- Overview
- Transit Gateways
- Spoke Gateways
- Specialty Gateways
- Gateway Management
- Settings
Purpose
The Overview page shows Aviatrix-managed and Aviatrix-unmanaged Gateways, their health status, their CPU and RAM utilization, and connectivity details across multiple clouds and edge sites.Elements
- Gateways count: Shows the count of Transit, Spoke, and Specialty Gateways.
- Filters: To filter the list of top 5, 10, 20, 50, or 100 Gateway instances based on the selected time period to view their utilization metrics.
- Most Utilized Gateway Instances: Shows the list of Gateway instances with the most CPU or memory usage.
- Least Utilized Gateway Instances: Shows the list of Gateway instances with the least CPU or memory usage.
- Gateway Instances with Highest Packet Drop Rate: Shows the list of Gateway instances with the highest packet drop rate.
Note: To download the Gateway utilization metrics data, click the download icon at the top-right corner of each card.
View Overview
View Overview
To view Gateway counts and utilization metrics:
- Go to Cloud Fabric > Gateways > Overview.
The Overview page appears with Gateway counts (Transit, Spoke, Specialty), utilization filters, and cards for most utilized, least utilized, and highest packet drop rate Gateways. - Optionally, use Time Period Selector, Start Date Field, End Date Field, and Show Top Dropdown to narrow the time range and number of Gateways.
- Click Apply to update the view.
- Optionally, click the download icon at the top-right of a card to download the metrics data for that card.
Parameter Details
| Sl. No. | CoPilot Parameter Name | Description |
|---|---|---|
| 1 | Transit Gateways | Shows the total number of Transit Gateways and indicates how many are down. |
| 2 | Spoke Gateways | Shows the total number of Spoke Gateways and indicates how many are down. |
| 3 | Specialty Gateways | Shows the total number of Specialty Gateways and indicates how many are down. |
| 4 | Time Period | Dropdown to select the time range for Gateway utilization metrics (e.g., Last 7 Days). |
| 5 | Start | Field to specify the start date for the selected time period. Set Time Period to Custom to enable this field. |
| 6 | End | Field to specify the end date for the selected time period. Set Time Period to Custom to enable this field. |
| 7 | Show Top | Dropdown to select the number of top Gateways to display based on utilization. |
| 9 | Most Utilized Gateway Instances | Shows Gateways with the highest CPU or memory utilization during the selected time period. |
| 10 | Least Utilized Gateway Instances | Shows Gateways with the lowest CPU or memory utilization during the selected time period. |
| 11 | Gateway Instances with Highest Packet Drop Rate | Shows Gateways experiencing the highest packet drop rate. |
Purpose
The Transit Gateways page lets you view the list of configured Transit Gateways and their details. A Transit Gateway is a core component of the Aviatrix Cloud Networking Platform that acts as a centralized hub in a hub-and-spoke topology. It facilitates connectivity between Spoke VPCs and VNets and on-premises data centers across AWS, Azure, Google Cloud, and Oracle Cloud. You can attach Transit Gateways to other Transit Gateways or Spoke Gateways over private or public networks with High Performance Encryption (HPE), and attach Azure Transit Gateways to Azure VNets through Native Peering.Elements
- + Transit Gateway button: Initiates the workflow to create a new Transit Gateway.
- Transit Gateway table: Shows the details for each Transit Gateway (cloud, account, region, VPC/VNet, status, attachments).
- Edit button: Edits the Transit Gateway configuration (instance size, IPv6, peering, BGP over LAN, HA instances).
- Manage Gateway Attachments button: Adds or removes Transit and Spoke Gateway attachments.
- Delete button: Deletes the Transit Gateway along with all of its instances and attachments.
- Actions button: Opens Gateway Diagnostics, Connectivity Diagnostics, BGP Diagnostics, and Resize Gateway.
- Gateway name link: Opens the Transit Gateway Details page with tabs for Details, Instances, Attachments, VPC/VNet Route Tables, Gateway Routes, Interface Stats, Route DB, Performance, and Settings.
Actions
View Transit Gateways
View Transit Gateways
To view the list of configured Transit Gateways and their details:
- Go to Cloud Fabric > Gateways > Transit Gateways.
The Transit Gateways page appears with a table of Transit Gateways. - Click a Transit Gateway name to view its details.
- Optionally, use the Search field or the Filter icon to find a Transit Gateway.
Parameter Details
| Sl. No. | CoPilot Parameter Name | Description |
|---|---|---|
| 1 | Name | Shows the name of the Transit Gateway. |
| 2 | Cloud | Shows the cloud provider where the Transit Gateway runs, such as AWS, Azure, GCP, and OCI. |
| 3 | Account | Shows the cloud account under which the Transit Gateway runs. |
| 4 | Region | Shows the cloud region where the Transit Gateway runs. |
| 5 | VPC/VNet | Shows the Virtual Private Cloud or Virtual Network that the Transit Gateway uses. |
| 6 | VPC/VNet CIDR | Shows the CIDR block that defines the IP address range of the VPC or VNet. |
| 7 | Subnet ID | Shows the unique ID of the subnet that the Transit Gateway uses. |
| 8 | Subnet CIDR | Shows the CIDR block that defines the IP address range of the subnet. |
| 9 | Public IP | Shows the public IP address that the Transit Gateway uses for external traffic. |
| 10 | Private IP | Shows the private IP address that the Transit Gateway uses for internal traffic. |
| 11 | Instance size | Shows the compute size that runs the Transit Gateway. |
| 12 | Status | Shows the current state of the Transit Gateway, example: Up and Down. |
| 13 | Configuration Status | Shows whether the Gateway configuration is Latest or Outdated. |
| 14 | High Performance Encryption | Shows whether high performance encryption is enabled to secure traffic. |
| 15 | Transit Gateway | Shows the number of attached Transit Gateways. |
| 16 | Spoke Gateway | Shows the number of attached Spoke Gateways. |
| 17 | Actions | Shows the actions that can be performed on the Transit Gateway. |
Create a Transit Gateway
Create a Transit Gateway
To create a Transit Gateway:
- Go to Cloud Fabric > Gateways > Transit Gateways.
A table appears with the list of Transit Gateways. - Click + Transit Gateway.
The Create Transit Gateway dialog appears.Note: A Transit Gateway supports up to 15 highly available gateway instances.
All gateway instances operate in an active-active state and continue forwarding traffic if a tunnel fails between a Transit VPC/VNet and Spoke VPC/VNet. - Provide the information. Refer to the Parameter Details table.
- Click Save.
Parameter Details
| Sl. No. | CoPilot Parameter Name | Description |
|---|---|---|
| 1 | Name | Enter a name for the Transit gateway. Ensure that the name:
|
| 2 | Cloud | Select the cloud provider where the Transit Gateway runs. |
| 3 | Account | Select the cloud account that creates the Transit Gateway. |
| 4 | Region | Select the cloud region where the Transit Gateway runs. |
| 5 | VPC | Select the VPC or VNet where the Transit Gateway runs. If the selected Transit gateway will be used in a Transit FireNet workflow, selecting a VPC/VNet that has the Transit + FireNet function enabled means that a particular set of /28 subnets have been created across two availability zones. This function is enabled when the VPC/VNet is created. |
| 6 | Instance Size | Select the compute size for the Spoke Gateway based on the Instance Size Details section. Important:
|
| 7 | High Performance Encryption | Enable High Performance Encryption (HPE) to secure traffic with higher throughput than the default IPsec throughput. |
| 8 | Support for IPv6 | Enable IPv6 support on the Transit Gateway. |
| 9 | Attach to Transit Gateways | Select Transit Gateways to attach to this Transit Gateway. |
| Advanced Settings | ||
| 10 | Transit Egress Capability (all clouds except OCI and Alibaba Cloud) | Enables Transit Egress Capability on the Transit Gateway. |
| 11 | Gateway Load Balancer (AWS only) | For AWS, if you enable Transit Egress Capability you can also enable the Gateway Load Balancer option, which creates a load balancer within the selected VPC. If this option is enabled here it will show as On and disabled if you add Transit FireNet to this gateway as part of the Transit FireNet workflow. |
| 12 | Subnet (GCP only) | For GCP, if you enable Transit Egress Capability you must also select a subnet. |
| 13 | BGP over LAN (Azure) | Enable BGP over LAN and enter the number of LAN interfaces. For Azure, also enter the number of BGP over LAN interfaces you need (maximum is eight). |
| 14 | BGP over LAN (GCP) | Enable BGP over LAN and select the subnet for it. For GCP, select the subnet on which to apply the BGP over LAN connection. For GCP, you cannot set BGP over LAN to On after the Transit Gateway is created. |
| Instances | ||
| 15 | Attach to Subnet | Select the subnet where the Transit Gateway instance runs. |
| 16 | Public IP | Assign a public IP address to the Transit Gateway instance. |
| Resource Tags | ||
| 17 | Resource Tags | Add key and value tags to identify the Transit Gateway. |
Edit a Transit Gateway
Edit a Transit Gateway
Note: To change the High Performance Encryption setting, delete the Transit Gateway and create a new one.
