Frequently Asked Questions
Version 10-21-2016
Copyright 2014-2016 Aviatrix Systems, Inc. All rights reserved.

Aviatrix Cloud Gateway

What can it do for me?

Aviatrix Cloud Gateway provides an end-to-end secure network solution for AWS, Azure and Google Cloud (GCloud). The solution includes enterprise OpenVPN access to a VPC/VNet, encrypted routing among VPC/VNets, and monitoring and logging of link status and latency. It enables you to build a secure private network spanning one or more public clouds, in which a user reaches any instance/VM directly by its private IP address. No more bastion or jump hosts: users get the same seamless experience they have on the on-prem network. In addition, Aviatrix Cloud Gateway supports encryption over AWS Direct Connect and Azure ExpressRoute.

Architecturally, the Aviatrix solution is a centrally managed, loosely coupled and globally deployed platform built for the cloud from the ground up.

Key benefits?

- Scalable and highly available user VPN solution. Integrated with the cloud provider's native ELB, the solution scales out to large numbers of users and high aggregate bandwidth by adding gateways behind the load balancer.
- Supports LDAP authentication and multi-factor authentication with DUO and Okta.
- User-profile-defined dynamic security access rules that let the administrator determine the access privilege of any given user to any resource at the network perimeter.
- Supports Geo VPN for global deployments, where a VPN user automatically connects to the nearest VPC.
- Supports a wide range of clients: Windows, OS X, Linux, Android, iOS and Chromebook.
- Supports event logging to Sumo Logic, Logstash, Splunk and a remote syslog server.
- Supports split tunnel and full tunnel modes.
- No extra hop to other VPC/VNets.
- Multi-VPC, multi-region and multi-cloud (AWS, Azure and GCloud) encrypted peering lets you build a full-mesh secure network in the cloud with a single click.
- Policy-based stateful firewall at the VPC level, for both allowing and denying access to apps.
- Environment Stamping solution for repeatable enterprise SaaS deployment: create identical VPC environments with one click for each customer, with unique mapping and addressing of instances for CloudOps and developer access, and integration with AWS Route 53 DNS so each environment can be reached by name.
- Secure connection to remote branch sites and interoperability with legacy router/firewall devices.
- Encryption over AWS Direct Connect and Azure ExpressRoute.

How do I launch the product?

The product consists of two components, the controller and one or more gateways. Gateways are launched from the controller. The controller provides a central console for all provisioning, monitoring and upgrades of the services. It is available in the AWS and Azure marketplaces, and as a GCloud community image. For a marketplace launch, search for Aviatrix in the marketplace. The controller should have an EIP (best practice) and inbound TCP port 443 open for it to work.

How do I access the controller?

Once you have launched the instance, access the controller via a web browser:

https://public_ip_address_of_the_controller_instance

Log in with username admin. The initial password is the private IP address of the controller instance. You are required to change the password at your first login; do this immediately, since that private IP address is visible to anyone with read access to the cloud account.

How do I secure the controller?

Only TCP port 443 needs to be open for inbound traffic to the controller. If you narrow the allowed source addresses to a custom IP list, you must include all gateway public IP addresses in addition to your own public IP address, because each gateway launched from the controller uses its own public IP address to communicate back to the controller. A gateway whose public IP is missing from the list loses contact with the controller.

Is Aviatrix Cloud Gateway a SaaS offer?

No. Aviatrix Cloud Gateway is a software product that is deployed inside your own network perimeter.

Onboarding

Where do I start?

The first time you log in, complete the Onboarding process. It takes a few steps. If you have a BYOL license or use a community image, you need a customer ID provided by Aviatrix to use the product. Contact support@aviatrix.com if you do not have a customer ID.
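As a worked example for the "How do I secure the controller?" answer above, the following script (added here; it is not Aviatrix code) builds the minimal inbound rule set for the controller and audits an existing rule set against the FAQ guidance: only TCP/443 inbound, never open to the world, and every gateway public IP present. The IP addresses are constructed sample data, and the rule dictionaries mirror the shape of an EC2 security group IpPermissions entry, so the audit can be run directly over the output of an AWS describe-security-groups call.

```python
"""Added example (not Aviatrix code): minimal inbound rules for the
Aviatrix controller and an audit of an existing security group.

The controller needs only TCP/443 inbound.  If you narrow the sources,
every gateway public IP must be present, because gateways talk back to
the controller from their own public IPs.  The addresses below are
constructed sample data; the rule dictionaries follow the shape of an
EC2 security group IpPermissions entry.
"""
import ipaddress

# Constructed sample data (assumptions for the example).
ADMIN_IPS = ["198.51.100.7"]                      # your own public IP(s)
GATEWAY_EIPS = ["203.0.113.10", "203.0.113.11"]   # public IPs of launched gateways


def desired_ingress(admin_ips, gateway_ips):
    """Return the minimal inbound rule: TCP/443 from admins and gateways only."""
    sources = sorted({f"{ip}/32" for ip in list(admin_ips) + list(gateway_ips)})
    return [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": cidr} for cidr in sources]}]


def audit_ingress(permissions, gateway_ips):
    """Check an existing security group's inbound rules.

    Returns a list of findings; an empty list means the group matches the
    FAQ guidance: only TCP/443 inbound, no 0.0.0.0/0, every gateway allowed.
    Only IPv4 IpRanges are examined (the controller's EIP is IPv4).
    """
    findings = []
    allowed_443 = []
    for perm in permissions:
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        port_ok = proto == "tcp" and lo == 443 and hi == 443
        if not port_ok:
            # Anything other than TCP/443 (SSH, "all traffic", ...) is a finding.
            findings.append(f"unexpected inbound rule: {proto} {lo}-{hi} from {ranges}")
            continue
        for cidr in ranges:
            net = ipaddress.ip_network(cidr)
            if net.prefixlen == 0:
                findings.append("TCP/443 is open to the world (0.0.0.0/0)")
            allowed_443.append(net)
    # Every gateway must be able to reach the controller on 443.
    for gw in gateway_ips:
        if not any(ipaddress.ip_address(gw) in net for net in allowed_443):
            findings.append(f"gateway {gw} cannot reach the controller on TCP/443")
    return findings


if __name__ == "__main__":
    rules = desired_ingress(ADMIN_IPS, GATEWAY_EIPS)
    print("desired:", rules)
    print("audit of desired rules:", audit_ingress(rules, GATEWAY_EIPS))
```

Re-run the audit whenever a gateway is added or its public IP changes; a gateway launched after the source list was narrowed is the usual way the list silently goes stale.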
What is an Aviatrix Cloud Account?

An Aviatrix Cloud Account is a uniquely named object on the controller. It contains cloud credentials, for example your AWS IAM Access Key ID and Secret Key. The controller uses these credentials to launch Aviatrix gateways through the cloud provider APIs. One Aviatrix Cloud Account can correspond to multiple cloud accounts; for example, it can hold credentials for an AWS IAM account, an Azure account and a GCloud account.

How do I upgrade software?

Click Settings -> Upgrade. This upgrades the controller to the latest release. When a new release becomes available, an alert message appears on the Dashboard.

Is there a reference design example?

Check out the Reference Designs under the Help menu.

What is the support model?

For support, send email to support@aviatrix.com. To request a feature, click the Make a wish button at the bottom of each page.

Scale Out VPN Solutions

How do I launch a VPN gateway?

Click Gateways -> Create Gateway -> Create. The controller launches an Aviatrix gateway instance in AWS/Azure/GCloud. The gateway instance must be launched in a public subnet. You need to give it a name (the Gateway Name field); this name becomes part of the instance name, with the prefix CloudOps. In the Create page, select VPN Access to enable the OpenVPN server capability. There is a default VPN CIDR, 192.168.43.0/24. You can change it, but make sure the CIDR is outside the existing and future VPC CIDR ranges (and outside any additional ranges you route through a split tunnel), since this is the pool from which the VPN server assigns a virtual IP address to each user at connect time and an overlap produces conflicting routes on the client. You can select Save Template to save the gateway template; the next time you come to the page, most of the fields are pre-populated, and you may change any of them.

How do I scale out the VPN solution?

You can launch multiple VPN gateways in the same VPC at Create Gateway time. While launching a gateway, select yes for Enable AWS ELB. This automatically creates an AWS ELB (for the first gateway) and registers the gateway with the load balancer. VPN traffic is load balanced across these gateways. All gateways behind one ELB must have consistent configuration: authentication methods, tunnel modes and PBR configuration should be identical, because a user may be balanced to any of them.

How do I set up Okta authentication for VPN?

Follow the link: How to setup Okta for Aviatrix VPN gateway
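The two launch-time requirements above (a VPN CIDR that does not overlap any VPC CIDR, and identical configuration across gateways behind one ELB) are easy to get wrong silently, so here is a pre-launch check, added as an example and not part of Aviatrix's product. The CIDRs, gateway names and setting field names (auth, tunnel_mode, pbr_enabled, pbr_subnet, pbr_default_gw) are constructed for the example and are not the controller's own schema; it also checks extra split-tunnel ranges, which the FAQ text does not spell out but which the same routing conflict applies to.

```python
"""Added example (not Aviatrix code): pre-launch checks for VPN gateways.

1. The VPN CIDR (the pool the OpenVPN server assigns client addresses from)
   must not overlap any existing or planned VPC CIDR, nor any extra range
   pushed through a split tunnel; otherwise client routes collide.
2. Gateways registered behind one ELB must share authentication method,
   tunnel mode and PBR settings, because a user may be balanced to any one.

All CIDRs and gateway settings below are constructed sample data; the field
names are assumptions for the example, not the controller's own schema.
"""
import ipaddress

DEFAULT_VPN_CIDR = "192.168.43.0/24"          # the FAQ's default pool

# Constructed: CIDRs already in use plus ones reserved for future VPCs.
VPC_CIDRS = ["10.0.0.0/16", "10.1.0.0/16", "172.16.0.0/12"]
SPLIT_TUNNEL_EXTRA = ["10.100.0.0/16"]        # extra ranges routed via the tunnel
# Settings that must agree across gateways behind a single ELB (assumed names).
ELB_KEYS = ("auth", "tunnel_mode", "pbr_enabled", "pbr_subnet", "pbr_default_gw")


def vpn_cidr_conflicts(vpn_cidr, vpc_cidrs, extra_ranges=()):
    """Return the list of ranges that overlap the VPN CIDR (empty == safe)."""
    pool = ipaddress.ip_network(vpn_cidr, strict=True)
    return [c for c in list(vpc_cidrs) + list(extra_ranges)
            if pool.overlaps(ipaddress.ip_network(c, strict=True))]


def elb_inconsistencies(gateways):
    """Compare gateways behind one ELB.

    Returns {field: {gateway_name: value}} for every field whose value
    differs between gateways; an empty dict means the set is consistent.
    """
    diffs = {}
    for key in ELB_KEYS:
        values = {gw["name"]: gw.get(key) for gw in gateways}
        if len(set(values.values())) > 1:
            diffs[key] = values
    return diffs


def validate_launch(vpn_cidr, vpc_cidrs, gateways, extra_ranges=()):
    """Aggregate both checks into a list of human-readable findings."""
    findings = [f"VPN CIDR {vpn_cidr} overlaps {c}"
                for c in vpn_cidr_conflicts(vpn_cidr, vpc_cidrs, extra_ranges)]
    for key, values in elb_inconsistencies(gateways).items():
        findings.append(f"gateways behind the ELB disagree on {key}: {values}")
    return findings


# Constructed gateway settings: two gateways in the same VPC behind one ELB.
GATEWAYS = [
    {"name": "CloudOps-vpn-a", "auth": "ldap+duo", "tunnel_mode": "split",
     "pbr_enabled": False, "pbr_subnet": None, "pbr_default_gw": None},
    {"name": "CloudOps-vpn-b", "auth": "ldap+duo", "tunnel_mode": "split",
     "pbr_enabled": False, "pbr_subnet": None, "pbr_default_gw": None},
]

if __name__ == "__main__":
    print(validate_launch(DEFAULT_VPN_CIDR, VPC_CIDRS, GATEWAYS, SPLIT_TUNNEL_EXTRA))
```

Feed the check the VPC CIDRs you plan to use as well as the ones that exist today; the FAQ's "future VPC CIDR range" wording is the part most often skipped.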
How do I enable Geo VPN?

If you have a global workforce that needs to access the cloud, Geo VPN offers a superior solution: it lets a VPN user connect to the nearest VPC that hosts an Aviatrix VPN gateway. To enable Geo VPN, go to VPC/VNet -> VPN Access -> Geo VPN.

How do I add a VPN user?

After at least one gateway is created, you can add VPN users. Click VPCs -> VPN Access -> Users -> Add. When a user is added, an email is sent to the user with instructions on how to download the client software and connect to the VPN server. If you want to assign user-profile-based policies, create the profiles first; see the next section.

Which user devices are supported by the VPN client software?

Windows, Mac, Linux, Chromebook, Android and iOS devices are supported.

Is NAT supported on the gateway?

Yes, you can enable the NAT function at gateway launch time. When enabled, instances on the private subnet can reach the Internet directly through the gateway. If full tunnel mode is selected, you may want to enable NAT as well, since all user traffic, including Internet-bound traffic, exits through the gateway.

Is full tunnel mode supported on the gateway?

Yes, both split tunnel and full tunnel modes are supported; you specify the mode at gateway launch time. Full tunnel means all user traffic is carried through the VPN tunnel to the gateway, including Internet-bound traffic. Split tunnel means only traffic destined to the VPC, plus any additional network ranges you specify, is carried through the tunnel; Internet-bound traffic does not go through the tunnel, and so is not subject to the gateway's policies.

Can the maximum number of simultaneous connections to a VPN gateway be configured?

Yes, you can set the maximum number of connections at gateway launch time.

User Profile Based Security Policies

What is a user-profile-based security policy?

In VPN access, a user is dynamically assigned a virtual IP address when connected to a gateway, so firewall rules keyed on source IP address cannot distinguish one user from another. It is therefore desirable to define resource access policies based on the users themselves. For example, you may want one policy for all employees, a different policy for partners and yet another for contractors. You may even give different policies to different departments and business groups.
The profile-based security policy lets you define security rules on target address, protocol and ports. The default rule for a profile can be configured as deny all or allow all during profile creation. This gives you flexible firewall rules based on the user's identity instead of a source IP address.

How do I set up profile-based security policies?

When a user connects to a VPC, the security policies associated with the profile that user is assigned to are applied on the VPN gateway instance the user logs into, so disallowed traffic is blocked at the gateway before it enters the network. Click VPCs -> VPN Access -> Profiles to create profiles, then click Edit Policies to add rules. You can add multiple rules, then click Save.

How do I assign a user to a profile?

When you create a VPN user at VPCs -> VPN Access -> Users -> Add, select the profile option to assign the user to a specific profile.

What if I want to change profile policies?

You can change profile policies at any time. However, users with an active session will not receive the new policy; a user must disconnect and reconnect to the VPN for the new policy to take effect.

How do I change a user's profile programmatically?

The controller provides a REST API that can be invoked to change a user's profile. Refer to the API document under the Help menu. During this operation, the user's existing VPN session is terminated, and the new profile policy takes effect when he or she logs in again. The use case for this feature is to let an administrator quarantine a VPN user for security reasons, for example by moving the user to a profile whose default rule is deny all.

User Authentication

Is DUO multi-factor authentication supported?

Yes. If your enterprise has a DUO account with multi-factor authentication, it can be integrated into the VPN solution. From the Gateways tab, click Create. In the two-step authentication drop-down menu, select DUO, then enter your company's Integration Key, Secret Key and API hostname. To obtain these, log in to the DUO website (www.duo.com) as an admin, click Applications in the left panel, click Protect an Application, scroll down the application list and select OpenVPN (click Protect this Application); the next screen shows the credentials you need to configure on the Aviatrix controller. Treat the Secret Key like a password. Advanced features such as Trusted Devices and Trusted Networks are currently not supported; send us a request if you would like to integrate them.

How do I configure LDAP authentication?

LDAP configuration is part of gateway creation when VPN Access is enabled. Enter the necessary parameters and click the Enable button to enable LDAP authentication for VPN clients. If your LDAP server requires client certificates for incoming TLS connections, upload a client certificate in PEM format (the file must contain both the certificate and its private key).
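To make the user-profile policy semantics from the previous section concrete, here is a small model of them, added as an example (it is not Aviatrix code and the page does not show the controller's real rule format): a profile has a default action of allow all or deny all plus rules on target address, protocol and port; a session carries a snapshot of the profile taken at connect time, so editing the profile does not change an active session; and changing a user's profile (the REST API quarantine case) terminates the session and the new policy applies on reconnect. Profile names, rules and traffic below are constructed sample data.

```python
"""Added example (not Aviatrix code): a model of user-profile-based
security policy semantics.

A profile has a default action (allow all or deny all) plus rules keyed on
target address, protocol and port.  The policy a user gets is the one bound
to the profile at connect time: editing the profile does not change an
active session, while changing the user's profile (the API quarantine case)
terminates the session.  Profiles, rules and traffic here are constructed
sample data; the controller's actual rule format is not shown on this page.
"""
import copy
import ipaddress


class Profile:
    def __init__(self, name, default_action, rules=None):
        assert default_action in ("allow", "deny")
        self.name = name
        self.default_action = default_action
        # Each rule: (action, target CIDR, protocol or "any", (lo, hi) port range or None)
        self.rules = list(rules or [])

    def decide(self, dst_ip, proto, port):
        """First matching rule wins; otherwise the profile default applies."""
        ip = ipaddress.ip_address(dst_ip)
        for action, cidr, rule_proto, ports in self.rules:
            if ip not in ipaddress.ip_network(cidr):
                continue
            if rule_proto not in ("any", proto):
                continue
            if ports is not None and not (ports[0] <= port <= ports[1]):
                continue
            return action
        return self.default_action


class Session:
    """A connected VPN user; the gateway enforces a snapshot of the profile."""
    def __init__(self, user, profile):
        self.user = user
        self.policy = copy.deepcopy(profile)   # frozen at connect time
        self.active = True

    def allowed(self, dst_ip, proto, port):
        return self.active and self.policy.decide(dst_ip, proto, port) == "allow"


def change_profile(session, new_profile):
    """Model of the REST-API profile change: the existing session is
    terminated and the new policy applies only once the user reconnects."""
    session.active = False
    return Session(session.user, new_profile)


# Constructed profiles: contractors reach one web tier and DNS only;
# quarantine denies everything; employees are allowed all but one subnet.
CONTRACTOR = Profile("contractor", "deny", [
    ("allow", "10.0.1.0/24", "tcp", (443, 443)),
    ("allow", "10.0.0.2/32", "udp", (53, 53)),
])
QUARANTINE = Profile("quarantine", "deny")
EMPLOYEE = Profile("employee", "allow", [("deny", "10.0.9.0/24", "any", None)])

if __name__ == "__main__":
    s = Session("alice", CONTRACTOR)
    print("alice -> 10.0.1.20:443/tcp", s.allowed("10.0.1.20", "tcp", 443))
    print("alice -> 10.0.1.20:22/tcp ", s.allowed("10.0.1.20", "tcp", 22))
```

The snapshot in Session is what makes the "disconnect and reconnect for the new policy to take effect" behaviour visible; quarantining via change_profile is the only path that takes effect against a live session, and it does so by ending that session.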
Can I combine LDAP and DUO authentication?

Yes. With both LDAP and DUO enabled on a gateway, a remote user launching the VPN client must enter his or her LDAP credentials and then approve the authentication request received on a registered mobile device to log in to the VPN.

Is Okta supported?

Yes. Okta with MFA is also supported. Follow the Okta setup instructions referenced above.

Policy Based Routing

How does Policy Based Routing (PBR) work?

When PBR is enabled at gateway launch time, all VPN user traffic arriving at the gateway is forwarded to a specified IP address, the PBR default gateway. You must specify the PBR Subnet, which in AWS must be in the same availability zone as the gateway's eth0 interface. Combined with encrypted peering, PBR lets VPN users reach any instance in the peered VPC/VNets, which helps build an end-to-end cloud networking environment; for details, check out our reference design. Other use cases for PBR are routing all Internet-bound traffic back to your own on-prem firewall device, or sending all user VPN traffic through a specific logging device.

Logging and Monitoring

How do I forward syslog events to my Logstash server?

Click Settings -> Logging -> Logstash logging and enter the required parameters to enable forwarding of controller syslog events and all gateways' syslog and auth logs to a Logstash server. Sumo Logic, Splunk and rsyslog are also supported.

What are the monitoring capabilities?

Active VPN users are displayed on the Dashboard. Click any username to display that user's VPN connection history. You can also disconnect a user from the Dashboard.

Is there an Operator account?

Yes. An operator account can only view the Dashboard and disconnect an active user from it. To create one, go to Settings -> Accounts -> Add. At the account name, type in Operator, then give it a password and an email notification address. You do not need to enter AWS credentials.
Encrypted Peering

What can Aviatrix encrypted peering do?

Aviatrix encrypted peering builds an encrypted tunnel between two VPC/VNets with a single click. The VPCs and/or VNets can be in different regions and different clouds. The solution enables you to build a full-mesh encrypted network, and you can enable stateful firewalls on each VPC/VNet to add further security measures.

How do I configure encrypted peering?

Step 1: At the Gateway menu, create a gateway in one existing VPC/VNet. VPN access may be disabled for this gateway.
Step 2: Repeat Step 1 with a different VPC ID or VNet name.
Step 3: At VPC/VNet menu -> Encrypted Peering -> Add, select the two gateway names and click Save.

Environment Stamping Networking

What does the Environment Stamping networking feature do?

Environment Stamping (envstamping) takes advantage of the unique nature of a Virtual Private Cloud (VPC) and offers a deployment architecture that is secure and scalable. envstamping provides a deployment solution where you can create identical environments, including identical VPC CIDRs, and access instances in those VPCs seamlessly and securely via encrypted tunnels, as shown in the picture below. In the picture, each managed VPC shares identical CIDRs, instance private IP addresses and security groups. CloudOps and developers access VPC instances by connecting to the gateway in the management VPC via the Aviatrix VPN capability.
Who should deploy this model?

This deployment model scales to any number of stamped environments and is suitable for SaaS providers, development and testing. With it, a SaaS provider can offer secure, single-tenant environments to its enterprise customers while still being able to access instances for maintenance and support. For example, a SaaS provider can give an enterprise customer its own AWS account and VPC environment. Customer data is completely isolated from other customers, and only authorized personnel can access customer instances for maintenance and troubleshooting.

What is the workflow to enable this feature?

Refer to this link for the workflow steps.

Administration

Can there be multiple admins?

Yes. Username admin is the default admin user, but you can create multiple users with admin privilege. Check out the reference design under Help to learn more about setting up multiple admin users.

Is there 2FA support for logging in to the console?

Yes. In addition to password login, DUO authentication is supported.