Enabling Transit Egress

You must have at least Controller version 7.0.1577 to use this feature.

Aviatrix recommends that you only use the Transit Egress feature in CoPilot if you are currently using the Egress FQDN Filtering (Legacy) feature in Aviatrix Controller. New users should use the Distributed Cloud Firewall for Egress.

On the Transit Egress tab, you can enable Egress Control on Transit Gateways that:

This Transit Gateway can then send its attached Spoke Gateway traffic to the Internet. The Spoke Gateways will own all routes but send all egress traffic to this Transit Gateway.

You can edit AWS Transit gateways (on the Cloud Fabric > Gateways > Transit Gateways tab) to add Transit Egress Capability, but you cannot edit other cloud Transit gateways to add this functionality. You must select the Transit Egress Capability when first creating Transit gateways in those cloud providers.

Configuring Transit Egress

  1. On the Security > Egress > Transit Egress tab, click Enable Egress on Transit.

  2. Configure the following:

    Field Description

    Transit Gateway

    Select a Transit gateway from the list.

    Primary Egress (AWS only)

    Enable the selected Transit gateway to provide Egress control for its attached Spoke gateways.

    Secondary Egress (AWS only)

    Enable the selected Transit gateway to send traffic to the Primary Egress Transit gateway that is providing Egress control.

    Attach Secondary Egress (AWS only)

    Select the Secondary Egress Transit gateways that will send traffic to the Primary Egress Transit gateway.

    Gateway Load Balancer

    Off by default.


    On by default.

    Egress Instance Size

    Select the instance size for the Egress instance. The size you select is applied to all Egress Subnets you select.

    Egress Subnet

    Select the Egress Subnet(s).

  3. Click Enable. This adds FQDN capability to the selected Transit gateway, which handles egress traffic for the Spokes that send traffic to this Transit gateway.