Aviatrix Cloud Sandbox Starter - Spin up Cloud Networks in Minutes

Userlevel 6
Badge +6



Aviatrix Sandbox Starter Tool (SST) is a community-based and community-supported tool that deploys following small test/lab cloud network environment in minutes.

This SaaS like lightweight tool first deploys an Aviatrix Controller in AWS. Once the Controller is up, the tool uses Terraform to create Aviatrix transit (Hub and Spoke) topology in AWS.

Two EC2 test instances will be deployed and connected, that can be used to run test cases, POC or SRE work using the Aviatrix platform with simplicity, automation, visibility, and control.

The self-guided UI workflow can also deploy Azure Network and connect to AWS.

Additional use-cases can then be added directly from Controller UI or Terraform following step by step tool user guide.

SST itself can be deployed using three different options

  1. AWS EC2 Instance
    1. This method is documented in this article itself.
  2. Cloud AMI via Terraform Module
  3. Local Machine 

This document uses the recommended Cloud AMI Option#1 to deploy the SST and Cloud Networks.


The Sandbox Starter Tool itself is free but there is a cost of running the lab. Please refer to this link for a detailed cost breakdown.

Before You Begin


When subscribing to the platform, you must set up your account after clicking subscribe to generate your controller license key (which will be emailed to the address used in the set up process). This will be used as input to the sandbox starter and subsequently configured during your controller launch.

This tool works the best for a brand new Aviatrix Controller deployment. If you previously deployed Aviatrix Controller, make sure you delete the following first

  • Aviatrix EC2 roles
  • Aviatrix EC2 policies are deleted
  • Delete Aviatrix default key-pair

Launch Sandbox Starter Using AWS EC2 Instance

You can deploy this tool in any AWS region. Make sure you have a proper EIP and VPC quota for your region. In our example, we will be deploying the Sandbox Starter tool in the N. Virginia region (us-east-1).

  • Click here to search for the Sandbox Starter Public AMI under the Images section and select the latest Sandbox Starter AMI

  • Click the "Launch Instance from Image" button and select t3.micro or t2.micro instance size


  • Click Configure Instance Details and provide the following information. Leave everything else as default
    • Network: Select the default VPC.
    • Subnet: Select the public subnet
    • Auto-assign Public IP: Enable

  • Click Add Storage button. Do not change anything here
  • Click Add Tags. Do not change anything here
  • Click Configure Security Group and block inbound access to SST EC2
  • Create a new security group with the following information
    • Security Group Name: Aviatrix_Sandbox_Starter_SG
    • Delete the SSH TCP 22 rule and add a new HTTPS TCP 443 rule. You must make sure that only your IP address has access to Sandbox Tool
    • Ignore the warning

Reference: Authorize inbound traffic for your Linux instances

  • Review and launch now

  • Select the Key Pair and Launch

  • Click on the instance ID to show the details and copy the Public IPv4 address

  • Once the instance "Running", browse to https://<Public IPv4 address>
    • In our example it is
    • The tool uses a self-signed certificate
      • Accept the warning and proceed
      • If using Chrome and you get a connection error message, you can bypass that by clicking anywhere and typing thisisunsafe

You should see the "Aviatrix Sandbox Starter" user interface (UI) now.

Standard Mode Wizard with AWS

Standard is the recommended workflow. This will deploy the controller and topology in the regions specified in the diagram.



Provide AWS Credentials

You can get the Access Key under the "Security Credential" area in AWS console. If you don't have one, you should create one.

Launch the Controller in AWS


  • The controller version will default to that which is needed for ACE courses. You can choose other available versions with the understanding that they may not be compatible those courses.
  • Be sure to subscribe to the AWS marketplace offerings mentioned in the Before You Begin section above and set up your account to generate the Controller License required as input.
  • In the future, we might add the option to launch Controller in other Clouds

Launch Global Transit (Hub) and two Spokes in AWS

Launch Test EC2 instances

Test EC2 (Amazon Linux VMs) will be launched in their respective Spoke VPCs

Provide an Existing Key Pair Name

This must be configured in your AWS account in us-east-2 (Ohio) region as per-requisite. You will need this Key Pair to login to test EC2 instances to verify the end-to-end connectivity.

Select No for "Launch Aviatrix Transit in Azure"

Success Message

Upon success, you will receive the necessary public and private IP addresses. The entire process should take somewhere between 22-30 minutes.

Now you can log in to Aviatrix Controller UI by clicking the controller URL.

Note: The user name is admin and the password is the one you selected earlier in the process.

Lock Inbound Access to Controller

After the Controller is deployed, you must do the following to lock the inbound access so that no one has access to it.

