The purpose of this document is to provide instructions for tuning network configurations to achieve a sub-10-second failover time when the on-prem and cloud network address ranges overlap.
The scenario is described in the following diagram:
In the above diagram, Client-1 and Client-2 need to communicate with the on-prem network. However, the Client-1 and Client-2 network address ranges overlap with each other and, worse yet, both overlap with the on-prem network address range (10.0.0.0/16). Such scenarios happen when Client-1, Client-2 and the on-prem network belong to three different organizations.
The traditional solution is to build an IPSEC tunnel between the two networks and use SNAT/DNAT rules to translate each address, as demonstrated in this example. Such a solution requires a potentially large number of SNAT/DNAT rules, which is difficult to configure and maintain.
With the introduction of Mapped Site2Cloud for address-overlapping networks, you no longer need to wrestle with individual SNAT/DNAT rules.
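To make the difference between per-host SNAT/DNAT rules and a mapped connection concrete, here is an added illustration (not Aviatrix code, and not from the original page) of the 1:1 network-to-network translation that a mapped connection performs: host bits are preserved and only the network bits are swapped, so one real/virtual CIDR pair replaces a rule per host. The real range 10.0.0.0/16 is from the page; the virtual ranges 172.16.0.0/16 and 172.17.0.0/16 and the host addresses are constructed assumptions.

```python
import ipaddress

# Constructed assumptions: both Client-1 and on-prem really use 10.0.0.0/16
# (from the page); each side is presented to the other through a distinct,
# non-overlapping virtual range chosen here for illustration only.
REAL_CLIENT1 = ipaddress.ip_network("10.0.0.0/16")
VIRTUAL_CLIENT1 = ipaddress.ip_network("172.17.0.0/16")  # how on-prem sees Client-1
REAL_ONPREM = ipaddress.ip_network("10.0.0.0/16")
VIRTUAL_ONPREM = ipaddress.ip_network("172.16.0.0/16")   # how Client-1 sees on-prem


def map_address(addr, src_net, dst_net):
    """1:1 (netmap-style) translation: keep the host bits of `addr` within
    `src_net`, and re-attach them to the network bits of `dst_net`."""
    ip = ipaddress.ip_address(addr)
    if ip not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("real and virtual ranges must have the same prefix length")
    host_bits = int(ip) - int(src_net.network_address)
    return str(ipaddress.ip_address(int(dst_net.network_address) + host_bits))


def client_to_onprem(src, dst):
    """Packet leaving Client-1 toward a virtual on-prem address.
    Source is translated to Client-1's virtual range (SNAT) and the
    destination back to the real on-prem range (DNAT)."""
    return (map_address(src, REAL_CLIENT1, VIRTUAL_CLIENT1),
            map_address(dst, VIRTUAL_ONPREM, REAL_ONPREM))


def onprem_to_client(src, dst):
    """Return path: a real on-prem host replying to Client-1's virtual address."""
    return (map_address(src, REAL_ONPREM, VIRTUAL_ONPREM),
            map_address(dst, VIRTUAL_CLIENT1, REAL_CLIENT1))


def per_host_rule_count(net):
    """Rules a traditional per-host SNAT+DNAT design would need for `net`
    (one SNAT and one DNAT rule per usable address)."""
    return 2 * (net.num_addresses - 2)


def mapped_rule_count():
    """A mapped connection needs one real/virtual pair per direction."""
    return 2


if __name__ == "__main__":
    print("Client-1 10.0.1.5 -> on-prem (seen as 172.16.2.9):",
          client_to_onprem("10.0.1.5", "172.16.2.9"))
    print("on-prem 10.0.2.9 -> Client-1 (seen as 172.17.1.5):",
          onprem_to_client("10.0.2.9", "172.17.1.5"))
    print("per-host rules for a /16:", per_host_rule_count(REAL_CLIENT1),
          "vs mapped:", mapped_rule_count())
```

The two real networks are identical here on purpose; the only thing that disambiguates the two sides inside the tunnel is the virtual range each is mapped to, which is why the virtual ranges must not overlap with each other or with any other route on either side.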
Note
This example uses an Aviatrix Gateway on the client site to simulate a fast-convergence environment.
Log in to the Controller console and go to Multi-CLOUD TRANSIT. Follow step 1, step 4 and step 6 respectively to launch the transit and spoke gateways and attach the spoke gateways to the transit.
Create a VPN tunnel between the Transit Gateway and on-prem.
Go to Controller Console -> Site2Cloud -> Setup.
Click "+Add New". Fill in the form, selecting "Mapped" for the Connection Type field, and click OK.
Field | Value |
---|---|
Go to Controller Console -> Site2Cloud -> Setup.
Click "+Add New". Fill in the form, selecting "Unmapped" for the Connection Type field, and click OK.
Field | Value |
---|---|
Go to Controller Console -> Settings -> Advanced.
- Click the "Tunnel" tab, change "Status Change Detection Time" and save the settings.
Field | Value |
---|---|
- Click the "Keepalive" tab and modify the Keepalive Template Configuration.
Field | Value |
---|---|
Go to Aviatrix Controller's Console -> Site2Cloud -> Setup.
Select the Spoke Gateway VPC and the spoke-gateway-to-client Site2Cloud connection, then click "Edit".
- Make sure only one tunnel is UP and the HA status is Active-Standby.
- DPD Timer is enabled; configure the DPD timers as shown below and click "Save and Apply".
Field | Value |
---|---|
- Forward Traffic to Transit Gateway is enabled.
- Event Triggered HA is enabled.
Select the Client VPC and the client-to-spoke Site2Cloud connection, then click "Edit".
- Make sure only one tunnel is UP and the HA status is Active-Standby.
- DPD Timer is enabled; configure the DPD timers as shown below and click "Save and Apply".
Field | Value |
---|---|
- Active Active HA is disabled.
- Event Triggered HA is enabled.
Bring down the IPSec primary tunnel and measure convergence.
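The document ends with "measure convergence" without saying how. Here is an added measurement helper (not part of the original page or of any Aviatrix tooling) that probes a host across the tunnel at a fixed interval, records each probe as up or down, and reports the longest contiguous outage against the sub-10-second target stated at the top of the document. The live probe assumes a Linux `ping` binary (`-c 1 -W <seconds>`); the sample data in `constructed_samples` is constructed for illustration and is what the stand-alone run uses.

```python
import subprocess
import time

FAILOVER_TARGET_S = 10.0  # sub-10-second target from the document


def probe_once(host, timeout_s=1):
    """Send one ICMP echo and report whether a reply came back.
    Assumes Linux iputils ping, where -W is the reply timeout in seconds."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def collect(host, duration_s, interval_s=0.5):
    """Probe `host` every `interval_s` for `duration_s`; return [(t, ok), ...].
    Run this while the primary tunnel is brought down."""
    samples = []
    end = time.monotonic() + duration_s
    while time.monotonic() < end:
        started = time.monotonic()
        samples.append((started, probe_once(host)))
        time.sleep(max(0.0, interval_s - (time.monotonic() - started)))
    return samples


def outages(samples):
    """Return (start, end) for every contiguous run of failed probes.
    An outage ends at the timestamp of the first successful probe after it;
    a run still failing at the end of the window ends at the last timestamp."""
    found, start = [], None
    for t, ok in samples:
        if not ok and start is None:
            start = t
        elif ok and start is not None:
            found.append((start, t))
            start = None
    if start is not None and samples:
        found.append((start, samples[-1][0]))
    return found


def longest_outage(samples):
    """Worst-case interruption seen, in seconds (0.0 if nothing failed).
    Resolution is the probe interval, so probe more often than the target."""
    return max((end - start for start, end in outages(samples)), default=0.0)


def meets_target(samples, target_s=FAILOVER_TARGET_S):
    return longest_outage(samples) < target_s


def constructed_samples(down_from, down_until, total_s=20.0, interval_s=0.5):
    """Constructed probe log: every probe succeeds except those with
    down_from <= t < down_until. Stands in for `collect` when offline."""
    count = int(total_s / interval_s) + 1
    return [(i * interval_s, not (down_from <= i * interval_s < down_until))
            for i in range(count)]


if __name__ == "__main__":
    # Offline demonstration on constructed data; swap in
    # collect("<host across the tunnel>", duration_s=60) for a live run.
    for log in (constructed_samples(5.0, 11.0), constructed_samples(5.0, 17.0)):
        print(f"outages={outages(log)} longest={longest_outage(log):.1f}s "
              f"target_met={meets_target(log)}")
```

Repeat the measurement several times and record the worst value: a single run that happens to start just before a DPD check will under-report the detection time.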
Done.