CoPilot IP Access List Management

AWS and Azure both have a limit on the number of allowed security group rules. For AWS, if you exceed the limit, you can enable IP Access List Management in CoPilot.

This feature is currently available in CoPilot only when running on Controller versions 7.1.3958, 7.1.4105 or later.

Rule Limits for Security Groups in AWS

There are circumstances when an AWS environment can exceed the cloud service provider (CSP) security group rule limit, which stops the CoPilot Security Group Management feature from working. Because multiple rules are created per gateway for access and for individual services, the total number of rules you can create effectively limits the number of gateways. CoPilot IP Access List Management is available as an alternative if you reach the AWS security group rule limit.

If you enable IP Access List Management, you must ensure that any AWS Security Group rules for TCP and UDP access to CoPilot on ports 5000 (TCP & UDP), 31282 (TCP), 31283 (TCP & UDP), and 31284 (TCP) are open to all, that is, the source of each of these rules is 0.0.0.0/0. Otherwise, communication between the Controller and CoPilot, and between Aviatrix Gateways and CoPilot, will be disrupted.

With IP Access List Management on, you can disable CoPilot Security Group Management. If you disable Security Group Management in CoPilot, existing Security Group rules for Syslog and NetFlow ports should be retained.

Before disabling CoPilot Security Group Management, read When Security Group Management Is Disabled.

Enable CoPilot IP Access List Management

To enable the CoPilot IP Access List Management feature, complete the following steps in AWS and in CoPilot.

To enable CoPilot IP Access List Management:

  1. Log in to your AWS console and do the following:

    1. Go to VPC > Security > Security Groups.

    2. In the Search field, select Tag, Contains, and type copilot.

      Example: Name : copilot

    3. For any item in the list named AviatrixCoPilotSecurityGroup, click the Security group ID.

    4. In the Details page, click Actions > Edit inbound rules.

    5. Change the Source IP to 0.0.0.0/0 for each security group rule and click Save rules.

  2. Log in to CoPilot and go to Settings > Configuration > General.

  3. Under Security > CoPilot IP Access List Management, set the slider to On, check "I have completed the setup", and then click Save.

    If you need to disable IP Access List Management, set the slider to Off and click Save.
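The following script is an added example, not part of this documentation or of the CoPilot product, for checking the result of step 1 above: it takes the inbound rules of a security group in the `IpPermissions` shape that `aws ec2 describe-security-groups` (or boto3's `describe_security_groups`) returns and reports which of the CoPilot ports listed above are not yet open to 0.0.0.0/0. The required port set and the function names are the example's own, and the sample rule list is constructed, not real AWS output.

```python
"""Verify that a security group's inbound rules open the CoPilot ports
required by IP Access List Management to 0.0.0.0/0.

Input is the IpPermissions list of one security group, in the shape that
`aws ec2 describe-security-groups` / boto3 returns. The sample at the
bottom is constructed for this example and is not real AWS output.
"""

# Ports CoPilot needs open to all when IP Access List Management is enabled
# (5000 TCP & UDP, 31282 TCP, 31283 TCP & UDP, 31284 TCP).
REQUIRED_RULES = {
    ("tcp", 5000), ("udp", 5000),
    ("tcp", 31282),
    ("tcp", 31283), ("udp", 31283),
    ("tcp", 31284),
}

OPEN_IPV4 = "0.0.0.0/0"

# AWS may return protocol numbers instead of names; map the two we care about.
_PROTO_NAMES = {"6": "tcp", "17": "udp"}


def _rule_covers(perm, proto, port):
    """True if one IpPermissions entry allows proto/port from 0.0.0.0/0."""
    if not any(r.get("CidrIp") == OPEN_IPV4 for r in perm.get("IpRanges", [])):
        return False
    rule_proto = str(perm.get("IpProtocol", "")).lower()
    rule_proto = _PROTO_NAMES.get(rule_proto, rule_proto)
    if rule_proto == "-1":          # "All traffic" rule: every protocol and port
        return True
    if rule_proto != proto:
        return False
    low = perm.get("FromPort", -1)
    high = perm.get("ToPort", -1)
    if low == -1 and high == -1:    # all ports for this protocol
        return True
    return low <= port <= high      # port ranges such as 31282-31284 count


def missing_open_rules(ip_permissions, required=REQUIRED_RULES):
    """Return sorted (protocol, port) pairs that no inbound rule opens to 0.0.0.0/0."""
    return sorted(
        (proto, port) for proto, port in required
        if not any(_rule_covers(p, proto, port) for p in ip_permissions)
    )


# Constructed sample: a group whose rules were only partly widened.
SAMPLE_IP_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 5000,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "udp", "FromPort": 5000, "ToPort": 5000,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},  # still restricted
    {"IpProtocol": "tcp", "FromPort": 31282, "ToPort": 31284,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    # udp 31283 has no rule at all
]

if __name__ == "__main__":
    gaps = missing_open_rules(SAMPLE_IP_PERMISSIONS)
    if gaps:
        print("Rules not open to 0.0.0.0/0:", gaps)
    else:
        print("All required CoPilot ports are open to 0.0.0.0/0")
```

To run this against a real account, fetch the group with boto3, for example `ec2.describe_security_groups(Filters=[{"Name": "group-name", "Values": ["AviatrixCoPilotSecurityGroup"]}])`, and pass each group's `IpPermissions` list to `missing_open_rules`. An empty result means every required port is open to 0.0.0.0/0, so after you enable the feature, filtering of client addresses is done by the CoPilot IP access list rather than by the security group.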