Overview of Public Subnet Filtering/Ingress Gateway

Public Subnet Filtering Gateways (PSF gateways) provide ingress and egress security for AWS public subnets where instances have public IP addresses.

Egress FQDN is a legacy FQDN feature applied to the public subnets.

After a PSF gateway is deployed, you can configure its settings.

Deploying a Public Subnet Filtering Gateway (AWS)

To deploy a Public Subnet Filtering Gateway:

In CoPilot, navigate to Cloud Fabric > Gateways > Speciality Gateways tab.
Click +Gateway and select Public Subnet Filtering Gateway.

Provide the following information to set up your Public Subnet Filtering Gateway.

Parameter	Description
Name	Enter a name for this new gateway.
Cloud	Select the Cloud Service Provider (CSP) in which to create this gateway. When you select AWS, you can use the dropdown menu to select Standard, GovCloud, or China.
Account	Select the cloud access account for this gateway.
Region	Select the cloud region in which to create this gateway.
VPC	Select the VPC in the selected region in which to create this gateway.
Instance Size	Select the gateway instance size.
Attach to Unused Subnet	Aviatrix Controller creates a public subnet and creates a route table associated with the subnet to launch the Public Subnet Filtering gateway.
Route Table	Select a route table whose associated public subnets are protected.

Parameter

Description

Name

Enter a name for this new gateway.

Cloud

Select the Cloud Service Provider (CSP) in which to create this gateway.

When you select AWS, you can use the dropdown menu to select Standard, GovCloud, or China.

Account

Select the cloud access account for this gateway.

Region

Select the cloud region in which to create this gateway.

VPC

Select the VPC in the selected region in which to create this gateway.

Instance Size

Select the gateway instance size.

Attach to Unused Subnet

Aviatrix Controller creates a public subnet and creates a route table associated with the subnet to launch the Public Subnet Filtering gateway.

Route Table

Select a route table whose associated public subnets are protected.

Click Save.

After the Public Subnet Filtering Gateway is deployed, Ingress traffic from IGW is routed to the gateway in a pass through manner. Egress traffic from instances in the protected public subnets is routed to the gateway in a pass through manner.

Enabling Egress FQDN

Once the PSF gateway is launched, you can configure the FQDN feature.

In the Aviatrix Controller, navigate to Security > Egress Control and follow the instructions in the FQDN workflow.

Viewing Blocked Malicious IPs

After the Public Subnet Filtering (PSF) gateway is launched, view or block malicious IPs by going to Security > ThreatIQ.

The PSF gateway generates Netflow data, which is fed to FlowIQ. ThreatIQ monitors FlowIQ for any matches, and then alerts or programs a block on the corresponding gateway.

Since PSF gateways are open to inbound Internet traffic, they can generate a lot of alerts even if traffic is blocked at a later step (such as a Security Group).

Public Subnet Instances and FQDN

When you enable legacy FQDN filtering for public subnets, packets initiated from the instances on the public subnet do not get NATed when going through the FQDN filtering gateway, and the source public IP address of a public subnet instance is preserved.