Scribd Logo
Upload

Welcome to Scribd!

  • ACE Prof Mod3a - Multi-Cloud Segmentation Domains

    Uploaded by

    Syed Asad Raza
    65 views16 pages
    This document discusses multi-cloud network segmentation (MCNS) which allows grouping of virtual networks (VNets/VPCs/VCNs) across multiple cloud regions and providers based on similar security policies. MCNS is policy-based and consistent across accounts, subscriptions and projects. It provides segmentation for edge/access networks including on-premises data centers, branches and extranets. MCNS configuration involves enabling transit gateways, creating segments/security domains, defining connection policies, and associating spoke gateways or site-to-cloud connections to the appropriate segments.

    Original Description:

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document discusses multi-cloud network segmentation (MCNS) which allows grouping of virtual networks (VNets/VPCs/VCNs) across multiple cloud regions and providers based on similar security policies. MCNS is policy-based and consistent across accounts, subscriptions and projects. It provides segmentation for edge/access networks including on-premises data centers, branches and extranets. MCNS configuration involves enabling transit gateways, creating segments/security domains, defining connection policies, and associating spoke gateways or site-to-cloud connections to the appropriate segments.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    65 views16 pages

    ACE Prof Mod3a - Multi-Cloud Segmentation Domains

    Uploaded by

    Syed Asad Raza
    This document discusses multi-cloud network segmentation (MCNS) which allows grouping of virtual networks (VNets/VPCs/VCNs) across multiple cloud regions and providers based on similar security policies. MCNS is policy-based and consistent across accounts, subscriptions and projects. It provides segmentation for edge/access networks including on-premises data centers, branches and extranets. MCNS configuration involves enabling transit gateways, creating segments/security domains, defining connection policies, and associating spoke gateways or site-to-cloud connections to the appropriate segments.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 16

    Multi-Cloud Network

    Segmentation (MCNS)

    Solutions Engineering Team

    www.aviatrix.com
    Multi-Cloud Network Segmentation

    ● Provides network segmentation across multi-region and multi-cloud, including on-prem


    environment

    ● Group VNets/VPCs/VCNs with similar security policies

    ● Define your own segments

    2
    Multi-Cloud Network Segmentation
    Use Cases

    3
    Aviatrix Multi-Cloud Network Segmentation
    Policy Based Network Segmentation
    • Global Aviatrix Controller
    Blue Segment
    • Consistent / Repeatable
    • Across accounts, subscriptions & projects Connection Policy
    Green Segment

    Cloud and Connection Agnostic


    • Single cloud
    • Intra-region or inter-region
    • Multiple clouds VPC SS VPC VPC VPC VPC VPC VPC VPC VPC VNet VNet VNet

    Edge/Access Segmentation
    • On-Prem DCs Transit Transit Transit Transit Transit
    VPC FireNet VPC FireNet VPC VNet FireNet
    • Branches VPC

    • Extranets
    • Cloud Peering IT IT
    BU1 BU2

    On-Demand Compliance/Governance AWS - REGION1 GCP – REGION1 GCP – REGION2 AZURE - REGION1
    • Security Posture within minutes
    • Aviatrix control plane realizes the intent
    • Zero-Trust
    • Flexible
    Site 2 Cloud Site 2 Cloud
    • Automated Direct Express
    Connect Route

    Extranet Extranet BRANCH OFFICES

    Data Center DATA CENTER

    4
    Multi-Cloud Network Segmentation
    Configuration: Multi-Cloud Transit à Segmentation à Plan
    Step 1 – Enable Transit Gateway for Segmentation

    8
    Multi-Cloud Network Segmentation
    Configuration: Multi-Cloud Transit à Segmentation à Plan
    Step 2 – Create Segments/Security Step 3 – Connection Policy
    Domains

    9
    Multi-Cloud Network Segmentation
    Configuration: Multi-Cloud Transit à Segmentation à Build
    Step 4 – Associate Spoke Gateways or S2C connections to the Segments/Domains

