User VPN Flashcards
5 principles of Aviatrix User VPN
1 - Connect users to public cloud resources
2 - Cloud native (not backhaul to on-prem DC first)
3 - Least latency access
4 - enterprise grade: identity provider integration
5 - multi-cloud repeatability
What clients are supported with Aviatrix User VPN
OpenVPN
Aviatrix VPN
Aviatrix VPN client is preferred when?
- Client has MacOs, Windows, Linux or BSD
- require SAML authentication directly from VPN client software
Aviatrix User VPN Automates …..
Launch cloud native load balancer
automate target groups to attach VPN gateways to LB
domain name of the VPN endpoint
connection IP created for the .ovpn cert file provided to clients
seamless relaunch of VPN gateways after deletion without reissuing new .ovpn files (same IP)
A profile can be __________ with multiple users
associated
a user can be _________ with multiple profiles
associated
security based on use not _______
source IP
supports _______ profiles
multiple
__________ firewall rules
Automates
Geo VPN usage:
dynamically route VPN users to nearest Aviatrix VPN gateway based upon latency between user and gateways
users directed to AWS Route 53/Azure DNS that uses latency based routing policy OR choose between available regions
Default User VPN CIDR Block
192.168.43.0/24
Client Certificate Sharing facets
Disabled by default
Multiple users share same ovpn file
only used when authenticating with IDP
controller sees individual users, maintains history
How to preserve Client IP
VPN NAT must be disabled
VPN CIDRs must be advertised to transit for return traffic
PBR stands for?
Policy Based Routing
Reasons to use PBR Routing
Route VPN traffic via different gateway
anonymous web surfing
backhauling user traffic to cloud firewalls
user VPN client connection options
1 - Enforce minimum VPN client version
2 - Duplicate connections (disable for single connection policy)
To segment VPN users, tunnel access can be _______ OR _______
Split Tunnel (specify certain CIDRs) OR Full Tunnel (all user IP sessions, including Internet IP sessions, go through the VPN tunnel)
Aviatrix UserVPN authentication supports SAML …
Security Assertion Markup Language
support IDPs like Azure AD, Okta, Duo, Office365
user accounts onboarded on the IDP portal
users can be onboarded on Aviatrix if SAML is NOT required
FQDN Egress Filtering types (3)
HTTP - support wildcards
HTTPS - support wildcards after analyzing Server Name Indication (SNI) in TLS
Other TCP/UDP, SFTP/SSH - does not support wildcards
Egress FQDN filtering facets
HA secure for workloads or applications
centrally managed by controller
Filters internet bound egress traffic from workloads
filter tcp/udp traffic
filter destination host names allow/deny list
support wildcard and tags
supports instance in public/private subnets