Static Route-Based External Connection (Custom Mapped)
Connect overlapping networks between the cloud and on-premises from a Spoke Gateway using advanced mapping configurations.
In this document, Local Gateway refers to the Aviatrix gateway that you want to connect to a remote device.
External Connection Settings
For information about the options that you can configure for a Site2Cloud (S2C) external connection, refer to About External Connection Settings.
Workflow
To set up a Static Route-Based (Mapped) external connection:
- In Aviatrix CoPilot, go to Networking > Connectivity > External Connections (S2C) tab.
- From the + External Connection dropdown menu, select External Device.
- In Create External Connection to External Device, provide the following information:
| Field | Description |
| --- | --- |
| Name | A name for the connection. |
| Type | Select Static Routing over IPsec. |
| Static Routing Type | Select Mapped NAT. |
| Custom Mapped | To create a Custom Mapped connection, click the Custom Mapped toggle switch to turn it On. |
| Local Gateway | The Local Gateway on which you want to create the external connection to a remote device. This is the gateway in the cloud that connects to an on-prem gateway or device. |
| Remote Device Type | Generic: use this option for most third-party routers and firewalls. Aviatrix: use this option when terminating on Aviatrix cloud gateways or for peering Controllers in different networks. |
- In the Local Initiated Traffic section, provide the following information:

| Field | Description |
| --- | --- |
| Real Source Subnet CIDR(s) | A list of the source network CIDRs that will be encrypted. If left blank, the full CIDR is used. If you enter a value, make sure you include the VPC/VNet as well. These Local Subnets are advertised to the Remote Subnets that the connection can reach. Examples of real local subnets are 172.16.1.0/24, 172.16.2.0/24. If the Source Subnet field is outside the gateway VPC/VNet, you must open the gateway inbound security groups to allow the Source Subnet network CIDR ranges. If you enter multiple real subnets, you must configure an equal number of virtual subnets. One-to-one mapping is supported if both sides are configured properly. The Remote and Source Subnet fields can contain multiple values. |
| Virtual Source Subnet CIDR(s) | A list of virtual source network CIDRs that are mapped to the real source subnets (for example, for the real source subnets listed above, the virtual source subnets could be 192.168.7.0/24, 192.168.8.0/24). |
| Real Destination Subnet CIDR(s) | A list of the destination network CIDRs that will be encrypted. If left blank, the full CIDR is used. If you enter a value, make sure you include the VPC/VNet as well. These Destination Subnets are advertised to the Remote Subnets that the connection can reach. If the Destination Subnet field is outside the gateway VPC/VNet, you must open the gateway inbound security groups to allow the Destination Subnet network CIDR ranges. If you enter multiple real subnets, you must configure an equal number of virtual subnets. One-to-one mapping is supported if both sides are configured properly. The Remote and Local Subnet fields can contain multiple values. |
| Virtual Destination Subnet CIDR(s) | A list of virtual destination network CIDRs that are mapped one-to-one to the real destination subnets, in the same way that the virtual source subnets map to the real source subnets. |
- In the Remote Initiated Traffic section, provide the following information:

| Field | Description |
| --- | --- |
| Real Source Subnet CIDR(s) | A list of the source network CIDRs that will be encrypted. If left blank, the full CIDR is used. If you enter a value, make sure you include the VPC/VNet as well. These Local Subnets are advertised to the Remote Subnets that the connection can reach. Examples of real local subnets are 172.16.1.0/24, 172.16.2.0/24. If the Source Subnet field is outside the gateway VPC/VNet, you must open the gateway inbound security groups to allow the Source Subnet network CIDR ranges. If you enter multiple real subnets, you must configure an equal number of virtual subnets. One-to-one mapping is supported if both sides are configured properly. The Remote and Source Subnet fields can contain multiple values. |
| Virtual Source Subnet CIDR(s) | A list of virtual source network CIDRs that are mapped to the real source subnets (for example, for the real source subnets listed above, the virtual source subnets could be 192.168.7.0/24, 192.168.8.0/24). |
| Real Destination Subnet CIDR(s) | A list of the destination network CIDRs that will be encrypted. If left blank, the full CIDR is used. If you enter a value, make sure you include the VPC/VNet as well. These Destination Subnets are advertised to the Remote Subnets that the connection can reach. If the Destination Subnet field is outside the gateway VPC/VNet, you must open the gateway inbound security groups to allow the Destination Subnet network CIDR ranges. If you enter multiple real subnets, you must configure an equal number of virtual subnets. One-to-one mapping is supported if both sides are configured properly. The Remote and Local Subnet fields can contain multiple values. |
| Virtual Destination Subnet CIDR(s) | A list of virtual destination network CIDRs that are mapped one-to-one to the real destination subnets, in the same way that the virtual source subnets map to the real source subnets. |
- In the IPsec Configuration section, provide the following information:

| Field | Description |
| --- | --- |
| Attach Over | The underlying infrastructure of your network. Private Network: your underlying infrastructure is a private network, such as AWS Direct Connect or Azure ExpressRoute; when this option is selected, BGP over IPsec runs over private IP addresses. Public Network: your underlying infrastructure is a public network or the internet; when this option is selected, BGP over IPsec runs over public IP addresses. |
| Algorithms | The encryption algorithm and protocol used to authenticate the communication between the Local Gateway and the remote device. Default: uses the Aviatrix-supported default algorithm values. Custom: lets you modify Phase 1 Authentication, Phase 1 DH Groups, Phase 1 Encryption, Phase 2 Authentication, Phase 2 DH Groups, and Phase 2 Encryption. |
| Internet Key Exchange | Internet Key Exchange (IKE) is the protocol used for authentication and encryption of packets between the Aviatrix gateway and the on-premises device. IKEv1: connects to the remote site using the IKEv1 protocol. If you configure IKEv1 in a connection that uses certificate-based authentication and connects to another Aviatrix device, you must add the intermediate CAs in addition to the root CA; when an intermediate CA is renewed and re-authentication is attempted, the connection goes down until you add the new certificate. IKEv2: connects to the remote site using the IKEv2 protocol. This is the recommended protocol. |
- In the Authentication section, provide the following information:

| Field | Description |
| --- | --- |
| Authentication Method | The authentication method to use for the connection. Pre-Shared Key: if you select Pre-Shared Key (PSK) authentication, you can provide the PSK when prompted (this is optional). Certificate: if you select certificate-based authentication, in the Remote CA Certificate field, select the certificate you uploaded from your remote device. |
- In the Tunnel Configuration section, provide the following information:

| Field | Description |
| --- | --- |
| Single IP HA | Enable this setting to set up High Availability (HA) instances for each new connection that can come up if the primary instance goes down. When active, each standby instance uses the same IP address as the remote connection. |
| Remote Device IP | The remote device's interface IP address. |
| Local Gateway Instance | The Local Gateway's IP address. |
| Pre-Shared Key (Optional) | The Pre-Shared Key configured on the remote device. If a Pre-Shared Key is not specified, the system auto-generates a key. |
| Remote Identifier SAN | If certificate-based authentication is selected, enter the Subject Alternative Name (SAN) of the remote CA Certificate. |
- Click Save.
The new static route-based external connection appears in the table.
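The Local Initiated Traffic and Remote Initiated Traffic sections above require an equal number of real and virtual subnets and a one-to-one mapping between them. The following added example (not Aviatrix code) checks a real-to-virtual mapping before you enter it in CoPilot and shows which virtual address a real host appears as; it assumes a gateway VPC of 172.16.0.0/16 and, as its own assumption, that one-to-one mapping needs a matching prefix length per pair.

```python
import ipaddress


def parse_cidrs(field):
    """Parse a comma-separated CIDR field as typed into CoPilot, e.g. "172.16.1.0/24, 172.16.2.0/24"."""
    return [ipaddress.ip_network(c.strip()) for c in field.split(",") if c.strip()]


def validate_mapping(real, virtual, gateway_vpc):
    """Return a list of problems with a real -> virtual subnet mapping (empty list means it is usable).

    Checks: equal number of real and virtual subnets (required by the page); matching prefix
    length per pair (assumption: a one-to-one address translation needs equally sized subnets);
    and a reminder to open inbound security groups for real subnets outside the gateway VPC/VNet.
    """
    problems = []
    if len(real) != len(virtual):
        problems.append(f"{len(real)} real subnet(s) but {len(virtual)} virtual subnet(s); counts must be equal")
    for r, v in zip(real, virtual):
        if r.prefixlen != v.prefixlen:
            problems.append(f"{r} -> {v}: prefix lengths differ, so hosts cannot be mapped one-to-one")
    for r in real:
        if not r.subnet_of(gateway_vpc):
            problems.append(f"{r} is outside gateway VPC/VNet {gateway_vpc}: open the gateway inbound security groups for it")
    return problems


def translate(address, real, virtual):
    """Return the virtual address a real address is seen as after mapping (host part is preserved)."""
    ip = ipaddress.ip_address(address)
    for r, v in zip(real, virtual):
        if ip in r:
            host_offset = int(ip) - int(r.network_address)
            return str(ipaddress.ip_address(int(v.network_address) + host_offset))
    raise ValueError(f"{address} is not inside any real subnet")


# Constructed sample values taken from the page's examples; the gateway VPC is an assumption.
REAL = parse_cidrs("172.16.1.0/24, 172.16.2.0/24")
VIRTUAL = parse_cidrs("192.168.7.0/24, 192.168.8.0/24")
GATEWAY_VPC = ipaddress.ip_network("172.16.0.0/16")

if __name__ == "__main__":
    print(validate_mapping(REAL, VIRTUAL, GATEWAY_VPC))   # []
    print(translate("172.16.2.10", REAL, VIRTUAL))         # 192.168.8.10
    # Two real subnets against one virtual subnet: reported as a count mismatch.
    print(validate_mapping(REAL, parse_cidrs("192.168.7.0/24"), GATEWAY_VPC))
```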