1-  Enable the security group management feature so all of the gateways' IP addresses are allowed to reach the controller on HTTPS/port 443

2- Lock all inbound access to Controller except your own IP address


Experience the Platform and Deploy Use Cases

Follow the instructions in the Test Plan to experience the Aviatrix Multi-Cloud platform and deploy recommended use case.

Besides that, users are highly encouraged to deploy more use-cases based on their needs and requirement by following the official documentation at

Standard Mode Deployment with AWS and Azure

Azure deployment is optional. You must have an Azure subscription and related information if you are planning on extending the network in Azure.

For Sandbox deployment both in AWS and Azure, follow the video here


Destroy / Delete the entire LAB


Once you are done testing and validating Cloud Networks, you may destroy or delete the entire lab. First, turn off AWS access security on the controller by logging into the controller and clicking on "Settings" in the left-hand nav. Click on "Controller," then "Access Security" in the top tabs. Under "Controller Security Group Management," click "Disable".

Back in the sandbox starter, use the "Destroy" option on the top right of the browser UI.

If you destroyed SST before getting a chance to destroy your environment, you will need to manually delete these resources in order (always check you are in the appropriate region first):

  1. Terminate the Spoke and Transit gateways in AWS (if applicable)
  2. Remove the Resource Groups in Azure (if applicable)
  3. Disable Termination Protection on the EC2 instance for the Controller
  4. Terminate the Controller EC2 instance
  5. Remove the SSH keypair
  6. Delete the Security Groups
  7. Delete the VPC where the Gateways and Controller was deployed
  8. Delete the IAM Roles and Policies starting with ‘aviatrix’

Note that if you deployed CoPilot, it must be deleted manually by logging into AWS/Azure Console.

Support Model

This community-based and open-source tool is NOT supported by the Aviatrix Enterprise support team. For any questions or issues related to this tool, please use the Aviatrix Community platform.

Open Source

  1. Code for this open-source tool is available at
  2. Terraform module for Sandbox Starter launch is available here at
  3. The container code is available here

60 replies

Amazing, Shahzad Ali, I really enjoyed this post

Userlevel 6
Badge +6

Rolando Kohl Thanks!

Shahzad Ali can the controller for the sandbox be deployed in Azure or only in AWS? Everything seems to reference AWS for the controller and only Azure for additional gateways. 

Userlevel 6
Badge +6

Raphael Evans With this tool, the controller can only be deployed in AWS. For Azure controller, follow this procedure please

Great tutorial; the sandbox build and use case testing went well. Now I'm trying to figure out how to destroy the build; I get "this site can't be reached". The controller and all the gateways are up, but I can't get back to the Sandbox Starter screen to click the "Destroy" button. I try to manually shutdown the instances, but they auto start. How do I run the Destroy command from the Docker CLI?

Userlevel 6
Badge +6

Mike Arnold You should be able to get to the UI if you reboot. If not, then try this manual method.

Your terraform state should be there in the Docker. The terraform destroy should destroy it all.

Shahzad Ali I'm not sure, but I think my issue may be that I ran the sandbox startup from a cloud9 instance; I can't find the terraform files, so it looks like I may need to shut everything down manually from AWS console.

Userlevel 2
Badge +1

Mike Arnold From your screenshot, it looks like you're just at the root of your cloud9 ec2 instance itself. Since you can't get to the UI, I'm guessing that the sandbox-starter docker container isn't running anymore. You could check with the following command.

docker ps

If there's nothing listed, you could try to start it with this command.

docker start $(docker container ls -aq)

If that doesn't get you the UI (to try and execute the 'destroy' button), but the container is running (verified from the output of 'docker ps'), then you could try this - from your bash prompt (as shown in your screenshot) execute this command:

docker exec -it <container_id> /bin/bash

..where <container_id> is the id of your container as shown from the 'docker ps' command. This puts your bash prompt inside the container. Then

cd controller
terraform destroy

If your terraform state is still available, you'll get a listing of all the infrastructure you provisioned and be able to reply yes to have it destroyed. I'm making assumptions as to the current state of your environment, so you may run into issues with these commands.

If you want to destroy you environment manually, you'll need to start with the controller first. It's the one that is restarting other instances.

Let us know how it goes

John, thanks for the tips

I was able to start the container after running the image; however, it looks like I need to re-initialize the terraform script. 

NOTE: because I was getting billed to my personal account, I used the controller to detach and delete all the gateways; this gave me a little breathing room to play with this. I configured backups to an S3 bucket before I deleted the gateways. I'm wondering if I performa a restore if I would be able to run the destroy command; or, if it even matters. Can I run the destroy command if some objects have been removed manually?

