
Network management is complex and multi-layered. Our Tech Deep Dive series is made for cloud architects, engineers, developers, operations, platform, and security teams who want the deeper technical explanation of the Aviatrix solution. We’ll explore the particular details of what makes our data plane, feature set, and configuration work, and how they empower networking teams.

In this post, Tim McConnaughy, Technical Marketing Engineer, explains how the Aviatrix data plane uses the hub and spoke model, SDN-orchestrated IPsec fabrics, and patented High Performance Encryption technology to maximize both security and performance.

For cloud infrastructure, securing and optimizing network performance across distributed environments remains one of the biggest challenges facing enterprises today. Traditional networking approaches often fall short when applied to cloud native architectures, leaving organizations struggling with performance bottlenecks, security gaps, and operational complexity.

This blog post will explore how Aviatrix has revolutionized this space through an innovative data plane solution that leverages software-defined networking principles to orchestrate high-performance IPsec fabrics across cloud service provider networks.

What You'll Learn:

  • How Aviatrix's hub and spoke IPsec fabric architecture centralizes and simplifies network management

  • How Aviatrix's software-defined Controller increases throughput

  • The advantages of Aviatrix's patented High Performance Encryption (HPE) solution

Hub and Spoke IPsec Fabrics: The Foundation of Secure Cloud Connectivity

The traditional approach to cloud networking often involves direct connections between virtual private clouds or virtual networks, creating a complex mesh of point-to-point connections that becomes increasingly difficult to manage as organizations scale. Aviatrix addresses this challenge through its hub and spoke IPsec fabric architecture, which provides a centralized approach to cloud connectivity while maintaining the security and performance requirements of cloud workloads.

In the Aviatrix data plane model, spoke VPCs or VNets contain the actual cloud workloads and applications that organizations run in their cloud environments. Each spoke deployment includes one or more network virtual appliances that are responsible for establishing secure IPsec connections. These spoke appliances connect to centralized hub appliances deployed in dedicated hub VPCs that contain no workloads other than the networking infrastructure itself.

How the Hub and Spoke Model Streamlines Traffic Flows

From a traffic flow perspective, spoke VPCs route their east-west traffic through the hub when communicating with other workloads in different spokes, ensuring consistent security policy enforcement and centralized traffic inspection capabilities. Similarly, north-south traffic destined for on-premises resources flows through the hub, providing a single point of policy enforcement and monitoring for hybrid cloud connectivity.

The hub and spoke model simplifies network management by reducing the number of connections that must be maintained and monitored.

Rather than managing individual connections between every pair of VPCs, administrators can focus on the spoke-to-hub connections, dramatically reducing operational overhead while facilitating consistent security policy application across the entire network fabric.

SDN-Orchestrated IPsec Fabrics: Breaking the Traditional Performance Barrier

The true innovation of the Aviatrix data plane lies in its software-defined networking Controller, which orchestrates the entire IPsec fabric. This data plane fundamentally improves how encryption is implemented in cloud environments. Traditional IPsec solutions face significant performance limitations because they rely on single-threaded processing models that cannot effectively utilize the multiple CPU cores available in modern virtual machine instances.

By the Numbers: How the Aviatrix SDN Controller Increases Throughput

Cloud Service Providers' native IPsec VPN solutions are typically limited to between 1.25 Gbps and 2 Gbps regardless of the underlying connection capacity, even when organizations have direct connections to the cloud with 10 Gbps or more bandwidth available. This limitation stems from the fundamental architecture of traditional IPsec implementations, which establish single tunnels between endpoints and direct all traffic through a single CPU core, regardless of how many cores are available in the virtual machine.

The Aviatrix SDN Controller addresses this limitation through intelligent orchestration of multiple IPsec tunnels between network virtual appliances. Under normal circumstances, the Controller establishes connections between one to two network virtual appliances on each side of the connection, enabling throughput capabilities in the 4-8 Gbps range. This represents a significant improvement over traditional IPsec solutions and provides organizations with the performance necessary to maximize their cloud infrastructure investments.

The Controller manages all aspects of the IPsec fabric automatically, including:

  • Encryption algorithm selection

  • Key rotation schedules

  • Tunnel establishment procedures

This automation eliminates the manual configuration and ongoing maintenance typically associated with IPsec deployments. It reduces both the potential for human error and the operational overhead required to maintain secure connectivity across cloud environments.

Aviatrix's Competitive Advantage: High Performance Encryption (HPE) Technology

While the standard Aviatrix IPsec fabric provides significant performance improvements over traditional solutions, the company's most significant innovation lies in its patented High Performance Encryption technology.

With Aviatrix High Performance Encryption Mode tunneling, IPsec encryption can achieve 10 Gbps, 25 Gbps and beyond, leveraging the multiple CPU cores available and using SDN orchestration.

Aviatrix Gateways leverage patented technology to aggregate processing cores and tunnels to achieve wire-speed IPsec throughput up to 100 Gbps, a huge advancement in cloud encryption capabilities.

The technical implementation of High Performance Encryption involves the SDN Controller orchestrating a sophisticated multiplexing approach across multiple IPsec tunnels. Rather than relying on a single tunnel that can only utilize one CPU core, the Aviatrix solution creates multiple distinct IPsec flows that can be distributed across all available CPU cores in the virtual machine instance, setting up a multiplex of IPsec tunnels that overcomes the single-tunnel, single-core limitation. This approach lets the SDN Controller handle the work of managing and multiplexing traffic flows while securing the entire connection at near wire speed.
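The single-tunnel limit and the multi-tunnel approach described above can be modelled in a few lines. This is an added example, not Aviatrix code and not a description of its patented implementation; the per-flow hashing scheme, the function names, the one-core-per-tunnel mapping and the 1.25 Gbps per-tunnel figure (borrowed from the page's lower bound for a single-tunnel VPN) are all assumptions.

```python
import hashlib
from collections import defaultdict

# Assumption: each tunnel is served by one core and tops out at the page's
# lower single-tunnel figure. Real per-core rates depend on instance and cipher.
PER_TUNNEL_GBPS = 1.25


def tunnel_for(flow, n_tunnels):
    """Hash a 5-tuple to a tunnel index. A given flow always lands on the
    same tunnel, so its packets are never reordered across tunnels."""
    key = "|".join(str(field) for field in flow).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % n_tunnels


def delivered_gbps(flows, n_tunnels, cap=PER_TUNNEL_GBPS):
    """flows maps 5-tuple -> offered Gbps.
    Returns (delivered total, offered load per tunnel index)."""
    load = defaultdict(float)
    for flow, gbps in flows.items():
        load[tunnel_for(flow, n_tunnels)] += gbps
    # Each tunnel forwards at most `cap`; anything above that is dropped.
    return sum(min(v, cap) for v in load.values()), dict(load)


# Constructed sample traffic: 64 small flows of 0.1 Gbps each (6.4 Gbps offered).
MANY_FLOWS = {
    ("10.1.0.%d" % i, "10.2.0.%d" % i, 40000 + i, 443, "tcp"): 0.1
    for i in range(64)
}
# Constructed sample traffic: one 5 Gbps bulk transfer.
ONE_BIG_FLOW = {("10.1.0.9", "10.2.0.9", 50000, 873, "tcp"): 5.0}


def compare():
    """Delivered throughput for the sample traffic under each tunnel count."""
    return {
        "many_flows_1_tunnel": delivered_gbps(MANY_FLOWS, 1)[0],
        "many_flows_8_tunnels": delivered_gbps(MANY_FLOWS, 8)[0],
        "one_flow_8_tunnels": delivered_gbps(ONE_BIG_FLOW, 8)[0],
    }


if __name__ == "__main__":
    for name, gbps in compare().items():
        print(f"{name}: {gbps:.2f} Gbps")
```

In this model the aggregate scales with the number of tunnels only when traffic consists of many flows; a single flow stays pinned to one tunnel and therefore to one core's rate.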

The implementation typically requires cloud service provider peering between the VPCs to establish the private network links necessary for maximum performance. However, the Aviatrix Controller manages this complexity by automatically establishing the required peering relationships and configuring the multiple tunnel endpoints without manual intervention. This automation ensures that organizations can achieve maximum performance levels without requiring deep expertise in the specific networking constructs of each cloud platform.

High Performance Encryption represents more than just a performance improvement; it fundamentally changes the economics of cloud encryption. Organizations can now encrypt all traffic flows without concern for performance penalties, enabling comprehensive security postures that were previously impractical due to throughput limitations. This capability is especially valuable for organizations with high-volume data transfers, real-time applications, or compliance requirements that mandate encryption for all data in transit.

Experience the Aviatrix Advantage

The Aviatrix data plane solution represents a fundamental shift in how organizations can approach cloud networking and security. By combining the proven benefits of hub and spoke architectures with the innovation of SDN-orchestrated IPsec fabrics and patented High Performance Encryption technology, Aviatrix enables enterprises to achieve the security, performance, and operational simplicity necessary for successful cloud transformation.
