About Transit Gateway Settings

Your cloud provider account. The Aviatrix Controller uses your cloud provider’s account credentials to launch Aviatrix gateways via API calls.

To learn more about access accounts, see Accounts and Users.

Instance Size is the gateway instance size.

When selecting the gateway instance size, use the following guidelines of IPsec performance based on IPERF tests conducted between two gateways of the same size:

High Performance Encryption (HPE) is an Aviatrix technology that enables 10Gbps and higher IPsec performance between two single Aviatrix Gateway instances or between a single Aviatrix Gateway instance and on-prem Aviatrix appliance.

When a gateway instance is launched with High Performance Encryption enabled, the Aviatrix Controller will look for a spare /26 subnet segment to create a new public subnet "-insane" and launch the gateway on this subnet.

The instance sizes that support High Performance Encryption are:

For an overview of Aviatrix High Performance Encryption, see About High-Performance Encryption.

Transit Gateway peering connects two or more Aviatrix Transit Gateways that enables communication between Spoke VPCs/VNets via the Transit Gateways.

Enabling Transit Egress Capability ensures that this Transit Gateway is available to use in a Transit FireNet workflow or a Transit Egress workflow.

If you select AWS you can also enable the Gateway Load Balancer option (see definition below).

If you select GCP you must enter the subnet of a LAN VPC that will exchange traffic between the gateway and a firewall.

If you enable Transit Egress Capability on an AWS Transit Gateway you can also enable the Gateway Load Balancer. This is beneficial if the Transit Gateway is going to be used as a Transit FireNet with attached firewalls.

In AWS and GCP, BGP over LAN feature allows Aviatrix Transit Gateways to establish a connection with a pair of third-party instances, that are in the same VPC as the Transit Gateway, without using the IPsec or GRE tunneling protocol.

In Azure, BGP over LAN allows Aviatrix Transit Gateways to establish a connection with a pair of third-party instances, that are in the same VNet but different from the Transit Gateway VNet, without using the IPsec or GRE tunneling protocol.

Multiple BGP over LAN connections are supported, however, each connection can be connected to one or at most two third-party instances. For Azure, the two third-party instances must be in the same VNet.

When configuring BGP over LAN:

To learn more about BGP over LAN connections, refer to:

The Aviatrix Gateway High Availability feature enables you to create High Availability (HA) gateways for Spoke and Transit Gateways to minimize and reduce network downtime and improve network stability and performance.

When HA Spoke and Transit gateways are deployed, the Aviatrix Controller monitors your cloud network deployment, detects if a gateway is down and handles failover resolution automatically.

For an overview of the Aviatrix Gateway High Availability feature, see About Gateway High Availability.

Aviatrix Gateways are launched in a public subnet in AWS, GCP, and OCI. A public subnet in AWS VPC is defined as a subnet whose associated route table has a default route entry that points to the Internet gateway (IGW). To learn more about VPC and subnets, refer to this link.

If you do not have a VPC/VCN with public subnet in AWS, GCP, or OCI, you can use our Creating a VPC/VNet using CoPilot tool to create a VPC with fully populated public and private subnets in each AZ.

The Use VPC/VNet DNS Server feature enables you to set the default DNS server for the Aviatrix gateway.

When this feature is On, it removes the default DNS server for the Aviatrix Gateway and instructs the gateway to use the VPC or VNet DNS server configured in VPC or VNet DHCP option.

When this feature is Off, the Aviatrix Gateway will revert to use its built-in (default) DNS server.

For more information, see Using VPC/VNet DNS Server.

By default, Aviatrix Spoke VPCs and VNets do not have routing established to communicate with each other via the Transit Gateway. They are completely segmented.

The Connected Transit feature enables you to build a full mesh network where Spoke VPCs and VNets communicate with each other via the Transit Gateway. All connections are encrypted in Connected Transit mode.

By default, Aviatrix Transit Gateway does not advertise Transit VPC/VNet CIDR.

When this setting is enabled, Aviatrix Transit Gateway advertises the Transit VPC/VNet CIDR to VGW. The Controller programs the 3 RFC1918 routes in the AWS route table to point to the Transit Gateway. It also programs the learned routes from VGW into the AWS route table.

If you deploy instances in the Transit VPC/VNet, enabling Advertise Transit VPC CIDR mode allows the instance to communicate both to Spoke VPCs and the on-prem network, assuming the Spoke VPCs are in the RFC1918 range.

Use the Multi-Tier Transit setting to implement a hierarchical Transit Gateway architecture that permits packets to traverse more than two Aviatrix Transit Gateways. Previously, full-mesh transit peering was required. You can now connect two cloud service providers or regions through one peered connection. You must use ActiveMesh 2.0 to use multi-tier transit gateways, but full-mesh transit peering is not required.

Jumbo Frame improves Aviatrix Gateway throughput performance.

The GRO/GSO feature enables you to configure the gateway interface and enable or disable Generic Receive Offload (GRO) and Generic Segmentation Offload (GSO).

GRO/GSO is On by default to improve performance. You can set this feature to Off to minimize out of order packets for sensitive applications (like FTP), but there will be a performance throughput penalty.

This feature enables you to deploy a Transit Gateway connection to an external device where the external device, such as an on-premises firewall, does not support asymmetric routing on two tunnels.

Active-Standby mode applies to both BGP and Static Remote Route Based external connections.

When Active-Standby mode is enabled, the Transit Gateway connects to the external device with only one active peering connection forwarding network traffic and the other as standby.

If you enable Active-Standby mode, you can select the Failover Mode to determine the network’s behavior when the active peering connection goes down.

For more information, see About Active-Standby External Connection Configuration.

The Gateway Single AZ HA feature enables the Aviatrix Controller to monitor the health of the gateway instance and restart the gateway instance if it becomes unreachable. Gateway Single AZ HA is enabled by default.

Using Gateway Single AZ HA, you can select the gateway instance to restart.

When Gateway Single AZ HA status is On, the Aviatrix Controller attempts to restart the gateway instance. When status is Off, Controller does not attempt to restart the gateway instance.

Using the Change Interface(s) RX Queue Size, you can select a gateway and set the gateway’s interface(s) RX Queue Size.

Enable this setting to limit routes propagated to TGW to only three RFC 1918 CIDRs and specific non-RFC 1918 CIDRs. Limiting routes saves route propagation time.

Leave this setting disabled (the default setting) to maintain better segmentation behavior without improving performance.

AWS TGW Edge Segmentation allows you to further specify on each AWS TGW Aviatrix _Edge_Domain connection which domain the Transit Gateway can communicate with.

After you turn On this option you can build domain connection policies to specify which Network Domain this AWS TGW Aviatrix_Edge_Domain connection can communicate with.

For more information, see Configuring AWS TGW Edge Segmentation.