AWS Getting Started Guide

The Aviatrix Platform provides a single pane of glass that enables you to manage and support a single or multicloud network architecture. The platform includes two elements, the Controller and CoPilot. The Controller manages your network operations and CoPilot provides a GUI interface for configuration and observability.

You can deploy the Aviatrix Platform through any of the four major CSP (Cloud Service Provider) marketplaces. This guide is specific to an AWS deployment. If you want to deploy to a different CSP, see the appropriate documentation.

Aviatrix recommends deployment on AWS or Azure, as these CSPs enable you to set up HA (High Availability) for resiliency.

This document shows you how to set up and launch the Aviatrix Platform, which includes Aviatrix Controller and Aviatrix CoPilot, through the AWS Marketplace:

  • If you are familiar with Terraform, it is possible to deploy an Aviatrix Platform instance by using Terraform modules. Please see the Aviatrix Terraform Modules here.

  • You can purchase this software immediately or subscribe to a free 30-day trial.

As a general cloud security best practice, do not use the root user credentials of your AWS account to launch the Aviatrix Platform or any other AWS resources in your AWS account.


Before launching the Aviatrix Platform from your AWS account, complete the following prerequisites. Please see Planning Your Controller Deployment for more information about these prerequisites.

  • Create a new, dedicated VPC for the Controller and CoPilot.

  • Save the CIDR range to be used for launching the UI.

  • Review optional steps, creating an S3 bucket and an Application Load Balancer, and complete them if needed for your configuration.

Subscribing to the Aviatrix Licenses

After completing the Prerequisite Checklist above, you can set up and launch your Aviatrix Platform.

Subscribing to the Aviatrix AMIs (Amazon Machine Images)

An Amazon Machine Image (AMI) contains the information required to launch an instance. Your Aviatrix Controller will be listed as an instance, or EC2 (Elastic Cloud Compute), on your AWS account.

For current pricing information, please see the page in the AWS Marketplace.

To launch your Controller, subscribe to the correct Aviatrix AMI from the AWS Marketplace.

  1. Log into the AWS Marketplace. Enter “Aviatrix” in the search bar under Search AWS Marketplace products. Several options appear. Note that you will need to subscribe to the first and third options in that order:

    • Aviatrix Secure Cloud Networking (Includes Free Trial)

    • Aviatrix CoPilot

    • Aviatrix Secure Networking Platform BYOL (Bring Your Own License)

    License Description

    Aviatrix Secure Cloud Networking (Includes Free Trial)

    With this licensing option, the AWS Marketplace receives usage data from your Controller and charges based on consumption of Aviatrix functionality as described within the offer.

    Aviatrix CoPilot

    License for Aviatrix CoPilot only. This subscription offers a 64-bit (x86) architecture.

    Aviatrix Secure Networking Platform BYOL (Bring Your Own License)

    This license offers the Aviatrix Controller and CoPilot image. It requires a separate licensing agreement directly with Aviatrix.

    Subscribe to this offer after subscribing to the "Aviatrix Secure Cloud Networking (Includes Free Trial)" license above.

  2. From the marketplace, select the Aviatrix Secure Cloud Networking (Includes Free Trial) listing and click View purchase options.

  3. Click Subscribe.

  4. In the green success banner that appears above, select Set up your account.

  5. Under Aviatrix Metered Controller Subscription, go down to the License dropdown menu and select one of the following options:

    • Free Trial (30 Days) - Select this option to subscribe to a free 30-day trial license. After 30 days, the billing for a full license begins.

    • Pay-As-You-Go with 24x7 Enterprise Support - Select this option to subscribe to a full license immediately.

  6. In the Email field, enter the email address for the admin user for this account. This email address must be a business email account.

  7. Click Verify email.

    A verification code is sent to the email address you entered.

  8. Enter that code into the Verification Code in this form and click Submit Form.

    Your subscription has been activated. You receive an email from with the subject line "License key for Aviatrix Metered Controller and CoPilot." This email contains your Customer ID and Subscription ID.

  9. Save this Customer ID and Subscription ID.

If you subscribed to the free trial license, you receive notification emails 14, seven, and one day before the free trial expires and billing begins.

Next, subscribe to the Aviatrix CoPilot license.

Subscribing to Aviatrix CoPilot

  1. Return to the AWS Marketplace and search for "Aviatrix CoPilot." Select this license to subscribe to it.

  2. On the subscription’s page, click Continue to Subscribe.

Next, follow the steps below to use the BYOL offer to activate the "Aviatrix Secure Cloud Networking (Includes Free Trial)" and CoPilot license.

Activating the Metered AMI through the BYOL (Bring Your Own License) Offer

After subscribing to the "Aviatrix Secure Cloud Networking (Includes Free Trial)" subscription, click on the link in the email you received to open the Aviatrix Secure Network Platform (BYOL) offer. On the offer’s page, click Continue to Subscribe.

