Egress Security
The Problem

Controlling Outbound VPC Traffic


An important security measure for your VPCs is to effectively control outbound network traffic (egress), delineating legitimate from illegitimate requests. If internal users or cloud instances are compromised, they can pose a significant threat if attackers are able to exfiltrate data. Many compliance frameworks like PCI DSS and HIPPA require egress security controls.That said, there are many reasons why cloud users or instances within VPCs need Internet access.

The reasons range from getting basic software updates from Microsoft, Google or Ubuntu, to needing application access to another third party or SaaS service over the Internet. If you have more than a handful of VPCs, management of whitelists on a per-VPC basis can become a major source of pain. Also, it can be cost prohibitive to deploy next generation firewall solutions per VPC. What’s needed is centrally managed, scalable, cost-effective solution.

Begin quotationSquid jerky is too tough to chew.End quotation

—Charlie, Cloud Ops

Open source project Squid is just hard to manage and limited for cloud VPCs:

  • Manual admin of policies, per VPC
  • Tedious config of each new instance to use Squid, new instances can appear without reconfig’ing Squid = big security risk
  • Troubleshooting and debugging Squid will make you salty
  • Limited protocol support — example: Squid doesn’t handle SFTP so someone could easily export data!
The Aviatrix Solution

VPC Egress Security

Aviatrix VPC Egress Security

The Aviatrix solution provides inline AVX Gateways with egress firewall functions in each VPC with centralized management of policies in the AVX Controller. It blocks all outbound internet traffic except specific whitelisted domain names (FQDN). This solution directs the outbound traffic through the AVX filtering and monitoring instance on a per VPC basis. The inline Gateways are highly available, designed to leverage Availability Zones (AZs) and automatic failover.

The Controller provides CloudOps teams with centralized policy management, from the ability to tag VPCs and assign policies to tags. The Controller also provides centralized audit logs. Finally, using AVX Cloud Formation Templates, CloudOps teams can automate the deployment of VPC egress security with new VPCs. This is a cost-effective solution, priced at a fraction of next generation firewalls.

How AVX stacks up to other popular solutions.


Aviatrix Squid + NAT Instance(s) AWS NAT Gateway
Highly Available; Fault Tolerant Automatic Use a script and custom monitoring code Automatic
Filter Traffic by IP Address Yes Yes Partial: must update security group of each instance (maximum 50 IPs)
Filter Traffic by FQDN Yes Yes No
FQDN filtering Using Wildcards Yes Yes No
Supports HTTP/HTTPS Protocols Yes Yes No
Supports Additional Protocols (sftp, ftp, icmp, etc.) Yes No No
Central Management Console Yes No: must manage each VPC separately Yes
Integrated Audit Logging Yes Yes Partial: must update security group of each instance (maximum 50 IPs)
Non-Networking Engineer Friendly Yes No Yes
How we’re different

Centrally Managed Security for AWS


Cloud Native Design

Push policies instantly to one VPC or hundreds of VPCs.


Reduces AWS Costs

AVX Gateways run on t2.micro instances. Per-hour metering on your cloud bill.


Centralized Management Console

Click and done. With AVX point-and-click interface, configuring and monitoring of all policies and traffic can be administered centrally by both engineers and non-engineers.

FQDN Discovery

Discover what Internet sites your apps visit before you configure.


Security Policy Tagging

Create tags for different policies like “dev” and “prod.” Apply those tags to VPCs.


Easily Audit Security Events

Everything is logged – including the packets. View in AVX or export logs to Splunk, Sumologic, Datadog and other tools to standardize reporting and event correlation.

Learn More

What is VPC Egress Filtering & Security?


When businesses consider their network traffic security measures for AWS VPCs, they need to ensure that outbound network traffic is recognized alongside inbound network traffic. Egress is the outbound network traffic that originates from internally networked instances in your AWS VPC to another network. In the case of servers and VPCs, this is generally internet bound egress.

It is important that outbound network traffic is effectively controlled, characterizing allowed requests from prohibited requests. If internal users or cloud instances in VPCs are compromised, they can pose a significant threat if attackers are able to exfiltrate data or use your outbound network traffic for their malicious activities. Learn more about VPC Egress Filtering.

Ready to get started?

Choose your deployment model to build this networking use case on AWS in minutes.

Free 14-Day Trial – Cancel Anytime.

2 Tunnels Free Forever – Cancel Anytime.

Free 14-Day Trial – Cancel Anytime.

2 Tunnels Free Forever – Cancel Anytime.