-
Go to Cloud Fabric > Gateways > Transit Gateways.
A table appears with the list of Transit Gateways. -
Locate the Transit Gateway to edit on the table and click the Edit icon on the right side of its row.
The Edit Transit Gateway dialog appears. -
The editable parameters are as follows:
- Instance Size
- Support for IPv6 (AWS and Azure only)
- Attach To Transit Gateways
- BGP over LAN (Azure only)
- Transit Egress Capability
Note: Changing BGP over LAN interfaces reboots the gateway and may cause traffic disruption.
- HA instances
Refer to the Parameter Details table for more details.
- Click Save.
Parameter Details
| Sl. No. | CoPilot Parameter Name | Description |
|---|---|---|
| 1 | Instance Size | Change the gateway’s instance size. |
| 2 | Attach To Transit Gateways | Add or remove Transit Gateway peering. |
| 3 | BGP over LAN (Azure only) | Enable BGP over LAN and set number of interfaces (Azure only). |
| 4 | Transit Egress Capability | Enable transit egress capability on the Transit Gateway. |
| 5 | Subnet (GCP only) | Select the subnet when Transit Egress Capability is enabled. |
| 6 | BGP over LAN (Azure) | Enable BGP over LAN and enter the number of LAN interfaces. |
| 7 | BGP over LAN (GCP) | Enable BGP over LAN and select the subnet for it. |
| 8 | Attach to Subnet | Attach a subnet to the new HA instance. |
| 9 | Public IP (AWS only) | Select a public IP for the new HA instance . |
| 10 | Resource Tags | Add or remove key and value tags to identify the Transit Gateway. |
Attach a Transit Gateway
Attach a Transit Gateway
To attach a Transit Gateway to the Transit Gateway:
- Go to Cloud Fabric > Gateways > Transit Gateways.
A table appears with the list of Transit Gateways. - Locate the Transit Gateway to attach on the table and click the Manage Gateway Attachments icon on the right side of its row.
The Manage Gateway Attachments dialog appears. - In the Manage Gateway Attachments dialog, click the Transit Gateway tab.
- Click + Attachment.
A Transit Gateway card appears. - In the Transit Gateway card, provide the information.
Refer to the Parameter Details table. - Click Save.
Parameter Details
| Sl. No. | CoPilot Parameter Name | Description |
|---|---|---|
| 1 | Transit Gateway | Select the Transit Gateway to attach to the Transit Gateway. |
| 2 | Max Performance | Creates the maximum number of High Performance Encryption (HPE) tunnels for the Transit-to-Transit attachment when set to On. The number of tunnels that are created depends on the gateway instance sizes. Note: Max Performance option is valid only when both Transit Gateways are launched with HPE enabled and are in the same cloud type. If Max Performance is Off, only one tunnel is created (even when HPE is enabled for both the Spoke and Transit Gateway). |
| 3 | Attach Over | Connectivity over a private or public network, when both Transit Gateways are launched with HPE enabled and are in the different cloud types.
|
| 4 | Single-Tunnel Mode | Creates a single tunnel connection for the Transit-to-Transit attachment. When set to On, a single tunnel is created. When set to Off, multiple High Performance Encryption (HPE) tunnels are created based on the gateway instance size. Single-Tunnel Mode is supported for private network connectivity. |
| 5 | Jumbo Frame | Enables Jumbo Frames for throughput performance when set to On. Jumbo Frame is supported for private network connectivity. |
| 6 | High Performance Encryption | Creates High Performance Encryption (HPE) tunnels between the Transit Gateways when set to On. Note: High Performance Encryption is valid when both Transit Gateways are launched with HPE enabled and are in the different cloud types connected over a public network. In Number of Tunnels, specify the number of tunnels to create.
If High Performance Encryption is Off, only one tunnel is created (even when HPE is enabled for both Transit Gateways). To switch between multiple tunnels or one tunnel, detach and reattach the Gateways. |
| 7 | Exclude Network CIDRs | Excludes network CIDRs from being propagated to the other Transit Gateway when set to On. In Excluded Network CIDRs, enter the CIDRs to be excluded. |
| 8 | Exclude TGW Connections | Excludes TGW connections from being advertised when set to On. In Local Gateway Excluded TGW Connections, select the TGW connection(s) to exclude from being advertised to the remote gateway. In Remote Gateway Excluded TGW Connections, select the TGW connection(s) to exclude from being advertised to the Transit Gateway. |
Attach a Spoke Gateway
Attach a Spoke Gateway
To attach a Spoke Gateway to the Transit Gateway:
- Go to Cloud Fabric > Gateways > Transit Gateways.
A table appears with the list of Transit Gateways. - Locate the Transit Gateway to attach on the table and click the Manage Gateway Attachments icon on the right side of its row.
The Manage Gateway Attachments dialog appears. - In the Manage Gateway Attachments dialog, click the Spoke Gateway tab.
- Click + Attachment.
A Spoke Gateway card appears. - In the Spoke Gateway card, provide the information.
Refer to the Parameter Details table. - Click Save.
Parameter Details
| Sl. No. | CoPilot Parameter Name | Description |
|---|---|---|
| 1 | Spoke Gateway | Select the Spoke Gateway to attach to the Transit Gateway. |
| 2 | Select Route Table | Enables custom route tables when set to On. From the Select Route Tables dropdown menu, select the custom route table(s) to attach to this Spoke Gateway. |
| 3 | Max Performance | Creates the maximum number of High Performance Encryption (HPE) tunnels for the Transit-to-Spoke attachment when set to On. The number of tunnels that are created depends on the gateway instance sizes. Note:
If Max Performance is Off, only one tunnel is created (even when HPE is enabled for both the Spoke and Transit Gateway). To switch between multiple tunnels or one tunnel, detach and reattach the Gateways. |
Attach an Azure VNet
Attach an Azure VNet
Note: This option is available only for Azure Transit Gateways.
- Go to Cloud Fabric > Gateways > Transit Gateways.
A table appears with the list of Transit Gateways. - Locate the Transit Gateway to attach on the table and click the Manage Gateway Attachments icon on the right side of its row.
The Manage Gateway Attachments dialog appears. - In the Manage Gateway Attachments dialog, click the Azure VNet tab.
- Click + Attachment.
The Azure VNet card appears. - In the Azure VNet card, select the Azure Spoke VNet to attach to the Transit Gateway.
- Click Save.
Detach a Transit Gateway Attachment
Detach a Transit Gateway Attachment
To detach a Transit Gateway from the Transit Gateway:
- Go to Cloud Fabric > Gateways > Transit Gateways.
A table appears with the list of Transit Gateways. - Locate the Transit Gateway to detach on the table and click the Manage Gateway Attachments icon on the right side of its row.
The Manage Gateway Attachments dialog appears. - In the Manage Gateway Attachments dialog, click the Transit Gateway tab, Spoke Gateway tab, or the Azure VNet tab.
- Hover over the attachment to view the Delete icon on the right side of the attachment.
- Click the Delete icon.
- Click Save to detach the attachment.
Delete a Transit Gateway
Delete a Transit Gateway
To delete a Transit Gateway:
- Go to Cloud Fabric > Gateways > Transit Gateways.
A table appears with the list of Transit Gateways. - Locate the Transit Gateway to delete on the table and click the Delete icon on the right side of its row.
The Delete Transit Gateway dialog appears. - Read and understand the warning message, and tick the checkbox to confirm the deletion.
- Click Delete.
Resize a Gateway
Resize a Gateway
Note: Changing a Gateway instance size changes the size for all gateway instances in that VPC or VNet. CoPilot does not allow changing an individual Gateway instance size (use Terraform for that).
Changing a Transit Gateway instance size may cause network traffic disruption. During AWS Spoke Gateway resizing, extended traffic loss may occur.
Changing a Transit Gateway instance size may cause network traffic disruption. During AWS Spoke Gateway resizing, extended traffic loss may occur.
- Go to Cloud Fabric > Gateways > Transit Gateways or Spoke Gateways.
A table appears with the list of Transit Gateways or Spoke Gateways. - Locate the Gateway to resize on the table and click the Actions button (three dots) on the right side of its row.
- Click Resize Gateway.
The Resize Gateway Instance dialog appears. - Select Resize Now or Schedule Resize.
- Select a Target Gateway Instance Size from the dropdown menu.