The BYOL or Bring Your Own License offer is required to activate the metered license you subscribed to above. You will only be billed for the metered subscription.

Next, use a CloudFormation template to launch your Controller.

Launching the Aviatrix Platform with CloudFormation

A CloudFormation template provides a layer of abstraction that makes the configuration process simpler and easier by automating many of the minor steps. Use the default CloudFormation template to launch your Controller.

  1. In your AWS account, go to AWS Marketplace Subscriptions > select the Aviatrix Secure Networking Platform - BYOL subscription. Scroll down to the Agreement section, click the Actions dropdown menu, and select Launch CloudFormation stack.

  2. On the Configure this software page, click on the Fulfillment option dropdown menu and select CloudFormation Template.

    • Under Software version, select the most recent version.

    • Under Region, click on the dropdown menu in the top right corner and select the region in which you want to deploy the Controller.

    Make sure to choose the correct region before launching the Controller instance (see the “Creating a Dedicated VPC” prerequisite above). After launching a Controller instance, you can only change that instance’s region by stopping that Controller and deploying a new one.

  3. Click Continue to launch.

  4. On the Launch this software page, click on the Choose action dropdown menu and select Launch CloudFormation. Click Launch.

  5. Use the options on the Create Stack page to set up your Controller.

    • Step 1: Create Stack – Leave the settings on this page at their defaults. Click Next.

    • Step 2: Specify stack details

      Setting Value

      Stack name

      Enter a clear and recognizable name, such as “AviatrixController.”

      Which VPC should the Aviatrix Controller be deployed in?

      Select the dedicated VPC you created for the Aviatrix Controller. Please see the Prerequisite section.

      Which public subnet in the VPC?

      Select a public subnet in the VPC. Make sure this subnet is public (it has “public” in the name).

      IPv4 address(es) to include

      Enter the IP address for the main user or operator of the Aviatrix Controller. You can enter a CIDR block, but you must add /32 to limit the Controller’s access.

      Select Controller size

      Leave the size at the default, t3.large.

      IAM role creation

      * If this is the first time you have attempted to launch the Controller, leave this setting at New. * If this is the second or later attempt, click on the dropdown menu and select aviatrix-role-ec2.

      The Aviatrix Controller must be launched on a public subnet.

      • If this your first time launching an Aviatrix Controller, select the default setting New for IAM Role Creation.

      • If an Aviatrix IAM role has been created before, select aviatrix-role-ec2 for IAM Role Creation.

    • Step 3: Configure stack options – Leave the settings on this page at their defaults and click Next.

    • Step 4: Review Stack_Name – Review the settings to make sure they are correct. Mark the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox at the bottom of the page and click Submit.

Saving the Public and Private IP Address

Review the stack creation status under the Events tab, in the Status column. When the stack creation completes, its status changes to CREATE_COMPLETE.

If you experience a rollback error and cannot successfully launch the stack, please see the Troubleshooting section at the end of this document.
  1. Select the new Controller instance on the Aviatrix Controller instance’s Stacks page.

  2. Select the Outputs tab.

  3. Save the values for the Account ID, Elastic IP (EIP) address, and Private IP addresses listed on the Outputs tab. You will need to use these later to onboard the primary access account for AWS in your Controller.

    CloudFormation Outputs Tab
    You might have to refresh your browser window and/or AWS account to see your Stack displayed with an updated status.

Setting up the New Instance in AWS

  1. In the rare situation in which you deployed CoPilot before deploying this Controller, add Aviatrix CoPilot’s IP address to the Controller’s security group.

  2. Verify that your own device’s public IP address is listed as one of the Controller’s security group rules. This step ensures that you can open the deployed Controller successfully.

    To find your device’s IP address, you can search for “what is my IP” on your browser’s search engine. You can also check or

Add IP Addresses to the Controller’s Security Group Rules

  1. Navigate to your AWS account > EC2 > your Controller’s instance > Security tab.

  2. Scroll down and select the name of the Security group on the left side of the page.

  3. On the security group’s page, click Edit inbound security rules on the right.

  4. On the Edit inbound rules page, click Add New and enter the following information:

    Setting Value



    Port range

    Leave at 0




    Enter the CoPilot’s IP address followed by the CIDR block (/32 in the example screenshot).

    Description (optional)

    Aviatrix CoPilot Public IP address

  5. Click Save rules.

  6. Repeat the previous steps to add your own device’s Public IP address to the security group rules:

    Setting Value



    Port range

    Leave at 0




    Enter your device’s public IP address followed by the CIDR block: for example,

    Description (optional)

    To better remember which IP address this is later, you can enter the name of your device here and “public IP address.”

    If your IP address changes based on device or location, make sure to add those IP addresses to the Security group rules. Make sure this list contains only verified, secure IP addresses listed to limit access to your Controller.
    Later, when you launch gateways from your Controller, each gateway creates a new Security group. You will need to add your device’s IP address to each new gateway’s Security group.

