VPN with Overlapping Networks on GCP using Aviatrix

RK Kuppala
Published in The Cloudside View
Jan 23, 2022


We recently ran into an interesting scenario where we had to configure a site-to-site VPN between one of our customer’s VPCs (let’s assume 10.1.0.0/24) and an on-premise network (again, the CIDR is 10.10.0.0/24). We all know that it’s not directly possible to configure connectivity between two networks with colliding CIDR ranges unless you use something like PNAT (Policy NAT) on both sides (or Policy twice NAT on one side). If you would like to know more about the problem of overlapping networks and possible solutions, read this excellent article from practicalnetworking.net.

After looking at multiple solutions both on and off Google Cloud Marketplace, we zeroed in on Aviatrix, because they were the first to respond to our queries via their chatbot on the website and it also turned out to be the right solution for us technically and cost-wise too.

What follows is a tutorial that explains how to connect two GCP VPCs of the same CIDR range (since I can’t easily emulate an on-prem network, let’s just assume one of these VPCs is on-premise) using Aviatrix.

Prerequisites

I assume that you are already familiar with Google Cloud Platform and have a project to try this on. This tutorial uses gcloud commands wherever possible instead of taking you through multiple screenshots of the GCP console to create VPCs and so on. I also assume that you have an Aviatrix trial license. If not, you may request one here.

What we will build

In this tutorial, we will deploy the following.

We will also configure the Aviatrix Controller, an Aviatrix gateway, a VPN gateway in the on-premise VPC, and a VPN tunnel. The diagram below represents this setup at a high level.

[Diagram of the setup, made with Excalidraw]

So let’s get started! :)

Setup Aviatrix Controller

I assume you already have gcloud set up. Authenticate and set the project:

gcloud auth login
gcloud config set project yourown-aviatrix-poc

Create a management VPC and a subnet; this is where the Aviatrix Controller goes.

You need a firewall rule to allow yourself access to the Aviatrix GUI once it is provisioned. The command below opens access for 0.0.0.0/0, but you should limit access to the necessary IP addresses / CIDR ranges.

It’s a good idea to reserve a static public IP for your Aviatrix Controller VM so that you can map it to a DNS record, and also so that you can freely start/stop the VM without having to look up the changed IP.

gcloud compute addresses create aviatrix-ip --region=asia-south1
# get the IP address you just created (regional addresses need --region)
gcloud compute addresses describe aviatrix-ip --region=asia-south1

Create the Aviatrix Controller VM image. Note that the image source I am currently using is a public GCS bucket. You can get the latest source URI from the Aviatrix documentation here.

Create a VM from this image, and use the public IP we created in the previous step.

Once the instance is up, access it in the browser using its public IP. The user name and password for the initial login are Admin and the internal IP address of the controller VM, respectively.

After logging in, go through the one-time onboarding process. Go to “Onboarding” on the menu and choose Google Cloud Platform.

Enter the customer ID here (you will receive this from your trial request, or via direct email if you have already purchased Aviatrix). Enter an account name you like, enter the GCP project name, and upload the credential file of a service account that has enough access to launch instances and so on. You can check the detailed privileges needed at this link.

We will come back to the Aviatrix Controller UI later, for now, let’s proceed with the next steps.

Create VPCs that emulate production and on-premise networks

We are going to create two VPCs, a “Production network” in the Mumbai region and an “On-premise network” in the Delhi region. We will create the necessary firewall rules on both VPCs.

Create the prod-vpc-mumbai VPC and the prod-subnet-mumbai subnet with the CIDR range 10.1.0.0/24. Similarly, create the onpre-vpc-delhi VPC and the onprem-subnet-delhi subnet with the same CIDR range, 10.1.0.0/24.

We are going to create a couple of VMs, vm-01 and vm-02, in the “prod” and “on-prem” networks respectively to test connectivity. So it’s useful to allow IAP (Identity-Aware Proxy) for secure SSH access. Let’s create those firewall rules.

Let’s go ahead and launch these VMs now.

So now we have two VPCs with the same CIDR range. Next, we need to configure an Aviatrix gateway in the “production network”.

Configure Aviatrix spoke gateway in prod VPC

Come back to the Aviatrix Controller UI. We will now launch a spoke gateway in the prod-vpc-mumbai VPC. A gateway is nothing but an appliance that runs in a VM.

Go to https://your.controller.public.ip/#/transitnetwork/setup and scroll down to find the Spoke Gateway section. Fill in your respective details. You will see the account name you created in the first step in the dropdown. We will choose “Enable SNAT” because our gateway is going to be the NAT gateway for the spoke VPC.

Click on Create and this should launch a VM in the production VPC. It will take a few minutes; you can track progress here.

While the gateway is being provisioned, let’s go ahead and create a VPN Gateway for our on-premise VPC.

The Aviatrix gateway should have finished provisioning by now. Take note of its public IP address. We will go ahead and establish a tunnel from the on-premise VPN gateway to that gateway.

Note that the tunnel is route-based and that you generate the IKE pre-shared key yourself.

Note that the remote network IP range is the virtual CIDR range of the production VPC, 172.16.0.0/24, not its real range. The remote peer IP address is the IP address of the Aviatrix gateway we provisioned above in the prod VPC (Mumbai). Go ahead and create the tunnel.

On to the final step now: we will configure a Site2Cloud connection from the Aviatrix Controller for the gateway we provisioned, using mapped NAT.

Configure Prod VPC to Onprem Tunnel (Site2Cloud connection in Aviatrix)

Go to the Controller UI once again and navigate to Site2Cloud. Click on Add New under “Create New Site2Cloud connection”. Fill in the options as below.

Note that the remote gateway type is “generic” and the primary gateway is the one you created in the step above.

The remote gateway is the IP address of the VPN gateway in the on-prem VPC. Also pay attention to the pre-shared key and the virtual subnets: we are configuring the gateway to map the local real CIDR to a virtual CIDR and, similarly, the remote on-prem subnet to its own virtual CIDR.

Once created, you can go to Diagnostics and check that the spoke connection is up.

You will also see that the VPN tunnel we created is up now as well.

Testing Connectivity

We are finally ready to run some tests and see if vm-01 and vm-02 can communicate with each other. Before we do that, let’s create firewall rules to enable access: prod-vpc-mumbai should accept connections from the virtual CIDR range of onpre-vpc-delhi and vice versa (the real 10.1.0.0/24 range never appears on the other side of the tunnel). Let’s create those rules.
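To make the mapped NAT behind the Site2Cloud virtual subnets and these firewall rules explicit, here is an added Python model; it is not part of the article or of Aviatrix. It uses the article's values (both VPCs 10.1.0.0/24, prod's virtual range 172.16.0.0/24) and assumes 172.16.1.0/24 as the on-prem virtual range, which the article does not state; it shows that the prod ingress rule must admit the on-prem virtual range, not 10.1.0.0/24.

```python
import ipaddress

# Constructed model of the mapped (1:1) NAT used by the Site2Cloud connection.
# Values from the article: both VPCs are 10.1.0.0/24, prod's virtual range is
# 172.16.0.0/24. The on-prem virtual range 172.16.1.0/24 is an assumption.
PROD_REAL = ipaddress.ip_network("10.1.0.0/24")      # prod-vpc-mumbai, real
PROD_VIRT = ipaddress.ip_network("172.16.0.0/24")    # prod as seen from on-prem
ONPREM_REAL = ipaddress.ip_network("10.1.0.0/24")    # onpre-vpc-delhi, real
ONPREM_VIRT = ipaddress.ip_network("172.16.1.0/24")  # assumed: on-prem as seen from prod


def overlaps(cidr_a, cidr_b):
    """True when the two ranges share addresses, so plain routing cannot tell them apart."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def map_one_to_one(addr, real, virt):
    """Translate addr from the real subnet to its twin in the virtual subnet.

    Mapped NAT keeps the host part: 10.1.0.5 in 10.1.0.0/24 becomes 172.16.0.5
    in 172.16.0.0/24. Both subnets must be the same size for this to be 1:1.
    """
    ip = ipaddress.ip_address(addr)
    if ip not in real:
        raise ValueError(f"{ip} is not inside {real}")
    if real.prefixlen != virt.prefixlen:
        raise ValueError("real and virtual subnets must have the same prefix length")
    host_offset = int(ip) - int(real.network_address)
    return str(virt.network_address + host_offset)


def trace_onprem_to_prod(src_real, dst_virtual):
    """Follow one packet from an on-prem host to a prod host's virtual address.

    Returns (source address the prod firewall sees, real prod host it reaches).
    Traffic to prod's *real* 10.1.0.0/24 never enters the tunnel: the on-prem
    VPN gateway only routes 172.16.0.0/24 towards the Aviatrix gateway.
    """
    if ipaddress.ip_address(dst_virtual) not in PROD_VIRT:
        raise ValueError(f"{dst_virtual} is not in {PROD_VIRT}; it stays on the on-prem LAN")
    src_seen = map_one_to_one(src_real, ONPREM_REAL, ONPREM_VIRT)   # source NAT
    dst_real = map_one_to_one(dst_virtual, PROD_VIRT, PROD_REAL)    # destination NAT
    return src_seen, dst_real


def prod_ingress_allows(src_seen, allowed_cidr=str(ONPREM_VIRT)):
    """The prod firewall rule must admit the on-prem *virtual* range, not 10.1.0.0/24."""
    return ipaddress.ip_address(src_seen) in ipaddress.ip_network(allowed_cidr)
```

A rule written for 10.1.0.0/24 on the prod side would match only prod's own hosts, which is why the ingress rules in this step use the virtual ranges.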

You can now connect to the respective VMs and do a ping test.

Another cool thing in GCP is that you can run “connectivity tests” under Network Intelligence and see how the packets flow.

Cleanup

If you have followed this article so far, you have likely created multiple VMs that will incur costs. Please clean up the respective resources.

Hope you found this useful! Happy Hybrid networking! :)