- Select a Maintenance Window from the dropdown menu for scheduling the resize.
- Click Resize Now or Schedule Resize to resize the Gateway.
Tip: Create an HA instance for the Gateway to ensure high availability during the resize.
View Transit Gateway Details
View Transit Gateway Details
To view Transit Gateway details, instances, attachments, and settings:
- Go to Cloud Fabric > Gateways > Transit Gateways.
A table appears with the list of Transit Gateways. - Click the Gateway Name in the table.
The Transit Gateway Details page opens with tabs for Details, Instances, Attachments, VPC/VNet Route Tables, Gateway Routes, Interface Stats, Route DB, Performance, and Settings. - Click each tab to view the corresponding information.
Parameter Details (Details Tab)
| Sl. No. | CoPilot Parameter Name | Description |
|---|---|---|
| General Information | ||
| 1 | Account Name | Displays the cloud account name that owns the Transit Gateway. |
| 2 | Gateway Name | Displays the current name of the Transit Gateway. |
| 3 | Gateway Original Name | Displays the original name assigned during gateway creation. |
| 4 | VPC ID | Displays the ID of the VPC or VNet where the Transit Gateway runs. |
| 5 | Region | Displays the cloud region where the Transit Gateway runs. |
| 6 | Primary CIDR | Displays the primary CIDR block associated with the Transit Gateway VPC or VNet. |
| 7 | CIDRs | Displays all CIDR blocks associated with the Transit Gateway VPC or VNet. |
| 8 | Type | Displays the gateway deployment type. |
| 9 | GW Instance Public IP | Displays the public IP address of the Transit Gateway instance. |
| 10 | GW Instance Private IP | Displays the private IP address of the Transit Gateway instance. |
| 11 | GW Instance Size | Displays the instance size of the Transit Gateway. |
| 12 | GW EBS encryption | Displays whether EBS encryption is enabled for the gateway volume. |
| 13 | Direct Internet | Displays the direct internet access status. |
| 14 | Designated gateway | Displays whether the gateway acts as a designated gateway. |
| 15 | Extended public CIDRs | Displays extended public CIDR ranges if configured. |
| 16 | Single AZ gateway HA | Displays whether single availability zone high availability is enabled. |
| 17 | monitor subnets | Displays whether subnet monitoring is enabled. |
| 18 | ActiveMesh mode | Displays whether ActiveMesh mode is enabled. |
| 19 | Private Channel | Displays whether private channel is enabled. |
| 20 | Private OOB | Displays whether private out-of-band management is enabled. |
| 21 | Stateful Firewall | Displays the stateful firewall status. |
| 22 | Private S3 | Displays whether private S3 access is enabled. |
| 23 | Egress Control | Displays whether egress control is enabled. |
| 24 | public_dns_server | Displays the public DNS server configured for the gateway. |
| 25 | SNAT Enabled | Displays whether source NAT is enabled. |
| 26 | VPN Access | Displays whether VPN access is enabled. |
| 27 | IMDSv2 Enforcement | Displays whether IMDSv2 enforcement is enabled. |
| 28 | Transit Gateway | Displays whether the gateway functions as a Transit Gateway. |
| 29 | TGW Integration | Displays whether AWS TGW integration is enabled. |
| 30 | FireNet Function | Displays the FireNet function status. |
| Subnet Information | ||
| 31 | Subnet Name/ID | Displays the subnet name or subnet ID associated with the Transit Gateway. |
| 32 | Availability Zone | Displays the availability zone of the subnet. |
| 33 | IP CIDR | Displays the IP CIDR block of the subnet. |
| Certs Info | ||
| 34 | subject | Displays the subject information of the gateway certificate. |
| 35 | issuer | Displays the issuer information of the gateway certificate. |
| 36 | notBefore | Displays the certificate validity start time. |
| 37 | notAfter | Displays the certificate validity end time. |
Customize Attached Spoke VPC/VNet Route Tables
Customize Attached Spoke VPC/VNet Route Tables
The Customize Attached Spoke VPC/VNet Route Tables disables automatic route propagation to the attached Spokes VPC/VNet, overriding propagated CIDRs from other Spoke and Transit gateways and on-premises network.To customize attached spoke VPC/VNet route tables:
Note: The Customize Attached Spoke VPC/VNet Route Tables policy does not apply to AWS Transit Gateway (TGW) attached Spoke VPCs.
- Go to Cloud Fabric > Gateways > Transit Gateways.
A table appears with the list of Transit Gateways. - Locate the Transit Gateway to customize attached spoke VPC/VNet route tables on the table and click the Gateway name.
- Click the Settings tab and expand the Routing section.
- In the Customize Attached Spoke VPC/VNet Route CIDRs field, enter a comma-separated list of IPv4 or IPv6 CIDR ranges.
- Specifying CIDRs disables automatic route propagation to attached Spoke VPC/VNet route tables.
- The specified CIDRs override routes propagated from other Spoke Gateways, Transit Gateways, and on-premises networks.
Exclude Learned CIDRs to Attached Spoke VPC/VNet Route Tables
Exclude Learned CIDRs to Attached Spoke VPC/VNet Route Tables
The Exclude Learned CIDRs to Attached Spoke VPC/VNet Route Tables filters on-premises network CIDRs to the attached Spoke VPC or VNet route table entry. Specify a list of CIDRs to filter separated by commas.To exclude learned CIDRs to attached spoke VPC/VNet route tables:
Note: The Exclude Learned CIDRs to Attached Spoke VPC/VNet Route Tables policy does not apply to AWS Transit Gateway (TGW) attached Spoke VPCs.
- Go to Cloud Fabric > Gateways > Transit Gateways.
A table appears with the list of Transit Gateways. - Locate the Transit Gateway to exclude learned CIDRs to attached spoke VPC/VNet route tables on the table and click the Gateway name.
- Click the Settings tab and expand the Routing section.
- In the Exclude Learned CIDRs to Attached Spoke VPC/VNet Route CIDRs field, enter a comma-separated list of IPv4 or IPv6 CIDR ranges.
- Click Save to exclude the learned CIDRs to attached spoke VPC/VNet route tables.
Exclude CIDRs from Attached Spokes Advertisement
Exclude CIDRs from Attached Spokes Advertisement
The Exclude CIDRs from Attached Spokes Advertisement excludes VPC/VNet CIDRs (IPv4 and IPv6) from being advertised to on-premises.Enable this policy to attach Spoke VPC/VNets that contain overlapping CIDR blocks. Excluding the overlapping CIDRs allows the Aviatrix Controller to accept and attach the Spoke VPC/VNets.To exclude CIDRs from attached spokes advertisement:
- Go to Cloud Fabric > Gateways > Transit Gateways.
A table appears with the list of Transit Gateways. - Locate the Transit Gateway to exclude CIDRs from attached spokes advertisement on the table and click the Gateway name.
- Click the Settings tab and expand the Routing section.
- In the CIDRs field, enter a comma-separated list of IPv4 or IPv6 CIDR ranges.
- Click Save to exclude the CIDRs from attached spokes advertisement.
Note: The Exclude CIDRs from Attached Spokes Advertisement policy does not apply to CIDRs learned through BGP by another gateway.
Customize Transit VPC/VNet Routes
Customize Transit VPC/VNet Routes
The Customize Transit VPC/VNet Routes disables automatic route propagation to the Transit VPC or VNet, overriding propagated CIDRs from other Spoke and Transit gateways and on-premises network.When this policy is enabled on an Aviatrix Transit Gateway, all Spoke VPCs or VNets route tables are customized.To customize transit VPC/VNet routes:
Note: The Customize Transit VPC/VNet Routes policy does not apply to AWS Transit Gateway (TGW) attached Spoke VPCs.
- Go to Cloud Fabric > Gateways > Transit Gateways.
A table appears with the list of Transit Gateways. - Locate the Transit Gateway to customize transit VPC/VNet routes on the table and click the Gateway name.
- Click the Settings tab and expand the Routing section.
- In the Customize Transit VPC/VNet Routes CIDRs field, enter a comma-separated list of IPv4 or IPv6 CIDR ranges.
- Click Save to customize the transit VPC/VNet routes. A notification appears confirming the customization of the transit VPC/VNet routes.
Purpose
The Spoke Gateways section lets you view, create, edit, attach, detach, delete, and resize Aviatrix Spoke Gateways. A Spoke Gateway is a component of the Aviatrix Platform that you deploy on Spoke VPCs or VNets in a hub-and-spoke network topology. It enables connectivity between Spoke VPCs and VNets and other network endpoints, such as on-premises data centers, remote offices, or other cloud environments. Network traffic between Spoke VPCs and VNets and other endpoints flows through the Transit VPC or VNet.Elements
- + Spoke Gateway button: Initiates the workflow to create a new Spoke Gateway.
