Secure Networking with Distributed Cloud Firewall

Distributed Cloud Firewall uses micro-segmentation to provide granular network security policies for distributed applications in the Cloud. Distributed Cloud Firewall enables network policy enforcement between SmartGroups you define in a single cloud or across multiple clouds. In Distributed Cloud Firewall, a SmartGroup represents a logical grouping of your applications. The application(s) you include in a SmartGroup can span different cloud accounts, regions, and VPC/VNets within your Aviatrix multicloud network. You can configure policies to filter traffic between applications residing in the SmartGroups.

Distributed Cloud Firewall is supported for AWS, Azure, and GCP.

Under Security > Distributed Cloud Firewall, you can:

Spoke Gateway Sizing

Distributed Cloud Firewall is supported on the following gateway types:

  • Spokes attached to a Transit gateway

  • Spokes detached from a Transit gateway

Recommended Spoke gateway sizing is provided in the following table.

Gateway Size L4 Policy WebGroups IDS

t3.micro or equivalent

Yes (non-production only)

No

No

t3.small or equivalent

Yes

Yes

No

t3.medium or larger

Yes

Yes

Yes

Distributed Cloud Firewall can be used to control Egress traffic by enabling Source NAT on the gateway configuration, and creating policies with WebGroups.

As of Controller 7.1 and CoPilot 3.11, Distributed Cloud Firewall with WebGroups is the recommended method for configuring and implementing Egress Security.

This document describes Egress functionality available in the Aviatrix Controller in Controller 7.1/CoPilot 3.11 and later. For information on configuring the legacy Egress FQDN solution, click here.

Distributed Cloud Firewall is in Preview mode for earlier Controller versions. See Aviatrix Feature Availability by Controller Version for more information.

Micro-Seg Topology

Use Cases

Use cases where you might implement Distributed Cloud Firewall are:

  • Workload isolation: in a typical tiered application, you may want to isolate tiers that do not require access to each other. For example, in a Shopping Cart application, there could be workloads for product inventory, billing, and a Product Logging app. Since the Shopping Cart application does not need to communicate with the Product Logging app, this traffic should be blocked.

  • Quarantine compromised machines: You can isolate a compromised machine by placing it in its own SmartGroup and blocking communication to that SmartGroup.

Enabling the Distributed Cloud Firewall Feature

If you see a message on the Distributed Cloud Firewall page (Security > Distributed Cloud Firewall) that you require the Aviatrix Universal Subscription, in the cloud marketplace you must subscribe to and accept terms for the correct Aviatrix subscription:

  • In AWS, subscribe to the Aviatrix Cloud Network License Service offer.

  • In Azure or GCP, subscribe to the Aviatrix Secure Networking Platform 2208-Universal 24x7 Support offer.

Take note of your Customer ID for this offer.

If there is no pre-existing customer ID (you are a new user), you entered this customer ID when logging on to CoPilot. You do not need to reset the Customer ID on the License tab before enabling the feature.

If you have already subscribed to the Aviatrix Universal Subscription license, you do not need to subscribe again. You can just enable the feature from Configuration > Settings > License in CoPilot.

After subscribing to the license (if you are a new user), do the following to enable the Distributed Cloud Firewall feature:

  1. In CoPilot, go to Settings > Configuration > License.

    controller-customer-id-field
  2. In the Add-on Features list, click Enable for the Distributed Cloud Firewall feature.

Enabling the Feature after Changing Licenses

If you are a current user and you change licenses, you must reset the Customer ID before enabling the feature:

  1. After subscribing to the new license, log on to CoPilot and go to Settings > Configuration > License.

  2. Click Reset next to Customer ID.

  3. Enter the new customer ID.

  4. Select the I understand the implications checkbox.

  5. Click Reset.

  6. Under Add-on Features, enable the feature.

Distributed Cloud Firewall Greenfield Rule

If you have not yet configured Distributed Cloud Firewall, when you first navigate to the Distributed Cloud Firewall > Rules tab you are prompted to begin using the feature.

If you have already started using Distributed Cloud Firewall, you can skip this section.

300
You must first have created your WebGroups.
  1. Click Begin Using Distributed Firewall.

  2. A message displays indicating that a Greenfield Rule will be created to allow traffic that maintains the current state, which facilitates the creation of custom rules for specific security needs.

  1. Click Begin. The Greenfield Rule is added to the Rules list. This rule prevents traffic from being dropped before you start configuring the rest of your rules. By default (if you selected the recommended Permit All Traffic option), the rule has the following attributes:

    • Source/Destination SmartGroups: Anywhere (0.0.0.0/0)

    • Protocol: Any

    • Action: Permit

    • Logging: On

After you create additional rules you can move the Greenfield Rule where needed in your rule priority list.

You can delete the rule later if desired.

The Greenfield Rule is only enforced on gateways, and not on Security Groups in the cloud.

Editing the Greenfield Rule

To edit the Greenfield Rule, click the pencil icon next to the rule. You can edit the following fields and click Save in Drafts.

  • Source and Destination SmartGroups

  • Protocol

  • Action: Deny or Accept

  • TLS Encryption: On/Off

  • Enforce: On/Off

  • Logging: On/Off

  • Rule Priority

When you are ready to commit the rule, click Commit.

Deleting the Greenfield Rule

You can delete the Greenfield Rule after creating other rules.

Distributed Cloud Firewall Prerequisites

Before applying Distributed Cloud Firewall:

  • Your version of CoPilot must be 2.0 or greater.

  • Your version of Aviatrix Controller must be 6.7 or greater.

  • Gateways must have their image updated to version 6.7 or greater.

  • Network reachability should be configured between the VPCs that contain applications that require connectivity. You configure network reachability using Connected Transit/MCNS.

  • If you plan to use Cloud Tags in your SmartGroups, Cloud resources must be tagged appropriately.

  • You must have already created WebGroups, if you want to use them in your Distributed Cloud Firewall configuration.

  • If you select a WebGroup when creating a rule, the Destination SmartGroup must be 'Public Internet'. Any Spoke gateways that are part of the Source SmartGroup must contain a VPC/VNet Resource Type that has Local Egress enabled (Spoke gateway).

Intrusion Detection

If you plan to enable Intrusion Detection in a Distributed Cloud Firewall policy, remember:

  • IDS cannot be applied to east-west traffic if HA VPC/VNets are being used.

  • IDS can work with HA for egress traffic.

Distributed Cloud Firewall Components

Distributed Cloud Firewall introduces two important configuration componentsā€”SmartGroups and policies.

Configuring Distributed Cloud Firewall

To configure Distributed Cloud Firewall, click here.