LAB4 – GCP FQDN Based Egress Security

by Shahzad Ali
on November 28, 2020

This lab will demonstrate how to provide Fully Qualified Domain Name (FQDN) based Egress Filtering security using Aviatrix. Only those FQDNs will be allowed which are permitted in the configured policy.

Egress FQDN Filtering Overview

Aviatrix FQDN Egress is a highly available security service specifically designed for workloads or applications in
the public clouds.

Aviatrix Egress FQDN Filtering is Centrally managed by the Aviatrix Controller and executed on Aviatrix FQDN gateway
in the VNET/VPC/VCN in the distributed or centralized architecture. All the internet bound traffic (TCP/UDP
including HTTP/HTTPS/SFTP) is first discovered and based on the results admin can create egress filters using
whitelist or blacklist model.

Egress FQDN filtering allows organizations to achieve PCI compliance by limiting application’s access to
approved FQDNs. This is a common replacement for SQUID proxy type of manual solutions. There are several
ways to deploy Egress FQDN filtering depending on requirements.

This lab will use existing GCP Spoke GWs to provide filtering to protect instances that are on private subnet but require Egress Security. For more scalable solution, enterprises opt for a dedicated Egresss FQDN GW rather than using the existing Spoke GW for this function.

Topology

  • The workload in gcp-spoke2-vpc will follow zero trust security model
    • Workload/VM in gcp-spoke2-vpc will only have access to https://*.ubuntu.com and https://*.google.com FQDN.
    • Rest of the traffic will be blocked with the base zero trust policy
  • We will configure the gcp-spoke2-gw as Egress FQDN GW as well to enforce this security policy
  • We will use VM in gcp-spoke3-vpc as “Jump Host” for this testing

Enable Egress FQDN Filtering

Controller –> Security –> Egress Control –> New TAG

Controller –> Security –> Egress Control –> Egress FQDN Filter –> Edit “Allow-List” TAG –> Add New

Now click “SAVE”, then “UPDATE” and CLOSE.

Now make sure that the base policy is “White” which stands for “Zero Trust”. This will make sure only the FQDNs in the “Allowed List” are accessible and rest of the FQDNs are blocked.

Now we will attach this filter policy to gcp-spoke-2-gw and then enable it.

It will look like following

The status is still disabled and now we need to enable it.

Testing and Verification

We have completed the following topology

  • ssh into the gcp-spoke3 VM using its public ip address (vm_gcp_public_ip_spoke3)
    • User: ubuntu / pass: Password123!
  • Then from there ssh into the gcp-spoke2 VM using its private ip address (vm_gcp_private_ip_spoke2)
    • User: ubuntu / pass: Password123!
  • gcp-spoke2 is where we have enforced the Egress FQDN policy
    • Since both spoke2 and spoke3 are in Blue segment, they can communicate to each others. If you would try to ssh into gcp-spoke2-vm from gcp-spoke1-vm, it will not work
shahzadali@shahzad-ali ~ % ssh ubuntu@34.86.180.56

ubuntu@34.86.180.56's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.15.0-1087-gcp x86_64)
Documentation: https://help.ubuntu.com
Management: https://landscape.canonical.com
Support: https://ubuntu.com/advantage
3 packages can be updated.
0 updates are security updates.
New release '18.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
*** System restart required ***
Last login: Sat Jan 2 16:41:56 2021 from 172.124.233.126
To run a command as administrator (user "root"), use "sudo ".
See "man sudo_root" for details.

ubuntu@vm-gcp-spoke-3:~$ ifconfig

ens4 Link encap:Ethernet HWaddr 42:01:0a:2a:00:82
inet addr:10.42.0.130 Bcast:10.42.0.130 Mask:255.255.255.255
inet6 addr: fe80::4001:aff:fe2a:82/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1460 Metric:1
RX packets:1461966 errors:0 dropped:0 overruns:0 frame:0
TX packets:846760 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:510003616 (510.0 MB) TX bytes:107570824 (107.5 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:126 errors:0 dropped:0 overruns:0 frame:0
TX packets:126 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:14552 (14.5 KB) TX bytes:14552 (14.5 KB)
ubuntu@vm-gcp-spoke-3:~$


ubuntu@vm-gcp-spoke-3:~$ ssh ubuntu@10.20.12.130

ubuntu@10.20.12.130's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.15.0-1087-gcp x86_64)
Documentation: https://help.ubuntu.com
Management: https://landscape.canonical.com
Support: https://ubuntu.com/advantage
3 packages can be updated.
0 updates are security updates.
New release '18.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
*** System restart required ***
Last login: Sat Jan 2 16:42:30 2021 from 10.20.12.2
To run a command as administrator (user "root"), use "sudo ".
See "man sudo_root" for details.
ubuntu@vm-gcp-spoke-2:~$
ubuntu@vm-gcp-spoke-2:~$

ubuntu@vm-gcp-spoke-2:~$ wget https://www.google.com
--2021-01-02 17:46:12-- https://www.google.com/
Resolving www.google.com (www.google.com)… 74.125.197.147, 74.125.197.103, 74.125.197.104, …
Connecting to www.google.com (www.google.com)|74.125.197.147|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html.21’
index.html.21 [ <=> ] 12.54K --.-KB/s in 0s
2021-01-02 17:46:12 (29.4 MB/s) - ‘index.html.21’ saved [12844]

ubuntu@vm-gcp-spoke-2:~$ wget https://cloud.google.com
--2021-01-02 17:46:59-- https://cloud.google.com/
Resolving cloud.google.com (cloud.google.com)… 74.125.20.113, 74.125.20.102, 74.125.20.100, …
Connecting to cloud.google.com (cloud.google.com)|74.125.20.113|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 706920 (690K) [text/html]
Saving to: ‘index.html.22’
index.html.22 100%[==============================================================>] 690.35K 3.44MB/s in 0.2s
2021-01-02 17:47:00 (3.44 MB/s) - ‘index.html.22’ saved [706920/706920]
ubuntu@vm-gcp-spoke-2:~$

