Aviatrix announced a new security capability for its AVX SD cloud routing solution. The AVX virtual private cloud (VPC) egress security feature makes it easy to both discover and control internet traffic leaving Amazon Web Services (AWS) VPCs, allowing organizations to secure egress traffic against internal threats and external attacks.
The AVX VPC egress security capability also enables organizations to comply with internal practices and industry regulations such as Payment Card Industry (PCI) standards, which require controls and restrictions in place to deny unauthorized outbound traffic related to cardholder data.
“Moving resources to the public cloud doesn’t absolve organizations of the strict security and regulatory requirements governing how they manage their enterprise data traffic,” said Aviatrix CEO Steven Mih.
“Internet-bound VPC egress traffic has been a blind spot, making it nearly impossible for cloud engineers to distinguish between legitimate and illegitimate destinations. As organizations move more of their workloads to the public cloud, they need cloud-specific tools to give them both visibility into and control over AWS VPC egress traffic.”
Growth in VPCs drives urgency for easier cloud security and compliance
One example of the need for VPC egress security is compliance with PCI standards dictating how companies must collect, store, process and transmit credit card-related information.
Organizations failing to comply with PCI standards, or unable to prove compliance, risk financial penalties.
The PCI Data Security Standard calls out requirements for internet-bound traffic, specifying that companies must restrict traffic to only the data necessary for cardholder transactions, while actively denying all other traffic.
As organizations add more and more VPCs—usually as silos spun up by various DevOps and cloud teams within an organization—legacy networking tools make it difficult for cloud teams to provide corporate compliance officers with information about whether network traffic is violating regulatory requirements or exposing confidential intellectual property or personally identifiable information (PII).
Legacy networking approaches—including cloud routers based on virtualized hardware routers and virtualized firewall products—also strain operational efficiency by requiring egress traffic requests to undergo a process of trouble tickets and manual configuration and testing.
Similarly, open-source web proxies, which cache and forward website requests, require manual configuration of policies on a per-VPC basis and offer limited protocol support, making them insufficient for use in cloud deployments.
In contrast, Aviatrix boosts operational efficiency of cloud teams by automating the process: evaluating egress traffic filtering requests—across any port and protocol, including Simple File Transfer Protocol (SFTP)—against a list of allowed or denied sites, then configuring the AVX Gateway to respond accordingly.
Aviatrix AVX makes ‘missing’ egress traffic visible
Aviatrix enables enterprises to visualize and centrally manage security for all their AWS VPCs and Microsoft Azure Virtual Networks (VNets), including discovery and control over egress traffic.
In-line AVX Gateways implement both SD cloud routing and the new VPC egress security functions—in addition to providing IPSec encryption for data in motion, VPC segmentation, Layer 4 security policies and logging.
The AVX Gateways are deployed, configured and managed by the AVX Controller, a point-and-click, centralized management console with REST API support that can be operated by either cloud ops or network engineers.
Using the Aviatrix solution, it’s easy to distinguish legitimate outbound VPC traffic—such as conducting enterprise software updates, making API calls, or using a third-party application or software-as-a-service (SaaS) solution over the internet—from illegitimate requests that can put enterprise data at risk or result in a failed compliance audit.
While previous approaches specified egress policies at the IP address level, AVX VPC egress security can handle domain names with multiple IP addresses, as well as public cloud providers’ limitations on the number of IP addresses that can be filtered.
By providing Layer 7, qualified domain name (FQDN) discovery from AWS EC2 instances in the VPC, Aviatrix enables organizations to filter for IP addresses, hostnames and websites across any port and protocol.
The new VPC egress security feature is available now as part of the Aviatrix software-defined cloud routing solution, deployed with an Amazon Machine Image (AMI) or with the Aviatrix Hosted Service (SaaS), with pricing based on FQDN egress filtering per gateway, per hour.