Connecting to on-prem network over GRE tunneling protocol in AWS is an alternative to IPsec. When GRE tunneling is used, Aviatrix Multi-cloud Transit Gateways interoperate directly with on-prem network devices over AWS Direct Connect.
When on-prem to cloud encryption is not required, using GRE allows you to achieve high performance throughput (10Gbps) without the need to deploy Aviatrix CloudN appliance.
The solution is shown in the diagram below,
where Aviatrix Multi-Cloud Transit Gateways connect to an on-prem Edge Router over Direct Connect.
This document gives step-by-step instructions on how to build Aviatrix Transit Gateway to External Device using GRE over AWS Direct Connect. In this Tech Note, you learn the following:
- Workflow on building underlay connectivity with AWS Direct Connect 10 Gbps capacity
- Workflow on deploying Aviatrix Transit Solution
- Workflow on establishing connectivity between Edge Router and Aviatrix Transit Gateway to form GRE tunnel
- Workflow on building GRE tunnel and BGP over GRE
- Workflow on enabling ECMP Load Balancing to achieve high performance
For more information about Multi-Cloud Transit Network and External Device, please see these documents:
- Multi Cloud Global Transit FAQ
- Global Transit Network Workflow Instructions (AWS/Azure/GCP/OCI)
- Aviatrix Transit Gateway to External Devices
- Transit Network Design Patterns
Important
- This solution supports only ActiveMesh 2.0, please check this doc How to migrate to ActiveMesh 2.0 for migration detail.
- This solution is not available to Azure and GCP as they do not support GRE.
- Reachability between Transit VPC CIDR and Edge Router is customers' responsibility which is typically done by Colocation data center providers.
- Workflow on building underlay connectivity for private network with AWS Direct Connect here is just an example. Please adjust the topology depending on your requirements.
- The Edge (WAN) Router runs a BGP session to AWS VGW via AWS Direct Connect where the Edge Router advertises its GRE IPs. AWS VGW advertises the AWS Transit VPC CIDR.
- Leverage Edge Router BGP ECMP feature.
- Configure multiple GRE tunnels for greater aggregate throughput.
Important
- Reachability between Transit VPC CIDR and Edge Router is the responsibility of customer.
- This feature is available for 6.3 and later. Upgrade Aviatrix Controller to at least version 6.3
- In this example, we are going to deploy the below VPCs in AWS:
- AWS Aviatrix Transit VPC (i.e. 10.1.0.0/16) by utilizing Aviatrix feature Create a VPC with Aviatrix FireNet VPC option enabled
- AWS Aviatrix Spoke VPC (i.e. 192.168.1.0/24) by utilizing Aviatrix feature Create a VPC as the previous step or manually deploying it in each cloud portal. Moreover, feel free to use your existing cloud network.
- Edge Router has high throughput supported on hardware interface(s) and GRE tunnel(s)
Building AWS Direct Connect is customer's responsibility. For more information about AWS Direct Connect, please see Connect Your Data Center to AWS.
Please adjust the topology depending on your requirements.
See Equinix ECX Fabric AWS Direct Connect if users select Equinix solution. This is just an example here. Make sure to select 10 Gbps capacity.
- Log in to the AWS VPC Portal and select Virtual Private Gateways under the Virtual Private Network (VPN) sidebar.
- Select the Virtual Private Gateway that you have the private virtual interface to AWS Direct Connect
- Click Actions.
- Select Attach to VPC.
- Select the AWS Transit VPC and click Yes, Attach.
Deploying the Aviatrix Multi-Cloud Transit Solution =================================================
Refer to Global Transit Network Workflow Instructions for the steps below. Please adjust the topology depending on your requirements.
- Follow this step Deploy the Transit Aviatrix Gateway to launch Aviatrix Transit gateway and enable HA with insane mode enabled in AWS Transit VPC
- In this example, sizes c5n.2xlarge and c5n.4xlarge are selected to benchmark performance.
Enabling Route Propagation on the Subnet Route Table where Aviatrix Transit Gateway Locates on AWS Portal
- Log in to the AWS VPC portal and locate the subnet route table where Aviatrix Transit Gateway is located.
- Select Route Propagation tab.
- Click Edit route propagation.
- Locate the AWS VGW that is associated with this Transit VPC and mark the Propagate checkbox.
- Click Save.
- Check whether the Propagate status is Yes.
Follow this step Deploy Spoke Gateways to launch Aviatrix Spoke gateway and enable HA with insane mode enabled in AWS Spoke VPC.