ubuntu@vm-gcp-spoke-2:~$ wget https://www.ubuntu.com
--2021-01-02 17:48:34-- https://www.ubuntu.com/
Resolving www.ubuntu.com (www.ubuntu.com)… 91.189.88.180, 91.189.88.181, 91.189.91.45, …
Connecting to www.ubuntu.com (www.ubuntu.com)|91.189.88.180|:443… connected.
HTTP request sent, awaiting response… 301 Moved Permanently
Location: https://ubuntu.com/ [following]
--2021-01-02 17:48:35-- https://ubuntu.com/
Resolving ubuntu.com (ubuntu.com)… 91.189.88.180, 91.189.91.44, 91.189.91.45, …
Connecting to ubuntu.com (ubuntu.com)|91.189.88.180|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 121017 (118K) [text/html]
Saving to: ‘index.html.23’
index.html.23 100%[==============================================================>] 118.18K 319KB/s in 0.4s
2021-01-02 17:48:36 (319 KB/s) - ‘index.html.23’ saved [121017/121017]
ubuntu@vm-gcp-spoke-2:~$

Now if we try to access any other FQDN, that should fail

ubuntu@vm-gcp-spoke-2:~$ wget https://www.espn.com
--2021-01-02 17:49:27-- https://www.espn.com/
Resolving www.espn.com (www.espn.com)… 13.224.10.82, 13.224.10.114, 13.224.10.88, …
Connecting to www.espn.com (www.espn.com)|13.224.10.82|:443… connected.


ubuntu@vm-gcp-spoke-2:~$ wget https://www.cnn.com
--2021-01-02 17:51:00-- https://www.cnn.com/
Resolving www.cnn.com (www.cnn.com)… 151.101.1.67, 151.101.65.67, 151.101.129.67, …
Connecting to www.cnn.com (www.cnn.com)|151.101.1.67|:443… connected.

Egress FQDN Stats on Controller

Controller –> Security –> FQDN Stats

Per Gateway Stats

Egress FQDN Search

==============================
Search results on Gateway gcp-spoke-2
==============================
2021-01-02T16:42:54.990606+00:00 GW-gcp-spoke-2-34.83.204.207 avx-nfq: AviatrixFQDNRule3[CRIT]nfq_ssl_handle_client_hello() L#291  Gateway=gcp-spoke-2 S_IP=10.20.12.130 D_IP=13.224.10.88 hostname=www.espn.com state=MATCHED drop_reason=BLACKLISTED Rule=*.espn.com,SourceIP:IGNORE;0;0;443
2021-01-02T16:43:12.620897+00:00 GW-gcp-spoke-2-34.83.204.207 avx-nfq: AviatrixFQDNRule0[CRIT]nfq_ssl_handle_client_hello() L#291  Gateway=gcp-spoke-2 S_IP=10.20.12.130 D_IP=13.224.10.82 hostname=www.espn.com state=MATCHED drop_reason=BLACKLISTED Rule=*.espn.com,SourceIP:IGNORE;0;0;443
2021-01-02T17:49:27.437085+00:00 GW-gcp-spoke-2-34.83.204.207 avx-nfq: AviatrixFQDNRule0[CRIT]nfq_ssl_handle_client_hello() L#291  Gateway=gcp-spoke-2 S_IP=10.20.12.130 D_IP=13.224.10.82 hostname=www.espn.com state=NO_MATCH drop_reason=NOT_WHITELISTED

2021-01-02T17:49:41.679243+00:00 GW-gcp-spoke-2-34.83.204.207 avx-nfq: message repeated 7 times: [ AviatrixFQDNRule0[CRIT]nfq_ssl_handle_client_hello() L#291  Gateway=gcp-spoke-2 S_IP=10.20.12.130 D_IP=13.224.10.82 hostname=www.espn.com state=NO_MATCH drop_reason=NOT_WHITELISTED]
2021-01-02T17:49:55.759092+00:00 GW-gcp-spoke-2-34.83.204.207 avx-nfq: AviatrixFQDNRule0[CRIT]nfq_ssl_handle_client_hello() L#291  Gateway=gcp-spoke-2 S_IP=10.20.12.130 D_IP=13.224.10.82 hostname=www.espn.com state=NO_MATCH drop_reason=NOT_WHITELISTED
2021-01-02T17:50:02.669462+00:00 GW-gcp-spoke-2-34.83.204.207 avx-nfq: message repeated 6 times: [ AviatrixFQDNRule0[CRIT]nfq_ssl_handle_client_hello() L#291  Gateway=gcp-spoke-2 S_IP=10.20.12.130 D_IP=13.224.10.82 hostname=www.espn.com state=NO_MATCH drop_reason=NOT_WHITELISTED]
2021-01-02T17:50:05.926066+00:00 GW-gcp-spoke-2-34.83.204.207 avx-nfq: AviatrixFQDNRule0[CRIT]nfq_ssl_handle_client_hello() L#291  Gateway=gcp-spoke-2 S_IP=10.20.12.130 D_IP=13.224.10.82 hostname=www.espn.com state=NO_MATCH drop_reason=NOT_WHITELISTED

CoPilot Egress FQDN Stats

https://copilot-pod24.mcna.cc/#/login   user: copilot / pass: Copilot123!  (Read-Only on Controller)

CoPilot –> Security –> Egress

CoPilot Live Status

CoPilot Search

Categories:

Cloud-Networking

Tags:

No Tag

Comments are closed