Edge Spoke Gateway Deployment Workflow on Equinix Network Edge
This document provides instructions for deploying primary and secondary (highly available, HA) Edge Spoke Gateways on Equinix Network Edge.
For an overview of Aviatrix Edge, see About Aviatrix Hybrid Cloud Edge.
Topology
The following diagram shows an example of network connectivity from an Aviatrix Edge Spoke Gateway to a Transit Gateway in AWS. In this topology, the Edge Spoke Gateway connects to an upstream WAN router, which terminates the CSP underlay private connections.
The topology below shows the Edge Spoke Gateway itself terminating the CSP underlay private connections, which does not require an upstream WAN router.
Aviatrix Edge Spoke Gateway requires the latest versions of Aviatrix Controller 7.1 and Aviatrix Edge Image 7.1 to support BGP underlay connectivity to the CSP.
Prerequisites
Before you can deploy an Aviatrix Edge Spoke Gateway on the Equinix platform, you must perform the prerequisite steps to set up an Equinix account, a Network Service Provider (NSP) platform account, and provide network access.
For instructions to perform these prerequisite steps, see Prerequisites for Edge Spoke Gateway Deployment on Equinix Network Edge.
Aviatrix Edge Spoke Gateway Deployment Workflow in Equinix
To deploy an Aviatrix Edge Spoke Gateway, you first need to procure and onboard your edge device on the platform of your choice (see Prerequisites for Edge Spoke Gateway Deployment on Equinix Network Edge). Next, you deploy the Aviatrix Edge Gateway on the edge device and attach the Edge Gateway to the Aviatrix Transit Gateway for cloud connectivity. Then, you configure the Edge Gateway for LAN-side connectivity.
This workflow provides the steps to create a primary and secondary (HA) Edge Gateway in Equinix Network Edge. It also provides the steps to attach the Edge Gateways to a Transit Gateway and connect the Edge Gateways to an external device, such as a LAN BGP router.
Creating the ZTP Cloud-Init for the Primary Edge Spoke Gateway (Equinix)
The Edge Gateway cloud-init ZTP file is used to provision the Edge Gateway virtual machine and create the Edge Gateway in Equinix Fabric.
To create the primary Edge Spoke Gateway cloud-init ZTP file, follow these steps.
-
In CoPilot, go to Cloud Fabric > Hybrid Cloud > Edge Gateways tab.
-
Click Spoke Gateways, then click + Spoke Gateway and provide the following information.
Field
Description
Name
Name for the Edge Gateway.
The name must start with a letter and contain only letters, numbers, and dashes (no special characters or spaces) and it can be up to 50 characters long.
Platform
The platform account where you want to deploy the Edge Gateway.
You can create and edit platform accounts in CoPilot by going to Cloud Fabric > Hybrid Cloud > Platforms tab. See Set Up the Aviatrix Edge Platform Account.
Site
Identifies the edge location.
You can select an existing name or enter a new name for the edge location. See Edge site.
ZTP File Type
This is set to cloud-init. See Edge Spoke Gateway High Availability.
Configuring the Edge Gateway Interfaces
By default, an Edge Spoke Gateway has three interfaces: one WAN interface on eth0, one LAN interface on eth1, and one Management interface on eth2. You can configure multiple WAN interfaces on the Edge Gateway, as needed. You will need the following configuration information to configure the interfaces.
In the Interface Configuration section, configure the WAN, LAN, and Management interfaces for the Edge Gateway.
Configuring the WAN Interface
You can configure multiple WAN interfaces on the Edge Gateway. While up to 8 WAN interfaces are supported, Aviatrix recommends a maximum of 4 WAN interfaces per Edge Gateway.
-
Click + WAN Interface, then provide the following information.
Field
Description
Interface
This is set to the Edge Gateway’s logical interface.
Adding multiple WAN interfaces is applicable when the Edge Gateway is set up for BGP underlay to the CSP. Add an interface per CSP underlay (such as Direct Connect or Express Route). A maximum of 8 WAN interfaces per Edge Gateway is supported. When the Edge Gateway is not terminating the CSP underlay, use one interface per Edge Gateway to connect to the upstream router.
IP Assignment
The default is Static for static IP assignment.
DHCP for dynamic IP address assignment is not supported.
Interface Labels
Name to identify the WAN interface.
BGP
Enables BGP underlay connection to cloud service provider (CSP) on the WAN interface.
Set the BGP toggle to On to set up a BGP connection to cloud routers such as VGW, VNG, and Google cloud router.
Edge Gateway WAN support for BGP underlay to CSP is supported for AWS, Azure, and GCP.
Interface Primary CIDR
The CIDR for the WAN interface.
Interface CIDR must be in the format interface_ip/netmask (for example, 192.18.20.1/24).
Interface CIDR cannot be link-local CIDR. If you need to create a BGP underlay connection to cloud service provider (CSP) with a link-local IP address, you must enter the link-local IP address in the Link-local Underlay CIDR setting of the WAN interface.
Default Gateway IP
The Default Gateway IP address for the WAN interface.
-
If BGP is turned On, provide the following information:
Field
Description
Link-Local Underlay CIDR (GCP only)
The Link-Local Underlay CIDR is used for BGP underlay connections to cloud service provider (CSP).
If you need to create a BGP underlay connection to CSP with a link-local IP address, you must provide the Link-Local Underlay CIDR for the WAN interface in the format of link_local_underlay_ip/netmask (for example 169.254.100.3/24).
This is required for GCP. If terminating GCP Interconnect and using BGP underlay on the Edge, provide the peer IP address as the WAN Default Gateway.
If Link-Local Underlay CIDR is configured, the Default Gateway IP should be in the same subnet as the Link-Local Underlay CIDR, otherwise, it should be in the same subnet as the WAN Interface CIDR.
Local ASN
The Local AS Number of the Edge Gateway.
Remote ASN
The AS Number of the CSP side peering connection such as private VIF on VGW (AWS) and VNG ASN (Azure).
Local Tunnel IP
The IP address of the Edge Gateway. This is the local peering PTP IP for BGP.
Remote Tunnel IP
The peering PTP IP address on the CSP side (VNG or VGW). GCP is not supported.
Password (optional)
The MD5 authentication key.
-
To add another WAN interface, click + WAN again and provide the required information.
To change or update the Edge Gateway WAN connectivity to Transit Gateway, you will need to first detach the Edge-to-Transit gateway attachment, if there is an attachment.
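The interface rules above (CIDR format, no link-local primary CIDR, Default Gateway IP in the link-local underlay subnet when one is configured and otherwise in the WAN subnet, ASNs required when BGP is On, at most 8 WAN interfaces) plus the gateway naming rule from the Gateway Configuration table, written as a pre-flight checker. This is an added example, not Aviatrix or CoPilot code; the dictionary keys (cidr, gateway, bgp, link_local_cidr, local_asn, remote_asn) are assumed names chosen for the example.

```python
import ipaddress
import re

MAX_WAN_INTERFACES = 8  # supported limit per Edge Gateway
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Starts with a letter; letters, digits and dashes only; at most 50 characters.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]{0,49}")


def valid_gateway_name(name):
    """True if the name satisfies the Edge Gateway naming rule."""
    return NAME_RE.fullmatch(name) is not None


def validate_wan_interface(iface):
    """Return the rule violations for one WAN interface (empty list = OK).

    Assumed dict keys: cidr, gateway, bgp, link_local_cidr, local_asn, remote_asn.
    """
    errors = []
    try:
        wan = ipaddress.ip_interface(iface["cidr"])
    except (KeyError, ValueError):
        return ["Interface Primary CIDR must be interface_ip/netmask"]
    if wan.ip in LINK_LOCAL:
        errors.append("Interface Primary CIDR cannot be link-local; put the "
                      "link-local address in Link-Local Underlay CIDR instead")

    underlay = None
    if iface.get("link_local_cidr"):
        try:
            underlay = ipaddress.ip_interface(iface["link_local_cidr"])
        except ValueError:
            errors.append("Link-Local Underlay CIDR must be link_local_underlay_ip/netmask")
        else:
            if underlay.ip not in LINK_LOCAL:
                errors.append("Link-Local Underlay CIDR must be a 169.254.0.0/16 address")

    try:
        gateway = ipaddress.ip_address(iface["gateway"])
    except (KeyError, ValueError):
        errors.append("Default Gateway IP is required")
    else:
        # With a link-local underlay the gateway sits in that subnet;
        # otherwise it must be in the WAN interface subnet.
        expected = underlay.network if underlay else wan.network
        if gateway not in expected:
            errors.append(f"Default Gateway IP {gateway} is not in {expected}")

    if iface.get("bgp"):
        for key in ("local_asn", "remote_asn"):
            asn = iface.get(key)
            if not isinstance(asn, int) or not 1 <= asn <= 4294967295:
                errors.append(f"BGP is On but {key} is missing or not a valid ASN")
    return errors


def validate_wan_interfaces(ifaces):
    """Map each interface index to its violations; key -1 holds list-level errors."""
    report = {i: validate_wan_interface(x) for i, x in enumerate(ifaces)}
    if len(ifaces) > MAX_WAN_INTERFACES:
        report[-1] = [f"{len(ifaces)} WAN interfaces configured; maximum is {MAX_WAN_INTERFACES}"]
    return {i: errs for i, errs in report.items() if errs}
```

Running the checker over the interface values before clicking Save and Download Configuration avoids burning one of the 24-hour cloud-init files on a configuration that CoPilot will reject.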
Configuring the LAN Interface
To configure the Edge Gateway LAN interface, click + LAN Interface, then provide the following information.
Field
Description
Interface
The Edge Gateway’s logical interface name. This is set to eth1.
Interface Labels
Name to identify the LAN interface.
Interface CIDR
The CIDR for the LAN interface.
Default Gateway IP
(Optional) The Default Gateway IP address for the LAN interface.
Configuring the MGMT Interface
To configure the Edge Gateway Management interface:
-
Click MGMT, then click + MGMT Interface.
-
Leave the default settings and click Save.
Leave the Private Network setting Off. In the Equinix Platform, the Management interface of the Edge Gateway is assigned the public IP address that is allocated by Equinix.
-
To create the ZTP cloud-init image file, click Save and Download Configuration.
If a required field is missing, the interface tab is highlighted to indicate there is an error.
CoPilot downloads the ZTP cloud-init file to your downloads folder.
Next, log in to your Equinix Portal and deploy the Edge Gateway VM instance and attach the cloud-init image file to complete the Edge Gateway creation and authentication with the Aviatrix Controller.
The cloud-init file is valid for 24 hours after you create it, so you must launch an Edge VM and deploy the Edge Gateway on the Equinix platform within that time. You cannot download the file again; after it expires, you must repeat the steps to create a new cloud-init file. See Launching the Edge Gateway in Equinix Network Edge.
Gateway Configuration
Field
Description
Name
Name for the Edge Gateway. The name must start with a letter and contain only letters, numbers, and dashes (no special characters or spaces) and it can be up to 50 characters long.
Platform
The platform account where you want to deploy the Edge Gateway. You can create and edit platform accounts in CoPilot by going to Cloud Fabric > Hybrid Cloud > Platforms tab.
Site
Identifies the edge location. You can select an existing name or enter a new name for the edge location.
ZTP File Type
This is set to cloud-init.
Interface Configuration
WAN Interface
Field
Description
Interface
This is set to the Edge Gateway’s logical interface. When the Edge Gateway is not terminating the CSP underlay, use one interface per Edge Gateway to connect to the upstream router.
Interface Labels
Name to identify the WAN interface.
BGP
Enables BGP underlay connection to cloud service provider (CSP) on the WAN interface. Set the BGP toggle to On to set up a BGP connection to cloud routers such as VGW, VNG, and Google cloud router.
Interface Primary CIDR
The CIDR for the WAN interface. Interface CIDR must be in the format interface_ip/netmask (for example, 192.18.20.1/24). If you need to create a BGP underlay connection to cloud service provider (CSP) with a link-local IP address, you must enter the link-local IP address in the Link-local Underlay CIDR setting of the WAN interface.
Link-Local Underlay CIDR (GCP only)
The Link-Local Underlay CIDR is used for BGP underlay connections to cloud service provider (CSP). If you need to create a BGP underlay connection to CSP with a link-local IP address, you must provide the Link-Local Underlay CIDR for the WAN interface in the format of link_local_underlay_ip/netmask (for example 169.254.100.3/24). This is required for GCP. If terminating GCP Interconnect and using BGP underlay on the Edge, provide the peer IP address as the WAN Default Gateway. If Link-Local Underlay CIDR is configured, the Default Gateway IP should be in the same subnet as the Link-Local Underlay CIDR; otherwise, it should be in the same subnet as the WAN Interface CIDR.
Default Gateway IP
The Default Gateway IP address for the WAN interface.
WAN BGP
Field
Description
Local ASN
The Local AS Number of the Edge Gateway.
Remote ASN
The AS Number of the CSP side peering connection such as private VIF on VGW (AWS) and VNG ASN (Azure).
Local Tunnel IP
The IP address of the Edge Gateway. This is the local peering PTP IP for BGP.
Remote Tunnel IP
The peering PTP IP address on the CSP side (VNG or VGW). GCP is not supported.
Password (optional)
The MD5 authentication key.
LAN Interface
Field
Description
Interface
The Edge Gateway’s logical interface name. This is set to eth1.
Interface Labels
Name to identify the LAN interface.
Interface CIDR
The CIDR for the LAN interface.
Default Gateway IP
(Optional) The Default Gateway IP address for the LAN interface.
MGMT Interface
Field
Description
Interface
This is set to eth2.
Private Network
Leave this setting Off. In the Equinix Platform, the MGMT interface of the Edge Gateway is assigned the public IP address that is allocated by Equinix.
Egress CIDR (Optional)
The CIDR range for the egress for this Management interface.
Creating the ZTP Cloud-Init for the Secondary Edge Gateway (Equinix)
To create a highly available secondary (HA) Edge Gateway, follow these steps.
-
Go to Cloud Fabric > Edge > Gateways tab.
-
In the table, locate the primary Edge Gateway for which you want to create the HA gateway and click its Edit icon.
-
In the Edit Edge Gateway dialog box, from the High Availability dropdown menu, select Active-Active or Active-Standby mode.
-
In the Interface Configuration section, configure the WAN, LAN, and Management interfaces of the secondary (HA) Edge Gateway.
WAN Interface
Click + WAN Interface, then provide the following information.
Parameter
Description
Edge Gateway Interface
This is set to eth0.
Adding multiple WAN interfaces is applicable when the Edge Gateway is used for BGP underlay to the CSP. Add an interface per CSP underlay (such as Direct Connect or Express Route). When the Edge Gateway is not terminating the CSP underlay, use one interface per Edge Gateway to connect to the upstream router.
DHCP for dynamic IP address assignment is not supported.
Interface Labels
A name to identify this WAN interface.
BGP
To enable BGP on the Edge Gateway, set this switch to On.
WAN support for BGP underlay to CSP is supported for AWS and Azure.
Interface CIDR
The CIDR for the WAN interface.
Default Gateway IP
The Default Gateway IP address for this WAN interface.
Public IP
The WAN interface’s egress Public IP address.
If BGP is turned On, provide the following information:
Parameter
Description
Local ASN
The ASN of the Edge Gateway.
Remote ASN
The ASN of the CSP side peering connection such as private VIF on VGW (AWS) and VNG ASN (Azure).
Local Tunnel IP
The IP address of the Edge Gateway. This is the local peering PTP IP for BGP.
Remote Tunnel IP
The peering PTP IP address on the CSP side (VNG or VGW). GCP is not supported.
Password (optional)
The MD5 authentication key.
To change or update the Edge Gateway WAN connectivity to Transit Gateway, you will need to first detach the Edge-to-Transit gateway attachment, if there is an attachment.
LAN Interface
Click LAN, then provide the following information.
Parameter
Description
Edge Gateway Interface
This is set to eth1.
DHCP for dynamic IP address assignment is not supported.
Interface Labels
Enter a name to identify this LAN interface.
BGP
For BGP over LAN, set this switch to On.
Interface CIDR
The CIDR for the LAN interface.
Default Gateway IP
(Optional) The Default Gateway IP address for this LAN interface.
Management Interface
Click + MGMT interface. Leave the default settings and click Save.
Leave the Private Network setting Off. In the Equinix Platform, the MGMT interface of the Edge Gateway is assigned the public IP address that is allocated by Equinix.
To create the ZTP cloud-init image file, click Save and Download Configuration.
CoPilot downloads the ZTP cloud-init file to your Downloads folder.
The cloud-init file is valid for 24 hours after you create it, so you must launch an Edge VM on the Equinix platform within that time. You cannot download the file again; after it expires, you must recreate the cloud-init file.
Deploying the Edge Gateway in Equinix Network Edge
To launch the Aviatrix Edge Gateway in Equinix Network Edge, see Create an Aviatrix Edge in the Equinix documentation. Demo video: Step-by-Step Guide to Deploy Aviatrix Secure Edge on Equinix Network Edge on Vimeo.
You will need to create an Access Control List Template to allow CoPilot access to the Aviatrix Edge virtual device.
Once the Aviatrix Edge virtual device is created and provisioned, an email is sent to the notification address you provided, informing you that the Aviatrix Edge virtual device is provisioned.
Creating the Access Control List Template for CoPilot
The Access Control List Template defines the inbound rules for the Aviatrix Edge Gateway virtual device to allow specific inbound traffic. The Aviatrix Controller and CoPilot need to communicate with the Aviatrix Edge Gateway, so inbound traffic from the Controller and CoPilot must be allowed on the Edge Gateway virtual device.
The Controller’s IP address is automatically allowed based on the cloud-init.
To define the inbound rules for CoPilot, in the Create New Access Control List Management Template page, provide the following information.
-
In the Basic Details section, enter a name for the Access Control List template and a description.
-
In the Inbound Rules section, enter the following information:
-
For IP Address Subnet, enter the CoPilot public or private IP address.
-
For Protocol, select IP from the drop-down.
-
For Description (Optional), enter a description for this rule.
-
Click Add Rule.
-
To create the Access Control List template, click Create Template.
Configuring the Edge Gateway Management Egress IP Address
The Management Egress IP address of the Aviatrix Edge Gateway virtual device must be updated from the Aviatrix CoPilot so that the Security Group is updated with the correct Egress IP address.
-
Locate the public IP assigned by Equinix during Aviatrix Edge virtual device creation.
-
From Equinix Fabric Portal, go to Network Edge > Virtual Device Inventory > Details and locate the Public IP address of the device.
-
In Aviatrix CoPilot, navigate to Cloud Fabric > Edge > Gateways tab.
-
In the table, locate the Edge Gateway and click its Edit icon on the right.
-
In the Edit Edge Gateway dialog box, scroll to Interface Configuration section, and click MGMT.
-
Update the Egress CIDR with the Public IP from the Equinix Fabric Portal.
-
Click Save.
Attaching the Edge Gateway to the Transit Gateway
Before you attach the Edge Gateway to the Transit Gateway, ensure the Local ASN is configured on both gateways.
You can attach an Edge Gateway to multiple Transit Gateways. Each attachment can be configured with different parameters, such as the connecting interfaces, connection over a private or public network, high-performance encryption, and Jumbo Frame.
In Aviatrix CoPilot:
-
Go to Cloud Fabric > Edge > Gateways tab.
-
Locate the Edge Gateway, click the three dot vertical menu on the right, and select Manage Transit Gateway Attachment.
-
Click + Transit Gateway Attachment, then provide the following information.
Field
Description
Transit Gateway
From the dropdown menu, select the Transit Gateway to attach to the Edge Gateway.
Connecting Edge Interfaces
From the dropdown menu, select the WAN interface connection(s) to the Transit Gateway.
Multiple WAN interfaces are supported.
In the Advanced section, set the advanced gateway settings that apply.
Field
Description
Attach over Private Network
If the Edge WAN connection to the Transit Gateway is over a private network, set this toggle to On.
Leave it Off if the connection is over the public internet.
Jumbo Frame
If you want to use Jumbo Frames for the Transit-to-Edge Gateway connection, set this toggle to On.
High Performance Encryption
If you want to enable high-performance encryption for the Transit-to-Edge Gateway connection, set this toggle to On.
In Number of Tunnels, enter the number of HPE tunnels to create.
-
For HPE over a private network, setting the number of tunnels to 0 creates the maximum number of tunnels based on the peering gateway size.
-
For HPE over a public network, the supported number of tunnels is between 2 and 20.
To attach the Edge Gateway to another Transit Gateway, click + Transit Gateway Attachment again and provide the required information.
-
Click Save.
Connecting the Edge Gateway to an External Device (BGP over LAN)
For LAN-side connectivity, you can connect the Edge Spoke Gateway to an external device, such as a LAN BGP router.
To connect the Edge Gateway to the LAN BGP router, follow these steps.
-
In CoPilot, navigate to Networking > Connectivity > External Connections (S2C) tab.
-
Click + External Connection, then provide the following information.
Parameter
Description
Name
Name to identify the connection to the LAN router.
Connect Local Gateway To
Select External Device radio button, then from the dropdown menu, select BGP over LAN.
Local Gateway
The Edge Gateway that you want to connect to the LAN router.
Local ASN
The Local AS number that the Edge Gateway will use to exchange routes with the LAN router.
This is automatically populated if the Edge Gateway is assigned an ASN already.
Remote ASN
The BGP AS number that is configured on the LAN router.
-
Click + Connection and provide the following information.
Parameter
Description
Remote LAN IP
The IP address for the LAN router.
Local LAN IP
This is automatically populated with the Edge Gateway LAN interface IP address.
-
Click Save.