Cloud Service Providers' IPsec VPN solutions are limited to 1.25 Gbps, regardless of whether you have a 10 Gbps or faster direct connection to the cloud. The reason is that a CSP VPN gateway establishes a single tunnel, so the Ethernet interface of the virtual device can only steer incoming packets to a single core, limiting throughput to one CPU core no matter how many cores the instance has.

Insane Mode
Aviatrix Insane Mode tunneling establishes multiple tunnels between two virtual routers, allowing all CPU cores to be used so that performance scales with the CPU resources.

Aviatrix Insane Mode can achieve 10 Gbps, 25 Gbps and beyond by leveraging multiple CPU cores in a single instance. The following Google Cloud Compute Engine machine types support Insane Mode:
- n1-highcpu-4
- n1-highcpu-8
- n1-highcpu-16
- n1-highcpu-32
- n2-highcpu-4
- n2-highcpu-8
- n2-highcpu-16
- n2-highcpu-32
- c2-standard-4
- c2-standard-8
- c2-standard-16
- c2-standard-30
- c2-standard-60
Use Cases
- High performance Encrypted Transit
- High performance Encrypted Peering
- High performance encryption over Direct Connect/ExpressRoute/FastConnect/InterConnect
- Overcome CSP gateway performance and route limits
Performance Results

Constraints
- Gateway subnet should be at least a /26
- It is recommended to avoid deploying other instances in the same subnet
Deployment
Insane Mode is enabled during deployment. If using Terraform, setting the mc_transit module variable insane_mode = true triggers its deployment. Here is my tf file:
```hcl
module "mc_transit" {
  source                 = "terraform-aviatrix-modules/mc-transit/aviatrix"
  version                = "v2.0.0"
  cloud                  = var.cloud
  cidr                   = var.vpcs["firenet"]
  region                 = var.region
  account                = var.account
  enable_transit_firenet = true
  enable_bgp_over_lan    = var.bgpolan
  insane_mode            = var.insane
  lan_cidr               = var.vpcs["lan"]
  bgp_lan_interfaces = [{
    vpc_id = aviatrix_vpc.bgpolan.name
    subnet = var.vpcs["bgpolan"]
  }]
  ha_bgp_lan_interfaces = [{
    vpc_id = aviatrix_vpc.bgpolan-ha.name
    subnet = var.vpcs["bgpolan-ha"]
  }]
}

module "firenet_1" {
  source                 = "terraform-aviatrix-modules/mc-firenet/aviatrix"
  version                = "1.0.0"
  transit_module         = module.mc_transit
  firewall_image         = var.firewall_image
  firewall_image_version = var.firewall_image_version
  #bootstrap_bucket_name_1 = var.storage_bucket_name
  egress_cidr        = var.vpcs["egress"]
  egress_enabled     = false
  inspection_enabled = true
  instance_size      = var.instance_size
  mgmt_cidr          = var.vpcs["mgmt"]
  password           = var.password
}

module "mc-spoke" {
  for_each = {
    "spoke30" = "spoke50"
    "spoke40" = "spoke60"
  }
  source        = "terraform-aviatrix-modules/mc-spoke/aviatrix"
  version       = "1.1.2"
  account       = var.account
  cloud         = var.cloud
  name          = "gcp-${each.value}-${var.region}"
  region        = var.region
  cidr          = var.vpcs["${each.value}"]
  inspection    = true
  transit_gw    = module.mc_transit.transit_gateway.gw_name
  ha_gw         = true
  instance_size = var.instance_size
  single_az_ha  = false
  insane_mode   = var.insane
}

resource "aviatrix_vpc" "bgpolan" {
  cloud_type   = 4
  account_name = var.account
  name         = "gcp-bgpolan-${var.region}"
  subnets {
    name   = "gcp-bgpolan-${var.region}"
    region = var.region
    cidr   = var.vpcs["bgpolan"]
  }
}

resource "aviatrix_vpc" "bgpolan-ha" {
  cloud_type   = 4
  account_name = var.account
  name         = "gcp-bgpolan-ha-${var.region}"
  subnets {
    name   = "gcp-bgpolan-ha-${var.region}"
    region = var.region
    cidr   = var.vpcs["bgpolan-ha"]
  }
}
```
It deploys a BGPoLAN-enabled HPE (Insane Mode) FireNet hub with 2 x FortiGates and 2 x spokes for testing. If deploying the transit gateway from the Controller GUI, there is a checkbox to enable/disable HPE:

Exploring
With Insane Mode between a Transit Gateway and a Spoke Gateway, the Aviatrix Controller automatically creates the underlying peering connection and builds the tunnels over it:

We can count 15 tunnels between a transit gateway and a spoke with Insane Mode enabled:
- we can see that the private IPs are used to form the tunnels

A "vanilla" gateway uses the public IP, and we count only two tunnels per transit-spoke pair:
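One way to verify the two patterns described above (many tunnels over private IPs for Insane Mode, a single tunnel over public IPs for a vanilla gateway) from a gateway's own IPsec state, as an added example that is not part of the original post or of Aviatrix tooling. It assumes `ip xfrm state` style output, where each tunnel appears as two ESP SAs sharing a reqid; the sample text is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of `ip xfrm state` output: every IPsec tunnel
# shows up as two ESP SAs (one per direction) that share a reqid. The first two
# tunnels run between private addresses, the third between public ones.
SAMPLE_XFRM = """\
src 10.10.0.2 dst 10.20.0.2
    proto esp spi 0xc1a2b301 reqid 1 mode tunnel
src 10.20.0.2 dst 10.10.0.2
    proto esp spi 0xc1a2b302 reqid 1 mode tunnel
src 10.10.0.2 dst 10.20.0.2
    proto esp spi 0xc1a2b303 reqid 2 mode tunnel
src 10.20.0.2 dst 10.10.0.2
    proto esp spi 0xc1a2b304 reqid 2 mode tunnel
src 203.0.113.10 dst 198.51.100.20
    proto esp spi 0xc1a2b305 reqid 3 mode tunnel
src 198.51.100.20 dst 203.0.113.10
    proto esp spi 0xc1a2b306 reqid 3 mode tunnel
"""

# RFC 1918 ranges checked explicitly (ipaddress.is_private also matches the
# documentation test nets used for the public sample, so it is not used here).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SA_RE = re.compile(r"src (\S+) dst (\S+)\s+proto esp spi 0x[0-9a-f]+ reqid (\d+)")

def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def summarize_tunnels(xfrm_text):
    """Group ESP SAs into tunnels per unordered peer pair.

    Returns {(ip_a, ip_b): {"tunnels": n, "private": bool}}: the pair is sorted,
    n counts distinct reqids (one per tunnel) and private is True when both
    endpoints are RFC 1918 addresses.
    """
    reqids = defaultdict(set)
    for src, dst, reqid in SA_RE.findall(xfrm_text):
        pair = tuple(sorted((src, dst), key=ipaddress.ip_address))
        reqids[pair].add(int(reqid))
    return {pair: {"tunnels": len(ids), "private": all(is_rfc1918(ip) for ip in pair)}
            for pair, ids in reqids.items()}

def looks_like_insane_mode(summary, pair):
    """Several tunnels over private IPs matches the Insane Mode pattern; a
    single tunnel over public IPs is the vanilla gateway case."""
    info = summary[pair]
    return info["tunnels"] > 1 and info["private"]
```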
