Extending Distributed Cloud Firewall to your Network Edge
Distributed Cloud Firewall (DCF) allows you to define granular policies for the distributed applications in the cloud. In addition to Network Segmentation Domains, you can use DCF for additional security to allow or deny network traffic between cloud and on-premises resources. You can create DCF rules that specify which cloud resources and on-premises CIDRs can communicate with each other, either within a Network Segmentation Domain or as a policy created outside a segmentation domain. These policies are then enforced at the edge by the Aviatrix Edge Gateway.
Distributed Cloud Firewall extended to the edge offers these key benefits:
- Aviatrix Distributed Cloud Firewall integration with Aviatrix Hybrid Cloud Edge.
- Allows you to leverage the security built into the Aviatrix Hybrid Cloud Edge to filter traffic between LAN segments and CSP resources.
- Provides cloud-to-edge and advanced threat filtering capabilities.
- Allows you to manage and operate DCF from the cloud and deploy it with cloud automation.
Setting Up Distributed Cloud Firewall for Edge
The following are the high-level steps to set up Distributed Cloud Firewall at the Edge:
1. Create SmartGroups for the applications in the cloud and on-premises, so that traffic between these SmartGroups can be filtered.
   You can define a SmartGroup by specifying Cloud tags, WebGroups, and CIDRs. SmartGroups for the network edge are defined using CIDRs. When the Edge Gateway enforces the policy, it uses these SmartGroups and filters traffic based on the DCF rules defined for them.
2. (Optional) Create WebGroups to filter traffic between web applications and the SmartGroups.
3. (Optional) Create ExternalGroups to filter traffic between external resources and the SmartGroups.
4. Create DCF rules to allow or deny network traffic flow between the groups.

DCF on Edge in Controller 8.1 does not support hostname filtering, L7 filtering, SNI-based filtering, or DNS reachability. If you want to filter traffic for DCF on Edge, you must use SmartGroups or the Domain feature of WebGroups.
To learn more about creating SmartGroups and DCF rules, see Configuring Distributed Cloud Firewall.
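Because SmartGroups on the edge are CIDR-based, it is worth dry-running a rule set against sample flows before turning enforcement on. The following is an added example, not Aviatrix code: it models CIDR SmartGroups and ordered allow/deny rules with assumed first-match, default-deny semantics (an assumption for illustration, not documented behaviour), and reports which rule a constructed on-premises-to-cloud flow would hit.

```python
"""Dry-run evaluator for CIDR-based SmartGroups and DCF-style rules (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src_group: str
    dst_group: str
    protocol: str        # "tcp", "udp" or "any"
    port: Optional[int]  # None means any destination port
    action: str          # "allow" or "deny"


# Constructed SmartGroups: edge-side groups are defined by CIDRs (sample values, not real networks).
SMART_GROUPS = {
    "onprem-lan": ["10.10.0.0/16"],
    "cloud-app": ["172.16.20.0/24"],
    "cloud-db": ["172.16.30.0/24"],
}

# Constructed rule set. First-match and an implicit final deny are assumptions of this
# model; verify the real evaluation order against the Controller before relying on it.
RULES = [
    Rule("lan-to-app-https", "onprem-lan", "cloud-app", "tcp", 443, "allow"),
    Rule("app-to-db-pg", "cloud-app", "cloud-db", "tcp", 5432, "allow"),
    Rule("lan-to-db-deny", "onprem-lan", "cloud-db", "any", None, "deny"),
]


def in_group(ip: str, group: str) -> bool:
    """True if the address falls inside any CIDR of the named SmartGroup."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in SMART_GROUPS[group])


def evaluate(src_ip: str, dst_ip: str, protocol: str, port: int, rules=RULES):
    """Return (action, rule name) for the first rule matching the flow, else the implicit deny."""
    for rule in rules:
        if not (in_group(src_ip, rule.src_group) and in_group(dst_ip, rule.dst_group)):
            continue
        if rule.protocol not in ("any", protocol):
            continue
        if rule.port is not None and rule.port != port:
            continue
        return rule.action, rule.name
    return "deny", "implicit-default"
```

Running flows you expect to keep working (for example LAN to app on 443) through this model before enabling the Edge toggle shows which of them would fall through to the implicit deny.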
DCF Rules Enforcement on Edge in Different Controller Versions
In previous Controller versions, DCF is enabled by default (cannot be disabled) on Edge platforms and all DCF rules are deployed to the Edge gateways, regardless of their applicability to the Edge gateway.
In Controller version 8.1, DCF on Edge is disabled by default. DCF rules will not be enforced unless DCF on Edge is explicitly enabled. It can be enabled via the Enforcement on Clouds card in the Distributed Cloud Firewall > Settings tab.
The following table summarizes DCF support on the different Controller versions:
Controller Version | Edge Platforms | DCF Enforcement
---|---|---
8.1 | All Edge platforms | Disabled
8.0 | All Edge platforms | Enabled, all rules
7.2 | Aviatrix Edge Platform (AEP), Self Managed | Enabled, all rules
Enable DCF on Edge
To enable DCF on Edge gateways:
1. In Aviatrix CoPilot, go to Distributed Cloud Firewall > Settings tab.
2. On the Enforcement on Clouds card, click Manage.
3. In Manage Enforcements on Clouds, turn on the Edge (Hybrid Cloud) toggle to make sure that relevant DCF rules are enforced by the Edge gateways.
4. Click Save.