reference deployment

Aviatrix FQDN Egress Filtering on AWS

Centralized controller and wizard for managing egress traffic

This Quick Start builds a highly available, secure Fully Qualified Domain Name (FQDN) Egress Filtering service on the Amazon Web Services (AWS) Cloud in about 10 minutes. It automatically deploys an Aviatrix Controller for enabling Egress Filtering in a new or existing virtual private cloud (VPC).

One important network security measure is to effectively control inbound (ingress) and outbound (egress) VPC network traffic, in order to distinguish between legitimate and illegitimate requests. With this Quick Start, you can connect to VPCs in the AWS Cloud with enhanced security, and access your Amazon Elastic Compute Cloud (Amazon EC2) instances, applications, and services. The Aviatrix Controller deploys Aviatrix gateways in your VPCs, and configures egress security policies across all gateways.

After you’ve used this Quick Start to deploy the Aviatrix Controller in one of your VPCs, the Egress Security wizard helps you deploy and configure Aviatrix gateways for Egress Filtering.

Egress Filtering also includes the Egress FQDN Discovery service. You can use Egress FQDN Discovery to see the external sites (URLs) that users and applications access in your VPCs, which helps you configure Egress Filtering.

For best practices and approaches for controlling egress traffic as part of a holistic network security strategy, see the Controlling VPC Egress Traffic webpage on AWS Answers.


This Quick Start was developed by Aviatrix Systems Inc. in collaboration with AWS. Aviatrix Systems Inc. is an AWS Partner.

AWS Service Catalog administrators can add this architecture to their own catalog.

  •  What you'll build
  •  How to deploy
  •  Cost and licenses
  •  What you'll build
  • The Quick Start creates, deploys, and configures the following functional and automation components and services:

    • An Amazon Elastic Compute Cloud (Amazon EC2) instance for the Aviatrix Controller
    • An Aviatrix security group (named AviatrixSecurityGroup)
    • An Elastic IP address assigned to the Aviatrix Controller
    • An Aviatrix IAM EC2 role and attached policy
    • An Aviatrix IAM App role and attached policy
    • AWS Key Management Service (AWS KMS)



  •  How to deploy
  • To build an Aviatrix FQDN Egress Filtering service on AWS in about 10 minutes:

    1. If you don't already have an AWS account, sign up at
    2. Subscribe to the Amazon Machine Image (AMI) for Aviatrix in AWS Marketplace. Choose the Aviatrix Secure Networking Platform PAYG - Metered license.
    3. Launch the Quick Start. You can choose from two options:
    4. Set up the Aviatrix Controller.
    5. Create a primary access account.
    6. Deploy Aviatrix Egress Filtering.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.  

  •  Cost and licenses
  • You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start.

    The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as instance type, will affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you will be using. Prices are subject to change.

    Additionally, to help protect network configuration information, this Quick Starts creates a unique AWS Key Management Service (AWS KMS) customer master key (CMK), which has a low monthly cost. For details, see the AWS KMS pricing webpage.

    You are also responsible for the Aviatrix license that is required to deploy Aviatrix Egress Filtering. Subscribe to an Amazon Machine Image (AMI) for Aviatrix software in AWS Marketplace, choosing the following licensing option: