Security Group Management in CoPilot
The CoPilot Security Group Management feature is available for AWS and Azure CSPs and is enabled by default.
If CoPilot Security Group Management needs to be disabled or re-enabled, you can do so from the CoPilot UI at Settings > Configuration > General and scroll to Security.
AWS and Azure have rule limits that impact the CoPilot Security Group Management feature. This CoPilot feature will not work if the AWS security group quota or Azure Network Security Group (NSG) rule limit is reached.
It is recommended that you monitor the AWS or Azure security group quota and update your rules configuration before the rule limit is reached. See Security Group Management Rule Limit for more information.
If the AWS or Azure rules are nearing their rule limits, you can do one of the following:
- For AWS only: In CoPilot, turn off CoPilot Security Group Management and turn on CoPilot IP Access List Management.
- For AWS or Azure: Request an increase for the security group quota/limit from AWS or Azure and then re-enable the CoPilot Security Group Management feature.
Please refer to the AWS VPC or Azure VNet product documentation for information about viewing and alerting on security group quotas/limits.
When Security Group Management Is Enabled
When CoPilot Security Group Management is enabled (default), the Controller creates a security group for the specified CoPilot virtual machine to manage its inbound security-group rules.
The feature adds gateway IP rules to customer-attached CoPilot security groups as well as CoPilot-created security groups. CoPilot comes with a base security group when it is first launched.
The Controller adds rules to the security group for each gateway IP for the following:
- UDP port 5000 (default): Enable Syslog for CoPilot Egress FQDN (Legacy) & Audit Data (from each gateway). Gateways send remote syslog data to CoPilot.
- TCP port 5000 (default, if using Private Mode): Enable Syslog for CoPilot Egress FQDN & Audit Data (from each gateway). Gateways send remote syslog data to CoPilot.
- TCP port 31282: OpenTelemetry in CoPilot receives gateway NetFlow data on this port.
- TCP port 31284: OpenTelemetry in CoPilot receives Controller and gateway metrics and logs on this port.
- TCP & UDP port 31283 (default, port is configurable): Enable NetFlow for CoPilot FlowIQ Data (from each gateway). Gateways send NetFlow to CoPilot.
The Controller adds the above rules for the following:
- New gateways launched from the Controller after the feature is enabled.
- Existing gateways launched from the Controller before the feature was enabled.
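The per-gateway rule set above and the rule-limit concern from the top of the page can be checked offline. The following is an added example, not part of this page or of the CoPilot product; it models the rules the Controller adds for each gateway IP, audits a constructed security-group rule list for missing rules and remaining headroom, and shows which rules survive when the feature is turned off. The quota value, the Rule class and the sample IPs are assumptions; the real quota must be read from your AWS or Azure account.

```python
from dataclasses import dataclass

# Per-gateway inbound rules the Controller adds for each gateway IP
# (protocol, port), as listed on this page. 5000 and 31283 are the
# defaults; 31283 is configurable, so adjust it if you changed it.
GATEWAY_RULES = (("udp", 5000), ("tcp", 5000), ("tcp", 31282),
                 ("tcp", 31284), ("tcp", 31283), ("udp", 31283))

# Assumed inbound-rule quota per security group (hypothetical value);
# read the actual AWS/Azure limit from your account, it may have been raised.
ASSUMED_QUOTA = 60

@dataclass(frozen=True)
class Rule:
    proto: str
    port: int
    cidr: str

def expected_gateway_rules(gateway_ips):
    """Rule set the Controller should have added for these gateway IPs."""
    return {Rule(p, port, f"{ip}/32")
            for ip in gateway_ips for p, port in GATEWAY_RULES}

def audit(sg_rules, gateway_ips, quota=ASSUMED_QUOTA):
    """Return (missing gateway rules, remaining rule headroom, 443 open to all)."""
    present = set(sg_rules)
    missing = expected_gateway_rules(gateway_ips) - present
    https_open = any(r.proto == "tcp" and r.port == 443 and r.cidr == "0.0.0.0/0"
                     for r in present)
    return missing, quota - len(present), https_open

def gateways_fit(existing_rule_count, new_gateways, quota=ASSUMED_QUOTA):
    """True if adding new_gateways more gateways stays within the quota."""
    return existing_rule_count + new_gateways * len(GATEWAY_RULES) <= quota

def rules_after_disable(sg_rules, gateway_ips):
    """Rules left once the Controller removes its gateway rules; manually
    added rules (such as the 443 rule) are not touched."""
    return set(sg_rules) - expected_gateway_rules(gateway_ips)

# Constructed sample: two gateways, the second missing its UDP NetFlow
# rule, plus a manually added HTTPS rule for Controller connectivity.
SAMPLE_GATEWAYS = ["10.0.1.10", "10.0.2.10"]
SAMPLE_SG = list(expected_gateway_rules(SAMPLE_GATEWAYS)
                 - {Rule("udp", 31283, "10.0.2.10/32")})
SAMPLE_SG.append(Rule("tcp", 443, "0.0.0.0/0"))
```

Running audit(SAMPLE_SG, SAMPLE_GATEWAYS) reports the one missing UDP 31283 rule, 48 rules of headroom against the assumed quota of 60, and that 443 is open to all.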
When Security Group Management Is Disabled
When CoPilot Security Group Management is disabled, the Controller removes all gateway-specific inbound rules that it previously added to the CoPilot security group.
CoPilot comes with a base security group when it is first launched. The feature does not remove rules that were manually added to the base security group.
If CoPilot Security Group Management is turned off, ensure that port 443 allows 0.0.0.0/0 (open to all) to maintain connectivity between Aviatrix CoPilot and Controller.
Disable CoPilot Security Group Management
When CoPilot Security Group Management is on, a rule is automatically added to the CoPilot instance’s inbound rules to allow each gateway to reach CoPilot. This feature is set to On by default.
If you turn this feature off, or if the Security Group rule limit is reached, you must either manually create inbound rules for any new gateways or enable CoPilot IP Access List Management to handle inbound access.
Read When Security Group Management Is Disabled before disabling this feature.
To disable CoPilot Security Group Management:
- Go to Settings > General and scroll to the Security section.
- On the CoPilot Security Group Management card, move the slider to Off and click Save.