Aviatrix Controller is a multi cloud and multi accounts platform. The Controller uses your cloud provider API credentials to make APIs calls, for example, to launch an Aviatrix gateway instance, on behalf of your cloud accounts.
One cloud credential is represented as an Aviatrix access account on the Controller. The Controller supports multiple Aviatrix accounts. One Aviatrix account may represent multiple cloud credentials, one from each cloud. For example, an Aviatrix account name DevOps can have an IAM role for AWS, Azure ARM credential and GCP credential.
Starting from release 3.2, access account for AWS only consists of the 12 digit account ID.
For Azure, the account information consists of Azure ARM credentials.
For GCP (Google Cloud), the account information consists of GCP credentials.
For AWS China, please refer Account with Access Key.
The Aviatrix account structure is shown in the diagram below, where admin is the default user for the primary access account.
To add more admin users, refer to this doc.
Setup primary access account for AWS cloud¶
For AWS, a primary access account is created during onboarding process. Using this account credential, the Controller can launch gateways and build connectivity on VPCs that belong to this AWS account.
Setup additional access account for AWS cloud¶
After you go through the onboarding process and create the primary access account, you can create additional or secondary Aviatrix access accounts on the Controller. This allows you to launch gateways and build connectivity across different AWS accounts.
The configuration steps are shown below:
The above diagram is described in the following steps.
- Go to Aviatrix -> Accounts -> Access Accounts
- +New Account, to create this new secondary account.
- Enter a unique account name. For example, BU-Group-3
- Check AWS.
- Check IAM role-based (enabled by default).
- Enter the secondary account’s AWS 12 digit account number.
- Click Launch CloudFormation Script that takes to AWS Console and run CloudFormation script to setup IAM roles, policies and establish a trust relationship with the primary account. When finished, return to this page and proceed to the next step.
- Click OK.
- The new secondary account should be created.
- Now you can create connectivity between two VPCs in different AWS accounts.
Setup additional access account using Terraform¶
If you use Terraform to create more access account, you need to run the CloudFormation script on each secondary account first, then use Terraform account resource to create the account.
Follow the above section, but only execute step 7 to run the CloudFormation script that creates IAM roles, policies and build trust relationship to the primary account (the Controller account).
The CloudFormation is necessary to create IAM roles, policies and establish trust relationship with the primary account (The account where Controller is launched.)