Site2Cloud IPSec VPN Instructions


Aviatrix supports connectivity between its Gateways in the cloud and on-premise routers using a feature called Site2Cloud, as shown below. This document outlines how to get connectivity established between an Aviatrix Gateway in AWS, Azure, or GCP and your on-premise router or firewall.


Configuration Workflow

Create Site2Cloud Connection

  1. Log in to your Aviatrix Controller.

  2. Select the Site2Cloud navigation item on the left navigation bar.

  3. Click on + Add New near the top of the Site2Cloud tab.

  4. Under Add a New Connection, enter the following:

    VPC ID / VNet Name: Select the VPC or VNet where this tunnel will terminate in the cloud.
    Connection Type: Unmapped unless there is an overlapping CIDR block.
    Connection Name: Name this connection. This connection represents the connectivity to the edge device.
    Remote Gateway Type: Generic, AWS VGW, Azure VPN, Aviatrix, or SonicWall. See below for additional details.
    Tunnel Type: UDP or TCP. The TCP tunnel type requires an Aviatrix gateway on both sides.
    Algorithms: Defaults will be used if unchecked. See below for more details.
    Encryption over ExpressRoute/DirectConnect: An additional field will be displayed if checked.
    Route Tables to Modify: Only displayed if encrypting over DirectConnect/ExpressRoute. Select the specific routes to encrypt.
    Enable HA: Additional fields are displayed when checked.
    Primary Cloud Gateway: Select the Gateway where the tunnel will terminate in this VPC.
    Remote Gateway IP Address: IP address of the remote device.
    Pre-shared Key: Optional. Enter the pre-shared key for this connection. If nothing is entered, one will be generated for you.

Connection Type: Unmapped

For unmapped connections, the following two fields will be displayed:

Remote Subnet: Enter the CIDR representing the remote network.
Local Subnet: The CIDR block of the local VPC/VNet subnet. If left blank, Aviatrix will use the full VPC/VNet CIDR.


The remote and local subnet fields can contain multiple values. Use a comma (,) to separate the values.

Connection Type: Mapped

For mapped connections, the following four fields will be displayed:

Remote Subnet(Real): Enter the real CIDR of the remote network.
Remote Subnet(Virtual): Enter a virtual CIDR that will represent the real subnet.
Local Subnet(Real): The real CIDR block of the local VPC/VNet subnet. If left blank, Aviatrix will use the full VPC/VNet CIDR.
Local Subnet(Virtual): Enter a virtual CIDR that will represent the real subnet.


The remote and local subnet fields can contain multiple values. Use a comma (,) to separate the values.


If you use multiple values for the real subnets, you must enter an equal number of subnets in the virtual field.


1:1 mapping is supported as long as both sides are configured properly. For example, you can configure:

Remote Subnet(Real):
Remote Subnet(Virtual):

Local Subnet(Real):
Local Subnet(Virtual):
  5. Click OK.

Configuration Details

Remote Gateway Type

Generic: Use this option for most third-party routers and firewalls.
AWS VGW: For terminating on an AWS Virtual Private Gateway, select this option.
Azure VPN: For terminating on Azure VPN services.
Aviatrix: When terminating on an Aviatrix CloudN on-premise gateway.


If the Algorithms checkbox is unchecked, the default values will be used. If it is checked, you can set any of the fields defined below.

Phase 1 Authentication
Phase 1 DH Groups
Phase 1 Encryption
Phase 2 Authentication
Phase 2 DH Groups
Phase 2 Encryption

Remote and Local Subnet(s)

Enter the subnet(s), using a comma to delimit more than one CIDR.

If you leave the local subnet field blank, the default value is the VPC/VNet CIDR. If you enter a value, make sure the VPC/VNet CIDR is included in it.

These Local Subnets are advertised to the Remote Subnets that the Site2Cloud connection can reach.

You can change these settings later.
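The two rules stated above and in the Mapped section (comma-separated CIDR lists, an equal number of real and virtual entries mapped 1:1, and a non-blank Local Subnet that must still include the VPC/VNet CIDR) are easy to get wrong before clicking OK. The following Python script is an added example, not Aviatrix code and not the Controller's own validation: it parses the field values the way the form expects, checks the mapped lists pair up, shows which virtual address a real host becomes (assuming 1:1 mapping preserves the host bits), and confirms the local list covers the VPC CIDR. All CIDRs and addresses in it are constructed sample values.

```python
"""Pre-flight checks for Site2Cloud subnet fields (added example, not Aviatrix code)."""
import ipaddress


def parse_cidr_list(field):
    """Split a comma-separated subnet field into network objects.

    strict=True rejects entries with host bits set (e.g. 10.0.0.5/24), which
    would be a typo rather than a subnet.
    """
    parts = [p.strip() for p in field.split(",") if p.strip()]
    return [ipaddress.ip_network(p, strict=True) for p in parts]


def build_mapping(real_field, virtual_field):
    """Pair Real and Virtual entries positionally, as the Mapped form does.

    Raises ValueError when the counts differ or a pair cannot map 1:1.
    """
    real = parse_cidr_list(real_field)
    virtual = parse_cidr_list(virtual_field)
    if len(real) != len(virtual):
        raise ValueError(
            f"real list has {len(real)} entries, virtual list has {len(virtual)}; "
            "the counts must match"
        )
    pairs = []
    for r, v in zip(real, virtual):
        # A 1:1 mapping needs both subnets to be the same size.
        if r.prefixlen != v.prefixlen or r.version != v.version:
            raise ValueError(f"{r} and {v} are not the same size; 1:1 mapping is not possible")
        pairs.append((r, v))
    return pairs


def translate(address, pairs, direction="real_to_virtual"):
    """Translate one host address across a 1:1 subnet mapping.

    Assumption (not stated on the page): the host portion is kept and only the
    network portion is rewritten, which is what a 1:1 subnet mapping implies.
    """
    ip = ipaddress.ip_address(address)
    for real, virtual in pairs:
        src, dst = (real, virtual) if direction == "real_to_virtual" else (virtual, real)
        if ip in src:
            host_offset = int(ip) - int(src.network_address)
            return str(dst.network_address + host_offset)
    raise ValueError(f"{address} is not inside any mapped subnet")


def local_subnets_cover_vpc(local_field, vpc_cidr):
    """Blank means 'use the VPC CIDR'; otherwise the VPC CIDR must be included."""
    if not local_field.strip():
        return True
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return any(
        net.version == vpc.version and vpc.subnet_of(net)
        for net in parse_cidr_list(local_field)
    )


if __name__ == "__main__":
    # Constructed sample values: an on-prem 10.0.0.0/24 overlaps the VPC, so it
    # is presented to the cloud side as 172.16.0.0/24.
    mapping = build_mapping("10.0.0.0/24,192.168.1.0/24", "172.16.0.0/24,172.16.1.0/24")
    print(translate("10.0.0.15", mapping))                       # 172.16.0.15
    print(translate("172.16.1.200", mapping, "virtual_to_real"))  # 192.168.1.200
    print(local_subnets_cover_vpc("10.1.5.0/24", "10.1.0.0/16"))  # False: VPC CIDR missing
```

Run it before filling in the form; a `ValueError` from `build_mapping` or a `False` from `local_subnets_cover_vpc` corresponds to an entry the page says will not work as intended.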

Edit Connection

Once a connection is created, you can download the configuration or edit parameters. To do this, select Site2Cloud from the navigation menu and select the connection you just created.

Download Configuration

You can generate a remote site configuration template.

Select the remote site device from the dropdowns provided. If your remote site device is not listed in the dropdown menu, simply select an available one in the menu or use the Generic/Vendor Independent template.

This template file contains the gateway public IP address, VPC CIDR, pre-shared secret and encryption algorithm. Incorporate this information into your remote router/firewall configuration. If the remote gateway is an Aviatrix CloudN, go to Site2Cloud, import the downloaded configuration file and click OK.

Dead Peer Detection

This field is not applicable to Site2Cloud connections established by the Transit Network workflow.

Dead Peer Detection (DPD) is a standard mechanism (RFC 3706) in which IPsec peers exchange periodic messages to confirm that the remote site is still up.

By default, DPD is enabled.

Manual BGP Advertised Network List

This field is only applicable to Site2Cloud connections established by the Transit Network workflow.

By default, Aviatrix Transit GW advertises individual Spoke VPC CIDRs to VGW. You can override that by manually entering the intended CIDR list to advertise to VGW.

This feature is critical to limit the total number of routes carried by VGW (maximum is 100).

To enable it, click Site2Cloud on the left navigation bar, select the connection established by Step 3, and click to edit. Scroll down to “Manual BGP Advertised Network List”, enter a list of CIDR blocks separated by commas, then click “Change BGP Manual Spoke Advertisement”.

To disable the option, leave the field blank and click “Change BGP Manual Spoke Advertisement”.
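When the Spoke count grows, the advertised list is usually summarized so that VGW stays under the 100-route maximum stated above. The Python script below is an added example, not Aviatrix code: it collapses a set of Spoke VPC CIDRs into the smallest exactly equivalent list (no address space is added, so nothing beyond the Spokes is advertised), produces the comma-separated field value, refuses to produce one that would still exceed the limit, and checks that a hand-edited list does not silently drop a Spoke. The Spoke CIDRs are constructed sample values.

```python
"""Build and check a Manual BGP Advertised Network List (added example, not Aviatrix code)."""
import ipaddress

VGW_ROUTE_LIMIT = 100  # maximum number of routes carried by VGW, per the documentation


def parse_cidr_list(field):
    """Split the comma-separated field value into network objects."""
    return [ipaddress.ip_network(p.strip(), strict=True) for p in field.split(",") if p.strip()]


def summarize(spoke_cidrs):
    """Collapse adjacent or nested Spoke CIDRs into the fewest equivalent prefixes.

    collapse_addresses only merges prefixes that together form a whole
    supernet, so the result covers exactly the Spoke address space.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in spoke_cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def advertised_list(spoke_cidrs, limit=VGW_ROUTE_LIMIT):
    """Return the field value to paste into the Controller, or raise if it is still too long."""
    summary = summarize(spoke_cidrs)
    if len(summary) > limit:
        raise ValueError(
            f"{len(summary)} routes after summarization still exceed the VGW limit of {limit}; "
            "re-plan the Spoke address allocation so it summarizes further"
        )
    return ",".join(summary)


def covers_all_spokes(field, spoke_cidrs):
    """True if every Spoke CIDR lies inside some prefix of the advertised list."""
    advertised = parse_cidr_list(field)
    return all(
        any(s.version == a.version and s.subnet_of(a) for a in advertised)
        for s in (ipaddress.ip_network(c, strict=True) for c in spoke_cidrs)
    )


if __name__ == "__main__":
    # Constructed sample: 128 Spokes carved as /24s out of 10.0.0.0/17. Advertised
    # individually they exceed the VGW limit; summarized they become one route.
    spokes = [f"10.0.{i}.0/24" for i in range(128)]
    field = advertised_list(spokes)
    print(len(spokes), "individual routes ->", field)  # 128 individual routes -> 10.0.0.0/17
    print(covers_all_spokes(field, spokes))            # True
    print(covers_all_spokes("10.0.0.0/18", spokes))    # False: Spokes 10.0.64.0/24 and up dropped
```

Because the summary is exact, advertising it changes nothing about which destinations VGW learns; if you instead enter a broader aggregate by hand, `covers_all_spokes` still confirms that no Spoke has been left out.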

Connected Transit

By default, Aviatrix Spoke VPCs do not have routing established to communicate with each other via Transit. They are completely segmented.

If you would like to build a full mesh network where Spoke VPCs communicate with each other via the Transit GW, you can achieve that by enabling “Connected Transit” mode. All connections are encrypted.

To enable this option, click Site2Cloud on the left navigation bar, select the connection established by Step 3, and click to edit. Scroll down to “Connected Transit” to enable it.

Note that all Spokes should be either in HA mode or in non-HA mode. A mixed deployment, where some Spokes have HA enabled while others don't, works in a normal environment but does not work when a failover happens on an HA-enabled Spoke.

Network Device Support

Aviatrix Site2Cloud supports all types of on-prem firewall and router devices that terminate VPN connections. Below are configuration examples for specific devices.

Additional Use Cases

Real-world use cases sometimes require a combination of Site2Cloud and other features, such as SNAT and DNAT.

Here are a few documents in the Tech Notes section that demonstrate how you can solve some of them.


To check a tunnel's state, go to Site2Cloud; the tunnel status appears next to the connection.

Diagnostics and troubleshooting options are available in the Diagnostics tab. You must first select the connection, then select an Action, followed by OK.