After completing the prerequisite setup, you can configure the IAM role for NSX Advanced Load Balancer Controller as AviController-Refined-Role by following the steps mentioned in AWS Installation section. Ensure that the VPCs and subnets are configured in AWS, so that the NSX Advanced Load Balancer Controller management interface and Service Engine’s management networks will be reachable from other accounts.
Procedure
- Create the AWS cloud by navigating to and click . Choose the appropriate AWS Region and select the check box for Use AWS Identity and Access Management (IAM) roles. This will ensure that the AviController-Refined-Role is attached to the NSX Advanced Load Balancer Controller when it is launched.
Note:
Both IAM role and access/secret key can used for cross-account role given the role/user has the necessary permissions (cross-account policy).
- Select the check box for Use Cross-Account AssumeRole, if the cloud has been set up in another AWS account. However, in this case, the NSX Advanced Load Balancer SE cloud is created in the Prod AWS account (112233445566) from the NSX Advanced Load Balancer Controller hosted in IT AWS account (123456789012). As the cross-account AssumeRole has already been set up for AviController-Refined-Role, on selecting the check box, the back-end APIs will fetch the associated AssumeRole accounts and their roles and display them in the drop-down menu. If there are no AssumeRoles attached, then the list would have been empty. The ARN of the role that the Controller instance's IAM role (in our example, AviController-Refined-Role) can assume the role, can be entered into a text box.
- Select the ARN for the account and role, where the SE targets will be deployed.
- If the role has appropriate access and is correctly setup, NSX Advanced Load Balancer Controller will fetch the AWS account details and configuration’s VPC networks. Similarly, this will continue for the older SE AWS cloud setup.
Cloud setup will progress, and the NSX Advanced Load Balancer SE AMI will be copied to the target account.
Once the transfer is completed, the cloud status will move to Cloud ready for Virtual Service placement.
- Virtual services can now be configured on this cloud by following the steps mentioned at Create a Virtual Service.