Planning Your CoPilot Deployment

This section discusses prerequisite information and tasks for deploying Aviatrix CoPilot only with Google Cloud (GCP) and OCI (Oracle Cloud Infrastructure).

For Microsoft Azure deployment information, see Azure Getting Started Guide.

For AWS deployment information, see AWS Getting Started Guide.

Ensure you have already deployed Aviatrix Controller, either from a CSP or via Terraform, before deploying CoPilot. Aviatrix CoPilot works in tandem with Aviatrix Controller.

Platform Requirements

For information about licensing requirements, browser support, system requirements, and more, see CoPilot Requirements.

Verify IAM Role

Verify that your Controller instance Access Account has the IAM role aviatrix-role-ec2 attached to it. Make sure the aviatrix-app-policy policy has been added to the aviatrix-role-ec2 role so that you will be able to migrate your CoPilot data in the future if necessary.

Obtain a Static Public IP Address

You must have a static public IP address available for your CoPilot deployment on Google Cloud and OCI. Be sure you have a static public IP address available before your deployment.

CSPs have limits on how many static IP addresses you can have at one time. Refer to each CSP's documentation for the exact number of static IP addresses you can have at one time.

Ensure Sufficient Security Group (SG) Rule Quota

You must have a sufficient quota for security group rules in your cloud environment.

In the CSP environment, check the quota you have for security group rules. Make sure you have enough quota to support the SG rules you require for CoPilot and Controller.

For each Aviatrix gateway in your infrastructure, 3 rules are required:

  • 2 rules are needed for the CoPilot SG (port 5000 for syslog, port 31283 for NetFlow)

  • 1 rule is needed for the Controller SG (port 443)

For example, if you have 100 gateways, you require 200 SG rules for CoPilot and 100 SG rules for Controller.

In addition, consider the number of future gateways you may deploy if you decide to expand your infrastructure. When obtaining the rule quota in the CSP environment, obtain enough quota to account for future gateways so the quota limit is not reached when you try to deploy them.

If CoPilot Security Group Management is enabled and the Azure Network Security Group (NSG) rule limit is reached, the CoPilot Security Group Management feature will be disabled.

Determine Instance (VM) Sizing for Your CoPilot Deployment

The CoPilot sizing is automated in AWS and Microsoft Azure deployments. For AWS deployments, see AWS Getting Started Guide. For Azure deployments, see Azure Getting Started Guide. Sizes can be modified after deployment, if needed.

For your Google Cloud or OCI deployments, you must consider how much memory and CPU you require for your CoPilot instance (virtual machine).

The configuration of the virtual machine that you provision for your CoPilot deployment depends on the scale and the kind of networking infrastructure you have planned according to your business requirements. Work with your Aviatrix Sales representative to determine your sizing requirements. For minimum requirements and guidelines for instance (virtual machine) sizing, see CoPilot Requirements.

Ensure Internet Access

CoPilot requires Internet access. You must select a subnet (availability zone) with outbound Internet access when specifying the subnet for each CoPilot instance. This is also true if you are using private mode.

Provide Service Ports

CoPilot requires the following service ports:

  • TCP port 443 from anywhere (user access)

    Needed to reach CoPilot via HTTPS connection using a web browser.

  • UDP port 5000 (default)

    Enable Syslog for CoPilot Egress FQDN & Audit Data (from each gateway). Gateways send remote syslog to CoPilot.

  • TCP port 5000 (default)

    For private mode, enable Syslog for CoPilot Egress FQDN & Audit Data (from each gateway). Gateways send remote syslog to CoPilot.

  • UDP port 31283 (default, port is configurable)

    Enable NetFlow for CoPilot FlowIQ Data (from each gateway). Gateways send Netflow to CoPilot.

For Pre-6.8 Controller Releases Only

In your cloud console, in the security group page of your CoPilot VM/instance, add entries FOR EACH of your Aviatrix gateways:

  • For the UDP ports, change the default inbound rule of 0.0.0.0/0 to the IP addresses of your Aviatrix gateways.

    • Open your CoPilot Security Group for UDP 31283 from all of your Aviatrix gateways.

    • Open your CoPilot Security Group for UDP 5000 from all of your Aviatrix gateways.

  • For port 443, you can allow only your and other trusted users’ IP addresses.

Each time you launch a new gateway from your Controller, you must also add a CIDR entry for it.

Starting from Controller 6.8, you can enable the CoPilot Security Group Management feature to allow your Controller to open CoPilot access to the above ports for all of your Aviatrix gateways. You enable the feature in CoPilot at Settings > Configuration > General, under Security. See CoPilot Security Group Management.
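The following Python script is an added example, not part of the Aviatrix documentation and not Aviatrix code. It turns the service-port list, the 3-rules-per-gateway quota arithmetic and the per-gateway security group entries described above into a small planner: it generates the minimum inbound rule set for a list of gateways, sizes the rule quota with headroom for planned gateways, and flags CoPilot rules on the gateway-only ports (syslog, NetFlow) that are still open to sources other than the gateways, such as the default 0.0.0.0/0 inbound rule. The gateway and user addresses are constructed sample values, and the `Rule` class and all function names are this example's own, not an Aviatrix or CSP API.

```python
"""Plan CoPilot / Controller security-group rules for a set of Aviatrix
gateways, size the rule quota with headroom, and flag gateway-only ports
that are still open too widely.  Added example, not Aviatrix code."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Iterable, List

# Default service ports from this guide.
SYSLOG_PORT = 5000        # UDP normally, TCP in private mode
NETFLOW_PORT = 31283      # UDP, configurable
HTTPS_PORT = 443          # TCP: browser access to CoPilot, gateway access to Controller

# Rules consumed per gateway, as stated in the quota section.
COPILOT_RULES_PER_GATEWAY = 2
CONTROLLER_RULES_PER_GATEWAY = 1


@dataclass(frozen=True)
class Rule:
    sg: str        # "copilot" or "controller" security group (example's own naming)
    proto: str     # "tcp" or "udp"
    port: int
    source: str    # CIDR allowed to reach the port


def plan_rules(gateway_ips: Iterable[str], trusted_user_cidrs: Iterable[str],
               private_mode: bool = False, netflow_port: int = NETFLOW_PORT) -> List[Rule]:
    """Return the minimum inbound rule set: per-gateway syslog and NetFlow rules on
    the CoPilot SG, a per-gateway 443 rule on the Controller SG, and 443 on the
    CoPilot SG only from the trusted user networks (never from 0.0.0.0/0)."""
    syslog_proto = "tcp" if private_mode else "udp"
    rules: List[Rule] = []
    for ip in gateway_ips:
        src = str(ip_network(ip))   # a bare address becomes a /32
        rules.append(Rule("copilot", syslog_proto, SYSLOG_PORT, src))
        rules.append(Rule("copilot", "udp", netflow_port, src))
        rules.append(Rule("controller", "tcp", HTTPS_PORT, src))
    for cidr in trusted_user_cidrs:
        rules.append(Rule("copilot", "tcp", HTTPS_PORT, str(ip_network(cidr))))
    return rules


def required_quota(current_gateways: int, planned_gateways: int = 0) -> Dict[str, int]:
    """Rule quota needed per SG, counting gateways you expect to add later."""
    total = current_gateways + planned_gateways
    return {"copilot": total * COPILOT_RULES_PER_GATEWAY,
            "controller": total * CONTROLLER_RULES_PER_GATEWAY}


def quota_shortfall(limit: int, current_gateways: int, planned_gateways: int = 0,
                    sg: str = "copilot") -> int:
    """How many rules the plan needs beyond the CSP limit (0 if it fits)."""
    return max(0, required_quota(current_gateways, planned_gateways)[sg] - limit)


def find_overly_open_rules(rules: Iterable[Rule], gateway_ips: Iterable[str],
                           netflow_port: int = NETFLOW_PORT) -> List[Rule]:
    """Flag CoPilot-SG rules on the gateway-only ports (syslog, NetFlow) whose
    source is not one of the gateways, e.g. the CSP default 0.0.0.0/0 rule."""
    gateway_nets = {ip_network(ip) for ip in gateway_ips}
    return [r for r in rules
            if r.sg == "copilot" and r.port in (SYSLOG_PORT, netflow_port)
            and ip_network(r.source) not in gateway_nets]


# Constructed sample input (documentation address ranges, not real gateways).
GATEWAYS = ["203.0.113.10", "203.0.113.11", "198.51.100.5"]
TRUSTED_USERS = ["192.0.2.0/24"]

if __name__ == "__main__":
    for rule in plan_rules(GATEWAYS, TRUSTED_USERS):
        print(rule)
    print(required_quota(current_gateways=100))          # {'copilot': 200, 'controller': 100}
    print(quota_shortfall(limit=250, current_gateways=100, planned_gateways=50))  # 50
    # The CSP default rule that should have been narrowed to gateway sources:
    print(find_overly_open_rules([Rule("copilot", "udp", SYSLOG_PORT, "0.0.0.0/0")], GATEWAYS))
```

Running the script with the three sample gateways produces ten rules (seven on the CoPilot security group, three on the Controller security group) and reproduces the guide's 100-gateway figure of 200 CoPilot rules and 100 Controller rules. Re-running `plan_rules` after each new gateway launch, and `find_overly_open_rules` against the rules actually present in the cloud console, is the pre-6.8 manual check that CoPilot Security Group Management automates from Controller 6.8 onward.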

Ensure Available Storage

You must attach at least one data disk (data volume) to your CoPilot instance to be used for expandable storage. This is a secondary data storage separate from the root disk that comes with CoPilot. For more information, see CoPilot Disk (Volume) Management. You can choose the disk type (volume type) that meets your business needs given the size of your environment.

Create User Account to Be Used as CoPilot Service Account

For your Google Cloud or OCI deployments, you need to create a CoPilot service account in Aviatrix Controller for CoPilot services. During the Initial Setup of CoPilot, you will need to enter the credentials of this CoPilot service account.

Creation of a service account is automated in Azure and AWS deployments. For Azure deployments, see Azure Getting Started Guide. For AWS deployments, see AWS Getting Started Guide.

The following task can also be used to create a new CoPilot service account if an existing account is deactivated.

To create a user account that will be used as CoPilot service account, perform the following steps:

  1. Log in to Controller with administrative privileges.

  2. From ACCOUNTS > Permission Groups, click +ADD NEW.

  3. Enter a unique group name and click OK.

  4. Choose the group name that you have created for the CoPilot service account and click Manage Permission.

  5. Click +ADD NEW.

  6. Click the permissions that you want to assign to this group.

    For example, Firewall Network and Gateway. If you want to give full access except Settings, click AllWrite. Click OK to continue.

    • Each permission group has its own relevant privileges. To access CoPilot features, the CoPilot service account must be assigned corresponding permissions.

    • The CoPilot ThreatIQ feature and Distributed Cloud Firewall (DCF) feature require that the CoPilot service account have at least the all_firewall_network_write permission. The CoPilot Gateway Scaling feature requires the all_gateway_write permission. You must add these two permissions to your CoPilot service account if you want to use the ThreatIQ, DCF and Gateway features to manage your Spoke and Transit gateways.

    • If you want to give all permissions (admin user), choose all_write to give full access to all CoPilot features.

  7. Go to ACCOUNTS > Account Users, click +ADD NEW to add a new user.

  8. Enter the user name, user email, and password. Choose a meaningful name, such as cp-service-acct. Choose the group you created for the CoPilot service account. Then click OK.

  9. When this new user is displayed in the username list, you have successfully created a CoPilot service account.

See more details about CoPilot’s Service Account.

Configure the Timeout Value for Load Balancer (optional)

If you are configuring a Load Balancer in your CSP (that you will deploy in front of CoPilot), ensure that the timeout value is at least ten minutes.

Aviatrix recommends performing the initial disk setup via this procedure and not via the Load Balancer.

  • AWS: configure on the Attributes page of the Application Load Balancer.

  • Azure: See here for information on configuring this value.

  • GCP: configure HTTP keepalive timeout (in seconds) when you create your Load Balancer.

  • OCI: see here for information on configuring the Load Balancer timeout value.