General Guidelines for Migrating from Legacy Egress to Distributed Cloud Firewall
If you configured Egress FQDN filtering in the Aviatrix Controller, Aviatrix strongly recommends that you upgrade to Distributed Cloud Firewall (DCF) with its accompanying WebGroups functionality (available as of Controller version 7.1.1710). Once you migrate to DCF you can no longer use Legacy Egress FQDN. You should only migrate if you meet the prerequisites below.
Distributed Cloud Firewall allows for more granular security policies and a higher level of threat protection.
These are generalized guidelines only. Reach out to Aviatrix Support for assistance with this migration.
Comparison
Any Egress FQDN filters you created in the Aviatrix Controller under Security > Egress Control can be replaced by DCF rules.
Capability | Legacy Egress | DCF
---|---|---
FQDN filtering | Create tags and attach domains/gateways | WebGroups
Resources | Assigning Spoke Gateways to a tag | Create SmartGroups for your resource types (VPC/VNet, Subnets, Virtual Machines, IP/CIDR, External Connection)
Allow/Deny | Selecting Allowlist/Denylist after creating a tag | Selecting Allow or Deny when creating the DCF rule
Enforcement | Select Enabled/Disabled after creating the tag | Enforcing the DCF rule
In WebGroups, only leading wildcards (*.example.com) are currently supported. If a Legacy Egress FQDN filter contains a wildcard (asterisk) in the middle of the address, you can adjust the filter to use a leading wildcard instead. WebGroups are only supported on Spoke Gateways and Public Subnet Filtering (PSF) Gateways. If you are using Standalone Gateways (Specialty Gateways that are not PSF Gateways), you must redeploy these gateways as the Spoke type. If you are using FireNet Egress gateways, consider migrating to Distributed Egress in each VPC.
Prerequisites
If you do not currently meet the prerequisites for migration, continue using Legacy Egress.
- You can only migrate Egress FQDN filters that use the TLS/HTTP protocols and/or ports 80/443/8443. You can migrate filters that use the UDP protocol, but you must use a CIDR-based SmartGroup as the Destination in the DCF rule.
- Migration is only for FQDN filters on Spoke and Public Subnet Filtering Gateways.
- If you are using Hostname filtering in Legacy Egress:
  - If using the TCP protocol, you may be able to migrate if the traffic is TLS-encrypted (which is supported by WebGroups). Validate whether the traffic is supported by configuring a DCF rule with the Any-Web WebGroup, the TCP protocol, the specific ports, and Enforcement disabled. In DCF > Monitor, filter the logs for that specific rule. If the Domain field is populated in the DCF logs, this traffic can be migrated to use a WebGroup.
  - You may be able to migrate by using CIDR-based SmartGroups as the Destination if the filter can be represented as an IP address or a set of IP addresses.
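The prerequisites above and the wildcard rule in the Comparison section amount to a per-filter triage: which destination type each Legacy Egress entry maps to (WebGroup, CIDR-based SmartGroup, "validate with a non-enforced Any-Web rule first", or not migratable), and whether a non-leading wildcard can be rewritten. The script below is an added example that is not Aviatrix code: the record layout (`LegacyFilter`), the field and gateway-type names, the sample filters and the shape of the DCF log records are all constructed assumptions, so map them onto your own export and log format before use.

```python
"""Triage Legacy Egress FQDN filters against the DCF migration prerequisites.
Added example, not Aviatrix code: record layout, field names and sample
values are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Optional

WEB_PORTS = {80, 443, 8443}            # ports that WebGroups can filter
WEBGROUP_GATEWAYS = {"spoke", "psf"}   # WebGroups only work on Spoke and PSF gateways


@dataclass
class LegacyFilter:
    tag: str
    domain: str        # FQDN, may contain a wildcard
    protocol: str      # "tcp" or "udp"
    port: int
    gateway_type: str  # assumed values: "spoke", "psf", "standalone", "firenet"


@dataclass
class Plan:
    domain: str
    destination: str   # "webgroup", "cidr-smartgroup", "validate-first", "not-migratable"
    notes: list = field(default_factory=list)


def to_leading_wildcard(domain: str) -> Optional[str]:
    """Rewrite a wildcard that is not leading (api.*.example.com, foo*.example.com)
    into the leading form WebGroups support (*.example.com). Returns None when no
    suffix remains to anchor on (e.g. 'example.*'); such entries need manual review."""
    labels = domain.split(".")
    wildcard_idx = [i for i, label in enumerate(labels) if "*" in label]
    if not wildcard_idx:
        return domain
    suffix = labels[max(wildcard_idx) + 1:]
    if not suffix:
        return None
    return "*." + ".".join(suffix)


def plan_filter(f: LegacyFilter) -> Plan:
    """Decide how one legacy filter maps onto a DCF rule destination."""
    plan = Plan(domain=f.domain, destination="not-migratable")
    if f.gateway_type not in WEBGROUP_GATEWAYS:
        plan.notes.append(f"gateway type {f.gateway_type!r} cannot use WebGroups; "
                          "redeploy as Spoke (FireNet egress: consider Distributed Egress)")
        return plan
    if f.protocol == "udp":
        plan.destination = "cidr-smartgroup"
        plan.notes.append("UDP: destination must be a CIDR-based SmartGroup")
        return plan
    if f.protocol != "tcp":
        plan.notes.append(f"unsupported protocol {f.protocol!r}")
        return plan
    rewritten = to_leading_wildcard(f.domain)
    if rewritten is None:
        plan.notes.append("wildcard cannot become a leading wildcard; review manually")
        return plan
    if rewritten != f.domain:
        plan.domain = rewritten
        plan.notes.append(f"wildcard moved to leading position ({f.domain} -> {rewritten}); "
                          "the match is broader than before, review before enforcing")
    if f.port in WEB_PORTS:
        plan.destination = "webgroup"
    else:
        # non-web port: only TLS traffic exposes a hostname, so test before committing
        plan.destination = "validate-first"
        plan.notes.append("confirm the Domain field is populated in DCF > Monitor logs "
                          "for a non-enforced Any-Web test rule on this port")
    return plan


def domain_seen_in_logs(rule_name: str, log_records: list) -> bool:
    """True when every log record for rule_name carries a Domain value, i.e. the
    traffic is TLS-visible and can move to a WebGroup. log_records is a constructed
    list of dicts; real DCF log field names may differ."""
    matched = [r for r in log_records if r.get("rule") == rule_name]
    return bool(matched) and all(r.get("domain") for r in matched)


# Constructed sample input (not real customer data).
SAMPLE_FILTERS = [
    LegacyFilter("web-allow", "www.example.com", "tcp", 443, "spoke"),
    LegacyFilter("web-allow", "api.*.example.com", "tcp", 8443, "psf"),
    LegacyFilter("ntp-allow", "time.example.net", "udp", 123, "spoke"),
    LegacyFilter("db-allow", "db.example.org", "tcp", 5432, "spoke"),
    LegacyFilter("old-tag", "legacy.example.com", "tcp", 443, "standalone"),
]
SAMPLE_LOGS = [  # constructed records for a test rule named "tls-probe-5432"
    {"rule": "tls-probe-5432", "domain": "db.example.org", "port": 5432},
    {"rule": "tls-probe-5432", "domain": "", "port": 5432},
]

if __name__ == "__main__":
    for f in SAMPLE_FILTERS:
        p = plan_filter(f)
        print(f"{f.tag:10} {p.domain:22} -> {p.destination:16} {'; '.join(p.notes)}")
    print("tls-probe-5432 migratable to WebGroup:",
          domain_seen_in_logs("tls-probe-5432", SAMPLE_LOGS))
```

Run it against an export of your own tags: anything that lands in "validate-first" is exactly the case the Hostname-filtering prerequisite describes, and `domain_seen_in_logs` models the check that every hit for the non-enforced test rule carries a populated Domain field (one empty Domain, as in the sample, means the flow is not TLS-visible and should stay on a CIDR-based SmartGroup or on Legacy Egress).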
Preparation and Migration
Contact Aviatrix Support to prepare for and execute the migration process.