This document provides instructions for deploying primary and secondary highly available (HA) Edge Spoke Gateways on self-managed VMware ESXi or an open-source Kernel-based Virtual Machine (KVM). For an overview of Aviatrix Edge, see About Aviatrix Hybrid Cloud Edge.

Topology

The following diagram shows an example of network connectivity for Aviatrix Edge Gateway to Transit Gateway in AWS.

[Figure: Edge Network Connectivity]

Prerequisites

Before you deploy an Aviatrix Edge Gateway on VMware ESXi or KVM, ensure the prerequisites are complete. See Prerequisites for Edge Spoke Deployment on VMware ESXi and KVM.

Aviatrix Edge Spoke Gateway Deployment Workflow

To deploy Aviatrix Edge Spoke Gateway, you first need to procure and onboard your edge device on the platform of your choice (see Prerequisites for Edge Spoke Deployment on VMware ESXi and KVM). Next, you deploy the Aviatrix Edge Gateway on the edge device and attach the Edge Gateway to the Aviatrix Transit Gateway for cloud connectivity. Then, you configure the Edge Gateway for LAN-side connectivity.

The diagram below provides a high-level view of the four-step process for deploying Aviatrix Edge Spoke Gateway in Aviatrix CoPilot. You have the option to use either VMware ESXi or an open-source Kernel-based Virtual Machine (KVM) to deploy the Edge Spoke Gateway VM and attach the ISO file. The ISO file is the equivalent of the Zero-Touch Provisioning (ZTP) token. ZTP allows you to remotely deploy and provision network devices at remote locations.

[Figure: Edge Deployment Workflow]

This workflow provides the steps to create a primary and secondary (HA) Edge Gateway in VMware ESXi and KVM. It also provides the steps to attach the Edge Gateways to a Transit Gateway and connect the Edge Gateways to an external device, such as a LAN BGP router.
  1. Create the ZTP ISO for the primary Edge Gateway.
  2. Deploy the primary Edge Gateway Virtual Machine and Attach ZTP ISO.
  3. Create the ZTP ISO for the secondary Edge Gateway.
  4. Deploy the secondary Edge Gateway Virtual Machine and Attach ZTP ISO.
  5. Attach the primary Edge Gateway to a Transit Gateway.
  6. Connect the Edge Gateway to an external device.

Creating the ZTP ISO for the Edge Gateway (Self-Managed Platform)

You must have port 443 open to the IP address of the Aviatrix Controller. For the required port access for Edge Gateway deployment, refer to Aviatrix Edge Gateway Ports and Protocols.

In Aviatrix CoPilot:
  1. Go to Cloud Fabric > Hybrid Cloud > Edge Gateways tab.
  2. Click + Spoke Gateways, then provide the following information.

| Parameter | Description |
| --- | --- |
| Name | Name for the Edge Gateway. |
| Platform | Select edge_admin. |
| Site | Select an existing name or enter a new name to identify the edge location. Site names cannot contain spaces. |
| ZTP File Type | Select the ZTP file type. For VMware ESXi, select iso. For KVM, select iso or cloud-init. |
| High Availability | High Availability is set to Off for the primary Edge Gateway. For the secondary (HA) Edge Gateways, select Active-Active or Active-Standby mode. |

Deploying multiple Edge Gateways for the same site is supported. A maximum of 8 Edge Gateways are supported.

  3. Configure the WAN, LAN, and Management interfaces.

Configuring the Edge Gateway Interfaces

By default, an Aviatrix Edge Gateway has three interfaces: one WAN interface on eth0, one LAN interface on eth1, and one Management interface on eth2. You will need this configuration information to configure the interfaces. In the Interface Configuration section, configure the WAN, LAN, and Management interfaces for the Edge Gateway.

Configuring the WAN Interface

Click WAN, then provide the following information. For IP and DNS settings, enter values in the applicable format. For example, if the Edge Gateway’s WAN IP is 10.1.1.151, enter 10.1.1.151/24, or use whatever your netmask is.

| Parameter | Description |
| --- | --- |
| IP Assignment | The default is Static for static IP assignment. DHCP for dynamic IP address assignment is not supported. |
| Interface Labels | (optional) A name to identify the WAN interface. |
| Interface CIDR | The CIDR for the WAN interface. |
| Default Gateway IP | The Default Gateway IP address for the WAN interface. |
| Public IP | (optional) The Public IP address of the WAN interface. |

To change or update the Edge Gateway WAN connectivity to Transit Gateway, you will need to first detach the Edge-to-Transit gateway attachment, if there is an attachment.

Configuring the LAN Interface

Click LAN, then provide the following information.

| Parameter | Description |
| --- | --- |
| IP Assignment | The default is Static for static IP assignment. DHCP for dynamic IP address assignment is not supported. |
| VRRP | If you have Virtual Router Redundancy Protocol (VRRP) configured for the LAN router redundancy, set this switch to On. |
| Interface CIDR | The CIDR for the LAN interface. |
| VRRP Gateway IP | The Virtual IP (VIP) address, when VRRP is enabled. |
| Default Gateway IP | (optional) The Default Gateway IP for the LAN interface. |
| Interface Labels | (optional) A name to identify the LAN interface. |

VLAN Interface

If your LAN is segmented into virtual LANs (VLANs), click + VLAN Interface to add one or more VLAN sub-interfaces, then provide the following information for each VLAN sub-interface.

You cannot edit the VLAN ID after the Edge Gateway is created. To edit the VLAN sub-interface attributes, it is highly recommended to delete and recreate the VLAN sub-interface configuration.

| Parameter | Description |
| --- | --- |
| Interface CIDR | The native VLAN interface IP address. This is the interface where the untagged packets are sent. |
| VRRP Gateway IP | The Virtual IP for the VRRP Gateway, when VRRP is enabled. |
| Default Gateway IP | The Default Gateway IP address for the native VLAN interface. |
| Interface Labels | (optional) A name to identify this native VLAN interface. |

VLAN Sub-Interfaces

| Parameter | Description |
| --- | --- |
| VLAN ID | The VLAN ID. VLAN ID must be a number between 2 and 4092. |
| VLAN Interface CIDR | The VLAN sub-interface IP address. |
| VRRP Gateway IP | The Virtual IP for the VRRP Gateway, when VRRP is enabled. |
| Default Gateway IP | The Default Gateway IP address for this VLAN sub-interface. |
| Sub-Interface Tag | (optional) A name to identify this VLAN sub-interface. |

Configuring the MGMT Interface

Click MGMT, then provide the following information.

| Parameter | Description |
| --- | --- |
| IP Assignment | Select DHCP or Static, depending on your environment. This setting cannot be changed after the gateway is created. |
| Private Network | If the Management interface connection to the Aviatrix Controller is over a private network, set this switch to On. Leave the setting at Off if the connection is over the public internet. |

| Parameter | Description |
| --- | --- |
| Egress CIDR (Optional) | The CIDR range for the egress flow for the Management interface. |

CoPilot creates the ISO file and downloads the file to your downloads folder. Next, log in to your VMware ESXi or KVM host and upload the ISO or cloud-init file to a datastore or storage device. Then, deploy the Edge Gateway VM instance and attach the ISO or cloud-init image file to complete the Edge Gateway creation and authentication with the Aviatrix Controller.
The ISO file expires after 24 hours. You cannot download it again and will have to repeat the above steps. You must mount the ISO file to an Edge VM to complete the Edge Gateway registration within 24 hours. See Deploying the Edge Gateway Virtual Machine Instance.
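
Because the ISO expires after 24 hours and cannot be downloaded again, it helps to check the planned values before entering them in CoPilot. The following pre-flight check is an added example, not Aviatrix code: the dictionary schema, function names and sample addresses are assumptions, and the subnet-membership check is general IP practice rather than a rule stated on this page.

```python
import ipaddress

MAX_GATEWAYS_PER_SITE = 8   # limit stated on this page
VLAN_IDS = range(2, 4093)   # page: VLAN ID must be between 2 and 4092


def check_interface(label, cfg, dhcp_allowed=False):
    """Return the problems found in one interface dict (hypothetical schema)."""
    if cfg.get("ip_assignment", "static") == "dhcp":
        return [] if dhcp_allowed else [f"{label}: DHCP is not supported"]
    cidr = str(cfg.get("cidr", ""))
    if "/" not in cidr:
        return [f"{label}: {cidr!r} lacks a prefix length, e.g. 10.1.1.151/24"]
    try:
        iface = ipaddress.ip_interface(cidr)
    except ValueError as exc:
        return [f"{label}: invalid CIDR ({exc})"]
    problems = []
    # Assumption (not from the page): gateway and VRRP VIP sit in the subnet.
    for field in ("default_gateway", "vrrp_gateway"):
        if (value := cfg.get(field)) is None:
            continue
        try:
            if ipaddress.ip_address(value) not in iface.network:
                problems.append(f"{label}: {field} {value} is outside {iface.network}")
        except ValueError:
            problems.append(f"{label}: {field} {value!r} is not an IP address")
    return problems


def validate_site(site, gateways):
    """Check every gateway planned for one site; return all problems found."""
    problems = []
    if not site or any(ch.isspace() for ch in site):
        problems.append(f"site {site!r}: site names cannot contain spaces")
    if len(gateways) > MAX_GATEWAYS_PER_SITE:
        problems.append(f"{len(gateways)} gateways exceeds {MAX_GATEWAYS_PER_SITE}")
    for gw in gateways:
        name, lan = gw.get("name", "<unnamed>"), gw.get("lan", {})
        problems += check_interface(f"{name}/WAN", gw.get("wan", {}))
        problems += check_interface(f"{name}/LAN", lan)
        problems += check_interface(f"{name}/MGMT", gw.get("mgmt", {}), dhcp_allowed=True)
        for sub in lan.get("vlans", []):
            vid = sub.get("vlan_id")
            if vid not in VLAN_IDS:
                problems.append(f"{name}/LAN: VLAN ID {vid} is not in 2-4092")
            problems += check_interface(f"{name}/VLAN {vid}", sub)
    return problems


# Constructed sample: the HA gateway carries three deliberate mistakes.
SAMPLE_GATEWAYS = [
    {"name": "edge-1", "mgmt": {"ip_assignment": "dhcp"},
     "wan": {"cidr": "10.1.1.151/24", "default_gateway": "10.1.1.1"},
     "lan": {"cidr": "10.1.2.151/24", "vrrp_gateway": "10.1.2.1",
             "vlans": [{"vlan_id": 10, "cidr": "10.1.10.2/24"}]}},
    {"name": "edge-1-ha", "mgmt": {"ip_assignment": "dhcp"},
     "wan": {"cidr": "10.1.1.152", "default_gateway": "10.1.1.1"},
     "lan": {"cidr": "10.1.2.152/24", "default_gateway": "10.1.3.1",
             "vlans": [{"vlan_id": 4093, "cidr": "10.1.10.3/24"}]}},
]

if __name__ == "__main__":
    print("\n".join(validate_site("branch 01", SAMPLE_GATEWAYS)))
```

An empty result means the plan is consistent with the constraints listed in the tables above.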

Creating a Highly Available Edge Gateway (Self-Managed Platform)

Before you can create the highly available Edge Gateway, the primary Edge Gateway must be deployed and its status must be Up. You must have port 443 open to the IP address of the Aviatrix Controller. For the required port access for Edge Gateway deployment, refer to Aviatrix Edge Gateway Ports and Protocols.

To create a secondary (HA) Edge Gateway, follow these steps.
  1. In Aviatrix CoPilot, go to Cloud Fabric > Edge > Gateways tab.
  2. In the table, locate the primary Edge Gateway for which you want to create the HA gateway and click its Edit icon.
  3. In the Edit Edge Gateway dialog box, from the High Availability dropdown menu, select Active-Active or Active-Standby mode.
  4. In the Interfaces section, configure the WAN, LAN, and Management interfaces for the secondary (HA) Edge Gateway.

WAN Interface

Click WAN, then provide the following information. For IP and DNS settings, enter values in the applicable format. For example, if the Edge Gateway’s WAN IP is 10.1.1.151, enter 10.1.1.151/24, or use whatever your netmask is.

| Parameter | Description |
| --- | --- |
| IP Assignment | The default is Static for static IP assignment. DHCP for dynamic IP address assignment is not supported. |
| Interface Labels | (optional) A name to identify the WAN interface. |
| Interface CIDR | The CIDR for the WAN interface. |
| Default Gateway IP | The Default Gateway IP address for the WAN interface. |
| Public IP | (optional) The Public IP address of the WAN interface. |

LAN Interface

Click LAN, then provide the following information.

| Parameter | Description |
| --- | --- |
| IP Assignment | The default is Static for static IP assignment. DHCP for dynamic IP address assignment is not supported. |
| VRRP | If you have Virtual Router Redundancy Protocol (VRRP) configured for the LAN router redundancy, set this switch to On. |
| Interface CIDR | The CIDR for the LAN interface. |
| VRRP Gateway IP | The Virtual IP (VIP) address, when VRRP is enabled. |
| Default Gateway IP | (optional) The Default Gateway IP for the LAN interface. |
| Interface Labels | (optional) A name to identify the LAN interface. |

VLAN Interface

Provide the following information for each VLAN sub-interface.

| Parameter | Description |
| --- | --- |
| Interface CIDR | The native VLAN interface IP address. This is the interface where the untagged packets are sent. |
| Default Gateway IP | The Default Gateway IP address for the native VLAN interface. |
| Interface Labels | (optional) A name to identify this native VLAN interface. |

VLAN Sub-Interfaces

| Parameter | Description |
| --- | --- |
| VLAN Interface CIDR | The VLAN sub-interface IP address. |
| Default Gateway IP | The Default Gateway IP address for this VLAN sub-interface. |

VLAN configurations are added to the primary Edge Gateway. On the secondary Edge Gateway, some fields are disabled and non-editable; the field value appears when the field is selected.

CoPilot creates the ISO file and downloads the file to your downloads folder. Next, log in to your VMware ESXi or KVM host and upload the ISO or cloud-init file to a datastore or storage device. Then, deploy the Edge Gateway VM instance and attach the ISO or cloud-init image file to complete the Edge Gateway creation and authentication with the Aviatrix Controller.
The ISO file expires after 24 hours. You cannot download it again and will have to repeat the above steps. You must mount the ISO file to an Edge VM to complete the Edge Gateway registration within the 24-hour timeframe.
See Deploying the Edge Gateway Virtual Machine Instance.

Deploying the Edge Gateway Virtual Machine Instance and Attaching the ZTP ISO


Deploying the Edge Gateway Virtual Machine in VMware ESXi

To deploy the Edge Gateway virtual machine, follow these steps.
  1. If you have not downloaded the ESXi OVA file, download the file by using the link provided to you by Aviatrix Support. See Download the Aviatrix Secure Edge Image File.
  2. Log in to VMware vSphere Web client to access the ESXi host. You can use vSphere Web client to manage ESXi host, launch a VM, mount ISO files, and start and stop the Aviatrix Edge Gateway.
  3. To load the OVA file into ESXi using vSphere, go to ESXi > Virtual Machines > Create/Register VM.
  4. Select Deploy a virtual machine from an OVF or OVA file and click Next.
  5. Enter a name for the Aviatrix Secure Edge VM and drag the OVA file into the blue pane, then click Next.
  6. In the Select storage page, select the storage device on which to create the VM instance (the OVA is installed in this instance) and click Next.
  7. In the Deployment options window, enter the Network mappings for WAN, LAN, and MGMT network interfaces and select the Deployment type. (Refer to the pull-down menu or see Virtual Machine CPU and Memory Configurations.) If necessary, you can change the network interface mappings after deployment.
  8. Click Next.
  9. In the Ready to complete page, click Finish.
Next, attach the ISO file to the Edge Gateway VM, which will auto-mount the media with the configuration file to provision the Edge Gateway.

Attaching the ISO File to the Edge Gateway Virtual Machine in VMware ESXi

The ZTP ISO file can only be used for a single Aviatrix Secure Edge VM instance, and only one time for that instance.
The ZTP token expires after 24 hours. If you wait too long to boot up the VM with the attached ISO image, it will not work. In that case, delete the Edge Gateway in Aviatrix CoPilot and create a new Edge Gateway to receive a new ISO file.
  1. Upload the ISO file downloaded from Aviatrix CoPilot to your VMware datastore.
  2. In vSphere, select the Aviatrix Secure Edge VM you created and click Edit settings.
  3. Select the Virtual Hardware tab.
  4. Next to CD/DVD Drive 1, click the dropdown menu and select Datastore ISO file.
  5. Next to CD/DVD Drive 1, ensure the Connect box is checked and click Save. Connect at power on is required when you attach the ISO image to the VM for the first time. If the VM is powered on at the time you attach the ISO image, select the ISO file and save the configuration to make the ISO available to ZTP.
  6. Next to the CD/DVD Media, click Browse, locate the datastore and select the ISO file you uploaded.
  7. Click Save. ZTP auto-mounts the ISO file and deploys the Edge Gateway on the VM.
Verify the Edge Gateway is Up (see Verifying the Edge Gateway Creation). Next, attach the Edge Gateway to the Transit Gateway.

Deploying the Edge Gateway Virtual Machine in KVM

Before you begin, on the KVM Linux host, ensure the LAN, WAN, and MGMT network bridges are associated with the physical Ethernet interfaces on the KVM server. Refer to KVM product documentation.
KVM Hypervisor does not support configuration of RX/TX queue size during runtime. RX/TX queue size should be configured during Edge Gateway VM bootup. See Enabling Multiqueue virtio-net on KVM.
  1. If you have not downloaded the KVM QCOW2 file, download the file by using the link provided to you by Aviatrix Support. See Download the Aviatrix Secure Edge Image File.
  2. Launch Virtual Machine Manager UI to access the KVM host.
  3. Create a new virtual machine from an existing disk image.
    a. From the File menu, select New virtual machine.
    b. Select the option Import existing disk image.
    c. Click Forward.
  4. Provide the path to the KVM QCOW2 file and specify the operating system type and version.
    a. Enter the path or use the Browse button to locate the KVM QCOW2 file you previously downloaded.
    b. For OS type, select Linux.
    c. For Version, select Ubuntu 18.04 LTS.
    d. Click Forward.
  5. Enter the memory and CPU settings for the Edge Gateway VM and click Forward.
  6. Enter a name for the Edge Gateway VM and check the Customize configuration before install checkbox, then click Finish.
  7. Add the LAN and MGMT virtual bridge interfaces.
    a. Click Add Hardware.
    b. In Add New Virtual Hardware, select Network from the left pane and add two additional network interfaces for the LAN and MGMT virtual bridges. The virtual bridge for the WAN interface is automatically added as part of the VM image creation.
    c. For Network source, select the name of the virtual bridge for the LAN interface.
    d. For Device model, select virtio.
    e. Repeat steps a and b and add the virtual bridge for the MGMT interface.
  8. Choose the storage device and attach the ISO file to the VM.
    a. In Add New Virtual Hardware, select Storage from the left pane.
    b. Select the option Select or create custom storage.
    c. Click Manage.
    d. Locate and select the KVM ISO file which you previously uploaded.
    e. Click Choose Volume.
    f. Click Finish.
  9. Click Begin Installation to create the Edge Gateway VM on the KVM host.
After the VM is created, ZTP auto-mounts the ISO file and deploys the Edge Gateway on the VM. Verify the Edge Gateway is Up (see Verifying the Edge Gateway Creation). Next, attach the Edge Gateway to the Transit Gateway.

Attach an Edge Spoke Gateway to a Transit Gateway

To attach an Edge Spoke Gateway to a Transit Gateway, perform the prerequisites then create the attachment.

Prerequisites

Before you create the attachment:
  • Ensure Local ASN Number is configured on Edge and Transit Gateway.
  • If the Edge to Transit Gateway attachment is over a public network, you need to update the WAN Public IP on the Edge Gateway.
    1. Go to Cloud Fabric > Hybrid Cloud > Edge Gateways tab.
    2. Click Spoke Gateways.
    3. Locate the Edge Gateway, and click its Edit icon on the right.
    4. In Edit Edge Gateway, go to Interface Configuration and click WAN.
    5. In Public IP, click Discover.
    6. Verify the WAN Public IP and click Save.

Attach Edge Spoke Gateway to Transit Gateway

To create a High Performance Encryption attachment peering, make sure the Transit Gateway is created with High Performance Encryption enabled.
If you want Jumbo Frame enabled for the attachment peering, make sure to enable Jumbo Frame on the Edge Gateway before you attach it to the Transit Gateway.
To create the attachment:
  1. In Aviatrix CoPilot, go to Cloud Fabric > Hybrid Cloud > Edge Gateways tab.
  2. Click Spoke Gateways.
  3. Locate the Edge Spoke Gateway, and click the Manage Gateway Attachments icon on the right side of the row.
  4. In Manage Gateway Attachments > Transit Gateway tab, click +Attachment and provide the following information.

| Field | Description |
| --- | --- |
| Transit Gateway | The Transit Gateway in cloud to attach. |
| Local Edge Gateway Interface | The WAN interface of the local Edge Spoke Gateway to use for the attachment. |
| Attach Over | The connection between the Edge gateways. It can be over a Private Network or the Public Network. |
| ActiveMesh | ActiveMesh enables full mesh peering between the local and remote Edge gateways. For full mesh peering, set ActiveMesh toggle On. |
| Jumbo Frame | Jumbo Frame improves performance for the connection between the Edge gateways. Jumbo Frame is applicable when the attachment is over a Private network. To use Jumbo Frames for the connection, set Jumbo Frame toggle to On. |
| Number of HPE Tunnels | The number of High Performance Encryption (HPE) tunnels to create for the attachment peering. Single creates a single tunnel. Maximum creates the maximum tunnels based on the gateway sizes and the number of interface IPs on the peering gateway. This option is available only for connection over a Private network. Custom allows you to specify the number of tunnels to create. |

To attach the Edge Spoke Gateway to another Transit Gateway, click + Attachment again and provide the required information.

You can attach an Edge Spoke Gateway to multiple Transit Gateways. Each attachment can be configured with different parameters, such as connecting interfaces, connection over private or public network, high-performance encryption, and Jumbo Frame.

  5. Click Save.

Manage Gateway Attachments

You can attach an Edge Spoke Gateway to multiple Transit Gateways. Each attachment can be configured with different parameters, such as connecting interfaces, connection over private or public network, high-performance encryption, and Jumbo Frame. Click + Attachment and provide the required information.

| Field | Description |
| --- | --- |
| Transit Gateway | The Transit Gateway in cloud to attach. |
| Local Edge Gateway Interface | The WAN interface of the local Edge Spoke Gateway to use for the attachment. |

Advanced

| Field | Description |
| --- | --- |
| Attach Over | The connection between the Edge gateways. It can be over a Private Network or the Public Network. |
| ActiveMesh | ActiveMesh enables full mesh peering between the local and remote Edge gateways. For full mesh peering, set ActiveMesh toggle On. |
| Jumbo Frame | Jumbo Frame improves performance for the connection between the Edge gateways. Jumbo Frame is applicable when the attachment is over a Private network. To use Jumbo Frames for the connection, set Jumbo Frame toggle to On. |
| Number of HPE Tunnels | The number of High Performance Encryption (HPE) tunnels to create for the attachment peering. Single creates a single tunnel. Maximum creates the maximum tunnels based on the gateway sizes and the number of interface IPs on the peering gateway. This option is available only for connection over a Private network. Custom allows you to specify the number of tunnels to create. |

Next, connect the Edge Gateway to the external device.

Connecting Edge Spoke Gateway to an External Device (BGP over LAN)

For LAN-side connectivity, you can connect the Edge Spoke Gateway to an external device, such as a LAN BGP router. To connect the Edge Gateway to the LAN BGP router, follow these steps.
  1. In CoPilot, navigate to Networking > Connectivity > External Connections (S2C) tab.
  2. From the + External Connection To dropdown menu, select External Device, then provide the following information.

| Field | Description |
| --- | --- |
| Name | Name to identify the connection to the LAN router. |
| Connect Using | Select BGP. |
| Type | Select LAN. |
| Local Gateway | The Edge Gateway that you want to connect to the LAN router. |
| Local ASN | The Local AS number that the Edge Gateway will use to exchange routes with the LAN router. This is automatically populated if the Edge Gateway is assigned an ASN already. |

  3. In LAN Configuration, provide the following information.

| Field | Description |
| --- | --- |
| Remote ASN | The BGP AS number that is configured on the LAN router. |
| Remote LAN IP | The IP address of the LAN router. |
| Local LAN IP | This is automatically populated with the Edge Gateway’s LAN interface IP address. |

  4. Click Save.

Enabling Multiqueue virtio-net on KVM

Multiqueue virtio-net allows network performance to scale with the number of vCPUs by allowing packet processing (packet sending and receiving) through multiple TX and RX queues.

To enable Multiqueue virtio-net support on KVM, add the driver_queues parameter to the network interface details when launching the Edge Gateway VM using virt-install:

    --network bridge=<bridge-name>,model=virtio,driver_queues=N

where N is the number of vCPUs.
