
Network management is complex and multi-layered. Our Tech Deep Dive series is made for cloud architects, engineers, developers, operations, platform, and security teams who want the deeper technical explanation of the Aviatrix solution. We’ll explore the particular details of what makes our data plane, feature set, and configuration work, and how they empower networking teams.
In this post, Tim McConnaughy, Technical Marketing Engineer, explains why egress security is essential and how the Aviatrix solution provides it.
Egress security is the practice of inspecting and controlling outbound cloud traffic to stop data exfiltration, malware and lateral movement. Understandably, most organizations focus on ingress security, or preventing threat actors from getting into their apps and services. However, egress security is just as important as ingress because it prevents data exfiltration, malware, and lateral movement within your network.
Here, we’ll explore how edge or egress security works and give a detailed summary of how Aviatrix’s Cloud Firewall solution secures network data.
What You’ll Learn:
- How edge security works
- The difference between centralized and decentralized security in the cloud
- Benefits of a decentralized solution
- How the Aviatrix Cloud Firewall delivers cloud-native, decentralized security to protect the network egress
Edge Security Is Not New
Networks Have Always Required Security
As long as workloads have needed to connect to the Internet, there has been a need to secure that workload. In traditional on-premises deployments, the perimeter of the network has been tightly controlled and safeguarded from attack, while allowing internal resources to access external ones securely.
Traditional network design is also multi-tiered, which lends itself to a defense-in-depth approach: security teams could gate each layer, from the innermost tier out to the edge, as compliance requirements dictated.
Edge Security as the Only Defense
Because of budget constraints, however, businesses could only invest in edge security. Therefore, security teams could only focus their efforts on preventing attacks at the edge of the network. Once an attacker got inside a network, there was minimal security and maximum lateral attack surface for other resources.
Edge Security Is Not Enough
While many edge security vendors were excellent at preventing attacks initiated from the outside, most of them failed to provide adequate security for internally initiated attacks such as phishing and rootkits. Such attacks rely on the user or workload initiating the outbound connection to the attacker, either deliberately, as when a user clicks a bad URL, or unknowingly, as when malicious software installed on the workload opens the connection itself.
How the Cloud Brought New Freedom but Greater Security Risks
The cloud brought a lot of freedom and speed to agile development. No longer were developers required to request resources from system administrators and network engineers, nor did they have to adhere to stringent security policy because the cloud was not part of the corporate bastion environment.
Over time, cloud teams were formed to govern the deployments, but their mandate was around enablement, standardization, and control, with very little security focus.
This approach gave rise to a minimal security focus in architecture when it should have been one of the most important considerations. The cloud breaks the concept of a perimeter entirely, and that causes a lot of headaches for security teams.
When workloads have direct access to the Internet without edge security, a breach is only a matter of time.
The Problems of Centralized Security
Centralized security using known on-premises security vendors was the next step taken by the network and security teams. Network and security experts finally became part of the conversation as these cloud workloads started to become business critical. This security pattern involved using a virtualized firewall appliance and centralizing traffic flows from workloads to that firewall for egress traffic.
This pattern was duplicated as needed, mostly between regions and clouds, which necessitated more firewall deployments. There were (and are) a few problems with using this architecture in the cloud:
- Compute power – Virtualized firewall appliances from traditional vendors require large compute footprints as they are modeled after hardware
- Costs – Centralized inspection architecture requires data transfer which often results in extra per-GB charges
- Complexity – Deployment of the virtualized firewalls and orchestration of the traffic to the centralized architecture is complex
The loosely coupled architecture recommended for cloud deployments and the lack of a well-defined perimeter make traditional egress security deployment patterns less ideal and more cumbersome.
Aviatrix offers a superior cloud firewall design pattern using the Aviatrix Cloud Firewall.
The Aviatrix Cloud Firewall: Decentralized, Cloud-Native Security
The base component of the Aviatrix Cloud Firewall solution is the Aviatrix gateway. In this use case, the gateway serves as a security appliance, offering a web-layer proxy with TLS decryption as well as a firewall. The gateway takes the place of a traditional in-line security appliance or first-party NAT technology such as AWS NAT Gateway which may already be deployed to a VPC, VNet, or VCN in support of workload egress.
The greatest difference between the Aviatrix approach and traditional security deployments is the decentralization of policy enforcement. In a traditional, on-premises deployment, decentralized security enforcement was notoriously difficult due to the scale and management options available.
The Aviatrix approach to providing a secure cloud egress solution is to focus on where the workloads are deployed, not a porous, loosely defined edge. This allows practitioners to ensure that security policy and enforcement happens as close to the data as possible, minimizing data movement and potentially saving money on data transfer.
The Benefits of Decentralized Security
Decentralized security allows for many benefits, such as:
- Policy can be centrally defined, but granularly applied only where policy is intended to be enforced
- Enforcement of policy where the data lives instead of where the data moves in transit
- Minimization of data transfer to what is needed and allowed by policy
- Reduced stress on traditional security enforcement appliances by denying traffic close to the source
Aviatrix is a hybrid, single cloud, and multicloud product. Defining and enforcing security policy across multiple vendor environments is an extremely challenging task in the best of circumstances; with cloud providers, it nears the impossible. Because Aviatrix supports networking within and across multiple clouds, however, it is part of our DNA to understand when to orchestrate native cloud constructs, and when it makes sense to leverage the Aviatrix cloud gateways for security outcomes.
One Security Policy Across a Diverse Network
The Aviatrix Cloud Firewall can define a single security policy and interpret and enforce that policy anywhere Aviatrix is deployed.
By creating SmartGroups, WebGroups, and an egress policy, you can provide granular, scalable egress security for your organization across any number of clouds and regions.
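To make the SmartGroup / WebGroup / egress-policy model concrete, here is a small Python evaluator added for this post; it is not Aviatrix code, and the selector semantics, class names and sample values are assumptions chosen for illustration. It shows how a single ordered policy can be evaluated identically wherever a gateway sits, with anything unmatched denied by default.

```python
"""Toy model of a decentralized egress policy built from SmartGroups,
WebGroups and an ordered policy list (illustration only, not Aviatrix code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Workload:
    name: str
    ip: str
    tags: dict


@dataclass
class SmartGroup:
    """Selects workloads by tag match and/or CIDR membership (assumed semantics)."""
    name: str
    tags: dict = field(default_factory=dict)
    cidrs: list = field(default_factory=list)

    def matches(self, w: Workload) -> bool:
        tag_ok = all(w.tags.get(k) == v for k, v in self.tags.items())
        cidr_ok = not self.cidrs or any(ip_address(w.ip) in ip_network(c) for c in self.cidrs)
        return tag_ok and cidr_ok


@dataclass
class WebGroup:
    """Allowed destinations as FQDN patterns matched against the TLS SNI."""
    name: str
    fqdns: list

    def matches(self, sni: str) -> bool:
        return any(fnmatch(sni, pattern) for pattern in self.fqdns)


@dataclass
class Rule:
    priority: int
    src: SmartGroup
    web: Optional[WebGroup]  # None means "any destination"
    action: str  # "permit" or "deny"


def evaluate(rules, workload: Workload, sni: str) -> str:
    """Lowest priority number wins; an unmatched flow is denied by default."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src.matches(workload) and (rule.web is None or rule.web.matches(sni)):
            return rule.action
    return "deny"


# Constructed sample groups and policy (not from any real deployment).
PROD = SmartGroup("prod-app", tags={"env": "prod"}, cidrs=["10.1.0.0/16"])
ANY_VM = SmartGroup("any-vm")
UPDATES = WebGroup("os-updates", ["*.ubuntu.com"])
SAAS = WebGroup("approved-saas", ["api.example-saas.com"])
RULES = [Rule(10, PROD, SAAS, "permit"), Rule(20, ANY_VM, UPDATES, "permit")]
```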
While planning for a secure cloud egress solution is important, how the solution is deployed is equally important. Because Aviatrix recommends a distributed security approach to cloud security, the best deployment will take advantage of the cloud service provider best practices, including loose coupling and designing for resilience. Aviatrix recommends two cloud-focused deployment principles to secure workloads:
- Design for security as close to the source as possible to avoid data transfer charges
- Design for resilience by creating Aviatrix gateways in each Availability Zone (AZ) where workloads require access to the Internet
Consider this reference architecture that shows how multicloud Aviatrix Cloud Firewall is typically deployed, as an example:
There are a few important things to understand as part of this architecture:
- Targeted deployments – Each AZ with a workload has an Aviatrix gateway. This allows for targeted deployments to minimize the cost of cross-AZ data transfer charges. It also allows workload traffic optimization. If AZ2 in the AWS App VPC has workloads that egress far more than workloads in another AZ, that Aviatrix gateway can be optimized for traffic throughput and appropriately sized without requiring oversizing the whole deployment. This also improves resiliency and minimizes cross-AZ data transfer charges.
- Redundancy and resiliency – In AWS, the VPC requires an Internet Gateway first-party cloud construct to allow egress to the Internet; the Azure deployment does not (this will change in 2025 and require Azure NAT Gateway for VMs). In both deployments, Aviatrix took care of the first-party native cloud orchestration to ensure the traffic would egress via the Aviatrix gateway, and, in the case of a gateway failure, Aviatrix can automatically direct traffic to another Aviatrix gateway without intervention. This is an example of how Aviatrix supports redundancy and resiliency in the product natively.
In both cases, the Aviatrix gateway has had the Local Egress feature enabled. This feature prepares the Aviatrix gateway to perform the NAT for workloads in the VPC/VNet and causes the Aviatrix controller to program the Route Tables of the VPC subnets to direct traffic to the Aviatrix gateway.
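The per-AZ placement and failover behaviour described above can be modelled in a few lines. The Python below is an added illustration, not Aviatrix controller code: it assumes one gateway per AZ, programs each subnet's default route at the same-AZ gateway (so no egress crosses an AZ boundary), falls back to any healthy gateway when the local one fails, and refuses to leave subnets without an egress path.

```python
"""Toy model of default-route programming for local egress with AZ affinity
and failover (illustration only; names and semantics are assumptions)."""
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    az: str
    healthy: bool = True


@dataclass
class Subnet:
    name: str
    az: str
    default_route: str = "igw"  # constructed initial state: 0.0.0.0/0 -> Internet Gateway


def program_routes(subnets, gateways):
    """Point every subnet's 0.0.0.0/0 route at a healthy gateway, preferring the
    gateway in the subnet's own AZ. Returns {subnet: gateway} for auditing."""
    healthy = [g for g in gateways if g.healthy]
    if not healthy:
        raise RuntimeError("no healthy egress gateway; refusing to black-hole traffic")
    assignment = {}
    for subnet in subnets:
        local = [g for g in healthy if g.az == subnet.az]
        chosen = (local or healthy)[0]  # same-AZ first, else any healthy gateway
        subnet.default_route = chosen.name
        assignment[subnet.name] = chosen.name
    return assignment


def cross_az_flows(subnets, gateways):
    """Subnets whose egress currently crosses an AZ boundary (incurs transfer cost)."""
    by_name = {g.name: g for g in gateways}
    return [s.name for s in subnets
            if s.default_route in by_name and by_name[s.default_route].az != s.az]
```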
Note: Refer to the Aviatrix Technical Documentation to enable this feature.
Network Visibility: Security Starts with Sight
Aviatrix offers amazing visibility into all parts of the network by being part of the data plane. This means that unlike first-party native tools that hide the details of traffic, or require expensive and complex traffic mirror services, we provide network-layer visibility details down to the packet at no extra cost. We also integrate with industry-standard logging tools like SIEM to deliver security insights and alerts as part of the standard product.
Security and Visibility with Aviatrix CoPilot
CoPilot serves as both a configuration and visualization appliance for your Aviatrix Cloud Firewall deployment:
- Network-wide policy enforcement – SmartGroups, WebGroups and policy are defined within CoPilot and pushed to the distributed Aviatrix gateways for enforcement.
- Real-time telemetry – The gateways send operational telemetry back to CoPilot for visualization and for delivery to any configured remote logging solutions.
- Logging integrations – Aviatrix CoPilot delivers logs via Remote Syslog, Datadog Agent, CloudWatch Agent, and NetFlow Agent. This allows you to leverage any compatible logging ingestion service for insights and alerting.
Final Notes
The Aviatrix Cloud Firewall is a low-effort, low-risk, high-reward way to approach cloud security. Deploying a distributed firewall and egress solution is the most cost-effective way to approach cloud security at the workload level without having to centralize and manage a fleet of third-party traditional vendors to achieve the same outcomes.
The perimeter of the cloud is not the same walled garden that it was on-premises. Security design must change to account for the loose coupling, Internet-adjacent workloads and architecture of cloud while still offering the best security possible.
- Schedule a demo to learn more about how the Aviatrix Cloud Firewall can protect your network.
- Take a free security assessment for your network.