AWS Infrastructure

How do I increase the size of the disk on my Gateway?

Follow these instructions to increase the size of your instance’s disk.

  • Log in to the AWS console and locate the Aviatrix gateway instance
  • Click on Root device: /dev/sda1 and then click on the EBS ID vol-xxxxxxxxxx link
  • With the volume selected, click Action > “Modify Volume” to change the Disk Size
  • Increase the value in the Size field. Click OK to start the resize process. Please make sure you wait until the state of the volume is “in-use - completed (100%)”
  • Select the Aviatrix gateway instance in the EC2 page. Click Reboot for the disk space to take effect. This will cause downtime (< 5 minutes) due to the reboot process
  • Confirm that the gateway is in a running state in AWS console
  • Log in to your controller, run gateway diagnostics and submit them to us. Please also upload the gateway tracelog

How do I save an EIP used for a Gateway?

  • When creating a new Gateway, the default option for “Allocate New EIP” is “on”. This means that the Aviatrix Controller checks out a new EIP from AWS. If this gateway is deleted, the Controller releases this EIP back to AWS. If you expect to keep the EIP in the future, it is recommended that the “Allocate New EIP” option is unchecked and an available EIP is picked during the Gateway creation process.
  • If you are having issues with the Gateway and would like a new Gateway to replace the existing one and with the same EIP, the best way to do this is via “Controller GUI / Troubleshoot / Diagnostics / Gateway Tab / Gateway Replace”
  • If you want to transfer the EIP from one Aviatrix Gateway to another, follow these steps (Example: GatewayA has EIPA, GatewayB has EIPB; move EIPA to GatewayB). Note: Only supported in releases 4.0 and up. Using this on release 3.5 and lower will result in the loss of the EIP:
    • From the AWS Console, create a new EIP (continuing the example: call this EIP-new)
    • From the Aviatrix Controller, go to “Controller GUI / Troubleshoot / Diagnostics / Gateway Tab / Migration”, pick the Gateway that you want to take the EIP from, enter the new EIP and click OK. (Pick GatewayA and enter EIP-new. This will release EIPA)
    • On the Aviatrix Controller, on the same page, pick the Gateway that should receive the old EIP and enter the old EIP. (Example: Pick GatewayB and enter EIPA. This will release EIPB)

How can I encrypt an EBS Volume on Controller/Gateway?

AWS does not allow EBS encryption during instance launch time. Follow the instructions for the Controller and the Gateway.

Why are IAM Roles/Policies important?

  • The Aviatrix Controller and its Gateways need access to AWS resources to function as designed. Any loss of these access privileges could cause unpredictable behavior and performance of your network. This access is granted and managed through IAM roles and policies. For more information, please refer to the following documents
  • AWS has an IAM corner case - if an EC2 instance had an IAM role attached and then the role was deleted and added again, that EC2 instance’s roles and policies will not function in a predictable way. If you have deleted and added Aviatrix IAM roles, it might be good to detach the roles from your Controllers and Gateways and attach them again.
  • Aviatrix IAM policies might be updated - please make it a point to update them when you update the software on your Aviatrix system

What do I do if my gateway instance is identified for retirement by AWS?

AWS will inform you when one of your instances is scheduled for retirement because the underlying hardware has issues or is being upgraded. Usually a stop and start from the AWS console will migrate the instance to newer hardware. Please check here for more information. Also, please open a support ticket with AWS for more information.

How can I monitor the destination ports and ip addresses for instances in my VPC?

Aviatrix provides a Discovery function to do this. You could also consider AWS VPC Flow Logs, which capture the inbound and outbound IP traffic of a VPC and deliver the records to either S3 or CloudWatch Logs. Please follow the directions here to capture these logs. Capturing the outgoing port and IP address information will help you craft better Egress Control Policies.
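As an added example (not part of the original FAQ and not Aviatrix code), the Python below parses VPC Flow Log records in the default version 2 format and aggregates the accepted flows that leave the VPC CIDR by destination address, port and protocol, which is the view you need when drafting egress policies. The sample records are constructed and use TEST-NET addresses.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Field order of the default (version 2) VPC Flow Log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_record(line):
    """Split one space-separated record into a dict; None for malformed or NODATA/SKIPDATA rows."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK" or rec["srcaddr"] == "-":
        return None  # NODATA/SKIPDATA records carry no addresses or ports
    return rec

def summarize_egress(lines, vpc_cidr, accepted_only=True):
    """Aggregate flows leaving vpc_cidr by (dstaddr, dstport, proto) -> {"flows", "bytes"}."""
    vpc = ip_network(vpc_cidr)
    summary = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for line in lines:
        rec = parse_record(line)
        if rec is None or (accepted_only and rec["action"] != "ACCEPT"):
            continue
        src, dst = ip_address(rec["srcaddr"]), ip_address(rec["dstaddr"])
        if src not in vpc or dst in vpc:
            continue  # only traffic that exits the VPC matters for egress policy
        proto = PROTO_NAMES.get(int(rec["protocol"]), rec["protocol"])
        key = (rec["dstaddr"], int(rec["dstport"]), proto)
        summary[key]["flows"] += 1
        summary[key]["bytes"] += int(rec["bytes"])
    return dict(summary)

# Constructed sample records (TEST-NET destination addresses); not real captured logs.
SAMPLE_LOGS = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.20 49152 443 6 12 5400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.20 49153 443 6 8 3100 1700000060 1700000120 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.11 198.51.100.5 53211 53 17 1 80 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.11 198.51.100.9 40000 8080 6 3 200 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.20 10.0.1.10 443 49152 6 10 9000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.15 50000 3306 6 5 700 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    for (dst, port, proto), stats in sorted(summarize_egress(SAMPLE_LOGS, "10.0.0.0/16").items()):
        print(f"{dst}:{port}/{proto}  flows={stats['flows']}  bytes={stats['bytes']}")
```

Pass `accepted_only=False` to include REJECT records as well, which shows what an existing security group or NACL is already blocking.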

Why do I get an email alert about my gateway with “Cloud Message Queue Failure” message?

Typically, this message is sent when a gateway is not able to access the messages from the controller via AWS SQS. Please check the following:

  • Run gateway diagnostics by going to “Controller/Troubleshoot/Diagnostics/Gateway”, pick the gateway, run the diagnostics tests and “submit” them to us. You can also review the results by referring to the service descriptions in diagnostics <http://docs.aviatrix.com/HowTos/Troubleshooting_Diagnostics_Result.html>.
  • Go to “Controller/Troubleshoot/Diagnostics/Network/GatewayUtility”, pick the gateway and ping www.google.com to see whether it can resolve names and has network connectivity.
  • Check that this gateway has the right IAM policies
    • Check that your controller and the gateway instances have “aviatrix-role-ec2” role attached to it on the AWS console
    • Check that the policies attached to this role are correct by going to “Controller/Accounts/AccountAudit” and running an account audit on the account that this gateway belongs to. If needed, update the policies: to update the IAM policy to the latest version, go to “Controller/Accounts/Access Accounts/Select Account Name/click 3 dots/UpdatePolicy” and click OK.
    • Go to AWS Console > IAM > Roles > click on aviatrix-role-ec2 > check that aviatrix-assume-role-policy policy is attached > click on the policy name > {} JSON > it should be like https://s3-us-west-2.amazonaws.com/aviatrix-download/iam_assume_role_policy.txt
    • Go to AWS Console > IAM > Roles > click on aviatrix-role-app > check that aviatrix-app-policy policy is attached > click on the policy name > {} JSON > it should be like https://s3-us-west-2.amazonaws.com/aviatrix-download/IAM_access_policy_for_CloudN.txt
    • If the gateway is not on the same account as the Controller, please make sure that this access account has a trust relationship to the primary account (the Controller’s AWS account).
  • Please make sure that both your controller and gateway have an EIP associated and not just a PublicIP/PrivateIP
  • Please note that this check is done once a day - after you address the issues, please wait for 24 hours from the previous alert to see if you will receive another alert
  • If you are not able to find and address the issue, please upload the tracelogs for this gateway and send an email to support@aviatrix.com to open a new ticket.
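To complement the IAM checks above (the “Why are IAM Roles/Policies important?” section and the policy steps in this list), here is an added Python example, not Aviatrix code, that flattens two IAM policy documents into their Allow grants and reports which grants of a reference document the attached policy no longer covers, honoring `*` wildcards in action names. The two policy documents are constructed samples and are not the Aviatrix policy files linked above; Deny statements, NotAction and Condition blocks are outside what it compares.

```python
import fnmatch
import json

def _as_list(value):
    # IAM allows a string or a list for Action/Resource; normalize to a list.
    return value if isinstance(value, list) else [value]

def allow_grants(policy):
    """Flatten the Allow statements of a policy document into (action, resource) pairs."""
    grants = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny and NotAction statements are out of scope for this check
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt.get("Resource", "*")):
                grants.add((action, resource))
    return grants

def _covered(needed, granted):
    """True if some granted pair covers the needed one ('*' wildcards in actions, bare '*' resource)."""
    action, resource = needed
    return any(fnmatch.fnmatchcase(action.lower(), g_action.lower())
               and (g_resource == "*" or g_resource == resource)
               for g_action, g_resource in granted)

def missing_grants(attached_json, reference_json):
    """Return the reference grants that the attached policy does not cover, sorted for stable output."""
    granted = allow_grants(json.loads(attached_json))
    needed = allow_grants(json.loads(reference_json))
    return sorted(n for n in needed if not _covered(n, granted))

# Constructed sample documents for illustration; NOT the Aviatrix policy files named in this FAQ.
REFERENCE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes"], "Resource": "*"},
        {"Effect": "Allow", "Action": "sqs:ReceiveMessage", "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::*:role/example-app-role"},
    ],
})
ATTACHED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::*:role/example-app-role"},
    ],
})

if __name__ == "__main__":
    print(missing_grants(ATTACHED_POLICY, REFERENCE_POLICY))
```

Feed it the JSON of the policy shown in the IAM console and the reference document; an empty list means every reference grant is still present, while the SQS entry in the sample output is the kind of gap that produces the queue failure alert above.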