If you're using the Aviatrix platform and deploying through IaC methods, you will know that Aviatrix has an extensive Terraform provider, as well as Terraform modules that make deployment very easy. In some cases, however, you cannot or don't want to use Terraform and would rather integrate directly with the controller API to deploy the Aviatrix components that attach a workload VPC or VNET to the existing Aviatrix transit with Aviatrix spoke gateways. In this post we will go through the steps to accomplish this.
Let's first start with the steps that we have to accomplish in sequence:
Get the information we need for using the controller API
The Aviatrix controller provides a rich API we can leverage to accomplish the goals of this post. You can find the Aviatrix Postman API collections on the Aviatrix support portal. If you don't have an account, create one; after logging in, you should see a new menu entry, API, leading you to the API Downloads page. Download the Postman collection for your controller version, as well as the guide on how to use the Postman collection.
You can open the collection in Postman. If you don't have Postman installed just yet, download it here.
If you're unfamiliar with Postman, or with API requests in general, there are some good tutorials out there that may help you gain a basic understanding before reading on.
The first thing we need to do in order to work with the API is obtain an authentication token, called the CID. Before we can do that, we need to set up the environment in Postman so it has the credentials to authenticate against the controller. Go to Environments in Postman, set up your environment with these variables, and fill out the actual IP address and user credentials in the initial value fields:
Once done, make sure this environment is saved and selected in the top right-hand corner.
We are now ready to make the API call to authenticate and obtain the CID.
There is a specific API call to achieve this and you will find it in the Postman collection under Initial Setup -> Log into Controller & Get CID.
Once we hit Send, we should get a successful response showing us the CID:
OK, we can now make any other API call we want.
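The login step above, as an added example (not code from the original post and not Aviatrix's own code) for anyone who wants to script it instead of using Postman. It assumes the controller answers a form-encoded POST to https://&lt;controller&gt;/v1/api with action=login and returns JSON containing "return" and "CID", and that action=logout with the CID ends the session; the environment variable names AVX_CONTROLLER_IP, AVX_USERNAME, AVX_PASSWORD and AVX_CA_BUNDLE are chosen here. Reading the credentials from the environment keeps them out of a Postman environment, whose initial values are synced to your workspace when the environment is shared; the script also verifies the controller's TLS certificate rather than switching verification off, and never prints the CID, which is the session secret for every later call.

```python
"""Log in to the Aviatrix controller and obtain a CID without Postman.

Added example, not from the original post. Assumptions: POST to
https://<controller>/v1/api with a form-encoded body; login returns
{"return": true, "results": "...", "CID": "..."}; logout takes the CID.
"""
import json
import os
import ssl
import urllib.parse
import urllib.request


def build_login_body(username, password):
    """Form-encode the login request exactly as the Postman request does."""
    return urllib.parse.urlencode(
        {"action": "login", "username": username, "password": password}
    ).encode()


def parse_login_response(raw):
    """Return the CID from a login reply, or raise if the controller refused.
    The CID is the session secret for every later call: treat it like a
    password (do not print it, do not write it to logs or to disk)."""
    reply = json.loads(raw)
    if reply.get("return") is not True or not reply.get("CID"):
        raise PermissionError(
            f"controller rejected login: {reply.get('reason', 'no reason given')}"
        )
    return reply["CID"]


def post(controller, body, ca_bundle=None, timeout=30):
    """POST a form body to the controller API over TLS. The certificate is
    verified; if the controller uses a private CA, pass its bundle instead
    of disabling verification."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(
        f"https://{controller}/v1/api",
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read()


def login(controller, username, password, ca_bundle=None):
    """Authenticate and return the CID."""
    return parse_login_response(
        post(controller, build_login_body(username, password), ca_bundle)
    )


def logout(controller, cid, ca_bundle=None):
    """Invalidate the CID when the script is done instead of letting the
    session linger until it expires (action name is an assumption)."""
    body = urllib.parse.urlencode({"action": "logout", "CID": cid}).encode()
    return json.loads(post(controller, body, ca_bundle)).get("return") is True


if __name__ == "__main__":
    controller = os.environ["AVX_CONTROLLER_IP"]
    ca = os.environ.get("AVX_CA_BUNDLE")  # CA bundle for a private controller cert
    cid = login(controller, os.environ["AVX_USERNAME"], os.environ["AVX_PASSWORD"], ca)
    print("logged in; CID obtained (deliberately not printed)")
    logout(controller, cid, ca)
```

Every later request in the collection carries the CID in the request body; if you pass it on to other scripts, hand it over through the environment or a pipe rather than a command-line argument, which other users on the machine can read from the process list.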
Deploy the Aviatrix spoke gateways in our spoke VNET/VPC.
Let's assume you have the VNET or VPC already set up, and optionally have already deployed your application. We also assume you have created the subnets in which you want to deploy the Aviatrix spoke gateways. So our environment might look something like this:
In order to deploy the Aviatrix spoke gateways in the GW and HAGW subnets, we need a couple of details: the VPC ID and the subnet CIDRs of the respective subnets in which to deploy the gateways.
Once we have that information, we can go into Postman and look for the right API calls to use for spoke gateway creation. What's really helpful is that the Postman collection is modeled the same way as the controller UI, so we can easily find spoke gateway creation under Multi-Cloud Transit -> Setup -> Create Spoke Gateway.
We need to set the right values for the relevant parameters in the body of our request. The account_name must match the access account on our Aviatrix controller under which we want to deploy the gateway. Put in the other values for the VPC ID, the subnet CIDR and the gateway name as in the example below and hit Send.
After a couple of minutes, we should get a response telling us the deployment was successful:
We now have a single spoke gateway deployed as we can verify in the controller UI:
Our environment now looks like this:
To deploy an HA pair of gateways for redundancy, we need to use a different API call. Let's go to Multi-Cloud Transit -> Setup -> Enable Spoke HA. Just like when deploying the first gateway, we need to provide the right values in the body of this request. Set the gateway name to the name of the first gateway we just created, and configure the subnet where we want to deploy the second gateway (typically in a different AZ for better availability) as shown below, then hit Send.
After a couple of minutes, we should see this executed successfully as well:
We now have an HA pair of spoke gateways deployed, as we can see in the controller UI:
Our environment now looks like this:
Understand which transit gateways are available to attach to.
Deploying the spoke gateways is only part of the process. Next we need to attach them to our transit network. Let's see which transit gateways are available for attaching our spokes to. We are going to use Multi-Cloud Transit -> Setup -> List Transit Gateways to get a list of the transit gateways that already exist. We don't need to set any parameters in the body and can just hit Send straight away.
We get back a response with a list of transit gateways:
If we know which one to use, we're set for the next step. If we want to gather more details, we can look a gateway up via Gateway -> Get Gateway Information. We need to put the gateway name in the request body as shown below:
Hit Send to get the response like this:
Once we have established which transit gateway we want to attach our spoke to (e.g. the one in the same region), we can proceed to create the attachment.
Attach the spoke gateway to the transit gateway of our choosing.
We have decided to attach our spoke to the transit gateway named "avx-eu-cntral-1-transit". Let's create our API call under Multi-Cloud Transit -> Setup -> Attach Spoke to Transit Gateway. We need to provide our spoke and transit gateway names as shown here:
After hitting Send and waiting for a few seconds, we get back a successful response:
At this point, the Aviatrix controller will populate the spoke routing tables.
Our environment now looks like this:
The transit gateways are connected to the rest of the network and provide connectivity to any destinations behind them.
Set up optional capabilities, like the security domain or Firenet inspection policy.
If segmentation or Firenet are deployed, we may want to set up the correct security domain and inspection policy for our spoke.
In order to enable Firenet inspection, use the API call under Multi-Cloud Transit -> Transit Firenet -> Add Spoke to Transit Firenet Inspection. Set the request parameters as shown below and hit Send.
For setting up the security domain, let's first list all available security domains with Multi-Cloud Transit -> Segmentation -> List -> List Multi-Cloud Security Domains. We do not need to set any request parameters, so just hit Send to get a list like this:
Next we can attach our spoke gateway to any of the available domains, by using Multi-Cloud Transit -> Segmentation -> Build -> Associate Attachment to Multi-Cloud Security Domain. Set the request parameters to reflect the desired security domain name and attachment name:
After sending the request, we can see it successfully attached:
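The whole sequence from the spoke gateway deployment through the transit attachment and the optional Firenet inspection and security domain steps, as one added script (not code from the original post and not Aviatrix's own code). It assumes a CID already obtained as in the login step (read from an AVX_CID environment variable chosen here), form-encoded POSTs to https://&lt;controller&gt;/v1/api, JSON replies carrying "return", "results" and, on failure, "reason", and transit list entries with "gw_name" and "vpc_region" fields; the action and parameter names are recalled from the Aviatrix API rather than confirmed, so check each against the request bodies in the Postman collection for your controller version before using it. Every step checks the controller's "return" flag so a failed gateway creation stops the run instead of flowing into the attachment, the transit gateway is selected by region and the script refuses to guess when that is ambiguous, and a FakeController lets you dry-run the sequence offline.

```python
"""Steps 2 to 5 of this post as one script: spoke gateway, HA pair, transit
selection, attachment, optional Firenet inspection and security domain.

Added example, not from the original post. Action/parameter names below are
ASSUMPTIONS recalled from the Aviatrix API; verify them in the Postman
collection. The CID comes from the login step via AVX_CID.
"""
import json
import os
import ssl
import urllib.parse
import urllib.request


class AviatrixError(RuntimeError):
    """The controller answered "return": false, or its data made no sense."""


def make_http_sender(controller, ca_bundle=None):
    """Real transport: verified TLS, CID carried only in the POST body."""
    ctx = ssl.create_default_context(cafile=ca_bundle)

    def send(params):
        req = urllib.request.Request(f"https://{controller}/v1/api",
                                     data=urllib.parse.urlencode(params).encode(),
                                     method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=900) as resp:
            return json.loads(resp.read())
    return send


class FakeController:
    """Offline stand-in: records each request and answers from canned results
    (constructed for this example, not real controller output)."""

    def __init__(self, results):
        self.results, self.calls = results, []

    def __call__(self, params):
        self.calls.append(dict(params))
        if params["action"] not in self.results:
            return {"return": False, "reason": f"unknown action {params['action']}"}
        return {"return": True, "results": self.results[params["action"]]}


def call(send, cid, action, **params):
    """One API call; "return" is checked every time so a failed step stops
    the run instead of flowing into the next request."""
    reply = send({"action": action, "CID": cid, **params})
    if reply.get("return") is not True:
        raise AviatrixError(f"{action} failed: {reply.get('reason', 'no reason given')}")
    return reply.get("results")


def pick_transit(transits, region):
    """Attach to the transit in the spoke's region; refuse to guess unless
    there is exactly one candidate."""
    names = [t["gw_name"] for t in transits if t.get("vpc_region") == region]
    if len(names) != 1:
        raise AviatrixError(f"expected one transit gateway in {region}, found {names}")
    return names[0]


def deploy_spoke(send, cid, spoke, firenet_transit=None, domain=None):
    """spoke: dict with account_name, cloud_type, region, vpc_id, gw_name,
    gw_size, subnet, ha_subnet. Returns the name of the transit attached to."""
    call(send, cid, "create_spoke_gw", account_name=spoke["account_name"],
         cloud_type=spoke["cloud_type"], vpc_reg=spoke["region"], vpc_id=spoke["vpc_id"],
         gw_name=spoke["gw_name"], gw_size=spoke["gw_size"], public_subnet=spoke["subnet"])
    call(send, cid, "enable_spoke_ha", gw_name=spoke["gw_name"], public_subnet=spoke["ha_subnet"])
    transit = pick_transit(call(send, cid, "list_transit_gws"), spoke["region"])
    call(send, cid, "attach_spoke_to_transit_gw", spoke_gw=spoke["gw_name"], transit_gw=transit)
    if firenet_transit:  # inspected_resource_name format: check the collection's example body
        call(send, cid, "add_spoke_to_transit_firenet_inspection",
             transit_firenet_gateway_name=firenet_transit, inspected_resource_name=spoke["gw_name"])
    if domain:  # confirm the domain exists before associating, as the post does by listing first
        if domain not in call(send, cid, "list_multi_cloud_security_domain_names"):
            raise AviatrixError(f"security domain {domain!r} does not exist on this controller")
        call(send, cid, "associate_attachment_to_multi_cloud_security_domain",
             domain_name=domain, attachment_name=spoke["gw_name"])
    return transit


# Constructed sample data for the dry run (not a real environment).
SAMPLE_SPOKE = {"account_name": "aws-workloads", "cloud_type": 1, "region": "eu-central-1",
                "vpc_id": "vpc-0123456789abcdef0", "gw_name": "app1-spoke", "gw_size": "t3.small",
                "subnet": "10.1.0.0/28", "ha_subnet": "10.1.0.16/28"}
SAMPLE_TRANSITS = [{"gw_name": "avx-eu-cntral-1-transit", "vpc_region": "eu-central-1"},
                   {"gw_name": "avx-us-east-1-transit", "vpc_region": "us-east-1"}]
SAMPLE_RESULTS = {"create_spoke_gw": "created", "enable_spoke_ha": "done",
                  "list_transit_gws": SAMPLE_TRANSITS, "attach_spoke_to_transit_gw": "attached",
                  "list_multi_cloud_security_domain_names": ["Default_Domain", "Prod"],
                  "associate_attachment_to_multi_cloud_security_domain": "done"}

if __name__ == "__main__":
    # Dry run; for a real controller use make_http_sender(host, ca_bundle) as `send`.
    fake = FakeController(SAMPLE_RESULTS)
    print("attached to", deploy_spoke(fake, os.environ.get("AVX_CID", "dry-run"), SAMPLE_SPOKE, domain="Prod"))
```

Run it as-is for the dry run, then swap FakeController for make_http_sender with the CID in AVX_CID to execute against a controller. Because the spoke gateway creation can take minutes, the real sender uses a long timeout; on an AviatrixError partway through, look at which action failed before re-running, since the earlier steps are not idempotent (a second create_spoke_gw with the same name will itself be rejected).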
That's it, you're all set!