Aviatrix for Google Cloud Platform

Aviatrix Cloud Networking Solutions for Google Cloud Platform

Aviatrix cloud networking solutions empower CloudOps and cloud infrastructure engineers to be self-sufficient in managing cloud network infrastructure and network security. The product is fully integrated with Google Cloud Platform (GCP) networking to enable CloudOps engineers to easily build and scale their hybrid or all-in-cloud environments on GCP.

Aviatrix solutions complement GCP networking capabilities by providing the following additional capabilities:

  • SSL-based enterprise secure remote access.
  • Encrypted multi-cloud peering.
  • Encrypted cross-project peering.
  • Encrypted site-to-GCP scalable connectivity.
  • Encryption on Google Cloud Interconnect.

Unlike traditional networking virtual devices, Aviatrix provides a centrally managed, point-and-click, REST API-driven secure network solution for GCP. The central controller builds encrypted tunnel connections and security services by integrating with GCP infrastructure to launch gateway instances, modify GCP network routing tables, enforce security policies, and leverage other GCP services.

Aviatrix Networking and GCP Reference Architecture

The following figure illustrates a typical cloud network architecture in which Aviatrix controller and Aviatrix gateways are deployed in GCP networks that belong to the end customer or enterprise. Aviatrix controller is deployed in one of the customer’s GCP networks. The controller deploys the Aviatrix gateways that enable the services, which are described in the sections below.

GCP Cross-network and Cross-project Encrypted Peering

Cross-network encrypted peering enables enterprises to build full-mesh, partial-mesh, or hub-and-spoke connectivity between their GCP Virtual Private Cloud (VPC) networks.

A typical enterprise footprint in GCP has multiple projects owned by different business groups. A GCP project can span the globe across all GCP regions. Aviatrix Cloud Networking Solution for GCP provides point-and-click peering between GCP projects (cross-project peering) without any manual configuration of routing and other network level changes that are difficult to perform and maintain.

This solution, based on the Aviatrix central controller, simplifies cross-project peering. Highlights include:

  • High availability with standby tunnel and automatic failover.
  • Automatic discovery of GCP.
  • Automatic discovery of networks.
  • Configuration of routing across GCP networks; no static routes necessary.
  • Policy-based routing.
  • Stateful inspection for TCP port filtering at a GCP network level.

Multi-Cloud Encrypted Peering

Multi-cloud peering enables enterprises that deploy their public cloud across multiple cloud providers to connect securely to one another.

GCP VPC networks can now peer with Amazon Web Services (AWS) VPCs and Azure Virtual Networks (VNets). This inter-cloud networking feature enables GCP users to set up a multi-public cloud environment, and enables many IT application use cases such as cloud-to-cloud migration, cloud-to-cloud backup, and cloud-to-cloud disaster recovery.

GCP Multi-Cloud Encrypted Peering

Aviatrix cloud networking solution for GCP supports point-and-click peering between GCP, AWS, and Azure without any manual configuration of routing or other network-level changes that are difficult to perform and maintain by hand. Highlights include:

  • High availability with standby tunnel and automatic failover.
  • Automatic discovery of AWS, Azure, and GCP VPC networks.
  • Configuration of routing across VPCs/VNets; no static routes necessary.
  • Policy-based routing.
  • Stateful firewalling for TCP port-based filtering at a VPC and VNet level.
  • Point-and-click peering.

Site or Branch Office Peering

Branch office or site-to-cloud peering enables enterprise sites or branch offices to connect to GCP via IPsec connections over the Internet.

Figure: GCP Multi-Cloud Encrypted Peering

Aviatrix gateway is a highly scalable multi-function network services gateway that can support hundreds of IPsec connections from enterprise sites or branch offices. Aviatrix gateways also support Source and Destination NAT functions (SNAT/DNAT) to overcome overlapping IP address problems and other complex IP scenarios between GCP and the customer sites.

  • Offers high availability with standby tunnel and automatic failover.
  • Supports large-scale IPsec VPN termination.
  • Supports static route configuration.
  • Supports overlapping IP address ranges between GCP and on-premises network.
  • Supports policy-based routing.
  • Supports stateful inspection for TCP port-based filtering at GCP network level.
  • Supports IPsec interoperability with all standard IPsec routers and firewalls.
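The overlapping-address problem above is worth seeing concretely. The following is an added illustration (not Aviatrix code) of the two steps a gateway operator needs: detecting which site prefixes collide with the cloud network, and the 1:1 SNAT/DNAT rewrite that lets a colliding site still reach the cloud. It assumes the common "netmask NAT" approach in which each side addresses the other through an alias prefix of the same size as the real one; every prefix, host address and site name is constructed for the example.

```python
"""Overlapping-prefix detection and 1:1 (netmask-style) SNAT/DNAT between a
cloud network and branch sites.  Added illustration of the technique the text
describes, not Aviatrix code; all prefixes and site names are constructed."""
import ipaddress
from typing import Dict, List, Tuple


def find_overlaps(cloud_cidrs: List[str], sites: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (site_name, site_cidr, cloud_cidr) for every site prefix that
    overlaps a cloud prefix; those sites cannot be routed directly and need NAT."""
    cloud_nets = [ipaddress.ip_network(c) for c in cloud_cidrs]
    clashes = []
    for name, cidr in sites.items():
        site_net = ipaddress.ip_network(cidr)
        for cloud_net in cloud_nets:
            if site_net.overlaps(cloud_net):
                clashes.append((name, cidr, str(cloud_net)))
    return clashes


def _shift(addr: str, src_net: ipaddress.IPv4Network, dst_net: ipaddress.IPv4Network) -> str:
    """Move an address from src_net to the host with the same offset in dst_net
    (the 1:1 mapping a netmask NAT rule performs)."""
    ip = ipaddress.ip_address(addr)
    if ip not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    offset = int(ip) - int(src_net.network_address)
    return str(dst_net.network_address + offset)


class OverlapNatGateway:
    """Gateway between a site and a cloud network that use the same real prefix.
    Each side addresses the other through an alias prefix; the gateway rewrites
    both source and destination on the way through (SNAT + DNAT)."""

    def __init__(self, site_real: str, site_alias: str, cloud_real: str, cloud_alias: str) -> None:
        self.site_real = ipaddress.ip_network(site_real)
        self.site_alias = ipaddress.ip_network(site_alias)    # how the cloud sees site hosts
        self.cloud_real = ipaddress.ip_network(cloud_real)
        self.cloud_alias = ipaddress.ip_network(cloud_alias)  # how the site sees cloud hosts
        for real, alias in ((self.site_real, self.site_alias), (self.cloud_real, self.cloud_alias)):
            if real.prefixlen != alias.prefixlen:
                raise ValueError("alias prefix must be the same size as the real prefix")

    def site_to_cloud(self, src: str, dst: str) -> Tuple[str, str]:
        """Packet from a site host to a cloud alias address: SNAT the source into
        the site alias, DNAT the destination back to the real cloud address."""
        return (_shift(src, self.site_real, self.site_alias),
                _shift(dst, self.cloud_alias, self.cloud_real))

    def cloud_to_site(self, src: str, dst: str) -> Tuple[str, str]:
        """Return path: SNAT the cloud source into the cloud alias, DNAT the site
        alias destination back to the real site address."""
        return (_shift(src, self.cloud_real, self.cloud_alias),
                _shift(dst, self.site_alias, self.site_real))


def demo() -> Tuple[List[Tuple[str, str, str]], Tuple[str, str], Tuple[str, str]]:
    """Constructed scenario: branch-a reuses 10.10.0.0/24, which the cloud also uses."""
    cloud = ["10.10.0.0/24", "10.20.0.0/16"]
    sites = {"branch-a": "10.10.0.0/24", "branch-b": "192.168.5.0/24"}
    clashes = find_overlaps(cloud, sites)
    gw = OverlapNatGateway(site_real="10.10.0.0/24", site_alias="172.16.2.0/24",
                           cloud_real="10.10.0.0/24", cloud_alias="172.16.1.0/24")
    outbound = gw.site_to_cloud("10.10.0.5", "172.16.1.7")  # -> ('172.16.2.5', '10.10.0.7')
    reply = gw.cloud_to_site("10.10.0.7", "172.16.2.5")     # -> ('172.16.1.7', '10.10.0.5')
    return clashes, outbound, reply


if __name__ == "__main__":
    print(demo())
```

Because the mapping is a fixed offset within same-sized prefixes, the rewrite is stateless and reversible: the reply path undoes exactly what the forward path did, which is what makes 1:1 NAT suitable for site-to-cloud tunnels where both ends must initiate connections. The alias prefixes must be chosen so they do not overlap anything else either side routes.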

Remote Access: SSL VPN

Aviatrix Cloud Connect (ACC) enables enterprise-class secure remote access to GCP. Aviatrix SSL VPN to GCP offers global-scale, full-function remote access VPN capabilities. It enables an enterprise's employees and partners to directly connect into GCP over VPN.

Figure: GCP Remote Access

Combined with Aviatrix cross-project and inter-cloud peering, ACC allows users to securely access their environments with a single certificate, even if they are spread across multiple projects, networks, and cloud providers. This capability can greatly reduce user VPN management time for CloudOps. Comprehensive orchestration, monitoring, and logging can bring greater efficiencies to deployment and operation.

  • Supports remote access for end users to connect to the cloud directly.
  • Supports a wide range of clients: Windows, OS X, Linux, Chromebook, Android, and iOS.
  • Supports a scalable and highly available Cloud VPN solution.
    • Integrated with GCP load balancing, the solution scales to a very large number of VPN gateways to serve thousands of users and their bandwidth needs.
  • Supports multi-factor authentication: Duo, LDAP, and Okta.
  • Supports SAML authentication with Aviatrix proprietary VPN clients for Windows, OS X, and Linux.
  • Supports user-profile based access rules that allow administrators to define and enforce access privilege to any resources (network, protocols, and ports) in GCP VPC at the perimeter of the enterprise cloud network.
  • Supports the following log forwarders for remote logging: Logstash, Splunk, Sumo Logic, and rsyslog.
  • Supports split-tunnel and full-tunnel modes. Split-tunnel mode allows additional CIDRs to be pushed to the client.
  • Supports modular configuration, so settings can be added incrementally as your environment scales.
  • Provides an active-user dashboard and visibility into user browsing activity.
  • Requires no extra hop to access instances in different projects.
  • Supports policy-based multi-region and multi-cloud (AWS, Azure, and GCP) encrypted peering.
  • Supports multiple accounts for different business groups and projects.

Encryption on Google Cloud Interconnect

To businesses adopting hybrid cloud architecture, GCP provides dedicated connectivity to their environment using Cloud Interconnect.

Figure: GCP Encryption

Cloud Interconnect allows GCP customers to connect to Google using enterprise-grade connections with higher availability and/or lower latency than their existing Internet connections. Connections are offered by Cloud Interconnect service provider partners, and may offer higher SLAs than standard Internet connections. GCP also supports direct connections to its network through direct peering. Customers who cannot meet GCP at its peering locations, or do not meet peering requirements, may benefit from Cloud Interconnect.

Compared to connections over the internet, Cloud Interconnect is reliable and offers faster speeds, lower latency, and increased security.

Cloud Interconnect provides a private, high-bandwidth, low-latency link between a customer’s on-premises network and GCP without going through the Internet. However, packets between the on-premises edge and GCP travel through exchange points and third-party provider networks, and they are not encrypted.

Often, enterprises require encryption for security and compliance reasons. GCP edge gateways that terminate Cloud Interconnect links do not support encryption on Cloud Interconnect links.

Aviatrix provides a powerful solution to enable high performance encryption on top of an established Cloud Interconnect link to a customer site, as shown in the diagram above. Highlights include:

  • No additional hardware is required to encrypt traffic.
  • The central controller offers point-and-click deployment.
  • The Aviatrix Gateway interoperates with third-party IPsec-enabled routing and firewall devices.
  • Aviatrix gateways support 1:1 redundancy for high availability. The controller monitors all IPsec tunnel status. If the tunnel goes down, the controller automatically reprograms the cloud infrastructure routing table to switch to a standby gateway instance.
  • The controller provides diagnostic capabilities for troubleshooting the gateway and IPsec tunnel status.
  • Extensive logging allows administrators to have complete visibility of network traffic.
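The 1:1 redundancy bullet above describes a small control loop: poll tunnel state, and when the active tunnel drops, rewrite the cloud route so the site prefix points at the standby gateway. The following is an added simulation of that loop (not Aviatrix code) so the failover and alerting behaviour can be traced step by step. Gateway names, the site CIDR and the status samples are constructed, and the non-preemptive policy (no automatic fail-back while the standby stays healthy) is this example's own choice, not something the page states.

```python
"""Control-plane logic for 1:1 gateway redundancy: poll IPsec tunnel state and,
when the active tunnel is down, point the cloud route for the site at the standby
gateway.  Added illustration of the behaviour described above, not Aviatrix code;
gateway names, CIDRs and status samples are constructed, and the non-preemptive
policy (no fail-back while the standby is healthy) is this example's choice."""
from typing import Dict, List, Optional, Tuple

UP, DOWN = "up", "down"


class RouteTable:
    """Stand-in for a cloud VPC route table: destination CIDR -> next-hop gateway.
    Every change is recorded so that failovers are auditable."""

    def __init__(self) -> None:
        self.routes: Dict[str, str] = {}
        self.changes: List[Tuple[str, Optional[str], str]] = []  # (dest, old_hop, new_hop)

    def set_next_hop(self, dest: str, gateway: str) -> None:
        old = self.routes.get(dest)
        if old != gateway:
            self.routes[dest] = gateway
            self.changes.append((dest, old, gateway))


class FailoverController:
    """Watches one primary/standby gateway pair serving one site prefix."""

    def __init__(self, table: RouteTable, site_cidr: str, primary: str, standby: str) -> None:
        self.table = table
        self.site_cidr = site_cidr
        self.pair = (primary, standby)
        self.events: List[str] = []
        table.set_next_hop(site_cidr, primary)

    @property
    def active(self) -> str:
        return self.table.routes[self.site_cidr]

    def _other(self, gateway: str) -> str:
        return self.pair[1] if gateway == self.pair[0] else self.pair[0]

    def poll(self, tunnel_status: Dict[str, str]) -> str:
        """One monitoring cycle over the latest tunnel status per gateway.
        Returns 'steady', 'failover' or 'outage'."""
        active = self.active
        if tunnel_status.get(active) == UP:
            return "steady"                      # active tunnel healthy, nothing to do
        standby = self._other(active)
        if tunnel_status.get(standby) == UP:
            self.table.set_next_hop(self.site_cidr, standby)   # reprogram the route
            self.events.append(f"failover {self.site_cidr}: {active} -> {standby}")
            return "failover"
        self.events.append(f"ALERT {self.site_cidr}: no healthy tunnel ({active}, {standby} both down)")
        return "outage"                          # leave the route; nothing better exists


def run_scenario() -> Tuple[List[str], str, List[Tuple[str, Optional[str], str]], List[str]]:
    """Constructed sequence of tunnel-status samples as a monitor might report them."""
    table = RouteTable()
    ctl = FailoverController(table, "10.50.0.0/16", "gw-primary", "gw-standby")
    samples = [
        {"gw-primary": UP,   "gw-standby": UP},    # normal operation
        {"gw-primary": DOWN, "gw-standby": UP},    # primary tunnel drops -> failover
        {"gw-primary": DOWN, "gw-standby": UP},    # still down, already on standby
        {"gw-primary": UP,   "gw-standby": UP},    # primary back; no preemption
        {"gw-primary": UP,   "gw-standby": DOWN},  # standby drops -> back to primary
        {"gw-primary": DOWN, "gw-standby": DOWN},  # both down -> alert, route unchanged
    ]
    actions = [ctl.poll(s) for s in samples]
    return actions, table.routes["10.50.0.0/16"], table.changes, ctl.events


if __name__ == "__main__":
    for line in run_scenario()[3]:
        print(line)
```

Two points the trace makes visible: the route is only ever rewritten when a healthy alternative exists (a both-down sample raises an alert but leaves the existing route in place rather than black-holing traffic twice), and the change log on the route table is the record an operator would correlate with tunnel diagnostics when reviewing an incident.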

Related Resources

Deployment Guides

Documents describing how to download, deploy, and manage the Aviatrix controller and gateway in Google Cloud Platform.

Walkthrough Videos

A series of videos providing step-by-step instructions on how to deploy the Aviatrix Cloud Controller in Google Cloud.

White Papers

Strategic and technical white papers offer insights into the benefits of hybrid cloud networking.