This video is part of the appearance, “Hedgehog Presents at Networking Field Day 38”. It was recorded as part of Networking Field Day 38 at 13:30-14:30 on July 9, 2025.
Hedgehog CTO Manish Vachharajani explained how Hedgehog gateway peering functions as a new component to overcome limitations of switch-based VPC peering. While switch-based peering offers full cut-through bandwidth, traditional switches lack the CPU and RAM for stateful network functions like firewalling, NAT, and handling large routing tables or TCP termination. The Hedgehog Gateway addresses this by leveraging a CPU-rich, high-bandwidth server positioned in the traffic flow between VPCs. This commodity hardware, combined with modern NICs featuring hardware offloads for NAT and VXLAN, can achieve significant throughput (initially targeting 40 Gbps, with plans for 100 Gbps and higher). The gateway operates by acting as a VTEP and selectively advertising routes to attract specific traffic, performing necessary network transformations (including implied NAT as demonstrated), and then re-encapsulating and transmitting packets to their destination VPC.
Sergei Lukianov, Chief Architect, demonstrated VPC peering with basic firewall functions that aim to replace Zipline’s existing Palo Alto Firewalls. The demo illustrated how the gateway enables communication between VPCs with overlapping IP addresses by performing NAT. This involves the gateway advertising NAT’d IP prefixes into the VRFs of peered VPCs, allowing traffic to be routed through the gateway. The demonstration highlighted the comprehensive visibility provided by Hedgehog’s data plane on the gateway, offering insights into traffic flow that traditional switches often lack. While introducing a slight latency increase due to the additional hops (though the demo used debug images, exaggerating this), the gateway offers significantly more flexibility and functionality than switch-based peering.
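As an added illustration (not Hedgehog's code; the VPC names, VNIs and the 100.64.0.0/10 NAT ranges are constructed assumptions), the following Python model shows the mechanism the demo described: each VPC's NAT'd prefix is advertised into the peer's VRF with the gateway as next hop, the gateway translates both addresses 1:1 and re-encapsulates toward the destination VPC's VNI, and traffic that stays inside a VPC never reaches the gateway at all.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Vpc:
    name: str
    vni: int                            # VXLAN VNI the gateway VTEP uses for this VPC
    prefix: ipaddress.IPv4Network       # real address space (may overlap with a peer's)
    nat_prefix: ipaddress.IPv4Network   # NAT'd view of this VPC advertised to peers
    routes: dict = field(default_factory=dict)  # this VPC's VRF: prefix -> next hop

def translate(addr, from_net, to_net):
    # 1:1 prefix NAT: keep the host bits, swap the network bits.
    host = int(addr) - int(from_net.network_address)
    return ipaddress.IPv4Address(int(to_net.network_address) + host)

class Gateway:
    def __init__(self):
        self.vpcs = {}

    def attach(self, vpc):
        self.vpcs[vpc.name] = vpc
        vpc.routes[vpc.prefix] = "local"  # intra-VPC traffic never reaches the gateway

    def peer(self, a_name, b_name):
        # Advertise each side's NAT'd prefix into the other VRF with the gateway as
        # next hop, so only traffic bound for the peer is attracted to the gateway.
        a, b = self.vpcs[a_name], self.vpcs[b_name]
        a.routes[b.nat_prefix] = "gateway"
        b.routes[a.nat_prefix] = "gateway"

    def forward(self, src_vpc_name, src, dst):
        # Returns the re-encapsulated packet, or None if dst's longest match in the source VRF is not the gateway.
        src_vpc = self.vpcs[src_vpc_name]
        src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        matches = [p for p in src_vpc.routes if dst in p]
        if not matches or src_vpc.routes[max(matches, key=lambda p: p.prefixlen)] != "gateway":
            return None
        dst_vpc = next(v for v in self.vpcs.values() if dst in v.nat_prefix)
        return {"vni": dst_vpc.vni,
                "src": str(translate(src, src_vpc.prefix, src_vpc.nat_prefix)),
                "dst": str(translate(dst, dst_vpc.nat_prefix, dst_vpc.prefix))}

def build_demo():
    # Constructed sample: two VPCs that both use 10.0.0.0/24, peered through the gateway.
    gw = Gateway()
    gw.attach(Vpc("vpc-a", 1001, ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("100.64.1.0/24")))
    gw.attach(Vpc("vpc-b", 1002, ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("100.64.2.0/24")))
    gw.peer("vpc-a", "vpc-b")
    return gw
```

A host in vpc-a reaches 10.0.0.7 in vpc-b by sending to 100.64.2.7; the gateway rewrites it to src 100.64.1.5, dst 10.0.0.7 on VNI 1002, and the reply is rewritten symmetrically.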
Looking ahead, Hedgehog plans to enhance the gateway’s capabilities by moving the software onto DPUs (Data Processing Units) within the host, such as NVIDIA BlueField, for improved performance and scalability. This approach would significantly reduce latency and allow for deeper network extension into virtual environments like VMs and containers. The gateway also includes basic security functionality such as ACLs and port forwarding, with a roadmap to add more advanced features like DDoS protection, IDS/IPS, and Layer 7 inspection according to customer demand or open-source contributions. Furthermore, Hedgehog aims to support multi-data center deployments through Kubernetes Federation, allowing independent clusters to connect via gateway tunnels while presenting a unified API to the end user.
Personnel: Manish Vachharajani, Sergei Lukianov