Encrypt EBS Volume


Aviatrix starts to support enabling EBS encryption by default when users launch gateway since release 6.0.


This feature is used to encrypt your gateway EBS volume. Note that you will need to disable the Gateway Single AZ HA on your gateway prior if you are running a release prior to 5.2 before encrypting its EBS volume. On 5.2 release and later you do not need to disable the Single AZ HA before encrypting.


You need to add below rules into your IAM role policies (“aviatrix-app-policy”).

    "Effect": "Allow",
    "Action": [
    "Resource": "*"

How to add IAM rules?

Step1: Go to your AWS account and select IAM service.


Step2: Select “Roles”, then double click the role name “aviatrix-role-app.”


Step3: Click “JSON”, then put the rules into the JSON file. Then click “Review policy”.


Step4: Click “Save changes” to finish editing aviatrix-app-policy


How to encrypt gateway EBS volume via Aviatrix controller?

Step1: Go to your Aviatrix controller page, and select “Gateway” page.

Step2: Select the gateway which you want to encrypt, then click “Edit” button.


Step3: Check the current status of Gateway EBS volume.


Step4: Scroll down to “Encrypt Volume” and Click “Encrypt” button to encrypt the EBS. Please wait for the encryption process to complete.



The controller will use Default “AWS Managed Keys” to encrypt your EBS volume. Otherwise, you can use your* “Customer Managed Key ID” to encrypt the gateway EBS volume. How to create AWS Customer Managed Key ID?

Step5: Check the encrypted volume. You may need to refresh the controller “Gateway” page to check the status of Gateway’s EBS volume.


Step6: You can check the result on your AWS console. It’s on EC2 -> Volume page.



You can see that the gateway EBS volume was encrypted. Also, the previous unencrypted volume will be kept. Please make sure to add “aviatrix-role-app” to the CMK as Key users in KMS when you want to replace or resize the gateway later.