In this example, sizes c5n.2xlarge and c5n.4xlarge are selected to benchmark performance.
Follow this step Attach Spoke Gateways to Transit Network to attach Aviatrix Spoke Gateways to Aviatrix Transit Gateways in AWS.
Cisco ASR is used as an Edge Router in this example.
Checking Whether the Edge Router has Learned AWS Transit VPC CIDR via the BGP Session Between Edge Router and AWS Direct Connect
- Log in to the Edge Router (i.e. Cisco ASR)
- Check whether Edge Router has learned AWS Transit VPC CIDR via the BGP session between Edge Router and AWS Direct Connect by issuing the related "show ip bgp" command
Simple Cisco IOS example:
#show ip bgp
In this example, we use ASR loopback interface with an unique IP address as a GRE source IP.
Create a loopback interface and assign an IP to itself as a GRE source IP.
Simple Cisco IOS example:
#configure t (config)#interface Loopback77 (config-if)#ip address 192.168.77.1 255.255.255.255
Advertising that GRE source IP on Edge Router to the BGP Session Between Edge Router and AWS Direct Connect
The purpose of this step is to let AWS VGW learn the GRE source IP on Edge Router via BGP session between Edge Router and AWS Direct Connect, so that Aviatrix Transit Gateway can reach the GRE source IP on Edge Router to form GRE tunnel over AWS Direct Connect.
To demonstrate this concept in a simple fashion, we utilize IOS "ip prefix-list" function and apply it on BGP neighbor with direction out function to distribute GRE source IP.
Create a prefix list that defines GRE source IP on Edge Router for BGP advertisement.
Simple Cisco IOS example:
#configure t (config)#ip prefix-list Router-to-VGW description Advertised GRE source CIDRs 192.168.77.X/32 to build GRE tunnels (config)#ip prefix-list Router-to-VGW seq 10 permit 192.168.77.1/32
Apply this prefix list to outgoing BGP advertisements
Simple Cisco IOS example:
#configure t (config)#router bgp 65000 (config-router)#address-family ipv4 (config-router-af)#neighbor 169.254.253.17 prefix-list Router-to-VGW outNotes:
The IP 169.254.253.17 in this example here is the AWS Direct Connect BGP Peer IP.
- Log in to the AWS VPC portal and locate the subnet route table where Aviatrix Transit Gateway is located.
- Select the Routes tab.
- Check whether there is a route entry "GRE source IP on Edge Router pointing to AWS VGW."
- Log in to your Aviatrix Controller and navigate to Multi-Cloud Transit > Setup > External Device tab.
- Select option External Device > BGP > GRE.
- Use the fields below to set up GRE tunnel to Edge Router.
Transit VPC Name Select the Transit VPC ID where Transit GW was launched. Connection Name Provide a unique name to identify the connection to external device. Aviatrix Transit Gateway BGP ASN Configure a BGP AS number that the Transit GW will use to exchange routes with external device. Primary Aviatrix Transit Gateway Select the Transit GW. Enable Remote Gateway HA Don't check this option in this example. Over Private Network Check this option since AWS Direct Connect is underlay network Remote BGP AS Number Configure a BGP AS number that Edge Router will use to exchange routes with Transit GW Local Tunnel IP Leave it blank in this example. Remote Tunnel IP Leave it blank in this example.
- Click Connect to generate GRE tunnel and BGP session over it.
- Navigate to Site2Cloud > Setup.
- Select the connection that you created with “Connection Name” in the previous step
- Click Edit.
- Select Cisco as Vendor type, ISR, ASR or CSR as Platform, and IOS(XE) as Software for this example.
- Click Download Configuration.
- Open the downloaded GRE configuration file.
- Populate these values as follows based on your setup throughout the Tunnel Interface Configuration.
- <tunnel_number1>: the primary GRE tunnel interface number connecting Aviatrix Transit Primary Gateway (i.e. 11)
- <tunnel_number2>: the secondary GRE tunnel interface number connecting Aviatrix Transit HA Gateway (i.e. 12)
- <ios_wan_interface1>: the IP which is assigned on the Loopback interface as an GRE source IP (i.e. 192.168.77.1)
- <ios_wan_interface2>: the IP which is assigned on the Loopback interface as an GRE source IP (i.e. 192.168.77.1)
- Copy and paste the updated Tunnel Interface Configuration into Edge Router
Simple Cisco IOS example:
interface Tunnel 11 ip address 169.254.61.205 255.255.255.252 ip mtu 1436 ip tcp adjust-mss 1387 tunnel source 192.168.77.1 tunnel destination 10.1.0.185 ip virtual-reassembly no keepalive exit interface Tunnel 12 ip address 169.254.173.77 255.255.255.252 ip mtu 1436 ip tcp adjust-mss 1387 tunnel source 192.168.77.1 tunnel destination 10.1.1.27 ip virtual-reassembly no keepalive exit
- Open the downloaded GRE configuration file and copy and paste the BGP Routing Configuration into Edge Router.
