Configure CoPilot for the Aviatrix Platform
As a component in the Aviatrix Platform, CoPilot must communicate with other components in the platform to receive the data it requires. This section details the configuration of CoPilot for the Aviatrix platform. The integration points are typically configured for you as part of the CoPilot deployment process. If you encounter any problems with your CoPilot deployment, you can check to ensure these integration points are configured.
Integration with Controller
CoPilot must be able to reach Controller. See Associate Con
Associate CoPilot with Controller
In Aviatrix Controller, go Settings > CoPilot and enable the CoPilot Association option so that your CoPilot will be associated with your Controller. Once the CoPilot association is enabled, you can click the dotted-square button in the top right to use single sign-on for CoPilot.
Associate Controller with CoPilot
-
In the CoPilot UI, go to Settings > Configuration > General > Associated Aviatrix Controller and click Reset Association to associate your CoPilot with your Controller.
-
On the Reset Controller Association page, check I understand the implications, and then click Reset.
-
When logged out, enter username, password, and Controller IP.
If the Controller and CoPilot are in the same subnet, VPC, and region of the same cloud provider, or if the Controller and CoPilot can use a private IP for inbound network access, you can enter the private IP for the Controller. Otherwise, enter the Controller’s EIP.
-
Click Log In.
Configure Controller’s access for CoPilot
-
Assign a static public IP address to CoPilot. For example, in EC2 console, you go to the Elastic IP section and assign an EIP to the CoPilot instance.
-
On Controller security groups, ensure 443 is open to the public IP of the CoPilot instance.
-
Configure a dedicated user account on Aviatrix Controller for CoPilot if desired.
If you are using RBAC, as of 1.1.5 CoPilot requires read-only access |
Integration with Gateways
CoPilot receives NetFlow data from gateways. Gateways must be able to reach CoPilot.
In Controller > Settings > CoPilot, you can enable the CoPilot Security Group Management option so that your Controller can manage your CoPilot’s inbound security group rules and allow gateways to access your CoPilot virtual machine. If you choose not to enable the CoPilot Security Group Management option, you must add rules to your CoPilot’s inbound security group for each Aviatrix gateway IP for UDP port 5000, TCP port 5000 (if using private mode), and UDP port 31283. For more information about the CoPilot Security Group Management option, see the Controller product documentation.
Integration with NetFlow
CoPilot receives NetFlow data from gateways.
Enable NetFlow for CoPilot Features
To use some features in CoPilot, such as FlowIQ and CostIQ features, ensure that the controller is configured to forward NetFlow logs to CoPilot:
-
Log in to Aviatrix CoPilot UI.
-
Go to Settings > Configuration > Logging Services > NetFlow Agent, click Enable.
-
The static IP address of CoPilot will be pre-filled as the NetFlow server IP. Use UDP port 31283 (default, port is configurable). You can also select TCP as the protocol. Note that changing the protocol may result in network disruption.
-
Use version 9.
-
(Optional) To use the NetFlow L7 mode Preview feature, select L7 mode. See NetFlow L7 Mode.
-
Select the Advanced checkbox. In Gateways, verify all of your Aviatrix gateways are in the Include List.You can choose any gateways to be excluded
If you launch new gateways from your controller later, you must transfer the newly launched gateways to the Include List also. In addition, in your native cloud console, you must open your CoPilot security group for UDP 31283 from each newly launched gateway. If you enabled the CoPilot Security Group Management option in CoPilot (CoPilot > Settings > Configuration > General > Security > CoPilot Security Group Management) this will happen automatically.
You should start seeing NetFlow in CoPilot after a few minutes.
NetFlow L7 Mode
NetFlow L7 Mode enables the NetFlow agent on spoke gateways to forward L7 data that are in the flows to your designated NetFlow service point. L7 Mode is a Preview Feature.
When L7 mode is enabled, Internet traffic that traverses spoke gateways is analyzed for flows that generate L7 data. When these flows are detected, the L7 fields are forwarded to the designated NetFlow service point.
Enabling L7 mode may impact traffic throughput for the spoke gateways. After enabling L7 mode, monitor your gateway CPU and throughput telemetry statistics in CoPilot and scale your gateways up if needed.
If you use Aviatrix CoPilot as your NetFlow service point, you can view L7 data by going to the CoPilot > Monitor > FlowIQ page, clicking on the Application view, and then opening the Records page.
Note that some flows do not generate L7 data.
Integration with Syslog
CoPilot receives syslog data.
Enable Syslog for CoPilot Audit Data
To use audit data in the CoPilot > Administration > Audit feature in CoPilot, configure syslog to be sent to CoPilot:
-
Log in to Aviatrix Controller.
-
Go to Settings > Logging > Remote Syslog.
-
Choose Profile Index 9. Do not choose another index number. Index 9 is reserved for CoPilot.
-
In Enable Remote Syslog, enter the profile name you want to use, the static IP address of CoPilot as the server, and UDP port 5000 (default).
-
Tick the Advanced check box. In Gateways, verify all of your Aviatrix gateways are in the Include List.
If you launch new gateways from your controller later, you must transfer the newly launched gateways to the Include List also. In addition, in your native cloud console, you must open your CoPilot security group for UDP 5000 from each newly launched gateway. If you enabled the CoPilot Security Group Management option in Controller (Controller > Settings > CoPilot > CoPilot Security Group Management) this will happen automatically.,
-
Click Enable.
Resetting Controller IP in CoPilot
In the CoPilot > Settings > Configuration page, click Reset Association to reset the IP address of the Controller with which CoPilot is associated.
Resetting Service Account in CoPilot
In the CoPilot > Settings > Configuration page, click Reset to reset the account to be used as the CoPilot service account.
Setting the Controller FQDN in CoPilot
In the CoPilot > Settings > Configuration > General page, you use the Controller Public IP/FQDN configuration option to specify the public IP address or the FQDN of your Controller.
-
If your organization’s team members log in to Aviatrix Controller via SAML, and you want them to be able to log in to CoPilot via SAML authentication also, this value must match the value you specified for the Single sign on URL SAML setting of your IdP application.
-
If you specified the Controller’s IP address in the SSO URL, specify the Controller IP address here.
-
If you specified the Controller’s FQDN in the SSO URL, specify the Controller FQDN here. For more information, see CoPilot Login via SAML in Aviatrix CoPilot Deployment Guide.