Creating a Geo VPN Gateway

If you have a global workforce that needs to access the cloud with the best user experience, build a cloud network with Geo VPN access capability.

The geolocation VPN feature combines the Aviatrix scale-out VPN solution with latency-based routing to dynamically route VPN users to the nearest VPN access gateway based on the latency between the user and the gateways.

Geo VPN service is currently only available for AWS cloud.

To create a Geo VPN Gateway instance in AWS:

  1. Go to Aviatrix CoPilot > Cloud Fabric > UserVPN > VPN Gateways tab.

  2. Click the Geo VPN toggle.

  3. Click +Geo VPN Gateway and configure the following:

    Setting Description


    Enter a name for the gateway.


    Geo VPN is only available in standard AWS cloud.


    Select the cloud account in which to launch the gateway. These accounts are onboarded through CoPilot > Cloud Resources > Cloud Accounts.


    Select the region in which to launch the gateway.


    Select the VPC or VNet in which to launch the gateway.

    Instance Size

    Select the size of the gateway instance.

    High Performance Encryption

    For more information, see the “About High Performance Encryption” document.


    To add a gateway stance, click + Instance.

    VPN Access Configuration

    The following fields are only available when you are adding the first Geo VPN gateway to an account.

    ELB (selected and disabled by default)

    Elastic Load Balancing is required for Geo VPN gateways.

    ELB Name

    Enter the name of the Elastic Load Balancer.

    VPN Protocol

    Select the ELB VPN protocol: TCP or UDP.

    For Geo VPN gateways, all primary and HA instances for a Geo VPN gateway need to have the same VPN protocol.

    Max Connections (Per Gateway Instance)

    Maximum number of active VPN users allowed to be connected to this gateway. The default is 100.

    When you change this address, make sure the number is smaller than the VPN CIDR block. The UserVPN VPN CIDR Block allocates 4 IP addresses for each connected VPN user; when the VPN CIDR Block is a /24 network, it supports about 60 users.


    Click on this dropdown menu and select an authentication option:

    • None (Certificate-Only)

    • Duo

    • LDAP

    • LDAP + Duo

    • Okta

    • SAML

    Split Tunnel

    Turn Split Tunnel on to ensure only the specified CIDR ranges go through the VPN tunnel. When you turn this setting on, new fields appear below.

    Policy-Based Routing

    Policy-Based Routing (PBR) enables you to route VPN traffic to a different subnet with its default gateway.

    By default, all VPN traffic is NATed and sent to VPN gateway’s eth0 interface. If you want to force the VPN traffic to go out on a different subnet other than VPN gateway eth0 subnet, you can specify a PBR Subnet in the VPC and the PBR Default gateway.

    Split Tunnel options

    Additional CIDR(s)

    (Optional) The VPC CIDR where the VPN gateway is deployed is the default CIDR that VPN gateway pushes to the VPN client. Leave it blank if you do not need it.

    When Split Tunnel Mode is enabled, the Additional CIDRs specifies a list of destination CIDR ranges that will also go through the VPN tunnel.

    This is a useful field when you have multiple VPC/VNets that the VPN user needs to access.


    (Optional) When Split Tunnel Mode is enabled, you can instruct the VPN gateway to push down a list of DNS servers to your desktop, so that a VPN user is connected, it will use these DNS servers to resolve domain names.

    Search Domain(s)

    (Optional) Split Tunnel Mode enables you to specify a list of search domains. The supplied domain name is appended to the search domain to create an FQDN (Fully Qualified Domain Name) that is queried to the Nameserver.

    Windows VPN clients support a maximum of 10 search-domain entries. The OpenVPN service supports only up to 10 on the Windows OS.

    Geo VPN Configuration options


    Select the cloud account where the DNS domain is hosted.

    Domain Name

    Enter the hosted domain name.

    This domain name must be hosted by AWS Route53 in the selected account.

    Service Name

    The hostname that users will connect to. A DNS record will be created for this name in the specified domain name.

    For more information on these gateway settings, see UserVPN Gateway Settings.

  1. Click Create.

Your gateway is created. To view the task’s progress, go to Monitoring > Notifications > select the Tasks tab.

If enabling GeoVPN fails, make sure the Domain Name you enter is a registered name under AWS Route 53 in a public hosted zone. In addition, this Domain name must be hosted in the account that you have access privilege. If the domain name is hosted by another account, you will not be able to add the DNS record.