Centralized FireNet (AWS only)
In AWS (not AWS TGW), you can deploy a Centralized FireNet architecture that consists of one Primary and up to ten Secondary Transit FireNet gateways. This allows you to scale beyond 125 HPE-enabled Spokes and reduce the overall number of firewall deployments.
The Primary FireNet in a Centralized FireNet architecture is the Aviatrix Transit Gateway to which the firewalls are attached. The Primary FireNet can also have its own Spoke gateways and Site2Cloud or external connections. If desired, you can use an AWS GWLB as the Primary FireNet.
When a regular Transit FireNet gateway is attached to a Primary FireNet, it is automatically converted to a Secondary. Both Primary and Secondary FireNets are capable of cross-region peering.
If you currently have Transit FireNets directly attached to Spoke gateways and you intend to convert one of these Transit FireNets to a Primary without removing its Spokes, Aviatrix recommends connecting new Spokes to your Secondary FireNets for a cleaner architecture.
Secondary FireNet gateways send traffic to the Primary FireNet to be inspected by the firewall. A Secondary FireNet can attach to only one Primary FireNet. Secondary FireNets can bypass the Primary when traffic does not require inspection; such traffic is routed to the closest next hop.
Prerequisites for Centralized FireNet Architecture
- You must launch a Transit gateway as per the current process and enable Transit FireNet.
- Multi-tier Transit must be enabled on the Primary FireNet before attaching any Secondary FireNets.
- Segmentation must be enabled on the gateways that will function as the Primary and Secondary FireNets before attachment occurs. You cannot enable segmentation after attachment.
- Make sure SNAT/DNAT is not configured.
Note: If AS-path Prepend is configured on the Primary FireNet, and Egress Through Firewall is also enabled, the AS path is not added to the default route advertised to any Secondary FireNets.
Prerequisites for Secondary FireNets
Any FireNets that will function as a Secondary FireNet must meet the following criteria:
- GWLB cannot be enabled
- No firewalls attached
- No egress static CIDR configured
- No exclude CIDR configured
- Egress through Firewall disabled (on the Firewall Network > List > Firenet page, select a Transit FireNet and click Details)
- Traffic inspection disabled (on the Firewall Network > List > Firenet page, select a Transit FireNet and click Details)
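The two prerequisite checklists above (for the Primary and for each Secondary) can be turned into a pre-attachment gate that fails closed, since segmentation cannot be enabled after attachment. The following is an added example, not Aviatrix code or API; it assumes a constructed `Gateway` record that you populate from your own inventory, and it also enforces the one-Primary-per-Secondary rule and the ten-Secondary limit stated earlier on this page.

```python
from dataclasses import dataclass, field
@dataclass
class Gateway:  # constructed model of the gateway settings the checklists above name
    name: str
    transit_firenet: bool = False
    multi_tier_transit: bool = False
    segmentation: bool = False
    snat_or_dnat: bool = False
    gwlb: bool = False
    firewalls: int = 0
    egress_static_cidrs: list = field(default_factory=list)
    exclude_cidrs: list = field(default_factory=list)
    egress_through_firewall: bool = False
    traffic_inspection: bool = False
    attached_primary: str = ""  # Primary this gateway is already attached to, if any

def primary_violations(gw: Gateway) -> list:
    """Reasons why gw cannot act as the Primary FireNet (empty list means ready)."""
    checks = [
        (gw.transit_firenet, "Transit FireNet must be enabled"),
        (gw.multi_tier_transit, "Multi-tier Transit must be enabled before attachment"),
        (gw.segmentation, "Segmentation must be enabled before attachment"),
        (not gw.snat_or_dnat, "SNAT/DNAT must not be configured"),
    ]
    return [msg for ok, msg in checks if not ok]

def secondary_violations(gw: Gateway, primary: Gateway) -> list:
    """Reasons why gw cannot be attached to primary as a Secondary FireNet."""
    checks = [
        (gw.segmentation, "Segmentation must be enabled before attachment"),
        (not gw.snat_or_dnat, "SNAT/DNAT must not be configured"),
        (not gw.gwlb, "GWLB cannot be enabled"),
        (gw.firewalls == 0, "No firewalls may be attached"),
        (not gw.egress_static_cidrs, "No egress static CIDR may be configured"),
        (not gw.exclude_cidrs, "No exclude CIDR may be configured"),
        (not gw.egress_through_firewall, "Egress through Firewall must be disabled"),
        (not gw.traffic_inspection, "Traffic inspection must be disabled"),
        (gw.attached_primary in ("", primary.name),  # only one Primary per Secondary
         f"already attached to Primary {gw.attached_primary}"),
    ]
    return [msg for ok, msg in checks if not ok]

def plan_violations(primary: Gateway, candidates: list, max_secondaries: int = 10) -> list:
    """Problems for the whole plan: the Primary, each Secondary, and the Secondary limit."""
    problems = [f"{primary.name}: {m}" for m in primary_violations(primary)]
    for gw in candidates:
        problems += [f"{gw.name}: {m}" for m in secondary_violations(gw, primary)]
    if len(candidates) > max_secondaries:  # one Primary plus up to ten Secondaries
        problems.append(f"{len(candidates)} Secondaries exceed the limit of {max_secondaries}")
    return problems
```

Run `plan_violations` over your inventory before attaching; an empty list means every gateway meets the checklist, and any non-empty result names the gateway and the exact prerequisite it fails.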
Unavailable Features in Centralized FireNet
The following features are unavailable on Primary FireNet-enabled or Secondary FireNet-enabled gateways:
- Rollback to previous release (since Centralized FireNet was not available prior to 7.0)
- SNAT/DNAT (Primary and Secondary)
- Disabling segmentation (Primary and Secondary, unless you detach first)
- Disabling multi-tier transit on Primary (unless you detach first)
- Configuring any FireNet attributes (Secondary only)
- Inserting/associating firewall/FQDN gateway (Secondary)
For more information see: