Welcome to Aviatrix Docs

All Aviatrix product documentation can be found here. If you cannot find what you need, please reach out to us via Aviatrix Support Portal.

While all content is searchable, the site is organized into the following sections:

• Getting Started
• Onboarding and Accounts
• Gateway
• Multi-Cloud Transit Network
• Transit Gateway Orchestrator
• Firewall Network (FireNet)
• CloudN
• Peering
• Site2Cloud
• Monitoring
• CoPilot
• OpenVPN®
• Security
• Useful Tools
• Settings
• Downloads
• Release Notes
• Upgrade Aviatrix
• Security Updates
• Field Notices
• Tech Notes
• Good To Know
• Support Center

Getting Started

• Aviatrix Overview
• AWS Getting Started Guide
• Azure Startup Guide
• Oracle Cloud Infrastructure (OCI) Startup Guide
• Google Startup Guide
• Aviatrix Operations Overview
• Metered AMI Pricing Book
• Frequently Asked Questions

Onboarding and Accounts

• Onboarding and Account FAQs
• Access Account
• IAM Roles for Secondary Access Accounts
• AWS IAM Policies
• Aviatrix IAM Policy Requirements
• Customize AWS-IAM-Policy for Aviatrix Controller
• Azure Account Credential Setup
• Alibaba Cloud Account Credential Setup
• Use Azure IAM Custom Role
• GCP Credentials
• Oracle Cloud Infrastructure (OCI) Onboarding Guide
• Admin Users and Duo Sign in
• Aviatrix Companion Gateway in Azure
• Quick Tour
• Account with Access Key
• Account Audit
• Role-Based Access Control FAQ
• OCI IAM Least Privilege Policy

Gateway

• Launching a Gateway
• Subnet Information
• Select Gateway Size
• Specifying a Reachable DNS Server IP Address
• Enabling NAT
• Enabling BGP
• Allocating a New EIP in AWS
• Enabling SAML
• VPN CIDR Block
• MFA Authentication
• Max Connections
• Split Tunnel Mode
• Additional CIDRs
• Nameservers (Optional)
• Search Domains (Optional)
• Enable ELB
• ELB Name
• VPN Protocol
• Enable Client Certificate Sharing
• Enable Duplicate Connections
• VPN NAT
• Enable Policy Based Routing (PBR)
• Enable LDAP
• Gateway and Tunnel HA Options
• Gateway Audit (for AWS)
• Aviatrix Default Route Handling

Multi-Cloud Transit Network

• Multi-Cloud Global Transit FAQ
• Multi-Cloud Transit Network Workflow Instructions (AWS/Azure/GCP/OCI)
• Aviatrix Transit Gateway Encrypted Peering
• BGP
• Aviatrix Transit Gateway to External Devices
• Aviatrix Spoke Gateway to External Devices (BGP-Enabled Spoke)
• Encrypted Transit Approval
• Transit Advanced Config
• Multi-Cloud Transit Network Design Patterns
• Transit List
• Azure Transit Network Design Patterns
• Transit Network Segmentation FAQ
• Aviatrix Transit Network Segmentation Workflow
• ActiveMesh FAQ
• ActiveMesh Design Notes
• Aviatrix ActiveMesh Workflow
• Insane Mode Encryption FAQ
• ActiveMesh Insane Mode Encryption Performance
• Standalone CloudN Deployment Checklist
• Migrating TGW Orchestrator to Multi-Cloud Transit
• Multi-Cloud Transit Integration with Azure VNG
• GRE Tunneling for Multi-cloud Transit Gateway to On-Prem Workflow
• AWS Multi-Cloud Transit BGP over LAN Workflow
• Azure Multi-Cloud Transit BGP over LAN Workflow
• GCP Multi-Peer BGP over LAN Workflow

AWS Transit Gateway Orchestrator

• AWS TGW Orchestrator FAQ
• TGW Plan
• TGW Build
• Building a TGW Connect Attachment
• TGW List
• TGW Approval
• TGW Design Patterns
• Migrating a CSR Transit to AWS Transit Gateway (TGW)
• Migrating a DIY TGW to Aviatrix Managed TGW Deployment
• Aviatrix Transit Gateway to External Devices
• Multi-Cloud Transit Network Workflow Instructions (AWS/Azure/GCP/OCI)
• AWS TGW Connect over Direct Connect

Firewall Network (FireNet)

