Overview of Public Subnet Filtering/Ingress Gateway
Public Subnet Filtering Gateways (PSF gateways) provide ingress and egress security for AWS public subnets where instances have public IP addresses.
If you are using the Distributed Cloud Firewall (DCF) feature in Controller version 7.2.4820, Aviatrix recommends enabling the DCF on PSF Gateways feature. After doing this you can create SmartGroups that contain PSF Gateway VPCs, and then use those SmartGroups in DCF rules that allow or block specific traffic sent to or from the public subnet. Prior to Controller version 7.2.4820, AWS GuardDuty and the Egress FQDN (Legacy) feature were used to protect the public subnets and filter traffic. Only continue using those tools if you have not purchased and enabled the DCF feature.
Creating a Public Subnet Filtering Gateway (AWS)
To create a Public Subnet Filtering Gateway:
- In CoPilot, navigate to Cloud Fabric > Gateways > Speciality Gateways tab.
- Click +Gateway and select Public Subnet Filtering Gateway.
- Provide the following information to set up your Public Subnet Filtering Gateway:
  - Name: Enter a name for this new PSF gateway.
  - Cloud: Use the dropdown menu to select AWS Standard, GovCloud, or China.
  - Account: Select the cloud access account for this gateway.
  - Region: Select the cloud region in which to create this gateway.
  - VPC: Select the VPC in the selected region in which to create this gateway.
  - Instance Size: Select the gateway instance size. The instance size must be at least t3.medium if you want to apply a DCF rule to this PSF gateway and you select Intrusion Detection or TLS Decryption when creating that rule.
  - Attach to Unused Subnet: Aviatrix Controller creates a public subnet, and a route table associated with that subnet, in which to launch the PSF gateway.
  - Route Table: Select the route tables whose associated public subnets are to be protected. Only the public subnets of route tables selected here are monitored and enforced by any DCF rules the PSF gateway is part of.
- Click Save.
After the Public Subnet Filtering Gateway is deployed, ingress traffic from the IGW is routed to the gateway in a pass-through manner, and egress traffic from instances in the protected public subnets is likewise routed through the gateway.
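A practitioner will want to confirm that the protected subnets' route tables really do hairpin both directions through the gateway rather than bypassing it. The following added example (not Aviatrix code) audits route tables in the dict shape returned by boto3's `ec2.describe_route_tables()`; it assumes the PSF gateway is inserted with an AWS ingress-routing edge association on the IGW plus a default route to the gateway's ENI, and the ENI id, subnet ids and tables below are constructed.

```python
# Added example (not Aviatrix code): audits route tables in the dict shape returned by
# boto3 ec2.describe_route_tables(). The ENI id, subnet ids and tables are constructed.
PSF_ENI = "eni-0psfgw00000000000"                       # constructed PSF gateway ENI
PROTECTED = {"subnet-0aaa": "10.0.1.0/24",             # constructed protected subnets
             "subnet-0bbb": "10.0.2.0/24"}

# Constructed sample: an edge table associated with the IGW (ingress hairpin) and two
# subnet tables (egress); rtb-b still sends its default route straight to the IGW.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-edge",
     "Associations": [{"GatewayId": "igw-0123"}],
     "Routes": [{"DestinationCidrBlock": "10.0.1.0/24", "NetworkInterfaceId": PSF_ENI},
                {"DestinationCidrBlock": "10.0.2.0/24", "NetworkInterfaceId": PSF_ENI}]},
    {"RouteTableId": "rtb-a",
     "Associations": [{"SubnetId": "subnet-0aaa"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": PSF_ENI}]},
    {"RouteTableId": "rtb-b",
     "Associations": [{"SubnetId": "subnet-0bbb"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
]

def _routes_to(routes, cidr, eni):
    """True if some route for `cidr` targets the network interface `eni`."""
    return any(r.get("DestinationCidrBlock") == cidr and r.get("NetworkInterfaceId") == eni
               for r in routes)

def audit_psf_routing(tables, psf_eni, protected):
    """Return {subnet_id: {"egress": bool, "ingress": bool}} for each protected subnet.

    egress:  the subnet's own route table sends 0.0.0.0/0 to the PSF gateway ENI.
    ingress: a table with an IGW edge association sends the subnet CIDR to that ENI.
    """
    result = {s: {"egress": False, "ingress": False} for s in protected}
    for rt in tables:
        routes = rt.get("Routes", [])
        for assoc in rt.get("Associations", []):
            if assoc.get("GatewayId", "").startswith("igw-"):
                for subnet, cidr in protected.items():
                    if _routes_to(routes, cidr, psf_eni):
                        result[subnet]["ingress"] = True
            elif assoc.get("SubnetId") in protected:
                if _routes_to(routes, "0.0.0.0/0", psf_eni):
                    result[assoc["SubnetId"]]["egress"] = True
    return result

def unprotected_subnets(tables, psf_eni, protected):
    """Protected subnets where at least one direction bypasses the PSF gateway."""
    audit = audit_psf_routing(tables, psf_eni, protected)
    return sorted(s for s, d in audit.items() if not (d["egress"] and d["ingress"]))
```

Run against live data by replacing `ROUTE_TABLES` with `ec2.describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["RouteTables"]`; any subnet listed by `unprotected_subnets` is not being filtered in both directions.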
Enabling Egress FQDN for Public Subnet Filtering Gateway (Legacy)
Once the PSF gateway is launched, you can configure the Egress FQDN (Legacy) feature. Egress FQDN (Egress Control Filter) is a legacy FQDN feature applied to the public subnets.
Only use this tool if you have not purchased and enabled the DCF feature.
In the Aviatrix Controller, navigate to Security > Egress Control and follow the instructions in the FQDN workflow.
Viewing Blocked Malicious IPs
After the Public Subnet Filtering (PSF) gateway is launched, view or block malicious IPs as follows:
- (Controller version 7.2.4820 or later) Navigate to Security > Distributed Cloud Firewall and configure DCF rules that use ThreatGroups or GeoGroups. This is the recommended method.
- (Prior to 7.2.4820) Navigate to Security > ThreatIQ. Aviatrix strongly recommends upgrading to the DCF method described above.
The PSF gateway generates Netflow data, which is fed to FlowIQ. ThreatIQ monitors FlowIQ for any matches, and then alerts or programs a block on the corresponding gateway.
Because PSF gateways are exposed to inbound Internet traffic, they can generate a large number of alerts even when that traffic is blocked at a later step (such as by a Security Group).