Welcome to Aviatrix Docs

All Aviatrix product documentation can be found here. If you cannot find what you need, email us at support@aviatrix.com. Hats off to all who helped fix typos and mistakes. You can do that too by clicking the “Edit on GitHub” button on the top right corner of any document. Please also visit our main website for more information regarding use cases and upcoming events.

While all content is searchable, the site is organized into the following sections:

• Getting Started
• Onboarding and Accounts
• Gateway
• Transit Gateway Orchestrator
• Encrypted Transit Network
• Firewall Network (FireNet)
• CloudWAN
• Peering
• Site2Cloud
• OpenVPN®
• Security
• Useful Tools
• Settings
• Troubleshoot
• REST APIs
• Downloads
• Release Notes
• Tech Notes
• Good To Know
• Support Center
• IPmotion
• Troubleshooting Playbook

Getting Started

• Aviatrix Overview
• AWS Startup Guide
• Azure Startup Guide
• Oracle Cloud Infrastructure (OCI) Startup Guide
• Google Startup Guide
• Aviatrix Operations Overview
• Virtual Appliance CloudN
• Test Drive CloudN on Your Laptop
• AWS China Startup Guide
• Frequently Asked Questions

Onboarding and Accounts

• Onboarding and Account FAQs
• Access Account
• IAM Roles for Secondary Access Accounts
• Customize Aviatrix IAM Role Names for Secondary Accounts
• AWS IAM Policies
• Aviatrix IAM Policy Requirements
• Customize AWS-IAM-Policy for Aviatrix Controller
• Azure ARM
• GCP Credentials
• Oracle Cloud Infrastructure (OCI) Onboarding Guide
• Admin Users and Duo Sign in
• Aviatrix Companion Gateway
• Quick Tour
• Account with Access Key
• Account Audit

Gateway

• Gateway
• Gateway and Tunnel HA Options
• Gateway Audit

AWS Transit Gateway Orchestrator

• AWS TGW Orchestrator FAQ
• AWS Transit Gateway Orchestrator Plan
• AWS Transit Gateway Orchestrator Build
• TGW Approval
• AWS Transit Gateway Orchestrator Design Patterns
• Aviatrix Transit Gateway Encrypted Peering
• Migrating a CSR Transit to Next Gen Transit for AWS
• Migrating a DIY TGW to Aviatrix Managed TGW Deployment
• Aviatrix Transit Gateway to External Devices
• Global Transit Network Workflow Instructions (AWS/Azure/GCP/OCI)

Encrypted Transit Network

• Transit VPC/VNET FAQ
• Global Transit Network Workflow Instructions (AWS/Azure/GCP/OCI)
• Aviatrix Transit Gateway to External Devices
• Encrypted Transit Approval
• Transit Network Design Patterns
• Setup Transit Network using Aviatrix Terraform Provider
• Transit FireNet FAQ
• Transit FireNet Workflow
• ActiveMesh FAQ
• ActiveMesh Design Notes
• Aviatrix ActiveMesh Workflow
• Insane Mode Encryption FAQ
• ActiveMesh Insane Mode Encryption Performance
• Insane Mode CloudN Deployment Checklist

Firewall Network (FireNet)

• Firewall Network FAQ
• Firewall Network (FireNet) Workflow
• Firewall Network Design Patterns
• Setup API Access to Palo Alto Networks VM-Series
• Ingress Firewall Setup Solution
• Example Config for Palo Alto Network VM-Series
• Bootstrap Configuration Example for VM-Series
• Example Config for FortiGate VM in AWS
• Setup Firewall Network(Firenet)
• Deploy Checkpoint instance From AWS marketplace
• Setup Firewall Network(Firenet)
• Deploy PFsense instance From AWS marketplace
• Deploying a Barracuda CloudGen Firewall for use with the Aviatrix FireNet

CloudWAN

• Aviatrix CloudWAN FAQ
• Aviatrix CloudWAN Workflow

Security

• Stateful Firewall FAQ
  • What is Aviatrix Stateful Firewall?
  • How many rules can be configured on a gateway?
  • What is the REST API to configure stateful firewall?
  • Is there limitation on the number of tags?
  • How to configure stateful firewall?
• Tag Based Security Policy
  • 1. Define a Tag
  • 2. Edit a Tag
  • 3. Apply Policy
  • 4. View Policy and Tags
  • 5. Example Use Case
• Egress FQDN FAQ
  • Why is Egress Control Filter needed?
  • What does the Aviatrix FQDN feature do?
  • How does it work?
  • How do I Enable 2 AZ HA for FQDN gateways?
  • How do I enable 3 AZ HA for FQDN gateways?
  • How does Aviatrix Egress FQDN compare to Squid Solution?
  • How do I Troubleshoot FQDN Problems?
• Egress Control Filter
  • Configuration Workflow
  • Exception Rule
  • Export
  • Import
  • Edit Source
  • Enable Private Network Filtering
  • Disable Private Network Filtering
  • Customize Network Filtering
• Egress FQDN Discovery
  • Start
  • Stop
  • Show
  • Download
• Egress FQDN View Log
• Amazon GuardDuty Integration
  • Configuration
  • Integration and Enforcements
• Public Subnet Filtering Gateway FAQ
  • What does Public Subnet Filtering gateway do?
• PrivateS3 FAQ
  • What is the security exposure when uploading files to AWS S3 over Direct Connect?
  • What is Aviatrix PrivateS3?
  • What are the benefits of PrivateS3?
  • How does PrivateS3 work?
  • How to deploy PrivateS3?
  • Can PrivateS3 work for traffic initiated from a VPC?
  • Is there an additional AWS data charge by going through the Aviatrix gateway?
  • Can PrivateS3 be deployed in TGW environment?
  • Can Direct Connect termination VPC be in a different region of managed S3 buckets?
  • Can PrivateS3 gateway be in a different region of managed S3 buckets?
  • Can PrivateS3 solution scale out?
  • How can I test PrivateS3?
  • How do I troubleshoot PrivateS3?
  • Why doesn’t AWS S3 list command work?
• PrivateS3 Workflow
  • Step 1. Launch an Aviatrix Gateway
  • Step 2. Enable/Edit PrivateS3
  • Step 3. Create on-prem DNS Private Zone

Peering

• Peering FAQ
• Peering
• Encrypted Transitive Peering
• Cluster Peering
• Multi Cloud: Connecting Azure to AWS and GCP
• Peering Over Route Limit

Site2Cloud

• Site2Cloud FAQs
• Site2Cloud IPSec VPN Instructions
• Aviatrix Gateway to Azure VPN Gateway
• Aviatrix Gateway to Aviatrix Gateway
• Aviatrix Gateway to AWS VGW
• Aviatrix Gateway to Oracle DRG
• Aviatrix Gateway to Palo Alto Firewall
• Aviatrix Gateway to Check Point(R77.30)
• Aviatrix Gateway to Check Point(R88.10)
• Aviatrix Gateway to Cisco ASA
• Aviatrix Gateway to Cisco IOS Router
• Aviatrix Gateway to Sonicwall
• Aviatrix Gateway to pfSense
• Aviatrix Gateway to FortiGate
• Aviatrix Gateway to Meraki MX64
• Aviatrix Gateway to Meraki vMX100
• Aviatrix Gateway to Juniper SRX
• CloudN for Site2Cloud
• Site2Cloud Case Study
• Encryption over DirectConnect/ExpressRoute
• Connect Networks With Overlap CIDRs
• Connect Overlapping VPC to On-prem

OpenVPN®

• Configuring Aviatrix User SSL VPN
  • Additional Information
  • Configuration Workflow
  • Conclusion
• Aviatrix OpenVPN® FAQs
  • How do I launch a VPN gateway?
  • How can I avoid managing multiple VPN user certs?
  • How do I scale out VPN solution?
  • How do I setup Okta authentication for VPN?
  • How do I enable Geo VPN?
  • How do I add a VPN user?
  • What user devices are VPN client software supported?
  • Is NAT capability supported on the gateway?
  • Is full tunnel mode supported on the gateway?
  • Can the maximum number of simultaneous connections to VPN gateway be configured?
  • What is user profile based security policy?
  • How do I setup profile based security policies?
  • How do I assign a user to a profile?
  • What if I want to change profile policies?
  • How do I change a user’s profile programmatically?
  • Is DUO multi-factor authentication supported?
  • How do I configure LDAP authentication?
  • Can I combine LDAP and DUO authentication?
  • Is OKTA supported?
  • How does Policy Based Routing (PBR) work?
  • What are the monitoring capabilities?
  • Does the Aviatrix OpenVPN® solution support SAML client?
  • When should I use the Aviatrix VPN client?
  • Are multiple VPN configuration profiles supported by the Aviatrix VPN client?
  • What is “Client Certificate Sharing”?
  • How do I fix the Aviatrix VPN timing out too quickly?
  • Where do I find the log for the Aviatrix Client?
  • Why can’t my VPN client access a newly created VPC?
  • How do I turn off NAT with an OpenVPN® gateway?
  • What IP Address is used for NAT’ing the VPN Clients?
• Aviatrix OpenVPN® Feature Highlights
  • VPN Management
  • Authentication Options
  • Authorization
  • Scale Out Performance
  • Logging Integration
  • Client Software
• OpenVPN® Design for Multi Accounts and Multi VPCs
  • Multiple VPCs in one region
  • Multiple VPCs in multi regions, split tunnel
  • Multiple VPCs in multi regions, full tunnel, your own firewall
  • Use AWS Transit Gateway to Access Multiple VPCs in One Region
  • User VPN Solution for Multi Cloud
• VPN Access Gateway Selection by Geolocation of User
  • Overview
  • VPN Access Details
  • Configuration Workflow
• UDP LoadBalanced VPN using DNS
  • Configuration Workflow
• LDAP Configuration for Authenticating VPN Users
  • Overview
  • Configuration Details
• Okta Authentication with Okta API Token
  • Overview
  • Obtain API Token from Okta
  • Setup Okta Authentication
  • Create User(s)
  • Validate
• Duo Authentication
  • Get Duo API Credentials
  • Connect Aviatrix VPN with Duo
  • Validate
• OpenVPN® with SAML Authentication
  • 1. Overview
  • 2. Pre-Deployment Checklist
  • 3. Configuration
• SAML Profile as an Attribute
• OpenVPN® with SAML Authentication on Okta IDP
  • Overview
  • Pre-Deployment Checklist
  • Configuration Steps
• OpenVPN® with SAML Authentication on Google IDP
  • Overview
  • Pre-Deployment Checklist
  • Configuration Steps
• OpenVPN® with SAML Authentication on OneLogin IdP
  • Overview
  • Pre-Deployment Checklist
  • Configuration Steps
  • Test the Integration
• OpenVPN® with SAML Authentication on AWS SSO IdP
  • Overview
  • Pre-Deployment Checklist
  • Configuration Steps
  • Validate
• OpenVPN® with SAML Authentication on Azure AD IdP
  • Overview
  • Pre-Deployment Checklist
  • Configuration Steps
  • Validate
• OpenVPN® with SAML Authentication on Centrify IDP
  • Overview
  • Pre-Deployment Checklist
• Anonymous Internet Surfing
  • 1. Solution Overview
  • 2. Configuration Workflow
  • Troubleshooting
• Developer’s Sandbox
  • Objective
  • Solution
  • Configuration Workflow
• External PKI for OpenVPN Certificates
• VPN User Accelerator
• Use IPv6 for User VPN Access
  • The Problem
  • Prerequisite
  • Step 1. Launch Aviatrix gateway
  • Step 2. Add VPN Networks for Split Tunnel
  • Step 2. Add VPN User
  • Step 3. Scale out VPN gateways
  • Step 4. Add more VPCs
  • Troubleshooting Tips
• Use AWS Transit Gateway to Access Multiple VPCs in One Region
  • 1. Create a TGW
  • 2. Create a Security Domain
  • 3. Build Connection Policies
  • 4. Attach VPCs to TGW
  • 5a. Launch a VPN Gateway
  • 5b. Configure VPN Gateway
  • 6. Configure Aviatrix VPN Client
  • 7. Last Steps

