
Centralized FQDN (Egress Filtering) for Your Private Instances in Cloud

Ever wanted an easy way to perform Egress filtering for ALL your private instances in the cloud?

Now you can.

Introducing the Aviatrix Centralized Fully Qualified Domain Name (FQDN) Gateway, which can also be used for egress filtering.

In this article, a “virtual cloud” refers to VPCs/VCNs/VNets.

 

What does the Aviatrix FQDN feature do?

Aviatrix Fully Qualified Domain Name (FQDN) is a security service specifically designed for workloads or applications in the public cloud. It filters Internet bound egress traffic initiated from workloads in a virtual cloud.

Aviatrix FQDN filters any TCP and UDP traffic including HTTP, HTTPS and SFTP traffic. The filtering function allows the destination host names to be whitelisted or blacklisted.

For HTTP/HTTPS (TCP ports 80/443), the FQDN feature also supports wildcards. For example, you can specify *.salesforce.com to allow traffic to any hostname that ends in “.salesforce.com”.

Each destination is specified as a fully qualified domain name. For example, if you want to allow Internet-bound traffic only to www.google.com, list www.google.com in the whitelist.

You can also allow or deny specific subdomains only. For example, you can block *images.google.com while allowing *google.com: the more specific pattern decides for the hostnames it covers.
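The matching semantics described above, worked through in code. This is an added example written for this page, not Aviatrix code, and it assumes two things the text implies but does not spell out: a pattern with a leading * matches any hostname that ends in the rest of the pattern, and when several patterns match, the one with the longest literal part decides (which is what lets *images.google.com override *google.com). The policy, the hostnames and the names Rule, evaluate and lint are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    pattern: str  # an exact FQDN, or a pattern with one leading '*'


def _normalize(name: str) -> str:
    # DNS names are case-insensitive and a trailing dot is the same name.
    return name.strip().lower().rstrip(".")


def _matches(pattern: str, host: str) -> bool:
    """Assumed semantics: a leading '*' matches any prefix, including an
    empty one; a pattern without '*' must match the whole hostname."""
    pattern, host = _normalize(pattern), _normalize(host)
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    return pattern == host


def _specificity(rule: Rule):
    # Longest literal part wins; an exact name beats a wildcard of equal length.
    literal = rule.pattern.lstrip("*")
    return (len(literal), not rule.pattern.startswith("*"))


def evaluate(rules: Iterable[Rule], host: str, default: str = "deny") -> str:
    """Return 'allow' or 'deny' for host under the given rules.
    The most specific matching pattern decides; 'default' applies when
    nothing matches (deny by default gives an allowlist posture)."""
    candidates = [r for r in rules if _matches(r.pattern, host)]
    if not candidates:
        return default
    return max(candidates, key=_specificity).action


def lint(rules: Iterable[Rule]) -> List[str]:
    """Flag wildcard patterns whose '*' is not followed by '.': these are
    bare suffix matches and also cover unrelated registrations such as
    notgoogle.com for *google.com."""
    return [r.pattern for r in rules
            if r.pattern.startswith("*") and not r.pattern.startswith("*.")]


# Constructed sample policy mirroring the article's examples.
POLICY = [
    Rule("allow", "www.google.com"),
    Rule("allow", "*google.com"),
    Rule("deny", "*images.google.com"),
    Rule("allow", "*.salesforce.com"),
]

if __name__ == "__main__":
    for host in ["www.google.com", "images.google.com", "mail.google.com",
                 "evilgoogle.com", "api.salesforce.com", "salesforce.com",
                 "example.org"]:
        print(f"{host:28} -> {evaluate(POLICY, host)}")
    print("patterns to review:", lint(POLICY))
```

Two results are worth noticing. *.salesforce.com does not match the apex salesforce.com, so list the apex separately if you need it. And a leading * that is not followed by a dot is a bare suffix match, so *google.com also allows a hostname such as evilgoogle.com; lint() flags that pattern shape so it can be reviewed before the rule goes live.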

 

How does it work?

The function is transparent to individual instances and is carried out inline, without requiring any certificates or keys to decrypt the traffic; encrypted sessions stay end-to-end encrypted between the workload and its destination.

Non-HTTP/HTTPS traffic can also be filtered, based on exact domain names rather than wildcards. Typical use cases are secure file transfer (SFTP) and secure login (SSH) to external sites.

 

What do you mean Centralized?

Aviatrix’s secret sauce is the Aviatrix Transit (the heart of the data-plane, connected to the regional virtual clouds of your infrastructure) and the Aviatrix Gateways deployed in the various virtual clouds (which form the control-plane).

Now you can deploy an FQDN Gateway inside the Aviatrix Transit, so that all Internet-bound traffic from your private instances in the various virtual clouds passes through the FQDN gateway. Because the FQDN Gateway sits inside the Aviatrix Transit, it serves ALL virtual clouds, and hence is centralized.

  

 

Deploying a Centralized FQDN Gateway

In Aviatrix Controller, deploying a Centralized FQDN Gateway is very easy.

1) Enable Transit FireNet on the Aviatrix Transit Gateway where you want to deploy the Centralized FQDN Gateway in Step 2.

2) Select that Aviatrix Transit Gateway, specify a few details, and you are good to go!

 

 

Egress Filtering

Aviatrix makes it easy to apply egress filtering rules on your FQDN gateways. Simply “Attach” the gateway to an egress filter rule, and voilà!

 

Looking Forward

If you are flabbergasted at how this can be so easy, believe me, it is! If you have a more advanced use case with an NGFW or AWS TGW and require egress filtering, we support that as well!

 

Contact us for a demo: http://www.aviatrix.com/schedule-demo
