Configure CoPilot for the Aviatrix Platform

As a component in the Aviatrix Platform, CoPilot must communicate with other components in the platform to receive the data it requires. This section details the configuration of CoPilot for the Aviatrix platform. The integration points are typically configured for you as part of the CoPilot deployment process. If you encounter any problems with your CoPilot deployment, you can check to ensure these integration points are configured.

Integration with Controller

CoPilot must be able to reach Controller.

Associate CoPilot with Controller

In Aviatrix Controller, go to Settings > CoPilot and enable the CoPilot Association option so that your CoPilot will be associated with your Controller.

Alternatively, you can associate your CoPilot with your Controller using the Associated Aviatrix Controller option on the Settings > Configuration > General tab in CoPilot.

Configure Controller’s access for CoPilot

  • Assign a static public IP address to CoPilot. For example, in the EC2 console, go to the Elastic IP section and assign an EIP to the CoPilot instance.

  • On the Controller security groups, ensure port 443 is open to the public IP of the CoPilot instance.

  • Configure a dedicated user account on Aviatrix Controller for CoPilot if desired.

If you are using RBAC, as of 1.1.5 CoPilot requires read-only access and access to ping and traceroute functions for diagnostic capabilities.

Setting Session Timeout for the Controller

On the Settings > Configuration > General tab, you use the Controller Session Timeout setting to determine how long sessions connected to the Controller can remain inactive before the current sessions time out (in minutes).

Integration with Gateways

CoPilot receives Netflow data from gateways. Gateways must be able to reach CoPilot.

In Controller > Settings > CoPilot, you can enable the CoPilot Security Group Management option so that your Controller can manage your CoPilot’s inbound security group rules and allow gateways to access your CoPilot virtual machine. If you choose not to enable the CoPilot Security Group Management option, you must add rules to your CoPilot’s inbound security group for each Aviatrix gateway IP for UDP port 5000, TCP port 5000 (if using private mode), and UDP port 31283. For more information about the CoPilot Security Group Management option, see the Controller product documentation.
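
The following is an added example, not part of the Aviatrix documentation or product: a check that compares CoPilot's inbound security group rules with the per-gateway rules described above, for the case where CoPilot Security Group Management is not enabled. It assumes an AWS deployment and rules in the IpPermissions shape returned by `aws ec2 describe-security-groups`; the function names and the sample gateway addresses are constructed for illustration.

```python
import ipaddress

def required_ports(private_mode=False):
    # Ports listed on the page; TCP 5000 is needed only in private mode.
    ports = [("udp", 5000), ("udp", 31283)]
    return ports + [("tcp", 5000)] if private_mode else ports

def _covers(perm, proto, port):
    if perm["IpProtocol"] == "-1":  # all-protocol rule: no port range, matches every port
        return True
    return perm["IpProtocol"] == proto and perm["FromPort"] <= port <= perm["ToPort"]

def audit_ingress(ip_permissions, gateway_ips, private_mode=False):
    """Compare CoPilot's inbound rules with the per-gateway rules the page calls for.

    ip_permissions: IpPermissions list from `aws ec2 describe-security-groups`
    (IPv4 IpRanges only). Returns (missing, excess):
      missing: (proto, port, gateway_ip) with no single-host rule for that gateway
      excess:  (proto, port, cidr) rules that admit anything other than one gateway
    """
    gateways = {ipaddress.ip_address(g) for g in gateway_ips}
    missing, excess = [], []
    for proto, port in required_ports(private_mode):
        covered = set()
        for perm in ip_permissions:
            if not _covers(perm, proto, port):
                continue
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"], strict=False)
                if net.num_addresses == 1 and net.network_address in gateways:
                    covered.add(net.network_address)
                else:
                    excess.append((proto, port, str(net)))
        missing += [(proto, port, str(g)) for g in sorted(gateways - covered)]
    return missing, excess

# Constructed sample: two gateways (documentation addresses) and a NetFlow rule
# that was opened to the whole internet instead of to the second gateway.
SAMPLE_GATEWAYS = ["203.0.113.10", "203.0.113.11"]
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "udp", "FromPort": 5000, "ToPort": 5000,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "203.0.113.11/32"}]},
    {"IpProtocol": "udp", "FromPort": 31283, "ToPort": 31283,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    print(audit_ingress(SAMPLE_PERMISSIONS, SAMPLE_GATEWAYS))
```

Run it again with the updated gateway list whenever new gateways are launched, since each new gateway needs its own rules on these ports.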

Integration with Netflow

CoPilot receives Netflow data from gateways.

Enable Netflow for CoPilot Features

To use some features in CoPilot, such as FlowIQ and CostIQ features, ensure that the controller is configured to forward NetFlow logs to CoPilot:

  1. Log in to Aviatrix Controller.

  2. Go to Settings > Logging > NetFlow Agent.

  3. Use the static IP address of CoPilot as the Netflow server IP and UDP port 31283 (the default; the port is configurable).

  4. Use version 9.

  5. Tick the Advanced checkbox. In Gateways, verify all of your Aviatrix gateways are in the Include List.

    If you launch new gateways from your controller later, you must transfer the newly launched gateways to the Include List also. In addition, in your native cloud console, you must open your CoPilot security group for UDP 31283 from each newly launched gateway. If you enabled the CoPilot Security Group Management option in Controller (Controller > Settings > CoPilot > CoPilot Security Group Management) this will happen automatically.

  6. Click Enable.

    You should start seeing NetFlow in CoPilot after a few minutes.

Integration with Syslog

CoPilot receives syslog data.

Enable Syslog for CoPilot Audit Data

To use audit data in the CoPilot > Administration > Audit feature in CoPilot, configure syslog to be sent to CoPilot:

  1. Log in to Aviatrix Controller.

  2. Go to Settings > Logging > Remote Syslog.

  3. Choose Profile Index 9. Do not choose another index number. Index 9 is reserved for CoPilot.

  4. In Enable Remote Syslog, enter the profile name you want to use, the static IP address of CoPilot as the server, and UDP port 5000 (default).

  5. Tick the Advanced check box. In Gateways, verify all of your Aviatrix gateways are in the Include List.

    If you launch new gateways from your controller later, you must transfer the newly launched gateways to the Include List also. In addition, in your native cloud console, you must open your CoPilot security group for UDP 5000 from each newly launched gateway. If you enabled the CoPilot Security Group Management option in Controller (Controller > Settings > CoPilot > CoPilot Security Group Management) this will happen automatically.

  6. Click Enable.

Resetting Controller IP in CoPilot

In the CoPilot > Settings > Configuration page, the Reset Controller IP option resets the IP address of the Controller with which CoPilot is associated.

Resetting Service Account in CoPilot

In the CoPilot > Settings > Configuration page, the Reset Service Account option resets the account to be used as the CoPilot service account.

Setting the Controller FQDN in CoPilot

In the CoPilot > Settings > Configuration > General page, you use the Controller Public IP/FQDN configuration option to specify the public IP address or the FQDN of your Controller.

  • If your organization’s team members log in to Aviatrix Controller via SAML, and you want them to be able to log in to CoPilot via SAML authentication also, this value must match the value you specified for the Single sign on URL SAML setting of your IdP application.

  • If you specified the Controller’s IP address in the SSO URL, specify the Controller IP address here.

  • If you specified the Controller’s FQDN in the SSO URL, specify the Controller FQDN here. For more information, see CoPilot Login via SAML in Aviatrix CoPilot Deployment Guide.