Validated Egress Filtering Design Guide for AWS, Azure and GCP

This document demystifies the different approaches and provides a framework to help practitioners map their egress filtering technical requirements (e.g., performance, high availability, cost) to one of four design implementations – providing a blueprint for a successful deployment.

Cloud applications with unrestricted access to Internet-based services expose your environment to risk, compliance violations and data exfiltration. Aviatrix Egress FQDN Filtering is a multi-cloud service that delivers centralized control over Internet-bound traffic from VPCs or VNets using Fully Qualified Domain Name (FQDN) filtering. Customers such as Avis, ReAssure, Chewy and VirginAtlantic have switched from NAT Gateway or software proxies to Aviatrix.

This Aviatrix Validated Design was created based on hundreds of egress filtering deployments in AWS, Azure, Google and Oracle clouds. The document demystifies the different approaches and provides a framework to help practitioners map their egress filtering technical requirements (e.g., performance, high availability, cost) to one of four design implementations:

  • Local (Distributed) Egress FQDN Filtering without Transit Networking
  • Local (Distributed) Egress FQDN Filtering with Aviatrix Transit
  • Centralized Egress FQDN Filtering
  • Centralized Egress FQDN Filtering with Cloud Provider Transit Gateway


Compare Aviatrix to Alternatives

| Capability | Aviatrix | Squid + NAT | AWS NAT Gateway |
|---|---|---|---|
| Highly Available; Fault Tolerant | Automatic | Using scripts and custom monitoring code | Automatic |
| Filter Traffic by IP Address | Yes | Yes | PARTIAL – must update security group of each instance (maximum 50 IPs) |
| Filter Traffic by FQDN | Yes | Yes | No |
| FQDN Filtering Using Wildcards | Yes | Yes | No |
| Supports HTTP/HTTPS Protocols | Yes | Yes | No |
| Supports Additional Protocols (sftp, ftp, icmp, etc.) | Yes | No | No |
| Egress Traffic Discovery | Yes | No | No |
| Central Management Console | Yes | NO – must manage each VPC separately | Yes |
| Integrated Audit Logging | Yes | Yes | PARTIAL – must use VPC flow logs |
| Non-Networking Engineer Friendly | Yes | No | Yes |
| Terraform Automation | Yes | No | Yes |

What makes Aviatrix Unique and Better?

Filter on domains, not just IPs

Native cloud constructs such as NAT Gateways only filter on IP address, not on Fully Qualified Domain Names (FQDN). This creates a gap in visibility and control for cloud operations and security teams.

Centralized Security Policies

Centrally manage distributed Egress FQDN filtering to deliver consistent, repeatable policies across all gateways and clouds. Easily customize specific VPC/VNets with unique requirements.

Log All Activity for Compliance

Achieve corporate and regulatory compliance for PCI, HIPAA and SOC2. Audit logs from the Aviatrix Controller are exportable to Splunk, Sumologic, and Datadog for reporting and event correlation.

When we discovered Aviatrix, we had an immediate need to secure access to Internet-based resources from our applications in the cloud. Aviatrix was simple to deploy and delivered exactly the solution we needed.

Chris Salomon,
Director of Software and Reliability Engineering