About Aviatrix Gateway Settings

The following configuration settings applies to Aviatrix Spoke and Transit gateways.

Public Subnet

Aviatrix Gateways are launched in a public subnet in AWS, GCP, and OCI. A public subnet in AWS VPC is defined as a subnet whose associated route table has a default route entry that points to the Internet gateway (IGW). To learn more about VPC and subnets, refer to this link.

If you do not have a VPC/VCN with public subnet in AWS, GCP, or OCI, you can use our "Create a VPC" tool to create a VPC with fully populated public and private subnet in each AZ.

Gateway Size

When selecting the gateway size, use the following guidelines of IPsec performance based on IPERF tests conducted between two gateways of the same size:

AWS Performance Numbers:

AWS Instance Size Expected Throughput

T2 series

Not guaranteed; it can burst up to 130Mbps

c5.2xlarge, c5.4xlarge

2Gbps - 2.5Gbps

c5n.4xlarge

25Gbps (with High Performance Encryption Mode)

c5n.9xlarge

70Gbps (with High Performance Encryption Mode)

c5n.18xlarge

70Gbps (with High Performance Encryption Mode)

Azure Performance Numbers (without High Performance Encryption Mode):

Azure Instance Size Expected Throughput

B series

Not guaranteed; it can burst up to 260Mbps

D/Ds series

480Mbps - 1.2Gbps

F Series

approximately 450Mbps - 1.2Gbps

SSD-based Virtual Machines are recommended. The names of SSD-based VMs have an “s” before the version number: “Standard_D1s_v2,” “Standard_D2s_v3,” etc.

GCP Performance Numbers (without High Performance Encryption Mode):

GCP Instance Size Expected Throughput

n1-standard-1, n1-standard-2, n1-highcpu-2

1.0 - 1.2 Gbps

n1-standard-4, n1-highcpu-2

2.3 - 2.5 Gbps

OCI Expected Throughput Numbers:

OCI Instance Shape Throughput with Active Mesh Throughput without Active Mesh

VM.Standard2.2 or larger

1.8G

900 Mbps

With OCI you can choose a flexible shape to modify the Oracle CPU (OCPU) and memory configurations of your shape after it is deployed.

OCI Flex Shape OCPU and RAM

FLEX4.16

E3 4 OCPU 8G RAM

FLEX8.32

E3 8 OCPU 32G RAM

FLEX16.32

E3 16 OCPU 32G RAM

If you need IPsec performance beyond 2Gbps, refer to Aviatrix High Performance Encryption Mode.

Gateway Resize

You can change Gateway Size if needed to change gateway throughput. The gateway will restart with a different instance size.

If you use Availability Set when launching Azure gateways, different classes of VM sizes can be resized interchangeably.

Enable NAT

You can enable NAT function during or after a gateway is launched. NAT function enables instances on private subnets in AWS, Azure, GCP, or OCI to access the Internet. When NAT is enabled, all route tables for private subnets in the VPC/VNet are programmed with a route entry that points the gateway as the target for route entry 0.0.0.0/0.

For more information, see Enabling NAT Functions

Enabling BGP

For Aviatrix Spoke Gateways, BGP must be enabled at gateway creation.

When an Aviatrix gateway is launched with BGP enabled, the gateway runs a BGP session to an external router to dynamically exchange routes. It also establishes an IPSEC tunnel to the router for packet forwarding (BGP is run over IPsec only).

A Spoke gateway with BGP enabled has a few restrictions compared to a non-BGP Spoke.

For more information, see:

Allocate New EIP (AWS)

Select this option to have the Aviatrix Gateway allocate a new EIP for the gateway from AWS. When the Aviatrix Gateway is deleted, the Controller will release this EIP. If this option is unchecked, the gateway will be allocated an unassociated EIP from the AWS account from which the gateway is launched. When the Aviatrix Gateway is deleted, the Controller will return this EIP to your AWS account without releasing it.

High Performance Encryption

High Performance Encryption (HPE) is an Aviatrix technology that enables 10Gbps and higher IPsec performance between two single Aviatrix Gateway instances or between a single Aviatrix Gateway instance and on-prem Aviatrix appliance.

When a gateway is launched with HPE enabled, the Aviatrix Controller will look for a spare /26 subnet segment to create a new public subnet "-insane" and launch the gateway on this subnet. The instance sizes that support HPE are c5 series and m5 series.

For more information about Aviatrix HPE for high-performance Transit Network, see Overview of Aviatrix High-Performance Encryption.

Add/Edit Tags

The Aviatrix Gateway is launched with a default tag name avx-gateway@private-ip-address-of-the-gateway. This option allows you to add additional AWS/Azure tags at gateway launch time that you can use for automation scripts.

Use VPC/VNet DNS Server

When enabled, this feature removes the default DNS server for the Aviatrix Gateway and instructs the gateway to use the VPC/VNet DNS server configured in VPC/VNet DHCP option.

When disabled, the Aviatrix Gateway will revert to use its built-in (default) DNS server.

When enabling this feature, the Controller checks to make sure the gateway can indeed reach the VPC/VNet DNS server; if not, an error is returned.

For more information, see Using VPC/VNet DNS Server.

Jumbo Frame

Jumbo Frame improves Aviatrix Gateway throughput performance.

Jumbo Frame is enabled by default for AWS and OCI. It is not supported for Azure or GCP.

Encrypt EBS Volume (for AWS)

Encrypt EBS Volume feature applies only to Aviatrix gateway on AWS.

When Encrypt EBS Volume is enabled for a gateway, the gateway EBS volume is encrypted.

To configure, go to Gateway page, select the gateway, and click Edit. Scroll down to Encrypt Volume and click Encrypt.

The encrypting action takes up to 15 minutes.

For more information, see Encrypting EBS Volume.

Reachable DNS Server IP Address

Aviatrix gateways are launched with a default public DNS server IP address 8.8.8.8 to ensure the gateway has access to Cloud Service Provider public resources such as SQS for Controller and gateway communication.

If you want to change to a different DNS server, mark the Specify a Reachable DNS Server IP Address checkbox to enter an alternative DNS IP address.

Designated Gateway

If a gateway is launched with the Designated Gateway feature enabled, the Aviatrix Controller will insert an entry for each address space defined by RFC1918:

  • 10.0.0.0/8,

  • 192.168.0.0/16, and

  • 172.16.0.0/12

The target of each of these entries will point to the Aviatrix Gateway instance.

Once enabled, Transit VPC, Site2Cloud, and Encrypted Peering connections will no longer add additional route entries to the route table if the destination range is within one of these RFC1918 ranges. Instead, the Aviatrix Gateway will maintain the route table internally and will handle routing for these ranges.

The Designated Gateway feature is automatically enabled on Spoke Gateways created by the Transit Network workflow.