
Overview

Egress filtering controls outbound traffic from your cloud environments, reducing exposure by restricting which external destinations your applications can reach. This guide walks through implementing egress filtering policies using three different approaches.

Prerequisites

Before configuring egress filtering, ensure you have:
  • Administrative access to CoPilot console or API credentials
  • Understanding of your application’s external dependencies
  • Network topology and traffic flow documentation
  • Backup connectivity plan for critical services

Egress Filtering Configuration

Step 1: Access Egress Filtering Configuration

  1. Navigate to Security > Egress in the CoPilot console
  2. Select the VPC or region where you want to configure filtering
  3. Click Create New Policy to begin configuration

Step 2: Define Traffic Categories

Configure different traffic categories based on requirements:

Create Allow List Policy

  1. Policy Name: production-allow-list
  2. Policy Type: Allow List
  3. Scope: Select target VPCs or gateways
  4. Default Action: Deny All

Configure Allowed Destinations

  1. Essential Services:
    • DNS: 8.8.8.8, 8.8.4.4
    • NTP: pool.ntp.org
    • Package Repositories: *.ubuntu.com, *.centos.org
  2. Business Applications:
    • SaaS Platforms: *.salesforce.com, *.office365.com
    • API Endpoints: api.stripe.com, api.twilio.com
    • CDN Services: *.cloudfront.net, *.fastly.com

Step 3: Configure Deny List Policy

Create Deny List Rules

  1. Policy Name: security-deny-list
  2. Policy Type: Deny List
  3. Priority: High (applies before allow rules)

Add Blocked Destinations

  1. Known Malicious Domains:
    • Threat Intelligence Feeds
    • Blacklisted IP ranges
    • Suspicious TLDs (.tk, .ml, .ga)
  2. Compliance Restrictions:
    • Restricted geographic regions
    • Unauthorized cloud storage
    • Social media platforms (if required)

Step 4: Application-Specific Policies

Web Application Policy

  1. Create Policy: web-app-egress
  2. Target: Web tier VPCs
  3. Allowed Destinations:
    • HTTP/HTTPS traffic: ports 443, 80
    • API endpoints: specific domains only
    • CDN services: for static content

Database Policy

  1. Create Policy: database-egress
  2. Target: Database tier VPCs
  3. Restrictions:
    • Block all internet traffic
    • Allow only internal network communication
    • License server access if required

Step 5: Monitoring and Logging

Enable Traffic Logging

  1. Navigate to Security > Logging
  2. Enable egress traffic logging for all policies
  3. Configure log retention: 90 days
  4. Set up alerts for blocked traffic patterns

Create Monitoring Dashboard

  1. Blocked Traffic: Real-time view of denied connections
  2. Top Destinations: Most frequently accessed external services
  3. Policy Violations: Failed connection attempts
  4. Bandwidth Usage: Egress traffic volume by policy
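As an added example (not CoPilot's own code or API), the following Python models the precedence this procedure sets up across Steps 2 to 5: the deny list is evaluated before the allow list, wildcard entries such as *.ubuntu.com match only real subdomains, anything outside the allowed ports falls through to the Deny All default, and denied flows are counted per source to back the blocked-traffic alerts of Step 5. The policy entries, the log field layout and the blocked-feed-entry.example host are constructed for illustration.

```python
import re

SUSPICIOUS_TLDS = (".tk", ".ml", ".ga")  # the suspicious TLDs named on the page

def host_matches(host, pattern):
    # '*.example.com' matches subdomains of example.com only; anything else is an exact match
    return host.endswith(pattern[1:]) if pattern.startswith("*.") else host == pattern

class EgressPolicy:
    """Evaluation order from the page: deny list first, then allow list, then the default action."""
    def __init__(self, deny, allow, ports, default="deny"):
        self.deny, self.allow, self.ports, self.default = deny, allow, ports, default

    def evaluate(self, host, port):
        host = host.lower().rstrip(".")  # normalise case and a trailing dot before matching
        if any(host_matches(host, p) for p in self.deny):
            return "deny", "deny-list"
        if host.endswith(SUSPICIOUS_TLDS):
            return "deny", "suspicious-tld"
        if port in self.ports and any(host_matches(host, p) for p in self.allow):
            return "allow", "allow-list"
        return self.default, "default"

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def review_egress_log(policy, lines, alert_threshold=2):
    """Re-evaluate each flow record against the policy; flag sources with repeated denies."""
    decisions, denies = [], {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip malformed records rather than aborting the review
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        action, reason = policy.evaluate(dst, port)
        decisions.append((src, dst, port, action, reason))
        if action == "deny":
            denies[src] = denies.get(src, 0) + 1
    return decisions, sorted(s for s, n in denies.items() if n >= alert_threshold)

# Constructed policy in the shape of the page's allow list and deny list (hypothetical entries)
WEB_POLICY = EgressPolicy(
    deny=["*.blocked-feed-entry.example"],  # stands in for a threat-intelligence feed entry
    allow=["*.ubuntu.com", "api.stripe.com", "*.cloudfront.net"],
    ports={80, 443})

# Constructed flow records; the field layout is invented, not CoPilot's own log format
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=10.0.1.5 dst=archive.ubuntu.com dport=443",
    "2024-05-01T10:00:02Z src=10.0.1.5 dst=api.stripe.com dport=8443",
    "2024-05-01T10:00:03Z src=10.0.1.9 dst=updates.example.tk dport=443",
    "2024-05-01T10:00:04Z src=10.0.1.9 dst=files.blocked-feed-entry.example dport=443",
    "2024-05-01T10:00:05Z src=10.0.1.9 dst=cdn.cloudfront.net.example dport=443",
]
```

The last sample record shows why suffix matching must require the leading dot: a lookalike host that merely contains cloudfront.net in the middle of its name does not match *.cloudfront.net and falls to the default deny.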
