Market Overview

Aviatrix Software-Defined Cloud Routing Solution Adds Important Security Measures for AWS VPCs


Enterprises can now eliminate the blind spots in VPC egress traffic,
with centralized egress traffic management to boost security and achieve

the pioneer in software-defined (SD) cloud routing and an inaugural AWS
Network Competency partner, today announced a new security capability
for its AVX SD cloud routing solution. The AVX virtual private cloud
(VPC) egress
feature makes it easy to both discover and control internet
traffic leaving Amazon Web Services (AWS) VPCs, allowing organizations
to more effectively secure egress traffic against internal threats and
external attacks.

The AVX VPC egress security capability also enables organizations to
comply with internal best practices and industry regulations such as
Payment Card Industry (PCI) standards, which require controls and
restrictions in place to deny unauthorized outbound traffic related to
cardholder data.

"Moving resources to the public cloud doesn't absolve organizations of
the strict security and regulatory requirements governing how they
manage their enterprise data traffic," said Aviatrix CEO Steven Mih.
"Internet-bound VPC egress traffic has been a blind spot, making it
nearly impossible for cloud engineers to distinguish between legitimate
and illegitimate destinations. As organizations move more of their
workloads to the public cloud, they need cloud-specific tools to give
them both visibility into and control over AWS VPC egress traffic."

Growth In VPCs Drives Urgency for Easier Cloud Security and Compliance

One important example of the need for easy-to-manage VPC egress security
is compliance with PCI standards dictating how companies must securely
collect, store, process and transmit credit card-related information.
Organizations failing to comply with PCI standards, or unable to prove
compliance, risk significant financial penalties. The PCI
Data Security Standard
explicitly calls out requirements for
internet-bound traffic, specifying that companies must restrict traffic
to only the data necessary for cardholder transactions, while actively
denying all other traffic.

As organizations add more and more VPCs—usually as silos spun up by
various DevOps and cloud teams within an organization—legacy networking
tools make it difficult for cloud teams to provide corporate compliance
officers with information about whether network traffic is violating
regulatory requirements or exposing confidential intellectual property
or personally identifiable information (PII).

Legacy networking approaches—including cloud routers based on
virtualized hardware routers and virtualized firewall products—also
strain operational efficiency by requiring egress traffic requests to
undergo a tedious process of trouble tickets and manual configuration
and testing. Similarly, open-source web proxies, which cache and forward
website requests, require manual configuration of policies on a per-VPC
basis and offer limited protocol support, making them insufficient for
use in cloud deployments.

In contrast, Aviatrix boosts operational efficiency of cloud teams by
automating the process: evaluating egress traffic filtering
requests—across any port and protocol, including Simple File Transfer
Protocol (SFTP)—against a master list of allowed or denied sites, then
configuring the AVX Gateway to respond accordingly.

Aviatrix AVX Makes ‘Missing' Egress Traffic Visible

Aviatrix enables enterprises to visualize and centrally manage security
for all their AWS VPCs and Microsoft Azure Virtual Networks (VNets),
including discovery and control over egress traffic. In-line AVX
Gateways implement both SD cloud routing and the new VPC egress security
functions—in addition to providing IPSec encryption for data in motion,
VPC segmentation, Layer 4 security policies and logging. The AVX
Gateways are deployed, configured and managed by the AVX Controller, a
point-and-click, centralized management console with REST API support
that can be easily operated by either cloud ops or network engineers.

Using the Aviatrix solution, it's easy to distinguish legitimate
outbound VPC traffic—such as conducting enterprise software updates,
making API calls, or using a third-party application or
software-as-a-service (SaaS) solution over the internet—from
illegitimate requests that can put enterprise data at risk or result in
a failed compliance audit.

While previous approaches specified egress policies at the IP address
level, AVX VPC egress security can handle domain names with multiple IP
addresses, as well as overcoming public cloud providers' limitations on
the number of IP addresses that can be filtered. By providing Layer 7,
fully qualified domain name (FQDN) discovery from AWS EC2 instances in
the VPC, Aviatrix enables organizations to filter for specific IP
addresses, hostnames and websites across any port and protocol.

The new VPC egress security feature is available now as part of the Aviatrix
software-defined cloud routing solution
, deployed with an Amazon
Machine Image (AMI) or with the Aviatrix Hosted Service (SaaS), with
pricing based on FQDN egress filtering per gateway, per hour. Free
are available at the Aviatrix website.

About Aviatrix

Aviatrix, the pioneer in software-defined cloud routing, was founded by
ex-Cisco network engineer Sherry Wei to make cloud networking as simple
and dynamic as cloud storage and compute. Purpose-built for Amazon Web
Services (AWS), Microsoft Azure and Google Cloud Platform public clouds,
Aviatrix provides point-and-click, secure networking software for cloud
engineers to run hybrid and multicloud environments. Aviatrix shortens
cloud connectivity setup time from weeks to minutes, while automating
configuration and management of network connectivity, security and
troubleshooting. Aviatrix is based in Palo Alto, Calif. Learn more at
or follow the company on Twitter @aviatrixsys.

View Comments and Join the Discussion!