54.176.62.223-20.127.181.210\n  set security-association lifetime seconds 3600\n  set transform-set 54.176.62.223-20.127.181.210\n  set pfs group14\n  set ikev2-profile 54.176.62.223-20.127.181.210\n  set security-association lifetime kilobytes disable\n  set security-association lifetime seconds 3600\n  exit\n!\n!---------------------------------------------------------------------------------------\n! #3: Tunnel Interface Configuration\n! The virtual tunnel interface is used to communicate with the remote IPSec endpoint \n! to establish the IPSec tunnel.\n!\ninterface Tunnel <tunnel_number1><\/mark>\n  ip address 169.254.56.181 255.255.255.252\n  ip mtu 1436\n  ip tcp adjust-mss 1387\n  tunnel source <ios_wan_interface1><\/mark>\n  tunnel mode ipsec ipv4\n  tunnel destination 20.127.181.210\n  tunnel protection ipsec profile 54.176.62.223-20.127.181.210\n  ip virtual-reassembly\n  exit\n!\n!\n! --------------------------------------------------------------------------------\n! IPSec Tunnel #2 (Backup)\n! --------------------------------------------------------------------------------\n! #4: Internet Key Exchange (IKE) Configuration\n!\ncrypto ikev2 keyring 54.176.62.223-20.85.248.161\n  peer 54.176.62.223-20.85.248.161\n    address 20.85.248.161\n    identity address 20.85.248.161\n    pre-shared-key SyeqOQqT1cvMO2uwR4jHciXSn8Yn3AVYr8CE1dNh\n    exit\n  exit\n!\ncrypto ikev2 profile 54.176.62.223-20.85.248.161\n  match identity remote address 20.85.248.161 255.255.255.255\n  identity local address 54.176.62.223\n  authentication remote pre-share\n  authentication local pre-share\n  keyring local 54.176.62.223-20.85.248.161\n  lifetime 28800\n  dpd 10 3 periodic\n  exit\n!\n!---------------------------------------------------------------------------------\n! #5: IPSec Configuration\n! The IPSec transform set defines the encryption, authentication, and IPSec\n! mode parameters.\n!\ncrypto ipsec transform-set 54.176.62.223-20.85.248.161 esp-256-aes esp-sha256-hmac\n  mode tunnel\n  exit\n!\ncrypto ipsec profile 54.176.62.223-20.85.248.161\n  set security-association lifetime seconds 3600\n  set transform-set 54.176.62.223-20.85.248.161\n  set pfs group14\n  set ikev2-profile 54.176.62.223-20.85.248.161\n  set security-association lifetime kilobytes disable\n  set security-association lifetime seconds 3600\n  exit\n!\n!---------------------------------------------------------------------------------------\n! #6: Tunnel Interface Configuration\n! The virtual tunnel interface is used to communicate with the remote IPSec endpoint\n! to establish the IPSec tunnel.\n!\ninterface Tunnel <tunnel_number2><\/mark>\n  ip address 169.254.41.117 255.255.255.252\n  ip mtu 1436\n  ip tcp adjust-mss 1387\n  tunnel source <ios_wan_interface2><\/mark>\n  tunnel mode ipsec ipv4\n  tunnel destination 20.85.248.161\n  tunnel protection ipsec profile 54.176.62.223-20.85.248.161\n  ip virtual-reassembly\n  exit\n!\n!---------------------------------------------------------------------------------------\n! #7: Routing Configuration\n! The static route directs the local traffic to the Aviatrix remote subnets via the tunnel\n! interface. When the primary tunnel, Tunnel<tunnel_number1> is down, the <tunnel_number1>\n! should be replaced with the backup tunnel, <tunnel_number2>.\n!\nip route 100.96.0.0 255.255.0.0 Tunnel<tunnel_number1><\/mark>\n!---------------------------------------------------------------------------------------\n!\n!\nFor vendor specific instructions, please go to the following URL:\nhttp://docs.aviatrix.com\/#site2cloud\n<\/code><\/pre>\n\n\n\n
Sample completed configuration:<\/p>\n\n\n\n
