Edge Transit Gateway Deployment Workflow for On-Premises

This document provides instructions for deploying primary and secondary highly available (HA) Edge Transit Gateways on the Aviatrix Edge platform.

For an overview of Aviatrix Edge, see About Aviatrix Hybrid Cloud Edge.

Topology

The following diagram shows an example of network connectivity for Edge Transit Gateway to Transit Gateways in the cloud and Edge Spoke Gateways at remote sites.

[Figure: Edge Transit Gateway on-premises topology]

Prerequisites

Before you can deploy an Edge Transit Gateway on the Aviatrix Edge Platform:

  1. You must perform the prerequisite steps to procure and onboard your edge device. See Prerequisites for Edge Transit Gateway Deployment for On-Premises.

Aviatrix Edge Transit Gateway Deployment Workflow

To deploy an Edge Transit Gateway, first you need to procure and onboard your edge devices on the platform of your choice (see Prerequisites for Edge Transit Gateway Deployment for On-Premises).

Next, you deploy the primary and secondary highly available (HA) Edge Transit Gateways on the edge devices. For cloud connectivity, attach the primary Edge Transit Gateway to the Aviatrix Transit Gateway. For LAN-side connectivity, attach the primary Edge Transit Gateway to the Edge Spoke Gateway.

The workflow below guides you through these steps.

Creating the Primary and Secondary Edge Transit Gateway (Aviatrix Edge Platform)

To create a primary and secondary (HA) Edge Transit Gateway, follow these steps.

Step 1: Gateway Configuration

  1. In Aviatrix CoPilot, go to Cloud Fabric > Hybrid Cloud > Edge Gateways > Transit Gateways tab.

  2. Click + Transit Gateway, then provide the following information.

    Field

    Description

    Name

    Name for the Edge Gateway.

    The name must start with a letter and contain only letters, numbers, and dashes (no special characters or spaces) and it can be up to 50 characters long.

    Platform

    The platform account where you want to deploy the Edge Gateway.

    You can create and edit platform accounts in CoPilot by going to Cloud Fabric > Hybrid Cloud > Platforms tab. See Set Up the Aviatrix Edge Platform Account.

    Site

    Identifies the edge location.

    You can select an existing name or enter a new name for the edge location.

    High Availability

    The high availability mode.

    • Off creates only the primary Edge Gateway with one active peering.

    • On (Active Active Mode) enables Edge Gateway connections with all active peerings to perform load sharing and forward network traffic.

    Primary Device

    The edge device where you want to deploy the primary Edge Gateway.

    Secondary Device

    The edge device where you want to deploy the secondary (HA) Edge Gateway.

    The primary and secondary devices must have the same hardware configuration.

    Gateway Resource Size

    The gateway size.

    • Small - 2 vCPU - 4 GB

    • Medium - 4 vCPU - 8 GB

    • Large - 8 vCPU - 16 GB

    • X-Large - 16 vCPU - 32 GB

  3. Click Next to configure the gateway interfaces.

Step 2: Interface Configuration

By default, an Edge Transit Gateway has two interfaces: one WAN interface on eth0 and one Management interface on eth2. Have the configuration information described below ready before you configure the interfaces.

In the Interface Configuration section, configure the WAN and Management interfaces. If High Availability mode is selected, then configure both the primary and secondary Edge Gateways.

Configure the WAN Interface

Edge Transit Gateway on the Aviatrix Edge Platform supports up to 4 WAN interfaces.

  1. In Interface Configuration, click WAN, then provide the following information.

    Field

    Description

    Interface

    This is set to the Edge Gateway’s logical interface.

    Adding multiple WAN interfaces is applicable when the Edge Gateway is set up for BGP underlay to cloud service provider (CSP) or other Edge Transit Gateways.

    A maximum of four WAN interfaces per Edge Gateway is supported.

    Add an interface per CSP underlay (such as Direct Connect or Express Route).

    When the Edge Gateway is not terminating a CSP underlay, use one interface per Edge Gateway to connect to the upstream router.

    IP Assignment

    The default is Static for static IP assignment.

    DHCP for dynamic IP address assignment is not supported.

    Interface Labels

    Name to identify the WAN interface.

    BGP

    Enables BGP underlay connection to cloud service provider (CSP) or other Edge Transit Gateways on the WAN interface.

    Set the BGP toggle On to set up a BGP connection to cloud routers such as VGW, VNG, and Google Cloud Router.

    Edge Gateway WAN support for BGP underlay to CSP is supported for AWS, Azure, and GCP.

    Interface Primary CIDR

    The CIDR for the WAN interface.

    DHCP for dynamic IP address assignment is not supported.

    Interface CIDR must be in the format interface_ip/netmask (for example, 192.18.20.1/24).

    Interface CIDR cannot be link-local CIDR.

    If you need to create a BGP underlay connection to cloud service provider (CSP) with a link-local IP address, you must enter the link-local IP address in the Link-local Underlay CIDR setting of the WAN interface.

    Interface Secondary CIDRs

    The secondary CIDRs for the WAN interface.

    Interface CIDR must be in the format interface_ip/netmask (for example, 192.18.20.1/24).

    The secondary CIDRs are used for High Performance Encryption (HPE) attachment peering connections over a private network between the Edge Transit Gateway and another Edge Transit Gateway or Edge Spoke Gateway. The secondary IP addresses (based on the secondary CIDRs) are automatically assigned to create the peering connections. You can define a /32 CIDR to pin a specific secondary IP address.

    Secondary CIDR cannot be link-local CIDR.

    Default Gateway IP

    The Default Gateway IP address for the WAN interface.

    For CSP underlay, this is the remote side IP address of the BGP session on CSP VNG or VGW.

    Public IP

    The public IP for the WAN interface.

    The public IP of the WAN interface is used for peering connections over the public network.

  2. If BGP is turned On, provide the following information.

    Field

    Description

    Link-Local Underlay CIDR (GCP only)

    The Link-Local Underlay CIDR is used for BGP underlay connections to cloud service provider (CSP).

    If you need to create a BGP underlay connection to CSP with a link-local IP address, you must provide the Link-Local Underlay CIDR for the WAN interface in the format of link_local_underlay_ip/netmask (for example 169.254.100.3/24).

    This is required for GCP. If terminating GCP Interconnect and using BGP underlay on Edge, enter the peer IP address as the WAN Default Gateway IP.

    If a Link-Local Underlay CIDR is configured, the Default Gateway IP must be in the same subnet as the Link-Local Underlay CIDR; otherwise it must be in the same subnet as the WAN Interface CIDR.

    Local ASN

    The local AS number of the Edge Gateway.

    Remote ASN

    The AS Number of the CSP side peering connection such as private VIF on VGW (AWS) and VNG ASN (Azure).

    Local LAN IP

    The IP address of the Edge Gateway. This is the local point-to-point (PTP) peering IP for BGP.

    Remote LAN IP

    The point-to-point (PTP) peering IP address on the CSP VNG or VGW (GCP is not supported).

    Password (optional)

    The MD5 authentication key.

  3. If BGP is turned On, in Gateway Configuration, enter the Local AS Number of the local Edge Gateway.

  4. To add another WAN interface, click + WAN Interface again and provide the required information.

    If a required field is missing, the interface tab is highlighted to indicate there is an error.

Configure the Management Interface

  1. In Interface Configuration, click MGMT, then provide the following information.

    Field

    Description

    Interface

    The Edge Gateway’s logical interface name.

    IP Assignment

    The MGMT interface defaults to DHCP.

    This setting cannot be changed.

    The Edge Gateway will automatically NAT out of the physical MGMT interface of the edge node when using the Aviatrix Edge platform.

    Private Network

    Leave this setting Off.

    The Edge Gateway on the edge hardware requires public Internet reachability to connect to the Aviatrix Controller and Aviatrix Edge infrastructure in the cloud.

    Egress CIDR (Primary)

    The Egress CIDR is the public IP address that the Management interface uses.

    If the Edge Gateway Management interface uses its public IP to establish connectivity to the Aviatrix Controller, configure that public IP as the CIDR. The CIDR is then added to the Controller security group to allow incoming traffic from the Edge Gateway.

    Egress CIDR (Secondary)

    The Egress Public IP for the secondary Edge Gateway’s Management interface when High Availability is configured.

    If a required field is missing, the interface tab is highlighted to indicate there is an error.

  2. Click Next to view the interface mapping.
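The naming rule in Step 1 and the interface rules in Step 2 (CIDR format, no link-local interface CIDRs, the Default Gateway IP subnet rule when a Link-Local Underlay CIDR is set, and the Management egress public IP that lands in the Controller security group) can be checked before values are entered in CoPilot. The following pre-flight validator is an added example and not Aviatrix code; the WanInterface record, the function names and all sample addresses are constructed for this example.

```python
"""Pre-flight checks for Edge Transit Gateway settings (added example, not Aviatrix code)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Name: starts with a letter, then letters, digits or dashes, 50 characters max.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,49}$")
MAX_WAN_INTERFACES = 4
# RFC 1918 ranges: a Management egress CIDR must be a public address, not one of these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_gateway_name(name: str) -> List[str]:
    return [] if NAME_RE.match(name) else [f"gateway name {name!r} violates the naming rule"]


def parse_interface_cidr(text: str) -> ipaddress.IPv4Interface:
    """Parse 'interface_ip/netmask' (for example 192.18.20.1/24).

    ip_interface keeps the host address; ip_network(strict=True) would reject it
    because host bits are set. A bare address without '/netmask' is rejected.
    """
    if "/" not in text:
        raise ValueError(f"{text}: CIDR must be in the form interface_ip/netmask")
    iface = ipaddress.ip_interface(text)
    if not isinstance(iface, ipaddress.IPv4Interface):
        raise ValueError(f"{text}: only IPv4 is handled in this example")
    return iface


@dataclass
class WanInterface:  # hypothetical record mirroring the WAN fields in Step 2
    label: str
    primary_cidr: str
    default_gateway_ip: str
    secondary_cidrs: List[str] = field(default_factory=list)
    bgp: bool = False
    link_local_underlay_cidr: Optional[str] = None  # GCP BGP underlay only


def validate_wan_interface(w: WanInterface) -> List[str]:
    errors: List[str] = []
    try:
        primary = parse_interface_cidr(w.primary_cidr)
    except ValueError as exc:
        return [f"{w.label}: primary CIDR: {exc}"]
    if primary.ip.is_link_local:
        errors.append(f"{w.label}: primary CIDR {w.primary_cidr} is link-local; "
                      "put link-local addresses in Link-Local Underlay CIDR instead")
    for cidr in w.secondary_cidrs:  # a /32 entry pins one specific secondary IP
        try:
            if parse_interface_cidr(cidr).ip.is_link_local:
                errors.append(f"{w.label}: secondary CIDR {cidr} is link-local")
        except ValueError as exc:
            errors.append(f"{w.label}: secondary CIDR: {exc}")

    gateway = ipaddress.ip_address(w.default_gateway_ip)
    if w.link_local_underlay_cidr:
        if not w.bgp:
            errors.append(f"{w.label}: Link-Local Underlay CIDR requires BGP to be On")
        underlay = parse_interface_cidr(w.link_local_underlay_cidr)
        if not underlay.ip.is_link_local:
            errors.append(f"{w.label}: Link-Local Underlay CIDR {w.link_local_underlay_cidr} "
                          "is not in 169.254.0.0/16")
        # With an underlay CIDR set, the Default Gateway IP (the peer IP) must share its subnet.
        if gateway not in underlay.network:
            errors.append(f"{w.label}: Default Gateway IP {gateway} is outside the "
                          f"Link-Local Underlay subnet {underlay.network}")
    elif gateway not in primary.network:
        errors.append(f"{w.label}: Default Gateway IP {gateway} is outside the "
                      f"WAN subnet {primary.network}")
    return errors


def validate_wan_interfaces(wans: List[WanInterface]) -> List[str]:
    errors: List[str] = []
    if len(wans) > MAX_WAN_INTERFACES:
        errors.append(f"{len(wans)} WAN interfaces exceeds the maximum of {MAX_WAN_INTERFACES}")
    for w in wans:
        errors.extend(validate_wan_interface(w))
    return errors


def controller_security_group_cidr(egress_public_ip: str) -> str:
    """Return the /32 the Controller security group must allow for the Management egress IP."""
    ip = ipaddress.ip_address(egress_public_ip)
    if any(ip in net for net in RFC1918):
        raise ValueError(f"{egress_public_ip} is RFC 1918 space, not a public egress IP")
    return f"{ip}/32"


if __name__ == "__main__":
    # Constructed sample: one plain WAN link and one GCP BGP-underlay link.
    wans = [
        WanInterface("wan0", "192.18.20.1/24", "192.18.20.254", ["192.18.21.5/32"]),
        WanInterface("wan1", "192.18.30.1/24", "169.254.100.1", bgp=True,
                     link_local_underlay_cidr="169.254.100.3/24"),
    ]
    print(validate_gateway_name("edge-transit-1") + validate_wan_interfaces(wans))  # []
    print(controller_security_group_cidr("203.0.113.10"))  # 203.0.113.10/32
```

Running the module as a script checks the constructed sample; each validator returns a list of human-readable errors, so an empty list means the values can be entered as-is. The RFC 1918 check deliberately does not use Python's is_private, which also flags documentation ranges such as 203.0.113.0/24.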

Step 3: Interface Mapping

Interface Mapping shows how the Edge Gateway’s logical interface names map to the Edge Gateway’s Linux interface names.

Use the interface mapping as a reference when performing any diagnostic or troubleshooting on the Aviatrix Platform. These interface names are used in the Aviatrix log files and error messages.

Field

Description

Interface

The Edge Gateway’s logical interface name.

Primary Gateway Ethernet Interface

The primary Edge Gateway’s Linux interface name.

Secondary Gateway Ethernet Interface

The secondary (HA) Edge Gateway’s Linux interface name.

The secondary gateway interface mappings are shown only when high availability is configured for the primary Edge Gateway.

Backup Peering

If the Edge Gateway is deployed in Active-Active high availability mode:

  1. In Backup Peering, select a WAN interface to use to establish the attachment peering between the primary and HA Edge Gateway.

  2. Select whether the attachment is over a Private Network or Public Network.

  3. Click Done to create the primary and HA gateways.

Step 4: Verify the Edge Gateway Creation

Gateway Configuration

Field

Description

Name

Name for the Edge Gateway.

The name must start with a letter and contain only letters, numbers, and dashes (no special characters or spaces) and it can be up to 50 characters long.

Platform

The platform account where you want to deploy the Edge Gateway.

You can create and edit platform accounts in CoPilot by going to Cloud Fabric > Hybrid Cloud > Platforms tab.

Site

Identifies the edge location.

You can select an existing name or enter a new name for the edge location.

High Availability

The high availability mode.

  • Off creates only the primary Edge Gateway with one active peering.

  • On (Active Active Mode) enables Edge Gateway connections with all active peerings to perform load sharing and forward network traffic.

Preemptive

Determines the network’s behavior when the primary gateway goes down.

Preemptive is applicable only when High Availability is set to On with Active Standby Mode. Preemptive is set on the primary gateway.

  • On enables the network to automatically switch back to the primary gateway when the primary gateway connection is back up.

  • Off enables the network to continue to use the standby gateway even after the primary gateway is back up, until you initiate a manual switchover.

Primary Device

The edge device where you want to deploy the primary Edge Gateway.

Secondary Device

The edge device where you want to deploy the secondary (HA) Edge Gateway.

The primary and secondary devices must have the same hardware configuration.

Gateway Resource Size

The gateway size.

  • Small - 2 vCPU - 4 GB

  • Medium - 4 vCPU - 8 GB

  • Large - 8 vCPU - 16 GB

  • X-Large - 16 vCPU - 32 GB

Interface Configuration

For IP settings, use the applicable format. For example, if the Edge Gateway’s WAN IP is 10.1.1.151, enter 10.1.1.151/24 to indicate the netmask.

WAN Interface

You can configure up to 4 WAN interfaces for the primary Edge Gateway.

Field

Description

Interface

This is set to the Edge Gateway’s logical interface.

Adding multiple WAN interfaces is applicable when the Edge Gateway is set up for BGP underlay to cloud service provider (CSP) or other Edge Transit Gateways.

A maximum of four WAN interfaces per Edge Gateway is supported.

Add an interface per CSP underlay (such as Direct Connect or Express Route).

When the Edge Gateway is not terminating a CSP underlay, use one interface per Edge Gateway to connect to the upstream router.

IP Assignment

The default is Static for static IP assignment.

DHCP for dynamic IP address assignment is not supported.

Interface Labels

Name to identify the WAN interface.

BGP

Enables BGP underlay connection to cloud service provider (CSP) or other Edge Transit Gateways on the WAN interface.

Set the BGP toggle On to set up a BGP connection to cloud routers such as VGW, VNG, and Google Cloud Router.

Edge Gateway WAN support for BGP underlay to CSP is supported for AWS, Azure, and GCP.

Interface Primary CIDR

The CIDR for the WAN interface.

DHCP for dynamic IP address assignment is not supported.

Interface CIDR must be in the format interface_ip/netmask (for example, 192.18.20.1/24).

Interface CIDR cannot be link-local CIDR.

If you need to create a BGP underlay connection to cloud service provider (CSP) with a link-local IP address, you must enter the link-local IP address in the Link-local Underlay CIDR setting of the WAN interface.

Interface Secondary CIDRs

The secondary CIDRs for the WAN interface.

Interface CIDR must be in the format interface_ip/netmask (for example, 192.18.20.1/24).

The secondary CIDRs are used for High Performance Encryption (HPE) attachment peering connections over a private network between the Edge Transit Gateway and another Edge Transit Gateway or Edge Spoke Gateway. The secondary IP addresses (based on the secondary CIDRs) are automatically assigned to create the peering connections. You can define a /32 CIDR to pin a specific secondary IP address.

Secondary CIDR cannot be link-local CIDR.

Default Gateway IP

The Default Gateway IP address for the WAN interface.

For CSP underlay, this is the remote side IP address of the BGP session on CSP VNG or VGW.

Public IP

The public IP for the WAN interface.

The public IP of the WAN interface is used for peering connections over the public network.

WAN BGP

Field

Description

Local ASN

The Local AS Number of the Edge Gateway.

Remote ASN

The AS Number of the CSP side peering connection such as private VIF on VGW (AWS) and VNG ASN (Azure).

Local LAN IP

The IP address of the Edge Gateway. This is the local point-to-point (PTP) peering IP for BGP.

Remote LAN IP

The point-to-point (PTP) peering IP address on the CSP VNG or VGW (GCP is not supported).

Password (optional)

The MD5 authentication key.

MGMT Interface

Field

Description

IP Assignment

The MGMT interface defaults to DHCP.

This setting cannot be changed.

The Edge Gateway will automatically NAT out of the physical MGMT interface of the edge node when using the Aviatrix Edge platform.

Private Network

Leave this setting Off.

The Edge Gateway on the edge hardware requires public Internet reachability to connect to the Aviatrix Controller and Aviatrix Edge infrastructure in the cloud.

Egress CIDR (Primary)

The Egress CIDR is the public IP address that the Management interface uses.

If the Edge Gateway Management interface uses its public IP to establish connectivity to the Aviatrix Controller, configure that public IP as the CIDR. The CIDR is then added to the Controller security group to allow incoming traffic from the Edge Gateway.

Egress CIDR (Secondary)

The Egress Public IP for the secondary Edge Gateway’s Management interface when High Availability is configured.

If a required field is missing, the interface tab is highlighted to indicate there is an error.

Interface Mapping

Interface Mapping shows how the Edge Gateway’s logical interface names map to the Gateway’s Linux interface names. These interface names are used in the Aviatrix log files and error messages. The mapping is provided for your reference when performing any diagnostic and troubleshooting on the Aviatrix Platform.

Field

Description

Interface

The Edge Gateway’s logical interface name.

Primary Gateway Ethernet Interface

The primary Edge Gateway’s Linux interface name.

Secondary Gateway Ethernet Interface

The secondary (HA) Edge Gateway’s Linux interface name.

The secondary gateway interface mappings are shown only when high availability is configured for the primary Edge Gateway.

Creating an Edge Transit Gateway to Transit Gateway Attachment

  • To create a High Performance Encryption (HPE) attachment, make sure the Transit Gateway in the cloud is created with HPE enabled.

  • If you want to use Jumbo Frames for the attachment, make sure to enable Jumbo Frames on the Edge Transit Gateway and the Transit Gateway in the cloud before you create the attachment.

To attach an Edge Transit Gateway to a Transit Gateway in the cloud:

  1. In Aviatrix CoPilot, go to Cloud Fabric > Hybrid Cloud > Edge Gateways > Transit Gateways tab.

  2. Locate the Edge Transit Gateway to which you want to attach the Transit Gateway, then click the Manage Gateway Attachments icon on the right side of the row.

  3. In Manage Gateway Attachments > Transit Gateway tab, click + Attachment and provide the following information.

    Field

    Description

    Transit Gateway

    From the dropdown menu, select the Transit Gateway you want to attach to the Edge Transit Gateway.

    Local Edge Gateway Interface

    From the dropdown menu, select the WAN interface of the local Edge Gateway.

    Attach Over

    From the dropdown menu, select whether the connection between the Edge Gateways is over a Private Network or the Public Network.

    Jumbo Frame

    If you want to use Jumbo Frames for the connection between the Edge Gateways, set Jumbo Frame toggle to On.

    Jumbo Frame option is applicable when the attachment is over a private network.

    High Performance Encryption

    If you want to enable High Performance Encryption (HPE) for the connection between the Edge Gateways, set High Performance Encryption toggle to On.

    Number of Tunnels

    From the dropdown menu, select the number of HPE tunnels to create.

    • Max Tunnels creates the maximum tunnels based on the gateway sizes and the number of interface IPs on the peering gateway.

      This option is available only for connection over a private network.

    • Custom allows you to specify the number of tunnels to create.

    Excluded Network CIDRs

    If you want to exclude CIDRs from the local Edge Gateway from being propagated to the remote Edge Gateway, set Excluded Network CIDRs toggle to On.

    In Excluded Network CIDRs field, enter the CIDRs to be excluded.

  4. To attach the Edge Transit Gateway to another Transit Gateway, click + Attachment again and provide the required information.

    You can attach an Edge Transit Gateway to multiple Transit Gateways. Each attachment can be configured with different parameters, such as connecting WAN interfaces, connection over private or public networks, and enabling high-performance encryption.

  5. Click Save.

Creating an Edge Transit Gateway to Edge Spoke Gateway Attachment

If you want to use Jumbo Frames for the attachment peering connection between the Edge Gateways, make sure to enable Jumbo Frames on the Edge Gateways before you create the attachment.

To attach an Edge Transit Gateway to an Edge Spoke Gateway:

  1. In Aviatrix CoPilot, go to Cloud Fabric > Hybrid Cloud > Edge Gateways > Transit Gateways tab.

  2. Locate the Edge Transit Gateway to which you want to attach the Edge Spoke Gateway, then click the Manage Gateway Attachments icon on the right side of the row.

  3. In Manage Gateway Attachments > Spoke Gateway tab, click + Attachment and provide the following information.

    Field

    Description

    Spoke Gateway

    From the dropdown menu, select the Edge Spoke Gateway you want to attach to the Edge Transit Gateway.

    Local Edge Gateway Interface

    From the dropdown menu, select the WAN interface of the local Edge Gateway.

    Remote Edge Gateway Interface

    From the dropdown menu, select the WAN interface of the remote Edge Gateway you want to attach.

    Attach Over

    From the dropdown menu, select whether the connection between the Edge Gateways is over a Private Network or the Public Network.

    • On the Aviatrix Edge Platform (AEP), Edge Transit Gateway to Edge Spoke Gateway peering for high performance encryption over private and public networks is supported.

    • On the Equinix and Megaport platforms, Edge Transit Gateway to Edge Spoke Gateway peering for high performance encryption is supported over private networks only.

    • Regular encryption is supported over both private and public networks for all environments.

    Jumbo Frame

    If you want to use Jumbo Frames for the connection between the Edge Gateways, set Jumbo Frame toggle to On.

    Jumbo Frame option is applicable when the attachment is over a private network.

    High Performance Encryption

    If you want to enable High Performance Encryption (HPE) for the connection between the Edge Gateways, set High Performance Encryption toggle to On.

    Number of Tunnels

    From the dropdown menu, select the number of HPE tunnels to create.

    • Max Tunnels creates the maximum tunnels based on the gateway sizes and the number of interface IPs on the peering gateway.

      This option is available only for connection over a private network.

    • Custom allows you to specify the number of tunnels to create.

  4. To attach the Edge Transit Gateway to another Edge Spoke Gateway, click + Attachment again and provide the required information.

    You can attach an Edge Transit Gateway to multiple Edge Spoke Gateways. Each attachment can be configured with different parameters, such as connecting WAN interfaces, connection over private or public networks, and enabling high-performance encryption.

  5. Click Save.
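The two attachment procedures above (Edge Transit Gateway to Transit Gateway, and Edge Transit Gateway to Edge Spoke Gateway) share a set of option constraints: Jumbo Frames only over a private network and only when enabled on both gateways beforehand, HPE to a cloud Transit Gateway only if that gateway was created with HPE, Max Tunnels only over a private network, and HPE to an Edge Spoke Gateway over the public network only on the Aviatrix Edge Platform. The following checker is an added example and not Aviatrix code; the Gateway and Attachment records, the platform labels and the sample gateways are constructed assumptions for this example.

```python
"""Consistency check for planned Edge Transit Gateway attachments (added example, not Aviatrix code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import List, Union

PRIVATE, PUBLIC = "private", "public"
MAX_TUNNELS = "max"  # the Max Tunnels option; an int stands for the Custom option
# Hypothetical platform labels; CLOUD marks a Transit Gateway in the cloud.
AEP, EQUINIX, MEGAPORT, CLOUD = "aep", "equinix", "megaport", "cloud"


@dataclass
class Gateway:
    name: str
    platform: str
    hpe_enabled: bool = False           # created with High Performance Encryption
    jumbo_frames_enabled: bool = False  # Jumbo Frames enabled on the gateway itself


@dataclass
class Attachment:
    local: Gateway   # the Edge Transit Gateway
    remote: Gateway  # a cloud Transit Gateway or an Edge Spoke Gateway
    attach_over: str
    jumbo_frame: bool = False
    high_performance_encryption: bool = False
    number_of_tunnels: Union[str, int] = MAX_TUNNELS
    excluded_network_cidrs: List[str] = field(default_factory=list)


def check_attachment(a: Attachment) -> List[str]:
    """Return the list of rule violations; an empty list means the attachment is consistent."""
    errors: List[str] = []
    if a.attach_over not in (PRIVATE, PUBLIC):
        return [f"Attach Over must be {PRIVATE!r} or {PUBLIC!r}"]

    # Jumbo Frames: private network only, and enabled on both gateways before attaching.
    if a.jumbo_frame:
        if a.attach_over != PRIVATE:
            errors.append("Jumbo Frame is applicable only when the attachment is over a private network")
        for g in (a.local, a.remote):
            if not g.jumbo_frames_enabled:
                errors.append(f"enable Jumbo Frames on {g.name} before creating the attachment")

    if a.high_performance_encryption:
        if a.remote.platform == CLOUD and not a.remote.hpe_enabled:
            errors.append(f"Transit Gateway {a.remote.name} must be created with HPE enabled")
        # Spoke attachments: HPE over the public network is supported on AEP only.
        if a.remote.platform != CLOUD and a.attach_over == PUBLIC and a.local.platform != AEP:
            errors.append(f"HPE to an Edge Spoke Gateway on {a.local.platform} is supported "
                          "over private networks only")
        if a.number_of_tunnels == MAX_TUNNELS and a.attach_over != PRIVATE:
            errors.append("Max Tunnels is available only over a private network; use Custom")
        if isinstance(a.number_of_tunnels, int) and a.number_of_tunnels < 1:
            errors.append("Custom tunnel count must be at least 1")

    for cidr in a.excluded_network_cidrs:
        try:
            ipaddress.ip_network(cidr)  # strict: host bits must be zero
        except ValueError:
            errors.append(f"Excluded Network CIDR {cidr!r} is not a valid network")
    return errors


if __name__ == "__main__":
    # Constructed sample: HPE plus Jumbo Frames to a cloud Transit Gateway over a private network.
    edge = Gateway("edge-transit-1", AEP, hpe_enabled=True, jumbo_frames_enabled=True)
    cloud_tgw = Gateway("cloud-transit-1", CLOUD, hpe_enabled=True, jumbo_frames_enabled=True)
    planned = Attachment(edge, cloud_tgw, PRIVATE, jumbo_frame=True,
                         high_performance_encryption=True,
                         excluded_network_cidrs=["192.18.50.0/24"])
    print(check_attachment(planned))  # []
```

The checker treats the platform of the local Edge Transit Gateway as the platform that decides the spoke-peering HPE rule, and it validates Excluded Network CIDRs strictly so that an entry with host bits set is caught before it is saved.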

Connecting the Edge Gateway to an External Device (BGP over LAN)

For LAN-side connectivity, you can connect the Edge Gateway to an external device, such as a LAN BGP router.

To connect the Edge Gateway to the LAN BGP router, follow these steps.

  1. In CoPilot, navigate to Networking > Connectivity > External Connections (S2C) tab.

  2. From + External Connection To dropdown menu, select External Device, then provide the following information.

    Field

    Description

    Name

    Name to identify the connection to the LAN router.

    Connect Local Gateway To

    Select the External Device radio button, then from the dropdown menu, select BGP over LAN.

    Local Gateway

    The Edge Gateway that you want to connect to the LAN router.

    Local ASN

    The Local AS number that the Edge Gateway will use to exchange routes with the LAN router.

    This is automatically populated if the Edge Gateway is assigned an ASN already.

    Remote ASN

    The BGP AS number that is configured on the LAN router.

  3. Click + Connection and provide the following information.

    Field

    Description

    Remote LAN IP

    The IP address for the LAN router.

    Local LAN IP

    The Edge Gateway’s WAN interface primary IP address.

  4. Click Save.