Enabling Transit Egress
You must have at least Controller version 7.0.1577 to use this feature. Aviatrix recommends that you only use the Transit Egress feature in CoPilot if you are currently using the Egress FQDN Filtering (Legacy) feature in Aviatrix Controller. New users should use the Distributed Cloud Firewall for Egress.
On the Transit Egress tab, you can enable Egress Control on Transit Gateways that have:
- Transit Egress Capability selected; they can be Transit FireNet Gateways (with firewalls attached as per the FireNet workflow).
- Attached Spoke Gateways that do not already have Egress enabled.
- Transit Egress Capability enabled but no enabled Gateway Load Balancer. The Gateway Load Balancer is not supported in the Transit Egress workflow.
This Transit Gateway can then send its attached Spoke Gateways' traffic to the Internet. The Spoke Gateways keep ownership of their own routes but forward all egress (Internet-bound) traffic to this Transit Gateway.
You can only edit AWS Transit gateways (on the Cloud Fabric > Gateways > Transit Gateways tab) to add Transit Egress Capability. The other cloud Transit gateways (Azure, GCP, OCI) cannot be edited to add this functionality. You must select the Transit Egress Capability when first creating Transit gateways in those cloud providers.
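Before opening the Transit Egress tab it helps to know which Transit gateways will actually be offered and what each ineligible one needs (an edit, a re-create, or a change on a Spoke). The following pre-flight check is an added example, not Aviatrix code and not an Aviatrix API; it encodes the three eligibility rules above plus the AWS-only "edit to add capability" caveat over a hand-constructed inventory (all gateway names are made up). It assumes that a single attached Spoke with Egress already enabled disqualifies the Transit, which is the stricter reading of the second rule.

```python
"""Pre-flight check for the CoPilot Transit Egress eligibility rules.

Added example; not Aviatrix code and not an Aviatrix API. The inventory below is
constructed by hand; in practice you would fill it from your own gateway listing.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Only AWS Transit gateways can be edited afterwards to add Transit Egress
# Capability; Azure, GCP and OCI must have it selected at creation time.
CLOUDS_EDITABLE_FOR_EGRESS = {"AWS"}


@dataclass
class SpokeGateway:
    name: str
    egress_enabled: bool = False  # True if legacy Egress FQDN is already enabled on this spoke


@dataclass
class TransitGateway:
    name: str
    cloud: str                           # "AWS", "Azure", "GCP" or "OCI"
    transit_egress_capability: bool
    gwlb_enabled: bool = False           # Gateway Load Balancer enabled (AWS/Azure only)
    spokes: List[SpokeGateway] = field(default_factory=list)


def assess_transit(tgw: TransitGateway) -> Tuple[str, List[str]]:
    """Classify one Transit gateway against the eligibility rules.

    Returns ("eligible", []) when Egress can be enabled on it now, otherwise
    ("blocked", [reasons...]) where each reason names the remediation.
    """
    reasons: List[str] = []

    # Rule 1: Transit Egress Capability must be selected.
    if not tgw.transit_egress_capability:
        if tgw.cloud in CLOUDS_EDITABLE_FOR_EGRESS:
            reasons.append("add Transit Egress Capability by editing the transit gateway")
        else:
            reasons.append(f"{tgw.cloud} transit gateway must be re-created with Transit Egress Capability")

    # Rule 2: an enabled Gateway Load Balancer is not supported in this workflow.
    if tgw.gwlb_enabled:
        reasons.append("Gateway Load Balancer is enabled; disable it or use a different transit")

    # Rule 3: attached spokes must not already have Egress enabled
    # (assumption: one such spoke is enough to disqualify the transit).
    already = sorted(s.name for s in tgw.spokes if s.egress_enabled)
    if already:
        reasons.append("disable Egress on spoke(s) first: " + ", ".join(already))

    return ("eligible" if not reasons else "blocked", reasons)


def assess_inventory(transits: List[TransitGateway]) -> Dict[str, Tuple[str, List[str]]]:
    """Run assess_transit over every Transit gateway, keyed by gateway name."""
    return {t.name: assess_transit(t) for t in transits}


# Constructed sample inventory (hypothetical names).
SAMPLE_TRANSITS = [
    TransitGateway("aws-transit-east", "AWS", True, False,
                   [SpokeGateway("aws-spoke-app"), SpokeGateway("aws-spoke-db")]),
    TransitGateway("aws-transit-west", "AWS", False, False,
                   [SpokeGateway("aws-spoke-legacy", egress_enabled=True)]),
    TransitGateway("azure-transit-1", "Azure", False, False, []),
    TransitGateway("azure-transit-gwlb", "Azure", True, True,
                   [SpokeGateway("azure-spoke-1")]),
]

if __name__ == "__main__":
    for name, (status, reasons) in assess_inventory(SAMPLE_TRANSITS).items():
        print(f"{name}: {status}")
        for reason in reasons:
            print(f"  - {reason}")
```

Only gateways reported as eligible will be usable in the Enable Egress on Transit dialog; the others list what has to change first, which for non-AWS gateways without the capability means re-creating the gateway rather than editing it.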
Configuring Transit Egress
- On the Security > Egress > Transit Egress tab, click Enable Egress on Transit.
- Configure the following fields:

Transit Gateway:
  Select a Transit or Transit FireNet gateway from the list.
Primary Egress (AWS only):
  Enable the selected Transit gateway to provide Egress control for its attached Spoke gateways.
Secondary Egress (AWS only):
  Enable the selected Transit gateway to send its egress traffic to the Primary Egress Transit gateway that is providing Egress control.
Attach Secondary Egress (AWS only):
  Select the Secondary Egress Transit gateways that will send their egress traffic to the Primary Egress Transit gateway.
Gateway Load Balancer (AWS and Azure only):
  Read-only; it reflects the gateway's existing setting:
  Off if you chose not to enable the Gateway Load Balancer for this AWS Transit gateway.
  On if you chose to enable the Gateway Load Balancer for this AWS Transit gateway.
  Off if you selected an Azure Transit gateway.
Egress (AWS and Azure only):
  On by default.
Egress VPC (GCP only):
  Select the Egress VPC for the GCP Transit gateway. This is the VPC used to send egress traffic to the Internet.
Egress Instance Size (AWS and Azure only):
  Select the instance size for the Egress instance. The size you select applies to every Egress Subnet you select.
Attach to Subnet:
  Select the Egress Subnet(s) to which the Transit gateway will attach.
Zone (GCP only):
  Select the zone in which the GCP Transit gateway will be deployed.
- Click Enable. This adds FQDN capability to the selected Transit gateway, which then handles egress traffic for the Spokes that send traffic to it.