Userlevel 2
Badge +1

Mike Arnold I wouldn't expect destroy via the tool to be an option based on your screenshot. Having removed the gateways via the controller, the only objects left are the controller ec2 instance, 2 iam roles, 2 iam policies, and the ec2 keypair. Once you remove those, you'd be able to run the tool again if you want.

John Smoker  yep, gotcha. I could run a restore then a destroy, but to tell you the truth, I'm getting a little bored with this; I'll go ahead and do the cleanup manually. 

I'm not sure if my reasoning for using cloud9 is valid, but it was quick and easy to get sandbox started; docker was pre-installed. I just had to run the commands.

I think my first mistake was setting a 30min time for sleep mode; it made since at the time. I didn't realize that the container wouldn't startup automatically

Thanks for your help; I have a much better understanding of how this process works. I'm going to dig a little more into the terraform  scripts then clean it all up manually

Userlevel 2
Badge +1

Mike Arnold Yeah, the starter is really just that - a jumpstart to demo the product. Once you're looking at the terraform code itself, you've got the tool and patterns for deploying the infrastructure directly (no docker required). Good luck!

Hi Shahzad,

I just deployed with the Standard option by following the instructions and the result was instances (Spokes) that are disconnected from Transit.
I also checked this to be sure..the route tables for them have just 0/0 via IGW :)
I assume there should have been some routes via the ENI of the Spoke GW (wanted to reverse engineer a bit).
I can also see this with FlightPath.
Is there any quick way to correct this?


Userlevel 6
Badge +6

Mihai The tool automatically connects Spoke to Transit. How did you verify that Aviatrix Spoke GWs (EC2) are disconnected from Aviatrix Transit GWs (EC2)? Can you send u screen shot please?

In any case, you can connect them in the Controller UI under Multi-Cloud Transit --> Setup section.

John Smoker Umair Hoodbhoy

Userlevel 2
Badge +1

Mihai Confirming that this is a bug in the current version and that the spokes do not attach to the transit as you've described. You can fix this manually by going to 'Multi-Cloud Transit' on the left-hand navigation, choosing 'Setup', scrolling to '6a Attach Spoke Gateway to Transit Network', selecting a spoke and transit and clicking 'Attach'. Repeat for the other spokes. Be sure to only attach aws gateways to aws transit and the same for azure (if applicable). Version 0.5 (latest) of the sst image fixes this issue. If you launched from the ami, that will be updated in the next few hours, depending on the launching region.

John Smoker

Thank you for confirming this and the "fix" worked 🙂 (I have to recognise that I did spot that menu but did not try it out to see what happens, I rushed a bit through).
I had launched it from ami (used the latest guide, I know that before there was a docker container -> Terraform that did all the magic in the background).

Userlevel 2
Badge +1

Mihai Glad that worked for you! The ami is just a packaging of the sst container. Which, you're correct, is powered by Terraform. The code is open source and you'll find it here.


Obviously the Starter Tool in AWS doesn't destroy itself, just the components it deploys.

Apart from destroying that SST EC2 instance, whatever else should be destroyed?

I set this up which went well, but I (and two other colleagues) all had issues with destroying the environment. The destroy button only removed the controller itself, but nothing else in AWS and Azure. I went into docker on the Sandbox instance and only saw terraform deploying the controller and as such it only wanted to destory that, but nothing else. I had to remove the rest manually.

I found that the rest of the state is in the mcna folder, but it seems like terraform destroy doens't get executed in that folder for some reason.

Userlevel 2
Badge +1

Erik Lawaetz If you've executed the 'Destroy' from the sst UI, the only thing remaining is the sst ec2 instance. If there was an issue during that process (your aws access key or azure credentials not having permissions to clean up), the components that the sst deploys are resource groups (and infrastructure contained within) in azure, and ec2 instances, keypairs, and vpcs (in the regions you've selected), 2 iam roles and 2 policies in aws.

Userlevel 2
Badge +1

Adam Stipkovits The destroy button code calls terraform destroy from both the mcna and controller folders. Interesting that didn't occur in your case. Was there any error message in the debug output (blue bug button in the bottom right corner)? Since you're inside the container, what's the output for:

terraform state list

...inside the mcna folder? If there are items in that list, what happens if you:

terraform destroy -auto-approve


there are reference to the IAM user credentials in the beginning of the guide, but not a single word about which IAM permissions this user should have assigned, could you please clarify this point?

Userlevel 2
Badge +1

vjacheslav Great question! I've updated the Before you begin section to provide guidance under the access/secret key topic. Hope this helps clarify. Let me know if you have further questions.

hello John Smoker much appreciated for the update!