This Terraform repository serves as the infrastructure as code (IaC) for a demonstration of how to implement Cloud Perimeter Security by migrating from an AWS NAT Gateway to an Aviatrix Secure Egress Gateway without incurring network downtime.
Prerequisite: a deployed and configured Aviatrix Controller (v7.1+) and CoPilot.

Terraform version | Controller version | Aviatrix terraform provider version
---|---|---
>= 1.5.0 | >= 7.1 | ~> 3.1.0
The first `terraform apply` deploys:

- A VPC with 1 public and 1 private subnet.
- An AWS NAT gateway.
- An Aviatrix Secure Egress gateway.
- A test instance in the private subnet that generates traffic to the Internet via the NAT gateway.
After setting the local variable `avx_egress` from `false` to `true`, the second `terraform apply`:

- Instructs the Aviatrix controller to remove the `0.0.0.0/0` route on the private subnet that points to the AWS NAT gateway and add a `0.0.0.0/0` route to the Aviatrix Secure Egress Gateway.
- Using CoPilot you now have visibility into the Internet-bound traffic flows traversing the Aviatrix egress gateway. Navigate to `Security --> Egress --> Monitor` and select the `avx-egress` VPC to view the logs.
- As with the AWS NAT gateway, all access to the Internet is still allowed at this stage.
After setting the local variable `aws_nat` from `true` to `false`, the third `terraform apply`:

- Removes the AWS NAT gateway and its EIP.
After setting the local variable `avx_security_enforce` from `false` to `true`, the fourth `terraform apply`:

- Creates a set of rules that block all Internet traffic except that which is explicitly allowed.
- Using CoPilot you now have visibility into the Internet-bound traffic flows being permitted or denied access to the Internet. Navigate to `Security --> Distributed Cloud Firewall --> Rules` to review the rules applied.
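The four applies above are driven by three local toggles, and their order matters: the NAT gateway must not be removed before the default route has moved to the Aviatrix gateway. The following is an added example (not this repository's own code) of how those toggles can gate the AWS-side resources and refuse an ordering that would black-hole the private subnet. The `aws_vpc.demo` and `aws_subnet.public` resources, the resource names, and the `lifecycle` guard are assumptions; the Aviatrix gateway and the controller-side route swap are left as the text describes them.

```hcl
# Added example: toggles from the README's four apply steps plus ordering guards.
# aws_vpc.demo and aws_subnet.public are assumed to be defined elsewhere.
locals {
  aws_nat              = true   # step 3 flips this to false
  avx_egress           = false  # step 2 flips this to true
  avx_security_enforce = false  # step 4 flips this to true
}

resource "aws_eip" "nat" {
  count  = local.aws_nat ? 1 : 0
  domain = "vpc"
}

resource "aws_nat_gateway" "nat" {
  count         = local.aws_nat ? 1 : 0
  allocation_id = aws_eip.nat[0].id
  subnet_id     = aws_subnet.public.id
}

resource "aws_route_table" "private" {
  vpc_id = aws_vpc.demo.id

  lifecycle {
    # Refuse to drop the NAT gateway while the private subnet still routes through it.
    precondition {
      condition     = local.aws_nat || local.avx_egress
      error_message = "Apply with avx_egress = true before setting aws_nat = false; otherwise the private subnet loses Internet access."
    }
    # Enforcement rules only apply to traffic that already traverses the Aviatrix gateway.
    precondition {
      condition     = local.avx_egress || !local.avx_security_enforce
      error_message = "avx_security_enforce = true requires avx_egress = true."
    }
  }
}

# Default route via the AWS NAT gateway, present only until the cut-over.
# When avx_egress becomes true this route leaves the Terraform state and the
# Aviatrix controller installs the 0.0.0.0/0 route to the Secure Egress gateway.
resource "aws_route" "private_default_nat" {
  count                  = local.avx_egress ? 0 : 1
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "0.0.0.0/0"
  # one() yields null on an empty list, so the precondition message is shown
  # instead of an index error if the toggles are set in the wrong order.
  nat_gateway_id         = one(aws_nat_gateway.nat[*].id)
}
```

Running `terraform plan` with `aws_nat = false` while `avx_egress` is still `false` fails on the first precondition rather than producing a plan that removes the only default route.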
A video of this demo can be seen on YouTube.

**Note:** This demo video was performed with Aviatrix's previous-gen Egress FQDN offering. The code in this repository implements Cloud Perimeter Security via an Aviatrix Secure Egress gateway.
In just the few steps above, a VPC's Internet traffic can be discovered and secured using an Aviatrix Secure Egress Gateway without any network downtime.