Aviatrix Secure Edge on On-Premises Deployment Workflow
This document provides instructions for deploying an Aviatrix Edge Gateway on the Aviatrix Edge Platform.
The following deployment scenarios are supported:
-
Single Virtual LAN (VLAN) connected to the Edge Gateway via a single vNIC.
-
Multiple VLANs connected to the Edge Gateway via a single vNIC (Trunk Port) and sub-interfaces for each VLAN.
-
Virtual Router Redundancy Protocol (VRRP) on Edge Gateway.
-
LAN-side BGP.
-
Connectivity to single or multiple Transit Gateways from Edge Gateway.
For an overview of Aviatrix Secure Edge, see Overview of Aviatrix Secure Edge.
Prerequisites
Before you can deploy an Aviatrix Edge Gateway on the Aviatrix Edge Platform:
-
You must perform the prerequisite steps to procure and onboard your edge device. See Prerequisites for Aviatrix Secure Edge Deployment for On-Premises.
-
You should be familiar with Aviatrix Secure Edge Interfaces and Ports and Protocols. See Edge Gateway WAN, LAN, VLAN, and Management Interface Support.
Aviatrix Secure Edge Deployment Workflow
To deploy Aviatrix Secure Edge, first you need to procure and onboard your edge device on the platform of your choice (see Prerequisites for Aviatrix Secure Edge Deployment for On-Premises). Next, you deploy the Aviatrix Edge Gateway on the edge device and attach the Edge Gateway to the Aviatrix Transit Gateway for cloud connectivity. Then, configure the Edge Gateway for LAN-side connectivity.
The diagram below provides a high-level view of the process for deploying Aviatrix Secure Edge in Aviatrix CoPilot.
This workflow provides the steps to create a primary Edge Gateway in Aviatrix Edge Platform. It also provides the steps to attach the Edge Gateway to a Transit Gateway and connect the Edge Gateway to an external device, such as a LAN BGP router.
Creating the Edge Gateway (Aviatrix Edge Platform)
In Aviatrix CoPilot:
-
Go to Cloud Fabric > Edge > Gateways tab.
-
Click + Edge Gateway, then provide the following information.
Parameter
Description
Name
Name for the Edge Gateway.
Platform
The platform account where you want to deploy the Edge Gateway.
You can create and edit platform accounts in CoPilot by going to Cloud Fabric > Edge > Platforms tab (see Set Up the Aviatrix Edge Platform Account).
Site
Select an existing name or enter a new name to identify the edge location.
Site name cannot contain spaces.
High Availability
Select the high availability mode.
-
Off creates only the primary Edge Gateway with one active peering.
-
On (Active Standby Mode) enables Edge connection with one active peering and one standby peering. Only the active peering forwards network traffic. The network switches to the standby peering when the primary peering goes down.
-
On (Active Active Mode) enables all Edge connections with active peering to perform load sharing and forward network traffic.
Preemptive
Preemptive is turned On only when High Availability is turned On with Active Standby Mode. The Preemptive is set on the Primary gateway.
-
On enables the network to automatically switch back to the primary gateway when the primary gateway connection is back up.
-
Off enables the network to continue to use the standby gateway even after the primary gateway is back up, until you initiate a manual switchover.
Primary Device
Name of the edge device where you want to deploy the primary Edge Gateway.
Secondary Device
Name of the edge device where you want to deploy the secondary (HA) Edge Gateway.
The primary and secondary device must have the same hardware configuration. Gateway Resource Size
Select a size for this gateway.
-
Configuring the Edge Gateway Interfaces
By default, an Aviatrix Edge Gateway has three interfaces: one WAN interface on eth0, one LAN interface on eth1, and one Management interface on eth2. You will need these configuration information to configure the interfaces.
In the Interface Configuration section, configure the WAN, LAN, and Management interfaces for the Edge Gateway.
Configuring the WAN Interface
Click WAN, then provide the following information.
| For IP and DNS settings, enter using the applicable format. For example, if the Edge Gateway’s WAN IP is 10.1.1.151, enter 10.1.1.151/24 or what your netmask is. |
Parameter |
Description |
IP Assignment |
The default is Static for static IP assignment. DHCP for dynamic IP address assignment is not supported. |
Interface Labels |
Name to identify the WAN interface. |
Interface CIDR |
The CIDR for the WAN interface. |
Default Gateway IP |
The Default Gateway IP address for the WAN interface. |
Public IP |
(optional) The WAN interface’s egress Public IP address. |
Egress Management IP (Optional) |
The CIDR range for the egress for the MGMT interface. |
| To change or update the Edge Gateway WAN connectivity to Transit Gateway, you will need to first detach the Edge-to-Transit gateway attachment, if there is an attachment. |
Configuring the LAN Interface
Click LAN, then provide the following information.
| Parameter | Description |
|---|---|
IP Assignment |
The default is Static for static IP assignment. DHCP for dynamic IP address assignment is not supported. |
VRRP |
To enable Virtual Router Redundancy Protocol (VRRP) on the Edge Gateway, set this switch to On. |
VLAN Interface
If your LAN is segmented into virtual LANs (VLANs), click + VLAN Interface to add one or more VLAN sub-interfaces, then provide the following information for each VLAN sub-interface.
