Configuring an AWS Load Balancer with SSL in front of Aviatrix Controller


The Aviatrix Controller supports adding an SSL certificate. However, sometimes you may prefer to put an ALB in front of the Controller. This gives you the ability to associate it with a WAF, for example.


Step-by-Step Deployment Guide

Follow the steps below to put the Aviatrix Controller behind an AWS ALB:

  1. Log in to the AWS console

  2. Go to Load Balancers under the EC2 service in the region where your Aviatrix Controller is running

  3. Create a new load balancer


    See this guide for more information on AWS load balancing.

  4. Select Application Load Balancer and click Create

  5. Configure the load balancer. Be sure to select the internet-facing Scheme and HTTPS as the Load Balancer Protocol of the only listener.


  6. Configure the Security Settings by selecting your SSL certificate and security policy.


  7. Select the appropriate security group. This security group should allow traffic on port 443 from your desired source network(s).

  8. Configure the routing with a new target group. The Target group should be configured with HTTPS protocol on port 443 and a Target type of instance. The Health check should use HTTPS Protocol and / Path.



    You may adjust the Interval to be larger than 30 seconds to lower the burden on your Controller.

  9. Find the Aviatrix Controller instance to register in the target group.


    After Add to registered is clicked you will see this:


  10. Review and Create the load balancer


  11. Collect the DNS name from the load balancer


  12. Create a DNS CNAME record pointing your desired name to the load balancer’s DNS name


    The DNS CNAME record must match the name used in the SSL cert or you will receive a warning in the browser.


    Here is an example setting up the entry in Route53:



If you have enabled Controller HA, you can point your Auto Scaling Group to the Target Group of your ELB for automatic registration in the event of a failover. However, please note that the Max value should always be 1. Having more than 1 active Controller for any given set of services is not supported, as documented here, if it is deployed behind an ELB.
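
The settings called out in steps 4 through 8 and in the Controller HA note can be checked after deployment. The following is an added example, not part of the original guide or of Aviatrix's tooling: the `audit` function and all sample values are constructed here, and the dictionary keys are assumed to follow the JSON returned by the AWS CLI `describe` commands named in the first comment.

```python
# Added example. Dict keys follow the output of `aws elbv2 describe-load-balancers`,
# `describe-listeners`, `describe-target-groups` and
# `aws autoscaling describe-auto-scaling-groups`. All sample values are constructed.
TG_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/example/0123456789abcdef"

def audit(lb, listeners, tg, asg=None):
    """Return findings; an empty list means the setup matches the guide."""
    findings = []
    if lb.get("Type") != "application":
        findings.append("step 4: not an Application Load Balancer")
    if lb.get("Scheme") != "internet-facing":
        findings.append("step 5: scheme is not internet-facing")
    # Step 5: HTTPS is the protocol of the only listener.
    if len(listeners) != 1 or listeners[0].get("Protocol") != "HTTPS":
        findings.append("step 5: expected exactly one listener, using HTTPS")
    # Step 6: the HTTPS listener carries a certificate and a security policy.
    for lsn in listeners:
        if lsn.get("Protocol") == "HTTPS" and not (lsn.get("Certificates") and lsn.get("SslPolicy")):
            findings.append("step 6: listener lacks a certificate or security policy")
    if (tg.get("Protocol"), tg.get("Port"), tg.get("TargetType")) != ("HTTPS", 443, "instance"):
        findings.append("step 8: target group must be HTTPS, port 443, type instance")
    if (tg.get("HealthCheckProtocol"), tg.get("HealthCheckPath")) != ("HTTPS", "/"):
        findings.append("step 8: health check must use HTTPS and path /")
    if asg is not None:  # Controller HA only
        if tg.get("TargetGroupArn") not in asg.get("TargetGroupARNs", []):
            findings.append("HA: Auto Scaling Group not attached to the target group")
        if asg.get("MaxSize") != 1:
            findings.append("HA: Auto Scaling Group Max must be 1")
    return findings

GOOD_LB = {"Type": "application", "Scheme": "internet-facing"}
GOOD_LISTENERS = [{"Protocol": "HTTPS", "Port": 443, "SslPolicy": "EXAMPLE-POLICY",
                   "Certificates": [{"CertificateArn": "EXAMPLE-CERT-ARN"}]}]
GOOD_TG = {"TargetGroupArn": TG_ARN, "Protocol": "HTTPS", "Port": 443,
           "TargetType": "instance", "HealthCheckProtocol": "HTTPS",
           "HealthCheckPath": "/", "HealthCheckIntervalSeconds": 60}
GOOD_ASG = {"MaxSize": 1, "TargetGroupARNs": [TG_ARN]}

# A drifted setup: plain-HTTP listener, HTTP health check, two controllers allowed.
BAD_LISTENERS = [{"Protocol": "HTTP", "Port": 80}]
BAD_TG = dict(GOOD_TG, HealthCheckProtocol="HTTP")
BAD_ASG = {"MaxSize": 2, "TargetGroupARNs": [TG_ARN]}

if __name__ == "__main__":
    print(audit(GOOD_LB, GOOD_LISTENERS, GOOD_TG, GOOD_ASG) or "matches the guide")
    for finding in audit(GOOD_LB, BAD_LISTENERS, BAD_TG, BAD_ASG):
        print("FINDING:", finding)
```

Pass `asg=None` (the default) when Controller HA is not enabled, so only the load balancer, listener and target group are checked.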