
Network management is complex and multi-layered. Our Tech Deep Dive series is made for cloud architects, engineers, developers, operations, platform, and security teams who want the deeper technical explanation of the Aviatrix solution. We’ll explore the particular details of what makes our data plane, feature set, and configuration work, and how they empower networking teams.
In this post, Tim McConnaughy, Technical Marketing Engineer, explains how the Aviatrix data plane uses the hub and spoke model, SDN-orchestrated IPsec fabrics, and patented High Performance Encryption technology to maximize both security and performance.
For cloud infrastructure, securing and optimizing network performance across distributed environments remains one of the biggest challenges facing enterprises today. Traditional networking approaches often fall short when applied to cloud-native architectures, leaving organizations struggling with performance bottlenecks, security gaps, and operational complexity.
This blog post will explore how Aviatrix has revolutionized this space through an innovative data plane solution that leverages software-defined networking principles to orchestrate high-performance IPsec fabrics across cloud service provider networks.
What You’ll Learn:
- How Aviatrix’s hub and spoke IPsec fabric architecture centralizes and simplifies network management
- How Aviatrix’s software-defined Controller increases throughput
- The advantages of Aviatrix’s patented High Performance Encryption (HPE) solution
Hub and Spoke IPsec Fabrics: The Foundation of Secure Cloud Connectivity
The traditional approach to cloud networking often involves direct connections between virtual private clouds or virtual networks, creating a complex mesh of point-to-point connections that becomes increasingly difficult to manage as organizations scale. Aviatrix addresses this challenge through its hub and spoke IPsec fabric architecture, which provides a centralized approach to cloud connectivity while maintaining the security and performance requirements of cloud workloads.
In the Aviatrix data plane model, spoke VPCs or VNets contain the actual cloud workloads and applications that organizations run in their cloud environments. Each spoke deployment includes one or more network virtual appliances that are responsible for establishing secure IPsec connections. These spoke appliances connect to centralized hub appliances deployed in dedicated hub VPCs that contain no workloads other than the networking infrastructure itself.
How the Hub and Spoke Model Streamlines Traffic Flows
From a traffic flow perspective, spoke VPCs route their east-west traffic through the hub when communicating with other workloads in different spokes, ensuring consistent security policy enforcement and centralized traffic inspection capabilities. Similarly, north-south traffic destined for on-premises resources flows through the hub, providing a single point of policy enforcement and monitoring for hybrid cloud connectivity.
The hub and spoke model simplifies network management by reducing the number of connections that must be maintained and monitored.
Rather than managing individual connections between every pair of VPCs, administrators can focus on the spoke-to-hub connections, dramatically reducing operational overhead while facilitating consistent security policy application across the entire network fabric.
SDN-Orchestrated IPsec Fabrics: Breaking the Traditional Performance Barrier
The true innovation of the Aviatrix data plane lies in its software-defined networking Controller, which orchestrates the entire IPsec fabric. This data plane fundamentally improves how encryption is implemented in cloud environments. Traditional IPsec solutions face significant performance limitations because they rely on single-threaded processing models that cannot effectively utilize the multiple CPU cores available in modern virtual machine instances.
By the Numbers: How the Aviatrix SDN Controller Increases Throughput
Cloud Service Providers’ native IPsec VPN solutions are typically limited to between 1.25 Gbps and 2 Gbps regardless of the underlying connection capacity, even when organizations have direct connections to the cloud with 10 Gbps or more bandwidth available. This limitation stems from the fundamental architecture of traditional IPsec implementations, which establish single tunnels between endpoints and direct all traffic through a single CPU core, regardless of how many cores are available in the virtual machine.
The Aviatrix SDN Controller addresses this limitation through intelligent orchestration of multiple IPsec tunnels between network virtual appliances. Under normal circumstances, the Controller establishes connections between one or two network virtual appliances on each side of the connection, enabling throughput in the 4-8 Gbps range. This represents a significant improvement over traditional IPsec solutions and provides organizations with the performance necessary to maximize their cloud infrastructure investments.
The Controller manages all aspects of the IPsec fabric automatically, including:
- Encryption algorithm selection
- Key rotation schedules
- Tunnel establishment procedures
This automation eliminates the manual configuration and ongoing maintenance typically associated with IPsec deployments. It reduces both the potential for human error and the operational overhead required to maintain secure connectivity across cloud environments.
Aviatrix’s Competitive Advantage: High Performance Encryption (HPE) Technology
While the standard Aviatrix IPsec fabric provides significant performance improvements over traditional solutions, the company’s most significant innovation lies in its patented High Performance Encryption technology.
With Aviatrix High Performance Encryption Mode tunneling, IPsec encryption can achieve 10 Gbps, 25 Gbps and beyond, leveraging the multiple CPU cores available and using SDN orchestration.
Aviatrix Gateways leverage patented technology to aggregate processing cores and tunnels to achieve wire-speed IPsec throughput up to 100 Gbps, a huge advancement in cloud encryption capabilities.
The technical implementation of High Performance Encryption involves the SDN Controller orchestrating a sophisticated multiplexing approach across multiple IPsec tunnels. Rather than relying on a single tunnel that can only utilize one CPU core, the Aviatrix solution creates multiple distinct IPsec tunnels and distributes flows across them, so that all available CPU cores in the virtual machine instance are used and the single-tunnel limitation is overcome. This approach lets the SDN Controller take on the work of managing and multiplexing traffic flows while securing the entire connection at near wire speed.
The implementation typically requires cloud service provider peering between the VPCs to establish the private network links necessary for maximum performance. However, the Aviatrix Controller manages this complexity by automatically establishing the required peering relationships and configuring the multiple tunnel endpoints without manual intervention. This automation ensures that organizations can achieve maximum performance levels without requiring deep expertise in the specific networking constructs of each cloud platform.
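To make the multiplexing idea concrete, the following is an added illustration written for this post; it is not Aviatrix code and does not describe how the Aviatrix Gateway actually pins flows to tunnels. It models hashing each flow onto one of several IPsec tunnels and the throughput ceiling that results; the 2 Gbps per-tunnel figure, the sample flows and the tunnel and core counts are assumptions chosen for the example.

```python
import hashlib
from collections import Counter

# Assumed per-tunnel ceiling (illustration only): one tunnel bound to one
# core, taken as 2 Gbps, the upper end of the 1.25-2 Gbps figure cited above.
PER_TUNNEL_GBPS = 2.0

def tunnel_for_flow(five_tuple, n_tunnels):
    """Pick the tunnel (IPsec SA pair) for a flow by hashing its 5-tuple.

    Keeping all packets of one flow on one tunnel matters: each SA has its own
    sequence numbers and anti-replay window, so spraying one flow's packets
    across tunnels would reorder them and trip replay checks at the receiver.
    """
    key = "|".join(str(part) for part in five_tuple).encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:8], "big") % n_tunnels

def distribute_flows(flows, n_tunnels):
    """Return {tunnel_index: number_of_flows} for a set of flows."""
    return Counter(tunnel_for_flow(flow, n_tunnels) for flow in flows)

def capacity_gbps(n_tunnels, n_cores, per_tunnel_gbps=PER_TUNNEL_GBPS):
    """Aggregate ceiling: each tunnel needs a core, so the smaller count wins."""
    return min(n_tunnels, n_cores) * per_tunnel_gbps

def usable_gbps(flows, n_tunnels, n_cores, per_tunnel_gbps=PER_TUNNEL_GBPS):
    """Ceiling actually reachable by these flows: a tunnel with no flows
    hashed onto it contributes nothing, which is why per-flow hashing pays off
    with many concurrent flows rather than one elephant flow."""
    active_tunnels = len(distribute_flows(flows, n_tunnels))
    return min(active_tunnels, n_cores) * per_tunnel_gbps

# Constructed sample: 64 TCP flows from spoke hosts 10.1.0.x to 10.2.0.y:443.
SAMPLE_FLOWS = [("10.1.0.%d" % i, "10.2.0.%d" % (i % 7), 6, 40000 + i, 443)
                for i in range(64)]

if __name__ == "__main__":
    for tunnels in (1, 4, 8):
        print("tunnels=%d cores=8 ceiling=%.1f Gbps usable=%.1f Gbps spread=%s"
              % (tunnels, capacity_gbps(tunnels, 8),
                 usable_gbps(SAMPLE_FLOWS, tunnels, 8),
                 dict(sorted(distribute_flows(SAMPLE_FLOWS, tunnels).items()))))
```

The single-tunnel case stays at the per-core ceiling no matter how many cores the instance has, while a single elephant flow also gains nothing from extra tunnels because it hashes to only one of them.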
High Performance Encryption represents more than just a performance improvement; it fundamentally changes the economics of cloud encryption. Organizations can now encrypt all traffic flows without concern for performance penalties, enabling comprehensive security postures that were previously impractical due to throughput limitations. This capability is especially valuable for organizations with high-volume data transfers, real-time applications, or compliance requirements that mandate encryption for all data in transit.
Experience the Aviatrix Advantage
The Aviatrix data plane solution represents a fundamental shift in how organizations can approach cloud networking and security. By combining the proven benefits of hub and spoke architectures with the innovation of SDN-orchestrated IPsec fabrics and patented High Performance Encryption technology, Aviatrix enables enterprises to achieve the security, performance, and operational simplicity necessary for successful cloud transformation.
- Explore more technical deep dives into the Aviatrix solution here.
- Learn more about how the Aviatrix Secure High-Performance Datacenter Edge solution uses High Performance Encryption to optimize hybrid networking.