The Containment Era is here. →Explore

Network management is complex and multi-layered. Our Tech Deep Dive series is made for cloud architects, engineers, developers, operations, platform, and security teams who want the deeper technical explanation of the Aviatrix solution. We’ll explore the particular details of what makes our dataplane, feature set, and configuration work, and how they empower networking teams.

One of the biggest challenges of creating a hybrid network is working with multiple connectivity providers such as cloud service providers (CSPs), middle-mile colocation providers such as Megaport and Equinix, and even traditional WAN providers. AWS, Microsoft Azure, Google Cloud, Oracle, and Alibaba all use different structures, hierarchies, rulesets, policies, and default settings, to say nothing of the complexity of integrating other hybrid networks.

Trying to design and manage a network that spans two or more of these clouds, not to mention plenty of environments, applications, and other third-party solutions, is just as difficult as banking or working with employees across different countries with various currencies, taxes, and laws. Building a hybrid cloud network gives you freedom in flexibility, negotiation, cost optimization, and design, but without the right management solution, your network grows into a sprawling mess held together with bubbling gum and bailing wire.

Aviatrix SmartGroups are one simple feature that helps every team involve in networking – cloud architects, developers, DevOps, SecOps, and IT – to create a simple and consistent multicloud architecture. SmartGroups organize and categorize a vast and diverse network to empower you to create uniform security policies, resiliency options, high performance, and cost awareness in every site and location.

Here’s how they work.

SmartGroup Tags: Identity-Based Categorization

The key to Aviatrix SmartGroups are cloud-agnostic, universal tags that you can use to group any resource – AWS or Google VPCs, Azure VNets, Oracle VCNs, cloud accounts, regions, or any other resource managed from your Aviatrix CoPilot account. You can create SmartGroups to represent departments, business units, teams, projects, or other groupings for your business for which you want to set network-wide policies.

Using SmartGroup Tags

When you create an Aviatrix SmartGroup, you can classify it based on four types of tags:

  • CSP (cloud service provider) resource tags: these tags identify resources you can group. This is the best and easiest classification method, as this automatically includes new resources created in the Cloud with the same set of tags. In Google Cloud, you configure “labels” that can be selected as tags when creating your SmartGroup.

  • Resource attributes: classify by account or region.

  • IP addresses or CIDRs: for resources that are not tagged, you can directly specify IP addresses or CIDRs.

  • Edge sites (for policy-based routing): select an Edge Site ID used in a previously created Edge Gateway. These tags help you connect edge sties to your network

Harnessing the Power of Kubernetes SmartGroups

Aviatrix SmartGroups work seamlessly with another industry solution for simplified networking: Kubernetes. Kubernetes containerized networking offers new flexibility and agility, but Kubernetes clusters recycle IP addresses rapidly and bypass traditional subnet policies, limiting how granular you can get with security policies. Kubernetes SmartGroups enable you to filter and group pods by namespaces, services, or wildcard patterns, enabling granular policies that align with Kubernetes’ dynamic nature.

Using SmartGroups to Create Security Policies

After categorizing your network resources based on tags, you can set up security policies for each SmartGroup or multiple SmartGroups. This is where Aviatrix’s multicloud solution really harmonizes your network. Security policies within each cloud provider only work within that cloud provider, but cross-cloud connections are much harder to protect. These SmartGroup security policies empower you to build network-wide, multicloud, multi-region security policies you can easily create and enforce.

When you create a policy using our Distributed Cloud Firewall solution, you can use microsegmentation by selecting which SmartGroups are included in the policy. Here are some examples of policies you can set:

  • Deny traffic between a SmartGroup that covers all cloud resources in one region and a SmartGroup that includes resources in another region. This policy could help prevent lateral movement across your network.

  • Allow traffic between a SmartGroup that contains AWS and Google Cloud resources and another SmartGroup that contains Azure and OCI resources. This policy establishes multicloud connectivity between these resources.

  • Deny certain resources to reach resources based on geography, such as China, Russia or the US depending on the use case.

  • Allow Kubernetes resources to access corporate container registry resources while denying access to public (untrusted) container registries on the Internet.

For a step-by-step guide to creating SmartGroups and policies, see our technical documentation.

If your network feels like a patchwork of resources, regions, cloud accounts, and services, Aviatrix SmartGroups provide simplicity, consistency, and security.

Share This Article
Connect With Us

Ready to see Aviatrix in action?

Get a personalized live demo walkthrough or explore our latest deep-dive cloud threat research intelligence.

Gartner Report

Gartner Strategic Roadmap for Zero Trust Security Programs 2025 Report

Download and gain actionable insights to advance your cloud security strategy.

Download Now!
Recent Articles
Introducing the Aviatrix In Progress Podcast

Introducing the “In Progress” Podcast

Jul 08, 20263 min read
Zero Trust vs. Containment - Are They the Same?

Zero Trust vs. Containment: The Security Architecture Gap

Jul 07, 202610 min read
Validated Containment Architecture for AI Agent Harnesses Blog Image

Validated Containment Architecture for AI Agent Harnesses - OpenClaw / NemoClaw

Jul 01, 20264 min read
Every Team Has AI Tools Now. Is One Your Next Incident

Every Team Has AI Tools Now. Is One Your Next Incident?

Jun 30, 202612 min read

Keep Reading

Related Articles

Featured Categories

95a2292256ee0f5750aa745fc7d21d39c8ae2870

ACE Program

Explore Category
Rectangle 3966

Customers

Explore Category
5a9318112c7cc265fab072924a2acaa2122a1c9f

Cloud Network Security

Explore Category
Aws-card

AWS

Explore Category
partner_card

Partners

Explore Category
cloud networking heroes

Cloud Networking Heroes

Explore Category
azure_card

Azure

Explore Category
events_card

Events

Explore Category

Secure The Connections Between Your Clouds and Cloud Workloads

Leverage a security fabric to meet compliance and reduce cost, risk, and complexity.

Cta pattren Image