! Aviatrix Site2Cloud configuration template\n!\n! This configuration serves as a general guideline and may have to be modified to\n! be functional on your device.\n!\n! If the provided encryption or authentication type is configured as 'n\/a', then\n! there was not a known mapping from the selected type to the encryption or\n! authentication type expected by the Cisco device.  Please reference the Cisco\n! documentation for your device and replace 'n\/a' with the expected configuration.                                                                                                 \n! \n! This connection has two IPsec tunnels between the customer gateway and \n! Aviatrix gateways in the cloud. Tunnel #1 is the primary tunnel. The \n! customer gateway should be configured in such a way that it should\n! switch over to tunnel #2 when tunnel #1 fails.\n! \n! You need to populate these values throughout the config based on your setup:\n! <crypto_policy_number>: the IKE crypto policy number\n! <tunnel_number1>: the primary IPSec tunnel interface number\n! <tunnel_number2>: the backup IPSec tunnel interface number\n! <ios_wan_interface1>: the primary source interface of tunnel packets\n! <ios_wan_interface2>: the backup source interface of tunnel packets\n! <customer_tunnel_ip1>: any un-used IPv4 address for the primary tunnel interface\n!                        when static routing is used (e.g. 1.1.1.1)\n! <customer_tunnel_ip2>: any un-used IPv4 address for the backup tunnel interface\n!                        when static routing is used (e.g. 1.1.1.3)\n! <netmask>: netmask for customer_tunnel_ip. Please use 255.255.255.255\n!\n! --------------------------------------------------------------------------------\n! IPSec Tunnel #1 (Primary)\n! --------------------------------------------------------------------------------\n! #1: Internet Key Exchange (IKE) Configuration\n! A policy is established for the supported ISAKMP encryption, \n! authentication, Diffie-Hellman, lifetime, and key parameters.\n!\ncrypto ikev2 proposal avx-s2c-20.127.181.210\n  encryption aes-cbc-256\n  integrity sha256\n  group 14\n  exit\n!\ncrypto ikev2 policy 1<\/mark>\n  proposal avx-s2c-20.127.181.210\n  exit\n!\ncrypto ikev2 keyring 54.176.62.223-20.127.181.210\n  peer 54.176.62.223-20.127.181.210\n    address 20.127.181.210\n    identity address 20.127.181.210\n    pre-shared-key P0645IO6UJ8Z8uEf0eXapGxKXlck35L0c124rjFc\n    exit\n  exit\n!\ncrypto ikev2 profile 54.176.62.223-20.127.181.210\n  match identity remote address 20.127.181.210 255.255.255.255\n  identity local address 54.176.62.223\n  authentication remote pre-share\n  authentication local pre-share\n  keyring local 54.176.62.223-20.127.181.210\n  lifetime 28800\n  dpd 10 3 periodic\n  exit\n!\n!---------------------------------------------------------------------------------\n! #2: IPSec Configuration\n! The IPSec transform set defines the encryption, authentication, and IPSec\n! mode parameters.\n!\ncrypto ipsec transform-set 54.176.62.223-20.127.181.210 esp-256-aes esp-sha256-hmac\n  mode tunnel\n  exit\ncrypto ipsec df-bit clear\n!\ncrypto ipsec profile 54.176.62.223-20.127.181.210\n  set security-association lifetime seconds 3600\n  set transform-set 54.176.62.223-20.127.181.210\n  set pfs group14\n  set ikev2-profile 54.176.62.223-20.127.181.210\n  set security-association lifetime kilobytes disable\n  set security-association lifetime seconds 3600\n  exit\n!\n!---------------------------------------------------------------------------------------\n! #3: Tunnel Interface Configuration\n! The virtual tunnel interface is used to communicate with the remote IPSec endpoint \n! to establish the IPSec tunnel.\n!\ninterface Tunnel 1<\/mark>\n  ip address 169.254.56.181 255.255.255.252\n  ip mtu 1436\n  ip tcp adjust-mss 1387\n  tunnel source GigabitEthernet1<\/mark>\n  tunnel mode ipsec ipv4\n  tunnel destination 20.127.181.210\n  tunnel protection ipsec profile 54.176.62.223-20.127.181.210\n  ip virtual-reassembly\n  exit\n!\n!