Egress FQDN Filtering (Legacy)
For questions, see the Egress FQDN FAQ.
This document describes Egress functionality available in the Aviatrix Controller prior to Controller 7.1. Aviatrix strongly recommends migrating to the Distributed Cloud Firewall feature in CoPilot to enforce Egress network security policy. As of Controller 7.1, Distributed Cloud Firewall with WebGroups, configured in CoPilot, is the recommended method for configuring and implementing Egress Security. If you configured Egress (in Aviatrix Controller or CoPilot) prior to Controller 7.1, you continue configuring rules in the Aviatrix Controller with the Egress FQDN Filtering solution. If a Spoke Gateway already has FQDN enabled via Egress FQDN Filtering in the Controller, it cannot be used in your Distributed Cloud Firewall configuration. |
Configuration Workflow
The instructions below assume there is already an Aviatrix Gateway running in the VPC/VNet where you wish to deploy the FQDN filter. If not, follow the Egress FQDN Filter workflow to first launch a gateway.
Adding a New Egress FQDN Filter Tag to a Gateway
-
In the Controller, go to Security > Egress Control and click New Tag, as shown below:
-
Click + New Tag, and enter a name for the tag, for example, prod-whitelist, as shown below:
This procedure effectively turns the selected gateway in to an FQDN Gateway. For more information see About FQDN Gateways.
Adding a URL List to the New Tag for Egress FQDN Filter
-
Enable the new tag and click Edit, as shown below:
-
Click + Add New to add each URL. A wild card is allowed for HTTP/HTTPS (TCP 443), as shown below. The Update action saves the rules in the tag. If gateways are attached to the tag, "Update" applies to the rules in the gateways.
Base Policy for Egress FQDN Filter
If you are configuring FQDN Allowlist rules, set the Base Policy to Deny All. If you are configuring FQDN Denylist rules, set the Base Policy to Allow All. See Configuring Base Policy for where to set the Base Policy. |
Base Policy is an Action field of a rule and is the only value supported for rules not on ports 80 or 443.
The default Action field is Base Policy which means if the tag is an Allow (which is the majority of the use cases), this specific rule is to allow the domain name to pass. For the most part, you should not edit this field.
There is a use case where you want to leverage the Active field. For
example, you need to allow most of the FQDN names in salesforce.com
except for one domain name, finance.salesforce.com. If salesforce.com
provides hundreds of domain names, you would have to allow all of
them and you cannot use *.salesforce.com
as it will leak
finance.salesforce.com.
With this feature, you can configure two rules to accomplish filtering out finance.salesforce.com while allowing the rest of salesforce.com supported domain names, as shown below (only applies to HTTPS rules):
Domain Name | Protocol | Port | Action |
---|---|---|---|
finance.salesforce.com |
tcp |
443 |
Deny |
|
tcp |
443 |
Base Policy |
Configuring Base Policy
-
If you are configuring FQDN AllowList Filters (Allow), set the Stateful Firewall Base Policy under Security > Stateful Firewall > Policy > Select Gateway > Edit > Base Policy > Deny all.
-
If you are configuring FQDN DenyList Filters (Deny), set the Stateful Firewall Base Policy under Security > Stateful Firewall > Policy > Select Gateway > Edit > Base Policy > Allow all.
Attaching to Gateways in the Egress FQDN Filter
-
Click Attach Gateway to attach a gateway to the tag.
-
When a gateway is attached to a tag, the gateway in the tag will be pushed for enforcement (Whitelist or Blacklist), as shown below:
-
Repeat this step if you have more gateways that should be attached to this tag.
Exception Rule for Egress FQDN Filter
Exception Rule is a system-wide mode. Exception Rule only applies to Allowlist.
By default, the Exception Rule is enabled, as shown.
When Exception Rule is enabled, packets passing through the gateway without an SNI field are allowed to pass. This usually happens when an application uses hard-coded destination IP addresses for HTTPS connection instead of domain names.
When Exception Rule is disabled, packets passing through the gateway without SNI field are dropped unless the specific destination IP address of the packet is listed in the Whitelist. The use case could be that certain old applications use hard coded destination IP address to access external services.