- Spoke Gateway table: Shows the details for each Spoke Gateway (cloud, account, region, VPC/VNet, status, attachments).
- Edit button: Edits the Spoke Gateway configuration (instance size, IPv6, Transit Gateway attachments, HA instances).
- Manage Gateway Attachments button: Adds or removes Transit Gateway, Egress Transit FireNet, and Spoke Gateway attachments.
- Delete button: Deletes the Spoke Gateway along with all of its instances and attachments.
- Actions button: Opens Gateway Diagnostics, Connectivity Diagnostics, and BGP Diagnostics.
- Gateway name link: Opens the Spoke Gateway Details page with tabs for Details, Instances, Attachments, VPC/VNet Route Tables, Gateway Routes, Interface Stats, Performance, and Settings.
Actions
View Spoke Gateways
View Spoke Gateways
To view the list of Spoke Gateways and their details:
- Go to Cloud Fabric > Gateways > Spoke Gateways.
The Spoke Gateways page appears with a table of Spoke Gateways and the + Spoke Gateway button. - Optionally, use the Search field or the Filter icon to find a Spoke Gateway.
- Optionally, click Edit on a row to edit the Spoke Gateway configuration.
- Optionally, click Manage Gateway Attachments on a row to add or remove Transit Gateway, Egress Transit FireNet, and Spoke Gateway attachments.
- Optionally, click Delete on a row to delete the Spoke Gateway along with all instances and attachments.
- Optionally, click Actions on a row to open Gateway Diagnostics, Connectivity Diagnostics, or BGP Diagnostics.
Parameter Details
| Sl. No. | CoPilot Parameter Name | Description |
|---|---|---|
| 1 | Cloud | Shows the cloud provider where the Spoke Gateway runs, example: AWS, Azure, and GCP. |
| 2 | Account | Shows the cloud account under which the Spoke Gateway runs. |
| 3 | Region | Shows the cloud region where the Spoke Gateway runs. |
| 4 | VPC or VNet | Shows the Virtual Private Cloud or Virtual Network used by the Spoke Gateway. |
| 5 | VPC or VNet CIDR | Shows the CIDR block that defines the IP address range of the VPC or VNet. |
| 6 | Subnet ID | Shows the unique ID of the subnet used by the Spoke Gateway. |
| 7 | Subnet CIDR | Shows the CIDR block that defines the IP address range of the subnet. |
| 8 | Public IP | Shows the public IP address used by the Spoke Gateway for external traffic. |
| 9 | Private IP | Shows the private IP address used by the Spoke Gateway for internal traffic. |
| 10 | Instance size | Shows the compute size that runs the Spoke Gateway. |
| 11 | Status | Shows the current operational state of the Spoke Gateway, example: Up or Down. |
| 12 | Configuration status | Shows whether the Gateway configuration is Latest or Outdated. |
| 13 | High performance encryption | Shows whether high performance encryption is enabled for the Spoke Gateway. |
| 14 | Transit Gateway | Shows the number of Transit Gateways attached to the Spoke Gateway. |
| 15 | Attachments | Shows the number of active attachments associated with the Spoke Gateway. |
Create a Spoke Gateway
Create a Spoke Gateway
To create a Spoke Gateway:
- Go to Cloud Fabric > Gateways > Spoke Gateways.
A table appears with the list of Spoke Gateways. - Click + Spoke Gateway to create a new Spoke Gateway.
The Create Spoke Gateway dialog appears. - Click + Instance to create a new instance for a Highly Available (HA) Spoke Gateway.Note: A Spoke Gateway supports up to 15 gateway instances.
All gateway instances operate in an active-active state and continue forwarding traffic if a tunnel fails between a Spoke VPC/VNet and Transit VPC/VNet. For best practice, deploy each HA gateway instance in separate public subnets across different availability zones when available. - Provide the information in the following Parameter Details section.
- Click Save to create the Spoke Gateway.
Parameter Details
| Sl. No. | CoPilot Parameter Name | Description |
|---|---|---|
| Spoke Gateway Configuration | ||
| 1 | Name | Enter a unique name for the Spoke Gateway. Ensure that the name:
|
| 2 | Cloud | Select the cloud provider where the Spoke Gateway runs. |
| 3 | Account | Select the cloud account used to create the Spoke Gateway. |
| 4 | Region | Select the cloud region where the Spoke Gateway runs. |
| 5 | VPC | Select the VPC or VNet where the Spoke Gateway runs. |
| 6 | Instance size | Select the compute size for the Spoke Gateway based on the Instance Size Details section. Note: The instance size affects the IPsec performance of the Spoke Gateway. |
| 7 | High performance encryption | Enable High Performance Encryption (HPE) to secure traffic with higher throughput than the default IPsec throughput. |
| 8 | Support for IPv6 | Enable IPv6 support on the Spoke Gateway. |
| 9 | Attach to Transit Gateway | Select the Transit Gateway to attach to the Spoke Gateway. |
| 10 | Attach to Egress Transit FireNet | Select the Egress Transit FireNet to attach to the Spoke Gateway. |
| 11 | Customize route table | Enable route table customization for the Spoke Gateway attachment. |
| Advanced Settings | ||
| 12 | BGP | Enable Border Gateway Protocol for dynamic routing. |
| 13 | BGP over LAN (Azure only) | Enable BGP over LAN and specify the number of LAN interfaces. |
| 14 | Global VPC (GCP) | Enable connection to a global VPC. |
| Instances | ||
| 15 | Attach to subnet | Select the subnet where the Spoke Gateway runs. |
| 16 | Public IP | Assign a public IP to the Spoke Gateway. |
| Resource Tags | ||
| 17 | Resource tags | Add a key and its value to identify the Spoke Gateway. |
Edit a Spoke Gateway
Edit a Spoke Gateway
To edit a Spoke Gateway:
- Go to Cloud Fabric > Gateways > Spoke Gateways.
A table appears with the list of Spoke Gateways. - Locate the Spoke Gateway to edit on the table and click the Edit icon on the right side of its row.
The Edit Spoke Gateway dialog appears. - To change the Instance Size, from the Instance Size dropdown menu, select a new size.
- (AWS and Azure only) To enable or disable IPv6 support, toggle the Support for IPv6 slider to On or Off.
- To attach a Transit Gateway, from Attach To Transit Gateway dropdown, select a Transit Gateway to attach the Spoke Gateway.
- To delete a Transit Gateway attachment, in Attach To Transit Gateway, click the delete icon next to the Transit Gateway attachment.
- To add a HA Spoke Gateway:
- In the Instances section, click + Instance. A new card appears.
- In the new card, select a subnet in a different availability zone (AZ) from the primary Spoke Gateway.
- Enter the Public IP address of the HA Spoke Gateway.
- To delete a HA Spoke Gateway, in the Instances section, click the delete icon next to the HA Spoke Gateway.
- Click Save to save the changes made to the Spoke Gateway.
Parameter Details
| Sl. No. | CoPilot Parameter Name | Description |
|---|---|---|
| 1 | Instance Size | Change the compute size of the Spoke Gateway. For details, refer to the Instance Size Details section. |
| 2 | Transit Gateway Attachment | Change or update the attached Transit Gateway. |
| 3 | Customize Route Table | Enable or disable route table customization. |
| 4 | BGP | Enable or disable Border Gateway Protocol. |
| 5 | BGP over LAN (Azure only) | Enable BGP over LAN and set the number of LAN interfaces. |
| 6 | +Instance | Add a highly available gateway instance. |
| 7 | Attach to Subnet | Attach a subnet to the new instance. |
| 8 | Public IP | Select a public IP for a new HA instance (cloud-specific). |
| 9 | Resource Tags | Add or remove key and value tags to identify the Spoke Gateway. |
Attach a Transit Gateway
Attach a Transit Gateway
To attach a Transit Gateway:
- Go to Cloud Fabric > Gateways > Spoke Gateways.
A table appears with the list of Spoke Gateways. - Locate the Spoke Gateway to attach on the table and click the Manage Gateway Attachment icon on the right side of its row.
The Manage Gateway Attachment dialog appears. - In the Manage Gateway Attachments dialog, click the Transit Gateway tab and then click + Attachment. The Transit Gateway card appears.
- In the Transit Gateway card, provide the information in the following Parameter Details section.
- Click Save to create the attachment.
