Distributed Cloud Firewall (DCF) extends network security controls to serverless computing environments, enabling organizations to enforce granular egress policies on serverless applications. Serverless computing is a cloud-native execution model where developers deploy code without managing underlying infrastructure. Cloud providers handle infrastructure provisioning, scaling, and maintenance automatically. Aviatrix Controller 8.2 introduces support for AWS Lambda functions, allowing customers to inventory serverless resources and enforce network security policies using SmartGroups. This capability extends DCF’s microsegmentation approach to ephemeral workloads.
This is an early access feature. Contact Aviatrix support to enable this feature in your development and test environments.

Key Characteristics of Serverless Applications

  • Event-driven: Functions run in response to specific triggers such as HTTP requests, file uploads, or database changes
  • Ephemeral: Instances spin up on demand and terminate after execution completes
  • Cloud-managed: Providers like AWS, GCP, and Azure abstract infrastructure management

Supported Serverless Platforms

Aviatrix Controller 8.2 provides initial support for AWS Lambda. Additional serverless platforms are planned for future releases:
  • AWS Lambda (Controller 8.2)
  • Google Cloud Run (future release)
  • Azure Functions (future release)

Security Challenges in Serverless Environments

Serverless architectures introduce unique security considerations:
  • Expanded attack surface: Each serverless function represents a potential entry point due to direct internet exposure
  • Limited visibility: Ephemeral workloads make traditional monitoring and logging more challenging
  • Configuration risks: Over-permissive IAM roles or shared network subnets can expose sensitive data

Benefits of DCF for Serverless

Aviatrix DCF addresses serverless security challenges through:
  • Egress traffic control: Filter outbound traffic from serverless functions through customer-owned VPCs
  • Dynamic resource grouping: Use SmartGroups to automatically group Lambda functions by their attributes for policy enforcement
  • Infrastructure as code: Automate policy deployment and updates using Terraform
  • Granular segmentation: Implement function-level security controls with dedicated subnets
  • Traffic visibility: Monitor and log serverless traffic patterns for security analysis
  • Multi-cloud governance: Enforce consistent security policies across multi-cloud environments
  • Data protection: Reduce risk of data exfiltration and ensure compliance with regulatory requirements

How It Works

The Aviatrix Controller automatically discovers and inventories AWS Lambda functions deployed in your cloud accounts. Once discovered, these functions can be organized into SmartGroups and protected with DCF policies, allowing you to enforce network security rules on serverless traffic.

Traffic Filtering Capabilities and Limitations

DCF can only filter egress (outbound) traffic from Lambda functions. Ingress traffic filtering is not currently supported.

Egress Traffic Filtering

DCF filters outbound traffic from Lambda functions when the function is configured to use a user-owned VPC for network connectivity. By default, Lambda functions route both ingress and egress traffic through AWS’s internal network infrastructure. To enable DCF filtering of egress traffic, attach your Lambda function to a VPC that you control. This allows DCF to inspect and enforce policies on outbound connections.

Ingress Traffic Limitations

Lambda functions that are exposed via HTTP endpoints receive incoming requests through AWS’s internal network infrastructure. DCF cannot intercept or filter this ingress traffic. Only egress traffic from these functions can be monitored and secured.
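As an added example that is not part of the Aviatrix documentation, the following Python script audits Lambda configurations for the VPC-attachment prerequisite described above: a function that is not attached to a customer-owned VPC sends its egress over the AWS-managed network, where DCF cannot filter it. It reads the output shape of `aws lambda list-functions`; the function names, VPC, subnet and security-group IDs are constructed sample values.

```python
import json

# Constructed sample in the shape of `aws lambda list-functions` output
# (only the fields this check reads). Not data from a real account.
SAMPLE_LIST_FUNCTIONS = json.dumps({
    "Functions": [
        {"FunctionName": "order-processor",
         "VpcConfig": {"VpcId": "vpc-0a1b2c3d",
                       "SubnetIds": ["subnet-0aaa", "subnet-0bbb"],
                       "SecurityGroupIds": ["sg-0ccc"]}},
        # AWS reports an empty VpcConfig for a function that was detached
        {"FunctionName": "image-resizer",
         "VpcConfig": {"VpcId": "", "SubnetIds": [], "SecurityGroupIds": []}},
        # ...and may omit the key entirely for one never attached
        {"FunctionName": "webhook-receiver"},
    ]
})


def is_vpc_attached(fn):
    """True when the function routes through a customer-owned VPC,
    i.e. it has a VPC ID and at least one subnet configured."""
    cfg = fn.get("VpcConfig") or {}
    return bool(cfg.get("VpcId")) and bool(cfg.get("SubnetIds"))


def audit_lambda_egress(list_functions_json):
    """Return {function_name: {"dcf_egress": bool, "vpc": str | None}}.
    dcf_egress is False for functions whose outbound traffic bypasses DCF."""
    data = json.loads(list_functions_json)
    report = {}
    for fn in data.get("Functions", []):
        attached = is_vpc_attached(fn)
        report[fn["FunctionName"]] = {
            "dcf_egress": attached,
            "vpc": fn["VpcConfig"]["VpcId"] if attached else None,
        }
    return report


def unfiltered_functions(list_functions_json):
    """Sorted names of functions whose egress DCF cannot see or filter."""
    report = audit_lambda_egress(list_functions_json)
    return sorted(n for n, r in report.items() if not r["dcf_egress"])


if __name__ == "__main__":
    for name, r in audit_lambda_egress(SAMPLE_LIST_FUNCTIONS).items():
        state = (f"VPC {r['vpc']} (egress filterable by DCF)" if r["dcf_egress"]
                 else "no VPC (egress bypasses DCF)")
        print(f"{name}: {state}")
```

Against a real account, pipe `aws lambda list-functions --output json` into `audit_lambda_egress` and treat every name returned by `unfiltered_functions` as a gap in egress policy coverage.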

Create SmartGroups for Lambda Functions

SmartGroups enable dynamic grouping of Lambda functions based on their resource attributes. The following example shows how to create a SmartGroup using Terraform: