Egress FQDN Discovery (Legacy)

This document describes Egress functionality available in the Aviatrix Controller prior to Controller 7.1/CoPilot 3.11.

As of Controller 7.1 and CoPilot 3.11, Distributed Cloud Firewall with WebGroups is the recommended method for configuring and implementing Egress Security.

Discover what Internet sites your apps visit before you configure the Egress FQDN Filter.

If you already know the sites your apps visit or the FQDN names you need to apply, skip the Discovery step.

  1. In the Aviatrix Controller, go to Security > Egress Control > Egress FQDN Discovery.

  2. Select a gateway from the dropdown menu and click Start. After the monitoring starts, click Show at any time to see the captured destination sites. Only HTTP (port 80) and HTTPS (port 443) results will display in the report.

  3. Click Stop to stop the Discovery process.

Starting Egress FQDN Discovery Mode

When you click Start, the Controller automatically enables the SNAT function on the gateway. The Controller then looks for all private subnets in the VPC/VNet and replaces any default route (0.0.0.0/0) that points to a NAT Gateway so that it points to the Aviatrix Gateway instead.

During the Discovery step, the Exception Rule must be enabled (the checkbox should be marked, which is the default setting).

Stopping Egress FQDN Discovery Mode

When you click Stop, the VPC/VNet private route table entry for the default route (0.0.0.0/0) will be restored to its previous setting.

Showing the Discovered Internet Sites

While the Egress FQDN Discovery is in progress, click Show at any time to see the captured destination sites.

Downloading FQDN Discovery File

Click Download during or after the Discovery to download the destination list. You can later import this list when you configure the FQDN Filter.

If a gateway is already attached to an FQDN tag, you cannot run the Discovery process, but you can view FQDN results immediately by going to Step 4, Egress FQDN View Log.