Static Policy-Based External Connection

Connect to a remote site that supports policy-based VPN with static configuration from any local gateway (Unmapped) or connect overlapping networks between the cloud and on-prem from any local gateway (Mapped).

To set up a static policy-based external connection:

  1. Go to Networking > Connectivity > External Connections (S2C) tab.

  2. Click + External Connection.

  3. Select or enter the following values:

A name for this connection.

Connect Public Cloud To

Select the External Device radio button. Click on the dropdown menu and select Static Policy-Based.

Local Gateway

The name of the local gateway. This is the gateway in the cloud that will connect to an on-prem gateway or device.

Local Subnet CIDR(s)

The subnet CIDR range(s) for the local gateway.

Remote Gateway Type

  • Generic - Use this option for most third-party routers and firewalls.

  • Aviatrix - When terminating on Aviatrix cloud gateways or for peering Controllers in different networks.

Any other remote gateway types listed here are only valid with Controller version 6.7 or lower. If you are using a higher Controller version, select only Generic or Aviatrix.

Remote Subnet CIDR(s)

The subnet CIDR range(s) for the remote gateway, or the on-prem gateway you are connecting to the cloud.

Advanced Settings

Authentication Method

You can authenticate the connection using PSK or certificate-based authentication.

  • Pre-Shared Key - If you select PSK-based authentication, you can provide the Pre-shared Key when prompted (this is optional). This key comes from your firewall UI.

  • Certificate-Based - If you select certificate-based authentication, in the Remote CA Certificate field, select the certificate you uploaded from your firewall.

Over Private Network

Select this option if your underlying infrastructure is a private network, such as AWS Direct Connect or Azure ExpressRoute. See the "How does it work" section for more details. When this option is selected, BGP and IPsec run over private IP addresses.

Select the option to connect to the remote site using the IKEv2 protocol. This is the recommended protocol.

If you configure IKEv1 in a connection that uses certificate-based authentication and is connecting to another Aviatrix device, you must add the intermediate CAs in addition to the root CA. When an intermediate CA is renewed and re-authentication is attempted, the connection will go down until you add the new certificate.

A Transit Gateway cannot have both an IKEv1 and an IKEv2 external connection.

If the Algorithms checkbox is unmarked, the default values will be used. If it is marked, you can set any of the fields defined below.

  • Phase 1 Authentication

  • Phase 1 DH Groups

  • Phase 1 Encryption

  • Phase 2 Authentication

  • Phase 2 DH Groups

  • Phase 2 Encryption

Single IP HA

Enable this setting to set up High Availability (HA) instances for each new connection that take over if the primary instance goes down. When active, each standby instance uses the same IP address toward the remote connection.

Click to add a remote gateway, that is, the on-prem gateway that connects to the cloud. Enter the following values:

  • Remote Gateway IP - Enter the IP address for the remote gateway.

  • Local Gateway Instance - Enter the IP address for the local gateway.

  • Local Tunnel IP

  • Remote Tunnel IP

  • Pre-Shared Key - Enter the pre-shared key for this connection.

  4. Click Save.

The new static policy-based external connection appears in the table.
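As an added example (not code from the Aviatrix product or its documentation), the following Python check encodes the constraints the steps above describe: local and remote CIDRs must be valid and non-overlapping (overlaps call for the Mapped variant), remote gateway types other than Generic and Aviatrix require Controller 6.7 or lower, a gateway cannot mix IKEv1 and IKEv2 connections, and certificate-based authentication needs the remote CA certificate. The `ExternalConnection` class, `validate_connection` function and the `existing_ike_versions`/`controller_version` inputs are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set


@dataclass
class ExternalConnection:
    """Hypothetical record of the values entered in the External Connection form."""
    name: str
    local_gateway: str
    local_cidrs: List[str]
    remote_cidrs: List[str]
    remote_gateway_type: str = "Generic"   # "Generic" or "Aviatrix"
    auth_method: str = "psk"               # "psk" or "certificate"
    ike_version: int = 2                   # IKEv2 is the recommended protocol
    pre_shared_key: str = ""               # optional; comes from the firewall UI
    remote_ca_certificate: str = ""        # required for certificate-based auth


def _version(v: str):
    # "6.7" -> (6, 7) so that versions compare numerically, not as strings
    return tuple(int(x) for x in v.split("."))


def validate_connection(conn: ExternalConnection, existing_ike_versions: Set[int],
                        controller_version: str) -> List[str]:
    """Return the problems found; an empty list means the form is consistent.
    existing_ike_versions: IKE versions already used by connections on conn.local_gateway."""
    problems = []
    try:
        local = [ipaddress.ip_network(c) for c in conn.local_cidrs]    # strict: host bits rejected
        remote = [ipaddress.ip_network(c) for c in conn.remote_cidrs]
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]
    # Overlapping cloud/on-prem ranges need the Mapped variant, not the plain (Unmapped) one.
    for l in local:
        for r in remote:
            if l.overlaps(r):
                problems.append(f"{l} overlaps {r}: use the Mapped connection type")
    # Only Generic and Aviatrix remain valid remote types above Controller 6.7.
    if conn.remote_gateway_type not in ("Generic", "Aviatrix") and _version(controller_version) > (6, 7):
        problems.append(f"remote gateway type {conn.remote_gateway_type!r} requires Controller 6.7 or lower")
    # A gateway cannot carry both IKEv1 and IKEv2 external connections.
    other = existing_ike_versions - {conn.ike_version}
    if other:
        problems.append(f"{conn.local_gateway} already has IKEv{min(other)} connections; cannot mix IKE versions")
    if conn.auth_method == "certificate":
        if not conn.remote_ca_certificate:
            problems.append("certificate-based auth needs the Remote CA Certificate uploaded from the firewall")
        if conn.ike_version == 1 and conn.remote_gateway_type == "Aviatrix":
            problems.append("IKEv1 + certificate to an Aviatrix device: add the intermediate CAs, not only the root CA")
    elif conn.auth_method != "psk":
        problems.append(f"unknown authentication method {conn.auth_method!r}")
    return problems
```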