Configure CoPilot for the Aviatrix Platform
As a component in the Aviatrix Platform, CoPilot must communicate with other components in the platform to receive the data it requires. This section details the configuration of CoPilot for the Aviatrix platform. The integration points are typically configured for you as part of the CoPilot deployment process. If you encounter any problems with your CoPilot deployment, you can check to ensure these integration points are configured.
Integration with Controller
CoPilot must be able to reach Controller.
Associate CoPilot with Controller
In Aviatrix Controller, go to Settings > CoPilot and enable the CoPilot Association option so that your CoPilot will be associated with your Controller. Once the CoPilot association is enabled, you can click the dotted-square button in the top right to use single sign-on for CoPilot.
Associate Controller with CoPilot
- Go to CoPilot UI > Settings > Configuration > General > Associated Aviatrix Controller and click Reset Association to associate your CoPilot with your Controller.
- On the Reset Controller Association page, check I understand the implications, then click Reset.
- When logged out, enter username, password, and Controller IP.
  If the Controller and CoPilot are in the same subnet, VPC, and region of the same cloud provider, or if the Controller and CoPilot can use a private IP for inbound network access, you can enter the private IP for the Controller. Otherwise, enter the Controller’s EIP.
- Click Log In.
Configure Controller’s access for CoPilot
- Assign a static public IP address to CoPilot. For example, in the EC2 console, go to the Elastic IP section and assign an EIP to the CoPilot instance.
- On the Controller security groups, ensure port 443 is open to the public IP of the CoPilot instance.
- Configure a dedicated user account on Aviatrix Controller for CoPilot if desired.
  If you are using RBAC, note that as of 1.1.5 CoPilot requires read-only access.
Integration with Gateways
CoPilot receives NetFlow data from gateways. Gateways must be able to reach CoPilot.
In Controller > Settings > CoPilot, you can enable the CoPilot Security Group Management option so that your Controller can manage your CoPilot’s inbound security group rules and allow gateways to access your CoPilot virtual machine. If you choose not to enable the CoPilot Security Group Management option, you must add rules to your CoPilot’s inbound security group for each Aviatrix gateway IP for UDP port 5000, TCP port 5000 (if using private mode), and UDP port 31283. For more information about the CoPilot Security Group Management option, see the Controller product documentation.
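If you manage the security groups yourself rather than enabling CoPilot Security Group Management, it is easy to miss one gateway or one port. The following is an added example (not Aviatrix code) that checks a CoPilot inbound rule list against the rules the text above requires (UDP 5000, TCP 5000 in private mode, UDP 31283 from each gateway IP), reports what is missing, flags collector ports left open to the whole internet, and renders the Controller-side rule (HTTPS from CoPilot's static public IP only). The gateway IPs, the existing rules, and the `sg-COPILOT-PLACEHOLDER` group id are constructed sample values; the `aws ec2 authorize-security-group-ingress` rendering is AWS-specific and other clouds differ.

```python
"""Check a CoPilot security group against the inbound rules the page requires.

Added example (not Aviatrix code). Gateway IPs, the existing rule list and
the security-group id below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Rule:
    proto: str  # "tcp" or "udp"
    port: int
    cidr: str   # source CIDR, e.g. "203.0.113.10/32"


# Collector ports CoPilot must accept from every Aviatrix gateway:
# UDP 5000 (syslog), TCP 5000 (only in private mode), UDP 31283 (NetFlow).
COPILOT_INBOUND = (("udp", 5000), ("tcp", 5000), ("udp", 31283))
CONTROLLER_HTTPS_PORT = 443


def required_copilot_rules(gateway_ips, private_mode=False):
    """Inbound rules CoPilot's security group needs for the given gateways."""
    needed = set()
    for ip in gateway_ips:
        host = f"{ipaddress.ip_address(ip)}/32"
        for proto, port in COPILOT_INBOUND:
            if proto == "tcp" and not private_mode:
                continue  # TCP 5000 is only needed in private mode
            needed.add(Rule(proto, port, host))
    return needed


def rule_covers(existing, needed):
    """True if `existing` (possibly a wider CIDR) already admits `needed`."""
    if existing.proto != needed.proto or existing.port != needed.port:
        return False
    have = ipaddress.ip_network(existing.cidr, strict=False)
    want = ipaddress.ip_network(needed.cidr, strict=False)
    return have.version == want.version and want.subnet_of(have)


def missing_rules(existing, needed):
    """Needed rules that no existing rule covers, in a stable order."""
    return sorted(r for r in needed if not any(rule_covers(e, r) for e in existing))


def world_open_collector_rules(existing):
    """Collector ports exposed to any source: wider than the page requires."""
    return sorted(r for r in existing
                  if r.cidr in ("0.0.0.0/0", "::/0")
                  and (r.proto, r.port) in COPILOT_INBOUND)


def controller_rule_for_copilot(copilot_eip):
    """The Controller-side rule: HTTPS from CoPilot's static public IP only."""
    return Rule("tcp", CONTROLLER_HTTPS_PORT, f"{ipaddress.ip_address(copilot_eip)}/32")


def to_aws_cli(rule, group_id):
    """Render a rule as the AWS CLI call that would add it (other clouds differ)."""
    return (f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
            f"--protocol {rule.proto} --port {rule.port} --cidr {rule.cidr}")


# Constructed sample: two gateways, one of which is not yet allowed on UDP 5000.
GATEWAYS = ["203.0.113.10", "203.0.113.11"]
COPILOT_SG_EXISTING = [
    Rule("udp", 5000, "203.0.113.10/32"),
    Rule("udp", 31283, "203.0.113.0/24"),   # covers both gateways for NetFlow
    Rule("tcp", 443, "198.51.100.0/24"),    # admin access, not a collector port
]

if __name__ == "__main__":
    needed = required_copilot_rules(GATEWAYS)
    for rule in missing_rules(COPILOT_SG_EXISTING, needed):
        print("MISSING :", to_aws_cli(rule, "sg-COPILOT-PLACEHOLDER"))
    for rule in world_open_collector_rules(COPILOT_SG_EXISTING):
        print("TOO WIDE:", rule)
    print("Controller needs:", controller_rule_for_copilot("192.0.2.25"))
```

Rerun the check whenever a gateway is launched, since the Include List and the security group both need the new gateway IP; a `/32` per gateway keeps the collector ports closed to everything else.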
Integration with NetFlow
CoPilot receives NetFlow data from gateways.
Enable NetFlow for CoPilot Features
To use some features in CoPilot, such as FlowIQ and CostIQ, ensure that the Controller is configured to forward NetFlow logs to CoPilot:
- Log in to Aviatrix Controller.
- Go to Settings > Logging > NetFlow Agent.
- Use the static IP address of CoPilot as the NetFlow server IP and UDP port 31283 (the default; the port is configurable).
- Use version 9.
- Tick the Advanced checkbox. In Gateways, verify all of your Aviatrix gateways are in the Include List.
  If you launch new gateways from your Controller later, you must transfer the newly launched gateways to the Include List also. In addition, in your native cloud console, you must open your CoPilot security group for UDP 31283 from each newly launched gateway. If you enabled the CoPilot Security Group Management option in Controller (Controller > Settings > CoPilot > CoPilot Security Group Management), this happens automatically.
- Click Enable.
You should start seeing NetFlow in CoPilot after a few minutes.
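If NetFlow does not appear after a few minutes, it helps to confirm that datagrams are actually arriving on the configured port, that they are version 9, and that they come from the gateway addresses in the Include List. The following is an added example (not Aviatrix or CoPilot code): a small UDP receiver that you run on a test host bound to UDP 31283 (the page's default port), which validates the NetFlow v9 export header and tracks each exporter's sequence counter so that dropped datagrams show up as gaps. The header layout (version, record count, sysUptime, unix seconds, sequence number, source id) is the standard v9 format from RFC 3954. The gateway IPs and the test packet are constructed values; run it on a spare host, not on the CoPilot VM, where the port is already in use.

```python
"""Minimal NetFlow v9 receiver to confirm gateways are exporting to CoPilot's port.

Added example (not Aviatrix or CoPilot code). It binds UDP 31283 (the page's
default) on a test host, checks each datagram's v9 header, and tracks the
export sequence number per gateway so dropped packets show up as gaps.
The sample packet and gateway list are constructed values.
"""
import socket
import struct
import time

NETFLOW_PORT = 31283
# v9 export header: version, record count, sysUptime (ms), unix secs,
# package sequence, source id (RFC 3954 export packet header).
V9_HEADER = struct.Struct("!HHIIII")


def build_v9_header(count, sequence, source_id, unix_secs=None, uptime_ms=0):
    """Construct a v9 header (used here only to exercise the parser offline)."""
    secs = int(time.time()) if unix_secs is None else unix_secs
    return V9_HEADER.pack(9, count, uptime_ms, secs, sequence, source_id)


def parse_v9_header(datagram):
    """Return the header fields as a dict, or None if this is not NetFlow v9."""
    if len(datagram) < V9_HEADER.size:
        return None
    version, count, uptime_ms, secs, sequence, source_id = V9_HEADER.unpack_from(datagram)
    if version != 9:
        return None  # e.g. a v5 export: the page requires version 9
    return {"count": count, "uptime_ms": uptime_ms, "unix_secs": secs,
            "sequence": sequence, "source_id": source_id}


class SequenceTracker:
    """Detect gaps in the per-exporter sequence counter (lost or dropped datagrams)."""

    def __init__(self):
        self.last = {}

    def observe(self, exporter_ip, source_id, sequence):
        """Return the number of packets missing since the previous one (0 if none)."""
        key = (exporter_ip, source_id)
        prev = self.last.get(key)
        self.last[key] = sequence
        if prev is None or sequence <= prev:
            return 0  # first packet seen, or the exporter restarted its counter
        return sequence - prev - 1


def classify(datagram, exporter_ip, expected_gateways, tracker):
    """One-line verdict for a received datagram."""
    hdr = parse_v9_header(datagram)
    if hdr is None:
        return f"{exporter_ip}: not a NetFlow v9 packet"
    if exporter_ip not in expected_gateways:
        return f"{exporter_ip}: v9 from an address not in the gateway Include List"
    gap = tracker.observe(exporter_ip, hdr["source_id"], hdr["sequence"])
    note = f", {gap} packet(s) lost" if gap else ""
    return f"{exporter_ip}: v9 seq={hdr['sequence']} records={hdr['count']}{note}"


def listen(expected_gateways, port=NETFLOW_PORT, seconds=60):
    """Receive for a while and print a verdict per datagram."""
    tracker = SequenceTracker()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    sock.settimeout(1.0)
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        try:
            data, (src_ip, _) = sock.recvfrom(65535)
        except socket.timeout:
            continue
        print(classify(data, src_ip, expected_gateways, tracker))
    sock.close()


if __name__ == "__main__":
    listen({"203.0.113.10", "203.0.113.11"})  # constructed gateway IPs
```

Point the NetFlow Agent at the test host's IP temporarily, watch for per-gateway lines, then point it back at CoPilot. A "not in the gateway Include List" line means the Include List and the security group are out of step; repeated "packet(s) lost" lines point at the path between gateway and collector rather than at CoPilot.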
Integration with Syslog
CoPilot receives syslog data.
Enable Syslog for CoPilot Audit Data
To use audit data in the CoPilot > Administration > Audit feature, configure syslog to be sent to CoPilot:
- Log in to Aviatrix Controller.
- Go to Settings > Logging > Remote Syslog.
- Choose Profile Index 9. Do not choose another index number. Index 9 is reserved for CoPilot.
- In Enable Remote Syslog, enter the profile name you want to use, the static IP address of CoPilot as the server, and UDP port 5000 (default).
- Tick the Advanced check box. In Gateways, verify all of your Aviatrix gateways are in the Include List.
  If you launch new gateways from your Controller later, you must transfer the newly launched gateways to the Include List also. In addition, in your native cloud console, you must open your CoPilot security group for UDP 5000 from each newly launched gateway. If you enabled the CoPilot Security Group Management option in Controller (Controller > Settings > CoPilot > CoPilot Security Group Management), this happens automatically.
- Click Enable.
Resetting Controller IP in CoPilot
In the CoPilot > Settings > Configuration page, click Reset Association to reset the IP address of the Controller with which CoPilot is associated.
Resetting Service Account in CoPilot
In the CoPilot > Settings > Configuration page, click Reset to reset the account to be used as the CoPilot service account.
Setting the Controller FQDN in CoPilot
In the CoPilot > Settings > Configuration > General page, you use the Controller Public IP/FQDN configuration option to specify the public IP address or the FQDN of your Controller.
- If your organization’s team members log in to Aviatrix Controller via SAML, and you want them to be able to log in to CoPilot via SAML authentication also, this value must match the value you specified for the Single sign on URL SAML setting of your IdP application.
- If you specified the Controller’s IP address in the SSO URL, specify the Controller IP address here.
- If you specified the Controller’s FQDN in the SSO URL, specify the Controller FQDN here. For more information, see CoPilot Login via SAML in the Aviatrix CoPilot Deployment Guide.