Parameter Details
| Sl. No. | CoPilot Parameter Name | Description |
|---|---|---|
| 1 | Transit Gateway | Select the Transit Gateway to attach to the Spoke Gateway. |
| Advanced | ||
| 2 | Customize Route Table Attachment | Enable or disable route table customization. |
| 3 | Select Route Tables | Select the custom route tables. after enabling the Customize Route Table Attachment. |
| 4 | Max Performance | Creates the maximum number of High Performance Encryption (HPE) tunnels for the Transit-to-Spoke attachment when set to On. The number of tunnels that are created depends on the gateway instance sizes. Note:
To switch between multiple tunnels or one tunnel, detach and reattach the Spoke Gateway to the Transit Gateway. |
Attach an Egress Transit FireNet
Attach an Egress Transit FireNet
Note: Disable SNAT on the Spoke Gateway before attaching to an Egress Transit FireNet.
- Go to Cloud Fabric > Gateways > Spoke Gateways.
A table appears with the list of Spoke Gateways. - Locate the Spoke Gateway to attach on the table and click the Manage Transit Gateway Attachment icon on the right side of its row.
The Manage Transit Gateway Attachment dialog appears. - In the Manage Transit Gateway Attachment dialog, click the Egress Transit FireNet tab and then click + Transit Gateway Attachment. The Egress Transit FireNet card appears.
- In the Egress Transit FireNet card, provide the information in the following Parameter Details section.
- Click Save to create the attachment.
Parameter Details
| Sl. No. | CoPilot Parameter Name | Description |
|---|---|---|
| 1 | Transit Gateway | Select the Transit Gateway to attach to the Spoke Gateway. |
| Advanced | ||
| 2 | Customize Route Table Attachment | Enable or disable route table customization. |
| 3 | Select Route Tables | Select the custom route tables. after enabling the Customize Route Table Attachment. |
| 4 | Max Performance | Creates the maximum number of High Performance Encryption (HPE) tunnels for the Transit-to-Spoke attachment when set to On. The number of tunnels that are created depends on the gateway instance sizes. Note:
To switch between multiple tunnels or one tunnel, detach and reattach the Spoke Gateway to the Transit Gateway. |
Attach a Spoke Gateway
Attach a Spoke Gateway
To attach a Spoke Gateway:
- Go to Cloud Fabric > Gateways > Spoke Gateways.
A table appears with the list of Spoke Gateways. - Locate the Spoke Gateway to attach on the table and click the Manage Gateway Attachment icon on the right side of its row.
The Manage Gateway Attachment dialog appears. - In the Manage Gateway Attachment dialog, click the Spoke Gateway tab.
- Click + Spoke Gateway Attachment. The Spoke Gateway dropdown menu appears.
- Select a Spoke Gateway from the Spoke Gateway dropdown menu.
- Click Save to create the attachment.
Detach a Spoke Gateway Attachment
Detach a Spoke Gateway Attachment
To detach a Spoke Gateway attachment:
- Go to Cloud Fabric > Gateways > Spoke Gateways.
A table appears with the list of Spoke Gateways. - Locate the Spoke Gateway to detach the attachment on the table and click the Manage Gateway Attachment icon on the right side of its row.
The Manage Gateway Attachment dialog appears. - In the Manage Gateway Attachment dialog, click the Spoke Gateway tab, Transit Gateway tab, or Egress Transit FireNet tab.
- Hover over the attachment to view the Delete icon on the right side of the attachment.
- Click the Delete icon.
- Click Save to detach the Spoke Gateway attachment.
Delete a Spoke Gateway
Delete a Spoke Gateway
To delete a Spoke Gateway:
- Go to Cloud Fabric > Gateways > Spoke Gateways.
A table appears with the list of Spoke Gateways. - Locate the Spoke Gateway to delete on the table and click the Delete icon on the right side of its row.
The Delete Spoke Gateway dialog appears. - Read and understand the warning message, and tick the checkbox to confirm the deletion.
- Click Delete to delete the Spoke Gateway.
Resize a Gateway
Resize a Gateway
Refer to the Resize a Gateway section under Transit Gateways.
View Spoke Gateway Details
View Spoke Gateway Details
To view Spoke Gateway details, instances, attachments, and settings:
- Go to Cloud Fabric > Gateways > Spoke Gateways.
A table appears with the list of Spoke Gateways. - Click the Gateway name in the table.
The Spoke Gateway Details page opens with tabs for Details, Instances, Attachments, VPC/VNet Route Tables, Gateway Routes, Interface Stats, Performance, and Settings. - Click each tab to view the corresponding information.
Parameter Details (Details Tab)
| Sl. No. | CoPilot parameter name | Description |
|---|---|---|
| 1 | Gateway Name | Displays the current name of the Spoke Gateway. |
| 2 | Account Name | Displays the cloud account that owns the Spoke Gateway. |
| 3 | Cloud | Displays the cloud provider where the Spoke Gateway runs. |
| 4 | Region | Displays the cloud region where the Spoke Gateway runs. |
| 5 | VPC/VNet | Displays the VPC or VNet associated with the Spoke Gateway. |
| 6 | Primary CIDR | Displays the primary CIDR block of the Spoke Gateway VPC/VNet. |
| 7 | Instance Size | Displays the instance size of the Spoke Gateway. |
| 8 | High Performance Encryption | Displays whether high performance encryption is enabled. |
| 9 | BGP | Displays whether BGP is enabled on the Spoke Gateway. |
| 10 | BGP over LAN | Displays whether BGP over LAN is enabled, if supported. |
Parameter Details (Instances Tab)
| Sl. No. | CoPilot parameter name | Description |
|---|---|---|
| 1 | Name | Displays the name of the gateway instance. |
| 2 | Availability Zone | Displays the availability zone where the instance runs. |
| 3 | Subnet ID | Displays the subnet ID where the instance runs. |
| 4 | Status | Displays the operational status of the instance. |
| 5 | Public IP | Displays the public IP address assigned to the instance. |
| 6 | Private IP | Displays the private IP address assigned to the instance. |
Parameter Details (VPC/VNet Route Tables Tab)
| Sl. No. | CoPilot parameter name | Description |
|---|---|---|
| 1 | Route Table ID | Identifier for the route table. |
| 2 | Destination CIDR | CIDR block for the route. |
| 3 | Target | Next hop for the route. |
Parameter Details (Gateway Routes Tab)
| Sl. No. | CoPilot parameter name | Description |
|---|---|---|
| 1 | Route Type | Indicates whether the route is learned or static. |
| 2 | Destination CIDR | CIDR block for the route. |
| 3 | Next Hop | Gateway or interface used for forwarding traffic. |
Parameter Details (Performance Tab)
| Sl. No. | CoPilot parameter name | Description |
|---|---|---|
| 1 | CPU Usage | Percentage of CPU utilization. |
| 2 | Memory Usage | Percentage of memory utilization. |
| 3 | Bandwidth | Network throughput in Mbps or Gbps. |
Spoke Gateway Settings
The Settings tab displays configuration settings for the Spoke Gateway. Key settings include:- Routing: Spoke Gateway routing policies (Configure Private VPC/VNet Default Route, Skip Public VPC/VNet Route Table, Auto Advertise Spoke Site2Cloud CIDRs, Customize Spoke VPC/VNet Route Table, Exclude Learned CIDRs to Spoke VPC/VNet Route Table, Customize Spoke Advertised VPC/VNet CIDRs, Update Encrypted Spoke VPC/VNet CIDRs). Expand the Routing section to configure these policies.
- Gateway Management DNS Server: By default, Aviatrix gateways use the built-in Aviatrix Default DNS Server. You can choose Cloud VPC/VNet DNS Server to force the gateway to use the Cloud VPC/VNet private DNS Server.
- Jumbo Frames: Improves Aviatrix Gateway throughput performance. Jumbo Frame is enabled by default for AWS and OCI; it is not supported for Azure or GCP.
- GRO/GSO: Enables you to configure the gateway interface and enable or disable Generic Receive Offload (GRO) and Generic Segmentation Offload (GSO). GRO/GSO is On by default.
- Gateway Single AZ HA: Enables the Aviatrix Controller to monitor the health of the gateway instance and restart it if unreachable. Enabled by default.
- Change Interface(s) RX Queue Size: Lets you select a Gateway and set the Gateway interface RX Queue Size.
- Active-Standby: Enables deployment of a BGP-enabled Spoke Gateway connection to an external device that does not support asymmetric routing on two tunnels.
Configure Private VPC/VNet Default Route
Configure Private VPC/VNet Default Route
To configure the Private VPC/VNet Default Route policy on a Spoke Gateway (minimizes VPC private routing table programming; programs a default route in the Transit VPC private routing table to point to the Spoke Gateway):
- Go to Cloud Fabric > Gateways > Spoke Gateways.
A table appears with the list of Spoke Gateways. - Click the Spoke Gateway name.
The Spoke Gateway Details page opens. - Click the Settings tab and expand the Routing section.
- Enable Configure Private VPC/VNet Default Route as needed.
- Click Save to apply the change.