• Firewall Network (FireNet) FAQ
• Firewall Network (FireNet) Workflow
• Transit FireNet FAQ
• Transit FireNet Workflow for AWS, Azure, GCP, and OCI
• Transit FireNet Design Patterns
• Firewall Network (FireNet) Advanced Config
• Setup API Access to Palo Alto Networks VM-Series
• AWS Ingress Firewall Setup Solution
• Azure Ingress Firewall Setup Solution
• Ingress Protection via Aviatrix Transit FireNet with Palo Alto in GCP
• Example Config for Palo Alto Network VM-Series in AWS
• Example Configuration for Palo Alto Networks VM-Series in Azure
• Example Config for Palo Alto Network VM-Series in GCP
• Example Config for Palo Alto Network VM-Series in OCI
• Bootstrap Configuration Example for VM-Series in AWS
• Bootstrap Configuration Example for VM-Series in Azure
• Example Config for FortiGate VM in AWS
• Example Config for FortiGate VM in Azure
• Bootstrap Configuration Example for FortiGate Firewall in AWS
• Bootstrap Configuration Example for FortiGate Firewall in Azure
• Example Config for Check Point VM in AWS
• Example Config for Check Point VM in Azure
• Bootstrap Configuration Example for Check Point Security Gateway in AWS/Azure
• Setting up Firewall Network (FireNet) for Netgate PFSense
• Deploying a PFsense Instance from the AWS Marketplace
• Setting up Firewall Network (FireNet)
• Deploying the Barracuda CloudGen Firewall Instance from the AWS Marketplace
• Logging in to Firewall and Configuring Interfaces
• Creating Static Routes for Routing of Traffic VPC-to-VPC
• Configuring Basic Traffic Policy to Allow Traffic
• Ready to Go
• Viewing the Traffic Log
• Scaling Out
• Firewall Network Design Patterns

CloudN

• Aviatrix Secure Edge FAQ
• Aviatrix Secure Edge Design Patterns
• Deploying Aviatrix Secure Edge
• Managed CloudN Workflows
• Aviatrix CloudWAN Workflow

Security

• Stateful Firewall FAQ
  • What is the Aviatrix Stateful Firewall?
  • Is there a limitation on the number of tags?
  • How do I configure a stateful firewall?
• Tag Based Security Policy
  • Defining a Tag
  • Editing a Tag
  • Applying Policy
  • Viewing Policy and Tags
  • Example Use Case
• Egress FQDN FAQ
  • Why is Egress Control Filter needed?
  • What does the Aviatrix FQDN feature do?
  • How does it work?
  • How do I enable 2 AZ HA for FQDN gateways?
  • How do I enable 3 AZ HA for FQDN gateways?
  • How does Aviatrix Egress FQDN compare to Squid and other solutions?
  • How do I troubleshoot FQDN problems?
• Egress Control Filter
  • Configuration Workflow
  • Exception Rule
  • Export
  • Import
  • Edit Source
  • Enabling Private Network Filtering
  • Disabling Private Network Filtering
  • Customizing Network Filtering
  • FQDN Name Caching
  • Exact Match
• Egress FQDN Discovery
  • Start
  • Stop
  • Show
  • Download
• Egress FQDN View Log
  • Detaching or Disabling FQDN
  • Removing a Tag
  • Downloading Logs
  • Editing Pass-through
• Amazon GuardDuty Integration
  • Configuration
  • Integration and Enforcements
  • Polling Time
• Public Subnet Filtering Gateway FAQ (AWS)
  • What does Public Subnet Filtering gateway do?
• PrivateS3 FAQ (AWS)
  • What is the security exposure when uploading files to AWS S3 over Direct Connect?
  • What is Aviatrix PrivateS3?
  • What are the benefits of PrivateS3?
  • How does PrivateS3 work?
  • How do I deploy PrivateS3?
  • Can PrivateS3 work for traffic initiated from a VPC?
  • Is there an additional AWS data charge by going through the Aviatrix Gateway?
  • Can PrivateS3 be deployed in TGW environment?
  • Can Direct Connect termination VPC be in a different region of managed S3 buckets?
  • Can PrivateS3 gateway be in a different region of managed S3 buckets?
  • Can PrivateS3 solution scale out?
  • How can I test PrivateS3?
  • How do I troubleshoot PrivateS3?
  • Does AWS S3 list command work?
  • Can Aviatrix Spoke Gateways be used for PrivateS3 function?
  • Is an S3 endpoint required for PrivateS3?
• PrivateS3 Workflow
  • Launching an Aviatrix Gateway
  • Creating Access Accounts
  • Enabling/Updating PrivateS3
  • Updating S3 Bucket Policy
  • Viewing/Deleting PrivateS3
  • Additional Configuration 1: Create an On-Prem DNS Private Zone
  • Additional Configuration 2: S3 Endpoint
  • Adding More PrivateS3 Gateways
  • Additional Read
• Secure Networking with Micro-Segmentation
  • Micro-Segmentation Components
  • Configuring Micro-Segmentation
  • Configuring the Polling Interval
  • Limitations

