Secure Cloud Networking Architecture with Aviatrix
Jul 10, 2024
Lecture Notes: Secure Cloud Networking Architecture with Aviatrix
Speakers
Ron Reed: Solutions Engineer Leader at Aviatrix (2 years at Aviatrix)
Luke Bunkelman: Solutions Engineer at Aviatrix (4 years at Aviatrix)
Overview
Discussion on how to build a secure cloud networking architecture with Aviatrix.
Aim to provide a consistent, repeatable, and secure cloud network across multiple cloud providers.
Aviatrix Introduction
Aviatrix provides a networking and security platform that overlays on top of native cloud constructs.
Customers include various well-known brands.
Aviatrix layers on top of native cloud service provider (CSP) architectures like AWS, Azure, GCP, etc.
Focus on multi-cloud network consistency, visibility, control, security, and automation.
Central orchestration and visibility with Aviatrix Controller and CoPilot.
Cloud Networking Challenges/Problems Addressed
Inconsistent Architectures: Different architectures for different clouds (AWS, Azure, etc.). Lack of consistency and visibility across clouds and within individual clouds.
Complex Network Management: Multiple cloud accounts, different routing and security policies, and management tools per cloud.
Manual Configuration: Typical cloud network setup involves manual configurations, which are error-prone and non-repeatable.
Learning Curve: Different learning required for each cloud's networking and security setup.
Distributed Workloads: Challenges in managing security for distributed workloads across regions and clouds.
Perimeter Control: Difficult to maintain a secure, well-defined perimeter in a cloud environment. Easy access to and from the internet creates security risks.
High Costs: Using cloud-native constructs can be expensive.
Aviatrix Solutions
Core Components
Aviatrix Controller: Centrally manages and orchestrates cloud networks. Allows multi-cloud deployments from a single controller instance in any cloud (AWS, Azure, GCP, OCI, etc.). Not SaaS or a managed service; customers own and operate it.
Aviatrix Gateways: Deployed within VPCs/VNets providing end-to-end encrypted tunnels, acting as the data plane.
Aviatrix CoPilot: Provides visibility and analysis of network traffic, topology mapping, netflow traffic, and operational metrics.
Key Features
Multi-Cloud Networking: Connects different cloud environments with a consistent architecture and centralized management.
High-Performance Encryption: Full line-rate encryption between VPCs, on-prem, and other facilities. Supports up to 90 Gbps throughput.
Service Chaining: API calls to integrate third-party services (e.g., firewalls, SSL encryption).
Embedded Security: Distributed firewalling and consistent security policies across multiple clouds.
Network Segmentation: Label-based segmentation policies that follow workloads regardless of the cloud or region.
Enterprise Operational Visibility: Central view of network traffic, issues, and threats through CoPilot.
Cost Optimization: Sharing and accurately billing the usage of shared services.
Security Enhancements
Secure Egress (Distributed Cloud Firewall)
Integrates firewalls directly into the network fabric, providing distributed inspection and enforcement.
Reduces the complexity and cost of managing central firewalls.
Enhances security: blocks known malicious IPs and provides threat prevention, micro-segmentation, and encryption.
Provides abilities for zero-day threat hunting and anomaly detection.
Reduces NAT gateway costs by centralizing security at the egress point.
Automation and Terraform
Modules: Aviatrix provides a robust set of modules for automating cloud networking with Terraform. Modules allow abstracted and reusable code constructs.
Integration: Capable of integrating with existing CI/CD pipelines.
High Maturity: Proven reliability and extensive usage of Aviatrix Terraform provider.
Ease of Use: Simplifies cloud deployments with reduced lines of code and higher efficiency.
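As an added example that is not part of the original notes or Aviatrix's own code, the label-based segmentation (policies follow a workload tag across clouds) and the Distributed Cloud Firewall egress control described above can be expressed with the Aviatrix Terraform provider (AviatrixSystems/aviatrix, assumed to be configured against a reachable Controller). The tag key/value, group names, priorities and port are constructed; attribute names should be checked against the provider version in use.

```hcl
# Label-based grouping: every VM carrying the tag env=prod is a member,
# whichever cloud, account or region it runs in (tag key/value constructed).
resource "aviatrix_smart_group" "prod_workloads" {
  name = "prod-workloads"
  selector {
    match_expressions {
      type = "vm"
      tags = { env = "prod" }
    }
  }
}

# Explicit destination group for the public internet (egress target).
resource "aviatrix_smart_group" "internet" {
  name = "internet"
  selector {
    match_expressions {
      cidr = "0.0.0.0/0"
    }
  }
}

# Distributed firewall policy list, evaluated by priority (lower number wins).
# Only TCP/443 egress from prod workloads is permitted; any other egress from
# that group is denied and logged, so the group fails closed instead of
# inheriting whatever broader rule sits below it in the list.
resource "aviatrix_distributed_firewalling_policy_list" "egress" {
  policies {
    name             = "prod-https-egress"
    action           = "PERMIT"
    priority         = 100
    protocol         = "TCP"
    logging          = true
    src_smart_groups = [aviatrix_smart_group.prod_workloads.uuid]
    dst_smart_groups = [aviatrix_smart_group.internet.uuid]
    port_ranges {
      lo = 443
      hi = 443
    }
  }
  policies {
    name             = "prod-deny-all-egress"
    action           = "DENY"
    priority         = 200
    protocol         = "ANY"
    logging          = true
    src_smart_groups = [aviatrix_smart_group.prod_workloads.uuid]
    dst_smart_groups = [aviatrix_smart_group.internet.uuid]
  }
}
```

Because membership is derived from the tag rather than from IP ranges, a workload moved to another VPC, region or cloud keeps the same egress policy without the rules being rewritten; the logged DENY hits are what to review in CoPilot when a workload starts reaching somewhere it should not.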
Learning and Community Engagement
Training Programs: Aviatrix offers structured learning paths and professional certifications (ACE, ACE Design Expert, specialty training such as SAP, automation, etc.).
Community Involvement: Active community platform for sharing insights and solving issues collaboratively.
Summary Tools and Functionalities
Topology Mapping: Visual representation of network components and connections across multi-cloud environments.
FlightPath: Network troubleshooting tool providing details of routing paths, security group policies, ACLs, and possible network issues.
ThreatIQ: Threat detection and remediation within network traffic using threat intelligence databases.
Geo-Blocking: Blocking traffic from/to specific geographies.
CostIQ: Analyzes and allocates costs of shared services to appropriate cost centers based on usage.
Q&A and Demonstration
The layered approach was demonstrated using Aviatrix CoPilot, showcasing its capabilities in network visibility, threat management, and troubleshooting.
Provided responses to live questions, detailing latency impacts, integration with CI/CD pipelines, and cost savings.
Closing Notes
Encouraged continuing education via the Aviatrix training ecosystem.
Highlighted the significance of community involvement for growth and support.
Final questions and a visual demonstration of CoPilot were included.