Cloud Configuration

To have access to the cloud services, the CloudEOS and vEOS Router must be provided with credentials. Additionally, a proxy may be configured for the connection to the cloud services to go through.

AWS Specific Cloud

Complete the following tasks to configure AWS Specific Cloud services.

  • Configure Credentials
  • Access to AWS Specific Cloud API Server
  • If CloudEOS and vEOS is associated with a public IP address, no special configuration is required.
  • If CloudEOS and vEOS is not associated with an public IP address, either use AWS Private Link or Proxy configuration

Configure Credentials

In the AWS Specific Cloud configuration, a region must be specified. It is recommended to authorize the CloudEOS and vEOS Router by assigning it an IAM role, but an explicit credential can also be specified.

  • IAM Role Configuration - No credentials. See Cloud Provider Helpful Tips for additional information.
  • Explicit Credential Configuration

AWS Specific Cloud IAM Role Configuration

The IAM role should be configured on the AWS Specific as shown below. This is the recommended configuration.

  • "Trust Relationships" has "" as trusted entities.
  • "Policy" with "Permissions" for the network related EC2 actions.
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": [
"Resource": "*"

This is applicable only when running in AWS cloud environment and configures various aspects of Cloud HA feature to interact with AWS web services.

Note: The access-key-id and secret access-key commands are either both configured or both are omitted. If omitted, the Cloud HA Agent will try to use AWS IAM role for security tokens to access and control AWS route tables. Verify the IAM role for the CloudEOS and vEOS router Virtual Machine( VM ) is configured properly on the AWS cloud. Refer to AWS documentation to configure IAM role.

switch(config)#cloud provider aws
switch(config-cloud-aws)#access-key 0 ATPAILIL5E982IPT7P3R
switch(config-cloud-aws)#secret access-key 0 M0RRUtAA8I8wYxJB8
switch(config-cloud-aws)#region us-west-1
switch(config-cloud-aws)#proxy test

Configure the backup-gateway, primary-gateway, Route Table ID(rtb) and local interface for AWS.

The Route Table ID specifies for AWS the backup-gateway and primary gateway, then the destination selects the individual route within the route table to control. The local-cloud-interface then points to the interface ID eni-867caa86 (from AWS perspective) of the vEOS router that the traffic should be directed.

switch(config)#cloud high-availability
switch(config-cloud-ha)#peer veos2
switch(config-cloud-ha-peer-veos2-aws)#backup-gateway rtb-40b72d24 local-cloud-interface eni-867caa86
switch(config-cloud-ha-peer-veos2-aws)#primary-gateway rtb-2843124c local-cloud-interface eni-867caa86

Explicit Credential Configuration

The explicit credential should be configured as shown below.

switch(config)#cloud provider aws
switch(config-cloud-aws)#region us-west-1 
switch(config-cloud-aws)#access-key 0 MYEXAMPLESECRETKEY
switch(config-cloud-aws)#secret access-key 0 MYEXAMPLESECRETKEY


There are two authorization models that can be used in Azure: SDK Auth Credentials and Active Directory Credentials. SDK Auth Credentials are the recommended authorization model.
  • SDK Auth Credentials

    To generate SDK Auth Credentials, use the sdk authentication credential-file flash:startup-config command in the config-cloud-azure configuration mode.

    switch(config)#cloud provider azure
    switch(config-cloud-azure)#sdk authentication credential-file
  • Active Directory Credentials

    The following example places the vEOS router into the config-cloud-azure configuration mode and sets the active directory credentials.

    switch(config)#cloud provider azure
    switch(config-cloud-azure)#active-directory credential 
    email subscription-id ef16892c-aa46-4aba-ae9a-d4fhsb1c612c