Aviatrix Secure Edge on Megaport Virtual Edge Deployment Workflow

Aviatrix Secure Edge on Megaport Virtual Edge is available as a Preview Feature in CoPilot version 4.11 with Controller version 7.1.3958.

This document provides instructions for deploying Aviatrix Secure Edge on the Megaport Platform.

For an overview of Aviatrix Secure Edge, see Overview of Aviatrix Secure Edge.

Aviatrix Secure Edge Hybrid Cloud Solution in Megaport Virtual Edge

The design below shows a high-level hybrid cloud solution with Aviatrix Platform leveraging Megaport fabric.

[Figure: Edge Megaport topology]

Prerequisites

Before you deploy an Aviatrix Edge Gateway on the Megaport Virtual Edge Platform:

  1. You must perform the prerequisite steps to set up a Megaport portal account and a network service provider platform account. For instructions on how to create these accounts, see Prerequisites for Aviatrix Secure Edge Deployment on Megaport Virtual Edge.

  2. You should be familiar with Aviatrix Edge Gateway interfaces and ports and protocols. See Edge Gateway WAN, LAN, VLAN, and Management Interface Support.

Aviatrix Secure Edge Deployment Workflow in Megaport

To deploy Aviatrix Secure Edge, first you need to procure and onboard your edge device on the platform of your choice (see Prerequisites for Aviatrix Secure Edge Deployment on Megaport Virtual Edge). Next, you deploy the Aviatrix Edge Gateway on the edge device and attach the Edge Gateway to the Aviatrix Transit Gateway for cloud connectivity. Then, configure the Edge Gateway for LAN-side connectivity.

This workflow provides the steps to create a primary and secondary (HA) Edge Gateway in Megaport Virtual Edge. It also provides the steps to attach the Edge Gateways to a Transit Gateway and connect the Edge Gateways to an external device, such as a LAN BGP router.

Creating the ZTP Cloud-Init for the Primary Edge Gateway

The Edge Gateway cloud-init ZTP file is used to provision the Aviatrix Edge Gateway virtual machine and create the Edge Gateway in Megaport Virtual Edge (MVE).

To create the Edge Gateway cloud-init ZTP file, follow these steps.

  1. In CoPilot, go to Cloud Fabric > Edge > Gateways tab.

  2. Click + Gateway, then provide the following information.

    Name: Name for the Edge Gateway.

    Platform: The platform account where you want to deploy the Edge Gateway. You can create and edit platform accounts in CoPilot by going to Cloud Fabric > Edge > Platforms tab (see Set Up the Network Service Provider Platform Account).

    Site: Select an existing name or enter a new name to identify the edge location. The site name cannot contain spaces.

    ZTP File Type: This is set to cloud-init.

    High Availability: Set to Off for the primary Edge Gateway. Deploying multiple Edge Gateways for the same site is supported, up to a maximum of 16 Edge Gateways.

  3. Configure the WAN, LAN, and Management interfaces.

Configuring the Edge Gateway Interfaces

By default, an Aviatrix Edge Gateway has three interfaces: one WAN interface on eth0, one LAN interface on eth1, and one Management interface on eth2.

In the Interface Configuration section, configure the WAN, LAN, and Management interfaces for the Edge Gateway.

Configuring the WAN Interface

You can configure multiple WAN interfaces on the Edge Gateway. Megaport MVE supports a maximum of 5 interfaces. The Aviatrix Edge Gateway requires at least 3 interfaces (WAN, LAN, and MGMT); the remaining two interfaces can be used as additional WAN interfaces.

  1. Click + WAN Interface, then provide the following information.

    Edge Gateway Interface: This is set to eth0. Adding multiple WAN interfaces applies when the Edge Gateway is used for BGP underlay to a CSP; add one interface per CSP underlay (such as Direct Connect or ExpressRoute). Aviatrix recommends a maximum of 4 WAN interfaces per Edge Gateway. When the Edge Gateway is not terminating CSP underlay, use one interface per Edge Gateway to connect to the upstream router. DHCP for dynamic IP address assignment is not supported.

    Interface Labels: Name to identify the WAN interface.

    BGP: Set to On to enable a BGP connection on the WAN interface. BGP underlay to a CSP over the WAN interface is supported for AWS and Azure.

    Interface CIDR: The CIDR for the WAN interface.

    Default Gateway IP: The Default Gateway IP address for the WAN interface. For CSP underlay, this is the remote-side IP address of the BGP session on the CSP VNG or VGW.

  2. If BGP is turned On, provide the following information:

    Local ASN: The ASN of the Edge Gateway.

    Remote ASN: The ASN of the CSP-side peering connection, such as the private VIF on the VGW (AWS) or the VNG ASN (Azure).

    Password (optional): The MD5 authentication key for the BGP session; the same key must be configured on the peer.

  3. To add another WAN interface, click + WAN again and provide the required information.

To change or update the Edge Gateway WAN connectivity to the Transit Gateway, first detach the Edge-to-Transit Gateway attachment, if one exists.

Configuring the LAN Interface

  1. Click + LAN Interface, then provide the following information.

    Edge Gateway Interface: This is set to eth1. DHCP for dynamic IP address assignment is not supported.

    Interface Labels: Name to identify the LAN interface.

    Interface CIDR: The CIDR for the LAN interface.

    Default Gateway IP: (Optional) The Default Gateway IP address for the LAN interface.

Configuring the Management Interface

  1. Click + MGMT interface. Leave the default settings.

    Leave the Private Network setting Off. In the Megaport Fabric, the MGMT interface of the Edge Gateway is assigned the public IP address allocated by Megaport.

  2. Click Save.

    If a required field is missing, the respective interface tab is highlighted to indicate there is an error.

    [Figure: Edge Gateway creation error message]
  3. To create the ZTP cloud-init image file, click Save and Download Configuration.

    CoPilot downloads the ZTP cloud-init file to your Downloads folder.

    The cloud-init image file expires after 24 hours. You cannot download it again; to recreate the file, repeat the steps above. You must launch an Edge MVE on the Megaport platform and deploy the Edge Gateway within those 24 hours. See Launching the Edge Gateway in Megaport Virtual Edge.

Creating the ZTP Cloud-Init for the Secondary Edge Gateway (Megaport)

  • Before you can create the secondary highly available (HA) Edge Gateway, the primary Edge Gateway must be deployed and its status must be Up.

  • When creating the HA Edge Gateway, the primary Edge Gateway cannot have BGP underlay or BGP over LAN external connections. This does not apply when multiple Edge Gateways are created in the same site without HA configuration.

  • Edge Gateway high availability on the Megaport Platform is supported on the latest Aviatrix Controller release version.

To create a highly available (HA) Edge Gateway, follow these steps.

  1. Go to Cloud Fabric > Edge > Gateways tab.

  2. In the table, locate the primary Edge Gateway for which you want to create the HA gateway and click its Edit icon.

  3. In the Edit Edge Gateway dialog box, from the High Availability dropdown menu, select Active-Active or Active-Standby mode.

  4. Configure the WAN, LAN, and Management interfaces of the secondary (HA) Edge Gateway.

Configuring the Edge Gateway Interfaces

In the Interface Configuration section, configure the WAN, LAN, and Management interfaces of the secondary (HA) Edge Gateway.

Configuring the WAN Interface

You can configure multiple WAN interfaces on the Edge Gateway. Megaport MVE supports a maximum of 5 interfaces. The Aviatrix Edge Gateway requires at least 3 interfaces (WAN, MGMT, and LAN); the remaining two interfaces can be used as additional WAN interfaces.

  1. Click + WAN Interface, then provide the following information.

    Edge Gateway Interface: This is set to eth0. Adding multiple WAN interfaces applies when the Edge Gateway is used for BGP underlay to a CSP; add one interface per CSP underlay (such as Direct Connect or ExpressRoute). When the Edge Gateway is not terminating CSP underlay, use one interface per Edge Gateway to connect to the upstream router. DHCP for dynamic IP address assignment is not supported.

    Interface Labels: A name to identify this WAN interface.

    BGP: To enable BGP on the Edge Gateway, set this switch to On. BGP underlay to a CSP over the WAN interface is supported for AWS and Azure.

    Interface CIDR: The CIDR for the WAN interface.

    Default Gateway IP: The Default Gateway IP address for this WAN interface. For CSP underlay, this is the remote-side IP address of the BGP session on the CSP VNG or VGW.

  2. If BGP is turned On, provide the following information:

    Local ASN: The ASN of the Edge Gateway.

    Remote ASN: The ASN of the CSP-side peering connection, such as the private VIF on the VGW (AWS) or the VNG ASN (Azure).

    Password (optional): The MD5 authentication key for the BGP session; the same key must be configured on the peer.

To change or update the Edge Gateway WAN connectivity to the Transit Gateway, first detach the Edge-to-Transit Gateway attachment, if one exists.

Configuring the LAN Interface

  1. Click LAN, then provide the following information.

    Edge Gateway Interface: This is set to eth1. DHCP for dynamic IP address assignment is not supported.

    Interface Labels: Enter a name to identify this LAN interface.

    Interface CIDR: The CIDR for the LAN interface.

    Default Gateway IP: (Optional) The Default Gateway IP address for this LAN interface.

Configuring the Management Interface

  1. Click + MGMT interface. Leave the default settings and click Save.

    Leave the Private Network setting Off. In the Megaport Fabric, the MGMT interface of the Edge Gateway is assigned the public IP address allocated by Megaport.

    [Figure: HA Edge Gateway MGMT interface]
  2. To create the ZTP cloud-init image file, click Save and Download Configuration.

    CoPilot downloads the ZTP cloud-init file to your Downloads folder.

    The cloud-init image file expires after 24 hours. You cannot download it again; to recreate the file, repeat the steps above. You must launch an Edge MVE on the Megaport platform and deploy the Edge Gateway within those 24 hours. See Launching the Edge Gateway in Megaport Virtual Edge.

Alternative HA Configuration

  1. You can also deploy additional Edge Gateways in the same site to act in Active-Active (A/A) mode. This is also called horizontal scaling mode.

  2. To deploy additional gateways, follow the same workflow as for the primary gateway, select the same site as the first gateway, and leave the HA option Off.

Launching the Edge Gateway in Megaport Virtual Edge

To launch the Aviatrix Edge Gateway in Megaport Virtual Edge (MVE), log in to your Megaport Portal, create the MVE and specify the cloud-init file for the Edge Gateway creation, then create a Megaport Internet connection for the Management interface so that the Edge Gateway can authenticate with the Aviatrix Controller. For instructions on how to create the MVE and the Megaport Internet connection, see Aviatrix with Megaport Virtual Edge in the Megaport documentation.

You need to create a Megaport Internet VXC and attach it to the eth2 interface of the Edge Gateway to allow the Edge Gateway to reach the Aviatrix Controller.

Once the Aviatrix Edge MVE is created and provisioned, you must configure the Edge Gateway Management Egress IP address to complete the Edge Gateway authentication with the Aviatrix Controller.

Configuring the Edge Gateway Management Egress IP Address

The Management Egress IP address of the Aviatrix Edge Gateway virtual device must be updated from Aviatrix CoPilot so that the Security Group of the Aviatrix Controller is updated to allow the correct Egress IP address.

  1. Locate the public IP assigned by Megaport after the Internet VXC is attached to the Aviatrix Edge Gateway eth2 interface.

    1. From the Megaport Portal, go to the Internet VXC attached to the Edge Gateway.

      [Figure: Edge virtual device IP in the Megaport Portal]

    2. Click VXC Details and note down the public IP address (IPv4).

      [Figure: VXC Details showing the public IPv4 address]
  2. In Aviatrix CoPilot, navigate to Cloud Fabric > Edge > Gateways tab.

  3. In the table, locate the Edge Gateway and click its Edit icon on the right.

  4. In the Edit Edge Gateway dialog box, scroll to Interface Configuration section, and click MGMT.

  5. Update the Egress CIDR with the Public IP of the Edge Gateway VM from the Megaport VXC Details. Use public IP/32 format, for example 162.43.142.19/32.

    [Figure: Edge Gateway MGMT Egress IP in CoPilot]
  6. Click Save.

Attaching the Edge Gateway to the Transit Gateway

Before you attach the Edge Gateway to the Transit Gateway, ensure the Local ASN is configured on both gateways.

You can attach an Edge Gateway to multiple Transit Gateways. For each attachment you can choose the preferred WAN interface, whether the connection runs over a private VXC or the public network, High Performance Encryption, and Jumbo Frame.

  • To create a High Performance Encryption mode attachment, make sure the Transit Gateway is created with High Performance Encryption enabled.

  • If you want Jumbo Frame enabled on the Edge Gateway, make sure to enable Jumbo Frame on the Edge Gateway before you attach it to the Transit Gateway.

In Aviatrix CoPilot:

  1. Go to Cloud Fabric > Edge > Gateways tab.

  2. Locate the Edge Gateway, click the three dot vertical menu on the right, and select Manage Transit Gateway Attachment.

    [Figure: Manage Transit Gateway Attachment menu]
  3. Click + Transit Gateway Attachment, then provide the following information.

    Transit Gateway: From the dropdown menu, select the Transit Gateway to attach to the Edge Gateway.

    Connecting Edge Interfaces: From the dropdown menu, select the WAN interface connection(s) to the Transit Gateway. Multiple WAN interfaces are supported.

  4. In the Advanced section, set the advanced gateway settings that apply.

    Attach over Private Network: If the Edge WAN connection to the Transit Gateway is over a private network, set this toggle to On. For a private VXC, this should be On. Leave it Off if the connection is over the public internet.

    Jumbo Frame: If you want to use Jumbo Frames for the Transit-to-Edge Gateway connection, set this toggle to On.

    High Performance Encryption: If you want to enable high-performance encryption for the Transit-to-Edge Gateway connection, set this toggle to On. In Number of Tunnels, enter the number of HPE tunnels to create.

    • For HPE over a private network, setting the number of tunnels to 0 creates the maximum number of tunnels for the peering gateway size.

    • For HPE over a public network, the supported number of tunnels is between 2 and 20.

  5. To attach the Edge Gateway to another Transit Gateway, click + Transit Gateway Attachment again and provide the required information.

  6. Click Save.
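As an added example (not Aviatrix or Megaport code), the following Python pre-flight check encodes the limits this workflow states for the interface plan (at most 5 MVE interfaces, 1 to 4 WAN interfaces, no DHCP, MGMT Private Network Off), the HA restriction on BGP underlay and BGP over LAN, the public /32 Egress CIDR, and the HPE tunnel counts, so a plan can be validated before generating the 24-hour ZTP file. The plan dictionary layout and the sample values are assumptions of this example; the egress IP reuses the page's own example value.

```python
import ipaddress
MVE_MAX_INTERFACES = 5   # Megaport MVE limit: WAN interfaces + LAN (eth1) + MGMT (eth2)
MAX_WAN_INTERFACES = 4   # Aviatrix recommendation per Edge Gateway

def check_egress_cidr(cidr):
    # Management Egress CIDR must be the Megaport-assigned public IP in /32 form
    try:
        net = ipaddress.IPv4Network(cidr, strict=False)
    except ValueError:
        return [f"egress CIDR {cidr!r} is not a valid IPv4 CIDR"]
    errors = []
    if net.prefixlen != 32:
        errors.append(f"egress CIDR {cidr} must be a /32")
    if not net.network_address.is_global:
        errors.append(f"egress CIDR {cidr} is not a public address")
    return errors

def check_plan(plan):
    # Return every violation of the limits stated in this workflow (empty list = OK)
    errors = []
    wan = plan["wan"]
    if not 1 <= len(wan) <= MAX_WAN_INTERFACES:
        errors.append(f"need 1..{MAX_WAN_INTERFACES} WAN interfaces, got {len(wan)}")
    if len(wan) + 2 > MVE_MAX_INTERFACES:
        errors.append(f"{len(wan) + 2} interfaces exceeds MVE limit of {MVE_MAX_INTERFACES}")
    for iface in wan + [plan["lan"]]:
        if iface.get("dhcp"):
            errors.append(f"{iface['name']}: DHCP is not supported, use a static CIDR")
        try:
            ipaddress.IPv4Interface(iface["cidr"])
        except ValueError:
            errors.append(f"{iface['name']}: invalid CIDR {iface['cidr']!r}")
    if plan["mgmt"].get("private_network"):
        errors.append("MGMT Private Network must stay Off on Megaport")
    if plan["ha"] != "off" and (any(i.get("bgp") for i in wan) or plan.get("bgp_over_lan")):
        errors.append("HA primary cannot have BGP underlay or BGP over LAN connections")
    # HPE tunnel count: 0 means maximum over a private VXC; public network needs 2..20
    if not plan["attach_private"] and not 2 <= plan["hpe_tunnels"] <= 20:
        errors.append("public HPE tunnel count must be 2..20")
    errors += check_egress_cidr(plan["mgmt"]["egress_cidr"])
    return errors

# Constructed sample plan (assumed layout); the egress IP reuses the page's example value
SAMPLE_PLAN = {
    "site": "dc-west-1", "ha": "off", "bgp_over_lan": True,
    "wan": [{"name": "eth0", "cidr": "10.20.0.2/30", "bgp": False}],
    "lan": {"name": "eth1", "cidr": "10.30.0.1/24"},
    "mgmt": {"private_network": False, "egress_cidr": "162.43.142.19/32"},
    "attach_private": True, "hpe_tunnels": 0,
}
```

Run check_plan on the plan you intend to enter in CoPilot; a non-empty result lists the settings that would be rejected or would break HA creation later.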

Connecting the Edge Gateway to an External Device (BGP over LAN)

To connect the Edge Gateway to the LAN router using BGP over LAN, follow these steps.

  1. Navigate to Networking > Connectivity > External Connections (S2C) tab.

  2. Click + External Connection, then provide the following information.

    Name: Name to identify the connection to the LAN router.

    Connect Local Gateway To: Select the External Device radio button, then from the dropdown menu, select BGP over LAN.

    Local Gateway: The Edge Gateway to connect to the LAN router.

    Local ASN: The local AS number the Edge Gateway uses to exchange routes with the LAN router. This is automatically populated if the Edge Gateway is already assigned an ASN.

    Remote ASN: The BGP AS number configured on the LAN router.

  3. Click + Connection and provide the following information.

    Remote LAN IP: The IP address of the LAN router.

    Local LAN IP: This is automatically populated with the Edge Gateway LAN interface IP address.

    [Figure: External connection settings]
  4. Click Save.