terraform-aviatrix-mc-spoke

Description

Deploys a VPC/VNET/VCN and Aviatrix Spoke gateways. It is also possible to use an existing VPC/VNET/VCN. China and government regions are supported in both AWS and Azure and are auto-detected from the region name.

Compatibility

| Module version | Terraform version | Controller version | Terraform provider version |
|---|---|---|---|
| v1.2.2 | >= 1.x | >= 6.7.1186 | ~> 2.22.0 |

Check release notes for more details. Check Compatibility list for older versions.

Usage Examples

See examples
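The module's examples directory is not reproduced on this page, so the following is an added example written for this README; it is not one of the module's own examples. It shows two spokes: one where the module creates the VPC and attaches it to an east/west FireNet transit with segmentation, volume encryption and route filtering enabled, and one that reuses an existing VPC and is deliberately left unattached. The registry source addresses, the transit gateway name `transit-fw-euc1`, the account name `aws-prod`, the KMS key ID and all VPC/subnet identifiers are assumptions and placeholders, not values from this page.

```hcl
# Added usage example for this README, not one of the module's own examples.
# Assumptions (not stated on this page): the module and provider are consumed
# from the Terraform registry under the source addresses below; a transit
# gateway "transit-fw-euc1" with FireNet and segmentation already exists; the
# account name, KMS key ID and VPC/subnet identifiers are placeholders.
terraform {
  required_version = ">= 1.0"
  required_providers {
    aviatrix = {
      source  = "AviatrixSystems/aviatrix" # assumed registry address
      version = "~> 2.22.0"                # from the compatibility table
    }
  }
}

# Spoke 1: the module creates the VPC, attaches it to the east/west FireNet
# transit, and restricts what the spoke can reach and advertise.
module "spoke_payments" {
  source  = "terraform-aviatrix-modules/mc-spoke/aviatrix" # assumed address
  version = "1.2.2"

  cloud      = "AWS"
  name       = "spoke-payments"
  region     = "eu-central-1"
  cidr       = "10.20.0.0/20"
  account    = "aws-prod"        # placeholder Aviatrix account name
  transit_gw = "transit-fw-euc1" # placeholder transit gateway name

  # Segmentation: the spoke lands in its own network domain and can only reach
  # domains explicitly connected to it on the transit (which must have
  # segmentation enabled).
  network_domain = "pci"

  # East/west traffic between spokes is steered through the FireNet firewalls.
  inspection = true

  # Encrypt the gateway EBS volumes with a customer-managed key.
  enable_encrypt_volume = true
  customer_managed_keys = "1234abcd-12ab-34cd-56ef-1234567890ab" # placeholder key ID

  # Advertise only this VPC's own range to on-prem, and keep a management
  # range out of this VPC's route tables even if the transit learns it.
  included_advertised_spoke_routes = "10.20.0.0/20"
  filtered_spoke_vpc_routes        = "10.250.0.0/16" # placeholder mgmt CIDR

  tags = {
    environment = "prod"
    owner       = "payments"
  }
}

# Spoke 2: reuse an existing VPC. gw_subnet and hagw_subnet must be public
# subnets (ha_gw defaults to true, so both are required). attached = false
# deploys the gateways without joining the transit, so transit_gw is omitted;
# set attached = true and supply transit_gw once the route tables are reviewed.
module "spoke_legacy" {
  source  = "terraform-aviatrix-modules/mc-spoke/aviatrix" # assumed address
  version = "1.2.2"

  cloud   = "AWS"
  name    = "spoke-legacy"
  region  = "eu-central-1"
  account = "aws-prod" # placeholder

  use_existing_vpc = true
  vpc_id           = "vpc-0123456789abcdef0" # placeholder
  gw_subnet        = "10.30.0.0/24"          # placeholder public subnet
  hagw_subnet      = "10.30.1.0/24"          # placeholder public subnet

  attached = false
}

# The module returns the aviatrix_vpc and aviatrix_spoke_gateway objects.
output "payments_vpc_id" {
  value = module.spoke_payments.vpc.vpc_id
}

output "payments_spoke_gateway_name" {
  value = module.spoke_payments.spoke_gateway.gw_name
}
```

Run `terraform init` followed by `terraform plan` against a controller that meets the compatibility table above; the plan for `spoke_legacy` should show no transit attachment, and the plan for `spoke_payments` should show the gateway created with encrypted volumes, the `pci` network domain and inspection enabled.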

Variables

The following variables are required:

| Key | Description |
|---|---|
| cloud | Cloud where this is deployed. Valid values: "AWS", "Azure", "ALI", "OCI", "GCP" |
| name | Name for this spoke VPC/VNET/VCN and its gateways |
| region | Cloud region to deploy this VPC/VNET/VCN in |
| cidr | IP CIDR to use for this VPC/VNET/VCN (not required when use_existing_vpc is true) |
| account | The account name as known by the Aviatrix controller |
| transit_gw | The name of the transit gateway to attach this spoke to. Not required when attached is set to false. |

The following variables are optional:

| Key | Default value | Description |
|---|---|---|
| approved_learned_cidrs | | A list of approved learned CIDRs. |
| attached | true | Set to false if you don't want to attach the spoke to transit_gw. |
| attached_gw_egress | true | Set to false if you don't want to attach the spoke to transit_gw_egress. |
| auto_advertise_s2c_cidrs | false | Auto-advertise Spoke Site2Cloud CIDRs. |
| availability_domain | | Availability domain in OCI. |
| az_support | true | Set to false if the region does not support Availability Zones. (Automatically set to false for gov and DoD regions.) |
| az1 | AWS: a, Azure: az-1, GCP: b | Concatenated with region to form AZ names, e.g. eu-central-1a. Used for insane mode only. |
| az2 | AWS: b, Azure: az-2, GCP: c | Concatenated with region to form AZ names, e.g. eu-central-1b. Used for insane mode only. |
| bgp_ecmp | false | Enable Equal Cost Multi Path (ECMP) routing. |
| bgp_hold_time | | BGP hold time, in seconds. |
| bgp_polling_time | | BGP route polling time, in seconds. |
| customer_managed_keys | | Customer managed key ID for EBS volume encryption. |
| customized_spoke_vpc_routes | | A list of comma-separated CIDRs to be customized for the spoke VPC routes. When configured, it replaces all learned routes in the VPC routing tables, including RFC1918 and non-RFC1918 CIDRs. Example: 10.0.0.0/16,10.2.0.0/16 |
| enable_active_standby | false | Enables Active-Standby mode. Available only with HA enabled. |
| enable_bgp | false | Enable BGP for this spoke gateway. |
| enable_encrypt_volume | false | Set to true to enable EBS volume encryption for the gateway. |
| enable_learned_cidrs_approval | false | Switch to enable/disable CIDR approval for a BGP spoke gateway. |
| fault_domain | | Fault domain in OCI. |
| filtered_spoke_vpc_routes | | A list of comma-separated CIDRs to be filtered from the spoke VPC route table. When configured, the filtered CIDR(s) or their subnets are deleted from the VPC routing tables as well as from the spoke gateway's routing table. Example: 10.2.0.0/16,10.3.0.0/16 |
| gw_subnet | | Subnet CIDR, for using an existing VPC. Required when use_existing_vpc is true. Make sure this is a public subnet. |
| ha_availability_domain | | Availability domain in OCI for the HA gateway. |
| ha_cidr | | The IP CIDR used to create the ha_region spoke subnet. Only required when ha_region is set. |
| ha_fault_domain | | Fault domain in OCI for the HA gateway. |
| ha_gw | true | Set to false if you only want to deploy a single Aviatrix spoke gateway. |
| ha_region | | Region for multi-region HA. HA is multi-AZ single-region by default, but becomes multi-region when this is set. |
| hagw_subnet | | Subnet CIDR, for using an existing VPC. Required when use_existing_vpc is true and ha_gw is true. Make sure this is a public subnet. |
| included_advertised_spoke_routes | | A list of comma-separated CIDRs to be advertised to on-prem as the Included CIDR List. When configured, it replaces all advertised routes from this VPC. Example: 10.4.0.0/16,10.5.0.0/16 |
| insane_mode | false | Set to true to enable insane mode encryption. |
| inspection | false | Set to true to enable east/west FireNet inspection. Only valid when transit_gw is an east/west transit FireNet. |
| instance_size | AWS: t3.medium, Azure: Standard_B1ms, GCP: n1-standard-1, OCI: VM.Standard2.2, Alibaba: ecs.g5ne.large | The size of the Aviatrix spoke gateways. |
| learned_cidrs_approval_mode | | Learned CIDRs approval mode. Either "gateway" (approval on a per-gateway basis) or "connection" (approval on a per-connection basis). |
| local_as_number | | Changes the Aviatrix spoke gateway ASN before you set up the spoke gateway connection configurations. |
| network_domain | | Network domain name into which the spoke is deployed. The transit gateway must be attached and have segmentation enabled. |
| prepend_as_path | | List of AS numbers to populate the BGP AS_PATH field when advertising to a VGW or peer devices. |
| private_vpc_default_route | false | Program the default route in the VPC private route table. |
| rx_queue_size | | Gateway Ethernet interface RX queue size. Once set, it can't be deleted or disabled. |
| single_az_ha | true | Set to false if Controller-managed gateway HA is desired. |
| single_ip_snat | false | Enable Source NAT in single_ip mode on the gateway. Disable the AWS NAT instance before enabling this feature. Currently only supported on AWS (cloud type 1) and Azure (cloud type 8). |
| skip_public_route_table_update | false | Skip programming the VPC public route table. |
| spoke_bgp_manual_advertise_cidrs | | Intended CIDR list to be advertised to the external BGP router. |
| subnet_groups | | Map of subnet groups to create for this spoke. Example: {"group1" = ["10.1.48.0/20~~subnet1", "10.1.64.0/20~~subnet2"], "group2" = ["10.2.48.0/20~~subnet3", "10.2.64.0/20~~subnet4"],} |
| subnet_pairs | 2 | Number of public/private subnet pairs created in the VPC. |
| subnet_size | 28 | Prefix length of the public/private subnets in the VPC. |
| tags | | Map of tags to assign to the gateway. |
| transit_gw_egress | | Secondary transit to attach the spoke to (e.g. for dual transit FireNet). When segmentation is used, transit_gw MUST be used for east/west transit. |
| transit_gw_egress_route_tables | [] | A list of route tables to propagate routes to for the transit_gw_egress attachment. |
| transit_gw_route_tables | [] | A list of route tables to propagate routes to for the transit_gw attachment. |
| tunnel_detection_time | | The IPsec tunnel down detection time for the spoke gateway, in seconds. Must be a number in the range [20-600]. Default is 60. |
| use_existing_vpc | false | Set to true to use an existing VPC instead of having this module create one. |
| vpc_id | | VPC ID, for using an existing VPC. |

Outputs

This module will return the following outputs:

| Key | Description |
|---|---|
| vpc | The created VPC as an object with all of its attributes (when use_existing_vpc is false). This was created using the aviatrix_vpc resource. |
| spoke_gateway | The created Aviatrix spoke gateway as an object with all of its attributes. |

Contributors

dennizz, inc1t3ful, joscheuerer