FQDN/URL Based Egress Filtering FAQs
Is application-based filtering possible?
Aviatrix Egress FQDN filters traffic at Layer 7 (L7) by FQDN, by IP address, or by wildcard FQDN (for example *.example.com).
If deeper inspection is needed, an NGFW can be deployed with the Aviatrix FireNet solution alongside it.
Are there any 3rd-party plug-ins for the FQDN filters, i.e. DNS filtering based on domain classification?
No. There is no built-in domain-classification feed, but you can import your own filter lists.
Does the controller identify URLs on the basis of families? How do we redirect the DNS request to Aviatrix FQDN Engine?
The Aviatrix Gateway replaces the cloud-native NAT gateway: it performs NAT and adds L7 FQDN filtering. The Aviatrix Controller automatically programs the VPC/VNet routes needed to send Internet-bound traffic to the Egress Gateway. No DNS redirection is required, because the filter is applied to the traffic itself rather than to the DNS query.
Is DNS still resolved normally, with the packet dropped based on the data-plane traffic?
Yes. DNS is resolved exactly as it is today. When the traffic reaches the Aviatrix Gateway, the gateway inspects the hostname the client supplies in the HTTP Host header (or the TLS SNI for HTTPS) and drops the connection if that hostname does not comply with the configured FQDN filter. Note that the decision is made on a field the client itself supplies; the filter does not verify that the name belongs to the destination IP.
Can the Aviatrix gateway identify phishing attacks?
The FQDN filter does not classify domains as phishing (there is no domain-classification feed). What it does is block connections to any domain that is not on the configured list, so in allow-list mode a workload that is tricked into contacting an unlisted phishing or call-home domain is stopped at the gateway.
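The two answers above describe the gateway's decision in words: take the hostname the client supplies, match it against the FQDN list (wildcards included), and drop anything that does not match. The following is an added example that models that decision; it is not Aviatrix code and makes no claim about how the gateway is implemented. The wildcard semantics (*.example.com matches any name under example.com but not the apex), the default-deny behaviour when no hostname can be found, and the sample requests are all assumptions constructed for the example.

```python
"""
Added example (not Aviatrix code): a minimal model of an FQDN egress
filter. It extracts the destination hostname that the client supplies
(HTTP Host header on port 80, TLS SNI on port 443), matches it against an
allow-list with wildcard support, and drops anything that does not match.
DNS resolution is untouched; the decision is made on the data-plane traffic.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional


def host_from_http(payload: bytes) -> Optional[str]:
    """Return the lower-cased Host header of a plaintext HTTP request, without port."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0].lower()
    return None


def sni_from_client_hello(payload: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello, or None if absent/malformed."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:   # TLS handshake record, ClientHello
            return None
        pos = 5 + 4 + 2 + 32                           # record hdr, handshake hdr, version, random
        pos += 1 + payload[pos]                        # session id
        (cs_len,) = struct.unpack_from("!H", payload, pos)
        pos += 2 + cs_len                              # cipher suites
        pos += 1 + payload[pos]                        # compression methods
        (ext_total,) = struct.unpack_from("!H", payload, pos)
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", payload, pos)
            pos += 4
            if ext_type == 0:                          # server_name extension
                if payload[pos + 2] != 0:              # name_type must be host_name
                    return None
                (name_len,) = struct.unpack_from("!H", payload, pos + 3)
                return payload[pos + 5:pos + 5 + name_len].decode("ascii").lower()
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def fqdn_matches(rule: str, host: str) -> bool:
    """Assumed wildcard semantics: '*.x.com' matches any name under x.com, not x.com itself."""
    rule, host = rule.lower().rstrip("."), host.lower().rstrip(".")
    if rule.startswith("*."):
        suffix = rule[1:]                              # ".x.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return rule == host


@dataclass
class Decision:
    action: str          # "allow" or "drop"
    host: Optional[str]  # hostname the decision was based on, if one was found


def egress_decision(dst_port: int, payload: bytes, allowlist: List[str]) -> Decision:
    """Allow only if a client-supplied hostname is found and matches the list (default deny)."""
    if dst_port == 443:
        host = sni_from_client_hello(payload)
    elif dst_port == 80:
        host = host_from_http(payload)
    else:
        host = None                                    # nothing to inspect at L7
    if host is None:
        return Decision("drop", None)
    if any(fqdn_matches(rule, host) for rule in allowlist):
        return Decision("allow", host)
    return Decision("drop", host)


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS ClientHello for the sample input (not captured traffic)."""
    ext = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_data = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sni_data)) + sni_data
    body = (b"\x03\x03" + b"\x00" * 32                 # version + random (zeros, sample only)
            + b"\x00"                                  # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
            + b"\x01\x00"                              # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed allow-list and sample flows (assumptions for the example).
ALLOWLIST = ["*.amazonaws.com", "pypi.org", "files.pythonhosted.org"]
SAMPLES = [
    (443, build_client_hello("s3.us-east-1.amazonaws.com")),      # wildcard match
    (80, b"GET /simple/ HTTP/1.1\r\nHost: pypi.org\r\n\r\n"),      # exact match
    (443, build_client_hello("login-update.example.net")),        # unlisted call-home
    (443, build_client_hello(None)),                              # no SNI: nothing to match
    (22, b"SSH-2.0-OpenSSH_9.6\r\n"),                             # no L7 hostname at all
]


def run_samples():
    return [(port, egress_decision(port, payload, ALLOWLIST)) for port, payload in SAMPLES]


if __name__ == "__main__":
    for port, decision in run_samples():
        print(f"port {port:>3}: {decision.action:<5} host={decision.host}")
```

Running the block drops the unlisted call-home, the SNI-less TLS session and the SSH flow, and allows the two listed destinations. The sni_from_client_hello parser also illustrates the caveat in the answer above: the name it returns is whatever the client placed in the ClientHello, so a filter built this way constrains which names may be requested, not which IP the bytes actually go to.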
Is the Aviatrix Gateway a router or a firewall? If both, why use a 3rd-party firewall such as Palo Alto Networks (PAN)?
The Aviatrix Gateway does routing plus centralized L4 firewalling and FQDN/URL filtering. 3rd-party NGFWs such as PAN are full L7 firewalls; enterprises need them for payload inspection and other deep security inspection that hostname-based filtering does not provide.
Can the VPC use private (RFC 1918) subnets such as 192.168.1.0/24 and NAT them before traffic enters the public network?
Yes. This is exactly how Egress is implemented: workloads in private subnets are routed to the Egress Gateway, which applies the FQDN filter and then source-NATs the traffic to its public IP.
Can Amazon GuardDuty be used in other clouds?
Amazon GuardDuty is an AWS-native service; the other clouds have comparable services of their own. Technically, GuardDuty findings could be used to program ingress firewall rules on Aviatrix gateways that reside in other clouds, but two problems remain: other clouds do not always provide the VPC ingress routing needed to redirect inbound traffic to an Aviatrix gateway, and GuardDuty findings may be specific to the AWS environment.