Useful Tools

• VPC Tracker
• Create a VPC

Settings

• Controller Backup and Restore
• Controller HA in AWS
• Inline Software Upgrade
• Logging
• Emails and Alert Configuration
• Advanced Config
• Controller LDAP Login Configuration
• Netflow Integration
• AWS CloudWatch Integration
• Aviatrix Controller Login with SAML Authentication
• Controller Certificate Management
• FIPS 140-2 Module
• Controller Configuration
• Migrating Aviatrix Controller AMI
• Controller Migration in AWS

Troubleshoot

• Logs
• Diagnostics
• Error Messages
• How to Troubleshoot Azure RM Gateway Launch Failure
• FlightPath

REST APIs

• Aviatrix APIs
• Multiple Ways to Use Aviatrix API
• REST API Example

Terraform

• Aviatrix Terraform Tutorial
• Aviatrix Terraform Provider
• Aviatrix Terraform: Export

Downloads

• CloudN Virtual Appliance
• Aviatrix VPN Client

Release Notes

• Release Notes
• Aviatrix VPN Client Changelog
• Field Notices

Tech Notes

• Auto Booting CloudN VM Using ISO File
• Hybrid Network Load Balancing (NLB)
• Datadog Integration
• Launch Aviatrix Controller Manually
• Using Aviatrix to Build a Site to Site IPsec VPN Connection
• Aviatrix Controller Security for SAML auth based VPN Deployment
• How to Connect Office to Multiple AWS VPCs with AWS Peering
• Site2Cloud With Customized SNAT
• Site2Cloud with NAT to fix overlapping VPC subnets
• Site2Cloud to a Public IP Address
• Connecting Meraki Network to Aviatrix Transit Network
• Reserve For On-Prem Use
• Deploying Spoke without Programming RFC1918 Routes
• AWS Managed Microsoft AD for Aviatrix
• Extending Your vmware Workloads to Public Cloud
• How to Build a Zero Trust Cloud Network Architecture with Aviatrix
• AWS Global Transit Network
• Connect to Floating IP Addresses in Multiple AWS AZs
• Egress NAT to a Pool of IP Addresses
• AWS Transit Gateway Route Limit Test Validation
• Transit Gateway ECMP for DMZ Deployment Limitation Test Validation
• Transit Gateway Egress VPC Firewall Limitation Test Validation
• AWS Transit Gateway Orchestrator
• High Performance Encryption with InsaneMode
• Aviatrix NEXT GEN TRANSIT with customized SNAT and DNAT features
• Use IPv6 to Connect Overlapping VPC CIDRs
• Next Gen Transit Architecture for Azure
• NAT for non-tunnel-bound Traffic
• Migrating from Classic Aviatrix Encrypted Transit Network to Aviatrix ActiveMesh Transit Network
• OpenVPN FQDN Filter Solution
• Enable SAML App for a group of users in G-Suite using Organization

Good To Know

• AWS Inter Region Latency
• Azure Inter Region Latency
• Google Cloud Inter Region Latency
• CloudFormation Condition Function Example
• AWS Network Limits and Limitations
• AWS Transit Gateway Limits
• Survey of DevOps Tools
• Multi Cloud Region Affinity and Latency

Support Center

• Aviatrix Support Center
• Operations
• Controller
• OpenVPN Gateway
• Transit Solution
• Security: Egress FQDN Control and Firewall
• Logging
• Site2Cloud
• IPSec
• AWS Infrastructure
• GCP Infrastructure
• Terraform
• Aviatrix Support Ticket Submission & Priority Guidelines
• Useful Tools
• CloudN

IPmotion

• IPmotion Setup Instructions
• Migrating VMs with Aviatrix IPMotion and AWS Migration Hub Service
• IPmotion Design Patterns
• IPmotion Dependency Discovery

Troubleshooting Playbook

• Aviatrix Troubleshooting Playbook Overview
• AWS IAM Service Troubleshooting Playbook
• Aviatrix Controller Troubleshooting Playbook
• Aviatrix Gateway Troubleshooting Playbook
• Aviatrix OpenVPN End to End traffic Troubleshooting Playbook
• Aviatrix Site2Cloud End to End traffic Troubleshooting Playbook