Deploying Aviatrix Secure Edge in On-Premises
This document provides instructions for deploying an Aviatrix Edge Gateway on the Aviatrix Edge platform for deployment in datacenters, large campus and office locations for cloud to edge connectivity.
For an overview of Aviatrix Secure Edge, see Overview of Aviatrix Secure Edge.
The following deployment scenarios are supported:
-
Single VLAN connected to the Edge Gateway via a single vNIC.
-
Multiple VLANs connected to the Edge Gateway via a single vNIC (Trunk Port) and sub-interfaces for each VLAN.
-
VRRP on Edge Gateway.
-
LAN-side BGP.
-
Local breakout via SNAT on Edge GW.
-
Connectivity to single or multiple Transit Gateways from Edge Gateway.
Prerequisites
Before you can deploy an Aviatrix Edge Gateway on the Aviatrix Edge Platform:
-
You must perform the prerequisite steps to procure and onboard your edge device. See Planning Aviatrix Secure Edge Deployment for On-Premise.
-
You should be familiar with Aviatrix Secure Edge Interfaces and Ports and Protocols. See About Aviatrix Edge Gateway Interfaces and Ports and Protocols.
Aviatrix Secure Edge Deployment Workflow
The diagram below provides a high-level view of the process for deploying Aviatrix Secure Edge in Aviatrix CoPilot.
Creating the Edge Gateway
In Aviatrix CoPilot:
-
Go to Cloud Fabric > Edge > Edge Gateways tab.
-
Click + Edge Gateway.
Provide the following information to create your Edge Gateway.
Parameter
Description
Name
Enter a name for the Edge Gateway.
Platform
From the dropdown menu, select the platform where you want to deploy the Edge Gateway.
You can create and edit platforms in CoPilot under Cloud Fabric > Edge > Platforms tab.
Site
Enter a site ID to identify the edge location.
High Availability
From the dropdown menu, select the high availability mode.
-
On (Active Standby Mode) enables Edge connection with one active peering and one standby peering. Only the active peering forwards network traffic. The network switches to the standby peering when the primary peering goes down.
-
On (Active Active Mode) enables all Edge connections with active peering to perform load sharing and forward network traffic.
Preemptive
Preemptive is turned On only when High Availability is turned On with Active Standby Mode. The Preemptive is set on the active gateway.
-
On enables the network to automatically switch back to the active gateway when the active gateway connection is back up.
-
Off enables the network to continue to use the standby gateway even after the active gateway is back up, until you initiate a manual switchover.
Primary Device
Enter the name of the primary edge device where you want to deploy the Edge Gateway.
Secondary Device
Enter the name of the secondary edge device where you want to deploy the second Edge Gateway.
The primary and secondary device must have the same hardware configuration. Gateway Resource Size
Click on this dropdown menu and select a size for this gateway.
-
-
Configure the Edge Gateway’s WAN interface. In the Interface Configuration section, click + WAN Interface, then provide the following information.
For IP and DNS settings, enter using the applicable format. For example, if the Edge Gateway’s WAN IP is 10.1.1.151, enter 10.1.1.151/24 or what your netmask is. Parameter Description IP Assignment
The default is Static for static IP assignment.
DHCP for dynamic IP address assignment is not supported.
Interface Tag
Enter a name to identify the WAN interface.
Interface CIDR
Enter the CIDR for the WAN interface.
Default Gateway IP
Enter the Default gateway IP address for the WAN interface.
Primary DNS (Optional)
Enter the primary DNS server IP address.
Secondary DNS (Optional)
Enter the secondary DNS server IP address, if available.
Public IP
Enter the WAN interface’s egress Public IP address.
Egress Management IP (Optional)
Enter the CIDR range for the egress for the WAN interface.
Bandwidth (Optional)
To change or update the Edge Gateway WAN connectivity to Transit Gateway, you will need to first detach the Edge-to-Transit gateway attachment, if there is an attachment. -
Configure the Edge Gateway’s LAN interface. In the Interface Configuration section, click + LAN Interface, then provide the following information.
Parameter Description IP Assignment
The default is Static for static IP assignment.
DHCP for dynamic IP address assignment is not supported.
VRRP
To enable Virtual Router Redundancy Protocol (VRRP) on the Edge Gateway, click this switch to On.
To configure VLAN interfaces:
Click + VLAN Interface to add one or more VLAN interfaces.
Provide the following information.
Parameter Description Interface CIDR
Enter the native VLAN interface IP address.
This interface is where untagged packets are sent.
Default Gateway IP, VRRP Gateway IP
Enter the Default gateway IP address.
-
If VRRP is enabled, enter the VRRP Gateway IP address.
