Enabling Local Internet Breakout at Network Edge

Aviatrix Secure Edge offers local internet breakout. With this capability, the Edge Gateway routes traffic from on-premises and remote sites to cloud destinations over overlay tunnels, and routes internet-bound traffic directly to the local ISP at the edge location. As is typical in SD-WAN networks, routing internet traffic locally avoids backhauling it to a central datacenter for processing, which reduces latency and cost.

To support local internet breakout, the Edge Gateway functions as a stateful firewall. Using the Edge Gateway's SNAT feature, you define the rules that determine which traffic from the remote sites is translated and sent to the local ISP, while the remaining traffic continues over the overlay to the Aviatrix Transit Gateway and the cloud.


To define SNAT rules for local internet breakout on the Edge Gateway:

  1. In Aviatrix CoPilot, go to Cloud Fabric > Edge > Edge Gateways tab.

  2. In the table, select the Edge Gateway for which you want to enable local internet breakout.

  3. Click the Edge Gateway’s Settings tab and expand the Network Address Translation (NAT) section.

  4. Set the Source NAT toggle to On.

    There are two types of SNAT:

    • Single IP: source NATs all traffic to the private IP of the Edge Gateway.

    • Customized SNAT: allows more granular configuration of NAT rules. If you run multiple Edge Gateways (for example an HA pair), customized SNAT must be configured on each Edge Gateway.

    Customized SNAT Requirements

    Each rule consists of qualifier conditions (which traffic the rule matches) and rule fields (how the source is rewritten). A qualifier that is left blank is not used, so it matches all traffic; at least one rule field must be set for the rule to take effect.

    Setting: Description

    Src CIDR

    This is a qualifier condition that specifies the source IP address range the rule applies to. When left blank, this field is not used.

    Src Port

    This is a qualifier condition that specifies the source port the rule applies to. When left blank, this field is not used.

    Dest CIDR

    This is a qualifier condition that specifies the destination IP address range the rule applies to. When left blank, this field is not used. The default route 0.0.0.0/0 pointing to the Aviatrix gateway that a blank Dest CIDR programs into the cloud platform routing table applies to cloud gateways only; route table programming is not applicable on the Edge Gateway (see Apply Route Entry and Exclude Route Table below).

    Dest Port

    This is a qualifier condition that specifies the destination port the rule applies to. When left blank, this field is not used.

    Protocol

    This is a qualifier condition that specifies the IP protocol (for example TCP or UDP) the rule applies to. When left blank, this field is not used.

    Connection

    This is a qualifier condition that specifies the output connection the rule applies to, that is, the link or tunnel the packet leaves the Edge Gateway on. When left blank, this field is not used. For local internet breakout, qualify the breakout rule on the WAN (ISP-facing) connection so that traffic leaving over the overlay tunnels to the Transit Gateway is not translated.

    Mark

    This is a qualifier condition that specifies a packet mark the rule applies to, such as a mark set on matching traffic by a DNAT rule on the same gateway. When left blank, this field is not used.

    SNAT IPs

    This is a rule field that specifies the translated source IP address used when all specified qualifier conditions are met. When left blank, this field is not used. One of the rule fields must be specified for the rule to take effect. Multiple translated source IP addresses are supported; specify them as a range, for example 100.100.1.5 - 100.100.1.10.

    SNAT Port

    This is a rule field that specifies the translated source port used when all specified qualifier conditions are met. When left blank, this field is not used. One of the rule fields must be specified for the rule to take effect.

    Apply Route Entry

    Not applicable on the Edge Gateway.

    Exclude Route Table

    Not applicable on the Edge Gateway.
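The following is an added example, not Aviatrix code, that models the rule semantics in the table above: blank qualifiers are not used, a rule needs at least one rule field, and the first matching rule translates the source. It evaluates a breakout rule set against constructed sample flows and flags the common mistake of a rule with every qualifier blank, which would also translate traffic headed over the overlay to the Transit Gateway. The connection names (wan0, transit-tunnel), addresses, first-match ordering and per-host pool selection are assumptions for illustration only.

```python
"""Model of customized SNAT rule evaluation for local internet breakout.

Added example, not Aviatrix's own code. It implements the qualifier /
rule-field semantics from the table (blank qualifier = not used; at least
one of SNAT IPs / SNAT Port required) with assumed first-match ordering.
"""
import ipaddress
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    connection: str   # output connection the packet leaves on (assumed names)
    mark: str = ""    # packet mark, e.g. set by a DNAT rule


@dataclass
class SnatRule:
    # qualifier conditions (blank = not used)
    src_cidr: str = ""
    src_port: str = ""
    dst_cidr: str = ""
    dst_port: str = ""
    protocol: str = ""
    connection: str = ""
    mark: str = ""
    # rule fields (at least one required)
    snat_ips: str = ""    # "198.51.100.5" or "198.51.100.5 - 198.51.100.10"
    snat_port: str = ""

    def validate(self) -> None:
        if not (self.snat_ips or self.snat_port):
            raise ValueError("no rule field (SNAT IPs or SNAT Port); rule would never take effect")
        if self.snat_ips:
            snat_pool(self.snat_ips)            # raises on a malformed IP or range
        for cidr in (self.src_cidr, self.dst_cidr):
            if cidr:
                ipaddress.ip_network(cidr, strict=False)


def snat_pool(spec: str) -> List[str]:
    """Expand a single IP or an 'a.b.c.d - a.b.c.e' range into a list of addresses."""
    ends = [ipaddress.ip_address(p.strip()) for p in spec.split("-")]
    lo, hi = ends[0], ends[-1]
    if hi < lo:
        raise ValueError(f"inverted SNAT range {spec!r}")
    return [str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)]


def _cidr_ok(ip: str, cidr: str) -> bool:
    return not cidr or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def matches(rule: SnatRule, flow: Flow) -> bool:
    """All qualifiers that are set must hold; unset qualifiers match anything."""
    return (_cidr_ok(flow.src_ip, rule.src_cidr)
            and _cidr_ok(flow.dst_ip, rule.dst_cidr)
            and (not rule.src_port or rule.src_port == str(flow.src_port))
            and (not rule.dst_port or rule.dst_port == str(flow.dst_port))
            and (not rule.protocol or rule.protocol.lower() == flow.proto.lower())
            and (not rule.connection or rule.connection == flow.connection)
            and (not rule.mark or rule.mark == flow.mark))


def apply_snat(rules: List[SnatRule], flow: Flow) -> Optional[Tuple[str, int, int]]:
    """Return (translated_src_ip, translated_src_port, rule_index) for the first
    matching rule, or None when nothing matches (flow leaves untranslated)."""
    for i, rule in enumerate(rules):
        rule.validate()
        if not matches(rule, flow):
            continue
        new_ip, new_port = flow.src_ip, flow.src_port
        if rule.snat_ips:
            pool = snat_pool(rule.snat_ips)
            # stable per-host pick so one inner host keeps one public IP (assumed policy)
            new_ip = pool[zlib.crc32(flow.src_ip.encode()) % len(pool)]
        if rule.snat_port:
            new_port = int(rule.snat_port)
        return new_ip, new_port, i
    return None


# Constructed breakout rule set: only traffic leaving on the WAN connection is
# translated to the public pool; overlay traffic to the Transit Gateway is untouched.
BREAKOUT_RULES = [SnatRule(connection="wan0", snat_ips="203.0.113.5 - 203.0.113.6")]

# Same intent written with every qualifier blank: it also catches transit-bound
# traffic, which is the misconfiguration overlay_leak() detects.
OVERBROAD_RULES = [SnatRule(snat_ips="203.0.113.5")]


def overlay_leak(rules: List[SnatRule], overlay_flow: Flow) -> bool:
    """True when the rule set would SNAT a flow that should stay on the overlay."""
    return apply_snat(rules, overlay_flow) is not None


if __name__ == "__main__":
    internet = Flow("10.20.0.15", "198.51.100.80", "tcp", 51234, 443, "wan0")
    to_cloud = Flow("10.20.0.15", "10.100.1.10", "tcp", 51235, 443, "transit-tunnel")
    print(apply_snat(BREAKOUT_RULES, internet))     # translated to a 203.0.113.x address
    print(apply_snat(BREAKOUT_RULES, to_cloud))     # None: stays on the overlay
    print(overlay_leak(OVERBROAD_RULES, to_cloud))  # True: the blank-qualifier rule leaks
```

Before saving a customized SNAT rule on a real Edge Gateway, run the same thought experiment the last line automates: take a flow that must reach the Transit Gateway over the overlay and confirm that no breakout rule matches it.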