diff --git a/.readthedocs.yaml b/.readthedocs.yaml
new file mode 100644
index 000000000..cd907238a
--- /dev/null
+++ b/.readthedocs.yaml
@@ -0,0 +1,20 @@
+# .readthedocs.yaml
+# Read the Docs configuration file
+# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
+
+# Required
+version: 2
+
+# Build documentation in the docs/ directory with Sphinx
+sphinx:
+ configuration: conf.py
+
+# Optionally build your docs in additional formats such as PDF
+#formats:
+# - pdf
+
+# Optionally set the version of Python and requirements required to build your docs
+python:
+ version: 3.7
+ install:
+ - requirements: requirements.txt
diff --git a/Downloads/AVPNC_img/3dots.png b/Downloads/AVPNC_img/3dots.png
new file mode 100644
index 000000000..847d2371c
Binary files /dev/null and b/Downloads/AVPNC_img/3dots.png differ
diff --git a/Downloads/AVPNC_img/LDAPAuth.png b/Downloads/AVPNC_img/LDAPAuth.png
new file mode 100644
index 000000000..d18ddc733
Binary files /dev/null and b/Downloads/AVPNC_img/LDAPAuth.png differ
diff --git a/Downloads/AVPNC_img/MacBottomBar.png b/Downloads/AVPNC_img/MacBottomBar.png
new file mode 100644
index 000000000..ef339b044
Binary files /dev/null and b/Downloads/AVPNC_img/MacBottomBar.png differ
diff --git a/Downloads/AVPNC_img/MacClientLocation.png b/Downloads/AVPNC_img/MacClientLocation.png
new file mode 100644
index 000000000..a287a403f
Binary files /dev/null and b/Downloads/AVPNC_img/MacClientLocation.png differ
diff --git a/Downloads/AVPNC_img/MacClientLocation2.png b/Downloads/AVPNC_img/MacClientLocation2.png
new file mode 100644
index 000000000..4dc078bf2
Binary files /dev/null and b/Downloads/AVPNC_img/MacClientLocation2.png differ
diff --git a/Downloads/AVPNC_img/MacCrendential.png b/Downloads/AVPNC_img/MacCrendential.png
new file mode 100644
index 000000000..65ee56ada
Binary files /dev/null and b/Downloads/AVPNC_img/MacCrendential.png differ
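Review bot: The comment `# Build documentation in the docs/ directory with Sphinx` in the new `.readthedocs.yaml` contradicts `configuration: conf.py`, which points Sphinx at a conf.py in the repository root rather than under docs/; one of the two should be corrected so the next maintainer is not misled about where the docs build is rooted. The `python: version: 3.7` key uses the older interpreter-selection form that Read the Docs has since deprecated in favour of `build.os` plus `build.tools.python`; if this file is still live it is worth migrating to `build: {os: ubuntu-22.04, tools: {python: "3.7"}}` before the old key stops being accepted. The `install: - requirements: requirements.txt` entry installs whatever that file (not part of this diff) resolves to on every build, so unless it pins versions, ideally with hashes, each docs build silently picks up new upstream releases, including a compromised one, with no change visible in this repository.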
diff --git a/Downloads/AVPNC_img/ProgressIcon.png b/Downloads/AVPNC_img/ProgressIcon.png
new file mode 100644
index 000000000..6ba888205
Binary files /dev/null and b/Downloads/AVPNC_img/ProgressIcon.png differ
diff --git a/Downloads/AVPNC_img/SamlAuth.png b/Downloads/AVPNC_img/SamlAuth.png
new file mode 100644
index 000000000..7de0f19ce
Binary files /dev/null and b/Downloads/AVPNC_img/SamlAuth.png differ
diff --git a/Downloads/AVPNC_img/Settings.png b/Downloads/AVPNC_img/Settings.png
new file mode 100644
index 000000000..70b70866f
Binary files /dev/null and b/Downloads/AVPNC_img/Settings.png differ
diff --git a/Downloads/AVPNC_img/TrayMenu.png b/Downloads/AVPNC_img/TrayMenu.png
new file mode 100644
index 000000000..c37743fcd
Binary files /dev/null and b/Downloads/AVPNC_img/TrayMenu.png differ
diff --git a/Downloads/AVPNC_img/WinBottomBar.png b/Downloads/AVPNC_img/WinBottomBar.png
new file mode 100644
index 000000000..87c8aa23c
Binary files /dev/null and b/Downloads/AVPNC_img/WinBottomBar.png differ
diff --git a/Downloads/AVPNC_img/WinClientLocation.png b/Downloads/AVPNC_img/WinClientLocation.png
new file mode 100644
index 000000000..fd785966d
Binary files /dev/null and b/Downloads/AVPNC_img/WinClientLocation.png differ
diff --git a/Downloads/AVPNC_img/WinClientPopup.png b/Downloads/AVPNC_img/WinClientPopup.png
new file mode 100644
index 000000000..719ba7507
Binary files /dev/null and b/Downloads/AVPNC_img/WinClientPopup.png differ
diff --git a/Downloads/AVPNC_img/WinClientStartUp.png b/Downloads/AVPNC_img/WinClientStartUp.png
new file mode 100644
index 000000000..8ec6bc709
Binary files /dev/null and b/Downloads/AVPNC_img/WinClientStartUp.png differ
diff --git a/Downloads/AVPNC_img/add.png b/Downloads/AVPNC_img/add.png
new file mode 100644
index 000000000..84e15e4fc
Binary files /dev/null and b/Downloads/AVPNC_img/add.png differ
diff --git a/Downloads/AVPNC_img/minus.png b/Downloads/AVPNC_img/minus.png new file mode 100644 index 000000000..5328620f1 Binary files /dev/null and b/Downloads/AVPNC_img/minus.png differ diff --git a/Downloads/cloudndownload.rst b/Downloads/cloudndownload.rst.obsolate similarity index 100% rename from Downloads/cloudndownload.rst rename to Downloads/cloudndownload.rst.obsolate diff --git a/Downloads/samlclient.rst b/Downloads/samlclient.rst index 11fbfa1a6..540ca0a0c 100755 --- a/Downloads/samlclient.rst +++ b/Downloads/samlclient.rst @@ -24,9 +24,9 @@ provides a seamless user experience when authenticating a VPN user through a SAM The VPN Client can be installed on desktop platforms and is supported on various OS like Windows, Mac and Linux. -Consult the VPN client `user guide `__ for how to use it. +Consult the VPN client `user guide `__ for how to use it. -Latest version: 2.6.6 - (Jan 29th 2020) `Changelog. `_ +Latest version: 2.14.14 - (April 27 2021) `Changelog. `_ Please ask your Aviatrix Administrator to upgrade the Aviatrix Controller to version 4.7.501 + to prevent seeing certificate errors -`Ref. `_ @@ -35,6 +35,8 @@ Windows |win| ************* The Windows client can be downloaded from `this link `__ +The Windows client checksum can be downloaded from `this link `__ + At the end of the installation, please install the TUN TAP driver if you haven't done so earlier. Please note that the client uses the default browser, and Microsoft Edge/IE is not supported @@ -45,6 +47,8 @@ Mac |mac| The Mac client can be downloaded from `this link `__. Please make sure that you are running macOS 10.12(Sierra) or higher. +The Mac client checksum can be downloaded from `this link `__. + If you have installed version 1.4.26 or lower, please uninstall before you install the newer version. Please note that the client uses the default browser, and Safari is not supported (will show certificate warnings) *********** 
@@ -59,18 +63,27 @@ If the icon is missing from the launcher, type AVPNC in the terminal to launch t Debian/Ubuntu ============= +Ubuntu20.04 LTS - `Debian file `__, +`Tar file `__, +`Debian file checksum `__, +`Tar file checksum. `__ Ubuntu18.04.1 LTS/Generic - `Debian file `__, -`Tar file. `__ +`Tar file `__, +`Debian file checksum `__, +`Tar file checksum. `__ Ubuntu18.04.3 LTS - `Debian file `__, -`Tar file. `__ - -Ubuntu16.04 LTS - `Debian file `__, `Tar file `__ +`Tar file `__, +`Debian file checksum `__, +`Tar file checksum. `__ -Ubuntu14.04 LTS - `Debian file `__, `Tar file `__ +Ubuntu16.04 LTS - `Debian file `__, +`Tar file `__, +`Debian file checksum `__, +`Tar file checksum. `__ -Note: Currently we do not support Fedora/Arch-Linux +Note: Currently we do not support Fedora/Arch-Linux. VPN Clients running on Ubuntu 14.04 are designated EOL. ************* 
@@ -85,18 +98,60 @@ tar -xvzf file.tar.gz; cd AVPNC_setup; sudo ./install.sh to install FIPS140-2 version ***************** -`Windows `__, `Mac `__ , `Ubuntu 18 tar `__, `deb `__ +`Windows `__, +`Checksum `__ + +`Mac `__ , +`Checksum `__ + +`Ubuntu 20 tar `__, +`Checksum `__ + +`Ubuntu 20 deb `__, +`Checksum `__ + +`Ubuntu 18 tar `__, +`Checksum `__ + +`Ubuntu 18 deb `__, +`Checksum `__ + +***************** +Archived Clients +***************** + +Ubuntu14.04 LTS - `Debian file `__, +`Tar file `__, +`Debian file checksum `__, +`Tar file checksum. `__ ******************* Development version ******************* These are preview images for the next release. -`Windows `__, `Mac `__ , `Linux tar `__, `Debian file `__, `Linux tar bionic `__, `Debian bionic `__, `Linux tar xenial `__, `Debian xenial `__, `Linux tar trusty `__, `Debian trusty `__, `FreeBSD `__ +`Windows `__, +`MacOS `__ , +`Debian Focal Fossa `__, +`Linux tar Focal Fossa `__, +`Linux tar `__, +`Debian file `__, +`Linux tar bionic `__, +`Debian bionic `__, +`Linux tar xenial `__, +`Debian xenial `__, +`Linux tar trusty `__, +`Debian trusty `__, +`FreeBSD `__ FIPS140-2 Dev version -`Windows `__, `Mac `__ , `Ubuntu-18 tar `__, `deb `__ +`Windows `__, +`Mac `__ , +`Ubuntu-20 tar `__ , +`Ubuntu-20 deb `__ , +`Ubuntu-18 tar `__, +`deb `__ OpenVPN is a registered trademark of OpenVPN Inc. diff --git a/Downloads/vpnclientguide.rst b/Downloads/vpnclientguide.rst new file mode 100644 index 000000000..169296943 --- /dev/null +++ b/Downloads/vpnclientguide.rst 
@@ -0,0 +1,267 @@ +.. meta:: + :description: Aviatrix VPN Client Guide + :keywords: SAML, openvpn, SSL VPN, remote user vpn, SAML client. Openvpn with SAML + +.. |win| image:: AVPNC_img/Win.png + +.. |mac| image:: AVPNC_img/Mac.png + +.. |lux| image:: AVPNC_img/Linux.png + +.. |bsd| image:: AVPNC_img/BSD.png + +.. |Client| image:: AVPNC_img/Client.png + :width: 400 + +.. |LDAPAuth| image:: AVPNC_img/LDAPAuth.png + :height: 200 + +.. |MacBottomBar| image:: AVPNC_img/MacBottomBar.png + :height: 30 + +.. |MacClientLocation| image:: AVPNC_img/MacClientLocation.png + :height: 50 + +.. |MacClientLocation2| image:: AVPNC_img/MacClientLocation2.png + :width: 400 + +.. |MacCrendential| image:: AVPNC_img/MacCrendential.png + :width: 300 + +.. |ProgressIcon| image:: AVPNC_img/ProgressIcon.png + :width: 400 + +.. |SamlAuth| image:: AVPNC_img/SamlAuth.png + :width: 300 + +.. |Settings| image:: AVPNC_img/Settings.png + :width: 400 + +.. |TrayMenu| image:: AVPNC_img/TrayMenu.png + :width: 150 + +.. |WinBottomBar| image:: AVPNC_img/WinBottomBar.png + :height: 40 + +.. |WinClientLocation| image:: AVPNC_img/WinClientLocation.png + :height: 400 + +.. |WinClientPopup| image:: AVPNC_img/WinClientPopup.png + :width: 400 + +.. |WinClientStartUp| image:: AVPNC_img/WinClientStartUp.png + :width: 400 + +.. |minus| image:: AVPNC_img/minus.png + :height: 16 + +.. |add| image:: AVPNC_img/add.png + :height: 16 + +.. |3dots| image:: AVPNC_img/3dots.png + :height: 16 + +============================== +Aviatrix VPN Client User Guide +============================== + +**************************************** +Installing and Launching the Application +**************************************** + +************* +Windows |win| +************* + +1. Download the Aviatrix VPN Client installer from `this link `__ + + Run the installer and follow the on screen instructions to install the application. + + If you have installed OpenVPN previously, TUN TAP drivers would have been installed. 
If they are not installed , you can install the same from the `this link `__ + +2. Save the OpenVPN configuration file (with the extension .ovpn) that was sent to you by your Admin, on to your machine. + +3. Open the “Aviatrix VPN Client” application by going to “Start Menu -> Aviatrix VPN Client-> Aviatrix VPN Client”. + + |WinClientLocation| + +4. A UAC window pops up. + + |WinClientPopup| + +5. Allow administrator access so that the application can modify the routing tables. The Aviatrix VPN Client window should come up which should look like. + + |WinClientStartUp| + +6. Skip to the `Using the Application <#using-the-application>`__ section if you do not need to install it on a Mac or Linux + +********* +Mac |mac| +********* + +1. Download the Aviatrix VPN Client installer from `this link `__ + + Follow the on-screen instructions to install the application + +2. Save the OpenVPN configuration file (with the extension .ovpn) that was sent to you by your Admin, on to your machine. + +3. Start the Aviatrix VPN Client application by going to LaunchPad and clicking on “Aviatrix VPN Client”. + + |MacClientLocation| + + |MacClientLocation2| + +4. A popup comes up to request sudo privelages to modify routing tables + + |MacCrendential| + +5. This opens the application window. + +6. Skip to the `Using the Application <#using-the-application>`__ section if you do not need to install it on Linux + +*********** +Linux |lux| +*********** + +1. Download the Aviatrix VPN Client installer from `this link `__ + +2. To install the application run the following commands + + tar -xvzf AVPC_linux.tar.gz + + sudo ./install.sh + +3. Save the OpenVPN configuration file (with the extension .ovpn) that was sent to you by your Admin, on to your machine. + +4. To open the “Aviatrix VPN Client” launch a new terminal and type AVPNC + +.. note:: + + This has been tested only on Ubuntu 16/14. 
Theoretically, it should work with other flavours of linux as well as long as openvpn is installed separately. + +.. _using_the_application: + +********************* +Using the Application +********************* + +There are 3 buttons on the bottom + + +1. |add| : This opens a window to choose the OpenVPN configuration (.ovpn) file. + + +2. |minus| : This deletes a item choosed in the Connection Profiles + + +3. |3dots| : This pops up a submenu including "Edit", "Sort", "Connection Log" and "Settings" + + + 3.1 "Edit": Modify a item choosed in the Connection Profiles + + 3.2 "Connection Log": Show every single connection's log + + 3.3 "Settings": Open the advanced settings + +************* +Windows |win| +************* + +1. There is a menu on the top of the App GUI + + 1.1 "File" has a menu to quit the App + + 1.2 "Help" has menu "About" to show the App information + +2. Closing the application window hides it to the system tray + + |WinBottomBar| + +********* +Mac |mac| +********* + +1. There is a menu on the top-left of the screen + + 1.1 "About" shows show the App information + + 1.2 "Quit" exit the App information + +2. Closing the application window hides it to the system tray + + |MacBottomBar| + + By a right click on Windows's or a click on Mac's system tray icon to show a menu + + |TrayMenu| + +3. There are 3 status icons that are shown in the window and on the tray. + + |ProgressIcon| + + +*********************** +Advanced Settings Page +*********************** + +|Settings| + +Here you can perform special operations if Troubleshooting is required + +1. Flush DNS: (Not for windows) Flushes the DNS configuration if there are internet issues after full tunnel VPN disconnection. Also turning the wifi/ethernet adapter on/off can fix some internet issues. + +2. Kill all OpenVPN process: (Not supported on Windows) Sends a soft kill to all running OpenVPN processes + +3. 
Force kill all OpenVPN process: Terminates other OpenVPN processes that are running abruptly + +4. Check VPN DNS server reachability: (MacOS only) If this option is checked, it will apply the VPC DNS servers in the MacOS system. If it is disabled, it will use the local DNS servers or other local DNS mechanism (e.g. CISCO Umbrella) + + +**************************** +Connecting to a SAML Gateway +**************************** + +Enter your IDP Credentials to login. + +Check doc `OpenVPN® with SAML Authentication `__ for detail. + +************************************************** +Connecting to a Gateway without any Authentication +************************************************** + +Just load the OpenVPN configuration(.ovpn) file on to the VPN Client and click on “Connect”. + +************************************************************* +Connecting to a Gateway with Username-Password Authentication +************************************************************* + +CloudN VPC supports a variety of authentication methods to verify VPN user credentials. Here’s a brief overview of how to enter user credentials for different authentication methods. + +LDAP: + + Enter username and password stored on LDAP server. + + Check doc `LDAP Configuration for Authenticating VPN Users `__ for detail. + +Google 2-step verification: + + Use your email address as the username. + + Password should be appended with the 6-digit code generated by Google authenticator app on your phone. + + E.g., If your email is "joe@examplecompany.com", the following username password combination of "joe@examplecompany.com" and "password123456" should be used where "password" is your account password and "123456" is the 6 digit-code. + +Duo Security Two-Factor Authentication: Mac and Windows users: + + An automatic approval request will be pushed to your registered cellphone. Select “Approve” to connect to VPN gateway. 
+ +LDAP + Duo Security Two-Factor Authentication: + + Enter username and password for the LDAP server and an automatic approval request will be pushed to your registered cellphone. + + Select “Approve” to connect to VPN gateway. + +The username and password windows is shown + +|LDAPAuth| + diff --git a/HowTos/AdminUsers_DuoAuth.rst b/HowTos/AdminUsers_DuoAuth.rst index 664913122..d1fc8a44b 100644 --- a/HowTos/AdminUsers_DuoAuth.rst +++ b/HowTos/AdminUsers_DuoAuth.rst @@ -96,14 +96,14 @@ Follow the `instruction in `_ to Create Duo Authentication ------------------------- -To enable DUO, go to Settings -> Setup 2FA Login +To enable DUO, go to Settings -> Controller -> Duo Login Enter Duo integration key, secret key, and API hostname of your account in DUO website described earlier. Currently only DUO push is supported. Once it is created successfully, the Duo push login applies to all -users, including user admin. Every user (listed in settings -> Manage +users (admin is exempt). Every user (listed in settings -> Manage Accounts -> Users) who wishes to login to the system must have a matching user name in their DUO account. diff --git a/HowTos/AdminUsers_LDAP.rst b/HowTos/AdminUsers_LDAP.rst index 41409ffd3..f0e72bddc 100644 --- a/HowTos/AdminUsers_LDAP.rst +++ b/HowTos/AdminUsers_LDAP.rst 
@@ -87,7 +87,7 @@ Considerations * Once enabled, local user accounts will no longer be active. That is, if there is a user created in the Controller that does not match a user in LDAP, they will no longer be able to login to the Controller. .. note:: - The local `admin` account is always active even when this setting is enabled + The local `admin` account is active when ldap is used for controller login authentication as descrived above. Please note that if the `admin` account is disabled via "Settings/Controller/LoginCustomization" and if your ldap authentication is not working as expected for any reason(for eexamp, server is down or not reachable), you will get locked out of the controller till your ldap authentication process is back up. .. |imageLDAPForm| image:: AdminUsers_LDAP_media/controller_settings_ldap.png diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/cloudn_from_init_setup_to_dcx_using_linux_curl_command.rst b/HowTos/AviatrixAPI/CloudN_curl_examples/cloudn_from_init_setup_to_dcx_using_linux_curl_command.rst deleted file mode 100644 index 334d461e2..000000000 --- a/HowTos/AviatrixAPI/CloudN_curl_examples/cloudn_from_init_setup_to_dcx_using_linux_curl_command.rst +++ /dev/null 
@@ -1,278 +0,0 @@ -.. meta:: - :description: CloudN: From Initial-Setup to DataCenterExtension Using Linux curl command - :keywords: cloudn, init, setup, curl, dcx, datacenter extension - - -============================================================================= -CloudN: From Initial-Setup to DataCenterExtension Using Linux "curl" Command -============================================================================= - -| - -Description: -============ - * Thank you for choosing Aviatrix! This document demonstrates using the Linux "**curl**" command to operate an Aviatrix CloudN instance from Initial-Setup to DataCenterExtension creation. If you prefer using the command line interface over WebUI to work with CloudN, this doc is for you. - * We used a controller instance without configuring a valid cert for this demonstration. Therefore, the examples in this document use "-k" parameter when issuing a "curl" command in order to bypass the cert check. If you wish, you can configure your own valid cert on your controller. - -| - -Prerequisites -============= - * Aviatrix CloudN instance is up and running - * CloudN has already acquired an IP address by using one of the following CloudN commands... - - 1. Option A (static IP): setup_interface_static_address - - 2. Option B (DHCP): setup_interface_address <2ndary_dns> - -| - -Tips: -===== -If your value contains some special characters that cause the command to fail, you can search online for `"URL Encoder" `__, which is one of many tools that will convert the value into a valid format if you happen to encounter the problem. - -| - -Example List -============ - 1. `Login CloudN with private IP and get CID <#example01>`__ - 2. `Setup admin email <#example02>`__ - 3. `Change admin password <#example03>`__ - 4. `Login with new password and get CID <#example04>`__ - 5. `Setup Aviatrix customer ID <#example05>`__ - 6. `Setup Maximum number of VPC/VNets <#example06>`__ - 7. 
`List Maximum number of VPC/VNets <#example07>`__ - 8. `List Available CIDRs <#example08>`__ - 9. `Create Aviatrix-Cloud-Account (AWS-SecretKey based) <#example09>`__ - 10. `Create Aviatrix-Cloud-Account (Azure-ARM based) <#example10>`__ - 11. `Create DataCenterExtension (AWS-SecretKey, without VPN access) <#example11>`__ - 12. `Create DataCenterExtension (Azure-ARM, without VPN access) <#example12>`__ - -| - -.. _example01: - -**Example 01: Login CloudN with private IP and get CID** - -:: - - curl -k "https://10.67.0.2/v1/api?action=login&username=admin&password=10.67.0.2" - -|image1| - -| - -.. _example02: - -**Example 02: Setup admin email** - -:: - - curl -k "https://10.67.0.2/v1/api?action=add_admin_email_addr&CID=XXXXXXXXXX&admin_email=test@aviatrix.com" - -|image2| - -| - -.. _example03: - -**Example 03: Change admin password** - -:: - - curl -k "https://10.67.0.2/v1/api?action=change_password&CID=XXXXXXXXXX&account_name=admin&user_name=admin&old_password=10.67.0.2&password=Test123!" - -|image3| - -| - -.. _example04: - -**Example 04: Login with new password and get CID** - -:: - - curl -k "https://10.67.0.2/v1/api?action=login&username=admin&password=Test123!" - -|image4| - -| - -.. _example05: - -**Example 05: Setup Aviatrix customer ID** - -:: - - curl -k "https://10.67.0.2/v1/api?action=setup_customer_id&CID=XXXXXXXXXX&customer_id=XXXXXXXXXX" - -|image5| - -| - -.. _example06: - -**Example 06: Setup Maximum number of VPC/VNets** - -:: - - curl -k "https://10.67.0.2/v1/api?action=setup_max_vpc_containers&CID=XXXXXXXXXX&vpc_num=4" - -|image6| - -| - -.. _example07: - -**Example 07: List Maximum number of VPC/VNets** - -:: - - curl -k "https://10.67.0.2/v1/api?action=list_max_vpc_containers&CID=XXXXXXXXXX" - -|image7| - -| - -.. _example08: - -**Example 08: List Available CIDRs** - -:: - - curl -k "https://10.67.0.2/v1/api?action=list_cidr_of_available_vpcs&CID=XXXXXXXXXX" - -|image8| - -| - -.. 
_example09: - -**Example 09: Create Aviatrix-Cloud-Account (AWS-SecretKey based)** - -:: - - curl -k --data "action=setup_account_profile" - --data "CID=XXXXXXXXXX" - --data "account_name=my-cloud-account-AWS" - --data "account_password=Test123!" - --data "account_email=test@aviatrix.com" - --data "cloud_type=1" - --data "aws_account_number=123456789999" - --data "aws_iam=false" - --data "aws_access_key=XXXXXXXXXX" - --data "aws_secret_key=XXXXXXXXXX" - "https://10.67.0.2/v1/api" - -|image9| - -| - -.. _example10: - -**Example 10: Create Aviatrix-Cloud-Account (Azure-ARM based)** - -:: - - curl -k --data "action=setup_account_profile" - --data "CID=XXXXXXXXXX" - --data "account_name=my-cloud-account-ARM" - --data "account_password=Test123!" - --data "account_email=test@aviatrix.com" - --data "cloud_type=8" - --data "arm_subscription_id=XXXXXXXXXX" - --data "arm_application_endpoint=XXXXXXXXXX" - --data "arm_application_client_id=XXXXXXXXXX" - --data "arm_application_client_secret=XXXXXXXXXX" - "https://10.67.0.2/v1/api" - -|image10| - -| - -.. _example11: - -**Example 11: Create DataCenterExtension (AWS-SecretKey, without VPN access)** - -:: - - curl -k --data "action=create_container" - --data "CID=XXXXXXXXXX" - --data "account_name=my-cloud-account-AWS" - --data "cloud_type=1" - --data "vpc_reg=ca-central-1" - --data "vpc_name=my-dcx-name" - --data "vpc_net=10.67.128.0/19" - --data "vpc_size=t2.micro" - --data "internet_access=yes" - --data "public_subnet=yes" - --data "tunnel_type=tcp" - "https://10.67.0.2/v1/api" - -|image11| - -| - -.. 
_example12: - -**Example 12: Create DataCenterExtension (Azure-ARM, without VPN access)** - -:: - - curl -k --data "action=create_container" - --data "CID=XXXXXXXXXX" - --data "account_name=my-cloud-account-ARM" - --data "cloud_type=8" - --data "vpc_reg=West US" - --data "vpc_name=my-arm-dcx" - --data "vpc_net=10.67.96.0/19" - --data "vpc_size=Standard_D2" - --data "internet_access=yes" - --data "public_subnet=yes" - --data "tunnel_type=tcp" - "https://10.67.0.2/v1/api" - -|image12| - -| - - -.. |image1| image:: ./img_01_login_result.png - :width: 2.00000 in - :height: 2.00000 in -.. |image2| image:: ./img_02_setup_admin_email_result.PNG - :width: 2.00000 in - :height: 2.00000 in -.. |image3| image:: ./img_03_change_password_result.png - :width: 2.00000 in - :height: 2.00000 in -.. |image4| image:: ./img_04_login_with_new_password_result.png - :width: 2.00000 in - :height: 2.00000 in -.. |image5| image:: ./img_05_setup_customer_id_result.png - :width: 2.00000 in - :height: 2.00000 in -.. |image6| image:: ./img_06_setup_max_number_of_vpc_result.png - :width: 2.00000 in - :height: 2.00000 in -.. |image7| image:: ./img_07_list_max_number_of_vpc_result.png - :width: 2.00000 in - :height: 2.00000 in -.. |image8| image:: ./img_08_list_available_cidrs_result.png - :width: 2.00000 in - :height: 2.00000 in -.. |image9| image:: ./img_09_create_aws_account_result.png - :width: 2.00000 in - :height: 2.00000 in -.. |image10| image:: ./img_10_create_arm_account_result.png - :width: 2.00000 in - :height: 2.00000 in -.. |image11| image:: ./img_11_create_aws_dcx_result.png - :width: 2.00000 in - :height: 2.00000 in -.. |image12| image:: ./img_12_create_arm_dcx_result.png - :width: 2.00000 in - :height: 2.00000 in - - -.. disqus:: 
diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_01_login_result.png b/HowTos/AviatrixAPI/CloudN_curl_examples/img_01_login_result.png
deleted file mode 100644
index 843134fd6..000000000
Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_01_login_result.png and /dev/null differ
diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_02_setup_admin_email_result.PNG b/HowTos/AviatrixAPI/CloudN_curl_examples/img_02_setup_admin_email_result.PNG
deleted file mode 100644
index 7bae3a9d4..000000000
Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_02_setup_admin_email_result.PNG and /dev/null differ
diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_03_change_password_result.png b/HowTos/AviatrixAPI/CloudN_curl_examples/img_03_change_password_result.png
deleted file mode 100644
index 902397617..000000000
Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_03_change_password_result.png and /dev/null differ
diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_04_login_with_new_password_result.png b/HowTos/AviatrixAPI/CloudN_curl_examples/img_04_login_with_new_password_result.png
deleted file mode 100644
index d8073d86b..000000000
Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_04_login_with_new_password_result.png and /dev/null differ
diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_05_setup_customer_id_result.png b/HowTos/AviatrixAPI/CloudN_curl_examples/img_05_setup_customer_id_result.png
deleted file mode 100644
index e25765069..000000000
Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_05_setup_customer_id_result.png and /dev/null differ
diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_06_setup_max_number_of_vpc_result.png b/HowTos/AviatrixAPI/CloudN_curl_examples/img_06_setup_max_number_of_vpc_result.png
deleted file mode 100644
index 5acd4f49b..000000000
Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_06_setup_max_number_of_vpc_result.png and /dev/null differ
diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_07_list_max_number_of_vpc_result.png b/HowTos/AviatrixAPI/CloudN_curl_examples/img_07_list_max_number_of_vpc_result.png
deleted file mode 100644
index ed3021e1f..000000000
Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_07_list_max_number_of_vpc_result.png and /dev/null differ
diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_08_list_available_cidrs_result.png b/HowTos/AviatrixAPI/CloudN_curl_examples/img_08_list_available_cidrs_result.png
deleted file mode 100644
index 9093f437d..000000000
Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_08_list_available_cidrs_result.png and /dev/null differ
diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_09_create_aws_account_result.png b/HowTos/AviatrixAPI/CloudN_curl_examples/img_09_create_aws_account_result.png
deleted file mode 100644
index 20fc74dd5..000000000
Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_09_create_aws_account_result.png and /dev/null differ
diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_10_create_arm_account_result.png b/HowTos/AviatrixAPI/CloudN_curl_examples/img_10_create_arm_account_result.png
deleted file mode 100644
index f1a2fbb84..000000000
Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_10_create_arm_account_result.png and /dev/null differ
diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_11_create_aws_dcx_result.png b/HowTos/AviatrixAPI/CloudN_curl_examples/img_11_create_aws_dcx_result.png
deleted file mode 100644
index 93061405a..000000000
Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_11_create_aws_dcx_result.png and /dev/null differ
diff --git a/HowTos/AviatrixAPI/CloudN_curl_examples/img_12_create_arm_dcx_result.png b/HowTos/AviatrixAPI/CloudN_curl_examples/img_12_create_arm_dcx_result.png
deleted file mode 100644
index df46929a7..000000000
Binary files a/HowTos/AviatrixAPI/CloudN_curl_examples/img_12_create_arm_dcx_result.png and /dev/null differ
diff --git a/HowTos/AviatrixAPI/ReadMe.txt b/HowTos/AviatrixAPI/ReadMe.txt
deleted file mode 100644
index a689d63b2..000000000
--- a/HowTos/AviatrixAPI/ReadMe.txt
+++ /dev/null
@@ -1 +0,0 @@
-This directory contains files/documents that relate to Aviatrix REST API.
diff --git a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_01_postman_login_execution_results.png b/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_01_postman_login_execution_results.png
deleted file mode 100644
index 819dee6d6..000000000
Binary files a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_01_postman_login_execution_results.png and /dev/null differ
diff --git a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_02_linux_curl_login_execution_results.png b/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_02_linux_curl_login_execution_results.png
deleted file mode 100644
index e4000fe3c..000000000
Binary files a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_02_linux_curl_login_execution_results.png and /dev/null differ
diff --git a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_03_python_login_execution_results.png b/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_03_python_login_execution_results.png
deleted file mode 100644
index fc6b558ab..000000000
Binary files a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_03_python_login_execution_results.png and /dev/null differ
diff --git a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_04_postman_create_account_execution_results.png b/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_04_postman_create_account_execution_results.png
deleted file mode 100644
index 06d04952e..000000000
Binary files a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_04_postman_create_account_execution_results.png and /dev/null differ
diff --git a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_05_linux_curl_create_account_execution_results.png b/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_05_linux_curl_create_account_execution_results.png
deleted file mode 100644
index ef8b7aa20..000000000
Binary files a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_05_linux_curl_create_account_execution_results.png and /dev/null differ
diff --git a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_06_python_create_account_execution_results.png b/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_06_python_create_account_execution_results.png
deleted file mode 100644
index 0da2978be..000000000
Binary files a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_06_python_create_account_execution_results.png and /dev/null differ
diff --git a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_07_postman_disable_ssl.png b/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_07_postman_disable_ssl.png
deleted file mode 100644
index f14050a93..000000000
Binary files a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/img_07_postman_disable_ssl.png and /dev/null differ
diff --git a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/multiple_approaches_to_use_aviatrix_api.rst b/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/multiple_approaches_to_use_aviatrix_api.rst
deleted file mode 100644
index 30c8b1dc9..000000000
--- a/HowTos/AviatrixAPI/multiple_approaches_to_use_aviatrix_api/multiple_approaches_to_use_aviatrix_api.rst
+++ /dev/null
@@ -1,289 +0,0 @@ -.. meta:: - :description: Multiple Approaches to Use Aviatrix API - :keywords: REST, API, CID, login, cloud account - -======================================= -Multiple Ways to Use Aviatrix API -======================================= - - -Introduction ------------- - -Aviatrix provides a REST/RESTful (Representational State Transfer) API to help customers to integrate Aviatrix products or to automate some routine tasks, such as backups for the Aviatrix controller, checking the status of active/live VPN users for management purposes, etc. - -| - -Tools ------ - -In this document, we demonstrate Aviatrix REST API invocation with the following tools. - 1. **Postman** - 2. Linux **"curl"** command - 3. Python **"requests"** module/library/package - 4. PowerShell - -| - -Value Format (URL Encoding) ---------------------------- - -If the input value contains certain special characters, such as '#' or '/' you may need to convert them to conform to a valid URL: - - -Tip: -""""" - -Use '%23' instead of '#'; use '%2F' instead of '/' - - -For example: -"""""""""""" - -If my Azure ARM Subscription ID is "abc#efg", instead of using... - - "arm_subscription_id=abc#efg" - -you need to use the following format instead... - - "arm_subscription_id=abc%23efg" - -| - -Tools to convert the value format ---------------------------------- - -There are many tools online that can do the job. Just simply google **"URL Encoder"**, and you can encode/convert the special character to the correct format. - -| - -How the Aviatrix REST API Works -------------------------------- - -In order to invoke most of the Aviatrix API(s), the user must have a valid **"CID"** (session ID) for security purposes. Moreover, a valid CID can be acquired through the Aviatrix **"login"** API. The examples are provided below. -Please refer to the `Aviatrix API site. `_ for the completed Aviatrix REST API list. 
- -| - -Examples: Invoke Aviatrix "login" API to get a valid CID --------------------------------------------------------- - -Postman -""""""" - - |image1| - - -.. Tip:: You may disable Postman SSL certificate verification for simple testing. See the follow screenshot. -.. - - - |image7| - - - -Linux "curl" command -"""""""""""""""""""" - -**Syntax:** - -:: - - ubuntu@ip-10-1-1-2:/$ curl -k --request POST \ - --url https://10.67.0.2/v1/api \ - --form action=login \ - --form 'username=admin' \ - --form 'password=MyPassword#' - - { - "return":true, - "results":"User login:admin in account:admin has been authorized successfully on controller 10.67.0.2 - - Please check email confirmation.", - "CID":"ntFqLV4NNr63sTmxp42S" - } - - ubuntu@ip-10-1-1-2:/$ - - -**Example:** - - |image2| - - -Python "requests" module -"""""""""""""""""""""""" - -**Example Code:** - -.. code-block:: python - - import requests - - # Controller configuration - base_url = "https://10.67.0.2/v1/api" - username = "admin" - password = "MyPassword" - action = "login" - CID = "" - - # Configuration for "login" API - payload = { - "action": action, - "username": username, - "password": password - } - - # Use "requests" module to invoke REST API - response = requests.post(url=base_url, data=payload, verify=False) - - # If login successfully - if True == response.json()["return"]: - CID = response.json()["CID"] - print("Successfully login to Aviatrix Controller. 
The valid CID is: " + CID) - - - -**Execution Result:** - - |image3| - -PowerShell Example -"""""""""""""""""""""""" -:: - - $params = @{"action"="login"; - >> "username"="admin"; - >> "password"="password"; - >> } - -:: - - Invoke-WebRequest -Uri $Uri -Method POST -Body $params - StatusCode : 200 - StatusDescription : OK - Content : {"return":true,"results":"User login:admin in account:admin has been authorized successfully - - Please check email confirmation.","CID":"RwuXX5KoJsTrOBAjXl9N"} - RawContent : HTTP/1.1 200 OK - Pragma: no-cache - X-Frame-Options: DENY - Strict-Transport-Security: max-age=77760000 - Content-Length: 158 - Cache-Control: no-store - Content-Type: text/json - Date: Tue, 10 Apr 2018 17:... - Forms : {} - Headers : {[Pragma, no-cache], [X-Frame-Options, DENY], [Strict-Transport-Security, max-age=77760000], - [Content-Length, 158]...} - Images : {} - InputFields : {} - Links : {} - ParsedHtml : mshtml.HTMLDocumentClass - RawContentLength : 158 - - - -Examples: Invoke Other Aviatrix APIs with a valid CID ----------------------------------------------------- - -.. Note:: - The following example demonstrates how to use the Aviatrix API **"setup_account_profile"** to create an Aviatrix **"Cloud Account"**. - - -Postman -""""""" - - |image4| - - -Linux "curl" command -"""""""""""""""""""" - - |image5| - - -Python -"""""" - -**Example Code:** - -.. 
code-block:: python - - import requests - - # Configuration for "setup_account_profile" API to create AWS IAM Role based account - payload = { - "action": "setup_account_profile", - "CID": "B4XvxZYJUTHNaMcK2Nf2", - "account_name": "my-AWS-operation-account", - "account_password": "!MyPassword", - "account_email": "test@aviatrix.com", - "cloud_type": "1", - "aws_account_number": "123456789999", - "aws_iam": "true", - "aws_access_key": "XXXXXXXXXXXXXXXXXXXXXX", - "aws_secret_key": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" - } - - # Use "requests" module to invoke REST API - response = requests.post(url="https://10.67.0.2/v1/api", data=payload, verify=False) - - # Display return message - print(response.json()) - - -**Execution Result:** - - |image6| - -PowerShell -""""""""""" -:: - - $paramsaccount = @{"action"="setup_account_profile"; - >> "CID"="RwuXX5KoJsTrOBAjXl9N"; - >> "account_name"="test_api"; - >> "account_password"="xxx"; - >> "account_email"="xxx.com"; - >> "cloud_type"=1; - >> "aws_account_number"="xxxx"; - >> "aws_access_key"="xxxx"; - >> "aws_secret_key"="xxxx"; - >> } - -:: - - Invoke-WebRequest -Uri $Uri -Method Post -Body $paramsaccount - - StatusCode : 200 - StatusDescription : OK - Content : {"return":true,"results":"An email confirmation has been sent to lyan@aviatrix.com"} - RawContent : HTTP/1.1 200 OK - Pragma: no-cache - X-Frame-Options: DENY - Strict-Transport-Security: max-age=77760000 - Content-Length: 84 - Cache-Control: no-store - Content-Type: text/json - Date: Tue, 10 Apr 2018 17:1... - Forms : {} - Headers : {[Pragma, no-cache], [X-Frame-Options, DENY], [Strict-Transport-Security, max-age=77760000], - [Content-Length, 84]...} - Images : {} - InputFields : {} - Links : {} - ParsedHtml : mshtml.HTMLDocumentClass - RawContentLength : 84 - - - -.. |image1| image:: ./img_01_postman_login_execution_results.png -.. |image2| image:: ./img_02_linux_curl_login_execution_results.png -.. |image3| image:: ./img_03_python_login_execution_results.png -.. 
|image4| image:: ./img_04_postman_create_account_execution_results.png -.. |image5| image:: ./img_05_linux_curl_create_account_execution_results.png -.. |image6| image:: ./img_06_python_create_account_execution_results.png -.. |image7| image:: ./img_07_postman_disable_ssl.png - - - -.. disqus:: diff --git a/HowTos/AviatrixAccountForAzure_media/Image03.png b/HowTos/AviatrixAccountForAzure_media/Image03.png index 6b17d9f08..ed8fe8bfd 100644 Binary files a/HowTos/AviatrixAccountForAzure_media/Image03.png and b/HowTos/AviatrixAccountForAzure_media/Image03.png differ diff --git a/HowTos/AviatrixAccountForAzure_media/Image04.png b/HowTos/AviatrixAccountForAzure_media/Image04.png index e9c35f0f3..1413b16e2 100644 Binary files a/HowTos/AviatrixAccountForAzure_media/Image04.png and b/HowTos/AviatrixAccountForAzure_media/Image04.png differ diff --git a/HowTos/AviatrixAccountForAzure_media/Image06.png b/HowTos/AviatrixAccountForAzure_media/Image06.png index 193b57af8..3fbbee6e2 100644 Binary files a/HowTos/AviatrixAccountForAzure_media/Image06.png and b/HowTos/AviatrixAccountForAzure_media/Image06.png differ diff --git a/HowTos/AviatrixAccountForAzure_media/Image07.png b/HowTos/AviatrixAccountForAzure_media/Image07.png index 6545fbf6e..e760fdadd 100644 Binary files a/HowTos/AviatrixAccountForAzure_media/Image07.png and b/HowTos/AviatrixAccountForAzure_media/Image07.png differ diff --git a/HowTos/AviatrixAccountForAzure_media/Image08.png b/HowTos/AviatrixAccountForAzure_media/Image08.png index 99aef6b8a..7a59f83f5 100644 Binary files a/HowTos/AviatrixAccountForAzure_media/Image08.png and b/HowTos/AviatrixAccountForAzure_media/Image08.png differ diff --git a/HowTos/AviatrixAccountForAzure_media/Image09.png b/HowTos/AviatrixAccountForAzure_media/Image09.png index 0a3f99597..c170ec625 100644 Binary files a/HowTos/AviatrixAccountForAzure_media/Image09.png and b/HowTos/AviatrixAccountForAzure_media/Image09.png differ 
diff --git a/HowTos/AviatrixAccountForAzure_media/Image10.png b/HowTos/AviatrixAccountForAzure_media/Image10.png index 96e39f095..7709c6059 100644 Binary files a/HowTos/AviatrixAccountForAzure_media/Image10.png and b/HowTos/AviatrixAccountForAzure_media/Image10.png differ diff --git a/HowTos/AviatrixAccountForAzure_media/Image14.png b/HowTos/AviatrixAccountForAzure_media/Image14.png index cf1650453..bc1f339f1 100644 Binary files a/HowTos/AviatrixAccountForAzure_media/Image14.png and b/HowTos/AviatrixAccountForAzure_media/Image14.png differ diff --git a/HowTos/AviatrixLogging.rst b/HowTos/AviatrixLogging.rst index 0d3558b7d..b94fbed89 100644 --- a/HowTos/AviatrixLogging.rst +++ b/HowTos/AviatrixLogging.rst @@ -1,6 +1,6 @@ .. meta:: - :description: Data Analytics with Aviatrix Logs -Splunk and Sumo - :keywords: Splunk, Sumo, aviatrix logs, data analytics + :description: Data Analytics with Aviatrix Logs + :keywords: Rsyslog, Datadog, Splunk, Elastic Filebeat, Sumo, Netflow, Cloudwatch, aviatrix logs, data analytics 
@@ -19,36 +19,16 @@ to the logging server. Out of box integration is supported for the following log - Remote syslog (recommended to use) - - AWS CloudWatch - - Splunk Enterprise - - Datadog - Elastic Filebeat + - Splunk Enterprise/Cloud - Sumo Logic + - Datadog - Netflow + - AWS CloudWatch .. note:: We highly recommend user to use remote syslog (rsyslog) as log forwarder which is both efficient and the industry standard. Most log collectors support rsyslog as forwarder. We may only add new features to rsyslog going forward. -Here are the sample instructions to configure log services to collect from rsyslog forwarder. -"Note" box gives example of template needed for the config on the Aviatrix rsyslog logging service. - - - Splunk https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports - - .. note:: (No rsyslog template needed for splunk config) - - - - Datadog https://docs.datadoghq.com/integrations/rsyslog/?tab=datadogussite - - .. note:: <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% - - - %msg%\n - - (replace DATADOG_API_KEY with your datadog key) - - - Sumologic https://help.sumologic.com/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Cloud-Syslog-Source - - .. note:: <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [YOUR_TOKEN] %msg%\n - - (replace YOUR_TOKEN with your sumo token) - In addition to standard information on syslog, Aviatrix also provides capability for user VPN connections, VPN user TCP sessions, security 
@@ -71,16 +51,17 @@ Management System for further analysis: - `AviatrixUser `_ - `AviatrixLicenseVPNUsers `_ - `AviatrixRule `_ -- `AviatrixGwNetStats `_ -- `AviatrixGwSysStats `_ -- `AviatrixFQDNRule `_ -- `AviatrixTunnelStatusChange `_ -- `AviatrixCMD `_ +- `AviatrixGwNetStats `_ +- `AviatrixGwSysStats `_ +- `AviatrixFQDNRule `_ +- `AviatrixTunnelStatusChange `_ +- `AviatrixCMD `_ - `AviatrixBGPOverlapCIDR `_ - `AviatrixBGPRouteLimitThreashold `_ - `AviatrixGuardDuty `_ -- `AviatrixFireNet `_ -- `AviatrixVPNVersion `_ +- `AviatrixFireNet `_ +- `AviatrixVPNVersion `_ +- `AviatrixGatewayStatusChanged `_ Below are the details of each log keyword. 
@@ -199,17 +180,16 @@ Two example logs: :: - 2018-02-19T06:51:03.496447+00:00 ip-172-31-58-147 perfmon.py: AviatrixGwNetStats: - timestamp=2018-02-19 06:51:03.496156 name=gg public_ip=35.172.17.198.fifo - private_ip=172.31.58.147 interface=eth0 total_rx_rate=4.48Kb total_tx_rate=3.14Kb - total_rx_tx_rate=7.62Kb total_rx_cum=292.43MB total_tx_cum=169.99MB - total_rx_tx_cum=462.42MB + 2020-06-09T17:29:31.372628+00:00 GW-test-10.23.183.116 perfmon.py: AviatrixGwNetStats: + timestamp=2020-06-09T17:29:31.371791 name=test public_ip=10.23.183.116.fifo private_ip=172.31.78.160 + interface=eth0 total_rx_rate=10.06Kb total_tx_rate=12.77Kb total_rx_tx_rate=2.85Kb + total_rx_cum=207.16MB total_tx_cum=1.2MB total_rx_tx_cum=208.36 - 2018-02-19T05:44:07.491705+00:00 ip-172-31-58-147 perfmon.py: AviatrixGwNetStats: - timestamp=2018-02-19 05:44:07.491411 name=gg public_ip=35.172.17.198.fifo - private_ip=172.31.58.147 interface=eth0 total_rx_rate=3.99Kb total_tx_rate=2.84Kb - total_rx_tx_rate=6.83Kb total_rx_cum=290.44MB total_tx_cum=168.48MB - total_rx_tx_cum=458.92MB + 2020-06-12T08:30:09.297478+00:00 GW-test-10.23.183.116 perfmon.py: AviatrixGwNetStats: + timestamp=2020-06-12T08:30:09.296752 name=test public_ip=10.23.183.116.fifo private_ip=172.31.78.160 + interface=eth0 total_rx_rate=8.84Kb total_tx_rate=8.45Kb total_rx_tx_rate=17.29Kb + total_rx_cum=4.63MB total_tx_cum=6.8MB total_rx_tx_cum=11.44MB + AviatrixGwSysStats: ------------------- 
@@ -222,13 +202,16 @@ Two example logs: :: - May 17 00:23:20 ip-10-0-0-129 gwmon.py: AviatrixGwSysStats: - timestamp=2017-05-17 00:23:06.065548 name=wing-aws-aws-use-2-gw0000 - cpu_idle=100 memory_free=237048 disk_total=8115168 disk_free=4665560 + 2020-06-09T17:29:31.372822+00:00 GW-test-10.23.183.116 perfmon.py: AviatrixGwSysStats: + timestamp=2020-06-09T17:29:31.371791 name=test cpu_idle=68 + memory_free=414640 memory_available=1222000 memory_total=1871644 + disk_total=16197524 disk_free=10982084 + + 2020-06-12T08:22:09.295660+00:00 GW-test-10.23.183.116 perfmon.py: AviatrixGwSysStats: + timestamp=2020-06-12T08:22:09.294333 name=test cpu_idle=99 + memory_free=919904 memory_available=1264792 memory_total=1871644 + disk_total=16197524 disk_free=11409716 - May 17 00:28:20 ip-10-0-0-129 gwmon.py: AviatrixGwSysStats: - timestamp=2017-05-17 00:28:06.064229 name=wing-aws-aws-use-2-gw0000 - cpu_idle=100 memory_free=237072 disk_total=8115168 disk_free=4665560 AviatrixFQDNRule ---------------- 
@@ -349,28 +332,53 @@ Example log: :: 2020-02-07T11:38:48.276150-08:00 Controller-52.204.188.212 cloudxd: AviatrixVPNVersion: The VPN connection was rejected as it did not satisfy the minimum version requirements. Current version: AVPNC-2.4.10 Required minimum version: AVPNC-2.5.7 . The rejected VPN user name is tf-aws-52-tcplb-user1 + + +AviatrixGatewayStatusChanged +----------------------------- + +These log messages will be seen from the Controller's syslogs when a gateway's status changes + +Example log: + +:: + + 2020-03-29T00:09:13.201669+00:00 ip-10-88-1-63 cloudxd: AviatrixGatewayStatusChanged: status=down gwname=EMEA-ENG-VPNGateway + + 3. Logging Configuration at Aviatrix Controller ================================================ To enable logging at the Aviatrix Controller, go to Settings->Logging page. Once logging is enabled, both the Controller and all gateways will forward logs directly to the logging server. -Two examples for Remote Syslog and Logstash Forwarder follow below. + .. note:: A total of 10 profiles from index 0 to 9 are supported for remote syslog, while index 9 is reserved for CoPilot. + + Newly deployed gateway will be added to a profile if it is the only profile enabled in the index range of 0 to 8, + + If more than one profiles are enabled in the range of 0 to 8, the newly deployed gateway will not be added to any profile in the range of 0 to 8. User may use the advanced options in the logging "edit options" window to edit the exclude and include list. + + However newly deployed gateway will always be added to profile 9 which is reserved for Copilot to monitor. + 3.1 Remote Syslog ------------------ On the Aviatrix Controller: - a. Server: FQDN or IP address of the remote syslog server + a. Profile Index: select a profile to edit + #. Server: FQDN or IP address of the remote syslog server #. Port: Listening port of the remote syslog server (6514 by default) #. CA Certificate: Certificate Authority (CA) certificate #. 
Server Public Certificate: Public certificate of the controller signed by the same CA #. Server Private Key: Private key of the controller that pairs with the public certificate #. Protocol: TCP or UDP (TCP by default) - #. Optional Custom Template: (Deprecated) + #. Optional Custom Template: Useful when forwarding to 3rd party servers like Datadog or Sumo (Details bellow) On the Remote syslog server: - -Configure /etc/rsyslog.conf with the similar content depends on the version to enable tls connection + a. Install rsyslog and rsyslog-gnutls packages + #. Create a new config file in /etc/rsyslog.d with the similar content as in the following box depends on your rsyslog version to enable tls connection. Please make sure key paths are readable by the syslog user + #. Make sure the output directory /var/log is writable by rsyslog user/daemon + #. Restart rsyslog service and check port is listening and no error in /var/log/syslog + #. Confirm the port is allowed in the security group / fireware for incoming traffic (version <8) :: @@ -394,7 +402,7 @@ Configure /etc/rsyslog.conf with the similar content depends on the version to e & ~ -(version 8+) +(version >=8) :: global( @@ -432,6 +440,7 @@ Then #. syslog + 3.1.a Using Rsyslog to send logs to Sumo ------------------------------------------- 
@@ -443,14 +452,61 @@ Since Sumo agents on the controller and gateways tend to consume a lot of cpu/me #. Provide the port - obtained from the first step #. Upload the CA cert from Sumo pointed by their documentation #. Keep the Protocol set to TCP - #. For Optional Custom Template, copy the following string into a new text file and replace the string ADD_YOUR_SUMO_TOKEN_HERE with the token you received in the first step and upload it. Please do keep the square brackets around the token. - - :: + #. For Optional Custom Template, copy the following string and replace the string ADD_YOUR_SUMO_TOKEN_HERE with the token you received in the first step. Please do keep the square brackets around the token. + + .. note:: <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [YOUR_TOKEN] %msg%\\n + .. note:: The Aviatrix Controller expects certificates in PEM format. Attempting to upload the wrong format may return an Exception Error. To convert the DigiCert certificate downloaded from SumoLogic's documentation into PEM format, use the following command: openssl x509 -in DigiCertHighAssuranceEVRootCA.crt -inform der -outform pem -out DigiCertHighAssuranceEVRootCA.pem + +|rsyslog_template| -<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [ADD_YOUR_SUMO_TOKEN_HERE] %msg%\n +.. |rsyslog_template| image:: AviatrixLogging_media/rsyslog_template.png + :width: 6.50500in + :height: 6.20500in + +3.1.b Using Rsyslog to send logs to Datadog +--------------------------------------------- + #. Go to Controller/Settings/Logging/Remote Syslog and enable the service + #. Server: intake.logs.datadoghq.com + #. Port: 10516 + #. Protocol: TCP + #. For Optional Custom Template, copy the following string and replace the string DATADOG_API_KEY with your own key. Please do keep the square brackets around the token. - #. Click on Advanced, if you want to selectively send logs from only some gateways - #. 
Click on Enable + .. note:: <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% - - - %msg%\\n + + +3.1.c Using Rsyslog to send logs to Splunk +--------------------------------------------- + #. Follow the directions in `Splunk Monitornetworkports `_ to create a listener in Splunk. + #. Go to Controller/Settings/Logging/Remote Syslog and enable the service + #. Server: your Splunk server fqdn or ip + #. Port: your Splunk listener port + #. Protocol: TCP + #. Optional Custom Template: (leave blank) + + +3.1.d Using Rsyslog to send logs to Logstash (ElasticSearch/Kibana/ELK stack) +-------------------------------------------------------------------------------- + #. Follow the directions in `Logstash TCP input `_ to create a tcp listener in Logstash. + #. Go to Controller/Settings/Logging/Remote Syslog and enable the service + #. Server: your Logstash server fqdn or ip + #. Port: your Logstash listener port + #. Protocol: TCP + #. Optional Custom Template: (leave blank) + +A sample config of Logstash to work with Rsyslog in ELK stack v7 is +:: + + input { + syslog { + port => 6514 + } + } + + output { + elasticsearch { + hosts => ["127.0.0.1:9200"] + } + } 3.2 Filebeat Forwarder @@ -461,6 +517,30 @@ On the Aviatrix Controller: #. Optional Configuration File: (Deprecated) +A sample config of Logstash to work with Filebeat in ELK stack v7 is +:: + + input { + beats { + port => 5000 + } + } + + filter { + mutate { + rename => { + "[host][name]" => "[host]" + } + } + } + + output { + elasticsearch { + hosts => ["127.0.0.1:9200"] + } + } + + 3.3 Splunk Logging ------------------- On the Aviatrix Controller: @@ -472,6 +552,7 @@ On the Aviatrix Controller: Note: If "Import File" is selected for "How to configure", please provide the Splunk configuration file. + 3.4 Sumo Logic ------------------- On the Aviatrix Controller: 
@@ -485,6 +566,21 @@ Sumologic Collectors(eg: Controllers/Gateways) from SumoLogic servers. Please note that Sumo collector is memory intensive and needs instances with at least 2GB of memory - for AWS, t3.small, or higher depending on features deployed. + +3.5 DataDog Agent +------------------- +You may refer to this link, `DatadogIntegration `_ to set up. However, based on the past year experience, the vendor has changed the client root certificates for a few times. + a. You may disable DataDog Agent and re-enable it to fetch the current new root certificate. + #. Or, we highly recommend to follow above 3.1.b steps to use Remote Syslog as client to forward to any servers and will not encounter any of these cert issues. + +Before 5.3 release, DataDog agent woulld only upload metrics from the Aviatrix Controller and Gateways - from release 5.3, we also upload syslogs to bring it on par with Sumo and Splunk agent behavior. + + +3.6 Cloudwatch +------------------- +Please follow this link `AWS CloudWatch Integration `_ for instruction. + + 4. Log management system Apps ==================================== @@ -498,8 +594,7 @@ Splunk App for Aviatrix Splunk app for Aviatrix can be downloaded from `Splunkbase `_. -Click `here `_ to check -instructions on GitHub. +Click `SplunkforAviatrix `_ to check instructions on GitHub. **Sample** @@ -535,10 +630,14 @@ To configure Loggly integration through an intermediary syslog server relay: 3. Follow `this document `_ to configure the relay to send to Loggly -6. Netflow and Span port support -================================= -Starting from Release 4.0, Aviatrix Controller and gateways support netflow and span port. +6. Netflow +============= + +Aviatrix gateways support Netflow protocol v5 and v9. + +Please follow this link `Netflow Integration `_ to enable it. + 
diff --git a/HowTos/AviatrixLogging_media/rsyslog_template.png b/HowTos/AviatrixLogging_media/rsyslog_template.png new file mode 100644 index 000000000..00f5161d0 Binary files /dev/null and b/HowTos/AviatrixLogging_media/rsyslog_template.png differ diff --git a/HowTos/Aviatrix_Account_Azure.rst b/HowTos/Aviatrix_Account_Azure.rst index dfa8af7a6..b150388e0 100644 --- a/HowTos/Aviatrix_Account_Azure.rst +++ b/HowTos/Aviatrix_Account_Azure.rst 
@@ -3,69 +3,53 @@ :keywords: Aviatrix account, Azure, Aviatrix Azure account credential, API credential =========================================================== -Azure ARM +Azure Account Credential Setup =========================================================== -1.0 Overview +1. Overview ============= -This document helps you setup API credentials on Azure ARM. - -Aviatrix Cloud Controller uses Azure APIs extensively to launch Aviatrix +Aviatrix Controller uses Azure APIs extensively to launch Aviatrix gateways, configure encrypted peering and other features. -In order to use Azure API, you need to first create an Aviatrix Cloud -Account on the Aviatrix Cloud controller. This cloud account corresponds -to a valid Azure account with API credentials. +In order to use Azure API, you need to first create an Aviatrix `Access +Account `_ on the Aviatrix controller. This access account corresponds +to a valid Azure subscription with API credentials. You need to create an access account for each subscription. -The new Microsoft Azure (as opposed to Azure Classic) is significantly -different in how applications are authenticated and authorized to -interact with Azure Resource Manager APIs to manage resources, such as -Virtual Machines, Network, Storage Accounts, etc. +This document describes, for a given subscription, how to obtain the necessary information, +specifically Application ID, Application Key (Client secret), and +Application Directory ID to create an Aviatrix Access Account so that the Controller can execute APIs on that subscription. +There are 3 sections, make sure you go through all of them. -This document describes how to obtain the necessary information, -specifically Application ID, Application Key(Client secret), and -Application Directory ID to create an Aviatrix Cloud Account with step by -step instructions. There are 3 sections, make sure you go through all of -them. -| - - -2.0 Azure Permission Setup for Aviatrix +2. 
API and Permission Setup ======================================== Setting up Azure permission for Aviatrix involves three main steps. 1. Register Aviatrix Controller Application with Azure Active Directory -2. Grant Permissions +2. Assign a role to the Aviatrix Controller Application -3. Get Application ID, Application Key(Client secret) and Directory - ID +3. Get Application ID, Application Key (Client secret) and Directory ID **Important:** Complete the following steps in order. -2.1 Step 1 – Register Aviatrix Controller Application +2.1 – Register Aviatrix Controller Application ------------------------------------------------------- -Login to the Azure Portal. - -https://portal.azure.com +Login to the Azure Portal: https://portal.azure.com -***Register Aviatrix Controller*** -1. From the Azure portal click on "All services" and search for “Azure Active Directory” and click on “Azure Active Directory” - -|Image01| +1. From the Azure portal click on "All services" and search for “Azure Active Directory” and click on “Azure Active Directory”. 2. Click “App registrations". Do not choose "App registrations (Legacy)" -|Image03| +|image03| 3. Click “+ New registration” -|Image04| +|image04| a. Name = Aviatrix Controller 
@@ -75,76 +59,74 @@ https://portal.azure.com 3. Done -2.2 Step 2 – Grant Permissions -------------------------------- - +2.2 – Assign a role to the Aviatrix Application +------------------------------------------------------------ -***Grant Permissions*** 1. Login to the Azure portal 2. On the top left, click All services, search for “Subscriptions” -|Image11| + |image11| 3. Copy the Subscription ID (to notepad or a convenient location) -|Image12| +|image12| 4. Click on the Subscription ID 5. Then select “Access control (IAM)”. -|Image13| +|image13| -6. Click Add and then select the “Contributor” role. +6. Click Add and then select the “Contributor” role. If the "Contributor" role is too broad, you can later replace it with a custom role with specific permissions. Refer to `Use Azure IAM Custom Role `_ for instructions. 7. In the Select search field, type in “Aviatrix”. The Aviatrix Controller - app should show up. Select this one and click Select towards to the + (that you created in section 2.1) app should show up. Select this one and click Select towards to the bottom. -2.3 Step 3 – Get Application Information ------------------------------------------ - -**Get Application Information** +2.3 – Setup Information for Programmatic Sign in +------------------------------------------------------------ 1. From the Azure portal, click All services and search for “Azure Active Directory”. Click “App registrations” and then the application to see the Application (client) ID and Directory (tenant) ID. - |Image01| + |image01| 2. Retrieve the **Application (client) ID** and **Directory (tenant) ID**. A. Copy the Application ID and Directory ID for later use. - |Image14| + |image14| 3. Retrieve the **Client Secrets**. A. Click Certificates & secrets - B. Click New client secret + B. Click + New client secret - |Image06| + |image06| - C. Enter in the following + C. 
Enter in the following, and then click Add * Description = Aviatrix * Expires = Never - |Image07| + |image07| - E. Click Add + E. You should see the new secret as shown below. - |Image15| + |image15| F. Copy the secret. This will be used as the Application Key in the Aviatrix Controller. 5. Add **API permissions**. + Go to Azure Active Directory -> select the "Aviatrix Controller" application, click into the application. + A. Click API permissions |Image08| 
@@ -154,25 +136,49 @@ https://portal.azure.com C. Choose Azure Service Management |Image09| - - D. Select user_impersonation then Add permissions |Image10| 6. Done -At this point you should have the following information. +At this point you should have the following information to create an access account on Azure. + +========================================== ====================== +Access Account Setup Input Field Value +========================================== ====================== +Subscription ID From section 2.2 +Directory ID From section 2.3 +Application ID From section 2.3 +Application Key (Client Secret) From section 2.3 +========================================== ====================== + +Additional References +======================= + +If you need additional information, refer to `How to: Use the portal to create an Azure AD application and service principal that can access resources `_ on Azure documentation. + +Azure China notes +================== + +Deploying the Aviatrix Gateway in the Azure China Cloud +----------------------------------------------------------- + +Prerequisites: + +- You must already have a Microsoft Azure China account and Aviatrix Controller in AWS China to deploy an Aviatrix Gateway in the Azure China Cloud. + + +1. Create the Aviatrix Controller in your AWS China Cloud. Go to Onboarding and select Azure China. + +2. Enter the Aviatrix Customer ID. + +3. Enter the Certificate Domain. + +4. Create the Primary Access Account. -+-----------------------------------+---------------+ -| **Subscription ID** | From step 2 | -+-----------------------------------+---------------+ -| **Directory** **ID** | From step 3 | -+-----------------------------------+---------------+ -| **Application ID** | From step 3 | -+-----------------------------------+---------------+ -| **Application Key(Client secret)**| From step 3 | -+-----------------------------------+---------------+ +6. 
Deploy Aviatrix gateway from the Gateway page in the Aviatrix Controller or the Multi-Cloud Transit Solution page. +For more information, see “What is a China ICP License?” .. |image01| image:: AviatrixAccountForAzure_media/az-ad-01.PNG :width: 5.20313in diff --git a/HowTos/Aviatrix_Controller_API.rst b/HowTos/Aviatrix_Controller_API.rst deleted file mode 100644 index bb15e3910..000000000 --- a/HowTos/Aviatrix_Controller_API.rst +++ /dev/null @@ -1,11 +0,0 @@ -.. meta:: - :description: Aviatrix Controller API, points to real HTML URL - :keywords: Aviatrix API, Controller API - -=========================== -Aviatrix APIs -=========================== - -Click `this link `_ for Aviatrix API documentation. - -.. disqus:: diff --git a/HowTos/Azure_ingress_firewall_example.rst b/HowTos/Azure_ingress_firewall_example.rst new file mode 100644 index 000000000..40e4971f5 --- /dev/null +++ b/HowTos/Azure_ingress_firewall_example.rst 
@@ -0,0 +1,325 @@ +.. meta:: + :description: Azure ingress firewall network + :keywords: AVX Transit Architecture for Azure, Aviatrix Transit network, Transit DMZ, Egress, Firewall, Azure virtual network peering + + +========================================================= +Azure Ingress Firewall Setup Solution +========================================================= + +This document illustrates a simple architecture for Ingress traffic inspection firewall that leverages Azure Load Balancers, `Transit FireNet for Azure `_, and `Azure Transit with Native Spoke VNets `_. The solution also allows +you to view the client IP address. + +The deployment is shown as the diagram below. + +|transit_firenet_vnet| + +The key idea is from FireNet point of view, the ingress inspection is simply a VNET to VNET traffic inspection. This is accomplished by + + #. Place an Internet facing Azure Application Gateway in a spoke VNET (in the diagram, this spoke VNET is called Ingress Spoke VNET) to load balance traffic to the VNET where applications reside (Application Spoke VNET). + + #. Manage Spoke Inspection Policies for the Application Spoke VNET traffic that requires inspection with the Aviatrix Transit VNET. + +In this unified architecture, firewalls can be used for Ingress, Egress, North-South and VNET to VNET filtering. The solution does not need Azure Load Balancers to directly attach to firewall instances which then requires firewall instances to source NAT the incoming traffic from the Internet. Firewall instances can scale out as applications scale for all traffic types. + +.. Note:: + + This architecture works for `Azure Application Gateway `_. You can create multiple load balancers in the Ingress Spoke VNET. + +1. 
Prerequisite Setup +-------------------------------- + +First of all, upgrade the Aviatrix Controller to at least version UserConnect-5.3.1428 + + - https://docs.aviatrix.com/HowTos/inline_upgrade.html + +In this instruction, we are going to deploy the below topology in Azure + +- Azure VNETs + + - Aviatrix Transit VNET (i.e. 192.168.23.0/24) + + - Ingress Spoke VNET (i.e. 10.20.0.0/16) + + - Application Spoke VNET (i.e. 10.21.0.0/16) + +- Azure Transit with Native Spoke VNets topology + +.. Note:: + + Aviatrix Transit FireNet for Azure Encrypted Transit topology also supports this Azure Ingress Firewall Solution. + +Deploy an Aviatrix Transit VNET +^^^^^^^^^^^^^^^^^^^^^ + +Create an Aviatrix Transit VNET by utilizing Aviatrtix feature `Create a VPC `_ with Aviatrix FireNet VPC option enabled + +- Go to the Aviatrix Controller Console. + +- Click on the link "Useful Tools -> Create a VPC" + +- Click on the button "+ Add new" to create a new VPC with Cloud Type Azure ARM + +- Enable the checkbox "Aviatrix FireNet VPC" + +Deploy an Ingress Spoke VNET +^^^^^^^^^^^^^^^^^^^^^ + +Create an Ingress Spoke VNET by utilizing Aviatrtix feature `Create a VPC `_ as the previous step or manually deploying it in Azure portal. Moreover, feel free to use your existing VNET. + +Deploy an Application Spoke VNET +^^^^^^^^^^^^^^^^^^^^^ + +Create an Application Spoke VNET by utilizing Aviatrtix feature `Create a VPC `_ as the previous step or manually deploying it in Azure portal. Moreover, feel free to use your existing Application VNET. + +Deploy Azure Transit with Native Spoke VNets topology +^^^^^^^^^^^^^^^^^^^^^ + +Follow `Global Transit Network Workflow Instructions (AWS/Azure/GCP/OCI) `_ to deploy Azure Transit with Native Spoke VNets topology. + +- Create an Aviatrix Transit Gateway in Aviatrix Transit VNET by following the step `Launch a Transit Gateway `_ as the following screenshot. + + .. 
important:: + + For Azure deployment, the Aviatrix Transit Gateway must be launched with the option Enable Transit FireNet Function enabled. The minimum Azure FireNet gateway size is Standard_B2ms. + +|azure_avx_transit_gw| + +- Attach both Ingress Spoke VNET and Application Spoke VNET via Azure native peering by following the step `Attach Azure ARM Spoke VNet via native peering `_ + +Manage Transit FireNet +^^^^^^^^^^^^^^^^^^^^^ + +Follow `Aviatrix Transit FireNet Workflow `_ to deploy manage FireNet policy, and firewall instances. + +- Manage a spoke inspection policy for the Application spoke VNET by referring to step `Manage Transit FireNet Policy `_ as the following screenshot. + +|azure_avx_manage_firenet_policy| + +- Deploy firewall instance in Aviatrix Transit VNET by following the step `Deploy Firewall Network `_ as the following screenshot. + + Here is the Firewall information in this example for your reference. Please adjust it depending on your requirements. + + ========================================== ========== + **Example setting** **Example value** + ========================================== ========== + Firewall Image Palo Alto Networks VM-Series Next-Generation Firewall Bundle 1 + Firewall Image Version 9.1.0 + Firewall Instance Size Standard_D3_v2 + Management Interface Subnet Select the subnet whose name contains "gateway-and-firewall-mgmt" + Egress Interface Subnet Select the subnet whose name contains "FW-ingress-egress" + Username Applicable to Azure deployment only. “admin” as a username is not accepted. + Attach Check + ========================================== ========== + + |azure_avx_deploy_firewall| + +- Set up firewall configuration by referring to `Example Config for Palo Alto Network VM-Series `_ + + .. Note:: + + In Azure, instead of using pem file, please use username/password to ssh into firewall instance to reset password if needed. Additionally, use the same username/password to login into firewall website. + +2. 
Launch an Apache2 Web server in Application Spoke VNET +------------------------------------- + +In Application Spoke VNET, create an Ubuntu Server 18.04 LTS virtual machine and install Apache2 HTTP Server with custom port 8080. + +======================== ============== +**Example setting** **Example value** +======================== ============== +Protocol HTTP +Port 8080 +======================== ============== + +.. Note:: + + Refer to `Install The Latest Apache2 HTTP Server ( 2.4.34 ) On Ubuntu 16.04 | 17.10 | 18.04 LTS Servers `_ to install Apache2 HTTP Server + + Refer to `How To Change Apache Default Port To A Custom Port `_ to use custom port 8080 + +3. Create Azure Application Gateway +------------------------------------- + +In Ingress Spoke VNET, create an Azure Application Gateway, make sure you select the following: + +- Create an Azure Application Gateway in Ingress Spoke VNET + + |azure_application_gw_creation| + +- Select "Public" for Frontend IP address type in section Frontends + + |azure_application_gw_frontend| + +- Select "IP address or hostname" for Target type and configure the private IP of Apache2 Web Server for Target in section Backends + + |azure_application_gw_backend| + +- Add a routing rule on Listener depending on your requirement + + + ======================== ============== + **Example setting** **Example value** + ======================== ============== + Frontend IP Public + Protocol HTTP + Port 80 + ======================== ============== + + + |azure_application_gw_routing_rule_listener| + + +- Add a routing rule on Backend targets and create a HTTP setting depending on your requirement + + |azure_application_gw_routing_rule_backend_target| + +- Click the button "Create new" on HTTP settings + + + |azure_application_gw_routing_rule_http_setting| + + + ======================== ================= + **Example setting** **Example value** + ======================== ================= + Bankend protocol HTTP + Backend port 8080 + 
======================== ================= + + + |azure_application_gw_routing_rule_backend_target_02| + + +- Review the configuration and click the button "Create" at the page "Review + create" + +.. note:: + + Refer to the instruction `Quickstart: Direct web traffic with Azure Application Gateway - Azure portal `_ + + +4. Ready to go! +--------------- + +Make sure Server (backend pool) status is in Healthy state from the Azure portal page "Application Gateway -> Backend health". + +|azure_application_gw_health_check| + +Run a http request targeting on the Azure Application Gateway Public IP or DNS name. + +- Find the Frontend public IP address of Azure Application Gateway from the Azure portal page "Application Gateway -> Overview" + + |azure_application_gw_frontend_public_IP| + +- Copy the Frontend public IP address of Azure Application Gateway and paste it on a browser from your laptop/PC. + + |azure_browser| + +- Perform tcpdump with port 8080 on Apache2 Web server + + |azure_application_server_tcpdump| + +- Furthermore, Azure Application Gateway automatically preserves client original IP address in the HTTP header field "X-Forwarded-For (XFF)". Here is an HTTP packet example which is opened with Wireshark tool for your reference: + + |azure_application_server_wireshark| + +.. note:: + + `Does Application Gateway support x-forwarded-for headers? `_ + + `What is X-Forwarded-For `_ + + `How do I see X forwarded for in Wireshark? `_ + + +5. View Traffic Log on Firewall +--------------- + +You can view if traffic is forwarded to the firewall instance by logging in to the Palo Alto VM-Series console. Go to the page "Monitor -> Logs -> Traffic". Perform http/https traffic from your laptop/PC to the public IP or domain name of Azure Application Gateway. + +6. Capturing Client IP in logs +------------------------- + +To view the client IP address in the access log, follow the instructions in `How to save client IP in access logs `_. 
+ +- Find and open Apache configuration file. + + :: + + #vim /etc/apache2/apache2.conf + +- In the LogFormat section, add %{X-Forwarded-For}i as follows: + + :: + + ... + LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%h %l %u %t \"%r\" %>s %b" common + ... + +- Save your changes. + +- Reload the Apache service. + + :: + + #systemctl reload apache2 + +- Review the public/original client IP on apache2 access log + +|azure_application_server_apache2_accesslog| + + +.. |transit_firenet_vnet| image:: ingress_firewall_example_media/transit_firenet_vnet.png + :scale: 50% + +.. |azure_avx_transit_gw| image:: ingress_firewall_example_media/azure_avx_transit_gw.png + :scale: 30% + +.. |azure_avx_manage_firenet_policy| image:: ingress_firewall_example_media/azure_avx_manage_firenet_policy.png + :scale: 30% + +.. |azure_avx_deploy_firewall| image:: ingress_firewall_example_media/azure_avx_deploy_firewall.png + :scale: 30% + +.. |azure_application_gw_creation| image:: ingress_firewall_example_media/azure_application_gw_creation.png + :scale: 30% + +.. |azure_application_gw_frontend| image:: ingress_firewall_example_media/azure_application_gw_frontend.png + :scale: 30% + +.. |azure_application_gw_backend| image:: ingress_firewall_example_media/azure_application_gw_backend.png + :scale: 30% + +.. |azure_application_gw_routing_rule_listener| image:: ingress_firewall_example_media/azure_application_gw_routing_rule_listener.png + :scale: 30% + +.. |azure_application_gw_routing_rule_backend_target| image:: ingress_firewall_example_media/azure_application_gw_routing_rule_backend_target.png + :scale: 30% + +.. |azure_application_gw_routing_rule_backend_target_02| image:: ingress_firewall_example_media/azure_application_gw_routing_rule_backend_target_02.png + :scale: 30% + +.. 
|azure_application_gw_routing_rule_http_setting| image:: ingress_firewall_example_media/azure_application_gw_routing_rule_http_setting.png + :scale: 30% + +.. |azure_application_gw_health_check| image:: ingress_firewall_example_media/azure_application_gw_health_check.png + :scale: 30% + +.. |azure_application_gw_frontend_public_IP| image:: ingress_firewall_example_media/azure_application_gw_frontend_public_IP.png + :scale: 30% + +.. |azure_browser| image:: ingress_firewall_example_media/azure_browser.png + :scale: 30% + +.. |azure_application_server_tcpdump| image:: ingress_firewall_example_media/azure_application_server_tcpdump.png + :scale: 30% + +.. |azure_application_server_wireshark| image:: ingress_firewall_example_media/azure_application_server_wireshark.png + :scale: 30% + +.. |azure_application_server_apache2_accesslog| image:: ingress_firewall_example_media/azure_application_server_apache2_accesslog.png + :scale: 50% + +.. disqus:: + diff --git a/HowTos/CloudFormationResources.rst b/HowTos/CloudFormationResources.rst index f4de83bef..1dc6f5ab6 100644 --- a/HowTos/CloudFormationResources.rst +++ b/HowTos/CloudFormationResources.rst 
@@ -14,9 +14,9 @@ Managing Aviatrix Resources in CloudFormation Overview -------- -Automating Aviatrix components is managed by REST APIs on the Aviatrix Controller. However, many AWS customers use CloudFormation to automate their infrastructure within AWS. In order to call `Aviatrix REST APIs `__ from CloudFormation templates, a `Custom Resource `__ is required. +Automating Aviatrix components is managed by APIs on the Aviatrix Controller. However, many AWS customers use CloudFormation to automate their infrastructure within AWS. In order to call Aviatrix APIs from CloudFormation templates, a `Custom Resource `__ is required. -Aviatrix has developed a Custom Resource to facilitate automation of Aviatrix components from CloudFormation templates. This Custom Resource is backed by an AWS Lambda function that will invoke the appropriate REST API call using the `Aviatrix Python SDK `__. +Aviatrix has developed a Custom Resource to facilitate automation of Aviatrix components from CloudFormation templates. This Custom Resource is backed by an AWS Lambda function. Use this guide to set up your AWS account with the necessary components to automate Aviatrix from your CloudFormation templates. @@ -212,8 +212,6 @@ This resource allows you to create Aviatrix Gateways. +------------------+----------+------------------------------------------------+ | additional_args | Yes | Dictionary with additional arguments for this | | | | gateway. | -| | | | -| | | | See |linkAliasAPI|_ for available arguments | +------------------+----------+------------------------------------------------+ **Example** @@ -354,6 +352,3 @@ This sample shows how to create a new FQDN filter called `production` that is en .. |imageASMKey| image:: CloudFormationResources_media/asm_secret_key_name.png :width: 300px - -.. |linkAliasAPI| replace:: Aviatrix REST API -.. _linkAliasAPI: https://s3-us-west-2.amazonaws.com/avx-apidoc/API.htm#_connect_container 
diff --git a/HowTos/CloudN-config-drive-v1_4.rst b/HowTos/CloudN-config-drive-v1_4.rst
deleted file mode 100644
index 0b73a7b17..000000000
--- a/HowTos/CloudN-config-drive-v1_4.rst
+++ /dev/null
@@ -1,360 +0,0 @@ -.. meta:: - :description: ClounN Config Drive - :keywords: CloudN, CloudN config drive, Aviatrix, hybrid cloud - -==================================================== -Auto Booting CloudN VM Using ISO File -==================================================== - -This document provides one method to boot CloudN VM automatically without the initial manual configuration stage for interface address. - -This method uses a customized ISO file when launching the virtual machine. - -Note: -CloudN can be downloaded from `this link: `_. - -1. Installation on VMware vSphere Client -========================================= - -Create the customized configuration -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -In order to boot CloudN that passes in interface address information, we need to create an ISO image containing both user-data and meta-data -in ISO9660 format. - -Creating user-data file ------------------------- - -In the following example, CloudN is designed to boot up with a -static ip address 10.10.0.10, netmask 255.255.0.0, gateway 10.10.0.1 and -dns-nameservers 8.8.8.8 and 8.8.4.4. Please note that “#cloud-config” is not -a comment but a directive to cloud-init. - -Sample contents of user-data: - -:: - - #cloud-config - - write_files - - path: /etc/network/interfaces - content: | - auto lo - iface lo inet loopback - auto eth0 - iface eth0 inet static - address 10.10.0.10 - netmask 255.255.0.0 - gateway 10.10.0.1 - dns-nameservers 8.8.8.8 8.8.4.4 - -.. Note:: If CloudN VM were to be deployed in a proxy environment, we would need to include additional proxy settings in the user-data. In the following sample, 10.10.0.21 is the IP address of the CloudN VM, 10.28.144.137 is the proxy IP address with port 8080, as shown in the example below. - -.. 
- -Sample contents of user-data (with proxy settings): - -:: - - #cloud-config - - write_files: - - path: /etc/sudoers.d/90-proxy - content: | - #Aviatrix http/https proxy integration - Defaults env_keep += "http_proxy https_proxy no_proxy" - - - path: /etc/network/interfaces - content: | - auto lo - iface lo inet loopback - auto eth0 - iface eth0 inet static - address 10.10.0.21 - netmask 255.255.0.0 - gateway 10.10.0.1 - dns-nameservers 8.8.8.8 8.8.4.4 - - bootcmd: - - - grep -q _proxy /etc/environment || (echo "http_proxy=http://10.28.144.137:8080"; echo - "https_proxy=http://10.28.144.137:8080"; echo "no_proxy=127.0.0.1,10.10.0.21") >> - /etc/environment - - - grep -q _proxy /etc/apache2/envvars || (echo "export - http_proxy=http://10.28.144.137:8080"; echo "export - https_proxy=http://10.28.144.137:8080"; echo "export no_proxy=127.0.0.1,10.10.0.21") >> - /etc/apache2/envvars - - -Create meta-data file ------------------------- - -:: - - instance-id: CloudN-local - local-hostname: CloudN-local - -Create the ISO -~~~~~~~~~~~~~~ - -After the user-data file and meta-data file are created, you can create the ISO by using this following command. 
- -:: - - ubuntu@ubuntu:~ $ genisoimage -o cloudn-10-10-0-10.iso -volid cidata -J - -r user-data meta-data - -Verify the ISO (optional) -~~~~~~~~~~~~~~~~~~~~~~~~~ - -:: - - ubuntu@ubuntu:~$ sudo mkdir /media/test_iso - - ubuntu@ubuntu:~$ sudo mount -o loop cloudn-10-10-0-10.iso - /media/test_iso - - mount: /dev/loop0 is write-protected, mounting read-only - - ubuntu@ubuntu:~$ cat /media/test_iso/user-data - - #cloud-config - - write_files: - - - path: /etc/network/interfaces - content: | - auto lo - iface lo inet loopback - auto eth0 - iface eth0 inet static - address 10.10.0.10 - netmask 255.255.0.0 - gateway 10.10.0.1 - dns-nameservers 8.8.8.8 8.8.4.4 - - ubuntu@ubuntu:~$ cat /media/test_iso/meta-data - - instance-id: CloudN-local - - local-hostname: CloudN-local - - ubuntu@ubuntu:~$ sudo umount /media/test_iso - -Deploy CloudN VM with the ISO -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Now you can deploy a CloudN VM with the cloudn-10-10-0-10.iso attached as a -CDROM to the VM. During the boot up process, the CloudN will be -configured with the customized configuration in user-data and meta-data. -Once the CloudN network is up, it will automatically download the latest -CloudN software. We will be able to access the web UI directly without -having to access the CloudN VM console to perform the initial interface -setup. - -|image0| - -|image1| - -After importing the CloudN ovf is completed, - -- Click on “Edit virtual machine settings” and select CD/DVD Drive - under the Hardware section. - -- Make sure the Device status “Connect at power on” option is checked - -- Click on “Use ISO image” to browse to the cloudn-10-10-0-10.iso. - -- Click “OK” to complete the Virtual Machine Settings. - -|image2| - -Power on the CloudN virtual machine. The configuration in -cloudn-10-10-0-10.iso will be read by cloud-init during the installation -process and CloudN will upgrade to default version when the network is -up. 
- -|image3| - -|image4| - -Once the CloudN login prompt is shown on the VM console, we can access -the https://10.10.0.10 to complete the admin’s email and password -initialization process. - -|image5| - -2. Installation on Linux KVM -============================= - -The same methods previously described to create the -cloudn-172-25-0-10.iso can be applied to KVM virtualization environment. - -Contents of user-data: -~~~~~~~~~~~~~~~~~~~~~~~ -:: - - #cloud-config - - write_files: - - - path: /etc/network/interfaces - content: | - auto lo - iface lo inet loopback - auto eth0 - iface eth0 inet static - address 172.25.0.10 - netmask 255.255.0.0 - gateway 172.25.0.1 - - dns-nameservers 8.8.8.8 8.8.4.4 - -.. Note: If your environment has proxy server for accessing Internet, you need to include that as described in the VMware section. - -.. - -Contents meta-data: -~~~~~~~~~~~~~~~~~~~ -:: - - instance-id: CloudN-local - - local-hostname: CloudN-local - -Create the ISO Image -~~~~~~~~~~~~~~~~~~~~~ - -:: - - ubuntu@ubuntu:~ $ genisoimage -o cloudn-172-25-0-10.iso -volid cidata -J - -r user-data meta-data - -Deploy CloudN VM with the ISO Image -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Copy the CloudN qcow2 image and cloudn-172-25-0-10.iso to the -/var/lib/libvirt/images. - -:: - - root@ubuntu1:/var/lib/libvirt/images# cp - /home/ubuntu/Downloads/CloudN-ovf-013017.qcow2 . - - root@ubuntu1:/var/lib/libvirt/images# cp - /home/ubuntu/Downloads/cloudn-172-25-0-10.iso . - - root@ubuntu1:/var/lib/libvirt/images# ls -l CloudN-kvm-013017.qcow2 - - -rw-r--r-- 1 root root 7761634304 Mar 19 22:09 CloudN-kvm-013017.qcow2 - - root@ubuntu1:/var/lib/libvirt/images# ls -l cloudn-172-25-0-10.iso - - -rw-r--r-- 1 root root 374784 Mar 19 22:11 cloudn-172-25-0-10.iso - -In this example below, a bridge interface “br1” is created and -eno1 is assigned to this “br1”. 
- -:: - - ubuntu@ubuntu1:~$ ifconfig - br1 Link encap:Ethernet HWaddr 00:30:48:b3:59:92 - inet addr:172.25.0.2 Bcast:172.25.255.255 Mask:255.255.255.0 - inet6 addr: fe80::230:48ff:feb3:5992/64 Scope:Link - UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 - RX packets:2060 errors:0 dropped:0 overruns:0 frame:0 - TX packets:507 errors:0 dropped:0 overruns:0 carrier:0 - collisions:0 txqueuelen:1000 - RX bytes:163384 (163.3 KB) TX bytes:74489 (74.4 KB) - - eno1 Link encap:Ethernet HWaddr 00:30:48:b3:59:92 - inet6 addr: fe80::230:48ff:feb3:5992/64 Scope:Link - UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 - RX packets:2076 errors:0 dropped:0 overruns:0 frame:0 - TX packets:559 errors:0 dropped:0 overruns:0 carrier:0 - collisions:0 txqueuelen:1000 - RX bytes:201572 (201.5 KB) TX bytes:83977 (83.9 KB) - Interrupt:21 Memory:fe600000-fe620000 - - enp4s0 Link encap:Ethernet HWaddr 00:30:48:b3:59:93 - UP BROADCAST MULTICAST MTU:1500 Metric:1 - RX packets:0 errors:0 dropped:0 overruns:0 frame:0 - TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 - collisions:0 txqueuelen:1000 - RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) - Interrupt:19 Memory:fe400000-fe420000 - - lo Link encap:Local Loopback - inet addr:127.0.0.1 Mask:255.0.0.0 - inet6 addr: ::1/128 Scope:Host - UP LOOPBACK RUNNING MTU:65536 Metric:1 - RX packets:656 errors:0 dropped:0 overruns:0 frame:0 - TX packets:656 errors:0 dropped:0 overruns:0 carrier:0 - collisions:0 txqueuelen:1 - RX bytes:107212 (107.2 KB) TX bytes:107212 (107.2 KB) - - virbr0 Link encap:Ethernet HWaddr 00:00:00:00:00:00 - inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0 - UP BROADCAST MULTICAST MTU:1500 Metric:1 - RX packets:0 errors:0 dropped:0 overruns:0 frame:0 - TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 - collisions:0 txqueuelen:1000 - RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) - - ubuntu@ubuntu:~$ brctl show - bridge name bridge id STP enabled interfaces - br1 8000.003048b35992 no eno1 - virbr0 8000.000000000000 yes - 
-Create a new CloudN-1 by importing the CloudN-kvm-013017.qcow2 image -with the customized cloudn-172-25-0-10.iso - -:: - - root@ubuntu1:/var/lib/libvirt/images# virt-install --os-type linux - --os-variant ubuntu14.04 --import --disk - path=./CloudN-kvm-013017.qcow2,bus=virtio,format=qcow2,size=20 --name - CloudN-1 --ram 4096 --vcpus 2 --disk - path=./cloudn-172-25-0-10.iso,device=cdrom --network - bridge=br1,model=virtio --network bridge=br1,model=virtio --graphics spice - -.. Note:: You may need to install virt-viewer package on your Linux machine in order to use the SPICE graphics. - -A Virt Viewer window will pop up to show the installation process of -CloudN. Once the CloudN login prompt is shown on the Virt Viewer -console, we can access the https://172.25.0.10 to complete the admin’s -email and password initialization process. - -|image6| - -|image7| - -|image8| - -When you close the Virt Viewer window, the CloudN VM will continue running -and you will notice that the “Domain creation completed” on the terminal -that you executed virt-install command earlier. - -To shut down or delete the CloudN VM, you may use the Virtual Machine -Manager or virsh commands like any other VMs supported by Linux KVM. - -.. |image0| image:: CloudN-config-drive_media/image1.png - -.. |image1| image:: CloudN-config-drive_media/image2.png - -.. |image2| image:: CloudN-config-drive_media/image3.png - -.. |image3| image:: CloudN-config-drive_media/image4.png - -.. |image4| image:: CloudN-config-drive_media/image5.png - -.. |image5| image:: CloudN-config-drive_media/image6.png - -.. |image6| image:: CloudN-config-drive_media/image7.png - -.. |image7| image:: CloudN-config-drive_media/image8.png - -.. |image8| image:: CloudN-config-drive_media/image9.png - -.. disqus:: 
diff --git a/HowTos/CloudN-config-drive_media/image1.png b/HowTos/CloudN-config-drive_media/image1.png
deleted file mode 100644
index 787ee27b7..000000000
Binary files a/HowTos/CloudN-config-drive_media/image1.png and /dev/null differ
diff --git a/HowTos/CloudN-config-drive_media/image2.png b/HowTos/CloudN-config-drive_media/image2.png
deleted file mode 100644
index 9092970c7..000000000
Binary files a/HowTos/CloudN-config-drive_media/image2.png and /dev/null differ
diff --git a/HowTos/CloudN-config-drive_media/image3.png b/HowTos/CloudN-config-drive_media/image3.png
deleted file mode 100644
index b3a7aa0e1..000000000
Binary files a/HowTos/CloudN-config-drive_media/image3.png and /dev/null differ
diff --git a/HowTos/CloudN-config-drive_media/image4.png b/HowTos/CloudN-config-drive_media/image4.png
deleted file mode 100644
index c2a6cfaa4..000000000
Binary files a/HowTos/CloudN-config-drive_media/image4.png and /dev/null differ
diff --git a/HowTos/CloudN-config-drive_media/image5.png b/HowTos/CloudN-config-drive_media/image5.png
deleted file mode 100644
index f4e4fa67e..000000000
Binary files a/HowTos/CloudN-config-drive_media/image5.png and /dev/null differ
diff --git a/HowTos/CloudN-config-drive_media/image6.png b/HowTos/CloudN-config-drive_media/image6.png
deleted file mode 100644
index 76b4d35db..000000000
Binary files a/HowTos/CloudN-config-drive_media/image6.png and /dev/null differ
diff --git a/HowTos/CloudN-config-drive_media/image7.png b/HowTos/CloudN-config-drive_media/image7.png
deleted file mode 100644
index dba9fbdab..000000000
Binary files a/HowTos/CloudN-config-drive_media/image7.png and /dev/null differ
diff --git a/HowTos/CloudN-config-drive_media/image8.png b/HowTos/CloudN-config-drive_media/image8.png
deleted file mode 100644
index 667cb35d3..000000000
Binary files a/HowTos/CloudN-config-drive_media/image8.png and /dev/null differ
diff --git a/HowTos/CloudN-config-drive_media/image9.png b/HowTos/CloudN-config-drive_media/image9.png deleted file mode 100644 index 79027d918..000000000 Binary files a/HowTos/CloudN-config-drive_media/image9.png and /dev/null differ diff --git a/HowTos/CloudN_insane_mode.rst b/HowTos/CloudN_insane_mode.rst index a97b71d81..53c2310aa 100644 --- a/HowTos/CloudN_insane_mode.rst +++ b/HowTos/CloudN_insane_mode.rst @@ -4,7 +4,7 @@ =============================================== -Insane Mode CloudN Deployment Checklist +Standalone CloudN Deployment Checklist =============================================== When Insane Mode is applied to improve encryption performance between on-prem and cloud, you need to deploy the Aviatrix hardware appliance CloudN. Making this use case work requires edge router configurations. This document lists the checklist you should follow in @@ -13,6 +13,10 @@ successfully deploying Insane Mode for hybrid connection. CloudN Insane Mode can be applied to hybrid connection by AWS Direct Connect or Azure Express Route. CloudN can also be applied to hybrid connection by Internet. +One CloudN supports `multiple Transit Gateways connections. `_ + +Starting in Release 6.2, Managed CloudN is the supported deployment model where CloudN configuration and operations are managed by the Controller. + Step 1. Understand Deployment Architecture ---------------------------------------------- 
@@ -49,11 +53,21 @@ Aviatrix CloudN Appliance with HA |deployment_ha| -Redundant DX Deployment +Redundant DX Deployment (Active/Standby) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +In this deployment model, Direct Connects are being used in a Active/Standby mode. The Preferred path is indicated on the picture. + +.. note:: + The firewalls on the left side of the picture cannot handle asymmetric traffic which maybe the reason of having Direct Connect as Active/Standby |deployment_dual_dx| +Redundant DX Deployment (Active/Active) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +In this deployment model, Direct Connects are Active / Active. One of the requirements would be for the firewall to handle asymmetric routing. + +|deployment_dual_dx_aa| + Step 1.2 Connection over Internet ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -94,17 +108,16 @@ CloudN Interface Private IP Address Subnet Mask Default Gateway MTU Siz 1- WAN Not Required Not Required WAN port that connects edge router 2- LAN Not Required Not Required Not Required LAN port that connects edge router 3- MGMT Not Required Management port for CloudN configuration and software upgrade -4- HPE iLO (optional) Not Required Not Required Not Required HP Integrated Lights-Out +4- HPE iLO Not Required Not Required Not Required HP Integrated Lights-Out ===================== ================== =========== =============== =============== ================== ===================== ============================================================= 2.1 Internet Access ~~~~~~~~~~~~~~~~~~~~~~~~ -A CloudN appliance does not require a public IP address, but the management port requires outbound internet access on the management port for software upgrade. - -Here is the list of the public IP address that CloudN requires for outbound traffic. +A CloudN appliance does not require a public IP address, but the management port requires outbound internet access on the management port for software upgrade. Please see `Required Access for External Sites `_. - - www.carmelonetworks.com (54.149.28.255) for CloudN software upgrade. +.. note:: + You must be registered to access the Aviatrix Customer Support website. If you are not already registered, you can sign-up at https://support.aviatrix.com. 2.2 BGP Requirement ~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -132,16 +145,24 @@ Before powering up CloudN, make sure After you power up CloudN, first test that the CloudN interfaces are alive and connected properly by doing the following tests. a. From ASR, ping the CloudN LAN interface, WAN interface and Mgmt interface. - #. CloudN mgmt interface can ping Internet (From CloudN clish console) + #. CloudN mgmt interface can ping Internet (From CloudN cli console) 3.3 Upgrade CloudN to the Latest Software ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - a. Login to the CloudN console. Open a browser console and type: https://CloudN_Mgmt_IP_Address - #. Login with username "admin" and password "Aviatrix 123#" (You can change the password later) + a. Log in to the CloudN console. Open a browser console and type: https://CloudN_Mgmt_IP_Address. + #. Log in with username "admin" and the password provided by your Aviatrix Support Representative (You can change the password later). #. Upgrade CloudN to the latest. -3.4 Configure Insane Moode +3.4 Configure NTP Sync and SMTP Services +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + a. Add a firewall rule to allow CloudN’s MGMT outbound UDP port 123 access to ntp.ubuntu.com or to a local NTP server. + #. In the CloudN UI, go to Setting -> Controller -> System Time. Enter ntp.ubuntu.com or a local NTP server then select the Sync option. + #. Do a manual sync to the NTP server. + #. In the CloudN UI, go to Setting -> Controller -> Email. Setup the SMTP settings to allow CloudN to send alert emails. + +3.5 Configure Insane Mode ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From the Controller in AWS, configure Transit Setup Step 3 to CloudN, make sure to select all the correct options. 
@@ -153,7 +174,7 @@ From the Controller in AWS, configure Transit Setup Step 3 to CloudN, make sure #. After configuration, download the configure file and import to CloudN. #. If there is HA, import to CloudN HA. -3.5 Troubleshooting Tips +3.6 Troubleshooting Tips ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ a. Check on CloudN Console. Go to Site2Cloud, make sure the tunnel is up. @@ -190,6 +211,9 @@ From the Controller in AWS, configure Transit Setup Step 3 to CloudN, make sure .. |deployment_dual_dx| image:: insane_mode_media/deployment_dual_dx.png :scale: 30% +.. |deployment_dual_dx_aa| image:: insane_mode_media/deployment_dual_dx_aa.png + :scale: 30% + .. |ISR-sample-config| image:: insane_mode_media/ISR-sample-config.png :scale: 50% diff --git a/HowTos/CloudN_workflow.rst b/HowTos/CloudN_workflow.rst new file mode 100644 index 000000000..db8ebedd6 --- /dev/null +++ b/HowTos/CloudN_workflow.rst 
@@ -0,0 +1,753 @@ +.. meta:: + :description: Global Transit Network + :keywords: CloudN workflow, Transit hub, AWS Global Transit Network, Encrypted Peering, Transitive Peering, Insane mode, Transit Gateway, TGW, Managed CloudN + + +=============================================== +Managed CloudN Workflows +=============================================== + +Introduction +============ + +Aviatrix CloudN hardware appliance is deployed on-prem to connect to public cloud. It provides up to 25Gbps encryption performance over AWS Direct Connect and Azure Express Route. + +Aviatrix Managed CloudN enables you to manage CloudN hardware appliances by Aviatrix Controller as an `Aviatrix CloudN device `_. + +Benefits: +--------- + +- Ease of use: + + - Centrally manage all CloudN appliances from Aviatrix Controller without logging into each Standalone CloudN GUI individually for ongoing configuration and operation actions. + + - Simplifying connection configuration by removing manually importing S2C IPsec configuration method as in Standalone CloudN. + +- Enhanced visibility and troubleshooting: + + - Perform running diagnostics, upload tracelog and upgrade on Managed CloudN device the same way as an Aviatrix gateway. + + - Support backup/restore function + +- Active Mesh support: + + - Managed CloudN automatically load balance traffic to both Aviatrix Transit primary gateway and backup gateway + +- Scalability: + + - Support scale-out fashion to achieve higher IPsec throughput + +.. note:: + + - Managed CloudN only supports High-Performance (Insane Mode) encryption connection. It works with Aviatrix Transit Gateways with Insane Mode enabled. + + - This solution applies to over AWS Direct Connect, Azure ExpressRoute and Internet. + + - This solution applies to over GCP InterConnect starting from 6.3. + + - This solution in GCP supports only one tunnel per transit gateway for over Internet scenario. 
+ +For more information and benefits about CloudN, please check out the below documents: + + `Insane Mode CloudN Deployment Checklist `_ + + `Insane Mode Encryption FAQ `_ + +This document describes a step-by-step Managed CloudN deployment workflow for R6.2 and later. It covers the following topics. + + - Workflow on Aviatrix CloudN + + - Workflow on Aviatrix Controller + + - Traffic Flow Verification + + - Troubleshooting Tips + + - Upgrade + + - Backup/Restore + + - Workflow on cleanup + + - FAQ + +Topology +================== + + |managed_cloudn_topology| + +Prerequisite +==================== + +Step 1.1 Order CloudN appliance +--------------------------------- + +`Order a CloudN appliance `_ and install it properly in your data center or data center provider + +Step 1.2 (Optional) FQDN name for Controller +----------------------------------------------- + +Create and register an FQDN Name for Aviatrix Controller public IP. This is useful if Controller has HA configured. + + +Step 1.3 (Optional) Remove the current connection +----------------------------------------------------- + +Skip if this is a brand new deployment) Remove/delete any Site2Cloud (IPsec) connection between Aviatrix Transit gateway and Standalone CloudN if you have any in your existing Standalone CloudN deployment + +Step 1.4 Upgrade to the latest +--------------------------------- + +`Upgrade `_ Aviatrix Controller to at least version 6.2 + +Step 1.5 Deploy VPCs, Aviatrix Multi-Cloud Transit Gateways, and Spoke Gateways +-------------------------------------------------------------------------------- + +Deploy Aviatrix Multi-Cloud Transit solution in the cloud. + + - Follow this `step `_ to launch Aviatrix Transit gateway with insane mode enabled. Recommended minimum size for Transit in AWS is c5n.4xlarge. Please refer to this `doc `_ for performance detail. + + - (Optional) Follow this `step `_ to launch Aviatrix Spoke gateway with insane mode enabled. 
Recommended minimum size for Spoke with insane mode in AWS is c5.2xlarge. Please refer to this `doc `_ for performance detail. Notes: Users has option to attach non-insane mode Spoke gateway to insane mode Transit gateway. + + - (Optional) Follow this `step `_ to attach Aviatrix Spoke gateway to Aviatrix Transit gateway + + +.. note:: + + In this example, Aviatrix Multi-Cloud Transit Gateway and Aviatrix Spoke Gateway with HPE are deployed in AWS platform. The workflow applies to Azure. + + +Workflow on Aviatrix CloudN +============================= + +Step 2.1 Open Controller inbound ports +-------------------------------------- + +CloudN is deployed inside a data center, it does not require any public IP addressees. However you need to collect the public IP for +the management interface (The ISP provided pubic IP) and open port 443 on the Controller for that public IP. + +Update Aviatrix Controller's inbound security group to allow TCP 443 from public IP address of the router of CloudN's MGMT interface + + - Open a browser + + - Navigate to the AWS portal + + - Sign in with AWS account + + - Find the security group which is associated with Aviatrix Controller + + - Configure inbound rule to allow TCP 443 from public IP address provided by the ISP where CloudN's management interface egresses to Internet. + + .. important:: + + This public IP address needs to be static. + +Step 2.2 Configure NTP Sync and SMTP Services +--------------------------------------------- + + - Add a firewall rule to allow CloudN’s MGMT outbound UDP port 123 access to ntp.ubuntu.com or to a local NTP server. + + - From the CloudN UI, go to Setting -> Controller -> System Time. Enter ntp.ubuntu.com or a local NTP server then select the Sync option. + + - Do a manual sync to the NTP server. + + - From the CloudN UI, go to Setting -> Controller -> Email, Setup SMTP settings to allow CloudN to send alert email. 
+ +Step 2.3 Login CloudN GUI +-------------------------- + + - Open a browser + + - Navigate to the CloudN GUI with CloudN domain name/IP and port 443 + + - Sign in with CloudN login credentials + +Step 2.4 (Optional) Check whether CloudN requires a Controller IP migration +--------------------------------------------------------------------------------------------- + +This is a rare case. It is documented here for completeness. Skip if the Controller IP address has not been changed. + + - Navigate to the page "Troubleshoot -> Diagnostics -> Network" + + - Find the panel `CONTROLLER PUBLIC IP `_ + + - Perform function `CONTROLLER IP MIGRATION `_ if the message in the panel "CONTROLLER PUBLIC IP" guides users to execute it. + + .. note:: + + For private link connectivity such as AWS Direct Connect or Azure Express Route case, CloudN WAN interface is assigned a private IP, thus the message in the panel "CONTROLLER PUBLIC IP" displays "The public IP of this controller is NA. Controller was not able to reach www.carmelonetworks.com through the WAN interface(eth0)." + +Step 2.5 Managed CloudN management port outbound access +-------------------------------------------------------------------------------------------------------------------------- + +You must use the specified FDQN, IP address, and ports for Managed CloudN (registered to the Controller) and Standalone CloudN (de-registered from the Controller) implementations. Please see `Required Access for External Sites `_. + + .. note:: + + You must be registered to access the Aviatrix Customer Support website. If you are not already registered, you can sign-up at https://support.aviatrix.com. + + + You must be registered to access the Aviatrix Customer Support website. If you are not already registered, you can sign-up at https://support.aviatrix.com. + + + To check basic connectivity to Internet from CloudN device and to troubleshoot reachability issue to these addresses, follow the steps below. 
+ + - Navigate to the page "Troubleshoot -> Diagnostics -> Network" + + - Find the panel `Network Connectivity Utility `_ + + - Enter fields for Hostname, Port, Gateway Name, and Protocol + + +--------------+--------------------------------------------------------------------+ + | **Field** | **Value** | + +--------------+--------------------------------------------------------------------+ + | Hostname | Refer to the FQDN/IP address on the Aviatrix Support webstie. | + +--------------+--------------------------------------------------------------------+ + | Port | Refer to the PORT on the Aviatrix Support webstie. | + +--------------+--------------------------------------------------------------------+ + | Gateway Name | Controller | + +--------------+--------------------------------------------------------------------+ + | Protocol | TCP | + +--------------+--------------------------------------------------------------------+ + + - Click the button "Go" to check connectivity + +Step 2.6 Register with Aviatrix Controller FQDN Name +------------------------------------------------------- + + - Navigate to the page "Settings -> Advanced -> Registration" or click the link "Managed CloudN" under UseCases drop down menu on the top + + |cloudn_register_controller_fqdn_link_managed_cloudn| + + - Find the panel "REGISTER CLOUDN AS A GATEWAY" + + - Enter Aviatrix Controller FQDN name + + |cloudn_register_controller_fqdn| + + .. important:: + + It is highly recommended to register CloudN with Aviatrix Controller’s FQDN name instead of its IP address for allowing Controller HA operation (allows the controller to be assigned to a different IP address). + + When your Aviatrix Controller's FQDN is mapped to a private IP address, make sure that CloudN’s MGMT primary DNS server or secondary DNS server can resolve the FQDN to its private IP address. 
+ + Registering CloudN to Aviatrix Controller via private networks is not a fully supported scenario; please discuss this with the Aviatrix team during the planning phase before you finalize the design for the Managed CloudN deployment. + + - Enter Aviatrix Controller Username/Password with an admin user credential (any users in admin RBAC Groups) + + - Enter Gateway Name to represent this CloudN device + + - Click the button "Register" + + - Click the button "OK" to confirm + + - Wait for about 40-60 seconds to complete the registration process + +Workflow on Aviatrix Controller +======================================= + +Step 3.1 Login Aviatrix Controller +----------------------------------- + + - Open a browser + + - Navigate to the Aviatrix Controller + + - Sign in with Aviatrix account + +Step 3.2 Check if a Managed CloudN device is connected to Aviatrix Controller properly +------------------------------------------------------------------------------------------- + + - Navigate to the page "CLOUDN -> List/Edit" + + - Search for the Managed CloudN device + + - Check the state to make sure it is displayed "registered" on the column "State" + + |controller_managed_cloudn_registered_state| + +Step 3.3 (Optional) Discover a Managed CloudN device WAN interface +--------------------------------------------------------------------- + +This step is for building connection over internet. If you are building connection over Direct Connect, please jump to the next step directly. 
+ + - Navigate to the page "CLOUDN -> Attach" + + - Find the panel 1) Prepare to Attach + + - Select the Managed CloudN device + + - Click the button "DISCOVER WAN INTERFACES" + + |controller_discover_wan_interfaces| + + - Select WAN interface in the drop-down menu + + - Update WAN primary interface and IP if needed + + - Click the button "APPLY" + +Step 3.4 Attach Managed CloudN +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + +This step follows the instruction at `Attach a CloudN device to Aviatrix Transit Gateway `_. + + - Navigate to the page "CLOUDN -> Attach" + + - Find the panel 2) Attach Device to Cloud + + - Select the radio button "Aviatrix Transit Gateway" + + - Enter fields for Branch Name, Aviatrix Transit Gateway, Connection Name, Aviatrix Transit Gateway BGP ASN, CloudN's BGP ASN, CloudN LAN Interface Neighbor's IP, CloudN LAN Interface Neighbor's BGP ASN, and Over DirectConnect. + + +-----------------------------------------+------------------------------------------------------------------------------------------+ + | **Field** | **Value** | + +-----------------------------------------+------------------------------------------------------------------------------------------+ + | Device Name | Select the Managed CloudN device | + +-----------------------------------------+------------------------------------------------------------------------------------------+ + | Aviatrix Transit Gateway | Select an Aviatrix Transit Gateway | + +-----------------------------------------+------------------------------------------------------------------------------------------+ + | Connection Name | A unique name for the connection (i.e. 
Managed-CloudN-to-Aviatrix-Transit-GW-connection) | + +-----------------------------------------+------------------------------------------------------------------------------------------+ + | Aviatrix Transit Gateway BGP ASN | Only BGP is supported. Enter BGP ASN number on Aviatrix Transit Gateway. (i.e. 65019) | + +-----------------------------------------+------------------------------------------------------------------------------------------+ + | CloudN's BGP ASN | Only BGP is supported. Enter BGP ASN number on the Managed CloudN device. (i.e. 65056) | + +-----------------------------------------+------------------------------------------------------------------------------------------+ + | CloudN LAN Interface Neighbor's IP | Enter Managed CloudN LAN Interface Neighbor's IP | + +-----------------------------------------+------------------------------------------------------------------------------------------+ + | CloudN LAN Interface Neighbor's BGP ASN | Only BGP is supported. Enter BGP ASN number on the Neighbor's Router. (i.e. 65122) | + +-----------------------------------------+------------------------------------------------------------------------------------------+ + | Over DirectConnect | A checkbox to select whether the connection is over Direct Connect or Internet | + +-----------------------------------------+------------------------------------------------------------------------------------------+ + + - Click the button "ATTACH" + + |controller_attach_aviatrix_transit| + +Step 3.5 Check whether the Managed CloudN device is attached to Aviatrix Transit Gateway properly +----------------------------------------------------------------------------------------------------- + + - Navigate back to the page "CLOUDN -> List/Edit" + + - Search for the Managed CloudN device + + - Check the state is displayed "attached" on the column "State" + + |controller_managed_cloudn_attached_state| + +.. 
note:: + + The status "attached" here reflects only the management operation state, it does not reflect the attached connection state in real time. Please go to Site2Cloud page to monitor the connection status as below step. + +Step 3.6 Check whether the connection status is Up +--------------------------------------------------- + + - Navigate to the page "SITE2CLOUD -> Setup" + + - Locate the connection which is created in the previous step (i.e. Managed-CloudN-to-Aviatrix-Transit-GW-connection) + + - Check whether the connection status is Up as below example + + |controller_managed_cloudn_s2c_up_state| + +Step 3.7 Check Transit Gateway BGP status +------------------------------------------- + + - Navigate to the page "MULTI-CLOUD TRANSIT -> Advanced Config -> BGP" + + - Locate the connection which is created in the previous step (i.e. Managed-CloudN-to-Aviatrix-Transit-GW-connection) + + - Check whether the NEIGHBOR STATUS is established + +Traffic Flow Verification +========================= + +Traffic Flow Verification example was exercised "after S2C connection(s) is up and BGP connection(s) is established. The on-premise router is Cisco IOS with network loopback address 2.2.2.2/32. Aviatrix Transit VPC is 10.1.0.0/16. Aviatrix Spoke VPC is 192.168.1.0/24 and the private IP of the testing VM is 192.168.1.36/32. 
+ + - Traffic from on-premise router Cisco IOS to cloud VM + + - Issue ICMP traffic from on-prem loopback interface to a Virtual IP of cloud instance + + |managed_cloudn_traffic_flow_verification_on_prem_router_issue_icmp| + + - Execute packet capture on the cloud instance + + |managed_cloudn_traffic_flow_verification_cloud_vm_tcpdump_icmp| + + - Traffic from cloud VM to on-premise router Cisco IOS + + - Issue ICMP traffic from cloud instance to on-prem loopback interface address + + |managed_cloudn_traffic_flow_verification_cloud_vm_issue_icmp| + +Troubleshooting Tips +==================== + +When an CloudN registers with an Aviatrix Controller properly as a Managed CloudN device, users can perform troubleshooting on a Managed CloudN device the same way as +an Aviatrix gateway in the cloud via Aviatrix Controller GUI. + +.. note:: + + Direct access to CloudN's local HTTPs URL/UI is still allowed for only Troubleshoot/Diagnostic reasons; access to any other menu items is not recommended nor supported. 
+ +Running diagnostics +-------------------- + + - Navigate to the page "CLOUDN -> List/Edit" on Aviatrix Controller GUI + + - Search for the Managed CloudN device and select it + + - Click on the button "DIAG" to display drop down menu + + - Click on the button "Run" + + - Wait for a couple of minutes to complete the running diagnostics process + + - Click the button "Show" to display report + + - Click the button "Submit" to upload report to Aviatrix Support + + |controller_troubleshooting_tips_running_diagnostics| + +Upload tracelog +--------------- + + - Navigate to the page "CLOUDN -> List/Edit" on Aviatrix Controller GUI + + - Search for the Managed CloudN device and select it + + - Click on the button "DIAG" to display dropdown menu + + - Click on the button "Upload Tracelog" to upload tracelog to Aviatrix Support + + |controller_troubleshooting_tips_upload_tracelog| + +Download syslogs +---------------- + + - Navigate to the page "CLOUDN -> List/Edit" on Aviatrix Controller GUI + + - Search for the Managed CloudN device and select it + + - Click on the button "DIAG" to display dropdown menu + + - Click on the button "Download Syslog" + + |controller_troubleshooting_tips_download_syslogs| + +Force upgrade +------------- + + - Refer to `Force Upgrade doc `_ + + - Navigate to the page "TROUBLESHOOT -> Diagnostics -> Gateway" on Aviatrix Controller GUI + + - Search for the panel "Force Upgrade" + + - Select the Managed CloudN device on the "Gateway" dropdown menu + + - Click on the button "UPGRADE" to force upgrade the Managed CloudN device + + |controller_troubleshooting_tips_force_upgrade| + +Upgrade +======= + +When an CloudN registers with an Aviatrix Controller properly as a Managed CloudN device, the upgrade process on the Managed CloudN device is treated the same way +as an Aviatrix gateway in the cloud when Aviatrix Controller is upgraded. Please refer to `Inline Software Upgrade doc `_ for upgrading a Managed CloudN device from Aviatrix Controller. 
+ +.. important:: + + * Once CloudN is registered to Aviatrix controller, if you wish to check the version of Managed-CloudNs, please go to Aviatrix controller -> Settings -> Maintenance -> Upgrade -> Gateway Upgrade Status. However, the software version you see from CloudN GUI locally would not change, and it stays with the version at the time when you register CloudN to Aviatrix controller. + + * With Managed CloudN, software upgrading directly from CloudN GUI is no longer needed, unless unexpected issues occur. In such case, please open a support ticket at `Aviatrix Support Portal `_. + + + +|correct_place_to_check_cloudN_version| + + +Backup/Restore +============== + +When a CloudN registers with an Aviatrix Controller properly as a Managed CloudN device, the backup/restore process on the Managed CloudN device is processed the same way as an +Aviatrix gateway in the cloud when the backup/restore function is performed on Aviatrix Controller. Please refer to `Controller Backup and Restore doc `_ for details. + +.. note:: + + Performing backup/restore function for Managed CloudN device via CloudN GUI is not supported. 
+ +Workflow on cleanup +=================== + +De-register a Managed CloudN device from Aviatrix Controller +------------------------------------------------------------ + +Step 4.1 Perform feature "Detach Device from Cloud" on Aviatrix Controller GUI +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + - Open a browser + + - Navigate to the Aviatrix Controller + + - Sign in with Aviatrix account + + - Navigate to the page "CLOUDN -> Attach" + + - Find the panel "Delete Function -> 3> Detach Device from Cloud" + + - Select the connection from Managed CloudN to Aviatrix Transit gateway on the Attachment Name dropdown menu + + - Click on the button "DETACH" to disconnect the connection + + |controller_cloudwan_detach| + +Step 4.2 Perform feature "De-register a Device" on Aviatrix Controller GUI +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + - Open a browser + + - Navigate to the Aviatrix Controller + + - Sign in with Aviatrix account + + - Navigate to the page "CLOUDN -> Register" + + - Find the panel "Delete Function -> 2> De-register a Device" + + - Select the Managed CloudN device on the Branch Name dropdown menu + + - Click on the button "DE-REGISTER" to convert a Managed CloudN device back to a Standalone CloudN state + + |controller_cloudwan_deregister| + + .. note:: + + If these steps cannot convert a Managed CloudN device back to a Standalone CloudN state properly, please proceed Reset Configuration feature. + +Workflow on Reset Configuration +-------------------------- + +"Reset Configuration" feature enables users to remove all configuration on a Managed CloudN device from a corrupted state to a clean state. Please follow the below steps for "Reset Configuration". +This Reset Configuration feature is the last resort if users are not able to convert a Managed CloudN device back to a Standalone CloudN state through the steps above. 
+ +Step 4.3 Perform feature "Reset Configuration" on Aviatrix Controller GUI +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + - Open a browser + + - Navigate to the Aviatrix Controller + + - Sign in with Aviatrix account + + - Navigate to the page "CLOUDN -> List/Edit" + + - Search for the Managed CloudN device and select it + + - Click on the button "DIAG" to display dropdown menu + + - Click on the button "Reset Configuration" + + - Wait for a couple of minutes to complete the Reset Configuration process + + |controller_cloudwan_factory_reset| + + .. note:: + + Normally, when users perform feature "Reset Configuration" on Aviatrix Controller GUI, Aviatrix Controller will notify Managed CloudN to perform "Reset Configuration". If Managed CloudN does not function "Reset Configuration" properly through Aviatrix Controller, users need to execute the step 4.4 below. + +(Optional) Step 4.4 Perform feature "Reset Configuration" on CloudN GUI +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + - Open a browser + + - Navigate to the CloudN GUI with CloudN domain name/IP and port 443 + + - Sign in with CloudN login credentials + + - Navigate to the page "Settings -> Advanced -> Registration" or click the link "Managed CloudN" under UseCases dropdown menu on the top + + |cloudn_register_controller_fqdn_link_managed_cloudn| + + - Find the panel "Reset Configuration" + + - Click the button "Reset" + + - Wait for a couple of minutes to complete the Reset Configuration process + + |cloudn_factory_reset| + + .. important:: + + If users need any assistance for Reset Configuration operation, please open a support ticket at `Aviatrix Support Portal `_. + +User Guide for Redundant DX Deployment +====================================== + +Active/Active +------------- + +|deployment_dual_dx_aa| + +The `Active/Active deployment model `_ is recommended. 
In this deployment +model, both CloudN appliances forward traffic and the underlying network links are fully utilized. + +.. important:: + + Aviatrix topology requirements: + + - Attach two CloudN appliances to Aviatrix Transit by following the above workflows. + + - Enable `BGP ECMP function `_ on Aviatrix Transit. + + On-prem topology requirements: + + - If firewalls are deployed, make sure there is no asymmetric routing issues or the firewalls are capable of handling asymmetric routing issues. + + - LAN routers should advertise the same AS path length to both CloudN appliances and enable ECMP feature. + +Active/Standby +-------------- + +|deployment_dual_dx| + +Aviatrix solution supports `Active/Standby deployment model `_, but one of the CloudN appliances and network connections stays at standby/idle mode. + +To deploy this topology, on-prem LAN router must advertise **longer BGP AS_PATH** to the Standby CloudN to ensure traffic direction from cloud to on-prem always routes to the Active CloudN when the connection is up. Once the connection on the Active CloudN is down, traffic will be directed towards the Standby CloudN based on BGP info. When the Active CloudN is recovered, traffic will switch back to the Active CloudN as it has **shorter BGP AS_PATH** length. + +Users can utilize `Connection AS Path Prepend `_ for the traffic direction from on-prem to cloud depending on requirement. + +FAQ +==== + +Q: What is the terminology of Standalone CloudN and Managed CloudN? + +Ans: In this document, the term "Standalone CloudN" refers to a CloudN device is not managed by an Aviatrix Controller; "Managed CloudN" refers to a CloudN device that is registered/managed by an Aviatrix Controller. + +Q: Could a Managed CloudN be converted back to a Standalone CloudN? + +Ans: Yes. While this is not recommended practice, you should be able to convert a Managed CloudN device back to a Standalone CloudN by following the `Workflow on cleanup `_. 
+ +Q: Does Managed CloudN have Aviatrix High-Performance (Insane) mode supported? + +Ans: Yes. When a Managed CloudN device attaches to an Aviatrix Transit gateway with HA function enabled, High-Performance (Insane) mode tunnels to both primary and backup transit gateways are built automatically. + +Q: Can Managed CloudN solution support Azure Express Route? + +Ans: Yes, Managed CloudN runs over Azure Express Route. + +Q: Can we build a mixed topology in the deployment where some connections are from Managed CloudN and others are from Standalone CloudN in one CloudN appliance? + +Ans: No. We don't support this mixed topology. Once you decide to deploy Managed CloudN solution, you need to make sure there is no IPsec tunnel between Aviatrix Transit Gateway and Standalone CloudN before registering the Standalone CloudN to Aviatrix Controller. + +Q: Can one Standalone/Managed CloudN appliance connect to multiple links Direct Connect or Express Route? + +Ans: Yes. A CloudN appliance can build multiple of HPE connections to different Aviatrix Transit Gateways over multiple Direct Connect or Express Route. + +Q: Can one Aviatrix Transit Gateway connect to multiple of Managed CloudNs? + +Ans: Yes. An Aviatrix Transit Gateway can build multiple of HPE connections to different Managed CloudNs. + +Q: Can one Aviatrix Transit Gateway build mixed connections to different Standalone CloudN and Managed CloudN? + +Ans: Yes. While this is not recommended practice, an Aviatrix Transit Gateway is able to build mixed connections to different Standalone CloudN and Managed CloudN. This deployment is for migration stage only. + +Q: How to update the new Aviatrix Controller public IP for Managed CloudN? + +Ans: + +- Refer to `step 2.6 Register with Aviatrix Controller FQDN Name `_. 
+ +- Navigate to the page "Settings -> Advanced -> Registration" or click the link "Managed CloudN" under UseCases drop down menu on the top on CloudN GUI + +- Find the panel "REGISTER CLOUDN AS A GATEWAY" + +- Enter the new Aviatrix Controller public IP + + .. important:: + + It is highly recommended that a FQDN name is used instead of an IP address for enhanced security and controller HA. + +- Click the button "Register" + +- Click the button "OK" to confirm + +Q: How to migrate a Standalone CloudN to a Managed CloudN? + +Ans: + +- `Upgrade `_ Aviatrix Controller and CloudN appliance to at least version 6.2 + +- Remove/delete any Site2Cloud (IPsec) connection between Aviatrix Transit gateway and Standalone CloudN + +- Follow `Workflow on Aviatrix CloudN `_ + +- Follow `Workflow on Aviatrix Controller `_ + +.. |managed_cloudn_topology| image:: CloudN_workflow_media/managed_cloudn_topology.png + :scale: 80% + +.. |cloudn_register_controller_fqdn_link_managed_cloudn| image:: CloudN_workflow_media/cloudn_register_controller_fqdn_link_managed_cloudn.png + :scale: 80% + +.. |cloudn_register_controller_fqdn| image:: CloudN_workflow_media/cloudn_register_controller_fqdn.png + :scale: 40% + +.. |controller_managed_cloudn_registered_state| image:: CloudN_workflow_media/controller_managed_cloudn_registered_state.png + :scale: 50% + +.. |controller_discover_wan_interfaces| image:: CloudN_workflow_media/controller_discover_wan_interfaces.png + :scale: 60% + +.. |controller_attach_aviatrix_transit| image:: CloudN_workflow_media/controller_attach_aviatrix_transit.png + :scale: 60% + +.. |controller_managed_cloudn_attached_state| image:: CloudN_workflow_media/controller_managed_cloudn_attached_state.png + :scale: 50% + +.. |controller_managed_cloudn_s2c_up_state| image:: CloudN_workflow_media/controller_managed_cloudn_s2c_up_state.png + :scale: 60% + +.. 
|managed_cloudn_traffic_flow_verification_on_prem_router_issue_icmp| image:: CloudN_workflow_media/managed_cloudn_traffic_flow_verification_on_prem_router_issue_icmp.png + :scale: 100% + +.. |managed_cloudn_traffic_flow_verification_cloud_vm_tcpdump_icmp| image:: CloudN_workflow_media/managed_cloudn_traffic_flow_verification_cloud_vm_tcpdump_icmp.png + :scale: 100% + +.. |managed_cloudn_traffic_flow_verification_cloud_vm_issue_icmp| image:: CloudN_workflow_media/managed_cloudn_traffic_flow_verification_cloud_vm_issue_icmp.png + :scale: 100% + +.. |controller_troubleshooting_tips_running_diagnostics| image:: CloudN_workflow_media/controller_troubleshooting_tips_running_diagnostics.png + :scale: 50% + +.. |controller_troubleshooting_tips_upload_tracelog| image:: CloudN_workflow_media/controller_troubleshooting_tips_upload_tracelog.png + :scale: 50% + +.. |controller_troubleshooting_tips_download_syslogs| image:: CloudN_workflow_media/controller_troubleshooting_tips_download_syslogs.png + :scale: 50% + +.. |controller_troubleshooting_tips_force_upgrade| image:: CloudN_workflow_media/controller_troubleshooting_tips_force_upgrade.png + :scale: 50% + +.. |controller_cloudwan_detach| image:: CloudN_workflow_media/controller_cloudwan_detach.png + :scale: 60% + +.. |controller_cloudwan_deregister| image:: CloudN_workflow_media/controller_cloudwan_deregister.png + :scale: 60% + +.. |cloudn_factory_reset| image:: CloudN_workflow_media/cloudn_factory_reset.png + :scale: 40% + +.. |controller_cloudwan_factory_reset| image:: CloudN_workflow_media/controller_cloudwan_factory_reset.png + :scale: 60% + +.. |deployment_dual_dx| image:: insane_mode_media/deployment_dual_dx.png + :scale: 30% + +.. |deployment_dual_dx_aa| image:: insane_mode_media/deployment_dual_dx_aa.png + :scale: 30% + +.. |correct_place_to_check_cloudN_version| image:: ./CloudN_workflow_media/correct_place_to_check_cloudN_version.png + :scale: 60% + +.. disqus:: 
diff --git a/HowTos/CloudN_workflow_media/cloudn_factory_reset.png b/HowTos/CloudN_workflow_media/cloudn_factory_reset.png
new file mode 100644
index 000000000..e09206bbf
Binary files /dev/null and b/HowTos/CloudN_workflow_media/cloudn_factory_reset.png differ
diff --git a/HowTos/CloudN_workflow_media/cloudn_register_controller_fqdn.png b/HowTos/CloudN_workflow_media/cloudn_register_controller_fqdn.png
new file mode 100644
index 000000000..efa22fabb
Binary files /dev/null and b/HowTos/CloudN_workflow_media/cloudn_register_controller_fqdn.png differ
diff --git a/HowTos/CloudN_workflow_media/cloudn_register_controller_fqdn_link_managed_cloudn.png b/HowTos/CloudN_workflow_media/cloudn_register_controller_fqdn_link_managed_cloudn.png
new file mode 100644
index 000000000..bad75671a
Binary files /dev/null and b/HowTos/CloudN_workflow_media/cloudn_register_controller_fqdn_link_managed_cloudn.png differ
diff --git a/HowTos/CloudN_workflow_media/controller_attach_aviatrix_transit.png b/HowTos/CloudN_workflow_media/controller_attach_aviatrix_transit.png
new file mode 100644
index 000000000..824e16e43
Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_attach_aviatrix_transit.png differ
diff --git a/HowTos/CloudN_workflow_media/controller_cloudwan_deregister.png b/HowTos/CloudN_workflow_media/controller_cloudwan_deregister.png
new file mode 100644
index 000000000..cbc4f05b4
Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_cloudwan_deregister.png differ
diff --git a/HowTos/CloudN_workflow_media/controller_cloudwan_detach.png b/HowTos/CloudN_workflow_media/controller_cloudwan_detach.png
new file mode 100644
index 000000000..224e2a5a5
Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_cloudwan_detach.png differ
diff --git a/HowTos/CloudN_workflow_media/controller_cloudwan_factory_reset.png b/HowTos/CloudN_workflow_media/controller_cloudwan_factory_reset.png
new file mode 100644
index 000000000..dc62c446e
Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_cloudwan_factory_reset.png differ
diff --git a/HowTos/CloudN_workflow_media/controller_discover_wan_interfaces.png b/HowTos/CloudN_workflow_media/controller_discover_wan_interfaces.png
new file mode 100644
index 000000000..332563853
Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_discover_wan_interfaces.png differ
diff --git a/HowTos/CloudN_workflow_media/controller_managed_cloudn_attached_state.png b/HowTos/CloudN_workflow_media/controller_managed_cloudn_attached_state.png
new file mode 100644
index 000000000..086bc2842
Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_managed_cloudn_attached_state.png differ
diff --git a/HowTos/CloudN_workflow_media/controller_managed_cloudn_registered_state.png b/HowTos/CloudN_workflow_media/controller_managed_cloudn_registered_state.png
new file mode 100644
index 000000000..8633bf124
Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_managed_cloudn_registered_state.png differ
diff --git a/HowTos/CloudN_workflow_media/controller_managed_cloudn_s2c_up_state.png b/HowTos/CloudN_workflow_media/controller_managed_cloudn_s2c_up_state.png
new file mode 100644
index 000000000..309481908
Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_managed_cloudn_s2c_up_state.png differ
diff --git a/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_download_syslogs.png b/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_download_syslogs.png
new file mode 100644
index 000000000..affd6b9c1
Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_download_syslogs.png differ
diff --git a/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_force_upgrade.png b/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_force_upgrade.png
new file mode 100644
index 000000000..8dc666402
Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_force_upgrade.png differ
diff --git a/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_running_diagnostics.png b/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_running_diagnostics.png
new file mode 100644
index 000000000..e1759f782
Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_running_diagnostics.png differ
diff --git a/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_upload_tracelog.png b/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_upload_tracelog.png
new file mode 100644
index 000000000..af97643c8
Binary files /dev/null and b/HowTos/CloudN_workflow_media/controller_troubleshooting_tips_upload_tracelog.png differ
diff --git a/HowTos/CloudN_workflow_media/correct_place_to_check_cloudN_version.png b/HowTos/CloudN_workflow_media/correct_place_to_check_cloudN_version.png
new file mode 100644
index 000000000..0d315bd5e
Binary files /dev/null and b/HowTos/CloudN_workflow_media/correct_place_to_check_cloudN_version.png differ
diff --git a/HowTos/CloudN_workflow_media/managed_cloudn_topology.png b/HowTos/CloudN_workflow_media/managed_cloudn_topology.png
new file mode 100644
index 000000000..6aa0b7cb3
Binary files /dev/null and b/HowTos/CloudN_workflow_media/managed_cloudn_topology.png differ
diff --git a/HowTos/CloudN_workflow_media/managed_cloudn_traffic_flow_verification_cloud_vm_issue_icmp.png b/HowTos/CloudN_workflow_media/managed_cloudn_traffic_flow_verification_cloud_vm_issue_icmp.png
new file mode 100644
index 000000000..d665d070a
Binary files /dev/null and b/HowTos/CloudN_workflow_media/managed_cloudn_traffic_flow_verification_cloud_vm_issue_icmp.png differ
diff --git a/HowTos/CloudN_workflow_media/managed_cloudn_traffic_flow_verification_cloud_vm_tcpdump_icmp.png b/HowTos/CloudN_workflow_media/managed_cloudn_traffic_flow_verification_cloud_vm_tcpdump_icmp.png
new file mode 100644
index 000000000..5a19c4369
Binary files /dev/null and b/HowTos/CloudN_workflow_media/managed_cloudn_traffic_flow_verification_cloud_vm_tcpdump_icmp.png differ
diff --git a/HowTos/CloudN_workflow_media/managed_cloudn_traffic_flow_verification_on_prem_router_issue_icmp.png b/HowTos/CloudN_workflow_media/managed_cloudn_traffic_flow_verification_on_prem_router_issue_icmp.png
new file mode 100644
index 000000000..6bf28497b
Binary files /dev/null and b/HowTos/CloudN_workflow_media/managed_cloudn_traffic_flow_verification_on_prem_router_issue_icmp.png differ
diff --git a/HowTos/Cluster_Peering_Ref_Design.rst b/HowTos/Cluster_Peering_Ref_Design.rst
index a3b15c537..ca51359ae 100644
--- a/HowTos/Cluster_Peering_Ref_Design.rst
+++ b/HowTos/Cluster_Peering_Ref_Design.rst
@@ -131,7 +131,7 @@ highlighted. 3. You can create multiple clusters in a VPC. A gateway may also belong to different clusters. -4. For support, send an email to support@aviatrix.com. +4. For support, please open a support ticket at `Aviatrix Support Portal `_ 5. Enjoy!
diff --git a/HowTos/CoPilot_media/image0.png b/HowTos/CoPilot_media/image0.png
new file mode 100644
index 000000000..dacbcff9f
Binary files /dev/null and b/HowTos/CoPilot_media/image0.png differ
diff --git a/HowTos/CompanionGateway.rst b/HowTos/CompanionGateway.rst
index 334e20c38..88416f61f 100644
--- a/HowTos/CompanionGateway.rst
+++ b/HowTos/CompanionGateway.rst
@@ -2,12 +2,12 @@ :description: Aviatrix Companion Gateway :keywords: aviatrix, companion, gateway, v2, version 2 -================================== -Aviatrix Companion Gateway -================================== +====================================== +Aviatrix Companion Gateway in Azure +====================================== -If you need to launch a gateway in Azure ARM, you must subscribe to +If you need to launch an Aviatrix gateway in Azure, you must subscribe to **Aviatrix Companion Gateway** in **Azure Marketplace**. This model removes the requirement to download the Aviatrix gateway image into your Azure account which typically takes more than 30 minutes, thus @@ -18,56 +18,47 @@ The following steps describe how to subscribe Aviatrix Companion Gateway in Azure marketplace. -.. raw:: html - -
- -
- - Step 1: Select Aviatrix Companion Gateway ------------------------------------------ -Go to `Azure Marketplace `__, search **“aviatrix”** +Go to `Azure Marketplace `_ to subscribe to Companion Gatewaay V8. -.. important:: For Aviatrix controller version 3.0.1 or before, please select **[aviatrix-companion-gateway]**. For Aviatrix controller version 3.1 or later, please select **[aviatrix-companion-gateway-v2]**. -.. -NOTE: The following screenshots are for Companion Gateway V2 + |companion_gw| - |image0| - -| Step 2: Deploy Programmatically ----------------------------------- - If you don't have Azure subscription yet, follow the Azure guide to create your subscription. - If you already have Azure subscription, click **Want to deploy programmatically? Get started ->** at the bottom of the page, as shown below: +Click **Want to deploy programmatically? Get started ->**, as shown below: -|image1| +|get_started| -| Step 3: Enable subscription ---------------------------- - In the next step, select **[Enable subscription]**, click **[Save]**, as shown - below: +Select **[Enable]**, click **[Save]**, as shown below -|image2| +|enable_program| -| That’s it! - For support, send email to support@aviatrix.com + For support, go to Aviatrix Support at https://support.aviatrix.com and open a ticket. .. |image0| image:: CompanionGateway_media/img_01.PNG .. |image1| image:: CompanionGateway_media/img_02.PNG .. |image2| image:: CompanionGateway_media/img_03_enable_and_save.PNG +.. |companion_gw| image:: CompanionGateway_media/companion_gw.png + :scale: 30% + +.. |get_started| image:: CompanionGateway_media/get_started.png + :scale: 30% +.. |enable_program| image:: CompanionGateway_media/enable_program.png + :scale: 30% .. disqus:: diff --git a/HowTos/CompanionGateway_media/companion_gw.png b/HowTos/CompanionGateway_media/companion_gw.png new file mode 100644 index 000000000..af7a41813 Binary files /dev/null and b/HowTos/CompanionGateway_media/companion_gw.png differ 
diff --git a/HowTos/CompanionGateway_media/enable_program.png b/HowTos/CompanionGateway_media/enable_program.png
new file mode 100644
index 000000000..0e917dba0
Binary files /dev/null and b/HowTos/CompanionGateway_media/enable_program.png differ
diff --git a/HowTos/CompanionGateway_media/get_started.png b/HowTos/CompanionGateway_media/get_started.png
new file mode 100644
index 000000000..972a38580
Binary files /dev/null and b/HowTos/CompanionGateway_media/get_started.png differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/Drawing1.png b/HowTos/Configuring_CloudN_Examples_media/Drawing1.png
deleted file mode 100644
index bdb730db4..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/Drawing1.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image016.png b/HowTos/Configuring_CloudN_Examples_media/image016.png
deleted file mode 100644
index 640c8e578..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image016.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image017.png b/HowTos/Configuring_CloudN_Examples_media/image017.png
deleted file mode 100644
index d0727567e..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image017.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image018.png b/HowTos/Configuring_CloudN_Examples_media/image018.png
deleted file mode 100644
index 413165604..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image018.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image019.png b/HowTos/Configuring_CloudN_Examples_media/image019.png
deleted file mode 100644
index db6a7ed8b..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image019.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image020.png b/HowTos/Configuring_CloudN_Examples_media/image020.png
deleted file mode 100644
index 14561f6a6..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image020.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image021.png b/HowTos/Configuring_CloudN_Examples_media/image021.png
deleted file mode 100644
index b973c9165..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image021.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image022.png b/HowTos/Configuring_CloudN_Examples_media/image022.png
deleted file mode 100644
index 557023f8f..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image022.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image024.png b/HowTos/Configuring_CloudN_Examples_media/image024.png
deleted file mode 100644
index 479013d18..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image024.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image026.png b/HowTos/Configuring_CloudN_Examples_media/image026.png
deleted file mode 100644
index 4767ebce1..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image026.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image028.png b/HowTos/Configuring_CloudN_Examples_media/image028.png
deleted file mode 100644
index 9dac830ff..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image028.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image030.png b/HowTos/Configuring_CloudN_Examples_media/image030.png
deleted file mode 100644
index be8c5b5d8..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image030.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image032.png b/HowTos/Configuring_CloudN_Examples_media/image032.png
deleted file mode 100644
index a3a95ab34..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image032.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image034.png b/HowTos/Configuring_CloudN_Examples_media/image034.png
deleted file mode 100644
index 2f2f74f03..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image034.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image036.png b/HowTos/Configuring_CloudN_Examples_media/image036.png
deleted file mode 100644
index 442dd2bdb..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image036.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image038.png b/HowTos/Configuring_CloudN_Examples_media/image038.png
deleted file mode 100644
index 52aba6c96..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image038.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image040.png b/HowTos/Configuring_CloudN_Examples_media/image040.png
deleted file mode 100644
index 40779e578..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image040.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image042.png b/HowTos/Configuring_CloudN_Examples_media/image042.png
deleted file mode 100644
index 1da0f96ae..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image042.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image044.png b/HowTos/Configuring_CloudN_Examples_media/image044.png
deleted file mode 100644
index 35ff39593..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image044.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image046.png b/HowTos/Configuring_CloudN_Examples_media/image046.png
deleted file mode 100644
index 7b55dc92b..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image046.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image048.png b/HowTos/Configuring_CloudN_Examples_media/image048.png
deleted file mode 100644
index 14425add7..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image048.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image050.png b/HowTos/Configuring_CloudN_Examples_media/image050.png
deleted file mode 100644
index 8ca270ad9..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image050.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image052.png b/HowTos/Configuring_CloudN_Examples_media/image052.png
deleted file mode 100644
index 915804917..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image052.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image054.png b/HowTos/Configuring_CloudN_Examples_media/image054.png
deleted file mode 100644
index 41ea0051a..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image054.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image056.png b/HowTos/Configuring_CloudN_Examples_media/image056.png
deleted file mode 100644
index b91146315..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image056.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image058.png b/HowTos/Configuring_CloudN_Examples_media/image058.png
deleted file mode 100644
index 9b69ac372..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image058.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image060.png b/HowTos/Configuring_CloudN_Examples_media/image060.png
deleted file mode 100644
index 4d1fa592b..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image060.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image062.png b/HowTos/Configuring_CloudN_Examples_media/image062.png
deleted file mode 100644
index 067f2da59..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image062.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image064.png b/HowTos/Configuring_CloudN_Examples_media/image064.png
deleted file mode 100644
index a5538858a..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image064.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image066.png b/HowTos/Configuring_CloudN_Examples_media/image066.png
deleted file mode 100644
index a47fa56c6..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image066.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image068.png b/HowTos/Configuring_CloudN_Examples_media/image068.png
deleted file mode 100644
index 432f1e1c3..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image068.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image070.png b/HowTos/Configuring_CloudN_Examples_media/image070.png
deleted file mode 100644
index 81c8a056b..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image070.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image072.png b/HowTos/Configuring_CloudN_Examples_media/image072.png
deleted file mode 100644
index d8fd756e7..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image072.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image074.png b/HowTos/Configuring_CloudN_Examples_media/image074.png
deleted file mode 100644
index e17da96d5..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image074.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image076.png b/HowTos/Configuring_CloudN_Examples_media/image076.png
deleted file mode 100644
index 5d002b155..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image076.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image078.png b/HowTos/Configuring_CloudN_Examples_media/image078.png
deleted file mode 100644
index 808a1659a..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image078.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image080.png b/HowTos/Configuring_CloudN_Examples_media/image080.png
deleted file mode 100644
index b1df49444..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image080.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image082.png b/HowTos/Configuring_CloudN_Examples_media/image082.png
deleted file mode 100644
index f7dd4d47c..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image082.png and /dev/null differ
diff --git a/HowTos/Configuring_CloudN_Examples_media/image084.png b/HowTos/Configuring_CloudN_Examples_media/image084.png
deleted file mode 100644
index c4f217fb2..000000000
Binary files a/HowTos/Configuring_CloudN_Examples_media/image084.png and /dev/null differ
diff --git a/HowTos/ContainerAccess.rst b/HowTos/ContainerAccess.rst
index 9e1d44b4b..47623a2bb 100644
--- a/HowTos/ContainerAccess.rst
+++ b/HowTos/ContainerAccess.rst
@@ -220,7 +220,7 @@ Troubleshooting the TTL expired and the key-value store cleans up the old entry automatically. -For support, send email to support@aviatrix.com. +For support, please open a support ticket at `Aviatrix Support Portal `_ For feature request and feedback, click Make a wish at the bottom of each page.
diff --git a/HowTos/Controller_Login_Okta_SAML_Config.rst b/HowTos/Controller_Login_Okta_SAML_Config.rst
index afc219c1f..795d0bdf6 100644
--- a/HowTos/Controller_Login_Okta_SAML_Config.rst
+++ b/HowTos/Controller_Login_Okta_SAML_Config.rst
@@ -24,7 +24,7 @@ Before configuring SAML integration between Aviatrix and Okta, make sure the fol .. _aviatrix_controller: Aviatrix Controller -#################### +################### If you haven’t already deployed the Aviatrix controller, follow `the Controller Startup Guide `_.
@@ -35,7 +35,6 @@ Okta Account A valid Okta account with admin access is required to configure the integration. - Configuration Steps -------------------
@@ -50,10 +49,9 @@ Follow these steps to configure Aviatrix to authenticate against your Okta IDP: .. _okta_saml_app: Create an Okta SAML App for Aviatrix -##################################### +#################################### .. note:: - This step is usually done by the Okta Admin. #. Login to the Okta Admin portal
@@ -67,7 +65,7 @@ Create an Okta SAML App for Aviatrix | Sign on method | SAML 2.0 | +----------------+----------------+ - |image0| + |image0| #. General Settings
@@ -85,16 +83,16 @@ Create an Okta SAML App for Aviatrix | App visibility | N/A | Leave both options unchecked | +----------------+-----------------+----------------------------------------+ - |image1| + |image1| #. SAML Settings * General - + +----------------------+----------------------------------------------------+ | Field | Value | +======================+====================================================+ - | Single sign on URL | ``https://[host]/flask/saml/sso/controller`` | + | Single sign on URL | ``https://[host]/flask/saml/sso/[Endpoint Name]`` | +----------------------+----------------------------------------------------+ | Audience URI | ``https://[host]/`` | | (SP Entity ID) | | 
@@ -106,52 +104,43 @@ Create an Okta SAML App for Aviatrix | Application username | Okta username | +----------------------+----------------------------------------------------+ - ``[host]`` is the hostname or IP of your Aviatrix controller. For example, ``https://controller.demo.aviatrix.live`` - - ``controller`` must be the SP name. Otherwise there will be an "SP is not present" error. + ``[host]`` is the hostname or IP of your Aviatrix controller. + ``[Endpoint Name]`` is an arbitrary identifier. This same value should be used when configuring SAML in the Aviatrix controller. + The example uses ``aviatrix_saml_controller`` for ``[Endpoint Name]`` + ``https://[host]/#/dashboard`` must be set as the Default RelayState so that after SAML authenticates, user will be redirected to dashboard. - - |image2| - * Attribute Statements + + +----------------+-----------------+--------------------------------------+ + | Name | Name format | Value | + +================+=================+======================================+ + | FirstName | Unspecified | user.firstName | + +----------------+-----------------+--------------------------------------+ + | LastName | Unspecified | user.lastName | + +----------------+-----------------+--------------------------------------+ + | Email | Unspecified | user.email | + +----------------+-----------------+--------------------------------------+ - +----------------+-----------------+--------------------------------------+ - | Name | Name format | Value | - +================+=================+======================================+ - | FirstName | Unspecified | user.firstName | - +----------------+-----------------+--------------------------------------+ - | LastName | Unspecified | user.lastName | - +----------------+-----------------+--------------------------------------+ - | Email | Unspecified | user.email | - +----------------+-----------------+--------------------------------------+ - - |image3| + |image2| .. 
_okta_idp_metadata: Retrieve Okta IDP metadata -##################################### +########################## .. note:: - This step is usually completed by the Okta admin. -After the application is created in Okta, go to the `Sign On` tab for the application. Then, click on the `View Setup Instructions` button. +After the application is created in Okta, go to the `Sign On` tab for the application. +Copy the URL from the *Identity Provider metadata* link. This value will be used to configure the Aviatrix SP Endpoint. - |image4| +|image4| -Look for the section titled `Provide the following IDP metadata to your SP provider`. - - |image5| - -.. important:: - - Copy the text displayed. This value will be used to configure the SAML on the Aviatrix controller. - -You need to assign the application to your account. Please follow steps 11 through 14 at `Okta documentation `__ +Assign the application to your account +|image5| .. _aviatrix_saml_endpoint: 
@@ -159,30 +148,31 @@ Create Aviatrix SAML Endpoint ############################# .. note:: - This step is usually completed by the Aviatrix admin. #. Login to the Aviatrix Controller #. Click `Settings` in the left navigation menu #. Select `Controller` #. Click on the `SAML Login` tab -#. Click `Enable` button +#. Click `ADD NEW` button |image6| - + +-------------------------+-------------------------------------------------+ | Field | Value | +=========================+=================================================+ - | IDP Metadata Type | Text | + | IDP Metadata Type | URL | +-------------------------+-------------------------------------------------+ - | IDP Metadata Text | ``Value Copied from Okta`` (Paste the value | - | | copied from Okta SAML configuration) | + | IDP Metadata URL | ``Value copied from Okta`` (Paste the value | + | | copied from Okta Sign On) | +-------------------------+-------------------------------------------------+ | Entity ID | Hostname | +-------------------------+-------------------------------------------------+ - | Access | Use either Admin or read-only | + | Access | Use either admin or read-only | | | | +-------------------------+-------------------------------------------------+ + + |image9| #. Click `OK` 
@@ -191,22 +181,20 @@ Create Aviatrix SAML Endpoint Test the Integration #################### +.. tip:: + You will need to assign the new Okta application to a test user's Okta account before clicking `Test`. + #. Click `Settings` in the left navigation menu #. Select `Controller` #. Click on the `SAML Login` tab -#. Click the `Test` button next to ``controller`` - - .. tip:: - - You will need to assign the new Okta application to a test user's Okta account before clicking `Test`. +#. Click the `Test` button next to ``SAML endpoint name`` - |image7| + |image7| #. You should be redirected to Okta. Login with your test user credentials. - .. important:: - - If everything is configured correctly, once you have authenticated another windows should open with the test user's access. +.. important:: + If everything is configured correctly, once you have authenticated another windows should open with the test user's access. .. _validate_entire_process: @@ -216,14 +204,12 @@ Validate #. Logout of the Aviatrix Controller #. Login to the Aviatrix Controller by clicking the `SAML Login` button - |image8| + |image8| #. You should be redirected to Okta. Login with your test user credentials. - .. important:: - - If everything is configured correctly, once you have authenticated you will be redirected to the dashboard's controller. - +.. important:: + If everything is configured correctly, once you have authenticated you will be redirected to the dashboard's controller. Configure Okta for Multifactor Authentication (OPTIONAL) 
@@ -235,14 +221,13 @@ Please read this `article `__ if you're interested in using DUO in particular. - OpenVPN is a registered trademark of OpenVPN Inc. .. |logoAlias1| replace:: Aviatrix logo with red background -.. _logoAlias1: https://www.aviatrix.com/news/press-kit/logo-aviatrix.png +.. _logoAlias1: https://a.aviatrix.com/news/press-kit/logo-aviatrix-reverse.zip .. |logoAlias2| replace:: Aviatrix logo with transparent background -.. _logoAlias2: https://www.aviatrix.com/images/logo-reverse.png +.. _logoAlias2: https://a.aviatrix.com/news/press-kit/logo-aviatrix.zip .. |image0| image:: Controller_Login_Okta_SAML_media/image0.png
@@ -262,5 +247,6 @@ OpenVPN is a registered trademark of OpenVPN Inc. .. |image8| image:: Controller_Login_Okta_SAML_media/image8.png +.. |image9| image:: Controller_Login_Okta_SAML_media/image9.png .. disqus::
diff --git a/HowTos/Controller_Login_Okta_SAML_media/image2.png b/HowTos/Controller_Login_Okta_SAML_media/image2.png
index 74ec2fb23..1a0f387e9 100644
Binary files a/HowTos/Controller_Login_Okta_SAML_media/image2.png and b/HowTos/Controller_Login_Okta_SAML_media/image2.png differ
diff --git a/HowTos/Controller_Login_Okta_SAML_media/image4.png b/HowTos/Controller_Login_Okta_SAML_media/image4.png
index 6affd2855..e5eb85c11 100644
Binary files a/HowTos/Controller_Login_Okta_SAML_media/image4.png and b/HowTos/Controller_Login_Okta_SAML_media/image4.png differ
diff --git a/HowTos/Controller_Login_Okta_SAML_media/image5.png b/HowTos/Controller_Login_Okta_SAML_media/image5.png
index 216925d04..2117ecb33 100644
Binary files a/HowTos/Controller_Login_Okta_SAML_media/image5.png and b/HowTos/Controller_Login_Okta_SAML_media/image5.png differ
diff --git a/HowTos/Controller_Login_Okta_SAML_media/image6.png b/HowTos/Controller_Login_Okta_SAML_media/image6.png
index 24a17e9fa..e9c0b1758 100644
Binary files a/HowTos/Controller_Login_Okta_SAML_media/image6.png and b/HowTos/Controller_Login_Okta_SAML_media/image6.png differ
diff --git a/HowTos/Controller_Login_Okta_SAML_media/image7.png b/HowTos/Controller_Login_Okta_SAML_media/image7.png
index 0f018da7b..8c7408687 100644
Binary files a/HowTos/Controller_Login_Okta_SAML_media/image7.png and b/HowTos/Controller_Login_Okta_SAML_media/image7.png differ
diff --git a/HowTos/Controller_Login_Okta_SAML_media/image8.png b/HowTos/Controller_Login_Okta_SAML_media/image8.png
index ac3e1dc34..7a3321892 100644
Binary files a/HowTos/Controller_Login_Okta_SAML_media/image8.png and b/HowTos/Controller_Login_Okta_SAML_media/image8.png differ
diff --git a/HowTos/Controller_Login_Okta_SAML_media/image9.png b/HowTos/Controller_Login_Okta_SAML_media/image9.png
new file mode 100644
index 000000000..2742835a4
Binary files /dev/null and b/HowTos/Controller_Login_Okta_SAML_media/image9.png differ
diff --git a/HowTos/Controller_Login_SAML_Config.rst b/HowTos/Controller_Login_SAML_Config.rst
index 581789dd2..bee1c14ec 100644
--- a/HowTos/Controller_Login_SAML_Config.rst
+++ b/HowTos/Controller_Login_SAML_Config.rst
@@ -1,4 +1,4 @@ -.. meta:: +.. meta:: :description: Aviatrix Controller Login SAML Configuration :keywords: SAML, controller login, Aviatrix, idp, sp
@@ -41,39 +41,39 @@ If you haven’t already deployed the Aviatrix controller, follow `the Controlle An IdP refers to an identity provider for SAML. This could be any provider that supports a SAML end point like `Okta <./SAML_Integration_Okta_IdP.html>`__, `OneLogin <./SAML_Integration_OneLogin_IdP.html>`__, `Google <./SAML_Integration_Google_IdP.html>`__, -`AWS SSO <./SAML_Integration_AWS_SSO_IdP.html>`__, and `Azure AD <./SAML_Integration_Azure_AD_IdP.html>`__. +`AWS SSO <./SAML_Integration_AWS_SSO_IdP.html>`__, `Azure AD <./SAML_Integration_Azure_AD_IdP.html>`__, and `PingOne <./SAML_Integration_PingOne_IdP.html>`__. You will require administrator access to create IdP endpoints for SAML. Check `IdP-specific SAML Integration <#idp-integration>`__ to see a list of guides for supported IdP's - - 3. Configuration Steps ---------------------- Follow these steps to configure Aviatrix to authenticate against IdP: - 1. Create `temporary Aviatrix SP Endpoint <#config-31>`__ for Aviatrix controller - 2. Create `SAML IdP App <#config-32>`__ with specific IdP - #. Retrieve `IdP Metadata <#config-33>`__ from IdP - #. Update `Aviatrix SP Endpoint <#config-34>`__ with IdP metadata - #. `Test the Integration <#config-35>`__ is set up correctly - #. `Validate <#config-36>`__ +1. Create `temporary Aviatrix SP Endpoint <#config-31>`__ for Aviatrix controller +2. Create `SAML IdP App <#config-32>`__ with specific IdP +#. Retrieve `IdP Metadata <#config-33>`__ from IdP +#. Update `Aviatrix SP Endpoint <#config-34>`__ with IdP metadata +#. `Test the Integration <#config-35>`__ is set up correctly +#. `Validate <#config-36>`__ .. _Config_31: 3.1 Create temporary Aviatrix SP Endpoint ######################################### -.. note:: +.. note:: This step is usually completed by the Aviatrix admin. - This endpoint will be updated later on in the guide. At this step, we will be using placeholder values. 
- Choose an endpoint name for your Aviatrix SAML endpoint which will be used throughout the guide. - This guide will use ``aviatrix_saml_controller`` as an example for the endpoint name. + This endpoint will be updated later on in the guide. + At this step, we will be using placeholder values. + +Choose an endpoint name for your Aviatrix SAML endpoint which will be used throughout the guide. +This guide will use ``aviatrix_saml_controller`` as an example for the endpoint name. #. Login to the Aviatrix Controller #. Click `Settings` in the left navigation menu #. Select `Controller` #. Click on the `SAML Login` tab -#. Click `Add/Update` button +#. Click `ADD NEW` button |image3-1-1| @@ -107,8 +107,8 @@ Follow these steps to configure Aviatrix to authenticate against IdP: #. Click `OK` #. Depending on your IdP provider, you may need to upload SP metadata. After temporary SAML endpoint is created: - - Right click **SP Metadata** button next to the SAML endpoint and save file to your local machine. - - Click **SP Metadata** button, and copy the SP metadata as text +- Click **DOWNLOAD SP METADATA** button next to the SAML endpoint and save file to your local machine +- Click **SP METADATA** button, and copy the SP metadata as text .. _Config_32: @@ -116,7 +116,6 @@ Follow these steps to configure Aviatrix to authenticate against IdP: ############################################### .. note:: - This step is usually done by the IdP administrator. This section shows only a generalized process for creating a SAML application. Refer to the `IdP-specific SAML App Integration <#idp-integration>`_ section for links to detailed steps with each particular IdP. 
@@ -130,8 +129,8 @@ Create a SAML 2.0 app with the IdP Provider with the following values. #. Default RelayState* = .. important:: - - You can find these values in the controller under the `Settings` navigation item. Then, select `Controller` and go to the `SAML Login` tab. + You can find these values in the controller under the `Settings` navigation item. + Then, select `Controller` and go to the `SAML Login` tab. Click on the button for the respective value, and copy the URL on the new page. RelayState is currently not used by the Aviatrix SP @@ -144,17 +143,14 @@ The following SAML attributes are expected: #. Email (unique identifier for SAML) .. note:: - These values are case sensitive - .. _Idp_Integration: **IdP-specific SAML App Integration** .. note:: - - You will require administrator access to create IdP endpoints for SAML. + You will require administrator access to create IdP endpoints for SAML. These are guides with specific IdP's that were tested to work with Aviatrix SAML integration: @@ -164,10 +160,10 @@ These are guides with specific IdP's that were tested to work with Aviatrix SAML #. `Google <./SAML_Integration_Google_IdP.html>`__ #. `Okta <./SAML_Integration_Okta_IdP.html>`__ #. `OneLogin <./SAML_Integration_OneLogin_IdP.html>`__ +#. `PingOne <./SAML_Integration_PingOne_IdP.html>`__ Other tested IdP's include: -Ping Identity, VmWare VIDM, ForgeRock's OpenAM etc. - +VmWare VIDM, ForgeRock's OpenAM etc. .. _Config_33: @@ -182,6 +178,7 @@ After creating the IdP, you need to retrieve IdP Metadata either in URL or text #. Google - provides IdP metadata text #. Okta - provides IdP metadata URL #. OneLogin - provides IdP metadata URL +#. PingOne - provides IdP metadata URL .. _Config_34: 
@@ -189,43 +186,41 @@ After creating the IdP, you need to retrieve IdP Metadata either in URL or text ############################### .. note:: - - This step is usually completed by the Aviatrix admin. + his step is usually completed by the Aviatrix admin. Take note of the IdP Metadata type along with Text/URL your IdP provides, and if you need a custom SAML request template in the previous section. #. Login to the Aviatrix Controller #. Click `Settings` in the left navigation menu #. Select `Controller` #. Click on the `SAML Login` tab -#. Click `Add/Update` button - - +-------------------------+-------------------------------------------------+ - | Field | Value | - +=========================+=================================================+ - | Endpoint Name | Unique name that you chose in step 3.1 | - +-------------------------+-------------------------------------------------+ - | IPD Metadata Type | Text or URL (depending on what was | - | | provided by the SAML provider) | - +-------------------------+-------------------------------------------------+ - | IdP Metadata Text/URL | IdP metadata URL/Text copied from the SAML | - | | provider configuration | - +-------------------------+-------------------------------------------------+ - | Entity ID | Select `Hostname` or `Custom` | - +-------------------------+-------------------------------------------------+ - | Custom Entity ID | Only visible if `Entity ID` is `Custom` | - +-------------------------+-------------------------------------------------+ - | Access | Select admin or read-only access | - +-------------------------+-------------------------------------------------+ - | Custom SAML Request | Depending on your specific | - | Template | IdP, you may have to check this option. | - | | Refer to `IdP-specific Integration <#idp-integration>`__ | - +-------------------------+-------------------------------------------------+ +#. 
Click `Edit` button + + +-------------------------+----------------------------------------------------------+ + | Field | Value | + +=========================+==========================================================+ + | Endpoint Name | Unique name that you chose in step 3.1 | + +-------------------------+----------------------------------------------------------+ + | IPD Metadata Type | Text or URL (depending on what was | + | | provided by the SAML provider) | + +-------------------------+----------------------------------------------------------+ + | IdP Metadata Text/URL | IdP metadata URL/Text copied from the SAML | + | | provider configuration | + +-------------------------+----------------------------------------------------------+ + | Entity ID | Select `Hostname` or `Custom` | + +-------------------------+----------------------------------------------------------+ + | Custom Entity ID | Only visible if `Entity ID` is `Custom` | + +-------------------------+----------------------------------------------------------+ + | Access | Select admin or read-only access | + +-------------------------+----------------------------------------------------------+ + | Custom SAML Request | Depending on your specific | + | Template | IdP, you may have to check this option. | + | | Refer to `IdP-specific Integration <#idp-integration>`__ | + +-------------------------+----------------------------------------------------------+ .. note:: - `Hostname` is the default for Entity ID, but if you have other apps using the same hostname, use a custom Entity ID. + `Hostname` is the default for Entity ID, but if you have other apps using the same hostname, use a custom Entity ID. - -#. Click `OK` +6. Click `OK` .. _Config_35: 
@@ -241,9 +236,8 @@ After creating the IdP, you need to retrieve IdP Metadata either in URL or text #. You should be redirected to IdP. Login with your test user credentials. - .. important:: - - If everything is configured correctly, once you have authenticated, another windows should open with the test user's access. +.. important:: + If everything is configured correctly, once you have authenticated, another windows should open with the test user's access. .. _Config_36: @@ -258,11 +252,8 @@ After creating the IdP, you need to retrieve IdP Metadata either in URL or text #. You should be redirected to IdP. Login with your test user credentials. - .. important:: - - If everything is configured correctly, once you have authenticated you will be redirected to the dashboard's controller. - - +.. important:: + If everything is configured correctly, once you have authenticated you will be redirected to the dashboard's controller. .. |logoAlias1| replace:: Aviatrix logo with red background .. _logoAlias1: https://www.aviatrix.com/news/press-kit/logo-aviatrix.png @@ -281,5 +272,4 @@ After creating the IdP, you need to retrieve IdP Metadata either in URL or text .. |image3-6| image:: Controller_Login_SAML_media/image3-6.png - .. disqus:: diff --git a/HowTos/Controller_Login_SAML_media/image3-1-1.png b/HowTos/Controller_Login_SAML_media/image3-1-1.png index c5e18061d..9853623f8 100644 Binary files a/HowTos/Controller_Login_SAML_media/image3-1-1.png and b/HowTos/Controller_Login_SAML_media/image3-1-1.png differ diff --git a/HowTos/Controller_Login_SAML_media/image3-1-2.png b/HowTos/Controller_Login_SAML_media/image3-1-2.png index ff713f744..8fd057f88 100644 Binary files a/HowTos/Controller_Login_SAML_media/image3-1-2.png and b/HowTos/Controller_Login_SAML_media/image3-1-2.png differ 
diff --git a/HowTos/Controller_Login_SAML_media/image3-2.png b/HowTos/Controller_Login_SAML_media/image3-2.png index 8782e383e..a4f0d31b1 100644 Binary files a/HowTos/Controller_Login_SAML_media/image3-2.png and b/HowTos/Controller_Login_SAML_media/image3-2.png differ diff --git a/HowTos/Controller_Login_SAML_media/image3-5.png b/HowTos/Controller_Login_SAML_media/image3-5.png index 0f018da7b..8c7408687 100644 Binary files a/HowTos/Controller_Login_SAML_media/image3-5.png and b/HowTos/Controller_Login_SAML_media/image3-5.png differ diff --git a/HowTos/Controller_Login_SAML_media/image3-6.png b/HowTos/Controller_Login_SAML_media/image3-6.png index 357ab8aaf..7a3321892 100644 Binary files a/HowTos/Controller_Login_SAML_media/image3-6.png and b/HowTos/Controller_Login_SAML_media/image3-6.png differ diff --git a/HowTos/CreateGCloudAccount.rst b/HowTos/CreateGCloudAccount.rst index 60f0a4209..29054c4a4 100644 --- a/HowTos/CreateGCloudAccount.rst +++ b/HowTos/CreateGCloudAccount.rst 
@@ -56,28 +56,11 @@ Enable Compute Engine API on the selected project, 4. click Enable. -Step 4: Enable GCloud Messaging Service -------------------------------------------- -The Aviatrix controller uses GCloud Pub/Sub messaging services to communicate -with the gateways. - -To enable Pub/Sub on the selected project, - -1. Go to your Google Cloud Platform console, at the upper left corner - left to Google Cloud Platform signage, click the 3 bars. A drop down - menu will appear. - -2. Select APIs and Services, at Dashboard, click on Enable APIs and Services - -3. On the Search box, input Cloud Pub/Sub API and select it from search result - -4. Click Enable. - -Step 5: Create Credential File +Step 4: Create Credential File ---------------------------------- -When you create a cloud account for GCloud, you are asked to upload a +When you create a cloud account Aviatrix Controller for GCloud, you will be asked to upload a GCloud Project Credentials file. Below are the steps to download the credential file from the Google Developer Console. 
@@ -86,20 +69,130 @@ credential file from the Google Developer Console. 2. Select the project you are creating credentials for. -3. At Credentials, Click Create credentials, select Service account key, +3. At Credentials, Click Create credentials, select Service account, as shown below - |image1| + |service_account| + +4. At the Service Accounts, enter a Service account name and click Create. For Service account permissions, select Project, Editor, as shown below. + + |iam_credential| -4. At the Service account dropdown menu, select Compute Engine default - service account, select JSON. +5. Select a service account. Click the 3 skewer bar and select Create Key. Select JSON, click Create. -5. Click Create. The credential file will be downloaded to your local +6. Click Create. The credential file will be downloaded to your local computer. -6. Upload the Project Credential file to the Aviatrix controller at the GCloud +7. Upload the Project Credential file to the Aviatrix controller at the GCloud account create page. +Note: Creating Service Account with Restricted Access +----------------------------------------------------- +It is recommended to create the service account with the Editor role as mentioned in Step 5.4 but in some cases an organization might want +to further restrict permission for the service account. In such a situation Aviatrix recommendation is to have at least following roles assigned +to service account so that Aviatrix can perform its functions properly. For instance managing the compute resources, route tables, firewall rules, shared service vpc network etc. + +1. Compute Admin +2. Service Account User +3. Organization Administrator (required for GCP Shared VPC) +4. Project IAM Admin (required for GCP Shared VPC) + + |restricted_access| + +If an organization is currently using GCP Shared VPC or planning to use in future then it is a requirement to enable Organization Administrator +and Project IAM Admin as well. 
+ +In addition to restricting the GCP roles, you can restrict the rights for those roles. You can grant roles permission to perform the following tasks: + +:: + + compute.addresses.create + compute.addresses.createInternal + compute.addresses.delete + compute.addresses.deleteInternal + compute.addresses.get + compute.addresses.list + compute.addresses.use + compute.addresses.useInternal + compute.disks.create + compute.disks.get + compute.firewalls.create + compute.firewalls.delete + compute.firewalls.get + compute.firewalls.list + compute.firewalls.update + compute.forwardingRules.create + compute.forwardingRules.delete + compute.forwardingRules.list + compute.globalOperations.get + compute.healthChecks.create + compute.healthChecks.delete + compute.healthChecks.useReadOnly + compute.httpHealthChecks.get + compute.httpHealthChecks.useReadOnly + compute.images.list + compute.images.useReadOnly + compute.instanceGroups.create + compute.instanceGroups.delete + compute.instanceGroups.get + compute.instanceGroups.update + compute.instanceGroups.use + compute.instances.create + compute.instances.delete + compute.instances.get + compute.instances.list + compute.instances.setMachineType + compute.instances.setMetadata + compute.instances.setTags + compute.instances.start + compute.instances.stop + compute.instances.updateNetworkInterface + compute.instances.use + compute.networks.addPeering + compute.networks.create + compute.networks.delete + compute.networks.get + compute.networks.list + compute.networks.removePeering + compute.networks.updatePolicy + compute.projects.get + compute.projects.setCommonInstanceMetadata + compute.regionBackendServices.create + compute.regionBackendServices.delete + compute.regionBackendServices.get + compute.regionBackendServices.update + compute.regionBackendServices.use + compute.regionOperations.get + compute.routes.create + compute.routes.delete + compute.routes.list + compute.subnetworks.create + compute.subnetworks.delete + 
compute.subnetworks.get + compute.subnetworks.list + compute.subnetworks.use + compute.subnetworks.useExternalIp + compute.targetPools.addInstance + compute.targetPools.create + compute.targetPools.delete + compute.targetPools.get + compute.targetPools.removeInstance + compute.targetPools.use + compute.zoneOperations.get + compute.zones.list + iam.serviceAccounts.actAs + logging.logEntries.create + pubsub.subscriptions.consume + pubsub.subscriptions.create + pubsub.subscriptions.delete + pubsub.subscriptions.get + pubsub.topics.attachSubscription + pubsub.topics.create + pubsub.topics.delete + pubsub.topics.get + pubsub.topics.publish + resourcemanager.projects.get + Troubleshooting Tips ---------------------- @@ -107,7 +200,7 @@ If cloud account creation fails, check the error message at the Aviatrix controller console and try again with the steps provided in this document. -For additional support, send an email to support@aviatrix.com +For additional support, please open a support ticket at `Aviatrix Support Portal `_ .. |image0| image:: GCloud_media/image1.png @@ -117,4 +210,13 @@ For additional support, send an email to support@aviatrix.com .. |image3| image:: GCloud_media/gcloud-enable-apis-and-services.png +.. |service_account| image:: GCloud_media/service_account.png + :scale: 30% + +.. |iam_credential| image:: GCloud_media/iam_credential.png + :scale: 30% + +.. |restricted_access| image:: GCloud_media/restricted_access.png + :scale: 30% + .. disqus:: diff --git a/HowTos/EnvironmentStamping.rst b/HowTos/EnvironmentStamping.rst index 5c7f475b2..8475dd5aa 100644 --- a/HowTos/EnvironmentStamping.rst +++ b/HowTos/EnvironmentStamping.rst 
@@ -145,7 +145,7 @@ The configuration workflow is as follows. It highlights the major steps. include the domain name. For example, an instance with nickname webfrontend should be accessed as webfrontend.mydevops.com -#. For support, send email to support@aviatrix.com. +#. For support, please open a support ticket at `Aviatrix Support Portal `_ #. For feature request, click Make a wish at the bottom of each page. diff --git a/HowTos/FAQ.rst b/HowTos/FAQ.rst index aaf67d3da..67e7e7f44 100644 --- a/HowTos/FAQ.rst +++ b/HowTos/FAQ.rst @@ -98,16 +98,27 @@ communicate back to the Controller. You can use the Controller Security Management feature to automatically manage the Controller instance's inbound rules from gateways. - Go to Settings -> Controller -> Security Group Management, select the `primary account `_, and click Enable. +.. note:: + + After this feature is enabled, you can now edit the security rules that are outside gateways public IP addresses to limit the source address range. + +AWS: +^^^^ + +AWS Network ACLs are not stateful, so they are not recommended for controlling access to/from Aviatrix Controllers and Gateways. + When this feature is enabled, the Controller will immediately create 4 security groups. Since each security group can support 50 security rules, the Controller can support up to 200 gateways. -:: +AZURE: +^^^^^^ - After this feature is enabled, you can now edit the security rules that are outside gateways public IP addresses to limit the source address range. +When this feature is enabled, the Controller utilizes the associated network security group which can support up to 1,000 security rules. + +.. note:: -(If you deploy Aviatrix SAML clients for user VPN access, you can follow `this document `_ to add security to the Controller.) + If you deploy Aviatrix SAML clients for user VPN access, you can follow `this document `_ to add security to the Controller. 2. Use signed certificate ########################## 
@@ -166,6 +177,10 @@ You can enable `SAML authentication for Controller login. `_ +11. Enable Login Banner +####################### + +This function is explained in detail `here `_ What are the events that the Aviatrix Controller monitors? -------------------------------------------------------------- @@ -179,7 +194,7 @@ What are the events that the Aviatrix Controller monitors? #. **Guard Duty integration** Alert and block malicious IP addresses. #. **Black hole route** Alert when VPC route table has inactive routes. #. **Public subnet** Alert when there are unwanted instances launched on specific public subnets. - #. **CPU/Memory/Disk** Alert when gateway memory or disk space reaches 95% of its capacity. + #. **CPU/Memory/Disk** Alert when gateway memory usage crosses 80% or disk space reaches 90% of its capacity. @@ -251,8 +266,7 @@ The first time when you login, complete the Onboarding process. It takes a few steps. If you have a BYOL license or use a community image, you need to have a -customer ID provided by Aviatrix to be able to use the product. Contact -support@aviatrix.com if you do not have a customer ID. +customer ID provided by Aviatrix to be able to use the product. Please open a support ticket at `Aviatrix Support Portal `_ if you do not have a customer ID. What is an Aviatrix Access Account? ------------------------------------- @@ -286,12 +300,8 @@ What is the support model? ----------------------------- -For support, send email to -`support@aviatrix.com `__. We also offer premium customers with 24x7 support. -To request a -feature, click Make a wish button at the bottom of each page. - - +For support, please open a support ticket at `Aviatrix Support Portal `_ or reach out to your respective Account Executive. +We also offer `Platinum `__ customers with 24x7 support. Logging and Monitoring ====================== 
@@ -352,7 +362,7 @@ Yes. Accounts -> Account Users -> Add A NEW USER, at Account Name field, select Is Aviatrix FIPS 140-2 compliant? ---------------------------------- -Yes. Aviatrix has achieved FIPS 140-2 compliant status with certificate number `#3475 `_ as listed at NIST site. +Yes. Aviatrix has achieved FIPS 140-2 compliant status with certificate number `#3273 `_ as listed at NIST site. What are the FIPS 140-2 compliant algorithms? ------------------------------------------------ @@ -370,7 +380,7 @@ Phase 2 DH Groups 2, 1, 5, 14, 15, 16, 17, 18 Phase 2 Encryption AES-256-CBC, AES-192-CBC, AES-128-CBC, AES-128-GCM-64, AES-128-GCM-96, AES-128-GCM-128, 3DES ======================= ========== -SSL VPN encryption algorithm is AES-256-CBC. +SSL VPN encryption algorithm set on the server is AES-256-CBC. For OpenVPN clients running a version 2.3 or lower the negotiated algorithm would be AES-256-CBC. For OpenVPN clients running 2.4 or higher, the negotiated algorithm would be AES-256-GCM due to NCP(Negotiable Crypto Parameters) SSL VPN authentication algorithm is SHA512. 
@@ -444,12 +454,12 @@ represents one or more use cases. You are charged for the specific use case you The details are explained in the table below. ============================================================= =============== ============================== -**Unit Type** **Cost/Unite** **Use Case** +**Unit Type** **Cost/Unit** **Use Case** ============================================================= =============== ============================== -Number of VPC-to-VPC IPSec Tunnel Connections within AWS $0.16 TGW VPC attachment, Aviatrix Spoke VPC attachment, encrypted peering, Transit Peering -Number of User or Client SSL VPN Connections $0.03 User VPN -Number of Gateways running Security Services $0.16 Aviatrix gateways with FQDN service -Number of VPC to Site or Multi cloud IPSec Tunnel Connections $0.48 Site2Cloud use case +Number of VPC-to-VPC IPSec Tunnel Connections within AWS $0.19 TGW VPC attachment, Aviatrix Spoke VPC attachment, encrypted peering, Transit Peering +Number of User or Client SSL VPN Connections $0.04 User VPN +Number of Gateways running Security Services $0.19 Aviatrix gateway with FQDN service +Number of VPC to Site or Multi cloud IPSec Tunnel Connections $0.58 Site2Cloud use case ============================================================= =============== ============================== How is security updates handled and delivered by Aviatrix? 
@@ -460,34 +470,6 @@ These are the steps: 1. **Field Notice** All Aviatrix customers are notified when a security update is available. #. **Security Patch** Aviatrix Controller provides a inline software patch to fix vulnerability with the instructions from the Field Notice. The updates do not require reboot of the Controller or gateways most of the time. -Is Aviatrix tunnel price expensive? ------------------------------------------ - -Aviatrix pricing is not expensive. Majority of Aviatrix unit price, such as FQDN, TGW attachment and Spoke gateway attachment is priced at -$0.16/unit. The table below compares annual cost of an Aviatrix tunnel to an EC2. - -As you can see, a tunnel or attachment cost is less than a single c5.xlarge or m5.xlarge cost. In a VPC, you may have tens or hundreds of instances that each costs more in a year than an Aviatrix tunnel. - -For example, if you have 100 instances in a VPC, the additional network cost introduced by Aviatrix is -about 1% of your compute cost. Even when -you scale to more VPCs, this cost ratio does not change. Designing a network that optimizes on network cost is -not a good idea. On the other hand, Aviatrix solution provides you many benefits in operations. - -========================= =============== ==================== -**Type** **Unit Price** **Annual Price** -========================= =============== ==================== -Aviatrix TGW attachment $0.16/hour $1401/year -Aviatrix FQDN gateway $0.16/hour $1401/year -t3.xlarge $0.164/hour $1436/year -t3.2xlarge $0.3328/hour $2915/year -m5.xlarge $0.192/hour $1681/year -m5.2xlarge $0.384/hour $3363/year -m5.4xlarge $0.768/hour $6727/year -c5.xlarge $0.17/hour $1489/year -c5.2xlarge $0.34/hour $2978/year -c5.4xlarge $0.68/hour $5956/year -========================= =============== ==================== - How to recover when a Controller software upgrade fails? ------------------------------------------------------------ 
@@ -503,25 +485,17 @@ Here is the best practice procedure to follow: What IP addresses does Controller need to reach out to? --------------------------------------------------------- -============================================ ============ =================== -Outbound IP Address Port Purpose -============================================ ============ =================== -www.carmelonetworks.com (54.149.28.255) TCP 443 Software upgrade -license.aviatrix.com (52.24.131.245) TCP 443 License update -diag.aviatrix.com (54.200.59.112) TCP 443 Remote debugging -customer-bucket.s3-us-west-2.amazonaws.com TCP 443 Diagnostics tracelog -AWS SQS TCP 443 Controller to gateway message queue. sqs.region.amazonaws.com, where region is represented by us-west-2, us-east-2, etc, the region where the Aviatrix gateway is launched. -AWS API TCP 443 AWS API access. ec2.amazonaws.com -Aviatrix gateways TCP 22 gateway diagnostics (on demand) -Aviatrix gateways TCP 443 Software upgrade to gateways -============================================ ============ =================== +Please see `Required Access for External Sites `_. -Since the Controller is deployed on a public subnet, to restrict the Controller outbound access, -you should use `Aviatrix Public Subnet Filter `_ -to configure Egress Control on the Controller by allowing whitelist to only the listed domain names. +.. note:: + You must be registered to access the Aviatrix Customer Support website. If you are not already registered, you can sign-up at https://support.aviatrix.com. +What IP addresses does an Aviatrix gateway need to reach out to? +---------------------------------------------------------------------- +Please see `Required Access for External Sites `_. -OpenVPN is a registered trademark of OpenVPN Inc. +.. note:: + You must be registered to access the Aviatrix Customer Support website. If you are not already registered, you can sign-up at https://support.aviatrix. 
Centralized Logging Within AWS Government Cloud --------------------------------------------------------- @@ -531,6 +505,13 @@ Aviatrix Controller hosted in AWS Public Cloud and receive logs from gateways in Cloud. In order for the Aviatrix Controller to be able to accept logs from gateways inside of the Government Cloud the Aviatrix controller must be hosted within AWS Government Cloud as well. +How does Aviatrix gateway support high availability in Azure? +--------------------------------------------------------------- + +Aviatrix support Azure Availability Zet for HA gateway that provides 99.95% of up time. + +Azure has started to introduce Availability Zone in some regions. Aviatrix will start to support this option in the future. + .. |image1| image:: FAQ_media/image1.png .. |deployment| image:: FAQ_media/deployment.png diff --git a/HowTos/FQDN_Whitelists_Ref_Design.rst b/HowTos/FQDN_Whitelists_Ref_Design.rst index 0d32ab3dd..3da5bec3e 100644 --- a/HowTos/FQDN_Whitelists_Ref_Design.rst +++ b/HowTos/FQDN_Whitelists_Ref_Design.rst @@ -88,7 +88,7 @@ However, if multiple tags are attached to the same gateway, then the mode (White Exception Rule =============== -Exception Rule is a system-wide mode. +Exception Rule is a system-wide mode. **Exception Rule only applies to whitelist**. By default, the Exception Rule is enabled. (The Exception rule box should be checked.) @@ -103,6 +103,8 @@ are dropped unless the specific destination IP address of the packet is listed in the Whitelist. The use case could be that certain old applications use hard coded destination IP address to access external services. +If blacklist is configured, client hello packets without SNI is allowed to pass as it should not match any rules. + Export ============== 
@@ -132,7 +134,12 @@ Edit Source Edit Source is available in Release 4.0 and later. Edit Source allows you to control which source IP in the VPC is qualified for a specific tag. The source IP -can be a subnet CIDR or host IP addresses. This provides fine-grained configuration. +can be a subnet CIDR or host IP addresses. This provides fine-grained configuration. + +.. important:: + If Edit Source is not configured, i.e., no source IP address ranges are selected, all packets arriving at the FQDN gateway + are applied to the filter tag. However if there are one or more source IP address ranges selected, any packets with + source IP addresses outside those ranges are dropped. In this regard, the distinguished Source is exclusive. For example, one use case is if you have two private subnets in a VPC: one deploys dev instances and another deploys prod instances. With the Edit Source feature, the dev instances can have different tags than 
@@ -141,28 +148,68 @@ the prod instances. Edit Source assumes you already attached a gateway to a tag. To go to the Edit Source page, click "Edit Source" at Egress FQDN Filter on a specific tag and follow -the example in the illustration below: +the example in the illustration below, the network appeared on the right hand of the panel go through the FQDN tag filtering while +the network on the left side of the panel are dropped. |source-edit| Enable Private Network Filtering ================================= -By checking this option, FQDN names that translate to private IP address range (RFC 1918) are subject to FQDN whitelist filtering function. The use case is if your destination hostname is indeed a private service and you wish to apply FQDN filtering, you can enable this option. +This is a global configuration that applies to all FQDN gateways. + +By checking this option, destination FQDN names that translate to private IP address range (RFC 1918) are subject to FQDN whitelist filtering function. The use case is if your destination hostname is indeed a private service and you wish to apply FQDN filtering, you can enable this option. + +To configure, go to Security -> Egress Control -> GLOBAL CONFIGS -> Enable Private Network Filtering. FQDN names that are resolved +to RFC 1918 range will be subject to FQDN filter function. Disable Private Network Filtering =================================== -By checking this option, packets with destination IP address of RFC 1918 range are also inspected. +This is a global configuration that applies to all FQDN gateways. + +By checking this option, packets with destination IP address of RFC 1918 range are not inspected. This is the default behavior. + +To configure, go to Security -> Egress Control -> GLOBAL CONFIGS -> Disable Private Network Filtering. FQDN names that are resolved +to RFC 1918 range will be subject to FQDN filter function. 
Customize Network Filtering ============================== +This is a global configuration that applies to all FQDN gateways. + When this option is selected, you can customize packet destination address ranges not to be filtered by FQDN. +To configure, go to Security -> Egress Control -> GLOBAL CONFIGS -> Customize Network Filtering. Select pre-defined RFC 1918 +range, or enter your own network range. + +This feature is not enabled as default. + +FQDN Name Caching +===================== + +This is a global configuration that applies to all FQDN gateways. + +If FQDN Name caching is enabled, the resolved IP address from FQDN filter is cached so that if subsequent TCP session matches the +cached IP address list, FQND domain name is not checked and the session is allowed to pass. + +We recommend you to disable Caching to prevent unwanted domain names to bypass filter as they resolve to the same IP address. For example, youtube.com shares the same destination IP address range as google.com. There is minimal performance impact by disabling the cache. + +To configure, go to Security -> Egress Control -> GLOBAL CONFIGS -> Caching -> click Enabled to disable it. + +This feature is enabled as default. + +Exact Match +============== + +This is a global configuration that applies to all FQDN gateways. + +If a FQDN rule does not have * an exact match is expected. If this global option is not enabled, FQDN rules use regex to match any FQDN names that are subset of the name. For example, if salesforce.com is a rule and Exact Match option is enabled, finance.salesforce.com is not a match and will be dropped. + +This feature is not enabled as default. -For support, send an email to support@aviatrix.com +For support, please open a support ticket at `Aviatrix Support Portal `_ Enjoy! 
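Review bot: Under `Disable Private Network Filtering` the new text contradicts itself: it first says RFC 1918 destinations `are not inspected. This is the default behavior.`, then its configure paragraph ends with `FQDN names that are resolved to RFC 1918 range will be subject to FQDN filter function.`, a sentence carried over from the Enable section that should instead read `Packets whose destination falls in the RFC 1918 range bypass the FQDN filter.` The `Exact Match` section says non-exact rules `use regex to match any FQDN names that are subset of the name`, which leaves open whether `salesforce.com` also matches `salesforce.com.evil.example` or `notsalesforce.com`; if it is a label-suffix match say `matches the domain and any of its subdomains`, and if it is an unanchored pattern match, warn that a whitelist entry can be satisfied by an attacker-registered name containing that string. Given that and the caching bypass the same hunk describes, recommend enabling Exact Match (or writing explicit `*.domain` wildcards) for whitelist deployments, and note that Caching and Exact Match are global toggles that change behaviour on every FQDN gateway at once. Minor: `FQND domain name` → `FQDN domain name`, `We recommend you to disable Caching` → `We recommend disabling Caching`.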
diff --git a/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-add-domain-names.png b/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-add-domain-names.png index 24e60772e..053a6197e 100644 Binary files a/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-add-domain-names.png and b/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-add-domain-names.png differ diff --git a/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-enable-edit.png b/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-enable-edit.png index 8c4683342..3c1be9938 100644 Binary files a/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-enable-edit.png and b/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-enable-edit.png differ diff --git a/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-new-tag.png b/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-new-tag.png index b4cae3b44..af8a82269 100644 Binary files a/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-new-tag.png and b/HowTos/FQDN_Whitelists_Ref_Design_media/fqdn-new-tag.png differ diff --git a/HowTos/FQDN_Whitelists_Ref_Design_media/source-edit.png b/HowTos/FQDN_Whitelists_Ref_Design_media/source-edit.png index 2ae111ba6..866c2b662 100644 Binary files a/HowTos/FQDN_Whitelists_Ref_Design_media/source-edit.png and b/HowTos/FQDN_Whitelists_Ref_Design_media/source-edit.png differ diff --git a/HowTos/GCloud_media/iam_credential.png b/HowTos/GCloud_media/iam_credential.png new file mode 100644 index 000000000..72aac0590 Binary files /dev/null and b/HowTos/GCloud_media/iam_credential.png differ diff --git a/HowTos/GCloud_media/restricted_access.png b/HowTos/GCloud_media/restricted_access.png new file mode 100644 index 000000000..61b621f65 Binary files /dev/null and b/HowTos/GCloud_media/restricted_access.png differ diff --git a/HowTos/GCloud_media/service_account.png b/HowTos/GCloud_media/service_account.png new file mode 100644 index 000000000..e3c6e0a46 Binary files /dev/null and b/HowTos/GCloud_media/service_account.png differ 
diff --git a/HowTos/GeoVPN.rst b/HowTos/GeoVPN.rst index ab4409629..37f5237ac 100755 --- a/HowTos/GeoVPN.rst +++ b/HowTos/GeoVPN.rst @@ -129,9 +129,38 @@ Once you have Geo VPN enabled, you can add users. Follow these steps to add use #. Click **OK** |imageAddVPNUser| + +Manage Geo VPN configuration +++++++++++++++++++++++++++++ +Once you have Geo VPN feature enabled, you can centrally manage all the VPN gateways' configuration under the Geo VPN service. Follow these steps to configure them: +#. Click the **OpenVPN** navigation menu item +#. Click **Edit Config** +#. In the `VPC ID/VNet Name` drop down, select the Geo VPN service name created in the previous steps +#. Update the VPN configuration regarding to your requirement + +Advanced Settings - manage VPN configuration for individual DHCP setup +====================================================================== + +GeoVPN can use DHCP Setting for DNS name resolution from the cloud private network where the VPN gateway is deployed. This reduces latency as DNS service is likely to be closer to the source of the VPN user location. Follow these steps to configure DHCP configuration for individual VPN gateway: + +#. Click the **OpenVPN** navigation menu item +#. Click **Edit Config** +#. In the `VPC ID/VNet Name` drop down, select the specific VPC ID/VNet Name and LB/Gateway Name instead of Geo VPN service name +#. Update the supported VPN configuration as below regarding to your requirement in each VPN gateway + + - Additional CIDRs + + - Nameservers + + - Search Domains + + .. note:: + + The attributes “Additional CIDRs, Nameservers, and Search Domains” are able to be edited for individual LB//Gateway Name only if the split tunnel mode is selected under the Geo VPN service. +#. Check this `document `_ for more info. OpenVPN is a registered trademark of OpenVPN Inc. diff --git a/HowTos/HowTo_IAM_role.rst b/HowTos/HowTo_IAM_role.rst index 96c962af5..55dd15b28 100644 --- a/HowTos/HowTo_IAM_role.rst 
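Review bot: The first enumerated list under `Manage Geo VPN configuration` follows `Follow these steps to configure them:` with no blank line, so Sphinx will fold `#. Click the **OpenVPN** navigation menu item` into the preceding paragraph instead of rendering a list; insert a blank line there, and also before the final `#. Check this document …` step, which currently ends the `.. note::` block without the blank line reST requires and will trigger an "explicit markup ends without a blank line" warning. Wording: `regarding to your requirement` → `according to your requirements` (both occurrences) and `LB//Gateway Name` → `LB/Gateway Name` in the note.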
+++ b/HowTos/HowTo_IAM_role.rst @@ -149,6 +149,22 @@ this secondary account. e. Click Update Trust Policy +Notes for custom IAM role name feature: +======================================= + +If the primary access account is using a custom EC2 IAM role name for the controller, then any secondary IAM based access accounts must use an identical name for the EC2 IAM role. + +The primary and secondary access accounts must use identical names under the following conditions: + +- You are using custom IAM roles for the primary access account. + +- You are NOT using custom gateway IAM roles on the secondary account. + +Example: + +The controller is using 'custom-role-app' and 'custom-role-ec2' on a secondary access account. Custom role 'custom-role-ec2' also exists on the primary account because that is where the controller is hosted. + +When you launch a gateway under the secondary access account the controller takes the primary access account ec2 role name, in this case 'custom-role-ec2' and passes it to the API call to create the instance. The API call refers to a role on the secondary CSP account, not the role of the primary account. .. |image0| image:: IAM_media/image1.png :width: 6.50000in diff --git a/HowTos/HowTo_Setup_IPMotion.rst b/HowTos/HowTo_Setup_IPMotion.rst deleted file mode 100644 index 3b62262a7..000000000 --- a/HowTos/HowTo_Setup_IPMotion.rst +++ /dev/null 
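Review bot: Nothing in the new note says what the same-named role in the secondary account must contain, even though the example shows the controller selecting it by name alone (`passes it to the API call … refers to a role on the secondary CSP account`): a secondary-account role that happens to share the name but carries a broader policy, or lacks the EC2 trust relationship, would be attached to the gateway without any warning. Add a caveat after the example, e.g. `The role of that name in the secondary account must carry the Aviatrix gateway policy and nothing broader, and its trust policy must allow ec2.amazonaws.com to assume it; the controller does not validate the secondary role's permissions.` — confirm the last clause with engineering before publishing. The opening sentence (`any secondary IAM based access accounts must use an identical name`) reads as unconditional, while the bullet list below restricts it to secondaries that are NOT using custom gateway roles; rewrite the opener as `…then any secondary IAM-based access account that does not define its own custom gateway IAM roles must use the identical EC2 IAM role name.`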
@@ -1,330 +0,0 @@ -.. meta:: - :description: IPMotion - :keywords: IPMotion, AWS Server Migration Service, AWS Migration Hub - - -=================================================================== -Migrating VMs with Aviatrix IPMotion and AWS Migration Hub Service -=================================================================== - - - -1. Solution Overview -====================== - -This document describes how to migrate an on-prem VM to AWS while preserving its IP address. The migration tools we use are -AWS Migration Hub service (AWS Server Migration Service) and Aviatrix IPmotion, where Aviatrix IPmotion feature enables IP address preservation after a VM is migrated to AWS via AWS Server Migration Service. - -By preserving the IP address of an on-prem VM after migrating -to AWS, dependencies of this VM to other on-prems are automatically preserved, thus there is no need to discover the dependencies for migration purpose. There is no need to update on-prem security rules, AD, DNS and Load Balancers. - - - -2. Configuration Workflow -========================== - -The instructions in this section will use the following network diagram. -The CIDR and subnets may vary depending on your network setup; however, the -general principle will be the same. - -|image0| - - -2.1 Prerequisites -------------------------------- - -Before setting up Aviatrix IPMotion for migration, make sure -the following prerequisites are completed. - -1. Plan the Cloud Address and create an AWS VPC - -2. Setup AWS Server Migration Service (SMS) to create migrated AMIs - -3. Deploy an Aviatrix Virtual Appliance CloudN in On-Premise - - -These prerequisites are explained in detail below. - -2.1.1 Plan the Cloud Address and create an AWS VPC ---------------------------------------------------- - - -First identify the on-prem subnet from which you plan to migrate VMs. In this example, the subnet is 10.140.0.0/16 with two On-Prem VMs (10.140.0.45 and 10.140.0.46.) 
- -(In this illustration, the cloud subnet is a public subnet. There are other `design patterns `_ you can follow.) - -Then create an AWS VPC with a public subnet that has an identical CIDR as the on-prem subnet where migration is to take place. For example, create a VPC CIDR 10.140.0.0/16 with a public subnet 10.140.0.0/16 in region Oregon. Note that it is not necessary for the migrated VMs to have public IP addresses. - -=============================== ================================================================================ -**AWS Example Setting** **Value** -=============================== ================================================================================ -Cloud Type AWS -Region Oregon -VPC CIDR 10.140.0.0/16 -Public Subnet 10.140.0.0/16 -=============================== ================================================================================ - -2.1.2 Setup AWS Server Migration Service (SMS) to create a migrated AMI ------------------------------------------------------------------------- - -Please refer to "AWS Server Migration Service – Server Migration to the Cloud Made Easy!" for detail. - -`AWS Server Migration Service – Server Migration to the Cloud Made Easy! -`_ - -- Deploy the Server Migration Connector virtual appliance on On-Premise. - -=============================== ================================================================================ -**vCenter Setting** **Example** -=============================== ================================================================================ -Setup networks 10.140.0.0/16 -=============================== ================================================================================ - -- Configure the connector on On-Premise. 
- -=============================== ================================================================================ -**Connector Setting** **Example** -=============================== ================================================================================ -AWS Region US West (Oregon) -=============================== ================================================================================ - -- Import the server catalog on AWS SMS console - -=============================== ================================================================================ -**AWS SMS Setting** **Example** -=============================== ================================================================================ -Replication job ID VM which will be migrated to cloud (e.g. VM with ip 10.140.0.45) -=============================== ================================================================================ - -After completing the previous steps, a user is able to view and launch the migrated AMI in below console: - -i.) AWS -> Migration -> Server Migration Service - -|image1| - -ii.) AWS -> Compute -> EC2 -> Launch Instance - -|image2| - -Please confirm that the migrated AMI is ready on AWS console. -This document will describe how to integrate the migrated AMI with IPMotion feature in 3.2.2 Step b. - -2.1.3 Deploy an Aviatrix Virtual Appliance CloudN in On-Premise subnet ------------------------------------------------------------------------ - -The Aviatrix Virtual Appliance CloudN must be deployed and setup in the on-prem subnet where you plan to migrate VMs prior to configuring IPMotion. For example, the subnet is 10.140.0.0/16. Please refer to "Virtual Appliance CloudN" on how to deploy the Virtual Appliance CloudN. - -`Virtual Appliance CloudN -`_ - -Check and make sure you can access the Aviatrix Virtual Appliance CloudN dashboard and -login with an administrator account. 
The default URL for the Aviatrix -Virtual Appliance CloudN is: - -https:// - - -2.2 Configuration Steps ------------------------ - -Make sure the pre-configuration steps in the previous section are completed before proceeding. - - -2.2.1 Step a – Deploy Aviatrix IPMotion gateway ------------------------------------------------ - -The first step is to deploy an Aviatrix IPMotion gateway in AWS VPC. -Please refer to the "IPmotion Setup Instructions" for detail. - -`IPmotion Setup Instructions -`_ - -**Instructions:** - -a.1. Login to the Aviatrix Virtual Appliance CloudN - -a.2. Click on "IP Motion" in the left navigation bar - -a.3. For section 1> Specify the on-prem IP Address List, enter both the list of IP addresses of VMs that will be migrated and the list of IP addresses of VMs that will remain on-prem. - -=============================== ================================================================================ -**IPMotion Configuration** **Example** -=============================== ================================================================================ -On-prem Subnet IP List 10.140.0.45-10.140.0.46 -=============================== ================================================================================ - -a.4. Click “Specify”. - -a.5. Click "View" to check those specified IPs and its status. - -=============================== ================================================================================ -**Status Value** **Notes** -=============================== ================================================================================ -ON-PREM IP of VM in On-Prem -IN-CLOUD-STAGING IP of VM in staging Mode -IN-CLOUD IP of VM migrated to Cloud -=============================== ================================================================================ - -a.6. 
For section 2> Reserve IPmotion Gateway IP Address List, specify 10 IP addresses that are not being used by any running VMs and reserve these addresses for the Aviatrix IPmotion gateway. - -================================ ================================================================================ -**IPMotion Configuration** **Example** -================================ ================================================================================ -IPmotion Gateway Reserve IP List 10.140.0.200-10.140.0.210 -================================ ================================================================================ - -a.7. Click "View" to check those reserved IPs. - -a.8. For section 3> Launch an IPmotion Gateway in the AWS VPC, it launches an Aviatrix IPmotion gateway and builds an encrypted IPSEC tunnel between the subnet of On-Prem and AWS VPC. - -=============================== =================================================== -**Setting** **Value** -=============================== =================================================== -Cloud Type Choose AWS -Account Name Choose the account name -Region Choose the region of VPC (e.g. us-west-2) -VPC ID Choose the VPC ID of VPC -Gateway Name This name is arbitrary (e.g. IPMotion-GW) -Gateway Size t2.small is fine for testing. -Gateway Subnet Select the public subnet (e.g. 10.140.0.0/16) -=============================== =================================================== - -a.9. Click “Launch”. It will take a few minutes for the gateway to deploy. Do not proceed until the gateway is deployed. - -a.10. Done - -.. Note:: Next 2.2.2 Step b – Integrate Aviatrix IPMotion with AWS AMI will explain how to utilize section 4> Let's Move! 
to coordinate IP migration with the migrated AMI created by AWS SMS - -2.2.2 Step b – Integrate Aviatrix IPMotion with AWS AMI -------------------------------------------------------- - -This step explains how to integrate Aviatrix IPMotion with the AMI that a user migrated from On-Premise VM to AWS via AWS SMS earlier. - -b.1. Click on IP Motion in the left navigation bar of GUI of Aviatrix Virtual Appliance CloudN - -b.2. Navigate to section 4> Let's Move! - -b.3. Select the IP of VM which will be migrated to the cloud. (e.g. 10.140.0.45) - -b.4. Click "Staging". This is the preparation step for a user to shutdown the On-Prem VM with the selected IP and power up its corresponding cloud VM with the same IP. - -b.4.1. Shutdown the On-Prem VM via vCenter. (e.g. 10.140.0.45) - -b.4.2. Power up the AWS EC2 instance with that selected IP. (e.g. 10.140.0.45) - -b.4.2.1. Navigate to AWS -> Compute -> EC2 console - -b.4.2.2. Click "Launch Instance" - -b.4.2.3. Step 1: Choose an Amazon Machine Image (AMI) -> Click on the sidebar option "My AMIs" -> Click "Select" of the AMI which is created by AWS SMS - -b.4.2.4. Step 2: Choose an Instance Type - -b.4.2.5. Step 3: Configure Instance Details: - -b.4.2.5.1. 
In the first section, here is an example for the testing topology - -================================== =================================================== -**AWS Example Setting** **Value** -================================== =================================================== -Number of instances 1 -Purchasing Optional Uncheck this box is fine for testing -Network Choose the VPC ID of the planned VPC -Subnet Choose the Subnet ID of the planned Subnet -Auto-assign Public IP Enable is fine for testing -IAM role None is fine for testing -Shutdown behavior Stop is fine for testing -Enable termination protection Uncheck this box is fine for testing -Monitoring Uncheck this box is fine for testing -Tenancy Shared - Run a shared hardware instance is fine -================================== =================================================== - -b.4.2.5.2. (Important) In second section - Network interfaces, enter the selected IP (e.g. 10.140.0.45) - -|image3| - -b.4.2.6. Step 4: Add Storage: default settings is fine for testing. - -b.4.2.6. Step 5: Add Tags: default settings is fine for testing. - -b.4.2.7. Step 6: Configure Security Group -> Click "Create a new security group". For this testing topology, add a rule with a Type of "All traffic" and Source of "Custom - 10.140.0.0/16" to allow all traffic between On-Prem VM and Cloud VM. The User can further customize the firewall rules. - -|image4| - -b.4.2.8. Step 7: Review Instance Launch -> Click "Launch." It will take a few minutes for the EC2 instance to deploy. Do not proceed until the EC2 instance is deployed. - -b.5. (Optional) Click "View" in section 1> Specify the on-prem IP Address List to check status. That IP status will change from status "ON-PREM" to "IN-CLOUD-STAGING". - -b.6. Navigate back to the section 4> Let's Move! of IP Motion of GUI of Aviatrix Virtual Appliance CloudN - -b.7. Select IP "10.140.0.45" -> Click "Commit" - -b.8. 
(Optional) Click "View" of section 1> Specify the on-prem IP Address List to check status. That IP status will change from status "IN-CLOUD-STAGING" to "IN-CLOUD". - -b.9. Done - -2.2.3 Step c – Test Connectivity --------------------------------------------- - -This step explains how to test the connectivity between the On-Prem VM to the migrated VM in the cloud. - -**Instructions:** - -c.1. Browse the GUI of Aviatrix Virtual Appliance CloudN - -c.1.1. Click Troubleshoot in the sidebar -> Diagnostics -> Network -> Ping Utility. - -c.1.2. Enter the committed IP address -> click Ping. - -c.2. Test bi-directional end-to-end connectivity - -c.2.1. Login to the On-Prem VM (e.g. 10.140.0.46) - -c.2.2. Check ICMP protocol via command "ping 10.140.45" - -c.2.3. Login to the migrated EC2 (e.g. 10.140.0.45) - -c.2.4. Check ICMP protocol via command "ping 10.140.46" - -.. Note:: Make sure the security group of the migrated EC2 has ICMP allowed. Also make sure the migrated EC2 instance responds to Ping request. - - - -Troubleshooting -=============== - -1. Click button "View" of section 1> Specify the on-prem IP Address List of IPMotion of GUI of Aviatrix Virtual Appliance CloudN to check what state an IP address is at. - -2. Click button "Reset" if all things fail and you like to start over - -2.1. First of all, delete the IPmotion gateway by navigating to the sidebar and clicking "Gateway List" - -2.2. Select the gateway -> click Delete. It will take a few minutes to delete. Do not proceed until the gateway is deleted. - -2.3. After deletion is completed, go back to section 1> Specify the on-prem IP Address List of IPMotion and click button "Reset". - -2.4. You can then start it over by going through Step a – Deploy Aviatrix IPMotion gateway and Step b – Integrate Aviatrix IPMotion with AWS AMI again. - -3. Get Support email support@aviatrix.com for assistance. - -.. 
|image0| image:: ipmotion_media/image0_IPMotion_Configuration.PNG - :width: 5.03147in - :height: 2.57917in - -.. |image1| image:: ipmotion_media/image1_SMS_Console_AMI.PNG - :width: 5.03147in - :height: 2.57917in - -.. |image2| image:: ipmotion_media/image2_Launch_Instance_Console_AMI.PNG - :width: 5.03147in - :height: 2.57917in - -.. |image3| image:: ipmotion_media/image3_Network_interfaces.PNG - :width: 5.03147in - :height: 2.57917in - -.. |image4| image:: ipmotion_media/image4_SG.PNG - :width: 5.03147in - :height: 2.57917in - -.. disqus:: diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/profile_editor_add_old.png b/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/profile_editor_add_old.png deleted file mode 100644 index c6ce21784..000000000 Binary files a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/profile_editor_add_old.png and /dev/null differ diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/profile_editor_old.png b/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/profile_editor_old.png deleted file mode 100644 index a61f4b299..000000000 Binary files a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/profile_editor_old.png and /dev/null differ diff --git a/HowTos/Ingress_Protection_Transit_FireNet_Fortigate.rst b/HowTos/Ingress_Protection_Transit_FireNet_Fortigate.rst new file mode 100644 index 000000000..76977eac2 --- /dev/null +++ b/HowTos/Ingress_Protection_Transit_FireNet_Fortigate.rst 
@@ -0,0 +1,521 @@ +.. meta:: + :description: Ingress Protection via Aviatrix Transit FireNet with Fortigate + :keywords: AVX Transit Architecture, Aviatrix Transit network, Transit DMZ, Ingress, Firewall, Fortigate + +============================================================== +Ingress Protection via Aviatrix Transit FireNet with Fortigate +============================================================== + +This document illustrates a widely deployed architecture for Ingress traffic inspection/protection firewall that leverages AWS Load Balancers, +`Transit FireNet for AWS `_ and +`Fortigate VM in AWS `_. + +Ingress traffic from Internet forwards to firewall instances first in Aviatrix Transit FireNet VPC and then reaches to application servers as shown +in the diagram below. In this design pattern, each firewall instance must perform + + #. Source NAT (SNAT) on its LAN interface that connects to the Aviatrix FireNet gateway + + #. Destination NAT (DNAT) to the IP of application server or application load balancer + +|transit_firenet_ingress| + +.. note:: + + This design pattern also supports multiple of firewalls (scale out fashion) for each Aviatrix Transit FireNet gateway. + +This document describes a step-by-step Ingress Protection via Aviatrix Transit FireNet with Fortigate deployment workflow for R6.1 and later. +In this note you learn how to: + + #. Workflow on Transit FireNet for AWS + + #. Workflow on AWS Application Load Balancer + + #. Workflow on Firewall instances - Fortigate + +For more information about Transit FireNet, please check out the below documents: + + `Transit FireNet FAQ `_ + + `Firewall Network Design Patterns `_ + +Prerequisite +==================== + +First of all, `upgrade `_ Aviatrix Controller to at least version 6.1 + +In this example, we are going to deploy the below VPCs in AWS + + - Aviatrix Transit FireNet VPC (i.e. 10.70.0.0/16) + + - Aviatrix Spoke VPC for Application (i.e. 
10.3.0.0/16) + +Workflow on Transit FireNet for AWS +===================================== + +Refer to `Transit FireNet Workflow for AWS doc `_ for the below steps. Please adjust the topology depending on your requirements. + +Step 1.1. Deploy VPCs for Transit FireNet and Spoke for Applicaton +----------------------------------------------------------------- + + - Create an Aviatrix Transit VPC by utilizing Aviatrix feature `Create a VPC `_ with Aviatrix FireNet VPC option enabled + + - Create an Aviatrix Spoke VPC for Application by utilizing Aviatrtix feature `Create a VPC `_ as the previous step or manually deploying it in AWS portal. Moreover, feel free to use your existing VPC. + +Step 1.2. Deploy Aviatrix Multi-Cloud Transit Gateway and HA +---------------------------------------------------------- + + - Follow this step `Deploy the Transit Aviatrix Gateway `_ to launch Aviatrix Transit gateway and enable HA in Transit FireNet VPC + + - Connected Transit mode is not necessary for this Ingress inspection solution. + +Step 1.3. Deploy Spoke Gateway and HA +----------------------------------- + + - Follow this step `Deploy Spoke Gateways `_ to launch Aviatrix Spoke gateway and enable HA in Spoke VPC for Application + +Step 1.4. Attach Spoke Gateways to Transit Network +------------------------------------------------ + + - Follow this step `Attach Spoke Gateways to Transit Network `_ to attach Spoke Gateways to Transit Gateways + +Step 1.5. Configure Transit Firewall Network +------------------------------------------------ + + - `Configure Transit Firewall Network `_ + + - Adding spoke to the Inspected box for traffic inspection in 2> Manage FireNet Policy is not necessary for this Ingress solution as inbound traffic hit firewall instances first. + +Step 1.6. 
Launch and Associate Firewall Instance +------------------------------------------------ + + - `Subscribe Firewall Vendor in AWS Marketplace `_ for Fortigate Next Generation Firewall + + - Launch Fortigate Firewall instance for each Aviatrix Transit FireNet gateway by following this `step `_ + + +--------------------------+-------------------------------------------------------------+ + | **Example setting** | **Example value** | + +--------------------------+-------------------------------------------------------------+ + | Firewall Image | Fortinet FortiGate Next-Generation Firewall | + +--------------------------+-------------------------------------------------------------+ + | Firewall Image Version | 6.4.2 | + +--------------------------+-------------------------------------------------------------+ + | Firewall Instance Size | c5.xlarge | + +--------------------------+-------------------------------------------------------------+ + | Egress Interface Subnet | Select the subnet whose name contains "FW-ingress-egress". | + +--------------------------+-------------------------------------------------------------+ + | Key Pair Name (Optional) | The .pem file name for SSH access to the firewall instance. | + +--------------------------+-------------------------------------------------------------+ + | Attach | Check | + +--------------------------+-------------------------------------------------------------+ + + - Wait for a couple of minutes for the Fortigate Firewall instances to turn into Running Instance state + + - Will walk through how to set up basic configuration for FortiGate (Fortinet) in the later section 'Workflow on Firewall instances - Fortigate'. Please move on to the next section 'Workflow on AWS Application Load Balancer' first + +Workflow on AWS Application Load Balancer +========================================= + +This workflow example describes how to + + #. 
place an internet-facing AWS Load Balancer to load balance traffic to firewall instances in Transit FireNet + + #. place an internal AWS Load Balancer to load balance traffic to private application server in Application Spoke + + #. set up the related network components and private application web server with HTTP and port 8080 + +Please adjust the settings depending on your requirements. + +Step 2.1. Create an AWS Application Load Balancer with scheme Internet-facing +----------------------------------------------------------------------------- + +In Transit FireNet VPC, create an internet-facing AWS Application Load Balancer by following the steps below: + + - Select Application Load Balancer HTTP/HTTPS + + |Ingress_ALB| + + - Select items as follows in Step 1: Configure Load Balancer + + +---------------------+------------------------+-------------------------------------------------------------------+ + | **Section** | **Field** | **Value** | + +---------------------+------------------------+-------------------------------------------------------------------+ + | Basic Configuration | Scheme | internet-facing | + +---------------------+------------------------+-------------------------------------------------------------------+ + | | IP address type | ipv4 | + +---------------------+------------------------+-------------------------------------------------------------------+ + | Listeners | Load Balancer Protocol | HTTP | + +---------------------+------------------------+-------------------------------------------------------------------+ + | | Load Balancer Port | 8080 | + +---------------------+------------------------+-------------------------------------------------------------------+ + | Availability Zones | VPC | Aviatrix Transit FireNet VPC | + +---------------------+------------------------+-------------------------------------------------------------------+ + | | Availability Zones | select the subnet with *-Public-FW-ingress-egress-AZ-* in each AZ | + 
+---------------------+------------------------+-------------------------------------------------------------------+ + + |Ingress_Internet_ALB_Step_1_Configure_Load_Balancer| + + - Create a security group with Protocol TCP and Port 8080 in Step 3: Configure Security Groups + + |Ingress_Internet_ALB_Step_3_Configure_Security_Groups| + + - Select items as follows in Step 4: Configure Routing + + +--------------------------------+---------------+-------------------+ + | **Section** | **Field** | **Value** | + +--------------------------------+---------------+-------------------+ + | Target group | Target group | New target group | + +--------------------------------+---------------+-------------------+ + | | Target type | Instance | + +--------------------------------+---------------+-------------------+ + | | Protocol | HTTP | + +--------------------------------+---------------+-------------------+ + | | Port | 8080 | + +--------------------------------+---------------+-------------------+ + | Health checks | Protocol | HTTPS | + +--------------------------------+---------------+-------------------+ + | | Path | / | + +--------------------------------+---------------+-------------------+ + | Advanced health check settings | Port | override with 443 | + +--------------------------------+---------------+-------------------+ + | | Success codes | 302 | + +--------------------------------+---------------+-------------------+ + + |Ingress_Internet_ALB_Step_4_Configure_Routing| + + - Select firewall instances and click the button "Add to registered" in Step 5: Register Targets + + |Ingress_Internet_ALB_Step_5_Register_Targets_1| + + - Confirm the selected firewall instances are placed under the section "Registered targets" + + |Ingress_Internet_ALB_Step_5_Register_Targets_2| + + - Review the configuration in Step 6: Review + + |Ingress_Internet_ALB_Step_6_Review| + + - Wait for a couple of minutes and check firewall instances' healthy Status behind AWS Application Load 
Balancer + + |Internet_ALB_WEB_HTTP_8080_tg_healthcheck| + + .. note:: + + Targets healthy status behind AWS load balancer can be found on the page "EC2 -> Target groups -> selecting the target group -> Targets" in AWS portal. + +Step 2.2. Launch an Apache2 Web server in Application Spoke +----------------------------------------------------------- + +In Application Spoke, create an Ubuntu Server 18.04 LTS virtual machine and install Apache2 HTTP Server with custom port 8080 as a web application server. + ++---------------------+-------------------+ +| **Example setting** | **Example value** | ++---------------------+-------------------+ +| Protocol | HTTP | ++---------------------+-------------------+ +| Port | 8080 | ++---------------------+-------------------+ + +.. Note:: + + Refer to `Install The Latest Apache2 HTTP Server ( 2.4.34 ) On Ubuntu 16.04 | 17.10 | 18.04 LTS Servers `_ to install Apache2 HTTP Server + + Refer to `How To Change Apache Default Port To A Custom Port `_ to use custom port 8080 + +Step 2.3. 
Create an AWS Application Load Balancer with scheme Internal +---------------------------------------------------------------------- + +In Application Spoke VPC, create an internal AWS Application Load Balancer by refering to the steps below: + + - Select Application Load Balancer HTTP/HTTPS + + |Ingress_ALB| + + - Select items as follows in Step 1: Configure Load Balancer + + +---------------------+------------------------+-------------------------------------------------------------------+ + | **Section** | **Field** | **Value** | + +---------------------+------------------------+-------------------------------------------------------------------+ + | Basic Configuration | Scheme | internal | + +---------------------+------------------------+-------------------------------------------------------------------+ + | | IP address type | ipv4 | + +---------------------+------------------------+-------------------------------------------------------------------+ + | Listeners | Load Balancer Protocol | HTTP | + +---------------------+------------------------+-------------------------------------------------------------------+ + | | Load Balancer Port | 8080 | + +---------------------+------------------------+-------------------------------------------------------------------+ + | Availability Zones | VPC | Aviatrix Spoke VPC for application | + +---------------------+------------------------+-------------------------------------------------------------------+ + | | Availability Zones | select the subnet where private application servers locate | + +---------------------+------------------------+-------------------------------------------------------------------+ + + |Ingress_Internal_ALB_Step_1_Configure_Load_Balancer| + + - Create a security group with Protocol TCP and Port 8080 in Step 3: Configure Security Groups + + - Select items as follows in Step 4: Configure Routing + + +--------------------------------+---------------+-------------------+ + | **Section** | 
**Field** | **Value** | + +--------------------------------+---------------+-------------------+ + | Target group | Target group | New target group | + +--------------------------------+---------------+-------------------+ + | | Target type | Instance | + +--------------------------------+---------------+-------------------+ + | | Protocol | HTTP | + +--------------------------------+---------------+-------------------+ + | | Port | 8080 | + +--------------------------------+---------------+-------------------+ + | Health checks | Protocol | HTTP | + +--------------------------------+---------------+-------------------+ + | | Path | / | + +--------------------------------+---------------+-------------------+ + | Advanced health check settings | Port | traffic port | + +--------------------------------+---------------+-------------------+ + | | Success codes | 200 | + +--------------------------------+---------------+-------------------+ + + - Select private application server and click the button "Add to registered" in Step 5: Register Targets + + - Review the configuration in Step 6: Review + + |Ingress_Internal_ALB_Step_6_Review| + +Workflow on Firewall instances - Fortigate +========================================== + +This is just a simple example to set up Firwall for Ingress traffic. Please adjust the security settings depending on your requirements. + +Step 3.1. Set up basic configuration for FortiGate (Fortinet) +------------------------------------------------------------- + + - Refer to `Fortigate Example `_ to launch Fortigate in AWS and for more details. + + - `Reset Fortigate Next Generation Firewall Password `_ + + - `Configure Fortigate Next Generation Firewall port1 with WAN `_ + + - `Configure Fortigate Next Generation Firewall port2 with LAN `_ + + - `Create static routes for routing traffic to Spoke VPC `_ + +Step 3.2. 
Configure Destination NAT (DNAT) to the FQDN/IP of Internal Application Load Balancer +----------------------------------------------------------------------------------------------- + + - Login Fortigate GUI + + - Navigate to the page "Policy & Objects -> Virtual IPs" + + - Click the button "+ Create New" + + - Enter fields for Name, Comments, Interface, Type, External IP address, Mapped address, and Port Forwarding as follows: + + +-----------------+-----------------------+-----------------------------------------------+ + | **Section** | **Example setting** | **Example value** | + +-----------------+-----------------------+-----------------------------------------------+ + | Edit Virtual IP | VIP type | IPv4 | + +-----------------+-----------------------+-----------------------------------------------+ + | | Name | DNAT-to-Internal-ALB-WEB-HTTP-8080 | + +-----------------+-----------------------+-----------------------------------------------+ + | | Comments | DNAT-to-Internal-ALB-WEB-HTTP-8080 | + +-----------------+-----------------------+-----------------------------------------------+ + | Network | Interface | WAN (port1) | + +-----------------+-----------------------+-----------------------------------------------+ + | | Type | FQDN | + +-----------------+-----------------------+-----------------------------------------------+ + | | External IP address | Private IP of interface WAN (port1) | + +-----------------+-----------------------+-----------------------------------------------+ + | | Mapped address | Create a new tag 'Internal-ALB-WEB-HTTP-8080' | + +-----------------+-----------------------+-----------------------------------------------+ + | Port Forwarding | Status | enable | + +-----------------+-----------------------+-----------------------------------------------+ + | | Protocol | TCP | + +-----------------+-----------------------+-----------------------------------------------+ + | | External service port | 8080 | + 
+-----------------+-----------------------+-----------------------------------------------+ + | | Map to port | 8080 | + +-----------------+-----------------------+-----------------------------------------------+ + + |Ingress_Fortigate_DNAT| + + - Create a tag for Mapped address by clicking the button "+ Create" + + |Ingress_Fortigate_DNAT_Mapped_address| + + - Enter fields for Name, Type, FQDN, and Interface for Mapped address as follows: + + +---------------------+---------------------------------------------------------------------------------------------+ + | **Example setting** | **Example value** | + +---------------------+---------------------------------------------------------------------------------------------+ + | Name | Internal-ALB-WEB-HTTP-8080 | + +---------------------+---------------------------------------------------------------------------------------------+ + | Type | FQDN | + +---------------------+---------------------------------------------------------------------------------------------+ + | FQDN | DNS name of the internal AWS Application Load Balancer which is created in the previos step | + +---------------------+---------------------------------------------------------------------------------------------+ + | Interface | any | + +---------------------+---------------------------------------------------------------------------------------------+ + + |Ingress_Fortigate_DNAT_Mapped_address_2| + + .. important:: + + FQDN is the DNS name of the 'internal' AWS Application Load Balancer not 'internet-facing' AWS ALB. + + .. note:: + + DNS name of the AWS Application Load Balancer can be found on the page "EC2 -> Load Balancing -> Load Balancers -> selecting the Load balancer -> Description -> DNS name" + + +Step 3.3. 
Apply Destination NAT (DNAT) and configure Source NAT (SNAT) on firewall's LAN interface in Firewall Policy to allow Ingress traffic +---------------------------------------------------------------------------------------------------------------------------------------------- + + - Navigate to the page "Policy & Objects -> Firewall Policy" + + - Click the button "+ Create New" + + - Enter fields for Name, Incoming Interface, Outgoing Interface, Source, Destination, Service, Action, NAT, IP Pool Configuration as follows: + + +----------------------------+-----------------------+---------------------------------------------------------------------------------------------------+ + | **Section** | **Example setting** | **Example value** | + +----------------------------+-----------------------+---------------------------------------------------------------------------------------------------+ + | Edit Policy | Name | Ingress-WEB-HTTP-8080 | + +----------------------------+-----------------------+---------------------------------------------------------------------------------------------------+ + | | Incoming Interface | WAN (port1) | + +----------------------------+-----------------------+---------------------------------------------------------------------------------------------------+ + | | Outgoing Interface | LAN (port2) | + +----------------------------+-----------------------+---------------------------------------------------------------------------------------------------+ + | | Source | all | + +----------------------------+-----------------------+---------------------------------------------------------------------------------------------------+ + | | Destination | Select the Virtual IPs 'DNAT-to-Internal-ALB-WEB-HTTP-8080' which is created in the previous step | + +----------------------------+-----------------------+---------------------------------------------------------------------------------------------------+ + | | Service | Create a new service for 
HTTP-8080 | + +----------------------------+-----------------------+---------------------------------------------------------------------------------------------------+ + | | Action | ACCEPT | + +----------------------------+-----------------------+---------------------------------------------------------------------------------------------------+ + | Firewall / Network Options | NAT | Enable | + +----------------------------+-----------------------+---------------------------------------------------------------------------------------------------+ + | | IP Pool Configuration | Use Outgoing Interface Address | + +----------------------------+-----------------------+---------------------------------------------------------------------------------------------------+ + + .. important:: + + To enable DNAT function, need to select 'Virtual IPs' for Destination under Edit Policy. + + To enable SNAT function, need to enable NAT with IP Pool Configuration under Firewall / Network Options. + + |Ingress_Fortigate_Firewall_policy| + + - Create a new service for HTTP-8080 by clicking the button "+ Create" + + +------------------+---------------------+-----------------------+ + | **Section** | **Example setting** | **Example value** | + +------------------+---------------------+-----------------------+ + | New Service | Name | HTTP-8080 | + +------------------+---------------------+-----------------------+ + | | Category | Web Access | + +------------------+---------------------+-----------------------+ + | Protocol Options | Protocol Type | TCP/UDP/SCTP | + +------------------+---------------------+-----------------------+ + | | Address | IP Range with 0.0.0.0 | + +------------------+---------------------+-----------------------+ + | | Destination Port | TCP with port 8080 | + +------------------+---------------------+-----------------------+ + + |Ingress_Fortigate_Firewall_policy_service| + + - Review Firewall Policy + + |Ingress_Fortigate_Firewall_policy_review| + +Step 3.4. 
Repeat the above steps for all your firewall instances +---------------------------------------------------------------- + +Step 3.5. Reference +-------------------- + + - Inbound application traffic with firewall resiliency in `Amazon Web Services (AWS) Reference Architecture `_ + + - INBOUND APPLICATION TRAFFIC WITH FIREWALL RESILIENCY in `wp-aws-transit-gateway-cloud-services.pdf `_ + + - `FortiGate Cookbook `_ + +Ready to go! +============= + +Now firewall instances and private application server are ready to receive Ingress traffic! + +Open your browser and access the DNS of AWS Internet Application Load Balancer with HTTP and port 8080. + + |Ingress_private_WEB_server_access| + +.. |transit_firenet_ingress| image:: ingress_firewall_example_media/Ingress_Aviatrix_Transit_FireNet_topology.png + :scale: 30% + +.. |Ingress_ALB| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_ALB.png + :scale: 30% + +.. |Ingress_Internet_ALB_Step_1_Configure_Load_Balancer| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_1_Configure_Load_Balancer.png + :scale: 30% + +.. |Ingress_Internet_ALB_Step_3_Configure_Security_Groups| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_3_Configure_Security_Groups.png + :scale: 30% + +.. |Ingress_Internet_ALB_Step_4_Configure_Routing| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_4_Configure_Routing.png + :scale: 30% + +.. |Ingress_Internet_ALB_Step_5_Register_Targets_1| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_5_Register_Targets_1.png + :scale: 30% + +.. |Ingress_Internet_ALB_Step_5_Register_Targets_2| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_5_Register_Targets_2.png + :scale: 30% + +.. 
|Ingress_Internet_ALB_Step_6_Review| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Internet_ALB_Step_6_Review.png + :scale: 30% + +.. |Internet_ALB_WEB_HTTP_8080_tg_healthcheck| image:: ingress_protection_transit_firenet_fortigate_media/Internet_ALB_WEB_HTTP_8080_tg_healthcheck.png + :scale: 30% + +.. |Ingress_Internal_ALB_Step_1_Configure_Load_Balancer| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Internal_ALB_Step_1_Configure_Load_Balancer.png + :scale: 30% + +.. |Ingress_Internal_ALB_Step_6_Review| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Internal_ALB_Step_6_Review.png + :scale: 30% + +.. |Ingress_Fortigate_DNAT| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_DNAT.png + :scale: 30% + +.. |Ingress_Fortigate_DNAT_Mapped_address| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_DNAT_Mapped_address.png + :scale: 30% + +.. |Ingress_Fortigate_DNAT_Mapped_address_2| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_DNAT_Mapped_address_2.png + :scale: 30% + +.. |Ingress_Fortigate_Firewall_policy| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_Firewall_policy.png + :scale: 30% + +.. |Ingress_Fortigate_Firewall_policy_service| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_Firewall_policy_service.png + :scale: 30% + +.. |Ingress_Fortigate_Firewall_policy_review| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_Fortigate_Firewall_policy_review.png + :scale: 30% + +.. |Ingress_private_WEB_server_access| image:: ingress_protection_transit_firenet_fortigate_media/Ingress_private_WEB_server_access.png + :scale: 30% + +.. 
disqus:: + + + + +Ingress Protection via Aviatrix Transit Firenet for Multiple Applications + + +In case customer has a use case where they want to inspect traffic for multiple applications using the same FW, in that case we need to add more NAT rules on the firewall. + + +Recommended Steps + + +Create an additional subnet in the security VPC (/24) for the LB +Create additional ALB/NLB based on the number of applications +Add a SNAT/DNAT same as above for each application mapping it for the specific LB diff --git a/HowTos/Migration_From_Marketplace.rst b/HowTos/Migration_From_Marketplace.rst index 13863906d..4e1dc45ff 100644 --- a/HowTos/Migration_From_Marketplace.rst +++ b/HowTos/Migration_From_Marketplace.rst @@ -72,9 +72,7 @@ Step 4 - Launch new Aviatrix Controller Launch new Aviatrix Controller. Please refer to the `AWS Startup Guide `__ for steps. - .. tip:: - We highly recommend migrating to Metered AMI as it is more flexible and scalable as your business needs change over time. - + .. note:: To make best use of time, it is encouraged to launch the new Controller before stopping the old Controller in Step 2. @@ -86,6 +84,8 @@ Step 5 - Associate EIP On the AWS console, go to **EC2** > **Network & Security** > **Elastic IPs**, and associate the same EIP from step 3 to the new Aviatrix Controller. +If you have your old `controller behind an ELB `_, please note that you would have to remove the old controller instance from the listening group and add the new controller instance in its place. + Step 6 - Upgrade Controller =========================== diff --git a/HowTos/Quick_Tour.rst b/HowTos/Quick_Tour.rst index 3718647f1..ec3cde63d 100644 --- a/HowTos/Quick_Tour.rst +++ b/HowTos/Quick_Tour.rst 
@@ -77,8 +77,7 @@ design `__.
 Help
 """""
-Under the Help menu, check out FAQs and additional implementation guides. Send
-an email to support@aviatrix.com to get immediate support.
+Under the Help menu, check out FAQs and additional implementation guides. Please open a support ticket at `Aviatrix Support Portal `_ to get immediate support.
 OpenVPN is a registered trademark of OpenVPN Inc.
diff --git a/HowTos/S2C_GW_ASA.rst b/HowTos/S2C_GW_ASA.rst
index 5db041779..051a3c5d3 100644
--- a/HowTos/S2C_GW_ASA.rst
+++ b/HowTos/S2C_GW_ASA.rst
@@ -87,7 +87,7 @@ Network setup is as following:
 =============================== =================================================================
-For support, send an email to support@aviatrix.com.
+For support, please open a support ticket at `Aviatrix Support Portal `_
 .. |image0| image:: s2c_gw_asa_media/Doc1.png :width: 5.55625in
diff --git a/HowTos/S2C_GW_CP.rst b/HowTos/S2C_GW_CP.rst
index b1811af06..2b8f313a2 100644
--- a/HowTos/S2C_GW_CP.rst
+++ b/HowTos/S2C_GW_CP.rst
@@ -258,7 +258,7 @@ Refer to the `vSEC Gateway for Amazon Web Services Getting Started Guide `_
 .. |image0| image:: s2c_gw_cp_media/DownloadSmartConsole.PNG :width: 5.55625in
diff --git a/HowTos/S2C_GW_CP_88.rst b/HowTos/S2C_GW_CP_88.rst
index cabac5ad6..7e399ea86 100644
--- a/HowTos/S2C_GW_CP_88.rst
+++ b/HowTos/S2C_GW_CP_88.rst
@@ -4,7 +4,7 @@
 ============================================
-Aviatrix Gateway to Check Point(R88.10)
+Aviatrix Gateway to Check Point(R80.10)
 ============================================
 This document describes how to build an IPSec tunnel based site2cloud connection between Aviatrix Gateway and Check Point Firewall. To simulate an on-prem Check Point Firewall, we use a Check Point CloudGuard IaaS firewall VM at AWS VPC.
diff --git a/HowTos/S2C_GW_IOS.rst b/HowTos/S2C_GW_IOS.rst
index e85747a44..57b13d1b1 100644
--- a/HowTos/S2C_GW_IOS.rst
+++ b/HowTos/S2C_GW_IOS.rst
@@ -59,6 +59,7 @@ The network setup is as follows:
 2.1 Either ssh into the Cisco router or connect to it directly through its console port.
 2.2 Apply the following IOS configuration to your router:
+ Please note that from version 5.0, we use the gateway's public ip address as the identier, so the "match identity address" should use the public ip instead of the private ip as pointed in the picture below.
 |image1|
@@ -81,7 +82,7 @@ The network setup is as follows:
 =============================== =================================================================
-For support, send an email to support@aviatrix.com.
+For support, please open a support ticket at `Aviatrix Support Portal `_
 .. |image0| image:: s2c_gw_ios_media/s2c_sample_config.png :width: 5.55625in
diff --git a/HowTos/S2C_GW_PAN.rst b/HowTos/S2C_GW_PAN.rst
index 8f7f118d6..001ef59f5 100644
--- a/HowTos/S2C_GW_PAN.rst
+++ b/HowTos/S2C_GW_PAN.rst
@@ -93,7 +93,7 @@ Configuration Workflow
 Peer Identification Peer public IP Address (if the controller version is below 5.0, it should be peer private IP)
 =============================== =========================================
- Note: In Palo Alto Networks offcial documents, it is not necessary to add the Peer Identification. However, to make sure the tunnel working, we recommend to add it.
+ Note: In Palo Alto Networks official documents, it is not necessary to add the Peer Identification. However, to make sure the tunnel working, we recommend to add it.
 In the event that IPSec tunnel is up but traffic is not passing between cloud and on-premises, you may want to enable NAT-T in Palo Alto Networks Firewall.
 |image3|
diff --git a/HowTos/SAML_Integration_AWS_SSO_IdP.rst b/HowTos/SAML_Integration_AWS_SSO_IdP.rst
index 1eca807f3..7f9a18089 100644
--- a/HowTos/SAML_Integration_AWS_SSO_IdP.rst
+++ b/HowTos/SAML_Integration_AWS_SSO_IdP.rst
@@ -14,11 +14,6 @@ Overview
 This guide provides an example on how to configure Aviatrix to authenticate against AWS SSO IdP. When SAML client is used, your Aviatrix controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IdP (e.g., AWS SSO) for authentication.
-Visit one of the following links based on your use case:
-
- If integrating AWS SSO IdP with `Controller Login SAML Config `_
- If integrating AWS SSP IdP with `OpenVPN with SAML Authentication `_
-
 Before configuring SAML integration between Aviatrix and AWS SSO, make sure you have a valid AWS account with administrator access.
 .. tip::
@@ -31,24 +26,27 @@ Configuration Steps Follow these steps to configure Aviatrix to authenticate against your AWS SSO IdP: Step 1. Retrieve `Aviatrix SP Metadata <#awssso-saml-sp-metadata>`__ from the Aviatrix Controller + Step 2. Create an `AWS SSO SAML Application <#awssso-saml-app1>`__ for Aviatrix + Step 3. Retrieve `AWS SSO IdP metadata <#awssso-idp-metadata>`__ -Step 4. Continue Creating `AWS SSO SAML Application <#awssso-saml-app2>`__ for Aviatrix -Step 5. Update `Aviatrix SP Endpoint <#awssso-update-saml-endpoint>`__ in the Aviatrix Controller -Step 6. `Test the Integration <#awssso-test-integration>`__ is Set Up Correctly + +Step 4. Update `Aviatrix SP Endpoint <#awssso-update-saml-endpoint>`__ in the Aviatrix Controller + +Step 5. `Test the Integration <#awssso-test-integration>`__ is Set Up Correctly .. _awssso_saml_sp_metadata: -Retrieve Aviatrix SP Metadata from Aviatrix Controller -###################################################### +Step 1. Retrieve Aviatrix SP Metadata from Aviatrix Controller +############################################################## Before creating the AWS SSO SAML Application, AWS SSO requires the Service Provider (SP) metadata file from the Aviatrix Controller. You can create a temporary SP SAML endpoint to retrieve the SP metadata for now. Later on in the guide, the SP SAML endpoint will be updated. -Follow one of the links below according to your use case: +Visit one of the following links based on your use case and follow step1 (Create temporary Aviatrix SP Endpoint for Aviatrix) from the link's Configuration section: #. If integrating AWS SSO IdP with `Controller Login SAML Config `_ -#. If integrating AWS SSO IdP with `OpenVPN with SAML Authentication `_ +#. If integrating AWS SSO IdP with `OpenVPN with SAML Authentication `_ For AWS SSO, right click the **SP Metadata** button next to the SAML endpoint and save the file. 
@@ -57,16 +55,7 @@ For AWS SSO, right click the **SP Metadata** button next to the SAML endpoint an .. tip:: Save this XML file to your local machine. It will be uploaded to the AWS SSO IdP in the later steps. - -.. _awssso_saml_app1: - -Create an AWS SSO SAML Application (Part 1) -########################################### -.. note:: - - This step is usually done by the AWS SSO Admin. - -Before you start, pick a short name to be used for the SAML application name ``[Endpoint Name]``. In the notes below we will refer to this as **aviatrix_awssso**. But, it can be any string. +This step will ask you to pick a short name to be used for the SAML application name ``[Endpoint Name]``. In the notes below we will refer to this as **aviatrix_awssso**. It can be any string that will identify the SAML application you create in the IdP. We will use the string you select for the SAML application name to generate a URL for AWS SSO to connect with Aviatrix. This URL is defined below as **SP_ACS_URL**. This URL should be constructed as: @@ -76,6 +65,14 @@ We will use the string you select for the SAML application name to generate a UR Replace **<<>>** with the actual host name or IP address of your controller and **<<>>** with the ``[Endpoint Name]`` you chose to refer to the SAML application. +.. _awssso_saml_app1: + +Step 2. Create an AWS SSO SAML Application +########################################### +.. note:: + + This step is usually done by the AWS SSO Admin. + #. Login to your AWS console #. Go to the AWS Single Sign-On service #. Add a new Application (**Applications** > **Add a new application**) 
@@ -88,20 +85,6 @@ We will use the string you select for the SAML application name to generate a UR #. Enter a Display Name -.. _awssso_idp_metadata: - -Retrieve AWS SSO IdP metadata -############################# - -Copy the **AWS SSO IdP metadata file** URL. This URL will be provided to the Aviatrix SP endpoint later on. - - |imageCopyURL| - -.. _awssso_saml_app2: - -Create an AWS SSO SAML Application (Part 2) -########################################### - #. Scroll to **Application metadata** #. **Browse...** to the **SP Metadata** file saved in the `previous step (Step 1) <#awssso-saml-app>`_ #. Leave the **Application start URL** blank @@ -132,10 +115,22 @@ As shown below: #. Click **Save changes** +.. _awssso_idp_metadata: + +Step 3. Retrieve AWS SSO IdP metadata +##################################### + +Copy the **AWS SSO IdP metadata file** URL. This URL will be provided to the Aviatrix SP endpoint later on. + + |imageCopyURL| + +.. _awssso_saml_app2: + + .. _awssso_update_saml_endpoint: -Update Aviatrix SP Endpoint -########################### +Step 4. Update Aviatrix SP Endpoint +################################### .. note:: 
@@ -189,19 +184,22 @@ Continue with updating Aviatrix SAML Endpoint by visiting one of the following l
 .. _awssso_test_integration:
-Test the Integration
-####################
+5. Test the Integration
+########################
 .. tip::
 Be sure to assign users to the new application in AWS Single Sign-on service prior to validating. You can use AWS SSO Directory service under AWS SSO page to assign users. If you do not assign your test user to the Aviatrix SAML application, you will receive an error.
 Continue with testing the integration by visiting one of the following links based on your use case:
-1. If integrating AWS SSO IdP with `Controller Login SAML Config `_
+1. If integrating AWS SSO IdP with `Controller Login SAML Config `__
+
 #. Click `Settings` in the left navigation menu
 #. Select `Controller`
 #. Click on the `SAML Login` tab
-2. If integrating AWS SSO IdP with `OpenVPN with SAML Authentication `_
+
+2. If integrating AWS SSO IdP with `OpenVPN with SAML Authentication `__
+
 #. Expand `OpenVPN®` in the navigation menu and click `Advanced`
 #. Stay on the `SAML` tab
diff --git a/HowTos/SAML_Integration_Azure_AD_IdP.rst b/HowTos/SAML_Integration_Azure_AD_IdP.rst
index c19c0db2a..09f9e859e 100644
--- a/HowTos/SAML_Integration_Azure_AD_IdP.rst
+++ b/HowTos/SAML_Integration_Azure_AD_IdP.rst
@@ -20,12 +20,7 @@ Overview
 This guide provides an example on how to configure Aviatrix to authenticate against Azure AD IdP. When SAML client is used, your Aviatrix controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IdP (e.g., Azure AD) for authentication.
-Visit one of the following links based on your use case:
-
- If integrating Azure AD IdP with `Controller Login SAML Config `_
- If integrating Azure AD IdP with `OpenVPN with SAML Authentication `_
-
-Before configuring SAML integration between Aviatrix and Azure AD, make sure you have a valid Azure AD account with administrator access.
+Before configuring SAML integration between Aviatrix and Azure AD, make sure you have a valid Azure AD Premium subscription account with administrator access.
 Configuration Steps
@@ -33,18 +28,29 @@ Configuration Steps Follow these steps to configure Aviatrix to authenticate against your Azure AD IdP: -Step 1. Create a `Azure AD SAML Application <#azuread-saml-app>`__ for Aviatrix -Step 2. Retrieve `Azure AD IdP metadata <#azuread-idp-metadata>`__ -Step 3. Update `Aviatrix SP Endpoint <#azuread-update-saml-endpoint>`__ in the Aviatrix Controller -Step 4. `Test the Integration <#azuread-test-integration>`__ is Set Up Correctly +Step 1. Create a `temporary Aviatrix SP Endpoint <#aviatrix-endpoint>`__ in the Aviatrix Controller +Step 2. Create an `Azure AD SAML Application <#azuread-saml-app>`__ for Aviatrix in the Azure Portal's Premium Subscription Account -.. _azuread_saml_app: +Step 3. Retrieve the `Azure AD IdP metadata <#azuread-idp-metadata>`__ + +Step 4. Update the `Aviatrix SP Endpoint <#azuread-update-saml-endpoint>`__ in the Aviatrix Controller -Create an Azure AD SAML App for Aviatrix +Step 5. `Test the Integration <#azuread-test-integration>`__ is Set Up Correctly + + +.. _aviatrix_endpoint: + +Step 1. Create an Aviatrix SP Endpoint ######################################## -Before you start, pick a short name to be used for the SAML application name ``[Endpoint Name]``. In the notes below we will refer to this as **aviatrix_azuread**. But, it can be any string. +Visit one of the following links based on your use case and follow step1 (Create temporary Aviatrix SP Endpoint for Aviatrix) from the link's Configuration section: + + If integrating Azure AD IdP with `Controller Login SAML Config `_ + + If integrating Azure AD IdP with `OpenVPN with SAML Authentication `_ + +This step will ask you to pick a short name to be used for the SAML application name ``[Endpoint Name]``. In the notes below we will refer to this as **aviatrix_azuread**. It can be any string that will identify the SAML application you create in the IdP. 
We will use the string you select for the SAML application name to generate a URL for Azure AD to connect with Aviatrix. This URL is defined below as **SP_ACS_URL**. This URL should be constructed as: @@ -54,6 +60,11 @@ We will use the string you select for the SAML application name to generate a UR Replace **<<>>** with the actual host name or IP address of your controller and **<<>>** with the ``[Endpoint Name]`` you chose to refer to the SAML application. +.. _azuread_saml_app: + +Step 2. Create an Azure AD SAML App for Aviatrix +################################################ + **Connect to Azure** Login to your Azure portal @@ -114,7 +125,7 @@ Click **Single sign-on** below **Manage** | Relay State | (leave blank) | +----------------------------+-----------------------------------------+ - |imageSAMLSettings| + The links for the SAML Identifier, Reply URL, and Sign on URL should point to the Application Gateway domain instead of the Aviatrix controller. **User Attributes** @@ -134,11 +145,14 @@ Click **Single sign-on** below **Manage** |imageUserAttrs| +#. Verify that the Namespace URI is blank like so for each claim. + + |imageAttributeURI| .. _azuread_idp_metadata: -Retrieve Azure AD IdP metadata -############################## +Step 3. Retrieve the Azure AD IdP metadata +########################################## **SAML Signing Certificate** 
@@ -155,18 +169,19 @@ Click **Save** .. _azuread_update_saml_endpoint: -Update Aviatrix SP Endpoint -########################### +Step 4. Update the Aviatrix SP Endpoint +####################################### .. note:: This step is usually completed by the Aviatrix admin. - Azure AD IdP provides IdP Metadata through text obtained in `Retrieve Azure AD IdP metadata (Step 2) <#azuread-idp-metadata>`_. + Azure AD IdP provides IdP Metadata through text obtained in `Retrieve Azure AD IdP metadata (Step 3) <#azuread-idp-metadata>`_. Azure AD IdP requires a custom SAML request template. Continue with updating Aviatrix SAML Endpoint by visiting one of the following links based on your use case: #. If integrating Azure IdP with `Controller Login SAML Config `_ + #. If integrating Azure IdP with `OpenVPN with SAML Authentication `_ +----------------------------+-----------------------------------------+ @@ -197,14 +212,9 @@ Continue with updating Aviatrix SAML Endpoint by visiting one of the following l .. code-block:: xml + $Issuer - - - - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport - - .. note:: 
@@ -214,19 +224,19 @@ Continue with updating Aviatrix SAML Endpoint by visiting one of the following l .. _azuread_test_integration: -Test the Integration -#################### +Step 5. Test the Integration +############################ .. tip:: Be sure to assign users to the new application in Azure AD prior to validating. If you do not assign your test user to the Aviatrix SAML application, you will receive an error. Continue with testing the integration by visiting one of the following links based on your use case: -1. If integrating Azure AD IdP with `Controller Login SAML Config `_ +1. If integrating Azure AD IdP with `Controller Login SAML Config `__ #. Click `Settings` in the left navigation menu #. Select `Controller` #. Click on the `SAML Login` tab -2. If integrating Azure AD IdP with `OpenVPN with SAML Authentication `_ +2. If integrating Azure AD IdP with `OpenVPN with SAML Authentication `__ #. Expand `OpenVPN®` in the navigation menu and click `Advanced` #. Stay on the `SAML` tab @@ -245,3 +255,4 @@ You can quickly validate that the configuration is complete by clicking on the * .. |imageUserAttrs| image:: azuread_saml_media/azure_ad_saml_user_attrs.png .. |imageSAMLSettings| image:: azuread_saml_media/azure_ad_saml_settings.png .. |imageSAMLMetadata| image:: azuread_saml_media/azure_ad_saml_metadata.png +.. |imageAttributeURI| image:: azuread_saml_media/azure_ad_claim_edit.png diff --git a/HowTos/SAML_Integration_Centrify_IdP.rst b/HowTos/SAML_Integration_Centrify_IdP.rst index fe4757fa8..65bdd1377 100644 --- a/HowTos/SAML_Integration_Centrify_IdP.rst +++ b/HowTos/SAML_Integration_Centrify_IdP.rst 
@@ -14,11 +14,6 @@ Overview This guide provides an example on how to configure Aviatrix to authenticate against Centrify IdP. When SAML client is used, your Aviatrix controller acts as the Identity Service Provider (SP) that redirects browser traffic from client to IdP for authentication. -Visit one of the following links based on your use case: - - If integrating Centrify IdP with `Controller Login SAML Config `_ - If integrating Centrify IdP with `OpenVPN with SAML Authentication `_ - Before configuring SAML integration between Aviatrix and Centrify, make sure you have a valid Centrify account with administrator access. Configuration Steps @@ -27,15 +22,19 @@ Configuration Steps Follow these steps to configure Aviatrix to authenticate against your Azure AD IdP: Step 1. Retrieve `Aviatrix SP Metadata <#centrify-saml-sp-metadata>`__ from the Aviatrix Controller + Step 2. Create a `Centrify SAML Application <#centrify-saml-app>`__ for Aviatrix + Step 3. Retrieve `Centrify IdP metadata <#centrify-idp-metadata>`__ + Step 4. Update `Aviatrix SP Endpoint <#centrify-update-saml-endpoint>`__ in the Aviatrix Controller + Step 5. `Test the Integration <#centrify-test-integration>`__ is Set Up Correctly .. _centrify_saml_sp_metadata: -Retrieve Aviatrix SP Metadata from Aviatrix Controller -###################################################### +Step 1. Retrieve Aviatrix SP Metadata from Aviatrix Controller +############################################################### Before creating the Centrify SAML Application, Centrify requires the Service Provider (SP) metadata file from the Aviatrix Controller. You can create a temporary SP SAML endpoint to retrieve the SP metadata for now. Later on in the guide, the SP SAML endpoint will be updated. 
@@ -62,8 +61,8 @@ For Centrify, right click the **SP Metadata** button next to the SAML endpoint a .. _centrify_saml_app: -Create a Centrify SAML App for Aviatrix -####################################### +Step 2. Create a Centrify SAML App for Aviatrix +############################################### 1. From the Centrify App->Add New App->Custom, select SAML and click on “Add”. Click yes and close the prompt. This lets you configure the application. @@ -117,8 +116,8 @@ Create a Centrify SAML App for Aviatrix .. _centrify_idp_metadata: -Retrieve Centrify IdP metadata -############################## +Step 3. Retrieve Centrify IdP metadata +####################################### #. Copy the metadata URL from the Trust page. @@ -126,7 +125,7 @@ Retrieve Centrify IdP metadata .. _centrify_update_saml_endpoint: -Update Aviatrix SP Endpoint +Step 4. Update Aviatrix SP Endpoint ########################### .. note:: @@ -163,8 +162,8 @@ Continue with updating Aviatrix SAML Endpoint by visiting one of the following l .. _centrify_test_integration: -Test the Integration -#################### +Step 5. Test the Integration +############################# .. tip:: Be sure to assign users to the new application in Centrify prior to validating. If you do not assign your test user to the Aviatrix SAML application, you will receive an error. diff --git a/HowTos/SAML_Integration_Google_IdP.rst b/HowTos/SAML_Integration_Google_IdP.rst index 687698b46..3e82d293b 100644 --- a/HowTos/SAML_Integration_Google_IdP.rst +++ b/HowTos/SAML_Integration_Google_IdP.rst 
@@ -14,11 +14,6 @@ Overview This guide provides an example on how to configure Aviatrix to authenticate against a Google IdP. When SAML client is used, your Aviatrix controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IdP (e.g., Google) for authentication. -Visit one of the following links based on your use case: - - If integrating Google IdP with `Controller Login SAML Config `_ - If integrating Google IdP with `OpenVPN with SAML Authentication `_ - Before configuring SAML integration between Aviatrix and Google, make sure you have a valid Google account with administrator access. Configuration Steps 
@@ -26,49 +21,53 @@ Configuration Steps Follow these steps to configure Aviatrix to authenticate against your Google IdP: -Step 1. Create a `Google SAML Application <#google-saml-app1>`__ for Aviatrix +Step 1. Create a `temporary Aviatrix SP Endpoint <#aviatrix-endpoint>`__ in the Aviatrix Controller -Step 2. Retrieve `Google IdP metadata <#google-idp-metadata>`__ +Step 2. Create a `Google SAML Application <#google-saml-app1>`__ for Aviatrix -Step 3. Continue Creating `Google SAML Application <#google-saml-app2>`__ for Aviatrix +Step 3. Retrieve `Google IdP metadata <#google-idp-metadata>`__ Step 4. Update `Aviatrix SP Endpoint <#google-update-saml-endpoint>`__ in the Aviatrix Controller Step 5. `Test the Integration <#google-test-integration>`__ is Set Up Correctly +.. _aviatrix_endpoint: -.. _google_saml_app1: +Step 1. Create an Aviatrix SP Endpoint +######################################## -Create a Google SAML App for Aviatrix -##################################### +Visit one of the following links based on your use case and follow step1 (Create temporary Aviatrix SP Endpoint for Aviatrix) from the link's Configuration section: -.. note:: + If integrating Google IdP with `Controller Login SAML Config `_ - This step is usually done by the Google Admin. + If integrating Google IdP with `OpenVPN with SAML Authentication `_ -#. Login to the Google Admin portal -#. Follow `Google documentation `__ to create a new **custom** application. +This step will ask you to pick a short name to be used for the SAML application name ``[Endpoint Name]``. In the notes below we will refer to this as **aviatrix_google**. It can be any string that will identify the SAML application you create in the IdP. - Click on the `Setup My Own Custom App` +We will use the string you select for the SAML application name to generate a URL for Google IdP to connect with Aviatrix. This URL is defined below as **SP_ACS_URL**. 
This URL should be constructed as: - |imageStep1| +``https://<<>>/flask/saml/sso/<<>>`` -.. _google_idp_metadata: +.. tip:: -Retrieve Google IdP metadata -############################ + Replace **<<>>** with the actual host name or IP address of your controller and **<<>>** with the ``[Endpoint Name]`` you chose to refer to the SAML application. - Scroll down to `Option 2`. Click the `Download` button next to the `IdP metadata` label. - |imageStep2| +.. _google_saml_app1: - The IdP metadata text will be used to configure the Aviatrix SP Endpoint. +Step 2. Create a Google SAML App for Aviatrix +############################################### +.. note:: -.. _google_saml_app2: + This step is usually done by the Google Admin. -Continue Creating Google SAML App for Aviatrix -############################################## +#. Login to the Google Admin portal +#. Follow `Google documentation `__ to create a new **custom** application. + + Click on the `Setup My Own Custom App` + + |imageStep1| #. Basic Information 
@@ -132,15 +131,27 @@ Continue Creating Google SAML App for Aviatrix #. Open the Service Provider Details for the SAML application just created. Uncheck `Signed Response`. #. Click `Save` +.. _google_idp_metadata: + +Step 3. Retrieve Google IdP metadata +##################################### + + Scroll down to `Option 2`. Click the `Download` button next to the `IdP metadata` label. + + |imageStep2| + + The IdP metadata text will be used to configure the Aviatrix SP Endpoint. + + .. _google_update_saml_endpoint: -Update Aviatrix SP Endpoint -############################# +Step 4. Update Aviatrix SP Endpoint +################################### .. note:: This step is usually completed by the Aviatrix admin. - Google IdP provides IdP Metadata through text obtained in `Retrieve Google IdP metadata (Step 2) `_. + Google IdP provides IdP Metadata through text obtained in `Retrieve Google IdP metadata (Step 3) `_. Continue with updating Aviatrix SAML Endpoint by visiting one of the following links based on your use case: @@ -176,8 +187,8 @@ Continue with updating Aviatrix SAML Endpoint by visiting one of the following l .. _google_test_integration: -Test the Integration -#################### +Step 5. Test the Integration +############################ .. tip:: 
@@ -186,17 +197,19 @@ Test the Integration Continue with testing the integration by visiting one of the following links based on your use case: 1. If integrating Google IdP with `Controller Login SAML Config `_ + #. Click `Settings` in the left navigation menu #. Select `Controller` #. Click on the `SAML Login` tab + 2. If integrating Google IdP with `OpenVPN with SAML Authentication `_ + #. Expand `OpenVPN®` in the navigation menu and click `Advanced` #. Stay on the `SAML` tab You can quickly validate that the configuration is complete by clicking on the **Test** button next to the SAML endpoint. - .. |logoAlias1| replace:: Aviatrix logo with red background .. _logoAlias1: https://www.aviatrix.com/news/press-kit/logo-aviatrix.png diff --git a/HowTos/SAML_Integration_Okta_IdP.rst b/HowTos/SAML_Integration_Okta_IdP.rst index 03e3ddd09..a50249d96 100644 --- a/HowTos/SAML_Integration_Okta_IdP.rst +++ b/HowTos/SAML_Integration_Okta_IdP.rst 
@@ -14,38 +14,45 @@ Overview This guide provides an example on how to configure Okta as an IdP for an Aviatrix SAML SP (endpoint). When SAML client is used, your Aviatrix controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IdP (e.g., Okta) for authentication. -Visit one of the following links based on your use case: - - If integrating Okta IdP with `Controller Login SAML Config `_ - If integrating Okta IdP with `OpenVPN with SAML Authentication `_ - Before configuring SAML integration between Aviatrix and Okta, make sure you have a valid Okta account with administrator access. - Configuration Steps ------------------- Follow these steps to configure Aviatrix to authenticate against your Okta IdP: -Step 1. Create an `Okta SAML App <#okta-saml-app>`__ for Aviatrix +Step 1. Create a `temporary Aviatrix SP Endpoint <#aviatrix-endpoint>`__ in the Aviatrix Controller + +Step 2. Create an `Okta SAML App <#okta-saml-app>`__ for Aviatrix in the Okta Portal + +Step 3. Retrieve `Okta IdP metadata <#okta-idp-metadata>`__ + +Step 4. Update `Aviatrix SP Endpoint <#okta-update-saml-endpoint>`__ in the Aviatrix Controller + +Step 5. `Test the Integration <#okta-test-integration>`__ is Set Up Correctly + +.. _aviatrix_endpoint: + +Step 1. Create an Aviatrix SP Endpoint +######################################## -Step 2. Retrieve `Okta IdP metadata <#okta-idp-metadata>`__ +Visit one of the following links based on your use case and follow step1 (Create temporary Aviatrix SP Endpoint for Aviatrix) from the link's Configuration section: -Step 3. Update `Aviatrix SP Endpoint <#okta-update-saml-endpoint>`__ in the Aviatrix Controller + If integrating Okta IdP with `Controller Login SAML Config `_ -Step 4. `Test the Integration <#okta-test-integration>`__ is Set Up Correctly + If integrating Okta IdP with `OpenVPN with SAML Authentication `_ .. 
_okta_saml_app: -Create an Okta SAML App for Aviatrix -#################################### +Step 2. Create an Okta SAML App for Aviatrix +############################################ .. note:: This step is usually done by the Okta Admin. #. Login to the Okta Admin portal -#. Follow `Okta documentation `__ to create a new application. +#. Follow `Okta documentation `__ to create a new application. (Use Okta Classic UI to create the app) +----------------+----------------+ | Field | Value | @@ -55,7 +62,7 @@ Create an Okta SAML App for Aviatrix | Sign on method | SAML 2.0 | +----------------+----------------+ - |image0| + |image0| #. General Settings @@ -73,7 +80,7 @@ Create an Okta SAML App for Aviatrix | App visibility | N/A | Leave both options unchecked | +----------------+-----------------+----------------------------------------+ - |image1| + |image1| #. SAML Settings 
@@ -87,63 +94,61 @@ Create an Okta SAML App for Aviatrix | Audience URI | ``https://[host]/`` | | (SP Entity ID) | | +----------------------+----------------------------------------------------+ - | Default RelayState | | + | Default RelayState | ``https://[host]/#/dashboard`` | +----------------------+----------------------------------------------------+ | Name ID format | Unspecified | +----------------------+----------------------------------------------------+ | Application username | Okta username | +----------------------+----------------------------------------------------+ - ``[host]`` is the hostname or IP of your Aviatrix controller. For example, ``https://controller.demo.aviatrix.live`` + ``[host]`` is the hostname or IP of your Aviatrix controller. - ``[Endpoint Name]`` is an arbitrary identifier. This same value should be used when configuring SAML in the Aviatrix controller. The example uses ``dev`` for ``[Endpoint Name]`` - - |image2| + ``[Endpoint Name]`` is an arbitrary identifier. This same value should be used when configuring SAML in the Aviatrix controller. + The example uses ``aviatrix_saml_controller`` for ``[Endpoint Name]`` + + ``https://[host]/#/dashboard`` must be set as the Default RelayState so that after SAML authenticates, user will be redirected to dashboard. * Attribute Statements - +----------------+-----------------+--------------------------------------+ - | Name | Name format | Value | - +================+=================+======================================+ - | FirstName | Unspecified | user.firstName | - +----------------+-----------------+--------------------------------------+ - | LastName | Unspecified | user.lastName | - +----------------+-----------------+--------------------------------------+ - | Email | Unspecified | user.email | - +----------------+-----------------+--------------------------------------+ - - |image3| - - -#. You need to assign the application to your account. 
Please follow steps 11 through 14 at `Okta documentation `__ + +----------------+-----------------+--------------------------------------+ + | Name | Name format | Value | + +================+=================+======================================+ + | FirstName | Unspecified | user.firstName | + +----------------+-----------------+--------------------------------------+ + | LastName | Unspecified | user.lastName | + +----------------+-----------------+--------------------------------------+ + | Email | Unspecified | user.email | + +----------------+-----------------+--------------------------------------+ + |image2| .. _okta_idp_metadata: -Retrieve Okta IdP metadata -########################## +Step 3. Retrieve Okta IdP metadata +################################## .. note:: - This step is usually completed by the Okta admin. #. After the application is created in Okta, go to the `Sign On` tab for the application. #. Copy the URL from the *Identity Provider metadata* link. This value will be used to configure the Aviatrix SP Endpoint. - |image4| +|image4| +3. Assign the application to your account +|image8| .. _okta_update_saml_endpoint: -Update Aviatrix SP Endpoint -########################### +Step 4. Update Aviatrix SP Endpoint +################################### .. note:: This step is usually completed by the Aviatrix admin. - Okta IdP provides IdP Metadata through text or URL obtained in `Retrieve Okta IdP metadata (Step 2) <#okta-idp-metadata>`_. + Okta IdP provides IdP Metadata through text or URL obtained in `Retrieve Okta IdP metadata (Step 3) <#okta-idp-metadata>`_. Continue with updating Aviatrix SAML Endpoint by visiting one of the following links based on your use case: 
@@ -174,8 +179,8 @@ Continue with updating Aviatrix SAML Endpoint by visiting one of the following l .. _okta_test_integration: -Test the Integration -#################### +Step 5. Test the Integration +############################# .. tip:: Be sure to assign users to the new application in Okta prior to validating. If you do not assign your test user to the Aviatrix SAML application, you will receive an error. 
@@ -205,16 +210,16 @@ See this `article `_ - If integrating OneLogin IdP with `OpenVPN with SAML Authentication `_ - Before configuring SAML integration between Aviatrix and OneLogin, make sure you have a valid OneLogin account with administrator access. - Configuration Steps ------------------- Follow these steps to configure Aviatrix to authenticate against your OneLogin IdP: -Step 1. Create a `OneLogin SAML App <#onelogin-saml-app>`__ for Aviatrix +Step 1. Create a `temporary Aviatrix SP Endpoint <#aviatrix-endpoint>`__ in the Aviatrix Controller -Step 2. Retrieve `OneLogin IdP metadata <#onelogin-idp-metadata>`__ +Step 2. Create a `OneLogin SAML App <#onelogin-saml-app>`__ for Aviatrix in OneLogin's Portal -Step 3. Update `Aviatrix SP Endpoint <#onelogin-update-saml-endpoint>`__ in the Aviatrix Controller +Step 3. Retrieve `OneLogin IdP metadata <#onelogin-idp-metadata>`__ -Step 4. `Test the Integration <#onelogin-test-integration>`__ is Set Up Correctly +Step 4. Update `Aviatrix SP Endpoint <#onelogin-update-saml-endpoint>`__ in the Aviatrix Controller -.. _onelogin_saml_app: +Step 5. `Test the Integration <#onelogin-test-integration>`__ is Set Up Correctly -Create a OneLogin SAML App for Aviatrix -####################################### -.. note:: +.. _aviatrix_endpoint: - This step is usually done by the OneLogin Admin. +Step 1. Create an Aviatrix SP Endpoint +######################################## -Before you start, pick a short name to be used for the SAML application name ``[Endpoint Name]``. In the notes below we will refer to this as **aviatrix_onelogin**. But, it can be any string. 
+Visit one of the following links based on your use case and follow step1 (Create temporary Aviatrix SP Endpoint for Aviatrix) from the link's Configuration section: + + If integrating OneLogin IdP with `Controller Login SAML Config `_ + + If integrating OneLogin IdP with `OpenVPN with SAML Authentication `_ + +This step will ask you to pick a short name to be used for the SAML application name ``[Endpoint Name]``. In the notes below we will refer to this as **aviatrix_onelogin**. It can be any string that will identify the SAML application you create in the IdP. We will use the string you select for the SAML application name to generate a URL for OneLogin to connect with Aviatrix. This URL is defined below as **SP_ACS_URL**. This URL should be constructed as: @@ -53,6 +52,14 @@ We will use the string you select for the SAML application name to generate a UR Replace **** with the actual host name or IP address of your controller and **** with the ``[Endpoint Name]`` you chose to refer to the SAML application. +.. _onelogin_saml_app: + +Step 2. Create a OneLogin SAML App for Aviatrix +################################################ +.. note:: + + This step is usually done by the OneLogin Admin. + #. Login to OneLogin as an administrator #. To add a new app go to **Applications** > **Applications** > click **Add Apps** @@ -77,7 +84,7 @@ We will use the string you select for the SAML application name to generate a UR +====================+======================================================+ | RelayState | Blank | +--------------------+------------------------------------------------------+ - | Audience | **SP_ACS_URL** | + | Audience(Entity ID)| **SP Entity ID** | +--------------------+------------------------------------------------------+ | Recipient | **SP_ACS_URL** | +--------------------+------------------------------------------------------+ 
@@ -88,7 +95,7 @@ We will use the string you select for the SAML application name to generate a UR +--------------------+------------------------------------------------------+ | Single Logout URL | Blank | +--------------------+------------------------------------------------------+ - | Login URL | Blank | + | Login URL | **SP Login(Test) URL** | +--------------------+------------------------------------------------------+ | SAML not valid | 3 (default) | | before | | @@ -96,9 +103,11 @@ We will use the string you select for the SAML application name to generate a UR | SAML not valid | 3 (default) | | on or after | | +--------------------+------------------------------------------------------+ - | SAML initiator | OneLogin (default) | + | SAML initiator | Service Provider | + +--------------------+------------------------------------------------------+ + | SAML nameID format | Transient | +--------------------+------------------------------------------------------+ - | SAML nameID format | Email (default) | + | SAML issuer type | Specific (default) | +--------------------+------------------------------------------------------+ | SAML signature | Assertion | | element | | @@ -108,6 +117,8 @@ We will use the string you select for the SAML application name to generate a UR | SAML encryption | TRIPLEDES-CBC (default) | | method | | +--------------------+------------------------------------------------------+ + | Sign SLO Response | Unchecked (default) | + +--------------------+------------------------------------------------------+ | SAML | 1440 (default) | | sessionNotOnOrAfter| | +--------------------+------------------------------------------------------+ 
@@ -115,7 +126,11 @@ We will use the string you select for the SAML application name to generate a UR | AttributeValue tag | | | for empty values | | +--------------------+------------------------------------------------------+ - + | Sign SLO Request | Unchecked (default) | + +--------------------+------------------------------------------------------+ + + |imageConfiguration| + #. Click **Save** #. Click on the **Parameters** tab #. Add the following custom parameters (case sensitive) @@ -144,23 +159,23 @@ We will use the string you select for the SAML application name to generate a UR .. _onelogin_idp_metadata: -Retrieve OneLogin IdP metadata -############################## +Step 3. Retrieve OneLogin IdP metadata +###################################### -#. Click on **SSO** tab -#. Copy the **Issuer URL** for the next step. This URL will be provided to the Aviatrix SP Endpoint. +#. Click on **More actions** dropdown +#. Copy the URL from the **SAML Metadata** for the next step. This URL will be provided to the Aviatrix SP Endpoint. |imageOLSSOTab| .. _onelogin_update_saml_endpoint: -Update Aviatrix SP Endpoint -########################### +Step 4. Update Aviatrix SP Endpoint +################################### .. note:: This step is usually completed by the Aviatrix admin. - OneLogin IdP provides IdP Metadata through URL obtained in `Retrieve OneLogin IdP metadata (Step 2) <#onelogin-idp-metadata>`_. + OneLogin IdP provides IdP Metadata through URL obtained in `Retrieve OneLogin IdP metadata (Step 3) <#onelogin-idp-metadata>`_. Continue with updating Aviatrix SAML Endpoint by visiting one of the following links based on your use case: 
@@ -175,7 +190,8 @@ Continue with updating Aviatrix SAML Endpoint by visiting one of the following l | IPD Metadata Type | URL | +----------------------------+-----------------------------------------+ | IdP Metadata Text/URL | Paste in the **Issuer URL** obtained | - | | from the `OneLogin app <#onelogin-idpimetadata>`_. | + | | from the `OneLogin app | + | | <#onelogin-idpimetadata>`_. | +----------------------------+-----------------------------------------+ | Entity ID | Select `Hostname` | +----------------------------+-----------------------------------------+ @@ -191,21 +207,25 @@ Continue with updating Aviatrix SAML Endpoint by visiting one of the following l .. _onelogin_test_integration: -Test the Integration -#################### +Step 5. Test the Integration +############################# .. tip:: Be sure to assign users to the new application in OneLogin prior to validating. If you do not assign your test user to the Aviatrix SAML application, you will receive an error. Continue with testing the integration by visiting one of the following links based on your use case: -1. If integrating OneLogin IdP with `Controller Login SAML Config `_ +1. If integrating OneLogin IdP with `Controller Login SAML Configuration `_ + #. Click `Settings` in the left navigation menu #. Select `Controller` #. Click on the `SAML Login` tab -2. If integrating OneLogin IdP with `OpenVPN with SAML Authentication `_ + +2. If integrating OneLogin IdP with `OpenVPN with SAML Auth `_ + #. Expand `OpenVPN®` in the navigation menu and click `Advanced` #. Stay on the `SAML` tab + You can quickly validate that the configuration is complete by clicking on the **Test** button next to the SAML endpoint. |imageAvtxTestSAML| 
@@ -218,4 +238,6 @@ You can quickly validate that the configuration is complete by clicking on the * .. |imageAvtxTestSAML| image:: onelogin_saml_media/avtx_saml_endpoint_test.png .. |imageAvtxSAMLEndpoint| image:: onelogin_saml_media/avtx_saml_endpoint.png .. |imageOLAddAppsMenu| image:: onelogin_saml_media/onelogin_select_add_apps.png -.. |imageOLSSOTab| image:: onelogin_saml_media/onelogin_issuer_url.png +.. |imageOLSSOTab| image:: onelogin_saml_media/onelogin_issuer_url.png\ +.. |imageConfiguration| image:: onelogin_saml_media/onelogin_configuration.png + diff --git a/HowTos/SAML_Integration_PingOne_IdP.rst b/HowTos/SAML_Integration_PingOne_IdP.rst new file mode 100644 index 000000000..08f978628 --- /dev/null +++ b/HowTos/SAML_Integration_PingOne_IdP.rst 
@@ -0,0 +1,260 @@ +.. meta:: + :description: PingOne for Customers for SAML Integration + :keywords: PingOne, SAML, user vpn, PingOne saml, Aviatrix, OpenVPN, Controller + +.. toctree:: + :numbered: + +============================================================================== +PingOne for Customers IdP for SAML Integration +============================================================================== + +Overview +------------ + +This guide provides an example on how to configure PingOne for Customers as an IdP for an Aviatrix SAML SP (endpoint). When SAML client is used, your Aviatrix controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IdP (e.g., PingOne for Customers) for authentication. + +Before configuring SAML integration between Aviatrix and PingOne for Customers, make sure you have a valid PingOne for Customers account with administrator access. + +Configuration Steps +------------------- + +Follow these steps to configure Aviatrix to authenticate against your PingOne for Customers IdP: + +Step 1. Create a `temporary Aviatrix SP Endpoint <#aviatrix-endpoint>`__ in the Aviatrix Controller + +Step 2. Create a `PingOne Web SAML App <#pingone-web-saml-app>`__ for Aviatrix in the PingOne for Customers Portal + +Step 3. Retrieve `PingOne IdP metadata URL <#pingone-idp-metadata>`__ + +Step 4. Update `Aviatrix SP Endpoint <#pingone-update-saml-endpoint>`__ in the Aviatrix Controller + +Step 5. `Test the Integration <#pingone-test-integration>`__ is Set Up Correctly + +.. _aviatrix_endpoint: + +Step 1. Create an Aviatrix SP Endpoint +######################################## + +Visit one of the following links based on your use case and follow step1 (Create temporary Aviatrix SP Endpoint for Aviatrix) from the link's Configuration section: + + If integrating PingOne IdP with `Controller Login SAML Config `_ + + If integrating PingOne IdP with `OpenVPN with SAML Authentication `_ + +.. 
_pingone-web-saml-app: + +Step 2. Create a PingOne Web SAML App for Aviatrix +############################################### + +.. note:: + + This step is usually done by the PingOne for Customers Admin. + +#. Login to the PingOne Admin portal + +#. Follow `PingOne documentation `__ to add a Web SAML application + +#. On the top of the page, click Connections. + +#. On the left, click Applications and then + Application. + + |pingone_idp_adding_web_saml_app_01| + +#. Click WEB APP, and then for SAML, click Configure. + + |pingone_idp_adding_web_saml_app_02| + +#. Create the application profile by entering the following information: + + +----------------------+---------------------------------------------------------+ + | Field | Value | + +======================+=========================================================+ + | Application name | A unique identifier for the application. | + +----------------------+---------------------------------------------------------+ + | Description | (optional)A brief characterization of the application. | + +----------------------+---------------------------------------------------------+ + | Icon | (optional)A pictorial representation of the application.| + | | Use a file up to 1MB in JPG, JPEG, GIF, or PNG format. | + +----------------------+---------------------------------------------------------+ + +#. 
For Configure SAML Connection, enter the following: + + +------------------------------+---------------------------------------------------+ + | Field | Value | + +------------------------------+---------------------------------------------------+ + | ACS URLs | ``https://[host]/flask/saml/sso/[Endpoint Name]`` | + +------------------------------+---------------------------------------------------+ + | Signing certificate | PingOne SSO Certificate for Default environment | + +------------------------------+---------------------------------------------------+ + | Signing | Sign Assertion | + +------------------------------+---------------------------------------------------+ + | Signing Algorithm | RSA_SHA256 | + +------------------------------+---------------------------------------------------+ + | Encryption | DISABLED | + +------------------------------+---------------------------------------------------+ + | Entity ID | ``https://[host]/`` | + +------------------------------+---------------------------------------------------+ + | SLO endpoint | Not Specified | + +------------------------------+---------------------------------------------------+ + | SLO response endpoint | Not Specified | + +------------------------------+---------------------------------------------------+ + | SLO binding | HTTP POST | + +------------------------------+---------------------------------------------------+ + | Assertion validity duration | 300 | + +------------------------------+---------------------------------------------------+ + | Target Application URL | Not Specified | + +------------------------------+---------------------------------------------------+ + | Enforce signed Authn request | Disabled | + +------------------------------+---------------------------------------------------+ + | Verification certificate | No Verification Certificates Selected | + +------------------------------+---------------------------------------------------+ + + .. 
note:: + + ``[host]`` is the hostname or IP of your Aviatrix controller. For example, ``https://controller.demo.aviatrix.live`` + + ``[Endpoint Name]`` is an arbitrary identifier. This same value should be used when configuring SAML in the Aviatrix controller. + + ``[Entity ID]`` is using ``https://[host]/`` as default if you select `Hostname` option when configuring SAML in the Aviatrix controller. + + |pingone_idp_configuring_saml_connection| + +#. Click Save and Continue. + +#. For attribute mapping, click the button "+ADD ATTRIBUTE" and then select "PingOne Attribute" to map PingOne user attribute to an attribute in this application as below. + + +------------------------+-----------------------+ + | PINGONE USER ATTRIBUTE | APPLICATION ATTRIBUTE | + +------------------------+-----------------------+ + | User ID | saml_subject | + +------------------------+-----------------------+ + | Given Name | FirstName | + +------------------------+-----------------------+ + | Family Name | LastName | + +------------------------+-----------------------+ + | Email Address | Email | + +------------------------+-----------------------+ + + .. note:: + + Notes: User ID is a default required in PingOne + + |pingone_idp_configuring_attribute_mapping| + +#. Click Save and Close. + +#. Enable the WEB SAML APP + + |pingone_idp_enable| + +.. _pingone_idp_metadata: + +Step 3. Retrieve PingOne IdP metadata +##################################### + +.. note:: + + This step is usually completed by the PingOne for Customers admin. + +#. After the application is created in PingOne, click Connections on the top of the page and then click Applications on the left. + +#. Locate the Web SAML application that we just created. + +#. Click the details icon to expand the Web SAML application and then click the button "Configuration". + +#. Copy the URL from the IDP Metadata URL from the CONNECTION DETAILS. This value will be used to configure the Aviatrix SP Endpoint. 
+ + |pingone_idp_retrieve_idp_metadata_url| + +.. _pingone_update_saml_endpoint: + +Step 4. Update Aviatrix SP Endpoint +################################### + +.. note:: + This step is usually completed by the Aviatrix admin. PineOne IdP provides IdP Metadata through URL obtained in Retrieve `PingOne IdP metadata URL <#pingone-idp-metadata>`__ step. PingOne for Customers IdP requires a custom SAML request template. + +Continue with updating Aviatrix SAML Endpoint by visiting one of the following links based on your use case: + +#. If integrating PineOne IdP with `Controller Login SAML Config `_ + +#. If integrating PineOne IdP with `OpenVPN with SAML Authentication `_ + + +-------------------------+-------------------------------------------------+ + | Field | Value | + +=========================+=================================================+ + | Endpoint Name | ``[Endpoint Name]`` (Use the same name you | + | | entered in the PingONe Application previously) | + +-------------------------+-------------------------------------------------+ + | IdP Metadata Type | URL | + +-------------------------+-------------------------------------------------+ + | IdP Metadata URL | ``URL copied from PingOne`` (IdP metadata URL) | + +-------------------------+-------------------------------------------------+ + | Entity ID | Select `Hostname` | + +-------------------------+-------------------------------------------------+ + | Custom SAML Request | Check the box and either copy the below format | + | Template | into the prompt text box or modify it | + +-------------------------+-------------------------------------------------+ + + |pingone_idp_reformat_custom_saml_request_template| + +.. code-block:: xml + + + + $Issuer + + urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + + + +.. _pingone_test_integration: + +Step 5. 
Test the Integration +############################# + +Continue with testing the integration by visiting one of the following links based on your use case: + +1. If integrating PingOne IdP with `Controller Login SAML Config `_ + + #. Click `Settings` in the left navigation menu + + #. Select `Controller` + + #. Click on the `SAML Login` tab + +2. If integrating PingOne IdP with `OpenVPN with SAML Authentication `_ + + #. Expand `OpenVPN®` in the navigation menu and click `Advanced` + + #. Stay on the `SAML` tab + +You can quickly validate that the configuration is complete by clicking on the **Test** button next to the SAML endpoint. + +OpenVPN is a registered trademark of OpenVPN Inc. + +.. |logoAlias1| replace:: Aviatrix logo with red background +.. _logoAlias1: https://www.aviatrix.com/news/press-kit/logo-aviatrix.png + +.. |logoAlias2| replace:: Aviatrix logo with transparent background +.. _logoAlias2: https://www.aviatrix.com/images/logo-reverse.png + +.. |pingone_idp_adding_web_saml_app_01| image:: SAML_Integration_PingOne_IdP_media/pingone_idp_adding_web_saml_app_01.png + +.. |pingone_idp_adding_web_saml_app_02| image:: SAML_Integration_PingOne_IdP_media/pingone_idp_adding_web_saml_app_02.png + +.. |pingone_idp_configuring_saml_connection| image:: SAML_Integration_PingOne_IdP_media/pingone_idp_configuring_saml_connection.png + +.. |pingone_idp_configuring_attribute_mapping| image:: SAML_Integration_PingOne_IdP_media/pingone_idp_configuring_attribute_mapping.png + +.. |pingone_idp_enable| image:: SAML_Integration_PingOne_IdP_media/pingone_idp_enable.png + +.. |pingone_idp_retrieve_idp_metadata_url| image:: SAML_Integration_PingOne_IdP_media/pingone_idp_retrieve_idp_metadata_url.png + +.. |pingone_idp_reformat_custom_saml_request_template| image:: SAML_Integration_PingOne_IdP_media/pingone_idp_reformat_custom_saml_request_template.png + +.. 
|imageControllerNavOpenVPNAdvanced| image:: SAML_Integration_PingOne_IdP_media/OpenVPN_Advanced_SAML_AddNew.png + :scale: 50% + +.. disqus:: diff --git a/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_adding_web_saml_app_01.png b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_adding_web_saml_app_01.png new file mode 100644 index 000000000..570849294 Binary files /dev/null and b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_adding_web_saml_app_01.png differ diff --git a/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_adding_web_saml_app_02.png b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_adding_web_saml_app_02.png new file mode 100644 index 000000000..241b7bde3 Binary files /dev/null and b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_adding_web_saml_app_02.png differ diff --git a/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_configuring_attribute_mapping.png b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_configuring_attribute_mapping.png new file mode 100644 index 000000000..f1e48333e Binary files /dev/null and b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_configuring_attribute_mapping.png differ diff --git a/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_configuring_saml_connection.png b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_configuring_saml_connection.png new file mode 100644 index 000000000..bfd453c1e Binary files /dev/null and b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_configuring_saml_connection.png differ diff --git a/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_enable.png b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_enable.png new file mode 100644 index 000000000..69781a7cb Binary files /dev/null and b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_enable.png differ 
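Review bot: The Overview says the Aviatrix controller "acts as the Identity Service Provider (ISP)", but in the flow this guide describes the controller is the SAML Service Provider (SP) and PingOne is the IdP, which is also how Steps 1 and 4 name it ("Aviatrix SP Endpoint"); suggest `your Aviatrix controller acts as the SAML Service Provider (SP) that redirects the browser from the client to the IdP (e.g., PingOne for Customers) for authentication`. In the Step 2 connection table the app is configured with `Encryption: DISABLED` and `Enforce signed Authn request: Disabled`, leaving the signed assertion (`Signing: Sign Assertion`, `RSA_SHA256`) as the only integrity protection, so the note under that table should say that the IdP Metadata URL copied in Step 3 is presumably what supplies the IdP signing certificate to the controller and must be copied exactly and kept as an https URL. Step 4 spells the vendor "PineOne" three times and "PingONe" once, and the Step 2 heading underline looks shorter than its title, which Sphinx reports as a warning. The `.. code-block:: xml` request template shows only `$Issuer` and the `PasswordProtectedTransport` class with no element tags in this view; if that is how the file was committed, the template is not usable and the elements need restoring.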
diff --git a/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_reformat_custom_saml_request_template.png b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_reformat_custom_saml_request_template.png new file mode 100644 index 000000000..462adbb99 Binary files /dev/null and b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_reformat_custom_saml_request_template.png differ diff --git a/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_retrieve_idp_metadata_url.png b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_retrieve_idp_metadata_url.png new file mode 100644 index 000000000..e5e6dc98c Binary files /dev/null and b/HowTos/SAML_Integration_PingOne_IdP_media/pingone_idp_retrieve_idp_metadata_url.png differ diff --git a/HowTos/Service_Chaining_Ref_Design.rst b/HowTos/Service_Chaining_Ref_Design.rst index 7f36f0516..f50d664c6 100644 --- a/HowTos/Service_Chaining_Ref_Design.rst +++ b/HowTos/Service_Chaining_Ref_Design.rst @@ -74,7 +74,7 @@ steps highlighted. 2. Note: You can create more peering connections from VPC-1, all traffic will be inspected. -3. For support, send email to support@aviatrix.com. +3. For support, please open a support ticket at `Aviatrix Support Portal `_ 4. Enjoy! diff --git a/HowTos/Settings_CoPilot.rst b/HowTos/Settings_CoPilot.rst new file mode 100644 index 000000000..5b003f0ac --- /dev/null +++ b/HowTos/Settings_CoPilot.rst 
@@ -0,0 +1,19 @@ +.. meta:: + :description: Documentation for associating CoPilot with controller + :keywords: CoPilot, association + +################################### +CoPilot +################################### +This document describes the **CoPilot** configurations under Settings in Aviatrix Controller. + +CoPilot Association +=========================== +When “Status” is enabled, the CoPilot with the "IP Address/Hostname" you specify is associated with the Controller. After the association is enabled, a user can sign into the CoPilot without a username and password from the Controller homepage (by clicking on the CoPilot button in the action bar). + + |image0| + +.. |image0| image:: CoPilot_media/image0.png + :scale: 30% + +.. disqus:: diff --git a/HowTos/Settings_Controller.rst b/HowTos/Settings_Controller.rst deleted file mode 100644 index 9a9b1cfc4..000000000 --- a/HowTos/Settings_Controller.rst +++ /dev/null @@ -1,17 +0,0 @@ -.. meta:: - :description: Documentation for System Time, License, Email, 2FA Login - :keywords: System Time, NTP, UTC, timezone, sync, License, customer id, Email, 2FA, Duo - -################################### -Controller -################################### - -- System Time - -- License - -- Email - -- 2FA Login - -.. disqus:: diff --git a/HowTos/Settings_Maintenance.rst b/HowTos/Settings_Maintenance.rst index 22d6bcb69..6770d760f 100644 --- a/HowTos/Settings_Maintenance.rst +++ b/HowTos/Settings_Maintenance.rst 
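Review bot: The CoPilot Association paragraph says a user can sign into CoPilot "without a username and password from the Controller homepage" but does not say what authenticates that user; presumably the Controller login session is what the associated CoPilot trusts, and if so the page should state it, since it means whatever protects Controller login (local password, 2FA, SAML) now also gates CoPilot access. Suggest adding after that sentence, once confirmed with engineering: `Because the password prompt is skipped, the Controller login is the authentication step for CoPilot; CoPilot access is therefore governed by the Controller's login controls.` The same sentence mixes curly quotes (“Status”) with straight quotes ("IP Address/Hostname"); pick one style.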
@@ -10,5 +10,26 @@ Maintenance - `Controller HA. `__ +- `Software Patches. `__ + +- `Security Patches. `__ + +Gateway Upgrade Status +=========================== +Gateway's information about upgrade and release can be checked in controller's console Settings -> Upgrade -> Gateways Upgrade Status. Gateway Upgrade Status shows the following: + + 1. Total number of gateways + #. Gateway Names + #. Gateway's current and previous software v`ersion and build number + #. Gateway's upgrade status + +Security and Software Patches Status +======================================= +Aviatrix System releases patches time to time to fulfil the security compliance and to block any security found in a code. The software and security patches status can be checked in Controller's console. + +For Security Patches Status go to Settings -> Maintenance -> Security Patches, select controller or gateway under Gateway / Controller Status and click Collect to check the patch status. + +For Software Patches Status go to Settings -> Maintenance -> Software Patches, select controller or gateway under Gateway / Controller Status and click Collect to check the patch status. + .. disqus:: diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute.rst b/HowTos/Setup_Okta_SAML_Profile_Attribute.rst similarity index 77% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute.rst rename to HowTos/Setup_Okta_SAML_Profile_Attribute.rst index d01bafa70..3ea512878 100644 --- a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute.rst +++ b/HowTos/Setup_Okta_SAML_Profile_Attribute.rst @@ -1,4 +1,4 @@ -.. meta:: +.. meta:: :description: Setup Okta SAML with Profile Attribute :keywords: Okta, Profile 
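Review bot: The new Gateway Upgrade Status list item contains a stray backtick in `software v`ersion`, which docutils reports as unterminated inline markup and renders with a literal backtick; it should read `#. Gateway's current and previous software version and build number`. The opening sentence of "Security and Software Patches Status" is hard to parse ("to block any security found in a code"); suggest `Aviatrix releases patches from time to time to meet security compliance requirements and to fix security issues found in the code.` The two added `Software Patches.`/`Security Patches.` links show no target in this view; if the file really has empty `<>` targets they will not resolve, so confirm the URLs are present in the committed source.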
@@ -152,7 +152,7 @@ Here are the steps for setting up the example: |assign-app| -#. Follow Steps 1 and 2 in `Setup Okta Profile attribute `__ to define the **Profile** +#. Follow Steps 1 and 2 in `Setup Okta Profile attribute <#okta-setup>`__ to define the **Profile** attribute in Okta. #. Follow `Assign VPN profile <#okta-fill-attribute>`__ to 
@@ -173,58 +173,58 @@ Here are the steps for setting up the example: |dashboard_user_without_profile| -.. |open_profile_editor| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/open_profile_editor.png +.. |open_profile_editor| image:: Setup_Okta_SAML_Profile_Attribute_media/open_profile_editor.png :scale: 70% -.. |open_user_template| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/open_user_template.png +.. |open_user_template| image:: Setup_Okta_SAML_Profile_Attribute_media/open_user_template.png :scale: 70% -.. |profile_editor_add| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/profile_editor_add.png +.. |profile_editor_add| image:: Setup_Okta_SAML_Profile_Attribute_media/profile_editor_add.png :scale: 70% -.. |add_profile_attribute_to_user_template| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user_template.png +.. |add_profile_attribute_to_user_template| image:: Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user_template.png :scale: 70% -.. |add_profile_attribute_to_app| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_app.png +.. |add_profile_attribute_to_app| image:: Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_app.png :scale: 70% -.. |add_profile_attribute_to_user| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user.png +.. |add_profile_attribute_to_user| image:: Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user.png :scale: 70% -.. |dashboard_user_with_profile| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_with_profile.png +.. |dashboard_user_with_profile| image:: Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_with_profile.png :scale: 70% -.. |browser_user_with_profile| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/browser_user_with_profile.png +.. 
|browser_user_with_profile| image:: Setup_Okta_SAML_Profile_Attribute_media/browser_user_with_profile.png :scale: 70% -.. |dashboard_user_without_profile| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_without_profile.png +.. |dashboard_user_without_profile| image:: Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_without_profile.png :scale: 70% -.. |browser_user_without_profile| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/browser_user_without_profile.png +.. |browser_user_without_profile| image:: Setup_Okta_SAML_Profile_Attribute_media/browser_user_without_profile.png :scale: 70% -.. |vpn-5-1-okta| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/vpn-5-1-okta.png +.. |vpn-5-1-okta| image:: Setup_Okta_SAML_Profile_Attribute_media/vpn-5-1-okta.png :scale: 70% -.. |cert-sharing| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/cert-sharing.png +.. |cert-sharing| image:: Setup_Okta_SAML_Profile_Attribute_media/cert-sharing.png :scale: 70% -.. |default-profile| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/default-profile.png +.. |default-profile| image:: Setup_Okta_SAML_Profile_Attribute_media/default-profile.png :scale: 70% -.. |access-profile| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/access-profile.png +.. |access-profile| image:: Setup_Okta_SAML_Profile_Attribute_media/access-profile.png :scale: 70% -.. |vpn-user| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/vpn-user.png +.. |vpn-user| image:: Setup_Okta_SAML_Profile_Attribute_media/vpn-user.png :scale: 70% -.. |download-cert| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/download-ovpn.png +.. |download-cert| image:: Setup_Okta_SAML_Profile_Attribute_media/download-ovpn.png :scale: 70% -.. |add-person| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/add-person.png +.. |add-person| image:: Setup_Okta_SAML_Profile_Attribute_media/add-person.png :scale: 70% -.. 
|assign-app| image:: Howto_Setup_Okta_SAML_Profile_Attribute_media/assign-app.png +.. |assign-app| image:: Setup_Okta_SAML_Profile_Attribute_media/assign-app.png :scale: 70% .. disqus:: diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/access-profile.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/access-profile.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/access-profile.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/access-profile.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/add-person.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/add-person.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/add-person.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/add-person.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_app.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_app.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_app.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_app.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user.png 
diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user_template.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user_template.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user_template.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/add_profile_attribute_to_user_template.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/assign-app.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/assign-app.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/assign-app.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/assign-app.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/browser_user_with_profile.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/browser_user_with_profile.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/browser_user_with_profile.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/browser_user_with_profile.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/browser_user_without_profile.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/browser_user_without_profile.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/browser_user_without_profile.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/browser_user_without_profile.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/cert-sharing.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/cert-sharing.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/cert-sharing.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/cert-sharing.png 
diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_with_profile.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_with_profile.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_with_profile.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_with_profile.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_without_profile.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_without_profile.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_without_profile.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_without_profile.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_without_profile2.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_without_profile2.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_without_profile2.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/dashboard_user_without_profile2.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/default-profile.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/default-profile.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/default-profile.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/default-profile.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/download-ovpn.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/download-ovpn.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/download-ovpn.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/download-ovpn.png 
diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/open_profile_editor.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/open_profile_editor.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/open_profile_editor.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/open_profile_editor.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/open_user_template.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/open_user_template.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/open_user_template.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/open_user_template.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/profile_editor_add.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/profile_editor_add.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/profile_editor_add.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/profile_editor_add.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/vpn-5-1-okta.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/vpn-5-1-okta.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/vpn-5-1-okta.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/vpn-5-1-okta.png diff --git a/HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/vpn-user.png b/HowTos/Setup_Okta_SAML_Profile_Attribute_media/vpn-user.png similarity index 100% rename from HowTos/HowTo_Setup_Okta_SAML_Profile_Attribute_media/vpn-user.png rename to HowTos/Setup_Okta_SAML_Profile_Attribute_media/vpn-user.png diff --git a/HowTos/Setup_PingOne_SAML_Profile_Attribute.rst b/HowTos/Setup_PingOne_SAML_Profile_Attribute.rst new file mode 100644 index 000000000..579e95c3b --- /dev/null +++ b/HowTos/Setup_PingOne_SAML_Profile_Attribute.rst 
@@ -0,0 +1,160 @@ +.. meta:: + :description: Setup PingOne for Customers web SAML app with Profile Attribute + :keywords: Profile, PingOne, PingOne for Customers, SAML, user vpn, PingOne saml, Aviatrix, OpenVPN, Controller + +=============================================================== +Setup PingOne for Customers web SAML app with Profile Attribute +=============================================================== + +This guide demonstrates the use of the **Profile** attribute in **PingOne for Customers** so each SAML user can be assigned a different VPN profile. + +How VPN profile works +--------------------- + +The VPN profiles defined at the **Controller/OpenVPN/Profiles** contain egress control policy. They are attached to the VPN users defined at **Controller/OpenVPN/VPN Users** for controlling their VPN egress traffic. Users without a profile is the same as having a profile with an **allow-all** policy, i.e., their egress traffic are unrestricted. + +For SAML VPN, the SAML user definition at the IDP has a **Profile** attribute for specifying a VPN profile, overriding the corresponding user's VPN profile assigned at the controller. If unspecified, the corresponding VPN profile assigned at the controller will be used. + +.. _pingone_for_customers_setup: + +Setup PingOne for Customers Profile attribute +--------------------------------------------- + +#. `Define a new User attribute <#pingone-for-customers-new-user-attribute>`__ in the PingOne for customers portal for storing the VPN profile name. + +#. `Define an attribute mapping <#pingone-for-customers-map-attribute>`__ for the new attribute using the name **Profile** so that the web SAML application knows how to compose the **Profile** information in the SAML response. + +#. `Assign VPN profile <#pingone-for-customers-user-fill-attribute>`__ to each SAML user. + +#. `Validate <#pingone-for-customers-validation>`__ the setup. + +.. 
_pingone_for_customers_new_user_attribute: + +Define a new User attribute +---------------------------- + +.. note:: + + This step is usually completed by the PingOne for Customers Admin. + +#. Login to the PingOne Admin portal + +#. Follow `PingOne documentation `__ to add an User attribute. + +#. On the top of the page, click Settings. + +#. On the left, under Directory, click Attributes. + +#. Click + Add Attribute. + + |pingone_idp_adding_attribute| + +#. Click DECLARED + + |pingone_idp_adding_attribute_declared| + +#. Click button "Next" + +#. Enter the following information to create custom user attribute: + + +-----------------------+---------------+---------------------------------------------------------------------------+ + | Field | Value | Description | + +-----------------------+---------------+---------------------------------------------------------------------------+ + | Name | accessprofile | A unique identifier for the attribute. | + +-----------------------+---------------+---------------------------------------------------------------------------+ + | Display name | accessprofile | The name of the attribute as you want it to appear in the,user interface. | + +-----------------------+---------------+---------------------------------------------------------------------------+ + | Description | (optional) | A brief characterization of the application. | + +-----------------------+---------------+---------------------------------------------------------------------------+ + | Enforce unique values | Uncheck | Option to require the attribute,values be unique across the environment | + +-----------------------+---------------+---------------------------------------------------------------------------+ + + .. note:: + + In this example, the new user attribute is named **accessprofile**. + + |pingone_idp_setting_attribute| + +#. Click Save and Close. + +.. 
_pingone_for_customers_map_attribute: + +Define an attribute mapping +--------------------------- + +.. note:: + + This step is usually completed by the PingOne for Customers Admin. + +#. On the top of the page, click Connections. + +#. Click Applications on the left. + +#. Locate the Web SAML application to add this custom User attribute. + +#. Click the details icon to expand the Web SAML application, and then click the pencil icon. + +#. Click the "Attribute Mappings" + +#. For updating attribute mapping, click the button "+ADD ATTRIBUTE" and then select "PingOne Attribute" to map PingOne user attribute to an application attribute as below. + + +------------------------+-----------------------+ + | PINGONE USER ATTRIBUTE | APPLICATION ATTRIBUTE | + +------------------------+-----------------------+ + | accessprofile | Profile | + +------------------------+-----------------------+ + + .. note:: + + The application attribute **Profile** is required to be an exact match so that Aviatrix Controller can process in the SAML response. + + |pingone_idp_saml_attribute_mapping| + +.. _pingone_for_customers_user_fill_attribute: + +Assign VPN profile to each SAML user +------------------------------------- + +.. note:: + + This step is usually completed by the PingOne for Customers Admin. + +For each SAML application user, edit the user profile for assigning the VPN profile + +#. On the top of the page, click Identities. + +#. Locate the user you want to edit. You can browse or search for users. + +#. Click the details icon to expand the user you want to edit, and then click the pencil icon. + +#. On the Profile tab, scroll down to the "OTHER" section + +#. Find the new User attribute "accessprofile" and assign the VPN profile + + .. note:: + + In this example, the VPN profile defined at the controller is named **access-profile**. + + |pingone_idp_vpn_profile| + +.. 
_pingone_for_customers_validation:
+
+Validation
+----------
+
+Please refer to this `doc `__ for more validation detail.
+
+
+.. |pingone_idp_adding_attribute| image:: Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_adding_attribute.png
+
+.. |pingone_idp_adding_attribute_declared| image:: Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_adding_attribute_declared.png
+
+.. |profile_editor_add| image:: Setup_PingOne_SAML_Profile_Attribute_media/profile_editor_add.png
+
+.. |pingone_idp_setting_attribute| image:: Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_setting_attribute.png
+
+.. |pingone_idp_saml_attribute_mapping| image:: Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_saml_attribute_mapping.png
+
+.. |pingone_idp_vpn_profile| image:: Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_vpn_profile.png
+
+.. disqus::
diff --git a/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_adding_attribute.png b/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_adding_attribute.png
new file mode 100644
index 000000000..e97508001
Binary files /dev/null and b/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_adding_attribute.png differ
diff --git a/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_adding_attribute_declared.png b/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_adding_attribute_declared.png
new file mode 100644
index 000000000..85f89614a
Binary files /dev/null and b/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_adding_attribute_declared.png differ
diff --git a/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_saml_attribute_mapping.png b/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_saml_attribute_mapping.png
new file mode 100644
index 000000000..3e9daeab3
Binary files /dev/null and b/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_saml_attribute_mapping.png differ
diff --git a/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_setting_attribute.png b/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_setting_attribute.png
new file mode 100644
index 000000000..82e8b81e5
Binary files /dev/null and b/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_setting_attribute.png differ
diff --git a/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_vpn_profile.png b/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_vpn_profile.png
new file mode 100644
index 000000000..49483fea3
Binary files /dev/null and b/HowTos/Setup_PingOne_SAML_Profile_Attribute_media/pingone_idp_vpn_profile.png differ
diff --git a/HowTos/Setup_Transit_Network_Terraform.rst b/HowTos/Setup_Transit_Network_Terraform.rst
index ff8722222..4493924eb 100644
--- a/HowTos/Setup_Transit_Network_Terraform.rst
+++ b/HowTos/Setup_Transit_Network_Terraform.rst
@@ -19,7 +19,7 @@ Setup Terraform Provider
 # Configure Aviatrix provider
 provider "aviatrix" {
 controller_ip = "1.2.3.4"
- username = "admin"
+ username = "username"
 password = "password"
 version = "2.2"
 }
@@ -43,7 +43,7 @@ Manages an Aviatrix Transit Gateway.
 provider "aviatrix" {
 controller_ip = "1.2.3.4"
- username = "admin"
+ username = "username"
 password = "password"
 version = "2.2"
 }
@@ -90,7 +90,7 @@ Manages VGW connection
 provider "aviatrix" {
 controller_ip = "1.2.3.4"
- username = "admin"
+ username = "username"
 password = "password"
 version = "2.2"
 }
@@ -134,7 +134,7 @@ Manages an Aviatrix Spoke Gateway
 provider "aviatrix" {
 controller_ip = "1.2.3.4"
- username = "admin"
+ username = "username"
 password = "password"
 version = "2.2"
 }
@@ -184,6 +184,10 @@ Manages an Aviatrix Spoke Gateway
 Sample configuration to create complete transit VPC solution
 ============================================================
+.. Note::
+ In this example, you must specify the username and password, controller_ip, account_email and other parameters.
+
+
 ::
 # Sample Aviatrix terraform configuration to create complete transit VPC solution
@@ -195,14 +199,14 @@ Sample configuration to create complete transit VPC solution
 # Edit to enter your controller's IP, username and password to login with.
 provider "aviatrix" {
 controller_ip = "w.x.y.z"
- username = "admin"
- password = "Aviatrix123%23"
+ username = "username"
+ password = "password"
 version = "2.2"
 }
 resource "aviatrix_account" "test_acc" {
 account_name = "devops"
- account_password = "Aviatrix123"
+ account_password = "account_password"
 account_email = "abc@xyz.com"
 cloud_type = 1
 aws_account_number = "123456789012"
diff --git a/HowTos/TransPeering.rst b/HowTos/TransPeering.rst
index 9e301690f..01abd7045 100644
--- a/HowTos/TransPeering.rst
+++ b/HowTos/TransPeering.rst
@@ -96,7 +96,7 @@ with major steps highlighted.
 3. Repeat step 3 above for more co-locations.
-4. For support, send an email to support@aviatrix.com.
+4. For support, please open a support ticket at `Aviatrix Support Portal `_.
 5. For feature requests and feedback, click Make a wish at the bottom of each page.
diff --git a/HowTos/Transit_ExternalDevice_CiscoRouter.rst b/HowTos/Transit_ExternalDevice_CiscoRouter.rst
index 1a962add1..8ce3a4bcb 100644
--- a/HowTos/Transit_ExternalDevice_CiscoRouter.rst
+++ b/HowTos/Transit_ExternalDevice_CiscoRouter.rst
@@ -33,26 +33,28 @@ Transit Connection to Cisco Router over the internet.
 |image8|
 .. |image1| image:: ./S2C_TGW_CiscoRouter_media/cisco1.png
- :width: 7.00000 in
- :height: 5.00000 in
+ :scale: 30%
+
 .. |image2| image:: ./S2C_TGW_CiscoRouter_media/cisco2.png
- :width: 7.00000 in
- :height: 5.00000 in
+ :scale: 30%
+
 .. |image3| image:: ./S2C_TGW_CiscoRouter_media/cisco3.png
- :width: 12.00000 in
- :height: 5.00000 in
+ :scale: 30%
+
 .. |image4| image:: ./S2C_TGW_CiscoRouter_media/cisco4.png
- :width: 7.00000 in
- :height: 5.00000 in
+ :scale: 30%
+
 .. |image5| image:: ./S2C_TGW_CiscoRouter_media/cisco5.png
- :width: 100%
+ :scale: 30%
+
 .. |image6| image:: ./S2C_TGW_CiscoRouter_media/cisco6.png
- :width: 100%
+ :scale: 30%
+
 .. |image7| image:: ./S2C_TGW_CiscoRouter_media/cisco7.png
- :width: 100%
+ :scale: 30%
+
 .. |image8| image:: ./S2C_TGW_CiscoRouter_media/cisco8.png
- :width: 12.00000 in
- :height: 5.00000 in
+ :scale: 30%
diff --git a/HowTos/Transit_ExternalDevice_PaloAlto.rst b/HowTos/Transit_ExternalDevice_PaloAlto.rst
index 6f9f9014d..33f831c97 100644
--- a/HowTos/Transit_ExternalDevice_PaloAlto.rst
+++ b/HowTos/Transit_ExternalDevice_PaloAlto.rst
@@ -37,6 +37,10 @@ Configuration WorkFlow:
 |image2|
+ .. note::
+
+ If using private IP as remote gateway IP, please make sure to check "Over DirectConnect".
+
 3. Download the configuration by going to Site2Cloud -> Click on the Connection. Select generic and Download Configuration and configure on the router accordingly.
@@ -87,9 +91,12 @@ Configuration WorkFlow:
 Interface Palo Alto Networks WAN port
 Peer IP Address Aviatrix Gateway public IP
 Pre-shared Key Key from site2cloud configuration downloaded at Step 3
- Peer Identification IP Address & Aviatrix Gateway private IP
+ Peer Identification IP Address & Aviatrix Gateway public IP
 =============================== =========================================
+ .. note::
+ If using remote private IP on Step 2, Peer IP Address should be the remote private IP while Peer Identification should be remote public IP.
+ |image9|
 =============================== =========================================
diff --git a/HowTos/Transit_ExternalDevice_PaloAlto_media/8.png b/HowTos/Transit_ExternalDevice_PaloAlto_media/8.png
index eb29cdbac..21e8cc09f 100644
Binary files a/HowTos/Transit_ExternalDevice_PaloAlto_media/8.png and b/HowTos/Transit_ExternalDevice_PaloAlto_media/8.png differ
diff --git a/HowTos/Transit_ExternalDevice_PaloAlto_media/9.png b/HowTos/Transit_ExternalDevice_PaloAlto_media/9.png
index e1a7508ae..a01b305d3 100644
Binary files a/HowTos/Transit_ExternalDevice_PaloAlto_media/9.png and b/HowTos/Transit_ExternalDevice_PaloAlto_media/9.png differ
diff --git a/HowTos/Troubleshoot_Diagnostics.rst b/HowTos/Troubleshoot_Diagnostics.rst
index 01274c178..8d46e393d 100644
--- a/HowTos/Troubleshoot_Diagnostics.rst
+++ b/HowTos/Troubleshoot_Diagnostics.rst
@@ -12,6 +12,7 @@ Network
 This section provides tools to test the network connectivity of the controller and gateways.
+
 Gateway Utility
 ~~~~~~~~~~~~~~~~~
@@ -23,6 +24,7 @@ Network Connectivity Utility
 The Network Connectivity (nc) tool allows you to test if the controller/gateway is able to reach a host with a specified protocol and port number.
+Please note that tests using UDP protocol cannot be used to reliably determine connectivity as Load balancers or Security groups could consume the UDP packet, indicating a false positive. So a UDP test that says success does not gurantee UDP connectivity. However a UDP test showing failure means there are issues with UDP connectivity
 Packet Capture
 ~~~~~~~~~~~~~~~~
@@ -56,6 +58,13 @@ Controller IP Migration
 .. important:: The user MUST execute this feature after re-associating a new public IP for the controller through AWS/Azure/GCloud GUI console or API. This feature updates the configurations for the controller and gateways.
 ..
+Remote Support
+~~~~~~~~~~~~~~~~~
+
+By enable Remote Support, you grant permission for Aviatrix support team to access the Controller for debugging
+purpose.
+
+Make sure you disable the option when the debugging session is complete.
 Controller Public IP
 ~~~~~~~~~~~~~~~~~~~~~~
@@ -95,18 +104,10 @@ Keep Gateway on Error
 By default, the controller will roll back all the operations (gateway, EIP, security-group creations, etc...) if an error occurs during a gateway creation. However, this function allows you to keep the gateway instance for debugging purposes. In another word, this feature disables the roll back operation if the Status is set to True.
-Gateway IP Migration
-~~~~~~~~~~~~~~~~~~~~~~
-
-.. important:: The user MUST execute this feature after re-associating a new public IP for the gateway through AWS/Azure/GCloud GUI console or API. This feature updates the configurations for controller and gateways.
-..
-
-
 Gateway Replace
 ~~~~~~~~~~~~~~~~~
-This feature allows you to replace a gateway by launching a new gateway and restoring the configuration and operation in the event that a gateway becomes inoperational and you have exhausted all other ways to recover. Contact support@aviatrix.com
-before you use this feature.
+This feature allows you to replace an existing gateway when it becomes not functional by launching a new gateway and restoring the configuration to the new gateway. Use this feature only when you have exhausted all other options. Please open a support ticket at `Aviatrix Support Portal `_ if you ahve any questions or if you need support
 Select a gateway in the drop down menu and click Replace.
@@ -115,6 +116,32 @@ Select a gateway in the drop down menu and click Replace.
 Please refer to `Service Description of Diagnostic Result `__
+Note when the Controller performs a gateway replacement procedure, efforts are made to minimize the downtime. For example,
+when a failed Spoke gateway is being replaced, the Controller first redirects the traffic to the healthy Spoke gateway by
+modifying the Spoke VPC route table to route all instance or VM traffic to the healthy gateway, it also
+move the routes from the Transit Gateways pointing to the failed Spoke gateway to the healthy Spoke gateway for traffic
+moving from Transit Gateway to Spoke gateway. After the failed gateway is terminated and a new gateway is launched and
+configuration installed, the Controller then programs the Spoke VPC route table to load balancing some subnets/route table
+to point to the new gateway and also move the routes back on the Transit Gateways.
+
+Similar process happens when a Transit Gateway is being replaced.
+
+As a result the downtime is under 10 seconds for each gateway replacement in the Multi-cloud Transit solution.
+
+Similarly, when a failed gateway with Site2Cloud connections are being replaced, traffic is first redirected to
+the other healthy gateway before the failed gateway is terminated and replaced.
+
+Session View
+~~~~~~~~~~~~
+
+This feature allows you to view active connection sessions running through Aviatrix gateways. This is useful for troubleshooting connectivity issue.
+
+To view sessions:
+
+ - go to Troubleshoot -> Diagnostics -> Gateway -> Session View
+
+ - or go to Security -> Stateful Firewall -> Session View
+
 .. raw:: html
@@ -162,6 +189,9 @@ The diagnostic result of this feature provides the information of a specified VP
 VNet Route Diagnostics
 ~~~~~~~~~~~~~~~~~~~~~~~~
+.. note:: This feature supports Azure Classic only.
+..
+
 This feature provides the following operations that can be applied to a VNet:
 1. Display all route tables
 2. Display route table details
@@ -177,6 +207,11 @@ This feature provides the following operations that can be applied to a VNet:
 12. Associate a subnet to a route table
 13. Dissociate a subnet from a route table
+Refresh Tags
+~~~~~~~~~~~~~
+
+This feature syncs up AWS VPC name tags if users change the VPC name in AWS.
+
 .. raw:: html
@@ -225,14 +260,14 @@ This section provides the ability to view BGP configurations for diagnostics or
 System Resources
 ------------------
-This feature allows you to set the threshold for notifications when the disk/memory of a controller/gateway has reached certain percentage of the total usage. The default behavior is to alert administrators when the usage reaches 95% or higher.
+This feature allows you to set the threshold for notifications when the disk/memory of a controller/gateway has reached certain percentage of the total usage. The default behavior is to alert administrators when the disk usage crosses 90% or if memory usage crosses 80%.
-Connectivity Test
--------------------
+Network Validation: Connectivity Test
+---------------------------------------
 When you select the Source Network and Destination Network, the Aviatrix Controller will spin up two instances
-and run a connectivity test. After the test completes, you can re-run the test. There is only one pair of test endpoints that is valid at any given time. If you want to test a different endpoint, delete the current pair and launch a new pair.
+and run a connectivity test. After the test completes, you can re-run the test. There is only one pair of test endpoints that is valid at any given time. If you want to test a different endpoint, delete the current pair and launch a new pair. These instances are visible in Gateway page, under "View Instances"
 .. |wireshark_filter| image:: troubleshoot_diag_media/wireshark_filter.png
diff --git a/HowTos/Troubleshoot_ELB_Status.rst b/HowTos/Troubleshoot_ELB_Status.rst
index d09463962..78d4770df 100644
--- a/HowTos/Troubleshoot_ELB_Status.rst
+++ b/HowTos/Troubleshoot_ELB_Status.rst
@@ -6,6 +6,7 @@ ELB Status
 ###################################
-
+This page enables users to view load balancer info including target health status after users launch an `Aviatrix OpenVPN Gateway `_ with the option `Enable ELB `_.
+Additionally, users are able to delete/clean up load balancer by clicking the button "DELETE" next to the load balancer name, but usually this is not required as load balancer is automatically deleted on the last user/gateway deletion.
 .. disqus::
diff --git a/HowTos/Troubleshoot_Logs.rst b/HowTos/Troubleshoot_Logs.rst
index 799894fa9..ad725fe54 100644
--- a/HowTos/Troubleshoot_Logs.rst
+++ b/HowTos/Troubleshoot_Logs.rst
@@ -6,9 +6,37 @@ Logs
 ###################################
+Upload tracelog
+---------------
+On the controller console left side menu, click Troubleshoot, click Logs and select a gateway at Upload Tracelog. The controller and gateway tracelog will be uploaded to Aviatrix. The Aviatrix support team will be alerted. If no gateway is selected, only the controller log is uploaded.
- * `Upload tracelog. `__
+Please refer to `Troubleshoot `__ for troubleshooting detail.
+
+Display Aviatrix Command Log
+----------------------------
+
+DISPLAY
+~~~~~~~
+
+This feature enables users to view Aviatrix Command Log on GUI.
+
+DISPLAY AUDIT
+~~~~~~~~~~~~~
+
+This feature enables users to view Aviatrix Audit log on GUI.
+
+DOWNLOAD AUDIT
+~~~~~~~~~~~~~~
+
+This feature enables users to download Aviatrix Audit log to local.
+
+DISPLAY EVENT
+~~~~~~~~~~~~~~
+
+This feature enables users to view Aviatrix Event log on GUI.
+
+
+Please refer to `Logging `__ for logging detail.
-
 .. disqus::
diff --git a/HowTos/Troubleshooting_Diagnostics_Result.rst b/HowTos/Troubleshooting_Diagnostics_Result.rst
index 2a3f2f0d7..225e0a5d7 100644
--- a/HowTos/Troubleshooting_Diagnostics_Result.rst
+++ b/HowTos/Troubleshooting_Diagnostics_Result.rst
@@ -23,75 +23,181 @@ Diagnostic Result |:: | | | | "controller": { | -| "SumoLogic Collector": "Not running", | | "Database": "Up", | -| "logstash-forwarder": "Not running", | -| "Rsyslog Status": "Not running", | -| "CloudWatch Service": "Not running", | -| "splunkd": "Not running", | | "Connectivity": "Up", | | "SSH": { | | "port": { | -| "22": "Down" | +| "22": [ | +| "Down", | +| ] | | }, | | "service": "Up" | | }, | -| "datadog-agent": "Not running", | | "Public IP": "Pass", | | "PKI": "Pass", | -| "rsyslogd": "Running" | -| } | +| "Rsyslog Service": "Not running", | +| "CloudWatch Service": "Not running", | +| "splunkd": "Not running", | +| "filebeat": "Not running", | +| "SumoLogic Collector": "Not running", | +| "rsyslogd": "Running", | +| "datadog-agent": "Not running", | +| "HTTPS": { | +| "port": { | +| "443": [ | +| "up", | +| "reachable" | +| ] | +| }, | +| "service": "Up" | +| }, | | | +-----------------------------+----------------------------------------------------------------+ |Indicates Controller status. | | | +| >The SSH service port 22 status "Down" is expected as Aviatrix doesn't allow user to connect | +| | +| ssh port to Controller or Gateway | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**Gateway Output** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "SSH": { | +| "port": { | +| "22": [ | +| "up", | +| "reachable" | +| ] | +| }, | +| "service": "Up" | +| }, | +| "GatewayIamRole": "Passed", | +| "HTTPS": { | +| "port": { | +| "443": [ | +| "up", | +| "reachable" | +| ] | +| }, | +| "service": "Up" | +| }, | +| "Upload": "Pass", | ++-----------------------------+----------------------------------------------------------------+ +|Indicates Gateway port 22 and 443 status. 
| +| | +| > Expected value: Up and reachable | +| | +| > If Fail, please make sure the gateway has its security group port 22 & 443 open to the | +| | +| controller's EIP in AWS console. | +| | +| > It's expected that SSH port 22 is reachable as controller will use the port to do | +| | +| diagnostic on the Gateway. Please make sure HTTPS port 443 is reachable in this section | +| | +| since it indicates that controller is able to reach to Gateway for the configuration and | +| | +| software package delivery. | +| | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Netflow Output** | | +|**Upload Output** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "Netflow Service": "Not running", | +| "Upload": "Pass", | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates Netflow service status. | -| > Default: Not running | +|Indicates that Aviatrix controller is able to upload files to the gateway. | +| | +| > Expected value: Pass | +| | +| > If fail, please check the port 443 is open in both security group and VPC ACL between | +| | +| controller and the gateway instance in AWS console. | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Utility Output** | | -+-----------------------------+----------------------------------------------------------------+ +|**DNS Service** | | ++-----------------------------+----------------------------------------------------------------+ |:: | | | -| "Files not found": [ | -| "/etc/openvpn/utils.py", | -| ... (the rest is omitted.) 
| -| ], | +| "DNS Service": { | +| "/etc/resolvconf/resolv.conf.d/head": [ | +| "nameserver 8.8.8.8", | +| ], | +| "/etc/hosts": [ | +| "127.0.0.1\tlocalhost", | +| "::1 ip6-localhost ip6-loopback", | +| "fe00::0 ip6-localnet", | +| "ff00::0 ip6-mcastprefix", | +| "ff02::1 ip6-allnodes", | +| "ff02::2 ip6-allrouters", | +| "ff02::3 ip6-allhostsip-172-31-45-222", | +| "10.17.1.204 ip-10-17-1-204", | +| "" | +| ], | +| "/etc/hostname": [ | +| "ip-10-17-1-204", | +| "" | +| ], | +| "/etc/systemd/resolved.conf": [ | +| "[Resolve]", | +| "" | +| ], | +| "/etc/resolv.conf": [ | +| "nameserver 8.8.8.8", | +| "nameserver 127.0.0.53", | +| "search ca-central-1.compute.internal", | +| "options edns0", | +| "" | +| ] | +| }, | | | +-----------------------------+----------------------------------------------------------------+ -|N/A | +|Indicates DNS service status and related configuration on the gateway. | +| | +| > Default nameserver: 8.8.8.8 | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**LogStash Output** | | -+-----------------------------+----------------------------------------------------------------+ +|**NTP Config** | | ++-----------------------------+----------------------------------------------------------------+ |:: | | | -| "logstash-forwarder": "Not running", | +| "NTP config": { | +| "/etc/ntp.conf": [ | +| "driftfile /var/lib/ntp/ntp.drift\n", | +| "leapfile /usr/share/zoneinfo/leap-seconds.list\n", | +| "statistics loopstats peerstats clockstats\n", | +| "filegen loopstats file loopstats type day enable\n", | +| "filegen peerstats file peerstats type day enable\n", | +| "filegen clockstats file clockstats type day enable\n", | +| "restrict -4 default kod notrap nomodify nopeer noquery limited\n", | +| "restrict -6 default kod notrap nomodify nopeer noquery limited\n", | +| "restrict 127.0.0.1\n", | 
+| "restrict ::1\n", | +| "restrict source notrap nomodify noquery\n", | +| "server 169.254.169.123 prefer iburst\n" | +| ] | +| }, | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates Logstash logging service status. | -| > Default: Not running | +|Indicates NTP config. | | | -| > Related Link `LogStash Integration`_. | +| > Default server: 169.254.169.123 | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**DNS Resolution Output** | | +|**DNS Resolution** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | @@ -99,6 +205,7 @@ Diagnostic Result | | +-----------------------------+----------------------------------------------------------------+ |Indicates if the gateway can resolve public domain names. | +| | | > Expected value: Pass | | | | > If the result is Fail, check whether the DNS resolution is enabled for the VPC where this | 
@@ -110,86 +217,192 @@ Diagnostic Result +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Hostname-filter Output** | | +|**HTTPS GET** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "Hostname-filter Report": [ | -| "{\n", | -| " \"smtp.gmail.com\": {\n", | -| " \"ip_list\": [\n", | -| " \"74.125.126.109\", \n", | -| " \"74.125.126.108\", \n", | -| " \"173.194.194.109\", \n", | -| " \"173.194.205.109\"\n", | -| " ], \n", | -| " \"thread_state\": \"ALIVE\"\n", | -| " }\n", | -| "}" | +| "HTTPS GET": "Pass", | +| | ++-----------------------------+----------------------------------------------------------------+ +|Indicates connectivity for HTTPS request from gateway to the controller. | +| | +| > Expected value: Pass if GW can communicate with Controller without issue. | +| | +| When It shows “Fail” please check both Controller and Gateway security group | +| | +| > If Fail, please make sure the controller has its security group port 443 open to the | +| | +| gateway’s EIP in AWS console | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**Supervisorctl Status** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "supervisorctl status": [ | +| "fqdn_stats RUNNING pid 2121, uptime 16:39:29\n", | +| "gwmon RUNNING pid 2117, uptime 16:39:29\n", | +| "local_launch EXITED Mar 25 08:47 AM\n", | +| "openvpn RUNNING pid 2123, uptime 16:39:29\n", | +| "perfmon RUNNING pid 2119, uptime 16:39:29\n", | +| "rtmon FATAL Exited too quickly (process log may have | +| details)\n", | +| "sw-wdt4perfmon RUNNING pid 2124, uptime 16:39:29\n", | +| 
"time_action RUNNING pid 2118, uptime 16:39:29\n" | | ], | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates the Hostname filter configuration. | +|Indicates the supervisor status. | +| | +| > All services should be in RUNNING state except local_launch. | +| | +| > rtmon is the monitor process for Transit and Spoke Gateway, the status should be running | +| | +| when in transit or spoke gateway. The state can be FATAL in other type of gateway. | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Rsyslog Output** | | -+-----------------------------+----------------------------------------------------------------+ +|**MsgQueue Output** | | ++-----------------------------+----------------------------------------------------------------+ |:: | | | -| "Rsyslog Status": "Disabled", | -| | +| "MsgQueue": { | +| "ApproximateNumberOfMessagesNotVisible": "0", | +| "KmsDataKeyReusePeriodSeconds": "300", | +| "KmsMasterKeyId": "alias/aws/sqs", | +| "ContentBasedDeduplication": "false", | +| "PubSubErrorCount": 0, | +| "ConnectionSuccessCount": 17, | +| "ApproximateNumberOfMessagesDelayed": "0", | +| "ApproximateNumberOfMessages": "0", | +| "ExpiredTokenErrorCount": 16, | +| "ConnectionStatus": "Connected", | +| "ReceiveMessageWaitTimeSeconds": "0", | +| "DelaySeconds": "0", | +| "FifoQueue": "true", | +| "VisibilityTimeout": "30", | +| "PollFailureCount": 16, | +| "PollingStatus": "Active", | +| "ConnectionFailureCount": 0, | +| "MaximumMessageSize": "262144", | +| "CreatedTimestamp": "1584614502", | +| "NumMessagesReceived": 0, | +| "MessageRetentionPeriod": "1209600", | +| "LastModifiedTimestamp": "1584614609", | +| "QueueArn": "arn:aws:sqs:ca-central-1:2767xxxxxxxx:aviatrix-1x-2xx-1xx-2xx.fifo" | +| }, | +| | 
+-----------------------------+----------------------------------------------------------------+ -|Indicates the Remote Syslog feature is enabled. | -| > Related Link `Remote Syslog Integration`_. | +|Indicates AWS SQS message queue status. | +| | +| > ApproximateNumberOfMessages indicates the number of pending messages | +| | +| in the queue. | +| | +| > Expected value is 0. | +| | +| > If this value is not 0, it means there's issue on the AWS SQS Service, please update | +| | +| your IAM policy (refer to `IAM Policy`_. and check if the DNS resolution | +| | +| passed on the gateway.) You may also check if this SQS queue is still in your AWS | +| | +| SQS Service or the IAM policy is correctly attached on the Gateway. | | | +-----------------------------+----------------------------------------------------------------+ | | -+-----------------------------+----------------------------------------------------------------+ -|**ipset Output** | | -+-----------------------------+----------------------------------------------------------------+ ++-----------------------------+----------------------------------------------------------------+ +|**Route Output** | | ++-----------------------------+----------------------------------------------------------------+ |:: | | | -| "ipset rules": [ | -| "Name: avx_hnf_ipset_d_accept\n", | -| "Type: hash:ip,port\n", | -| "Revision: 5\n", | -| "Header: family inet hashsize ... (the rest is omitted.) 
| -| "Size in memory: 4564\n", | -| "References: 1\n", | -| "Number of entries: 36\n", | -| "Members:\n", | -| "64.233.181.108,tcp:25 comment \"smtp.gmail.com\"\n", | -| "108.177.111.109,tcp:25 comment \"smtp.gmail.com\"\n", | -| "108.177.121.108,tcp:25 comment \"smtp.gmail.com\"\n", | -| "173.194.198.109,tcp:25 comment \"smtp.gmail.com\"\n", | -| "209.85.144.109,tcp:25 comment \"smtp.gmail.com\"\n" | +| "route": [ | +| "Kernel IP routing table\n", | +| "Destination Gateway Genmask Flags Metric Ref Use Iface\n", | +| "0.0.0.0 10.187.64.1 0.0.0.0 UG 0 0 0 eth0\n", | +| "10.187.64.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0\n", | +| "192.168.43.0 192.168.43.2 255.255.255.0 UG 0 0 0 tun0\n", | +| "192.168.43.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0\n", | +| "10.20.0.0 0.0.0.0 255.255.0.0 U 100 0 0 tun-xxx\n" | +| "10.20.51.91 0.0.0.0 255.255.255.255 U 100 0 0 tun-xxx\n" | +| ], | +| | ++-----------------------------+----------------------------------------------------------------+ +|Indicates the route table on the gateway. 
| +| | +| > tun0 is the interface for OpenVPN | +| | +| > tun-xxx is the interface Transit-Spoke connection | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**IP Rule Output** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "ip rule": [ | +| "0:\tfrom all lookup local \n", | +| "32766:\tfrom all lookup main \n", | +| "32767:\tfrom all lookup default \n" | | ], | -| | +| | +-----------------------------+----------------------------------------------------------------+ |N/A | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**SpanPort Output** | | -+-----------------------------+----------------------------------------------------------------+ +|**IP Route Main Output** | | ++-----------------------------+----------------------------------------------------------------+ |:: | | | -| "SpanPort Service": { | -| "port": "unknown", | -| "service": "Down" | -| }, | -| | +| "ip route main": [ | +| "default via 10.187.64.1 dev eth0 \n", | +| "10.187.64.0/20 dev eth0 proto kernel scope link src 10.187.77.1xx \n", | +| "192.168.43.0/24 via 192.168.43.2 dev tun0 \n", | +| "192.168.43.2 dev tun0 proto kernel scope link src 192.168.43.1 \n" | +| ], | +| | +-----------------------------+----------------------------------------------------------------+ -|Currently not used. 
| +|N/A | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**iptables Output** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "iptables rules": [ | +| "-P INPUT ACCEPT\n", | +| "-P FORWARD ACCEPT\n", | +| "-P OUTPUT ACCEPT\n", | +| "-N RULE-LOG-ACCEPT\n", | +| "-N RULE-LOG-DROP\n", | +| "-A FORWARD -m state --state ESTABLISHED -j ACCEPT\n", | +| "-A FORWARD -s 192.168.43.6/32 -i tun0 -j ACCEPT\n", | +| "-A RULE-LOG-ACCEPT -m limit --limit 2/sec -j LOG --log-prefix \"AvxRl gw1 | +| A:\" --log-level 7\n", | +| "-A RULE-LOG-ACCEPT -j ACCEPT\n", | +| "-A RULE-LOG-DROP -m limit --limit 2/sec -j LOG --log-prefix \"AvxRl gw1 | +| D:\" --log-level 7\n", | +| "-A RULE-LOG-DROP -j DROP\n" | +| ], | +| | ++-----------------------------+----------------------------------------------------------------+ +|Indicates Stateful firewall configuration | +| | +| > mainly used for debugging | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ |**iptables nat Output** | | -+-----------------------------+----------------------------------------------------------------+ ++-----------------------------+----------------------------------------------------------------+ |:: | | | | "iptables nat rules": [ | 
@@ -198,67 +411,97 @@ Diagnostic Result | "-P OUTPUT ACCEPT\n", | | "-P POSTROUTING ACCEPT\n", | | "-N CLOUDN-LOG-natVPN\n", | -| "-N CLOUDX-SNAT\n", | | "-A POSTROUTING -s 192.168.43.0/24 -j CLOUDN-LOG-natVPN\n", | -| "-A POSTROUTING -m addrtype --src-type LOCAL -j ACCEPT\n", | -| "-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n", | -| "-A POSTROUTING -j CLOUDX-SNAT\n", | -| "-A CLOUDN-LOG-natVPN -j LOG --log-prefix \"AviatrixUser: \"\n", | -| "-A CLOUDN-LOG-natVPN -j MASQUERADE\n", | -| "-A CLOUDX-SNAT -o eth0 -j MASQUERADE\n" | +| "-A CLOUDN-LOG-natVPN -j LOG --log-prefix \"AviatrixUser: \"\n", | +| "-A CLOUDN-LOG-natVPN -j MASQUERADE\n" | | ], | -| | +| | +-----------------------------+----------------------------------------------------------------+ |Indicates NAT configuration. | +| | | > mainly used for debugging | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Hostname-filter Status** | | -+-----------------------------+----------------------------------------------------------------+ +|**iptables mangle Output** | | ++-----------------------------+----------------------------------------------------------------+ |:: | | | -| "Hostname-filter Status": [ | -| " avx-hostname-filter.service - Aviatrix Hostname Filter\n", | -| " Loaded: loaded (/lib/systemd/system/a ... (the rest is omitted.) 
| -| " Active: inactive (dead)\n" | -| | +| "iptables mangle rules": [ | +| "-P PREROUTING ACCEPT\n", | +| "-P INPUT ACCEPT\n", | +| "-P FORWARD ACCEPT\n", | +| "-P OUTPUT ACCEPT\n", | +| "-P POSTROUTING ACCEPT\n", | +| "-N MSSCLAMPING\n", | +| "-A FORWARD -j MSSCLAMPING\n", | +| "-A MSSCLAMPING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1370\n" | +| ], | +| | +-----------------------------+----------------------------------------------------------------+ -|Indicates Hostname-filter service status | -| > Default: inactive | +|Indicates iptables mangle configuration. | +| | +| > For debugging purpose | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**iptables Output** | | -+-----------------------------+----------------------------------------------------------------+ +|**ipset Output** | | ++-----------------------------+----------------------------------------------------------------+ |:: | | | -| "iptables rules": [ | -| "-P INPUT ACCEPT\n", | -| "-P FORWARD ACCEPT\n", | -| "-P OUTPUT ACCEPT\n", | -| "-N AVX-FILTER-BASE-LOG-ACCEPT\n", | -| "-N AVX-FILTER-BASE-LOG-DROP\n", | -| "-N AVX-FILTER-CHAIN\n", | -| "-N AVX-FILTER-MATCH-LOG-ACCEPT\n", | -| "-N AVX-FILTER-MATCH-LOG-DROP\n", | -| "-N CLOUDN-AVX-NFQ\n", | -| "-N RULE-LOG-ACCEPT\n", | -| "-N RULE-LOG-DROP\n", | -| ... (the rest is omitted.) | +| "ipset rules": [ | +| "Name: avx_hnf_ipset_d_accept\n", | +| "Type: hash:ip,port\n", | +| "Revision: 5\n", | +| "Header: family inet hashsize ... (the rest is omitted.) 
| +| "Size in memory: 4564\n", | +| "References: 1\n", | +| "Number of entries: 36\n", | +| "Members:\n", | +| "64.233.181.108,tcp:25 comment \"smtp.gmail.com\"\n", | +| "108.177.111.109,tcp:25 comment \"smtp.gmail.com\"\n", | +| "108.177.121.108,tcp:25 comment \"smtp.gmail.com\"\n", | +| "173.194.198.109,tcp:25 comment \"smtp.gmail.com\"\n", | +| "209.85.144.109,tcp:25 comment \"smtp.gmail.com\"\n" | +| ], | +| | ++-----------------------------+----------------------------------------------------------------+ +|N/A | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**IPlink Output** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "ip link display": [ | +| "1: lo: mtu 65536 qdisc noqueue state | +| UNKNOWN mode DEFAULT group default qlen 1000\n", | +| " link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n", | +| "2: eth0: mtu 9001 qdisc mq state UP | +| mode DEFAULT group default qlen 1000\n", | +| " link/ether 06:b3:ec:15:fe:bc brd ff:ff:ff:ff:ff:ff\n", | +| "3: tun0: mtu 1500 qdisc fq_codel | +| ztate UNKNOWN mode DEFAULT group default qlen 100\n", | +| " link/none \n", | +| "4: cxm0: mtu 1500 qdisc noop state DOWN mode | +| DEFAULT group default qlen 1000\n", | +| " link/ether b2:9a:79:d7:68:a8 brd ff:ff:ff:ff:ff:ff\n" | | ], | -| | +| | +-----------------------------+----------------------------------------------------------------+ -|Indicates Stateful firewall configuration | -| > mainly used for debugging | +|Indicates the ip link status of the gateway. | +| | +| > Status should be UP. 
| | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ |**ifconfig Output** | | -+-----------------------------+----------------------------------------------------------------+ ++-----------------------------+----------------------------------------------------------------+ |:: | | | | "ifconfig display": [ | 
@@ -268,12 +511,12 @@ Diagnostic Result | " inet6 fe80::8a4:d3ff:f... (the rest is omitted.) | | " ether 0a:a4:d3:1b:df:0... (the rest is omitted.) | | " RX packets 326021 byt... (the rest is omitted.) | -| " RX errors 0 dropped 0... (the rest is omitted.) | +| " RX errors 0 dropped 0... (the rest is omitted.) | | " TX packets 185361 byt... (the rest is omitted.) | | " TX errors 0 dropped 0... (the rest is omitted.) | | "\n", ... (the rest is omitted.) | | "lo: flags=4169 There should be very limit number of TX and RX errors/dropped. | -| | -| > If there are a lot of TX errors or dropped in tun0, it may be due to authentication | -| | -| mismatch on the tunnel. | -| | -+-----------------------------+----------------------------------------------------------------+ -| | -+-----------------------------+----------------------------------------------------------------+ -|**Disk Usage Output** | | -+-----------------------------+----------------------------------------------------------------+ -|:: | -| | -| "top disk usage": [ | -| "4.7G\t/usr\n", | -| "2.3G\t/usr/share\n", | -| "1.3G\t/var\n", | -| "1.2G\t/usr/share/doc\n", | -| "1.1G\t/usr/src\n", | -| "1.1G\t/usr/lib\n", | -| | -| ... (the rest is omitted.) | -| ], | -| | -+-----------------------------+----------------------------------------------------------------+ -|Indicates disk usage on the gateway. | -| > The maximum size of /usr should be lower than 6G, please contact | -| | -| support@aviatrix.com if you see abnormal usage in a folder. 
| -| | -+-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**MsgQueue Output** | | -+-----------------------------+----------------------------------------------------------------+ -|:: | -| | -| "MsgQueue": { | -| "ApproximateNumberOfMessagesNotVisible": "0", | -| | -| "ContentBasedDeduplication": "false", | -| "MessageRetentionPeriod": "345600", | -| "ApproximateNumberOfMessagesDelayed": "0", | -| "MaximumMessageSize": "262144", | -| "CreatedTimestamp": "1545101799", | -| "ApproximateNumberOfMessages": "0", | -| "ReceiveMessageWaitTimeSeconds": "0", | -| "DelaySeconds": "0", | -| "FifoQueue": "true", | -| "VisibilityTimeout": "30", | -| "LastModifiedTimestamp": "1545101878", | -| "QueueArn": "arn:aws:sqs:us-west-2:xxxxxx:aviatrix-34-xxx-xxx-16.fifo" | -| }, | +|Indicates gateway's interfaces. | | | -+-----------------------------+----------------------------------------------------------------+ -|Indicates AWS SQS message queue status. | -| > ApproximateNumberOfMessages indicates the number of pending messages | +| > There should be very limit number of TX and RX errors/dropped. | | | -| in the queue. | -| | -| > Expected value is 0. | +| > If there are a lot of TX errors or dropped in tun0, it may be due to authentication | | | -| > If this value is not 0, it means there's issue on the AWS SQS Service, please update | -| | -| your IAM policy (refer to `IAM Policy`_. and check if the DNS resolution | -| | -| passed on the gateway.) You may also check if this SQS queue is still in your AWS | -| | -| SQS Service or the IAM policy is correctly attached on the Gateway. | +| mismatch on the tunnel. 
| | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Supervisorctl Output** | | +|**Processes** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "supervisorctl status": [ | -| "gwmon RUNNING pid 2857, uptime 5:25:55\n", | -| "local_launch EXITED Dec 18 02:58 AM\n", | -| "openvpn RUNNING pid 5430, uptime 5:20:42\n", | -| "perfmon RUNNING pid 2876, uptime 5:25:53\n", | -| "sw-wdt4perfmon RUNNING pid 2894, uptime 5:25:51\n", | -| "time_action RUNNING pid 2816, uptime 5:25:56\n" | -| ], | +| "Processes": [ | +| "top - 01:27:05 up 16:39, 0 users, load average: 0.15, 0.03, 0.01\n", | +| "Tasks: 114 total, 1 running, 74 sleeping, 0 stopped, 0 zombie\n", | +| "%Cpu(s): 0.3 us, 0.1 sy, 0.0 ni, 99.6 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st\n", | +| "KiB Mem : 3907116 total, 2590900 free, 325604 used, 990612 buff/cache\n", | +| "KiB Swap: 0 total, 0 free, 0 used. 3295864 avail Mem \n", | +| "\n", | +| " PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND\n", | +| " 1 root 20 0 159868 9120 6680 S 0.0 0.2 0:03.61 /sbin/init\n", | +| " 2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 [kthreadd]\n", | +| ... (the rest is omitted.) | +| ] | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates the supervisor status. | -| > All services should be in RUNNING state except local_launch. | +|N/A | | | +-----------------------------+----------------------------------------------------------------+ | | 
@@ -397,184 +580,246 @@ Diagnostic Result | "4500": "Up" | | }, | | "service": "Up" | -| }, | +| }, | | | +-----------------------------+----------------------------------------------------------------+ |Indicates IKE daemon service and port status | +| | | > Default: Up for all | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**SumoLogic Output** | | +|**Top mem processes** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "SumoLogic Collector": "Not running", | +| "top mem processes": [ | +| " 2.2 0.2 1320032 2117 python -W ignore /home/ubuntu/cloudx-aws/gwmon.py info\n", | +| " 1.4 0.0 141076 431 /lib/systemd/systemd-journald\n", | +| " 1.3 0.2 267644 2118 python -W ignore /home/ubuntu/cloudx-aws/timer_action.py\n", | +| " 1.0 0.0 387132 2011 /usr/sbin/apache2 -k start\n", | +| ], | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates SumoLogic logging service status. | -| > Default: Not running | +|Indicates the memory and CPU usage of the gateway. | +| | +| > The memory usage of processes (first column) is changing dynamically and the overall | | | -| > Related Link `Sumologic Integration`_. 
| +| usage should be lower than 50% | +| | +| > Mainly used for debugging | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Upload Output** | | +|**Sysinfo CPU Output** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "Upload": "Pass", | +| "SysInfo": [ | +| "***CPU***\n", | +| "Architecture: x86_64\n", | +| "CPU op-mode(s): 32-bit, 64-bit\n", | +| "Byte Order: Little Endian\n", | +| "CPU(s): 2\n", | +| "On-line CPU(s) list: 0,1\n", | +| "Thread(s) per core: 1\n", | +| "Core(s) per socket: 2\n", | +| ... (the rest is omitted.) | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates that Aviatrix controller is able to upload files to the gateway. | -| > Expected value: Pass | -| | -| > If fail, please check the port 443 is open in both security group and VPC ACL between | -| | -| controller and the gateway instance in AWS console. | +|N/A | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Datadog Output** | | +|**Kernel Output** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "Datadog Service": "Not running", | +| "***Kernel***\n", | +| "Linux ip-10-187-77-159 4.15.0-1044-aws #46 SMP Sun Dec 8 00:42:58 UTC 2019 x86_64 | | | +-----------------------------+----------------------------------------------------------------+ -| Indicates Datadog logging service status. | -| > Default: Not running | -| | -| > Related Link `Datadog Integration`_. 
| +|N/A | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**iptables mangle Output** | | +|**Uptime Output** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "iptables mangle rules": [ | -| "-P PREROUTING ACCEPT\n", | -| "-P INPUT ACCEPT\n", | -| "-P FORWARD ACCEPT\n", | -| "-P OUTPUT ACCEPT\n", | -| "-P POSTROUTING ACCEPT\n", | -| "-N MSSCLAMPING\n", | -| "-A FORWARD -j MSSCLAMPING\n", | -| "-A MSSCLAMPING -p ... (the rest is omitted.) | -| ], | +| "***Uptime***\n", | +| " 01:27:05 up 16:39, 0 users, load average: 0.14, 0.03, 0.01\n", | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates iptables mangle configuration. | -| > For debugging purpose | +|Indicates Uptime of the gateway. | +| | +| > It indicates the time that the system has been working and available | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**HTTPS Output** | | +|**Reboot History** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "HTTPS": { | -| "port": { | -| | -| "443": [ | -| "up", | -| "reachable" | -| ] | -| }, | -| "service": "Up" | -| }, | +| "***Reboot History***\n", | +| "reboot system boot 4.15.0-1044-aws Wed Mar 25 08:47 still running\n", | +| "shutdown system down 4.15.0-1044-aws Wed Mar 25 08:45 - 08:47 (00:01)\n", | +| "reboot system boot 4.15.0-1044-aws Tue Mar 24 01:30 - 08:45 (1+07:14)\n", | +| "shutdown system down 4.15.0-1044-aws Mon Mar 23 10:06 - 01:30 (15:24)\n", | +| "reboot system boot 4.15.0-1044-aws Thu Mar 19 10:41 - 10:06 (3+23:24)\n", | +| "\n", | +| "wtmp begins Thu Mar 
19 10:41:57 2020\n", | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates the HTTPS status and reachability on the gateway. | -| > Expected value: Up and reachable | -| | -| > If Fail, please make sure the gateway has its security group port 443 open to the | +|Indicates Reboot History of the gateway. | | | -| controller's EIP in AWS console. | +| > It shows the date/time of gateway reboot history | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**HTTPS Get Output** | | +|**Memory Output** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "HTTPS GET": "Pass", | +| " total used free shared buff/cache available\n" | +| "Mem: 3.7G 318M 2.5G 25M 967M 3.1G\n" | +| "Swap: 0B 0B 0B\n", | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates connectivity for HTTPS request from gateway to the controller. | -| > Expected value: Pass if GW can communicate with Controller without issue. | +|Shows current memory usage | | | -| When It shows "Fail" please check both Controller and Gateway security group | +| > If memory is lower than 95%, you will receive an warning email to indicate the memory | | | -| > If Fail, please make sure the controller has its security group port 443 open to the | +| threshold is passed. Please consider to increase the instance size to have better available | | | -| gateway's EIP in AWS console. | +| memory size. 
| | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**CloudWatch Output** | | +|**Disk Usage** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "CloudWatch Service": "Not running", | +| "***Disk Usage***\n", | +| "5.4G\t/\n", | +| "2.9G\t/usr\n", | +| "1.9G\t/var\n", | +| "1.6G\t/var/log\n", | +| "1.3G\t/usr/src\n", | +| "863M\t/usr/lib\n", | +| | +| ... (the rest is omitted.) | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates the AWS CloudWatch service status. | -| > Default: Not running | +|Indicates disk usage on the gateway. | | | -| > Related Link `Cloudwatch How To`_. | +| > The maximum size of /usr should be lower than 6G, please open a support ticket at | +| | +| https://support.aviatrix.com if you see abnormal usage in a folder. | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Top Memory Output** | | + ++-----------------------------+----------------------------------------------------------------+ +|**File System** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "top mem processes": [ | -| "20.2 0.1 398548 432 /lib/systemd/systemd-journald\n", | -| | -| " 4.6 0.0 454976 1761 /usr/sbin/apache2 -k start\n", | -| " 4.3 0.1 807656 2857 python -W ... (the rest is omitted.) | -| " 2.8 0.0 90920 2876 python -W ... (the rest is omitted.) | -| " 2.6 0.0 84700 2816 python -W ... (the rest is omitted.) | -| " 2.2 0.0 457688 5299 /usr/sbin/apache2 -k start\n", | -| " 2.1 0.0 65268 1992 /usr/bin/p ... (the rest is omitted.) 
| -| " 2.1 0.0 457688 5297 /usr/sbin/apache2 -k start\n", | -| " 1.9 0.0 548016 1183 /usr/lib/snapd/snapd\n", | -| " 1.8 0.0 457452 5300 /usr/sbin/apache2 -k start\n" | -| ], | +| "***File System***\n", | +| "Filesystem Size Used Avail Use% Mounted on\n", | +| "udev 1.9G 0 1.9G 0% /dev\n", | +| "tmpfs 382M 7.1M 375M 2% /run\n", | +| "/dev/xvda1 16G 5.7G 9.8G 37% /\n", | +| "tmpfs 1.9G 0 1.9G 0% /dev/shm\n", | +| "tmpfs 5.0M 0 5.0M 0% /run/lock\n", | +| "tmpfs 1.9G 0 1.9G 0% /sys/fs/cgroup\n", | +| "tmpfs 382M 0 382M 0% /run/user/1000\n", | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates the memory and CPU usage of the gateway. | -| > The memory usage of processes (first column) is changing dynamiclly and the overall | +|N/A | | | -| usage should be lower than 50% | ++-----------------------------+----------------------------------------------------------------+ | | -| > Mainly used for debugging | ++-----------------------------+----------------------------------------------------------------+ +|**Virtual Mem statistics** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "***Virtual Memory statistics***\n", | +| "procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----\n", | +| " r b swpd free buff cache si so bi bo in cs us sy id wa st\n", | +| " 0 0 0 2220768 181288 1178804 0 0 6 23 85 128 0 0 100 0 0\n", | +| | ++-----------------------------+----------------------------------------------------------------+ +|N/A | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**Software Version** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "***Software Version***\n", | +| 
"================================================================================\n", | +| "Branch: UserConnect-5.3\n", | +| "Commit: commit d02bf8434\n", | +| "Commit Date: Tue Mar 10 11:15:11 2020 -0700\n", | +| "Build Date: Tue Mar 10 11:31:16 PDT 2020\n", | +| "Built By: Reyweng\n", | +| "================================================================================\n", | +| "\n", | +| | ++-----------------------------+----------------------------------------------------------------+ +|N/A | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Splunk Output** | | +|**EC2 Instance Metadata** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "splunkd": "Not running", | +| "***EC2 Instance Metadata***\n", | +| "{\n", | +| " \"architecture\" : \"x86_64\",\n", | +| " \"availabilityZone\" : \"ca-central-1b\",\n", | +| " \"billingProducts\" : null,\n", | +| " \"devpayProductCodes\" : null,\n", | +| " \"imageId\" : \"ami-01axxxxxxxxxxxxxx\",\n", | +| " \"instanceId\" : \"i-046xxxxxxxxxxxxxx\",\n", | +| " \"instanceType\" : \"t2.medium\",\n", | +| " \"kernelId\" : null,\n", | +| " \"pendingTime\" : \"2020-03-25T08:47:05Z\",\n", | +| " \"privateIp\" : \"10.187.77.159\",\n", | +| " \"ramdiskId\" : null,\n", | +| " \"region\" : \"ca-central-1\",\n", | +| " \"version\" : \"2017-09-30\"\n", | +| "}{\n", | +| " \"Code\" : \"Success\",\n", | +| " \"LastUpdated\" : \"2020-03-26T00:47:40Z\",\n", | +| " \"InstanceProfileArn\" : \"arn:aws:iam::xxxxxxxxxxxx:instance-profile/ | +| aviatrix-role-ec2\", | +| " \"InstanceProfileId\" : \"XXXXXXXXXXXXXXXXXXXXX\"\n", | +| "}{\n", | +| " \"Code\" : \"Success\",\n", | +| " \"LastUpdated\" : \"2020-03-26T00:53:47Z\",\n", | +| "}" | | | 
+-----------------------------+----------------------------------------------------------------+ -|Indicates Splunk logging service status. | -| > Default: Not running | +|Indicates EC2 Instance Metadata status. | +| | +| > Aviatrix support will need AMI ID and instance type and other EC2 metadata for debugging | | | -| > Related Link `splunk Integration`_. | +| purpose. | | | +-----------------------------+----------------------------------------------------------------+ | | @@ -588,15 +833,16 @@ Diagnostic Result | | | "943": [ | | | -| "up", | +| "up", | | "reachable" | | ] | | }, | -| "service": "Down" | +| "service": "Down" | | }, | | | +-----------------------------+----------------------------------------------------------------+ |Indicates OpenVPN service status. | +| | | > Status is down if the gateway is non SSLVPN gateway | | | | > For SSLVPN gateway with ELB enabled, port 943 should be UP and the gateway's security | 
@@ -610,43 +856,58 @@ Diagnostic Result +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**IP Link Output** | | +|**VPN Status Output** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "ip link display": [ | -| "1: lo: mtu 150... (the rest is omitted.) | -| " link/ether b2:61:0b:3f:69:a3 brd ff:ff:ff:ff:ff:ff\n", | -| "13: tun0: Status should be UP. | +|Indicates the VPN configuration status. Expected value: Pass | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Route Output** | | +|**Auth Config** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "route": [ | -| "Kernel IP routing table\n", | -| "Destination Gateway Genmask Flags Metric Ref Use Iface\n" | -| "0.0.0.0 10.10.10.1 0.0.0.0 UG 0 0 0 eth0\n", | -| "10.10.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0\n", | -| "192.168.43.0 192.168.43.2 255.255.255.0 UG 0 0 0 tun0\n", | -| "192.168.43.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0\n" | +| "Auth Config": [ | +| { | +| "cfg": "Pass", | +| "method": "SAML auth" | +| } | | ], | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates the route table on the gateway. | +|Indicates the authentication method configured on the VPN gateway. 
| +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**Server Cert Output** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "Server Cert": "good", | +| | ++-----------------------------+----------------------------------------------------------------+ +|N/A | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**Files Not Found** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "Files not found": [ | +| "/etc/openvpn/utils.py", | +| "/home/ubuntu/cloudx-aws/boto-2.42.tar.gz" | +| ], | +| | ++-----------------------------+----------------------------------------------------------------+ +|N/A | | | +-----------------------------+----------------------------------------------------------------+ | | @@ -660,7 +921,7 @@ Diagnostic Result | | | " Loaded: loaded (/lib/systemd/system/avx-nf... (the rest is omitted.) | | " Active: active (running) since Wed 2018-12... (the rest is omitted.) | -| " Main PID: 8495 (avx-nfq)\n", | +| " Main PID: 8495 (avx-nfq)\n", | | " Tasks: 1 (limit: 1149)\n", | | " CGroup: /system.slice/avx-nfq.service\n", | | " └─8495 /home/ubuntu/cloudx-aws/nfq-module/avx-nfq\n", | @@ -671,6 +932,7 @@ Diagnostic Result | | +-----------------------------+----------------------------------------------------------------+ |Indicates the FQDN Egress Control status | +| | | > Status is active when FQDN egress control is enabled. | | | | > Status is inactive when FQDN egress control is disabled or failed. | 
@@ -678,115 +940,233 @@ Diagnostic Result +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**SSH Output** | | +|**Hostname-filter Report** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "SSH": { | -| "port": { | +| "Hostname-filter Report": [ | +| "{\n", | +| " \"smtp.gmail.com\": {\n", | +| " \"ip_list\": [\n", | +| " \"74.125.126.109\", \n", | +| " \"74.125.126.108\", \n", | +| " \"173.194.194.109\", \n", | +| " \"173.194.205.109\"\n", | +| " ], \n", | +| " \"thread_state\": \"ALIVE\"\n", | +| " }\n", | +| "}" | +| ], | | | -| "22": [ | -| "up", | -| "reachable" | -| ] | -| }, | -| "service": "Up" | ++-----------------------------+----------------------------------------------------------------+ +|Indicates the Hostname filter configuration. | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**Hostname-filter Status** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "Hostname-filter Status": [ | +| "● avx-hostname-filter.service - Aviatrix Hostname Filter\n", | +| " Loaded: loaded (/lib/systemd/system/avx-hostname-filter.service; | +| disabled; vendor preset: enabled)\n", | +| " Active: inactive (dead)\n" | +| ], | +| | ++-----------------------------+----------------------------------------------------------------+ +|Indicates Hostname-filter service status | +| | +| > Default: inactive | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**SpanPort Output** | | 
++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "SpanPort Service": { | +| "port": "unknown", | +| "service": "Down" | | }, | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates the SSH port status on the gateway. | -| > Required for gateway diagnostics to function properly. | +|Currently not used. | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**Ulimit Output** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | | | -| > Default: Up and reachable. | +| "Ulimit": [ | +| "65536\n" | +| ], | | | -| > If Fail or unreachable, the gateway diagnostics will not produce useful results | ++-----------------------------+----------------------------------------------------------------+ +|N/A | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Auth Output** | | +|**Services Status Output** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "Auth Config": [ | -| { | -| "cfg": "Pass", | -| "method": "LDAP auth" | -| } | -| ], | +| "Rsyslog Service": "Service: Disabled, Process: Running", | +| "Splunk Service": "Service: Disabled, Process: Not Running", | +| "Filebeat Service": "Service: Disabled, Process: Not Running", | +| "Sumologic Service": "Service: Disabled, Process: Not Running", | +| "Datadog Service": "Service: Disabled, Process: Not Running", | +| "Netflow Service": "Service: Disabled, Process: Not Running", | +| "CloudWatch Service": "Service: Disabled, Process: Not Running", | | | 
+-----------------------------+----------------------------------------------------------------+ -|Indicates the authentication method configured on the VPN gateway. | +|Indicates logging service status. | +| | +| > Default: Not running | +| | +| > Related Link `Remote Syslog Integration`_. | +| | +| > Related Link `Splunk Integration`_. | +| | +| > Related Link `Filebeat Integration`_. | +| | +| > Related Link `Sumologic Integration`_. | +| | +| > Related Link `Datadog Integration`_. | +| | +| > Related Link `Cloudwatch How To`_. | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**VPN Status Output** | | +|**mpm_prefork Output** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "VPN config": "Pass", | +| "mpm_prefork config": { | +| "/etc/apache2/mods-enabled/mpm_prefork.conf": [ | +| "", | +| "\tStartServers\t\t 5", | +| "\tMinSpareServers\t\t 5", | +| "\tMaxSpareServers\t\t 10", | +| "\tMaxRequestWorkers\t3000", | +| "\tServerLimit 3000", | +| "\tMaxConnectionsPerChild 0", | +| "", | +| "" | +| ] | +| }, | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates the VPN confguration status. Expected value: Pass | +|Indicates Apache MaxRequest Workers. | +| | +| >The MaxRequestWorkers directive sets the limit on the number of simultaneous requests | +| | +| that will be served. The value of MaxRequestWorkers should be 3000, if not, you'll just | +| | +| need to restart the Cloudxd service on the Controller. 
this can be done by the following | +| | +| steps: Controller UI > Troubleshoot > Diagnostics > Services > Restart cloudxd | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**DNS Output** | | +|**CIS Patch Output** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "DNS Service": { | -| "/etc/resolvconf/resolv.conf.d/head": [ | -| "nameserver 8.8.8.8\n" | -| ], | -| "/etc/hosts": [ | -| "127.0.0.1 localhost\n", | -| "\n", | -| "::1 ip6-localhost ip6-loopback\n", | -| "fe00::0 ip6-localnet\n", | -| "ff00::0 ip6-mcastprefix\n", | -| "ff02::1 ip6-allnodes\n", | -| "ff02::2 ip6-allrouters\n", | -| "ff02::3 ip6-allhosts\n", | -| "ip-10-10-10-72\n", | -| "ip-10-10-10-72\n", | -| "10.10.10.72 ip-10-10-10-72\n" | +| "CIS Patch status": { | +| "Not patched": [ | +| "Enable support for FIPS 140-2", | +| "X-XSS-Protection and X-Content-Type-Options Headers", | +| "Increase File Descriptor limit" | | ], | -| "/etc/hostname": [ | -| "ip-10-10-10-72\n" | -| ], | -| "/etc/systemd/resolved.conf": [ | -| "\n", | -| "[Resolve]\n", | -| "DNS=8.8.8.8\n" | +| "Patched": [] | +| }, | +| | ++-----------------------------+----------------------------------------------------------------+ +|N/A | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**SW Patch status** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "SW Patch status": { | +| "Not patched": [ | +| "Apply xml file patch for Splunk year 2020 bug" | | ], | -| "/etc/resolv.conf": [ | -| "\n", | -| "nameserver 8.8.8.8\n", | -| "nameserver 10.10.0.2\n", | -| "search us-west-2.compute.internal\n" | 
+| "Patched": [ | +| "Mitigation for Datadog Agent installation issue on Ubuntu 14.04" | | ] | | }, | | | +-----------------------------+----------------------------------------------------------------+ -|Indicates DNS service status and related configuration on the gateway. | +|Indicates Software status | +| | +| > The patches are good to apply - we usually try to address the vulnerabilities through our | +| | +| software upgrades, but for ones which need to be done outside of an upgrade, we use the | +| | +| patch process. | | | +-----------------------------+----------------------------------------------------------------+ | | +-----------------------------+----------------------------------------------------------------+ -|**Server Cert Output** | | +|**Ingress Control Output** | | +-----------------------------+----------------------------------------------------------------+ |:: | | | -| "Server Cert": "good" | +| "Ingress Control": { | +| "Routing": "disabled", | +| "GuardDuty Service": { | +| "Account": "robin-aws", | +| "Region": "ca-central-1", | +| "Account status": "disabled", | +| "AWS status": "disabled" | +| } | +| }, | +| | ++-----------------------------+----------------------------------------------------------------+ +|N/A | +| | ++-----------------------------+----------------------------------------------------------------+ +| | ++-----------------------------+----------------------------------------------------------------+ +|**rp_filter Output** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "rp_filter": [ | +| "net.ipv4.conf.all.rp_filter = 0\n", | +| "net.ipv4.conf.eth0.rp_filter = 0\n" | +| ], | +| | ++-----------------------------+----------------------------------------------------------------+ +|N/A | +| | ++-----------------------------+----------------------------------------------------------------+ +| | 
++-----------------------------+----------------------------------------------------------------+ +|**FQDN service status** | | ++-----------------------------+----------------------------------------------------------------+ +|:: | +| | +| "FQDN stats service": [ | +| "fqdn_stats RUNNING pid 2121, uptime 16:39:45\n" | +| ] | | | +-----------------------------+----------------------------------------------------------------+ |N/A | | | +-----------------------------+----------------------------------------------------------------+
- .. _LogStash Integration: https://docs.aviatrix.com/HowTos/AviatrixLogging.html#logstash-forwarder
@@ -796,5 +1176,6 @@ Diagnostic Result
 .. _Datadog Integration: https://docs.aviatrix.com/HowTos/DatadogIntegration.html
 .. _Cloudwatch How To: https://docs.aviatrix.com/HowTos/cloudwatch.html
 .. _Splunk Integration: https://docs.aviatrix.com/HowTos/AviatrixLogging.html#splunk-logging
+.. _Filebeat Integration: https://docs.aviatrix.com/HowTos/AviatrixLogging.html#filebeat-forwarder
 .. disqus::
diff --git a/HowTos/UCC_Release_Notes.rst b/HowTos/UCC_Release_Notes.rst
index d061c6383..129b1bcc3 100644
--- a/HowTos/UCC_Release_Notes.rst
+++ b/HowTos/UCC_Release_Notes.rst
@@ -2,20 +2,1302 @@ Release Notes
 =======================================
+6.6.5224 (01/23/2022)
+=====================
+
+**Enhanced Features in Release 6.6**
+
+- Added support for Aviatrix Spoke Gateway to External Device (BGP-Enabled Spoke). Introduced in Aviatrix release 6.6, you can now create spoke gateways that are BGP-enabled and NAT-enabled. Aviatrix Cloud Network Platform has always supported NAT in a way that most enterprises need in order to meet their business and technical requirements. Using BGP-enabled and NAT-enabled spoke gateways gives you yet more capabilities to implement policy based SNAT/DNAT functions in strategic places in your network architecture. For more information, see the discussion about `Aviatrix Spoke Gateway to External Device `_.
+- Added support for Google Cloud Platform (GCP) BGP over LAN to support multi peer instance. This allows Aviatrix Transit Gateways to communicate with a pair of instances in the same VPC in GCP without running any tunneling protocol such as IPSec or GRE. For more information, see the discussion about `GCP Multi-cloud Transit BGP over LAN Workflow `_.
+- Added support for AWS TGW Connect over Direct Connect. Amazon Web Services (AWS) enables AWS customers to integrate their Software Defined Wide Area Network (SD-WAN) devices with AWS Transit Gateway and AWS Direct Connect so they can use their existing SD-WAN devices to connect their on-premises networks to an AWS Transit Gateway. In support of this, Aviatrix enables you to create one or multiple Transit Gateway Connect attachments over Direct Connect. You can also create Transit Gateway Connect peer attachments. For instructions, see the topic `Enable AWS TGW connect over Direct Connect `_.
+- Added support for Aviatrix Controller Security Assertion Markup Language (SAML) based authentication user VPN access in Azure. For instructions, see the topic `Azure SAML Authorization VPN Access `_.
+- Added support for FireNet with PAN in AWS China.
+- Added support for Checkpoint integration with private SSH keys.
+
+**UI Enhancements in Release 6.6**
+
+- Improved FireNet and Multi-Cloud Transit workflows reducing clicks and navigation steps.
+- Decommissioning and Renaming of CLOUDWAN to CLOUDN.
+- Notification bar includes message history.
+- Guided “What’s New” information for first Aviatrix Controller user login.
+- Launch CoPilot from the Aviatrix Controller App Drawer.
+- Enable daily backup added to notification menu.
+- Use consistent naming in action menu and config box for the list view of Transit Gateway.
+
+**Changed Behaviors in Release 6.6**
+
+- The primary gateway will always be active to forward traffic to on-prem, unless its tunnel to on-prem goes down. When its tunnel to on-prem comes up, it will start to forward the traffic again. This is different from 6.5 release and before where when forwarding failover to HA gateway, it won't switch back to primary gateway when its tunnel comes up.
+- Before 6.6, when BGP ECMP is enabled, routes from different domain can be combined to form ECMP at gateway. This is incorrect behavior and is fixed in 6.6, such that only BGP routes from the same domain can be combined for ECMP.
+
+**Upgrade Behaviors and Restrictions in Release 6.6**
+
+- To upgrade to 6.6, you must manually enter “6.6” in the Aviatrix Controller upgrade window.
+- You cannot rollback to Aviatrix version 6.5 after upgrading to 6.6.
+- The 6.6 release introduces a behavior change in the Multi-Cloud Transit Active-Standby Site2Cloud behavior, if the setting is enabled. After a failover, when the primary gateway is back up, the traffic is switched over automatically back to the primary Site2Cloud connection. This brings more predictability and fits into the model of most on-prem firewalls. In 6.6, this behavior cannot be adjusted. If Active-Standby is disabled (which is the default setting), there is no behavior change.
If you have questions about this behavior, please contact your Aviatrix account team.
+
+**Known Issues in Release 6.6**
+
+- Cannot add more than 2 remote and 2 local subnet pair tunnels to a Site2Cloud policy based connection with the Aviatrix Controller.
+
+ - Workaround: Use Site2Cloud to delete or add new subnet pair tunnels to a Site2Cloud policy based connection.
+
+- OCI is not yet compatible with the 6.6 release. Until a new image is available, initializing your controller to the latest will fail.
+
+ - Workaround: initialize your controller to 6.5 first and upgrade to 6.6. Controllers already installed with 6.3 or newer should be able to upgrade to 6.6 without issue.
+
+**Issues Corrected in Release 6.6**
+
+- **AVX-14515** - Exception seen when configuring vendor integration with a Palo Alto Firewall VM which has no route tables.
+- **AVX-14568** - If there are any GWs that are not reachable by the controller before the Controller HA Migration starts, the control planes of these GWs will be out of sync because there will be an implicit control-plane certificate re-bootstrap as a part of Control HA Migration process. The issue exists before 6.5.2835 (exclusive) and all 6.4 releases.
+- **AVX-14754** - When Controller Security Group Management is enabled and launching a gateway causes controller SG to reach limit, it will show correct error "The maximum number of rules per security group has been reached.
+- **AVX-14822** - Controller Security Group Management will add gateway IP rule to customer attached controller SGs as well as controller created SGs.
+- **AVX-15180** - Allows you to configure default route as destination CIDR in customized SNAT.
+- **AVX-15454** - Deleted dependency of storage account for Azure China gateways.
+- **AVX-15639** - When replacing a gateway using image upgrade the new gateway was missing the Aviatrix-Created-Resource tag.
+- **AVX-15651** - Incorrect existing references to default Aviatrix AWS IAM role names.
+- **AVX-15704** - While creating an IKEv2 enabled site2cloud connection, you will see "Failed to establish a new connection" error.snat
+- **AVX-15978** - The conntrack "allow all" rule should always be placed above the "drop all" rule in the order of operations.
+- **AVX-16100** - You can configure DNAT on transit GW, either ActiveMesh or non-ActiveMesh connection.
+- **AVX-16375** - For policy based site2cloud connection, if one of the s2c tunnel is down on a transit gateway, traffic from attached spoke, or peering transit, or AWS TGW to the transit gateway will be dropped.
+- **AVX-16450** - Addressed issues with CloudN registration in some scenarios.
+- **AVX-16486** - Improved IPSec performance on high latency links.
+- **AVX-16494** - Performance optimization in monitoring IPSec states.
+- **AVX-16496** - When upgrading a standalone CloundN implementation:
+
+ - For CloudN versions < 6.5.2613: Full outbound access on TCP ports 80 and 443 on CloudN Management is required.
+ - For CloudN versions >= 6.5.2613: Please follow the `Internet Acces `_ instructions. For a list of required FDQNs, please see `Required Access for External Sites `_.
+
+- **AVX-17027** - The UI upgrade progress bar getting stuck at 99% during standalone CloudN upgrade.
+- **AVX-17302** - Secondary cidrs in OCI VCN not advertised to transit gateway.
+- **AVX-17420** - If the account is deleted or deactivated from AWS, VPC attachment from AWS TGW is getting deleted. You must manually clean up all blackhole routes (RFC1918 or customized routes) on AWS.
+- **AVX-17432** - For route based, unmapped S2C, when the connection is down, the routes for the remote CIDRs are still associated with the connection, i.e. the routes are not removed.
+- **AVX-17512** - Addressed an issue in NAT programming on Spoke-HA when sync-to-ha is enabled.
+- **AVX-17582** - Closed potential security issue the controller UI console.
+- **AVX-17628** - Closed potential SSH security issue for users upgrading from previous releases.
+- **AVX-17740** - Launching a gateway on a Native GWLB FireNet VPC is incorrectly allowed. Disabling Native GWLB FireNet before detaching the VPC from its TGW (if it was attached to one) was incorrectly allowed.
+- **AVX-17849** - Existing issues in Flightpath for Azure NSG's.
+- **AVX-18148** - Excessive load on cloudxd induced due to rsyslog monitoring certain user visible changes.Excessive email alerts generated about rsyslog while trying to reduce rsyslog monitoring load on core processes.
+- **AVX-18149** - Controller becoming slow or non-responsive when executing large number of certain API requests.
+- **AVX-18164** - The performance of the API to list the security policies of a gateway is not satisfactory.
+
+6.5.2898 (01/11/2022)
+=====================
+
+**Issues Corrected in Aviatrix Release 6.5**
+
+- **AVX-9033** - Some logs are too big on CloudN.
+- **AVX-14426** - Tunnels take a long time to become established and on occasion can flap even during establishment in IPSEC IKE interoperability.
+- **AVX-14659** - Tunnel flaps when attaching spoke gateways running IPSec strongSwan to transit gateways running IPSec racoon, or transit gateways running IPSec strongSwan to transit gateways running IPSec racoon.
+- **AVX-16967** - When a SNAT rule is added/removed for a gateway, it needs to check if the NAT rule is duplicated in the route tables. The checking is dependent on the NAT routes if load balanced or generic (not load balanced). You must miss the checking for duplicated routes to include the HA gateways in the interface list. It may give a wrong conclusion that some NAT rules were duplicated.
+- **AVX-17214** - If any conntrack module related errors are observed in 6.5. (g's build number) and after, AVXERR format can be used for first level debugging.
'AVXERR-CONNTRACK-0001': 'Gateway Error: {}', 'AVXERR-CONNTRACK-0002': 'Required/Invalid option: {}' 'AVXERR-CONNTRACK-0003': 'Not found/File error: {}' 'AVXERR-CONNTRACK-0004': 'Not Supported: {}'
+- **AVX-17349** – Closed vulnerability AVI-2021-0008, allowing an unauthenticated attacker partial access to configuration information on controllers and an unauthenticated network-adjacent attacker API access on gateways.
+- **AVX-17420** - If the account is deleted or deactivated from AWS, VPC attachment from AWS TGW is getting deleted. You must manually clean up all blackhole routes (RFC1918 or customized routes) on AWS.
+- **AVX-17628** - Hardened SSH security for legacy users.
+- **AVX-17740** - Launching a gateway on a Native GWLB FireNet VPC was incorrectly allowed. Disabling Native GWLB FireNet before detaching the VPC from its TGW (if it was attached to one) was incorrectly allowed.
+- **AVX-18149** - Controller becoming slow or non-responsive when executing large number of certain API requests.
+
+**Known Behaviors in Aviatrix Release 6.5**
+
+- If your Controller is running 6.4 and you have ControllerHA enabled, there is a very small chance that your HA recovery might fail if your Controller goes down by any chance. If that happens, you can manually restore the backup on your new Controller. To avoid this, please upgrade to the 6.5 release.
+- **AVX-16496** - When upgrading a standalone CloundN implementation:
+
+ - For CloudN versions < 6.5.2613: Full outbound access on TCP ports 80 and 443 on CloudN Management is required.
+ - For CloudN versions >= 6.5.2613: Please follow the instructions at Standalone `CloudN Deployment Checklist `_. For a list of required FDQNs, please see `Required Access for External Sites `_.
+
+- **AVX-15458** - After Controller and standalone CloudN’s are upgraded from 6.3 to 6.4, to access CloudN device in web UI:
+
+ - Use CloudN management IP address inside on-premises network.
+ - Use CloudN LAN IP address from Spoke workplace in the CSP network.
+
+- **AVX-17221** - If you have Managed CloudN, Aviatrix requires you to follow the Managed instructions and allow access to the sites mentioned for the CloudN Managed Port. If your Managed CloudN ends up in a "config_fail" state after your Controller is upgraded, you have the following options:
+
+ Option 1:
+
+ #. Deregister your CloudN. Follow the instructions to allow management port outbound access.
+ #. Follow NTP sync instructions at `Managed CloudN Workflows `_.
+ #. Register your CloudN.
+
+ Option 2: Open a ticket with `Aviatrix Support `_.
+
+6.4.2995 (01/11/2022)
+=====================
+
+**Issues Corrected in Aviatrix Release 6.4**
+
+- **AVX-14537** - Error establishing Raccoon native CaaG attachment with larger transit instance size (Ex: c5.4xlarge, Standard_D8_v3) and number of IPSec Tunnels > 32.
+- **AVX-17349** – Closed vulnerability AVI-2021-0008, allowing an unauthenticated attacker partial access to configuration information on controllers and an unauthenticated network-adjacent attacker API access on gateways.
+
+6.5.2835 (12/10/2021)
+=====================
+
+**Issues Corrected in Aviatrix Release 6.5**
+
+- **AVX-9033** - The routing logs are not rotated on CloudN and are not included in the trace logs.
+- **AVX-14298** - The following CVEs were addressed in this release: `CVE-2007-2243 `_ and `CVE-2004-1653 `_.
+- **AVX-14659** - IPSec tunnel flapping between gateways running different flavors of IPSec infra.
+- **AVX-16121** - After a successful image upgrade, the gateway state changes from success to config_fail after about 5 minutes.
+- **AVX-16563** - Security Group Management feature fails on an Aviatrix Controller deployed in GCP after a Controller Migration operation.
+- **AVX-16912** - Cannot create Transit GW with HA in OCI using Terraform scripts.
+- **AVX-16967** - Deleting one or more Customized SNATs generates a “route already exists in route table” error.
+- **AVX-17489** - When deleting one CIDR from the spoke customized advertise CIDR list, the CIDR should only be removed from the transit gateway and the rest of the network. However, during deletion the CIDR was removed from the spoke itself, which deletes the routes added for static S2c.
+
+**Known Issues in Aviatrix Release 6.5**
+
+- If your Controller is running 6.4 and you have ControllerHA enabled, there is a very small chance that your HA recovery might fail if your Controller goes down by any chance. If that happens, you can manually restore the backup on your new Controller. To avoid this, please upgrade to the 6.5 release.
+- **AVX-16121** - In Aviatrix version 5.x, Logstash Forwarder was replaced by `Filebeat Forwarder `_ in the supported logging services. If you enabled logstash before this switch, please disable/enable logstash on the Filebeat Forwarder in “Controller/Logging” before upgrading your Aviatrix Controller, otherwise your Gateways might come up in the “config_fail” state after the upgrade. You might need to update your configuration on your collection side to accommodate this change. If you already upgraded and have Gateways in the “config_fail” state, you can do an “Image Upgrade” on the impacted Gateway to resolve the issue.
+- **AVX-17221** - If you have Managed CloudN, Aviatrix requires you to follow the Managed instructions and allow access to the sites mentioned for the CloudN Managed Port. If your Managed CloudN ends up in a "config_fail" state after your Controller is upgraded, you have the following options:
+
+ Option 1:
+
+ #. Deregister your CloudN. Follow the instructions to allow management port outbound access.
+ #. Follow NTP sync instructions at `Managed CloudN Workflows `_.
+ #. Register your CloudN.
+
+ Option 2: Open a ticket with `Aviatrix Support `_.
+
+6.4.2973 (11/19/2021)
+
+- If your Controller is running 6.4 and you have ControllerHA enabled, there is a very small chance that your HA recovery might fail if your Controller goes down by any chance. If that happens, you can manually restore the backup on your new Controller. To avoid this, please upgrade to the 6.5 release.
+- **AVX-16121** - In Aviatrix version 5.x, Logstash Forwarder was replaced by `Filebeat Forwarder `_ in the supported logging services. If you enabled logstash before this switch, please disable/enable logstash on the Filebeat Forwarder in “Controller/Logging” before upgrading your Aviatrix Controller, otherwise your Gateways might come up in the “config_fail” state after the upgrade. You might need to update your configuration on your collection side to accommodate this change. If you already upgraded and have Gateways in the “config_fail” state, you can do an “Image Upgrade” on the impacted Gateway to resolve the issue.
+- **AVX-17221** - If you have Managed CloudN, Aviatrix requires you to follow the Managed instructions and allow access to the sites mentioned for the CloudN Managed Port. If your Managed CloudN ends up in a "config_fail" state after your Controller is upgraded, you have the following options:
+
+ Option 1:
+
+ #. Deregister your CloudN. Follow the instructions to allow management port outbound access.
+ #. Follow NTP sync instructions at `Managed CloudN Workflows `_.
+ #. Register your CloudN.
+
+ Option 2: Open a ticket with `Aviatrix Support `_.
+
+6.4.2973 (11/19/2021)
+
+**Issues Corrected in Aviatrix Release 6.4**
+
+- **AVX-15653** - Controller image migration fails to progress past the initialization state.
+- **AVX-16494** - CPU overconsumption by IP processes on gateways.
+- **AVX-16601** - In some corner cases, if the API enable_gateway_auto_recovery option is used on the Controller to overcome the Azure maintenance windows it causes the ethernet interfaces on the gateways to go missing.
In some cases, the API failed to stop and start the affected gateways. If you have this feature enabled, please disable it and then enable it again after the upgrade or open a Support ticket at https://support.Aviatrix.com to get assistance.
+
+6.5.2721 (11/18/2021)
+=====================
+
+**Issues Corrected in Aviatrix Release 6.5**
+
+- **AVX-15735** - CoPilot unable to display gateway active sessions from the Aviatrix Controller.
+- **AVX-16494** - CPU overconsumption by IP processes on gateways.
+- **AVX-16572** - Listing interfaces on a gateway takes a long time with large number of Site2Cloud connections.
+- **AVX-16601** - In some corner cases, if the API enable_gateway_auto_recovery option is used on the Controller to overcome the Azure maintenance windows it causes the ethernet interfaces on the gateways to go missing. In some cases, the API failed to stop and start the affected gateways. If you have this feature enabled, please disable it and then enable it again after the upgrade or open a Support ticket at https://support.Aviatrix.com to get assistance.
+
+**Feature Enhancements in Aviatrix Release 6.5**
+
+- **AVX-9927** - Added message for unstable network connectivity prompting user to refresh page to reconnect.
+- **AVX-10080** - Added support for Transit Firenet in AWS China for Checkpoint.
+
+6.3.2551 (11/12/2021)
+=====================
+
+**Issues Corrected in Aviatrix Release 6.3**
+
+- **AVX-16569** - Controller image migration fails to progress past the initialization state.
+
+6.3.2548 (11/04/2021)
+=====================
+
+**Issues Corrected in Aviatrix Release 6.3**
+
+- **AVX-15897** - Fixed an issue for Gateway Replace/Create/ForceUpgrade operations if Splunk logging was enabled on it, which was seen on all releases after 10/13/2021 (when Splunk behavior changed).
+- **AVX-15985** - Fixed the issue where the Controller get_gateway_stats API was returning stats for deleted interfaces.
+- **AVX-16017** - Users were unable to create Microsoft Azure Resource Manager (ARM) China Gateway for the 6.3 version. This issue was fixed by updating an Azure China image link for 6.3.
+- This release includes a fix for the security vulnerability AVI-2021-0006 that would allow an unauthenticated attacker to execute arbitrary code on the Controller (this vulnerability was also fixed by our security patch released on 10/25/2021 as described here https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html#security-patch-note-10-25-2021).
+
+
+Security Patch Note for Controllers (11/01/21)
+=====================================================================
+
+**Subject**: AVI-2021-0005 Apache Request Smuggling Vulnerability Security Patch.
+
+**Issues**: This patch addresses vulnerabilities fixed by Apache version 2.4.51.
+
+Aviatrix released new AMIs for AWS on 10/13/21 to address vulnerabilities (`CVE-2021-40438 `_ and `CVE-2021-33193 `_). You are fully covered if you migrated your Controller to use the new AMIs mentioned in `Controller Images: AWS AMI – Version 100621 `_, following the instructions for `existing customers to perform a Controller image upgrade `_.
+
+This patch will address the same issue without requiring a Controller migration.
+
+For Controllers running in AWS, Aviatrix recommends that you migrate your Controllers as instructed in `Existing Customers - Controller Image upgrade (Migration) `_.
+
+For Controllers running in cloud service providers other than AWS (Azure, GCP, etc.), you can apply this security patch.
+
+To apply the security patch:
+
+ #. Secure a maintenance window and execute the following during the maintenance window.
+
+ #. Go to your Controller (any version) management console.
+
+ #. Go to Settings > Maintenance > Backup & Restore. Make sure you have a backup of your current settings.
+
+ #. Go to Settings > Maintenance > Security Patches and click on "Update available patches".
+
+ #.
From the list of patches, apply the "AVI-2021-0005 Apache Request Smuggling Vulnerability" patch.
+
+ #. Back up your Controller again.
+
+
+(CloudN standalone mode) To apply the security patch if you have CloudN running in a standalone mode, Aviatrix suggests you run the following in a maintenance window:
+
+ #. Go to CloudN > Maintenance > Security Patches and click on "Update available patches".
+
+ #. Please make sure that CloudN has outbound access to 0.0.0.0/0 for ports 80 and 443 before applying the patch.
+
+ #. From the list of patches, apply the "AVI-2021-0005 Apache Request Smuggling Vulnerability" patch.
+
+
+(CloudN in CaaG mode) To apply the security patch if you have CloudN running in a CaaG mode, Aviatrix suggests you run the following during a maintenance window:
+
+ #. Detach CaaG from the Transit Gateway.
+
+ #. Deregister the CaaG Gateway.
+
+ #. Reload the CloudN UI page.
+
+ #. Go to CloudN > Maintenance > Security Patches and click on "Update available patches".
+
+ #. Please make sure that CloudN has outbound access to 0.0.0.0/0 for ports 80 and 443 before applying the patch.
+
+ #. From the list of patches, apply the "AVI-2021-0005 Apache Request Smuggling Vulnerability" patch.
+
+ #. Register CaaG back to the Controller.
+
+ #. Attach CaaG back to the Transit Gateway.
+
+
+6.4.2945 (10/31/2021)
+=====================
+
+**Issues Corrected in Aviatrix Release 6.4**
+
+- **AVX-11175** - FQDN feature will handle any case changes to the UserAgent field made by a proxy.
+- **AVX-15438** - For gateways with HPE connections to other gateways or CloudN gateways, a resize-up operation will make use of excess capacity, but a later replace operation might cause gateway to go to config_fail state. This fix addresses the issue.
+- **AVX-15528** - The real-time status of the gateway is not returned in GCP when there are a large number of instances in the VPC.
+- **AVX-15599** - Cannot launch a gateway on private OOB Controller.
+- **AVX-15897** - Fixed an issue for Gateway Replace/Create/ForceUpgrade operations if Splunk logging was enabled on it, which was seen on all releases after 10/13/2021 (when Splunk behavior changed).
+- **AVX-15978** - The conntrack allow all rule should always be above DROP all rule. The order should be honored. Fixed in this release.
+- **AVX-15985** - Fixed the issue where Controller get_gateway_stats API was returning stats for deleted interface.
+- **AVX-16066** - Stateful-Firewall ESTABLISHED rule deleted from FORWARD chain.
+- **AVX-16100** - Fix that allows configuration of DNAT on transit GW on non-active mesh connection.
+
+
+6.5.2613 (10/28/2021)
+=====================
+
+**Issue Corrected in Aviatrix Release 6.5**
+
+- **AVX-15444** - This fixes CaaG registration version check error.
+
+
+6.5.2608 (10/27/2021)
+=====================
+
+**Feature Enhancements in Aviatrix Release 6.5**
+
+- Added support for AWS BGP over LAN to support multiple peer instances. Scale up to 10 BGP over LAN peers per Transit Gateway, and 20 total per Transit Gateway pair. This provides a higher throughput, better redundancy, and a consolidation of BGP over LAN peers for on-prem connectivity on a pair of Transit Gateways. For more information, see the discussion about `BGP over LAN Multi-Peer `_.
+- Added fields “ec2 role” and “app role” in the Controller UI to support custom roles for AWS IAM based accounts. It is highly recommended to use a customized name for "ec2 role" and "app role" instead of the Aviatrix default roles for better security.
+- **AVX-15101** - Added support for Azure Government Cloud Availability Zones.
+
+**Issues Corrected in Aviatrix Release 6.5**
+
+- **AVX-9927** - The Controller does a page refresh automatically when detecting a network issue.
+- **AVX-11175** - FQDN feature will handle any case changes to the UserAgent field made by a proxy.
+- **AVX-13851** - Site2cloud edit to update Local Identifier as private IP for External Device connection will update all tunnels correctly.
+- **AVX-14224** - Improvements to Spire Gateway Service for handling a large number of gateways.
+- **AVX-14240** - Improved messaging for CloudN without public IP.
+- **AVX-14397** - CaaG’s state changed to config_fail due to a wrong certificate name.
+- **AVX-14600** - Support Palo Alto Firewall vendor integration with multiple IPs configured on the eth interfaces
+- **AVX-14610** - Corrected non-ASCII characters while displaying the logs from Troubleshoot->Logs.
+- **AVX-14619** - Fixed an issue causing packet drops when migrating from ActiveMesh 1.0 to 2.0.
+- **AVX-14678** - Support multiple firewalls to be created and attached to Transit Gateway in Azure when Panorama vendor integration is configured.
+- **AVX-14700** - Addressed an issue where some Gateways could be reported in a down state if Certificate Domain is updated.
+- **AVX-14729** - Fixed an issue with cloudN upgrade failing dry run caused due to SSLError (Cert Expired).
+- **AVX-14820** - Addressed an issue with Gateways being in up state during an upgrade from 6.4 to 6.5.
+- **AVX-15012** - Exception error during disabling OCI transit firenet function.
+- **AVX-15071** - Fixed firewall tuple setting from changing during Controller upgrade.
+- **AVX-15083** - Fixed issues with Site2Cloud with “Single IP HA” feature having issues with customized SNAT features when “sync to HA gateway” configuration is enabled.
+- **AVX-15138** - Fixed route table priority to deal with CIDR overlap between advertised routes from Transit and CaaG/CloudN eth2 MGMT interface.
+- **AVX-15198** - Process optimization to avoid db updates when transit gateway details are listed by the Aviatrix Controller or CoPilot.
+- **AVX-15238** - Fixed a CaaG registrion failure issue after the cert domain is changed from default.
+- **AVX-15332** - Fixed an issue that was causing the Controller migration process to fail.
+- **AVX-15454** - Deleted dependency of storage account for Azure China gateways.
+- **AVX-15528** - The real-time status of the gateway is not returned in GCP when there are a large number of instances in the Project.
+- **AVX-15639** - When replacing a gateway using image upgrade the new gateway was missing the Aviatrix-Created-Resource tag. This has been fixed by ensuring the tag is added while launching the new gateway.
+- **AVX-15653** - Fixed an issue where Controller migration fails when custom IAM roles and limited permissions are used.
+- **AVX-15704** - Fixed the issue when creating an IKEv2 enabled site2cloud connection, where "Failed to establish a new connection" error displays.
+- **AVX-15897** - Fixed an issue for Gateway Replace/Create/ForceUpgrade operations if Splunk logging was enabled on it, which was seen on all releases after 10/13/2021 (when Splunk behavior changed).
+- **AVX-15978** - The conntrack allow all rule should always be above DROP all rule. The order should be honored. Fixed in this release.
+- **AVX-15985** - Fixed the issue where Controller get_gateway_stats API was returning stats for deleted interface.
+- **AVX-16100** - Fix that allows configuration of DNAT on transit GW on non-ActiveMesh connection.
+- **AVX-16130** - Fixed an issue where S2C GRE tunnel was showing it was down even though the S2C connection passing traffic with BGPoGRE was up.
+- This release includes a fix for the security vulnerability AVI-2021-0006 that would allow an unauthenticated attacker to execute arbitrary code on the Controller (this vulnerability was also fixed by our security patch released on 10/25/2021 as described here https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html#security-patch-note-10-25-2021).
+
+
+- The following CVEs were addressed in this release: `CVE-2007-2243 `_ and `CVE-2004-1653 `_.
+
+**Known Behaviors in Aviatrix Release 6.5**
+
+- **AVX-16151** - The [NAT] incorrect tunnel is used during DNAT rule programming for Transit Gateway with HA. When DNAT is configured on non-active-mesh Transit Gateway with "Sync to HA" enabled, the DNAT rule may not be programmed correctly on HA Gateway and the Transit Gateway failover may see traffic impact. **Workaround** The workaround for this issue is that the DNAT config needs to be separately programmed on the primary and HA Gateway rather than programming on the primary Gateway side with "Sync to HA" enabled.
+
+
+Security Patch Note (10/25/2021)
+=====================================================================
+
+**Subject**: AVI-2021-0006 Critical Vulnerability Security Patch
+
+**Issues**: This security patch contains a fix for a Controller vulnerability.
+
+This security patch was made available Monday, October 25th, 2021 at 05:00PM PST. The critical vulnerability addressed by this patch was privately disclosed to Aviatrix and is not known to be exploited. It affects services of our Controller available on port 443 and would allow an unauthenticated attacker to execute code on the controller. This could be mitigated by limiting access to the https/port 443 of the Controller, or by running a Web Application Firewall (WAF) in front of it.
+
+For more information about securing Controller access, see https://docs.aviatrix.com/HowTos/FAQ.html#how-do-i-secure-the-controller-access.
+
+Aviatrix strongly recommends you install the **AVI-2021-0006 Critical Vulnerability Security Patch**.
+
+To apply a security patch, please refer to the following steps:
+
+* First, do a backup on your Controller in “Controller/Settings/Maintenance/Backup&Restore/Backup Now”
+* Go to “Controller/Settings/Maintenance/Security Patches” and click on “Update Available Patches”
+* You should see a new patch called: “AVI-2021-0006 Critical Vulnerability Security Patch”
+* Apply the patch, by clicking on the icon on the right and selecting “Apply Patch”
+* Take a backup again at “Controller/Settings/Maintenance/Backup&Restore/Backup Now”
+
+**Note:**
+
+* The security patch does not impact the data path or control path and can be executed without a maintenance window
+* This patch can be applied on releases 6.2 and higher
+* Aviatrix **strongly recommends** you to upgrade to releases 6.4 or higher. Please check out the `release notes `_ and follow the `upgrade instructions `_
+
+
+Security Note 6.5.1936, 6.4.2869, 6.3.2526, and 6.2.2052 (10/11/2021)
+=====================================================================
+
+**Subject**: Security release for Aviatrix versions 6.5.1936, 6.4.2869, 6.3.2526, and 6.2.2052.
+
+**Issues**: The latest 6.5, 6.4, 6.3, and 6.2 versions contain fixes for two vulnerabilities.
+
+**AVX-15638** – Corrected vulnerability that could result in a Denial-of-Service (DoS) in Aviatrix's controller API which allows an attacker to fill the disk of the controller. The API vulnerability is blocked in the latest controller software versions.
+
+For more information, see `CVE-2021-40870 `_
+
+**AVX-15740** - The latest version of the Aviatrix AWS CloudFormation stack improves security by removing 0.0.0.0 entry on port 443 so the Aviatrix controller is not open to the world by default. However, this means related gateway IP entries need to be added to the security group when a new gateway is deployed for the gateway to talk to controller.
To achieve this automatically, the Controller Security Group Management feature will be auto enabled when a user creates the first AWS account. If you are performing the manual backup and restore procedure, please inherit all the original security groups in the newly launched controller.
+
+Mitigation: Please upgrade to the latest release. For detailed instructions related to this security upgrade, please see https://aviatrix.zendesk.com/hc/en-us/articles/4410621458317.
+
+-If you are running 6.2, upgrade to 6.2.2052 or later. Aviatrix strongly recommends you upgrade to 6.4.2869 or later, 6.2 `EoL `_ is 10/15/2021.
+
+-If you are running 6.3, upgrade to 6.3.2526 or later. Aviatrix strongly recommends you upgrade to 6.4.2869 or later, 6.3 `EoE `_ was 7/31/2021.
+
+-If you are running 6.4, upgrade to 6.4.2869 or later.
+
+-If you are running 6.5, upgrade to 6.5.1936 or later.
+
+6.4.2859 (9/22/2021)
+=====================
+
+**Feature Enhancements in Aviatrix Release 6.4**
+
+- **AVX-15101** - Added support for Azure Government Cloud Availablility Zones.
+- Enhanced stateful firewall functionality.
+- Enhanced certificate functionality.
+
+**Issues Corrected in Aviatrix Release 6.4**
+
+- **AVX-14678** - Unable to create multiple firewalls attached to the same transit gateway in Azure environments.
+- **AVX-15138** - When a spoke or transit gateway advertises a CIDR that overlaps with a CaaG or StandAlone CloudN MGMT eth2 subnet, and the client application accesses the device through the eth2 MGMT interface, the reply traffic is not returned through the eth2 MGMT interface.
+- **AVX-15198** - When transit gateway details are listed by the Aviatrix Controller or CoPilot, an exception may occur because the request is in replica mode and incorrectly tries to update the Mongo DB.
+
+Security Note 6.2.2043, 6.3.2490, 6.4.2838, and 6.5.1922 (9/11/2021)
+===================================================================
+
+**Subject**: Security release for Aviatrix versions 6.5, 6.4, 6.3, and 6.2.
+
+**Issues**: The latest 6.5, 6.4, 6.3, and 6.2 versions contain fixes for several vulnerabilities in the controller API:
+
+- Several APIs used to upload configurations of certain services did not verify the authentication of the service or user executing the API call properly.
+- `CVE-2021-40870 `_: Similar APIs designed to upload files from authenticated users did not properly sanitize their destination input, which could eventually allow an unauthenticated user to execute arbitrary code via directory traversal.
+- Fix for Aviatrix issue AVX-14852 described in Aviatrix FN 0032: In rare occasions, Controller backup file could get corrupted, resulting in gateways being shown as “down” if used for a Controller restore.
+
+**Mitigation**: Please upgrade to the latest release. For instructions, go to `support.aviatrix.com `_ and search for *Aviatrix Controller Upgrade*.
+
+
+- If you are running 6.2, upgrade to 6.2.2043 or later. Aviatrix strongly recommends you upgrade to 6.4.2838 or later, 6.2 `EoL `_ is 10/15/2021.
+- If you are running 6.3, upgrade to 6.3.2490 or later. Aviatrix strongly recommends you upgrade to 6.4.2838 or later, 6.3 `EoE `_ was 7/31/2021.
+- If you are running 6.4, upgrade to 6.4.2838 or later.
+- If you are running 6.5, upgrade to 6.5.1922 or later.
+
+**Credit**: Aviatrix would like to thank the team at Tradecraft (https://www.wearetradecraft.com/) for the responsible disclosure of these issues.
+
+6.5.1905 (8/24/2021)
+=====================
+
+**New Features in Aviatrix Release 6.5**
+
+**Selective Upgrades**
+
+To facilitate less disruptive upgrades and reduce maintenance windows Aviatrix provides a rolling selective upgrade process.
You can choose to upgrade all Aviatrix gateways simultaneously or select specific gateways and regions to upgrade in logical groups conforming to your network update policies and maintenance windows. For more information, see `Upgrading the Aviatrix Cloud Network Platform `_.
+
+**Feature Enhancements in Aviatrix Release 6.5**
+
+- **AVX-9881** - Added support for using the same Azure Virtual Network name and resource group names under different subscriptions.
+- **AVX-10188** - Added warning message when disabling the import certificate which includes the impact and effects of disabling the certificate.
+- **AVX-10493** - Added support for Alibaba cloud including China regions in Aviatrix FlightPath.
+- **AVX-10799** - Added support for Alibaba cloud including Global and China regions to Aviatrix VPC Tracker.
+- **AVX-13615** - Added AWS GuardDuty support for AWS GovCloud monitoring.
+
+**Modified Behaviors in Aviatrix Release 6.5**
+
+- **AVX-9894** - Removed deprecated optional custom logging fields for Splunk, Sumo, and FielBeat from the user interface.
+- **AVX-10113** - When you import security certificates on the gateways and controller, the certificate must include the proper FQDN.
+
+ For example:
+ openssl req -new -subj "/C=GB/CN=foo" \
+ -addext "subjectAltName = DNS:foo.co.uk" \
+ -addext "certificatePolicies = 1.2.3.4" \
+ -newkey rsa:2048 -keyout key.pem -out req.pem
+
+Alternatively, you can add the SubjectAlternateName (SAN) tag in the openssl.cnf file before generating the certificate. The SAN tag makes sure your certificate includes the SubjectAlternateName which is validated by the Apache server on the controller. Versions of UserConnect-6.4 and later require the proper SubjectAlternateName including altNames be set in the certificates when they are imported. If the SAN is not specified, importing the certificates fails.
+
+- **AVX-14009** - Added option to allow all traffic from the local VPC CIDR block to the network security group created during the OCI gateway creation process. Previously, only TCP port 443 traffic from the controller was added to the security group. By default, OCI allows all traffic from RFC1918 blocks. This change only applies to non-RFC1918 VPC CIDR block configurations.
+
+**Known Behaviors in Aviatrix Release 6.5**
+
+*Upgrading to Aviatrix Release 6.5*
+
+- This behavior does not affect ActiveMesh gateways. In non-ActiveMesh environments, only one transit or spoke gateway can have the image upgraded or the software rolled back at a time. If you select multiple gateways, you receive an error message. For multiple API calls to replace gateways using Terraform, only one gateway is allowed and the others fail. For Terraform calls, Aviatrix recommends you set parallelism=1.
+
+*Gateway Issue Discovered After Upgrade*
+
+In rare cases where the controller and a group of gateways are selected for upgrade and a fatal bug is discovered in the new software, a situation where the controller and gateways remain running different versions could develop. If this condition occurs assistance from Aviatrix Support is required.
+For example:
+A controller and gateways are running version 6.5.200.
+
+- You upgrade the controller and a subset of gateways to 6.5.300.
+- You rollback the gateways to 6.5.200 because of a bug in the 6.5.300 software.
+- Now the controller is running 6.5.300 and all gateways are running 6.5.200, and the gateways cannot successfully be upgraded to 6.5.300 because of the bug.
+- The bug is resolved in controller version 6.5.400, so you want to upgrade to 6.5.400 to resolve the issue. However, this is not supported because the controller and gateways must be running the same software version before the controller can be upgraded.
+- In this corner case, you must contact Aviatrix Support to upgrade the controller to the newer version.
Support will diagnose the issue and provide the API operation required to perform the con-troller upgrade.
+
+*Gateway Rollbacks*
+
+Gateway rollback operations are not supported after Controller restore operations.
+
+**Issues Corrected in Aviatrix Release 6.5**
+
+- **AVX-10552** - Changed TGW VPN tunnel details response in API so list_attachment_route_table_detail returns are in dictionary format rather than a long string.
+
+
+6.4.2830 (08/28/2021)
+=====================
+
+**Issues Corrected**
+
+- **AVX-13787** Incorrect gateway status is reported for default routes when an OCI gateway in insane mode is attached to a Transit FireNet gateway.
+- **AVX-14295** When on-premise routes are a injected or withdrawn, they are incorrectly removed in connected domain route tables.
+- **AVX-14426** Newly deployed cloud gateways use a new IKE implementation and may cause negotiation issues when spoke or on-premise tunnels are configured with an older IKE implementation on one side and the new Aviatrix IKE implementation on the transit side. You may observe tunnels taking a long time to become established, and on occasion may observe route flapping even after the tunnel is established.
+- **AVX-14689** Creating an Aviatrix gateway in the Alibaba Cloud may fail because the public IP address may not get converted to an elastic IP address.
+
+6.4.2791 (08/20/2021)
+=====================
+
+- **Bug fix** The FQDN egress filtering gateway blocks traffic after adding whitelisting tags to the egress filtering gateway.
+
+
+6.4.2783 (07/15/2021)
+=====================
+
+- **Bug fix** This issue is related to our smallest supported instance size in AWS which is t2.micro. In 6.4 the t2.micro instances were under additional memory pressure because of new services enabled in 6.4. As a result, some customers may experience gateway down events after upgrading to 6.4. This issue resolves those issues by optimizing several scheduled jobs which burden the t2.micro appliances.
+- **Enhancement** In order to alleviate memory pressure on our smallest supported AWS instance size; t2.micro, we now enable swap memory on instances with less than 1G of memory. This allows short periods of over-provision to be tolerated by the operating system ensuring continuous operations.
+
+
+R6.4.2776 (07/13/2021)
+========================
+
+.. note::
+ - If upgrading from 6.3 to 6.4, please make sure to upgrade the image to 6.3 latest first before upgrading it to release 6.4.
+ - Starting 6.4, Standalone CloudN no longer support HPE over Internet
+
+- **Bug fix** NAT rule is missing after replacing a gateway with and S2C mapped tunnel.
+- **Bug fix** When an S2C mapped tunnel route is modified the old iptable entry is not removed.
+- **Bug fix** HA Controller restorations partially fail when DataDog API is integrated.
+- **Bug fix** In Azure clouds the Controller does not deploy more than one firewall instance in the same availability set as the Controller.
+- **Bug fix** False license expiration alerts can be sent to subscribers.
+- **Bug fix** When adding a FireNet instance to the routing path, the default value of the "Attach" flag should be "false".
+- **Bug fix** In some implementations, the firewall does not block traffic to subdomains of domains that are on the whitelist.
+- **Bug fix** The RBAC permissions for Site2cloud configuration download are not correct.
+- **Bug fix** Failed to attach HPE Spoke to Transit due to route already exists error.
+- **Bug fix** Controller unable to push RFC-1918 route to Panorama.
+- **Bug fix** Azure Peering UI filter not working.
+- **Bug fix** Unable to enter User VPN filter content fields on the Controller dashboard.
+- **Enhancement** Reduced memory consumption for BGP event monitoring process and other processes.
+- **Enhancement** Improved reliability by requiring the OVPN file to use the Global Accelerator DNS name to resolve to the 2 static IP addresses of the accelerator.
+- **Enhancement** Allow changes to the MTU setting in the Aviatrix OVPN client during runtime.
+- **Enhancement** Shortened execution time and memory usage for removing list_vpc and list_saml_info users.
+- **Enhancement** Allow the same PSK to be used for primary and backup Aviatrix gateways based on S2C tunnel policy.
+- **Enhancement** Allow use of colon in tags.
+
+
+R6.4.2674 (06/26/2021)
+========================
+
+- **Bug fix** In AWS and Azure clouds, gateway and FireNet tag keys and values do not support the colon (:) and other special characters.
+- **Bug fix** Added support for Azure Controller Security Group Management allowing the Network Security Group and the Azure Controller to use different Resource Groups.
+- **Bug fix** Added support for Multiple Dynamic SAML Profile attributes for controller login in list format.
+- **Bug fix** Added size suggestions for deploying ActiveMesh Insane Mode gateway instances in Azure India regions.
+- **Bug fix** Transit list page displays exceptions during gateway deployment.
+
+
+R6.4.2672 (06/11/2021)
+========================
+
+- **Bug fix** Gateway FQDN logs fail to download resulting in an error message.
+- **Bug fix** Availability Domain and Fault Domain not available in OCI gateway and firewall instances.
+- **Bug fix** Terraform bug fix, cannot delete all gateway tags.
+- **Bug fix** SNAT cannot be disabled on Azure spoke gateway.
+- **Bug fix** OCI Gateways deployed with Active Mesh are not being deployed in separate Availability Domains.
+- **Bug fix** CAAG OCI, OCI tunnels missing after replacing the OCI transit gateway
+- **Bug fix** Aviatrix Controller in Azure unable to push RFC-1918 route to Panorama in OCI.
+- **Bug fix** Intermittent connectivity issues from CoPilot to Controller.
+- **Bug fix** Enabling FQDN Discovery fails, some configuration changes are not removed, and the network connection breaks.
+- **Bug fix** Upgrade fails when upgrades from 6.3 to 6.4 using the upgrade to latest release feature.
+- **Bug fix** Cannot add certificates to LDAP configuration, error C:\fakepath\user.crt does not exist.
+- **Enhancement** Aviatrix Controller blocks multiple simultaneous logins from one account.
+
+
+R6.4.2618 (05/30/2021)
+========================
+
+.. note::
+ Customers using Azure Controller Release 6.3 and managed CloudN, should hold off upgrading Controller with CloudN to 6.4 until next 6.4-patch
+
+- **Bug fix** Enabling segmentation caused some routes missing in the spoke routing table
+- **Bug fix** Fixed exception for SAML VPN connection.
+- **Bug fix** In Ali Cloud, Transit gateway showed all connections down.
+- **Bug fix** In some corner cases Controller HA, backup/restore broke the control connection between the controller and CloudN.
+- **Bug fix** Fixed exception when downloading the OCI OVPN file.
+- **Bug fix** Fixed Managed CloudN exception during registration.
+- **Enhancement** In IAM policy, enable parallel role swapping after role name change.
+
+
+R6.4.2561 (05/18/2021)
+========================
+
+.. note::
+ Customers should hold off upgrading Controller with CloudN to 6.4 until next 6.4-patch
+
+- **Bug fix** When FQDN gateways deployed in HA topologies have private route tables with the IAM deny policy applied, the default route restoration fails when the FQDN feature is disabled. Default route restoration only works only in non-HA topologies.
+- **Bug fix** In the Alibaba cloud, after running for a while BGP sessions on the IPSEC tunnel can go down at random.
+- **Bug fix** When using insane mode over the internet, missing Elastic IP addresses can cause some tunnels not to come up.
+- **Bug fix** When a new transit gateway for FireNet is launched on Azure, a false notification indicating that interface eth1 is down and needs to be restarted manually is sent.
+- **Bug fix** Disconnecting last BGP connection does not clear the IP prefix configuration.
+- **Bug fix** When a new best path is selected, old routes are deleted causing traffic interruptions.
+- **Bug fix** In GCP, when FireNet and FQDN Filtering are enabled the gateway is no longer associated with the existing instance group after the gateway is replaced.
+- **Bug fix** Deleting then recreating transit peering connections blocks some tunnels from delivering traffic.
+- **Bug fix** In GCP, after a NIC connection goes down the gateway fails to restart.
+- **Bug fix** Route updates can take excessive time after upgrading to 6.4.
+- **Bug fix** Unable to attach OCI spoke gateway to OCI transit gateway after upgrading to 6.4.
+- **Bug fix** When a spoke is attached to an egress IP, the skip public route table update operation is not working.
+- **Bug fix** Some gateways may not be upgraded during the 6.4 upgrade process.
+- **Bug fix** When FQDN gateways deployed in HA topologies have private route tables with the IAM deny policy applied, the default route restoration fails when the FQDN feature is disabled. Default route restoration only works only in non-HA topologies.
+- **Bug fix** Block creating a global network from AWS China controllers.
+- **Bug fix** In Alibaba clouds, after deleting a transit gateway you may find invalid paths to certificates.
+- **Bug fix** Enable the custom Gateway IAM role feature for AWS China and Government clouds through the API.
+
+
+R6.4.2499 (05/10/2021)
+========================
+
+1. Multi-Cloud Transit Network
+--------------------------------
+- **Alibaba Cloud Support** expands the Aviatrix Multi-Cloud Transit solution to support the Alibaba Cloud. This includes support for Ali Global and Ali China region.
For more information, check out `Alibaba Cloud Account Credential Setup `_ + +- **China Multi-Cloud Network Architecture Support** expands the Aviatrix Multi-Cloud Transit solution to AWS, Azure, and Alibaba public clouds in China regions. For more information, check out `Aviatrix China Overview `_. Support includes: + + * Aviatrix Controller image and CoPilot image in AWS China Marketplace. + + * Multi-Cloud Transit solution in AWS China, Azure China and Alibaba China regions. + +- **Multi-Tier Transit** supports the hierarchical Multi-Cloud Transit gateway deployment model, and adds the ability to traverse more than two Aviatrix Multi-Cloud Transit gateways. This feature improves operational simplicity by aggregating multiple Aviatrix Transits. One use case is centralized firewall design for multiple Aviatrix-Transits in a single region, which allows in-region traffic without any inspection. To configure Multi-Tier Transit, go to Multi-cloud Transit -> Advance Config. Select the Transit Gateway and enable the Multi-Tier Transit feature. For more information, refer to `Multi-Tier Transit doc `_ +- **Transit Peering Insane Mode Support over Public Network** provides high performance Transit Gateway peering to multi-cloud networks with public network connectivity between AWS and Azure only. To configure Insane Mode over public networks, go to Multi-cloud Transit -> Transit Peering -> +Add New. Select the option Insane mode over Internet for a new peering connection. For more information, refer to `Peering over Public Network or Internet doc `_ +- **OCI Transit Insane Mode Support** expands our Insane Mode Encryption Service to OCI networks. The support includes Insane Mode for VCN to VCN encrypted peering and Transit Peering connections. Launch an OCI gateway with Insane Mode enabled to get started. For more information, refer to `OCI Performance Test Results `_ +- **IAM Role and Policy for Gateways** separate IAM policy for Aviatrix gateway. API support only. 
+- **BGP Connection Holdtime** can now be modified through the Aviatrix Controller. One use case of modifying BGP Hold Timer is to have a quicker BGP failover time. For more information, refer to `BGP Hold Time doc `_ + +2. FireNet +------------- +- **Aviatrix Transit FireNet for OCI** allows you to deploy firewall instances in OCI. The OCI FireNet can be used for East-West, North-South and Ingress-Egress inspection with Palo Alto Networks VM-Series only. For more information, check out `Transit FireNet Workflow for OCI `_ and `Example Config for Palo Alto Network VM-Series in OCI `_. +- **FireNet Fortinet Integration Enhancement** now supports Fortinet firewall integration with the Aviatrix Transit FireNet solution. This integration allows automatic route updates in Fortigate routing tables by the Aviatrix Controller. You no longer need to statically configure RFC 1918 or any other routes in Fortigate. This integration is supported for AWS, Azure, and GCP Public clouds only. For more information, check out `Transit FireNet Workflow for AWS, Azure, GCP, and OCI `_ + +- **Check Point CloudGuard in GCP** is now available when deploying Aviatrix Transit FireNet. Refer to this example `CheckPoint workflow in GCP `_ for more details. +- **Fortinet Fortigate for GCP** is now available in GCP when deploying Aviatrix Transit FireNet. +- **Custom AMI Support for Firewall Instances** allows customer to launch the special images provided by firewall vendors. API support only. + +3. Site2Cloud +--------------- +- **Dynamic routes update for Site2Cloud Connections** adds the capability to auto advertise or remove the remote subnet automatically based on the Up/Down status of the Site2Cloud tunnel. To configure dynamic routes for Site2Cloud, go to Multi-Cloud Transit -> List -> Spoke -> Select Spoke Gateway and click "Auto Advertise Spoke S2C CIDRs" to enable dynamic routes. 
For more information, refer to `Auto Advertise Spoke Site2Cloud CIDRs doc `_ +- **Site2Cloud Single Public IP Failover Support** enhances the HA mechanism to use a single public IP address and single tunnel from the remote site (on-prem) point of view. To configure Site2Cloud Single Public IP Failover, go to Site2Cloud -> Add New -> Enable HA. Check the box to Enable Single IP HA to activate Single Public IP Failover. This applies to AWS and Azure only. For more information, refer to `Site2Cloud IPSec VPN Instructions `_ +- **Jumbo Frame Support** adds the ability to turn on/off Insane Mode jumbo frame support for the Site2Cloud tunnel between the Aviatrix Transit Gateway and CloudN. To enable jumbo frame support, go to Site2Cloud -> Select Site2Cloud connection to CloudN. Click Edit and enable jumbo frame support. For more information, refer to `Jumbo Frame doc `_ + +4. Security +--------------- +- **Egress FQDN Enhancement** is now supported for multiple Egress FQDN gateways in GCP. This feature includes support for GCP Shared VPC as well as Distributed and Centralized Egress for FQDNs. + +5. Operations +----------------- +- **Create a VPC Enhancement** adds an option in "Create a VPC" to select an existing Resource Group for Azure under Advanced options. +- **Co-Pilot integration with Controller** delivers the operational simplicity you need by presenting Aviatrix Controller as a single-pane of glass for managing the Day 0, Day 1 and Day 2 operations of the cloud fabric. The integration with Co-Pilot brings additional capabilities including the SAML and DUO integration, and RBAC control. To configure the CoPilot Controller integration, log into the Aviatrix Controller console and go to Settings -> CoPilot -> Enable CoPilot Association to integrate CoPilot with Aviatrix Controller. 
For more information, refer to `CoPilot doc `_ +- **Performance and Scalability Improvements** Significant performance improvements for the Aviatrix Multi-Cloud Network Architecture (MCNA) especially for a very large enterprise networks. +- **Route Table Optimization** allows customer to skip public route table programming. This is supported in AWS only. For more information, refer to `Transit List doc `_ +- **Notification Enable/Disable Option** gives an ability to customers to disable exception emails send to Aviatrix. For more information, refer to `How to not send exception notification to Aviatrix doc `_ + +6. Behavior Change Notice +-------------------------- +- Aviatrix is setting the public IP address of a peer device as the default remote identifier for an S2C connection. If the peer device uses its private IP address as the local identifier, the user needs to manually update the private IP of the peer device to use the remote identifier. In the Aviatrix Controller, go to the Aviatrix S2C page -> Edit connection -> Remote Identifier and update the private IP of the peer device to use the remote identifier. + +- The API "get_transit_or_spoke_gateway_details" result format changed. + +- Two CaaG can’t have the same public IP, e.g. mgmt interface behind the same NAT gateway. + +7. Before you Upgrade +-------------------------- +- Gateway FQDN names (gateway_name + aviatrixnetwork.com) longer than 64 characters will prevent gateways from booting up correctly. +- Standalone CloudN cannot be upgrade to 6.4. +- Please review the latest field notices (FN#22 - 28), and take a recommended action for any `field notices `_ applicable to your environment. +- Aviatrix released new gateway and Controller images/AMIs for AWS and Azure. + +R6.3.2475 (05/22/2021) +======================= +- **End of life** Gateway images based on Ubuntu 14 and Ubuntu 16 are deprecated. You MUST replace these with Ubuntu 18 based images before upgrading to 6.4. 
Refer to FN28 for more details. +- **Bug fix** Fixed exception for OCI gateway launch. +- **Bug fix** Fixed bug in GCP FireNet with Palo Alto VM-Series image version listing. +- **Bug fix** In some corner cases Controller HA, backup/restore breaks the control connection between the controller and Cloudn. +- **Bug fix** Fixed an issue with BGP route advertisement after spoke attachment +- **Bug fix** When a gateway NIC goes down, an alert will be triggered and the gateway will be taken down and brought back up again after self-remediation. +- **Bug Fix** If a VNet route table is deleted unexpectedly, VNets could connect to the wrong transit gateway spoke for the subscription. When VNets under different subscriptions use the same Resource group name, and both Spoke VNets connect to different transit gateways, the controller cannot distinguish which VNet should attach to which gateway. + +R6.3.2415 (04/19/2021) +======================= + +- **Co-Pilot integration with Controller** delivers operational simplicity by presenting Aviatrix Controller and CoPilot in a single pane of glass for managing the Day 0, Day 1 and Day 2 operations of the cloud fabric. The Aviatrix Controller integration with Co-Pilot adds capabilities to the Controller including SAML and DUO integration, and RBAC control. To configure the CoPilot Controller integration, log into the Aviatrix Controller console and go to Settings -> CoPilot -> Enable CoPilot Association to integrate CoPilot with Aviatrix Controller. +- **Enhancement** Improved CloudN to controller reachability mechanism for public and private subnets. +- **Enhancement** Improved error handling for Aviatrix Controller HA process. +- **Bug fix** Fixed the backup restoration API response for Aviatrix Controller HA mechanism. +- **Bug fix** Blocked the exclude CIDR feature for Native GWLB FireNet. +- **Bug fix** Fixed exception for Site2Cloud remote subnet modifications. +- **Bug fix** Corrected invalid netflow data sent to CoPilot. 
+- **Bug fix** Fixed GCP security rule for Site2Cloud over private IP. +- **Bug fix** Corrected route table programming for native GWLB. +- **Bug fix** Fixed gateway creation issue when customized IAM policy is used in AWS. +- **Bug fix** Fixed default route restoration for FQDN when discovery is disabled. +- **Bug fix** Improved error messages for native GWLB egress. +- **Bug fix** Allowed ActiveMesh 2.0 migration without disabling Transit FireNet for older releases. + + + +R6.3.2364 (03/18/2021) +======================= + +- **Aviatrix Transit FireNet for GCP** allows you to deploy firewall instances in GCP. For more information, check out `Transit FireNet Workflow `_. +- **Segmentation Enhancement** Add the Multi-Cloud Transit segmentation support for CloudN +- **Site2Cloud Enhancement** Clear Session option is added in Site2Cloud connection to clear the active connection sessions running through Aviatrix gateways. +- **Multi-Cloud Transit Enhancement** New capability to attach managed CloudN with Multi-Cloud Aviatrix Transit without High Performance Encryption (HPE) for Oracle cloud only. +- **FlightPath Enhancement** Add support for IP address as a source +- **TGW Enhancement** Add support for AWS TGW connect +- **Bug fix** Enhanced AWS ENA conntrack data into the syslog +- **Bug fix** Improve the route programming mechanism for Spoke VPC to filter the customize CIDRs first before installing into the Spoke VPC route table. +- **Bug fix** Fix the Dashboard status display issue for BGP over LAN. +- **Bug fix** Fix the Aviatrix Gateways "Polling" status after Controller Backup & Restore and IP migration +- **Bug fix** Add the missing parameters in template for “Export to Terraform” feature +- **Bug fix** Fix exception for CloudN registration after controller migration. + +R6.3.2247 (03/01/2021) +======================= + +- **Bug fix** Race condition causing exception for Aviatrix Transit Gateway peering. 
+- **Bug fix** Fix the TGW attachment deletion issue when customize IAM policy is used in AWS. +- **Bug fix** Fix the Site2Cloud diagnostics display issue. +- **Bug fix** Missing "Aviatrix-Created-Resource" tag for Aviatrix Gateway keypair in AWS. +- **Bug fix** Fix exception for CloudN when eth0 is down. + +R6.3.2216 (2/22/2021) +======================= + +- **Enhancement** Significant improvements in failover time through a series of optimization for overlapping networks. +- **Enhancement** Add Clear Session capability in Site2Cloud connection to clear all the conntrack sessions entry. +- **Enhancement** Add the Active-Standby mode on ActiveMesh 2.0 support for BGP over LAN scenario. +- **Enhancement** Add API support to unify programming RFC1918 routes in native egress domain +- **Enhancement** New capability to split sending gateway metrics and syslog to different log management systems +- **Bug fix** Allow more than 16 network CIDRs in the Site2Cloud configuration. +- **Bug fix** Address Route programming failure in OCI VCN route entry in Site2Cloud configuration. +- **Bug fix** Unable to launch Palo Alto VM-Series in AWS GovCloud. +- **Bug fix** Revert check introduced in 6.3.2092 for ActiveMesh 2.0 that blocks the Aviatrix Transit Peering if ASN# for Aviatrix Transit Gateways are same or not set. +- **Bug fix** Fix the long security domain names display issue in Aviatrix Controller. +- **Bug fix** Fix exception when using “Export to Terraform” feature for fqdn_tag_rule. +- **Bug fix** Fix the route propagation for HPE Aviatrix Transit Gateway eth0 in Azure. +- **Bug fix** Update RFC1918 routes in OCI VCN for non-default security list. +- **Bug fix** Fix the default route entry removal issue when "Use VPC/VNET DNS Server" feature in-use. +- **Bug fix** Security patch for SAML vulnerablity + + +R6.3.2092 (1/31/2021) +======================= + +1. 
Multi-Cloud Transit Network +-------------------------------- + +- **Transit in Azure with Express Route** allows you to build an Aviatrix Transit and Transit FireNet solutions while leveraging the native Azure Express Route for on-prem to cloud connectivity and route propagation. One use case is to deploy in an environment where encryption between data center and cloud is not required but using native high performance Express Route is required. Both native Spoke VNet and Aviatrix Spoke gateways are supported as Spoke attachment. For configuration workflow, follow the `Multi-cloud Transit Integration with Azure Expressroute workflow `_. + +- **Transit BGP over GRE Tunnel** provides an alternative tunneling protocol to IPSec when connecting Aviatrix Transit Gateway to on-prem. One use case is for an organization that requires high performance but not encryption. With GRE tunneling, Multi-cloud Transit Gateways in AWS connects with on-prem network devices without deploying Aviatrix CloudN appliances. Only available in AWS (Azure and GCP do not support GRE). For configuration information, refer to `Aviatrix Transit Gateway to External Devices `_. For end-to-end configuration workflow and performance benchmark, refer to `GRE Tunneling workflow `_. + +- **Transit BGP to LAN** allows Aviatrix Transit Gateways to communicate with other instances in the same VPC or VNet without running any tunneling protocol. One use case is to interoperate with cloud virtual appliances such as a SD-WAN cloud gateway instances that do not have the capability to support BGP over IPSec or GRE protocols. For configuration and performance information, refer to `BGP over LAN in AWS Workflow `_. For Azure, refer to `BGP over LAN in Azure Workflow `_. + +- **Manual Advertise Routes per BGP Connection** expands the existing gateway based manual advertising routes feature to apply it to each BGP connection. One use case is to have better route advertising control for each remote BGP peer. 
For configuration details, refer to `Connection Base Manual BGP Advertisement `_. + +- **Transit Approval per BGP Connection** expands the existing Aviatrix Transit Gateway based Transit Approval feature to apply it to each on-prem BGP connection for fine grain control of network CIDRs admitted to the cloud network. To configure, go to Multi-cloud Transit -> Approval. Select a Transit Gateway, select Mode Connection and select a connection, enable Learned CIDRs Approval. For more information, refer to `Transit Approval `_. + +- **Private Transit Gateway Peering with Single-Tunnel Mode** expands the existing Insane Mode Transit Gateway Peering Over Private Network to apply it to single IPSec tunnel. One use case is for low speed encryption between cloud networks (up to 4Gbps). For more information, refer to `Transit Peering in Single-Tunnel mode. `_. + +- **Transit to External Device Using IKEv2** provides an option to run IKEv2 with the on-prem site. For more information, refer to `Aviatrix Transit Gateway to External Devices `_. + +- **Client Proxy** allow both the Controller and Aviatrix gateways to use external proxy server for Internet facing API access. One use case is to satisfy compliance requirements where all traffic destined to Internet is required to go through a proxy server. For configuration information, refer to `proxy configuration `_. + +- **Improve AWS t3 instances IPSec performance** to up to 6Gbps (MTU 1500 Bytes) for Multi-cloud Transit and Spoke gateway without additional license charge. The mechanism is to allow Insane Mode to be applied the t3 series without charging the Insane Mode license. For performance details on t3 series, refer to `t3 series Insane Mode performance `_. + +- **Support N2 and C2 instance types on GCP gateways** improves Insane Mode performance on GCP cloud. For new network throughput with these new instance types, refer to `GCP Insane Mode Performance. `_ + +- **Managed CloudN Appliance** supports in GCP. 
Refer to `Managed CloudN workflow `_. + +- **License Info** license change to inter-cloud for Aviatrix Transit to AWS VGW connection. + + +2. FireNet +============= + +- **FireNet integration with AWS Gateway Load Balancer** provides the capability where adding or removing a firewall to the FireNet does not impact the existing established network sessions. AWS Gateway Load Balancer (GWLB) integration is supported for both TGW based FireNet and Multi-cloud Transit FireNet. For configuration details on TGW based FireNet without Aviatrix FireNet gateways, refer to `Native AWS GWLB Integration `_. For configuration details on TGW based FireNet with Aviatrix FireNet gateways, refer to `FireNet with GWLB `_. For Multi-cloud Transit FireNet GWLB integration, refer to `Enable Transit FireNet `_. + +3. User VPN +============= + +- **Download Aviatrix SAML VPN Client from Controller** provides self-service ability for organizations to download Aviatrix SAML VPN Client software from the Controller directly for SAML authenticated users. This simplifies administration for on-boarding new VPN users. To enable, go to OpenVPN -> Advanced -> Global Config -> Download SAML VPN Client to enable. For more information, refer to `Self Service Download SAML Client `_. + +4. Site2Cloud +============= + +- **Route based IPSEC with IKEv2** provides an option to run route-based VPN with IKEv2. For more information, refer to `Create Site2Cloud Connection `_. +- **Change Local Identifier** provides the flexibility to update either gateway's public IP address or private IP address as local identifier. To configure, refer to `Local Identifier `_. +- **DPD Parameters** can now be modified through the Controller User Interface in additional to API and Terraform. One use case of modifying DPD parameters is to reduce tunnel failure detection time. To configure, refer to `DPD Configuration `_. +- **Event Trigger** is a new mechanism to reduce failure detection time. 
This is an alternative to the default setting where tunnel status change is detected by a periodic monitoring process running on the gateways. To configure, refer to `Event Triggered HA `_. +- **Failover Time Reduction for Overlapping Networks** Significant improvements in failover time reduction through a series of optimization. Refer to `Tuning For Sub-10 Seconds Failover Time in Overlapping Networks. `_. + +5. Security +============== + +- **Reduce Email API Blocking** is an enhancement for non HTTP/HTTPS traffic configured on a FQDN gateway where a set of large site's well known IP addresses are pre-populated to the FQDN gateways, thus significantly reducing the probability that applications still cannot make API calls (mostly email services) even though the FQDN rules for these sites are configured. The set of sites are: gmail.com, hotmail.com, microsoft.com, live.com, outlook.com, office.com ad office365.com. The applicable TCP ports are: 25, 465, 587, 143, 993 and 995. +- **Edit Stateful Firewall Rules Enhancement** simplifies editing and viewing IP address based stateful firewall rules, allowing large set of rules to be managed easily. To configure, go to Security -> Stateful Firewall -> Policy to edit policies. + + +R6.2.2016 (2/18/2021) +======================= + +- **Bug fix** Security patch for SAML Vulnerablity. + + +R6.2.2003 (2/15/2021) +======================= + +- **Enhancement** Add API support to turn off Jumbo frame support. +- **Bug fix** Allow more than 16 network CIDRs in the Site2Cloud configuration. +- **Bug fix** Route programming failure in OCI VCN route entry. +- **Bug fix** Unable to launch Palo Alto VM-Series in AWS GovCloud. + + +R6.2.1955 (1/16/2021) +====================== + + - **Bug fix** GCP Spoke gateway with SNAT configuration propagates route incorrectly. + - **Enhancement** Optimize Spoke gateway attach/detach functions when "Customize VPC Route table" feature is enabled. 
+ - **Enhancement** Improve email authentication mechanism for emails generated by Controller. + - **Enhancement** Optimize Multi-cloud transit network failover time. + - **Bug fix** Unable to launch Palo Alto VM-Series with version 9.x + - **Bug fix** GCP Controller backup and restore fails. + +R6.2.1925 (12/12/2020) +======================== + +- **Enhancement** Execute all Azure Spoke VNet programming in parallel. The scope of the enhancement includes individual route entry update and multiple VNet route tables update. The result is a significant reduction in Spoke attachment time and certain failover convergence time. +- **Enhancement** Improve Controller daemon process robustness. + +R6.2.1914 (12/04/2020) +======================== + +- **Bug fix** Not able to detach a native Spoke VNet when its resource group is deleted on Azure console. +- **Bug fix** FQDN crashes when the number of FQDN rules exceed 1000. +- **Enhancement** Increase the number of FQDN rules to 1500. + +R6.2.1891 (11/20/2020) +======================== + +- **Bug fix** OCI Spoke VCN default route tables not programmed correctly. +- **Bug fix** After removing Spoke FQDN, Spoke gateway route table entries are missing. +- **Enhancement** Reduce excessive logging on Controller. +- **Enhancement** Add new regions to OCI. +- **Enhancement** Performance enhancement when interoperating with Copilot. +- **License Info** Site2Cloud license change to inter-cloud for Aviatrix Transit to AWS VGW connection. + + +R6.2.1837 (11/10/2020) +======================= + +- **Enhancement** Add conntrack_count to syslog. +- **Enhancement** FireNet LAN interface keep alive is enhancement with follow up TCP keep alive packets when ICMP ping fails, making the firewall detection more robust. Customer needs to open TCP port 443 from the gateway eth2 IP for this to take effect. No additional configuration required. 
+- **Enhancement** New AWS gateway AMI "hvm-cloudx-aws-102320" with the latest AWS SR-IOV device driver enhancement. +- **Bug fix** FQDN feature not working when ports are selected as all. +- **Enhancement** on interoperating with co-pilot. +- **Enhancement** Add disaster debugging capability when the Controller Apache daemon process fail to start. + + +R6.2.1742 (10/15/2020) +======================== + +1. Multi-cloud Transit Network +--------------------------------- + +- **Active-Standby Mode on ActiveMesh 2.0** provides the flexibility on Aviatrix Transit Gateways to connect to on-prem with only one active tunnel and the other one as backup. The use case is a deployment scenario where on-prem device such as firewalls does not support asymmetric routing on two tunnels. When Active-Standby mode is enabled, it applies to both BGP and Static Remote Route Based `External Device Connections `_ and for each connection, only one tunnel is active in forwarding traffic at any given time. To configure, go to Multi-cloud Transit -> Advanced Config, select the Aviatrix Transit Gateway to enable Active-Standby. For more information, refer to `Active-Standby `_. + +- **Segmentation based BGP CIDRs Advertisements** advertises only those Spoke CIDRs that have connection policy to a specific on-prem connection. For example, consider a multi-tenant deployment where Aviatrix Transit Gateway connects to multiple on-prem sites over BGP, each site connecting to a set of Spokes through `AWS TGW Edge Segmentation `_ or `Multi-cloud Segmentation `_. With this new feature, Aviatrix Transit Gateway only advertises Spoke CIDRs that are relevant to the on-prem site. This behavior is enabled as the default when launching a new Transit Gateway. For existing deployment, you can enable it by going to Multi-cloud Transit -> Advanced Config, select an Aviatrix Transit Gateway, scroll down to `Refresh BGP Advertise Network Routes`. 
+ +- **Multi-cloud Transit Gateway Peering over Private Network** expands Transit Gateway peering over multi-cloud where there is private network connectivity cross cloud. One use case is two Aviatrix Transit Gateways deployed in two different public cloud where each has its private connectivity such as AWS Direct Connect and Azure Express Route connecting to on-prem or a co-location. By building a high performance Transit Gateway private peering, Aviatrix Transit Gateway forwards traffic over the private links to the other Aviatrix Transit Gateway and beyond with encryption for data in motion. To configure, go to Multi-cloud Transit -> Transit Peering -> +Add New. Select the option Peering over Private Network for a new peering connection. For an example configuration, refer to `Multi-cloud Transit Peering over Private Networks `_. + +- **Insane Mode in GCP** is now available for Multi-cloud Transit solution. For performance benchmark, refer to `GCP Insane Mode performance test results `_. Insane Mode is enabled when launching a new Aviatrix Transit Gateway or Spoke gateway in GCP. + +- **Managed CloudN Appliance** simplifies CloudN configuration and operation by allowing it to be managed by the Controller. Active-Active deployment model supports up to 25Gbps encryption performance. Refer to `Managed CloudN workflow `_. GCP support is in the future release. + +- **Custom Mapped Site2Cloud in Spoke** solves all issues of overlapping network addresses with remote networks by expanding Site2Cloud `Mapped `_ function in a Spoke. + +- **TGW with Multicast capability** allows you to launch an AWS TGW with multicast capability. A use case is to support applications running on multicast protocols. API support only. + +- **Update Attached Spoke VNet CIDR** allows you to update Spoke VNet CIDR when there is a change without having to detach the Spoke and attach again, thus removing any down time or outage. API support only. 
+ +- **Default Tagging in Azure** adds Aviatrix default tag when Controller creates resources such as launching an Aviatrix gateway, create route entries, load balancer and route tables. + +- **Enhancement in Creating a VNet** defines public and private subnets and their associated route tables. This helps clarify how Aviatrix Controller manages route table and their programming. For details, refer to `Aviatrix Default Route Handling `_. + +- **Default Routing Handling** enforces rules on how Aviatrix Controller handles the propagation and programming of cloud networks. Specifically the Controller only overwrite the default route on private subnets. For details, refer to `Aviatrix Default Route Handling `_. + + +2. FireNet +------------- + +- **FireNet 2-tuple Forwarding Algorithm Support** expands FireNet forwarding algorithm to include forwarding decision based on only the source and destination IP address. One use case is to support an application where multiple TCP sessions are used for an egress Internet service therefore requiring all sessions to go through one firewall with the same source NAT IP address. To configure, go to Firewall Network -> Advanced. Select the FireNet gateway, click the 3 dots skewer, scroll down to Firewall Forwarding, select 2-Tuple. For more information, refer to `Firewall Forwarding Algorithms `_. + +- **Centralized FQDN on Azure FireNet** allows Aviatrix FQDN gateways to be deployed in FireNet solution in Azure. One use case is to consolidate egress control to reduce cost with centralized statistical multiplexing. To configure, go to Firewall Network -> Setup -> 7c. For more information, refer to `Launch & Associate Aviatrix FQDN gateway `_. + +- **Bootstrap support in Azure FireNet on Palo Alto Networks VM-Series, Check Point and FortiGate** simplifies FireNet deployment in Azure. For details, refer to `VM-Series bootstrap in Azure `_, `Check Point bootstrap in Azure `_ and `FortiGate bootstrap in Azure `_. 
+ +- **Bootstrap support in AWS FireNet on Check Point and FortiGate** simplifies FireNet deployment in AWS. For details, refer to `Check Point bootstrap in AWS `_ and `FortiGate bootstrap in AWS `_. + + +3. Operations +------------------ + +- **Discover Unencrypted Flows** is a useful tool to provide visibility on any non TCP port 443 and port 22 traffic running in a VPC in AWS. By running, recording and analyzing VPC flow logs in an on-demand fashion, this tool helps infrastructure engineers to understand application traffic patterns without cost incurring for long running VPC Flow Logs. By excluding TCP port 443 and port 22 traffic, the tool highlights any unencrypted traffic in the network. + +- **Session Visibility** displays active connection sessions running through Aviatrix gateways. This is useful for troubleshooting connectivity issue. To view sessions, go to Troubleshoot -> Diagnostics -> Gateway -> Session View. Or go to Security -> Stateful Firewall -> Session View. + +- **16,000,000 Max Connection Session Table Size** This improves the ability of Aviatrix gateways to handle the concurrent sessions going through the gateway. + +R6.1.1425 (11/9/2020) +========================= + +- **Bug fix** CloudN failover route selection is not based on best route algorithm. +- **Bug fix** Retry when Controller DNS lookup fails intermittently. + +R6.1.1415 (10/25/2020) +======================== + +- **Enhancement** Increase the max connection session table size to 16,000,000. Also include connection track entry count in the gateway diagnostics information. + +R6.1.1409 (10/20/2020) +========================= + +- **Bug fix** FireNet VPC does not advertise its CIDR to on-prem when FireNet Management is enabled on the Aviatrix Edge Security Domain. +- **Bug fix** Custom upgrade is broken. +- **Bug fix** Site2Cloud Custom Mapped option becomes unavailable after upgrading. 
+ +R6.1.1401 (10/4/2020) +====================== + +- **Bug fix** When attaching an Insane Mode Spoke gateway to Transit Gateway, the action succeeds even though the underlying cloud provider peering (AWS PCX and Azure VNet Peering) fails. +- **Bug fix** Controller does not update the egress default route when Spoke gateways experience a failover. +- **Bug fix** Enabling advertising transit CIDR breaks Azure transit network. +- **Bug fix** Single AZ gateway replace function is broken. +- **Enhancement** Improve IKEv2 compatibility with Cisco ASA when re-establishing a tunnel after it goes down without restarting the VPN service. +- **Enhancement** Enable multi-core processing capability on the Controller to handle co-pilot queries. API support to enable/disable multi-core processing in case of failure. + +R6.1.1338 (9/24/2020) +====================== + +- **Bug fix** Aviatrix Transit connecting to external device with 2 different ASNs doesn't work properly +- **Bug fix** TGW attaching sometimes fails due to RAM authentication timeout. +- **Bug fix** Custom SNAT is not able to select eth0 on Aviatrix Transit Gateway. +- **Bug fix** Cannot edit mapped tunnels built before 6.0 + +R6.1.1309 (9/7/2020) +====================== + +- **Gateway Rename feature removal** Gateway Rename feature has been removed from UI. +- **Account Rename feature removal** Account Rename feature has been removed from UI. +- **Enhancement** Consistent Login Banner when custom banner login is enabled. +- **Enhancement** Enable multicast option when creating an AWS Transit Gateway (TGW). API support only. +- **Bug fix** fix Insane Mode gateway replacement function bug. +- **Bug fix** fix Transit Gateway Manual Summarize route bug. +- **Bug fix** fix FireNet error programming firewall instances when they go through stop and start process. +- **Bug fix** fix gateway launch tag attachment to ensure when a gateway is launched tag is part of the AWS API call. 
+ + +R6.1.1280 (8/17/2020) +======================= + +- **Bug fix** fix multiple issues with TGW Approval, TGW Peering inspection and FireNet integration. +- **Bug fix** Transit Peering with SNAT creates redundant rules. +- **Bug fix** FQDN with Edit Source behavior change. +- **Enhancement** Add support for Aviatrix gateway certificate import. +- **Bug fix** CloudN asymmetric routing for management interface. + + + +R6.1.1163 (8/5/2020) +===================== + +- **Bug fix** fix upgrade issue. + +R6.1.1162 (8/1/2020) +======================= + +1. Multi-cloud Network +-------------------------------- + +- **Scale out Firewalls in Azure FireNet** allows FireNet to support multiple firewall virtual machines in Azure. The use case is to support more than 2 firewall deployment to meet performance requirements. Only new FireNet gateways in Azure supports scale out firewall feature. Refer to `this document `_. + +- **Azure GovCloud** is now supported for both Controller and Aviatrix gateways. Controller can be launched from Azure GovCloud marketplace. Follow `Azure Startup Guide `_ to get started. + + +- **Prepend ASN on BGP Connection** expands Prepend ASN to specific BGP connection. Previously the ASN prepend applies to the entire Aviatrix Transit Gateway, this feature brings the flexibility to prepend different ASN for different BGP connections. The use case is to provide more flexibility on the Aviatrix Transit Gateway to influence the next hop selection of the upstream BGP neighbour. To configure, go to Multi-Cloud Transit -> Advanced Config. Select an Aviatrix Transit Gateways, scroll down to Connection AS PATH Prepend, select a connection and enter one or more enter AS numbers separated by space. For more details, refer to `Connection AS PATH Prepend `_. + +- **Multi-cloud Segmentation Enhancement** now handles egress default route in a consistent way by introducing individual route tables for each Security Domain on an Aviatrix Multi-cloud Transit Gateway. 
This release is not backward compatible to the implementation in Release 6.0. To migrate, `disable Multi-cloud Segmentation `_ on each Aviatrix Transit Gateway, upgrade to Release 6.1 and `enable `_ again. To learn more on deployment limitation, refer to `this link. `_
+
+- **FireNet Check Point Integration Enhancement** now support Check Point firewall or security gateway automatic route updates to its routing tables by the Controller. You no longer need to statically configure RFC 1918 or any other routes.
+
+- **FireNet for AWS TGW Inter Region Traffic Inspection** allows you to specifically inspect traffic crossing TGW Peering regions. One use case is in certain deployment, it is not desirable to specify all traffic going in and out of a Security Domain, rather the requirement is to only inspect traffic that moves across the regions. For configuration details, refer to `Inspect Inter Region Traffic `_.
+
+2. Security
+----------------
+
+- **Auto PrivateS3** significantly improves PrivateS3 usability and security by automatically retrieving S3 bucket names for PrivateS3 filtering. One use case is to support large set of S3 buckets owned by organizations without having to manually import into the Controller. The second use case is to prevent accidental or intentional manual input S3 buckets that are not owned by organization. For workflow, check out `PrivateS3 workflow `_.
+
+- **Subnets Pass-through** allows you to specify certain subnets in a VPC to bypass any FQDN filter rules. One use case is that certain subnets, for example, are for Dev environment, therefore does not require to be FQDN filtered or logged. To configure, go to Security -> Egress Control -> Egress FQDN Gateway View. Select a gateway, click Actions -> Edit Pass-through. Select subnet or multi select subnets to allow bypass the filter. For more details, refer to `FQDN Source Pass-through `_.
+
+- **Exact Port Match** now applies to each FQDN rule.
One use case is if you only specify an FQDN rule for TCP port 443, packets with the same FQDN rule for TCP port 80 are dropped unless you have the specific FQDN rule on TCP port 80. This is a bug fix, no configuration required. For more information, refer to `Exact Match `_.
+
+- **FQDN Option for Exact Match** is a new feature where if a FQDN rule does not have * an exact match is expected. If this global option is not enabled, FQDN rules use regex to match any FQDN names that are subset of the name. For example, if salesforce.com is a rule and Exact Match option is enabled, finance.salesforce.com is not a match and will be dropped. For configuration details, refer to `FQDN Exact Match `_.
+
+
+3. Operations
+-----------------
+
+- **Account Name Alias** allows you to change the account name after it is created by providing an alias name and allowing it to be modified at any given time. The use case is customers often need to change some account names after the network has been built out to certain scale. By allowing account name alias to be modified without having to delete the account and thus reduces network downtime. To change account name alias, go to Accounts -> Access Accounts, hover the mouse at a specific account, click the Pen icon and start typing. Refer to `this document `_.
+
+- **Gateway Name Alias** allow you to change an Aviatrix gateway name after it is created by providing an alias name and allowing it to be modified at any time. The use case is customers often need to change some gateway names after the network has been built out to certain scale. By allowing gateway name alias to be modified without having to delete the gateway and thus reduces network downtime. To change gateway name alias, go to Gateway, hover the mouse at a specific gateway name, click the Pen icon and start typing. Note the original gateway name is still maintained as "Original Name". Refer to `this document `_.
Note this feature does not interoperate with Co-Pilot at this time. For customers who deploy Co-Pilot, making changes the gateway names breaks Co-Pilot. The work around is not to use this feature or change back the gateway name.
+
+
+- **Create a VPC Enhancement** now creates multiple route tables associated with public and private subnets. One use case is to allow traffic load balancing when Aviatrix Spoke gateways are deployed. To configure, go to Useful Tools -> Create a VPC. For more details, check out `Create a VPC `_.
+
+- **Controller Access Security on Azure** extends the Access Security feature to Azure. When an Aviatrix gateway is launched, security rule is automatically added to the Controller inbound rule. This allows Controller admin to only open inbound TCP port 443 to Aviatrix gateways and no-prem public IP addresses, thus improving Controller security. To configure, go to Settings -> Controller -> Access Security. Select the Controller account and enable. For more details, refer to `Enable Controller Security Group Management `_.
+
+- **Login Banner** allows you to customize banner text for first time login for compliance. Any user who login for the first time must acknowledge the text before proceeding to Controller. To configure, go to Settings -> Controller -> Login Customization -> Login Banner. For more information, refer to `Login Banner `_.
+
+4. User VPN
+--------------
+
+- **Max Routes Pushing to VPN Client** has now been increased to 250. This allow a larger network deployment. Requires Aviatrix VPN client 2.11. No configuration change is needed.
+
+- **GeoVPN to use DHCP Setting** for DNS name resolution from the VPC where the VPN gateway is deployed. This reduces latency as DNS service is likely to be closer to the source of the VPN user location. For configuration examples, refer to `VPN Access Gateway Selection by Geolocation of User `_.
+
+R6.0.2483 (8/4/2020)
+======================
+
+- **Bug fix** fix upgrade jump version issue.
+
+R6.0.2481 (8/1/2020)
+======================
+
+- **Bug fix** Latest Chrome browser login issue.
+
+
+R6.0.2466 (7/22/2020)
+=======================
+
+- **Bug fix** Missing MSS clamping configuration resulted in egress traffic loss.
+- **Bug fix** Handle VNet UDR routes programming when Azure Netapp service is deployed in the Spoke VNet.
+- **Bug fix** AWS GovCloud cannot list firewall options.
+- **Bug fix** Configure the system to prevent memory leak.
+- **Enhancement** API support for t3a.x gateway instance types.
+- **Bug fix** Missing configuration parameters in download file for Site2Cloud for Cisco ASA devices.
+
+R6.0.2387 (7/10/2020)
+======================
+
+- **Bug fix** New gateway launching is missing MSS clamping rule which affects connectivity for potentially different types of traffic including egress and multi region transit gateway peering, etc.
+
+R6.0.2383 (7/2/2020)
+======================
+
+- **Bug fix** for error out when using Diagnostics to force upgrade an gateway.
+
+R6.0.2373 (6/30/2020)
+=======================
+
+- **Enhancement on TGW VPN Approval** improves TGW VPN Approval for overlapping CIDRs to prevent black holing traffic. For details, refer to `this link `_. For the enhancement to take effect, you need to first disable TGW Approval for each connection, upgrade to 6.0 and enable it again. Note you must first disable Approval before upgrading to 6.0.
+- **Bug fix** for FQDN thread process stuck.
+- **Bug fixes** to improve stability and use cases.
+
+R6.0.2269 (6/19/2020)
+=====================
+
+1. Aviatrix Multi-Cloud Transit
+-----------------------------------------
+
+- **ActiveMesh 2.0** unifies the Aviatrix Transit Gateway next hop route selection by conforming to BGP next hop selection algorithm for all traffic sources. The use case is to provide a predictable routing path in a multi regions, multi cloud and multi sites environments. All new Transit Network deployed is launched with ActiveMesh 2.0.
For a one time migration from the existing deployment, go to Settings -> Migration -> ActiveMesh 2.0 Migration. Click Migrate. To learn more details, check out `ActiveMesh 2.0 Details `_.
+- **Multi-Cloud Transit Segmentation** allows you to segment the Aviatrix multi-cloud transit network (where Aviatrix Transit Gateways and Spoke gateways are deployed) by specifying domains and connection policy across all clouds and regions. To learn more, check out `Aviatrix Transit Network Segmentation FAQ `_.
+- **External Device to Support Static Remote Route-Based** provides the interoperability between a route-based Aviatrix Transit Gateway and a remote route-based IPSEC tunnel connection. The use case is to allow the remote site to participate in the ActiveMesh 2.0 route selection in a unified manner. To configure, go to Multi-Cloud Transit -> Setup -> Step 3 -> External Device -> Static Remote Route-Based.
+- **Dual Transit FireNet** allows you to attach an Aviatrix Spoke gateway to two Aviatrix Transit Gateways, each with Transit FireNet service enabled but with a different purpose. One carries Egress/Ingress inspection and the other carries East-West and North-South inspection. The use case is to allow different policies to be implemented easily. To configure, go to Multi-Cloud Transit -> Transit FireNet -> `Step 1b. `_
+- **Aviatrix Transit Gateway ECMP Disable Option** allows you to turn off ECMP for next hop selection. The use case is if on-prem deploy a firewall devices that require symmetric routing. The BGP ECMP is disabled by default. To enable, go to Multi-Cloud Transit -> Advanced Config -> Edit Transit -> BGP ECMP. For more information, refer to `BGP ECMP `_.
+- **Advanced NAT Function for Azure and GCP** is now available for Aviatrix Spoke gateways. The use case is to resolve overlapping network CIDRs between on-prem network and Spoke network.
To learn more on Aviatrix advanced SNAT/DNAT functions, check out `Aviatrix Advanced SNAT `_ and `Aviatrix Advanced DNAT `_.
+- **GCP Multi Region Transit HA** leverages the GCP capability of multi regions in a single VPC and provide Aviatrix Transit/Spoke Gateway HA in a different region. The use case is to improve regional failure by the ability to failover to a different region.
+- **Azure Availability Zone Support** allows you to deploy an Aviatrix gateway in Azure in a specified availability zone where it is applicable. Not all regions support availability zones and where it is not, availability set is supported.
+- **Change Aviatrix Transit Gateway AS Number** provides the ability to change AS number of Aviatrix Transit Gateways. The use case is to avoid human errors when there are multiple BGP connections. To configure, go to Multi-Cloud Transit -> Advanced Config -> Edit Transit -> LOCAL AS NUMBER, enter the desired AS number and click Change.
+- **Sync Controller Best Routes to Aviatrix Transit Gateway** allows the Controller to reprogram an Aviatrix Transit Gateway route table in case they go out of sync. The use case is to recover the routes from an unforeseeable errors in the deployment. To configure, go to Multi-Cloud Transit -> Advanced Config. Select the Aviatrix Transit Gateway, scroll down to `Sync Controller Best Routes to Transit Gateway`, click Sync Routes.
+
+
+2. Firewall Network (FireNet)
+------------------------------
+
+- **Firewall Instances Health Check Enhancement** checks a firewall instance's health by pinging its LAN interface from the connecting Aviatrix FireNet gateway. This is an alternative option to checking health through firewall's management interface, which improves firewall failure detection time and detection accuracy. Available for both FireNet and Transit FireNet deployment and in both AWS and Azure.
To configure, go to Firewall Networks -> Advanced, select the FireNet gateway, click the 3-dot skewer, scroll to Keep Alive via Firewall LAN Interface, click Enable. To learn more, refer to `Firewall Health Check with LAN Interface `_.
+- **FireNet Exclude CIDRs** allows you to exclude a list of network CIDRs to be excluded from going through firewall inspection even though its associated Security Domain or network requires inspection. One use case is to exclude the Aviatrix Controller deployed in the Shared Service VPC to be excluded from inspection while Shared Service VPC traffic is inspected. This improves the Controller reachability by not subjecting the Controller access to unintentional firewall policy errors. For details, check out `Exclude CIDR `_.
+- **Check Point CloudGuard in Azure** is now available in Azure when deploying Aviatrix Transit FireNet. Refer to `this example CheckPoint workflow in Azure `_ for more details.
+- **Fortinet Fortigate in Azure** is now available in Azure when deploying Aviatrix Transit FireNet.
+- **Check Point Dynamic Route Update** enhances FireNet Check Point integration by dynamically updates CloudGuard route tables by the Controller. The use case is for networks with non-RFC 1918 routes that require specific route table programming on the Check Point appliance.
+
+3. User VPN
+--------------
+
+- **Signed Cert for SAML Authentication** improves security of User VPN SAML authentication when it authenticates with the IDPs by providing a signed cert. To configure, go to OpenVPN -> Advanced -> SAML -> Add a New SAML Endpoint, select the option "Sign Authn Requests". For SAML login to the Controller, go to Settings -> Controller -> SAML Login -> Add a New SAML Endpoint, select the option "Sign Authn Requests".
+- **Dashboard to Display user speed** allows you to access individual User VPN client performance. To view the client VPN speed, go to Dashboard, scroll down to the Use VPN section to view.
+- **Terraform for Attaching a user to profile** allows you to update the user profile in modular fashion.
+
+4. Site2Cloud
+---------------
+
+- **Route Based IPSEC** provides flexibility to configuration. One use case for selecting route based VPN is to solve overlapping network CIDRs with on-prem as referred in `this example `_. To learn more about route based VPN, check out `the FAQ `_.
+- **Mapped Configuration for Route Based IPSEC** supports both SNAT and DNAT on the network address ranges. The use case is to connect two IP address overlapping networks, for example a cloud VPC and on-prem, where on-prem cannot implement any network address translation. Comparing with individual IP address based translation, this significantly simplifies configuration. Note this configuration is implemented on route based IPSEC tunnel of an Aviatrix gateway site2cloud connection. To configure, go to Site2Cloud -> Add New. For Connection Type, select `Mapped`. For an example configuration, refer to `Solving Overlapping Networks with Network Mapped IPSec. `_ For more complex solutions, read `Overlapping Network Connectivity Solutions `_.
+- **Intelligent Troubleshooting** provides expert analysis to the IPSEC syslog and reduces diagnosis time. To use, go to Site2Cloud -> Diagnostics. Select one connection, select `Run Analysis`.
+- **Shared the Same Pre-Shared Keys** provides an option for both primary and backup IPSEC tunnel to share the same pre-shared keys. The use case is to reduce the configuration burden for on-prem devices. To configure, go to Site2Cloud -> Add New. Check the option `Same Pre-shared Key as Primary` when creating a connection. For configuration details, check out `Site2Cloud configuration workflow `_.
+
+5. Egress Control
+-------------------
+- **FQDN Search** supports general search for a specified destination FQDN during a specified period of time. One use case is to troubleshoot on an FQDN tag entry without the need to upload tracelog.
+- **Disable Caching FQDN Entries** prevents potential data leakage to large domain names that contain unrelated sites. To configure, go to Security -> Egress Control -> Egress FQDN Filter -> Global Configs -> Caching. Click to Disable.
+
+6. Operations
+-----------------
+
+- **Multi Remote Syslog Servers Support** allows an Aviatrix gateway to forward its syslog to a different remote syslog server than other gateways. The use case is customer may have multiple syslog servers deployed in different regions and Aviatrix gateways deployed in regions should forward syslog data to the server it is assigned to.
+- **Netflow v9 Support** adds new capability in addition to the current v5 support.
+- **CloudWatch Customize Configuration** now supports group name customization. The use case is to provide flexibility for customer to name their log folders. To configure, go to Settings -> Logging -> CloudWatch -> Advanced -> Log Group Name, enter a name of your choice.
+- **New User Interface** aims to reduce web interface screen load time and improve user experience.
+- **Datadog multi site support** to allow Datadog agent to send syslog to a destination site. To configure, go to Settings -> Logging -> Datadog Agent -> Enable Datadog Agent. Select a site datadoghq.com or datadoghq.eu.
+
+7. AWS Transit Gateway (TGW)
+-------------------------------
+
+- **Intra Domain Firewall Inspection** allows AWS VPCs in the same Security Domain to be inspected by FireNet. The use case is a Security Domain in which all VPCs can communicate with each other, but all traffic requires logging and inspection. To enable, go to TGW Orchestrator -> List -> TGW Security Domains. Select one Security Domain, click Actions -> Edit Intra Domain Inspection. For additional information, refer to `Edit Intra Domain Firewall Inspection `_.
+- **Change Spoke VPC's Security Domains** provides the ability to change a Spoke VPC's Security Domain without detaching the VPC from the TGW.
The use case is to reduce Spoke VPC connectivity downtime when it needs to change its associated domains. To configure, go to TGW Orchestrator -> List -> Select the attached Spoke VPC -> Actions -> Switch Security Domain. In the pop up window, select the desired Security Domain to associate. For more information, refer to `Switch Security Domain `_.
+- **Update Spoke VPC Route Tables** provides the ability to update a Spoke VPC route tables without detaching the VPC from TGW. The use case is to reduce Spoke VPC connectivity downtime when its subnets and route tables are added or deleted. To configure, go to TGW Orchestrator -> List -> Select the attached Spoke VPC -> Actions -> Update VPC CIDR. For more information, refer to `Update VPC CIDR `_.
+- **Edit Spoke VPC Local Route Propagation** provides the ability to enable and disable attached Spoke VPC local route propagation without detaching the VPC. The use case is to disable local route propagation after a Spoke VPC is attached to TGW. To configure, go to TGW Orchestrator -> List -> Select the attached Spoke VPC -> Actions -> Edit Spoke VPC Local Route Propagation. For more information, refer to `Edit Spoke VPC Local Route Propagation `_.
+
+R5.4.1290 (8/5/2020)
+=====================
+
+- **Bug fix** fix the issue of jumping versions when upgrading.
+
+R5.4.1283 (7/17/2020)
+=====================
+
+- **Bug fix** upgrade failure from R5.3 to R5.4
+
+R5.4.1281 (7/15/2020)
+=======================
+
+- **Bug fix** Gateway memory leak when rsyslog is not initialized properly.
+- **Bug fix** Gateway memory configuration change to allow smaller memory footprint.
+- **Bug fix** Sometimes firewall instances in FireNet become inaccessible.
+
+
+R5.4.1251 (6/19/2020)
+========================
+
+- **Bug fix** nightly cron job hit exception.
+
+R5.4.1249 (6/15/2020)
+======================
+
+- **Enhancement** to support us-west-4 region in GCP.
+- **Bug fix** on gateway replacement that has AWS LB deployed.
+
+R5.4.1240 (6/1/2020)
+=====================
+
+- **Bug fix** Insane Mode to support Transit FireNet in Azure has an issue when the FireNet gateway is rebooted.
+
+R5.4.1238 (5/27/2020)
+======================
+
+- **Enhancement** Insane Mode to support Transit FireNet in Azure.
+- **Bug fix** CloudN to work with RBAC.
+
+R5.4.1234 (5/20/2020)
+======================
+
+- **Bug fix** when importing user excel sheet for User VPN.
+- **Enhancement** to support the new Palo Alto VM-Series Bundle 1 and Bundle 2.
+
+R5.4.1232 (5/18/2020)
+=======================
+
+- **Enhancement to Gateway Syslog Download** allows you to a gateway syslog directly from the Gateway. API support only.
+- **Bug fix** Aviatrix Transit Gateway update learned routes incorrectly in certain cases.
+- **Route Update Convergence Enhancement** to improve route propagation and convergence time when routes are changed to the Transit network.
+
+
+R5.4.1204 (5/8/2020)
+======================
+
+- **Bug fix** fix API bug in enable_fqdn_cache_global.
+
+R5.4.1201 (5/7/2020)
+======================
+
+- **Enhancement on FQDN** to disable learned FQDN entry IP address caching. API support only.
+- **Enhancement on User VPN** to improve page load time by caching VPC tags.
+- **CloudN Enhancement** to support Netflow to export logs.
+- **Enhancement to Gateway page** to allow gateway AMI image name to be displayed. This is useful to identify if a gateway runs on older AMI image that needs replacement to newer AMI image.
+
+R5.4.1140 (4/21/2020)
+======================
+
+- **Support More AWS TGW Peering Regions** Newly available regions of AWS TGW Peering is now supported.
+- **User VPN Customizing Notification** You can now customize pop up messages after a VPN user is connected. To configure, go to OpenvVPN -> Advanced -> System Use Notification. One use case is for customer to write their own messages for compliance.
Please ensure that you are running Aviatrix VPN Client version 2.9 or higher to view the usage notification
+- **VPN DPD Interval Configuration** allows you to specify DPD interval. API support only.
+- **Gateway Default Memory Alert Threshold** is changed to 80% to provide earlier warning to the Controller admin.
+- **Change Gateway Default Size** at launch time to t3.small.
+- **Bug fix** User VPN to Save Configuration Template to allow multiple gateways to have the same configuration when attached to the same NLB.
+- **Performance Optimization** in handling the route programming time for large deployment of Aviatrix Transit Gateway peering.
+- **CloudN Enhancement** in handling tunnel down message with Insane Mode.
+
+R5.4.1074 (4/3/2020)
+=====================
+
+- **Bug fix** Restore a list of APIs that was deleted incorrectly.
+
+R5.4.1066 (4/1/2020)
+=====================
+
+1. Operations
+------------------
+
+- **Role Based Access Control** allows you to both limit access to the Controller functions and enable self-service for users with different permission privileges. Read `RBAC FAQ `_ for more details.
+
+2. Networking
+----------------
+
+- **User VPN Performance Improvements** improves gateway performance when User VPN is enabled on the gateway. To receive enhanced performance, replace an existing gateway or launch a new gateway with `VPN Access `_ enabled.
+- **Aviatrix Transit Network Spoke Gateways to Support SNAT/DNAT Functions** enable you to support additional use cases in Aviatrix Transit network. These use cases are `"accessing cloud applications with virtual IP addresses" `_ and `"connecting overlapping addresses from on-prem to Spoke VPCs in ActiveMesh network" `_.
+- **Azure Virtual WAN Integration with CloudWAN** expands Aviatrix CloudWAN solution to allow branch office Cisco IOS routers to automatically connect to Azure Virtual WAN by automatically programming IPSEC and BGP on IOS routers.
+- **Azure Gateways Enhancement** Azure gateways is now launched by the Controller managed disk option instead of storage account for enhanced security.
+- **User VPN Profile Multi Attribute Support** allows multiple attributes to be specified in the SAML IDP user database. Simply include a list of the names of User VPN Profiles in the user data profile field at the IDP database.
+
+3. Security Integration
+-------------------------
+
+- **CheckPoint CloudGuard Integration** now supports CloudGuard All-In-One R80.40. In addition, the initial SSH access process is removed for all CloudGuard AMIs. Check out `CheckPoint CloudGuard Configuration Examples `_ for more details.
+- **FortiGate Bootstrap Configuration** is now supported. For details on how to configure, read `Bootstrap Configuration Example for FortiGate Firewall `_.
+
+R5.3.1551 (6/4/2020)
+======================
+
+- **Bug fix** Change user password should require login CID.
+- **Enhancement** Multiple enhancement back porting to 5.3.
+
+
+R5.3.1524 (4/26/2020)
+========================
+
+- **Bug fix** Enhancement for Controller migration.
+- **Bug fix** CloudN missing routes after Transit gateway is rebooted.
+
+R5.3.1516 (4/3/2020)
+======================
+
+- **Bug fix** Transit Peering not learning routes correctly when remote transit peering configured static routes.
+- **Bug fix** Back out auto refresh of BGP sessions after upgrading.
+- **Enhancement** to the ability to update Aviatrix Transit VPC CIDR.
+
+R5.3.1499 (3/17/2020)
+=======================
+
+- **Bug fix** FQDN statistics on the dashboard could cause the Controller to freeze.
+- **Bug fix** Cannot edit network CIDRs in Site2Cloud configuration.
+- **Bug fix** Azure FireNet firewall instance launch with enforcement for username/password.
+
+R5.3.1491 (3/11/2020)
+=======================
+
+- **Bug fix** Gateway launch failure triggered rollback function delete all VPC routes.
+- **Bug fix** GCP VPN gateway shows in unhealthy state when it is still forwarding traffic. +- **Bug fix** Azure gateway floods with IPSEC keep alive messages. + +R5.3.1468 (3/4/2020) +====================== + +- **Bug fix** for Controller Migration feature. + R5.3.1428 (2/21/2020) ======================= -**Bug fix** AWS GovCloud IAM roles is broken. +- **Bug fix** AWS GovCloud IAM roles is broken. R5.3.1399 (2/20/2020) ====================== -**Bug fix** CloudWAN gateway instance not programming ingress security group. -**Enhancement** to support Azure Africa region. +- **Bug fix** CloudWAN gateway instance not programming ingress security group. +- **Enhancement** to support Azure Africa region. R5.3.1391 (2/17/2020) ======================== +**Important Notice** +---------------------- + +Release 5.3 is the last software version that supports older Controller AMIs. If your Controller AMI is one of the following, we have +provided an `one click migration `_ to migrate to a new Controller after the Controller is upgraded to 5.3. The following Controller AMIs requires +migration beyond release 5.3: + + - Controller AMI ID contains "aviatrix_cloud_services_gateway_081517" + - Controller AMI ID contains "aviatrix_cloud_services_gateway_111517" + - Controller AMI ID contains "aviatrix_cloud_services_gateway_043018" + 1. AWS Transit Gateway (TGW) Orchestrator -------------------------------------------- 
@@ -63,7 +1345,7 @@ R5.2.2153 (2/7/2020) R5.2.2122 (1/25/2020) ======================== - - **Enhancement** Allow site2cloud gateways to support Active-Active mode where both tunnels are up and packets are routed to both gateways via respective VPC route tables. To enable, go to Site2Cloud, click on the connection, scroll down to Actitve Active HA and click Enable. + - **Enhancement** Allow site2cloud gateways to support Active-Active mode where both tunnels are up and packets are routed to both gateways via respective VPC route tables. To enable, go to Site2Cloud, click on the connection, scroll down to Active Active HA and click Enable. - **Enhancement** Allow the service account credential to be re-used by GCP projects. - **Bug fix** Fix Azure gateway memory leak issue. - **Bug fix** Enhancement to FQDN warning messages. @@ -134,6 +1416,11 @@ R5.1.1183 (12/2/2019) - **Bug fix** BGP learned routes parsing error. - **Bug fix** Transit Peering filter not updating new learned routes. +R5.1.1169 (11/25/2019) +======================= + +- **Bug fix** Transit gateway filter does not work properly + R5.1.1016 (11/21/2019) ======================= 
@@ -183,9 +1470,9 @@ R5.1.935 (10/19/2019) Transit Gateway Enhancement ------------------------------ - - **Transit Gateway Peering with Network Filter** allows you block route propagation from one transit gateway side to the other. This use case is to allow two regions of transit network to connect with each other when there are exact overlapping network CIDRs by blocking on each Transit Gateway these CDIRs. To configure, go to Transit Network -> Transit Peering -> Add New, or Edit an existing peer. For more info, refer to `Filtered CIDRs `_. + - **Transit Gateway Peering with Network Filter** allows you block route propagation from one transit gateway side to the other. This use case is to allow two regions of transit network to connect with each other when there are exact overlapping network CIDRs by blocking on each Transit Gateway these CIDRs. To configure, go to Transit Network -> Transit Peering -> Add New, or Edit an existing peer. For more info, refer to `Filtered CIDRs `_. - - **Route Table Selection** allows VPC route tables to be selected when attaching attaching a Spoke VPC gateway. Only the selected route tables are programmed for learning routes and reprogramming routes at failover time. `API support `_ only. + - **Route Table Selection** allows VPC route tables to be selected when attaching attaching a Spoke VPC gateway. Only the selected route tables are programmed for learning routes and reprogramming routes at failover time. API support only. - **TGW DXGW and VPN Enhancment** allows DXGW and VPN to be deployed in any Security Domain. One use case is if you have multiple VPN connection and do not wish to have the remote sites to have connectivity with each other, you can now create VPN connections in different Security Domains. - **ASN Path Prepend** adds ASN number when Aviatrix transit gateway redistribute routes to its BGP peer. For new Transit connection, the Aviatrix Transit gateway automatically inserts its ASN number. 
To insert ASN path in an existing connection, go to Transit Network -> Advanced Config -> Prepend AS Path @@ -252,7 +1539,7 @@ R5.0.2667 (9/9/2019) ---------------------------- - **Official Terraform Provider** Aviatrix has become the official Terraform provider! Visit `Aviatrix Provider `_. Terraform v0.12 is needed, please visit `Compatibility Chart `_, `Terraform Provider 2.x Upgrade Guide `_. - - **New REST API site** visit `api.aviatrix.com `_ to see our brand new API doc site! + - **New API site** visit `api.aviatrix.com `_ to see our brand new API doc site! - **Access Account Audit** continuously monitors the health of Controller and individual access account. The Controller sends email alert to the admin user and logs the event when errors in the account setting are detected. - **Gateway Audit** continuously monitors the status of gateway cloud credentials and security groups. For AWS, this credential is the gateway's IAM roles and policies. The Controller sends email alert to the admin user and logs the event when errors of gateway cloud credentials are detected. To view the health of the gateway, go to Gateway page and check the field `Audit. `_ - **Logs display the source IP address when a user login** to improve visibility. 
@@ -352,7 +1639,7 @@ R4.7.378 (6/16/2019) - **Customize Spoke VPC Route Table** allows you to program route entries in Spoke VPC route table that points to TGW as target. By default, Aviatrix Orchestrator programs RFC 1918 routes in the VPC route table to point to TGW, any routes that are outside of this range is dynamically programmed into the VPC route table. When you enable this feature, all dynamic route propagation will be stopped. One use case is if you simply want to program the default route to point to TGW. Another use case is if you do not wish Aviatrix Orchestrator to program any VPC routes, in which case you should enter 0.0.0.0/32 for the "Customizing Spoke VPC Rotues" field. To configure, enter a list of comma separated CIDRs at `Attach VPC to TGW `_ during TGW Orchestrator Build. - - **Customize TGW VPN Creation** with additional parameters, such as inside_ip_cidr and pre_shared_key. For more information, checkout the API `Attach Native VPN to TGW `_. + - **Customize TGW VPN Creation** with additional parameters, such as inside_ip_cidr and pre_shared_key. 2. Insane Mode Enhancement ---------------------------- 
@@ -415,8 +1702,8 @@ R4.3.1230 (5/5/2019) - **User Accelerator Preview** integrates AWS Global Accelerator with Aviatrix User VPN to reduce user access latency. - **Azure Native Peering** supports VNET to VNET native peering in the same Azure subscription. Cross subscription is not supported. To configure, go to Peering -> Azure Peering. - **C5n Instance** is now supported. With C5n.18xlarge, InsaneMode IPSEC performance reaches 25Gbps. - - **Select Subnets for TGW Attachment** provides by REST API the flexibility to select which subnet to attach to AWS Transit Gateway (TGW). - - **Reuse Azure Resource Group** provides by REST API the ability to reuse the VNET resource group when launching an Azure gateway. + - **Select Subnets for TGW Attachment** provides by API the flexibility to select which subnet to attach to AWS Transit Gateway (TGW). + - **Reuse Azure Resource Group** provides by API the ability to reuse the VNET resource group when launching an Azure gateway. 2. Routing Policies --------------------- @@ -704,7 +1991,7 @@ R3.3 (6/10/2018) - **Access Account Name** is now searchable. -- **New REST APIs** are available for all features in 3.3. +- **New APIs** are available for all features in 3.3. - **List Spoke Gateways** allows you to easily see what are the Spoke gateways are attached to a selected Transit gateway. To view, scroll down to Step 9 at Transit Network workflow, select a Transit GW and view the attached Spoke gateways. @@ -737,10 +2024,10 @@ R3.2 (4/18/2018) - **UCC Controller Public IP Migration** can be used after Controller's public IP is changed. To migrate, go to Troubleshoot -> Diagnostics -> Network -> Migrate. -4. REST API +4. API ------------ -- 50 REST APIs have been added to the Controller. For details, refer to `API Doc `_ +- 50 APIs have been added to the Controller. R3.1 (3/6/2018) 
@@ -800,7 +2087,7 @@ R3.0 (12/1/2017) 3. Controller -------------- -- **Audit** user actions on the Controller. All commands from web console or REST API are now logged to syslog and can be forwarded to integrated log services. +- **Audit** user actions on the Controller. All commands from web console or API are now logged to syslog and can be forwarded to integrated log services. - **Name your controller** for ease of use. Click "Your controller name goes here" on the Controller console and start typing a new name. Hit return to save the name. @@ -862,7 +2149,7 @@ R2.7 - Support resizing UDP based OpenVPN® gateway instance. -5. NEW REST APIs +5. NEW APIs ------------------ - Set VPC Access Base Policy. @@ -888,7 +2175,7 @@ Security - FQDN blacklist. In addition to FQDN whitelist, FQDN whitelist is added as a base configuration for each FQDN tag. To configure, go to Advanced Config -> FQDN Filter. After you create a new tag, you can select either White List or Black List. With Black List, the URLs on the Black List will be rejected. -REST API +API --------- - New APIs are published. list active VPN users, edit Open VPN configuration, backup and restore, list vpc peers, list image. For API details, click `this link. `_ for details. @@ -1111,8 +2398,7 @@ Controller Administration user, go to Accounts -> Account Users -> "New User". Select "read\_only" from the dropdown list of "Account Name". -- CloudN's console password can be changed from the default - "Aviatrix123#". To do so, type "enable" to enter config mode and then +- CloudN's console password can be changed from the default. To do so, type "enable" to enter config mode and then issue "change\_console\_password" command. - Capability has been added for HTTPS certificate check for control 
@@ -1401,7 +2687,7 @@ UserConnect-102416 the specific cloud provider VPN gateways to ensure encrypted tunnel work correctly. -- Add REST API for CloudN64 Join features: allow subnet to VPC and +- Add API for CloudN64 Join features: allow subnet to VPC and delete subnet to VPC. For the complete APIs, refer to `API Document `__ @@ -1411,13 +2697,13 @@ UserConnect-101016 - Add Mumbai (ap-south-1) to AWS region support list. - Support multiple Splunk indexers by importing Splunk config file. - This enables Aviatrix controller and gateway logs to be integrated + This enables Aviatrix Controller and gateway logs to be integrated with multiple Splunk servers that many enterprises deploy. To configure, go to Settings -> Loggings -> Splunk. Select Import files to import a Splunk configuration file. You may also choose Manual Input, in this case each indexer must be listening on the same port. -- Support DataDog agent for both controller and gateways. To enable, go +- Support DataDog agent for both Controller and gateways. To enable, go to Settings -> Loggings -> DataDog, provide an API Key. - Enhancement for VPN user profile editing: when adding a user to a @@ -1468,7 +2754,7 @@ UserConnect-090416 - Support HA for GCloud gateways with a zone selection option. -- Update REST API to accommodate GUI 2.0 development +- Update API to accommodate GUI 2.0 development UserConnect-082116 ================== @@ -1936,12 +3222,12 @@ UserConnect-082515 - Detailed display of VPC/gateway on Dashboard. Clicking on the gateway name displays the complete configuration of the gateway. -- Support REST API for all CloudOps commands. +- Support API for all CloudOps commands. - Support the option to launch gateway when creating CloudOps VPC pool. - Support CloudOps Access IP address map history and initiator (from - Console or from REST API). + Console or from API). - Hash all password. 
@@ -2048,7 +3334,7 @@ UserConnect-051515 - Support configurable base policy for user profiles -- REST API to change a VPN user’s profile +- API to change a VPN user’s profile UserConnect-050915 ================== diff --git a/HowTos/UserSSL_VPN_Azure_AD_SAML_Config.rst b/HowTos/UserSSL_VPN_Azure_AD_SAML_Config.rst index 078f45cbc..a70883aab 100644 --- a/HowTos/UserSSL_VPN_Azure_AD_SAML_Config.rst +++ b/HowTos/UserSSL_VPN_Azure_AD_SAML_Config.rst @@ -155,6 +155,10 @@ Click **Single sign-on** below **Manage** |imageUserAttrs| +Note: Recently Azure change to New UI "attributes & claims". The following picture is the new reference setting example. + + |imageUserClaims| + **SAML Signing Certificate** #. Find the **Metadata XML** link @@ -199,15 +203,10 @@ Aviatrix Controller SAML Endpoint #. Copy the following into the **Custom SAML Request Template** field: .. code-block:: xml - + + $Issuer - - - - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport - - .. note:: @@ -233,6 +232,7 @@ You can quickly validate that the configuration is complete by clicking on the * .. |imageAddAppSetName| image:: azuread_saml_media/azure_ad_add_new_step_1.png .. |imageAssignUser| image:: azuread_saml_media/azure_ad_assign_user.png .. |imageUserAttrs| image:: azuread_saml_media/azure_ad_saml_user_attrs.png +.. |imageUserClaims| image:: azuread_saml_media/azure_ad_saml_user_claims.png .. |imageSAMLSettings| image:: azuread_saml_media/azure_ad_saml_settings.png .. |imageSAMLMetadata| image:: azuread_saml_media/azure_ad_saml_metadata.png diff --git a/HowTos/UserSSL_VPN_Okta_SAML_Config.rst b/HowTos/UserSSL_VPN_Okta_SAML_Config.rst index 12ccf8f00..6183ac3d4 100755 --- a/HowTos/UserSSL_VPN_Okta_SAML_Config.rst +++ b/HowTos/UserSSL_VPN_Okta_SAML_Config.rst 
@@ -284,10 +284,10 @@ See this `article `__ is setup and running - #. You haveHave a valid `IdP account <#pdc-22>`__ with admin access + #. You have a valid `IdP account <#pdc-22>`__ with admin access #. You have `Downloaded and installed <#pdc-23>`__ the Aviatrix SAML client @@ -40,11 +40,10 @@ If you haven’t already deployed the Aviatrix controller, follow `these instruc 2.2 IdP Account ############### -An IdP refers to an identity provider for SAML. This could be any provider that supports a SAML endpoint like `Okta <./SAML_Integration_Okta_IdP.html>`__, +An identity provider (IdP) is any provider that supports a SAML endpoint like `Okta <./SAML_Integration_Okta_IdP.html>`__, `OneLogin <./SAML_Integration_OneLogin_IdP.html>`__, `Google <./SAML_Integration_Google_IdP.html>`__, -`AWS SSO <./SAML_Integration_AWS_SSO_IdP.html>`__, and `Azure AD <./SAML_Integration_Azure_AD_IdP.html>`__. -You will require administrator access to create IdP endpoints for SAML. Check `IdP-specific SAML Integration <#IdP-integration>`__ to see a list of guides for supported IdP's - +`AWS SSO <./SAML_Integration_AWS_SSO_IdP.html>`__, `Azure AD <./SAML_Integration_Azure_AD_IdP.html>`__, and `PingOne <./SAML_Integration_PingOne_IdP.html>`__. +Administrator access is required to create IdP endpoints for SAML. For a list of supported IdPs, see `IdP-specific SAML App Integration `_. .. _PDC_23: 
@@ -105,7 +104,10 @@ The configuration consists of 8 parts: +-------------------------+--------------------------------------------------------+ | Entity ID | Select `Hostname` for now | +-------------------------+--------------------------------------------------------+ - | Access | Select admin or read-only access | + | Sign Authn Requests | Sign the cert when requesting to IDP from client | + +-------------------------+--------------------------------------------------------+ + | Access | (Removed from 6.0 and later) Select admin or read-only | + | | access | +-------------------------+--------------------------------------------------------+ | Custom SAML Request | For now leave blank, depending on your specific | | Template | IdP, you may have to check this option | @@ -181,9 +183,10 @@ These are guides with specific IdP's that were tested to work with Aviatrix SAML #. `Google <./SAML_Integration_Google_IdP.html>`__ #. `Okta <./SAML_Integration_Okta_IdP.html>`__ #. `OneLogin <./SAML_Integration_OneLogin_IdP.html>`__ +#. `PingOne <./SAML_Integration_PingOne_IdP.html>`__ Other tested IdP's include: -Ping Identity, VmWare VIDM, ForgeRock's OpenAM etc. +VmWare VIDM, ForgeRock's OpenAM etc. .. _Config_33: @@ -198,7 +201,7 @@ After creating the IdP, you need to retrieve IdP Metadata either in URL or text #. Google - provides IdP metadata text #. Okta - provides IdP metadata text #. OneLogin - provides IdP metadata URL - +#. PingOne - provides IdP metadata URL .. _Config_34: 
@@ -330,10 +333,17 @@ Note that if the IDP sends an invalid or empty Profile attribute, the default pr This way Profile associations can be configured at IDP instead of configuring at the controller. -Currently only a single Profile is supported when using Profile as attributes. +Multiple Profiles is supported when using Profile as attribute starting with `release 5.4 `__ + +Multiple profiles can be added seperated by commas. Note that mixing of base rules is not allowed. The profile association can be verified from the Dashboard page after the VPN user has connected. +These are guides with specific IdP's that were tested to work with Aviatrix SAML integration: + +#. `Okta <./Setup_Okta_SAML_Profile_Attribute.html>`__ +#. `PingOne <./Setup_PingOne_SAML_Profile_Attribute.html>`__ + OpenVPN is a registered trademark of OpenVPN Inc. .. |image3-1-1| image:: SSL_VPN_SAML_media/image3-1-1.png diff --git a/HowTos/account_audit.rst b/HowTos/account_audit.rst index cca1b8fe9..32a885475 100644 --- a/HowTos/account_audit.rst +++ b/HowTos/account_audit.rst 
@@ -16,13 +16,25 @@ The Aviatrix Controller periodically checks the accounts it manages to make sure #. An access account IAM role aviatrix-role-ec2 has associated policies. #. An access account IAM role aviatrix-role-app has associated policies. #. An access account has trust relationship to the primary account (the Controller's AWS account). + #. An access account has expired, deleted or invalid credential. If any of the above condition fails, the Controller sends out alert email and logs the event. In addition, the controller will also send alert email on behalf of any of the above condition failures reported by a gateway upon the first detection and subsequently every 24 hours until the problem is rectified. Note the event requires immediate attention; otherwise, it can lead to catastrophic operation outage. Go through the above conditions to repair the configuration. -If you need help, email to support@aviatrix.com. +If you need help, please open a support ticket at `Aviatrix Support Portal `_ + + +.. Note:: + + - Account auditing does not work with the new enhancement "customized IAM role name" in 6.4. In the current design, the account auditing feature looks for the Aviatrix standard IAM role names which are aviatrix-role-app and aviatrix-role-ec2 and the Aviatrix standard policy name which is aviatrix-app-policy. + + - The account auditing feature also does not work if the IAM app role has more than one policy attached because only the first policy is used. + +.. + + .. |secondary_account| image:: adminusers_media/secondary_account.png :scale: 50% diff --git a/HowTos/activemesh_design_notes.rst b/HowTos/activemesh_design_notes.rst index 480d05ff4..cf76cb863 100644 --- a/HowTos/activemesh_design_notes.rst +++ b/HowTos/activemesh_design_notes.rst 
@@ -15,12 +15,33 @@ ActiveMesh is the default mode when launching an Aviatrix Transit gateway. This While AWS Transit Gateway (TGW) does not propagate routes to Spoke VPCs, TGW Direct Connect via DXGW and TGW VPN have full functions of failover, multi-path and ECMP in supporting connection to on-prem. This includes: - - TGW DXGW prefers to TGW VPN when both advertising the same network. When DXGW goes down, one of the VPN routes take over. + - TGW prefers DXGW to TGW VPN when both advertising the same network. When DXGW goes down, one of the VPN routes take over. - When there are multiple VPN routes, TGW routing policy selects the shortest AS_PATH length. - When there are multiple VPN routes with identical AS_PATH length, TGW VPN distributes traffic with ECMP when it is enabled. In this case, Aviatrix Controller performs the orchestration function in managing route propagation and Aviatrix Transit gateways are used to connect two TGWs. +Design Note: Implementing TGW with VPN backup design could lead to asymmetric routing i.e with traffic from AWS to on-premises +traversing the DX as inteneded while traffic from on-premises to AWS traversing the IPSec VPN tunnel instead. + +Traffic from AWS to on-premise prefers the AWS DXGW over the VPN connection because the TGW effectively sets a higher “local +preference” (LOCAL_PREF) on the DXGW BGP sessions (refer to Route Evaluation Order as outlined in the AWS Transit Gateway +documentation). + +For traffic from on-premises to AWS, the DX path should be preferred because AWS sets a Multi Exit Discriminator (MED) value +of 100 on BGP sessions over VPN links as compared to the default value of 0 over the DX path. This works well in the case DX +and VPN are used with a Virtual Private Gateway (VGW) as the same AS is announced over both connections but in case of the +TGW, the DX path uses a different ASN compared to the VPN path. + +The advertised ASN over VPN is the TGW AS while the ASN over DX is the ASN of the DXGW. 
Note that in case of TGW, the AS path +over the DXGW path only consists of the DXGW AS instead of AS path length of two with TGW AS + DXGW AS. This is the result of +manually setting the CIDRs to be announced by the AWS DXGW towards on-premises which effectively causes DXGW to originate the +routes resulting in a reduced path length of one over DX which is the same AS path length as over the VPN link but different +AS path. + +To ensure that the on-premises routers always cosnider the MED value, set the “bgp always-compare-med” knob. This forces the +router to compare the MED if multiple routes to a destination have the same local preference and AS path length. + The deployment is shown in the diagram below. |activemesh_tgw_onprem| @@ -84,8 +105,7 @@ learned by the local Aviatrix Transit Gateway. 2.4 Overlapping Spoke VPC CIDRs ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -If there are overlapping Spoke VPCs CIDRs attached to the TGWs in two regions and you wish to connect them via Aviatrix Transit Gateway Pee -ring, use `Exclude Network CIDRs `_ on both +If there are overlapping Spoke VPCs CIDRs attached to the TGWs in two regions and you wish to connect them via Aviatrix Transit Gateway Peering, use `Exclude Network CIDRs `_ on both Aviatrix Transit Gateways to exclude these overlapping Spoke VPC CIDRs. 3. NAT Functions 
@@ -93,7 +113,15 @@ Aviatrix Transit Gateways to exclude these overlapping Spoke VPC CIDRs. SNAT function is supported on the individual connection between the Aviatrix Transit Gateway and the remote sites. -SNAT function is not supported on the Spoke gateway tunnel interface to the Aviatrix Transit Gateway. +Starting Release 5.4, SNAT and DNAT functions are supported on the Spoke gateway tunnel interface to the Aviatrix Transit Gateway. + +4. Egress Routes Propagation Behavior +---------------------------------------- + +If Firewalls are deployed for Internet bound Egress traffic in either FireNet and Transit FireNet deployment, the default routes are propagated +to the remote peer by Transit Gateway peering. This allows Firewalls to be shared across regions. + +If you have regional Firewalls for Egress traffic, make sure you apply filter to filter out the default routes. 4. Configuration Notes ----------------------- diff --git a/HowTos/activemesh_faq.rst b/HowTos/activemesh_faq.rst index 660d72a84..d27df5d69 100644 --- a/HowTos/activemesh_faq.rst +++ b/HowTos/activemesh_faq.rst 
@@ -54,15 +54,28 @@ What are the advantages of ActiveMesh? The key benefits of ActiveMesh are improved network resiliency, failover convergence time and performance. -How to enable ActiveMesh? --------------------------- +How to enable ActiveMesh 1.0? +-------------------------------- -ActiveMesh is not enabled by default. Follow the `Aviatrix Encrypted Transit Network workflow `_ to enable ActiveMesh mode. +ActiveMesh enabled by default. For Aviatrix Transit or Spoke gateway launched before ActivMesh +mode become available, follow the `Aviatrix Encrypted Transit Network workflow `_ to enable ActiveMesh mode. -How to troubleshoot ActiveMesh deployment? --------------------------------------------- +How to troubleshoot ActiveMesh Transit Gateway? +------------------------------------------------- + + 1. **Check IPSec Tunnel**. For BGP learned routes, check if the IPSEC tunnel is up. Go to Site2Cloud -> Setup. Find the connection and make sure it is in Up state. If it is not, go to Site2Cloud -> Diagnostics and run "Show log". Since all BGP sessions run inside IPSEC tunnel, this is the first thing you should check. + #. **Check BGP Session**. For BGP learned routes, check if BGP session is established. Go to (Multi-Cloud) Transit Network -> Advanced Config -> BGP. Look for the BGP session and make sure it is in Established State. If it is not, go to (Multi-Cloud) Transit Network -> Advanced Config -> Diagnostics. Select the transit gateway, run commands, such as "show ip bgp". + #. **Check BGP Learned Routes** For BGP learned routes, check if routes are learned. Go to (Multi-Cloud) Transit Network -> Advanced Config -> Diagnostics. Select the transit gateway, run "show ip bgp" to make sure the transit gateway under inspection has learned the routes you are looking for. + #. **Check Route Database** For all routes, check if the Controller see all the learned routes from TGW, BGP, Transit Peering and Static. Go to Multi-Cloud Transit -> List. 
Select the Transit Gateway, click Show Details. Scroll down and refresh `Route Info DB Details`. This table contains learned routes from all sources. + #. **Check Aviatrix Transit Gateway Programmed Routes** Go (Multi-Cloud) Transit Network -> List. Select the Transit Gateway, click Actions -> Show Details. Scroll down to the Gateway Routing Table and click to open. Make sure the routes you are looking for is in the table and has a next hop with metric 100 or lower. + #. **Sync Routes** If for any reason the Route Database on the Controller become inconsistent with the Aviatrix Transit Gateway route table, sync the routes to force program the routes on the gateway again. Go to Multi-Cloud Transit -> Advanced Config. Select the Aviatrix Transit Gateway in question, scroll down to the `Sync Controller Best Routes to Transit Gateway`, click `Sync Routes`. + +If any of the above steps show failure, there is an error, please open a support ticket at `Aviatrix Support Portal `_ for more debugging assistance. + +If all above steps succeed, the connectivity issue lies somewhere else. Check Spoke VPC route table and TGW route table if applicable. + +If this is TGW based deployment, run an Audit by going to TGW Orchestrator -> Audit. Any missing routes in either VPC route table or TGW route table should be discovered. -Go to Transit Network -> List. Select either the Transit GW or a spoke gateway, click Show Details. How to migrate from the encrypted transit network to ActiveMesh mode? ---------------------------------------------------------------------- @@ -73,8 +86,8 @@ Here are the steps: 1. Launch a new Transit GW and enable ActiveMesh on it. #. Detach a current spoke and attach it to the new Transit GW. -Can ActiveMesh be applied to Azure? -------------------------------------- +Can ActiveMesh be applied to Azure, GCP and OCI? +---------------------------------------------------- Yes. 
@@ -98,7 +111,11 @@ Does ActiveMesh support route based VPN or policy based VPN? ActiveMesh enables the Aviatrix Transit GW to connect to multiple remote sites over IPSec VPN tunnels. -When you configure VPN to remote sites from Transit Network -> Setup -> Step 3 (Connect to VGW/External Device/Aviatrix CloudN) in the `Transit Network workflow Step 3 `_, the VPN tunnel is built with route based VPN. +When you configure VPN to remote sites from Transit Network -> Setup -> Step 3 (Connect to VGW/External Device/Aviatrix CloudN) in the `Transit Network workflow Step 3 `_, the VPN tunnel is built with route based VPN on the Aviatrix Transit Gateway. + +Starting from Release 6.0, ActiveMesh Transit Gateway supports both remote route based VPN and remote policy based VPN tunnels. In both cases, +the Aviatrix Transit Gateway operates in route based mode. Note if the remote site is policy based static VPN, +traffic must be initiated from the remote site. On the other hand, when you configure VPN to remote sites from Site2Cloud page and select a Transit GW, the VPN tunnel is built with policy based VPN. 
@@ -112,6 +129,52 @@ it participates in packet forwarding again. To stop an ActiveMesh gateway, you should disable the Gateway Single AZ HA feature. Highlight the gateway at the Gateway page, click Edit. Scroll down to Gateway Single AZ HA, click Disable. +What is ActiveMesh 2.0? +------------------------- + +ActiveMesh 2.0 is a new iteration of ActiveMesh. The main advancement of ActiveMesh 2.0 is its deterministic nature of Next Hop selection. + +Here is how Aviatrix Transit Gateway routing engine treats the following types of routes. + +======================================================== =============== ========== +**Networks** **Route Type** **Aviatrix Transit Gateway Route Propagation** +======================================================== =============== ========== +Local TGW attached VPC CIDR tgwvpc Local +Aviatrix Spoke gateway associated VPC/VNet CIDR vpc Local +Azure Native Spoke associated VNet CIDR vpc Local +Local TGW VPN dynamically learned network CIDR tgwedge Advertises TGW VPN ASN and its remote peer ASN to a remote BGP peer if it's the best route. +Local TGW DXGW learned network CIDR tgwedge Advertises TGW DXGW ASN and its remote peer ASN to a remote BGP peer if it's the best route. +Remote Aviatrix Transit Gateway Peering learned routes peer Advertises remote Aviatrix peer's network CIDRs to a remote BGP peer if it's the best route. +Aviatrix Transit Gateway BGP learned from on-prem bgp Advertises to its remote peers by Aviatrix Transit Gateway peering if it's the best route. +Aviatrix Transit Gateway statically learned from on-prem static Local +Aviatrix Transit Gateway associated VPC/VNet CIDR linklocal Local +Local Firewall Egress route (0.0.0.0/0) transit Local +Aviatrix Transit Gateway SNAT IP address linklocal Local +======================================================== =============== ========== + +With this approach, there is more visibility on learned routes regarding what paths the routes are learned from. 
+ +The next hop best path selection follows the priorities listed below. + + 1. Local + #. Shortest number of ASN list + #. For two identical length ASN routes, select the next hop with the lowest Metric Value + #. For two identical ASN length and Metric Value routes, if ECMP is disabled (this is the default configuration), select the current best route. If there is no current best route, the next hop IP addresses are compared, the lower integer IP address is selected. + #. For two identical ASN length and Metric Value routes, if ECMP is enabled, traffic is distributed to both routes using ECMP. + +How to migrate to ActiveMesh 2.0? +-------------------------------------- + +There are 3 scenarios: + +================================= =============================================================================================== ========== +**Deployment** **Notes** **ActiveMesh 2.0 Migration** +================================= =============================================================================================== ========== +Non ActiveMesh deployment the Aviatrix Transit Gateway in the deployment has been launched before Release 5.1 (10/1/2019) follow `this instructions `_ +ActiveMesh 1.0 deployment the Aviatrix Transit Gateway was launched with ActiveMesh option enabled prior to Release 6.0 migrate to ActiveMesh 2.0 by going to Settings -> Maintenance -> Migration -> ActiveMesh 2.0 Migration, click Migrate. +New ActiveMesh 2.0 deployment the Aviatrix Transit Gateway was launched with ActiveMesh option enabled after Release 6.0 ActiveMesh 2.0 is automatically enabled for brand new deployment on a Controller. +================================= =============================================================================================== ========== + .. |activemesh_spoke_transit| image:: activemesh_faq_media/activemesh_spoke_transit.png :scale: 30% diff --git a/HowTos/activemesh_migration.rst b/HowTos/activemesh_migration.rst index 5729a8b2f..c2c5bd504 100644 
--- a/HowTos/activemesh_migration.rst +++ b/HowTos/activemesh_migration.rst @@ -42,8 +42,9 @@ The steps are documented in detail below. 9. Repeat steps 5 through 8 for all spokes -10. You can go to "Controller/Gateway" and select your old Transit and Transit-HA gateways and delete them -11. Please check your network routes and connectivity and open a ticket if you run into any issues, by sending an email to support@aviatrix.com +10. Prior to Deleteing the old gateways please go to Multi Cloud Network >> Advanced and select the old gateway from the drop down. Make sure that the option Advertise Transit VPC CIDR is disabled. Once this is verified you can go to "Controller/Gateway" and select your old Transit and Transit-HA gateways and delete them. + +11. Please check your network routes and connectivity and open a ticket on `Aviatrix Support Portal `_ if you run into any issues .. |image1| image:: ./activemesh_migration_media/image1.png diff --git a/HowTos/adminusers_media/account_name_alias.png b/HowTos/adminusers_media/account_name_alias.png new file mode 100644 index 000000000..ff2c9ae65 Binary files /dev/null and b/HowTos/adminusers_media/account_name_alias.png differ diff --git a/HowTos/advanced_config.rst b/HowTos/advanced_config.rst index 49790ad3e..412ade2f9 100644 --- a/HowTos/advanced_config.rst +++ b/HowTos/advanced_config.rst 
@@ -14,13 +14,64 @@ tunnel down detection time. Aviatrix gateways samples the tunnel status every 10 seconds. +Anti-replay Window +------------------ + +Specify the IPSec tunnel anti-replay window size. + +- The size range is 0 to 4096. +- The default value is 0. +- Set the size to 0 to disable anti-replay protection. +- If “controller” of “Aviatrix Entity” is selected, all gateways share the same tunnel anti-replay window. + Keepalive ------------- +--------- In normal state, Aviatrix gateways send keep alive messages to the Controller. Keep Alive Speed determines when Controller determines if a gateway is down. See `Gateway State `_ for more information. +Password Requirements +---------------------- + +Aviatrix uses a password meter to enforce password requirements. The default password requirements are: + +- Minimum characters - 4. +- Maximum characters - 16,777,216 or 16MB. +- At least 1 upper and 1 lower case character. +- At least 1 numeral character. +- At least one special character. + +Password Management +---------------------- + +By default, password management is disabled for controller's account users which means there is no restriction for password length and expiration validity check. + +If company's requires strict regulation for passwords then password restriction can be managed and enabled in Controller's console. + +Navigate to Settings -> Advanced -> Password Management to enable password management. Password Management allows to put the following restriction for account's user: + + #. Minimum Password Length + #. Maximum Password Age(Days) and + #. Enforce Password History which force users to use new strong password. + +If you are using the Password Management option, the policy default values are: + +- Minimum characters – 8. +- Age limit - 180 days. +- Not repeatable times – 5. + +If you are using the Password Management option, the policy ranges are: + +- Minimum characters – 8. +- Maximum characters – 32. +- Age limit is 1 - 365 days. 
+- Not repeatable times is 1 – 12. + +Credentials +--------------- +In order to exercise 90 days security compliance requirement for key rotation policy, API key pair and other internal passwords for company IAM account needs to be refreshed frequently. + BGP Config ------------ 
@@ -59,10 +110,59 @@ Overlapping Alert Email Aviatrix, by default, will alert you if you add a spoke that overlaps with your on-premise network (or, if you start advertising a network from on-premise that overlaps with a spoke). However, there are some cases where you expect overlaps and the alert emails are not helpful. For these cases, you can disable the overlap checking. To do this go to -**Advanced Config** > **BGP Alert Email** > **BGP Overlapping Alert Email** +**Settings** > **Controller** > **Alert Bell** > **Overlapped CIDR Check** Toggle the switch to **Disabled** to disable overlap checking. +Proxy +-------- + +Proxy configuration is available for Release 6.3 and later. It is a global setting that applies to Controller and all gateways. + +There are scenarios where a corporation requires all Internet bound web traffic be inspected by a proxy server before being allowed +to enter Internet. Such requirement may apply to cloud deployment, and when it happens, both Controller and gateways need to comply to +the policy. This is accomplished by enabling and configuring proxy server on the Controller. + +When a proxy server is configured on the Aviatrix platform (Controller and gateways), all Internet bound HTTP and HTTPS traffic initiated by +the Controller and gateways is forwarded to the proxy server first before entering Internet. Such traffic includes all cloud provider +API calls made by the Controller and gateways. + +.. important:: + + The domain name .aviatrix.com must be excluded by the proxy server from SSL or HTTPS termination. + +Configuration +################ + +========================================= ========================= +**Field** **Value** +========================================= ========================= +HTTP Proxy proxy server IP address for HTTP traffic +HTTPS Proxy proxy server IP address for HTTPS traffic (usually the same as HTTP Proxy field) +(Optional) Proxy CA Certificate This field is optional. 
When a CA Certificate is uploaded, the Controller and gateway expect that the proxy server will terminate a HTTPS request initiated by them and will initiate a new HTTPS request on behalf of them. When this option is not used, the proxy server simply forwards HTTP/HTTPS traffic. +========================================= ========================= + +Test +~~~~~~ + +The Test option runs a few HTTPS request to make sure your proxy configuration is correct. + +Once all fields are configured, click Test to validate if your configuration is correct. If not, results are displayed. Correct the +configuration and try again. + +Apply +~~~~~~~ + +Apply is clickable only after Test is passed. When Apply is applied, the proxy configuration takes effect. + +Delete +~~~~~~~ + +To disable proxy, click Delete. + + + + .. |imageGrid| image:: advanced_config_media/grid.png .. disqus:: diff --git a/HowTos/alert_and_email.rst b/HowTos/alert_and_email.rst index 236eb99b6..938502468 100644 --- a/HowTos/alert_and_email.rst +++ b/HowTos/alert_and_email.rst @@ -15,6 +15,8 @@ By default, the alert email is sent to the admin of the Controller. The email ca By default, the source email address is no-reply@aviatrix.com. +By default, the SMTP service is provided by a third-party, Sendgrid. Even though Aviatrix implements third-party risk monitoring, we are not responsible for Sendgrid controls. Aviatrix recommend customer to configure your own SMTP service. + How to change alert email configuration ---------------------------------------- 
@@ -28,6 +30,20 @@ If you would like the alert messages to be sent to a different email, |change_alert_email| +How to manage Alert Bell notification? +------------------------------------------------------ + +The Alert Bell notification can be managed under Settings -> Controller -> Alert Bell. + +By default, Alert Bell notification is enabled for the following features: + 1. **Overlapped CIDR Check** - Alert when BGP routes overlap in Site2Cloud. + #. **Guard Duty Check** - Alert gets logged as Alert Bell notification and block malicious IP addresses when offending IPs are detected by Guard Duty. To learn more about Guard Duty integration with Aviatrix click `here `_. + #. **Log Service Check** - This alarm generates a warning as a Alert Bell notification for remote syslog server down event. + #. **Reach of Route Limit Check** - Alert when VPC and BGP route limits reach a threshold. + #. **Blackhole Route Entry Check** - Alert when VPC route table has inactive routes. To learn more about Blackhole Routes click `here `_. + +|alert_bell_notify| + How to Change Email Notification Source ----------------------------------------- @@ -66,8 +82,11 @@ Note that newly created SES accounts are placed in an "AWS SES Sandbox" and will g. Protocol: TLS h. Click “Save” +How to not send exception notification to Aviatrix +------------------------------------------------------------- - +Software exception notification button gives an ability to customers to disable exception emails send to Aviatrix. To disable notification, go to Settings -> Controller -> Email, scroll down to find the software exception field and click Disable. +  @@ -86,5 +105,7 @@ Note that newly created SES accounts are placed in an "AWS SES Sandbox" and will .. |aws_verify_email| image:: alert_and_email_media/aws_verify_email.png :scale: 30% +.. |alert_bell_notify| image:: alert_and_email_media/alert_bell_notify.png + :scale: 30% .. disqus:: 
diff --git a/HowTos/alert_and_email_media/alert_bell_notify.png b/HowTos/alert_and_email_media/alert_bell_notify.png new file mode 100644 index 000000000..6929dbef5 Binary files /dev/null and b/HowTos/alert_and_email_media/alert_bell_notify.png differ diff --git a/HowTos/aviatrix_account.rst b/HowTos/aviatrix_account.rst index 813ebafe0..c2391902e 100644 --- a/HowTos/aviatrix_account.rst +++ b/HowTos/aviatrix_account.rst @@ -74,12 +74,15 @@ The CloudFormation is necessary to create IAM roles, policies and establish a tr .. |secondary_account| image:: adminusers_media/secondary_account.png - :scale: 50% + :scale: 30% .. |account_structure| image:: adminusers_media/account_structure.png - :scale: 50% + :scale: 30% .. |access_account_35| image:: adminusers_media/access_account_35.png - :scale: 50% + :scale: 30% + +.. |account_name_alias| image:: adminusers_media/account_name_alias.png + :scale: 30% .. disqus:: diff --git a/HowTos/aviatrix_account_alibaba.rst b/HowTos/aviatrix_account_alibaba.rst new file mode 100644 index 000000000..77196806d --- /dev/null +++ b/HowTos/aviatrix_account_alibaba.rst 
@@ -0,0 +1,62 @@
+.. meta::
+ :description: Aviatrix Cloud Account for Alibaba
+ :keywords: Aviatrix account, Alibaba, Aviatrix Alibaba account credential, API credential
+
+===========================================================
+Alibaba Cloud Account Credential Setup
+===========================================================
+
+Creating an Alibaba Primary Access Account
+=====================================================
+
+1. Access your Alibaba account info in the Alibaba UI. Click on the User Icon so you can access the Alibaba Cloud Account ID, Cloud Access Key ID, and Cloud Secret Key. You need the Alibaba account information to create the Alibaba Primary Access Account in the Aviatrix Controller.
+
+ |alibaba_user_icon|
+
+2. In the Alibaba UI, create an AccessKey pair for authenticating the Aviatrix Controller. Click on the User Icon and navigate to AccessKey Management > Create Access Key.
+
+ |alibaba_accesskey|
+
+3. In the Aviatrix Controller, navigate to Accounts > Access Accounts and select Alibaba Cloud. Add an Account Name and enter the Alibaba Cloud Account ID, Cloud Access Key ID, and Cloud Secret Key. Optional - add any RBAC Groups that should have access to the Primary Access Account.
+
+
+Deploying the Aviatrix Gateway in your Alibaba Cloud
+=====================================================
+
+You must satisfy the prerequisites in “Creating an Alibaba Primary Access Account” before Deploying the Aviatrix Gateway in your Alibaba Cloud.
+
+1. Access your Alibaba account info in the Alibaba UI. Click on the User Icon and record your Alibaba Account ID.
+
+2. Communicate your Alibaba Account ID to your Aviatrix Support representative.
+
+3. Your Aviatrix Support representative shares the Aviatrix gateway image with your Alibaba account.
+
+4. Verify your Alibaba account can access the Aviatrix gateway image. Go to Elastic Compute Service > Instances & Images > Images > Shared Image to view the image.
+
+ |alibaba_share_image|
+
+5. Create an Alibaba Primary Access Account in the Aviatrix Controller.
+
+6. Deploy the Aviatrix Gateway in the Alibaba cloud.
+
+Alibaba Cloud Default Limitations
+=================================
+
+- The EIP bandwidth limit is 200 Mbit/s. The Aviatrix Spoke to Transit and Transit to Spoke connections maximum bandwidth is 400 Mbit/s. You can purchase different plans to increase throughput and bandwidth.
+
+- A maximum of 48 routes in each route table is supported by default. If you require more routes in each route table, contact Alibaba Support.
+
+- The Alibaba API takes 1-2 seconds to add or delete one route in one VPC route table. No route update requests are accepted while a route is being added or deleted.
+
+- Outgoing traffic to public non-RFC1918 IP address from an instance with a public IP does not look at the VPC route table. Even non-RFC1918 routes are configured on VPC route table. If you want to improve this non-RFC1918 traffic routing behavior on public instance, contact Alibaba Support.
+
+.. |alibaba_user_icon| image:: aviatrix_account_alibaba_media/alibaba_user_icon.png
+ :scale: 50%
+
+.. |alibaba_accesskey| image:: aviatrix_account_alibaba_media/alibaba_accesskey.png
+ :scale: 50%
+
+.. |alibaba_share_image| image:: aviatrix_account_alibaba_media/alibaba_share_image.png
+ :scale: 50%
+
+.. disqus::
diff --git a/HowTos/aviatrix_account_alibaba_media/alibaba_accesskey.png b/HowTos/aviatrix_account_alibaba_media/alibaba_accesskey.png new file mode 100644
index 000000000..2c91f0504 Binary files /dev/null and b/HowTos/aviatrix_account_alibaba_media/alibaba_accesskey.png differ
diff --git a/HowTos/aviatrix_account_alibaba_media/alibaba_share_image.png b/HowTos/aviatrix_account_alibaba_media/alibaba_share_image.png new file mode 100644
index 000000000..42bbee675 Binary files /dev/null and b/HowTos/aviatrix_account_alibaba_media/alibaba_share_image.png differ
diff --git a/HowTos/aviatrix_account_alibaba_media/alibaba_user_icon.png b/HowTos/aviatrix_account_alibaba_media/alibaba_user_icon.png new file mode 100644 index 000000000..4e0f19b34 Binary files /dev/null and b/HowTos/aviatrix_account_alibaba_media/alibaba_user_icon.png differ diff --git a/HowTos/aviatrix_apis_datacenter_extension.rst b/HowTos/aviatrix_apis_datacenter_extension.rst deleted file mode 100644 index 2394f18ca..000000000 --- a/HowTos/aviatrix_apis_datacenter_extension.rst +++ /dev/null 
@@ -1,207 +0,0 @@ -.. meta:: - :description: Datacenter extension API reference design - :keywords: datacenter extension, Aviatrix API, Aviatrix, VLAN stretching - -================================================= - REST API Example -================================================= - - - -Introduction -============ - -The APIs for Aviatrix can be used for the tasks -that are done through the Web UI. - -The following is an example of utilizing the APIs to create a VPC/VNet -under Datacenter Extension. For the complete REST API documentation, check out `this link. `_ - -Datacenter Extension capability manages your cloud address range. It -creates VPC/VNet, subnets, routing tables and creates an IPSec tunnel to -the virtual appliance (ACX), so that on-premise VMs and -servers can communicate with instances in the created VPC with packet -encryption and private IP addresses. - -Workflow for Datacenter Extension -================================= - -Make sure the latest version of Aviatrix software is installed or -upgraded before you start. You should see the alert for software upgrade -on the menu bar of the controller if a newer version is available. Click -**Upgrade** and wait for the upgrade to complete. - -Here are the steps to successfully use the APIs to achieve the same -result without the Web UI. - -1. Log in to get the session ID - -2. Enter the license (customer ID) - -3. Set up the maximum number of VPC/VNet - -4. Create a user account - -5. Create a VPC/VNet for Datacenter Extension - -Use the APIs to Create a VPC/VNet -================================= - -The APIs in this section are to demonstrate how to use them to accomplish the steps described above. -The data used here is for demonstration purposes only. Replace the values in your case. - -For more information, refer to “Cloud Services Gateway Controller API -reference” for details. 
You can retain a copy of this document under -**?Help > API Reference** on the menu bar after you log on the Web -console. - -1. Log in to get the session ID - - :: - - https://IP_Address_of_ACX/v1/api?action=login&username=admin&password=password - - Replace IP_Address_of_ACX with your own IP address of ACX. - Replace the values of username and password with the credentials you use to log in the Web console. - - It should return a CID upon successful login. - :: - - { - "return": true, - "results": "User login:admin in account:admin has been authorized - successfully - Please check email confirmation.", - "CID": "584b4b57a42f2" - } - -Note the value of the CID for the API calls hereafter. - -2. Enter the license - - Obtain a valid license (customer ID) from Aviatrix in advance then enter the value in the API - - :: - - https://IP_Address_of_ACX/v1/api? - CID=584b4b57a42f2&action=setup_customer_id&customer_id=carmelodev-1234567898.64 - -Replace the value of CID with the one in step 1. -Replace the value of customer_id with your license. -Make sure the license is successfully entered and it returns the license information correctly. - - :: - - { - "return": true, - "results": { - "license_list": [ - { - "Lic-1436678987.59": { - "Verified": 0, - "Type": "c4.4xlarge", - "Expiration": "2017-12-09", - "Allocated": 0, - "IssueDate": "2016-12-09", - "Quantity": 20 - } - } - ], - "CustomerID": "carmelodev-1234567898.64" - } - } - -3. Set up the maximum number of VPC/VNet :: - - https://IP_Address_of_ACX/v1/api?CID=584b4b57a42f2&action=setup_max_vpc_containers&vpc_num=4 - -| Replace the value of CID with the one in step 1. -| Replace the value of vpc_num with the number you desire to set up. - - :: - - { - "return": true, - "result": { - "cidr_list": [ - "10.16.32.0\/19", - "10.16.64.0\/19", - "10.16.96.0\/19", - "10.16.128.0\/19" - ] - } - } - -4. 
Create a User Account - - Before calling the API to set up an account that enables ACX to access the cloud, gather the account information from the cloud - provider. - - | AWS ( cloud_type = 1 ): Account Number, Access key and Secret Key - | Azure ( cloud_type = 2 ): Azure Subscription ID - | Azure RM ( cloud_type = 8 ): Azure Subscription ID, Application Endpoint, Application Client ID and Application Client Secret - - This API needs to use POST method of HTTP to send the account information. Use any tool of your preference to send the POST HTTP - request - - :: - - POST https://192.168.0.251/v1/api - - Body - - { - "CID": "584b4b57a42f2", - "action": "setup_account_profile", - "account_name": "user2", - "account_password": "12345", - "account_email": "user2@123abc.com", - "cloud_type": "1", - "aws_account_number": "982805288348", - "aws_access_key": "AKIAIQDAABCPKKKWQA", - "aws_secret_key": "9ttSESnQvb\/OlWZKCjyPsbcdYgamthksK2+1G" - } - - | The above example is to set up an AWS account (cloud_type is 1 ). - | The others are the account information from AWS. - -:: - - { - "return": true, - "results": "An email with instructions has been sent to - user2@123abc.com" - } - -5. Create a VPC/VNet for Datacenter Extension - - | Currently, two cloud types are available for Datacenter Extension. - | They are AWS and Azure ARM. Hence, it either to create a VPC or VNet. - - | The CIDR of this VPC/VNet can only be one of the available CIDRs you set up in step 3. - - Enter the CIDR as the value of vpc_net in this API. :: - - POST https://172.16.150.15/v1/api - - Body - - { - "CID": "584b4b57a42f2", - "action": "create_container", - "cloud_type": "1", - "account_name": "user2", - "vpc_name": "dc-us-west-1", - "vpc_reg": "us-west-2", - "vpc_size": "t2.micro", - "vpc_net": "10.16.96.0\/19" - } - -| The result is expected to return after a while. - -| There are other options you can specify when you use this API to create a VPC/VNet. 
-| Refer to the reference document for more details about the options. - - -.. add in the disqus tag - -.. disqus:: diff --git a/HowTos/aviatrix_aws_outposts.rst b/HowTos/aviatrix_aws_outposts.rst new file mode 100644 index 000000000..b6c0ff3d5 --- /dev/null +++ b/HowTos/aviatrix_aws_outposts.rst 
@@ -0,0 +1,161 @@
+.. meta::
+ :description: Aviatrix in AWS Outposts
+ :keywords: Outposts, AWS Transit Network, AWS LGW, Local Gateway, Aviatrix Outposts
+
+
+=========================================================
+Aviatrix in AWS Outposts
+=========================================================
+
+AWS Outposts is a fully managed service that offers the same AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience. AWS Outposts is ideal for workloads that require low latency access to on-premises systems, local data processing, data residency, and migration of applications with local system interdependencies.
+
+AWS compute, storage, database, and other services run locally on Outposts, and you can access the full range of AWS services available in the Region to build, manage, and scale your on-premises applications using familiar AWS services and tools.
+
+The Aviatrix platform runs on Outposts. This brings the repeatable multi-cloud network architecture to Outposts with the common control plane that supports native cloud APIs and advanced networking and security capabilities needed to form a common data plane with visibility and control required for an enterprise-class multi-cloud network.
+
+1. Architecture
+================
+
+The Aviatrix controller remains in the public region of any cloud. It deploys, manages and monitors Aviatrix gateways that physically reside in Outposts. An ActiveMesh Aviatrix transit network is built using those gateways in Outposts. This allows Aviatrix to provide networking and security in the following use cases:
+
+ - Intra-Outposts.
+ - Inter-Outposts.
+ - Outposts to non-Outposts on-prem data center.
+ - Outposts to public AWS regions.
+ - Outposts to Azure.
+ - Outposts to GCP.
+
+|architecture|
+
+2. Intra-Outposts
+===================
+
+Using Aviatrix inside Outposts brings the following benefits:
+
+ - Complete automation of Outposts networking.
+ - Simplified network management at the application layer.
+ - Higher scalability.
+ - Easy-to-use segmentation domains.
+ - Consistent operations, control plane, and data plane with the public cloud.
+
+An Aviatrix controller is already deployed in a public AWS region. Using the Aviatrix controller, an Aviatrix ActiveMesh network can be deployed in Outposts:
+
+ - Redundant pairs of Aviatrix spoke gateways are launched in the spoke VPCs.
+ - A redundant pair of Aviatrix transit gateways is launched in the transit VPC.
+ - Redundant ActiveMesh peerings are established between the spoke gateways and the transit gateways.
+
+|intra-outposts|
+
+An Aviatrix controller is already deployed in a public AWS region. Using the Aviatrix controller, an Aviatrix ActiveMesh network can be deployed in Outposts:
+ - Redundant pairs of Aviatrix spoke gateways are launched in the spoke VPCs.
+ - A redundant pair of Aviatrix transit gateways are launched in the transit VPC.
+ - Redundant ActiveMesh peerings are established between the spoke gateways and the transit gateways.
+
+The Aviatrix control plane is learning and propagating the routes to the spoke gateways accordingly per Aviatrix segmentation domains. This enables encrypted, high-speed connectivity between workloads in Outposts-Spoke1-VPC and workloads in Outposts-Spoke2-VPC.
+
+Currently the ActiveMesh tunnels between the Aviatrix spoke gateways and transit gateways are established over public IPs. Support for private IP ActiveMesh tunnels in Outposts is under development.
+
+
+3. Inter-Outposts
+===================
+
+The same Aviatrix ActiveMesh transit network can be deployed in multiple Outposts racks. Then, an encrypted transit peering can be established between Aviatrix transit gateways across different Outpost racks. The Aviatrix control plane propagates the VPC CIDRs across the Outposts racks, enabling inter-Outposts connectivity. Data plane traffic goes over the Outposts Local Gateways (LGWs).
+
+|inter-outposts|
+
+4. Outposts to non-Outposts on-prem data center
+==================================================
+
+Aviatrix provides a NAT gateway functionality for traffic going from Outposts to on-prem, which brings the following benefits:
+
+ - No need to allocate customer-owned IPs to instances.
+ - Scalability advantage.
+ - Operational advantage.
+
+The Aviatrix control plane automates the propagation of on-prem subnets to Outposts spoke VPCs. This can optionally be controlled by Aviatrix segmentation domains.
+
+Redundant Site2Cloud connections are established between the Aviatrix transit gateways and the on-prem router. BGP runs on top to exchange the routes in both directions.
+
+|outposts_to_non-outposts_dc|
+
+
+5. Outposts to Public AWS regions
+=======================================
+
+Aviatrix enables Outposts connectivity to public AWS regions. It offers the following benefits:
+
+ - Repeatable architecture.
+ - Outposts connectivity to public AWS region with extreme simplicity: 1-click peering.
+ - Encrypted peering over Direct Connect or over the public Internet.
+ - Same user experience and feature-set.
+ - Consistent, end-to-end automated control plane.
+
+Using the Aviatrix controller, the same Aviatrix network architecture can be deployed in any public AWS region. An Aviatrix encrypted transit peering can be established between Aviatrix transit gateways across Outposts and the public region. The Aviatrix control plane propagates the VPC CIDRs across the Outposts racks and the region, enabling end-to-end connectivity. Data plane traffic can go over Direct Connect or over the public Internet.
+
+|outposts_to_public_aws|
+
+6. Outposts to Azure
+========================
+
+Aviatrix enables Outposts connectivity to Azure with the following benefits:
+
+ - Repeatable architecture
+ - Outpost connectivity to Azure with extreme simplicity: 1-click peering.
+ - Encrypted peering over private or public connections.
+ - Same user experience and feature-set.
+ - Consistent, end-to-end automated control plane.
+
+Using the Aviatrix controller, the same Aviatrix network architecture can be deployed in any public Azure region. An Aviatrix encrypted transit peering can be established between Aviatrix transit gateways across Outposts and the public Azure region. The Aviatrix control plane propagates the VPC and VNet CIDRs across the Outposts racks and Azure, enabling Outposts multi-cloud connectivity. Data plane traffic can go the public Internet, or over private peering on AWS Direct Connect and Azure Express Route connected in a colocation facility.
+
+|outposts_to_azure|
+
+7. Outposts to GCP
+====================
+
+Aviatrix enables Outposts connectivity to GCP with the following benefits:
+
+ - Repeatable architecture
+ - Outpost connectivity to GCP with extreme simplicity: 1-click peering.
+ - Encrypted peering over private or public connections.
+ - Same user experience and feature-set.
+ - Consistent, end-to-end automated control plane.
+
+Using the Aviatrix controller, the same Aviatrix network architecture can be deployed in any public GCP region. An Aviatrix encrypted transit peering can be established between Aviatrix transit gateways across Outposts and the public GCP region. The Aviatrix control plane propagates the VPC and VNet CIDRs across the Outposts racks and GCP, enabling Outposts multi-cloud connectivity. Data plane traffic can go the public Internet, or over private peering on AWS Direct Connect and GCP Cloud Interconnect connected in a colocation facility
+
+|outposts_to_gcp|
+
+8. Visibility and Troubleshooting
+===================================
+
+Aviatrix provides deep visibility and troubleshooting into the Outposts network. Aviatrix CoPilot is supported for Aviatrix networking in Outposts and offers the following functionalities for Outposts:
+
+ - Network Health Monitor – Real-time cloud network resource inventory and status.
+ - Dynamic Topology Map – Accurate, multi-cloud network topology, layout control and search.
+ - FlowIQ – Detailed application traffic flow analysis, global heat map and trends.
+ - CloudRoutes – Detailed searchable routing tables.
+ - Notifications – Alert on resources status/utilization.
+
+
+.. |architecture| image:: aws_outposts_media/architecture.png
+ :scale: 30%
+
+.. |intra-outposts| image:: aws_outposts_media/intra-outposts.png
+ :scale: 70%
+
+.. |inter-outposts| image:: aws_outposts_media/inter-outposts.png
+ :scale: 70%
+
+.. |outposts_to_non-outposts_dc| image:: aws_outposts_media/outposts_to_non-outposts_dc.png
+ :scale: 70%
+
+.. |outposts_to_public_aws| image:: aws_outposts_media/outposts_to_public_aws.png
+ :scale: 70%
+
+.. |outposts_to_azure| image:: aws_outposts_media/outposts_to_azure.png
+ :scale: 70%
+
+.. |outposts_to_gcp| image:: aws_outposts_media/outposts_to_gcp.png
+ :scale: 70%
+
+
+.. disqus::
diff --git a/HowTos/aviatrix_china_overview.rst b/HowTos/aviatrix_china_overview.rst new file mode 100644
index 000000000..ffaeea8c1
--- /dev/null
+++ b/HowTos/aviatrix_china_overview.rst
@@ -0,0 +1,169 @@
+.. meta::
+ :description: Aviatrix China Product Overview
+ :keywords: cloud networking, aviatrix, IPsec VPN, Global Transit Network, site2cloud
+
+=============================================
+Aviatrix China Overview
+=============================================
+
+What Features Are Supported in Which China Region Cloud?
+========================================================
+
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| **Feature** | **AWS China** | **Azure China** | **Alibaba China Regions** |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Controller Marketplace Launch | Yes | No | No |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| CoPilot Marketplace Launch | Yes | No | No |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Transit Gateway Peering | Yes | Yes | Yes |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Multi Accounts | Yes | Yes | Yes |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Transit Network Spoke and Transit Gateways | Yes | Yes | Yes |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Transit to External IPsec Devices | Yes | Yes | Yes |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Site2Cloud VPN for All Gateways | Yes | Yes | Yes |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Create a VPC | Yes | Yes | Yes |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Terraform | Yes | Yes | Yes |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Backup and Restore | Yes | Yes | Yes |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Logging Service Integration (Rsyslog, Netflow, and CloudWatch) | Yes | Yes | Yes |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Native Peering | Yes | Yes | No |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| FlightPath Expert Diagnostics | Yes | Yes | Yes |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| VPC Tracker | Yes | Yes | Yes |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Controller Security Group Management | Yes | No | No |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Launch Controller with CloudFormation | Yes | No | No |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Firewall Network | No | No | No |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Firenet | No | Yes | No |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Insane Mode Encryption | No | No | No |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Managed CloudN | No | No | No |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Transit to AWS VGW | No | No | No |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| BGP over LAN | No | No | No |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| BGP over GRE | No | No | No |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| AWS TGW | No | No | No |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| FQDN Egress Control | No | No | No |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Stateful Firewall | No | No | No |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Advanced NAT | No | No | No |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Remote Access User VPN (OpenVPN) | No | No | No |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| PrivateS3 | No | No | No |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| IPv6 | No | No | No |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Controller Migrate | No | No | No |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+| Logging Service Integration (Splunk, Firebeat, Sumologic, and Datadog) | No | No | No |
++------------------------------------------------------------------------+---------------+-----------------+---------------------------+
+
+What is Aviatrix China Design Assumption?
+============================================
+
+- Aviatrix Controller in Global cannot deploy China gateway
+
+- Aviatrix Controller in China cannot deploy Global gateway
+
+
+What is China Multi-Cloud Network Coverage?
+============================================
+
+You must overcome performance limitations and satisfy government requirements to create a global multi-cloud network that includes the China region.
+Slow connection speeds and high-latency associated with the China region can be overcome by using a dedicated line to create an Aviatrix transit connection
+and deploying services close to the China region. To satisfy legal regulations in China you must have an Internet Content Provider (ICP) license.
+
+For more information, see What is a China ICP License.
+
+What is a China ICP License?
+============================
+
+Regulations in China require you to acquire an Internet Content Provider (ICP) license from the government and register the license with your CSP
+to provide internet services in China. In China, an ICP license is required to establish SSL connections between different regions, ISPs, CSPs, or to
+cross national borders. Aviatrix supports transit gateways using AWS China, Azure China, and Alibaba multi-cloud networks in the China region.
+Obtaining and implementing an ICP is a process and you should follow the directions of your compliance experts.
+
+There are some general guidelines Aviatrix recommends following to implement a multi-cloud network in the China region.
+
+ - Create or use a Legal Entity in China to apply for the ICP license.
+
+ - Apply for a Legal Domain name in the China Registration.
+
+ - Acquire the ICP certificate from the China Ministry of Industry and Information Technology (MIIT).
+
+ - Register the ICP certificate with your to CSP in the China region.
+
+ - Use dedicated lines from certified telecom carries for connections between China and the rest of the world.
+
+ - Deploy the Aviatrix Controller, CoPilot, and Multi-Cloud Network in China.
+
+What issue will hit if the company doesn't follow China Regulation?
+===================================================================
+
+Both Aviatrix Controller and Gateway in the China region cannot communicate to each other properly.
+
+How to find Aviatrix Controller and CoPilot on China Marketplace?
+===================================================================
+
+- Login AWS China Portal
+
+- Navigate to AWS marketplace for Ningxia and Beijing Region
+
+- Search for the keyword "Aviatrix"
+
+ |aviatrix_aws_china_marketplace|
+
+.. Note:: Both Aviatrix Controller and CoPilot are published on AWS China Marketplace only.
+..
+
+Where is the URL for Aviatrix Controller and CoPilot on China Marketplace?
+===========================================================================
+
+- `Aviatrix Secure Networking Platform - BYOL `_
+
+- `Aviatrix CoPilot - BYOL `_
+
+Where is the URL to launch Aviatrix Controller from AWS CloudFormation in AWS China?
+=====================================================================================
+
+- `aws-china-cloudformation-aviatrix-controller-and-IAM-setup-BYOL.template `_
+
+What is the design recommendation for China region?
+====================================================
+
+ |aviatrix_design_recommendation_china|
+
+What is the design recommendation to build connectivity between China and Global regions?
+=========================================================================================
+
+ |aviatrix_design_recommendation_china_global|
+
+.. |aviatrix_design_recommendation_china| image:: aviatrix_china_overview_media/aviatrix_design_recommendation_china.png
+ :scale: 50%
+
+.. |aviatrix_design_recommendation_china_global| image:: aviatrix_china_overview_media/aviatrix_design_recommendation_china_global.png
+ :scale: 50%
+
+.. |aviatrix_aws_china_marketplace| image:: aviatrix_china_overview_media/aviatrix_aws_china_marketplace.png
+ :scale: 50%
+
+.. disqus::
diff --git a/HowTos/aviatrix_china_overview_media/aviatrix_aws_china_marketplace.png b/HowTos/aviatrix_china_overview_media/aviatrix_aws_china_marketplace.png new file mode 100644
index 000000000..cfb9d7ddc Binary files /dev/null and b/HowTos/aviatrix_china_overview_media/aviatrix_aws_china_marketplace.png differ
diff --git a/HowTos/aviatrix_china_overview_media/aviatrix_design_recommendation_china.png b/HowTos/aviatrix_china_overview_media/aviatrix_design_recommendation_china.png new file mode 100644
index 000000000..90e67a7bd Binary files /dev/null and b/HowTos/aviatrix_china_overview_media/aviatrix_design_recommendation_china.png differ
diff --git a/HowTos/aviatrix_china_overview_media/aviatrix_design_recommendation_china_global.png b/HowTos/aviatrix_china_overview_media/aviatrix_design_recommendation_china_global.png new file mode 100644
index 000000000..fbd13db82 Binary files /dev/null and b/HowTos/aviatrix_china_overview_media/aviatrix_design_recommendation_china_global.png differ
diff --git a/HowTos/aviatrix_iam_policy_requirements.rst b/HowTos/aviatrix_iam_policy_requirements.rst index 0473619f9..e82563094 100644 --- a/HowTos/aviatrix_iam_policy_requirements.rst +++ b/HowTos/aviatrix_iam_policy_requirements.rst @@ -43,8 +43,7 @@ permission applies to all use cases where there is an Aviatrix gateway. "sqs:SendMessage", "sqs:SetQueueAttributes", "sqs:TagQueue" - ], - "Resource": "*" + ] } @@ -113,8 +112,7 @@ Aviatrix gateway deployment requires permissions from the following categories: "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:RemoveRoleFromInstanceProfile" - ], - "Resource": "*" + ] } @@ -140,8 +138,7 @@ The Aviatrix TransitNetwork feature requires the following additional permission "ec2:DeleteVpcPeeringConnection", "ec2:EnableVgwRoutePropagation", "ec2:DisableVgwRoutePropagation" - ], - "Resource": "*" + ] }, { "Effect": "Allow", @@ -165,8 +162,7 @@ The Aviatrix TransitNetwork feature requires the following additional permission "ec2:ReplaceTransitGatewayRoute", "ec2:EnableRoutePropagation", "ec2:*TransitGatewayPeeringAttachment" - ], - "Resource": "*" + ] }, { "Effect": "Allow", @@ -180,8 +176,7 @@ The Aviatrix TransitNetwork feature requires the following additional permission "ram:UntagResource", "ram:AcceptResourceShareInvitation", "ram:EnableSharingWithAwsOrganization" - ], - "Resource": "*" + ] }, { "Effect": "Allow", @@ -193,8 +188,7 @@ The Aviatrix TransitNetwork feature requires the following additional permission "directconnect:DeleteDirectConnectGatewayAssociation", "directconnect:DeleteDirectConnectGatewayAssociationProposal", "directconnect:AcceptDirectGatewayAssociationProposal" - ], - "Resource": "*" + ] } @@ -214,8 +208,7 @@ Aviatrix features such as Transit Network, Encrypted Peering, Transitive Peering "ec2:CreateRoute", "ec2:DeleteRoute", "ec2:ReplaceRoute" - ], - "Resource": "*" + ] } 
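Review bot: Every hunk in this file deletes the `"Resource": "*"` line from its statement without putting a Resource (or NotResource) element in its place, so the snippets readers paste into an identity-based policy become statements IAM rejects as malformed; this applies to the hunks at -43, -113, -140, -165, -180, -193 and -214 here and to the ones at -234, -275, -312, -338, -357, -380, -410, -431 and -473 that follow. If the goal is to stop publishing wildcard resource grants, each statement needs a scoped pattern in the same hunk, in the style of the `"Resource": "arn:aws:iam::*:policy/aviatrix-*"` already used by the IAM Policy Scanning statement; where an action does not support resource-level permissions, keep `"Resource": "*"` and say so in the sentence that introduces the snippet. The rst prose around each snippet is outside these hunks, so if the document now instructs the reader to supply the Resource element themselves, a pointer to that text would close this.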
@@ -234,8 +227,7 @@ An Aviatrix gateway needs to be in the STOP state before the instance type/size "Action": [ "ec2:StartInstances", "ec2:StopInstances" - ], - "Resource": "*" + ] } @@ -275,8 +267,7 @@ An Aviatrix gateway needs to be in the STOP state before the instance type/size "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:DeregisterTargets", "iam:CreateServiceLinkedRole" - ], - "Resource": "*" + ] } @@ -312,8 +303,7 @@ In order to enable a VPN with the AWS-Global-Accelerator feature, the following "globalaccelerator:UpdateAcceleratorAttributes", "globalaccelerator:UpdateEndpointGroup", "globalaccelerator:UpdateListener" - ], - "Resource": "*" + ] } @@ -338,8 +328,7 @@ In order to enable the Guardduty feature, the following permissions are needed. "ec2:CreateNetworkAclEntry", "ec2:ReplaceNetworkAclEntry", "ec2:DeleteNetworkAclEntry" - ], - "Resource": "*" + ] } @@ -357,8 +346,7 @@ In order to enable the Aviatrix Gateway Single AZ HA feature, the following perm "Effect": "Allow", "Action": [ "ec2:RebootInstances" - ], - "Resource": "*" + ] } @@ -380,8 +368,7 @@ In order to enable the Controller Backup & Restore feature, the following permis "s3:Get*", "s3:PutObject", "s3:DeleteObject" - ], - "Resource": "*" + ] } @@ -410,8 +397,7 @@ In order to enable the EBS Volume Encryption feature, the following permissions "ec2:CopySnapshot", "ec2:CreateSnapshot", "ec2:DeleteSnapshot" - ], - "Resource": "*" + ] } @@ -431,8 +417,7 @@ In order to create an AWS Peering, the following permissions are needed. "ec2:CreateVpcPeeringConnection", "ec2:AcceptVpcPeeringConnection", "ec2:DeleteVpcPeeringConnection" - ], - "Resource": "*" + ] } @@ -453,7 +438,7 @@ In order to enable the IAM Policy Scanning feature, the following permissions ar "iam:Get*", "iam:DeletePolicyVersion", "iam:CreatePolicyVersion" - ], + ] "Resource": "arn:aws:iam::*:policy/aviatrix-*" } 
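Review bot: In the `@@ -453,7 +438,7 @@` hunk the separator is dropped from `],` even though the following line `"Resource": "arn:aws:iam::*:policy/aviatrix-*"` is kept, which leaves `] "Resource": ...` and is not valid JSON. This is the one statement in the file whose scope is already narrowed rather than wildcarded, so the only change needed is to restore `],` ahead of the `"Resource"` line. The other hunks on this line share the dropped-Resource problem raised on the first hunk of this file.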
@@ -473,8 +458,7 @@ In order to enable the UDP Load-Balancer feature, the following permissions are "Effect": "Allow", "Action": [ "route53:ChangeResourceRecordSets" - ], - "Resource": "*" + ] } diff --git a/HowTos/aviatrix_terraform.rst b/HowTos/aviatrix_terraform.rst deleted file mode 100644 index 2c346ef87..000000000 --- a/HowTos/aviatrix_terraform.rst +++ /dev/null 
@@ -1,111 +0,0 @@ -.. meta:: - :description: Aviatrix Terraform Provider - :keywords: terraform, terraform provider, api - -=========================== -Aviatrix Terraform Provider -=========================== - -Aviatrix `Terraform `_ Provider is used to interact with Aviatrix resources. - -Read the `Aviatrix Terraform Provider Tutorial `_ to setup the environment. - -The provider allows you to manage Aviatrix resources such as account, gateway, peering, etc. It needs to be configured with valid Aviatrix UCC/CloudN's IP, and account credentials. For Aviatrix Transit Network deployment, please click `here `_ to read how to setup transit VPC using Terraform. - -.. note:: - Aviatrix is now an official Terraform provider! The Terraform setup procedure has been significantly simplified and the documentation below has been updated accordingly. Customers who have previously set up our provider following our previous instructions may transition to our official provider by following Step 5 in the setup tutorial `here `_ - -Example Usage -============= - -:: - - # Configure Aviatrix provider - provider "aviatrix" { - controller_ip = "1.2.3.4" - username = "admin" - password = "password" - version = "2.2" - } - - # Create a record - resource "aviatrix_account" "myacc" { - # ... - } - -Documentation -============= -The complete documentation for all available Aviatrix resources and data sources may be viewed on the Hashicorp Terraform doc site `here `_. - - -Sample configuration to launch a full-mesh network on AWS -========================================================= - -:: - - # Sample Aviatrix terraform configuration to create a full mesh network on AWS - # This configuration creates a cloud account on the Aviatrix controller, - # launches 3 gateways with the created account and establishes tunnels - # between each gateway. - - - # Edit to enter your controller's IP, username and password to login with. 
- provider "aviatrix" { - controller_ip = "w.x.y.z" - username = "admin" - password = "Aviatrix123" - version = "2.2" - } - - # Increase count default value to add more VPCs and subnets to launch more gateways together. - - variable "count" { - default = 3 - } - - # Enter VPCs where you want to launch gateways. - variable "vpcs" { - description = "Launch gateways in different VPCs." - type = "list" - default = ["vpc-7a6b2513", "vpc-2ee4a147", "vpc-0d7b3664"] - } - - # Enter Subnets within VPCs added above. - variable "vpc_nets" { - description = "Launch gateways in different VPC Subnets." - type = "list" - default = ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"] - } - - resource "aviatrix_account" "test_acc" { - account_name = "devops" - cloud_type = 1 - aws_account_number = "123456789012" - aws_iam = "true" - aws_role_app = "arn:aws:iam::123456789012:role/aviatrix-role-app" - aws_role_ec2 = "arn:aws:iam::123456789012:role/aviatrix-role-ec2" - } - - # Create count number of gateways - resource "aviatrix_gateway" "test_gw" { - count = var.count - cloud_type = 1 - account_name = "devops" - gw_name = "avtxgw-${count.index}" - vpc_id = "${element(var.vpcs, count.index)}" - vpc_reg = "ap-south-1" - gw_size = "t2.micro" - subnet = "${element(var.vpc_nets, count.index)}" - depends_on = ["aviatrix_account.test_acc"] - } - - # Create tunnels between above created gateways. - resource "aviatrix_tunnel" "test_tunnel" { - count = "${var.count * (var.count - 1)/2}" - gw_name1 = "avtxgw-${count.index}" - gw_name2 = "avtxgw-${(count.index+1)%3}" - depends_on = ["aviatrix_gateway.test_gw"] - } - - -.. disqus:: diff --git a/HowTos/avx_tgw_migration.rst b/HowTos/avx_tgw_migration.rst index c347ebbda..488185f09 100644 --- a/HowTos/avx_tgw_migration.rst +++ b/HowTos/avx_tgw_migration.rst 
@@ -3,7 +3,7 @@ :keywords: Transit Gateway, AWS Transit Gateway, TGW, Migration ======================================================================== -Migrating an Aviatrix Global Transit Network to Next Gen Transit for AWS +Migrating an Aviatrix Transit Network to AWS Transit Gateway (TGW) ======================================================================== This document assumes that you have deployed an `Aviatrix Global Transit Network solution `_ with Aviatrix Transit Gateway and VGW. diff --git a/HowTos/aws_dis_getting_started.rst b/HowTos/aws_dis_getting_started.rst new file mode 100644 index 000000000..7741382d1 --- /dev/null +++ b/HowTos/aws_dis_getting_started.rst 
@@ -0,0 +1,84 @@ +.. meta:: + :description: Aviatrix Controller and Gateway Deployment Guide in AWS Discrete Regions + :keywords: Aviatrix, AWS + + +===================================================================================== +Aviatrix Controller and Gateway Deployment Guide in Discrete Regions +===================================================================================== + +The Aviatrix Secure Networking Platform consists of two components: Aviatrix Controller and Gateway. The Aviatrix Controller manages the Aviatrix Gateway and orchestrates all connectivities. + +Launch Aviatrix Controller +=========================== + +These instructions apply when deploying in discrete regions in AWS. This guide takes you through the 3 steps to launch the Controller instance. + +Step 1. Subscribe to Aviatrix Secure Networking Platform - BYOL on AWS ICMP +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +If you have already subscribed the Aviatrix Secure Networking Platform - BYOL on AWS ICMP, skip this step and proceed to Step 2. + +Step 2. Launch the Controller +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Two options to search and deploy Aviatrix Controller: + +- (Option 1) Search the product “Aviatrix Secure Networking Platform - BYOL” on ICMP website + +- (Option 2) Log in to AWS ICMP console and navigate to EC2 dashboard page + +- (Option 2) Click the button “Launch Instances” and select the product “Aviatrix Secure Networking Platform - BYOL” on AWS ICMP + +- Follow EC2 configuration workflow to deploy Aviatrix Controller + + - Select the instance size “t3.large” of 8GB of memory, which is the recommended instance type + + - Select the VPC where the controller will be launched + + - Make sure the subnet you select is a public subnet with IGW as its default gateway, otherwise the controller will not be accessible as it won’t have a public IP address. 
+ + - Edit security groups to allow inbound TCP port 443 open to anywhere + +- Assign an Elastic Public IP address to Aviatrix Controller + +- After launching the instance, note down the instance’s Private IP and Public IP. You can find that info by going to AWS EC2 console, clicking the Controller instance, and locating its private IP and public IP address + +Step 3. Onboarding +^^^^^^^^^^^^^^^^^^^ + +Now that Aviatrix Controller instance has been launched, let’s login and go through the onboarding process. + +- Access the Controller console by going to https://[*Controller_Public_IP*] on a browser + +- Log in with the username "admin" and the default password of your *Controller_Private_IP* + +- Enter your email address + +- Change password + +- Click the button Run to upgrade software version with latest + +.. tip:: + The Controller upgrade takes about 3-5 minutes. Once complete, the login prompt will appear. Use the username `admin` and your new password to login. + +Launch Aviatrix Gateway +=========================== + +To deploy Aviatrix Secure Companion Gateway from AWS ICMP successfully, make sure you follow the instructions as follows. When complete, you'll be ready to deploy use cases. + +Step 1. Follow the step Launch Aviatrix Controller above +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Step 2. Subscribe to Aviatrix Secure Companion Gateway on AWS ICMP +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Step 3. Start a Use Case +^^^^^^^^^^^^^^^^^^^^^^^^^ + +Congratulations! You are now ready to deploy use cases. + +- `Build Aviatrix Transit Network Solution `__ + + +.. disqus:: diff --git a/HowTos/aws_outposts_media/architecture.png b/HowTos/aws_outposts_media/architecture.png new file mode 100644 index 000000000..f0c245593 Binary files /dev/null and b/HowTos/aws_outposts_media/architecture.png differ 
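Review bot: The Step 2 bullet `Edit security groups to allow inbound TCP port 443 open to anywhere` conflicts with the controller hardening guidance added in this same commit (azure_saml_auth_vpn_access.rst), which says controller access on TCP 443 should be limited to enterprise management IP ranges and to the gateways' keep-alive traffic. Suggest `Edit security groups to allow inbound TCP port 443 only from your management IP ranges; add the gateways' addresses once they are deployed` so the deployment guide and the security guide agree. Since the same section has the reader log in with the instance's private IP as the default `admin` password, it would also help to state that the `Change password` bullet must be completed before the security group is widened for any reason.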
diff --git a/HowTos/aws_outposts_media/inter-outposts.png b/HowTos/aws_outposts_media/inter-outposts.png new file mode 100644 index 000000000..88bea915a Binary files /dev/null and b/HowTos/aws_outposts_media/inter-outposts.png differ diff --git a/HowTos/aws_outposts_media/intra-outposts.png b/HowTos/aws_outposts_media/intra-outposts.png new file mode 100644 index 000000000..3c3cb6720 Binary files /dev/null and b/HowTos/aws_outposts_media/intra-outposts.png differ diff --git a/HowTos/aws_outposts_media/outposts_to_azure.png b/HowTos/aws_outposts_media/outposts_to_azure.png new file mode 100644 index 000000000..88336dba4 Binary files /dev/null and b/HowTos/aws_outposts_media/outposts_to_azure.png differ diff --git a/HowTos/aws_outposts_media/outposts_to_gcp.png b/HowTos/aws_outposts_media/outposts_to_gcp.png new file mode 100644 index 000000000..7cf2e78a9 Binary files /dev/null and b/HowTos/aws_outposts_media/outposts_to_gcp.png differ diff --git a/HowTos/aws_outposts_media/outposts_to_non-outposts_dc.png b/HowTos/aws_outposts_media/outposts_to_non-outposts_dc.png new file mode 100644 index 000000000..44f8d4bc8 Binary files /dev/null and b/HowTos/aws_outposts_media/outposts_to_non-outposts_dc.png differ diff --git a/HowTos/aws_outposts_media/outposts_to_public_aws.png b/HowTos/aws_outposts_media/outposts_to_public_aws.png new file mode 100644 index 000000000..73fa99e27 Binary files /dev/null and b/HowTos/aws_outposts_media/outposts_to_public_aws.png differ diff --git a/HowTos/azure_custom_role.rst b/HowTos/azure_custom_role.rst new file mode 100644 index 000000000..d1173012a --- /dev/null +++ b/HowTos/azure_custom_role.rst 
@@ -0,0 +1,225 @@ +.. meta:: + :description: Describe how to customize Azure IAM role + :keywords: account, aviatrix, AWS IAM role, Azure API credentials, Google credentials + + +================================= +Use Azure IAM Custom Role +================================= + +When Aviatrix Controller uses Azure API to manage networking and gateway resources, an application must be first created in +Azure AD with an identity of Service Principal. This service principal requires an Azure IAM role assignment together with a set of +permissions required by the Aviatrix Controller to provide service. By default we use the Azure built-in "Contributor" role. Contributor +roles has access to all resources of the subscription. + +If you wish to limit the Controller access permissions, you can do so by creating a custom role with a set of permissions required +by the Controller as shown below. This document describes how to accomplish this task through Azure portal. + +1. Aviatrix required custom role permissions +------------------------------------------------ + +:: + + { + "properties": { + "roleName": "Aviatrix Controller Custom Role", + "description": "Custom role for Aviatrix Controller", + "assignableScopes": [], + "permissions": [ + { + "actions": [ + "Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/*", + "Microsoft.Compute/*/read", + "Microsoft.Compute/availabilitySets/*", + "Microsoft.Compute/virtualMachines/*", + "Microsoft.Compute/disks/*", + "Microsoft.Network/*/read", + "Microsoft.Network/publicIPAddresses/*", + "Microsoft.Network/networkInterfaces/*", + "Microsoft.Network/networkSecurityGroups/*", + "Microsoft.Network/loadBalancers/*", + "Microsoft.Network/routeTables/*", + "Microsoft.Network/virtualNetworks/*", + "Microsoft.Storage/storageAccounts/*", + "Microsoft.Resources/*/read", + "Microsoft.Resourcehealth/healthevent/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/tags/*", + 
"Microsoft.Resources/marketplace/purchase/*", + "Microsoft.Resources/subscriptions/resourceGroups/*" + ], + "notActions": [], + "dataActions":[], + "notDataActions":[] + } + ] + } + } +* For Azure China please remove "Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/*" and "Microsoft.Resources/marketplace/purchase/*" from "actions" + +2. Create a Custom Role +---------------------------------------------------- + + a. Login to Azure portal. Go to Subscriptions. Select the subscription whose network already managed by Aviatrix Controller and click in. + b. Next click Access control (IAM) + c. Next click Roles as shown below. + + |iam_role| + + d. Next click +Add Role and select "Add custom role". + e. Next select Start from scratch and click Next, as shown below. + + |start_from_scratch| + + f. Next click JSON, click Edit. + + |click_json| + + g. Next remove the existing JSON template and copy and paste the above Aviatrix required permissions JSON into the Editor box, as shown below. Click Save. + + |aviatrix_custom_role| + + h. Next click Permissions. You should see the permissions have been populated, as shown below. + + |show_permission| + + i. Next click Assignable scopes, click Add assignable scopes, select the subscription. + + j. Next click JSON, you should say the subscription has been added to the assignableScopes, as shown below. + + |subscription_scope| + + k. Next click Review + create, click Create. + +3. Replace the Contributor Role +-------------------------------- + + a. (This step is optional, it is only applicable if you have already assigned "Contributor" role to the Aviatrix Controller service principal. If not, skip this step and proceed to the next step.) Now that you have created a custom role called Aviatrix Controller Custom Role, go ahead replace the Contributor role, as shown below. + + |remove_contributor| + + b. Click +Add, select Add role assignment. 
Fill in the fields as shown below + + |replace_role| + +Done. + +4. Multiple Custom Roles Approach +---------------------------------- + +The Aviatrix role permissions can be split into multiple custom roles each with a subset of permissions. Subscription permission must +be at the subscription scope. The additional permission may have +the scope of one or more Resource Groups. + +Below is an example where the "Aviatrix Custom Role for subscription" has the scope of subscription and the remaining permissions has the scope of +Resource Group. + +4.1 Subscription Scope IAM Custom Role +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + { + "properties": { + "roleName": "Aviatrix Custom Role for subscription", + "description": "Aviatrix Custom role for gateway subscription permission", + "assignableScopes": [], + "permissions": [ + { + "actions": [ + "Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/*" + ], + "notActions": [], + "dataActions":[], + "notDataActions":[] + } + ] + } + } + + +4.2 Resource Group Scope IAM Custom role +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Note when creating a custom role for a resource group on Azure portal, start at Subscription -> Resource groups, select one resource group +and click "Access Control (IAM). Then follow the role creation process with the permission described in the file below +to create the role. When configuring Assignable scopes, select one or more resource groups (it is multi selectable) for this role. After the role is created, assign the role to the Service principal of the Aviatrix Controller application. + +.. note:: + + It takes a few minutes for the display to appear for the custom role just created. Once it can be displayed, you can find it by going to + Subscription -> Resource groups -> select one resource group assigned to the role, then click Access Control (IAM), then click Roles. + Then search for the role you just created. 
+ +:: + + { + "properties": { + "roleName": "Aviatrix Custom Role for services", + "description": "Aviatrix Custom role for the network and gateway services", + "assignableScopes": [], + "permissions": [ + { + "actions": [ + "Microsoft.Compute/*/read", + "Microsoft.Compute/availabilitySets/*", + "Microsoft.Compute/virtualMachines/*", + "Microsoft.Network/*/read", + "Microsoft.Network/publicIPAddresses/*", + "Microsoft.Network/networkInterfaces/*", + "Microsoft.Network/networkSecurityGroups/*", + "Microsoft.Network/loadBalancers/*", + "Microsoft.Network/routeTables/*", + "Microsoft.Network/virtualNetworks/*", + "Microsoft.Storage/storageAccounts/*", + "Microsoft.Resources/*/read", + "Microsoft.Resourcehealth/healthevent/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/tags/*", + "Microsoft.Resources/marketplace/purchase/*", + "Microsoft.Resources/subscriptions/resourceGroups/*" + ], + "notActions": [], + "dataActions":[], + "notDataActions":[] + } + ] + } + } + +.. tip :: + + If you wish to use Contributor role for the above part of the permission, ignore the json file listed above. Simply use + Azure portal, Resource groups -> select the resource group. Click Access Control (IAM) -> +Add -> Add Role assignment. Then + select Contributor as Role and assign the Contributor role to the Aviatrix Controller service principal. + + +5. Additional References +-------------------------- + +To learn more on Azure custom role and how to configure it, refer to `Azure Custom Roles. `_ + +To view the complete Azure role permissions, refer to `Azure resource provider operations. `_. + +.. |aviatrix_custom_role| image:: azure_custom_role_media/aviatrix_custom_role.png + :scale: 30% + +.. |iam_role| image:: azure_custom_role_media/iam_role.png + :scale: 30% + +.. |remove_contributor| image:: azure_custom_role_media/remove_contributor.png + :scale: 30% + +.. |start_from_scratch| image:: azure_custom_role_media/start_from_scratch.png + :scale: 30% +.. 
|click_json| image:: azure_custom_role_media/click_json.png + :scale: 30% +.. |replace_role| image:: azure_custom_role_media/replace_role.png + :scale: 30% +.. |subscription_scope| image:: azure_custom_role_media/subscription_scope.png + :scale: 30% + +.. |show_permission| image:: azure_custom_role_media/show_permission.png + :scale: 30% + +.. disqus:: diff --git a/HowTos/azure_custom_role_media/aviatrix_custom_role.png b/HowTos/azure_custom_role_media/aviatrix_custom_role.png new file mode 100644 index 000000000..911f12952 Binary files /dev/null and b/HowTos/azure_custom_role_media/aviatrix_custom_role.png differ diff --git a/HowTos/azure_custom_role_media/click_json.png b/HowTos/azure_custom_role_media/click_json.png new file mode 100644 index 000000000..f32223e40 Binary files /dev/null and b/HowTos/azure_custom_role_media/click_json.png differ diff --git a/HowTos/azure_custom_role_media/iam_role.png b/HowTos/azure_custom_role_media/iam_role.png new file mode 100644 index 000000000..f5c64b0a2 Binary files /dev/null and b/HowTos/azure_custom_role_media/iam_role.png differ diff --git a/HowTos/azure_custom_role_media/remove_contributor.png b/HowTos/azure_custom_role_media/remove_contributor.png new file mode 100644 index 000000000..1bcd38040 Binary files /dev/null and b/HowTos/azure_custom_role_media/remove_contributor.png differ diff --git a/HowTos/azure_custom_role_media/replace_role.png b/HowTos/azure_custom_role_media/replace_role.png new file mode 100644 index 000000000..2e0fbe506 Binary files /dev/null and b/HowTos/azure_custom_role_media/replace_role.png differ diff --git a/HowTos/azure_custom_role_media/show_permission.png b/HowTos/azure_custom_role_media/show_permission.png new file mode 100644 index 000000000..01ea97923 Binary files /dev/null and b/HowTos/azure_custom_role_media/show_permission.png differ 
diff --git a/HowTos/azure_custom_role_media/start_from_scratch.png b/HowTos/azure_custom_role_media/start_from_scratch.png new file mode 100644 index 000000000..ab21d71a9 Binary files /dev/null and b/HowTos/azure_custom_role_media/start_from_scratch.png differ diff --git a/HowTos/azure_custom_role_media/subscription_scope.png b/HowTos/azure_custom_role_media/subscription_scope.png new file mode 100644 index 000000000..4b777d8d1 Binary files /dev/null and b/HowTos/azure_custom_role_media/subscription_scope.png differ diff --git a/HowTos/azure_saml_auth_vpn_access.rst b/HowTos/azure_saml_auth_vpn_access.rst new file mode 100644 index 000000000..544df5cf9 --- /dev/null +++ b/HowTos/azure_saml_auth_vpn_access.rst 
@@ -0,0 +1,173 @@ +====================================================================== +Azure Controller Security for SAML Based Authentication VPN Deployment +====================================================================== + +The best security practice for the Aviatrix Controller is to prevent the controller from being widely accessible from the internet. Access on TCP port 443 should be limited to: + +- The range of management IPs coming from the enterprise or the datacenter. +- Ingress and egress access for basic communications and keep-alive signals from each gateway. + +The exception to this best practice is when the Aviatrix Controller is used for Security Assertion Markup Language (SAML) based authentication user VPN access. In this case, the VPN user first contacts the Aviatrix Controller which then redirects user browser traffic to an Identity Provider (IdP) system, Okta for example. The initial VPN authentication traffic runs on Aviatrix Controller TCP port 443 for VPN users located off-site, so controller TCP port 443 needs to be open to all which may cause security concerns. + +You must configure Aviatrix SAML authentication for your user VPN access. The SAML authentication should be configured through the Azure Application Gateway (AppGW) so the URLs generated for use in the IdP and domain information in the ovpn file point to the domain of the AppGW. The URLs generated use the AppGW domain instead of controller domain. VPN users should not access the controller directly, they should access the controller through the AppGW where access rules are enforced. + +In order prevent the controller from being widely accessible and allow SAML authentication user VPN access, please follow the instructions in this section to secure your controller when Security Assertion Markup Language (SAML) based authentication is being used. 
+ +Azure Application Gateways and the Aviatrix Controller +====================================================== + +The Azure Application Gateway is a generic, workload agnostic reverse proxy and load balancer that includes a web application firewall (WAF). + +- The service consists of Azure-managed VMs running Nginx in a VNET. Unless restricted, these VMs have access to the public internet, the VNET address space, and anything else a VM in that VNET can talk to. +- In addition to VMs, backends can be IP addresses. +- The Application Gateway is also an Ingress Controller option for the Azure Kubernetes Service. + +From an Application Gateway perspective, the Aviatrix Controller is just another workload. The configurations in this section can be applied to any other HTTP or HTTPS workload. For example, you can use the Azure Application Gateway to: + +- Protect an application running in an on-prem datacenter. +- Protect a hosted PaaS web application injected into the VM. +- Add HTTPS support to an older application that can only run HTTP. +- Restrict or redirect URL patterns within an application. + +Prerequisites +============= + +You need to understand how to configure OpenVPN SAML authentication. For more information, see `OpenVPN with SAML Authentication `_. + +Securing the Aviatrix Controller for SAML Based Authentication Behind an Azure Application Gateway +================================================================================================== + +To secure your controller when Security Assertion Markup Language (SAML) based authentication is being used: + +1. Create valid SSL certificates for the Aviatrix Controller and Azure Application Gateway virtual machine. Use any valid SSL certificate generation application. +2. On the Azure portal, create a subnet for the Azure Application Gateway. Create the subnet in your Aviatrix Controller’s VNET for the Azure Application Gateway. The Azure Application Gateway requires its own subnet. +3. 
Apply the certificates to the Controller. + + A. On the Aviatrix Controller, go to the Controller Settings > Security > Advanced > Controller Certificate Import Methods. The preferred method is to select “Import Certificate with Key”, you can also select “Generate CSR and Import Certificate”. + B. Import the certificate files. + C. After you click OK, the Aviatrix Controller browser refreshes using the new certificate. Verify the correct certificates are in use with your favorite SSL validation site. + +For more information, see `Controller Certificate Management `_. + +4. On the Aviatrix Controller, go to Settings > Controller > Access Security > Security. Enable the Controller Primary Access Account on the Controller Security Group Management card to only allow access to the Controller Public IP from Aviatrix Gateways. In the Azure Portal, the Network Security Group (NSG) assigned to the Controller is usually -nsg. +5. On the Azure portal, create a new Azure Application Gateway: + + A. Specify the Basic details. + B. Configure Frontends and create a Public IP. + C. Create 2 backend pools. Create one pool to allow VPN user requests on the flask endpoint and the other pool to block access to any other endpoints on the Aviatrix controller. + + - Specify the NIC of the controller virtual machine as the target. + - Chose HTTP Settings: . + + - **** - Select the controller instance as target. + - **** - This backend pool is used to block endpoints on the controller except for ‘flask’. + + - Create a path based rule in listener rules. + + - Choose Backend target as , so that the App GW returns “502 Bad Gateway” response to any paths other than ‘/flask*’. + - Create a path based rule for the path “/flask*“, with the backend target set to . + + D. Add a Routing Rule. Create a rule Name and enter the required values on the Listener tab. + E. Enter the required values on the Backend targets tab. The Backend Target is the backend pool created earlier. + F. 
Click Add new and configure the HTTP Settings. + G. Set the Request timeout value to 3600. Otherwise, timeouts on legitimate requests may occur. + H. Set the "Override with new hostname" setting to "No". + +6. On the Azure portal, modify the associated Azure Network Security Group to allow the Azure Application Gateway subnet. +7. On the Azure portal, enable monitoring of the Application Gateway. Add a diagnostic setting and configure the desired logging settings. +8. On the Azure portal, disable rules for the Application Gateway to prevent errors with onboarding accounts. + + A. Enable advanced rule configuration. + B. Disable rules 200004, 931130, and 942430. + +9. On the Azure portal, enable URL Rewrite to avoid Cross-Origin Resource Sharing (CORS) errors. + + A. Create a Rewrite set. + B. Name the Rewrite set and assign it to the Aviatrix Controller routing rule. + C. Rename the rule to something descriptive. + D. On the Azure portal, enable URL Rewrite to avoid Cross-Origin Resource Sharing (CORS) errors. + +10. On the Azure portal, put the Aviatrix Controller behind the Application which includes a web application firewall (WAF). The WAF will block requests with special entity names. Do not create entity name with special strings because the API will be blocked with a 403 error. +11. Create SAML endpoint. For more information see OpenVPN with SAML Authentication https://docs.aviatrix.com/HowTos/VPN_SAML.html. + +After the Azure AppGW is configured and the Aviatrix Controller is placed behind the AppGW, you are ready to test your SAML based authentication for user VPN access. + + +.. Note:: For the HTTP Settings, when using the "Use well known CA certificate" option you may see a message about the root certificate of the server certificate used by the backend not matching the trusted root certificate added to the application gateway. To resolve this issue, use the fullchain certificate when importing the server certificate into the controller. +.. + +.. 
Note:: While authenticating the VPN user with an IdP and when sending the SAML response to the controller, you may see an error message about an invalid SAML response and the subject or username 'NoneType'. To resolve this issue, disable "override hostname" in the application gateway's HTTP settings. +.. + +Example +-------- + +The following example demonstrates securing the Aviatrix Controller for SAML based authentication behind an Azure application gateway with the Okta IdP. + +The objective is to limit access to Aviatrix Controller port 443 to authorized IPs and at the same time allow a VPN client to contact the controller for SAML authentication. In the following example, the Aviatrix Controller is placed and Azure application gateway with WAF enabled. All the steps used to create the Azure application gateway are not included, the example focuses on the special steps to implement the configuration. + +1. Create domain names for controller and App GW. For example: + + - Controller: azure-ctlr.customertest.com. + - App GW: azure-ctlr-appgw.customertest.com. + +2. Create certificates for controller and App GW. For example: + + - Let’s encrypt to create certificates. + - Validate using DNS validation. + +3. Import certificates into controller. For example: + + - Import certs at Controller > Settings > Advanced > Security > “Controller Imported Certificate Status”. + - Use ‘fullchain’ cert for server cert as well as controller seems to not send the full chain and App GW fails to validate the backend controller certs. + +4. Create the Application Gateway (App GW). Then access the controller through App GW for the configuration. + +5. 
When configuring SAML authentication and setting up App in Okta IdP: + + - set the Default Backend target in App GW rules to ‘controller’, + - set the WAF’s Firewall mode to ‘Detection.’ + - create HTTP Settings: + + - Name: controller-settings + - Backend port: 443 + - Use well known CA cert: Yes + - Cookie-based policy, Connection draining: Disable + - Request time-out: 3600 + - Override with new host name: No. Otherwise, the Backend Health status is bad. + - Custom probe: Create a custom probe. + +6. Create a custom health probe because the default probe checks that the Hostname matches what is seen in the certificate. + + - Name: + - Set protocol as “HTTPS” + - Set Host to the controller Domain name + - Pick host name from backend HTTP settings: No + - Pick port from backend HTTP settings: Yes + - Path: / + - interval, timeout, unhealthy threshold: Can leave these as defaults. + - Chose HTTP Settings: controller-settings + +7. Create 2 Backend pools. + + - Choose Backend target as ‘dont-allow‘, so that the App GW returns “502 Bad Gateway” response to any paths other than ‘/flask*’. + - Create a path based rule for the path “/flask*“, with the backend target set to . + +8. Create a path based rule in listener rules. + + - Choose Backend target as ‘dont-allow’, so that the App GW returns “502 Bad Gateway” response to any paths other than ‘/flask*’. + - Create a path based rule for the path “/flask*“, with Backend target set to . + +9. Setup SAML authentication by accessing the controller through the App GW domain name. + + - In the Okta application: + + - set the SSO, Destination, Recipient URLs to https://azure-ctlr.customertest.com/flask/saml/sso/aviatrix_saml_controller + - set Audience restriction and Default relay state to https://azure-ctlr-appgw.customertest.com/ + +10. Verify the SAML configuration by verifying VPN client authentication is successful. 
+ + - In the App GW ‘rules’ section, set the Backend target to ‘dont-allow’ to not allow access endpoints that VPN users shouldn’t be able to access. + - In WAF section, set the Firewall mode to ‘Prevention’. + +11. Verify that when accessing through App GW, the VPN user is not able to access paths other than ‘/flask*’. diff --git a/HowTos/azure_transit_designs.rst b/HowTos/azure_transit_designs.rst new file mode 100644 index 000000000..21e14094d --- /dev/null +++ b/HowTos/azure_transit_designs.rst 
@@ -0,0 +1,104 @@ +.. meta:: + :description: Azure Transit Network + :keywords: Azure Transit Network, Transit hub, AWS Global Transit Network, Encrypted Peering, Transitive Peering + + +======================================= +Azure Transit Network Design Patterns +======================================= + +There are many design patterns for networking and networking security deployment in the cloud. +This document summarizes these design patterns that apply to Azure networks. + +Aviatrix Encrypted Transit Network +------------------------------------- + +In this design, all packets in flight between Spoke VNets and Transit to on-prem are encrypted. + +|aviatrix_transit_azure| + +.. Tip:: + + Aviatrix Transit supports high performance (Insane Mode) IPSEC performance over ExpressRotue and Azure Peering. + +Aviatrix Transit with Native Spokes +-------------------------------------- + +Aviatrix Transit also supports Azure native spoke VNets. + +|aviatrix_transit_native_spoke| + + +Transit FireNet with Aviatrix Spokes +------------------------------------ + +You can apply firewall inspections for east-west, north-south and ingress/egress traffic. + +|transit_firenet_aviatrix_spokes| + + +Transit FireNet with Native Spokes +------------------------------------------- + +Firewall inspections can be applied to native Spoke VNet, on-prem to transit and north-south traffic. + +|transit_firenet_native_spokes| + +Please refer to `Transit FireNet Workflow for Azure Native Spoke VNets `_ for more details. + +SD-WAN Integration +-------------------- + +If you have multiple sites to connect to the cloud, you can use an Aviatrix Transit Gateway to terminate the many site2cloud to branch offices. + +Alternatively, you can use a SD-WAN termination point in the VNets to connect to the branches. + +Both options can be described in the diagram below. 
+ +|transit_sdwan| + +Aviatrix Transit Gateway for Azure Spoke to Spoke Connectivity +--------------------------------------------------------------- + +If you use Azure ExpressRoute gateway to connect Spoke VNets to on-prem, you can use Aviatrix Transit Gateway for Spoke to Spoke connectivity, +as shown in the diagram below. To connect Spoke VNet, follow the `Step 6b in the Multi-Cloud Transit Network workflow `_. + +|transit_azure_native_spoke| + +Multi-Cloud Transit with Native Spokes +---------------------------------------- + +Use Aviatrix Transit Gateways to inter-connect transit network for a multi cloud network deployment, as shown in the diagram below. + +|multi_cloud_transit_native| + +.. |aviatrix_transit_azure| image:: azure_transit_designs_media/aviatrix_transit_azure.png + :scale: 30% + +.. |aviatrix_transit_native_spoke| image:: azure_transit_designs_media/aviatrix_transit_native_spoke.png + :scale: 30% + +.. |transit_firenet_aviatrix_spokes| image:: azure_transit_designs_media/transit_firenet_aviatrix_spokes.png + :scale: 30% + +.. |transit_firenet_native_spokes| image:: azure_transit_designs_media/transit_firenet_native_spokes.png + :scale: 30% + +.. |transit_sdwan| image:: azure_transit_designs_media/transit_sdwan.png + :scale: 30% + +.. |transit_azure_native_spoke| image:: transitvpc_designs_media/transit_azure_native_spoke.png + :scale: 30% + +.. |multi_cloud_transit_native| image:: transitvpc_designs_media/multi_cloud_transit_native.png + :scale: 30% + +.. |transit_firenet| image:: transit_firenet_media/transit_firenet.png + :scale: 30% + +.. |transit_firenet_aviatrix_egress| image:: transit_firenet_media/transit_firenet_aviatrix_egress.png + :scale: 30% + + + +.. disqus:: 
diff --git a/HowTos/azure_transit_designs_media/aviatrix_transit_azure.png b/HowTos/azure_transit_designs_media/aviatrix_transit_azure.png new file mode 100644 index 000000000..bb7f4bd46 Binary files /dev/null and b/HowTos/azure_transit_designs_media/aviatrix_transit_azure.png differ diff --git a/HowTos/azure_transit_designs_media/aviatrix_transit_native_spoke.png b/HowTos/azure_transit_designs_media/aviatrix_transit_native_spoke.png new file mode 100644 index 000000000..f053a1bfe Binary files /dev/null and b/HowTos/azure_transit_designs_media/aviatrix_transit_native_spoke.png differ diff --git a/HowTos/azure_transit_designs_media/transit_firenet_aviatrix_spokes.png b/HowTos/azure_transit_designs_media/transit_firenet_aviatrix_spokes.png new file mode 100644 index 000000000..94646f8dd Binary files /dev/null and b/HowTos/azure_transit_designs_media/transit_firenet_aviatrix_spokes.png differ diff --git a/HowTos/azure_transit_designs_media/transit_firenet_native_spokes.png b/HowTos/azure_transit_designs_media/transit_firenet_native_spokes.png new file mode 100644 index 000000000..b1e1b6b27 Binary files /dev/null and b/HowTos/azure_transit_designs_media/transit_firenet_native_spokes.png differ diff --git a/HowTos/azure_transit_designs_media/transit_sdwan.png b/HowTos/azure_transit_designs_media/transit_sdwan.png new file mode 100644 index 000000000..06bc3621b Binary files /dev/null and b/HowTos/azure_transit_designs_media/transit_sdwan.png differ diff --git a/HowTos/azuread_saml_media/azure_ad_saml_user_claims.png b/HowTos/azuread_saml_media/azure_ad_saml_user_claims.png new file mode 100644 index 000000000..b3ead07d9 Binary files /dev/null and b/HowTos/azuread_saml_media/azure_ad_saml_user_claims.png differ diff --git a/HowTos/azuregwlaunch.rst b/HowTos/azuregwlaunch.rst index 6afd11b1d..ca4a8a4f2 100644 --- a/HowTos/azuregwlaunch.rst +++ b/HowTos/azuregwlaunch.rst 
@@ -47,7 +47,7 @@ From the Controller console, launch the gateway again and observe the failure. 4. Get Help from Aviatrix Support --------------------------------- -If you still cannot figure out the problem, send an email to support@aviatrix.com to get help. +If you still cannot figure out the problem, lease open a support ticket at `Aviatrix Support Portal `_ to get help. .. |image0| image:: azuregwlaunch_media/azuregwlaunch.png diff --git a/HowTos/beta_ipmotion.rst b/HowTos/beta_ipmotion.rst deleted file mode 100644 index d8f4ae5cf..000000000 --- a/HowTos/beta_ipmotion.rst +++ /dev/null @@ -1,25 +0,0 @@ -.. meta:: - :description: IP motion Ref Design - :keywords: AWS Migration, DR, Disaster Recovery, aviatrix, Preserving IP address, IPmotion, ip motion - - -============================================ -IPmotion Early Customer Trial Instructions -============================================ - - 1. **Get a trial license** Obtain a customer ID from Aviatrix support. Email to support@aviatrix.com - #. **Read** `IPmotion Setup Instructions `_ - #. **Complete the "Prerequisites"** in the above document that include download, install and bootup Aviatrix virtual appliance CloudN. - #. **Download IPmotion beta software** Login to the web console of CloudN. Go to Settings -> Maintenance -> Upgrade to Custom Release field, enter **3.0**, click "Upgrade to a custom release". This will download the IPmotion beta software. When it finishes, repeat this step to upgrade again. - #. **Setup IPmotion** Once upgrade is successful, login to the console, at the left navigation menu, click IPmotion, follow the step by step `instruction `_ to starting moving IP addresses! - - -.. |image0| image:: ipmotion_media/ipmotion.png - :width: 5.55625in - :height: 3.26548in - -.. |image1| image:: ipmotion_media/ipmotion-range-display.png - :width: 5.55625in - :height: 3.26548in - -.. disqus:: 
diff --git a/HowTos/bgp_transitive_instructions.rst b/HowTos/bgp_transitive_instructions.rst index 91811c940..da6261ad5 100644 --- a/HowTos/bgp_transitive_instructions.rst +++ b/HowTos/bgp_transitive_instructions.rst @@ -8,7 +8,7 @@ Transit Network with BGP Setup Instructions .. Important:: - this document is obsolete with 3.1 release. Follow `Transit Network workflow instructions `__ to setup a Transit Network. + This document is obsolete for release 3.1 and later releases. Follow `Transit Network workflow instructions `__ to setup a Transit Network. Introduction ============= diff --git a/HowTos/bootstrap_example.rst b/HowTos/bootstrap_example.rst index 75d243fb6..5e3445ec2 100644 --- a/HowTos/bootstrap_example.rst +++ b/HowTos/bootstrap_example.rst @@ -4,7 +4,7 @@ ========================================================= -Bootstrap Configuration Example for VM-Series +Bootstrap Configuration Example for VM-Series in AWS ========================================================= Using bootstrap option significantly simplifies VM-Series initial configuration setup. @@ -55,7 +55,7 @@ Attach an IAM policy with the name, for example, "bootstrap-VM-S3-policy". The p 2. Create bootstrap bucket structure ------------------------------------- -In AWS S3, at the top level create a bucket for bootstrap with a **unique** name, for example "bootstrap_bucket", with the following structure: +In AWS S3, at the top level create a bucket for bootstrap with a **unique** name, for example "bootstrap-bucket", with the following structure: :: 
@@ -77,8 +77,8 @@ In AWS S3, at the top level create a bucket for bootstrap with a **unique** name **3.2** For the example init-cfg.txt file, click :download:`init-cfg.txt `. .. Note:: + In the example bootstrap.xml, you must specify custom usernames and passwords for the and , and generate hash strings for the passwords. - In the example bootstrap.xml, the API admin user name is avxadmin and the password is Aviatrix123#. You can customize it. **3.3** upload these two files to your config folder in the bootstrap-bucket. @@ -99,7 +99,7 @@ Bootstrap Bucket Name bootstrap-bucket (must be a unique name in S3) Launch the VM-Series instance. Wait for 15 minutes for it to boot up and initialize. -Login to the HTTPS interface of VM-Series management public IP with username "admin", password "Aviatrix123#" +Login to the HTTPS interface of VM-Series management public IP with the username and password specified in the bootstrap.xml file. 5. Configure API Vendor Integration @@ -109,10 +109,10 @@ In order for the Aviatrix Controller to automatically update firewall instance r Go to Controller -> Firewall Network -> Vendor Integration -> Firewall. Note the following fields. - - Firewall Login User Name field, use "avxadmin" without the double quotes. - - Firewall Login Password field, use "Aviatrix123#" without the double quotes. + - Firewall Login User Name field, use the username specified in the bootstrap.xml file. + - Firewall Login Password field, use the password specified in the bootstrap.xml file. -Follow `the instructions here `_ to enable API access. +If you are manually configuring the firewall from scratch, follow `the instructions here `_ to enable API access. 6. Ready to go! diff --git a/HowTos/bootstrap_example_media/bootstrap-azure.xml b/HowTos/bootstrap_example_media/bootstrap-azure.xml new file mode 100644 index 000000000..59ef3a37d --- /dev/null +++ b/HowTos/bootstrap_example_media/bootstrap-azure.xml 
@@ -0,0 +1,506 @@ + + + + + + * + + + yes + + + + + password_hash + + + yes + + + + + + yes + 8 + + + + + + + + + + + + yes + 5 + + + yes + 5 + + + yes + 5 + + + yes + 10 + + + yes + 5 + + + + yes + + + + 10 + 10 + + 100 + 50 + + + + 10 + 10 + + 100 + 50 + + + + + + 100 + yes + + + + + + + + + + + + + + + + + + + no + + + no + + HCheck + + no + + + + + + + no + + + no + + + no + + + + + + + + + 3 + 5 + wait-recover + + + + + yes + + + + + + + + + aes-128-cbc + 3des + + + sha1 + + + group2 + + + 8 + + + + + aes-128-cbc + + + sha256 + + + group19 + + + 8 + + + + + aes-256-cbc + + + sha384 + + + group20 + + + 8 + + + + + + + + aes-128-cbc + 3des + + + sha1 + + + group2 + + 1 + + + + + + aes-128-gcm + + + none + + + group19 + + 1 + + + + + + aes-256-gcm + + + none + + + group20 + + 1 + + + + + + + aes-128-cbc + + + sha1 + + + + + + + + + + + + + real-time + + + high + + + high + + + medium + + + medium + + + low + + + low + + + low + + + + + + + + + + + + no + + + 1.25 + 0.5 + 900 + 300 + 900 + yes + + + + + + ethernet1/2 + ethernet1/1 + + + + + + + 10.26.0.81 + + + None + + ethernet1/2 + + no + any + 2 + + 10 + 172.16.0.0/12 + + + + + + + 10.26.0.81 + + + None + + ethernet1/2 + + no + any + 2 + + 10 + 192.168.0.0/16 + + + + + + + 10.26.0.81 + + + None + + ethernet1/2 + + no + any + 2 + + 10 + 168.63.129.16/32 + + + + + + + 10.26.0.81 + + + None + + ethernet1/2 + + no + any + 2 + + 10 + 10.0.0.0/8 + + + + + + + + + + + + + + + yes + no + no + no + + + updates.paloaltonetworks.com + + + + + wednesday + 01:02 + download-only + + + + + US/Pacific + + yes + yes + + PAN-Azure-Firenet + + + + yes + + + FQDN + + + + yes + no + no + no + + + PAN-Azure-Firenet + ahmed + + + + + + + + + + + + + ethernet1/2 + + + + + + + ethernet1/1 + + + + + + + + + + + + + any + + + any + + + any + + + any + + + any + + + any + + + any + + + application-default + + + any + + allow + + + + + + + + ethernet1/2 + ethernet1/1 + + + + + + + + 
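Review bot: The new bootstrap-azure.xml appears to ship site-specific and personal values that the companion bootstrap.xml hunk has just replaced with placeholders: the token `ahmed` sits beside `PAN-Azure-Firenet` (element names are stripped in this view, so its exact field is uncertain, but it reads like a leftover operator or login name), and every one of the four static routes carries the hard-coded next hop `10.26.0.81`. These should become placeholders in the same style as `password_hash`, e.g. `<your_next_hop_ip>`, with an XML comment saying they must be edited before use. The security rule whose match fields are all `any` and whose action is `allow` is an allow-all policy, and the IKE/IPsec profiles that list `3des`, `sha1` and `group2` look like the vendor's shipped defaults; a comment such as `<!-- example only: allow-all rule and default crypto profiles must be tightened before production -->` would stop the sample from being deployed as-is.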
diff --git a/HowTos/bootstrap_example_media/bootstrap.xml b/HowTos/bootstrap_example_media/bootstrap.xml index 4becf77ed..559a6d5b8 100644 --- a/HowTos/bootstrap_example_media/bootstrap.xml +++ b/HowTos/bootstrap_example_media/bootstrap.xml @@ -2,16 +2,16 @@ - - $1$hsyqpcpu$1kuBjBkoDzFdKA0Is2540/ + + https_interface_admin_password_hash/ yes - c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDUXNMUjhOOFhhRWtkVTJKT0t6TXF5N21SSEx5aFMrc01reUh2dHl4Ni8xc2dtQU0wQ1N3WXdYcmhoeG4wYnpNdDl4TFl2V0taaGUrektmeCszdWhySHg5Yi83djhEUzlZbmVudzQ5ejl1MTJUaEFSV3BMUUxHRU9SdnpwK0FGTGlmSjhRR3lSR0hIMnU2NTA2amNFTkNqRy9mbnVPSTA0NTZHdnZ6ZlM5ejVPOXkzYnRtWUZZM3ZqQU43WEtKNksxd1UyRExLZXFMcVo0S25WMjZ1T1dBbFMvL1c0bGtYTHhBNjVLc01PMjc4TnNWR3JSRlNBOXFjRGFNdEpQMUtJd201T0grWmF4R2VOUVNISm9Zd083KzVNTk9iZ0xHbVZNb0JTOXRod1ROY1RYZFN1Tkd3czNURVU0eWdVMEVWUWIvU2E0bm1kdEptT1pHWXJpd29FSmYgd2VzdC1zZXJ2ZXItMQ== + https_interface_public_key - + @@ -19,7 +19,7 @@ - $1$snyiktft$0c6C0a4SnkT4K37tqdmY00 + api_admin_password_hash diff --git a/HowTos/bootstrap_example_media/bootstrap_all.xml b/HowTos/bootstrap_example_media/bootstrap_all.xml index 4becf77ed..c754a8114 100644 --- a/HowTos/bootstrap_example_media/bootstrap_all.xml +++ b/HowTos/bootstrap_example_media/bootstrap_all.xml @@ -2,16 +2,16 @@ - - $1$hsyqpcpu$1kuBjBkoDzFdKA0Is2540/ + + password_hash/ yes - 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 + key - + @@ -19,7 +19,7 @@ - $1$snyiktft$0c6C0a4SnkT4K37tqdmY00 + password_hash diff --git a/HowTos/bootstrap_example_media/cp-bootstrap-example.png b/HowTos/bootstrap_example_media/cp-bootstrap-example.png new file mode 100644 index 000000000..da3750d57 Binary files /dev/null and b/HowTos/bootstrap_example_media/cp-bootstrap-example.png differ 
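Review bot: Swapping the MD5-crypt hashes (`$1$…`) and the SSH public key for placeholders is the right move, but those values and the matching default password `Aviatrix123#` (still quoted in the removed rst text) stay in git history, so any firewall bootstrapped from the old example shares a publicly known admin credential and should have it rotated; the rst that references this file is the place to say so. The replacement text `https_interface_admin_password_hash/` keeps a trailing `/` that looks like residue of the old hash's last character and will not read as a clean placeholder; the same residue appears in bootstrap_all.xml as `password_hash/`. The two files also use different placeholder names for the same fields (`https_interface_public_key` vs `key`, `api_admin_password_hash` vs `password_hash`), which makes the rst's instruction to "generate hash strings" harder to follow; I would align them on the descriptive names used in bootstrap.xml, e.g. `<https_interface_admin_password_hash>` / `<https_interface_public_key>` / `<api_admin_password_hash>`, in both files.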
diff --git a/HowTos/bootstrap_example_media/file-share-folder-example.png b/HowTos/bootstrap_example_media/file-share-folder-example.png new file mode 100644 index 000000000..aeb7eeed9 Binary files /dev/null and b/HowTos/bootstrap_example_media/file-share-folder-example.png differ diff --git a/HowTos/changelog.rst b/HowTos/changelog.rst index e7cd35a90..d851702b1 100755 --- a/HowTos/changelog.rst +++ b/HowTos/changelog.rst 
@@ -1,9 +1,54 @@ Aviatrix VPN Client Changelog ----------------------------- +2.14.14 - April 27 2021 + - Support non-ASCII Windows user login account + - Support non-ASCII VPN connection profile name on the client UI + - Support Ubuntu 20.04.01 deb format installer + - `Enhance the Windows client security `_ + +2.13.12 - Jan 28 2021 + - Provide a MD5 checksum along with every single installer + - Support MacOS Big Sur + - Verify the settings before exiting the Settings UI + +2.12.10 - September 3 2020 + - Support Ubuntu 20.04 FIPS + - A toggle to support Cisco Umbrella DNS servers or the VPC DNS servers on MacOS + - Support multiple MacOS system login accounts + - Allow override of manually set DNS flag to be enabled by default on MacOS + +2.11.6 - July 22 2020 + - OpenSSL lib of the MacOS client is updated to 1.1.11g + - OpenSSL lib of the Windows client is updated to 1.1.11f + - Enhance the security to prevent Man-in-the-middle attack + - Boost the Windows client data throughput + - Improve the connectivity of the MacOS client under the unstable WiFi connection + - Improve the connectivity of the Windows client under the high data throughput + - New clients to support Ubuntu 20.4 LTS + +2.10.8 - May 14 2020 + - Address client vulnerabilities of elevation in privilege and arbitrary file write. 
+ +2.9.6 - April 23 2020 + - Support displaying system use notifications + + +2.8.2 - April 10 2020 + - Boost VPN throughput + + +2.7.9 - March 4 2020 + - UI enhancements for password-based authentication + - Support the OVPN parameter: 'route' + - Fixed issue where tray icon sometimes did not accurately reflect the VPN status + - Fixed issue where VPN client becomes unresponsive if quit from the MacOS taskbar + - VPN client will now no longer erroneously prompt for another authentication retry after previous fail + - Fixed issue where the old VPN client will not quit, and crashes, if not uninstalled prior to the installation of a newer client + 2.6.6 - Jan 29 2020 - Improve the user experience to add a new VPN profile - - Security fixes for the OpenVPN params + - `Security fixes for the OpenVPN params `_ 2.5.7 - Nov 20 2019 @@ -15,7 +60,7 @@ Aviatrix VPN Client Changelog 2.4.10 - Nov 2 2019 - Security fixes - - Remove config caching causing issues on MacOS + - Remove config caching causing issues on MacOS - Fixes an issue preventing connection after switching between auth types @@ -64,7 +109,7 @@ Aviatrix VPN Client Changelog 1.8 - Jun 22 2018 - Windows VPN Service to run the client without Admin access - - Graceful VPN exit on windows(8.0 and above) disconnect + - Graceful VPN exit on windows(8.0 and above) disconnect - Add platform, GUI version and peer info - Add resolvconf dependency for Ubuntu18 - Fix some connection issues on Mac 
@@ -90,48 +135,47 @@ Aviatrix VPN Client Changelog - Debian installation files - Fixed viewing logs in Linux - + 1.4 - Aug 8 2017 - Signed Mac application - Parallel windows execution fix - - + + 1.3 - Jun 15 2017 - Disconnection fixes - Timeout fixes - Connection profile is displayed - IE support for SAML - Signed Windows application - - + + 1.2 - Mar 15 2017 - HTTPS Version for SAML - Multiple Profiles - Linux version - Connection status detection - Unblock disconnection while connecting - - Retry prompt for LDAP - - Multi process feature for Mac/Linux. + - Retry prompt for LDAP + - Multi process feature for Mac/Linux. - Removed VPN Lockdown - Permissions fixes - Fixes in logging - + 1.1 - Jan 30 2017 - Settings window for troubleshooting - Mac default application behavior - Bug fixes for hangs - In built resources - - Connection timeout issues fixed + - Connection timeout issues fixed - Kill other OpenVPN® on start - Connection status fix - - VPN lockdown feature + - VPN lockdown feature + - 1.0 - Dec 15 2016 - Initial release - HTTP Version OpenVPN is a registered trademark of OpenVPN Inc. - diff --git a/HowTos/checkpoint_bootstrap_azure.rst b/HowTos/checkpoint_bootstrap_azure.rst new file mode 100644 index 000000000..0867c2155 --- /dev/null +++ b/HowTos/checkpoint_bootstrap_azure.rst 
@@ -0,0 +1,73 @@
+.. meta::
+ :description: Firewall Network
+ :keywords: Azure Transit Gateway, Aviatrix Transit network, Transit DMZ, Egress, Firewall, Bootstrap, Check Point, Security Gateway
+
+
+===============================================================================
+Bootstrap Configuration Example for Check Point Security Gateway in AWS/Azure
+===============================================================================
+
+This document applies to both AWS and Azure.
+
+Using bootstrap option significantly simplifies Check Point Security Gateway initial configuration setup.
+
+In this document, we provide a basic bootstrap example for Check Point. Bootstrap Configuration can be a vendor specific script or configuration.
+
+For a manual setup, follow `manual setup example. `_
+
+
+Configure Check Point Security Gateway using Custom Data
+---------------------------------------------------------
+
+Follow the Aviatrix Firewall Network (FireNet) workflow
+to `Step 7a. `_ to launch the firewall instance.
+
+To Configure Check Point Security Gateway using Custom Data, go to the Aviatrix Controller -> Firewall Network -> Setup -> Launch & Associate Firewall Instance.
+
+Fill in the required fields. Click Advanced. Fill in the following parameters. You must specify a custom username and password, and generate a hash string for the password.
+
+================================ ======================
+**Advanced Field** **Example Value**
+================================ ======================
+User Data Bootstrap Configuration
+================================ ======================
+
+Sample Check Point Bootstrap Configuration to configure firewall "Allow-all" policy, health check policy and RFC 1918 static routes is shown below:
+
+ ::
+
+ #!/bin/bash
+
+ clish -c "set user password-hash <100+ character hash string>" -s
+ clish -c 'set interface eth1 state on' -s
+ clish -c 'set hostname checkpoint' -s
+ blink_config -s 'upload_info=false&download_info=false&install_security_gw=true&install_ppak=true&install_security_managment=false&ipstat_v6=off&ftw_sic_key='
+
+
+|cp_bootstrap_example|
+
+Launch the instance. Wait for 15 minutes for it to boot up and initialize.
+
+Login to the HTTPS interface of the public IP with the username and password specified in the Bootstrap Configuration file.
+
+
+
+Ready to go!
+----------------
+
+Now your firewall instance is ready to receive packets!
+
+Next step is to validate your configurations in the Check Point Security Gateway, and configure polices for Ingress and Egress inspection.
+
+By default, all traffic is allowed in Check Point that can be verfied by launching one instance in PROD Spoke VNET and DEV Spoke VNET. Start ping packets from a instance in DEV Spoke VNET to the private IP of another instance in PROD Spoke VNET. The ICMP traffic should go through the Check Point and be inspected in Security Gateway.
+
+
+Additional References
+--------------------------
+
+Check Point Reference `Custom Data `_
+
+.. |cp_bootstrap_example| image:: bootstrap_example_media/cp-bootstrap-example.png
+ :scale: 40%
+
+.. disqus::
diff --git a/HowTos/cloud_wan_faq.rst b/HowTos/cloud_wan_faq.rst
index 45697d93b..67f3c6384 100644
--- a/HowTos/cloud_wan_faq.rst
+++ b/HowTos/cloud_wan_faq.rst
@@ -10,12 +10,18 @@ Aviatrix CloudWAN FAQ
 What is the Aviatrix CloudWAN?
 ---------------------------------------
-Aviatrix CloudWAN is a feature where Aviatrix Controller manages and help connect on-prem Cisco IOS Routers to the cloud directly.
+Aviatrix CloudWAN manages and automates secure connectivity of on-prem Cisco IOS Routers to the cloud. The IPSEC connection terminates with
+AWS Transit Gateway (TGW), Aviatrix Transit Gateway or Azure Virtual WAN.
+
+Starting in Release 6.2, CloudWAN also manages Aviatrix CloudN appliance for high performance encryption connection (up to 25Gbps) from on-prem to the cloud.
+
+This document focuses on CloudWAN for Cisco IOS devices. For configuration information on CloudN
+appliance, refer to `Managed CloudN Workflow `_.
 CloudWAN can be used to fulfill the following tasks.
 1. Manage multiple Cisco IOS Routers from the Aviatrix Controller. This includes uploading and viewing the IOS configuration, making configuration changes and monitoring the health and stats of these routers.
- #. Auto connect Cisco IOS routers to the Aviatrix Transit Gateway or AWS TGW with IPSEC VPN over the Internet, thus allowing them to be part of the Transit Network where they gain connectivity to Spoke VPCs.
+ #. Automate secure connection of Cisco IOS routers to the Aviatrix Transit Gateway or AWS TGW with IPSEC VPN over the Internet, thus allowing them to be part of the Transit Network where they gain connectivity to Spoke VPCs.
 What are the CloudWAN deployment architectures?
 --------------------------------------------------
@@ -43,16 +49,31 @@ In this deployment IPsec tunnels are built directly to TGW VPN.
 |cloud_wan_3|
+CloudWAN Deployment on Azure
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+CloudWAN can terminate branch router IPSEC connection with Aviatrix Transit Gateway deployed in Azure, as shown in
+the diagram below.
+
+|cloud_wan_azure|
+
+CloudWAN Deployment on Azure Virtual WAN
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+CloudWAN is integrated with Azure Virtual WAN, as shown in the diagram below. For configuration example, refer to `CloudWAN on Azure vWAN Configuration Example `_.
+
+|cloudwan_azure_vwan|
+
 What are the benefits of CloudWAN?
 -----------------------------------------
 - **No Friction** Leverage what you have already invested in the on-prem edge router for connecting to the cloud.
- - **Shortest Latency** Leverage AWS Global Accelerator to connect your on-prem routers to the nearest AWS edge and route through the AWS backbone with the optimal path.
+ - **Shortest Latency** Leverage AWS Global Accelerator or Azure backbone to connect your on-prem routers to the nearest cloud provider edge and route through the their backbone with the optimal path.
 - **Automation** Avoid human errors and the complexity of VPN configuration when building VPN connections to the cloud.
 - **Centrally Managed** Use the single pane of glass to both provision and monitor router health and stats.
-How does CloudWAN work?
--------------------------
+How does CloudWAN work in AWS?
---------------------------------
 CloudWAN leverages AWS Global Accelerator and the AWS backbone for the shortest latency path to the cloud.
@@ -160,6 +181,12 @@ Cisco routers that run IOS Classic and IOS XE are supported. For example, ISR G2
 .. |cloud_wan_3| image:: cloud_wan_faq_media/cloud_wan_3.png
 :scale: 30%
+.. |cloud_wan_azure| image:: cloud_wan_faq_media/cloud_wan_azure.png
+ :scale: 30%
+
+.. |cloudwan_azure_vwan| image:: cloud_wan_faq_media/cloudwan_azure_vwan.png
+ :scale: 30%
+
 .. |global_accelerator| image:: cloud_wan_faq_media/global_accelerator.png
 :scale: 30%
diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_check_connection_status.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_check_connection_status.png
new file mode 100644
index 000000000..6453d7ea5
Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_check_connection_status.png differ
diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_check_status_branch_router.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_check_status_branch_router.png
new file mode 100644
index 000000000..c0e038a3f
Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_check_status_branch_router.png differ
diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_click_discover_wan_interfaces_button.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_click_discover_wan_interfaces_button.png
new file mode 100644
index 000000000..b2d3e9794
Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_click_discover_wan_interfaces_button.png differ
diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_example_attach_branch_to_cloud.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_example_attach_branch_to_cloud.png
new file mode 100644
index 000000000..042399249
Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_example_attach_branch_to_cloud.png differ
diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_example_prepare_to_attach.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_example_prepare_to_attach.png
new file mode 100644
index 000000000..b4946fbea
Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_example_prepare_to_attach.png differ
diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_example_register_branch_router.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_example_register_branch_router.png
new file mode 100644
index 000000000..a13883e02
Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_avx_example_register_branch_router.png differ
diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_azure_check_connection_status.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_azure_check_connection_status.png
new file mode 100644
index 000000000..4fa1646de
Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_azure_check_connection_status.png differ
diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_azure_troubleshoot_effective_route.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_azure_troubleshoot_effective_route.png
new file mode 100644
index 000000000..601e366f6
Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_azure_troubleshoot_effective_route.png differ
diff --git a/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_check_status_hub.png b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_check_status_hub.png
new file mode 100644
index 000000000..450828354
Binary files /dev/null and b/HowTos/cloud_wan_faq_media/azure_vWAN/cloudwan_azure_vwan_check_sta