Aviatrix CloudWAN FAQ¶
What is the Aviatrix CloudWAN?¶
Aviatrix CloudWAN manages and automates secure connectivity of on-prem Cisco IOS Routers to the cloud. The IPSEC connection terminates with AWS Transit Gateway (TGW), Aviatrix Transit Gateway or Azure Virtual WAN.
Starting in Release 6.2, CloudWAN also manages Aviatrix CloudN appliance for high performance encryption connection (up to 25Gbps) from on-prem to the cloud.
This document focuses on CloudWAN for Cisco IOS devices. For configuration information on CloudN appliance, refer to Managed CloudN Workflow.
CloudWAN can be used to fulfill the following tasks.
- Manage multiple Cisco IOS Routers from the Aviatrix Controller. This includes uploading and viewing the IOS configuration, making configuration changes and monitoring the health and stats of these routers.
- Automate secure connection of Cisco IOS routers to the Aviatrix Transit Gateway or AWS TGW with IPSEC VPN over the Internet, thus allowing them to be part of the Transit Network where they gain connectivity to Spoke VPCs.
What are the CloudWAN deployment architectures?¶
There are three ways to deploy CloudWAN.
CloudWAN Deployment 1¶
CloudWAN can be deployed to connect with Aviatrix Transit Network as shown below
CloudWAN Deployment 2¶
Alternatively you can deploy CloudWAN as an attachment to TGW where the Aviatrix Transit Gateway functions as edge to the TGW.
CloudWAN Deployment 3¶
In this deployment IPsec tunnels are built directly to TGW VPN.
CloudWAN Deployment on Azure¶
CloudWAN can terminate branch router IPSEC connection with Aviatrix Transit Gateway deployed in Azure, as shown in the diagram below.
What are the benefits of CloudWAN?¶
- No Friction Leverage what you have already invested in the on-prem edge router for connecting to the cloud.
- Shortest Latency Leverage AWS Global Accelerator or Azure backbone to connect your on-prem routers to the nearest cloud provider edge and route through the their backbone with the optimal path.
- Automation Avoid human errors and the complexity of VPN configuration when building VPN connections to the cloud.
- Centrally Managed Use the single pane of glass to both provision and monitor router health and stats.
How does CloudWAN work in AWS?¶
CloudWAN leverages AWS Global Accelerator and the AWS backbone for the shortest latency path to the cloud.
For example, if the application is in us-west-2 and you have a branch office in Singapore country. If you built an IPSEC tunnel to the gateway in us-west-2 without deploying CloudWAN, the traffic initiated from Singapore typically traverse through many ISP carriers and eventually to AWS us-west-2. On the other hand, with CloudWAN, traffic from Singapore gets to the first ISP, hops onto the AWS edge in the area and moves through the uncongested AWS backbone to us-west-2. Both latency and jitter should be minimal.
Can I use CloudWAN just to manage the Cisco routers?¶
Yes. You can use CloudWAN for making changes to the routers from a central place, even if you are not ready to connect the on-prem routers to the cloud.
What are the use cases for CloudWAN?¶
CloudWAN can be used to connect branch routers to the cloud directly. It can also be used to manage routers you deploy in the branch or partner network where you have full access.
Can CloudWAN manage other vendor devices?¶
No. Currently CloudWAN only manages Cisco IOS routers.
How many routers can CloudWAN manage?¶
If the on-prem router terminates with Aviatrix Transit Gateway, there is no limitation on how many routers can be connected.
What are the requirements to deploy CloudWAN?¶
General requirement is to have each managed Cisco router needs Internet access and a public IP address.
Please make sure the following items are properly configured in Cisco IOS router.
- Please make sure Cisco router’s login username is set to privilege 15
Cisco IOS CLI examples:username admin privilege 15 password 0 password username administrator privilege 15 secret 5 $1$WbTk$uk7Au2PkCardkaM3BCcIS. username superuser privilege 15
- Please make sure line vty is set to “privilege level 15” and ssh is included for “transport input”
Cisco IOS CLI example:line vty 1 4 privilege level 15 login local transport input ssh
- Please enable ip ssh in Cisco IOS, either password authentication, private key authentication, or both. Please refer to: https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html
- Please enable scp server in Cisco IOS
Cisco IOS CLI example:ip scp server enable
What routing protocols are supported on CloudWAN?¶
CloudWAN supports BGP and static routing.
Can CloudWAN support branch to branch communications?¶
When BGP is enabled on the branch router, CloudWAN can route traffic between branches.
How should I secure my IOS router?¶
When a router is attached, an ACL rule to permit TCP port 22 access from the Aviatrix Controller.
What Cisco routers are supported?¶
Cisco routers that run IOS Classic and IOS XE are supported. For example, ISR G2, ASR and ISR G3.