AWS Infrastructure

How do I increase the size of the disk on my Gateway?

Follow these instructions to increase the size of your instance’s disk.

  • Log in to the AWS console and locate the Aviatrix gateway instance
  • Click on Root device: /dev/sda1 and then click on the EBS ID vol-xxxxxxxxxx link
  • With the volume selected, click Action > “Modify Volume” to change the disk size
  • Increase the value in the Size field and click OK to start the resize process. Wait until the state of the volume is “in-use - completed (100%)” before continuing
  • Select the Aviatrix gateway instance in the EC2 page and click Reboot for the new disk size to take effect. This causes a short downtime (< 5 minutes) while the gateway reboots
  • Confirm that the gateway is in the running state in the AWS console
  • Log in to your controller, run gateway diagnostics and submit them to us. Please also upload the gateway tracelog
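The same procedure driven from the API, as an added example that is not Aviatrix's own code: it finds the root EBS volume of a gateway instance, checks that the requested size is actually larger (EBS volumes can only grow), modifies the volume, waits for the modification to reach the same "completed" state the console shows, and reboots the instance. It assumes boto3 is installed and credentials are configured for the account and region holding the gateway; the instance ID, volume IDs and the describe_instances response below are constructed placeholders.

```python
"""Added example (not Aviatrix's code): grow a gateway's root EBS volume with boto3.

Assumes boto3 credentials for the gateway's account/region. The sample
describe_instances response and all IDs below are constructed placeholders.
"""
import time


def root_volume_id(describe_instances_response):
    """Return the EBS volume ID backing the instance's root device.

    Matches BlockDeviceMappings against RootDeviceName instead of assuming
    /dev/sda1, so it also works for images that boot from /dev/xvda.
    """
    instance = describe_instances_response["Reservations"][0]["Instances"][0]
    root_dev = instance["RootDeviceName"]
    for mapping in instance.get("BlockDeviceMappings", []):
        if mapping["DeviceName"] == root_dev and "Ebs" in mapping:
            return mapping["Ebs"]["VolumeId"]
    raise LookupError("no EBS mapping for root device %s" % root_dev)


def can_grow(current_gib, new_gib):
    """EBS volumes can only be enlarged; refuse a shrink or a no-op."""
    return new_gib > current_gib


def resize_gateway_root(instance_id, new_gib, poll_seconds=15):
    """Modify the root volume, wait for 'completed', then reboot the gateway."""
    import boto3  # imported here so the pure helpers above stay importable offline

    ec2 = boto3.client("ec2")
    vol_id = root_volume_id(ec2.describe_instances(InstanceIds=[instance_id]))
    current = ec2.describe_volumes(VolumeIds=[vol_id])["Volumes"][0]["Size"]
    if not can_grow(current, new_gib):
        raise ValueError("volume %s is %d GiB; new size must be larger" % (vol_id, current))

    ec2.modify_volume(VolumeId=vol_id, Size=new_gib)

    # Equivalent of waiting for "in-use - completed (100%)" in the console.
    while True:
        mod = ec2.describe_volumes_modifications(VolumeIds=[vol_id])["VolumesModifications"][0]
        state = mod["ModificationState"]
        if state == "completed":
            break
        if state == "failed":
            raise RuntimeError("volume modification failed: %s" % mod.get("StatusMessage"))
        time.sleep(poll_seconds)

    # Reboot so the gateway picks up the larger disk (short downtime, as noted above),
    # then wait until EC2 reports the instance running again.
    ec2.reboot_instances(InstanceIds=[instance_id])
    ec2.get_waiter("instance_running").wait(InstanceIds=[instance_id])
    return vol_id, current, new_gib


# Constructed sample of a describe_instances response, used only to exercise the helper.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [{"Instances": [{
        "InstanceId": "i-0123456789abcdef0",          # placeholder
        "RootDeviceName": "/dev/sda1",
        "BlockDeviceMappings": [
            {"DeviceName": "/dev/sda1", "Ebs": {"VolumeId": "vol-0aaaaaaaaaaaaaaaa"}},
            {"DeviceName": "/dev/sdf", "Ebs": {"VolumeId": "vol-0bbbbbbbbbbbbbbbb"}},
        ],
    }]}]
}

if __name__ == "__main__":
    print("root volume:", root_volume_id(SAMPLE_DESCRIBE_INSTANCES))
    # resize_gateway_root("i-0123456789abcdef0", 64)  # placeholder instance ID, 64 GiB
```

The size check matters because modify_volume rejects a smaller size only after the call is made; checking first keeps the script from touching a volume it cannot grow.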

How do I save an EIP used for a Gateway?

  • When creating a new Gateway, the default option for “Allocate New EIP” is “on”, which means the Aviatrix Controller checks out a new EIP from AWS. If this gateway is deleted, the Controller releases this EIP back to AWS. If you expect to keep the EIP in future, it is recommended that the “Allocate New EIP” option is unchecked and an available EIP is picked during the Gateway creation process.
  • If you are having issues with a Gateway and would like a new Gateway to replace the existing one with the same EIP, the best way to do this is via “Controller GUI / Troubleshoot / Diagnostics / Gateway Tab / Gateway Replace”
  • If you want to transfer the EIP from one Aviatrix Gateway to another, follow these steps (Example: GatewayA-EIPA, GatewayB-EIPB; move EIPA to GatewayB). Note: Only supported in releases 4.0 and up. Using this on release 3.5 and lower will result in the loss of the EIP:
    • From the AWS Console, create a new EIP (continuing the example: call this EIP-new)
    • From the Aviatrix Controller, go to “Controller GUI / Troubleshoot / Diagnostics / Gateway Tab / Migration”, pick the Gateway that you want to take the EIP from, enter this new EIP and click OK. (Pick GatewayA and enter EIP-new. This releases EIPA)
    • On the same page of the Aviatrix Controller, pick the Gateway that you want to receive the old EIP and enter the old EIP. (Example: Pick GatewayB and enter EIPA. This releases EIPB)

How can I encrypt an EBS Volume on Controller/Gateway?

AWS does not allow EBS encryption at instance launch time. Follow the instructions for the Controller and for the Gateway

Why are IAM Roles/Policies important?

  • The Aviatrix Controller and its Gateways need access to AWS resources to function as designed. Any loss of these access privileges can cause unpredictable behavior and performance in your network. This access is granted and managed through IAM roles and policies. For more information, refer to the following documents
  • AWS has an IAM corner case: if an EC2 instance had an IAM role attached and the role was then deleted and created again, that instance’s roles and policies will not function predictably. If you have deleted and re-created Aviatrix IAM roles, detach the roles from your Controllers and Gateways and attach them again.
  • Aviatrix IAM policies may be updated from release to release; make it a point to update them when you update the software on the Aviatrix system

What do I do if my gateway instance is identified for retirement by AWS?

AWS will inform you when one of your instances is scheduled for retirement because the underlying hardware has issues or is being upgraded. Usually a start/stop from the AWS console migrates the instance to newer hardware. Please check here for more information, and open a support ticket with AWS if you need further details

How can I monitor the destination ports and ip addresses for instances in my VPC?

Aviatrix provides a Discovery function to do this. You could also consider AWS VPC Flow Logs, which capture all traffic entering and leaving the VPC and log it to S3 or CloudWatch Logs. Please follow the directions here and capture these logs. Capturing the outgoing port and IP address information will help you craft better Egress Control Policies.
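As an added example (not part of the Aviatrix page), the following parses VPC Flow Log records in the default format and summarises the outbound destinations and ports that left the VPC, which is the information the paragraph says is useful for writing Egress Control Policies. It assumes the default flow log field order; the VPC CIDR and the log lines are constructed for the example and use documentation address ranges.

```python
"""Added example (not Aviatrix's code): summarise egress destinations from VPC Flow Logs.

The log lines and the VPC CIDR (10.0.0.0/16) are constructed for this example.
"""
from collections import Counter
import ipaddress

# Default VPC Flow Log field order (version 2 records).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

PROTO = {"6": "tcp", "17": "udp", "1": "icmp"}

# Constructed sample records: HTTPS and DNS egress, one rejected SSH attempt,
# one return flow, one intra-VPC flow and one NODATA window.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 192.0.2.50 49152 443 6 20 4096 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.10 49153 22 6 5 600 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.22 192.0.2.50 49154 443 6 12 2048 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.7 49155 53 17 2 200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.50 10.0.1.15 443 49152 6 18 30000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.40 49156 3306 6 30 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line):
    """Map one default-format flow log line to a dict, or None if it carries no flow."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # NODATA / SKIPDATA windows have no addresses to parse
    return rec


def egress_flows(log_text, vpc_cidr, action="ACCEPT"):
    """Count (dst_ip, dst_port, proto) for flows that left the VPC with the given action.

    Only flows whose source is inside the VPC and whose destination is outside
    it are counted; return traffic and intra-VPC flows are ignored. Use
    action="REJECT" to see what the current security groups/NACLs already block.
    """
    net = ipaddress.ip_network(vpc_cidr)
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["action"] != action:
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        if src in net and dst not in net:
            proto = PROTO.get(rec["protocol"], rec["protocol"])
            counts[(rec["dstaddr"], int(rec["dstport"]), proto)] += 1
    return counts


def policy_candidates(counts):
    """Order observed destinations by flow count, most common first, for policy review."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for (dst, port, proto), n in policy_candidates(egress_flows(SAMPLE_LOG, "10.0.0.0/16")):
        print("%-16s %5d/%s  flows=%d" % (dst, port, proto, n))
```

Run over a real export (one record per line, default format), the ACCEPT summary lists what an egress policy would have to permit, and the REJECT summary shows what is already being dropped, so the two together give a before-and-after view of a proposed policy.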

Why do I get an email alert about my gateway with “Cloud Message Queue Failure” message?

Typically, this message is sent when a gateway is not able to retrieve messages from the controller via AWS SQS, either because it cannot resolve or reach AWS SQS or because it does not have the permissions to retrieve the messages (i.e. DNS, network connectivity, system issues, IAM permissions). Please check the following:

  • Run gateway diagnostics by going to “Controller/Troubleshoot/Diagnostics/Gateway”, pick the gateway, run the diagnostics test and “submit” the results to us. You can also review the results yourself by referring to the service descriptions in diagnostics.
  • Make sure that DNS can resolve public FQDNs and not just private FQDNs
  • Go to “Controller/Troubleshoot/Diagnostics/Network/GatewayUtility”, pick the gateway and ping, to see if it can resolve names and has network connectivity.
  • Check that this gateway has the right IAM policies
    • Check in the AWS console that your controller and gateway instances have the “aviatrix-role-ec2” role attached
    • Check that the policies attached to this role are correct by going to “Controller/Accounts/AccountAudit” and running an account audit on the account that this gateway belongs to. If needed, update the policies: to update the IAM policy to the latest version, go to “Controller/Accounts/Access Accounts/SelectAccount Name/click 3 dots/UpdatePolicy” and click OK.
    • Go to AWS Console > IAM > Roles > click on aviatrix-role-ec2 > check that the aviatrix-assume-role-policy policy is attached > click on the policy name > {} JSON > it should look like the following
    • Go to AWS Console > IAM > Roles > click on aviatrix-role-app > check that the aviatrix-app-policy policy is attached > click on the policy name > {} JSON > it should look like the following
    • If the gateway is not in the same account as the Controller, make sure that this access account has a trust relationship with the primary account (the Controller’s AWS account). The role “aviatrix-role-app” should trust its own account and the controller’s account. In the primary account (which hosts the controller), it should trust only its own account.
  • Make sure that both your controller and gateway have an EIP associated and not just a public IP/private IP
  • Note that this check is done once a day; after you address the issues, wait 24 hours from the previous alert to see whether you receive another alert
  • Sometimes this is a transient issue caused by temporary DNS/network failures that resolves on its own
  • If you are not able to find and address the issue, please upload the tracelogs for this gateway and send an email to to open a new ticket.
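The trust-relationship check in the list above, written out as an added example (not Aviatrix's code): it reads the trust policy of aviatrix-role-app and reports any account that should be trusted but is not, and any account that is trusted but should not be. The account IDs and the sample policy document are constructed placeholders; the live lookup assumes boto3 and IAM read permission in the account being checked.

```python
"""Added example (not Aviatrix's code): audit the trust policy of aviatrix-role-app.

Account IDs and the sample policy are constructed placeholders.
"""

CONTROLLER_ACCOUNT = "111111111111"   # placeholder: the account hosting the controller
GATEWAY_ACCOUNT = "222222222222"      # placeholder: an access account hosting gateways

# Constructed trust policy in the shape returned by
# iam.get_role(RoleName=...)["Role"]["AssumeRolePolicyDocument"].
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:root",
                               "arn:aws:iam::111111111111:root"]},
         "Action": "sts:AssumeRole"}
    ]
}


def _as_list(value):
    """IAM allows a single string wherever a list is accepted."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def trusted_accounts(trust_policy):
    """Return the set of account IDs (or '*') allowed to assume the role."""
    accounts = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            accounts.add("*")
            continue
        for p in _as_list(principal.get("AWS")):
            if p == "*":
                accounts.add("*")
            elif p.isdigit() and len(p) == 12:
                accounts.add(p)  # bare account ID form
            elif p.startswith("arn:") and p.split(":")[2] == "iam":
                accounts.add(p.split(":")[4])  # arn:<partition>:iam::<account>:root
    return accounts


def check_app_role_trust(trust_policy, own_account, controller_account):
    """Return a list of problems; an empty list means the trust matches the expectation above.

    aviatrix-role-app should trust its own account and the controller's account;
    when the role lives in the controller's account those are the same account.
    Any extra trusted account is flagged, since it could assume a role that
    carries the Aviatrix app policy.
    """
    trusted = trusted_accounts(trust_policy)
    expected = {own_account, controller_account}
    problems = ["missing trust for account %s" % a for a in sorted(expected - trusted)]
    problems += ["unexpected trusted account %s" % a for a in sorted(trusted - expected)]
    return problems


def check_live_role(role_name, own_account, controller_account):
    """Fetch the trust policy with boto3 and run the same check (needs credentials)."""
    import boto3  # imported here so the offline helpers above stay importable
    doc = boto3.client("iam").get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]
    return check_app_role_trust(doc, own_account, controller_account)


if __name__ == "__main__":
    for problem in check_app_role_trust(SAMPLE_TRUST_POLICY, GATEWAY_ACCOUNT, CONTROLLER_ACCOUNT):
        print(problem)
    # check_live_role("aviatrix-role-app", GATEWAY_ACCOUNT, CONTROLLER_ACCOUNT)
```

Running it in the primary account with own_account equal to the controller account makes any gateway account that was left in the trust policy show up as "unexpected", which is the case the last bullet above describes.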

How do you launch a controller in GovCloud?

Pre-deployment checklist:
  • Prepare a VPC with a public subnet (i.e., a subnet whose route table points to an IGW) in which to launch the controller.
  • Go to EC2/Network & Security/Key Pairs to create a key pair.
  • Note that the AWS US-EAST region does not support t2.large. Pick t3.large instead to avoid deployment failure.
Launch from CloudFormation template:
  • Copy the Aviatrix CloudFormation template URL from your AWS commercial cloud account as follows:
  • Launch the CloudFormation template by following these steps:
    • Log in to your GovCloud account
    • Go to Service/CloudFormation/Create Stack and enter the Aviatrix CloudFormation template URL copied in the previous step
    • Click Next and follow the typical CloudFormation Deployment process.
Launch from EC2/Instances/Launch Instance/AWS Marketplace manually:
  • You would need to create the Aviatrix-role-ec2, Aviatrix-role-app, Aviatrix-assume-role-policy and Aviatrix-app-policy manually. In addition, you would need to change the Resource of the AssumeRole action in Aviatrix-assume-role-policy from “arn:aws:iam:::role/aviatrix-” to “arn:aws-us-gov:iam:::role/aviatrix-”, making sure the ARN uses the aws-us-gov partition.
  • Launch the controller by picking an Aviatrix image under EC2/Instances/Launch Instance/AWS Marketplace.
Other notes:
  • Go to Accounts/Access Accounts/Add Account
  • Pick AWS and uncheck the IAM role-based checkbox
  • Populate your AWS Access Key ID/Account Number/Secret key.
  • Controller VPC tracker is not yet supported for GovCloud
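The partition change required for the manual GovCloud launch above, as an added example (not Aviatrix's code): it rewrites every Resource ARN in a policy document to the aws-us-gov partition without touching the service, account or resource path, and separately reports any ARN still in the commercial partition so a hand-edited policy can be verified before it is attached. The policy document below is a constructed stand-in for aviatrix-assume-role-policy, not the real document.

```python
"""Added example (not Aviatrix's code): move policy Resource ARNs to the GovCloud partition.

COMMERCIAL_ASSUME_ROLE_POLICY is a constructed stand-in for the real
aviatrix-assume-role-policy document.
"""
import copy
import json

COMMERCIAL_ASSUME_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::*:role/aviatrix-*"   # constructed commercial-partition ARN
    }]
}

GOV_PARTITION = "aws-us-gov"


def _statements(policy):
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _resources(stmt):
    res = stmt.get("Resource", [])
    return [res] if isinstance(res, str) else list(res)


def arns_in_wrong_partition(policy, partition):
    """Return every Resource ARN whose partition field is not `partition`."""
    wrong = []
    for stmt in _statements(policy):
        for res in _resources(stmt):
            if res.startswith("arn:") and res.split(":")[1] != partition:
                wrong.append(res)
    return wrong


def to_partition(policy, partition):
    """Return a copy of the policy with every Resource ARN rewritten to `partition`.

    Only the partition field (the second colon-separated component) changes;
    an ARN such as arn:aws:iam::*:role/aviatrix-* becomes
    arn:aws-us-gov:iam::*:role/aviatrix-*. The input policy is not modified.
    """
    out = copy.deepcopy(policy)
    for stmt in _statements(out):
        if "Resource" not in stmt:
            continue
        rewritten = []
        for res in _resources(stmt):
            if res.startswith("arn:"):
                head, _old_partition, rest = res.split(":", 2)
                res = "%s:%s:%s" % (head, partition, rest)
            rewritten.append(res)
        # Keep the original shape: a single string stays a string, a list stays a list.
        stmt["Resource"] = rewritten if isinstance(stmt["Resource"], list) else rewritten[0]
    return out


if __name__ == "__main__":
    gov_policy = to_partition(COMMERCIAL_ASSUME_ROLE_POLICY, GOV_PARTITION)
    print(json.dumps(gov_policy, indent=2))
    print("still commercial:", arns_in_wrong_partition(gov_policy, GOV_PARTITION))
```

The printed document is what you would paste into the {} JSON editor when creating Aviatrix-assume-role-policy in the GovCloud account; an empty "still commercial" list confirms nothing was missed.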

Can I change my AWS Access Account auth between IAM role based and Accesskey?

You can change between IAM role-based and access-key-based authentication on AWS accounts from “Controller/Accounts/AccessAccounts/SelectAccount/Edit” only when there are no resources on this account. If any resources, such as Gateways, have been created, you will not be able to switch over.

How do I recover if my Instance Profile ARN goes missing on “aviatrix-role-ec2”?

If the roles are deleted by accident, AWS might get into a state where the “Instance Profile ARN” is missing. You would have to use the AWS CLI as mentioned at to recover from this situation. The actual command is “aws iam add-role-to-instance-profile --role-name aviatrix-role-ec2 --instance-profile-name aviatrix-role-ec2”. You might also have to remove the role aviatrix-role-ec2 from the controller and/or gateways and add it back. Wait a couple of minutes for this to take effect.