Google Getting Started Guide
Introduction
The Aviatrix cloud network solution consists of two components, the Controller and Gateway, both of which are GCloud instances. The gateway is launched from the Controller browser console. This guide helps you to launch the Controller instance in GCloud:
Note that a GCloud project corresponds to an Aviatrix cloud account or an AWS (IAM) account with its own credentials. A network in a GCloud project is logically equivalent to a VPC in AWS, but with a few significant differences. For example, a network in GCloud project can have disparate subnets and a subnet can connect across regions.
The Aviatrix Controller is a secure multicloud networking platform. Aviatrix recommends you deploy your Controller in clouds that offer metered pricing, then deploy your gateways in any supported cloud. Metered pricing offers you a true pay-as-you-go option without any up-front commitments or contract negotiations. The AWS and Azure clouds offer metered pricing for running the Aviatrix Controller image. The GCP and OCI clouds do not offer metered pricing for running the Aviatrix Controller image. |
Prerequisites
Get a Customer ID from Aviatrix
Currently, the Aviatrix Controller for GCloud is only available through a community image for BYOL license. Send an email to info@aviatrix.com or open a support ticket at Aviatrix Support Portal with your organization name to request a customer ID. We offer a 30-day free trial license.
Creating a Google Cloud Platform (GCloud) Account
Aviatrix Cloud Connect is a software product that is launched in your own GCloud account. The Controller and the Gateways created from the Controller are all in your own network perimeter and completely under your control.
Create a GCloud account (https://cloud.google.com/). Go on to the next step if you have already done so.
Note that the Controller supports multiple accounts with each one associated with a different GCloud projects, but there needs to be at least one to start with.
Creating a GCloud Project
Log in to your GCloud account and go to the project page: https://console.cloud.google.com/project
Create a project. Go on to the next step if you have already created one. Note that the project ID will be used in referencing to this project by Aviatrix Controller.
For example, in a project called Aviatrix-UCC, the project ID is aviatrix-ucc-1214.
(Optional) Creating Networks
This step creates a network in the project created in the previous step.
When a new project is created, a default network is created. You may skip this step if you do not need to customize the network address range by creating a new network, or go on to the next step if you have done so.
Note that the Aviatrix Controller handles a GCloud network like a VPC in AWS. Whenever a network configuration is mentioned for GCloud, the term VPC is used. (The VNet is used for Azure.)
At the GCloud console, select the project that you have copied the Aviatrix Controller image to. Click the 3 bars. At the dropdown menu, select Networking. Click [+] Create Network.
If you plan to have multiple projects, we suggest you plan your subnets so that the network addresses do not overlap. Select Custom to create subnets. |
Copy Aviatrix Controller Image to Your Project
At your GCloud console (https://console.cloud.google.com), select the project where you want to launch your Controller. Click the 3 bars in the top left corner. At the dropdown menu, select Compute Engine, then select Images.
At the top screen, click [+] Create Image. Make sure to:
-
Select the project where you want to launch your Aviatrix Controller.
-
Fill in the image name: for example, aviatrix-ucc-083016.
-
Fill in the description.
-
At Source, select Cloud Storage File.
-
At Cloud Storage file, paste in the following text string: aviatrix300/aviatrix-cloud-services-gateway-032020-byol.tar.gz.
-
Click Create.
Launch the Aviatrix Controller from the Copied Image
At the GCloud console,
-
Select the project that you just copied the Aviatrix Controller image to. Click the 3 bars.
-
At the dropdown menu, select the Aviatrix Controller image, click [+] Create Instance.
-
Fill in Name for the instance, Zone and Machine type for the instance.
-
Make sure the Machine type is n1-standard-2 or larger.
-
For Identity and API access, select Allow full access to all Cloud APIs.
Alternatively,
At Access scopes, select Set access for each API, and then
Select Enabled for Cloud Pub/Sub.
Select Read Write for Compute.
Do not check the Firewall box to Allow HTTPS Traffic. Aviatrix recommends you improve security by removing any 0.0.0.0 entries on port 443 not allowing the Aviatrix Controller to the world. |
-
Click Create.
