Skip to main content
Controller 8.0 and the enablement of the DCF feature is required to monitor VPC/VNets.
On the Security > Egress > Egress VPC/VNets tab, you monitor onboarded VPC/VNets to apply egress and monitor the traffic of these VPC/VNets to the Internet.

Prerequisites

Before attempting to monitor your egress traffic:
  • Ensure that your IAM policies are up to date (for AWS)
  • Ensure that ports 50441-50443 on CoPilot are open to the Aviatrix Controller
  • Ensure that the VPC/VNet you want to monitor does not have a customized SNAT configuration
  • If you have a GCP cloud account, ensure that these APIs are enabled:
    • Container: container.googleapis.com
    • Cloud Resource Manager: cloudresourcemanager.googleapis.com

Monitoring VPC/VNets

When you monitor your VPC/VNets, the following actions are performed:
Action
Local egress is applied
Default route is modified
SNAT is enabled
Monitor-VPCs Watch Rules are created in the Egress Protection Policy List ruleset against the selected VPC/VNets: Monitor-VPCs-ICMP-Rule, Monitor-VPCs-UDP-Rule, Monitor-VPCs-Domains-Rule
VPC/VNets are added to the Monitored-VPCs SmartGroup
To monitor VPC/VNets:
  1. On the Security > Egress > Egress VPC/VNets tab, do one of the following:
    • Select one or more VPC/VNets and then select Monitor from the Actions menu.
    • Click Monitor in the Recommended Action column next to a VPC/VNet.
    The Monitor VPC/VNets dialog displays.
  2. Click Monitor.
The status changes to Monitored for this VPC/VNet on the Egress VPC/VNets tab. This may take a minute or two to complete. A timestamp is displayed next to the VPC/VNet on the Egress VPC/VNets tab to indicate how long it has been monitored.

Disabling Monitoring of Egress Traffic

You disable monitoring for all VPCs/VNets by going to Security > Distributed Cloud Firewall > Policies and deleting the Monitor-VPCs Watch Rules that were created when monitoring was enabled. You cannot disable monitoring for individual VPC/VNets.

Next Steps