Securing Aviatrix Controller

Best practice dictates that the Aviatrix Controller should not be widely accessible from the internet. Access should be limited to (1) the management range of IPs coming from the enterprise or the datacenter, and (2) traffic to/from each of the deployed gateways for general communication and keep-alives.

However, the exception to that rule is VPN access, as users need to authenticate to the controller from wherever they connect, whether at home or the local Starbucks.

To accommodate both functions securely, follow the instructions below to secure your controller.

Prerequisites

Before you start, make sure you have the latest software by checking the Dashboard. If an alert message (!New) appears, click !New to download the latest software.

We assume you already know how to deploy the Aviatrix solution; if you need help, check out this reference design.

We also assume that you know how to create resources in the AWS console.

Configuration Workflow

  1. Go to your AWS console and under EC2 -> Load Balancers, click “Create Load Balancer”:

    Type: Application Load Balancer

    Name: << Insert LB name >>

    Scheme: internet-facing

    IP address type: ipv4

  2. Add a listener for HTTPS on port 443:

    Listeners:

    Protocol: HTTPS (443)

  3. In the Availability Zones section, select the VPC and AZ where your Aviatrix Controller currently resides.

  4. Availability Zones: select all sub-regions.

  5. Click Next.

  6. For the certificate, upload from ACM or use your self-signed or CA-signed certificate.

    Note: for a self-signed certificate, select Security Policy: ELBSecurityPolicy-2015-05

  7. Click Next.

  8. Configure the security group to make the load balancer accessible from the world:

    Type: ALL TCP

    Protocol: TCP

    Port Range: 0-65535

    Source: 0.0.0.0/0

  9. Click Next.

  10. On the Configure Routing page, create a new target group for HTTPS:443:

    Target group: New target group

    Name: << Insert Target group name >>

    Protocol: HTTPS

    Port: 443

    Target type: instance

  11. Health checks:

    Protocol: HTTPS

    Path: /

  12. Click Next.

  13. On the Register Targets page, select the Aviatrix Controller instance and click “Add to register”.

  14. Click Next to go to the Review page.

  15. Review, then click “Create”.

  16. Select the new load balancer and, in the lower tabs, select Listeners.

  17. Select the current listener on port 443 and click “View/Edit Rules”.

  18. Add a new rule:

    If:

    Path-pattern: /flask

    Then:

    Forward: << Select the recently created Target Group >>

  19. On the Controller, configure SAML by accessing the controller through the load balancer's DNS name. This generates all URLs and certificates with respect to that DNS name.

NOTE:

The Controller's security group must allow inbound 443 from the load balancer's internal IP addresses, which in practice usually means the VPC CIDR.

Optional:

To block general access:

  1. Create a dummy target group pointing to an invalid port. The path rule for / then forwards to the dummy target group, while the path rule for /flask forwards to the valid target group (HTTPS 443 to the Controller), so only the SAML path reaches the Controller through the load balancer.
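The console workflow above together with the optional lock-down, expressed as Terraform. This is an added example and not Aviatrix's own code; it assumes an existing Controller instance and its security group, public subnets for the load balancer, an ACM certificate and a management CIDR, all passed in as variables, and every resource name is a placeholder. It is stricter than the console steps in three places: the load balancer's security group opens only 443 (the only listener) instead of all TCP; the Controller's 443 rule references the load balancer's security group rather than the whole VPC CIDR; and the default listener action is a fixed 403 in place of the dummy target group, with the same effect. An ALB path pattern without a wildcard matches only that exact path, so `/flask/*` is listed alongside the page's `/flask` to cover sub-paths.

```hcl
# Added example, not Aviatrix's own code. Every name and variable below is a placeholder.

variable "vpc_id"            { type = string }
variable "public_subnet_ids" { type = list(string) } # one subnet per AZ for the ALB
variable "controller_id"     { type = string }       # Aviatrix Controller EC2 instance id
variable "controller_sg_id"  { type = string }       # the Controller's existing security group
variable "certificate_arn"   { type = string }       # ACM certificate for the HTTPS listener
variable "mgmt_cidr"         { type = string }       # enterprise / datacenter management range

# Load balancer SG: only the 443 listener exists, so only 443 is opened to the internet.
resource "aws_security_group" "alb" {
  name   = "aviatrix-controller-alb"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Controller SG: 443 from the ALB by security-group reference (tighter than the
# whole VPC CIDR). Add an analogous rule with cidr_blocks = [var.mgmt_cidr] for
# direct management access; nothing else from outside is needed.
resource "aws_security_group_rule" "controller_from_alb" {
  type                     = "ingress"
  security_group_id        = var.controller_sg_id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
}

resource "aws_lb" "controller" {
  name               = "aviatrix-controller-alb"
  load_balancer_type = "application"
  internal           = false # Scheme: internet-facing
  ip_address_type    = "ipv4"
  security_groups    = [aws_security_group.alb.id]
  subnets            = var.public_subnet_ids
}

# Target group HTTPS:443 to the Controller instance, health-checked on "/".
resource "aws_lb_target_group" "controller" {
  name        = "aviatrix-controller-tg"
  port        = 443
  protocol    = "HTTPS"
  target_type = "instance"
  vpc_id      = var.vpc_id
  health_check {
    protocol = "HTTPS"
    path     = "/"
  }
}

resource "aws_lb_target_group_attachment" "controller" {
  target_group_arn = aws_lb_target_group.controller.arn
  target_id        = var.controller_id
}

# HTTPS listener whose default action is a fixed 403 (used here instead of the
# page's dummy target group): non-SAML paths never reach the Controller.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.controller.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn
  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      status_code  = "403"
    }
  }
}

# Only /flask is forwarded; an ALB path pattern without a wildcard matches
# exactly, so "/flask/*" is included to cover sub-paths.
resource "aws_lb_listener_rule" "saml_only" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 10
  condition {
    path_pattern { values = ["/flask", "/flask/*"] }
  }
  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.controller.arn
  }
}
```

After `terraform apply`, configure SAML on the Controller through the load balancer's DNS name (`aws_lb.controller.dns_name`), as step 19 describes, so the generated URLs and certificates match what users will connect to. A quick check of the result: an HTTPS request to the load balancer for `/` should return 403, while `/flask` is proxied to the Controller.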