Quick Overview

The Aviatrix Cloud Network Platform consists of a centralized controller that is multi-cloud aware, intelligent cloud routers called gateways, and CoPilot, a day 2 platform providing visibility and analytics. An example of an Aviatrix managed deployment is provided below.

Aviatrix recently launched its Controller and CoPilot platform on Azure marketplace with two licensing models:

• Pay as you Go (PAYG)
• Bring your own License (BYOL)

In this document I’m going to demonstrate how to install the brain of a secure multi cloud network using the BYOL licensing model.

Infrastructure Configuration for Controller Deployment

Aviatrix Controller _is_ deployed in an existent VNET in a subnet. I’m going to create a new VNET, a dedicated resource group called aviatrix-mgmt-rg for the entire environment:

I’m going to use a /25 where I’m going to deploy my controller and my copilot:

Service Principal

I’m going to create a service principal and grant it access to my subscription. Later, I’m going to use it to onboard my azure subscription into my Controller.

Service principals are created under the Azure Active directory:

Select App Registrations on the left side panel and then click on “+ New Registration”:

• provide a name and click on the “Register” button at the end of the page

Now lets create a secret. On the left panel, click on “Certificates & Secrets”:

Click on “+ New client secret” and provide a Description to the client secret. Click “add”:

You will see the following:

• copy and save the secret id and value

Grant Access to the Subscription(s)

Under Subscription, select the subscription or subscriptions you will onboard into Aviatrix and click on “Role Assignment” on the right side:

• Pick up contributor (it could be more granular if necessary)

I search for the service principal I just created and select it:

Click on “Review and Assign”.

Blob

I’m going to create a blob called “backup” to store my controller backups:

Controller Deployment

Back to Azure Marketplace, search for Aviatrix and then click on Aviatrix Secure Networking Platform “chip”:

Click “Create”:

Provide the input for the ARM template: subscription, resource group, virtual machine name, region:

Scrolling down we have more parameters: size, username, ssh key, and inbound port rules:

I’m changing the default size to a D2as_v4 in my deployment. We recommend at least 8 Gig of memory.

Controller requires inbound 443 open to provide access to the GUI. Aviatrix support might need ssh to your controller in the case of an issue.

I’ll accept the defaults for disk and management. Next screen I’m going to configure Networking:

Change the Public IP Address from the Basic to Standard SKU.

We pick the vnet, subnet we created before. Click “Review and Create” for validation and then “Create”:

Download and save in a secure place the private key for the VM:

You can follow the steps the ARM is taking on the Deployement. It should not take longer than 5 minutes:

Controller Configuration

You can check the VM under Virtual Machines for the public and private IPs:

Browse to the PIP of the Controller instance. Username is admin and the default password is the private IP address:

Provide a valid email address as a mechanism to recover and or reset the admin password.

Set the admin password using password best practices:

The next step is the controller initial setup where the software is downloaded and installed:

Please use software version 6.5 at this time. Later we will upgrade to the latest version available.

Once the initial setup finishes setting up the software, the Controller is ready for its initial configuration and day 0 best practices:

Platform Upgrade:

• Settings -> Maintenance -> Dry Run and then Platform Upgrade:

Licensing if using BYOL:

Create account(s):

• The Aviatrix Controller is a multi-cloud and multi-accounts platform. The Controller uses your cloud provider API credentials to make API calls, for example, to launch an Aviatrix gateway instance, on behalf of your cloud accounts.
• One cloud credential is represented as an Aviatrix access account on the Controller.

Primary Access Account:

• use the information from the service principal created before under AAD

Application Key is the Secret Value of your client secret

Create a read-only user for CoPilot:

Create a user with admin privileges:

Disable Admin Login:

• Settings -> Controller -> Login Customization

Enable Controller Security Group Management to automatically manage the Controller instance’s inbound rules from gateways:

After this feature is enabled, you can now edit the security rules that are outside gateways public IP addresses to limit the source address range.

Enable backup (create a bucket first):

Apply Security Patches:

Apply Software Patches:

wow! we are ready to start configuring our azure cloud networking.

CoPilot Deployment

For more information on CoPilot, please check my previous post at https://medium.com/@rtrentin73/taking-the-left-seat-of-your-cloud-deployment-with-aviatrix-copilot-accf07cb0a46

CoPilot is deployed from the Marketplace as well:

Instance size (I am going to use the default for my lab environment):

Don’t forget to change the network (default) to the vpc and subnet(s) created before:

Once finished providing the inputs, click “Create” at the bottom of the page:

Download and store the private key:

Track the deployment using Deployment:

Copilot Configuration

Browse to the PIP and provide the Controller credentials and IP address:

Once the info is validated, provide the username and password for the user created for the CoPilot integration:

And finally the license (if using BYOL):

The first task after providing credentials, controller ip, and license is to add a data volume:

If not done before, create and attach a new disk to the CoPilot instance and return to the CoPilot Data Disk Setup:

CoPilot will automatically detect and configure additional disks:

The last step is to go back to the Controller and configure CoPilot IP address information to syslog:

A total of 10 profiles from index 0 to 9 are supported for remote syslog, while index 9 is reserved for CoPilot.

And netflow:

Also we can associate the CoPilot to the Controller to log in from the Controller to CoPilot without providing credentials (second icon at the top left corner from right to the left):

References

https://docs.aviatrix.com/StartUpGuides/azure-aviatrix-cloud-controller-startup-guide.htmlhttps://docs.aviatrix.com/StartUpGuides/azure-aviatrix-cloud-controller-startup-guide.html