The Easy Way of Securing Cloud Egress

Egress FQDN Filtering

Aviatrix Fully Qualified Domain Name (FQDN) filtering controls Internet-bound egress traffic initiated from workloads in a VPC/VNet. Workloads in a CSP are mostly applications, so the set of outbound APIs an application calls is deterministic. This is very different from on-prem, where end-user traffic and application traffic are blended together.

Egress FQDN is not a full-fledged firewall

A tag is a named list of FQDNs; it is created and managed on the Controller console. One or more gateways may be attached to a tag, and each gateway can be attached to more than one tag.

Design Patterns

  • Local Egress FQDN Filtering (Distributed)
  • Centralized Egress with Aviatrix Transit

Recommendations

  • Monitor activity with Egress FQDN Discovery to assess which sites your apps are accessing and how they align with your business needs.
  • Identify whitelisted applications: decide which applications you want to allow, then create tags and FQDN rules for them.

Configuration

I’m going to deploy a new, dedicated gateway for Egress in an existing spoke:

Egress Discovery

To gain visibility and build the list of sites that apps and/or users need to access, use Egress Discovery. Egress Discovery can only run on a gateway that is not attached to a tag:

Once the gateway is selected, click “start” to begin collecting; the “show” button displays the results without stopping the assessment. After discovery has run for a suitable period of time (which depends on the enterprise, its apps, and its users), download the results, edit them, and feed them back in to configure Egress FQDN filtering.

Tags and FQDN

The Egress Control configuration is under Security. The first step is to create tag(s):

Once the tag is created, edit it to add domains:

or import a report generated by Discovery:

Attach to a gateway:

Finally, enable it:

Testing

From the test Compute Engine (CE) instance I “curl” a site that is allowed:

From the test CE instance I try to “curl” a site that is not in the allowed list:
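To make the Discovery, tag and testing steps above concrete, here is an added example in Python; it is not code from the post or from Aviatrix, and it models the workflow rather than the product's exact matching rules. It aggregates a constructed discovery report into candidate destinations, builds a tag (a named list of FQDN rules attached to one or more gateways), and then evaluates outbound requests in whitelist mode the way the two curl tests above are either allowed or dropped. The report format, the gateway name, the wildcard semantics (Python fnmatch) and the per-rule protocol/port fields are all assumptions.

```python
"""Added example (not from the post or Aviatrix): model of the Egress FQDN
workflow: discovery -> tag of FQDN rules -> whitelist decision per gateway."""
from collections import Counter
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed sample of a discovery report: source, destination host,
# protocol, port. The real report format is an assumption here.
DISCOVERY_LOG = """\
172.21.140.3 api.github.com tcp 443
172.21.140.3 api.github.com tcp 443
172.21.140.3 pypi.org tcp 443
172.21.140.3 files.pythonhosted.org tcp 443
172.21.140.3 updates.example-telemetry.net tcp 443
172.21.140.4 pypi.org tcp 443
"""


def discover(report):
    """Count (host, proto, port) tuples seen during the discovery period."""
    counts = Counter()
    for line in report.splitlines():
        if not line.strip():
            continue
        _src, host, proto, port = line.split()
        counts[(host.lower(), proto.lower(), port)] += 1
    return counts


@dataclass(frozen=True)
class Rule:
    """One FQDN rule: exact name or wildcard such as *.pythonhosted.org."""
    fqdn: str
    proto: str = "tcp"
    port: str = "443"

    def matches(self, host, proto, port):
        # Wildcard semantics are an assumption (fnmatch): "*.x.org" matches
        # "a.x.org" and "a.b.x.org" but not the bare "x.org".
        return (proto.lower() == self.proto and str(port) == self.port
                and fnmatchcase(host.lower(), self.fqdn.lower()))


@dataclass
class Tag:
    """A tag is a named list of rules; gateways are attached to it."""
    name: str
    rules: set = field(default_factory=set)
    gateways: set = field(default_factory=set)


def build_tag(name, counts, approved, gateways):
    """Turn discovered destinations the operator approved into rules.
    Anything discovered but not approved (e.g. telemetry) gets no rule."""
    rules = set()
    for host, proto, port in counts:
        for pattern in approved:
            if fnmatchcase(host, pattern.lower()):
                rules.add(Rule(pattern.lower(), proto, port))
    return Tag(name, rules, set(gateways))


def evaluate(host, proto, port, gateway, tags):
    """Whitelist mode: allow only if a tag attached to this gateway matches."""
    for tag in tags:
        if gateway in tag.gateways and any(
                r.matches(host, proto, port) for r in tag.rules):
            return "allow"
    return "deny"


def example_tag():
    """Build the tag used by the demonstration (gateway name is assumed)."""
    counts = discover(DISCOVERY_LOG)
    approved = ["api.github.com", "pypi.org", "*.pythonhosted.org"]
    return build_tag("spoke1-allowed-apis", counts, approved,
                     ["egress-gw-spoke1"])


if __name__ == "__main__":
    tag = example_tag()
    print("tag", tag.name, "rules:", sorted(r.fqdn for r in tag.rules))
    # Equivalent of the two curl tests: an allowed site and one not listed.
    for host in ("api.github.com", "updates.example-telemetry.net"):
        print(host, "->", evaluate(host, "tcp", "443", "egress-gw-spoke1",
                                   [tag]))
```

Note that a destination a gateway is not attached to, or a port the rule does not list, is denied even when the hostname matches, which is why the post recommends running discovery long enough to capture every application flow before switching the tag on.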

FQDN Stats

FQDN Stats is a tool under Security that graphically presents utilization statistics for the FQDN gateways:

It has a filter utility to help search through connections:

Troubleshooting

GCP Compute Engine Instance Route table before Egress:

GCP Compute Engine Instance Route table after Egress:

For GCP deployments, Compute Engine instances require the tag “avx-snat-noip” to route properly through an Egress FQDN gateway.

Egress FireNet

FireNet by default inspects traffic between on-prem and VPC/VNet and East-West traffic, but it can also be configured to inspect Internet outbound traffic. FireNet is discussed in the following blogs:

http://rtrentinsworld.com/2022/05/28/deploying-an-aviatrix-firenet-on-gcp-with-checkpoint/

http://rtrentinsworld.com/2022/05/28/deploying-an-aviatrix-firenet-on-gcp-with-fortinet-fortigate/

http://rtrentinsworld.com/2022/05/28/terraforming-an-aviatrix-firenet-on-gcp-with-pans/

To enable it:

  • Firewall Network -> List -> Egress Through Firewall

For GCP deployments, Compute Engine instances require the tag “avx-snat-noip” to route properly through an Egress FireNet.

We can also exclude subnets from East-West inspection and configure on-prem networks to egress through an Egress GW:

Testing

From the CE instance I “curl” https://google.com. We can see the flow log entries for the CE instance IP address 172.21.140.3 in the PAN GUI:

Troubleshooting

  • Egress FireNet Disabled: the default route points to the ethernet1/2 (LAN) interface
  • Egress FireNet Enabled: the default route points to the ethernet1/1 (WAN) interface
  • Egress NAT:

References

http://rtrentinsworld.com/2022/05/28/deploying-an-aviatrix-firenet-on-gcp-with-pans/