To disable the Exception Rule:
-
Under Egress FQDN Filter, click Global Configs.
-
Clear the Exception Rule checkbox.
-
Click Close.
If Blacklist is configured, client hello packets without SNI are allowed to pass as it should not match any rules.
Exporting Egress FQDN Filtering Rules
Export allows you to download the configured FQDN rules on a per tag basis, in a human-readable text file format, as shown in the example below:
Importing FQDN Rules in Egress FQDN Filter
Import allows you to upload a text file that contains FQDN rules to a specific tag. The text file can be:
-
The downloaded file from FQDN Discovery.
-
The download file from Export from a different tag.
-
A text file in the format compatible to Export.
Edit Source for Egress FQDN Filter
Edit Source allows you to control which source IP in the VPC/VNet is qualified for a specific tag. The source IP can be a subnet CIDR or host IP addresses. This provides fine-grained configuration.
If Edit Source is not configured (i.e., no source IP address ranges are selected) all packets arriving at the FQDN gateway are applied to the filter tag. However if there are one or more source IP address ranges selected, any packets with source IP addresses outside those ranges are dropped. In this regard, the distinguished Source is exclusive. |
For example, one use case is if you have two private subnets in a VPC/VNet: one deploys dev instances and another deploys prod instances. With the Edit Source feature, the dev instances can have different tags than the prod instances.
Edit Source assumes you already attached a gateway to a tag.
To go to the Edit Source page, click Edit Source at Egress FQDN Filter on a specific tag and follow the example in the illustration below. The network shown on the right hand of the panel goes through the FQDN tag filtering while the networks on the left side of the panel are dropped.
Enabling Private Network Filtering for Egress FQDN Filter
This is a global configuration that applies to all FQDN gateways.
By checking this option, destination FQDN names that translate to private IP address range (RFC 1918) are subject to the FQDN whitelist filtering function. The use case is if your destination hostname is indeed a private service and you wish to apply FQDN filtering.
To configure this option, in the Aviatrix Controller go to Security > Egress Control > Global Configs > Enable Private Network Filtering. FQDN names that are resolved to RFC 1918 range will be subject to FQDN filter function.
Disabling Private Network Filtering for Egress FQDN Filter
This is a global configuration that applies to all FQDN gateways.
By checking this option, packets with destination IP address of RFC 1918 range are not inspected. This is the default behavior.
To configure, in the Aviatrix Controller go to Security > Egress Control > Global Configs > Disable Private Network Filtering. FQDN names that are resolved to RFC 1918 range will not be subject to FQDN filter function.
Customizing Network Filtering for Egress FQDN Filter
This is a global configuration that applies to all FQDN gateways.
When this option is selected, you can customize packet destination address ranges not to be filtered by FQDN.
To configure, in the Aviatrix Controller go to Security > Egress Control > Global Configs > Customize Network Filtering. Select pre-defined RFC 1918 range, or enter your own network range.
This feature is disabled by default.
FQDN Name Caching in Egress FQDN Filter
This is a global configuration that applies to all FQDN gateways.
If FQDN Name caching is enabled, the resolved IP address from FQDN filter is cached so that if subsequent TCP session matches the cached IP address list, FQDN domain name is not checked and the session is allowed to pass.
We recommend disabling Caching to prevent unwanted domain names to bypass filter as they resolve to the same IP address. For example, youtube.com shares the same destination IP address range as google.com. There is minimal performance impact by disabling the cache.
To configure this option, in the Aviatrix Controller go to Security > Egress Control > Global Configs > Caching > and set the toggle switch to Disabled.
This feature is Enabled by default.
Exact Match in Egress FQDN Filter
This is a global configuration that applies to all FQDN gateways.
If a FQDN rule does not show an asterisk (*) an exact match is expected. If this global option is not enabled, FQDN rules use regex to match any FQDN names that are subset of the name. For example, if salesforce.com is a rule and Exact Match option is enabled, finance.salesforce.com is not a match and will be dropped.
This feature is disabled by default.
For Support, open a support ticket at Aviatrix Support Portal.