Issue link: https://aviatrix.com/resources/i/1494831
© Aviatrix, 2023.

Design Requirements

• Filtering Control: Native cloud constructs such as Internet or NAT Gateways provide limited visibility and filtering control, creating a visibility gap for cloud operations and security teams. Provide FQDN context in centralized security policies for VPC/VNet egress traffic across regions and clouds.
• Visibility and Policy Discovery: Log the internet sites (domains, URLs) that applications in VPCs or VNets visit, to help create filtering policies.
• Geoblocking: Reduce exposure to unnecessary geographies.
• Blocking Threats: Before creating an allow-list, blocking known threats reduces overall risk.
• Allow Listing: Create FQDN "Allow" lists to reduce an attacker's ability to exfiltrate data. This limits the ability of malicious traffic to communicate with your cloud applications and resources.
• Security Policies: Centrally manage whitelisted domains so that policies can be applied easily to any VPC or VNet through deployment workflows or Terraform automation.
• Compliance: Ensure egress filtering meets corporate or regulatory compliance requirements, such as PCI, HIPAA, and SOC2.
• High Performance at Low Cost: Optimize costs by enabling distributed FQDN filtering to operate on low-cost cloud compute platforms. Replace expensive NAT gateways that provide neither visibility nor security.
• Automation: Support for Terraform Infrastructure-as-Code automation and integration with CI/CD pipelines.

Design Elements and Features

Aviatrix Intelligent Centralized Controller

The Aviatrix controller is the brain of the cloud network platform. The controller leverages centralized intelligence and knowledge of native cloud network constructs to deploy, dynamically manage, and program the Aviatrix gateways. This SDN-style approach creates a separation of duty between the control plane (controller) and the data plane (gateways), producing an agile and secure network fabric with service-like qualities.

Combined with Aviatrix's Terraform provider, this design enables network and security Infrastructure-as-Code automation across a multicloud environment.

Aviatrix Gateways

Aviatrix gateways deliver advanced cloud networking and security services. For this validated design, Aviatrix gateways are deployed to provide real-time visibility into egress traffic and distributed filtering services based on policies (FQDN allow-lists or IP addresses) that limit VPC or VNet egress traffic to known domain names or domain paths, with wildcard support. Aviatrix gateways replace native NAT gateways, providing high throughput with minimal compute requirements. Secure Egress gateways can be deployed independently of other Aviatrix solutions, or operate as spoke gateways to deliver transit network and security services such as dynamic routing, active-active network high availability, and full-mesh high-performance encryption.

FQDN/URL Filtering Control

Native cloud constructs such as Internet or NAT gateways have no built-in security and require additional services, such as security groups, to implement control. Security groups can enforce policy based on IP, but not on application-level data such as FQDNs or URLs. This creates a visibility gap for cloud operations and security teams. Aviatrix builds in security and allows the use of FQDNs, along with cloud-native tags and attributes, in centralized security policies for VPC/VNet egress traffic across regions and clouds. FQDN filtering rules support wildcard matching for more streamlined policy creation. The rules support HTTP/HTTPS and additional protocols such as SFTP, FTP, and ICMP. Traffic can also be filtered by IP/port/protocol.
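The two steps the design describes, discovering which domains workloads actually reach from egress logs and then enforcing an FQDN allow-list with wildcard rules, are modelled below in a small added example. This is not Aviatrix code and does not reproduce how Aviatrix gateways evaluate rules; the log format, the `Rule` shape and the wildcard semantics (`*.example.com` covers any subdomain depth but not the apex name) are assumptions chosen for illustration, and the log lines are constructed.

```python
"""Added example (not Aviatrix code): egress-log domain discovery plus
allow-list evaluation with wildcard FQDN rules. Matching semantics are
assumptions for illustration only."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One allow-list entry: exact name or '*.domain' wildcard, protocol, port ('all' = any)."""
    fqdn: str
    proto: str = "tcp"
    port: str = "443"


def fqdn_matches(pattern: str, host: str) -> bool:
    """Assumed wildcard semantics: '*.example.com' matches any depth of
    subdomain (api.example.com, a.b.example.com) but not the apex 'example.com'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]            # ".example.com"
        return host.endswith(suffix) and host != pattern[2:]
    return host == pattern


def is_allowed(rules: list[Rule], host: str, proto: str, port: int | str) -> bool:
    """Allow-list mode: traffic passes only if some rule matches host, proto and port."""
    for r in rules:
        proto_ok = r.proto.lower() in ("all", proto.lower())
        port_ok = r.port == "all" or r.port == str(port)
        if proto_ok and port_ok and fqdn_matches(r.fqdn, host):
            return True
    return False


def parse_egress_line(line: str) -> dict[str, str]:
    """Constructed log format: '<timestamp> key=value key=value ...'."""
    return dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)


def discover_domains(lines: list[str]) -> Counter:
    """Policy-discovery step: count how often each destination FQDN was seen."""
    return Counter(parse_egress_line(ln)["dst"] for ln in lines if ln.strip())


def suggest_allow_list(lines: list[str], min_hits: int = 1) -> list[Rule]:
    """Turn observed (dst, proto, port) tuples into candidate rules, most-seen first."""
    seen = Counter()
    for ln in lines:
        if not ln.strip():
            continue
        f = parse_egress_line(ln)
        seen[(f["dst"], f["proto"], f["port"])] += 1
    ranked = sorted(seen.items(), key=lambda kv: (-kv[1], kv[0]))
    return [Rule(d, p, port) for (d, p, port), n in ranked if n >= min_hits]


def evaluate_log(rules: list[Rule], lines: list[str]) -> list[tuple[str, str]]:
    """Replay the log through the allow-list and return (host, 'allow'|'deny') per line."""
    out = []
    for ln in lines:
        if not ln.strip():
            continue
        f = parse_egress_line(ln)
        verdict = "allow" if is_allowed(rules, f["dst"], f["proto"], f["port"]) else "deny"
        out.append((f["dst"], verdict))
    return out


# Constructed sample egress log (not real traffic).
SAMPLE_LOG = """\
2023-06-01T10:00:01Z vpc=app-prod dst=api.example.com proto=tcp port=443
2023-06-01T10:00:02Z vpc=app-prod dst=cdn.example.com proto=tcp port=443
2023-06-01T10:00:03Z vpc=app-prod dst=api.example.com proto=tcp port=443
2023-06-01T10:00:04Z vpc=app-prod dst=updates.vendor.example proto=tcp port=443
2023-06-01T10:00:05Z vpc=app-prod dst=files.unknown.test proto=tcp port=21
2023-06-01T10:00:06Z vpc=app-prod dst=example.com proto=tcp port=80
""".splitlines()

# Hypothetical allow-list built from the discovery output.
POLICY = [
    Rule("*.example.com", "tcp", "443"),
    Rule("updates.vendor.example", "tcp", "443"),
]

if __name__ == "__main__":
    for host, n in discover_domains(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {host}")
    for host, verdict in evaluate_log(POLICY, SAMPLE_LOG):
        print(f"{verdict:5s} {host}")
```

The discovery pass is the "log first, then build the allow-list" workflow from the requirements; the replay shows why the apex domain and the FTP destination are denied under an allow-list that only names `*.example.com` on 443, which is the kind of false-positive check worth running before a policy is pushed to production gateways.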