Note: The Configure Private VPC/VNet Default Route policy is only supported for Spoke Gateways in AWS.
Skip Public VPC/VNet Route Table
Skip Public VPC/VNet Route Table
To skip public VPC/VNet route table programming on a Spoke Gateway (minimizes VPC public routing table programming for non-RFC 1918 route changes from the attached Transit Gateway):
- Go to Cloud Fabric > Gateways > Spoke Gateways.
A table appears with the list of Spoke Gateways. - Click the Spoke Gateway name.
The Spoke Gateway Details page opens. - Click the Settings tab and expand the Routing section.
- Enable Skip Public VPC/VNet Route Table as needed.
- Click Save to apply the change.
Note: Skip Public VPC/VNet Route Table is only supported for Spoke Gateways in AWS. Customize Spoke VPC/VNet Route Table and this feature are mutually exclusive.
Enable Auto Advertise Spoke Site2Cloud CIDRs
Enable Auto Advertise Spoke Site2Cloud CIDRs
To enable Auto Advertise Spoke Site2Cloud CIDRs (routes are auto advertised or removed for remote and local virtual CIDRs when Site2Cloud connection is created or deleted, or status changes to up or down, or Spoke-to-Transit link goes down):
- Go to Cloud Fabric > Gateways > Spoke Gateways.
A table appears with the list of Spoke Gateways. - Click the Spoke Gateway name.
The Spoke Gateway Details page opens. - Click the Settings tab and expand the Routing section.
- Enable Auto Advertise Spoke Site2Cloud CIDRs as needed.
- Click Save to apply the change.
Note: This routing policy is only supported for mapped Site2Cloud connections on AWS, AWS GovCloud, GCP, and Azure, and Azure GovCloud.
Customize Spoke VPC/VNet Route Table
Customize Spoke VPC/VNet Route Table
To customize the Spoke VPC/VNet route table by specifying CIDRs (disables automatic route propagation and overrides propagated CIDRs from other Spoke and Transit gateways and on-premises networks):
- Go to Cloud Fabric > Gateways > Spoke Gateways.
A table appears with the list of Spoke Gateways. - Click the Spoke Gateway name.
The Spoke Gateway Details page opens. - Click the Settings tab and expand the Routing section.
- In Customize Spoke VPC/VNet Route Table (or CIDRs), enter a comma-separated list of IPv4 or IPv6 CIDRs. Only the specified CIDRs are programmed to the Spoke VPC/VNet route table.
- Click Save to apply the change. To disable the policy, leave the CIDRs field empty and save.
Exclude Learned CIDRs to Spoke VPC/VNet Route Table
Exclude Learned CIDRs to Spoke VPC/VNet Route Table
To exclude specific on-premises learned CIDRs from the Spoke VPC/VNet route table (filter which CIDRs are propagated):
- Go to Cloud Fabric > Gateways > Spoke Gateways.
A table appears with the list of Spoke Gateways. - Click the Spoke Gateway name.
The Spoke Gateway Details page opens. - Click the Settings tab and expand the Routing section.
- In Exclude Learned CIDRs to Spoke VPC/VNet Route Table, enter a comma-separated list of IPv4 or IPv6 CIDRs to filter out from the route table.
- Click Save to apply the change.
Customize Spoke Advertised VPC/VNet CIDRs
Customize Spoke Advertised VPC/VNet CIDRs
To selectively exclude Spoke VPC/VNet CIDRs from being advertised to on-premises (only CIDRs in the list are advertised; useful for overlapping CIDRs):
- Go to Cloud Fabric > Gateways > Spoke Gateways.
A table appears with the list of Spoke Gateways. - Click the Spoke Gateway name.
The Spoke Gateway Details page opens. - Click the Settings tab and expand the Routing section.
- In Customize Spoke Advertised VPC/VNet CIDRs, enter or select the IPv4 or IPv6 CIDRs to advertise to on-premises (include list).
- Click Save to apply the change.
Update Encrypted Spoke VPC/VNet CIDRs
Update Encrypted Spoke VPC/VNet CIDRs
To update the Spoke VPC/VNet route tables with newly added CIDRs from the cloud (without detaching or re-attaching the Spoke Gateway):
- Go to Cloud Fabric > Gateways > Spoke Gateways.
A table appears with the list of Spoke Gateways. - Click the Spoke Gateway name.
The Spoke Gateway Details page opens. - Click the Settings tab and expand the Routing section.
- Use Update Encrypted Spoke VPC/VNet CIDRs (or the equivalent action) to query the cloud and update the Spoke VPC/VNet route tables with any added CIDRs.
- Click Save if required to apply the update.
Note: Update Encrypted Spoke VPC/VNet CIDRs is supported on AWS, Azure, and GCP.
Purpose
The Specialty Gateways page lets you view, create, edit, and delete Specialty Gateways. A Specialty Gateway is an Aviatrix gateway designed for use cases that fall outside the roles of standard Spoke or Transit Gateways. These include Public Subnet Filtering (PSF) Gateways, which provide ingress and egress security for AWS public subnets where instances have public IP addresses, as well as VPN Gateways and FQDN Gateways used for domain-based egress filtering, often in conjunction with Transit FireNet or Transit Egress workflows.Elements
- + Gateway button: Opens a menu to add a Specialty Gateway (Public Subnet Filtering Gateway or Other).
- Specialty Gateway table: Shows the details for each Specialty Gateway (name, cloud, type, account, region, VPC/VNet, status).
- Edit button: Edits the Specialty Gateway configuration (instance size, subnet attachment, public IP).
- Actions button: Opens Gateway Diagnostics, Connectivity Diagnostics, and Resize Gateway.
- Delete button: Deletes the Specialty Gateway along with its instances and attachments.
- Gateway name link: Opens the Specialty Gateway Details page.
Actions
View Specialty Gateways
View Specialty Gateways
To view the list of configured Specialty Gateways and their details:
- Go to Cloud Fabric > Gateways > Specialty Gateways.
The Specialty Gateways page appears with a table of PSF Gateways, VPN Gateways, and FQDN Gateways. - Optionally, use the Search field or Filter icon to find a Specialty Gateway.
- Click a Specialty Gateway name to view its details.
Parameter Details
| Sl. No. | CoPilot Parameter Name | Description |
|---|---|---|
| 1 | Name | Shows the name of the Specialty Gateway. |
| 2 | Cloud | Shows the cloud provider where the Gateway runs (for example, AWS, Azure, or GCP). |
| 3 | Type | Shows the Specialty Gateway type (for example, Public Subnet Filtering, VPN, or FQDN). |
| 4 | Account | Shows the cloud account that owns the Gateway. |
| 5 | Region | Shows the cloud region where the Gateway runs. |
| 6 | VPC/VNet | Shows the VPC or VNet where the Gateway runs. |
| 7 | VPC/VNet CIDR | Shows the CIDR range of the VPC or VNet. |
| 8 | Subnet ID | Shows the subnet ID where the Gateway instance runs. |
| 9 | Subnet CIDR | Shows the CIDR range of the subnet. |
| 10 | Public IP | Shows the public IP address used by the Gateway. |
| 11 | Private IP | Shows the private IP address used inside the VPC or VNet. |
| 12 | Status | Shows the current Gateway state (for example, Up or Down). |
| 13 | Configuration Status | Shows whether the Gateway configuration is Latest or Outdated. |
| 14 | Instance Size | Shows the compute size used by the Gateway instance. |
Create a Specialty Gateway
Create a Specialty Gateway
To create a Specialty Gateway (VPN or FQDN):
- Go to Cloud Fabric > Gateways > Specialty Gateways.
A table appears with the list of Specialty Gateways. - Click + Gateway and select Other.
The Create Specialty Gateway dialog appears. - Provide the information. Refer to the Parameter Details table.
- Optionally, click + Instance to add HA instances.
- Click Save.
Parameter Details
| Sl. No. | CoPilot Parameter Name | Description |
|---|---|---|
| 1 | Name | Enter a name for the Specialty Gateway. The name must start with a letter, include only letters, numbers, underscores, and dashes, and not exceed 50 characters. |
| 2 | Cloud | Select the cloud provider where the Specialty Gateway runs. |
| 3 | Account | Select the cloud account that creates the Specialty Gateway. |
| 4 | Region | Select the cloud region where the Specialty Gateway runs. |
| 5 | VPC/VNet | Select the VPC or VNet where the Specialty Gateway runs. |
| 6 | Instance Size | Select the compute size for the Specialty Gateway. |
| 7 | High Performance Encryption | Enable High Performance Encryption for the Specialty Gateway. |
| 8 | Attach to Subnet | Select the subnet where the Specialty Gateway instance runs. |
| 9 | Public IP | Assign a public IP address to the Specialty Gateway instance. |
| 10 | Resource Tags | Add key and value tags to identify the Specialty Gateway. |
Create a Public Subnet Filtering Gateway
Create a Public Subnet Filtering Gateway
To create a Public Subnet Filtering (PSF) Gateway:A notification appears confirming the creation of the Public Subnet Filtering Gateway.
