Table of Contents

Description

Last week I got asked by a customer what I think about the AWS Firewall and if it would be wise for him to implement it in his environment.
I browsed fast through the various tech documents about it, got initially confused and realised that this is not one of those topics that I was going to understand fast and move on.

I invested more time into it, started reading about rule groups, stateless, statefull rules and … I needed a break. There was surely no quick answer in sight.

Going into the topic even deeper I reached the proverbial French saying “je ne sais quoi”.

Would I implement this firewall in my own environment ?

Maybe
Then again I’m a perfectionist, always afraid of failing…

I tend to find limitations, restrictions, imperfections and get easily disappointed.

If you want to learn I invite you to join me in this journey :)

Continue reading

Table of Contents

Description

A customer recently asked me about extending his existing Aviatrix environment from Azure to GCP.
This came with a small caveat.

In GCP he is using Functions.
One of those functions needs to:

  • reach a backend in Azure
  • be accessed from the Internet
  • be accessed by customers landing over Site2Cloud connections on Spokes

My initial lab setup for this scenario looked similar to this

Can you see the challenge here?
Wherever I would deploy a GCP function, it would just live outside the VPC by default.
I would NOT be able to control where traffic flows.
NOT able to easily apply various layers of security to it.
Have NO straightforward and consistent way to monitor what happens in real time and take measures in case I need to troubleshoot and fix its functionality.
I would be walking blind in the dark and get annoyed with the whole process.

For any challenge there is a solution :)
That’s the reason I chose to be a techie.

Continue reading

Table of Contents

Description

This will NOT be a 5 min reading article.
It will require more time but it will cover all areas of interest :)
Most importantly, at the end, your Setup will WORK.

Kudos to Adam, my colleague, who first tested this in his lab.
It served as a basis for both me and the customer later on.

To start things off, a little while back someone asked me how he can have:
Incoming Traffic from Outside -> Azure Aviatrix Environment with FW Inspection -> Spoke with his Application
and also Preserve the source IP address when it hits the FW Rules.

Why this ?

He wanted to use the real source IP for logging and filtering purposes on Aviatrix FireNet attached FWs.
Pretty understandable and reasonable.

He read our article from here:
Spoke Ingress with Application Gateway
He saw the Diagram:

but noticed that the Azure Application Gateway does SNAT and as such his Firenet Firewalls are not seeing the original User IP of the request.

One could argue that the X-Forwarded-For header added by the Azure Application Gateway can be used to preserve the original IP…

Do you see a corner case here ?
I for one did not at the beginning. I always rush through things.

What if your Application is NOT a WebApp and as such there is NO HTTP Header where to add the X-Forwarded-For to?

Continue reading

Welcome to my first post since I joined Aviatrix.
What is Aviatrix for the first time reader?

In very simple words:

  • Cisco/Juniper = the foundation for On-Prem solutions and traditional Datacenters.
  • Aviatrix steps in when it comes to the world of Multicloud.
    Connectivity, Visibility, Security in the datapath, Cloud born and IaaS powered (Terraform).

Spoiler Alert - Security on top
Log4J Detect & Block with Aviatrix inside your Cloud Environment

Coming back on topic…
Any system you deploy comes with its own alerting capabilities.
Most alerting capabilities offer first the functionality of sending emails to a noc or operations list where the Engineer On Duty usually monitors the events and takes action.
Simple, right?
Not when you’re growing and you have multiple different departments and solutions running in your company…each one sending you emails for each event that takes place.

A “normal” day in the life of an engineer can easily turn into this (yes, that is my very own mailbox):

I’ve been through this, especially when coming back after a bank holiday and it has always been painful to figure out what is still DOWN.
It was also challenging not to skip some alerts while rushing through emails and then be called later in the day to be asked why connectivity between some application components still does not work => Headache moment…

What if there was a different way of doing it ?
What about the Chatops model ?
MS Teams, Slack, Webex and the list goes on.

A pop-up you can never easily ignore :)

Scroll down to see how you can both personalise your Aviatrix alerts as well as have them delivered on an MS Teams chat channel.

Continue reading

Author's picture

Mihai Tanasescu

All Rounder and Jack of all trades (master of none? :) ).
Sailing the Cloud world with my fantastic team@Aviatrix, former Network, Systems Engineer (Cisco, Juniper, Linux, Openshift, Openstack).
A flavor of Security added to the mix (Offensive Security OSCE).
If there’s anything new and cool, then I like to learn about it. I’m also a fan of deep diving under the hood of a product to see what makes it tick as well as what breaks it.

Solutions Architect @ Aviatrix

Switzerland