Multicloud Transit Routing and Networking FAQs

  • 10 July 2020

Are there any BGP route limitations in Aviatrix?

There are no limitations.

Does VNet peering have route limits like AWS?

You have a limit of 500 VNet peers. Any time you need to change a CIDR or add a new subnet, you need to break ALL of the peerings, which causes an outage. The same challenges apply in AWS.

Using Aviatrix TG, can AWS applications talk to applications in GCP or Azure?

Absolutely, and it's very easy to do.

Do Aviatrix GWs still work if the controller is down?

Yes. The controller is not in the data path.

Do the Aviatrix Gateway and controller run on Linux VMs?

Yes, but they are launched from the marketplace and fully automated; you do not have to do anything on a terminal.

If the Aviatrix Transit Gateway is provided by Aviatrix, does that work for a customer only hosted across AWS?

Aviatrix Transit works across AWS/Azure/GCP/OCI.

Will subnets in the Transit Gateway have routes to all other VPCs and connected networks?

Yes. And you can launch spokes from the hub into any cloud, too.

Who configures the TGWs? Would it be the customers or the cloud providers?

We provision, orchestrate, and configure the TGW. We do not ingest existing TGWs.

Does TGW support transitive peering between connected TGWs?

Yes, you can Transit via the TGW, between two other TGWs.

Is the firewall functionality built into the Aviatrix gateways?

We have a basic firewall built in. Typically, customers use the NGFW they are used to.

What is the difference between TGW and VGW in AWS? Both are used to connect VPCs to on-premises networks, right?

The AWS TGW and VGW are different. The TGW is for transit routing, while the VGW is like your VPN concentrator in the cloud, used to build IPsec VPN tunnels.

Does the AWS Transit allow multiple transit gateways within a single region?

They do, but you can’t peer them with each other. So it's like having islands of connectivity.

How many gateways can a single Aviatrix controller manage?

A single Aviatrix controller can manage thousands of gateways.

Do the controllers in HA act as Active/Active or Active/Standby?

They act as Active/Standby.

Is the Aviatrix security domain managed in the controller?


Does packet inspection happen at a Gateway Level?


Is certificate based encryption from hosted PKI supported for encryption between Aviatrix Gateways?

You can find more information about this here:

Is the Aviatrix Gateway available with built in VPN support for end user connectivity?

Yes. OpenVPN.

Can we replace Cloud Gateway Router with Aviatrix Gateway router?

Yes. This depends on the use case. In the ExpressRoute use case, that gateway becomes the underlying network for the tunnels we build over the top.

In the case of multiple DirectConnect and ExpressRoute circuits, how does Aviatrix choose the best one for specific traffic, latency, and bandwidth?

It is a very common design for a lot of enterprise customers. There are different options available. Enterprises mainly use BGP AS_PATH manipulation, route filtering, and other BGP features to influence the routing. This can be seen in the case studies here:

What is wrong with SNAT?

When you use SNAT, the source IP is rewritten to the firewall's IP, so you lose visibility of the original source. One impact is that you can't use Security Groups at the destination to restrict traffic to specific sources, because everything appears to come from the same firewall IP.
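The following is an added illustration, not code from the original post: a small simulation of a destination security group evaluated with and without SNAT at the firewall. The firewall address, subnets and rules are constructed sample values.

```python
# Added example: how SNAT at a firewall defeats source-based security group rules.
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

FW_IP = ip_address("10.0.0.5")  # constructed firewall address used for SNAT


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


def snat(pkt: Packet, nat_ip: IPv4Address = FW_IP) -> Packet:
    """Source NAT: rewrite the packet's source address to the firewall's IP."""
    return replace(pkt, src=nat_ip)


def sg_allows(pkt: Packet, rules) -> bool:
    """Security group check: allow if any (source CIDR, port) rule matches."""
    return any(pkt.src in ip_network(cidr) and pkt.dport == port
               for cidr, port in rules)


def evaluate(packets, rules, use_snat: bool) -> dict:
    """Map each original source IP to the security group verdict at the destination."""
    verdicts = {}
    for p in packets:
        seen_at_dest = snat(p) if use_snat else p  # the destination only sees post-NAT source
        verdicts[str(p.src)] = sg_allows(seen_at_dest, rules)
    return verdicts


# Constructed sample traffic: one trusted and one untrusted source, same destination/port.
SAMPLE = [Packet(ip_address("10.1.2.3"), ip_address("10.9.0.10"), 443),  # trusted app subnet
          Packet(ip_address("10.7.8.9"), ip_address("10.9.0.10"), 443)]  # untrusted subnet
RULES = [("10.1.0.0/16", 443)]  # intended policy: only the trusted subnet may reach 443


def demo() -> dict:
    return {
        "without_snat": evaluate(SAMPLE, RULES, False),            # policy works as intended
        "with_snat": evaluate(SAMPLE, RULES, True),                # everything is dropped
        "with_snat_fw_rule": evaluate(SAMPLE, [("10.0.0.5/32", 443)], True),  # everything passes
    }
```

Once the rule is widened to the firewall IP to restore connectivity, the security group can no longer tell the trusted source from the untrusted one, which is the visibility loss the answer describes.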

What’s the difference between the Aviatrix TGW and the Aviatrix GW router in the Transit VNet?

It’s the same thing. When you deploy Aviatrix Gateway in Transit, it is referred to as the Aviatrix Transit Gateway.

Can we run a routing protocol between a VPC and Transit GW?

Not with the AWS native solution.

Are the route advertisements from TGW dynamic when running BGP?

Yes, if you attach a CIDR to the TGW via a VPC attachment, it will be advertised dynamically. However, you have zero control over that in AWS. It's a blast. There is no visibility, no control, no traffic engineering support.

How can VPCs within the same region talk without transit peering?

This can happen through direct VPC-to-VPC peering.

Can you connect directly from your transit to O365 SaaS if your transit lives in AWS?

Yes. Essentially, O365 is a SaaS offering that is internet facing. Any resources in AWS looking to leverage O365 would simply egress out to the Internet to access these services. Aviatrix can orchestrate firewall services for those AWS environments needing access.

When deploying the Aviatrix GWs at every spoke VNet/VPC, would they IPsec-peer to their Transit Aviatrix GW automatically?

Yes, you are right. But that's just the beginning, Aviatrix adds much more control, like defining which VPCs need L4 vs L7 inspection, routing native ingress traffic from the internet, route advertisement and control to Direct Connect, and more.
