About Egress Security Score

Controller 8.0 is required to view the Egress Security Score.

When you choose to monitor your VPC/VNets, this information is added to your egress security score. The Egress Security Score card shows you how well your VPC/VNets are protected.

Each VPC/VNet is assigned an egress security score based on the calculation explained below. The higher the egress security score, the better protected your VPC/VNets are.

Click Manage VPC/VNets to open the Egress VPC/VNets tab and manage the protection of your VPC/VNets.

Egress Security Score Calculation

You can create Default Deny rules for specific VPC/VNets to protect your VPC/VNets.

  • Egress Score = (Sum of all scores of individual non-ignored VPCs or VNets / Total number of non-ignored VPCs) * 100
  • 0 is the lowest score for a VPC/VNet
  • 1 is the highest score for a VPC/VNet
  • Gateway subnets are excluded
  • In AWS, focus on routes that have a next hop of "nat-*".

| VPC Status | Egress | Protection | Monitoring | Score | Definition | Protection Status |
|---|---|---|---|---|---|---|
| Unmanaged | Yes | N/A | N/A | 0 | Networking and Security not managed by Aviatrix | N/A |
| Unmanaged | Yes | Partial/Full | Unknown | 0 | No Aviatrix gateways in the VPC/VNet; VPC route points to the internet via a native egress point | Unprotected |
| Onboarded | Yes | None (0) | None (0) | 0 | VPC has Aviatrix deployed AND has direct access to internet AND NO traffic to the internet is logged | Unprotected |
| Onboarded | Yes | None (0) | Partial (.125) | .13 | VPC has Aviatrix deployed AND has direct access to internet AND SOME traffic to the internet is logged | Monitored |
| Onboarded | Yes | None (0) | Full (.25) | .25 | VPC has Aviatrix deployed AND has direct access to internet AND ALL traffic to the internet is logged | Monitored |
| Onboarded | Yes | Partial (.375) | None (0) | .38 | VPC has Aviatrix deployed AND SELECTIVE traffic to internet is blocked and NO traffic to the internet is logged | Partially Protected |
| Onboarded | Yes | Partial (.375) | Partial (.125) | .5 | VPC has Aviatrix deployed AND SELECTIVE traffic to internet is blocked AND SOME traffic to internet is logged | Partially Protected |
| Onboarded | Yes | Partial (.375) | Full (.25) | .63 | VPC has Aviatrix deployed AND SELECTIVE traffic to internet is blocked AND ALL traffic to internet is logged | Partially Protected |
| Onboarded | Yes | Full (.75) | None (0) | .75 | VPC has Aviatrix deployed AND SELECTIVE traffic to internet is blocked with Default Deny AND SOME traffic to internet is logged | Fully Protected |
| Onboarded | Yes | Full (.75) | Partial (.125) | .88 | VPC has Aviatrix deployed AND SELECTIVE traffic to internet is blocked with Default Deny AND SOME traffic to the internet is logged | Fully Protected |
| Onboarded | Yes | Full (.75) | Full (.25) | 1 | VPC has Aviatrix deployed AND SELECTIVE traffic to internet is blocked with Default Deny AND ALL traffic to internet is logged | Fully Protected |
| Any | None | N/A (.75) | N/A (.25) | 1 | VPC does NOT have direct access to internet | No Egress |
| Any | Yes | Unknown; assume traffic is partially protected (.375) | Unknown; assume traffic is fully monitored (.25) | .63 | VPC has a route to the internet but the destination is not a native Egress point (administrator should verify that the traffic is sent to a destination that is actively filtering traffic) | Unknown |
| Any + Ignore | Any | Any | Any | N/A | VPC is ignored from Egress Score calculation | Ignored |
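
The calculation above, worked through as an added Python example (not Aviatrix code): it applies the table's Protection and Monitoring weights to each VPC/VNet, averages the non-ignored ones, and shows how adding Default Deny or re-including an ignored VPC/VNet moves the result. The field names, the sample fleet, the order in which overlapping rows are checked, and the use of unrounded sums (the table displays rounded values such as .13 and .63) are assumptions.

```python
# Added example: weights copied from the score table on this page.
PROTECTION = {"none": 0.0, "partial": 0.375, "full": 0.75}
MONITORING = {"none": 0.0, "partial": 0.125, "full": 0.25}


def vpc_score(vpc):
    """Score one VPC/VNet on the 0..1 scale; None means it is ignored."""
    if vpc.get("ignored"):
        return None  # "Ignored" row: left out of the calculation
    if not vpc["egress"]:
        return 1.0  # "No Egress" row: no direct access to the internet
    if vpc.get("non_native_route"):
        # "Unknown" row: assume partial protection and full monitoring.
        # Checking this before the status is an assumption (row says "Any").
        return PROTECTION["partial"] + MONITORING["full"]
    if vpc["status"] == "unmanaged":
        return 0.0  # both "Unmanaged" rows score 0
    return PROTECTION[vpc["protection"]] + MONITORING[vpc["monitoring"]]


def egress_score(vpcs):
    """(sum of non-ignored scores / number of non-ignored VPC/VNets) * 100."""
    scores = [s for s in map(vpc_score, vpcs) if s is not None]
    if not scores:
        return None  # nothing left to score once ignored entries are dropped
    return sum(scores) / len(scores) * 100


def with_change(vpcs, name, **changes):
    """Return a copy of the fleet with one VPC/VNet's fields changed."""
    return [{**v, **changes} if v.get("name") == name else v for v in vpcs]


# Constructed sample fleet (names and field layout are hypothetical).
FLEET = [
    {"name": "prod", "status": "onboarded", "egress": True, "protection": "full", "monitoring": "full"},
    {"name": "dev", "status": "onboarded", "egress": True, "protection": "partial", "monitoring": "none"},
    {"name": "legacy", "status": "unmanaged", "egress": True},
    {"name": "isolated", "status": "onboarded", "egress": False},
    {"name": "sandbox", "status": "onboarded", "egress": True, "protection": "none", "monitoring": "none", "ignored": True},
]

if __name__ == "__main__":
    print("current score:", egress_score(FLEET))
    print("dev with Default Deny:", egress_score(with_change(FLEET, "dev", protection="full")))
    print("sandbox included again:", egress_score(with_change(FLEET, "sandbox", ignored=False)))
```

Excluding an unprotected VPC/VNet raises the aggregate without changing any traffic handling, so the list of ignored VPC/VNets is worth reviewing alongside the score itself.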

Including VPC/VNets in the Egress Security Score

You can include selected VPC/VNets in the Egress Security Score calculation.

On the Security > Egress > Egress VPC/VNets tab, click the vertical ellipsis next to the VPC/VNet and select Include in Egress Score. The VPC/VNet will be included in the Egress Security Score calculation.

Excluding VPC/VNets from the Egress Security Score

You can exclude selected Unprotected VPC/VNets from being included in the Egress Security Score calculation.

On the Security > Egress > Egress VPC/VNets tab, click the vertical ellipsis next to the VPC/VNet and select Exclude From Egress Score. The VPC/VNet will not be included in the Egress Security Score calculation.