Azure Getting Started Guide

The Aviatrix Cloud Networking Platform is a management and control plane that enables you to manage and support a single or multicloud network architecture. You can deploy the platform, including Aviatrix Controller and CoPilot, through the Azure Marketplace.

Aviatrix Controller is a cloud instance of the Aviatrix software that processes network operations. The Controller manages connections, gateways, users, security, and other networking operations.

CoPilot is the Aviatrix software GUI used to configure all your network connections and policies, and monitor all gateways and traffic on your network. Customizable monitoring tools give you views of network resource usage, performance, security threats, and financial data.

Descriptions of the Aviatrix Subscription Offers

Four Azure Marketplace subscriptions, described in the following table, are available.

Launching a new Controller, or migrating Controller images, requires two offers from the Azure Marketplace:

  1. Aviatrix billing license

    There is one license offer.

  2. Aviatrix Controller subscription

    There are two Controller offers available, depending on the Aviatrix base image OS. All new deployments must use Aviatrix Cloud Network Controller, which is based on a more recent Linux OS version. The other Controller offer is for existing customers running an older image.

You can also subscribe to the CoPilot offer, which provides a UI for configuring and monitoring your network. This is optional, but recommended.

| Offer | Required or Optional | Description |
| --- | --- | --- |
| Aviatrix Cloud Network Controller | Required | This Bring Your Own License (BYOL) offer is for the Aviatrix Cloud Network Controller for all new deployments. This offer integrates with the Aviatrix Cloud Network License Service which issues a license and calculates billing. All new deployments use this offer. |
| Aviatrix Secure Networking Platform BYOL | Required | This BYOL metered offer is for Aviatrix Controllers being added to existing deployments running an older version of the operating system. This offer integrates with the Aviatrix Cloud Network License Service which issues a license and calculates billing. |
| Aviatrix Cloud Network CoPilot | Optional (recommended) | This BYOL offer is for the Aviatrix Cloud Network CoPilot. This offer integrates with the Aviatrix Cloud Network License Service which issues a license and calculates billing. |
| Aviatrix Cloud Network License Service | Required | The Aviatrix Cloud Network License Service provides the customer IDs (licenses) that are needed to access the Aviatrix Cloud Network Controller and Aviatrix Cloud Network CoPilot. This service also calculates Aviatrix bills based on usage, which are then sent to Azure Marketplace for customer billing purposes. A free trial is available with this offer. |

Aviatrix Cloud Network License Service was renamed from Aviatrix Metered Offer.

Aviatrix Cloud Network Controller deploys Controller 7.1.4105 and later. To deploy Controller version 7.1.4101 or earlier, subscribe to Aviatrix Secure Networking Platform BYOL.

If you subscribe to the free trial license, you receive notification emails 14 days, seven days, and one day before the free trial expires and billing begins.

When you subscribe to the Aviatrix Cloud Network License Service you receive a Customer ID (license key) by email. You must enter that ID when you subscribe to the Aviatrix Cloud Network Controller BYOL offer to deploy the Aviatrix Controller. You then subscribe to the Aviatrix Cloud Network CoPilot offer.

Complete the following instructions:

These instructions apply generally to both Azure commercial and Azure Government clouds for deploying an Aviatrix Controller. Some screenshots may show regions that are only available for commercial Azure accounts. Commercial Azure offers multiple regions worldwide while Azure Government offers limited US regions. See documentation about Azure Geographies or Azure Government for details.

Subscribing to the Aviatrix License Service Offer

You must subscribe to the Aviatrix Cloud Network License Service offer before subscribing to the Aviatrix Cloud Network Controller (BYOL) offer.

With the Aviatrix License, you are billed monthly on a pay-as-you-go basis, with no upfront cost.
  1. Go to the Aviatrix Cloud Network License Service page on the Azure Marketplace.

  2. Click Get it Now on the left side of the page.

  3. Mark the permissions checkbox and click Continue.

  4. Click Subscribe.

  5. Enter your Subscription name, Resource group, Name, and Recurring billing preference. Then, click Review + subscribe.

  6. Click Subscribe.

  7. After the subscription process completes, click Configure account now.

    It might take several seconds before the configuration button becomes active.

  8. Enter your email address in the Email field and click Submit.

    You receive an email from admin@aviatrix.io with the subject line "License key for Aviatrix Metered Controller and CoPilot." This email contains your Controller customer ID, CoPilot customer ID, and offer subscription ID.

  9. Save these values in a secure place to use later for onboarding.

Next, you must subscribe to the Aviatrix Cloud Network Controller offer.

Subscribing to the Aviatrix Controller Offer

After subscribing to the Aviatrix license and receiving your license key, you must subscribe to the Aviatrix Controller offer to activate your subscription.

  1. Go to the Azure Marketplace to subscribe to the Aviatrix Cloud Network Controller offer.

    Alternatively, search for "Aviatrix Controller."

  2. Click on the subscription offer, and then click Get It Now.

  3. On the Create this app in Azure window, click Continue.

  4. On the Aviatrix Cloud Network Controller window, click Create.

    If you want to view Azure recommended size choices, click "Start with a pre-set configuration". Do not choose the "Deploy programmatically" option.

  5. On the Basics tab, do the following:

    • Create a new Resource Group. Example: "aviatrix."

    • Name the virtual machine. Example: "aviatrixController."

    • For the instance size, at least 8GB of RAM is recommended (the B2ms instance size should be sufficient).

    • Select an authentication type.

    • Enter a username.

      Do not use "ubuntu" as the username if you use password as the authentication type.

    • If you selected the password authentication type, enter a password.

  6. On the Disks tab, you can accept the defaults or enter your choices.

  7. On the Networking tab:

    • A default subnet and a security group are preconfigured. You can accept the defaults.

    • Scroll to Select inbound ports and select HTTPS(443).

      A warning message displays about access to the VM. However, this port must be open so Controller has access to the internet.

  8. You can accept the default settings or modify the settings, as needed, on the Management, Monitoring, Advanced, and Tags tabs. No configuration changes are required.

  9. When you are finished making all of your selections, click Review + subscribe.

    After several seconds, the Create button becomes active.

  10. Click Create.

  11. If you selected the option to use an SSH public key for authentication, the Generate new key pair window displays. Click Download private key and create resource.

    Resource creation takes several seconds.

    The private key is not stored by Azure or Aviatrix. This is the only opportunity to download the key. Keep the key in a safe place because you will need it in the future.
  12. When a message displays indicating the deployment is complete, click Go to resource to see resource details.

  13. Find the VM’s public IP address, which you will use to access the Controller.

  14. Scroll to the Networking section of the VM page and make a note of the private IP address, which is your login password.

  15. Use a browser to access the Controller VM’s public IP address.

  16. At the login page, enter "admin" as the username.

    The initial password is the internal private IP address of the VM.

  17. Log into your new Controller.

  18. After logging in, click on the Onboarding tab.

Any resources created by the Controller, such as Aviatrix gateways, Azure routing entries, subnets, etc., must be deleted from the Controller console. If you delete them directly in the Azure console, the Controller’s view of the resources will be incorrect, which will lead to features not working properly.

Onboarding Your Azure Account in the Aviatrix Controller

Onboarding helps you set up an account on the Aviatrix Controller that corresponds to an Azure account with policies so that the Controller can launch gateways using Azure APIs.

Follow the Azure Accounts document to create an Aviatrix account that corresponds to your Azure account credential.

  • You can create a single Aviatrix Controller on Azure and manage your Azure, AWS, and Google cloud accounts from that Controller. This is a multicloud platform.

  • For information about how to subscribe to an Aviatrix License if you subscribe to a trial license and it expires, see Aviatrix Licensing.

Subscribing to the Aviatrix CoPilot Offer

For a CoPilot deployment, the first step is to log in to the CSP marketplace and subscribe to the Aviatrix Cloud Network CoPilot offer.

  1. Log in to the Azure Marketplace using your provider user account credentials and go to Aviatrix Cloud Network CoPilot.

    Alternatively, search for "Aviatrix CoPilot."

  2. Click on the subscription offer, review the subscription pricing information, and then click Get It Now.

  3. On the Create this app in Azure window, click Continue.

    If you prefer to deploy CoPilot by using Terraform scripts, you can stop here and refer to the instructions for that deployment method.
  4. On the Aviatrix Cloud Network CoPilot window, click Create.

    If you want to view Azure recommended size choices, click "Start with a pre-set configuration". Do not choose the "Deploy programmatically" option.

  5. In the Create a virtual machine form, complete the provisioning steps for the Basics section by specifying the subscription, resource group, VM name, and size values and other values as needed for the Project details, Instance details, and Administrator account details sections. Take note of the Instance (Virtual Machine) System Requirements for CoPilot. Click Next: Disks.

  6. You must attach at least one data disk to your CoPilot VM to be used for expandable storage. This is in addition to the 25GB root disk that comes with CoPilot. Click Create and attach a new disk or Attach an existing disk to add and attach an additional disk.

  7. Specify the disk options you want or click OK to accept the default disk options.

  8. Click Next: Networking and specify the network interface details.

    For Public IP, click Create new. In the Create public IP address dialog, for Assignment, select Static and click OK.

  9. Complete the rest of the provisioning steps for the Management, Advanced, and Tags sections.

  10. Click Next: Review + create. If the Preferred phone number field is blank, type your phone number in it. If the validation passes, review your settings and click Create.

    Verify that your instance is up and running in the Azure console.

  11. After the instance is created, and you receive a message that your deployment is complete, click on Go to resource. Select the copilot instance name and take note of its External IP address.

  12. Go to your Controller instance in your cloud service provider. Add your CoPilot IP address to your Controller security group with the TCP protocol and port 443 on the cloud service provider so that the CoPilot server can communicate with the Controller API.

  13. You are ready to launch CoPilot in your web browser and perform initial setup. See Initial Setup of CoPilot.
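
Both the Controller deployment (inbound HTTPS(443)) and step 12 above depend on the Controller security group's rules for TCP 443, so it is worth reviewing which sources those rules admit. The following is an added example, not part of the Aviatrix documentation: it assumes rules exported with `az network nsg rule list --resource-group <rg> --nsg-name <nsg> -o json`, and the function names, sample rules, and the address 203.0.113.10 are constructed.

```powershell
# Added example, not Aviatrix code. Function names, sample rules and IPs are constructed.
# Rule objects use the property names emitted by `az network nsg rule list -o json`.

function Test-Covers443 {
    param([string[]]$Ranges)
    foreach ($r in $Ranges) {
        if ($r -eq '*') { return $true }              # literal "*" means all ports
        $lo, $hi = $r -split '-'                      # "443" or "400-500"
        if (-not $hi) { $hi = $lo }
        if ([int]$lo -le 443 -and 443 -le [int]$hi) { return $true }
    }
    return $false
}

function Get-Https443Exposure {
    param([object[]]$Rules, [string]$CoPilotIp)
    foreach ($rule in $Rules | Sort-Object priority) {
        # Only inbound Allow rules for TCP (or any protocol) are of interest here.
        if ($rule.direction -ne 'Inbound' -or $rule.access -ne 'Allow') { continue }
        if ($rule.protocol -notin 'Tcp', '*') { continue }

        # A rule carries either the singular or the plural property; merge both.
        $ports = @(@($rule.destinationPortRange) + @($rule.destinationPortRanges) | Where-Object { $_ })
        if (-not (Test-Covers443 $ports)) { continue }
        $sources = @(@($rule.sourceAddressPrefix) + @($rule.sourceAddressPrefixes) | Where-Object { $_ })

        $finding = if ($sources | Where-Object { $_ -in '*', 'Internet', '0.0.0.0/0' }) {
            'OPEN: any source can reach 443'
        } elseif ($sources -contains $CoPilotIp -or $sources -contains "$CoPilotIp/32") {
            'OK: CoPilot address listed'
        } else {
            'REVIEW: restricted, CoPilot address not listed explicitly'
        }
        [pscustomobject]@{
            Priority = $rule.priority; Rule = $rule.name
            Sources  = $sources -join ','; Finding = $finding
        }
    }
}

# Constructed sample standing in for the exported rule list of the Controller's security group.
$sampleRules = @'
[
 {"name":"HTTPS","priority":1010,"direction":"Inbound","access":"Allow","protocol":"Tcp",
  "sourceAddressPrefix":"*","sourceAddressPrefixes":[],
  "destinationPortRange":"443","destinationPortRanges":[]},
 {"name":"copilot-api","priority":1020,"direction":"Inbound","access":"Allow","protocol":"Tcp",
  "sourceAddressPrefix":"203.0.113.10/32","sourceAddressPrefixes":[],
  "destinationPortRange":"443","destinationPortRanges":[]}
]
'@ | ConvertFrom-Json

Get-Https443Exposure -Rules $sampleRules -CoPilotIp '203.0.113.10' | Format-Table -AutoSize
```

The report lists Allow rules only; a Deny rule with a lower priority number can still block the traffic, and a source range wider than /32 is reported for manual review rather than matched against the CoPilot address.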

Subscribing Gateway and Firewall Offers to Azure Private Marketplace for Aviatrix Deployments

Depending on your company’s security policies, you may need to add and subscribe Aviatrix gateways and firewalls to your Azure private marketplace using PowerShell. This document explains how to use PowerShell commands to add and subscribe Aviatrix gateway and firewall offers, including partner firewall offers, to your private Azure Marketplace.

Since our gateway images are not publicly available, you cannot subscribe to these offers directly in your private marketplace through the Azure portal. Please follow the instructions below to complete the subscription process.

For general instructions about adding offers to your Azure Private Marketplace, see Manage a private Azure Marketplace using PowerShell. Note that this page contains the most current updates and commands. The examples in the following sections demonstrate how to apply these instructions.

Subscribing an Aviatrix Gateway Offer to Azure Private Marketplace

  1. Log into your Azure account. Make sure that you have the admin permission to run the following commands.

  2. Run the following command to install the necessary packages:

    Install-Module -Name AZ.Marketplace
  3. (Optional) If you have multiple Azure subscriptions, see Manage a private Azure Marketplace using PowerShell for more details about how to choose an appropriate subscription.

  4. Run the following command to list all images published by Aviatrix in the Azure Marketplace:

    az vm image list --publisher aviatrix --all --output table

    Save the <publisher>/<offer> for the OfferId which you will need in the following steps. In this example, it is aviatrix-systems.aviatrix-gateway.

  5. (Optional) Run the following command to get your Private StoreID, if needed:

    Get-AzMarketplacePrivateStore
  6. Run the following command to retrieve the specific image as required by the Controller from the private Marketplace:

    Get-AzMarketplacePrivateStoreOffer <PrivateStoreId> -OfferId <OfferId>

    Where:

    • <PrivateStoreId> is the PrivateStoreID you just retrieved from the previous step. For example, e796cf6d-fb86-4621-99b5-6764cafeee58

    • <OfferId> is publisherId.offerId. For example, aviatrix-systems.aviatrix-gateway

      For example:

      Get-AzMarketplacePrivateStoreOffer e796cf6d-fb86-4621-99b5-6764cafeee58 -OfferId aviatrix-systems.aviatrix-gateway
  7. Run the following command to accept the terms of the image on Azure Private Marketplace:

    az vm image accept-terms --urn <urn>

    Where:

    • <urn> is the urn value you retrieved from the previous step. For example aviatrix-systems:aviatrix-gateway:aviatrix-gateway-g3:20240512.1500.0.

  8. Run the following command to add a gateway offer to Azure Private Marketplace if your offer is not in Azure Private Marketplace.

    $Params = @{
    privateStoreId = "<privateStoreId>"
    collectionId = "<collectionId>"
    offerId = "<offerId>"
    SpecificPlanIdLimitation =@("<SpecificPlanIdLimitation>")
    }
    Set-AzMarketplacePrivateStoreCollectionOffer @Params

    Where:

    • <privateStoreId> is the privateStoreId you retrieved from the previous step.

    • <collectionId> is the collection ID. Use the same value as the privateStoreId.

    • <offerId> is the offerId you retrieved from the previous step.

    • <SpecificPlanIdLimitation> is the SpecificPlanIdLimitation or sku you retrieved from the previous steps.

      For example:

      $Params = @{
      privateStoreId = "e796cf6d-fb86-4621-99b5-6764cafeee58"
      collectionId = "e796cf6d-fb86-4621-99b5-6764cafeee58"
      offerId = "aviatrix-systems.aviatrix-gateway"
      SpecificPlanIdLimitation =@("aviatrix-gateway-g3")
      }
      Set-AzMarketplacePrivateStoreCollectionOffer @Params

      Replace the offerID and SpecificPlanIdLimitation values with the correct values according to your Controller’s current software version. Use the following table:

      | Release | offerID | SpecificPlanIdLimitation |
      | --- | --- | --- |
      | >= 6.7 | aviatrix-systems.aviatrix-companion-gateway-v10 | aviatrix-companion-gateway-v10u |
      | >= 6.8 | aviatrix-systems.aviatrix-companion-gateway-v13 | aviatrix-companion-gateway-v13u |
      | >= 6.9 | aviatrix-systems.aviatrix-companion-gateway-v15 | aviatrix-companion-gateway-v15u-6-9 |
      | >= 7.0 | aviatrix-systems.aviatrix-companion-gateway-v16 | aviatrix-companion-gateway-v16 |
      | >= 7.1.3958 | aviatrix-systems.aviatrix-gateway | aviatrix-gateway-g3 |

    The Aviatrix Gateway image is now part of your Azure Private Marketplace. You can now deploy Aviatrix Gateways for Azure from the Aviatrix Controller.

  9. Run the following command to validate whether the image is now available in the Private Marketplace:

    Get-AzMarketplacePrivateStoreOffer <PrivateStoreId> -OfferId <OfferId>

    For example:

    Get-AzMarketplacePrivateStoreOffer e796cf6d-fb86-4621-99b5-6764cafeee58 -OfferId aviatrix-systems.aviatrix-gateway

Example Code

Below is a full example code snippet that demonstrates the workflow:

# Install the AZ.Marketplace module
Install-Module -Name AZ.Marketplace

# List all images published by Aviatrix in the Azure Marketplace
az vm image list --publisher aviatrix --all

# Get the Private StoreID
Get-AzMarketplacePrivateStore

# Validate the Private Marketplace offer
Get-AzMarketplacePrivateStoreOffer -PrivateStoreId e796cf6d-fb86-4621-99b5-6764cafeee58 -OfferId aviatrix-systems.aviatrix-gateway

# Accept the terms of the image on Azure Private Marketplace
az vm image accept-terms --urn aviatrix-systems:aviatrix-gateway:aviatrix-gateway-g3:20240512.1500.0

# Add the offer to Azure Private Marketplace
$Params = @{
    privateStoreId = "e796cf6d-fb86-4621-99b5-6764cafeee58"
    collectionId = "e796cf6d-fb86-4621-99b5-6764cafeee58"
    offerId = "aviatrix-systems.aviatrix-gateway"
    SpecificPlanIdLimitation =@("aviatrix-gateway-g3")
}
Set-AzMarketplacePrivateStoreCollectionOffer @Params

# Validate whether the image is now available in the Private Marketplace
Get-AzMarketplacePrivateStoreOffer e796cf6d-fb86-4621-99b5-6764cafeee58 -OfferId aviatrix-systems.aviatrix-gateway
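
The release table in step 8 can be turned into a lookup so that the offer and plan are chosen from the Controller version instead of typed by hand, which keeps the private-store entry limited to the one plan that release needs. This is an added example, not Aviatrix or Microsoft code; `Get-GatewayOfferParams` and `$OfferTable` are hypothetical names, and the rows are copied from the table in step 8.

```powershell
# Added example, not Aviatrix or Microsoft code. Names are hypothetical.
# Rows copied from the release table in step 8; each row applies from its minimum release upward.
$OfferTable = @(
    [pscustomobject]@{ MinRelease = [version]'6.7'
        OfferId = 'aviatrix-systems.aviatrix-companion-gateway-v10'; PlanId = 'aviatrix-companion-gateway-v10u' }
    [pscustomobject]@{ MinRelease = [version]'6.8'
        OfferId = 'aviatrix-systems.aviatrix-companion-gateway-v13'; PlanId = 'aviatrix-companion-gateway-v13u' }
    [pscustomobject]@{ MinRelease = [version]'6.9'
        OfferId = 'aviatrix-systems.aviatrix-companion-gateway-v15'; PlanId = 'aviatrix-companion-gateway-v15u-6-9' }
    [pscustomobject]@{ MinRelease = [version]'7.0'
        OfferId = 'aviatrix-systems.aviatrix-companion-gateway-v16'; PlanId = 'aviatrix-companion-gateway-v16' }
    [pscustomobject]@{ MinRelease = [version]'7.1.3958'
        OfferId = 'aviatrix-systems.aviatrix-gateway'; PlanId = 'aviatrix-gateway-g3' }
)

function Get-GatewayOfferParams {
    param(
        [Parameter(Mandatory)][string]$ControllerVersion,
        [Parameter(Mandatory)][guid]$PrivateStoreId      # rejects anything that is not a GUID
    )
    $parsed = $null
    if (-not [version]::TryParse($ControllerVersion, [ref]$parsed)) {
        throw "Cannot parse Controller version '$ControllerVersion' (expected a form such as 7.1.4105)."
    }

    # Pick the row with the highest minimum release that this Controller version still meets.
    $row = $OfferTable |
        Where-Object { $parsed -ge $_.MinRelease } |
        Sort-Object MinRelease -Descending |
        Select-Object -First 1
    if (-not $row) {
        throw "Controller $ControllerVersion is older than 6.7; the table has no offer for it."
    }

    # Same shape as the $Params hashtable in step 8.
    @{
        privateStoreId           = $PrivateStoreId.ToString()
        collectionId             = $PrivateStoreId.ToString()   # the page uses the same value for both
        offerId                  = $row.OfferId
        SpecificPlanIdLimitation = @($row.PlanId)
    }
}

# Values below come from the page's own examples (Controller 7.1.4105, sample store ID).
$Params = Get-GatewayOfferParams -ControllerVersion '7.1.4105' -PrivateStoreId 'e796cf6d-fb86-4621-99b5-6764cafeee58'
$Params | Format-Table -AutoSize
# Then, as in step 8: Set-AzMarketplacePrivateStoreCollectionOffer @Params
```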

Subscribing an Aviatrix Firewall Offer to Your Private Marketplace

Repeat the steps above to add an offer for the Azure Firewall to your Private Marketplace. Use the table below to find the correct Publisher and OfferID values.

| Name | Publisher | OfferID (plan product) | SKU (plan name) |
| --- | --- | --- | --- |
| PAN | paloaltonetworks | vmseries1, vmseries-flex | bundle1, bundle2, byol |
| Fortinet | fortinet | fortinet_fortigate-vm_v5 | fortinet_fg-vm, fortinet_fg-vm_payg, fortinet_fg-vm_payg_20190624 |
| Check Point | checkpoint | check-point-cg-r81, check-point-cg-r8110 | sg-ngtp, sg-ngtx, sg-byol, mgmt-byol |

After following these steps, you can now deploy Azure Firewalls from your Azure Private Marketplace through the Aviatrix Controller.