- Go to Cloud Fabric > Gateways > Specialty Gateways.
A table appears with the list of Specialty Gateways. - Click + Gateway and select Public Subnet Filtering Gateway.
The Create Public Subnet Filtering Gateway dialog appears. - Provide the information. Refer to the Parameter Details table.
- Click Save.
Important: If you enabled the Distributed Cloud Firewall (DCF) feature, the DCF on PSF Gateways feature is also available from Security > Distributed Firewall > Settings. Route tables must be selected when creating the PSF Gateway to be monitored and enforced by any DCF rules the PSF Gateway is part of.
Parameter Details
| Sl. No. | CoPilot Parameter Name | Description |
|---|---|---|
| 1 | Name | Enter a name for the PSF Gateway. The name must start with a letter, include only letters, numbers, underscores, and dashes, and not exceed 50 characters. |
| 2 | Cloud | Select the cloud provider (AWS Standard, GovCloud, or China). |
| 3 | Account | Select the cloud account that creates the PSF Gateway. |
| 4 | Region | Select the cloud region where the PSF Gateway runs. |
| 5 | VPC | Select the VPC in the selected region where the PSF Gateway runs. |
| 6 | Instance Size | Select the compute size for the PSF Gateway. The instance size must be at least t3.medium if you create a DCF rule with Intrusion Detection or TLS Decryption for the PSF Gateway. |
| 7 | Attach to Unused Subnet | Select the subnet where the PSF Gateway instance runs. The Controller creates a public subnet and route table for the PSF Gateway. |
| 8 | Route Table | Select the route tables whose associated public subnets are protected. Route tables must be selected here to be monitored and enforced by DCF rules. |
| 9 | Resource Tags | Add key and value tags to identify the PSF Gateway. |
Edit a Specialty Gateway
Edit a Specialty Gateway
To edit a Specialty Gateway:
- Go to Cloud Fabric > Gateways > Specialty Gateways.
A table appears with the list of Specialty Gateways. - Locate the Specialty Gateway and click the Edit icon on the row.
The Edit Specialty Gateway or Edit PSF Specialty Gateway dialog appears. - Change the editable parameters (Instance Size, subnet attachment, Public IP).
- Click Save.
Parameter Details
| Sl. No. | CoPilot Parameter Name | Description |
|---|---|---|
| 1 | Instance Size | Change the compute size of the Specialty Gateway. |
| 2 | Attach to Subnet | Attach a subnet to a new HA instance. |
| 3 | Public IP | Select a public IP for a new HA instance. |
Delete a Specialty Gateway
Delete a Specialty Gateway
To delete a Specialty Gateway:
- Go to Cloud Fabric > Gateways > Specialty Gateways.
A table appears with the list of Specialty Gateways. - Remove any attachments to other Specialty Gateways before deleting.
- Locate the Specialty Gateway and click the Delete icon on the row.
The Delete Specialty Gateway or Delete PSF Specialty Gateway dialog appears. - Read the warning message and tick the checkbox to confirm the deletion.
- Click Delete.
- Software Upgrade
- Image Upgrade
- Gateway Rollback
Purpose
The Software Upgrade page shows a table of Aviatrix gateways and their current software versions, allowing for bulk software upgrades.Elements
- Status Indicators: Displays Controller Version, Latest Software Version, and Upgrade Available count for gateways.
- Upgrade Controller button: Button to upgrade the Aviatrix Controller software to the latest version.
- Software Upgrade table: Displays the Current Software Version for each gateway and the parameters on the following Parameter Details section.
- Checkbox: Selects individual gateways for software upgrade.
- Actions button: Provides options for Dry Run and Upgrade Software for the selected gateways.
- Dry Run: Simulates the upgrade process to validate compatibility before execution.
- Upgrade Software: Initiates the software upgrade.
Actions
View Software Upgrade
View Software Upgrade
To view the Software Upgrade page and gateway versions:
- Go to Cloud Fabric > Gateways > Gateway Management > Software Upgrade.
The Software Upgrade page appears with status indicators (Controller Version, Latest Software Version, Upgrade Available count) and a table of gateways with their current and available versions. - Optionally, use the Search field or Filter icon to find a gateway.
Parameter Details
| Sl. No. | CoPilot Parameter Name | Description |
|---|---|---|
| 1 | Name | Shows the name of the gateway. |
| 2 | Current Software Version | Shows the software version currently running on the gateway. |
| 3 | Available Version | Shows the latest version available for upgrade. |
| 4 | Dry Run Status | Shows the status of the most recent dry run (for example, Passed or Failed). |
| 5 | Upgrade Status | Indicates whether the upgrade completed successfully. |
Run Dry Run
Run Dry Run
To run a dry run to validate compatibility before upgrading:
- Go to Cloud Fabric > Gateways > Gateway Management > Software Upgrade.
A table appears with the list of gateways. - Select the checkboxes for the gateways to validate.
- Click Actions and select Dry Run.
Upgrade Software
Upgrade Software
To upgrade gateway software:
- Go to Cloud Fabric > Gateways > Gateway Management > Software Upgrade.
A table appears with the list of gateways. - Select the checkboxes for the gateways to upgrade.
- Click Actions and select Upgrade Software.
Purpose
The Image Upgrade page shows a table of Aviatrix gateways and their current image versions, allowing for bulk image upgrades.Elements
- Status Indicators: Displays Controller Version, Latest Image Version, and Upgrade Available count for gateways.
- Upgrade Controller button: Button to upgrade the Aviatrix Controller image to the latest version.
- Image Upgrade table: Displays the Current Image Version for each gateway and the parameters on the following Parameter Details section.
- Checkbox: Selects individual gateways for image upgrade.
- Upgrade Image button: Upgrades image for the selected gateways.
Actions
View Image Upgrade
View Image Upgrade
To view the Image Upgrade page and gateway image versions:
- Go to Cloud Fabric > Gateways > Gateway Management > Image Upgrade.
The Image Upgrade page appears with status indicators (Controller Version, Latest Image Version, Upgrade Available count) and a table of gateways with their current and available image versions. - Optionally, use the Search field or Filter icon to find a gateway.
Parameter Details
| Sl. No. | CoPilot Parameter Name | Description |
|---|---|---|
| 1 | Name | Shows the name of the gateway. |
| 2 | Current Image Version | Shows the image version currently running on the gateway. |
| 3 | Available Image Version | Shows the latest image version available for upgrade. |
| 4 | Dry Run Status | Shows the status of the most recent dry run for image upgrade. |
| 5 | Upgrade Status | Indicates whether the image upgrade completed successfully. |
Upgrade Image
Upgrade Image
To upgrade gateway images:After the upgrade completes, verify the Current Image Version column to confirm the expected image version.
- Go to Cloud Fabric > Gateways > Gateway Management > Image Upgrade.
A table appears with the list of gateways. - Select the checkboxes for the gateways to upgrade.
- Click Upgrade Image.
- Monitor the progress in the status window.
Note: The system selects the compatible gateway image version based on the current software version of the Controller. Image upgrades may cause brief traffic disruption. Schedule upgrades during maintenance windows or low-traffic periods.
Purpose
The Gateway Rollback page shows a table of Aviatrix gateways and their current and rollback software versions, current and rollback image versions, allowing for bulk rollback operations.Elements
- Rollback button: Starts the rollback process for the selected gateways.
- Gateway Rollback table: Displays the Current Software Version, Rollback Software Version, Current Image Version, and Rollback Image Version for each gateway and the parameters on the following Parameter Details section.
- Checkbox: Selects individual gateways for rollback.
Actions
View Gateway Rollback
View Gateway Rollback
To view the Gateway Rollback page and rollback versions:
- Go to Cloud Fabric > Gateways > Gateway Management > Gateway Rollback.
The Gateway Rollback page appears with a table of gateways showing current and rollback software and image versions. - Optionally, use the Search field or Filter icon to find a gateway.
Parameter Details
| Sl. No. | CoPilot Parameter Name | Description |
|---|---|---|
| 1 | Name | Shows the name of the gateway. |
| 2 | Previous Version | Shows the version available for rollback. |
| 3 | Rollback Status | Indicates whether the rollback completed successfully. |
| 4 | Last Upgrade Status | Shows the status of the most recent upgrade before rollback. |
Roll Back Gateway
Roll Back Gateway
To roll back a gateway to the previous version:A notification appears when the rollback completes. Verify the Rollback Status column to confirm success.
