Deploying the Aviatrix Stateful Firewall

Defining a Tag

You give a tag a name and a list of one or more network addresses. The network address can be a subnet or a host IP address. In the Aviatrix Controller, navigate to Security > Stateful Firewall > Tag Management > +Add New.

A tag is a global resource to the Aviatrix Controller and can be applied to any gateway.

Editing a Tag

Once a tag is created, you can edit the tag.

Editing is about adding a name to a CIDR address (network address or host address). Multiple Name/CIDR pairs can be added. When you are done editing, click Update to implement your changes.

Applying a Policy

In the Aviatrix Controller, navigate to Security > Stateful Firewall > Policy.

You should see a list of gateways that the Controller manages. Highlight a gateway and click Edit.

To configure security policies, select a Base Policy. A Base Policy is always attached as the last rule as a catch-all policy.

Select Enable Packet Logging if you want to forward logs to well known log management systems, such as Remote Syslog.

If you click Add New, you can specify Source by manually entering a specific CIDR. You can also click the table icon to select one of the tags you created earlier.

Both Source and Destination can be configured either manually or by using tags. Once a rule is saved, you must remember to click Update for the policy to take effect.

For the Destination field, if a host name is specified either manually or with a tag, the IP address of the host name will be resolved when programming the security policy. A host name is not suitable if it is a public website, such as www.google.com. To filter on public host names, refer to FQDN Whitelists.

Viewing Policy and Tags

To view the names in a tag, select Tag Management, highlight a tag and click Edit.

To view the policies of gateway, select Policy, highlight a gateway, and click Edit.

Example Use Case

You have a group of virtual machine (EC2/GCE) instances or a group of AWS Workspace instances. You would like to set up policies to allow them to access a database which itself consists of a group of nodes.

You can create a tag, name it my-app, and configure the list of IP addresses associated with each instance with a name. You can then create a second tag, name it my-database, and configure the list of IP addresses associated with each instance with a name.

You then can simply apply one policy at the gateway that says my-app to my-database is allowed. The Controller will automatically push the policies to the gateway.