The Aviatrix Controller is a multi-cloud, multi-account platform. The Controller uses your cloud provider API credentials to make API calls on behalf of your cloud accounts, for example, to launch an Aviatrix gateway instance.
One cloud credential is represented as an Aviatrix access account on the Controller. The Controller supports multiple Aviatrix accounts. One Aviatrix account may represent multiple cloud credentials, one from each cloud. For example, an Aviatrix account named DevOps can have an IAM role for AWS, Azure ARM credentials, and GCP credentials.
Starting from release 3.2, an access account for AWS consists only of the 12-digit AWS account ID.
- For Azure, the account information consists of Azure ARM credentials.
- For GCP (Google Cloud), the account information consists of GCP credentials.
- For AWS China, refer to Account with Access Key.
The Aviatrix account structure is shown in the diagram below, where admin is the default user for the primary access account.
To add more admin users, refer to this doc.
For AWS, a primary access account is created during the onboarding process. Using this account credential, the Controller can launch gateways and build connectivity on VPCs that belong to this AWS account.
After you go through the onboarding process and create the primary access account, you can create additional or secondary Aviatrix access accounts on the Controller. This allows you to launch gateways and build connectivity across different AWS accounts.
The configuration steps are shown in the diagram below and described in the following steps.
1. Go to Aviatrix -> Accounts -> Access Accounts.
2. Click +New Account to create the new secondary account.
3. Enter a unique account name, for example, BU-Group-3.
4. Mark the AWS checkbox.
5. Mark the IAM role-based checkbox (enabled by default).
6. Enter the secondary account's 12-digit AWS account number.
7. Click Launch CloudFormation Script to go to the AWS Console and run the CloudFormation script, which sets up the IAM roles and policies and establishes a trust relationship with the primary account. When finished, return to this page and proceed to the next step.
8. Click OK.
9. The new secondary account is created.
10. Now you can create connectivity between two VPCs in different AWS accounts.
If you use Terraform to create more access accounts, you need to run the CloudFormation script in each secondary account first, then use the Terraform account resource to create the account.
Follow the section above, but execute only step 7, which runs the CloudFormation script that creates the IAM roles and policies and builds the trust relationship to the primary account (the Controller account).
The CloudFormation script is necessary to create the IAM roles and policies and to establish a trust relationship with the primary account (the account where the Controller is launched).
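As an added example (not Aviatrix's own code or CloudFormation template), the following Python check audits the trust policy on a secondary account's role and reports any principal other than the primary (Controller) account that is allowed to assume it. The account IDs and the sample policy document are constructed placeholders.

```python
import json
import re

# Constructed sample (not Aviatrix's template): a trust policy that should let only the primary account assume the role.
PRIMARY_ACCOUNT = "111111111111"  # placeholder for the account where the Controller runs
SAMPLE_TRUST_POLICY = json.dumps({
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
})

ACCOUNT_RE = re.compile(r"^\d{12}$")
ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):")

def as_list(value):
    """IAM policy fields may be a single string/object or a list; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def principal_accounts(statement):
    """Return the sorted set of account IDs (or '*') named as AWS principals in one statement."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    accounts = set()
    for p in as_list(principal.get("AWS")):
        if p == "*" or ACCOUNT_RE.match(p):
            accounts.add(p)
        else:
            m = ARN_RE.match(p)
            accounts.add(m.group(1) if m else p)  # keep unknown forms so they get flagged
    return sorted(accounts)

def audit_trust_policy(policy_json, primary_account):
    """Return findings for any AssumeRole grant to a principal other than the primary account."""
    if not ACCOUNT_RE.match(primary_account):
        raise ValueError("primary account must be the 12-digit AWS account ID")
    findings = []
    for stmt in as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in as_list(stmt.get("Action"))):
            continue
        for acct in principal_accounts(stmt):
            if acct == "*":
                findings.append("wildcard principal may assume the role")
            elif acct != primary_account:
                findings.append(f"unexpected principal {acct} trusted")
    return findings
```

An empty list means the role is assumable only by the primary account; pass the role's `AssumeRolePolicyDocument` fetched from the secondary account to check a real deployment.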