Aviatrix Site2Cloud Virtual Appliance Configuration Guide
Last updated: October 18, 2016
Aviatrix Systems, Inc.
4555 Great America Pkwy, Santa Clara CA 95054 USA
http://www.aviatrix.com
Tel: +1 844.262.3100
TABLE OF CONTENTS
1 Overview ... 1
1.1 Use Cases ... 1
1.1.1 On-Premise IPSec Termination ... 1
1.1.2 Cloud IPSec Termination ... 2
1.1.3 Connecting Networks with Overlapping CIDRs ... 2
2 Configuration Workflow ... 4
2.1 Prerequisites ... 4
2.1.1 For On-Premise IPSec Termination ... 4
2.1.2 For Cloud IPSec Termination ... 4
2.1.3 For Connecting Networks with Overlapping CIDRs ... 5
2.2 Configuration ... 5
2.2.1 For On-Premise IPSec Termination ... 6
2.2.2 For Cloud IPSec Termination ... 7
2.2.3 For Connecting Networks with Overlapping CIDRs ... 8
2.3 Troubleshooting ... 9
3 Appendix Support ... 10
3.1 Aviatrix Support ... 10
1 Overview
Aviatrix is a next generation cloud networking solution built from the ground up for the public cloud. It simplifies the way you enable site to cloud, user to cloud and cloud to cloud secure connectivity and access. The Aviatrix solution requires no new hardware and deploys in minutes. The Aviatrix solution comprises two components and a Controller. This configuration guide provides step by step instructions on how to deploy the Aviatrix Site2Cloud virtual appliance for IPSec termination.

1.1 Use Cases

1.1.1 On-Premise IPSec Termination
In this use case, there is a need to connect a remote on-premise site to the cloud. Instead of configuring the IPSec termination on the edge device, which may put tier 1 applications at risk, an Aviatrix virtual appliance can be deployed on premise to terminate the IPSec tunnel. With this approach, no changes are needed on the edge device. The IPSec tunnel configuration is exported from the cloud Aviatrix Controller and then imported into the on-premise Aviatrix virtual appliance.
[Figure: AWS VPC / Azure VNet / GCP NET connected to a Remote On-Premise Site through its Edge Device]
Benefits
1. Quick and easy to deploy: up and running within minutes.
2. No changes on the edge device.
3. Supports popular hypervisors: VMware and Hyper-V.
4. Supports all major public cloud providers (AWS, Azure, GCP).
5. No exchange of public cloud credentials is needed.
6. Central management with alerting and auditing.
Page 1 of 12
1.1.2 Cloud IPSec Termination
In this use case, the remote site is another cloud network and there is a need to connect the two cloud networks together. What makes this situation unique is that the cloud networks may not necessarily belong to the same owner. For example, a SaaS provider has deployed their application in the cloud. This application needs to connect to a customer's LDAP system or database, which is deployed in the customer's own cloud network. With the Aviatrix solution, the SaaS provider can export the IPSec configuration information from their system and provide it to their customer, who can then import it into their system.
[Figure: ACCOUNT 1 (AWS VPC / Azure VNet / GCP NET) connected to the remote site, ACCOUNT 2 (AWS VPC / Azure VNet / GCP NET)]
Benefits
1. Quick and easy to deploy: up and running within minutes.
2. Supports all major public cloud providers (AWS, Azure, GCP).
3. No exchange of public cloud credentials is needed.
4. Central management with alerting and auditing.

1.1.3 Connecting Networks with Overlapping CIDRs
This use case is the same as the previous two use cases, except the source and destination networks have overlapping CIDRs (IP addresses).
[Figure: AWS VPC / Azure VNet / GCP NET (SOURCE, CIDR 10.1.0.0/16) connected to a Remote On-Premise Site through its Edge Device (DESTINATION, CIDR 10.1.0.0/16)]
[Figure: ACCOUNT 1, AWS VPC / Azure VNet / GCP NET (SOURCE, CIDR 10.1.0.0/16) connected to the remote site, ACCOUNT 2, AWS VPC / Azure VNet / GCP NET (DESTINATION, CIDR 10.1.0.0/16)]
Benefits
In addition to the benefits noted in the previous two use cases:
1. Supports overlapping IP addresses (source or destination).
2. No need to re-IP the existing network.
3. Easy to deploy SaaS cookie cutter networks.
2 Configuration Workflow

2.1 Prerequisites
The prerequisites vary depending on the desired use case (see previous section). Please review the following before configuring the Site2Cloud IPSec tunnel.

2.1.1 For On-Premise IPSec Termination
In this deployment, the Aviatrix gateway will be deployed on-premise for the IPSec termination.
[Figure: AWS VPC / Azure VNet / GCP NET (SOURCE) connected to a Remote On-Premise Site through its Edge Device (DESTINATION)]
Confirm and check the following:
1. Make sure the hypervisor that you're using is supported:
   a. VMware ESXi 5.0 or later
   b. Windows 2012 R2 or later Hyper-V
2. On the source side, make sure the Aviatrix Controller and a terminating gateway are deployed and running.
3. For the on-premise virtual appliance:
   a. Requires a static IP address (internal)
   b. Requires access to a DNS server
   c. Requires outbound ports:
      i. TCP 443
      ii. UDP 4500 & 500
4. Create a static route for the cloud network:
   a. In order for on-premise devices to reach the cloud network, they must be routed to the virtual appliance.

2.1.2 For Cloud IPSec Termination
In this deployment, the Aviatrix gateway will be deployed in the cloud for IPSec termination.
[Figure: ACCOUNT 1, AWS VPC / Azure VNet / GCP NET (SOURCE) connected to the remote site, ACCOUNT 2, AWS VPC / Azure VNet / GCP NET (DESTINATION)]
Confirm and check the following:
1. On the source and destination side, make sure the Aviatrix Controllers and gateways are deployed and running.

2.1.3 For Connecting Networks with Overlapping CIDRs
In order to overcome the overlapping CIDR, a virtual CIDR is set up on both the source and destination Aviatrix gateway. Endpoints in the source and destination networks will communicate with each other over the virtual CIDR. Choose a virtual CIDR that does not overlap with your existing environment.
[Figure: AWS VPC / Azure VNet / GCP NET (SOURCE, CIDR 10.1.0.0/16, Virtual CIDR 10.21.0.0/16) connected to a Remote On-Premise Site through its Edge Device (DESTINATION, CIDR 10.1.0.0/16, Virtual CIDR 10.22.0.0/16)]
[Figure: ACCOUNT 1, AWS VPC / Azure VNet / GCP NET (SOURCE, CIDR 10.1.0.0/16, Virtual CIDR 10.21.0.0/16) connected to the remote site, ACCOUNT 2, AWS VPC / Azure VNet / GCP NET (DESTINATION, CIDR 10.1.0.0/16, Virtual CIDR 10.22.0.0/16)]

2.2 Configuration
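Before entering a mapped connection for the overlapping-CIDR case, the following added Python script (not part of this guide or the Aviatrix product) checks a virtual CIDR plan against the rule in 2.1.3 that the virtual CIDRs must not overlap the existing environment, using the guide's example values and the comma-separated subnet syntax of the Site2Cloud form. It assumes the mapped connection translates addresses 1:1 by host offset, so each virtual CIDR must be the same size as its real CIDR; the `existing` argument is a hypothetical list of other prefixes already routed on either side.

```python
# Added example, not part of the Aviatrix guide or product: sanity-check the
# virtual CIDRs of a mapped Site2Cloud plan (sections 2.1.3 / 2.2.3).
# Assumption: the mapped connection translates addresses 1:1 by host offset,
# so each virtual CIDR must be the same size as the real CIDR it stands in for.
import ipaddress


def parse_subnets(field):
    """Parse the comma-separated form syntax, e.g. "172.31.1.0/24,172.31.2.0/24"."""
    return [ipaddress.ip_network(s.strip()) for s in field.split(",") if s.strip()]


def validate_mapped_plan(local_real, local_virtual, remote_real, remote_virtual, existing=()):
    """Return a list of problems with the chosen virtual CIDRs (empty list = OK).
    `existing` (hypothetical input) lists other prefixes already routed on either side."""
    lr, lv = parse_subnets(local_real), parse_subnets(local_virtual)
    rr, rv = parse_subnets(remote_real), parse_subnets(remote_virtual)
    problems = []
    if len(lr) != len(lv) or len(rr) != len(rv):
        return ["real and virtual subnet lists must have the same number of entries"]
    for real, virt in zip(lr + rr, lv + rv):
        if real.prefixlen != virt.prefixlen:
            problems.append(f"{virt} must be the same size as {real} for 1:1 mapping")
    # Virtual CIDRs must not collide with anything already in use on either side.
    in_use = lr + rr + [ipaddress.ip_network(e) for e in existing]
    for virt in lv + rv:
        problems += [f"virtual {virt} overlaps existing {n}" for n in in_use if virt.overlaps(n)]
    # The two virtual ranges must also be distinct from each other.
    problems += [f"local virtual {a} overlaps remote virtual {b}"
                 for a in lv for b in rv if a.overlaps(b)]
    return problems


def map_address(real_ip, real_net, virtual_net):
    """Translate a real host address to its virtual counterpart by keeping the
    host offset within the prefix (the 1:1 mapping assumed above)."""
    real_net, virtual_net = ipaddress.ip_network(real_net), ipaddress.ip_network(virtual_net)
    offset = int(ipaddress.ip_address(real_ip)) - int(real_net.network_address)
    return str(virtual_net[offset])


if __name__ == "__main__":
    # The guide's example: both sides use 10.1.0.0/16, mapped to 10.21.0.0/16 and 10.22.0.0/16.
    print(validate_mapped_plan("10.1.0.0/16", "10.21.0.0/16", "10.1.0.0/16", "10.22.0.0/16"))
    print(map_address("10.1.5.7", "10.1.0.0/16", "10.21.0.0/16"))
```

An empty result means the plan is consistent; with the guide's values, host 10.1.5.7 on the source side is reached from the destination as 10.21.5.7.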
2.2.1 For On-Premise IPSec Termination

Step 1: Deploy the Aviatrix Virtual Appliance
1. Download the virtual appliance for your hypervisor.
2. Import the virtual appliance into your virtualization environment.
3. Once the virtual appliance boots up, login to the CLI console. The default login is admin / Aviatrix123#
4. Use the following command to configure the static IP address on the virtual appliance:
   setup_interface_static_address ip_address subnet_mask default_gateway primary_dns secondary_dns
   Example:
   setup_interface_static_address 10.1.1.2 255.255.255.0 10.1.1.1 8.8.8.8 8.8.4.4
5. Login to the virtual appliance web GUI. The default URL is: https://static_ip_address
   Default login is: admin / static_ip_address (e.g. 10.1.1.2)
   The system will prompt for a recovery email address and then prompt you to change the default password. The virtual appliance will initialize after the password change. Afterwards, login to the console with the new password.
6. Update the license key. Click Settings > License. Under Customer ID, enter your customer ID and click Save. If you don't have one, contact Aviatrix at support@aviatrix.com.
7. Done.

Step 2: Setup Site2Cloud connection on Source Side
1. Login to the Controller on the source side.
2. Click Site2Cloud -> +Add New
   a. VPC ID/VNet Name: Select the network for the IPSec termination.
   b. Connection Type: Unmapped
   c. Connection Name: Type in a name for the connection.
   d. Remote Gateway IP Address: This is the public IP that your on-premise virtual appliance uses to reach the internet.
   e. Primary Gateway: Select the gateway on the source side (cloud) that will terminate the IPSec.
   f. Remote Subnet: Type in the network on the on-premise side. If there is more than one network, separate them with a comma (e.g. 172.31.1.0/24,172.31.2.0/24).
   g. Local Subnet: Type in the network on the cloud side. If there is more than one network, separate them with a comma (e.g. 172.31.1.0/24,172.31.2.0/24).
   h. Pre-shared Key: Leave blank.
3. Click Ok.
4. After the connection is created, click on it and then download the configuration file:
   a. Vendor: Aviatrix
   b. Platform: UCC
   c. Software: 1.0
5. Save the file to a convenient location.
6. Done.

Step 3: Import the configuration file to the virtual appliance
1. Login to the virtual appliance's web GUI.
2. Click Site2Cloud > +Add New
   a. Click the Import button in the lower right hand corner.
   b. Select the configuration file that you saved in the previous step.
   c. Verify that the information is correct.
3. Click OK.
4. Done.
Congratulations. The configuration is complete. Please allow up to 2 for the tunnel to come up.

2.2.2 For Cloud IPSec Termination

Step 1: Setup Site2Cloud connection on source side
1. Login to the Controller on the source side.
2. Click Site2Cloud -> +Add New
   a. VPC ID/VNet Name: Select the network for the IPSec termination.
   b. Connection Type: Unmapped
   c. Connection Name: Type in a name for the connection.
   d. Remote Gateway IP Address: This is the public IP of the Aviatrix gateway on the destination side that will terminate the IPSec.
   e. Primary Gateway: Select the gateway on the source side (cloud) that will terminate the IPSec.
   f. Remote Subnet: Type in the network on the destination side. If there is more than one network, separate them with a comma (e.g. 172.31.1.0/24,172.31.2.0/24).
   g. Local Subnet: Type in the network on the source side. If there is more than one network, separate them with a comma (e.g. 172.31.1.0/24,172.31.2.0/24).
   h. Pre-shared Key: Leave blank.
3. Click Ok.
4. After the connection is created, click on it and then download the configuration file:
   a. Vendor: Aviatrix
   b. Platform: UCC
   c. Software: 1.0
5. Save the file to a convenient location.
6. Done.

Step 2: Import the configuration file on the destination side
1. Login to the Controller on the destination side.
2. Click Site2Cloud > +Add New
   a. Click the Import button in the lower right hand corner.
   b. Select the configuration file that you saved in the previous step.
   c. Verify that the information is correct.
3. Click OK.
4. Done.
Congratulations. The configuration is complete. Please allow up to 2 for the tunnel to come up.

2.2.3 For Connecting Networks with Overlapping CIDRs
If you are deploying the Aviatrix gateway on site, please see the section above on how to deploy the Aviatrix Virtual Appliance for your hypervisor. The rest of the instructions are the same and are as follows:

Step 1: Setup Site2Cloud connection on source side
1. Login to the Controller on the source side.
2. Click Site2Cloud -> +Add New
   a. VPC ID/VNet Name: Select the network for the IPSec termination.
   b. Connection Type: Mapped
   c. Connection Name: Type in a name for the connection.
   d. Remote Gateway IP Address: This is the public IP of the Aviatrix gateway on the destination side that will terminate the IPSec.
   e. Primary Gateway: Select the gateway on the source side (cloud) that will terminate the IPSec.
   f. Remote Subnet (Real): Type in the real network on the destination side. If there is more than one network, separate them with a comma (e.g. 172.31.1.0/24,172.31.2.0/24). In this example, the subnet is 10.1.0.0/16.
   g. Remote Subnet (Virtual): Type in the virtual network on the destination side. In this example, the subnet is 10.22.0.0/16.
   h. Local Subnet (Real): Type in the real network on the source side. In this example, the subnet is 10.1.0.0/16.
   i. Local Subnet (Virtual): Type in the virtual network on the source side. In this example, the subnet is 10.21.0.0/16.
   j. Pre-shared Key: Leave blank.
3. Click Ok.
4. After the connection is created, click on it and then download the configuration file:
   a. Vendor: Aviatrix
   b. Platform: UCC
   c. Software: 1.0
5. Save the file to a convenient location.
6. Done.

Step 2: Import the configuration file on the destination side
1. Login to the Controller on the destination side.
2. Click Site2Cloud > +Add New
   a. Click the Import button in the lower right hand corner.
   b. Select the configuration file that you saved in the previous step.
   c. Verify that the information is correct.
3. Click OK.
4. Done.

2.3 Troubleshooting
Tunnel status can be checked from the Controller. From the Controller GUI:
1. Click Site2Cloud -> Diagnostics
2. Select the following:
   a. VPC ID / VNet / NET = Select the network that your gateway is in
   b. Connection = Select the connection you want to troubleshoot
   c. Gateway = Select the gateway that is terminating the tunnel
   d. Action = Select the diagnostics that you want to see
3. Click OK.
3 Appendix Support

3.1 Aviatrix Support
Standard: 8x5 Enterprise phone support, email support, product-specific knowledge base and user forum are included.
For additional levels of support and support offers please visit: www.aviatrix.com/support