About Public Subnet Filtering Gateways

Public Subnet Filtering Gateways (PSF gateways) are a type of Speciality Gateway that provides ingress and egress security for AWS public subnets where instances have public IP addresses.

If you enabled the Distributed Cloud Firewall (DCF) feature in Controller version 7.2.4820, the DCF on PSF Gateways feature is also available (you must enable it from the Security > Distributed Firewall > Settings tab). These features enable you to create SmartGroups that contain PSF Gateway VPCs, and to then use those SmartGroups in DCF rules that allow or block specific traffic from being sent to or from the public subnet.

Prior to Controller version 7.2.4820 you used AWS GuardDuty and the Egress FDQN Legacy feature to protect the public subnets and filter traffic. You should only continue using these tools if you have not purchased and enabled the DCF feature.

Creating a Public Subnet Filtering Gateway (AWS)

To create a Public Subnet Filtering (PSF) Gateway:

  1. In CoPilot, navigate to Cloud Fabric > Gateways > Specialty Gateways tab.

  2. Click + Gateway and select Public Subnet Filtering Gateway.

  3. Provide the following information to set up your Public Subnet Filtering Gateway.

    Parameter Description

    Name

    Enter a name for this new PSF gateway.

    Cloud

    Use the dropdown menu to select AWS Standard, GovCloud, or China.

    Account

    Select the cloud access account for this gateway.

    Region

    Select the cloud region in which to create this gateway.

    VPC

    Select the VPC in the selected region in which to create this gateway.

    Instance Size

    Select the gateway instance size.

    The gateway instance size must be at least t3.medium if you want to create a DCF rule to apply to a PSF gateway, and you select Intrusion Detection or TLS Decryption when creating that rule.

    Attach to Unused Subnet

    Aviatrix Controller creates a public subnet and creates a route table associated with the subnet to launch the PSF gateway.

    Route Table

    Select route tables whose associated public subnets are protected.

    Route tables must be selected here to be monitored and enforced by any DCF rules the PSF gateway is part of.

  4. Click Save.

After the Public Subnet Filtering Gateway is deployed, Ingress traffic from IGW is routed to the gateway in a pass through manner. Egress traffic from instances in the protected public subnets is routed to the gateway in a pass through manner.

Editing a Public Subnet Filtering Gateway

To edit a Public Subnet Filtering (PSF) Gateway:

  1. Go to Cloud Fabric > Gateways > Specialty Gateways.

  2. Find the PSF gateway you want to modify and click the Edit 25icon.

  3. Edit the gateway’s configuration as needed. See Public Subnet Filtering Gateway Settings for more instructions on PSF gateway settings.

  4. Click Save.

Deleting a Public Subnet Filtering Gateway

Remove any attachments to other Specialty Gateways before deleting.

To delete a Public Subnet Filtering (PSF) Gateway:

  1. Go to Cloud Fabric > Gateways > Specialty Gateways.

  2. In the row of the PSF gateway you want to delete, click the Delete 25icon.

  3. To delete the PSF Gateway, confirm that you want to delete the selected PSF Gateway and click Delete.