Egress Control Filter

For questions, check out Egress FQDN FAQ.

Configuration Workflow

Important

The VPC you want to apply FQDN filter must have an Aviatrix gateway launched with NAT enabled before starting the following steps.

Step 1. Add a new tag

Go Security -> FQDN, click New Tag, as shown below:

fqdn-new-tag

Click “+New Tag”, and enter a name for the tag, for example, prod-whitelist, as shown below:

fqdn-add-new-tag

Step 2. Add URL list to the new tag

Enable the new tag and click Edit, as shown below:

fqdn-enable-edit

Click “+Add New” to add each URL, wild card is allowed for HTTP/HTTPS (TCP 443), as shown below. (Action “Update” means to save the rules in the tag and if gateways are attached to the tag, “Update” applies the rules to the gateways.)

fqdn-add-domain-names

Step 3. Attach to gateways

Click “Attach Gateway” to attach a gateway to the tag.

When a gateway is attached to a tag, in the tag will be pushed for enforcement (whitelist or blacklist), as shown below.

fqdn-attach-spoke1

Repeat Step 3 if you have more gateways that should be attached to this tag.

fqdn-attach-spoke2

Add more tags

Repeat from Step 1 to create more tags and attach different gateways. Note each gateway can only be attached to one tag.

Exception Rule

Exception rule is a system wide mode.

When Exception Rule is enabled, packets passing through the gateway without SNI field are allowed to pass. This usually happens when an application uses hard coded destination IP address for HTTPS connection instead of domain names. This could be a security loop hole.

When Exception Rule is disabled, packets passing through the gateway without SNI field are dropped unless the specific destination IP address of the packet is listed in the Whitelist. The use case could be certain old application uses hard coded destination IP address to access outside services.

Export

This feature is available in Release 3.4 and later.

Export allows you to download the configured FQDN rules on a per tag bases, in a human readable text file format, as shown in the example below:

export

Import

This feature is available in Release 3.4 and later.

Import allows you to upload a text file that contains FQDN rules to a specific tag. The text file can be:

  1. The downloaded file from FQDN Discovery
  2. The download file from Export from a different tag.
  3. A text file in the format compatible to Export.

For support, send email to support@aviatrix.com

Enjoy!