Monitoring Egress Traffic

Controller 8.0 and enablement of the DCF feature are required to monitor VPC/VNets.

Before attempting to monitor your egress traffic:

  • Ensure that your IAM policies are up to date (for AWS)

  • Ensure that ports 50441-50443 on CoPilot are open to the Aviatrix Controller

  • If you have a GCP cloud account, ensure that these APIs are enabled:

    • Container: container.googleapis.com

    • Cloud Resource Manager: cloudresourcemanager.googleapis.com

On the Security > Egress > Egress VPC/VNets tab, you monitor onboarded VPC/VNets: monitoring applies egress to the selected VPC/VNets and tracks their traffic to the Internet.

Monitoring your VPC/VNets:

  • Applies local egress

  • Modifies the default route

  • Enables SNAT

  • Creates Monitor-VPCs Watch Rules (in the V1 Policy List if you are on Controller 8.0) against the selected VPC/VNets:

    • Monitor-VPCs-ICMP-Rule

    • Monitor-VPCs-UDP-Rule

    • Monitor-VPCs-Domains-Rule

  • Adds the VPC/VNets to the Monitored-VPCs SmartGroup

To monitor VPC/VNets:

  1. On the Security > Egress > Egress VPC/VNets tab, do one of the following:

    • Select one or more VPC/VNets and then select Monitor from the Actions menu.

    • Click Monitor in the Recommended Action column next to a VPC/VNet.

    The Monitor VPC/VNets dialog displays.

  2. Click Monitor.

The status changes to Monitored for this VPC/VNet on the Egress VPC/VNets tab.

A timestamp is displayed next to the VPC/VNet on the Egress VPC/VNets tab to indicate how long it has been monitored.

Disabling Monitoring of Egress Traffic

You disable monitoring for all VPCs/VNets by going to Security > Distributed Cloud Firewall > Policies and deleting the Monitor-VPCs Watch Rules that were created when monitoring was enabled. You cannot disable monitoring for individual VPC/VNets.