Centralized FQDN (Egress Filtering) for Your Private Instances in Cloud
Ever wanted an easy way to perform Egress filtering for ALL your private instances in the cloud?
Now you can.
Introducing the Aviatrix Centralized Fully Qualified Domain Name (FQDN) Gateway, which can also be used for egress filtering.
In this article, a “virtual cloud” refers to VPCs/VCNs/VNets.
What does the Aviatrix FQDN feature do?
Aviatrix Fully Qualified Domain Name (FQDN) is a security service specifically designed for workloads or applications in the public cloud. It filters Internet-bound egress traffic initiated from workloads in a virtual cloud.
Aviatrix FQDN filters any TCP and UDP traffic, including HTTP, HTTPS and SFTP. The filtering function allows destination host names to be allow-listed or deny-listed.
For HTTP/HTTPS (TCP port 80/443), the FQDN feature also supports wildcards (*). For example, you can specify *.salesforce.com to allow traffic to any domain name that ends in "salesforce.com".
Each destination is specified as a fully qualified domain name (FQDN). For example, if you only want to allow Internet-bound traffic to www.google.com, list the domain name www.google.com in the allow list.
You can also allow or deny specific subdomains. For example, you can block *images.google.com while allowing *google.com; because the rules are evaluated in order, the more specific deny rule has to come before the broader allow rule.
How does it work?
The function is transparent to individual instances and is carried out inline without requiring any certificate or keys to decrypt the traffic: the gateway matches on the host name that already appears in clear text in the connection (the Host header for HTTP, the Server Name Indication in the TLS handshake for HTTPS), so the payload itself is never decrypted.
Non-HTTP/HTTPS traffic can also be filtered, based on exact domain names only (no wildcards). Use cases are secure file transfer (SFTP) to external sites and secure login (SSH) to external sites.
What do you mean Centralized?
Aviatrix's secret sauce is the Aviatrix Transit (the heart of the data plane, connected to the regional virtual clouds of your infrastructure) together with the Aviatrix Gateways deployed in the individual virtual clouds, all of them orchestrated from the Aviatrix Controller (the control plane).
Now you can deploy an FQDN Gateway inside the Aviatrix Transit, and all Internet-bound traffic from your private instances in the various virtual clouds passes through that FQDN Gateway. Because the FQDN Gateway sits inside the Aviatrix Transit, it serves ALL virtual clouds, and hence is centralized.
Deploying a Centralized FQDN Gateway
In the Aviatrix Controller, deploying a Centralized FQDN Gateway takes two steps.
1) Go to Firewall Network > Setup > Transit FireNet tab > Step 3a: Enable Transit FireNet on Aviatrix Transit Gateway. Pick the Transit Gateway next to which you want to deploy the Centralized FQDN Gateway in the next step (i.e., Step 2):
2) Go to Firewall Network > Setup > Firewall tab > Step 2c: Launch and Associate Aviatrix FQDN Gateway. Now that the FireNet option is enabled on the Transit Gateway (which makes it a Transit FireNet Gateway), select this Transit FireNet Gateway under "Gateway Name" and fill in the remaining details for the new FQDN Gateway that will be deployed next to it. Hit Launch and you are good to go!
Aviatrix makes it just as easy to apply egress filtering rules on your FQDN Gateways:
- Go to Security > Egress Control > Step 3: Egress FQDN Filter.
- Click "New Tag" and provide a name for your filter.
- Click "Edit", then add your domain names with their action by clicking "Add New". The ordering of rules is important: rules are evaluated top to bottom and the first rule that matches a destination decides it, so put specific exceptions above broader rules. Then hit "Update" and "Close" to close the pop-up.
- Click "Attach Gateway" on the tag filter and select your Centralized FQDN Gateway (see Step 2 of Deploying a Centralized FQDN Gateway above).
- Select the appropriate option in the AllowList/DenyList column. This is the Base Policy: with AllowList, destinations that match no rule are blocked; with DenyList, destinations that match no rule are allowed.
- Toggle the Status column to "Enabled" to enable the filter.
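To make the matching semantics concrete (the wildcard and subdomain rules from "What does the Aviatrix FQDN feature do?" and the ordering and Base Policy behaviour from the filter steps above), here is a small Python model of an ordered FQDN allow/deny list. It is an added example written for this article, not Aviatrix code, and the tag name, rules and host names in it are constructed. It models a leading "*" as a plain suffix match, which is how the page describes it ("ends in salesforce.com"); verify against your own gateway before relying on the exact wildcard boundary.

```python
"""Added example (not Aviatrix's own code): a small model of how an ordered
FQDN allow/deny list with a base policy decides Internet-bound destinations.
Tag names, rules and host names below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The page states wildcards are only supported for HTTP/HTTPS (TCP 80/443);
# other protocols (SFTP, SSH, ...) must be filtered on an exact domain name.
WILDCARD_PORTS = {("tcp", 80), ("tcp", 443)}


@dataclass(frozen=True)
class Rule:
    fqdn: str            # exact host name, or a single leading '*' wildcard
    action: str          # "allow" or "deny"
    proto: str = "tcp"
    port: int = 443

    def __post_init__(self) -> None:
        if self.action not in ("allow", "deny"):
            raise ValueError(f"unknown action {self.action!r}")
        if "*" in self.fqdn:
            if not self.fqdn.startswith("*") or self.fqdn.count("*") > 1:
                raise ValueError("only a single leading '*' is modelled here")
            if (self.proto, self.port) not in WILDCARD_PORTS:
                raise ValueError("wildcards are only supported for TCP 80/443")

    def matches(self, host: str, proto: str, port: int) -> bool:
        if (proto, port) != (self.proto, self.port):
            return False
        host = host.lower().rstrip(".")
        pattern = self.fqdn.lower()
        if pattern.startswith("*"):
            # Suffix match, as the page describes ("ends in ..."). Note that
            # '*google.com' (no dot after '*') also matches 'notgoogle.com',
            # while '*.google.com' is limited to subdomains of google.com.
            return host.endswith(pattern[1:])
        return host == pattern


@dataclass
class FqdnTag:
    name: str
    base_policy: str                    # "allowlist" or "denylist"
    rules: List[Rule] = field(default_factory=list)

    def decide(self, host: str, proto: str = "tcp", port: int = 443) -> str:
        """First matching rule wins; unmatched traffic falls to the base
        policy (AllowList denies it, DenyList allows it)."""
        for rule in self.rules:
            if rule.matches(host, proto, port):
                return rule.action
        return "deny" if self.base_policy == "allowlist" else "allow"


def demo() -> Dict[str, str]:
    """Evaluate a constructed rule set modelled on the page's example."""
    tag = FqdnTag("egress-prod", "allowlist", [
        Rule("*images.google.com", "deny"),      # specific exception first
        Rule("*google.com", "allow"),
        Rule("*.salesforce.com", "allow", port=80),
        Rule("*.salesforce.com", "allow", port=443),
        Rule("sftp.partner.example", "allow", port=22),   # exact name, SFTP
    ])
    probes = [
        ("www.google.com", "tcp", 443),
        ("images.google.com", "tcp", 443),
        ("cdn.images.google.com", "tcp", 443),
        ("notgoogle.com", "tcp", 443),           # over-broad '*google.com'
        ("login.salesforce.com", "tcp", 443),
        ("salesforce.com", "tcp", 443),          # not a subdomain, no match
        ("sftp.partner.example", "tcp", 22),
        ("sftp.partner.example", "tcp", 443),    # same host, other port
        ("www.example.com", "tcp", 443),         # unmatched -> base policy
    ]
    return {f"{h}:{p}": tag.decide(h, pr, p) for h, pr, p in probes}


def ordering_matters() -> Tuple[str, str]:
    """Same two rules in both orders: the deny only wins when it comes first."""
    specific_first = FqdnTag("a", "allowlist", [
        Rule("*images.google.com", "deny"), Rule("*google.com", "allow")])
    broad_first = FqdnTag("b", "allowlist", [
        Rule("*google.com", "allow"), Rule("*images.google.com", "deny")])
    return (specific_first.decide("images.google.com"),
            broad_first.decide("images.google.com"))


def wildcard_rejected_for_ssh() -> bool:
    """A wildcard rule on TCP 22 violates the HTTP/HTTPS-only wildcard rule."""
    try:
        Rule("*.partner.example", "allow", port=22)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for dest, verdict in demo().items():
        print(f"{dest:32} {verdict}")
    print("ordering (specific first, broad first):", ordering_matters())
```

Two things in the output are worth a second look when you write real tags: the "notgoogle.com" probe shows why "*.google.com" is safer than "*google.com" whenever you only mean subdomains, and the two SFTP probes show that an exact-name rule is bound to its protocol and port, so the same host on another port falls through to the Base Policy.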
If you are flabbergasted at how this can be so easy, believe me, it is! If you have a more advanced use case with an NGFW or AWS TGW and require egress filtering, we support that as well.
Contact us for a demo: http://www.aviatrix.com/schedule-demo