-
If VRRP is disabled, enter the Default gateway IP address for the native VLAN interface.
Interface Tag
Enter a name to identify this native VLAN interface.
VLAN ID
Enter the VLAN ID.
VLAN ID must be a number between 2 and 4092.
VLAN Interface CIDR
Enter the VLAN’s interface IP address.
Default Gateway IP
Enter the Default gateway IP address for this VLAN interface.
Sub-Interface Tag
Enter a name to identify this VLAN interface.
VLAN configurations are added to the primary and secondary Edge Gateways. If the properties are shared, the fields are disabled on the secondary and non-editable, but the value appears as primary values are selected.
-
-
Configure the Edge Gateway’s MGMT interface. In the Interface Configuration section, click + MGMT Interface, then provide the following information.
Parameter Description IP Assignment
The MGMT interface defaults to DHCP. The Edge Gateway will automatically NAT out of the physical MGMT interface of the edge node when using the Aviatrix Edge Platform. This setting cannot be changed.
Private Network
Leave this setting as is. The Edge Gateway on the edge hardware requires public/Internet reachability to connect to the Aviatrix Controller and Aviatrix Secure Edge infrastructure in the cloud.
Parameter
Description
Egress CIDR (Optional)
Enter the CIDR range for the egress for this Management interface.
Verifying Edge Gateway Creation
-
From the left sidebar, go to Monitor > Notifications > Tasks tab.
-
In the table, click on the gateway create task to see the progress.
Depending on the settings you configured, it lists the following stages of the gateway creation:
-
Creates the primary instance
-
Updates the primary instance’s interface configurations
-
Creates the HA instance.
-
Updates the HA instance’s interface configurations.
-
Attaching the Edge Gateway to the Transit Gateway
You can attach an Edge Gateway to multiple Transit Gateways. Each attachment can be configured with different parameters, such as connecting interfaces, connection over private or public network, high-performance encryption, and Jumbo Frame.
In Aviatrix CoPilot:
-
Go to Cloud Fabric > Edge > Edge Gateways tab.
-
Locate the Edge Gateway, click the three dot vertical menu on the right, and select Manage Transit Gateway Attachment.
Provide the following information.
Field Description Transit Gateway
From the dropdown menu, select the Transit Gateway to attach to the Edge Gateway.
Connecting Edge Interfaces
From the dropdown menu, select the WAN interface connection(s) to the Transit Gateway.
-
Use the Advanced section to set the advanced gateway settings that apply.
Field Description Attach over Private Network
If the Edge WAN connection to the Transit Gateway is over a private network, set this toggle to On. Leave it Off if the connection is over the public internet.
Jumbo Frame
If you want to use Jumbo Frames for the Transit-to-Edge Gateway connection, set this toggle to On.
Ensure that Jumbo Frame is enabled on the Edge Gateway before you attach the Edge Gateway to the Transit Gateway. High Performance Encryption
If you want to enable high-performance encryption for the Transit-to-Edge Gateway connection, set this toggle to On.
Ensure that the Transit Gateway is created with High Performance Encryption enabled before you attach the Edge Gateway. Max Performance
Max Performance is set to On when High Performance Encryption is enabled for both the Transit and Edge Gateway.
In Number of Tunnels, enter the number of HPE tunnels to create. The number of tunnels depends on the Edge Gateway instance size:
-
small: 4 tunnels
-
medium: 8 tunnels
-
large and x-large: up to 50 tunnels
-
-
To attach the Edge Gateway to another Transit Gateway:
-
Click + Transit Gateway Attachment again.
-
From the Transit Gateway drop-down menu, select another Transit Gateway.
-
Provide the required information.
-
-
Click Save.
Connecting the Edge Gateway to an External Device (BGP over LAN)
To connect the Edge Gateway to the LAN router using BGP over LAN, follow these steps.
-
Navigate to Networking > Connectivity > External Connections (S2C) tab.
-
Click + External Connection.
Provide the following information.
Setting Description Name
Enter a unique name to identify the connection to the LAN router.
Connect Local Gateway To
Select External Device radio button, then from the dropdown menu, select BGP over LAN.
Local Gateway
Select the Edge Gateway you created.
Local ASN
Enter the BGP AS number the Edge Gateway will use to exchange routes with the LAN router.
This is automatically populated if the Edge Gateway is assigned an ASN already. Remote ASN
Enter the BGP AS number configured on the LAN router.
-
Click + Connection and provide the following information.
Settings Description Remote Gateway Instance IP
Local LAN IP
This is automatically populated with the Edge Gateway LAN interface IP address.
Remote LAN IP
Enter the LAN router IP address for BGP peering.
-
Click Save.