Option #2: Deploy Aviatrix Controller in GCP Marketplace (Preview mode)
-
Go to GCP marketplace.
-
Find the product "Aviatrix Secured Networking Platform - BYOL".
-
Click Launch.
-
Make sure the selected Machine type has at least 2 vCPUs with 8 GB memory.
-
Boot Disk is SSD Persistent Disk with 32 GB.
Do not check the Firewall box to Allow HTTPS Traffic. Aviatrix recommends you improve security by removing any 0.0.0.0 entries on port 443 not allowing the Aviatrix Controller to the world. |
-
Click Deploy.
Accessing the Aviatrix Controller
After the instance is created, click the Controller instance name, and note its External IP address and Internal IP address. Go to https://External_IP_of_the_controller.
At the login prompt, type "admin" for username and type the internal IP address for the password, as shown below:
Follow the initial setup process to set up an admin email address and password and install the latest software. Log in again with your new admin password.
Any resources created by the Controller, such as Aviatrix gateways, GCP routing tables, subnets, LB, etc., must be deleted from the Controller. If you delete them directly on AWS console, the Controller’s view of resources will be incorrect, which will lead to features not working properly. |
Onboarding your GCP Account
Introduction
Before creating a cloud account for GCloud/GCP on the Aviatrix Controller, follow the steps below to make sure you have the credentials set up for API calls.
1. Create a GCloud or GCP account (https://cloud.google.com/). Continue to the next step if you have already done so.
The Controller supports multiple accounts with each account associated with a different GCloud projects, but there needs to be at least one account to start with. |
2. Create a GCloud Project.
Enabling Compute Engine API on the Selected Project
-
Go to your Google Cloud Platform console, click on the dropdown menu in the top left, and select APIs and Services. At the Dashboard, click Enable APIs and Services.
-
In the Search box, enter "Compute Engine API" and select it from search results.
-
Click Enable.
Creating a Credential File
When you create a cloud account on the Aviatrix Controller for GCloud, you will upload a GCloud Project Credentials file. Follow the steps below to download the credential file from the Google Developer Console.
-
Open the Credential page.
-
Select the project you are creating credentials for.
-
At Credentials, click Create credentials and select Service account as shown below.
-
At the Service Accounts, enter a service account name and click Create. For Service account permissions, select Project, Editor, as shown below.
-
Select a service account. Select the Keys tab and click the Add Key dropdown menu, and select Create new key.
-
Select the JSON radio button and click Create.
-
Click Create. The credential file downloads to your local computer.
-
Upload the Project Credential file to the Aviatrix Controller at the Gcloud account create page.
Creating a Service Account with Restricted Access
We recommend creating the service account with the Editor role as mentioned, but in some cases an organization might want to further restrict permission for the service account. In such a situation Aviatrix recommendation is to have at least following roles assigned to service account so that Aviatrix can perform its functions properly, such as managing the compute resources, route tables, firewall rules, shared service VPC network, etc.
-
Compute Admin
-
Service Account User
-
Organization Administrator (required for GCP Shared VPC)
-
Project IAM Admin (required for GCP Shared VPC)
If an organization is currently using GCP Shared VPC or planning to use in future, then enabling Organization Administrator and Project IAM Admin is also required.
