CloudN Deployment Checklist

When High Performance Encryption Mode is used to improve encryption performance between on-prem and cloud, you need to deploy the Aviatrix hardware appliance CloudN. Making this use case work requires edge router configuration. This document is the checklist to follow to deploy High Performance Encryption Mode for a hybrid connection successfully.

CloudN Insane Mode (High Performance Encryption Mode) can be applied to a hybrid connection over AWS Direct Connect or Azure ExpressRoute. CloudN can also be applied to a hybrid connection over the Internet.

One CloudN supports multiple Transit Gateway connections.

Managed CloudN is the supported deployment model where CloudN configuration and operations are managed by the Controller.

  1. Understand the deployment architecture, that is, how routing works in this use case.

  2. Connection over AWS Direct Connect or Azure ExpressRoute: if you use AWS Direct Connect or Azure ExpressRoute to connect to your data center, the deployment architecture is shown in the diagram below. The diagram uses AWS Direct Connect for illustration, but the architecture applies equally to Azure ExpressRoute.

[Figure: Insane Mode How-To DX]

The key ideas for this AWS scenario are:

  • The edge (WAN) router runs a BGP session to the VGW (AWS), in which the edge router advertises the CloudN WAN subnet and the VGW advertises the Transit VPC CIDR.

  • The CloudN LAN interface runs a BGP session to the edge router, in which the edge router advertises the on-prem network address range to the CloudN LAN interface.

  • The CloudN WAN interface runs a BGP session to the Aviatrix Transit Gateway in the Transit VPC, in which the Aviatrix Transit Gateway advertises all Spoke VPC CIDRs to CloudN and CloudN advertises the on-prem network to the Aviatrix Transit Gateway.

The following are a few common deployment architectures.

Single Aviatrix CloudN Appliance

[Figure: Deployment]

The sample configuration on an ISR is as follows.

[Figure: Sample Config]

Aviatrix CloudN Appliance with HA

[Figure: Deployment HA]

Redundant DX Deployment (Active/Standby)

In this deployment model, the Direct Connects and ExpressRoutes are used in Active/Standby mode. The preferred path is indicated in the diagram.

The firewalls on the left side of the diagram cannot handle asymmetric traffic, which may be the reason for running Direct Connect as Active/Standby.

[Figure: Deployment Dual DX]

Redundant DX Deployment (Active/Active)

In this deployment model, the Direct Connects/ExpressRoutes are Active/Active. One requirement is that the firewall can handle asymmetric routing.

[Figure: Deployment Dual DX AA]

Connection over Internet

If you use high-speed Internet to connect to a data center, the deployment architecture is as described below.

[Figure: Insane Mode How-To Internet]

Key ideas are listed below:

  • The CloudN LAN and WAN interfaces do not use public IP addresses. They rely on the edge router or firewall NAT function and Internet connectivity.

  • The CloudN LAN interface runs a BGP session to the edge router, in which the edge router advertises the on-prem network address range to the CloudN LAN interface.

  • The CloudN WAN interface runs a BGP session to the Aviatrix Transit Gateway in the Transit VPC/VNet, in which the Aviatrix Transit Gateway advertises all Spoke VPC/VNet CIDRs to CloudN and CloudN advertises the on-prem network to the Aviatrix Transit Gateway.

Example deployment diagram:

[Figure: Deployment Internet]

Pre-deployment Request Form

After you understand the deployment architecture and decide to move forward with this deployment, the next step is to fill out the CloudN Appliance Request Form.

The Aviatrix support team configures a CloudN appliance based on your input in the Request Form and then ships the appliance. The deployment topology for Aviatrix CloudN is as follows:

[Figure: Insane Beta]

The key information in the Request Form that you must fill in is explained below.

CloudN Interface | Private IP Address | Subnet Mask | Default Gateway | MTU Size     | Primary DNS Server | Secondary DNS Server | Note
1 - WAN          |                    |             |                 |              | Not Required       | Not Required         | WAN port that connects to the edge router
2 - LAN          |                    |             | Not Required    |              | Not Required       | Not Required         | LAN port that connects to the edge router
3 - MGMT         |                    |             |                 | Not Required |                    |                      | Management port for CloudN configuration and software upgrade
4 - HPE iLO      |                    |             |                 | Not Required | Not Required       | Not Required         | HP Integrated Lights-Out

Internet Access

A CloudN appliance does not require a public IP address, but the management port requires outbound Internet access for software upgrades. See Required Access for External Sites (you must be registered to access the Aviatrix Customer Support website; if you are not already registered, you can sign up at https://support.aviatrix.com).

BGP Requirement

BGP is required between the LAN port of the appliance and the on-prem router for route propagation.

Deployment Checklist

Before Powering Up CloudN

Before powering up CloudN, make sure:

  1. The CloudN WAN cable, LAN cable and Management cable are properly plugged into the ASR and switches.

  2. On the ASR interface facing the CloudN WAN interface, Proxy ARP is enabled (ip proxy-arp).

  3. The ASR DX (Direct Connect) or ExpressRoute interface advertises only the CloudN WAN interface subnet to the VGW.

  4. The ASR LAN (datacenter-facing) interface does not advertise the Transit VPC/VNet CIDR to the datacenter.

  5. The ASR interface to the CloudN LAN interface advertises the datacenter networks.

  6. The VGW is attached to the Transit VPC/VNet.

  7. AWS Transit VPC/VNet Route Propagation is enabled.

  8. If there is an edge firewall in front of the edge router, make sure the firewall allows UDP port 500 and UDP port 4500 for traffic from the CloudN WAN interface. CloudN builds an IPsec tunnel between the CloudN WAN interface and the Aviatrix Transit Gateway; the BGP session between the two interfaces runs inside that tunnel.
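As an added check for items 2 to 5 above (this is example code written for this checklist, not Aviatrix's or CloudN's own tooling), the Python script below parses a Cisco IOS-style edge router configuration and verifies that Proxy ARP is enabled on the interface facing the CloudN WAN subnet, that the Direct Connect / ExpressRoute BGP neighbor is sent only the CloudN WAN subnet, that the datacenter-facing neighbor is not sent the Transit VPC/VNet CIDR, and that the CloudN LAN neighbor is sent datacenter networks. The embedded configuration and all addresses, ASNs and neighbor IPs in it are constructed for the example and are assumptions; the IOS syntax it understands (ip proxy-arp, ip prefix-list, neighbor ... prefix-list ... out) is the common form, but an ASR that filters with route-maps instead is not handled by this parser.

```python
import re
from ipaddress import ip_network

# Constructed Cisco IOS-style edge router ("ASR") configuration used as sample input.
# Every address, ASN and interface name here is an assumption for this example, not a value from the page.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 description To CloudN WAN interface
 ip address 10.10.1.1 255.255.255.0
 ip proxy-arp
!
interface GigabitEthernet0/1
 description To CloudN LAN interface
 ip address 10.10.2.1 255.255.255.0
!
interface GigabitEthernet0/2.100
 description AWS Direct Connect private VIF to VGW
 ip address 169.254.100.2 255.255.255.252
!
ip prefix-list TO-VGW seq 10 permit 10.10.1.0/24
ip prefix-list TO-DC seq 10 permit 10.10.0.0/16
ip prefix-list TO-CLOUDN seq 10 permit 10.100.0.0/16
!
router bgp 65001
 neighbor 169.254.100.1 remote-as 64512
 neighbor 10.10.2.2 remote-as 65002
 neighbor 192.168.50.1 remote-as 65100
 address-family ipv4
  neighbor 169.254.100.1 prefix-list TO-VGW out
  neighbor 10.10.2.2 prefix-list TO-CLOUDN out
  neighbor 192.168.50.1 prefix-list TO-DC out
"""


def parse_config(text):
    """Extract interfaces, prefix-lists and outbound BGP neighbor filters from IOS-style text."""
    interfaces = {}    # name -> {"network": IPv4Network or None, "proxy_arp": bool}
    prefix_lists = {}  # name -> [(action, IPv4Network), ...] in sequence order
    out_filters = {}   # neighbor IP -> name of the prefix-list applied outbound
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        stripped = line.strip()
        if not line.startswith(" "):           # top-level statement starts a new block
            current = None
            if stripped.startswith("interface "):
                current = {"network": None, "proxy_arp": False}
                interfaces[stripped.split()[1]] = current
            elif stripped.startswith("ip prefix-list "):
                m = re.match(r"ip prefix-list (\S+) seq \d+ (permit|deny) (\S+)", stripped)
                if m:
                    prefix_lists.setdefault(m.group(1), []).append((m.group(2), ip_network(m.group(3))))
            elif stripped.startswith("router bgp "):
                current = "bgp"
            continue
        if isinstance(current, dict):          # inside an interface block
            m = re.match(r"ip address (\S+) (\S+)", stripped)
            if m:
                current["network"] = ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            elif stripped == "ip proxy-arp":
                current["proxy_arp"] = True
        elif current == "bgp":                 # inside router bgp (any address-family)
            m = re.match(r"neighbor (\S+) prefix-list (\S+) out", stripped)
            if m:
                out_filters[m.group(1)] = m.group(2)
    return interfaces, prefix_lists, out_filters


def permitted(prefix_lists, name):
    """Networks a prefix-list lets through (deny entries are dropped)."""
    return [net for action, net in prefix_lists.get(name, []) if action == "permit"]


def check_edge_router(text, cloudn_wan_subnet, transit_cidr, vgw_nbr, cloudn_lan_nbr, dc_nbr):
    """Return {check name: passed} for checklist items 2-5 against one router configuration."""
    wan, transit = ip_network(cloudn_wan_subnet), ip_network(transit_cidr)
    interfaces, plists, out_filters = parse_config(text)
    results = {}
    # Item 2: the router interface on the CloudN WAN subnet must have Proxy ARP enabled.
    wan_ifaces = [i for i in interfaces.values() if i["network"] == wan]
    results["proxy_arp_on_cloudn_wan_interface"] = bool(wan_ifaces) and all(i["proxy_arp"] for i in wan_ifaces)
    # Item 3: the DX/ExpressRoute neighbor (VGW) must be sent exactly the CloudN WAN subnet.
    # A neighbor with no outbound filter advertises everything, so it fails this check.
    results["vgw_receives_only_cloudn_wan_subnet"] = vgw_nbr in out_filters and permitted(plists, out_filters[vgw_nbr]) == [wan]
    # Item 4: nothing overlapping the Transit VPC/VNet CIDR may be advertised toward the datacenter.
    dc_out = permitted(plists, out_filters.get(dc_nbr, ""))
    results["dc_not_told_about_transit_cidr"] = dc_nbr in out_filters and not any(n.overlaps(transit) for n in dc_out)
    # Item 5: the CloudN LAN neighbor must be sent at least one datacenter network.
    results["cloudn_lan_receives_dc_networks"] = bool(permitted(plists, out_filters.get(cloudn_lan_nbr, "")))
    return results


if __name__ == "__main__":
    outcome = check_edge_router(SAMPLE_CONFIG, "10.10.1.0/24", "172.16.0.0/16",
                                "169.254.100.1", "10.10.2.2", "192.168.50.1")
    for name, passed in outcome.items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

Run it against the output of "show running-config" saved to a file (replace SAMPLE_CONFIG with the file contents) and pass your own CloudN WAN subnet, Transit VPC/VNet CIDR and the three neighbor addresses; every line should read PASS before you power up CloudN.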

Power up CloudN

After you power up CloudN, first verify that the CloudN interfaces are alive and properly connected by running the following tests.

  • From the ASR, ping the CloudN LAN interface, WAN interface and Mgmt interface.

  • From the CloudN CLI console, confirm that the CloudN mgmt interface can ping the Internet.

Upgrade CloudN to the Latest Software

  1. Log in to the CloudN console. Open a browser and go to https://CloudN_Mgmt_IP_Address.

  2. Log in with username "admin" and the password provided by your Aviatrix Support Representative. (You can change the password later.)

  3. Upgrade CloudN to the latest software version.

Configure NTP Sync and SMTP Services

  1. Add a firewall rule to allow the CloudN MGMT interface outbound UDP port 123 access to ntp.ubuntu.com or to a local NTP server.

  2. In the CloudN UI, go to Setting > Controller > System Time. Enter ntp.ubuntu.com or a local NTP server, then select the Sync option.

  3. Do a manual sync to the NTP server.

  4. In the CloudN UI, go to Setting > Controller > Email. Set up the SMTP settings to allow CloudN to send alert emails.

Configure High Performance Encryption Mode

From the Controller in AWS, configure Transit Setup Step 3 to CloudN and make sure to select all the correct options.

  1. CloudN IP Address is the CloudN WAN IP address.

  2. CloudN Neighbor IP Address is the IP address of the ASR interface to the CloudN LAN interface.

  3. After configuration, download the configuration file and import it to CloudN.

  4. If there is HA, also import it to the CloudN HA appliance.

Troubleshooting Tips

  1. Check on the CloudN Console: go to Site2Cloud and make sure the tunnel is up.

  2. Check on the CloudN Console: go to Troubleshoot > Diagnostics > BGP, make sure the tunnel is up, and check the BGP learned routes.

  3. Check on the Controller: go to Transit Network > Advanced Config > BGP and make sure BGP is learning routes. Also use Diagnostics to execute BGP commands.

  4. Check on the Controller: go to Controller > Site2Cloud and check the Site2Cloud and BGP status.