\n! --------------------------------------------------------------------------------\n! IPSec Tunnel #2 (Backup)\n! --------------------------------------------------------------------------------\n! #4: Internet Key Exchange (IKE) Configuration\n!\ncrypto ikev2 keyring 54.176.62.223-20.85.248.161\n  peer 54.176.62.223-20.85.248.161\n    address 20.85.248.161\n    identity address 20.85.248.161\n    pre-shared-key SyeqOQqT1cvMO2uwR4jHciXSn8Yn3AVYr8CE1dNh\n    exit\n  exit\n!\ncrypto ikev2 profile 54.176.62.223-20.85.248.161\n  match identity remote address 20.85.248.161 255.255.255.255\n  identity local address 54.176.62.223\n  authentication remote pre-share\n  authentication local pre-share\n  keyring local 54.176.62.223-20.85.248.161\n  lifetime 28800\n  dpd 10 3 periodic\n  exit\n!\n!---------------------------------------------------------------------------------\n! #5: IPSec Configuration\n! The IPSec transform set defines the encryption, authentication, and IPSec\n! mode parameters.\n!\ncrypto ipsec transform-set 54.176.62.223-20.85.248.161 esp-256-aes esp-sha256-hmac\n  mode tunnel\n  exit\n!\ncrypto ipsec profile 54.176.62.223-20.85.248.161\n  set security-association lifetime seconds 3600\n  set transform-set 54.176.62.223-20.85.248.161\n  set pfs group14\n  set ikev2-profile 54.176.62.223-20.85.248.161\n  set security-association lifetime kilobytes disable\n  set security-association lifetime seconds 3600\n  exit\n!\n!---------------------------------------------------------------------------------------\n! #6: Tunnel Interface Configuration\n! The virtual tunnel interface is used to communicate with the remote IPSec endpoint\n! to establish the IPSec tunnel.\n!\ninterface Tunnel 2<\/mark>\n  ip address 169.254.41.117 255.255.255.252\n  ip mtu 1436\n  ip tcp adjust-mss 1387\n  tunnel source GigabitEthernet1<\/mark>\n  tunnel mode ipsec ipv4\n  tunnel destination 20.85.248.161\n  tunnel protection ipsec profile 54.176.62.223-20.85.248.161\n  ip virtual-reassembly\n  exit\n!\n!---------------------------------------------------------------------------------------\n! #7: Routing Configuration\n! The static route directs the local traffic to the Aviatrix remote subnets via the tunnel\n! interface. When the primary tunnel, Tunnel<tunnel_number1> is down, the <tunnel_number1>\n! should be replaced with the backup tunnel, <tunnel_number2>.\n!\nip route 100.96.0.0 255.255.0.0 Tunnel1<\/mark>\n!---------------------------------------------------------------------------------------\n!\n!\nFor vendor specific instructions, please go to the following URL:\nhttp://docs.aviatrix.com\/#site2cloud\n<\/code><\/pre>\n\n\n\n
Now goes to CSR<\/p>\n\n\n\n
conf t<\/code><\/pre>\n\n\n\n
Then paste the modified code into CSR console<\/p>\n\n\n\n
Switch back to Aviatrix Controller, SITE2CLOUD -> Setup -> Refresh, in a few minutes and you should see the connection status is Green and Up<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
If the connection doesn’t come up in a few minutes, you can go to SITE2CLOUD -> Diagnostics -> Select the connection -> Action: Run analytics or Show Logs <\/p>\n\n\n\n
Observe route tables in Azure vNets<\/h4>\n\n\n\n
It’s worth to note that Aviatrix inject RFC1918 routes into spoke subnets route tables pointing to Aviatrix Spoke Gateways, this steers all traffic towards transit.<\/p>\n\n\n\n
In the Landing vNet, since we just created a Site2Cloud connection with static route, Aviatrix controller is aware of this intention and programed AWS virtual CIDR 100.64.0.0\/16 point to Aviatrix Spoke Gateway in Landing vNet<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Then how do we get traffic to other connected spoke vNet or even across transits? Note below, Prod spoke vNet only have RFC1918 routes added, and 100.64.0.0\/16 is missing:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Allow Site2cloud connection to be accessiable across transit<\/h5>\n\n\n\n