Public Subnet Filtering / Egress FQDN for Public Instances
Many customers learned about Aviatrix when they wanted an easy solution to Egress filtering. This article shows how Aviatrix makes it easy to perform Egress filtering on your public instances.
This article introduces the Aviatrix Public Subnet Filtering gateway, a Fully Qualified Domain Name (FQDN) gateway that can be used for Egress filtering as well.
In this article, a “virtual cloud” refers to VPCs/VCNs/VNets.
What does the Aviatrix FQDN feature do?
Aviatrix Fully Qualified Domain Name (FQDN) is a security service specifically designed for workloads or applications in the public cloud. It filters Internet-bound egress traffic initiated from workloads in a virtual cloud.
Aviatrix FQDN filters any TCP and UDP traffic including HTTP, HTTPS and SFTP traffic. The filtering function allows the destination host names to be whitelisted or blacklisted.
For HTTP/HTTPS (TCP port 80/443), the FQDN feature also supports wildcards, such as *. For example, you can specify *.salesforce.com to allow traffic to any domain name that ends in “salesforce.com”.
You can also allow or deny specific subdomains only. For example, you can say that *images.google.com is blocked while *google.com is allowed.
How does it work?
The function is transparent to individual instances and is carried out inline without requiring any certificate or keys to decrypt the traffic.
Non-HTTP/HTTPS traffic can also be filtered, based on exact domain names. Use cases include secure file transfer (SFTP) to external sites and secure login (SSH) to external sites.
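As an added illustration (example code written for this article, not Aviatrix's own code and not a description of the Controller's internals), the following Python policy evaluator models the matching semantics described above: wildcard patterns are honoured only for TCP 80/443, every other port needs an exact host name, and, as an assumption the article does not state, the most specific matching rule wins, which is how a deny on *images.google.com overrides an allow on *google.com. The rule set and sample flows are constructed.

```python
import fnmatch
from dataclasses import dataclass

HTTP_PORTS = {80, 443}  # wildcards apply only to HTTP/HTTPS, per the feature description


@dataclass(frozen=True)
class Rule:
    pattern: str  # e.g. "*.salesforce.com", "*images.google.com", "sftp.partner.example"
    action: str   # "allow" or "deny"


def pattern_matches(pattern: str, host: str, port: int) -> bool:
    """True if the rule pattern applies to this destination host and port."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if "*" in pattern:
        # Wildcard rules are only evaluated for HTTP/HTTPS; SFTP/SSH etc. need exact names.
        if port not in HTTP_PORTS:
            return False
        return fnmatch.fnmatchcase(host, pattern)  # '*' matches any prefix, dots included
    return host == pattern


def evaluate(rules, host: str, port: int, mode: str = "whitelist") -> str:
    """Return 'allow' or 'deny' for a destination.

    Assumption (not stated in the article): when several rules match, the most
    specific one (longest literal part) wins. With no match, whitelist mode
    denies and blacklist mode allows.
    """
    matches = [r for r in rules if pattern_matches(r.pattern, host, port)]
    if not matches:
        return "deny" if mode == "whitelist" else "allow"
    best = max(matches, key=lambda r: len(r.pattern.replace("*", "")))
    return best.action


# Constructed rule set and flows for demonstration only.
RULES = [
    Rule("*.salesforce.com", "allow"),
    Rule("*google.com", "allow"),
    Rule("*images.google.com", "deny"),
    Rule("sftp.partner.example", "allow"),  # exact name, used for SFTP on port 22
]

SAMPLE_FLOWS = [
    ("login.salesforce.com", 443), ("mail.google.com", 443), ("images.google.com", 443),
    ("sftp.partner.example", 22), ("mail.google.com", 22), ("updates.example.net", 443),
]

if __name__ == "__main__":
    for host, port in SAMPLE_FLOWS:
        print(f"{host}:{port} -> {evaluate(RULES, host, port)}")
```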
What is a Public Subnet Filtering Gateway?
A Public Subnet Filtering gateway (PSF/Egress FQDN gateway) provides Egress security to public subnets where instances have public IP addresses. This applies to all major cloud service providers (CSPs).
A PSF Gateway is deployed within the local virtual cloud (VPC/VNet/VCN). It is not deployed at the transit layer. For this reason, this filtering mechanism is also called Local Egress Filtering. (Note: In contrast, Centralized Egress Filtering is done at the transit layer, and that is for private subnets only.)
The following two diagrams show that PSF Gateways (Egress FQDN) are deployed locally. One architecture has the transit layer and the other does not have a transit layer, but the PSF Gateway is never part of the transit layer.
Deploying a PSF Gateway for Local Egress Filtering
In Aviatrix Controller, deploying a PSF Gateway is easy. One simply heads to Security > Public Subnet Filter and adds a new gateway by filling out the simple form. And done!
Aviatrix makes it so easy to apply Egress filtering rules on your FQDN gateways. Head over to Security > Egress Control to create a new “tag” (i.e., the name of a filter rule). Then simply “Attach” the PSF Gateway to the filter rule, and voilà!
If you are flabbergasted at how this can be so easy, believe me, it is very easy! If you have a more advanced use case with NGFW or AWS TGW and require Egress filtering, then contact us to find out how we can integrate Aviatrix to your needs.
Schedule with us a demo: http://www.aviatrix.com/schedule-demo