AWS Getting Started Guide
The Aviatrix Controller is a management and control plane or a single pane of glass that enables you to manage and support a single or multicloud network architecture. You can deploy an Aviatrix Controller through any of the four major CSP (Cloud Service Provider) marketplaces:
- AWS (Amazon Web Services)
- Microsoft Azure
- GCP (Google Cloud Platform)
- OCI (Oracle Cloud Infrastructure)
Aviatrix recommends Controller deployment on AWS or Azure, as these CSPs enable you to set up HA (High Availability) for resiliency. This document shows you how to set up and launch an Aviatrix Controller through the AWS Marketplace.
The Aviatrix Controller enables you to design and manage your single or multicloud network architecture. Aviatrix CoPilot provides a global view of your multicloud network. CoPilot includes features like FlowIQ to analyze global network traffic and ThreatIQ to monitor for potential malicious activity. You can deploy and configure CoPilot after launching the Controller.
If you are familiar with Terraform, it is possible to deploy a Controller by using Terraform modules. Please see the Aviatrix Terraform Modules on GitHub.
As a general cloud security best practice, do not use the root user credentials of your AWS account to launch the Aviatrix Controller or any other AWS resources in your AWS account.
Prerequisites
Before launching a Controller from your AWS account, complete the following prerequisites:
Setting up a Dedicated VPC
To organize and segment resources more easily, set up a dedicated VPC for your Controller. You can use an existing VPC or create a new one, depending on your organization’s resources and needs.
Choosing to Use an Existing VPC vs. Creating a New VPC
Consideration | Using an Existing VPC | Creating a New VPC |
---|---|---|
Cost | Equal | Equal unless your organization’s policy is to create a dedicated AWS account for each new VPC |
Network performance | Equal | Equal |
Simplicity and resiliency | Maintaining a VPC with resources that have many different requirements may be more difficult | Improved fault isolation in Day 2 operations, as it is less likely that changing components in the same location will harm the control plane’s connectivity |
If you choose to use an existing VPC, make sure it uses the settings specified below in the “Creating a New VPC” section.
Note that if you use a shared VPC, different accounts are not allowed to see each other’s instances. This is by design in AWS. In this case, file a feature request with AWS to extend the RAM (Resource Access Manager) share permissions so that all accounts in each shared subnet can see all the instances in that subnet. Otherwise, features like CoPilot AppIQ, SmartGroups, and others will not work properly in your account.
Creating a New VPC
- Log into your AWS account, preferably an Infrastructure OU – Networking or Shared Services account.
- If you have decided to launch a new VPC, go to VPC > Create VPC. Make sure this new VPC has the following settings:
  - Region – Before configuring any settings, click on the dropdown menu in the top right and select the region in which to locate this VPC. In the example below, the current region is Oregon.
Setting | Value |
---|---|
Resources to create | Select the VPC and more radio button. |
Name tag | Enter a clear and recognizable name (such as “aviatrix-mgt” or “aviatrix-management”). |
IPv4 CIDR block | Enter the IPv4 CIDR block for the Controller VPC. The smallest allowed block is a /24 and the largest is a /16. A best practice is to use RFC1918 ranges. |
IPv6 CIDR block | No IPv6 CIDR block |
Tenancy | Default |
Number of Availability Zones (AZs) | Select 1 if you choose not to configure HA. One Availability Zone offers a simpler deployment but no resiliency. Select 2 if you require Controller resiliency through HA. |
Number of public subnets | 1 if you selected 1 Availability Zone above; 2 if you selected 2 Availability Zones. |
Number of private subnets | 0 |
NAT gateways ($) | None |
VPC endpoints | None |
DNS options | Leave these settings at their defaults (both checkboxes marked). |
- Click Create VPC. See the screenshot below to confirm your settings. This example VPC uses two Availability Zones and two public subnets to enable HA.
Saving the Management CIDR Range
Find and save the CIDR range for the device of the main Controller user. Note that this IP address is different from the IP for the VPC itself, which you configured when you launched the VPC.
To find a device’s IP address and determine this CIDR range, search for “what is my IP” on the browser’s search engine. You can also check icanhazip.com or ifconfig.io.
Optional steps (not required for deployment):
- Create an S3 bucket for storage. An S3 bucket is not required to launch a Controller, but is required for HA (High Availability) and Backup and Restore Configuration.
  The S3 bucket you use or create for Controller HA and Backups does not need to have public access enabled and should be configured to restrict general public access.
- Create an Application Load Balancer with a Web Application Firewall (WAF) for additional security. This configuration requires a second subnet in a different Availability Zone. See this article for more information.
Prerequisite Checklist
Make sure you have completed these prerequisites before launching your Controller:
- Launched a dedicated VPC with the settings listed above
- Saved the CIDR range for the main user of the Controller
- Reviewed the optional steps above (creating an S3 bucket and an Application Load Balancer) and completed them if needed for your configuration
Launching the Controller
After completing the Prerequisite Checklist above, you can set up and launch your Aviatrix Controller.
Subscribing to the Aviatrix AMIs (Amazon Machine Images)
An Amazon Machine Image (AMI) contains the information required to launch an instance. Your Aviatrix Controller will be listed as an instance, or EC2 (Elastic Compute Cloud) instance, in your AWS account.
For current pricing information, please see the page in the AWS Marketplace.
To launch your Controller, subscribe to the correct Aviatrix AMI from the AWS Marketplace.
- Log into the AWS Marketplace. Enter “Aviatrix” in the search bar under Search AWS Marketplace products. Several options appear. Note that you will need to subscribe to the first and third options in that order:
  - Aviatrix Secure Cloud Networking (Includes Free Trial)
  - Aviatrix CoPilot
  - Aviatrix Secure Networking Platform BYOL (Bring Your Own License)

License | Description |
---|---|
Aviatrix Secure Cloud Networking (Includes Free Trial) | With this licensing option, the AWS Marketplace receives usage data from your Controller and charges based on consumption of Aviatrix functionality as described within the offer. |
Aviatrix CoPilot | License for Aviatrix CoPilot only. This subscription offers a 64-bit (x86) architecture. |
Aviatrix Secure Networking Platform BYOL (Bring Your Own License) | This license offers the Aviatrix Controller and CoPilot image. It requires a separate licensing agreement directly with Aviatrix. Subscribe to this offer after subscribing to the "Aviatrix Secure Cloud Networking (Includes Free Trial)" license above. |
- From the marketplace, select the Aviatrix Secure Cloud Networking (Includes Free Trial) listing and click View purchase options.
- Click Subscribe.
- In the green success banner that appears above, select Set up your account.
- Under Aviatrix Metered Controller Subscription, go down to the License dropdown menu and select one of the following options:
  - Free Trial (30 Days) – Select this option to subscribe to a free 30-day trial license. After 30 days, the billing for a full license begins.
  - Pay-As-You-Go with 24x7 Enterprise Support – Select this option to subscribe to a full license immediately.
- In the Email field, enter the email address for the admin user for this account. This email address must be a business email account.
- Click Verify email. A verification code is sent to the email address you entered.
- Enter that code into the Verification Code field in this form and click Submit Form. Your subscription has been activated. You receive an email from admin@aviatrix.com with the subject line "License key for Aviatrix Metered Controller and CoPilot." This email contains your Customer ID and Subscription ID.
- Save this Customer ID and Subscription ID.
If you subscribed to the free trial license, you receive notification emails 14, seven, and one day before the free trial expires and billing begins.
Next, subscribe to the Aviatrix CoPilot license.
Subscribing to Aviatrix CoPilot
- Return to the AWS Marketplace and search for "Aviatrix CoPilot." Select this license to subscribe to it.
- On the subscription’s page, click Continue to Subscribe.
Next, follow the steps below to use the BYOL offer to activate the "Aviatrix Secure Cloud Networking (Includes Free Trial)" and CoPilot license.
Activating the Metered AMI through the BYOL (Bring Your Own License) Offer
After subscribing to the "Aviatrix Secure Cloud Networking (Includes Free Trial)" subscription, click on the link in the email you received to open the Aviatrix Secure Network Platform (BYOL) offer. On the offer’s page, click Continue to Subscribe.
The BYOL or Bring Your Own License offer is required to activate the metered license you subscribed to above. You will only be billed for the metered subscription.
Next, use a CloudFormation template to launch your Controller.
Launching the Controller with CloudFormation
A CloudFormation template provides a layer of abstraction that makes the configuration process simpler and easier by automating many of the minor steps. Use the default CloudFormation template to launch your Controller.
- In your AWS account, go to AWS Marketplace Subscriptions and select the Aviatrix Secure Networking Platform - BYOL subscription. Scroll down to the Agreement section, click the Actions dropdown menu, and select Launch CloudFormation stack.
- On the Configure this software page, click on the Fulfillment option dropdown menu and select CloudFormation Template.
- Under Software version, select the most recent version.
- Under Region, click on the dropdown menu in the top right corner and select the region in which you want to deploy the Controller.
  Make sure to choose the correct region before launching the Controller instance (see the “Setting up a Dedicated VPC” prerequisite above). After launching a Controller instance, you can only change that instance’s region by stopping that Controller and deploying a new one.
- Click Continue to launch.
- On the Launch this software page, click on the Choose action dropdown menu and select Launch CloudFormation. Click Launch.
- Use the options on the Create Stack page to set up your Controller.
  - Step 1: Create Stack – Leave the settings on this page at their defaults. Click Next.
  - Step 2: Specify stack details – Enter the following values:

Setting | Value |
---|---|
Stack name | Enter a clear and recognizable name, such as “AviatrixController.” |
Which VPC should the Aviatrix Controller be deployed in? | Select the dedicated VPC you created for the Aviatrix Controller. Please see the Prerequisites section. |
Which public subnet in the VPC? | Select a public subnet in the VPC. Make sure this subnet is public (it has “public” in the name). |
IPv4 address(es) to include | Enter the public IP address for the main user or operator of the Aviatrix Controller. Enter it as a CIDR block with the /32 suffix so that only this single address can reach the Controller. |
Select Controller size | Leave the size at the default, t3.large. |
IAM role creation | If this is the first time you have attempted to launch the Controller, leave this setting at New. If this is the second or later attempt, click on the dropdown menu and select aviatrix-role-ec2. |

  The Aviatrix Controller must be launched on a public subnet.
  - Step 3: Configure stack options – Leave the settings on this page at their defaults and click Next.
  - Step 4: Review Stack_Name – Review the settings to make sure they are correct. Mark the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox at the bottom of the page and click Submit.
Saving the Public and Private IP Address
Review the stack creation status under the Events tab, in the Status column. When the stack creation completes, its status changes to CREATE_COMPLETE.
If you experience a rollback error and cannot successfully launch the stack, please see the Troubleshooting section at the end of this document.
- On the CloudFormation Stacks page, select the stack you created for the Controller.
- Select the Outputs tab.
- Save the values for the Account ID, Elastic IP (EIP) address, and Private IP addresses listed on the Outputs tab. You will need these later to onboard the primary access account for AWS in your Controller.
You might have to refresh your browser window and/or AWS account to see your Stack displayed with an updated status.
Setting up the New Instance in AWS
- In the rare situation in which you deployed CoPilot before deploying this Controller, add Aviatrix CoPilot’s IP address to the Controller’s security group.
- Verify that your own device’s public IP address is listed as one of the Controller’s security group rules. This step ensures that you can open the deployed Controller successfully.
To find your device’s IP address, you can search for “what is my IP” on your browser’s search engine. You can also check icanhazip.com or ifconfig.io.
Add IP Addresses to the Controller’s Security Group Rules
- Navigate to your AWS account > EC2 > your Controller’s instance > Security tab.
- Scroll down and select the name of the Security group on the left side of the page.
- On the security group’s page, click Edit inbound security rules on the right.
- On the Edit inbound rules page, click Add New and enter the following information:

Setting | Value |
---|---|
Type | HTTPS |
Port range | Leave at 0 |
Source | Custom |
Address | Enter the CoPilot’s IP address followed by the CIDR block (/32 in the example screenshot). |
Description (optional) | Aviatrix CoPilot Public IP address |

- Click Save rules.
- Repeat the previous steps to add your own device’s Public IP address to the security group rules:

Setting | Value |
---|---|
Type | HTTPS |
Port range | Leave at 0 |
Source | Custom |
Address | Enter your device’s public IP address followed by the CIDR block: for example, 44.257.233.220/32. |
Description (optional) | To better remember which IP address this is later, you can enter the name of your device here followed by “public IP address.” |

If your IP address changes based on device or location, make sure to add each of those IP addresses to the Security group rules. Make sure this list contains only verified, trusted IP addresses, so that access to your Controller stays limited.
Later, when you launch gateways from your Controller, each gateway creates a new Security group. You will need to add your device’s IP address to each new gateway’s Security group.
Keep each Controller Security Group’s outbound rules at their default, open to Internet or All, to avoid blocking your Controller’s IP address from accessing the Internet.
- Return to your instance’s page. If you have not already done so, save the Public IPv4 and Private IPv4 for your Controller.
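The inbound-rule requirements above (HTTPS only, one /32 per verified device, no wider sources, and no IPv6 sources because the Controller VPC has no IPv6 block) can be re-checked from the output of `aws ec2 describe-security-groups`. The following audit is an added example, not code from the Aviatrix documentation or product; the security group id, addresses, descriptions and the allow list are constructed for the example.

```python
import ipaddress
import json

# Constructed sample of `aws ec2 describe-security-groups` output (made-up group
# id, addresses and descriptions). The first two sources follow this guide (HTTPS
# only, one /32 per trusted device); the 0.0.0.0/0 rule is what the guide warns
# against; the IPv6 rule contradicts the "No IPv6 CIDR block" VPC setting.
SAMPLE_SG_JSON = """
{"SecurityGroups": [{
  "GroupId": "sg-0123456789abcdef0",
  "GroupName": "AviatrixSecurityGroup",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [
       {"CidrIp": "203.0.113.10/32", "Description": "operator laptop public IP address"},
       {"CidrIp": "198.51.100.25/32", "Description": "Aviatrix CoPilot Public IP address"}],
     "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temporary"}],
     "Ipv6Ranges": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
  ]}]}
"""


def audit_inbound_rules(describe_output: str, trusted: set[str]) -> list[str]:
    """Return one finding per inbound rule that breaks this section's rules:
    TCP/443 only, every IPv4 source a single /32 that is on the operator's list
    of verified device addresses, and no IPv6 sources at all."""
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        gid = sg["GroupId"]
        for perm in sg["IpPermissions"]:
            proto = perm.get("IpProtocol")
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            # IpProtocol "-1" means all traffic; FromPort/ToPort are then absent
            port_ok = proto == "tcp" and lo == 443 and hi == 443
            for rng in perm.get("IpRanges", []):
                cidr = rng["CidrIp"]
                desc = rng.get("Description", "")
                net = ipaddress.ip_network(cidr, strict=False)
                if not port_ok:
                    findings.append(f"{gid}: {cidr} allows {proto} {lo}-{hi}; expected tcp 443 only")
                if net.prefixlen != 32:
                    findings.append(f"{gid}: {cidr} is wider than a single /32 ('{desc}')")
                elif str(net.network_address) not in trusted:
                    findings.append(f"{gid}: {cidr} is not a verified device address ('{desc}')")
            for rng in perm.get("Ipv6Ranges", []):
                findings.append(f"{gid}: IPv6 source {rng['CidrIpv6']} on a VPC with no IPv6 CIDR block")
    return findings


if __name__ == "__main__":
    # Constructed allow list of verified device addresses for this example
    for line in audit_inbound_rules(SAMPLE_SG_JSON, {"203.0.113.10", "198.51.100.25"}):
        print("FINDING", line)
```

Run it against the real output of `aws ec2 describe-security-groups --group-ids <controller-sg>` whenever a new gateway security group is created, since each one needs the same operator /32 entries.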
Onboarding your AWS Account in your Aviatrix Controller
After launching your Controller instance in AWS, you can log in and initialize your account.
Log In and Initialize
- To log into your Controller, navigate to your AWS account > EC2 > your Controller instance. Select the open address icon next to your Controller’s Public IP address near the top of the page.
  If you cannot open this Public IP address, make sure your device’s IP address is listed in the Controller instance’s inbound security rules.
- If a “Your connection is not private” warning appears, click Advanced > Proceed to your_Controller’s_Public_IP_Address.
- The Controller login page opens. Enter:
  - Username – admin
  - Password – Your Controller’s private IP address. This address is listed in the top right of the Controller instance’s page in AWS.
- Enter your email address. This email will be used for alerts as well as password recovery if needed.
- When prompted, change your password. Make sure this password is secure. If the (Optional) Proxy Configuration message appears, you can set up proxy configuration or click Skip and then OK.
  Set up proxy configuration to ensure that all Internet-bound HTTP and HTTPS traffic initiated by the Controller and gateways is forwarded to the proxy server first before entering the Internet. Such traffic includes all cloud provider API calls made by the Controller and gateways.
  Note that the domain name .aviatrix.com must be excluded by the proxy server from SSL or HTTPS termination.
- Click Run. The Controller upgrades itself to the latest software version. Wait for a few minutes for the process to finish.
The Controller upgrade takes about 3-5 minutes. When the upgrade is complete, you can log in. Use the username “admin” and your new password to log in.
Onboard your Access Account
After logging in and initializing, onboard your AWS account in your Controller.
- In your Controller, navigate to Onboarding in the left sidebar. Click on the AWS icon.
- Enter the Customer ID that was emailed to you when you subscribed to the license. If you do not have a Customer ID, please contact Aviatrix Support.
- Skip the Enter Certificate Domain field, which is only relevant for AWS China accounts.
- Under Create Primary Access Account - AWS, enter:
  - Account Name – A name for this account. Note that this name is only used within your Controller and does not need to match the name or ID from your AWS account.
  - AWS Account Number – Enter your 12-digit Account ID. To find this Account ID, open your AWS account and click on the dropdown menu in the top right corner. Select Account. Your Account ID is listed at the top of the page under Account Settings.
  - IAM role-based – Mark the Use IAM Roles checkbox.
    If you leave this checkbox unmarked, use the ARN values in the optional fields in this section to set up user roles. ARN values are only required if you are onboarding an account that is separate from the one from which you deployed the Controller.
- Click Create.
- Your AWS account is now onboarded. To verify your email address, open Settings > Controller. Enter the verification code sent to your email address. You can now use advanced settings to configure your IAM roles, launch gateways, and build a single- or multicloud network architecture.
To launch Aviatrix CoPilot, please see the CoPilot Deployment Guide.
You need to deploy a separate Controller to use AWS China.
Troubleshooting if the Stack Creation Fails
If your stack creation fails to launch your Controller instance in AWS, check the following settings:
- Subscribing to the AMI first – Make sure you subscribed to the "Aviatrix Secure Cloud Networking (Includes Free Trial)" license from the AWS Marketplace before launching the CloudFormation template.
- IAM roles – If this attempt was the first time you tried to launch your Controller, make sure the value is set to New. In later attempts, click on the dropdown menu and select aviatrix-role-ec2.
- CIDR block – When you enter the primary user’s IP address, make sure the address includes /32 to ensure that only this user can access the Controller (for now). You can add more users later by:
  - Creating new user accounts in the Controller. See this document for more information about new users and permissions.
  - Connecting through OpenVPN using Single Sign On (SSO).