Privately connecting to partner VPCs as application Consumer or Provider

Requirement:

1. Partner's (consumer) VPC needs access to apps in your VPC

Partner should only be allowed to access specific VPCs

2. You need to access services in a provider's VPC

Applications should only be able to access specific provider VPCs and applications

Must provision a simple and secure access method without exposing the service to internet
Provide optionality of enforcing NGFW inspection
Provide visibility into how traffic is moving with ability to look at flows and take packet captures

1. Partner's (consumer) VPC needs access to apps in your VPC:

2. You need to access services in a provider's VPC

Very similar to the first requirement but in the opposite direction
Aviatrix Spoke GWs in the services VPC can also be configured to NAT the traffic
Configure DNAT rule for the IP provided by partner in Provider-VPC
Source application will point traffic to the DNAT IP configured on Spoke GWs of Services VPC
Aviatrix Transit builds encrypted communication
Optionally insert NextGen Firewalls for transparent inspection
Deploy Aviatrix CoPilot for visibility and day2 operations.

The following NAT configurations would be applied to the Aviatrix Spoke GWs

Traffic from apps in spoke-1 will be destined to the LB in dedicated services spoke
NLB should be configured with IP of the Aviatrix Spoke GWs (not instance-IDs) as target pool members
NLB will send the traffic to Aviatrix Spoke GWs on the GW IP
Aviatrix Spoke GWs will DNAT the traffic and send to actual destination in the provider VPC with its address as source
Return traffic will come to Aviatrix Spoke GWs, to LB and off to original source via Aviatrix Transit