NetFlow Integration
Aviatrix gateways can forward NetFlow data to your designated NetFlow service point, including CoPilot.
NetFlow versions 5 and 9 are supported on gateways.
For basic information about NetFlow, see https://en.wikipedia.org/wiki/NetFlow.
Enable NetFlow on Aviatrix Gateways
To enable NetFlow on your Aviatrix gateways:
- From the CoPilot, go to Settings > Configuration > Logging Services.
- In the NetFlow Agent section, click Enable.
- Click Save.
To edit the NetFlow configuration:
- From the CoPilot, go to Settings > Configuration > Logging Services.
- In the NetFlow Agent section, click Edit Configuration.
- Input the IP address and the port number of the destination NetFlow service. If you want to analyze flow data by using the Aviatrix CoPilot FlowIQ feature, input the IP address of the main CoPilot server instance and port number 31283.
- Select the protocol (UDP or TCP) and version (5 or 9). For TLS encryption, select TCP and turn On the TLS toggle. See TLS Encryption for NetFlow for more information.
- Select the Sampling Rate, from 0.01% to 100%.
- From the Advanced Settings, select the gateways to exclude from NetFlow data export.
- Click Save.
- (Optional) To use the NetFlow L7 mode Preview feature, select L7 mode. See NetFlow L7 Mode.
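Once the gateways are pointed at a collector, the most useful check is collector-side: confirm that what arrives on the configured port is a well-formed NetFlow datagram of the version you selected. The following is an added example, not Aviatrix or CoPilot code; it parses the fixed NetFlow v5 wire format (24-byte header, 48-byte records) and rejects datagrams whose version or record count does not match. The sample datagram, addresses and counters are constructed for the example, and the assumption that the exporter populates the v5 sampling-interval header field is labelled in the code.

```python
from __future__ import annotations

import socket
import struct
from dataclasses import dataclass

# NetFlow v5 fixed wire format: 24-byte header followed by `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


@dataclass
class FlowRecord:
    src: str
    dst: str
    proto: int
    src_port: int
    dst_port: int
    packets: int
    octets: int
    tcp_flags: int


def parse_v5(datagram: bytes) -> tuple[dict, list[FlowRecord]]:
    """Parse one NetFlow v5 datagram; raise ValueError if it is malformed."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, uptime, secs, _nsecs, seq,
     _engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    expected_len = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected_len:
        raise ValueError(f"count={count} implies {expected_len} bytes, got {len(datagram)}")
    header = {
        "count": count,
        "sys_uptime_ms": uptime,
        "unix_secs": secs,
        "flow_sequence": seq,
        "engine_id": engine_id,
        # Upper 2 bits are the sampling mode, lower 14 bits the 1-in-N interval.
        # Assumption: the exporter fills this field in when sampling is enabled.
        "sampling_mode": sampling >> 14,
        "sampling_interval": sampling & 0x3FFF,
    }
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(
            src=socket.inet_ntoa(f[0]), dst=socket.inet_ntoa(f[1]),
            proto=f[13], src_port=f[9], dst_port=f[10],
            packets=f[5], octets=f[6], tcp_flags=f[12]))
    return header, records


def total_octets(header: dict, records: list[FlowRecord]) -> int:
    """Sum reported bytes, scaled up by the sampling interval if one is set."""
    scale = header["sampling_interval"] or 1
    return sum(r.octets for r in records) * scale


def build_sample_datagram() -> bytes:
    """Constructed v5 datagram with two flows (sampled 1-in-100) for offline testing."""
    hdr = V5_HEADER.pack(5, 2, 123456, 1700000000, 0, 42, 0, 1, 100)
    rec = lambda s, d, sp, dp, proto, pkts, octets, flags: V5_RECORD.pack(
        socket.inet_aton(s), socket.inet_aton(d), socket.inet_aton("0.0.0.0"),
        1, 2, pkts, octets, 1000, 2000, sp, dp, 0, flags, proto, 0, 0, 0, 24, 24, 0)
    return (hdr
            + rec("10.1.0.5", "203.0.113.10", 50514, 443, 6, 12, 9000, 0x1B)
            + rec("10.1.0.5", "198.51.100.20", 41000, 53, 17, 1, 78, 0))


def receive_one(port: int = 31283, timeout: float = 30.0) -> bytes:
    """Bind the collector port over UDP and return the first datagram received."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("0.0.0.0", port))
        data, _peer = sock.recvfrom(65535)
        return data


if __name__ == "__main__":
    # Parse the constructed datagram; swap in receive_one() to check a live exporter.
    header, flows = parse_v5(build_sample_datagram())
    print(header)
    for flow in flows:
        print(flow)
    print("estimated bytes:", total_octets(header, flows))
```

The length check matters in practice: a collector that trusts `count` without checking the datagram size will read past the buffer or silently drop records. To check a live gateway instead of the constructed sample, replace `build_sample_datagram()` with `receive_one()` on a host that the gateway is configured to export to; with TCP plus TLS selected, the datagrams arrive inside a TLS stream rather than as plain UDP, so this UDP receiver only applies to the UDP setting.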
NetFlow L7 Mode
NetFlow L7 Mode enables the NetFlow agent on spoke gateways to forward the L7 data contained in flows to your designated NetFlow service point. L7 Mode is a Preview feature.
When L7 mode is enabled, Internet traffic that traverses spoke gateways is analyzed for flows that generate L7 data. When these flows are detected, the L7 fields are forwarded to the designated NetFlow service point.
Enabling L7 mode may impact traffic throughput for the spoke gateways. After enabling L7 mode, monitor your gateway CPU and throughput telemetry statistics in CoPilot and scale your gateways up if needed.
If you use Aviatrix CoPilot as your NetFlow service point, go to the CoPilot > Monitor > FlowIQ page, click the Application view, and then open the Records page to see the L7 data.
Note that some flows do not generate L7 data.
TLS Encryption for NetFlow
NetFlow is encrypted with TLS using an Aviatrix-provided certificate when the NetFlow protocol is set to TCP. From CoPilot, go to Settings > Configuration > Logging Services, select TCP, and turn On the TLS toggle.
When TLS encryption is enabled, the Aviatrix gateways use TLS to encrypt NetFlow data before sending it to the designated NetFlow service point.
The TLS encryption:
- Secures sensitive operational data in transit.
- Aligns with compliance requirements for encrypted observability traffic.
- Reduces the risk of data exposure.
If TCP was enabled before upgrading to Controller version 8.2, enable TLS manually after the upgrade. If TCP and TLS were both enabled through the API before upgrading to Controller 8.2, TLS encryption remains enabled after the upgrade.