Distributed Cloud Firewall and Transit Egress

Aviatrix now supports Distributed Cloud Firewall enforcement on Transit Egress, allowing you to apply DCF rules on a centralized egress gateway. This feature is designed to enhance egress traffic management in multi-cloud environments by enabling consistent policy enforcement and inspection across all connected gateways.

This feature is useful for customers who previously used Aviatrix legacy FQDN to create centralized egress gateways, either with an Aviatrix Transit Gateway with FireNet enabled or an AWS Transit Gateway (TGW) with FireNet enabled.

The Enforcement on Transit Egress feature allows you to enforce DCF rules on a centralized gateway—typically a standalone (FQDN) gateway deployed in a Transit FireNet—rather than at the edge. DCF rules are enforced on traffic from Spoke and Transit gateways connected to the Transit Egress gateway, ensuring consistent policy enforcement and inspection across your environment.

This feature is supported in Controller version 8.1 and later. It is not available in earlier versions.

Key Capabilities

  • Centralized Deployment: DCF can now be deployed on a Transit gateway with egress enabled, which enforces both Layer 4 and Layer 7 egress policies at a single point.

  • Policy Enforcement: All Transit Egress gateways will receive the full set of DCF egress policies. This ensures consistent inspection across multi-region deployments.

  • Proximity-Based Routing: Traffic is inspected based on proximity—workloads exit through the nearest Transit Egress gateway, which enforces the appropriate policies.

Logging and Visibility

  • Permit Logging: Logging is currently functional for permitted and denied traffic.

  • Log Details: Logs from the centralized egress gateway include SNI information and web group matches, confirming that enforcement is occurring at the gateway level.

Prerequisites

  • Enable Transit Egress Capability on your Transit gateway and configure it as a Transit FireNet gateway.

Key Enforcement Behaviors

If the Enforcement on Transit Egress feature is enabled, the following behaviors apply:

  • Automatic Rule Enforcement: Once a DCF rule is created and enforced, it is automatically pushed to Transit Egress gateways configured for outbound inspection.

  • Centralized Policy, Distributed Execution: DCF policies are enforced on the Transit Egress gateway. This means that the rules are enforced on traffic from connected Spoke and Transit gateways, ensuring consistent security across all egress traffic without needing to deploy rules on each individual gateway.

    If there are multiple Transit FireNets, the egress rules are pushed to all gateways in all Transit FireNets, ensuring consistent enforcement across the network.

Centralized Egress Use Case

In Transit Egress scenarios:

  • A single set of SNAT rules is applied across all connected gateways, simplifying policy management and reducing operational complexity.

  • A default route (0.0.0.0/0) is programmed to send outbound traffic from Spoke VPCs to a centralized egress gateway.

  • DCF rules applied to this gateway determine whether traffic is allowed, denied, or logged.

Best Practices

  • Use the Public Internet SmartGroup instead of 0.0.0.0/0 for egress destinations.

  • Place catch-all rules (e.g., Global-Catch-All) at the bottom of the rule hierarchy to ensure specific rules are evaluated first.

  • Log deny and egress rules for visibility.
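As an added illustration (not Aviatrix code), the following Python models first-match evaluation of an ordered DCF egress rule list to show why the catch-all belongs last and what changes when a destination is 0.0.0.0/0 rather than the Public Internet SmartGroup. The SmartGroup definitions (Public Internet modelled as all non-RFC 1918 space), the rule fields, the WebGroup match on SNI and the sample addresses are assumptions constructed for this example.

```python
import ipaddress

# Assumption: the "Public Internet" SmartGroup is modelled as every address outside
# RFC 1918 space; "Anywhere" models a 0.0.0.0/0 destination.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_smartgroup(group, dst_ip):
    addr = ipaddress.ip_address(dst_ip)
    if group == "Anywhere":
        return True
    if group == "Public-Internet":
        return not any(addr in net for net in RFC1918)
    return addr in ipaddress.ip_network(group)  # a plain CIDR SmartGroup

def webgroup_matches(domains, sni):
    """L7 match: the TLS SNI equals a WebGroup domain or is a subdomain of one."""
    if sni is None:
        return False
    return any(sni == d or sni.endswith("." + d) for d in domains)

def evaluate(rules, dst_ip, sni=None):
    """Walk the ordered rule list; the first rule whose destination SmartGroup and
    (optional) WebGroup both match decides the verdict.
    Returns (rule name, action, logged), or ("no-match", None, False)."""
    for rule in rules:
        if not in_smartgroup(rule["dst"], dst_ip):
            continue
        if "webgroup" in rule and not webgroup_matches(rule["webgroup"], sni):
            continue
        return rule["name"], rule["action"], rule.get("log", False)
    return "no-match", None, False

# Constructed rules: one specific L7 permit and two catch-all variants.
ALLOW_UPDATES = {"name": "allow-os-updates", "dst": "Public-Internet",
                 "webgroup": ["ubuntu.com"], "action": "PERMIT", "log": True}
CATCH_ALL = {"name": "Global-Catch-All", "dst": "Public-Internet",
             "action": "DENY", "log": True}
ANYWHERE_CATCH_ALL = {"name": "Anywhere-Catch-All", "dst": "Anywhere",
                      "action": "DENY", "log": True}

RECOMMENDED = [ALLOW_UPDATES, CATCH_ALL]            # specific rule first, catch-all last
CATCH_ALL_FIRST = [CATCH_ALL, ALLOW_UPDATES]        # catch-all shadows the permit
USES_ANYWHERE = [ALLOW_UPDATES, ANYWHERE_CATCH_ALL] # 0.0.0.0/0 also hits private destinations

if __name__ == "__main__":
    # 203.0.113.10 is a constructed TEST-NET-3 address standing in for a public host.
    print("recommended:    ", evaluate(RECOMMENDED, "203.0.113.10", "archive.ubuntu.com"))
    print("catch-all first:", evaluate(CATCH_ALL_FIRST, "203.0.113.10", "archive.ubuntu.com"))
    print("private dst, Public-Internet catch-all:", evaluate(RECOMMENDED, "10.20.0.5"))
    print("private dst, 0.0.0.0/0 catch-all:     ", evaluate(USES_ANYWHERE, "10.20.0.5"))
```

With the catch-all placed first, the specific permit is never reached, and with a 0.0.0.0/0 destination the catch-all also matches traffic to private space that the Public Internet SmartGroup leaves untouched.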

Known Limitations

  • This feature is designed for egress traffic only. It does not support ingress inspection or east-west traffic filtering.

  • While this feature leverages components of FireNet, it does not offer full FireNet capabilities such as traffic redirection or ingress inspection.

  • If Enforcement on Transit Egress is disabled, any DCF rules that contain WebGroups will not enforce L7 traffic on Spoke gateways.