This section covers the prerequisites for NSX Advanced Load Balancer integration with AWS.


For the NSX Advanced Load Balancer Controller to work with encrypted SQS queues and other artifacts of Amazon Simple Notification Service (SNS), either the user whose access/secret key is used or the AviController-Refined-Role must have the following policies attached to it:

  • AviController-SQS-Policy

  • AviController-SNS-Policy

  • AviController-KMS-Policy

The AviController-Refined-Role must be able to decrypt received messages when polling SQS queues. For this, the AviController-KMS-Policy must be updated to include within it a write action, kms:Decrypt. JSON files for this role and policy are shown in the IAM Role Setup for Installation into AWS section.