Distributed Cloud Firewall Prerequisites

Before applying Distributed Cloud Firewall:

  • Your version of CoPilot must be 2.0 or greater.

  • Your version of Aviatrix Controller must be 6.7 or greater.

  • Gateways must have their image updated to version 6.7 or greater.

  • Network reachability should be configured between the VPCs that contain applications that require connectivity. You configure network reachability using Connected Transit/MCNS.

  • If you plan to use Cloud Tags in your SmartGroups, Cloud resources must be tagged appropriately.

  • You must have already created WebGroups, if you want to use them in your Distributed Cloud Firewall configuration.

  • If you select a WebGroup when creating a rule, the Destination SmartGroup must be 'Public Internet'. Any Spoke gateways that are part of the Source SmartGroup must contain a VPC/VNet Resource Type that has Local Egress enabled (Spoke gateway).

Intrusion Detection

If you plan to enable Intrusion Detection in a Distributed Cloud Firewall policy, remember:

  • IDS cannot be applied to east-west traffic if HA VPC/VNets are being used.

  • IDS can work with HA for egress traffic.