Miscellaneous notes on Aviatrix.
Usually updated on Fridays.
New and updated notes are placed at the top.


Updating the Aviatrix Controller IAM Policy:
When deploying the Aviatrix controller in AWS for the first time, the AWS CloudFormation template that launched your controller may not have the most current IAM policy definitions for the IAM roles it creates for the controller to use. To remedy this, right after your controller is launched and you’ve logged on for the first time, do the following:

  1. Define your Primary access account. Go to Onboarding > AWS > Create Primary Access Account. This is the AWS account that your controller lives in.
  2. Now go to Accounts > Access Accounts. Highlight the Primary access account you just created and click “Update Policy”. This will update the IAM policy applied to the IAM roles your controller will be using to the latest and greatest.

How to use an AWS ACM Certificate with your Aviatrix controller:
To apply an ACM public certificate to your UI sessions with the Aviatrix controller you’ll need to use a Load Balancer and attach your certificate to it. Here’s what I did:

  1. Create a Network Load Balancer (NLB)
  2. Create a TLS:443 listener on your NLB and attach your ACM certificate.
  3. Create a target group and add your Aviatrix controller EC2 instance as an instance target.
  4. Associate your target group with the listener you just created.
  5. Create a DNS entry for your Aviatrix controller (one that comports with your ACM certificate) and point it to your NLB with an A-alias record in Route 53.

You should now be able to log on to your Aviatrix controller UI without seeing any security warnings from your browser.


Aviatrix controller IAM permission errors despite correct IAM policy:
If the Aviatrix controller is unable to perform a task due to IAM AccessDenied errors for an action that it does in fact have IAM permissions to perform, there's a good chance that your AWS Organization has an SCP installed that is overriding your IAM policy and denying the action. Check the service control policies (SCPs) in your AWS Organization setup for any conflicting policies.
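
The SCP check described above can be done offline once you have the policy documents (the JSON in the Content field returned by `aws organizations describe-policy`). The following is an added example, not part of the original notes or Aviatrix's own tooling. The function names, the sample SCPs, the hierarchy and the actions tested are all constructed, and Resource and Condition elements are not evaluated.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(stmt, action):
    """True if the statement's Action / NotAction element applies to `action`."""
    key = "Action" if "Action" in stmt else "NotAction"
    hit = any(fnmatch.fnmatchcase(action.lower(), p.lower())
              for p in _as_list(stmt.get(key, [])))
    return hit if key == "Action" else not hit

def scp_blockers(action, levels):
    """levels maps each target on the path root -> OU -> account to the SCP
    documents attached there. Returns the reasons SCPs block `action`
    (empty list: SCPs are not the cause). Resource and Condition elements
    are not evaluated; a conditional Deny is flagged for manual review."""
    reasons = []
    for target, policies in levels.items():
        allowed = False
        for doc in policies:
            for stmt in _as_list(doc["Statement"]):
                if not _covers(stmt, action):
                    continue
                if stmt["Effect"] == "Deny":
                    note = " (has Condition, review)" if "Condition" in stmt else ""
                    reasons.append(f"{target}: explicit Deny in {stmt.get('Sid', '<no Sid>')}{note}")
                else:
                    allowed = True
        if not allowed:  # SCPs are filters: every level must also allow the action
            reasons.append(f"{target}: no SCP Allow covers {action}")
    return reasons

# Constructed sample SCPs and hierarchy (not taken from any real organization).
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_ROUTES = {"Statement": [{"Sid": "DenyRouteChanges", "Effect": "Deny",
                              "Action": ["ec2:*Route*"], "Resource": "*"}]}
EC2_IAM_ONLY = {"Statement": {"Effect": "Allow", "Action": ["ec2:*", "iam:*"],
                              "Resource": "*"}}
LEVELS = {"root": [FULL_ACCESS],
          "ou-network": [FULL_ACCESS, DENY_ROUTES],
          "account": [EC2_IAM_ONLY]}

if __name__ == "__main__":
    for act in ("ec2:CreateRoute", "elasticloadbalancing:CreateLoadBalancer",
                "ec2:DescribeVpcs"):
        print(act, "->", scp_blockers(act, LEVELS) or "not blocked by SCPs")
```

The second sample action shows the case that is easy to miss: no SCP denies it explicitly, but an allow-list SCP at the account level does not include it, so the controller's IAM policy alone is not enough.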


Terraform and Aviatrix