About Aviatrix Gateway Settings
The following configuration settings apply to Aviatrix Spoke and Transit gateways.
Public Subnet
Aviatrix Gateways are launched in a public subnet in AWS, GCP, and OCI. A public subnet in an AWS VPC is defined as a subnet whose associated route table has a default route entry (0.0.0.0/0) that points to the Internet gateway (IGW). To learn more about VPCs and subnets, refer to this link.
If you do not have a VPC/VCN with a public subnet in AWS, GCP, or OCI, you can use our "Create a VPC" tool to create a VPC with fully populated public and private subnets in each AZ.
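The public/private distinction above is decided entirely by route tables, and a subnet with no explicit route-table association silently inherits the VPC's main table. The following Python applies that rule to data shaped like the output of boto3's `ec2.describe_route_tables()`. It is an added example, not Aviatrix code, and the VPC, subnet and route-table IDs in it are constructed sample input.

```python
"""Classify VPC subnets as public or private from route-table data.

Added example (not Aviatrix's code). Input dicts are shaped like the
'RouteTables' list returned by boto3 ec2.describe_route_tables(); the
sample below is constructed, not captured from a real account.
"""
from typing import Dict, Iterable, List

# Constructed sample: one VPC with a main table (no IGW route), a public table
# with an active 0.0.0.0/0 -> igw-* route, and a table whose default route is
# in 'blackhole' state (the IGW was detached). subnet-c has no explicit
# association, so it falls back to the main table.
ROUTE_TABLES: List[Dict] = [
    {
        "RouteTableId": "rtb-main",
        "VpcId": "vpc-0123",
        "Associations": [{"Main": True, "RouteTableId": "rtb-main"}],
        "Routes": [
            {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-public",
        "VpcId": "vpc-0123",
        "Associations": [
            {"Main": False, "SubnetId": "subnet-a", "RouteTableId": "rtb-public"},
            {"Main": False, "SubnetId": "subnet-b", "RouteTableId": "rtb-public"},
        ],
        "Routes": [
            {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-private",
        "VpcId": "vpc-0123",
        "Associations": [
            {"Main": False, "SubnetId": "subnet-d", "RouteTableId": "rtb-private"},
        ],
        "Routes": [
            {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "blackhole"},
        ],
    },
]
SUBNETS = ["subnet-a", "subnet-b", "subnet-c", "subnet-d"]


def has_igw_default_route(table: Dict) -> bool:
    """True when the table has an *active* 0.0.0.0/0 route whose target is an IGW."""
    for route in table.get("Routes", []):
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and route.get("State") == "active"
                and str(route.get("GatewayId", "")).startswith("igw-")):
            return True
    return False


def route_table_for_subnet(subnet_id: str, tables: List[Dict]) -> Dict:
    """Explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for table in tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    if main is None:
        raise ValueError("no main route table in input")
    return main


def classify_subnets(subnet_ids: Iterable[str], tables: List[Dict]) -> Dict[str, str]:
    """Map each subnet ID to 'public' or 'private' by the IGW default-route rule."""
    return {
        sid: "public" if has_igw_default_route(route_table_for_subnet(sid, tables)) else "private"
        for sid in subnet_ids
    }


if __name__ == "__main__":
    for sid, kind in classify_subnets(SUBNETS, ROUTE_TABLES).items():
        print(f"{sid}: {kind}")
```

Two details matter when you run this against a real account: a `blackhole` default route does not make a subnet public (the gateway would launch without Internet reachability), and a subnet that you never associated with a table is still governed by whatever the main table says.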
Gateway Size
When selecting the gateway size, use the following IPsec throughput guidelines, which are based on iperf tests run between two gateways of the same size:
AWS Performance Numbers:
AWS Instance Size | Expected Throughput |
---|---|
T2 series | Not guaranteed; it can burst up to 130 Mbps |
c5.2xlarge, c5.4xlarge | 2 Gbps - 2.5 Gbps |
c5n.4xlarge | 25 Gbps (with High Performance Encryption Mode) |
c5n.9xlarge | 70 Gbps (with High Performance Encryption Mode) |
c5n.18xlarge | 70 Gbps (with High Performance Encryption Mode) |
Azure Performance Numbers (without High Performance Encryption Mode):
Azure Instance Size | Expected Throughput |
---|---|
B series | Not guaranteed; it can burst up to 260 Mbps |
D/Ds series | 480 Mbps - 1.2 Gbps |
F series | approximately 450 Mbps - 1.2 Gbps |
SSD-based Virtual Machines are recommended. The names of SSD-based VMs have an "s" before the version number: "Standard_D1s_v2", "Standard_D2s_v3", etc.
GCP Performance Numbers (without High Performance Encryption Mode):
GCP Instance Size | Expected Throughput |
---|---|
n1-standard-1, n1-standard-2, n1-highcpu-2 | 1.0 - 1.2 Gbps |
n1-standard-4, n1-highcpu-4 | 2.3 - 2.5 Gbps |
OCI Expected Throughput Numbers:
OCI Instance Shape | Throughput with Active Mesh | Throughput without Active Mesh |
---|---|---|
VM.Standard2.2 or larger | 1.8 Gbps | 900 Mbps |
With OCI you can choose a flexible shape, which lets you modify the Oracle CPU (OCPU) and memory configuration of the shape after it is deployed.
OCI Flex Shape | OCPU and RAM |
---|---|
FLEX4.16 | E3, 4 OCPU, 8 GB RAM |
FLEX8.32 | E3, 8 OCPU, 32 GB RAM |
FLEX16.32 | E3, 16 OCPU, 32 GB RAM |
If you need IPsec performance beyond 2 Gbps, refer to Aviatrix High Performance Encryption Mode.
Enable NAT
You can enable the NAT function during or after gateway launch. NAT enables instances in private subnets in AWS, Azure, GCP, or OCI to reach the Internet through the gateway. When NAT is enabled, every route table associated with a private subnet in the VPC/VNet is programmed with a 0.0.0.0/0 route entry whose target is the gateway, so all Internet-bound traffic from those subnets leaves through the gateway.
For more information, see Enabling NAT Functions.
Enabling BGP
For Aviatrix Spoke Gateways, BGP must be enabled at gateway creation; it cannot be turned on later.
When an Aviatrix gateway is launched with BGP enabled, the gateway runs a BGP session to an external router to exchange routes dynamically. It also establishes an IPsec tunnel to that router for packet forwarding; BGP runs over IPsec only, so the BGP session itself is carried inside the tunnel.
A Spoke gateway with BGP enabled has a few restrictions compared to a non-BGP Spoke.
For more information, see:
Allocate New EIP (AWS)
Select this option to have the Aviatrix Controller allocate a new EIP for the gateway from AWS. When the Aviatrix Gateway is deleted, the Controller releases this EIP. If this option is unchecked, the gateway is assigned an existing, unassociated EIP from the AWS account in which the gateway is launched. When the Aviatrix Gateway is deleted, the Controller returns this EIP to your AWS account without releasing it, so it remains allocated (and billed) in your account.
High Performance Encryption
High Performance Encryption (HPE) is an Aviatrix technology that enables 10 Gbps and higher IPsec throughput between two single Aviatrix Gateway instances, or between a single Aviatrix Gateway instance and an on-prem Aviatrix appliance.
When a gateway is launched with HPE enabled, the Aviatrix Controller looks for a spare /26 block in the VPC CIDR, creates a new public subnet with the suffix "-insane" from it, and launches the gateway in that subnet. The instance sizes that support HPE are the c5 series and the m5 series.
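The "spare /26" step above is the one that fails when a VPC's address space has been fully carved into subnets, so it is worth being able to predict it before launch. The function below is an added example, not Aviatrix's implementation: it walks the candidate /26 blocks of the VPC CIDR and returns the first one that overlaps no existing subnet. The VPC and subnet CIDRs in the usage section are constructed.

```python
"""Find a spare /26 inside a VPC CIDR that overlaps no existing subnet.

Added example, not Aviatrix code. It models the 'look for a spare /26'
step only; the real Controller may apply additional constraints.
"""
import ipaddress
from typing import Iterable, Optional


def find_spare_subnet(vpc_cidr: str, existing: Iterable[str], prefixlen: int = 26) -> Optional[str]:
    """Return the first /prefixlen block of vpc_cidr free of existing subnets, or None.

    Raises ValueError if an 'existing' subnet lies outside the VPC, which
    usually means the input came from the wrong VPC.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    used = [ipaddress.ip_network(c, strict=True) for c in existing]
    for net in used:
        if not net.subnet_of(vpc):
            raise ValueError(f"{net} is not inside {vpc}")
    # A block larger than the VPC itself can never fit.
    if prefixlen < vpc.prefixlen:
        return None
    # Candidates are enumerated in address order, so the lowest free block wins.
    for candidate in vpc.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(net) for net in used):
            return str(candidate)
    return None


if __name__ == "__main__":
    # Constructed sample: a /24 VPC with a /25 and a /26 already allocated.
    print(find_spare_subnet("10.1.0.0/24", ["10.1.0.0/25", "10.1.0.192/26"]))
    # Constructed sample: a /24 VPC with no room left.
    print(find_spare_subnet("10.1.0.0/24", ["10.1.0.0/26", "10.1.0.64/26", "10.1.0.128/25"]))
```

Because candidates are aligned /26 blocks, a gap of 64 free addresses that straddles a /26 boundary does not count; that matches how a cloud provider would refuse to create a mis-aligned subnet.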
For more information about Aviatrix HPE for high-performance Transit Network, see Overview of Aviatrix High-Performance Encryption.
Add/Edit Tags
The Aviatrix Gateway is launched with a default tag whose name is avx-gateway@<private IP address of the gateway>. This option lets you add further AWS/Azure tags at gateway launch time, for example for use by automation scripts.
Use VPC/VNet DNS Server
When enabled, this feature removes the default DNS server from the Aviatrix Gateway and instructs the gateway to use the VPC/VNet DNS server configured in the VPC/VNet DHCP options.
When disabled, the Aviatrix Gateway reverts to its built-in (default) DNS server.
When you enable this feature, the Controller checks that the gateway can actually reach the VPC/VNet DNS server; if it cannot, an error is returned and the setting is not applied.
For more information, see Using VPC/VNet DNS Server.
Jumbo Frame
Jumbo Frame improves Aviatrix Gateway throughput performance.
Jumbo Frame is enabled by default for AWS and OCI. It is not supported for Azure or GCP.
Encrypt EBS Volume (for AWS)
The Encrypt EBS Volume feature applies only to Aviatrix gateways on AWS.
When Encrypt EBS Volume is enabled for a gateway, the gateway's EBS volume is encrypted at rest.
To configure it, go to the Gateway page, select the gateway, and click Edit. Scroll down to Encrypt Volume and click Encrypt.
The encryption action takes up to 15 minutes.
For more information, see Encrypting EBS Volume.
Reachable DNS Server IP Address
Aviatrix gateways are launched with a default public DNS server IP address of 8.8.8.8 so that the gateway can resolve Cloud Service Provider public endpoints such as SQS, which is used for Controller-to-gateway communication.
If you want to use a different DNS server, mark the Specify a Reachable DNS Server IP Address checkbox and enter the alternative DNS server IP address. The gateway must be able to reach whichever resolver you choose, or Controller-to-gateway communication breaks.
Designated Gateway
If a gateway is launched with the Designated Gateway feature enabled, the Aviatrix Controller inserts a route entry for each address space defined by RFC 1918:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
The target of each of these entries is the Aviatrix Gateway instance.
Once enabled, Transit VPC, Site2Cloud, and Encrypted Peering connections no longer add route entries to the route table when the destination range falls within one of these RFC 1918 ranges. Instead, the Aviatrix Gateway maintains the routing for those ranges internally. Destinations outside RFC 1918 (for example, a remote site using 100.64.0.0/10 or public address space) still receive their own route entries.
The Designated Gateway feature is automatically enabled on Spoke Gateways created by the Transit Network workflow.
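Both Enable NAT and Designated Gateway work by adding entries that point at the gateway to the private-subnet route tables, and both rely on longest-prefix matching in the VPC router: the VPC's own /16 "local" route stays more specific than the inserted 10.0.0.0/8, so intra-VPC traffic is never pulled into the gateway. The following Python is an added example, not Aviatrix code; it builds a model of a private route table with those entries and resolves destinations the way the VPC router would. The VPC CIDR, gateway target name and destination addresses are constructed.

```python
"""Model a spoke VPC private route table after Enable NAT and Designated Gateway.

Added example, not Aviatrix's own code. 'eni-avx-gw' is a placeholder for
the gateway's network interface; the CIDRs are constructed sample values.
"""
import ipaddress
from typing import List, Optional, Tuple

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

RouteTable = List[Tuple[ipaddress.IPv4Network, str]]


def build_private_route_table(vpc_cidr: str, gateway_target: str,
                              nat: bool = True, designated: bool = True) -> RouteTable:
    """Return (prefix, target) pairs for one private-subnet route table.

    The 'local' route always exists; Designated Gateway adds the RFC 1918
    supernets pointing at the gateway; Enable NAT adds 0.0.0.0/0 to it.
    """
    table: RouteTable = [(ipaddress.ip_network(vpc_cidr), "local")]
    if designated:
        table += [(ipaddress.ip_network(c), gateway_target) for c in RFC1918]
    if nat:
        table.append((ipaddress.ip_network("0.0.0.0/0"), gateway_target))
    return table


def lookup(table: RouteTable, dst_ip: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match, as the VPC router does. Returns (prefix, target) or None."""
    ip = ipaddress.ip_address(dst_ip)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, target in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return (str(best[0]), best[1]) if best else None


def needs_explicit_route(dest_cidr: str, designated: bool = True) -> bool:
    """With Designated Gateway on, a connection only adds a route when the
    destination is not fully inside an RFC 1918 range."""
    dst = ipaddress.ip_network(dest_cidr)
    if not designated:
        return True
    return not any(dst.subnet_of(ipaddress.ip_network(r)) for r in RFC1918)


if __name__ == "__main__":
    table = build_private_route_table("10.1.0.0/16", "eni-avx-gw")
    for dst in ("10.1.4.7", "10.20.0.5", "203.0.113.9"):
        print(dst, "->", lookup(table, dst))
    for cidr in ("192.168.50.0/24", "172.32.0.0/16", "100.64.0.0/10"):
        print(cidr, "needs explicit route:", needs_explicit_route(cidr))
```

The two negative cases are the ones that bite in practice: 172.32.0.0/16 looks private but lies just outside 172.16.0.0/12, and 100.64.0.0/10 (shared address space) is not RFC 1918 at all, so both still need their own route entries even with Designated Gateway enabled.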