Controller Security Group Management
You can use the Controller Security Group Management feature to automatically manage the Controller instance’s inbound rules from gateways.
When enabled, each time you deploy an Aviatrix gateway, a rule will be automatically added to the Controller instance’s inbound rule to allow the gateway to reach the Controller. Only TCP port 443 needs to be opened for inbound traffic to the Controller. Gateways launched from the Controller use its public IP address to communicate back to the Controller.
To enable the feature, go to the Controller Security Group Management card in the CoPilot > Settings > Configuration > Security section, select the primary access account, and then set the toggle to the On position.
After the Controller Security Group Management feature is enabled, you can edit the security rules that are outside gateways public IP addresses to limit the source address range. When specifying the custom IP addresses to allow access, you must include your own public IP address.
Controller Security Group Management and Amazon Web Services (AWS)
AWS Network ACLs are not stateful, so they are not recommended for controlling access to/from Aviatrix Controllers and Gateways.
When Controller Security Group Management is enabled, the Controller will immediately create 4 security groups. Since each security group can support 50 security rules, the Controller can support up to 200 gateways.