Configuration Example for Multi-Cloud Transit Integration Azure VNG VPN

This document describes the configuration workflow for the following network diagram.


where there are two Spoke VNets, one with an Aviatrix Spoke gateway ( and one native Spoke VNet (


Upgrade Aviatrix Controller to at least version 6.3.


We highly recommend that you create the Azure Transit VNet by using the Aviatrix feature Create a VNet with the Aviatrix FireNet VNet option enabled. Create a VNG in this Transit VNet.

Connect VNG to On-Prem

If you have already created a VNG in the Transit VNet, skip this section.

This section covers an example of building a VPN tunnel with Cisco IOS. For more information about Azure VPN, see the documents below:

Adjust the topology depending on your requirements.

Step 1.1 Create Virtual Network Gateway

  1. Log in to the Azure Portal and search for “Virtual Network Gateway”.
  2. Click “Add” to create a new Virtual Network Gateway (VNG).


Field | Description
Subscription | Select an Azure subscription
Name | Any name
Region | Select a region, e.g. West US2
Gateway type | Select VPN
VPN type | Select Route-based
SKU | Any (e.g. VpnGw1)
Generation | Any
Virtual network | Select the Transit FireNet Gateway VNet
Public IP address | Any
Public IP address name | Any
Enable active-active mode | Any (disabled by default)
Configure BGP | Select Enabled and give any ASN


This step may take up to 45 minutes to complete.

  3. Once the VNG is created, go to Azure Portal -> Virtual Network Gateway -> Configuration and note down the Public IP Address and the Default Azure BGP peer IP address.

Step 1.2 Create Azure Local Network Gateways (LGW)

  1. Log in to the Azure Portal and search for “Local network gateways”.
  2. Click “Add” to create a new Local Network Gateway.


Field | Description
Name | Any
IP address | Any, e.g. the Cisco IOS public IP
Configure BGP settings | Check the BGP checkbox
BGP ASN | Any (e.g. 65002)
BGP peer IP address | Any (e.g.
Subscription | Select a valid subscription
Resource group | Any, or create new
Location | Any (e.g. West US2)

Step 1.3 Create a VPN Connection

  1. Log in to the Azure Portal and search for “Virtual network gateways”
  2. Click on the VNG created earlier
  3. Select Connections
  4. Click “Add”


Field | Description
Name | Any
Connection type | Select Site-to-Site (IPsec)
Virtual network gateway | Select the VNG just created
Local network gateway | Select the LNG just created
Shared key (PSK) | Enter the value that matches Internet Key Exchange Configuration > Pre-Shared Key
Use Azure Private IP address | Uncheck
Enable BGP | Check
IKE protocol | Select IKEv2

  5. Select the VPN connection you just created and click the Download Configuration button along the top. In the dialog, select Cisco for the Vendor, IOS for the Device family and 15.x (IKEv2) for the firmware version.

Click Download Configuration. You will use this file to create the other side of the tunnel.


The downloaded Cisco IOS configuration is not accurate. Modify it before using it.

Cisco IOS sample configuration used in this example:

Current configuration : 5983 bytes
hostname Cisco-IOS
username ec2-user privilege 15
!
! IKEv2 (phase 1): AES-256-CBC, SHA1 integrity and DH group 2, as generated by
! the Azure template. SHA1 and the 1024-bit group 2 are legacy choices; the
! Azure VNG also accepts SHA256 with group 14, which is preferable.
crypto ikev2 proposal CSR-VPN-proposal
 encryption aes-cbc-256
 integrity sha1
 group 2
crypto ikev2 policy CSR-VPN-policy
 match address local
 proposal CSR-VPN-proposal
!
! Keyring holding the PSK; it must match the Shared key entered in Step 1.3
crypto ikev2 keyring CSR-VPN-keyring
  pre-shared-key Aviatrix123!
!
! IKEv2 profile: PSK authentication in both directions, 1 h IKE SA lifetime,
! DPD every 10 s with 5 s retries, sent on demand
crypto ikev2 profile CSR-VPN-profile
 match address local
 match identity remote address
 authentication remote pre-share
 authentication local pre-share
 keyring local CSR-VPN-keyring
 lifetime 3600
 dpd 10 5 on-demand
!
! IPsec (phase 2): ESP with AES-GCM-256 in tunnel mode
crypto ipsec transform-set CSR-VPN-TransformSet esp-gcm 256
 mode tunnel
crypto ipsec profile CSR-VPN-IPsecProfile
 set transform-set CSR-VPN-TransformSet
 set ikev2-profile CSR-VPN-profile
!
interface Loopback11
 ip address
!
! Route-based VTI towards the VNG; the MSS clamp keeps TCP segments inside the
! IPsec MTU so the tunnel does not fragment
interface Tunnel11
 ip address
 ip tcp adjust-mss 1350
 tunnel source
 tunnel mode ipsec ipv4
 tunnel destination
 tunnel protection ipsec profile CSR-VPN-IPsecProfile
interface VirtualPortGroup0
 vrf forwarding GS
 ip address
 ip nat inside
 no mop enabled
 no mop sysid
interface GigabitEthernet1
 ip address dhcp
 ip nat outside
 negotiation auto
 no mop enabled
 no mop sysid
!
! eBGP with the Azure VNG (ASN 65515), peering over the tunnel interface
router bgp 65002
 bgp log-neighbor-changes
 neighbor remote-as 65515
 neighbor ebgp-multihop 255
 neighbor update-source Tunnel11
 address-family ipv4
  network mask
  neighbor activate
!
ip forward-protocol nd
ip tcp window-size 8192
! Both plain-text HTTP and HTTPS management are enabled here; keep only
! ip http secure-server unless the plain-text server is required
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 vrf GS overload
ip route GigabitEthernet1
ip route Tunnel11
ip route Tunnel11
ip route vrf GS GigabitEthernet1 global

Connect Aviatrix Transit Gateway with VNG

Refer to the Global Transit Network Workflow Instructions for the steps below. Adjust the topology depending on your requirements.

Step 2.1 Deploy Aviatrix Multi-Cloud Transit Gateway and HA in Azure

Step 2.2 Connect Transit FireNet Gateway with VNG

This step assumes the VNG is already deployed in the Transit VNet.

  • Go to Multi-Cloud Transit -> Step 3 Connect to VGW / External Device / Aviatrix CloudN / Azure VNG
  • Select the Azure VNG radio button
  • Select the primary Aviatrix Transit Gateway in the drop-down menu. Note that if a VNG has not been deployed in the Transit VNet, this step cannot complete.
  • The VNG Name will populate automatically
  • Click Connect


Step 2.3 Check Effective routes info on Azure portal

  • Log in to the Azure Portal
  • Search for “Network interfaces” in the search bar
  • Select the Aviatrix Transit Gateway’s interface
  • Navigate to the “Effective routes” page by clicking the “Effective routes” link under the “Support + troubleshooting” section
  • Check that the route entry for the on-prem prefix shows Next Hop Type Virtual network gateway
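The Effective routes check in Step 2.3 can also be scripted against the JSON that az network nic show-effective-route-table returns for the Transit gateway’s NIC. The following is an added example, not part of the Aviatrix documentation: it embeds a constructed route table (made-up prefixes and addresses; the field names follow the Azure effective-route schema), picks the longest matching active prefix for a destination as Azure does, and confirms that the on-prem prefix points at a Virtual network gateway next hop.

```python
import ipaddress
import json

# Constructed sample of the JSON returned by
# `az network nic show-effective-route-table` for the Transit gateway NIC.
# Prefixes and addresses are made up; field names follow the Azure schema.
SAMPLE_EFFECTIVE_ROUTES = json.loads("""
{"value": [
  {"addressPrefix": ["10.20.0.0/16"], "nextHopType": "VnetLocal",
   "nextHopIpAddress": [], "source": "Default", "state": "Active"},
  {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
   "nextHopIpAddress": [], "source": "Default", "state": "Active"},
  {"addressPrefix": ["192.168.50.0/24"], "nextHopType": "VirtualNetworkGateway",
   "nextHopIpAddress": ["10.20.1.4"], "source": "VirtualNetworkGateway",
   "state": "Active"},
  {"addressPrefix": ["192.168.50.0/24"], "nextHopType": "None",
   "nextHopIpAddress": [], "source": "User", "state": "Invalid"}
]}
""")


def lookup_route(routes, destination):
    """Return the route Azure would use for `destination`: the longest
    matching prefix among entries in state Active. (Azure's same-prefix
    precedence, user > BGP > system, is not modelled here.)"""
    dst = ipaddress.ip_address(destination)
    best_net, best_route = None, None
    for route in routes["value"]:
        if route.get("state") != "Active":
            continue  # Invalid or disabled entries never carry traffic
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix)
            if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_route = net, route
    return best_route


def onprem_via_vng(routes, onprem_host):
    """Step 2.3 check: True when onprem_host is reached through the VNG."""
    route = lookup_route(routes, onprem_host)
    return route is not None and route["nextHopType"] == "VirtualNetworkGateway"
```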


Attach Spoke VNet to Aviatrix Transit Gateway

Step 3.1 Deploy Aviatrix Spoke Gateway in Spoke VNet

  • Create an Azure VNet for the Aviatrix Spoke Gateway by using the Aviatrix feature Create a VPC, deploy one manually in the cloud portal, or use an existing virtual network.

Step 3.2 Launch Spoke Gateway and HA

  • Follow the step Deploy Spoke Gateways to launch the Aviatrix Spoke gateway and enable HA, with insane mode enabled, in the Azure Spoke VNet. Insane mode is optional.
  • An instance size of at least Standard_D5_v2 is required for Insane Mode Encryption to get higher throughput. Refer to this doc for performance details.

Step 3.3 (Optional) Create Spoke VNet

  • If you do not have a Spoke VNet, create one by using the Aviatrix feature Create a VPC or manually in the Azure portal.

Step 3.4 Attach Spoke Gateways to Transit Network

Ready to go!

Now you should be able to send traffic from cloud to on-prem as well as on-prem to cloud over Azure Express Route.

For FireNet deployment, follow the Transit FireNet workflow.


This section walks through the end-to-end packet flow for troubleshooting purposes and covers the following:

  • Packet Flow when Inspection is disabled and traffic initiated from on-prem
  • Packet Flow when Inspection is disabled and traffic initiated from cloud
  • Packet Flow when Inspection is enabled and traffic initiated from cloud
  • Packet Flow when Inspection is enabled and traffic initiated from on-prem

Before we start the hop-by-hop packet walk, first make sure the IPsec tunnel is connected and the BGP session is up.

Azure Portal


Cisco IOS

Check the interface output to make sure all interfaces and tunnels are up.


“show ip bgp summary” shows the BGP session status and whether IOS is learning any routes via BGP.


Check the IPsec/IKEv2 tunnel status.
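The three Cisco IOS checks above can be automated. The following is an added example, not part of the Aviatrix documentation: it parses constructed sample output of show ip bgp summary and show crypto ikev2 sa (the addresses are made up; the ASNs match the sample configuration) and reports whether the tunnel to the VNG is ready and BGP is Established with routes learned.

```python
# Constructed sample output of the two IOS commands; the addresses are made up,
# the ASNs (65002 local, 65515 for the Azure VNG) match the configuration above.
BGP_SUMMARY = """\
BGP router identifier 192.168.50.1, local AS number 65002
BGP table version is 12, main routing table version 12

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.20.1.4       4        65515     240     238       12    0    0 01:58:13        2
"""

IKEV2_SA = """\
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         203.0.113.10/500      20.50.60.70/500       none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 3600/1427 sec
"""


def parse_bgp_summary(text):
    """Map neighbor IP -> (remote AS, established, prefixes received). IOS puts a
    number in State/PfxRcd only when Established; otherwise the FSM state."""
    neighbors, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("Neighbor"):
            in_table = True  # header row of the neighbor table
            continue
        if not in_table or not line.strip():
            continue
        cols = line.split()
        established = cols[-1].isdigit()
        neighbors[cols[0]] = (int(cols[2]), established, int(cols[-1]) if established else 0)
    return neighbors


def ikev2_tunnel_ready(text, remote_ip):
    """True when the IKEv2 SA to remote_ip (the VNG public IP) is READY."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 5 and cols[2].startswith(remote_ip + "/"):
            return cols[-1] == "READY"
    return False


def vpn_healthy(bgp_text, ike_text, vng_peer_ip, vng_public_ip, vng_asn=65515):
    """Pre-check from the page: SA READY, BGP Established to the VNG ASN, routes learned."""
    nbr = parse_bgp_summary(bgp_text).get(vng_peer_ip)
    return (ikev2_tunnel_ready(ike_text, vng_public_ip) and nbr is not None
            and nbr[0] == vng_asn and nbr[1] and nbr[2] > 0)
```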

Traffic Initiated from On-Prem and Inspection is disabled

In this example, the following VNets in Azure are used:

  • Azure Aviatrix Transit VNET (i.e.
  • Azure Aviatrix Spoke VNETs (i.e.


Traffic flows from the on-prem Cisco IOS router, with its subnet and Loopback, to the cloud Azure native Spoke VNet (

Let's start at the Cisco IOS router and verify that the Spoke CIDR is learned and what the next hop to reach the Spoke VNet is.


The next hop for the Spoke VNet should be the VPN termination point, so it should be the IP address of the VNG.

  • Log in to the Azure Portal and search for “Virtual network gateways”
  • Go to Virtual network gateways and select the Virtual Network Gateway created earlier
  • Click Configuration inside the VNG and verify that its IP address matches the next hop


Traffic has reached the VNG, where the tunnel terminates in the cloud. Now log in to Azure Portal -> All resources -> VNG route table to check what the next hop to reach the Spoke VNet is.


The VNG route table shows a next hop that is the IP of the load balancer.


Next we need to check the LB rules and find the LB backend pool name.


Once we know the pool name, go to the backend pool and check the next hop IP address.


The LB should be pointing to the Transit Gateway. Go to the Aviatrix Controller console and verify the private IP address of the Aviatrix Transit FireNet Gateway.


Next go to the Transit and check whether the Transit has a route to reach the Spoke VNet.


The Transit shows the route going via an IP address. How do we verify that IP?



Traffic Initiated from Cloud and Inspection is disabled

In this example, the following VNets in Azure are used:

  • Azure Aviatrix Transit VNET (i.e.
  • Azure Aviatrix Spoke VNETs (i.e.


Traffic flows from the cloud Azure native Spoke VNet ( to the on-prem Cisco IOS router with its subnet and Loopback.

Let's start from the Spoke and verify that the IOS routes are learned and what the next hop to reach on-prem is.


The Spoke shows the next hop as the Transit (Transit FireNet Gateway).


The Transit FireNet Gateway shows the destination via eth2 ( In order to verify the next hop, we need to go to the Transit FireNet Gateway interface eth2 and capture the subnet name to verify the pool address.



Once traffic reaches the VNG, we can verify that the VNG routing table now shows the destination IP via the VPN tunnel.