Deploying a Spoke Gateway in a VPC/VNet for Secure Egress

Controller 8.0 and the enablement of the DCF feature is required to deploy a Spoke gateway from the Egress VPC/VNets tab.

A Spoke gateway must be deployed within a VPC or VNet before Local Egress can be applied.

To deploy a Spoke gateway within a VPC/VNet for Secure Egress:

  1. On the Security > Egress > Egress VPC/VNets tab, click Deploy Gateway next to a VPC/VNet that has a label of 'Unmanaged'.

  2. The Deploy Spoke Gateway on VPC/VNet dialog displays. The following fields are already populated and not editable:

    • Cloud

    • Account

    • Region

    • VPC/VNet

      Configure the following:

    Field Description

    Name

    Enter a name for the Spoke gateway.

    Instance Size

    The gateway instance size.

    When selecting the gateway size, note that the size you select affects your IPsec performance.

    High Performance Encryption

    To enable High Performance Encryption (HPE) for the Spoke Gateway, set this toggle to On. HPE enables 10Gbps and higher IPsec performance between two single Aviatrix Gateway instances or between a single Aviatrix Gateway instance and on-prem Aviatrix appliance.

    Instance sizes that support HPE are:

    • AWS: t3, t3a, c5n, c6in

    • Azure: Standard (except for B1ms, B2s, B4ms, B8ms, D1_v2, D2_v2, DS1_v2, DS2_v2, D2s_v3, D4s_v3, F2s_v2, F4s_v2)

    • GCP: n1-standard (except for standard-1 and standard-2), n1-highcpu (except for highcpu-2)

    You cannot turn High Performance Encryption On or Off after the Spoke Gateway is created.

    Attach to Transit Gateway (optional)

    Select a Transit gateway.

    BGP (optional)

    To enable the Spoke Gateway to run a BGP connection to external routers and dynamically exchange routes, set this toggle to On.

    Instance (Optional)

    Add a new gateway instance for High Availability.

    Attach to Subnet

    The subnet in which to create the Spoke gateway instance.

    Aviatrix recommends selecting a different subnet in a different availability zone from the other Spoke gateway instances.

    Public IP

    The public IP address of the gateway instance.

    (AWS only) To allocate a new EIP, leave Public IP as Allocate New Static Public IP.

    Resource Tags

    Add custom resource tags for the Spoke gateway.

To create a highly available (HA) gateway instance, click + Instance and designate the subnet and IP address of the gateway instance.

  • A Spoke Gateway can have up to 15 HA gateway instances.

  • All gateway instances are created in active-active mode.

  • A BGP-enabled Spoke Gateway can have only two HA gateway instances.

  1. In the Resource Tags section, you can add custom resource tags for the Transit Gateway.

    1. Click + Resource Tag.

    2. Enter a key to identify the resource and a value for the Key. The Key must be unique.

    3. Click the checkmark icon to add the key:value pair to the resource tags.

    4. Click Save.

  2. Click Save to deploy the Spoke gateway. After this is complete, you can apply local egress, monitor, and protect the VPC/VNet in which this Spoke gateway is deployed.

Related Topics