Planning Your CoPilot Deployment

This section discusses prerequisite information and tasks for deploying Aviatrix CoPilot.

It is assumed that you have already deployed Aviatrix Controller, either from a CSP or via Terraform. Aviatrix CoPilot works in tandem with Aviatrix Controller.

Subscribe to the Aviatrix CoPilot Offer in the Marketplace

For a CoPilot deployment, the first step is to log in to the CSP marketplace and subscribe to the CoPilot AMI. Search for the "Aviatrix CoPilot" offer.

Consult with your Aviatrix Sales Representative for the subscription you require if you are not sure.

To subscribe to a CoPilot offer in the cloud marketplace, use these steps:

  1. Log in to the marketplace of your chosen cloud provider using your provider user account credentials. CoPilot is available in the marketplaces for:

    • Amazon Web Services (AWS)

    • Google Cloud Platform

    • Microsoft Azure Marketplace

    • Oracle Cloud Infrastructure (OCI)

  2. Locate the "Aviatrix CoPilot" subscription offer and click Continue to Subscribe.

    Use the latest base image release version of the CoPilot AMI that is listed on the marketplace. For information about the latest Aviatrix CoPilot base image releases, see Aviatrix CoPilot Image Release Notes.

  3. When prompted, review the subscription pricing information and accept the terms and conditions. You may be prompted to confirm your subscription before moving on to configuration.

    • If you want to deploy CoPilot via the Controller UI or via Terraform scripts, you can stop here and refer to the instructions for each deploy method.

    • If you want to deploy CoPilot from your CSP marketplace, you can continue with the rest of the steps in Deploy CoPilot from the Marketplace.

Subscribing to the Aviatrix License

In addition to subscribing to the Aviatrix CoPilot offer, if you want to enable Aviatrix CoPilot add-on features, you must subscribe to the correct license:

  • In AWS, subscribe to the Aviatrix Secure Cloud Networking (Includes Free Trial) license.

  • In Azure, GCP, or OCI, subscribe to the Aviatrix Secure Networking Platform Metered 2208-Universal 24x7 Support license.

For existing Controller deployments, if you want to enable the latest CoPilot add-on features such as CostIQ and Aviatrix Billing, you must subscribe to and accept terms for the Aviatrix Secure Networking Platform Metered 2208-Universal 24x7 Support subscription offer in the CSP marketplace.

To obtain the Aviatrix Secure Networking Platform Metered 2208-Universal 24x7 Support Subscription, follow the steps below:

  1. At the CSP marketplace, subscribe to and accept terms for the corrected subscription:

    • In AWS, the Aviatrix Secure Cloud Networking (Includes Free Trial).

    • In Azure, GCP, or OCI, the Aviatrix Secure Networking Platform 2208-Universal 24x7 Support offer.

  2. Take note of your Customer ID for this offer. Click Subscribe.

  3. Locate the left-side menu on the Controller user interface. From SETTINGS > Controller, click License.

  4. Enter your Customer ID into the Setup Aviatrix Customer ID field, and click Save.

CoPilot licensing is unified with Controller licensing (they use the same customer ID).

Obtain a Static Public IP Address

You must have a static public IP address available for your CoPilot deployment. In AWS, this would be a public elastic IP address (EIP). Be sure you have a static public IP address available before your deployment. CSPs have limits on how many static IP addresses you can have at one time. Refer to each CSP documentation for the exact number of static IP addresses you can have at one time.

Obtain Sufficient Security Group (SG) Rule Quotas

You must have a sufficient quota for security group rules in your CSP environment.

In the CSP environment, check the quota you have for security group rules. Make sure you have enough quota to support the SG rules you require for CoPilot and Controller.

For each Aviatrix gateway in your infrastructure:

  • 2 rules are required for the CoPilot SG (port 5000 for syslog, port 31283 for Netflow), and

  • 1 rule is required for the Controller SG (port 443)

For example, if you have 100 gateways, you require 200 SG rules for CoPilot and 100 SG rules for Controller.

In addition, consider the number of future gateways you may deploy if you decide to expand your infrastructure. When obtaining the rule quota in the CSP environment, obtain enough quota to account for future gateways so the quota limit is not reached when you deploy them.

If CoPilot Security Group Management is enabled and the AWS security group quota or Azure Network Security Group (NSG) rule limit is reached, the CoPilot Security Group Management feature will be disabled.

Determine Instance (VM) Sizing for Your CoPilot Deployment

You must consider how much memory and CPU you require for your CoPilot instance (virtual machine) and whether you need a single instance or cluster of instances.

The configuration of the virtual machine that you provision for your CoPilot deployment depends on the scale and the kind of networking infrastructure you have planned according to your business requirements. Work with your Aviatrix Sales representative to determine your sizing requirements. For minimum requirements and guidelines for instance (virtual machine) sizing and system requirements, see CoPilot Requirements.

Create User Account to be Used as CoPilot Service Account

You need to create a CoPilot service account in Aviatrix Controller for CoPilot services. During the Initial Setup of CoPilot, you will need to enter the credentials of this CoPilot service account.

To create a user account that will be used as CoPilot service account, perform the following steps:

  1. Log in to Controller with administrative privileges.

  2. From ACCOUNTS > Permission Groups, click +ADD NEW.

  3. Enter a unique group name. Click OK.

  4. Choose the group name that you have created for the CoPilot service account. Click Manage Permission.

  5. Click +ADD NEW.

  6. Click the permissions that you want to assign to this group. For example, Firewall Network and Gateway. If you want to give full access except Settings, click AllWrite. Click OK to continue.

    • Each permission group has its own relevant privileges. To access CoPilot features, the CoPilot service account must be assigned corresponding permissions.

    • The CoPilot ThreatIQ feature and Distributed Cloud Firewall feature require the CoPilot service account have a minimum of all_firewall_network_write permissions. The CoPilot gateway scaling feature requires all_gateway_write permissions. You must add these two permissions to your CoPilot service account if you want to use the ThreatIQ, Firewalling and Gateway features to manage your spokes and transits.

    • If you want to give all permissions (admin user), choose all_write to give full access to all CoPilot features.

  7. Go to ACCOUNTS > Account Users, click +ADD NEW to add a new user.

  8. Enter user name, user email, and password. You may need to choose a meaningful name, such as cp-service-acct. Choose the group you created for CoPilot service account. Then click OK.

  9. When this new user is displayed in the username list, you have successfully created a CoPilot service account.

See more details about CoPilot’s Service Account.