Aviatrix Answers

What should I understand about overcoming AWS and Azure networking limits?




Overcoming VPN Connection Limits

Cloud   Network Resource                        Default Limit   Hard Limit
-----   -------------------------------------   -------------   ----------
AWS     VPN Connections per Region              50              50
AWS     VPN Connections per VPC                 10              10
Azure   User Defined Route Tables               200             200
Azure   User Defined Routes per Route Table     400             400

The Aviatrix Site2Cloud feature is an easy, manageable way to overcome these provider limits on VPN connectivity. It also offers advanced features such as handling overlapping IP addresses. More about this here: “How can cloud app providers use Aviatrix to connect with their customers?”

Overcoming Peering and Route Table Limits

Cloud   Network Resource                            Default Limit   Hard Limit
-----   -----------------------------------------   -------------   ----------
AWS     VPC Peering Connections per VPC             50              125
AWS     Static Routes per Route Table               50              100
AWS     BGP Advertised Routes per Route Table       100             100

Cloud providers’ peering limits can be further complicated by legacy protocols like BGP. Aviatrix AVX Gateways offer encrypted, high-performance peering without filling up the cloud route tables. More about this here: “How does Aviatrix help overcome the 100 routes limit for AWS routing tables?”

Overcoming Security Group and Network ACL Limits

Cloud   Network Resource                                   Default Limit   Hard Limit
-----   ------------------------------------------------   -------------   ----------------------------------------
AWS     Security Groups per VPC                            500             500
AWS     Inbound or Outbound Rules per Security Group       60              SG rules per interface cannot exceed 300
AWS     Security Groups per Network Interface              5               26
AWS     Network ACLs per VPC                               200             200
AWS     Rules per Network ACL                              20              40

Aviatrix can operate as a lightweight stateful firewall (layer 4) to avoid cumbersome host-level security configurations: https://docs.aviatrix.com/Solutions/build_zerotrust_cloud_network.html

Enterprises also run into these security rule limits because of a requirement to whitelist approved domain names. Aviatrix has an AWS-recommended solution for whitelisting domain names (FQDN filtering): “How can I create Internet ingress and egress security patterns for AWS?”
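The security group limits in the table above interact: the rules in every group attached to an interface count against the 300-rule interface cap, so a group that is fine on its own can still push an interface over the limit. The following headroom check is an added example (not Aviatrix code); it runs over constructed sample data rather than real describe-security-groups output, and the per-direction summing across attached groups is an assumption, since the page quotes the 300 cap without naming a direction.

```python
"""Headroom check for the AWS security group limits quoted on this page.
All sample data below is constructed for illustration, not real account output."""

# Limits as quoted on this page.
RULES_PER_SG = 60          # default inbound or outbound rules per security group
SGS_PER_ENI = 5            # default security groups per network interface
RULES_PER_ENI_CAP = 300    # SG rules per interface cannot exceed 300

# Constructed sample: security group id -> (inbound rule count, outbound rule count)
SAMPLE_SGS = {
    "sg-web": (58, 5), "sg-db": (45, 2), "sg-mgmt": (30, 12),
    "sg-ops": (61, 20), "sg-misc": (59, 40), "sg-batch": (55, 10),
}
# Constructed sample: network interface id -> attached security group ids
SAMPLE_ENIS = {
    "eni-app": ["sg-web", "sg-db", "sg-mgmt"],
    "eni-bastion": ["sg-web", "sg-db", "sg-mgmt", "sg-ops", "sg-misc", "sg-batch"],
}


def sg_findings(sgs, limit=RULES_PER_SG, warn_at=0.8):
    """Return (sg_id, direction, count, status) for groups near or over the per-SG limit."""
    findings = []
    for sg_id, (inbound, outbound) in sgs.items():
        for direction, count in (("inbound", inbound), ("outbound", outbound)):
            if count > limit:
                findings.append((sg_id, direction, count, "OVER"))
            elif count >= warn_at * limit:
                findings.append((sg_id, direction, count, "NEAR"))
    return findings


def eni_findings(enis, sgs, sg_cap=SGS_PER_ENI, rule_cap=RULES_PER_ENI_CAP):
    """Per interface: attached-group count vs the default, and the aggregate rule
    count (summed per direction across attached groups; assumption, see lead-in)."""
    findings = []
    for eni_id, attached in enis.items():
        inbound = sum(sgs[s][0] for s in attached)
        outbound = sum(sgs[s][1] for s in attached)
        if len(attached) > sg_cap:
            findings.append((eni_id, "sg_count", len(attached), "OVER_DEFAULT"))
        worst = max(inbound, outbound)
        if worst > rule_cap:
            findings.append((eni_id, "rules", worst, "OVER_CAP"))
    return findings


if __name__ == "__main__":
    for finding in sg_findings(SAMPLE_SGS) + eni_findings(SAMPLE_ENIS, SAMPLE_SGS):
        print(*finding)
```

Feeding the same shapes from real describe-security-groups and describe-network-interfaces output turns this into a pre-change check before adding rules or attaching another group.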

Understanding Limits for Peering, Route Table Entries, Direct Connect and ExpressRoute

Cloud   Network Resource                                    Default Limit   Hard Limit
-----   -------------------------------------------------   -------------   ----------
AWS     Virtual Interfaces per AWS Direct Connect           50              50
AWS     Active Direct Connects per Region                   10              10
AWS     Routes per BGP Session on a Private VIF             100             100
AWS     Routes per BGP Session on a Public VIF              1000            1000
Azure   ExpressRoute Circuits per Subscription              10              10
Azure   ExpressRoute Circuits per Region per Subscription   10              10

Building a next-gen transit network can overcome these limitations. Aviatrix transit is a software-defined, low-TCO solution, so you can practice network-as-code and scale beyond provider limits.

These provider limits were referenced from: