Public Subnet Filtering Gateway FAQ

What does Public Subnet Filtering gateway do?

Public Subnet Filtering gateway, PSF gateway, provides both Ingress and Egress security for AWS public subnets where instances have public IP addresses. It includes two parts: Ingress filtering via GuardDuty enforcement and Egress FQDN.

Public Subnet Filtering function is described in the diagram below.

public_subnet_filter

Ingress protection via GuardDuty enforcement is a feature where Aviatrix Controller periodically polls the AWS GuardDuty findings and blocks the malicious source IP addresses from attacking the public subnet instances by programming stateful firewall rules in the filtering gateway.

Egress FQDN is an existing FQDN feature applied to the public subnets. Previously this feature was only available to filter Egress traffic initiated from instances in the private subnets.

How to deploy Public Subnet Filtering gateway?

Follow the workflow below.

1. Launch a Public Subnet Filtering gateway

Go to Security -> Public Subnet -> Add New

Setting Value
Cloud Type AWS
Gateway Name Input a unique gateway name
Account Name Select the Access Account
Region Select the AWS region
VPC ID Select the VPC in the chosen AWS region
Unused Subnet Aviatrix Controller creates a public subnet and creates a route table associated with the subnet to launch the filtering gateway
Gateway Size Select an instance type
Route Table Select a route table whose associated public subnets are protected.

After the PSF gateway is launched, Ingress traffic from IGW is routed to the gateway in a pass through manner. Egress traffic from instances in the protected public subnets is routed to the gateway in a pass through manner.

2. Enable GuardDuty Enforcement

Go to Security -> AWS GuardDuty, select an Access Account and AWS Region. Click Enable.

Once GuardDuty is enabled, malicious source IP addresses attacking instances in the public subnets in the region will be polled by the Controller. The Controller then programs rules into the filtering gateway to drop these packets.

Note

if you enable AWS GuarDuty without launching the PSF gateway, GuardDuty does not have enforcement functionality.

3. Enable Egress FQDN

Once the PSF gateway is launched, you can configure the FQDN feature.

Go to Security -> Egress Control, follow the instructions in FQDN workflow.

How to view blocked malicious IPs?

After the filtering gateway is launched and AWS GuardDuty is enabled from the previous steps, view blocked malicious IPs by going to Security -> Public Subnet. Highlight the PSF gateway, click the 3 dots skewer, click Show Details. Scroll down to Blocked Malicious IPs.