Adding FireNet to a Transit Gateway

When FireNet is added to a Transit gateway, a firewall can be inserted into the Aviatrix Transit VPC/VNet. East-west and egress traffic is inspected by these firewalls, unless traffic inspection is explicitly disabled (by using an Egress FireNet or disabling the Traffic Inspection option).

Ensure you have completed any prerequisites before beginning.

See Minimum Gateway Instance Sizes for FireNet deployment for information on the interfaces/NICs created when you add FireNet to a Transit Gateway.

After adding FireNet to a Transit gateway you can:

Configuration Steps

On the FireNet tab, click +Add FireNet.

You can also add these FireNet types:
- Egress Transit FireNet: ensure that a Transit gateway (new or previously created) sends traffic to the Internet and does not perform any traffic inspection.
- AWS TGW FireNet: add FireNet functionality to your AWS Transit Gateway (TGW) or to a Native AWS Gateway Load Balancer.
In the Add FireNet to Transit Gateway dialog, select if you want to add FireNet to an existing Transit gateway or on a new Transit gateway.

If you are adding FireNet to an existing Transit gateway that has the BGP over LAN slider On, that Transit gateway must also have DNAT/SNAT configured.

Only Transit gateways that have the Transit Egress Capability toggle enabled (selected when you create a Transit gateway from Cloud Fabric > Gateways > Transit Gateways) are displayed in the Existing Transit Gateway List.

If creating a new Transit gateway, enter a name in the Name field.

Configure the following:

Field	Description
Cloud (prepopulated if creating on an existing Transit gateway)	Select Cloud type: AWS: Standard, GovCloud, China Azure: Global, GovCloud, China (same as above) GCP OCI
Name (new Transit gateway only)	Name for the FireNet
Account (pre-populated if creating on an existing Transit gateway)	Cloud Account Name
Region (pre-populated if creating on an existing Transit gateway) (AWS, Azure, OCI only)	Region in which to create the Transit gateway.
VPC/VNet (pre-populated if creating on an existing Transit gateway)	VPC/VNet where the Transit gateway will be deployed.
Instance Size (regardless of type of FireNet)	Minimum sizes: AWS: c5.xlarge Azure: Standard_B2ms GCP: n1-standard_1 OCI: VM.Standard2.4 The minimum size may vary if HPE is enabled.
High Performance Encryption (HPE)	Turn On HPE for the FireNet deployment, for higher throughputs.
Peer to Spoke Gateways (optional)	Select pre-existing Spoke gateways to connect to the Transit FireNet gateway. Traffic from these Spoke gateways is sent to the Transit FireNet gateway for firewall inspection.
Instances	Availability Domain (OCI only): Select the OCI domain within the region (selected above). Attach to Subnet: FireNet is launched in this public subnet. Add a second Instance row for the High Availability (HA) instance. Zone (GCP only): Zone in which to create the gateway. Fault Domain (OCI only): OCI failover mechanism. Public IP: Allocate a new, static public IP address to the new Transit gateway.
Primary FireNet (AWS only)	Select if you want this FireNet to be the Primary FireNet where firewalls are attached. Not applicable for Egress FireNet.
Secondary FireNet (AWS only)	Select if you want this to be a Secondary FireNet that will send traffic to the Primary FireNet to be inspected. Egress and traffic inspection are disabled when Secondary FireNet is selected. Not applicable for Egress FireNet.
Attach Secondary FireNets (AWS/Primary FireNet only)	Select the Secondary FireNets to attach to this Primary FireNet. Not applicable for Egress FireNet.
Attach to Primary FireNet (AWS/Secondary FireNet only)	Select the Primary FireNet to which to attach this Secondary FireNet. Not applicable for Egress FireNet.
Gateway Load Balancer (GWLB)	Slide On to enable the AWS Gateway Load Balancer (differs from the Native AWS Load Balancer, which is part of the AWS TGW FireNet workflow). If the Gateway Load Balancer option was turned On as part of the Transit Gateway creation workflow (for AWS), it will be On and disabled in the Transit FireNet creation workflow. If the Gateway Load Balancer option was left Off as part of the Transit Gateway creation workflow (for AWS), it will be Off and disabled in the Transit FireNet creation workflow. This toggle is On and disabled by default for Azure and GCP. In Azure and GCP, load balancers are created automatically after FireNet is added to the Transit gateway. In OCI this toggle is Off and disabled by default.
Traffic Inspection	If turned Off the FireNet gateway loops back all packets. Off by default if adding an Egress Transit FireNet. This means that only egress traffic will be inspected/routed to a firewall. If creating an AWS Transit Gateway with Secondary FireNet selected, Traffic Inspection is Off by default, and hidden.
Egress	Enable Egress (Internet-bound) traffic inspection. On by default if adding an Egress Transit FireNet. If creating an AWS Transit Gateway with Secondary Transit selected, Egress is Off by default, and hidden.