In addition to restricting the GCP roles, you can restrict the rights for those roles. You can grant roles permission to perform the following tasks:
compute.addresses.create compute.addresses.createInternal compute.addresses.delete compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.disks.create compute.disks.get compute.firewalls.create compute.firewalls.delete compute.firewalls.get compute.firewalls.list compute.firewalls.update compute.forwardingRules.create compute.forwardingRules.delete compute.forwardingRules.list compute.globalOperations.get compute.healthChecks.create compute.healthChecks.delete compute.healthChecks.useReadOnly compute.httpHealthChecks.create compute.httpHealthChecks.get compute.httpHealthChecks.useReadOnly compute.images.list compute.images.useReadOnly compute.instanceGroups.create compute.instanceGroups.delete compute.instanceGroups.get compute.instanceGroups.update compute.instanceGroups.use compute.instances.create compute.instances.delete compute.instances.get compute.instances.list compute.instances.setDeletionProtection compute.instances.setMachineType compute.instances.setMetadata compute.instances.setTags compute.instances.start compute.instances.stop compute.instances.updateNetworkInterface compute.instances.use compute.networks.addPeering compute.networks.create compute.networks.delete compute.networks.get compute.networks.list compute.networks.removePeering compute.networks.updatePolicy compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.create compute.regionBackendServices.delete compute.regionBackendServices.get compute.regionBackendServices.update compute.regionBackendServices.use compute.regionOperations.get compute.routes.create compute.routes.delete compute.routes.list compute.subnetworks.create compute.subnetworks.delete compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetPools.addInstance compute.targetPools.create compute.targetPools.delete compute.targetPools.get compute.targetPools.removeInstance compute.targetPools.use compute.zoneOperations.get compute.zones.list iam.serviceAccounts.actAs logging.logEntries.create pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.publish resourcemanager.projects.get
Onboarding your GCP Account in Your Controller
To onboard this GCP account into your Aviatrix Controller, use the following steps.
-
Open your Controller and go to Onboarding > click Google Cloud Platform.
-
Under Enter Aviatrix Customer ID, enter the customer ID you received in an email.
-
Skip the Enter Certificate Domain field.
-
Under Create Primary Access Account, enter the following information.
Parameter | Description |
---|---|
Account Name |
Enter a clear Account Name. |
Gcloud Project ID (Optional) |
In the Gcloud Project ID field, enter the name of the Gcloud project for this account. |
Gcloud Project Credentials |
Click Choose file and choose the correct JSON file downloaded from your GCP account. |
-
Click Create.
Onboarding Multiple GCP Service Accounts
The Controller supports multiple Service Accounts from different GCloud projects. Onboard each GCP account separately using a unique Account Name, the correct Project ID for each project, and the JSON credentials file from the main Management Account.
For example, you may need to set up a Service Account in the first or Management GCP Project, and then give that Service Account access to a second Gcloud Project where they can deploy gateways.
-
First, in your GCP account, create the first or Management Project and the secondary project.
-
Create a Service Account from within the Management Project.
-
Generate a JSON file from the Management Project. This JSON file is the credentials file you will use while onboarding this account in your Controller.
-
Give this Service Account permission to access the secondary project.
-
Log into your Controller and go to Onboarding > Google Cloud Platform. Enter a clear Account Name, use the Management Project Name as the Gcloud Project ID, and upload the JSON credentials file. Click Create.
-
Now, onboard the secondary account. Enter a clear Account Name that helps you distinguish these projects, use the secondary project’s ID as the Project ID, and upload the same JSON credentials file from the Management Project. Click Create.
Now, your Controller has access to the Management Project and the secondary project where you can deploy gateways.
Resource Names
The maximum length of a gateway cannot exceed 50 characters when configuring Aviatrix Google Cloud gateway. Other resource names like subnet and VPC have a maximum character limit of 63, a requirement for Google Cloud.
Launching Gateway
The following gateway sizes are supported for GCloud:
'n1-standard-1','n1-highcpu-2', 'n1-standard-2', 'n1-highmem-2', 'n1-highcpu-4', 'n1-standard-4', 'n1-highmem-4', 'n1-highcpu-8', 'n1-standard-8','n1-highmem-8', 'n1-highcpu-16', 'n1-standard-16', 'n1-highmem-16','n1-highcpu-32', 'n1-standard-32', 'n1-highmem-32'
Support
Check out the Help menu for Frequently Asked Questions (FAQs), Reference Design and Release Notes. All features have descriptions embedded and should be self-explanatory.
An alert message will be displayed on the Dashboard menu when a new release becomes available.
For support, please open a support ticket at Aviatrix Support Portal.
If the cloud account creation fails, check the error message on your Aviatrix Controller and try again with the steps provided in this document.
For additional support, please open a support ticket at Aviatrix Support Portal
If no GCloud account has been set up, you will be guided through the onboarding process. It takes only a few steps. Once that is done, follow the quick tour guide to start launching gateways.