Overview of Public Subnet Filtering/Ingress Gateway
Public Subnet Filtering Gateways (PSF gateways) provide ingress and egress security for AWS public subnets where instances have public IP addresses.
Egress FQDN is a legacy FQDN feature applied to the public subnets.
After a PSF gateway is deployed, you can configure its settings.
Deploying a Public Subnet Filtering Gateway (AWS)
To deploy a Public Subnet Filtering Gateway:
- In CoPilot, navigate to Cloud Fabric > Gateways > Speciality Gateways tab.
- Click +Gateway and select Public Subnet Filtering Gateway.
- Provide the following information to set up your Public Subnet Filtering Gateway.
  Parameter: Description
  Name: Enter a name for this new gateway.
  Cloud: Select the Cloud Service Provider (CSP) in which to create this gateway. When you select AWS, you can use the dropdown menu to select Standard, GovCloud, or China.
  Account: Select the cloud access account for this gateway.
  Region: Select the cloud region in which to create this gateway.
  VPC: Select the VPC in the selected region in which to create this gateway.
  Instance Size: Select the gateway instance size.
  Attach to Unused Subnet: Aviatrix Controller creates a public subnet and creates a route table associated with the subnet to launch the Public Subnet Filtering gateway.
  Route Table: Select a route table whose associated public subnets are protected.
- Click Save.
After the Public Subnet Filtering Gateway is deployed, ingress traffic from the IGW is routed to the gateway in a pass-through manner. Egress traffic from instances in the protected public subnets is also routed to the gateway in a pass-through manner.
Enabling Egress FQDN
Once the PSF gateway is launched, you can configure the FQDN feature.
In the Aviatrix Controller, navigate to Security > Egress Control and follow the instructions in the FQDN workflow.
Viewing Blocked Malicious IPs
After the Public Subnet Filtering (PSF) gateway is launched, view or block malicious IPs by going to Security > ThreatIQ.
The PSF gateway generates NetFlow data, which is fed to FlowIQ. ThreatIQ monitors FlowIQ for any matches, and then alerts or programs a block on the corresponding gateway.
Since PSF gateways are open to inbound Internet traffic, they can generate a lot of alerts even if traffic is blocked at a later step (such as a Security Group).
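One way to triage that alert volume, as an added example that is not Aviatrix code: correlate exported alerts with AWS VPC Flow Logs from the protected instances to see which flagged flows were accepted and which were rejected by a later control such as a Security Group. The alert field names and all sample data are constructed; the sketch assumes the default version 2 flow log format, that pass-through routing leaves the source address unchanged, and that alerts and flow records cover the same time window.

```python
from collections import defaultdict

# Field order of the default (version 2) AWS VPC Flow Log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: flow log lines from the ENIs of protected instances.
SAMPLE_FLOWS = [
    "2 123456789012 eni-0aaa 203.0.113.10 10.0.1.20 44321 22 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0bbb 198.51.100.7 10.0.1.30 51515 443 6 12 4096 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0aaa - - - - - - - 1700000060 1700000120 - NODATA",
]
# Constructed sample alerts; these field names are hypothetical, not a ThreatIQ schema.
SAMPLE_ALERTS = [
    {"src_ip": "203.0.113.10", "dst_ip": "10.0.1.20", "dst_port": 22},
    {"src_ip": "198.51.100.7", "dst_ip": "10.0.1.30", "dst_port": 443},
    {"src_ip": "192.0.2.99", "dst_ip": "10.0.1.20", "dst_port": 3389},
]

def flow_actions(lines):
    """Map (srcaddr, dstaddr, dstport) to the set of actions logged for it."""
    actions = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # header line or custom log format
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":  # NODATA/SKIPDATA carry no flow
            actions[(rec["srcaddr"], rec["dstaddr"], rec["dstport"])].add(rec["action"])
    return actions

def triage(alerts, flow_lines):
    """Bucket alerts by what happened at the instance: accepted, rejected, unknown."""
    actions = flow_actions(flow_lines)
    buckets = {"accepted": [], "rejected": [], "unknown": []}
    for alert in alerts:
        key = (alert["src_ip"], alert["dst_ip"], str(alert["dst_port"]))
        seen = actions.get(key, set())
        if "ACCEPT" in seen:       # reached the workload: investigate first
            buckets["accepted"].append(alert)
        elif "REJECT" in seen:     # dropped by a security group or network ACL
            buckets["rejected"].append(alert)
        else:                      # no matching record: do not assume it was blocked
            buckets["unknown"].append(alert)
    return buckets

if __name__ == "__main__":
    for name, items in triage(SAMPLE_ALERTS, SAMPLE_FLOWS).items():
        print(name, [a["src_ip"] for a in items])
```

Alerts in the "unknown" bucket have no matching flow record and should not be treated as blocked without further evidence.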