How can we restrict outbound traffic from an AWS VPC to the internet, for example limiting outbound traffic to certain trusted domains (URL "whitelisting")? I was thinking of AWS WAF, but it seems it filters traffic traveling to the web application, not from the web application. Any thoughts or suggestions? Thanks in advance.
Are you looking for a proxy? – x4k3p Dec 31 '20 at 00:27
Yes, is there any AWS managed service that can provide this functionality? – Asri Badlah Dec 31 '20 at 00:33
See my answer please. Actually such questions are for https://serverfault.com/ – x4k3p Dec 31 '20 at 00:39
2 Answers
It seems that you're looking for a proxy solution. As far as I know there aren't any managed proxy AWS services offered yet, but you can use CloudFormation, Terraform or similar to set it up your own way, e.g. with open source solutions.
There is a good blog post on AWS about exactly your issue: https://aws.amazon.com/de/blogs/security/how-to-set-up-an-outbound-vpc-proxy-with-domain-whitelisting-and-content-filtering/
Maybe there is something useful for you on AWS Marketplace: https://aws.amazon.com/marketplace/search/results?x=0&y=0&searchTerms=Proxy
That looks fine, but here you need to add every URL you need to whitelist. I am looking for a solution that has predefined URLs, like Windows Update URLs, instead of whitelisting URLs one by one – Asri Badlah Dec 31 '20 at 00:47
Well, it depends on your needs which URLs you need. For Windows Updates, if I understand correctly, you can use WSUS: https://aws.amazon.com/de/quickstart/architecture/windows-server-update-services/ Maybe there is a complete list on GitHub/the internet with the required URLs for Microsoft Update, but I have no idea, sorry – x4k3p Dec 31 '20 at 00:56
You could try AWS Marketplace to see if anyone is offering that as a product. – Adam Luchjenbroers Dec 31 '20 at 00:56
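The core of the proxy-based approach in the answer above is the domain allowlist check itself, and that check is where egress filters usually go wrong (substring matches, unnormalised hostnames, IP literals that sidestep name-based rules). The following is an added example, not code from the question, the answers, or the AWS blog post they link. It assumes an allowlist in the Squid `dstdomain` style (a leading dot matches a domain and all of its subdomains; an entry without a leading dot matches only that exact host); the allowlist entries and test URLs are constructed for illustration.

```python
"""Domain allowlist check of the kind an outbound (egress) proxy applies.

Added example; not from the question, the answers, or the linked AWS post.
Allowlist syntax follows the Squid ``dstdomain`` convention:
  host.example        -> matches only that exact host
  .domain.example     -> matches the domain and every subdomain
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for illustration (not a real policy).
ALLOWLIST = """
# exact hosts
updates.example.com
# whole domain, including subdomains
.packages.example.org
"""


def parse_allowlist(text: str) -> tuple[set[str], set[str]]:
    """Split allowlist text into (exact hosts, suffix domains).

    Comments after '#' are ignored, entries are lowercased and a trailing
    dot (absolute DNS name) is stripped so that comparisons are canonical.
    """
    exact: set[str] = set()
    suffixes: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not line:
            continue
        if line.startswith("."):
            suffixes.add(line.lstrip("."))  # stored without the leading dot
        else:
            exact.add(line)
    return exact, suffixes


def normalise_host(target: str) -> str | None:
    """Return the lowercase hostname of a URL or a bare host[:port] string.

    urlsplit().hostname drops the port, brackets around IPv6 literals and
    any userinfo, so "https://trusted.example@203.0.113.5/" yields the real
    destination 203.0.113.5 rather than the decoy in front of the '@'.
    """
    if "://" not in target:
        target = "//" + target  # let urlsplit treat a bare host:port as authority
    host = urlsplit(target).hostname
    if not host:
        return None
    return host.lower().rstrip(".")


def is_allowed(target: str, exact: set[str], suffixes: set[str]) -> bool:
    """Decide whether an outbound request to ``target`` passes the allowlist."""
    host = normalise_host(target)
    if host is None:
        return False
    # IP literals bypass name-based filtering entirely: deny them by default.
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    if host in exact:
        return True
    # Match on a label boundary only: "a.packages.example.org" matches
    # ".packages.example.org", but "evilpackages.example.org" and
    # "packages.example.org.attacker.test" do not.
    for suffix in suffixes:
        if host == suffix or host.endswith("." + suffix):
            return True
    return False


if __name__ == "__main__":
    allowed_exact, allowed_suffixes = parse_allowlist(ALLOWLIST)
    for url in (
        "https://updates.example.com/feed",
        "https://mirror.updates.example.com/",
        "https://a.b.packages.example.org/pkg",
        "https://evilpackages.example.org/",
        "http://203.0.113.5/",
    ):
        verdict = "ALLOW" if is_allowed(url, allowed_exact, allowed_suffixes) else "DENY"
        print(f"{verdict:5} {url}")
```

The same matching rules apply whatever enforces them (a Squid ACL, a firewall FQDN rule, or a commercial egress filter): treat the list as a set of exact hosts plus label-boundary suffixes, normalise the destination before comparing, and decide explicitly what happens to requests that name an IP address instead of a hostname.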
The simplest and easiest way is to implement an Aviatrix FQDN egress filter. It serves exactly this purpose from a centralized user interface: discover, then whitelist/blacklist the URLs/FQDNs in every VPC.
A proxy implementation could become complex, especially when you have to manage it separately in every VPC, and it doesn't provide centralized control; every VPC has to be managed separately.
The easiest way is to get an Aviatrix launch partner like SDxWORx and enable it with discounted PAYG pricing.
https://aws.amazon.com/marketplace/pp/prodview-laruhupdkcpuy/