About Public Subnet Filtering Gateway Settings

This document describes the settings you can configure for an Aviatrix Public Subnet Filtering Gateway.

About Public Subnet Filtering Gateway Settings

This section describes the settings that you configure to create a Public Subnet Filtering Gateway.

You create a Public Subnet Filtering Gateway in CoPilot by going to CoPilot > Cloud Fabric > Gateways > Specialty Gateways tab or typing Specialty Gateways in the navigation search.

Account

Your cloud provider account. The Aviatrix Controller uses your cloud provider’s account credentials to launch Aviatrix gateways via API calls.

To learn more about access accounts, see Accounts and Users.

Instance Size

Instance Size is the gateway instance size.

When selecting the gateway instance size, use the following guidelines of IPsec performance based on IPERF tests conducted between two gateways of the same size:

AWS Performance Numbers

AWS Instance Size        | Expected Throughput
T2 series                | Not guaranteed; it can burst up to 130Mbps
c5.2xlarge, c5.4xlarge   | 2Gbps - 2.5Gbps
c5n.4xlarge              | 25Gbps (with High Performance Encryption (HPE) Mode)
c5n.9xlarge              | 70Gbps (with HPE Mode)
c5n.18xlarge             | 70Gbps (with HPE Mode)

Azure Performance Numbers (without High Performance Encryption Mode)

Azure Instance Size | Expected Throughput
B series            | Not guaranteed; it can burst up to 260Mbps
D/Ds series         | 480Mbps - 1.2Gbps
F series            | approximately 450Mbps - 1.2Gbps

GCP Performance Numbers (without High Performance Encryption Mode)

GCP Instance Size                             | Expected Throughput
n1-standard-1, n1-standard-2, n1-highcpu-2    | 1.0 - 1.2 Gbps
n1-standard-4, n1-highcpu-2                   | 2.3 - 2.5 Gbps

OCI Expected Throughput Numbers

OCI Instance Shape        | Throughput with Active Mesh | Throughput without Active Mesh
VM.Standard2.2 or larger  | 1.8 Gbps                    | 900 Mbps

With OCI you can choose a flexible shape to modify the Oracle CPU (OCPU) and memory configurations of your shape after it is deployed.

OCI Flex Shape | OCPU and RAM
FLEX4.16       | E3 4 OCPU 8G RAM
FLEX8.32       | E3 8 OCPU 32G RAM
FLEX16.32      | E3 16 OCPU 32G RAM

If you need IPsec performance beyond 2Gbps, refer to ActiveMesh HPE Performance Benchmark.

Gateway Resize

You can change gateway instance size, if needed, to change gateway throughput. The gateway instance will restart with a different instance size.

Attach to Unused Subnet

PSF gateways are launched in a public subnet in AWS. A public subnet in an AWS VPC is defined as a subnet whose associated route table has a default route entry that points to the Internet gateway.

If you do not have a VPC with a public subnet in AWS, you can use our Create a VPC tool to create a VPC with fully populated public subnets in each AZ.

Route Table

Select the route table whose associated public subnets are to be protected. A route table must be selected here for its subnets to be monitored and enforced by any Distributed Cloud Firewall rules the PSF gateway is part of.
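The two settings above depend on the AWS definition of a public subnet given earlier: a subnet is public when the route table it is associated with (explicitly, or the VPC main route table when there is no explicit association) carries a default route whose target is an Internet gateway. The following script, added here as an example and not part of Aviatrix's documentation or product code, applies that definition to route-table and subnet data shaped like the output of boto3's describe_route_tables() and describe_subnets() calls. The sample VPC, subnet and route-table identifiers are constructed for the example; it makes no AWS API calls, and it treats a default route via a NAT gateway or a blackholed route as not making a subnet public.

```python
# Added example (not Aviatrix code): decide which subnets in a VPC are public,
# and which route tables cover them, using the "default route to an Internet
# gateway" definition. Sample data is constructed to mirror boto3's
# describe_route_tables() / describe_subnets() response shapes.

from typing import Dict, List, Optional

# Constructed sample data: one VPC, four subnets, three route tables.
ROUTE_TABLES: List[dict] = [
    {   # Main route table: only the local route, so subnets falling back to it are private.
        "RouteTableId": "rtb-main0000",
        "VpcId": "vpc-example",
        "Associations": [{"Main": True, "RouteTableId": "rtb-main0000"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
    {   # Public route table: 0.0.0.0/0 points at an Internet gateway.
        "RouteTableId": "rtb-public01",
        "VpcId": "vpc-example",
        "Associations": [
            {"Main": False, "SubnetId": "subnet-public-a", "RouteTableId": "rtb-public01"},
            {"Main": False, "SubnetId": "subnet-public-b", "RouteTableId": "rtb-public01"},
        ],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789", "State": "active"},
        ],
    },
    {   # Default route via a NAT gateway: outbound-only, so still private.
        "RouteTableId": "rtb-private1",
        "VpcId": "vpc-example",
        "Associations": [
            {"Main": False, "SubnetId": "subnet-private-a", "RouteTableId": "rtb-private1"},
        ],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abcdef", "State": "active"},
        ],
    },
]

SUBNETS: List[dict] = [
    {"SubnetId": "subnet-public-a", "VpcId": "vpc-example", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-public-b", "VpcId": "vpc-example", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-private-a", "VpcId": "vpc-example", "AvailabilityZone": "us-east-1a"},
    # No explicit association: inherits the VPC main route table.
    {"SubnetId": "subnet-implicit", "VpcId": "vpc-example", "AvailabilityZone": "us-east-1c"},
]


def has_igw_default_route(route_table: dict) -> bool:
    """True when the table has an active IPv4 default route targeting an Internet gateway."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":  # blackholed routes give no reachability
            continue
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return True
    return False


def effective_route_table(subnet: dict, route_tables: List[dict]) -> Optional[dict]:
    """Resolve the route table a subnet actually uses: explicit association, else the VPC main table."""
    main_table = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                return table
            if assoc.get("Main") and table.get("VpcId") == subnet.get("VpcId"):
                main_table = table
    return main_table


def classify_subnets(route_tables: List[dict], subnets: List[dict]) -> Dict[str, str]:
    """Map each subnet id to 'public', 'private', or 'unknown' (no resolvable route table)."""
    result: Dict[str, str] = {}
    for subnet in subnets:
        table = effective_route_table(subnet, route_tables)
        if table is None:
            result[subnet["SubnetId"]] = "unknown"
        else:
            result[subnet["SubnetId"]] = "public" if has_igw_default_route(table) else "private"
    return result


def public_route_tables(route_tables: List[dict], subnets: List[dict]) -> Dict[str, List[str]]:
    """Map each route table that makes subnets public to the sorted list of those subnet ids.
    These are the route tables whose subnets need protecting, i.e. the candidates for the
    PSF gateway's Route Table setting."""
    coverage: Dict[str, List[str]] = {}
    for subnet in subnets:
        table = effective_route_table(subnet, route_tables)
        if table is not None and has_igw_default_route(table):
            coverage.setdefault(table["RouteTableId"], []).append(subnet["SubnetId"])
    return {rtb: sorted(ids) for rtb, ids in coverage.items()}


if __name__ == "__main__":
    for subnet_id, kind in classify_subnets(ROUTE_TABLES, SUBNETS).items():
        print(f"{subnet_id}: {kind}")
    print("route tables to protect:", public_route_tables(ROUTE_TABLES, SUBNETS))
```

Against live data, the same functions can be fed the `RouteTables` and `Subnets` lists returned by boto3 for a VPC; the main-table fallback matters because a subnet with no explicit association still becomes public the moment someone adds an Internet-gateway default route to the main table.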

About Public Subnet Filtering Gateway General Settings

This section describes the advanced settings that you can configure for a Public Subnet Filtering Gateway.

You access a Public Subnet Filtering Gateway's advanced settings in CoPilot by going to CoPilot > Cloud Fabric > Gateways > Specialty Gateways tab or typing Specialty Gateways in the navigation search, then going to the gateway's Settings tab.

Use VPC/VNet DNS Server

The Use VPC/VNet DNS Server feature enables you to set the default DNS server for the Aviatrix gateway.

When this feature is On, it removes the default DNS server for the Aviatrix Gateway and instructs the gateway to use the VPC or VNet DNS server configured in the VPC or VNet DHCP options.

When this feature is Off, the Aviatrix Gateway will revert to use its built-in (default) DNS server.

When enabling this feature, the Controller checks to make sure the gateway can indeed reach the VPC/VNet DNS server; if not, an error is returned.

For more information, see Using VPC/VNet DNS Server.

Jumbo Frame

Jumbo Frame improves Aviatrix Gateway throughput performance.

  • Jumbo Frame is enabled by default for AWS and OCI. It is not supported for Azure or GCP.

  • If the gateway is used in a Transit FireNet configuration, ensure that the associated firewall also has Jumbo Frame enabled.

GRO/GSO

The GRO/GSO feature enables you to configure the gateway interface and enable or disable Generic Receive Offload (GRO) and Generic Segmentation Offload (GSO).

GRO/GSO is On by default to improve performance. You can set this feature to Off to minimize out-of-order packets for sensitive applications (like FTP), but there will be a throughput penalty.

Gateway Single AZ HA

The Gateway Single AZ HA feature enables the Aviatrix Controller to monitor the health of the gateway instance and restart the gateway instance if it becomes unreachable. Gateway Single AZ HA is enabled by default.

Using Gateway Single AZ HA, you can select the gateway instance to restart.

When Gateway Single AZ HA status is On, the Aviatrix Controller attempts to restart the gateway instance. When status is Off, Controller does not attempt to restart the gateway instance.

If you’re using Terraform to create Aviatrix gateways, you must enable the single_az_ha flag in the aviatrix_gateway resource. See Aviatrix Provider.

Change Interface(s) RX Queue Size

Using the Change Interface(s) RX Queue Size, you can select a gateway and set the gateway’s interface(s) RX Queue Size.

  • A larger RX queue size introduces higher latency when forwarding packets.

  • A smaller RX queue size has lower latency but drops packets earlier under load when forwarding packets.