Distributed Cloud Firewall Support for Serverless Resources

Distributed Cloud Firewall (DCF) extends network security controls to serverless computing environments, enabling organizations to enforce granular egress policies on serverless applications. Serverless computing is a cloud-native execution model where developers deploy code without managing underlying infrastructure. Cloud providers handle infrastructure provisioning, scaling, and maintenance automatically.

Aviatrix Controller 8.2 introduces support for AWS Lambda functions, allowing customers to inventory serverless resources and enforce network security policies using SmartGroups. This capability extends DCF’s microsegmentation approach to ephemeral workloads.

This is an early access feature. Contact Aviatrix support to enable this feature in your development and test environments.

Key Characteristics of Serverless Applications

  • Event-driven: Functions run in response to specific triggers such as HTTP requests, file uploads, or database changes

  • Ephemeral: Instances spin up on demand and terminate after execution completes

  • Cloud-managed: Providers like AWS, GCP, and Azure abstract infrastructure management

Supported Serverless Platforms

Aviatrix Controller 8.2 provides initial support for AWS Lambda. Additional serverless platforms are planned for future releases:

  • AWS Lambda (Controller 8.2)

  • Google Cloud Run (future release)

  • Azure Functions (future release)

Security Challenges in Serverless Environments

Serverless architectures introduce unique security considerations:

  • Expanded attack surface: Each serverless function that is directly exposed to the internet represents a potential entry point

  • Limited visibility: Ephemeral workloads make traditional monitoring and logging more challenging

  • Configuration risks: Over-permissive IAM roles or shared network subnets can expose sensitive data

Benefits of DCF for Serverless

Aviatrix DCF addresses serverless security challenges through:

  • Egress traffic control: Filter outbound traffic from serverless functions through customer-owned VPCs

  • Dynamic resource grouping: Use SmartGroups to automatically group Lambda functions for policy enforcement

  • Infrastructure as code: Automate policy deployment and updates using Terraform

  • Granular segmentation: Implement function-level security controls with dedicated subnets

  • Traffic visibility: Monitor and log serverless traffic patterns for security analysis

  • Multi-cloud governance: Enforce consistent security policies across multi-cloud environments

  • Data protection: Reduce risk of data exfiltration and ensure compliance with regulatory requirements

How It Works

The Aviatrix Controller automatically discovers and inventories AWS Lambda functions deployed in your cloud accounts. Once discovered, these functions can be organized into SmartGroups and protected with DCF policies, allowing you to enforce network security rules on serverless traffic.

Traffic Filtering Capabilities and Limitations

DCF can only filter egress (outbound) traffic from Lambda functions. Ingress traffic filtering is not currently supported.

Egress Traffic Filtering

DCF filters outbound traffic from Lambda functions when the function is configured to use a user-owned VPC for network connectivity. By default, Lambda functions route both ingress and egress traffic through AWS’s internal network infrastructure.

To enable DCF filtering of egress traffic, attach your Lambda function to a VPC that you control. This allows DCF to inspect and enforce policies on outbound connections.

Ingress Traffic Limitations

Lambda functions that are exposed via HTTP endpoints receive incoming requests through AWS’s internal network infrastructure. DCF cannot intercept or filter this ingress traffic. Only egress traffic from these functions can be monitored and secured.

Create SmartGroups for Lambda Functions

SmartGroups enable dynamic grouping of Lambda functions based on their resource attributes. The following example shows how to create a SmartGroup using Terraform:

resource "aviatrix_smart_group" "serverless" {
  name = "serverless"

  selector {
    match_expressions {
      type = "serverless"     # match serverless (Lambda) resources inventoried by the Controller
      name = "gatus_lambda"   # restrict the match to this function name
    }
  }
}

This SmartGroup automatically includes all subnet CIDR blocks associated with the specified Lambda function (gatus_lambda in this example). You can then use this SmartGroup in DCF policies to control traffic to internal VPCs or the internet.
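The following is an added example, not from the Aviatrix documentation, showing how the serverless SmartGroup above can be consumed in a DCF policy list: HTTPS from the Lambda subnets to an internal VPC is permitted, and all other egress from those subnets is logged and denied. The 10.20.0.0/16 CIDR, the second SmartGroups and the policy names are constructed assumptions; the policy list resource and its attributes are the Aviatrix Terraform provider's.

```hcl
resource "aviatrix_smart_group" "internal_vpc" {
  name = "internal-vpc"
  selector {
    match_expressions {
      cidr = "10.20.0.0/16"   # constructed: CIDR of the internal VPC
    }
  }
}

# Catch-all destination used by the final deny rule.
resource "aviatrix_smart_group" "any_destination" {
  name = "any-destination"
  selector {
    match_expressions {
      cidr = "0.0.0.0/0"
    }
  }
}

resource "aviatrix_distributed_firewalling_policy_list" "serverless_egress" {
  # Lower priority number is evaluated first: allow HTTPS to the internal VPC
  policies {
    name             = "lambda-to-internal-https"
    action           = "PERMIT"
    priority         = 0
    protocol         = "TCP"
    logging          = true
    watch            = false
    src_smart_groups = [aviatrix_smart_group.serverless.uuid]
    dst_smart_groups = [aviatrix_smart_group.internal_vpc.uuid]

    port_ranges {
      lo = 443
      hi = 443
    }
  }

  # Then log and deny any other egress from the Lambda subnets
  policies {
    name             = "lambda-deny-all"
    action           = "DENY"
    priority         = 1
    protocol         = "ANY"
    logging          = true
    watch            = false
    src_smart_groups = [aviatrix_smart_group.serverless.uuid]
    dst_smart_groups = [aviatrix_smart_group.any_destination.uuid]
  }
}
```

Because the serverless SmartGroup resolves to the function's subnet CIDRs, the deny rule also covers any other workload sharing those subnets, which is why the best practice below recommends dedicated subnets.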

Best Practices

Use Dedicated Subnets per Function

When DCF evaluates a SmartGroup containing a Lambda function, it includes all CIDR blocks from all subnets configured for that function. For optimal security and manageability:

  • Associate dedicated subnets to each Lambda function rather than sharing subnets across multiple functions

  • This approach provides more granular control over DCF policies

  • Dedicated subnets simplify troubleshooting and traffic analysis

  • Function isolation creates clearer security boundaries between different serverless workloads

Prerequisites and Requirements

AWS IAM Permissions

The Aviatrix Controller requires specific IAM permissions to discover and inventory Lambda functions. Ensure your AWS access account includes the following permissions:

IAM Permission          Purpose
lambda:ListFunctions    Enumerate all Lambda functions in the account
lambda:GetFunction      Retrieve configuration details for each function
lambda:ListTags         Read resource tags for filtering and organization

Lambda VPC Configuration

To enable DCF filtering, Lambda functions must be attached to a user-owned VPC. Functions using only AWS’s default network infrastructure cannot be protected by DCF egress policies.
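As an added example (not from the Aviatrix documentation) covering both the VPC attachment requirement here and the dedicated-subnet best practice above, the following Terraform attaches the gatus_lambda function to its own subnet in a customer-owned VPC, so its egress leaves through that VPC and the SmartGroup resolves to a single CIDR. The VPC tag, subnet CIDR, security group, role variable and artifact path are constructed assumptions; the AWS provider resources and their attributes are real.

```hcl
variable "lambda_role_arn" {
  type        = string
  description = "Assumed: execution role ARN with VPC access permissions"
}

data "aws_vpc" "app" {
  # Assumed: an existing customer-owned VPC tagged Name=app-vpc
  filter {
    name   = "tag:Name"
    values = ["app-vpc"]
  }
}

# One dedicated subnet per function, so the SmartGroup for gatus_lambda
# resolves to this CIDR alone rather than to subnets shared with other code.
resource "aws_subnet" "gatus_lambda" {
  vpc_id     = data.aws_vpc.app.id
  cidr_block = "10.20.200.0/26"   # constructed; not shared with other functions
  tags       = { Name = "gatus-lambda-subnet" }
}

resource "aws_security_group" "gatus_lambda" {
  name   = "gatus-lambda-sg"
  vpc_id = data.aws_vpc.app.id

  # Lambda needs no inbound rules; outbound is left open here and narrowed
  # by the DCF policy, which evaluates the SmartGroup CIDR.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_lambda_function" "gatus_lambda" {
  function_name = "gatus_lambda"      # the name the SmartGroup selector matches
  role          = var.lambda_role_arn
  handler       = "main.handler"
  runtime       = "python3.12"
  filename      = "gatus_lambda.zip"  # constructed deployment artifact

  vpc_config {
    subnet_ids         = [aws_subnet.gatus_lambda.id]
    security_group_ids = [aws_security_group.gatus_lambda.id]
  }
}
```

The subnet still needs a route out of the VPC for the function to reach anything; DCF only filters traffic that actually transits the customer-owned VPC.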

Business Impact

  • Improved security posture: Gain visibility and control over outbound traffic from ephemeral serverless workloads

  • Operational efficiency: Automate policy enforcement for serverless resources using infrastructure as code

  • Compliance alignment: Reduce risk of data exfiltration and address misconfigurations through centralized policy management