    Keep each Controller Security Group’s outbound rules at their default, open to Internet or All, to avoid blocking your Controller’s IP address from accessing the Internet.

  7. Return to your instance’s page. If you have not already done so, save the Public IPv4 and Private IPv4 for your Controller.

    Save IP Addresses

Log In and Initialize

  1. To log into your Controller, navigate to your AWS account > EC2 > your Controller instance. Select the open address icon Open Address next to your Controller’s Public IP address near the top of the page.

    If you cannot open this Public IP address, make sure your device’s IP address is listed in the Controller instance’s inbound security rules.
  2. If a “Your connection is not private” warning appears, click Advanced > Proceed to your_Controller’s_Public_IP_Address.

  3. The Controller login page opens. Enter:

    • Username – admin

    • Password – Your Controller’s private IP address. This address is listed in the top right of the Controller instance’s page in AWS.

  4. Enter your email address. This email will be used for alerts as well as password recovery if needed.

  5. When prompted, change your password. Make sure this password is secure. If the (Optional) Proxy Configuration message appears, you can set up proxy configuration or click Skip and then OK.

    Set up proxy configuration to ensure that all Internet-bound HTTP and HTTPS traffic initiated by the Controller and gateways is forwarded to the proxy server first before entering the Internet. Such traffic includes all cloud provider API calls made by the Controller and gateways.

    Note that the domain name must be excluded by the proxy server from SSL or HTTPS termination.

  6. Click Run. The Controller upgrades itself to the latest software version. Wait for a few minutes for the process to finish.

The Controller upgrade takes about 3-5 minutes. When the upgrade is complete, you can log in. Use the username “admin” and your new password to log in.

Onboard your Access Account

After logging in and initializing, onboard your AWS account in your Controller.

  1. In your Controller, navigate to Onboarding in the left sidebar. Click on the AWS icon.

    Click AWS Icon
  2. Enter your AWS account’s Customer ID. This Customer ID was emailed to you when you subscribed to the license. If you do not have a Customer ID, please contact Aviatrix Support.

  3. Skip the Enter Certificate Domain field, which is only relevant for AWS China accounts.

  4. Under Create Primary Access Account - AWS, enter:

    • Account Name - A name for this account. Note that this name is only used within your Controller and does not need to match the name or ID from your AWS account.

    • AWS Account Number - Enter your 12-digit Account ID. To find this Account ID, open your AWS account and click on the dropdown menu in the top right corner. Select Account. Your Account ID is listed at the top of the page under Account Settings.

    • IAM role-based - Mark the Use IAM Roles checkbox.

      If you leave this checkbox unmarked, use the ARN values in the optional fields in this section to set up user roles. ARN values are only required if you are onboarding an account that is separate from the one from which you deployed the Controller.
  5. Click Create.

  6. Your AWS account is now onboarded. To verify your email address, open Settings > Controller. Enter the verification code sent to your email address. You can now use advanced settings to configure your IAM roles, launch gateways, and build a single- or multicloud network architecture.

To launch Aviatrix CoPilot, please see the CoPilot Deployment Guide.

Troubleshooting if the Stack Creation Fails

If your stack creation fails to launch your CoPilot instance in AWS, check the following settings:

  • Subscribing to the correct AMIs in the right order – If you purchased the software instead of subscribing to the free trial first, make sure you subscribed to the Aviatrix Secure Networking Cloud Networking (Includes Free Trial) license from the AWS Marketplace, then the Aviatrix Secure Cloud Networking listing, before launching the CloudFormation template.

  • CIDR block – When you enter the primary user’s IP address, make sure the address includes /32 to ensure that only this user can access the Controller (for now). You can add more users later by:

    • Creating new user accounts in CoPilot. See the CoPilot Users and Permissions document for more information about new users and permissions.

    • Through UserVPN using Single Sign On (SSO).

Post-Deployment Steps

After deploying your Aviatrix Platform and logging into Aviatrix CoPilot, complete these post-deployment steps to clean up your CloudFormation stack if you subscribed to the trial license but do not wish to continue to use the Aviatrix platform.

Protecting AWS Instances from Accidental Termination

First, disable accidental termination protection for your Aviatrix Controller and CoPilot instances

  1. In your AWS account, go to the EC2 > Instances page. Find your Aviatrix Controller and Aviatrix CoPilot instances in the list.

  2. Mark the checkboxes for your Aviatrix Controller and CoPilot instances. Click Actions > Instance Settings > Change termination protection > mark the Disable checkbox > click Save.

Disabling Security Group Management Access

Disable Security Group Management access in your Controller:

  1. First, log into your new Aviatrix CoPilot account. From there, log into your Controller by clicking the Application Information icon in the top right > selecting Aviatrix Controller.

  2. Use your username and password to log into the Controller.

  3. Go to Settings > Controller > Access Security tab > click Disable.

Keep each Controller Security Group’s outbound rules at their default, open to Internet or All, to avoid blocking your Controller’s IP address from accessing the Internet.