Creating a VPC/VNet using CoPilot
You can create a VPC/VNet in your cloud provider environment using the CoPilot user interface.
When you create a VPC/VNet by using CoPilot or other Aviatrix tools, the VPC/VNet will be listed as Aviatrix Managed in the CoPilot > Cloud Resources > Cloud Assets > VPC/VNets & Subnets page.
If you create a VPC/VNet for a FireNet deployment, we recommend you use Aviatrix tools to create the VPC/VNet and set the Transit + FireNet option.
To create a VPC/VNet with IPv6 support, refer to Support for IPv6 on CoPilot. To enable IPv6 on an existing VPC/VNet, delete and recreate the VPC/VNet with IPv6 support enabled.
| When you create a VNet in Azure, a default route of 0.0.0.0 is added, which points to the next hop type "None" in User Defined Route Table (UDR) for all private subnets it creates. Any public subnet it creates does not have such a UDR default route entry. |
To create a VPC/VNet using CoPilot:
- In CoPilot go to Cloud Resources > Cloud Assets > VPC/VNets & Subnets.
- Click + VPC/VNet.
- Specify the cloud provider in which to create the VPC/VNet.
- Specify the cloud account that pertains to the VPC/VNet.
- Specify the region in which to create the VPC/VNet.
- Specify the IPv4 VPC/VNet CIDR for the VPC/VNet.
- Specify the IPv6 allocation method for the VPC/VNet (AWS and Azure only).
- Specify the VPC Function. Options are Default or Transit + FireNet.
  - Default — See Default Behavior for Creating a VPC (AWS).
  - Transit + FireNet — See Creating a VPC/VNet for a FireNet Deployment.
- (Optional for AWS/Azure) Specify Advanced Settings.
- Click Save.
About Creating a VPC/VNet
This section discusses creating a VPC in AWS by using the CoPilot user interface.
Default Behavior for Creating a VPC (AWS)
By default, for the non-Transit VPCs, the Aviatrix Controller creates a pair of subnets (public and private) per availability zone.
The prefix length of each subnet the Controller creates is the VPC CIDR prefix length plus 4 bits. If your region has three availability zones, the Controller creates 6 subnets.
For example, if the VPC you are creating has an address space of /16 (such as 192.168.0.0/16), each subnet gets a prefix length of /20 (/16 + 4 bits).
Example:
For a VPC with address space 192.168.0.0/16 and in a region with three availability zones, the address allocation would look like this:
Subnet 1 (private az-a): 192.168.0.0/20
Subnet 2 (private az-b): 192.168.16.0/20
Subnet 3 (private az-c): 192.168.32.0/20
Subnet 4 (public az-a): 192.168.48.0/20
Subnet 5 (public az-b): 192.168.64.0/20
Subnet 6 (public az-c): 192.168.80.0/20
Set the IPv6 Allocation to one of the following options to enable IPv6 support on the VPC/VNet:
- None: No IPv6 CIDR block is associated with the VPC/VNet.
- Auto Assignment (AWS only): AWS automatically assigns an IPv6 CIDR block to the VPC from AWS’s pool of IPv6 addresses.
- Manual Assignment (Azure only): When you set the IPv6 Allocation to Manual Assignment, a VPC/VNet IPv6 CIDR field appears. Specify the IPv6 CIDR block you want to associate with the VNet.
When you create a VPC/VNet with IPv6 support, the Aviatrix Controller creates dual-stack subnets (IPv4 and IPv6) in each availability zone.
Creating a VPC for a FireNet Deployment
The Transit + FireNet option is for Transit VPCs or Transit FireNet VPCs. For these VPCs, the Controller creates a particular set of /28 subnets across two availability zones.
When you create a VPC for a FireNet deployment, specify the Transit + FireNet VPC option. When this option is set, the Controller creates a set of /28 subnets across two availability zones as shown in the table below.
| Aviatrix FireNet VPC Public Subnet | Description |
|---|---|
| Public-gateway-and-firewall-mgmt-AZ-a | A /28 subnet (public in AWS/GCP/OCI) in AZ a for the FireNet Gateway and the firewall instance management interface. |
| Public-gateway-and-firewall-mgmt-AZ-b | A /28 subnet (public in AWS/GCP/OCI) in AZ b for the FireNet HA Gateway and the firewall instance management interface. |
| Public-FW-ingress-egress-AZ-a | A /28 subnet (public in AWS/GCP/OCI) in AZ a for the firewall instance’s egress interface. |
| Public-FW-ingress-egress-AZ-b | A /28 subnet (public in AWS/GCP/OCI) in AZ b for the firewall instance’s egress interface. |
Adjusting the Subnet Size
| You cannot customize subnet size and pair count for Transit VPCs or Transit FireNet VPCs. For these VPCs, the Controller creates a particular set of /28 subnets across two availability zones. |
The Subnet Size field allows you to modify the default behavior of adding 4 bits to the prefix length of the VPC. Here you can specify the prefix length of the subnets you create, which effectively determines the size of the subnets.
For instance, you may want to create larger subnets.
| The number of subnet pairs defaults to 1 if the Subnet Size is specified but the Number of Subnet Pair(s) is not. |
Example:
For the same VPC (192.168.0.0/16) and Subnet Size specified as /19 you would have the following distribution:
Subnet 1 (private az-a): 192.168.0.0/19
Subnet 2 (public az-a): 192.168.32.0/19
The remaining address space from 192.168.64.0 to 192.168.255.255 will remain unused.
Adjusting the Number of Subnet Pairs
| You cannot customize subnet size and pair count for Transit VPCs or Transit FireNet VPCs. For these VPCs, the Controller creates a particular set of /28 subnets across two availability zones. |
The Number of subnet pair(s) field allows you to specify the number of subnet pairs to be created within the VPC. Each pair consists of one public subnet and one private subnet.
| The number of subnet pairs cannot exceed the number of availability zones in the region. |
For instance, if you enter 2 in the Number of subnet pairs field, the Controller creates 2 pairs of subnets, resulting in 4 subnets (2 public and 2 private) in the VPC.
Example:
For the Number of subnet pairs set as 2 in a region with 2 or more availability zones, the subnet creation could look like this:
Subnet 1 (private az-a): 192.168.0.0/19
Subnet 2 (private az-b): 192.168.32.0/19
Subnet 3 (public az-a): 192.168.64.0/19
Subnet 4 (public az-b): 192.168.96.0/19
| It is mandatory to specify Subnet Size when configuring a custom Number of Subnet Pair(s). In the example above, the Subnet Size was specified as /19. |
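The three allocation rules described above (the default of VPC prefix + 4 bits with one pair per availability zone, a custom Subnet Size with the pair count defaulting to 1, and a custom Number of Subnet Pair(s) that requires a Subnet Size and cannot exceed the AZ count) as an added Python example. This is not Aviatrix or CoPilot code: it reproduces the page's worked examples with the standard library's ipaddress module so you can sanity-check a CIDR plan before clicking Save, and it adds a pre-creation overlap check against CIDRs you already use (the overlapping-IP problem the Island VPCs section mentions). The availability-zone names, the example CIDRs and the function names are assumptions; the allocation order (all private subnets first, then all public subnets) is taken from the page's examples, not from a documented Controller algorithm.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed values matching the page's worked examples; the AZ names are hypothetical.
EXAMPLE_VPC = "192.168.0.0/16"
EXAMPLE_AZS = ["az-a", "az-b", "az-c"]


def plan_subnets(vpc_cidr: str, azs: List[str],
                 subnet_prefix: Optional[int] = None,
                 pairs: Optional[int] = None) -> List[Tuple[str, str, str]]:
    """Return (role, az, cidr) tuples in the order the page's examples list them:
    every private subnet first (one per AZ used), then every public subnet.

    Rules taken from the page:
    - no Subnet Size: prefix = VPC prefix + 4 bits, one pair per availability zone
    - Subnet Size given but no Number of Subnet Pair(s): one pair
    - Number of Subnet Pair(s) requires Subnet Size and cannot exceed the AZ count
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if subnet_prefix is None:
        if pairs is not None:
            raise ValueError("Subnet Size is mandatory when Number of Subnet Pair(s) is set")
        subnet_prefix = vpc.prefixlen + 4
        pairs = len(azs)
    elif pairs is None:
        pairs = 1
    if pairs < 1 or pairs > len(azs):
        raise ValueError("Number of subnet pairs must be between 1 and the number of AZs")
    if not (vpc.prefixlen < subnet_prefix <= vpc.max_prefixlen):
        raise ValueError("Subnet Size must be longer than the VPC prefix")
    # Carve the VPC into equal blocks of the requested size, in address order.
    blocks = list(vpc.subnets(new_prefix=subnet_prefix))
    if 2 * pairs > len(blocks):
        raise ValueError("VPC CIDR is too small for the requested number of subnets")
    plan = [("private", azs[i], str(blocks[i])) for i in range(pairs)]
    plan += [("public", azs[i], str(blocks[pairs + i])) for i in range(pairs)]
    return plan


def unused_range(vpc_cidr: str, plan: List[Tuple[str, str, str]]) -> Optional[Tuple[str, str]]:
    """First and last address of the VPC left unallocated by the plan, or None if none."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    last_used = max(ipaddress.ip_network(c).broadcast_address for _, _, c in plan)
    if last_used >= vpc.broadcast_address:
        return None
    return (str(last_used + 1), str(vpc.broadcast_address))


def overlapping_vpcs(new_cidr: str, existing: List[str]) -> List[str]:
    """Existing VPC/VNet CIDRs that overlap the proposed one; run before creating it."""
    new = ipaddress.ip_network(new_cidr, strict=True)
    return [c for c in existing if ipaddress.ip_network(c, strict=True).overlaps(new)]


if __name__ == "__main__":
    for role, az, cidr in plan_subnets(EXAMPLE_VPC, EXAMPLE_AZS):
        print(f"{role:8s} {az}: {cidr}")
    custom = plan_subnets(EXAMPLE_VPC, EXAMPLE_AZS, subnet_prefix=19)
    print("unused after /19 plan:", unused_range(EXAMPLE_VPC, custom))
    print("overlaps:", overlapping_vpcs("10.1.0.0/16", ["10.0.0.0/8", "172.16.0.0/12"]))
```

The ValueError branches encode the page's two constraints (Subnet Size is mandatory with a custom pair count; pairs cannot exceed availability zones), so a plan that the UI would reject fails here before you reach the UI.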
To create a VPC/VNet using CoPilot:
- In CoPilot go to Cloud Resources > Cloud Assets > VPC/VNets & Subnets.
- Click + VPC/VNet.
- Configure the following:

| Field | Description |
|---|---|
| Name | Enter a name for the VPC/VNet. The name must begin with a letter, may include only letters, numbers, underscores, and dashes (excluding special characters or spaces), and must not exceed 30 characters in length. |
| Cloud | Select the cloud in which to create the VPC/VNet. |
| Account | Select the AWS account. |
| Region | Select the region in which to create the VPC/VNet. |
| VPC/VNet IPv4 CIDR | Specify the IPv4 VPC or VNet CIDR. |
| IPv6 Allocation (AWS and Azure only) | Select the IPv6 allocation method for the VPC/VNet. |
| VPC/VNET IPv6 CIDR (Azure only) | If you select Manual Assignment for the IPv6 Allocation, specify the IPv6 CIDR block you want to associate with the VNet. |
| VPC Function | Select Default or Transit + FireNet. |
| Subnet Size (optional) | Specify the prefix length of the subnets you create, which effectively determines the size of the subnets. |
| Number of Subnet Pair(s) (optional) | Specify the number of subnet pairs to be created within the VPC. Each pair consists of one public subnet and one private subnet. |
Island VPCs
Island VPCs are virtual networks (VPCs/VNets) that are not part of a managed cloud environment. They are not peered or connected to the main VPC/VNet, or other VPC/VNets, in your organization. Island VPCs might be development environments, or host your production applications.
These isolated networks pose a security risk because they are not visible to cloud security teams and may not adhere to established security policies.
The primary concerns with island VPCs are their tendency to permit unrestricted outbound internet traffic and overlapping IP address space, because these VPC/VNets can reuse IP ranges already in use elsewhere in your organization.
You can provide egress protection to island VPCs with Aviatrix egress security features such as VPC/VNet protection and AI-powered insights.