Deploying Aviatrix Secure Edge on Equinix Network Edge
This document provides instructions for deploying Aviatrix Secure Edge on Equinix Network Edge.
For an overview of Aviatrix Secure Edge, see Overview of Aviatrix Secure Edge.
Aviatrix Secure Edge Network Connectivity
The following diagram shows an example of network connectivity from an Aviatrix Secure Edge Gateway to a Transit Gateway in AWS. This topology shows the Aviatrix Secure Edge connection to an upstream WAN router, which is used to terminate CSP underlay private connections.
The topology below shows Aviatrix Secure Edge used to terminate CSP underlay private connections itself (which does not require an upstream WAN router).
Aviatrix Secure Edge requires Aviatrix Controller 7.1 and Aviatrix Secure Edge Image 7.1 to support BGP underlay connectivity to the CSP.
Aviatrix Secure Edge Deployment Workflow
To deploy Aviatrix Secure Edge on Equinix Network Edge, follow these steps.
Creating Aviatrix Edge Gateway Cloud-Init ZTP File
The Edge Gateway cloud-init ZTP file is used to provision the Aviatrix Edge Gateway virtual device in Equinix Fabric.
To create the Edge Gateway cloud-init ZTP file, follow these steps.
- In CoPilot, navigate to Cloud Fabric > Edge > Edge Gateways tab.
- Click + Edge Gateway.
Provide the following information to set up your Edge Gateway.
Setting | Description |
---|---|
Name | Enter a name for the Edge Gateway. |
Platform | Click this dropdown menu and select the platform where you want to deploy the Edge Gateway. You can create and edit platforms in CoPilot under Cloud Fabric > Edge > Platforms tab. |
Site | Enter a site ID to identify the edge location. |
ZTP File Type | This is set to cloud-init. |
High Availability | High Availability is disabled by default in this release and not supported. Deploying Edge Gateways with different site names is supported, but no more than one Edge Gateway per site. |
Configure the Edge Gateway WAN Interface
Provide the following information for the Edge Gateway WAN interface.
Setting | Description |
---|---|
Edge Gateway Interface | This is set to eth0. Adding multiple WAN interfaces applies when the Edge Gateway is used for BGP underlay to a CSP: add one interface per CSP underlay (such as ExpressRoute or BGP). When the Edge Gateway is not terminating the CSP underlay, use one interface per Edge Gateway to connect to the upstream router. |
IP Assignment | Select Static to assign a static IP address for this WAN interface. DHCP for dynamic IP address assignment is not supported. |
Interface Tag | Enter a name to identify this WAN interface. |
BGP | To enable BGP on the Edge Gateway, click this switch to On. |
Interface CIDR | Enter the CIDR for the WAN interface. |
Default Gateway IP | Enter the default gateway IP address for this WAN interface. |
If BGP is turned On, provide the following information:
Setting | Description |
---|---|
Local ASN | The ASN of the Edge Gateway. |
Remote ASN | The ASN of the CSP-side peering connection, such as the private VIF on a VGW (AWS) or the VNG ASN (Azure). |
Local Tunnel IP | The IP address of the Edge Gateway. This is the local point-to-point (PTP) peering IP for BGP. |
Remote Tunnel IP | The point-to-point (PTP) peering IP address of the CSP VNG or VGW. (GCP and Oracle are also supported.) |
Password | (Optional) Required for connection to AWS. |
To change or update the Edge Gateway WAN connectivity to the Transit Gateway, you must first detach the Edge-to-Transit gateway attachment, if one exists.
Configure the Edge Gateway LAN Interface
Provide the following information for the Edge Gateway LAN interface.
Setting | Description |
---|---|
Edge Gateway Interface | This is set to eth1. |
IP Assignment | Select Static to assign a static IP address for this LAN interface. This interface is used for the LAN-side BGP connection. DHCP for dynamic IP address assignment is not supported. |
Interface Tag | Enter a name to identify this LAN interface. |
BGP | Click this switch to turn BGP mode On or Off. |
Interface CIDR | Enter the CIDR for the LAN interface. |
Default Gateway IP | (Optional) Enter the default gateway IP address for this LAN interface. |
Configure the Edge Gateway Management Interface
In an Equinix Network Edge deployment, the Management interface of the Edge Gateway is assigned the IP address allocated by Equinix. The ZTP file generated by CoPilot includes the parameters the Edge Gateway needs to obtain these addresses from Equinix, namely `{"mgmt_ip": "$PUBLIC_ADDRESS_WITH_MASK", "mgmt_default_gateway": "$PUBLIC_GATEWAY"}`. If the downloaded ZTP file does not include the `mgmt_ip` and `mgmt_default_gateway` settings with exactly these values, edit the file to add them.
- Click + MGMT interface. Leave the default settings and click Save.
- To create the ZTP cloud-init image file, click Save and Download Configuration.
Below is an example configuration of a ZTP file for an Aviatrix Edge Gateway set up with BGP underlay to CSPs in Equinix.
WAN, LAN, and MGMT configuration example:
CoPilot downloads the ZTP cloud-init file to your Downloads folder.
The cloud-init file is valid for 24 hours after you create it, so you must launch an Edge VM on the Equinix platform within that timeframe; the file cannot be downloaded again, and after it expires you must recreate it.
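Since the downloaded file cannot be retrieved a second time, it is worth checking it before the launch. The following Python script is an added example and is not part of the Aviatrix documentation or product: it checks the points this section names (static IP assignment, the WAN default gateway lying inside the interface CIDR, the peering fields a WAN interface needs when BGP is On, and the `mgmt_ip` / `mgmt_default_gateway` placeholder values) and can write the placeholders in when they are missing. The dict layout it reads (a top-level `interfaces` list with `role`, `cidr`, `default_gateway` and the BGP keys) is an assumed schema for illustration, not the real ZTP cloud-init format, and the sample configuration is constructed.

```python
"""Pre-flight checks for an Aviatrix Edge Gateway ZTP configuration.

Added example: the checks follow the settings named in this document, but
the dict layout used here (top-level "interfaces" list, "role", "cidr", ...)
is an assumed schema for illustration, not the real ZTP cloud-init format.
"""
import ipaddress
import json

# Equinix expects these two management values verbatim in the ZTP file.
MGMT_PLACEHOLDERS = {
    "mgmt_ip": "$PUBLIC_ADDRESS_WITH_MASK",
    "mgmt_default_gateway": "$PUBLIC_GATEWAY",
}

# Fields a WAN interface must carry when BGP underlay to a CSP is On.
WAN_BGP_REQUIRED = ("local_asn", "remote_asn", "local_tunnel_ip", "remote_tunnel_ip")


def check_mgmt(cfg: dict) -> list:
    """Report mgmt_* keys that are missing or not set to the Equinix placeholders."""
    return [
        f"{key} should be {want!r}, found {cfg.get(key)!r}"
        for key, want in MGMT_PLACEHOLDERS.items()
        if cfg.get(key) != want
    ]


def fix_mgmt(cfg: dict) -> dict:
    """Return a copy of cfg with the Equinix management placeholders written in."""
    fixed = dict(cfg)
    fixed.update(MGMT_PLACEHOLDERS)
    return fixed


def check_interface(iface: dict) -> list:
    """Return the problems found in one WAN or LAN interface entry."""
    problems = []
    tag = iface.get("tag", iface.get("name", "?"))
    role = iface.get("role", "wan")

    # DHCP is not supported on either interface type.
    if iface.get("ip_assignment", "static").lower() != "static":
        problems.append(f"{tag}: only static IP assignment is supported")

    try:
        addr = ipaddress.ip_interface(iface["cidr"])
    except (KeyError, ValueError):
        problems.append(f"{tag}: interface CIDR is missing or invalid")
        return problems  # nothing else can be checked without the CIDR

    gateway = iface.get("default_gateway")
    if gateway:
        try:
            if ipaddress.ip_address(gateway) not in addr.network:
                problems.append(f"{tag}: default gateway {gateway} is outside {addr.network}")
        except ValueError:
            problems.append(f"{tag}: default gateway {gateway!r} is not a valid IP")
    elif role == "wan":
        # Required on the WAN interface; optional on the LAN interface.
        problems.append(f"{tag}: WAN interface needs a default gateway")

    # With BGP On, a WAN interface needs the full CSP peering set.
    if iface.get("bgp") and role == "wan":
        for key in WAN_BGP_REQUIRED:
            if not iface.get(key):
                problems.append(f"{tag}: BGP is On but {key} is missing")
    return problems


def check_ztp(cfg: dict) -> list:
    """Run every check over a parsed ZTP configuration and list the problems."""
    problems = check_mgmt(cfg)
    for iface in cfg.get("interfaces", []):
        problems.extend(check_interface(iface))
    return problems


# Constructed sample: one correct WAN interface, one WAN interface with two
# mistakes, a LAN interface, and a mgmt_ip that was filled in by hand.
SAMPLE_ZTP = json.loads("""
{
  "gateway_name": "edge-equinix-01",
  "mgmt_ip": "10.0.0.5/24",
  "interfaces": [
    {"name": "eth0", "role": "wan", "tag": "wan-aws", "ip_assignment": "static",
     "cidr": "192.0.2.10/30", "default_gateway": "192.0.2.9", "bgp": true,
     "local_asn": 65001, "remote_asn": 64512,
     "local_tunnel_ip": "169.254.10.1", "remote_tunnel_ip": "169.254.10.2"},
    {"name": "eth2", "role": "wan", "tag": "wan-azure", "ip_assignment": "static",
     "cidr": "192.0.2.14/30", "default_gateway": "192.0.2.17", "bgp": true,
     "local_asn": 65001, "remote_asn": 65515, "local_tunnel_ip": "169.254.21.1"},
    {"name": "eth1", "role": "lan", "tag": "lan", "ip_assignment": "static",
     "cidr": "198.51.100.1/24", "bgp": true}
  ]
}
""")

if __name__ == "__main__":
    for problem in check_ztp(SAMPLE_ZTP):
        print("-", problem)
    print("after fix_mgmt:", check_ztp(fix_mgmt(SAMPLE_ZTP)))
```

On the sample, `check_ztp` reports the two management placeholders and, for the `wan-azure` interface, a default gateway outside its /30 and a missing remote tunnel IP; `fix_mgmt` clears the first two without mutating the original dict, while the interface problems have to be corrected in CoPilot before the file is regenerated.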
Launching Aviatrix Edge Gateway in Equinix Network Edge
To launch the Aviatrix Edge Gateway in Equinix Network Edge, see Create an Aviatrix Edge in the Equinix documentation. Demo video: Step-by-Step Guide to Deploy Aviatrix Secure Edge on Equinix Network Edge on Vimeo.
You will need to create an Access Control List Template to allow CoPilot access to the Aviatrix Edge virtual device.
Once the Aviatrix Edge virtual device is created and provisioned, an email is sent to the notification address you provided, informing you that the Aviatrix Edge virtual device is provisioned.
Creating the Access Control List Template for CoPilot
The Access Control List Template defines the inbound rules for the Aviatrix Edge Gateway virtual device, allowing only specific inbound traffic. The Aviatrix Controller and CoPilot need to communicate with the Aviatrix Edge Gateway, so inbound traffic from the Controller and CoPilot must be allowed on the Edge Gateway virtual device.
The Controller's IP address is allowed automatically based on the cloud-init file.
To define the inbound rules for CoPilot, on the Create New Access Control List Management Template page, provide the following information.
- In the Basic Details section, enter a name for the Access Control List template and a description.
- In the Inbound Rules section, enter the following information:
  - For IP Address Subnet, enter the CoPilot public or private IP address.
  - For Protocol, select IP from the drop-down.
  - For Description (Optional), enter a description for this rule.
  - Click Add Rule.
- To create the Access Control List template, click Create Template.
Configuring the Edge Gateway Management Egress IP Address
The Management Egress IP address of the Aviatrix Edge Gateway virtual device must be updated from Aviatrix CoPilot so that the Security Group is updated with the correct egress IP address.
- Locate the public IP assigned by Equinix during Aviatrix Edge virtual device creation.
  - From the Equinix Fabric Portal, go to Network Edge > Virtual Device Inventory > Details and locate the public IP address of the device.
- In CoPilot, navigate to Cloud Fabric > Edge > Edge Gateways tab.
- Select the Edge Gateway.
- Click MGMT interface and update the Egress CIDR with the public IP from the Equinix Fabric Portal as shown below.
- Click Save.
Attaching the Edge Gateway to the Transit Gateway
You can attach an Edge Gateway to multiple Transit Gateways. Each attachment can be configured with different parameters, such as connecting interfaces, connection over private or public network, high-performance encryption, and Jumbo Frame.
In Aviatrix CoPilot:
- Go to Cloud Fabric > Edge > Edge Gateways tab.
- Locate the Edge Gateway, click the vertical three-dot menu on the right, and select Manage Transit Gateway Attachment.
  Provide the following information.
  Field | Description |
  ---|---|
  Transit Gateway | From the dropdown menu, select the Transit Gateway to attach to the Edge Gateway. |
  Connecting Edge Interfaces | From the dropdown menu, select the WAN interface connection(s) to the Transit Gateway. |
- Use the Advanced section to set the advanced gateway settings that apply.
  Field | Description |
  ---|---|
  Attach over Private Network | If the Edge WAN connection to the Transit Gateway is over a private network, set this toggle to On. Leave it Off if the connection is over the public internet. |
  Jumbo Frame | If you want to use Jumbo Frames for the Transit-to-Edge Gateway connection, set this toggle to On. Ensure that Jumbo Frame is enabled on the Edge Gateway before you attach the Edge Gateway to the Transit Gateway. |
  High Performance Encryption | If you want to enable high-performance encryption for the Transit-to-Edge Gateway connection, set this toggle to On. Ensure that the Transit Gateway is created with High Performance Encryption enabled before you attach the Edge Gateway. |
  Max Performance | Max Performance is set to On when High Performance Encryption is enabled for both the Transit and Edge Gateway. In Number of Tunnels, enter the number of HPE tunnels to create. The number of tunnels depends on the Edge Gateway instance size: small, 4 tunnels; medium, 8 tunnels; large and x-large, up to 50 tunnels. |
- To attach the Edge Gateway to another Transit Gateway:
  - Click + Transit Gateway Attachment again.
  - From the Transit Gateway drop-down menu, select another Transit Gateway.
  - Provide the required information.
- Click Save.
Connecting the Edge Gateway to an External Device (BGP over LAN)
To connect the Edge Gateway to the LAN router using BGP over LAN, follow these steps.
- Navigate to Networking > Connectivity > External Connections (S2C) tab.
- Click + External Connection.
  Provide the following information.
  Setting | Description |
  ---|---|
  Name | Enter a unique name to identify the connection to the LAN router. |
  Connect Local Gateway To | Select the External Device radio button, then from the dropdown menu, select BGP over LAN. |
  Local Gateway | Select the Edge Gateway you created. |
  Local ASN | Enter the BGP AS number the Edge Gateway will use to exchange routes with the LAN router. This is automatically populated if the Edge Gateway is already assigned an ASN. |
  Remote ASN | Enter the BGP AS number configured on the LAN router. |
- Click + Connection and provide the following information.
  Setting | Description |
  ---|---|
  Remote Gateway Instance IP | |
  Local LAN IP | This is automatically populated with the Edge Gateway LAN interface IP address. |
  Remote LAN IP | Enter the LAN router IP address for BGP peering. |
- Click Save.