Azure Multicloud Transit BGP over LAN Workflow
Introduction
Transit BGP to LAN allows Aviatrix Transit Gateways to communicate with a pair of instances in different VNets in Azure without running any tunneling protocol such as IPsec or GRE. One use case is to interoperate with third-party virtual appliances such as SD-WAN cloud instances that do not have the capability to support BGP over any tunneling protocols.
For example, an integration with SD-WAN gateways can be deployed as shown below, where an Aviatrix Multicloud Transit Gateway connects to a third-party cloud instance in a different VNet in Azure.
This document describes step-by-step instructions on how to build an Aviatrix Transit Gateway to External Device connection using BGP over LAN in Azure:
- Workflow on Deploying Aviatrix Multicloud Transit Solution
- Workflow on Launching Third-Party Cloud Instances
- Workflow on Building BGP over LAN
For other BGP over LAN workflows, please see the below documents:
For more information about Multicloud Transit Network and External Device, please check out the below documents:
- ActiveMesh 2.0 is required. To migrate to ActiveMesh 2.0, see Migrating from Classic Aviatrix Encrypted Transit Network to Aviatrix ActiveMesh Transit Network.
- This solution is available in AWS and Azure. To configure this solution for AWS, see AWS Multicloud Transit BGP over LAN Workflow. Please adjust the topology depending on your requirements.
- The LAN interfaces of the Aviatrix Transit Primary and the third-party cloud instance must be in different VNets.
- One BGP over LAN connection per gateway is supported.
The key ideas for this solution are:
- A BGP session is established between the third-party cloud instance and the Aviatrix Transit Gateway via their LAN interfaces, which sit in different VNets.
- Data plane traffic also runs between the third-party cloud instance and the Aviatrix Transit Gateway via the same LAN interfaces, without a tunneling protocol such as IPsec or GRE.
Prerequisites
- This feature is available in 6.3 and later. Upgrade the Aviatrix Controller to at least version 6.3.
- In this example, we are going to deploy the below VNets in Azure:
  - Transit VNets (i.e. 10.1.0.0/16 and 10.2.0.0/16), created as VNets with the Aviatrix FireNet VNet option enabled.
  - Spoke VNets (i.e. 192.168.11.0/24 and 192.168.21.0/24), created as in the previous step or deployed manually in the cloud portal. You can also use your existing cloud network.
- The third-party cloud instance must support high throughput.
Deploying Aviatrix Multicloud Transit Solution
Refer to Global Transit Network Workflow Instructions for the below steps. Please adjust the topology depending on your requirements.
- Deploy the Aviatrix Multicloud Transit Gateway and HA with High Performance Encryption Mode enabled in the Transit VNet.
  Mark the BGP Over LAN checkbox to enable that function.
  See Performance Benchmarks for more information about gateway size and benchmark performance.
- Deploy Spoke Gateway and HA to launch the Aviatrix Spoke Gateway and enable HA with Insane Mode enabled in the Spoke VNet.
- (Optional) Attach the Azure ARM Spoke VNet via native peering if you prefer not to encrypt the traffic between the Transit VNet and the Spoke VNet. In this example, this approach is selected for benchmarking; see Performance Benchmarks.
Launch Third-Party Cloud Instances
Deploy third-party cloud instances in a separate Transit VNet.
- Create a third-party cloud instance and put its MGMT interface in the public gateway subnet.
- Create a new public WAN subnet and a dedicated routing table for the WAN interface, if needed.
- Create a new private LAN subnet and a dedicated routing table for the LAN interface.
- Make sure IP forwarding is enabled on the third-party cloud instance's interfaces.
An Aviatrix Transit Gateway and a third-party cloud instance CANNOT be deployed in the same Transit VNet.
Building BGP over LAN
Creating Azure VNet Peering Between Aviatrix Transit VNet and Third-Party Cloud Instance Transit VNet
- Log in to the Aviatrix Controller and navigate to Native Peering > Azure.
- Click + New Peering.
- Select the VNet where the Aviatrix Transit Gateway is located as Peer1.
- Select the VNet where the third-party cloud instance is located as Peer2.
- Click OK.
Configuring BGP over LAN on Aviatrix Transit Gateway
- Log in to the Aviatrix Controller.
- Go to Multi-Cloud Transit > Setup > External Connection.
- Select the option External Device > BGP > LAN.
- Enter the following information in the fields provided.

  Field | Description
  Transit VPC Name | Select the Transit VPC ID where the Transit GW was launched
  Connection Name | Provide a unique name to identify the connection to the external device
  Aviatrix Transit Gateway BGP ASN | Configure the BGP AS number that the Transit GW will use to exchange routes with the external device
  Primary Aviatrix Transit Gateway | Select the Transit GW
  Enable Remote Gateway HA | Check this option (as in this example) to connect two external devices
  Remote BGP AS Number | Configure the BGP AS number that the third-party cloud primary instance will use to exchange routes with the Aviatrix Transit Primary
  Remote VNet Name | Select the Transit VNet where the third-party cloud instance is located
  Remote LAN IP | Use the private IP of the LAN interface of the third-party cloud primary instance
  Local LAN IP | Aviatrix detects the Local LAN IP automatically
  Remote BGP AS Number (Backup) | Configure the BGP AS number that the third-party cloud HA instance will use to exchange routes with the Aviatrix Transit HA
  Remote LAN IP (Backup) | Use the private IP of the LAN interface of the third-party cloud HA instance
  Local LAN IP (Backup) | Aviatrix detects the Local LAN IP automatically

- To generate the BGP session over LAN, click Connect.
(Optional) Downloading the BGP over LAN Configuration Sample from Aviatrix Controller
- Navigate to Site2Cloud > Setup.
- Select the connection that you created with Connection Name in the previous step.
- Click Edit.
- Select Vendor type, Platform, and Software.
- Click Download Configuration.
Configuring BGP over LAN on Third-Party Cloud Instance
- Log in to the Azure portal.
- Create a user-defined routing table with a default route (0.0.0.0/0) whose next hop is the Aviatrix Primary Transit's LAN IP, and associate it with the subnet where the third-party cloud primary instance's LAN interface is located.
- For an HA deployment, create a user-defined routing table with a default route (0.0.0.0/0) whose next hop is the Aviatrix HA Transit's LAN IP, and associate it with the subnet where the third-party cloud HA instance's LAN interface is located.
- (Optional) Open the downloaded BGP over LAN configuration file.
- Log in to the third-party cloud instance.
- Program a route that sends traffic destined for the Aviatrix Transit's LAN IP through the third-party cloud instance's LAN interface.
- Configure the related BGP and LAN information on the third-party cloud instance.
- If the BGP session is not established, check whether eBGP multi-hop is enabled.
- Repeat these steps for the HA deployment.
The customer must create a default route 0.0.0.0/0 in the third-party cloud instance's LAN route table pointing to the Aviatrix Transit's LAN IP over VNet peering in Azure.
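The Azure-side steps above (the dedicated LAN route tables with their 0.0.0.0/0 default route towards the Aviatrix Transit primary and HA LAN IPs, plus IP forwarding on the instance interfaces from the instance-launch section) as an added Azure CLI script; this is example code, not Aviatrix's or Azure's own tooling. Every resource name and IP address in it is a constructed placeholder, and it assumes the current az CLI command syntax.

```shell
#!/usr/bin/env sh
# Added example, not Aviatrix or Azure tooling: prints (DRY_RUN=1, the default)
# or executes (DRY_RUN=0) the Azure CLI calls for the LAN side of the
# third-party instance's Transit VNet. Every name and IP below is a constructed
# placeholder; replace them with the values from your own deployment.
: "${DRY_RUN:=1}"

RG="rg-sdwan-transit"             # resource group of the third-party Transit VNet
VNET="vnet-sdwan-transit"         # Transit VNet holding the third-party instances
LOCATION="eastus"
AVX_PRIMARY_LAN_IP="10.1.4.10"    # Aviatrix Transit Primary LAN IP (peered VNet)
AVX_HA_LAN_IP="10.1.4.11"         # Aviatrix Transit HA LAN IP (peered VNet)

# Print the command in dry-run mode, otherwise run it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Dedicated route table for one LAN subnet: 0.0.0.0/0 -> Aviatrix Transit LAN IP.
# The next hop must be of type VirtualAppliance; Azure then forwards to that
# gateway NIC across the VNet peering even though it lives in another VNet.
#   $1 route table name, $2 LAN subnet name, $3 Aviatrix Transit LAN IP
create_lan_route_table() {
  run az network route-table create -g "$RG" -n "$1" -l "$LOCATION"
  run az network route-table route create -g "$RG" --route-table-name "$1" \
    -n default-to-aviatrix --address-prefix 0.0.0.0/0 \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$3"
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$2" \
    --route-table "$1"
}

# Azure drops packets whose destination is not one of the NIC's own addresses
# unless IP forwarding is enabled on the NIC, so enable it on every instance NIC.
#   $1 NIC name
enable_ip_forwarding() {
  run az network nic update -g "$RG" -n "$1" --ip-forwarding true
}

# Primary and HA instances each get their own LAN subnet and route table,
# pointing at the matching Aviatrix gateway (primary -> primary, HA -> HA).
configure_lan_side() {
  create_lan_route_table rt-sdwan-lan-primary snet-lan-primary "$AVX_PRIMARY_LAN_IP"
  create_lan_route_table rt-sdwan-lan-ha snet-lan-ha "$AVX_HA_LAN_IP"
  enable_ip_forwarding nic-sdwan-primary-lan
  enable_ip_forwarding nic-sdwan-ha-lan
}

configure_lan_side   # with DRY_RUN unset this only prints the plan
```

Review the printed plan first, then rerun with DRY_RUN=0 after logging in with az login.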
Verifying LAN Status on Aviatrix Controller
- Navigate back to the Aviatrix Controller.
- Go to Site2Cloud > Setup.
- Under Create a New Site2Cloud Connection, find the connection that you created with Connection Name in the previous step.
- Check the Tunnel Status.
Then:
- Go to Multi-Cloud Transit > List.
- Select the Transit Primary Gateway that was created in the previous step.
- Click Details/Diag.
- Scroll down to Connections > On-prem Connections.
- Under On-prem Connections, find the connection that you created with Connection Name in the previous step.
- Check the Tunnel Status in the Status column.
Ready to Go
At this point, run connectivity and performance tests to ensure everything is working correctly.
Performance Benchmarks
Additional Read
Additional reading can be found in this short blog, Need of conventional BGP support in the cloud.