About Aviatrix Edge Gateway Interfaces and Ports and Protocols

The following sections describe the virtual machine instance configuration, network interfaces, ports and protocols, and access requirements for Aviatrix Edge Gateway deployment.

Virtual Machine CPU and Memory Configurations

The following table provides CPU and memory configurations of the virtual machine instance supported for the Aviatrix Edge Gateway deployment.

Deployment Type   Hardware Profile   Storage Requirements   Note
Small             2 vCPU - 4GB       64 GB                  <1Gbps throughput
Medium            4 vCPU - 8GB       64 GB                  <5Gbps throughput
Large             8 vCPU - 16GB      64 GB                  ~10Gbps throughput
X-Large           16 vCPU - 32GB     64 GB                  ~10Gbps throughput

We recommend that you not change the Edge VM resource allocation after deploying it. Aviatrix support may not be able to assist with any issue that occurs on a system with customized resource allocation.

Oversubscription of host resources can reduce performance and make your instance unstable. We recommend that you follow the guidelines and best practices for your host hypervisor.

Aviatrix Edge Gateway Interfaces and Ports and Protocols

[Figure: edge network connectivity]

Aviatrix Edge Gateway Network Interfaces

By default, an Aviatrix Edge Gateway has three interfaces: one WAN interface on eth0, one LAN interface on eth1, and one Management interface on eth2.

Interface          Description

WAN (eth0)         Provides connectivity to the Aviatrix Transit Gateway.
                   When deploying Aviatrix Edge in on-premise locations, the connectivity to the Transit Gateway is via the WAN interface and requires a default gateway to provide the underlay connectivity to the CSP and Layer 3 reachability to the Transit Gateway’s private or public IP.

LAN (eth1)         Provides connectivity to the LAN network.
                   The LAN network can be either a VLAN network on-premises or a network learned via BGP. When using BGP, a BGP-enabled router is required to peer with the Edge Gateway LAN interface using BGP over LAN.

Management (eth2)  Provides connectivity to the Aviatrix Controller, Aviatrix CoPilot, Aviatrix software download and tracelog upload.
                   Requires a default gateway, DNS access, and Internet access.

  • The default WAN interface must be configured on eth0.

  • The default LAN interface must be configured on eth1.

  • The default route is supported only on the default WAN and LAN interfaces.

Aviatrix Edge Gateway Ports and Protocols

The Aviatrix Edge Gateway requires outbound access to communicate with the Aviatrix Controller. You must allow access on these ports on your firewall.

  • MGMT: TCP 443 access to the Aviatrix Controller’s public IP address

  • MGMT: TCP 443 access to the Aviatrix Controller’s private IP address (only permit this access if you selected Management over Private Network for management IP connectivity)

  • WAN: UDP 500/4500

Additional required outbound ports are described in the table below.

Source      Destination                                                   Port        Purpose
WAN eth0    Aviatrix Transit Gateway eth0 private or public IP address    UDP 500     IPsec
            (if multiple WAN interfaces are configured, this access
            must be allowed for all WAN links)
WAN eth0    Aviatrix Transit Gateway eth0 private or public IP address    UDP 4500    IPsec
            (if multiple WAN interfaces are configured, this access
            must be allowed for all WAN links)
Mgmt eth2   DNS server                                                    UDP 53      DNS lookup
Mgmt eth2   Aviatrix Controller FQDN or private or public IP address      TCP 443     Edge to Controller
Mgmt eth2   Aviatrix CoPilot FQDN or private or public IP address         UDP 5000    Syslog
Mgmt eth2   Aviatrix CoPilot FQDN or private or public IP address         UDP 31283   Netflow

  • If the Management egress IP is provided at the time of creating an Edge gateway, Aviatrix will program the Controller’s gateway security group with the required security rules (see above) that will allow the Edge gateway to connect to the Controller. We will also program the CoPilot’s security group with rules for netflow and syslog.

  • If you don’t know the Management egress IP at the time of creating an Edge Gateway, you can add the Management egress IP for the gateway at a later time and Aviatrix will add the required rules to the Controller’s gateway security group enabling the Edge gateway to connect to the Controller and likewise for CoPilot.

  • You could also choose to manage the Controller and CoPilot’s security groups and add the required rules to allow the Edge gateway to connect to the Controller and CoPilot.
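The following is an added example, not Aviatrix code, that turns the ports-and-protocols table above into a check: it verifies that a proposed firewall egress allow-list for the Edge Gateway covers every required flow, flags any-protocol/any-destination rules that are far wider than the table needs, and derives the Controller and CoPilot inbound rules for a given Management egress IP (the rules the bullets above say Aviatrix programs for you). The endpoint addresses and the rule format are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample endpoints (RFC 5737 documentation ranges), not a real deployment.
# Replace with your own Transit Gateway, DNS, Controller and CoPilot addresses.
ENDPOINTS = {"transit": "203.0.113.10", "dns": "192.0.2.53",
             "controller": "198.51.100.5", "copilot": "198.51.100.6"}

# Outbound flows the Edge Gateway needs: (interface, endpoint, protocol, port, purpose),
# taken from the ports-and-protocols table above.
REQUIRED_FLOWS = [
    ("eth0", "transit",    "udp", 500,   "IPsec (UDP 500)"),
    ("eth0", "transit",    "udp", 4500,  "IPsec (UDP 4500)"),
    ("eth2", "dns",        "udp", 53,    "DNS lookup"),
    ("eth2", "controller", "tcp", 443,   "Edge to Controller"),
    ("eth2", "copilot",    "udp", 5000,  "Syslog"),
    ("eth2", "copilot",    "udp", 31283, "Netflow"),
]

def rule_covers(rule, iface, dst_ip, proto, port):
    """True if an egress allow rule permits this flow. A rule (assumed format) is a dict
    with "iface", "dst" (CIDR), "proto" ("tcp", "udp" or "any") and "ports" (lo, hi)."""
    return (rule["iface"] == iface
            and ip_address(dst_ip) in ip_network(rule["dst"])
            and rule["proto"] in (proto, "any")
            and rule["ports"][0] <= port <= rule["ports"][1])

def uncovered_flows(rules, endpoints=ENDPOINTS):
    """Purposes of required flows that no rule in the egress allow-list permits."""
    return [purpose for iface, ep, proto, port, purpose in REQUIRED_FLOWS
            if not any(rule_covers(r, iface, endpoints[ep], proto, port) for r in rules)]

def overly_broad_rules(rules):
    """Rules that allow any protocol to any destination: far wider than the table needs."""
    return [r for r in rules if r["dst"] == "0.0.0.0/0" and r["proto"] == "any"]

def inbound_rules_for_edge(mgmt_egress_ip):
    """Inbound rules for the Controller and CoPilot security groups once the Edge
    Management egress IP is known, as (protocol, port, source CIDR) tuples."""
    src = f"{mgmt_egress_ip}/32"
    return {"controller": [("tcp", 443, src)],
            "copilot": [("udp", 5000, src), ("udp", 31283, src)]}
```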

WAN Interfaces on Edge Gateway

Aviatrix Secure Edge supports single or multiple WAN interfaces. A single WAN interface is applicable in on-premise locations. Multiple WAN interfaces can be used on the Equinix Network Edge platform (see Multiple WAN Interface Support (Equinix Platform)).

When deploying Aviatrix Edge in on-premise locations, the connectivity to Transit Gateway is via the WAN interface and requires a default gateway to provide the underlay connectivity to the CSP.

[Figure: edge network onprem wan interface]

Multiple WAN Interface Support (Equinix Platform)

When deploying Aviatrix Secure Edge in Equinix Network Edge, multiple WAN interfaces can be leveraged for connectivity to Transit Gateways deployed in different CSPs over private connections such as Direct Connect and Express Route. The WAN interface on Aviatrix Edge Gateway can support BGP where the private CSP virtual connections can terminate directly on the Edge Gateway. Aviatrix Edge Gateway enables the CSP virtual connection as the underlay to reach the Transit Gateways.

[Figure: edge network equinix wan interface]

Enabling Additional WAN Interface

Additional WAN interfaces are only supported on the Equinix platform.

When configuring Edge Gateway WAN interfaces, additional WAN interfaces can only be configured on eth3, eth4, and so on. While up to 8 WAN interfaces are supported, Aviatrix recommends a maximum of 4 WAN interfaces per Edge Gateway.

Additional WAN interfaces can be added during or after creation of the primary Edge Gateway.

During Edge Gateway creation, in Interface Configuration, click WAN > + WAN Interface to configure an additional WAN interface.

[Figure: edge network multi wan create]

Turn on BGP to set up peering connection to the Direct Connect or Express Route circuits via Equinix to CSPs.

You can also set up additional WAN interfaces after the Edge Gateway is created from the Edge Gateway’s edit page.

LAN Interface on Edge Gateway

Aviatrix Secure Edge supports a LAN interface with either BGP or VLAN towards on-premises networks. BGP is used when on-premises networks are learned via BGP, in which case a BGP router on the LAN can be peered with the Edge Gateway. This setup is also applicable to an Edge Gateway deployed on the Equinix Network Edge platform.

VLAN interfaces on Edge Gateway can be used on-premises when Edge Gateway is used as a LAN router. VRRP is also supported in this scenario with Active/Standby support on Edge gateways.

Multiple VLAN Interface Support (Aviatrix Edge Platform)

Aviatrix Edge Gateway supports multiple VLAN interfaces on the LAN ethernet port. This is applicable when using Aviatrix Edge Gateway in on-premise locations where the Edge Gateway is used as a LAN router with VLANs terminating on the Edge Gateway.

Enabling Additional VLAN Interface

Additional VLAN interfaces can be added during or after creation of the primary Edge Gateway; the LAN port then operates as a trunked port carrying multiple VLAN tags.

During Edge Gateway creation, in Interface Configuration, click LAN > + VLAN Interface to configure an additional VLAN interface.

See Planning Aviatrix Secure Edge Deployment for On-Premise for the prerequisites steps before deploying an Edge Gateway.

[Figure: edge network vlan create]

You can also set up additional VLAN interfaces after the Edge Gateway is created from the Edge Gateway’s edit page.