Peering

• Peering FAQ
• Peering
• Encrypted Transitive Peering
• Cluster Peering
• Multi-Cloud: Connecting Azure to AWS and GCP
• Peering Over Route Limit

Site2Cloud

• Site2Cloud FAQs
• Site2Cloud IPsec VPN Instructions
• Site2Cloud Certificate-Based Authentication
• Aviatrix Gateway to Azure VPN Gateway
• Aviatrix Gateway to Aviatrix Gateway
• Aviatrix Gateway to AWS VGW
• Aviatrix Gateway to Oracle DRG
• Aviatrix Gateway to Palo Alto Firewall
• Aviatrix Gateway to Check Point(R77.30)
• Aviatrix Gateway to Check Point(R80.10)
• Aviatrix Gateway to Cisco ASA
• Aviatrix Gateway to Cisco IOS Router
• Aviatrix Gateway to Sonicwall
• Aviatrix Gateway to pfSense
• Aviatrix Gateway to FortiGate
• Aviatrix Gateway to Meraki MX64
• Aviatrix Gateway to Meraki vMX100
• Aviatrix Gateway to Juniper SRX
• CloudN for Site2Cloud
• Site2Cloud Case Study
• Encryption over Direct Connect/ExpressRoute
• Solving Overlapping Networks with Network Mapped IPsec
• Overlapping Network Connectivity Solutions
• Connect Networks With Overlap CIDRs
• Connect Overlapping VPC/VNet to On-prem
• Periodic Ping

Monitoring

• Monitoring Your Network

CoPilot

• Aviatrix CoPilot Release Notes
• Aviatrix CoPilot Image Release Notes
• Aviatrix CoPilot Overview
• Aviatrix CoPilot Deployment Guide
• Aviatrix CoPilot User Reference Guide
• Aviatrix CoPilot FAQs
• Aviatrix CoPilot Reference Documentation