Field

Description

Cloud (prepopulated if creating on an existing Transit gateway)

Select Cloud type:

AWS: Standard, GovCloud, China
Azure: Global, GovCloud, China (same as above)
GCP
OCI

Name (new Transit gateway only)

Name for the FireNet

Account (pre-populated if creating on an existing Transit gateway)

Cloud Account Name

Region (pre-populated if creating on an existing Transit gateway) (AWS, Azure, OCI only)

Region in which to create the Transit gateway.

VPC/VNet (pre-populated if creating on an existing Transit gateway)

VPC/VNet where the Transit gateway will be deployed.

Instance Size (regardless of type of FireNet)

Minimum sizes:

AWS: c5.xlarge
Azure: Standard_B2ms
GCP: n1-standard_1
OCI: VM.Standard2.4

The minimum size may vary if HPE is enabled.

High Performance Encryption (HPE)

Turn On HPE for the FireNet deployment, for higher throughputs.

Peer to Spoke Gateways (optional)

Select pre-existing Spoke gateways to connect to the Transit FireNet gateway. Traffic from these Spoke gateways is sent to the Transit FireNet gateway for firewall inspection.

Instances

Availability Domain (OCI only): Select the OCI domain within the region (selected above).
Attach to Subnet: FireNet is launched in this public subnet.
Add a second Instance row for the High Availability (HA) instance.
Zone (GCP only): Zone in which to create the gateway.
Fault Domain (OCI only): OCI failover mechanism.
Public IP: Allocate a new, static public IP address to the new Transit gateway.

Primary FireNet (AWS only)

Select if you want this FireNet to be the Primary FireNet where firewalls are attached.

Not applicable for Egress FireNet.

Secondary FireNet (AWS only)

Select if you want this to be a Secondary FireNet that will send traffic to the Primary FireNet to be inspected.

Egress and traffic inspection are disabled when Secondary FireNet is selected.

Not applicable for Egress FireNet.

Attach Secondary FireNets (AWS/Primary FireNet only)

Select the Secondary FireNets to attach to this Primary FireNet.

Not applicable for Egress FireNet.

Attach to Primary FireNet (AWS/Secondary FireNet only)

Select the Primary FireNet to which to attach this Secondary FireNet.

Not applicable for Egress FireNet.

Gateway Load Balancer (GWLB)

Slide On to enable the AWS Gateway Load Balancer (differs from the Native AWS Load Balancer, which is part of the AWS TGW FireNet workflow).

If the Gateway Load Balancer option was turned On as part of the Transit Gateway creation workflow (for AWS), it will be On and disabled in the Transit FireNet creation workflow. If the Gateway Load Balancer option was left Off as part of the Transit Gateway creation workflow (for AWS), it will be Off and disabled in the Transit FireNet creation workflow.

This toggle is On and disabled by default for Azure and GCP. In Azure and GCP, load balancers are created automatically after FireNet is added to the Transit gateway.

In OCI this toggle is Off and disabled by default.

Traffic Inspection

If turned Off the FireNet gateway loops back all packets.

Off by default if adding an Egress Transit FireNet. This means that only egress traffic will be inspected/routed to a firewall.

If creating an AWS Transit Gateway with Secondary FireNet selected, Traffic Inspection is Off by default, and hidden.

Egress

Enable Egress (Internet-bound) traffic inspection.

On by default if adding an Egress Transit FireNet.

If creating an AWS Transit Gateway with Secondary Transit selected, Egress is Off by default, and hidden.

Click Add.

If you are attaching Secondary FireNets to Primary (AWS only), the Attach Secondary FireNet to Primary FireNet dialog displays.

You can check the FireNet creation progress on the Monitor > Notifications > Tasks tab.

Egress Transit FireNet

A Transit Gateway that has Egress FireNet added receives egress traffic from attached Spoke Gateways and then sends that traffic via any attached firewalls to the Internet. Egress Transit FireNet does not inspect east-west or north-south traffic.

An Egress Transit FireNet cannot be used in an external connection. It also cannot peer with other Transit Gateways.

Field	Description
Cloud (prepopulated if creating on an existing Transit gateway)	Select Cloud type: AWS: Standard Azure: Global GCP OCI
Name (new Transit gateway only)	Name for the FireNet
Account (pre-populated if creating on an existing Transit gateway)	Cloud Account Name
Region (pre-populated if creating on an existing Transit gateway) (AWS, Azure, OCI only)	Region in which to create the Transit gateway.
VPC/VNet (pre-populated if creating on an existing Transit gateway)	VPC/VNet where the Transit gateway will be deployed.
Instance Size (regardless of type of FireNet)	Minimum sizes: AWS: c5.xlarge Azure: Standard_B2ms GCP: n1-standard_1 OCI: VM.Standard2.4 The minimum size may vary if HPE is enabled.
High Performance Encryption (HPE)	Turn On HPE for the FireNet deployment, for higher throughputs.
Peer to Spoke Gateways (optional)	Select pre-existing Spoke gateways to connect to the Transit FireNet gateway. Traffic from these Spoke gateways is sent to the Transit FireNet gateway for firewall inspection.
Instances	Availability Domain (OCI only): Select the OCI domain within the region (selected above). Attach to Subnet: FireNet is launched in this public subnet. Add a second Instance row for the High Availability (HA) instance. Zone (GCP only): Zone in which to create the gateway. Fault Domain (OCI only): OCI failover mechanism. Public IP: Allocate a new, static public IP address to the new Transit gateway.
Gateway Load Balancer (GWLB)	Off by default for AWS On and disabled by default for Azure, GCP Off and disabled by default for OCI When this setting is On, it enables the AWS Gateway Load Balancer (differs from the Native AWS Load Balancer, which is part of the AWS TGW FireNet workflow). In Azure and GCP, load balancers are created automatically after FireNet is added to the Transit gateway.
Traffic Inspection	Turned Off and disabled by default. This means that only egress traffic will be inspected/routed to a firewall. If turned Off the FireNet gateway loops back all packets.
Egress	Enable Egress (Internet-bound) traffic inspection. On and disabled by default.

Field

Description

Cloud (prepopulated if creating on an existing Transit gateway)

Select Cloud type:

AWS: Standard
Azure: Global
GCP
OCI

Name (new Transit gateway only)

Name for the FireNet

Account (pre-populated if creating on an existing Transit gateway)

Cloud Account Name

Region (pre-populated if creating on an existing Transit gateway) (AWS, Azure, OCI only)

Region in which to create the Transit gateway.

VPC/VNet (pre-populated if creating on an existing Transit gateway)

VPC/VNet where the Transit gateway will be deployed.

Instance Size (regardless of type of FireNet)

Minimum sizes:

AWS: c5.xlarge
Azure: Standard_B2ms
GCP: n1-standard_1
OCI: VM.Standard2.4

The minimum size may vary if HPE is enabled.

High Performance Encryption (HPE)

Turn On HPE for the FireNet deployment, for higher throughputs.

Peer to Spoke Gateways (optional)

Select pre-existing Spoke gateways to connect to the Transit FireNet gateway. Traffic from these Spoke gateways is sent to the Transit FireNet gateway for firewall inspection.

Instances

Availability Domain (OCI only): Select the OCI domain within the region (selected above).
Attach to Subnet: FireNet is launched in this public subnet.
Add a second Instance row for the High Availability (HA) instance.
Zone (GCP only): Zone in which to create the gateway.
Fault Domain (OCI only): OCI failover mechanism.
Public IP: Allocate a new, static public IP address to the new Transit gateway.

Gateway Load Balancer (GWLB)

Off by default for AWS
On and disabled by default for Azure, GCP
Off and disabled by default for OCI

When this setting is On, it enables the AWS Gateway Load Balancer (differs from the Native AWS Load Balancer, which is part of the AWS TGW FireNet workflow).

