Instance Size
Instance Size is the gateway instance size.
When selecting the gateway instance size, use the following IPsec performance guidelines, which are based on iPerf tests conducted between two gateways of the same size.
For additional guidance on gateway sizing, refer to the Gateway Sizing Best Practices Guide.
If you need IPsec performance beyond 2Gbps, refer to ActiveMesh HPE Performance Benchmark.
AWS Performance Numbers
| AWS Instance Size | Expected Throughput |
|---|---|
| T2 series | Not guaranteed; it can burst up to 130Mbps |
| c5.2xlarge, c5.4xlarge | 2Gbps - 2.5Gbps |
| c5n.4xlarge | 25Gbps (with High Performance Encryption (HPE) Mode) |
| c5n.9xlarge | 70Gbps (with HPE Mode) |
| c5n.18xlarge | 70Gbps (with HPE Mode) |
AWS Storage
- Volume type: EBS gp3 or gp2
Aviatrix Gateways on AWS support EBS gp3 in addition to gp2 starting with the 7.1.3958 release. Changing the gateway instance size does not change the EBS volume type. You can change the EBS volume type by following the AWS documentation.
Azure Performance Numbers (without High Performance Encryption Mode)
| Azure Instance Size | Expected Throughput |
|---|---|
| B series | Not guaranteed; it can burst up to 260Mbps |
| D/Ds series | 480Mbps - 1.2Gbps |
| F Series | Approximately 450Mbps - 1.2Gbps |
GCP Performance Numbers (without High Performance Encryption Mode)
| GCP Instance Size | Expected Throughput |
|---|---|
| n1-standard-1, n1-standard-2, n1-highcpu-2 | 1.0 - 1.2 Gbps |
| n1-standard-4, n1-highcpu-2 | 2.3 - 2.5 Gbps |
OCI Expected Throughput Numbers
| OCI Instance Shape | Throughput with ActiveMesh | Throughput without ActiveMesh |
|---|---|---|
| VM.Standard2.2 or larger | 1.8G | 900 Mbps |
With OCI you can choose a flexible shape to modify the Oracle CPU (OCPU) and memory configurations of your shape after it is deployed.
| OCI Flex Shape | OCPU and RAM |
|---|---|
| FLEX4.16 | E4 4 OCPU 16G RAM |
| FLEX8.32 | E4 8 OCPU 32G RAM |
| FLEX16.32 | E4 16 OCPU 32G RAM |

| OCI Flex Shape | OCPU and RAM |
|---|---|
| FLEX4.16 | E5 4 OCPU 16G RAM |
| FLEX8.32 | E5 8 OCPU 32G RAM |
| FLEX16.32 | E5 16 OCPU 32G RAM |

| OCI Flex Shape | OCPU and RAM |
|---|---|
| FLEX4.16 | E6 4 OCPU 16G RAM |
| FLEX8.32 | E6 8 OCPU 32G RAM |
| FLEX16.32 | E6 16 OCPU 32G RAM |
Gateway Resize
You can change gateway instance size, if needed, to change gateway throughput. The gateway instance will restart with a different instance size.
IPsec Tunnel Configurations
Aviatrix IPsec tunnels comply with NIST standards and support AES-256-GCM and Perfect Forward Secrecy (PFS) using DH21. The supported configurations are as follows:
- Spoke–Transit
- Transit–Transit
- Transit FQDN gateway
- Transit Edge-as-Spoke
Both Greenfield (new deployments) and Brownfield (existing deployments) environments are supported.
Greenfield Deployments
Upgrade the Controller to version 8.2.0 or later. After the Controller upgrade, existing IPsec tunnels continue using their configured encryption settings by default.
To apply AES-256-GCM and PFS to new gateway deployments, follow these steps:
- Navigate to Cloud Fabric > Gateways > Settings > Advanced Security.
- Turn On Strong Cipher Support for Encryption.
- Turn On Perfect Forward Secrecy (PFS) for IPSec.
- Click Save.
New gateway installations and peerings will use the strong cipher automatically.
Brownfield Deployments
Upgrade the Controller to version 8.2.0 or later.
To apply AES-256-GCM and PFS to existing gateway deployments, follow these steps:
- Navigate to Cloud Fabric > Gateways > Settings > Advanced Security.
- Turn On Strong Cipher Support for Encryption.
- Turn On Perfect Forward Secrecy (PFS) for IPSec if required.
- Click Save.
- Navigate to Cloud Fabric > Gateways > Transit Gateways/Spoke Gateways.
- Click a gateway to apply AES-256-GCM and PFS.
- Under the gateway options, click Settings > General.
- Turn On Strong Cipher Support for Encryption.
- Turn On Perfect Forward Secrecy (PFS) for IPSec if required.
- Click Save.
AES-256-GCM and PFS are applied to the gateway.
Based on the Strong Cipher and PFS settings, the following IPsec tunnel configurations are supported:
| Configuration | Encryption Algorithm |
|---|---|
| Strong Cipher is enabled; PFS is enabled | AES-256-GCM with DH21 |
| Strong Cipher is enabled; PFS is disabled | AES-256-GCM without PFS |
| Strong Cipher is disabled; PFS is enabled | AES-128-GCM with DH21 |
| Strong Cipher is disabled; PFS is disabled | AES-128-GCM only |
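
One way to check that tunnels actually negotiate what the matrix above promises, which matters most in Brownfield environments where existing tunnels keep their old settings until each gateway is updated (added example, not Aviatrix code). It assumes you can export each tunnel's negotiated ESP proposal as a strongSwan-style string such as `aes256gcm16-ecp521`; the inventory tuple layout and function names are hypothetical, and DH21 is taken to be IKE group 21 (`ecp521`).

```python
import re

# IKE Diffie-Hellman group numbers for strongSwan-style keywords (IANA registry);
# group 21 is the 521-bit ECP group from RFC 5903.
DH_GROUPS = {"modp2048": 14, "modp3072": 15, "ecp256": 19, "ecp384": 20, "ecp521": 21}
AES_GCM = re.compile(r"^aes(128|192|256)gcm(?:8|12|16|64|96|128)$")


def expected(strong_cipher, pfs):
    """The page's matrix as (AES-GCM key bits, DH group or None)."""
    return (256 if strong_cipher else 128, 21 if pfs else None)


def parse_proposal(proposal):
    """Split e.g. 'aes256gcm16-ecp521' into (key_bits, dh_group or None)."""
    key_bits, dh_group = None, None
    for token in proposal.lower().split("-"):
        m = AES_GCM.match(token)
        if m:
            key_bits = int(m.group(1))
        elif token in DH_GROUPS:
            dh_group = DH_GROUPS[token]
    if key_bits is None:
        raise ValueError(f"no AES-GCM transform in {proposal!r}")
    return key_bits, dh_group


def audit(tunnels):
    """Return (tunnel, problem) pairs where the negotiated proposal drifts from the toggles."""
    findings = []
    for name, strong_cipher, pfs, proposal in tunnels:
        want_bits, want_dh = expected(strong_cipher, pfs)
        try:
            bits, dh = parse_proposal(proposal)
        except ValueError as exc:
            findings.append((name, str(exc)))
            continue
        if bits != want_bits:
            findings.append((name, f"AES-{bits}-GCM negotiated, AES-{want_bits}-GCM expected"))
        if dh != want_dh:
            findings.append((name, f"DH group {dh} negotiated, {want_dh} expected"))
    return findings


# Constructed sample inventory: (tunnel, Strong Cipher on?, PFS on?, negotiated ESP proposal)
SAMPLE = [
    ("spoke1-transit1", True, True, "aes256gcm16-ecp521"),
    ("spoke2-transit1", True, True, "aes128gcm16"),  # still on the old proposal
    ("transit1-transit2", True, False, "aes256gcm16"),
    ("edge1-transit1", False, True, "aes128gcm16-modp2048"),
]
```

Calling `audit(SAMPLE)` flags `spoke2-transit1` twice (wrong key size and no PFS group) and `edge1-transit1` once (DH group 14 instead of 21).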