OpenVPN®

• Configuring Aviatrix User SSL VPN
  • Additional Information
  • Configuration Workflow
  • Conclusion
• Aviatrix OpenVPN® FAQs
  • How do I launch a VPN Gateway?
  • How can I avoid managing multiple VPN user certs?
  • How do I scale out VPN solution?
  • How do I setup Okta authentication for VPN?
  • How do I enable Geo VPN?
  • How do I add a VPN user?
  • What user devices are VPN client software supported?
  • Is NAT capability supported on the gateway?
  • Can the maximum number of simultaneous connections to VPN gateway be configured?
  • What is user profile-based security policy?
  • How do I set up profile-based security policies?
  • How do I assign a user to a profile?
  • What if I want to change profile policies?
  • How do I change a user’s profile programmatically?
  • How to set User VPN License Threshold Notification?
  • Is DUO multi-factor authentication supported?
  • How do I configure LDAP authentication?
  • Can I combine LDAP and DUO authentication?
  • Is OKTA supported?
  • How does Policy-Based Routing (PBR) work?
  • What are the monitoring capabilities?
  • Does the Aviatrix OpenVPN® solution support SAML client?
  • When should I use the Aviatrix VPN client?
  • Are multiple VPN configuration profiles supported by the Aviatrix VPN client?
  • What is “Client Certificate Sharing”?
  • How do I fix the Aviatrix VPN timing out too quickly?
  • Where do I find the log for the Aviatrix Client?
  • Why can’t my VPN client access a newly created VPC/VNet?
  • How do I turn off NAT with an OpenVPN® Gateway?
  • What IP Address is used for NAT’ing the VPN Clients?
  • What is User Defined Email Notification?
  • How to customize popup messages after a VPN user is connected?
  • How to set a minimum Aviatrix VPN client software version for OpenVPN® connection?
  • What is Download SAML VPN Client?
• Aviatrix OpenVPN® Feature Highlights
  • VPN Management
  • Authentication Options
  • Authorization
  • Scale Out Performance
  • Logging Integration
  • Client Software
• User VPN Performance Guide for Deployment
  • Aviatrix Gateway OpenVPN® throughput
  • VPN Client throughput benchmark
  • Simultaneous Clients on a Given VPN Gateway
• OpenVPN® Design for Multi-Accounts and Multi-VPC/VNets
  • Multiple VPC/VNets in One Region
  • Multiple VPC/VNets in Multi-Regions, Split Tunnel
  • Multiple VPC/VNets in Multi Regions, Full Tunnel, your own firewall
  • Use an AWS Transit Gateway to Access Multiple VPCs in One Region
  • User VPN Solution for Multi Cloud
• VPN Access Gateway Selection by Geolocation of User
  • Overview
  • VPN Access Details
  • Configuration Workflow
  • Advanced Settings : Managing VPN Configuration for Individual DHCP Setup
• UDP LoadBalanced VPN using DNS
  • Configuration Workflow
• LDAP Configuration for Authenticating VPN Users
  • Overview
  • Configuration Details
• Okta Authentication with Okta API Token
  • Overview
  • Obtaining the API Token from Okta
  • Setting up Okta Authentication
  • Creating User(s)
  • Validating
• Duo Authentication
  • Getting Duo API Credentials
  • Connecting Aviatrix VPN with Duo
  • Validating
• OpenVPN® with SAML Authentication
  • Overview
  • Pre-Deployment Checklist
  • Configuration
• SAML Profile as an Attribute
• OpenVPN® with SAML Authentication on Okta IDP
  • Overview
  • Pre-Deployment Checklist
  • Configuration Steps
• OpenVPN® with SAML Authentication on Google IDP
  • Overview
  • Pre-Deployment Checklist
  • Configuration Steps
• OpenVPN® with SAML Authentication on OneLogin IdP
  • Overview
  • Pre-Deployment Checklist
  • Configuration Steps
  • Testing the Integration
• OpenVPN® with SAML Authentication on AWS SSO IdP
  • Overview
  • Pre-Deployment Checklist
  • Configuration Steps
  • Validating
• OpenVPN® with SAML Authentication on Azure AD IdP
  • Overview
  • Pre-Deployment Checklist
  • Configuration Steps
  • Validating
• OpenVPN® with SAML Authentication on Centrify IDP
  • Overview
  • Pre-Deployment Checklist
• Anonymous Internet Surfing
  • Solution Overview
  • Configuration Workflow
  • Troubleshooting
• Developer’s Sandbox
  • Objective
  • Solution
  • Configuration Workflow
• External PKI for OpenVPN Certificates
• VPN User Accelerator
• Use IPv6 for User VPN Access
  • The Problem
  • Prerequisite
  • Launching an Aviatrix Gateway
  • Adding VPN Networks for Split Tunnel
  • Adding a VPN User
  • Scaling out VPN Gateways
  • Adding More VPC/VNets
  • Troubleshooting Tips
• Use AWS Transit Gateway to Access Multiple VPCs in One Region
  • Creating a TGW
  • Creating a Security Domain
  • Building Connection Policies
  • Attaching VPCs to TGW
  • Launching a VPN Gateway
  • Configuring VPN Gateway
  • Configuring Aviatrix VPN Client
  • Last Steps
• Setting up Okta SAML with Profile Attribute
  • How a VPN Profile Works
  • Setting up the Okta Profile Attribute
  • Defining a New Attribute
  • Defining an Attribute Mapping
  • Assigning the VPN Profile to Each SAML User
  • Validation
• Setting up PingOne for Customers Web SAML App with Profile Attribute
  • How a VPN Profile Works
  • Setting up PingOne for Customers Profile Attribute
  • Defining a New User Attribute
  • Defining an Attribute Mapping
  • Assigning VPN Profile to Each SAML User
  • Validation
• Azure Controller Security for SAML Based Authentication VPN Deployment
  • Azure Application Gateways and the Aviatrix Controller
  • Prerequisites
  • Securing the Aviatrix Controller for SAML Based Authentication Behind an Azure Application Gateway

Useful Tools

• VPC Tracker
• Create a VPC/VNet
• Discover Unencrypted Traffic

Settings

• Controller Backup and Restore
• Controller HA in AWS
• Upgrade Aviatrix Controller and Gateways
• Inline Software Upgrade for 6.4 and Earlier Releases
• Logging
• Emails and Alert Configuration
• Advanced Config
• Controller LDAP Login Configuration
• Netflow Integration
• AWS CloudWatch Integration
• Aviatrix Controller Login with SAML Authentication
• Certificate Management Overview
• Controller Certificate Management
• Gateway Certificate Management
• FIPS 140-2 Module
• Controller Configuration
• Migrating Your Aviatrix Controller
• Migrating Gateway Images
• Private Mode

Troubleshoot

• Logs
• Diagnostics
• Error Messages
• How to Troubleshoot Azure RM Gateway Launch Failure
• ELB Status
• FlightPath

Downloads

• Aviatrix VPN Client
• Aviatrix VPN Client

Release Notes

• Aviatrix Controller and Gateway Release Notes
• Aviatrix Controller and Gateway Image Release Notes
• Aviatrix CoPilot Release Notes
• Aviatrix CoPilot Image Release Notes
• Aviatrix VPN Client Release Notes

Upgrade Aviatrix

• Upgrade Aviatrix Controller and Gateways
  • Overview of the Aviatrix Controller and Gateways Upgrade
  • Prepare for the Aviatrix Upgrade
  • Procedures for Upgrading Aviatrix Controller and Gateways
  • Verify your Upgrade Status
  • Rolling Back Gateway Software
  • Troubleshooting

Security Updates

• PSIRT Advisories
• Security Patches
• Security Update Policy

Field Notices

• Field Notices

Tech Notes

• Hybrid Network Load Balancing (NLB)
• Datadog Integration
• Launch Aviatrix Controller Manually
• Using Aviatrix to Build a Site to Site IPsec VPN Connection
• Aviatrix Controller Security for SAML auth based VPN Deployment
• Azure Controller Security for SAML Based Authentication VPN Deployment
• How to Connect Office to Multiple AWS VPCs with AWS Peering
• Site2Cloud With Customized SNAT
• Site2Cloud with NAT to fix overlapping VPC subnets
• Site2Cloud to a Public IP Address
• Accessing a Virtual IP address instance via Aviatrix Transit Network
• Aviatrix Active Mesh with customized SNAT and DNAT on spoke gateway
• Connecting Meraki Network to Aviatrix Transit Network
• Reserve For On-Prem Use
• AWS Managed Microsoft AD for Aviatrix
• Extending Your vmware Workloads to Public Cloud
• How to Build a Zero Trust Cloud Network Architecture with Aviatrix
• AWS Global Transit Network
• Connect to Floating IP Addresses in Multiple AWS AZs
• Egress NAT to a Pool of IP Addresses
• AWS Transit Gateway Route Limit Test Validation
• Transit Gateway ECMP for DMZ Deployment Limitation Test Validation
• Transit Gateway Egress VPC Firewall Limitation Test Validation
• AWS Transit Gateway Orchestrator
• Aviatrix NEXT GEN TRANSIT with customized SNAT and DNAT features
• Use IPv6 to Connect Overlapping VPC CIDRs
• Aviatrix Transit Architecture for Azure
• NAT for non-tunnel-bound Traffic
• Migrating from Classic Aviatrix Encrypted Transit Network to Aviatrix ActiveMesh Transit Network
• OpenVPN + FQDN Filter Solution
• Enable SAML App for a group of users in G-Suite using Organization
• Transit FireNet Workflow for AWS
• Transit FireNet Workflow with AWS Gateway Load Balancer (GWLB)
• Transit FireNet Workflow for Azure
• Using Subnet Inspection in Azure to Redirect Subnet-Level Traffic to Aviatrix Transit FireNet and NGFW
• Transit FireNet Workflow for GCP
• Transit FireNet Workflow for OCI
• Using Aviatrix Site2Cloud tunnels to access VPC Endpoints in different regions
• Multi-cloud Transit Gateway Peering over Private Network Workflow
• Multi-cloud Transit Gateway Peering over Public Network Workflow
• Aviatrix in AWS Outposts
• Tuning For Sub-10 Seconds Failover Time in Overlapping Networks
• Aviatrix BGP over LAN with Cisco Meraki in AWS
• Configuring Azure Multi-Peer BGP Over LAN Workflow
• Configuring Azure Multi-Peer BGP over LAN with Azure Route Server Integration
• Rescure PKI Agent Certificate

Good To Know

• CloudFormation Condition Function Example
• AWS Network Limits and Limitations
• AWS Transit Gateway Limits
• Survey of DevOps Tools
• Multi Cloud Region Affinity and Latency
• General Glossary
• Aviatrix Glossary
• Multi-Cloud Rosetta Stone

Support Center

• Operations

Legal Notices

• Legal Notices