Distributed Cloud Firewall Overview

The Distributed Cloud Firewall (DCF) is an Aviatrix security feature that provides centralized policy management and distributed enforcement of network security rules across your multi-cloud environment.

What is Distributed Cloud Firewall?

Distributed Cloud Firewall enables you to define and manage security policies from a central location while enforcing those policies at distributed points throughout your network. This approach provides:
  • Centralized Policy Management: Define security rules once and apply them consistently across your entire cloud infrastructure.
  • Distributed Enforcement: Security policies are enforced at each Aviatrix gateway, reducing latency and improving performance.
  • Multi-Cloud Support: Apply consistent security policies across AWS, Azure, GCP, and OCI environments.
  • Microsegmentation: Create fine-grained security policies to control traffic between workloads.

Key Components

The Distributed Cloud Firewall consists of several key components:
Component      | Description
SmartGroups    | Logical groupings of resources based on tags, attributes, or other criteria
Security Rules | Policies that define allowed or denied traffic between SmartGroups
WebGroups      | Groups that define web-based destinations for egress control
ThreatGroups   | Pre-defined groups based on threat intelligence for blocking malicious traffic

Benefits

  • Simplified Security Management: Manage security policies from a single pane of glass rather than configuring individual cloud-native security groups.
  • Consistent Policy Enforcement: Ensure consistent security posture across heterogeneous cloud environments.
  • Reduced Operational Overhead: Eliminate the need to manage hundreds of security groups across multiple clouds.
  • Enhanced Visibility: Gain insight into traffic flows and security policy effectiveness through integrated logging and monitoring.

How It Works

  1. Define SmartGroups: Create logical groupings of your cloud resources based on tags, VPC/VNet attributes, or other criteria.
  2. Create Security Rules: Define rules that specify which SmartGroups can communicate with each other and on which ports/protocols.
  3. Distributed Enforcement: Aviatrix gateways automatically enforce these rules at the network layer, inspecting and filtering traffic in real time.
  4. Monitor and Audit: Use CoPilot to monitor traffic flows, audit policy compliance, and troubleshoot connectivity issues.
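The four steps above, modelled as an added Python example (not Aviatrix code): SmartGroups that select workloads by tag, Security Rules between SmartGroups with a protocol and port range, first-match evaluation in priority order, and a log line per decision. The tag-equality selector, the priority field and the implicit default deny for unmatched flows are assumptions of this model, not details taken from this page.

```python
from dataclasses import dataclass

# Constructed model of the four-step workflow (illustrative, not Aviatrix
# code): SmartGroups select workloads by tag, Security Rules between them are
# matched in priority order, and an unmatched flow hits an implicit deny.

@dataclass
class Workload:
    name: str
    tags: dict

@dataclass
class SmartGroup:
    name: str
    match_tags: dict  # every key/value must be present on the workload

    def contains(self, w: Workload) -> bool:
        return all(w.tags.get(k) == v for k, v in self.match_tags.items())

@dataclass
class Rule:
    name: str
    priority: int     # lower number is evaluated first (assumed ordering)
    src: str          # source SmartGroup name
    dst: str          # destination SmartGroup name
    protocol: str     # "TCP", "UDP" or "ANY"
    ports: tuple      # inclusive (lo, hi) destination port range
    action: str       # "PERMIT" or "DENY"

def evaluate(src, dst, protocol, port, smartgroups, rules):
    """Step 3 (enforcement) and step 4 (audit): first matching rule wins;
    returns (action, rule_name, log_line) for the flow."""
    sg = {g.name for g in smartgroups if g.contains(src)}
    dg = {g.name for g in smartgroups if g.contains(dst)}
    action, hit = "DENY", "implicit-default"   # assumed default when nothing matches
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.src in sg and r.dst in dg and r.protocol in ("ANY", protocol)
                and r.ports[0] <= port <= r.ports[1]):
            action, hit = r.action, r.name
            break
    log = f"{action} {src.name}->{dst.name} {protocol}/{port} rule={hit}"
    return action, hit, log

# Constructed sample policy: the web tier may reach the database on TCP/5432 only.
SMARTGROUPS = [SmartGroup("web-tier", {"app": "web"}), SmartGroup("db-tier", {"app": "db"})]
RULES = [Rule("web-to-db", 10, "web-tier", "db-tier", "TCP", (5432, 5432), "PERMIT"),
         Rule("no-db-ssh", 20, "web-tier", "db-tier", "TCP", (22, 22), "DENY")]
WEB = Workload("web-1", {"app": "web", "env": "prod"})
DB = Workload("db-1", {"app": "db", "env": "prod"})
```

Note that the reverse direction (db-tier to web-tier on 5432) is denied even though the forward rule exists, which is the behaviour to check when auditing a microsegmentation policy.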

Next Steps

  • Learn about SmartGroups for organizing your resources
  • Explore security rule configuration options
  • Review best practices for microsegmentation