Simple Cisco IOS example:
router bgp 65000 bgp log-neighbor-changes neighbor 169.254.61.206 remote-as 65212 neighbor 169.254.61.206 timers 10 30 30 neighbor 169.254.173.78 remote-as 65212 neighbor 169.254.173.78 timers 10 30 30 ! address-family ipv4 redistribute connected neighbor 169.254.61.206 activate neighbor 169.254.61.206 soft-reconfiguration inbound neighbor 169.254.173.78 activate neighbor 169.254.173.78 soft-reconfiguration inbound maximum-paths 4 exit-address-family
- Create a prefix list that defines CIDR where server locates in on-prem/co-location for BGP advertisement.
Simple Cisco IOS example:
#configure t (config)#ip prefix-list Router-To-Transit-GRE description Advertised on-prem CIDRs 10.220.5.0/24 (config)#ip prefix-list Router-To-Transit-GRE seq 10 permit 10.220.5.0/24
- Apply the prefix list to outgoing BGP advertisements.
Simple Cisco IOS example:
#configure t (config)#router bgp 65000 (config-router)#address-family ipv4 (config-router-af)#neighbor 169.254.61.206 prefix-list Router-To-Transit-GRE out (config-router-af)#neighbor 169.254.173.78 prefix-list Router-To-Transit-GRE out
- Navigate back to Aviatrix Controller and open Site2Cloud > Setup.
- Find the connection that you created with Connection Name in the previous step.
- Check the Tunnel Status.
- Go to Multi-Cloud Transit > List.
- Select the Transit Primary Gateway that was created in the previous step.
- Click Details/Diag.
- Scroll down to Connections > On-prem Connections.
- Find the connection that you created with Connection Name in the previous step and check the Tunnel Status.
- Go to Multi-Cloud Transit > BGP.
- Find the connection that you created with Connection Name in the previous step and check the BGP Status.
- Building multiple GRE tunnels by repeating "Build connectivity between Edge Router and Aviatrix Transit Gateway".
- Build multiple BGP over GRE tunnels by repeating "Build GRE tunnel and BGP over GRE".
In this example, we build up to 4 pairs of GRE connections (total up to 8 tunnels) to benchmark performance.
- Navigate back to Aviatrix Controller
- Go to Multi-Cloud Transit > Advanced Config > Edit Transit Tab.
- Select the Transit Gateway that was created in the previous step.
- Scroll down to BGP ECMP and enable it.
- Go to Multi-Cloud Transit > List.
- Select the Transit Primary Gateway that was created in the previous step.
- Click DETAILS/DIAG.
- Scroll down to Gateway Routing Table.
- Click Refresh.
- Search for the on-prem CIDR in the Destination column.
- Check whether there are multiple GRE tunnels with same Metric and Weight under the same route entry.
Configure "maximum-paths" with higher number of equal-cost routes in BGP settings so that BGP will install in the routing table. In this example, we configure "maximum-paths 8" to achieve high performance over multiple GRE tunnels.
Simple Cisco IOS example:
#configure t (config)#router bgp 65000 (config-router)#address-family ipv4 (config-router-af)#maximum-paths 8
Modify ECMP Load Balancing algorithm depending on traffic type.
Simple Cisco IOS example:
#configure t (config)#ip cef load-sharing algorithm include-ports source destination
Check whether BGP install equal-cost routes in the routing table by issuing the related command "show ip bgp."
At this point, run connectivity and performance test to ensure everything is working correctly.
| Aviatrix Gateway size | 3 pairs of GRE connections (total 6 tunnels) | 4 pairs of GRE connections (total 8 tunnels) |
| C5n.2xlarge | 8.0 - 8.3 (Gbps) | 8.3 - 9.1 (Gbps) |
| C5n.4xlarge | 9.0 - 9.3 (Gbps) | 9.2 - 9.3 (Gbps) |
1.6 - 2.4 (Gbps) for both sizes C5n.2xlarge and C5n.4xlarge