How to Setup FQDN in AWS for Compliance

Sherry Wei
5 min read · Apr 14, 2021

When is FQDN needed in the cloud?

For Internet bound egress traffic, specifying outbound policy at the IP address level is not sufficient, because the domain name of a site can resolve to many different IP addresses, and those addresses change over time.

An AWS NAT gateway does not offer security group functions; it relies on the security group attached to each instance. An instance’s security group does not have enough rule entries to hold the large IP address lists that such a policy would require. The egress filtering therefore needs to happen at Layer 7, on the destination host name rather than the address.

On the other hand, workloads in AWS are mostly applications or programs where it is deterministic which outbound API calls the application makes. For example, an application runs API queries to www.salesforce.com for data retrieval and runs API queries to www.google.com for app authentication. In these cases, making sure that only these sites are allowed for egress traffic is sufficient from a security standpoint. Note that this is very different from on-prem situations, where end user traffic and application traffic are mingled together; there you may need a full-fledged firewall for Internet bound traffic.

Consider any company that is trying to meet the stringent requirements of compliance standards such as Payment Card Industry (PCI) and Health Insurance Portability and Accountability Act (HIPAA). These standards may require administrators to deny certain outbound internet traffic. Maintaining a list of IP addresses and updating security groups for multiple servers isn’t practical and puts additional burden on resources at deployment and audit times. Instead, a better approach is to maintain a list of allowed domain names in one place where administrators, auditors, and others can see exactly what is allowed. Rules can automatically be maintained and deployed to VPCs from a central controller.

What does Aviatrix FQDN feature provide?

Aviatrix Fully Qualified Domain Name (FQDN) is a centrally managed security service specifically designed for workloads or applications in the public cloud. It filters Internet bound egress traffic initiated from workloads in a VPC. This service is centrally managed by the Controller and executed by an Aviatrix gateway instance in the VPC, in a distributed architecture.

Aviatrix FQDN filters any TCP and UDP traffic, including HTTP, HTTPS and SFTP traffic. The filtering function allows only the destination host names specified in the list (the whitelist) to pass and drops all other destinations.

Each destination is specified as a fully qualified domain name. For example, if you only allow Internet bound traffic to www.salesforce.com, you list the domain name www.salesforce.com in the whitelist.

For HTTP/HTTPS (TCP port 80/443), the FQDN feature also supports wildcards, such as *. For example, you can specify *.salesforce.com to allow traffic to any domain name that ends in “salesforce.com”.
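To make the allow-list semantics above concrete, here is an added, self-contained Python example (not Aviatrix code, and not a description of how the gateway is implemented) that evaluates constructed egress flows against a whitelist with exact and `*.`-wildcard entries. It follows the rules stated on this page: default deny, exact FQDN match on any TCP/UDP port, and wildcard matching honored only on TCP 80/443. Two details are my own assumptions rather than the page’s: the wildcard suffix match is label-aligned (so `*.salesforce.com` matches `api.salesforce.com` but not `notsalesforce.com`), and the `host_from_http_request` helper shows one way a Layer 7 filter could obtain the host name, by reading the HTTP `Host` header from a constructed request.

```python
"""Toy FQDN egress allow-list evaluator (added illustration, not vendor code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The page states that wildcards apply only to HTTP/HTTPS (TCP 80/443).
WILDCARD_PORTS = {80, 443}


@dataclass(frozen=True)
class Rule:
    pattern: str            # "www.salesforce.com" or "*.salesforce.com"
    proto: str = "tcp"      # "tcp" or "udp"
    port: Optional[int] = None  # None means any port (assumption for this toy)


def normalize_host(host: str) -> str:
    """Lower-case and strip a trailing dot so 'WWW.Example.com.' == 'www.example.com'."""
    return host.strip().rstrip(".").lower()


def rule_matches(rule: Rule, host: str, proto: str, port: int) -> bool:
    """Return True if one rule permits this (host, proto, port) tuple."""
    if rule.proto != proto.lower():
        return False
    if rule.port is not None and rule.port != port:
        return False
    host = normalize_host(host)
    pattern = rule.pattern.lower()
    if pattern.startswith("*."):
        # Wildcards are only meaningful on HTTP/HTTPS ports per the page.
        if proto.lower() != "tcp" or port not in WILDCARD_PORTS:
            return False
        base = pattern[2:]  # "salesforce.com"
        # Label-aligned suffix match (assumption): base itself or a subdomain of it,
        # never an unrelated name that merely ends in the same characters.
        return host == base or host.endswith("." + base)
    return host == pattern


def is_allowed(rules: List[Rule], host: str, proto: str, port: int) -> bool:
    """Default deny: a flow passes only if some rule explicitly matches it."""
    return any(rule_matches(r, host, proto, port) for r in rules)


def host_from_http_request(raw: bytes) -> Optional[str]:
    """Extract the Host header from a plaintext HTTP/1.x request (port stripped)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return normalize_host(value.strip().split(":")[0])
    return None


# Constructed whitelist mirroring the page's examples.
RULES = [
    Rule("www.salesforce.com"),
    Rule("*.salesforce.com"),
    Rule("www.google.com", port=443),
]

# Constructed sample flows: (host, proto, port).
SAMPLE_FLOWS: List[Tuple[str, str, int]] = [
    ("www.salesforce.com", "tcp", 443),   # exact match
    ("api.salesforce.com", "tcp", 443),   # wildcard on 443
    ("api.salesforce.com", "tcp", 22),    # wildcard not honored on SFTP port
    ("notsalesforce.com", "tcp", 443),    # unrelated name, must be denied
    ("www.google.com", "tcp", 443),       # exact match with port restriction
    ("www.google.com", "tcp", 80),        # wrong port for that rule
    ("updates.example", "udp", 53),       # not listed at all
]


def evaluate(rules: List[Rule], flows) -> List[Tuple[Tuple[str, str, int], bool]]:
    return [(flow, is_allowed(rules, *flow)) for flow in flows]


if __name__ == "__main__":
    for flow, decision in evaluate(RULES, SAMPLE_FLOWS):
        print(f"{flow[0]:<22} {flow[1]}/{flow[2]:<4} -> {'ALLOW' if decision else 'DENY'}")
    # Constructed plaintext request, to show where a Layer 7 filter reads the name.
    req = b"GET /api HTTP/1.1\r\nHost: api.salesforce.com:80\r\n\r\n"
    print("Host header ->", host_from_http_request(req))
```

The value of writing it out is the denied cases: a wildcard rule does not open port 22 to the same domain, and a name that merely ends in the same characters is not a subdomain. For HTTPS, a real Layer 7 filter would read the TLS SNI rather than an HTTP header, which this toy does not implement.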

Steps to Setup FQDN in AWS

The Aviatrix FQDN solution is a metered, pay-as-you-go offer available in AWS Marketplace. There is no upfront commitment, and you can turn it off at any time.

To deploy the Aviatrix FQDN solution, follow the steps below; you will be done in about 15 minutes.

Step 1. Click Subscribe, which takes you to the Aviatrix AMI listing on AWS Marketplace. Click “Continue to Subscribe”.

Step 2. Click “Accept Terms” as shown below. Wait for a couple of minutes for the offer to become available.

Step 3. Click “Continue to Configuration” to move to the deployment method selection.

Step 4. Select “CloudFormation Template” for Delivery Method. Select a region. Click “Continue to Launch”.

Step 5. Take action “Launch CloudFormation” to launch the CloudFormation Stack.

Step 6. Click “Next” to start creating the stack.

Step 7. Follow the screenshot below to fill in the parameters and click “Next”.

Step 8. For “Configuration stack options” page, leave everything as default and click “Next”.

Step 9. For “Review Aviatrix-Controller” page, leave everything as default. Scroll down to acknowledge and accept the terms. Click “Create Stack”. Wait for a few minutes for the stack creation to complete.

Step 10. Once the Aviatrix-Controller stack creation is complete, go to the stack Outputs to review the resources. “AviatrixControllerEIP” is the public IP address you use for Controller web console access. Note that “AviatrixControllerPrivateIP” is the initial password.

Step 11. Access the Controller web console: https://{AviatrixControllerEIP}

Username: admin, password: the value of AviatrixControllerPrivateIP

Step 12. Follow the initial setup stage: add the admin email, change password, and then click Run to download the latest software. The software download can take up to 5 minutes.

Step 13. Log in to the Controller again. At the Welcome page, select the AWS tile to go through onboarding. Then select “VPC Egress Security” for “What would you like to build next”.

Step 14. Follow the FQDN workflow to launch the gateway and start egress filtering.

Enjoy!

For issues, send email to support@aviatrix.com
