Enabling Local Egress

On the Security > Egress > Egress VPC/VNets tab you can enable Local Egress on selected Spoke VPC/VNets that do not already have Egress enabled, and that are not attached to a Transit FireNet gateway.

Enabling Local Egress on a VPC/VNet does the following:

  • Changes the default route on the VPC/VNet to point to the Spoke Gateway

  • Enables SNAT

If a WebGroup is already configured on a VPC/VNet, make sure that at a minimum they have the following instance size or larger before enabling Local Egress:

  • VPC (AWS): t3.medium

  • VNet (Azure): Standard_B2ms

Ensure that the Spoke gateway has additional CPU resources available to support Local Egress.

Controller 8.0 and enablement of the DCF feature are required to enable Local Egress as described below. If neither of these is present, click the Local Egress on VPC/VNets button on the Egress VPC/VNets tab and then select the VPC/VNets.

To enable Local Egress:

  1. On the Security > Egress > Egress VPC/VNets tab, do one of the following:

    • Select one or more VPC/VNets and then select Enable Local Egress from the Actions menu.

    • Click the vertical ellipsis next to a VPC/VNet and select Enable Local Egress.

      The Enable Local Egress on VPC (VNets) dialog displays.

  2. Click Enable to acknowledge that enabling local egress changes the default route and enables SNAT.

    After enabling local egress, the status of the VPC/VNet changes from No Egress to Unprotected.

If you select a VPC/VNet that is part of a Transit Egress this overrides the Transit Egress.

You cannot enable egress on Global VPCs because SNAT is not currently supported for Global VPCs.
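
One way to confirm on AWS that the default route now points to the Spoke Gateway, as an added example that is not Aviatrix code: the script classifies the 0.0.0.0/0 route of every route table in `aws ec2 describe-route-tables` JSON output. It assumes the route targets the Spoke gateway's instance ID or network interface ID; the sample document and all IDs in it are constructed.

```python
import json

# Constructed sample shaped like `aws ec2 describe-route-tables` output.
# All IDs are made up for illustration.
SAMPLE = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-0aaa", "Routes": [
    {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0spoke01",
     "NetworkInterfaceId": "eni-0spoke01", "State": "active"}]},
  {"RouteTableId": "rtb-0bbb", "Routes": [
    {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123", "State": "active"}]},
  {"RouteTableId": "rtb-0ccc", "Routes": [
    {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-0spoke01",
     "State": "blackhole"}]},
  {"RouteTableId": "rtb-0ddd", "Routes": [
    {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"}]}
]}
""")

# Route fields that can name the next hop of a route.
TARGET_KEYS = ("InstanceId", "NetworkInterfaceId", "NatGatewayId",
               "TransitGatewayId", "GatewayId")

def classify_default_routes(doc, gateway_ids):
    """Map each route table ID to how its 0.0.0.0/0 route leaves the VPC."""
    result = {}
    for table in doc["RouteTables"]:
        default = next((r for r in table["Routes"]
                        if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
        if default is None:
            result[table["RouteTableId"]] = "no-default-route"
            continue
        targets = {default[k] for k in TARGET_KEYS if k in default}
        if default.get("State") != "active":
            status = "blackhole"          # target is gone: traffic is dropped
        elif targets & set(gateway_ids):
            status = "via-spoke-gateway"  # the result Local Egress should produce
        else:
            status = "bypasses-gateway:" + ",".join(sorted(targets))
        result[table["RouteTableId"]] = status
    return result

def needs_review(doc, gateway_ids):
    """Route tables with a default route that is not an active path via the gateway."""
    statuses = classify_default_routes(doc, gateway_ids)
    return sorted(rt for rt, s in statuses.items()
                  if s not in ("via-spoke-gateway", "no-default-route"))

if __name__ == "__main__":
    print(classify_default_routes(SAMPLE, {"i-0spoke01", "eni-0spoke01"}))
```

Running the same check after removing Local Egress shows whether the default route was reset away from the Spoke gateway.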

Removing Local Egress

The following occurs when you remove Local Egress support:

  • SNAT is disabled

  • Default route is reset to Transit Egress (if the Spoke gateway is attached to a Transit FireNet that has Egress enabled) or Native Cloud Egress

  • Any Spoke gateways

To remove Local Egress from a Spoke gateway:

  1. On the Security > Egress > Egress VPC/VNets tab, do one of the following:

    • Select one or more VPC/VNets and then select Remove Local Egress from the Actions menu.

    • Click the vertical ellipsis next to a VPC/VNet and select Remove Local Egress.

      The Enable Local Egress on VPC (VNets) dialog displays.

  2. Select the checkbox to confirm that the selected VPC/VNet(s) no longer has Local Egress protection.

  3. Click Remove.