Building a Single-Region Transit Network

This document provides instructions to build a hub-and-spoke network model across multiple clouds in a single-region with Aviatrix Spoke and Transit Gateways.

The hub-and-spoke model consists of an Aviatrix Transit Gateway and a set of Spoke Gateways, as shown in the diagram below. The network traffic flows between the Spoke VPCs through the Transit VPC.

(Diagram: single-region multicloud hub-and-spoke network with an Aviatrix Transit Gateway and Spoke Gateways)

Prerequisites

  1. If you have not launched an Aviatrix Controller, refer to the following Guides for your Cloud Service Provider:

  2. Identify a VPC/VNet and name it Transit VPC/VNet, in a region where you want to launch the Transit Gateway.

    We recommend using the Aviatrix Create a VPC tool with the option Transit + FireNet to create a Transit VPC/VNet that has all the necessary subnets and route tables fully populated.

    For a Transit network in AWS, see Prerequisites for a Transit Network in AWS.

  3. Create a VGW or reuse an existing VGW.

    The VGW should not be attached to the Transit VPC/VNet if you plan to launch the Transit Gateway in that same VPC/VNet. The VGW can be attached to a different VPC/VNet as long as that VPC/VNet's CIDR differs from the Transit VPC/VNet in which the Transit Gateway is launched, or it is in a different region and account. This VGW should be connected to on-prem either over Direct Connect or over the Internet.

Configuration Workflow

While the instructions below reference AWS, the workflow applies to any public cloud in which Aviatrix Transit Network is supported.

Follow these steps to build a single region Multicloud Transit Network:

Creating a Transit Gateway

Follow the steps below to create a Transit Gateway and its highly available Transit gateway instances.

  1. In CoPilot, navigate to Cloud Fabric > Gateways > Transit Gateways tab, and click + Transit Gateway.

  2. Create the Transit Gateway.

    Provide the following information for the Transit Gateway.

    Parameter

    Description

    Name

    Enter a name for the Transit gateway.

    Cloud

    Select the Cloud Service Provider (CSP) in which to create the Transit Gateway.

    For AWS and Azure, you can use the dropdown menu to select Standard or Global, China, or GovCloud.

    Account

    Select the cloud access account for creating the Transit Gateway.

    Region

    Select the cloud region in which to create the Transit Gateway.

    VPC/VNet

    Select the VPC or VNet in the selected region in which to create the Transit Gateway.

    If this Transit Gateway will be used in a Transit FireNet workflow, select a VPC/VNet that has the Transit + FireNet function enabled. This means that a particular set of /28 subnets was created across two availability zones. The function is enabled when the VPC/VNet is created.

    Instance Size

    Select the gateway instance size.

    • When selecting the Transit Gateway instance size, choose a t2-series instance for Proof of Concept (POC) or prototyping only. A t2-series Transit Gateway randomly drops 3% of packets smaller than 150 bytes when interoperating with a VGW. This packet drop does not apply to Spoke Gateways.

    • When selecting the gateway size, note that the size you select affects your IPsec performance. You can change the Transit Gateway size later.

    High Performance Encryption

    Set this toggle to On to enable High Performance Encryption (HPE) for the Transit Gateway.

    HPE enables 10Gbps and higher IPsec performance between two single Aviatrix Gateway instances, or between a single Aviatrix Gateway instance and an on-prem Aviatrix appliance.

    You cannot set High Performance Encryption to On or Off after the Transit Gateway is created.

    Peer to Transit Gateways

    Select the Transit Gateways to peer with this Transit Gateway.

    Use the Advanced Settings section to set the advanced gateway settings that may apply.

    Parameter

    Description

    Transit Egress Capability (all clouds except OCI and Alibaba)

    Set this toggle to On to add Transit Egress Capability to this Transit Gateway.

    Gateways with Transit Egress Capability set to On are ready to have attachments added (FireNet or Transit Egress).

    For Azure and GCP, you must select Transit Egress Capability when the gateway is created. Otherwise, the gateway will not appear as an available Transit Gateway when you add FireNet or Transit Egress to a Transit Gateway.

    BGP over LAN (Azure and GCP)

    Set this toggle to On for BGP over LAN connections for this Transit Gateway.

    For Azure, also enter the number of BGP over LAN interfaces you need (maximum is eight).

    For GCP, select the subnet on which to apply the BGP over LAN connection.

    For GCP, you cannot set BGP over LAN to On after the Transit Gateway is created.

    Use the Instances section to create highly available Transit gateway instances.

    • A Transit Gateway can have up to two highly available gateway instances.

    • The gateway instances share the same properties as the Transit Gateway.

    • The gateway instances are created in active-active mode.

    To create a gateway instance, click + Instance and designate the subnet and IP address of the gateway instance.

    Parameter

    Description

    Attach to Subnet

    Select the subnet in which to create the Transit gateway instance.

    For best practice, select a different subnet in a different availability zone from the other Transit gateway instance.

    Public IP

    Select the public IP address of the gateway instance.

    (AWS only) To allocate a new EIP, leave Public IP as Allocate New Static Public IP.

  3. Click Save.

For more information about these settings, see Enabling Transit Gateway General Settings.

To monitor the progress of this gateway creation, see Monitoring the Progress of Gateway Creation.

Creating a Spoke Gateway

Follow the steps below to create a Spoke Gateway and highly available Spoke gateway instances.

  1. In CoPilot, navigate to Cloud Fabric > Gateways > Spoke Gateways tab, and click + Spoke Gateway.

  2. Create the Spoke Gateway.

    Provide the following information for the Spoke Gateway.

    Parameter

    Description

    Name

    Enter a name for the Spoke Gateway.

    Cloud

    Select the Cloud Service Provider (CSP) in which to create the Spoke Gateway.

    For AWS and Azure, you can use the dropdown menu to select Standard or Global, China, or GovCloud.

    Account

    Select the cloud access account for creating the Spoke Gateway.

    Region

    Select the cloud region in which to create the Spoke Gateway.

    VPC/VNet

    Select the VPC or VNet in the selected region in which to create the Spoke Gateway.

    Instance Size

    Select the gateway instance size.

    When selecting the gateway size, note that the size you select affects your IPsec performance.

    High Performance Encryption

    Set this toggle to On to enable High Performance Encryption (HPE) for the Spoke Gateway.

    HPE enables 10Gbps and higher IPsec performance between two single Aviatrix Gateway instances, or between a single Aviatrix Gateway instance and an on-prem Aviatrix appliance.

    You cannot turn High Performance Encryption On or Off after the Spoke Gateway is created.

    Attach to Transit Gateway

    Select the Transit Gateway to which to attach this Spoke Gateway.

    Use the Advanced Settings section to set the advanced gateway settings that may apply.

    Parameter

    Description

    BGP (all clouds)

    Set this toggle to On to enable the Spoke Gateway to establish BGP connections to external routers and dynamically exchange routes.

    BGP over LAN (Azure only)

    Set this toggle to On for BGP connections over LAN.

    Enter the number of LAN interfaces you need (maximum is eight) for the BGP connection.

    You must set both BGP and BGP over LAN settings to On to enable BGP over LAN connection on the Spoke Gateway.

    Global VPC (GCP only)

    Set this toggle to On to connect the Spoke Gateway to a global VPC.

    Use the Instances section to create highly available Spoke gateway instances.

    • A Spoke Gateway can have up to 15 highly available gateway instances.

    • All gateway instances share the same properties as the Spoke Gateway.

    • All gateway instances are created in active-active mode.

    • A BGP-enabled Spoke Gateway can have up to two highly available gateway instances.

    • A Spoke Gateway with Site2Cloud, SNAT, DNAT, or FQDN enabled can have up to two highly available gateway instances.

    To create a gateway instance, click + Instance and designate the subnet and IP address of the gateway instance.

    Parameter

    Description

    Attach to Subnet

    Select the subnet in which to create the Spoke gateway instance.

    For best practice, select a different subnet in a different availability zone from the other Spoke gateway instances.

    Public IP

    Enter the public IP address of the gateway instance.

    (AWS only) To allocate a new EIP, leave Public IP as Allocate New Static Public IP.

  3. Click Save.

To monitor the progress of this gateway creation, see Monitoring Gateway Creation.

Attaching a Spoke Gateway to a Transit Gateway

To attach a Spoke Gateway to a Transit Gateway:

  1. In CoPilot, go to Cloud Fabric > Gateways > Spoke Gateways tab.

  2. In the table, locate the Spoke Gateway you want to attach and click the Manage Transit Gateway Attachment icon on the right side of its row.

  3. In the Manage Gateway Attachment dialog, click +Transit Gateway Attachment.

  4. From the Transit Gateway dropdown menu, select the Transit Gateway to which to attach the Spoke Gateway.

  5. Use the Advanced section to select custom route tables and enable multiple tunnels.

    Parameter

    Description

    Customize Route Table Attachment

    Set the toggle to On to enable custom route tables. Then, from the Select Route Tables dropdown menu, select the route table(s) to attach to this Spoke Gateway.

    Max Performance

    Set the toggle to On to create the maximum number of High Performance Encryption tunnels for the Spoke-to-Transit attachment.

    • The Max Performance option is valid only when both the Spoke and Transit Gateways are launched with High Performance Encryption enabled and are in the same cloud type.

    • The number of tunnels that are created depends on the gateway instance sizes.

    • If Max Performance is Off, only one tunnel is created (even when HPE is enabled for both Spoke and Transit Gateway).

    • To switch between multiple tunnels or one tunnel, detach and reattach the Spoke Gateway to the Transit Gateway.

  6. Click Save.

  7. To attach another Transit Gateway to this Spoke Gateway, repeat the steps above.

Aviatrix Controller attaches the Spoke VPC/VNet to the Transit VPC by building encrypted peering between the Spoke Gateway and the Transit Gateway.

(Diagram: Spoke VPC attached to the Transit VPC through encrypted Spoke-to-Transit gateway peering)

View the Network Topology

After you have built the Multicloud Transit Network:

  • To view the network topology, open the Cloud Fabric > Topology page.

  • To view the Spoke to Transit Gateway connections and route table information, open the Gateway Instances page.

Transit Network APIs

You can automate multicloud transit network workflow configuration by using Terraform. If you are building a transit network by following this Multicloud Transit Network Workflow, you can follow this Terraform example.
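The following Terraform configuration is an added example of the workflow on this page (Transit Gateway with an HA instance, Spoke Gateway with an HA instance, and the Spoke-to-Transit attachment with Max Performance) written against the Aviatrix Terraform provider; it is not the Terraform example referenced above. The account name, VPC IDs, subnet CIDRs, availability zones, and gateway names are placeholders, and the provider block (Controller address and credentials) is assumed to be configured elsewhere.

```hcl
# Assumptions (not from the page): an Aviatrix access account named
# "aws-account", an existing Transit VPC "vpc-0aaaaaaaaaaaaaaaa" and a
# Spoke VPC "vpc-0bbbbbbbbbbbbbbbb" in us-east-1, and an aviatrix
# provider block configured elsewhere. With insane_mode (HPE) on AWS,
# "subnet"/"ha_subnet" are CIDRs the Controller carves out in the VPC.

locals {
  cloud_type = 1          # 1 = AWS in the Aviatrix provider
  region     = "us-east-1"
}

resource "aviatrix_transit_gateway" "transit" {
  cloud_type        = local.cloud_type
  account_name      = "aws-account"
  gw_name           = "transit-use1"
  vpc_id            = "vpc-0aaaaaaaaaaaaaaaa"
  vpc_reg           = local.region
  gw_size           = "c5.xlarge"   # not t2: t2 is POC/prototyping only
  subnet            = "10.1.0.0/28"
  insane_mode       = true          # High Performance Encryption; fixed at creation
  insane_mode_az    = "us-east-1a"
  ha_subnet         = "10.1.0.16/28" # HA instance in a different AZ
  ha_gw_size        = "c5.xlarge"
  ha_insane_mode_az = "us-east-1b"
}

resource "aviatrix_spoke_gateway" "spoke" {
  cloud_type        = local.cloud_type
  account_name      = "aws-account"
  gw_name           = "spoke-app-use1"
  vpc_id            = "vpc-0bbbbbbbbbbbbbbbb"
  vpc_reg           = local.region
  gw_size           = "c5.xlarge"
  subnet            = "10.2.0.0/28"
  insane_mode       = true          # must match the Transit Gateway for Max Performance
  insane_mode_az    = "us-east-1a"
  ha_subnet         = "10.2.0.16/28"
  ha_gw_size        = "c5.xlarge"
  ha_insane_mode_az = "us-east-1b"
}

# Both gateways have HPE enabled and are in the same cloud, so
# enable_max_performance builds the maximum number of HPE tunnels.
# Changing it later requires detaching and reattaching the Spoke.
resource "aviatrix_spoke_transit_attachment" "spoke_to_transit" {
  spoke_gw_name          = aviatrix_spoke_gateway.spoke.gw_name
  transit_gw_name        = aviatrix_transit_gateway.transit.gw_name
  enable_max_performance = true
}
```

Run `terraform plan` first and confirm that the two instances of each gateway land in different availability zones before applying.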

Next Steps

You can peer Transit Gateways to expand your Aviatrix Transit Network across multiple clouds and regions. See Building Aviatrix Transit Gateway Peering.

You can connect the Transit Gateway to external devices such as on-prem firewalls and routers to connect to your datacenter. See Connecting the Transit Network to On-Premise.

You can connect the Transit Gateway to an Edge Gateway to extend your Aviatrix Transit Network to the network edge. See Extending Transit Network to Network Edge with Aviatrix Secure Edge.