After completing the prerequisite setup, you can configure the IAM role for Avi Load Balancer Controller as IT-AviController-Role by following the steps mentioned in AWS Installation section. Ensure that the VPCs and subnets are configured in AWS, so that the Avi Load Balancer Controller management interface and Service Engine’s management networks will be reachable from other accounts.

Prerequisites

The prerequisite configuration is required on AWS to set up the IAM user or roles to access other accounts using Assume Role.

Procedure

  1. Create the AWS cloud by navigating to Infrastructure > Clouds and click CREATE > Amazon Web Services. Under AWS tab, choose the appropriate AWS Region, click SET CREDENTIALS and select Use IAM Roles check box. Ensure that the IT-AviController-Role is attached to the Avi Load Balancer Controller when it is launched for it to assume the role.
    Note:

    Both IAM role and access/secret key can used for cross-account role given the role/user has the necessary permissions (cross-account policy).



  2. Select the Use Cross-Account AssumeRole check box, if the cloud has been set up in another AWS account. However, in this case, the Avi Load Balancer SE cloud is created in the Prod AWS account (112233445566) from the Avi Load Balancer Controller hosted in IT AWS account (123456789012). As the cross-account AssumeRole has already been set up for IT-AviController-Role, on selecting the check box, the back-end APIs will fetch the associated AssumeRole accounts and their roles and display them in the drop-down menu. If there are no AssumeRoles attached, then the list would have been empty. The ARN of the role that the Controller instance's IAM role (in our example, AviController-Refined-Role) can assume the role, can be entered into a text box.
  3. Select the ARN for the account and role, where the SE targets will be deployed.


  4. If the role has appropriate access and is correctly setup, Avi Load Balancer Controller will fetch the AWS account details and configuration’s VPC networks. Similarly, this will continue for the older SE AWS cloud setup.

    • Cloud setup will progress, and the Avi Load Balancer SE AMI will be copied to the target account.

    • Once the transfer is completed, the cloud status will move to Cloud ready for Virtual Service placement.

  5. Virtual services can now be configured on this cloud by following the steps mentioned at Create a Virtual Service.