Egress Security Score

The Egress Security Score on the Egress > Overview tab provides information on how well your VPC/VNets are protected by Aviatrix PaaS.

Click Protect VPC/VNets to open the Protected VPC/VNets tab.

Egress Security Score Calculation

Egress Score = (Sum of all scores of individual non-ignored VPC or VNets / Total number of non-ignored VPCs) * 100
0 is the lowest score for a VPC/VNet
1 is the highest score for a VPC/VNet
Gateway subnets are excluded
In AWS, focus on routes that have a next hop of "nat-*".

VPC/VNet State	Aviatrix Gateway	Criteria (AWS)	Definition	Score
Not Onboarded	None	No Aviatrix Gateways	VPC has no Aviatrix Gateways deployed and has direct access to the Internet.	0
Unprotected	Yes	0.0.0.0/0 points to the Aviatrix gateway AND there is no Default Deny Rule for the VPC OR 0.0.0.0/0 points to Internet Gateway	VPC has Aviatrix Gateways deployed and direct access to the Internet; traffic to Internet is not logged.	0
Monitored	Yes	0.0.0.0/0 points to the Aviatrix gateway AND VPC is in a 'Watch' Rule for Any-Web AND there is no Deny Any-Web Rule for the VPC	VPC has Aviatrix Gateways deployed and traffic to the Internet is being logged.	.5
Partially Protected	Yes	0.0.0.0/0 points to the Aviatrix Gateway AND there is no Default Deny Rule for the VPC AND the VPC is in another Deny Rule (but not Any-Web)	VPC has some selective traffic to the Internet blocked.	.75
Protected	Yes	0.0.0.0/0 points to the Aviatrix Gateway AND source VPC; Destination is Public Internet; there is a Deny Rule for the VPC	VPC may have only selective traffic to the Internet allowed.	1
No Egress	None / Yes	No 0.0.0.0/0 route in the VPC	VPC does not have direct access to the Internet	1
Ignored	None / Yes	Manually set state	VPC is ignored from Egress Score calculation	N/A

VPC/VNet State

Aviatrix Gateway

Criteria (AWS)

Definition

Score

Not Onboarded

None

No Aviatrix Gateways

VPC has no Aviatrix Gateways deployed and has direct access to the Internet.

Unprotected

Yes

0.0.0.0/0 points to the Aviatrix gateway AND there is no Default Deny Rule for the VPC

0.0.0.0/0 points to Internet Gateway

VPC has Aviatrix Gateways deployed and direct access to the Internet; traffic to Internet is not logged.

Monitored

Yes

0.0.0.0/0 points to the Aviatrix gateway AND VPC is in a 'Watch' Rule for Any-Web AND there is no Deny Any-Web Rule for the VPC

VPC has Aviatrix Gateways deployed and traffic to the Internet is being logged.

Partially Protected

Yes

0.0.0.0/0 points to the Aviatrix Gateway AND there is no Default Deny Rule for the VPC AND the VPC is in another Deny Rule (but not Any-Web)

VPC has some selective traffic to the Internet blocked.

.75

Protected

Yes

0.0.0.0/0 points to the Aviatrix Gateway AND source VPC; Destination is Public Internet; there is a Deny Rule for the VPC

VPC may have only selective traffic to the Internet allowed.

No Egress

None / Yes

No 0.0.0.0/0 route in the VPC

VPC does not have direct access to the Internet

Ignored

None / Yes

Manually set state

VPC is ignored from Egress Score calculation

N/A

Include VPC/VNets in the Egress Score

You can include selected VPC/VNets in the Egress Score calculation.

On the Security > Egress > Protected VPC/VNets tab, click the vertical ellipsis next to the VPC/VNet and select Include in Egress Score. The VPC/VNet will be included in the Egress Score calculation.

Ignore VPC/VNets for the Egress Score

You can exclude selected Unprotected VPC/VNets from being included in the Egress Score calculation.

On the Security > Egress > Protected VPC/VNets tab, click the vertical ellipsis next to the VPC/VNet and select Ignore for Egress Score. The VPC/VNet will not be included in the Egress Score calculation.

Egress Security Score

Egress Security Score Calculation

Include VPC/VNets in the Egress Score

Ignore VPC/VNets for the Egress Score

Related Topics