Managing Access Accounts

The Aviatrix Controller is a multicloud and multi-accounts platform. The Controller uses your cloud provider API credentials to make API calls, for example, to launch an Aviatrix gateway instance, on behalf of your cloud accounts.

One cloud credential is represented as an Aviatrix access account on the Controller. The Controller supports multiple Aviatrix accounts. One Aviatrix account can have multiple service accounts from different clouds, one from each cloud. For example, an Aviatrix account named DevOps can have an access account for AWS, Azure ARM credentials, and GCP credentials.

The Aviatrix account structure is shown in the diagram below, where admin is the default user for the primary access account.

account-structure

To add more admin users, refer to Admin Users and Duo Sign in.

Aviatrix Primary Access Account

The primary access account is the first account on the Controller. This is the account you used to launch the Controller through the AWS, Azure, GCP, or OCI marketplaces, and the account where that Controller remains. For example, if you launched your Controller through the AWS marketplace, your primary access account is an AWS account.

After setting up your primary access account, you can:

  • Launch Aviatrix Gateways in the VPC/VNets that belong to this account.

  • Add access accounts from other Cloud Service Providers. For example, if you launched your Aviatrix Controller through the Azure marketplace, your can add access accounts for AWS, GCP, and OCI.

Aviatrix Access Account Best Practices

An Aviatrix Cloud Account corresponds to one cloud account of one cloud type. You can create multiple Cloud Accounts to support multi cloud and multi account deployment environment.

Setting up a Primary Access Account for AWS Cloud

For AWS, a primary access account is created during the onboarding process. Using this account credential, the Controller can launch gateways and build connectivity on VPCs that belong to this AWS account.

Setting Up Additional Access Accounts for Different Clouds

After you go through the onboarding process and create the primary access account, you can create additional Aviatrix access accounts on the Controller. This allows you to launch gateways and build connectivity across different cloud accounts. For example, if you create a primary access account in Azure, where you launched your Controller, you can add additional access accounts for AWS, GCP, and OCI.

To launch an additional access account:

  1. Go to your Aviatrix Controller > Accounts > Access Accounts.

  2. Click + Add New to create this new access account.

  3. Enter a unique account name: for example, BU-Group-3.

  4. Mark the radio button for the appropriate Cloud Service Provider. The fields below change based on which Cloud Service Provider you chose. See the following documents for more information on adding access accounts in each cloud:

  5. After entering the information required, scroll down and select any RBAC or permission groups this account should belong to.

  6. Click OK.

  7. The new access account is created.

  8. Now you can create connectivity between two VPC/VNets in different cloud accounts.

Setting Up Additional Access Accounts Using Terraform (AWS)

If you use Terraform to create more AWS access accounts, you need to run the CloudFormation script on each secondary account first, then use Terraform account resource to create the account.

The CloudFormation is necessary to create IAM roles and policies and to establish a trust relationship with the primary account (the account where the Controller is launched.)

Account Audit

The Aviatrix Controller periodically checks the accounts it manages to make sure they are intact.

For AWS Account Audit

  1. The Controller instance’s IAM role aviatrix-role-ec2 is attached to the instance.

  2. The Controller instance’s IAM role aviatrix-role-app exists.

  3. An access account IAM role aviatrix-role-ec2 exists.

  4. An access account IAM role aviatrix-role-app exists.

  5. An access account IAM role aviatrix-role-ec2 has associated policies.

  6. An access account IAM role aviatrix-role-app has associated policies.

  7. An access account has a trust relationship to the primary account (the Controller’s AWS account).

  8. An access account has an expired, deleted, or invalid credential.

If any of the above conditions fail, the Controller sends out an alert email and logs the event. In addition, the Controller will also send an alert email on behalf of any of the above condition failures reported by a gateway upon the first detection and subsequently every 24 hours until the problem is rectified.

Note the event requires immediate attention; otherwise, it can lead to catastrophic operation outage. Go through the above conditions to repair the configuration.

If you need help, please open a support ticket at the Aviatrix Support Portal.

  • Account auditing does not work with the new enhancement "customized IAM role name" in 6.4. In the current design, the account auditing feature looks for the Aviatrix standard IAM role names, which are aviatrix-role-app and aviatrix-role-ec2 and the Aviatrix standard policy name, which is aviatrix-app-policy.

  • The account auditing feature also does not work if the IAM app role has more than one policy attached because only the first policy is used.

For Azure Account Audit

For the Azure account audit, the process audits the authentication details against the established Azure account credential setups. If the account audit fails, check the account authentication setups. See details in Azure Account Credential Setup.

For GCP Account Audit

For the GCP account audit, the process audits the authentication details against the established GCP account credential setups. If the account audit fails, check the account authentication setups. See details in GCP Account Credential Setup.