Automate your network setup in AWS Control Tower using Aviatrix
AWS services support customer needs across various business functions and initiatives. To support this growth, customers are using AWS Control Tower to set up their multi-account environments in a fast and secure way. Customers must also build a framework that enables the network topology to be scalable as they grow their infrastructure footprint on the cloud.
AWS Marketplace now offers customers a networking solution designed for an AWS Control Tower environment. In this blog post, Abhishek and I show you how the Aviatrix Cloud Network Platform helps set up the network connectivity in your AWS Control Tower environment. This software is available in AWS Marketplace and automates the creation of Virtual Private Clouds in accounts created using the Account Factory from AWS Control Tower. The Aviatrix network automation is now available for AWS Marketplace solutions for AWS Control Tower, providing automation for a multi-Region enterprise grade network.
AWS Control Tower provides a way to set up and govern a new, secure, multi-account AWS environment. It is based on best practices established through working with thousands of enterprises as they move to the cloud. My customers have told me they are looking for ways to automate the provisioning of network resources in a multi-account environment. This solution reduces the manual effort required to make new AWS accounts move-in ready.
Aviatrix network automation in AWS Control Tower
The Aviatrix Cloud Network Platform delivers the networking, security, and operational visibility services while maintaining the simplicity and automation of cloud. It uses AWS API operations to interact with and directly program native cloud networking constructs.
This solution uses the Aviatrix Platform to provide networking functionality and serve as a network factory for newly provisioned accounts through Account Factory in AWS Control Tower. It also can enroll existing ones as managed accounts using the Enroll Existing Account Functionality.
The Aviatrix Controller is the brain of the cloud network platform. The platform dynamically programs both native cloud network constructs and Aviatrix’s own services. The Controller enables network automation services across your AWS Control Tower environment by integrating with AWS Control Tower lifecycle events. This integration performs the following functions:
- Automated creation of a Virtual Private Cloud (VPC) in every newly created or enrolled account through AWS Control Tower Account Factory.
- Application of any network baselines or requirements configured in the solution if necessary. The solution explained in this post validates that VPCs created within AWS Control Tower do not have overlapping classless inter-domain routing (CIDR) blocks.
- Attachment of the VPCs to a centralized AWS Transit Gateway to provide connectivity across VPCs in your multi-account architecture in addition to connectivity to on-premises locations.
- Configuration of AWS Transit Gateway and VPC route tables based on certain network topology requirements or criteria. The solution described here configures the default route table of AWS Transit Gateway to allow for seamless traffic flow between the newly created VPC and the rest of the VPCs attached to the AWS Transit Gateway.
This solution provides a common pattern of network topology and can be extended further to support customer requirements with respect to the network topology.
The solution lays the Aviatrix components on top of the multi-account structure and creates a multi-VPC architecture with AWS Transit Gateway or Aviatrix Transit as the hub. It relies on the AWSControlTowerExecution cross-account AWS Identity and Access Management (IAM) role created by AWS Control Tower in every child account. This cross-account IAM role is used to create additional IAM roles that Aviatrix Controller uses to provision and orchestrate the network infrastructure. The key points are as follows:
- AWS Control Tower sets up a multi-account environment with several business Organizational Units (OUs) and corresponding AWS accounts. An Infrastructure OU with a network account is established as an entity that is shared by the rest of the organization. The Aviatrix Controller is set up in the network account.
- An AWS Lambda function is deployed in a VPC in the master account as a key component of the network automation. VPC-to-VPC communication is enabled so that the Lambda function can interface with the Aviatrix Controller. The Lambda function also integrates with AWS Control Tower lifecycle events via CloudWatch Events.
- When a new AWS account is created through Account Factory or an existing account is enrolled, the Lambda function receives the trigger from the lifecycle events and invokes the Aviatrix Controller. The Aviatrix Controller then creates a VPC in the Region where AWS Control Tower is set up.
- The Aviatrix Controller creates the VPC and private subnets in each Availability Zone. It ensures that the CIDR block does not overlap with any existing VPCs.
- AWS Resource Access Manager shares the AWS Transit Gateway in the network account with the newly created account. VPC attachments are created between the VPC and the shared AWS Transit Gateway to allow for seamless connectivity with the rest of the VPCs across accounts.
- All these networking constructs are available and visible in the Aviatrix dashboard for monitoring and management.
Refer to the following architecture diagram.
The Aviatrix Transit Network and Network Service Gateway are add-on components of this architecture which, when included, act as an overlay. Gateways are primarily deployed to deliver transit network and security services. These services include intelligent dynamic routing, active-active network high availability, and end-to-end, high-performance encryption. They also collect operational visibility telemetry and provide secure network traffic filtering and external service insertion.
Deploying Aviatrix in your AWS Control Tower
Set up your AWS Control Tower in your AWS account by following the steps in AWS Control Tower getting started documentation. You can also do this by participating in an AWS Control Tower activation day or by scheduling an AWS Control Tower immersion day with your account team and AWS Solutions Architect.
To deploy this solution in your AWS Control Tower environment, follow these steps.
Deploy Aviatrix Cloud Network Platform and use the Aviatrix Controller to create AWS Transit Gateway
- Choose an AWS account in which you want to launch the Aviatrix Controller. Following the multi-account guidance, we recommend you create a separate account for this purpose. A network account in an Infrastructure OU is ideal. Having this boundary allows you to apply specific Service Control Policies (SCPs) to the Infrastructure OU. It also keeps the shared networking resources in the same account for better visibility, control, and billing segregation.
- Navigate to AWS Marketplace. Go to the Aviatrix Secure Networking Platform Metered – 24×7 support product. Subscribe by selecting the Continue to Subscribe button. Proceed to the next step once you see the message You’re subscribed to this software. Please see the terms and pricing details below or click the button above to configure your software.
- Launch the Aviatrix Controller using this template. Follow these startup guide instructions. The installation does the following:
- Creates two IAM roles (aviatrix-role-ec2 and aviatrix-role-app) that the Controller uses in its own account.
- Launches a new Amazon Elastic Compute Cloud (Amazon EC2) t3.large instance for the Aviatrix Controller.
- Assigns a new Elastic IP address (EIP) to the instance. You can get this Elastic IP address in the Outputs section of the CloudFormation stack.
- Creates a new security group called AviatrixSecurityGroup.
- The instructions in the startup guide also ensure that the AWS account on which Aviatrix Controller is launched is onboarded to the Aviatrix platform. Once the Aviatrix Controller is up and running, access the user interface (UI) via https://<EIP of Aviatrix Controller>.
- Log in to the Aviatrix Controller. Use the username admin with the private IP address of your Aviatrix Controller as the password, and do the following:
- To onboard all the existing AWS Control Tower accounts such as master account, log archive, and audit, follow these setup guide instructions.
- For this solution, the AWS Transit Gateway in your environment must be created using Aviatrix Controller. To create a new AWS Transit Gateway managed by the Aviatrix Controller and migrate your existing VPCs to the new AWS Transit Gateway, follow these instructions.
- Navigate to the Aviatrix Controller UI. Create an AWS Transit Gateway in AWS Control Tower home Region. To do this, in the left sidebar, select TGW Orchestrator and then select Plan. Scroll to the section Create AWS Transit Gateway. For Cloud Type, select AWS. For Account Name, select the network account in which you launched the Aviatrix Controller. For Region, select the home Region of AWS Control Tower. Enter a name for the AWS Transit Gateway. For AWS Side AS Number, enter 64512. Select Create. The following screenshot shows the successful creation of an AWS Transit Gateway.
- Alternatively, if you are using the Aviatrix data plane to connect VPCs, do the following.
- Create a Transit VPC. To do that, navigate to the Aviatrix Controller UI and in the left sidebar select Useful Tools and then select Create a VPC. For Cloud Type, choose AWS. For Account Name, choose the Network Account. For VPC Name, enter Transit_VPC. For VPC Region, choose the home Region of AWS Control Tower. For VPC CIDR, enter a CIDR block that does not overlap with the rest of the network. Select the box next to Aviatrix Transit VPC. Then choose Create.
- Launch a pair of Aviatrix Transit Gateways in your AWS Control Tower home Region. To do this, in the left sidebar select Transit Network and then select Setup. In the section Launch a Transit VPC GW, for Cloud Type, choose AWS. For Gateway Name, enter transit-gw. For Access Account Name, select the network account. For Region, choose the home Region of AWS Control Tower. For VPC ID, select the VPC created in the prior step. For Public Subnet, select a non-overlapping /28 CIDR block. For Gateway Size, select c5n.large. Select the box next to Allocate New EIP and the one next to Enable ActiveMesh Mode. Then choose Create.
- Create a high availability gateway for redundancy. To do that, in the Aviatrix UI left sidebar under Transit Network, choose Setup. Scroll to the section (Optional) enable HA at Transit GW. For Transit VPC GW, select the name of the gateway created in the previous step. For HA Gateway Subnet, choose the subnet of the Transit VPC not used by the first Transit Gateway. Choose Enable.
Deploy the Lambda function and attach the Aviatrix Controller VPC and the Lambda VPC to the AWS Transit Gateway
- Securely store the Aviatrix Controller EIP and credentials in the AWS Systems Manager Parameter Store. To do this, use the AWS Command Line Interface (AWS CLI) to run the following commands:
aws ssm put-parameter --type "SecureString" --name "/aviatrix/controller/username" --value "admin"
aws ssm put-parameter --type "SecureString" --name "/aviatrix/controller/password" --value "XXXXX"
aws ssm put-parameter --type "SecureString" --name "/aviatrix/controller/ip_address" --value "<EIP>"
Each of these commands should return successfully, with output as shown in the following screenshot.
- In the AWS Control Tower master account, deploy the solution's AWS CloudFormation template. Use the following input parameters for the template:
- CIDR for VPC into which the Lambda is launched.
- Address space allocation for two private subnets in this VPC.
- AWS account number Aviatrix Controller resides in.
- Name of AWS or Aviatrix Transit Gateway to which newly created VPCs should attach.
- If you are using the Aviatrix data plane and Aviatrix Transit Network, set avtxtransit to true (the default is false).
- Address range in which VPC CIDRs will be assigned. The default is: 10.0.0.0/8.
- Generated VPC CIDR mask length. The default is 24.
The template creates a Lambda function. This Lambda function subscribes to the Amazon CloudWatch event CreateManagedAccount from AWS Control Tower, which triggers an invocation when a new account is created or enrolled within AWS Control Tower. When triggered, the Lambda function does the following in the newly created account:
- Assumes the AWSControlTowerExecution role to create the aviatrix-role-ec2 and aviatrix-role-app roles.
- Onboards the newly created AWS account onto the Aviatrix Controller.
- Creates a VPC with the first available /24 CIDR block and validates that it is unique among all the VPCs across all AWS accounts already onboarded on the Controller.
- Attaches the VPC to the AWS Transit Gateway that is automatically shared across all accounts.
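The two address-space rules the post relies on, the overlap check applied to VPCs created within AWS Control Tower and the "first available /24" allocation driven by the template's address range and mask length parameters, are small enough to show in full. The following Python is an added example written for this post; it is not the solution's Lambda code or Aviatrix's. The function names are mine, the inventory of existing CIDR blocks is constructed, and the defaults (10.0.0.0/8, /24) are the template defaults quoted above. It goes slightly beyond the text in that existing blocks of any size (a /16, a /23) and blocks outside the address range are handled, not only other /24s.

```python
# Added example, not the blog's or Aviatrix's code: overlap detection plus
# first-free-/24 allocation over a configured address range.
import ipaddress
from typing import Iterable, List, Tuple


def parse_cidrs(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse CIDR strings into network objects (strict=False tolerates host bits being set)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def find_overlaps(cidrs: Iterable[str]) -> List[Tuple[str, str]]:
    """Return every pair of CIDR blocks that overlap; an empty list means no routing conflicts.
    This is the check the solution applies to VPCs created within AWS Control Tower."""
    nets = parse_cidrs(cidrs)
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:]
            if a.overlaps(b)]


def first_free_cidr(existing: Iterable[str],
                    address_range: str = "10.0.0.0/8",
                    mask_length: int = 24) -> str:
    """Return the first /<mask_length> block inside address_range that overlaps none of
    the existing blocks. The defaults are the CloudFormation parameter defaults."""
    supernet = ipaddress.ip_network(address_range)
    if mask_length < supernet.prefixlen:
        raise ValueError(f"mask length /{mask_length} is shorter than the address range {supernet}")
    # Blocks outside the address range can never collide with a candidate, so drop them
    # up front; blocks of any size inside it are kept and block every candidate they cover.
    taken = [n for n in parse_cidrs(existing) if n.overlaps(supernet)]
    for candidate in supernet.subnets(new_prefix=mask_length):
        if not any(candidate.overlaps(t) for t in taken):
            return str(candidate)
    raise RuntimeError(f"no free /{mask_length} left in {supernet}")


if __name__ == "__main__":
    # Constructed inventory standing in for the VPC CIDRs the Controller already knows about.
    known = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/23", "172.16.0.0/16"]
    print("overlaps:", find_overlaps(known))
    print("next VPC CIDR:", first_free_cidr(known))
```

Note that the /23 in the constructed inventory blocks both 10.0.2.0/24 and 10.0.3.0/24, so the next allocation is 10.0.4.0/24; a range that is fully used raises rather than silently reusing a block.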
- Once the CloudFormation stack is successfully deployed, attach the Aviatrix Controller VPC and the Lambda VPC to the AWS Transit Gateway in the default route domain. To do this for the Aviatrix Controller VPC, in the Aviatrix UI left sidebar, select TGW Orchestrator and then select Build. On the Attach VPC to TGW page, choose Cloud Type AWS. Choose the Region as the home Region of AWS Control Tower. Choose VPC Account as the AWS account that contains the Aviatrix Controller VPC (Network Account). For VPC Name, select the name of the Aviatrix Controller VPC. For TGW Name, select the name of the AWS Transit Gateway created in the earlier step. For Security Domain Name, select Default_Domain. Choose Attach. You receive a message saying you have successfully attached your VPC, as shown in the following screenshot.
- Repeat this step for the Lambda VPC by selecting VPC Account as the AWS account that contains the Lambda VPC (the AWS Control Tower master account). This ensures that the Lambda function can communicate with the Aviatrix Controller over the AWS network. You receive a message saying you have successfully attached your VPC, as shown in the following screenshot.
- From the Aviatrix Controller, confirm that both VPCs are attached to the TGW in the Default_Domain. To do this, in the Aviatrix UI left sidebar, select TGW Orchestrator then select List/Edit. This page should show the two VPC attachments that you have created, as shown in the following screenshot.
Testing the solution
To verify that the solution is working properly, test it using the test events feature in AWS Lambda.
- Use the following truncated CreateManagedAccount event for your test. To do this, navigate to the AWS Management Console for the AWS Control Tower master account. Navigate to the AWS Lambda console and select the Lambda function created as part of this solution. Select the dropdown for Test Event and choose Configure Test Event. Create a new test event in the screen using the following JSON template. Update the following parameters in the JSON for your environment.
- accountId: Account ID of a managed AWS account within AWS Control Tower.
- accountName: Name of the AWS account.
- awsRegion: Region in which you have AWS Control Tower set up.
"detail-type": "AWS Service Event via CloudTrail",
"invokedBy": "AWS Internal"
This function creates a VPC in the account specified in the event and a corresponding VPC attachment to the AWS Transit Gateway.
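To make the test event concrete, here is an added Python example (written for this post, not the solution's Lambda or Aviatrix code) of the event-handling front half of such a function: it validates that the incoming event is a successful AWS Control Tower lifecycle event, pulls out the accountId, accountName and awsRegion values the test event asks you to set, builds the ARN of the AWSControlTowerExecution role, and reads the Controller settings from the Parameter Store names used earlier. The sample event is constructed (account ID, OU ID and names are placeholders) and follows the lifecycle event layout AWS Control Tower emits via CloudTrail; the function names are mine, and the Aviatrix Controller API calls (onboarding, VPC creation, TGW attachment) are outside this example.

```python
# Added example, not the blog's or Aviatrix's code: parse a CreateManagedAccount
# lifecycle event and gather what the automation needs before calling the Controller.
LIFECYCLE_EVENTS = {"CreateManagedAccount", "UpdateManagedAccount"}
PARAM_PREFIX = "/aviatrix/controller/"  # same names as the put-parameter commands above

# Constructed sample event; IDs and names are placeholders, the layout is the
# AWS Control Tower lifecycle event format delivered through CloudWatch Events.
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "AWS Service Event via CloudTrail",
    "source": "aws.controltower",
    "region": "us-east-1",
    "detail": {
        "eventSource": "controltower.amazonaws.com",
        "eventName": "CreateManagedAccount",
        "awsRegion": "us-east-1",
        "userIdentity": {"accountId": "999999999999", "invokedBy": "AWS Internal"},
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "organizationalUnit": {"organizationalUnitName": "Sandbox",
                                       "organizationalUnitId": "ou-xxxx-placeholder"},
                "account": {"accountName": "workload-a", "accountId": "111122223333"},
                "state": "SUCCEEDED",
                "message": "AWS Control Tower successfully created a managed account.",
            }
        },
    },
}


def parse_lifecycle_event(event: dict) -> dict:
    """Accept only successful Control Tower lifecycle events and return the target account."""
    detail = event.get("detail", {})
    name = detail.get("eventName")
    if detail.get("eventSource") != "controltower.amazonaws.com" or name not in LIFECYCLE_EVENTS:
        raise ValueError(f"not an AWS Control Tower lifecycle event: {name!r}")
    status_key = name[0].lower() + name[1:] + "Status"  # e.g. createManagedAccountStatus
    status = detail["serviceEventDetails"][status_key]
    if status.get("state") != "SUCCEEDED":
        # A failed provisioning run must not produce a VPC or an onboarded account.
        raise ValueError(f"{name} finished with state {status.get('state')!r}")
    account = status["account"]
    return {
        "accountId": account["accountId"],
        "accountName": account["accountName"],
        "awsRegion": detail["awsRegion"],
        "ouName": status.get("organizationalUnit", {}).get("organizationalUnitName"),
    }


def execution_role_arn(account_id: str) -> str:
    """Cross-account role AWS Control Tower creates in every child account."""
    return f"arn:aws:iam::{account_id}:role/AWSControlTowerExecution"


def controller_settings(ssm_client) -> dict:
    """Read the Controller EIP and credentials; SecureString values need WithDecryption=True."""
    return {
        key: ssm_client.get_parameter(Name=PARAM_PREFIX + key, WithDecryption=True)["Parameter"]["Value"]
        for key in ("username", "password", "ip_address")
    }


def lambda_handler(event, context):
    import boto3  # present in the Lambda runtime; imported here so the functions above run offline
    target = parse_lifecycle_event(event)
    settings = controller_settings(boto3.client("ssm"))
    # Assume the cross-account role; these credentials are what the function uses to
    # create aviatrix-role-ec2 and aviatrix-role-app in the new account.
    creds = boto3.client("sts").assume_role(
        RoleArn=execution_role_arn(target["accountId"]),
        RoleSessionName="aviatrix-network-factory",
    )["Credentials"]
    # Return only non-secret context: the Controller password never goes into logs or output.
    return {"target": target, "controller": settings["ip_address"],
            "credentials_expire": creds["Expiration"].isoformat()}
```

The state check matters in practice: Account Factory also emits lifecycle events for failed runs, and acting on those would create a VPC for an account that was never fully provisioned.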
- Once this is verified, use the following workflow to delete the resources created by the test.
- Detach the VPC created in the preceding test from the shared TGW. To do this, go to the Aviatrix Controller UI. From the left sidebar, select TGW Orchestrator and then select Build. Scroll to the section Detach VPC from TGW. For TGW Name, select the name of your AWS Transit Gateway. For VPC Name, select the VPC that was created as part of the Lambda execution. Choose Detach.
- In the upper right Useful Tools menu, select the three vertical dots. Select Delete from the drop-down menu to delete the VPC.
- Delete the account that was onboarded by the Lambda function. To do this, select Accounts and then select Access accounts. On the page, select the AWS account that was onboarded to the Aviatrix Controller as part of the Lambda execution and choose Delete.
In this post, we showed you how the Aviatrix Cloud Network Platform helps set up the network connectivity in your AWS Control Tower environment. Once the solution is deployed in AWS Control Tower, it does the following:
- Creates VPCs in every new AWS account in the Region where AWS Control Tower is set up, and connects them with the rest of the network topology within AWS Control Tower.
- Ensures VPCs have separate CIDR block ranges so that there are no routing conflicts.
- Manages IP address space for VPCs and manages AWS Transit Gateway routing tables, VPC attachments, and other configuration changes.
You can deploy and integrate AWS Marketplace solutions for AWS Control Tower into any AWS account enrolled by AWS Control Tower. If you want to get started on AWS or are in the process of building your Landing Zone, visit the Getting Started with AWS Control Tower page for guidance on building a well-architected AWS environment. You can integrate Aviatrix Cloud Network Platform for AWS Control Tower in AWS Marketplace by visiting the solution page and using the implementation guide that accompanies the solution.
About the authors
As an AWS Solutions Architect, Anandprasanna Gaitonde is responsible for helping customers design and operate well-architected solutions to help them adopt AWS Cloud successfully. He focuses on AWS networking and Serverless technologies to design and develop solutions in the cloud across industry verticals. He has Solutions Architect Professional, Advanced Networking and Advanced Security Specialty certifications and holds a Master of Engineering in Computer Science and post-graduate degree in Software Enterprise Management.
Abhishek Bhat is a Principal Solutions Architect leading the automation practice at Aviatrix bringing 15 years of experience designing, operating, and developing software for large-scale networks. At Aviatrix, Abhishek is focused on helping enterprises build efficient network architectures and adopt automation best practices. He specializes in Serverless technologies, building event-based automation and Infrastructure as Code (IaC) build pipelines.