CoPilot Security Group Management
The CoPilot Security Group Management feature is available starting from Controller release 6.8. The feature is available for AWS and Azure CSPs and is enabled by default.
If Security Group Management needs to be disabled or re-enabled, you can do so from the CoPilot UI or the Controller UI:
- From CoPilot UI, go to Settings > Configuration > General > Security.
- From Controller UI, go to Settings > CoPilot > CoPilot Security Group Management.
AWS and Azure have rule limits that impact the CoPilot Security Group Management feature. This CoPilot feature is automatically disabled if the AWS security group quota or Azure Network Security Group (NSG) rule limit is reached. It is recommended that you monitor the AWS/Azure security group quota and update your rules configuration before the rule limit is reached.
If the AWS or Azure rules are nearing their rule limits, you can request an increase for the security group quota/limit from AWS/Azure and then re-enable the CoPilot Security Group Management feature.
Please refer to the AWS VPC or Azure VNet product documentation for information about viewing and alerting on security group quotas/limits.
When Security Group Management Is Enabled
When CoPilot Security Group Management is enabled (default), the Controller creates a security group for the specified CoPilot virtual machine to manage its inbound security-group rules.
The feature adds gateway IP rules to customer-attached CoPilot security groups as well as CoPilot-created security groups. CoPilot comes with a base security group when it is first launched.
The Controller adds rules to the security group for each gateway IP for the following:
- UDP port 5000 (default) — Enable Syslog for CoPilot Egress FQDN (Legacy) & Audit Data (from each gateway). Gateways send remote syslog data to CoPilot.
- TCP port 5000 (default, if using Private Mode) — Enable Syslog for CoPilot Egress FQDN & Audit Data (from each gateway). Gateways send remote syslog data to CoPilot.
- UDP port 31283 (default, port is configurable) — Enable NetFlow for CoPilot FlowIQ Data (from each gateway). Gateways send NetFlow to CoPilot.
The Controller adds the above rules for:
- New gateways launched from the Controller after the feature is enabled.
- Existing gateways launched from the Controller before the feature was enabled.
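The per-gateway rules listed above and the quota warning earlier on this page can be checked with a small script. The following is an added example and is not Aviatrix code: it models the inbound rules the Controller is described as adding for each gateway IP, diffs them against a security-group snapshot in the `IpPermissions` shape returned by boto3's `describe_security_groups`, and reports how much of the (caller-supplied) rule quota is still free. The gateway IPs, the snapshot, the quota value and the choice to add the TCP 5000 rule only in Private Mode are all assumptions made for this example.

```python
"""Expected-rule and quota headroom check for a CoPilot security group.

Added example, not part of Aviatrix CoPilot. The snapshot and gateway IPs
below are constructed; the quota value is passed in by the caller because
the page does not state a number (AWS/Azure publish their own limits).
"""
from dataclasses import dataclass

SYSLOG_PORT = 5000     # page default for remote syslog (UDP; TCP in Private Mode)
NETFLOW_PORT = 31283   # page default for NetFlow, configurable


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp" or "udp"
    port: int
    cidr: str       # gateway IP as a /32


def expected_rules(gateway_ips, private_mode=False, netflow_port=NETFLOW_PORT):
    """Rules the Controller is described as adding, one set per gateway IP.

    Assumption: UDP 5000 and UDP netflow are always present; TCP 5000 is
    added only when Private Mode is in use.
    """
    rules = set()
    for ip in gateway_ips:
        cidr = f"{ip}/32"
        rules.add(Rule("udp", SYSLOG_PORT, cidr))
        if private_mode:
            rules.add(Rule("tcp", SYSLOG_PORT, cidr))
        rules.add(Rule("udp", netflow_port, cidr))
    return rules


def rules_from_permissions(ip_permissions):
    """Flatten boto3-style IpPermissions into single-port Rule entries."""
    rules = set()
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        # Only exact single-port tcp/udp entries can match the expected rules;
        # "-1" (all traffic) and port ranges are ignored here, not treated as matches.
        if proto not in ("tcp", "udp") or lo is None or lo != hi:
            continue
        for rng in perm.get("IpRanges", []):
            rules.add(Rule(proto, lo, rng["CidrIp"]))
    return rules


def check(gateway_ips, ip_permissions, quota, private_mode=False):
    """Report missing gateway rules and remaining quota headroom.

    AWS counts one rule per CIDR entry per permission, so the usage figure
    sums IPv4 and IPv6 ranges rather than counting permission objects.
    """
    want = expected_rules(gateway_ips, private_mode)
    have = rules_from_permissions(ip_permissions)
    used = sum(len(p.get("IpRanges", [])) + len(p.get("Ipv6Ranges", []))
               for p in ip_permissions)
    per_gateway = 3 if private_mode else 2
    remaining = quota - used
    return {
        "missing": sorted(want - have, key=lambda r: (r.protocol, r.port, r.cidr)),
        "rules_used": used,
        "rules_remaining": remaining,
        # how many more gateways can be onboarded before the feature would
        # be auto-disabled for hitting the limit
        "gateways_addable": max(remaining, 0) // per_gateway,
    }


# Constructed sample input: two gateways, a snapshot where the second gateway's
# NetFlow rule is absent, plus a manually added HTTPS rule that is not gateway-specific.
SAMPLE_GATEWAY_IPS = ["10.1.0.10", "10.2.0.10"]
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 5000, "ToPort": 5000,
     "IpRanges": [{"CidrIp": "10.1.0.10/32"}, {"CidrIp": "10.2.0.10/32"}]},
    {"IpProtocol": "udp", "FromPort": 31283, "ToPort": 31283,
     "IpRanges": [{"CidrIp": "10.1.0.10/32"}]},
]

if __name__ == "__main__":
    # quota=60 is an assumed value for the example, not a figure from the page
    report = check(SAMPLE_GATEWAY_IPS, SAMPLE_PERMISSIONS, quota=60)
    for rule in report["missing"]:
        print(f"missing: {rule.protocol}/{rule.port} from {rule.cidr}")
    print(f"rules used: {report['rules_used']}, remaining: {report['rules_remaining']}, "
          f"gateways addable: {report['gateways_addable']}")
```

In practice the snapshot would come from `describe_security_groups` for the CoPilot instance's security group and the gateway list from the Controller; the `gateways_addable` figure is the value to alert on so that the quota increase is requested before the Controller disables the feature.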
You can enable Security Group Management in CoPilot from Settings > Configuration > General.
When Security Group Management Is Disabled
When CoPilot Security Group Management is disabled, the Controller removes all gateway-specific inbound rules that it previously added to the CoPilot security group.
CoPilot comes with a base security group when it is first launched. The feature does not remove rules that were manually added to the base security group.
If CoPilot Security Group Management is turned off, ensure that port 443 is set to 0.0.0.0/32 (open to all) to maintain connectivity between Aviatrix CoPilot and Controller.
You can disable Security Group Management in CoPilot from Settings > Configuration > General.
Enable Security Group Management in CoPilot
CoPilot Security Group Management is enabled by default. You can disable or re-enable the feature from Settings > Configuration > General.
To enable the CoPilot Security Group Management feature from the CoPilot UI, complete the following steps:
- Go to Settings > Configuration > General.
- Under Security > Controller Security Group Management, do the following:
  - Set the slider to On.
  - Select the name of the CoPilot account from the dropdown menu and click Save.
- Under Security > CoPilot Security Group Management, do the following:
  - Set the slider to On.
  - In VPC ID, select the ID of the VPC or VNet in which your CoPilot is located.
  - Select the ID of the CoPilot instance for which you want the Controller to manage security groups. For a clustered CoPilot deployment, this is the ID of the Main Server CoPilot instance. You can obtain the CoPilot instance ID from the CSP portal.
- Click SAVE.