In Azure and GCP, load balancers are created automatically after FireNet is added to the Transit gateway.

Traffic Inspection

Turned Off and disabled by default. This means that only egress traffic will be inspected/routed to a firewall.

If turned Off the FireNet gateway loops back all packets.

Egress

Enable Egress (Internet-bound) traffic inspection.

On and disabled by default.

AWS TGW FireNet

You can add FireNet functionality to an AWS TGW (deployed as part of the AWS TGW Orchestrator workflow) or to the Native AWS Gateway Load Balancer. A Firewall Domain must be created in the AWS TGW before adding FireNet functionality.

Field	Value
Add AWS TGW FireNet To	Transit Gateway Native AWS Gateway Load Balancer
Transit Gateway	Select a new or existing AWS Transit gateway
Name	Enter a name for the new AWS TGW Transit gateway (pre-populated if you select an existing AWS Transit gateway)
Account (Transit Gateway)	Cloud Account Name
Region (Transit Gateway)	Region in which to create the AWS TGW Transit gateway.
VPC	Transit Gateway: VPC where the AWS TGW Transit gateway will be deployed. Native AWS Gateway Load Balancer: VPC where the Load Balancer will be deployed.
Instance Size (Transit Gateway)	c5.xlarge is the recommended minimum
High Performance Encryption (Transit Gateway)	Turn On HPE for the FireNet deployment, for higher throughputs.
Attach to Subnet (Transit Gateway)	The AWS TGW FireNet is launched in this public subnet.
Public IP (Transit Gateway)	The public IP address for this gateway.
Gateway Load Balancer (Transit Gateway)	Off by default
Traffic Inspection	If turned Off, the FireNet gateway loops back all packets.
Egress	Turn On to enable egress (Internet-bound) traffic inspection.
AWS TGW Firewall Domain	Select a previously configured AWS TGW Firewall Domain (a network domain of the Firewall Domain type added to an AWS TGW). The Aviatrix Firewall Domain is a FireNet-dedicated Network Domain. The AWS TGW FireNet is deployed in this domain.

Field

Value

Add AWS TGW FireNet To

Transit Gateway
Native AWS Gateway Load Balancer

Transit Gateway

Select a new or existing AWS Transit gateway

Name

Enter a name for the new AWS TGW Transit gateway (pre-populated if you select an existing AWS Transit gateway)

Account (Transit Gateway)

Cloud Account Name

Region (Transit Gateway)

Region in which to create the AWS TGW Transit gateway.

VPC

Transit Gateway: VPC where the AWS TGW Transit gateway will be deployed.
Native AWS Gateway Load Balancer: VPC where the Load Balancer will be deployed.

Instance Size (Transit Gateway)

c5.xlarge is the recommended minimum

High Performance Encryption (Transit Gateway)

Turn On HPE for the FireNet deployment, for higher throughputs.

Attach to Subnet (Transit Gateway)

The AWS TGW FireNet is launched in this public subnet.

Public IP (Transit Gateway)

The public IP address for this gateway.

Gateway Load Balancer (Transit Gateway)

Off by default

Traffic Inspection

If turned Off, the FireNet gateway loops back all packets.

Egress

Turn On to enable egress (Internet-bound) traffic inspection.

AWS TGW Firewall Domain

Select a previously configured AWS TGW Firewall Domain (a network domain of the Firewall Domain type added to an AWS TGW). The Aviatrix Firewall Domain is a FireNet-dedicated Network Domain. The AWS TGW FireNet is deployed in this domain.

You can enable intra-domain inspection for VPCs in an AWS TGW FireNet here.

Attaching Secondary FireNet to Primary FireNet (AWS only)

Click here for more information on Primary and Secondary FireNet.

If you created and saved a Primary FireNet configuration that included Secondary FireNet attachments, after saving you are prompted to attach your Secondary FireNet to Primary.

Confirm that the Network Segmentation and Gateway Settings information is correct for this Primary/Secondary attachment.
Enter the Local ASN number for the FireNet gateways (Primary and Secondary). This is the ASN of the BGP device on your side of the connection.
Select the checkbox to indicate your acceptance of configuration changes on the Transit FireNet gateways.
If the configuration is satisfactory, click Proceed. If not, click Cancel and edit your FireNet configuration.