| You cannot edit the VLAN ID after the Edge Gateway is created. To edit the VLAN sub-interface attributes, it is highly recommended to delete and recreate the VLAN sub-interface configuration. |
Parameter |
Description |
Interface CIDR |
The native VLAN interface IP address. This interface is where untagged packets are sent. |
VRRP Gateway IP |
The Virtual IP for the VRRP Gateway, when VRRP is enabled. |
Default Gateway IP |
The Default Gateway IP address for the native VLAN interface. |
Interface Labels |
Name to identify the native VLAN interface. |
VLAN Sub-Interfaces |
|
VLAN ID |
The VLAN ID. VLAN ID must be a number between 2 and 4092. |
VLAN Interface CIDR |
The VLAN sub-interface IP address. |
VRRP Gateway IP |
The Virtual IP for the VRRP Gateway, when VRRP is enabled. |
Default Gateway IP |
The Default Gateway IP address for this VLAN sub-interface. |
Sub-Interface Tag |
Name to identify this VLAN sub-interface. |
VLAN configurations are added to the primary and secondary Edge Gateway. If the properties are shared, the fields are disabled on the secondary and non-editable, but the value appears as primary values are selected.
Configuring the MGMT Interface
Click MGMT, then provide the following information.
| Parameter | Description |
|---|---|
IP Assignment |
The MGMT interface defaults to DHCP. The Edge Gateway will automatically NAT out of the physical MGMT interface of the edge node when using the Aviatrix Edge Platform. This setting cannot be changed. |
Private Network |
Leave this setting to Off. The Edge Gateway on the edge hardware requires public Internet reachability to connect to the Aviatrix Controller and Aviatrix Secure Edge infrastructure in the cloud. |
Parameter |
Description |
Egress CIDR (Optional) |
The CIDR range for the egress for this Management interface. |
|
If a required field is missing, the interface tab is highlighted to indicate there is an error. 
|
Verifying Edge Gateway Creation
-
From the left sidebar, go to Monitor > Notifications > Tasks tab.
-
In the table, click on the gateway create task to see the progress.
Depending on the settings you configured, it lists the following stages of the gateway creation:
-
Creates the primary instance
-
Updates the primary instance’s interface configurations
-
Creates the HA instance.
-
Updates the HA instance’s interface configurations.
-
Attaching the Edge Gateway to the Transit Gateway
Prerequisites
Before you attach the Edge Gateway to the Transit Gateway, perform these prerequisite steps.
-
Ensure Local ASN Number is configured on Edge and Transit Gateway.
-
If the Edge to Transit Gateway attachment is over public network, you need to update the WAN Public IP on the Edge Gateway.
-
Go to Cloud Fabric > Edge > Gateways tab.
-
Locate the Edge Gateway, and click its Edit icon on the right.
-
In Edit Edge Gateway, scroll to the Interfaces section and click WAN.
-
In Public IP, click Discover.
-
Verify the WAN Public IP and click Save.
-
Attach Edge Gateway to Transit Gateway
You can attach an Edge Gateway to multiple Transit Gateways. Each attachment can be configured with different parameters, such as connecting interfaces, connection over private or public network, high-performance encryption, and Jumbo Frame.
|
In Aviatrix CoPilot:
-
Go to Cloud Fabric > Edge > Gateways tab.
-
Locate the Edge Gateway, click the three-dot vertical menu on the right, and select Manage Transit Gateway Attachment.
Click + Transit Gateway Attachment, then provide the following information.
Parameter Description Transit Gateway
From the dropdown menu, select the Transit Gateway to attach to the Edge Gateway.
Connecting Edge Interfaces
From the dropdown menu, select the WAN interface connection to the Transit Gateway.
In the Advanced section, set the advanced gateway settings that apply.
Parameter Description Attach over Private Network
If the Edge WAN connection to the Transit Gateway is over a private network, set this toggle to On.
Leave it Off if the connection is over the public internet.
Jumbo Frame
If you want to use Jumbo Frames for the Transit-to-Edge Gateway connection, set this toggle to On.
High Performance Encryption
If you want to enable high-performance encryption for the Transit-to-Edge Gateway connection, set this toggle to On.
In Number of Tunnels, enter the number of HPE tunnels to create.
-
For HPE over private network, setting the number of tunnels count to 0 creates maximum tunnels based on the peering gateway size.
-
For HPE over public network, the number of tunnels count supported range is between 2 and 20.
To attach the Edge Gateway to another Transit Gateway, click + Transit Gateway Attachment again and provide the required information.
-
-
Click Save.
Connecting the Edge Gateway to an External Device (BGP over LAN)
To connect the Edge Gateway to the LAN router using BGP over LAN, follow these steps.
-
Navigate to Networking > Connectivity > External Connections (S2C) tab.
-
Click + External Connection, then provide the following information.
Parameter Description Name
Name to identify the connection to the LAN router.
Connect Local Gateway To
Select External Device radio button, then from the dropdown menu, select BGP over LAN.
Local Gateway
The Edge Gateway to connect to the LAN router.
Local ASN
The Local AS number the Edge Gateway will use to exchange routes with the LAN router.
This is automatically populated if the Edge Gateway is assigned an ASN already. Remote ASN
The BGP AS number configured on the LAN router.
-
Click + Connection and provide the following information.
Parameter Description Remote LAN IP
The IP address for the LAN router.
Local LAN IP
This is automatically populated with the Edge Gateway LAN interface IP address.
-
Click Save.