Overview of Public Subnet Filtering/Ingress Gateway

Public Subnet Filtering Gateways (PSF gateways) provide ingress and egress security for AWS public subnets where instances have public IP addresses.

Egress FQDN is a legacy FQDN feature applied to the public subnets.

After a PSF gateway is deployed, you can configure its settings.

Creating a Public Subnet Filtering Gateway (AWS)

To create a Public Subnet Filtering Gateway:

  1. In CoPilot, navigate to Cloud Fabric > Gateways > Speciality Gateways tab.

  2. Click +Gateway and select Public Subnet Filtering Gateway.

  3. Provide the following information to set up your Public Subnet Filtering Gateway.

    Parameter Description


    Enter a name for this new gateway.


    Select the Cloud Service Provider (CSP) in which to create this gateway.

    When you select AWS, you can use the dropdown menu to select Standard, GovCloud, or China.


    Select the cloud access account for this gateway.


    Select the cloud region in which to create this gateway.


    Select the VPC in the selected region in which to create this gateway.

    Instance Size

    Select the gateway instance size.

    Attach to Unused Subnet

    Aviatrix Controller creates a public subnet and creates a route table associated with the subnet to launch the Public Subnet Filtering gateway.

    Route Table

    Select a route table whose associated public subnets are protected.

  4. Click Save.

After the Public Subnet Filtering Gateway is deployed, Ingress traffic from IGW is routed to the gateway in a pass through manner. Egress traffic from instances in the protected public subnets is routed to the gateway in a pass through manner.

Enabling Egress FQDN for Public Subnet Filtering Gateway

Once the PSF gateway is launched, you can configure the Egress FQDN (Legacy) feature.

In the Aviatrix Controller, navigate to Security > Egress Control and follow the instructions in the FQDN workflow.

Viewing Blocked Malicious IPs

After the Public Subnet Filtering (PSF) gateway is launched, view or block malicious IPs by going to Security > ThreatIQ.

The PSF gateway generates Netflow data, which is fed to FlowIQ. ThreatIQ monitors FlowIQ for any matches, and then alerts or programs a block on the corresponding gateway.

Since PSF gateways are open to inbound Internet traffic, they can generate a lot of alerts even if traffic is blocked at a later step (such as a Security Group).

Public Subnet Instances and FQDN

When you enable Egress FQDN (Legacy) filtering for public subnets, packets initiated from the instances on the public subnet do not get NATed when going through the FQDN filtering gateway, and the source public IP address of a public subnet instance is preserved.