Monitoring Egress Traffic
Controller 8.0 and enablement of the DCF feature are required to monitor VPC/VNets.
On the Security > Egress > Egress VPC/VNets tab, you can monitor onboarded VPC/VNets, which applies egress to them and monitors their traffic to the Internet.
Prerequisites
Before attempting to monitor your egress traffic:
- Ensure that your IAM policies are up to date (for AWS)
- Ensure that ports 50441-50443 on CoPilot are open to the Aviatrix Controller
- Ensure that the VPC/VNet you want to monitor does not have a customized SNAT configuration
- If you have a GCP cloud account, ensure that these APIs are enabled:
  - Container: container.googleapis.com
  - Cloud Resource Manager: cloudresourcemanager.googleapis.com
Monitoring VPC/VNets
When you monitor your VPC/VNets, the following actions are performed:
- Local egress is applied
- Default route is modified
- SNAT is enabled
- Monitor-VPCs Watch Rules are created in the Egress Protection Policy List ruleset against the selected VPC/VNets:
  - Monitor-VPCs-ICMP-Rule
  - Monitor-VPCs-UDP-Rule
  - Monitor-VPCs-Domains-Rule
- VPC/VNets are added to the Monitored-VPCs SmartGroup
To monitor VPC/VNets:
- On the Security > Egress > Egress VPC/VNets tab, do one of the following:
  - Select one or more VPC/VNets and then select Monitor from the Actions menu.
  - Click Monitor in the Recommended Action column next to a VPC/VNet.
  The Monitor VPC/VNets dialog displays.
- Click Monitor.
The status changes to Monitored for this VPC/VNet on the Egress VPC/VNets tab. This may take a minute or two to complete.
A timestamp is displayed next to the VPC/VNet on the Egress VPC/VNets tab to indicate how long it has been monitored.
Disabling Monitoring of Egress Traffic
To disable monitoring for all VPC/VNets, go to Security > Distributed Cloud Firewall > Policies and delete the Monitor-VPCs Watch Rules that were created when monitoring was enabled. You cannot disable monitoring for individual VPC/VNets.