Amazon Web Services

Domain Name Filtering with Aviatrix

Domain name filtering (URL filtering) allows Cloud IT to control access to web resources over Internet by permitting or denying access to specific resources based on information contained in an URL list.

Aviatrix Security Policy feature is enabled at a gateway for a stateful firewall filter at layer 4 level. You specify an action for each rule, allow or deny, for each packet as it passes through the gateway. The rules are based on network, IP addresses, protocol and ports. This feature is useful to firewalling different private networks.

For Internet bound egress traffic, specifying at IP address level is not sufficient as the domain names of a site can be translated to many different IP addresses. The domain name filtering (URL filtering) needs to happen at Layer 7.

On the other hand, workloads in AWS are mostly applications where it is deterministic which outbound APIs the application program calls. For example, the application runs API queries to www.salesforce.com for data retrieving; parallely, application also runs API queries to www.google.com for authentication. In these cases, making sure only these sites are allowed for egress traffic is sufficient from security point of view. Note this is very different from on-prem situation where end user traffic and application traffic are mingled together, you may need a full fledged firewall for Internet bound traffic.

What does Aviatrix FQDN feature do?

Aviatrix domain name filtering (URL filtering) is a security feature specially designed for workloads in public cloud. It filters Internet bound egress traffic initiated from workloads in a VPC.

Aviatrix domain name filters on HTTP and HTTPS traffic and allows only the destination host names (whitelist) specified in the list to pass and drop all other destinations. Each host name is specified as fully qualified domain name (FQDN). For example, if you only allow Internet bound traffic to www.salesforce.com, you can list the domain name in the whitelist.

It also supports wild card, such as *. In this example, you can specify *.salesforce.com to allow traffic to any domain names that ends salesforce.com.

NOTE: Aviatrix gateway must have NAT enabled if you want to turn on FQDN whitelists.

How does it work?

This features works for HTTP and HTTPS traffic on public IP addresses.

A tag is defined as a list of FQDNs. One or more gateways is attached to a tag. Any updates to a tag automatically triggers updates to all gateways attached to the tag. Multiple tags can be defined for the controller. The domains in the tag are the destinations that are allowed for traffic to pass.

Configuration Workflow

Before you start make sure you have the latest software by checking the Dashboard. If an alert message (New!) appears, click New! To upgrade to the latest software.

  1. To configure, go to “Advanced Config” -> “FQDN Filter”.
  2. Create a tag with a name. Click Enable.
  3. Edit the tag by adding FQDN hostname part of URLs (e.g. www.aviatrix.com, or *.google.com).
  4. Attach Gateway. One or more gateways can be attached to a tag.
  5. Note: Step 2, 3 and 4 can be done first without enabling the tag. Once the tag is enabled, HTTP and HTTPS traffic to these FQDN will be allowed, and any destination outside the FQDN will be denied.
  6. For additional support, contact Aviatrix at support@aviatrix.com