- Go to Cloud Fabric > Gateways > Gateway Management > Gateway Rollback.
A table appears with the list of gateways and their rollback versions. - Select the checkboxes for the gateways to roll back.
- Click Rollback.
Important: A gateway upgrade rollback causes temporary service disruption. Schedule rollbacks during maintenance windows when possible.
Purpose
The Settings page shows GCP Global VPC Configuration, Rollback On Gateway Creation Error, and Global BGP Communities Support for Aviatrix gateways.Elements
- GCP Global VPC Configuration card: Section to configure global VPC settings to tag VMs in GCP.
- Rollback On Gateway Creation Error toggle: Option to enable automatic rollback if gateway creation fails.
- Global BGP Communities Support card: Option to enable or disable global BGP communities support across gateways.
- Auto Derivation toggle: Toggle to enable or disable automatic assignment of BGP communities to routes.
- Reset Gateway Overrides button: Button to reset any custom gateway overrides to default settings.
Actions
Edit IPsec Settings: Greenfield
Edit IPsec Settings: Greenfield
Aviatrix supports the following IPsec (AES-256-GCM and Perfect Forward Secrecy (PFS) using DH21) configurations:
Upgrade the Controller to version 8.2.0 or later. After the controller upgrade, by default, existing IPsec tunnels continue using the configured encryption settings.To apply AES-256-GCM and PFS for the new gateway deployments:
- Spoke—Transit
- Transit—Transit
- Transit—FQDN
- Transit—Edge-as-Spoke
| Configuration | Encryption Algorithm |
|---|---|
| Strong Cipher is enabled; PFS is enabled | AES-256-GCM with DH21 |
| Strong Cipher is enabled; PFS is disabled | AES-256-GCM without PFS |
| Strong Cipher is disabled; PFS is enabled | AES-128-GCM with DH21 |
| Strong Cipher is disabled; PFS is disabled | AES-128-GCM only |
- Go to Cloud Fabric > Gateways > Settings > Advanced Security.
- Turn On Strong Cipher Support for Encryption.
- Turn On Perfect Forward Secrecy (PFS) for IPSec.
- Read and understand the warning message, and tick the checkbox to confirm the changes.
- Click Save.
Parameter Details
| Sl. No. | CoPilot Parameter Name | Description |
|---|---|---|
| 1 | GCP Global VPC Configuration | Settings for global VPC configuration in GCP, including VM tagging method. |
| 2 | Virtual Machines Tagging Method | Defines how tags are applied to virtual machines (e.g., Tag on Changes). |
| 3 | Rollback on Gateway Creation Error | Enables automatic rollback if gateway creation fails. |
| 4 | Global BGP Communities Support | Toggles support for global BGP communities across gateways. |
| 5 | Auto Derivation | Enables or disables automatic derivation of BGP settings. |
| 6 | Reset Gateway Overrides | Resets any custom gateway overrides to default settings. |
| 7 | Alert Thresholds | Configures CPU, memory, and bandwidth thresholds for alerts. |
| 8 | Upgrade Mode | Defines upgrade behavior (manual or automatic) for gateways. |
Edit IPsec Settings: Brownfield
Edit IPsec Settings: Brownfield
Aviatrix supports the following IPsec (AES-256-GCM and Perfect Forward Secrecy (PFS) using DH21) configurations:
To apply AES-256-GCM and PFS for the existing gateway deployments:
- Spoke—Transit
- Transit—Transit
- Transit—FQDN
- Transit—Edge-as-Spoke
| Configuration | Encryption Algorithm |
|---|---|
| Strong Cipher is enabled; PFS is enabled | AES-256-GCM with DH21 |
| Strong Cipher is enabled; PFS is disabled | AES-256-GCM without PFS |
| Strong Cipher is disabled; PFS is enabled | AES-128-GCM with DH21 |
| Strong Cipher is disabled; PFS is disabled | AES-128-GCM only |
- Upgrade the Controller to version 8.2.0 or later.
- Go to Cloud Fabric > Gateways > Settings > Advanced Security.
- Turn On Strong Cipher Support for Encryption.
- Turn On Perfect Forward Secrecy (PFS) for IPSec.
- Read and understand the warning message, and tick the checkbox to confirm the changes.
- Click Save.
- Go to Cloud Fabric > Gateways > Transit Gateways/Spoke Gateways.
A table appears with the list of Transit Gateways and Spoke Gateways. - Locate the Transit Gateway or Spoke Gateway to apply AES-256-GCM and PFS on the table and click the Gateway name to open the Gateway Details page.
- Click the Settings tab.
- Turn On Strong Cipher Support for Encryption.
- Turn On Perfect Forward Secrecy (PFS) for IPSec.
- Read and understand the warning message, and tick the checkbox to confirm the changes.
- Click Save. The AES-256-GCM and PFS is applied to the gateway.
Parameter Details
| Sl. No. | CoPilot Parameter Name | Description |
|---|---|---|
| 1 | GCP Global VPC Configuration | Settings for global VPC configuration in GCP, including VM tagging method. |
| 2 | Virtual Machines Tagging Method | Defines how tags are applied to virtual machines (e.g., Tag on Changes). |
| 3 | Rollback on Gateway Creation Error | Enables automatic rollback if gateway creation fails. |
| 4 | Global BGP Communities Support | Toggles support for global BGP communities across gateways. |
| 5 | Auto Derivation | Enables or disables automatic derivation of BGP settings. |
| 6 | Reset Gateway Overrides | Resets any custom gateway overrides to default settings. |
| 7 | Alert Thresholds | Configures CPU, memory, and bandwidth thresholds for alerts. |
| 8 | Upgrade Mode | Defines upgrade behavior (manual or automatic) for gateways. |
Configure GCP Global VPC
Configure GCP Global VPC
To configure GCP Global VPC tagging for spoke gateways:
- Go to Cloud Fabric > Gateways > Settings.
The Settings page appears with GCP Global VPC Configuration, Rollback On Gateway Creation Error, and Global BGP Communities Support. - In the GCP Global VPC Configuration card, click Modify.
- Select the tagging method: Tag on Changes (recommended), Auto Tag, or Manage Manually.
- Optionally, exclude virtual machines from GCP Global VPC routing by selecting them from the dropdown.
- Optionally, use the notification button to start or stop notifications when instances are discovered and tagged.
- Click Save.
Parameter Details
| Sl. No. | CoPilot Parameter Name | Description |
|---|---|---|
| 1 | Virtual Machines Tagging Method | Tag on Changes: Reevaluates tags when gateway or connection configuration changes. Auto Tag: Monitors VMs and adds or removes tags automatically. Manage Manually: Tagging is done through the GCP console. |
| 2 | Exclude Virtual Machines | Exclude specific VMs from GCP Global VPC routing; excluded VMs remain accessible through global routing tables. |
| 3 | Notifications | Start or stop notifications when instances are discovered and tagged. |
Reapply GCP Global VPC Tags
Reapply GCP Global VPC Tags
To reapply GCP Global VPC tags after new subnets are added:The operation syncs VPC subnets, updates routing tables, and applies tags to new or existing VMs in newly deployed regions.
- Go to Cloud Fabric > Gateways > Settings.
The Settings page appears with the GCP Global VPC Configuration card. - In GCP Global VPC Configuration, click Reapply Tags.
Note: Reapply Tags is available only for Tag on Changes and Auto Tag configurations.
Enable or Disable Rollback on Gateway Creation Error
Enable or Disable Rollback on Gateway Creation Error
To disable automatic rollback when gateway creation fails (to keep the gateway instance for debugging):
- Go to Cloud Fabric > Gateways > Settings.
The Settings page appears. - In Rollback on Gateway Creation Error, set the toggle to Off.
- Click Save.
Enable Global BGP Communities Support
Enable Global BGP Communities Support
To enable global BGP communities across gateways:
- Go to Cloud Fabric > Gateways > Settings.
The Settings page appears. - In the Global BGP Communities Support card, click the Global BGP Communities Support toggle to On.
- Click Save.
Enable Auto-Derivation of BGP Communities
Enable Auto-Derivation of BGP Communities
To enable auto-derivation of BGP community tags:
- Go to Cloud Fabric > Gateways > Settings.
The Settings page appears. - In the Global BGP Communities Support card, set Global BGP Communities Support to On.
- Set Auto Derivation to On.
- In Community Prefix, enter the first 16-bit prefix (0–65535) of the BGP community tag format.
- Click Save.
Reset Gateway Overrides
Reset Gateway Overrides
To reset all gateway-level BGP communities overrides to the global setting:
- Go to Cloud Fabric > Gateways > Settings.
The Settings page appears. - Locate the Global BGP Communities Support card.
- Click Reset Gateway Overrides.
- Click Reset to confirm.