    10
    Multi-Cloud Network Segmentation
    Topology

    OR-Spoke-1 OR-Spoke-3 OR-SS AZSC-Spoke-1 AZSC-Spoke-2


    10.150.89.134 10.152.24.64 10.154.90.201 172.16.6.20 172.16.7.20

    OR-Transit AZSC-Transit
    6501 6502
    3 0
    10.160.0.0/16 172.16.10.0/16

    6470
    1

    DATA CENTER Partner-1 Partner-2


    10.200.0.0/16 10.201.0.0/16 10.202.0.0/16
    65050

    11
    Multi-Cloud Network Segmentation
    Blue Segment

    OR-Spoke-1 OR-Spoke-3 OR-SS AZSC-Spoke-1 AZSC-Spoke-2


    10.150.89.134 10.152.24.64 10.154.90.201 172.16.6.20 172.16.7.20

    OR-Transit AZSC-Transit
    6501 6502 Purple
    3 0
    10.160.0.0/16 172.16.10.0/16
    Remote-Blue
    Yellow

    Local-Blue

    6470
    1

    Transit

    DATA CENTER Partner-1 Partner-2


    10.200.0.0/16 10.201.0.0/16 10.202.0.0/16
    65050

    12
    Multi-Cloud Network Segmentation
    Red Segment

    OR-Spoke-1 OR-Spoke-3 OR-SS AZSC-Spoke-1 AZSC-Spoke-2


    10.150.89.134 10.152.24.64 10.154.90.201 172.16.6.20 172.16.7.20

    Purple

    OR-Transit AZSC-Transit
    6501 6502
    Remote-Red
    3 0
    10.160.0.0/16 172.16.10.0/16

    6470
    1

    Local-Red

    Transit

    DATA CENTER Partner-1 Partner-2


    10.200.0.0/16 10.201.0.0/16 10.202.0.0/16
    65050

    13
    Another MCNS Example (Demo)

    Aviatrix Controller

    us-east-2 us-east-1 us-central1 West US

    10.11.0.0/16 10.21.0.0/16 10.22.0.0/16 10.31.0.0/16 10.41.0.0/16 10.42.0.0/16

    Spoke2 Spoke1 Spoke2 Spoke1 Spoke2


    Spoke1

    ASN:65101 ASN:65102 ASN:65201 ASN:65301


    Transit1 Transit2 Transit4
    Transit3

    us-central1 10.30.0.0/16

    10.10.0.0/16 10.20.0.0/16 10.40.0.0/16


    Multi-Cloud Network Segmentation
    On-Prem via ExpressRoute

    AZSC-Spoke-1 AZSC-Spoke-2 OR-Spoke-1 OR-Spoke-3 OR-SS


    172.16.6.20 172.16.7.20 10.150.89.134 10.152.24.64 10.154.90.201

    AZSC-Transit OR-Transit
    65020 65013

    172.16.10.0/16 10.160.0.0/16

    ● Single DX or ER can be used to communicate


    between On-Prem and multiple CSP resources
    Equinix

    65050
    10.200.0.0/23

    ON-PREM
    DATA CENTER

    18
    Multi-Cloud Network Segmentation
    Primary Secondary Transit Paths – Emerging Use Case

    AZSC-Spoke-1 AZSC-Spoke-2 OR-Spoke-1 OR-Spoke-3 OR-SS


    172.16.6.20 172.16.7.20 10.150.89.134 10.152.24.64 10.154.90.201

    AZSC-Transit Longer AS-Path OR-Transit


    65020 65013

    172.16.10.0/16 10.160.0.0/16

    65050
    Primary 10.200.0.0/23

    Backup ON-PREM
    DATA CENTER

    19
    Multi-Cloud Network Segmentation
    Packet Walk

    AZSC-Spoke-2 workload-1 (Source IP): 172.16.7.20


    OR-SS (Destination IP): 10.154.90.201

    1. 172.16.7.20 sends a packet using RFC 1918 OR-SS AZSC-Spoke-2

    summary routes to Aviatrix Spoke Gateway in its


    10.154.90.201 172.16.7.20

    own AZ
    2. AZSC-Spoke1-AGW will forward the packet to
    AZSC-Transit-AGW OR-Transit AZSC-Transit

    3. AZSC-Transit-AGW will forward the packet to its 65013 65020

    transit peer OR-Transit 10.160.0.0/16 172.16.10.0/16

    4. OR-Transit gateway will forward the packet to OR-


    SS-Spoke gateway
    5. 10.154.90.201 will receive the packet from OR-SS
    Spoke-AGW

    22
    Next: Security Domains
    Thank you!

    EVENTS COMMUNITY
    aviatrix.com/events community.aviatrix.com

    You might also like