Planning Your CoPilot Deployment
This section discusses prerequisite information and tasks for deploying Aviatrix CoPilot with Microsoft Azure, Google Cloud, and OCI (Oracle Cloud Infrastructure).
For AWS deployment information, see AWS Getting Started Guide.
Ensure you have already deployed Aviatrix Controller, either from a CSP marketplace or via Terraform, before deploying CoPilot. Aviatrix CoPilot works in tandem with Aviatrix Controller.
Subscribe to the Aviatrix CoPilot Offer in the Marketplace
For a CoPilot deployment, the first step is to log in to the CSP marketplace and subscribe to the CoPilot image. On Microsoft Azure, Google Cloud, and OCI, search for the "Aviatrix CoPilot" offer.
For AWS deployments, use the Aviatrix launch experience at launch.aviatrix.com. For more information, see the AWS Getting Started Guide.
Consult with your Aviatrix Sales Representative for the subscription you require if you are not sure.
To subscribe to a CoPilot offer in the cloud marketplace for Azure, Google Cloud, or OCI, use these steps:
- Log in to the marketplace of your chosen cloud provider using your provider user account credentials.
- Locate the "Aviatrix CoPilot" subscription offer and click Continue to Subscribe.
  Use the latest base image release version of the CoPilot image that is listed on the marketplace. For information about the latest Aviatrix CoPilot base image releases, see Aviatrix CoPilot Image Release Notes.
- When prompted, review the subscription pricing information and accept the terms and conditions. You may be prompted to confirm your subscription before moving on to configuration.
- If you want to deploy CoPilot via the Controller UI or via Terraform scripts, you can stop here and refer to the instructions for each deploy method.
- If you want to deploy CoPilot from your CSP marketplace, continue with the rest of the steps in Deploy CoPilot from the Marketplace.
Subscribing to Aviatrix Add-on Features
For existing Controller deployments on Azure, Google Cloud, or OCI, if you want to enable Aviatrix CoPilot add-on features, you must subscribe to the following offer for your cloud:
- For Azure: Aviatrix Secure Networking Platform - BYOL
- For Google Cloud: Aviatrix Secure Networking Platform Metered 2208-Universal 24x7 Support
- For OCI: Aviatrix Secure Networking Platform - BYOL
For AWS deployments, see the AWS Getting Started Guide.
To obtain the appropriate subscription, complete the following steps:
- At the Azure, Google Cloud, or OCI marketplace, subscribe to and accept terms for the appropriate Aviatrix Secure Networking Platform offer.
- Make a note of your Customer ID for this offer. Click Subscribe.
- In the Controller UI navigation pane, go to Settings > Controller and click License.
- Enter your Customer ID into the Setup Aviatrix Customer ID field, and click Save.
  CoPilot licensing is unified with Controller licensing (they use the same Customer ID).
- In CoPilot, enable the optional features you want to use.
Obtain a Static Public IP Address
You must have a static public IP address available for your CoPilot deployment on Azure, Google Cloud, and OCI. Reserve it before you start the deployment so that the address does not change across instance restarts or redeployments.
CSPs have limits on how many static IP addresses you can have at one time. Refer to each CSP documentation for the exact number of static IP addresses you can have at one time.
Obtain Sufficient Security Group (SG) Rule Quotas
You must have a sufficient quota for security group rules in your Azure, Google Cloud, or OCI environment. For AWS deployments, see the AWS Getting Started Guide.
In the CSP environment, check the quota you have for security group rules. Make sure you have enough quota to support the SG rules you require for CoPilot and Controller.
For each Aviatrix gateway in your infrastructure:
- 2 rules are required for the CoPilot SG (port 5000 for syslog, port 31283 for Netflow), and
- 1 rule is required for the Controller SG (port 443).
For example, if you have 100 gateways, you require 200 SG rules for CoPilot and 100 SG rules for Controller.
In addition, consider the number of future gateways you may deploy if you decide to expand your infrastructure. When obtaining the rule quota in the CSP environment, obtain enough quota to account for future gateways so the quota limit is not reached when you deploy them.
If CoPilot Security Group Management is enabled and the Azure Network Security Group (NSG) rule limit is reached, the CoPilot Security Group Management feature will be disabled.
Determine Instance (VM) Sizing for Your CoPilot Deployment
For your Azure, Google Cloud, or OCI deployments, you must consider how much memory and CPU you require for your CoPilot instance (virtual machine) and whether you need a single instance or cluster of instances.
CoPilot sizing is automated in AWS deployments. For AWS deployments, see the AWS Getting Started Guide.
The configuration of the virtual machine that you provision for your CoPilot deployment depends on the scale and the kind of networking infrastructure you have planned according to your business requirements. Work with your Aviatrix Sales representative to determine your sizing requirements. For minimum requirements and guidelines for instance (virtual machine) sizing and system requirements, see CoPilot Requirements.
Create User Account to be Used as CoPilot Service Account
For your Azure, Google Cloud, or OCI deployments, you need to create a CoPilot service account in Aviatrix Controller for CoPilot services. During the Initial Setup of CoPilot, you will need to enter the credentials of this CoPilot service account.
Creation of a service account is automated in AWS deployments. For AWS deployments, see the AWS Getting Started Guide.
To create a user account that will be used as the CoPilot service account, perform the following steps:
- Log in to Controller with administrative privileges.
- From ACCOUNTS > Permission Groups, click +ADD NEW.
- Enter a unique group name. Click OK.
- Choose the group name that you have created for the CoPilot service account. Click Manage Permission.
- Click +ADD NEW.
- Click the permissions that you want to assign to this group, for example Firewall Network and Gateway. If you want to give full access except Settings, click AllWrite. Click OK to continue.
  - Each permission group has its own relevant privileges. To access CoPilot features, the CoPilot service account must be assigned the corresponding permissions.
  - The CoPilot ThreatIQ feature and Distributed Cloud Firewall feature require the CoPilot service account to have at least the all_firewall_network_write permission. The CoPilot gateway scaling feature requires the all_gateway_write permission. You must add both permissions to your CoPilot service account if you want to use the ThreatIQ, Firewalling, and Gateway features to manage your spokes and transits.
  - If you want to give all permissions (admin user), choose all_write to give full access to all CoPilot features. Because all_write makes the service account an administrator of the Controller, grant it only when you need every CoPilot feature; otherwise assign the narrower permissions listed above.
- Go to ACCOUNTS > Account Users and click +ADD NEW to add a new user.
- Enter a user name, user email, and password. Choose a meaningful name, such as cp-service-acct, and a strong password that is unique to this account. Choose the group you created for the CoPilot service account. Then click OK.
- When this new user is displayed in the username list, you have successfully created a CoPilot service account.
For more details, see CoPilot Service Account.
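The same service account can be created with the Aviatrix Terraform provider, which is useful when the Controller itself was deployed via Terraform. The following is an added example and is not code from the Aviatrix documentation: it builds the permission group with only the two permissions named above (all_firewall_network_write and all_gateway_write) rather than all_write, creates the user, and attaches it to the group. It assumes the provider's aviatrix_rbac_group, aviatrix_rbac_group_permission_attachment, aviatrix_account_user and aviatrix_rbac_group_user_attachment resources with the attribute names shown; the Controller address, the admin credentials, the service-account password and the e-mail address are placeholder variables you supply.

```hcl
# Added example (not from the Aviatrix documentation): least-privilege CoPilot
# service account via the Aviatrix Terraform provider. Resource and attribute
# names are assumed from the provider; check them against the version you pin.
terraform {
  required_providers {
    aviatrix = {
      source = "AviatrixSystems/aviatrix"
    }
  }
}

# Administrative Controller login used only to create the service account.
provider "aviatrix" {
  controller_ip = var.controller_ip
  username      = var.controller_admin_user
  password      = var.controller_admin_password
}

variable "controller_ip" { type = string }
variable "controller_admin_user" { type = string }
variable "controller_admin_password" {
  type      = string
  sensitive = true
}
variable "copilot_sa_password" {
  type      = string
  sensitive = true # supply via TF_VAR_copilot_sa_password, not a committed .tfvars file
}

# Dedicated permission group for CoPilot.
resource "aviatrix_rbac_group" "copilot" {
  group_name = "copilot-service"
}

# Only the permissions the procedure lists for ThreatIQ / Distributed Cloud
# Firewall and gateway scaling. all_write would make this an admin account.
resource "aviatrix_rbac_group_permission_attachment" "copilot_perms" {
  for_each        = toset(["all_firewall_network_write", "all_gateway_write"])
  group_name      = aviatrix_rbac_group.copilot.group_name
  permission_name = each.value
}

# The service account itself; the name matches the example in the procedure.
resource "aviatrix_account_user" "copilot" {
  username = "cp-service-acct"
  email    = "copilot-sa@example.com" # placeholder address
  password = var.copilot_sa_password
}

# Put the user in the group so it inherits exactly the two permissions above.
resource "aviatrix_rbac_group_user_attachment" "copilot" {
  group_name = aviatrix_rbac_group.copilot.group_name
  user_name  = aviatrix_account_user.copilot.username
}
```

After terraform apply, enter cp-service-acct and the value of copilot_sa_password during the CoPilot Initial Setup. If you later need a feature that requires a further permission, add it to the for_each set rather than switching the group to all_write.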