Implementing Egress in an Aviatrix-Managed Network

CoPilot shows traffic details for Egress, and provides a way to configure Egress rules to apply to your workloads.

As of Controller 7.1 and CoPilot 3.11, Distributed Cloud Firewall is the preferred method for configuring Egress in CoPilot. If you want to implement Egress this way, you must:

If you configured Egress (in Aviatrix Controller or CoPilot) prior to Controller 7.1/CoPilot 3.11, you continue configuring rules in the Aviatrix Controller with the Egress FQDN Filtering (Legacy) solution. If a Spoke Gateway already has FQDN enabled via the legacy solution in the Controller, it cannot be used in your Distributed Cloud Firewall configuration.

For more information on configuring the Egress FQDN Filtering (Legacy) solution, go here.

You can do the following regardless of whether you originally configured egress rules in Aviatrix Controller, or use Distributed Cloud Firewall with WebGroups:

Transit Egress

Aviatrix recommends that you only use the Transit Egress feature in CoPilot if you are currently using the Egress Control feature in Aviatrix Controller. New users should use the Distributed Cloud Firewall for Egress.

When you enable Egress on Transit Gateways, these gateways gather data from attached Spoke Gateways and send it to the Internet, provided that none of the attached Spoke Gateways have Egress enabled. Only Transit Gateways that have Transit Egress Capability enabled are available for Transit Egress.

Local Egress

Before enabling Egress Control on Spoke Gateways, ensure that you have created the additional CPU resources on the Spoke Gateway required to support Egress Control.

On the Egress VPC/VNets tab you enable Spoke Gateways to send traffic to the Internet. For example, a Spoke Gateway belonging to a SmartGroup that will be used in a Distributed Cloud Firewall egress rule needs to have Local Egress enabled.

When you add Egress Control here it changes the default route on the selected VPC/VNet to point to the Spoke Gateway, and enables SNAT.

When you enable Local Egress on Spoke Gateways, their traffic flow is visible in FlowIQ.


Alibaba Cloud is not supported.