Azure Getting Started Guide

Introduction

The Aviatrix cloud network solution consists of two components, the Controller and Gateways, both of which are Azure VMs (Virtual Machines). Gateways are launched from the Controller console to specific VNets. This guide helps you launch the Controller VM in Azure.

The following Marketplace subscriptions are required. You will subscribe to these offerings through the Launch Aviatrix guided experience.

License or Offer, with Description:

  • Aviatrix Cloud Network License Service [1]

    The Aviatrix Cloud Network License Service provides the customer IDs (licenses) that are needed to access the Aviatrix Cloud Network Controller and Aviatrix Cloud Network CoPilot. This service also calculates Aviatrix bills based on usage. A free trial is available with this offer.

  • Aviatrix Cloud Network Controller [2]

    This Bring Your Own License (BYOL) offer is for the Aviatrix Cloud Network Controller. This offer integrates with the Aviatrix Cloud Network License Service which issues a license and calculates billing.

  • Aviatrix Cloud Network CoPilot

    This BYOL offer is for the Aviatrix Cloud Network CoPilot. This offer integrates with the Aviatrix Cloud Network License Service which issues a license and calculates billing.

[1] Aviatrix Cloud Network License Service was renamed from Aviatrix Metered Offer.

[2] Aviatrix Cloud Network Controller deploys Controller 7.1.4105 and later. To deploy Controller version 7.1.4101 or earlier, subscribe to Aviatrix Secure Networking Platform BYOL.

If you subscribe to the free trial license, you receive notification emails 14, seven, and one day before the free trial expires and billing begins.

Complete the following instructions:

These instructions apply generally to both Azure commercial and Azure Government clouds for deploying an Aviatrix Controller. Note that some screenshots may show regions that are only available for commercial Azure accounts. Commercial Azure offers multiple regions worldwide while Azure Government offers four US regions: (US) USGov Virginia, (US) UsGov Arizona, (US) UsGov Iowa, and (US) UsGov.

For more information about Azure regions, click here.

Subscribing to the Aviatrix Cloud Network License Service

You must subscribe to the Aviatrix Cloud Network License Service before subscribing to the Aviatrix Cloud Network Controller.

  1. Go to the Azure Marketplace to subscribe to the Aviatrix Cloud Network License Service.

  2. Click Get it Now on the left side of the page.

  3. Mark the permissions checkbox and click Continue.

  4. Click Subscribe.

  5. Enter your Subscription name, Resource group, Name, and Recurring billing preference. Then, click Review + subscribe.

  6. Click Subscribe.

  7. After the subscription process completes, click Configure account now.

    It might take several seconds before the configuration button becomes active.

  8. Enter your email address in the Email field and click Submit.

You receive an email from admin@aviatrix.io with the subject line "License key for Aviatrix Metered Controller and CoPilot." This email contains your Controller customer ID, Copilot customer ID, and offer subscription ID. Save these values in a secure place to use later for onboarding.

You can click the link in this email to open the Azure Marketplace to the Aviatrix Secure Networking Platform BYOL (Bring Your Own License) page to continue with the subscription process.

Subscribing to the Aviatrix Cloud Network Controller Offer

After subscribing to the Aviatrix Cloud Network License Service and receiving your license key, you must subscribe to the Aviatrix Cloud Network Controller offer.

Go to the Azure Marketplace to subscribe to the Aviatrix Secure Networking Platform BYOL offer. You can also access the marketplace from the link in the email you received after subscribing to the metered offer.

  1. Click Create.

  2. On the Basics tab, do the following:

    • Create a new Resource Group titled "aviatrix."

    • Name the virtual machine. Example: "aviatrixController."

    • For the instance size, at least 8GB of RAM is recommended (the B2ms instance size should be sufficient).

    • Select an authentication type.

    • Enter a username.

      Do not use "ubuntu" as username if you use password as the authentication type.

    • If you selected the password authentication type, enter a password.

  3. On the Disks tab, you can accept the defaults or enter your choices.

  4. On the Networking tab:

    • A default subnet and security group are preconfigured. You can accept the defaults.

    • For Public IP, click Create New.

    • At Assignment, select Static and click OK.

      Keep each Controller Security Group’s outbound rules at their default, open to Internet or All, to avoid blocking your Controller’s IP address from accessing the Internet.

  5. You can accept the default settings or modify them, as needed, on the Management, Monitoring, Advanced, and Tags tabs. No configuration changes are required.

  6. When you are finished making all of your selections, click Review + subscribe.

    After several seconds, the Create button becomes active.

  7. Click Create.

  8. If you selected the option to use an SSH public key for authentication, the Generate new key pair window displays. Click Download private key and create resource.

    Resource creation takes several seconds.

    The private key is not stored by Azure or Aviatrix. This is the only opportunity to download the key. Keep the key in a safe place in case you need it in the future.

  9. When a message displays indicating the deployment is complete, click Go to resource to see resource details.

  10. Find the VM’s public IP address.

  11. Use a browser to access the Controller VM. In this example, it is https://52.188.7.xxx

  12. At the login page, enter "admin" as the username. The initial password is the internal IP address of the VM.

  13. Log into your new Controller.

  14. After logging in, click on the Onboarding tab.

Any resources created by the Controller, such as Aviatrix gateways, Azure routing entries, subnets, etc., must be deleted from the Controller console. If you delete them directly in the Azure console, the Controller’s view of the resources will be incorrect, which will lead to features not working properly.

Onboarding your Azure Account in the Aviatrix Controller

Onboarding helps you set up an account on the Aviatrix Controller that corresponds to an Azure account with policies so that the Controller can launch gateways using Azure APIs.

Follow the Azure Accounts document to create an Aviatrix account that corresponds to your Azure account credential.

  • You can create a single Aviatrix account that corresponds to AWS, Azure, and Google Cloud account credentials. This is a multicloud platform.

  • For information about how to subscribe to an Aviatrix License if you subscribe to a trial license and it expires, see Aviatrix Licensing.

Subscribing Gateway and Firewall Offers to Azure Private Marketplace for Aviatrix Deployments

Depending on your company’s security policies, you may need to add and subscribe Aviatrix gateways and firewalls to your Azure Private Marketplace using PowerShell. This document explains how to use PowerShell commands to add Aviatrix gateway offers and partner firewall offers to your Azure Private Marketplace and subscribe to them.

Since our gateway images are not publicly available, you cannot subscribe to these offers directly in your private marketplace through the Azure portal. Please follow the instructions below to complete the subscription process.

For general instructions about adding offers to your Azure Private Marketplace, see Manage a private Azure Marketplace using PowerShell. Note that this page contains the most current updates and commands. The examples in the following sections demonstrate how to apply these instructions.

Subscribing an Aviatrix Gateway Offer to Azure Private Marketplace

  1. Log into your Azure account. Make sure that you have the admin permission to run the following commands.

  2. Run the following command to install the necessary packages:

    Install-Module -Name AZ.Marketplace

  3. (Optional) If you have multiple Azure subscriptions, see Manage a private Azure Marketplace using PowerShell for more details about how to choose an appropriate subscription.

  4. Run the following command to list all images published by Aviatrix in the Azure Marketplace:

    az vm image list --publisher aviatrix --all --output table

    Save the <publisher>/<offer> for the OfferId which you will need in the following steps. In this example, it is aviatrix-systems.aviatrix-gateway.

  5. (Optional) Run the following command to get your Private StoreID, if needed:

    Get-AzMarketplacePrivateStore

  6. Run the following command to retrieve the specific image as required by the Controller from the private Marketplace:

    Get-AzMarketplacePrivateStoreOffer <PrivateStoreId> -OfferId <OfferId>

    Where:

    • <PrivateStoreId> is the PrivateStoreID you just retrieved from the previous step. For example, e796cf6d-fb86-4621-99b5-6764cafeee58

    • <OfferId> is publisherId.offerId. For example, aviatrix-systems.aviatrix-gateway

      For example:

      Get-AzMarketplacePrivateStoreOffer e796cf6d-fb86-4621-99b5-6764cafeee58 -OfferId aviatrix-systems.aviatrix-gateway

  7. Run the following command to accept the terms of the image on Azure Private Marketplace:

    az vm image accept-terms --urn <urn>

    Where:

    • <urn> is the urn value you retrieved from the previous step. For example aviatrix-systems:aviatrix-gateway:aviatrix-gateway-g3:20240512.1500.0.

  8. Run the following command to add a gateway offer to Azure Private Marketplace if your offer is not in Azure Private Marketplace.

    $Params = @{
    privateStoreId = "<privateStoreId>"
    collectionId = "<collectionId>"
    offerId = "<offerId>"
    SpecificPlanIdLimitation =@("<SpecificPlanIdLimitation>")
    }
    Set-AzMarketplacePrivateStoreCollectionOffer @Params

    Where:

    • <privateStoreId> is the privateStoreId you retrieved from the previous step.

    • <offerId> is the offerId you retrieved from the previous step.

    • <collectionId> is the collection ID, which takes the same value as the privateStoreId (see the note below).

    • <SpecificPlanIdLimitation> is the SpecificPlanIdLimitation or sku you retrieved from the previous steps.

      Use the same value of the privateStoreId for collectionId.

      For example:

      $Params = @{
      privateStoreId = "e796cf6d-fb86-4621-99b5-6764cafeee58"
      collectionId = "e796cf6d-fb86-4621-99b5-6764cafeee58"
      offerId = "aviatrix-systems.aviatrix-gateway"
      SpecificPlanIdLimitation =@("aviatrix-gateway-g3")
      }
      Set-AzMarketplacePrivateStoreCollectionOffer @Params

      Replace the offerId and SpecificPlanIdLimitation values with the correct values according to your Controller’s current software version. Use the following table:

      Release      offerID                                            SpecificPlanIdLimitation
      >= 6.7       aviatrix-systems.aviatrix-companion-gateway-v10    aviatrix-companion-gateway-v10u
      >= 6.8       aviatrix-systems.aviatrix-companion-gateway-v13    aviatrix-companion-gateway-v13u
      >= 6.9       aviatrix-systems.aviatrix-companion-gateway-v15    aviatrix-companion-gateway-v15u-6-9
      >= 7.0       aviatrix-systems.aviatrix-companion-gateway-v16    aviatrix-companion-gateway-v16
      >= 7.1.3958  aviatrix-systems.aviatrix-gateway                  aviatrix-gateway-g3

    The Aviatrix Gateway image is now part of your Azure Private Marketplace. You can now deploy Aviatrix Gateways for Azure from the Aviatrix Controller.

  9. Run the following command to validate whether the image is now available in the Private Marketplace:

    Get-AzMarketplacePrivateStoreOffer <PrivateStoreId> -OfferId <OfferId>

    For example:

    Get-AzMarketplacePrivateStoreOffer e796cf6d-fb86-4621-99b5-6764cafeee58 -OfferId aviatrix-systems.aviatrix-gateway

Example Code

Below is a full example code snippet that demonstrates the workflow:

# Install the AZ.Marketplace module
Install-Module -Name AZ.Marketplace

# List all images published by Aviatrix in the Azure Marketplace
az vm image list --publisher aviatrix --all

# Get the Private StoreID
Get-AzMarketplacePrivateStore

# Validate the Private Marketplace offer
Get-AzMarketplacePrivateStoreOffer -PrivateStoreId e796cf6d-fb86-4621-99b5-6764cafeee58 -OfferId aviatrix-systems.aviatrix-gateway

# Accept the terms of the image on Azure Private Marketplace
az vm image accept-terms --urn aviatrix-systems:aviatrix-gateway:aviatrix-gateway-g3:20240512.1500.0

# Add the offer to Azure Private Marketplace
$Params = @{
    privateStoreId = "e796cf6d-fb86-4621-99b5-6764cafeee58"
    collectionId = "e796cf6d-fb86-4621-99b5-6764cafeee58"
    offerId = "aviatrix-systems.aviatrix-gateway"
    SpecificPlanIdLimitation =@("aviatrix-gateway-g3")
}
Set-AzMarketplacePrivateStoreCollectionOffer @Params

# Validate whether the image is now available in the Private Marketplace
Get-AzMarketplacePrivateStoreOffer e796cf6d-fb86-4621-99b5-6764cafeee58 -OfferId aviatrix-systems.aviatrix-gateway
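
A Private Marketplace is an allow-list of approved images, so the values passed in step 8 are worth checking before they are applied. The following added example (not part of the original guide and not Aviatrix code) derives the offerId and plan from the URN used in step 7, checks them against the release table in step 8, and builds the $Params hashtable without calling Azure. The function names are hypothetical, and picking the highest table row whose minimum release the Controller version satisfies is an assumption about how the table is meant to be read.

```powershell
# Added example, not Aviatrix code. Rows copied from the release table in step 8.
$ReleaseTable = @(
    @{ Min = '6.7';      OfferId = 'aviatrix-systems.aviatrix-companion-gateway-v10'; Plan = 'aviatrix-companion-gateway-v10u' }
    @{ Min = '6.8';      OfferId = 'aviatrix-systems.aviatrix-companion-gateway-v13'; Plan = 'aviatrix-companion-gateway-v13u' }
    @{ Min = '6.9';      OfferId = 'aviatrix-systems.aviatrix-companion-gateway-v15'; Plan = 'aviatrix-companion-gateway-v15u-6-9' }
    @{ Min = '7.0';      OfferId = 'aviatrix-systems.aviatrix-companion-gateway-v16'; Plan = 'aviatrix-companion-gateway-v16' }
    @{ Min = '7.1.3958'; OfferId = 'aviatrix-systems.aviatrix-gateway';               Plan = 'aviatrix-gateway-g3' }
)

# Hypothetical helper: split publisher:offer:sku:version into the values step 8 needs.
function ConvertFrom-ImageUrn {
    param([Parameter(Mandatory)][string]$Urn)
    $parts = $Urn -split ':'
    if ($parts.Count -ne 4 -or $parts -contains '') {
        throw "Expected publisher:offer:sku:version, got '$Urn'"
    }
    [pscustomobject]@{ OfferId = '{0}.{1}' -f $parts[0], $parts[1]; Plan = $parts[2] }
}

# Hypothetical helper: validate the inputs and build the step 8 parameter set.
function New-PrivateStoreOfferParams {
    param(
        [Parameter(Mandatory)][guid]$PrivateStoreId,        # rejects malformed IDs
        [Parameter(Mandatory)][string]$Urn,
        [Parameter(Mandatory)][version]$ControllerVersion   # for example 7.1.4105
    )
    $image = ConvertFrom-ImageUrn -Urn $Urn
    # Highest table row whose minimum release is <= the Controller version.
    $expected = $ReleaseTable | Where-Object { [version]$_.Min -le $ControllerVersion } |
        Sort-Object { [version]$_.Min } | Select-Object -Last 1
    if (-not $expected) { throw "No gateway offer listed for Controller $ControllerVersion" }
    if ($image.OfferId -ne $expected.OfferId -or $image.Plan -ne $expected.Plan) {
        throw "URN '$Urn' is not the image for Controller $ControllerVersion; expected $($expected.OfferId) / $($expected.Plan)"
    }
    @{
        privateStoreId           = "$PrivateStoreId"
        collectionId             = "$PrivateStoreId"   # this guide reuses the store ID here
        offerId                  = $image.OfferId
        SpecificPlanIdLimitation = @($image.Plan)
    }
}

# The values below are the guide's own examples.
$Params = New-PrivateStoreOfferParams -PrivateStoreId 'e796cf6d-fb86-4621-99b5-6764cafeee58' `
    -Urn 'aviatrix-systems:aviatrix-gateway:aviatrix-gateway-g3:20240512.1500.0' -ControllerVersion '7.1.4105'
$Params   # review the values, then run: Set-AzMarketplacePrivateStoreCollectionOffer @Params
```

A URN whose offer or plan does not match the row for the given Controller version causes the function to throw before anything is added to the Private Marketplace.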

Subscribing an Aviatrix Firewall Offer to Your Private Marketplace

Repeat the steps above to add an offer for the Azure Firewall to your Private Marketplace. Use the table below to find the correct Publisher and OfferID values.

Name         Publisher         OfferID (plan product)                    SKU (plan name)
PAN          paloaltonetworks  vmseries1, vmseries-flex                  bundle1, bundle2, byol
Fortinet     fortinet          fortinet_fortigate-vm_v5                  fortinet_fg-vm, fortinet_fg-vm_payg, fortinet_fg-vm_payg_20190624
Check Point  checkpoint        check-point-cg-r81, check-point-cg-r8110  sg-ngtp, sg-ngtx, sg-byol, mgmt-byol

After following these steps, you can now deploy Azure Firewalls from your Azure Private Marketplace through the Aviatrix Controller.