ACE Prof Mod3a - Multi-Cloud Segmentation Domains

This document discusses multi-cloud network segmentation (MCNS) which allows grouping of virtual networks (VNets/VPCs/VCNs) across multiple cloud regions and providers based on similar security policies. MCNS is policy-based and consistent across accounts, subscriptions and projects. It provides segmentation for edge/access networks including on-premises data centers, branches and extranets. MCNS configuration involves enabling transit gateways, creating segments/security domains, defining connection policies, and associating spoke gateways or site-to-cloud connections to the appropriate segments.

Uploaded by

Syed Asad Raza

Multi-Cloud Network Segmentation (MCNS)

Solutions Engineering Team

www.aviatrix.com
Multi-Cloud Network Segmentation

● Provides network segmentation across multi-region and multi-cloud, including on-prem environment
● Group VNets/VPCs/VCNs with similar security policies
● Define your own segments
Multi-Cloud Network Segmentation
Use Cases

Aviatrix Multi-Cloud Network Segmentation

Policy Based Network Segmentation
• Global Aviatrix Controller
• Consistent / Repeatable
• Across accounts, subscriptions & projects

Cloud and Connection Agnostic
• Single cloud
• Intra-region or inter-region
• Multiple clouds

Edge/Access Segmentation
• On-Prem DCs
• Branches
• Extranets
• Cloud Peering

On-Demand Compliance/Governance
• Security Posture within minutes
• Aviatrix control plane realizes the intent
• Zero-Trust
• Flexible
• Automated

[Figure: a Blue Segment and a Green Segment joined by a Connection Policy, spanning AWS - REGION1, GCP – REGION1, GCP – REGION2 and AZURE - REGION1; each region has a Transit (some with FireNet) and VPC/VNet spokes, including shared services (SS), IT, BU1 and BU2 VPCs. Edge connections shown: Site 2 Cloud, Direct Connect, Express Route, Extranet, BRANCH OFFICES and DATA CENTER.]
Multi-Cloud Network Segmentation
Configuration: Multi-Cloud Transit → Segmentation → Plan
Step 1 – Enable Transit Gateway for Segmentation

Multi-Cloud Network Segmentation
Configuration: Multi-Cloud Transit → Segmentation → Plan
Step 2 – Create Segments/Security Domains
Step 3 – Connection Policy

Multi-Cloud Network Segmentation
Configuration: Multi-Cloud Transit → Segmentation → Build
Step 4 – Associate Spoke Gateways or S2C connections to the Segments/Domains
Multi-Cloud Network Segmentation
Topology

[Figure: lab topology. Spoke gateways and test hosts – OR-Spoke-1 10.150.89.134, OR-Spoke-3 10.152.24.64 and OR-SS 10.154.90.201 behind OR-Transit (ASN 65013, 10.160.0.0/16); AZSC-Spoke-1 172.16.6.20 and AZSC-Spoke-2 172.16.7.20 behind AZSC-Transit (ASN 65020, 172.16.10.0/16). Through an intermediate AS 64701 the transits reach the DATA CENTER 10.200.0.0/16, Partner-1 10.201.0.0/16 and Partner-2 10.202.0.0/16 (ASN 65050).]

Multi-Cloud Network Segmentation
Blue Segment

[Figure: the same topology annotated for the Blue segment – a Local-Blue group and a Remote-Blue group joined across the Transit layer, alongside Purple and Yellow segments.]

Multi-Cloud Network Segmentation
Red Segment

[Figure: the same topology annotated for the Red segment – a Local-Red group and a Remote-Red group joined across the Transit layer, alongside the Purple segment.]
Another MCNS Example (Demo)

[Figure: a single Aviatrix Controller managing four transits (Transit1–Transit4, ASNs 65101, 65102, 65201 and 65301, transit CIDRs 10.10.0.0/16, 10.20.0.0/16, 10.30.0.0/16 and 10.40.0.0/16) across the regions us-east-2, us-east-1, us-central1 and West US. Each transit has Spoke1/Spoke2 attachments drawn from 10.11.0.0/16, 10.21.0.0/16, 10.22.0.0/16, 10.31.0.0/16, 10.41.0.0/16 and 10.42.0.0/16.]

Multi-Cloud Network Segmentation
On-Prem via ExpressRoute

● Single DX or ER can be used to communicate between On-Prem and multiple CSP resources

[Figure: AZSC-Transit (ASN 65020, 172.16.10.0/16) with AZSC-Spoke-1 172.16.6.20 and AZSC-Spoke-2 172.16.7.20, and OR-Transit (ASN 65013, 10.160.0.0/16) with OR-Spoke-1 10.150.89.134, OR-Spoke-3 10.152.24.64 and OR-SS 10.154.90.201, both reached from the ON-PREM DATA CENTER (10.200.0.0/23) through Equinix (ASN 65050).]
Multi-Cloud Network Segmentation
Primary Secondary Transit Paths – Emerging Use Case

[Figure: the same two-transit topology (AZSC-Transit ASN 65020, 172.16.10.0/16; OR-Transit ASN 65013, 10.160.0.0/16) attached to the ON-PREM DATA CENTER (10.200.0.0/23, ASN 65050). One transit carries the Primary path and the other the Backup path, the backup being advertised with a Longer AS-Path.]
Multi-Cloud Network Segmentation
Packet Walk

AZSC-Spoke-2 workload-1 (Source IP): 172.16.7.20
OR-SS (Destination IP): 10.154.90.201

1. 172.16.7.20 sends a packet using RFC 1918 summary routes to Aviatrix Spoke Gateway in its own AZ
2. AZSC-Spoke1-AGW will forward the packet to AZSC-Transit-AGW
3. AZSC-Transit-AGW will forward the packet to its transit peer OR-Transit
4. OR-Transit gateway will forward the packet to OR-SS-Spoke gateway
5. 10.154.90.201 will receive the packet from OR-SS Spoke-AGW

[Figure: AZSC-Spoke-2 172.16.7.20 → AZSC-Transit (ASN 65020, 172.16.10.0/16) → OR-Transit (ASN 65013, 10.160.0.0/16) → OR-SS 10.154.90.201.]
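The four configuration steps (Plan and Build) and this packet walk, modelled together as an added Python example that is not Aviatrix code: segments, connection policies and spoke associations are plain tables, and packet_walk() returns the gateway hops a flow takes, or an empty list when no connection policy joins the two segments. Gateway names and host addresses follow the packet-walk slide; the /24 spoke CIDRs and which spoke belongs to which segment are assumptions.

```python
import ipaddress

# Constructed example (not from the deck): gateway names and host addresses follow the
# packet-walk slide; the /24 CIDRs and which spoke sits in which segment are assumptions.
SPOKES = {  # spoke gateway -> (VPC/VNet CIDR, its segmentation-enabled transit: Step 1)
    "OR-Spoke-1":   ("10.150.89.0/24", "OR-Transit"),
    "OR-Spoke-3":   ("10.152.24.0/24", "OR-Transit"),
    "OR-SS":        ("10.154.90.0/24", "OR-Transit"),
    "AZSC-Spoke-1": ("172.16.6.0/24",  "AZSC-Transit"),
    "AZSC-Spoke-2": ("172.16.7.0/24",  "AZSC-Transit"),
}
DOMAINS = {  # Step 2 (segments) and Step 4 (spoke-to-segment association) in one table
    "Blue":   {"OR-Spoke-1", "AZSC-Spoke-2"},
    "Red":    {"OR-Spoke-3", "AZSC-Spoke-1"},
    "Shared": {"OR-SS"},
}
# Step 3: connection policies are unordered pairs; any pair not listed is denied.
CONNECTION_POLICIES = {frozenset({"Blue", "Shared"}), frozenset({"Red", "Shared"})}

def domain_of(spoke):
    """Segment the spoke was associated to; None means never associated (isolated)."""
    return next((d for d, members in DOMAINS.items() if spoke in members), None)

def spoke_for_ip(ip):
    """Spoke VPC/VNet holding the address (spoke CIDRs in this example do not overlap)."""
    addr = ipaddress.ip_address(ip)
    for spoke, (cidr, _) in SPOKES.items():
        if addr in ipaddress.ip_network(cidr):
            return spoke
    raise ValueError(f"{ip} is not inside any spoke VPC/VNet")

def policy_allows(src_domain, dst_domain):
    """Same segment always talks; different segments only with a connection policy."""
    if src_domain is None or dst_domain is None:
        return False
    return src_domain == dst_domain or frozenset({src_domain, dst_domain}) in CONNECTION_POLICIES

def packet_walk(src_ip, dst_ip):
    """Gateway hops from source to destination, or [] when segmentation drops the flow.
    Simplification: the segment check is applied at the source transit, the point where
    routes of a segment without a connection policy are absent from the route table."""
    src, dst = spoke_for_ip(src_ip), spoke_for_ip(dst_ip)
    src_transit, dst_transit = SPOKES[src][1], SPOKES[dst][1]
    hops = [src, src_transit]          # steps 1-2: local spoke gateway, then its transit
    if not policy_allows(domain_of(src), domain_of(dst)):
        return []                      # no route toward the other segment: dropped
    if dst_transit != src_transit:
        hops.append(dst_transit)       # step 3: forward to the transit peer
    return hops + [dst]                # steps 4-5: destination spoke gateway delivers
```

Running packet_walk("172.16.6.20", "172.16.7.20") returns [] even though both spokes hang off the same transit, which is the point of the model: membership in different segments without a connection policy isolates them regardless of topology.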
Next: Security Domains
Thank you!

EVENTS: aviatrix.com/events
COMMUNITY: community.aviatrix.com