Static Route-Based External Connection (Mapped)

Connect overlapping networks between the cloud and on-prem from a Spoke Gateway.

To set up a static route-based (Mapped) external connection:

  1. Go to Networking > Connectivity > External Connections (S2C) tab.

  2. Click + External Connection.

  3. Select or enter the following values:

Parameter

Description

Name

A name for this connection.

Connect Public Cloud to

Select the External Device radio button. Click on the dropdown menu and select Static Route-Based (Mapped).

To create a Custom Mapped connection, click on the Custom Mapped toggle switch to turn it On. See the Custom Mapped section below for instructions.

Local Gateway

The name of the local gateway. This is the gateway in the cloud that will connect to an on-prem gateway or device.

Real Local Subnet CIDR(s)

Specify a list of the source network CIDRs that will be encrypted. If left blank, the full CIDR is used. If you enter a value, make sure you include the VPC/VNet as well. These Local Subnets are advertised to the Remote Subnets that the connection can reach. Examples of real local subnets are 172.16.1.0/24, 172.16.2.0/24.

The Remote and Local Subnet fields can contain multiple values. If you enter multiple real subnets, you must configure an equal number of virtual subnets; one-to-one mapping is supported only if both sides are configured properly. If a Local Subnet lies outside the gateway VPC/VNet, you must open the gateway's inbound security groups to allow that Local Subnet's CIDR range.

Virtual Local Subnet CIDR(s)

Specify a list of virtual local network CIDRs that are mapped to the real local subnet (for example, for the real CIDRs listed above for the real local subnet, you can have these virtual local subnets: 192.168.7.0/24, 192.168.8.0/24).

Remote Gateway Type

  • Generic - Use this option for most third-party routers and firewalls.

  • Aviatrix - When terminating on Aviatrix cloud gateways or for peering Controllers in different networks.

Any other Remote Gateways listed here are only valid with Controller version 6.7 or lower. If using a higher Controller version, only select Generic or Aviatrix.

Real Remote Subnet CIDR(s)

Specify a list of the destination network CIDRs that will be encrypted (for example, 10.10.1.0/24, 10.10.2.0/24).

Virtual Remote Subnet CIDR(s)

Specify a list of virtual remote network CIDRs that are mapped to the real remote subnet (for example, for the real CIDRs listed above, you can have these virtual remote subnets: 192.168.1.0/24, 192.168.2.0/24).
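As an added illustration (not part of the Aviatrix documentation), the following Python applies the mapping rules above to the example CIDRs on this page: it checks that real and virtual subnet lists pair up one-to-one, flags Local Subnets that sit outside the gateway VPC/VNet and therefore need inbound security-group rules, and shows how a host address is rewritten between its real and virtual subnet. The gateway VPC CIDR 172.16.0.0/16 and the requirement that paired subnets share a prefix length are assumptions of this example.

```python
import ipaddress
from typing import List

Net = ipaddress.IPv4Network


def parse_cidrs(field: str) -> List[Net]:
    """Parse a comma-separated CIDR field exactly as it is typed into the UI."""
    return [ipaddress.ip_network(c.strip()) for c in field.split(",") if c.strip()]


def check_mapping(real: List[Net], virtual: List[Net]) -> List[str]:
    """Return the problems that would break a one-to-one real/virtual mapping."""
    errors = []
    if len(real) != len(virtual):
        errors.append(f"{len(real)} real subnet(s) but {len(virtual)} virtual subnet(s); counts must be equal")
    for r, v in zip(real, virtual):
        # Assumption beyond the page: a 1:1 host mapping needs equally sized subnets.
        if r.prefixlen != v.prefixlen:
            errors.append(f"{r} -> {v}: prefix lengths differ, hosts cannot map one-to-one")
    return errors


def sg_rules_needed(local_real: List[Net], gateway_vpc: Net) -> List[Net]:
    """Local subnets outside the gateway VPC/VNet need inbound security-group rules."""
    return [n for n in local_real if not n.subnet_of(gateway_vpc)]


def translate(addr: str, real: List[Net], virtual: List[Net]) -> str:
    """Map a host in a real subnet to the same host offset in its paired virtual subnet."""
    ip = ipaddress.ip_address(addr)
    for r, v in zip(real, virtual):
        if ip in r:
            offset = int(ip) - int(r.network_address)
            return str(ipaddress.ip_address(int(v.network_address) + offset))
    raise ValueError(f"{addr} is not inside any mapped real subnet")


def virtual_sides_overlap(virtual_local: List[Net], virtual_remote: List[Net]) -> bool:
    """Virtual ranges on the two sides must not collide, or the overlap just moves into the tunnel."""
    return any(a.overlaps(b) for a in virtual_local for b in virtual_remote)


# The CIDRs from the page's examples; the gateway VPC CIDR is a constructed assumption.
LOCAL_REAL = parse_cidrs("172.16.1.0/24, 172.16.2.0/24")
LOCAL_VIRTUAL = parse_cidrs("192.168.7.0/24, 192.168.8.0/24")
REMOTE_REAL = parse_cidrs("10.10.1.0/24, 10.10.2.0/24")
REMOTE_VIRTUAL = parse_cidrs("192.168.1.0/24, 192.168.2.0/24")
GATEWAY_VPC = ipaddress.ip_network("172.16.0.0/16")
```

With these values the on-prem side reaches cloud host 172.16.1.10 as 192.168.7.10, and cloud workloads see on-prem host 10.10.2.200 as 192.168.2.200.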

Custom Mapped Connection

Parameter

Description

Local Gateway

The name of the local gateway. This is the gateway in the cloud that will connect to an on-prem gateway or device.

Remote Gateway Type

  • Generic - Use this option for most third-party routers and firewalls.

  • Aviatrix - When terminating on Aviatrix cloud gateways or for peering Controllers in different networks.

Local Initiated Traffic

Real Source Subnet CIDR(s)

Specify a list of the source network CIDRs that will be encrypted. If left blank, the full CIDR is used. If you enter a value, make sure you include the VPC/VNet as well. These Local Subnets are advertised to the Remote Subnets that the connection can reach. Examples of real local subnets are 172.16.1.0/24, 172.16.2.0/24.

The Remote and Source Subnet fields can contain multiple values. If you enter multiple real subnets, you must configure an equal number of virtual subnets; one-to-one mapping is supported only if both sides are configured properly. If a Source Subnet lies outside the gateway VPC/VNet, you must open the gateway's inbound security groups to allow that Source Subnet's CIDR range.

Virtual Source Subnet CIDR(s)

Specify a list of virtual source network CIDRs that are mapped to the real source subnet (for example, for the real CIDRs listed above for the real source subnet, you can have these virtual source subnets: 192.168.7.0/24, 192.168.8.0/24).

Real Destination Subnet CIDR(s)

Specify a list of the destination network CIDRs that will be encrypted. If left blank, the full CIDR is used. If you enter a value, make sure you include the VPC/VNet as well. These Destination Subnets are advertised to the Remote Subnets that the connection can reach. Examples of real destination subnets are 172.16.1.0/24, 172.16.2.0/24.

The Source and Destination Subnet fields can contain multiple values. If you enter multiple real subnets, you must configure an equal number of virtual subnets; one-to-one mapping is supported only if both sides are configured properly. If a Destination Subnet lies outside the gateway VPC/VNet, you must open the gateway's inbound security groups to allow that Destination Subnet's CIDR range.

Remote Initiated Traffic

Real Source Subnet CIDR(s)

Specify a list of the source network CIDRs that will be encrypted. If left blank, the full CIDR is used. If you enter a value, make sure you include the VPC/VNet as well. These Local Subnets are advertised to the Remote Subnets that the connection can reach. Examples of real local subnets are 172.16.1.0/24, 172.16.2.0/24.

The Remote and Source Subnet fields can contain multiple values. If you enter multiple real subnets, you must configure an equal number of virtual subnets; one-to-one mapping is supported only if both sides are configured properly. If a Source Subnet lies outside the gateway VPC/VNet, you must open the gateway's inbound security groups to allow that Source Subnet's CIDR range.

Virtual Source Subnet CIDR(s)

Specify a list of virtual source network CIDRs that are mapped to the real source subnet (for example, for the real CIDRs listed above for the real source subnet, you can have these virtual source subnets: 192.168.7.0/24, 192.168.8.0/24).

Real Destination Subnet CIDR(s)

Specify a list of the destination network CIDRs that will be encrypted. If left blank, the full CIDR is used. If you enter a value, make sure you include the VPC/VNet as well. These Destination Subnets are advertised to the Remote Subnets that the connection can reach. Examples of real destination subnets are 172.16.1.0/24, 172.16.2.0/24.

The Source and Destination Subnet fields can contain multiple values. If you enter multiple real subnets, you must configure an equal number of virtual subnets; one-to-one mapping is supported only if both sides are configured properly. If a Destination Subnet lies outside the gateway VPC/VNet, you must open the gateway's inbound security groups to allow that Destination Subnet's CIDR range.

Advanced Settings

Parameter

Description

Authentication Method

You can authenticate the connection using a pre-shared key (PSK) or certificate-based authentication.

  • Pre-Shared Key: If you select PSK-based authentication, you can provide the Pre-shared Key when prompted (this is optional). This key comes from your firewall UI.

  • Certificate-Based: If you select certificate-based authentication, in the Remote CA Certificate field, select the certificate you uploaded from your firewall.

Over Private Network

Select this option if your underlying infrastructure is a private network, such as AWS Direct Connect or Azure ExpressRoute. See the "How does it work" section for more details. When this option is selected, BGP and IPsec run over private IP addresses.

IKEv2

Select this option to connect to the remote site using the IKEv2 protocol, which is the recommended protocol.

If you configure IKEv1 in a connection that uses certificate-based authentication and is connecting to another Aviatrix device, you must add the intermediate CAs in addition to the root CA. When an intermediate CA is renewed and re-authentication is attempted, the connection will go down until you add the new certificate.

A Transit Gateway cannot have both an IKEv1 and an IKEv2 external connection.

Algorithms

If the Algorithms checkbox is unmarked, the default values will be used. If it is marked, you can set any of the fields defined below.

  • Phase 1 Authentication

  • Phase 1 DH Groups

  • Phase 1 Encryption

  • Phase 2 Authentication

  • Phase 2 DH Groups

  • Phase 2 Encryption

Connection

Single IP HA

Enable this setting to create High Availability (HA) standby instances for each new connection; a standby comes up if the primary instance goes down. When active, each standby instance uses the same IP address for the remote connection.

Remote Gateway IP

Enter the IP address for the remote gateway.

  • Local Tunnel IP - Enter the IP address for the local tunnel.

  • Local Gateway Instance

  • Remote Tunnel IP - Enter the IP address for the remote tunnel.

  • Pre-Shared Key - Enter the pre-shared key for this connection.

  4. Click Save.

The new static route-based external connection appears in the table.