AWS Well-Architected: FQDN Egress Filtering
Security Pillar – Financial Services Industry Lens
To quote FSISEC13: Data Protection (Use Fully Qualified Domain Name (FQDN) ingress and egress filters) from the Security Pillar of the Financial Services Industry Lens in the AWS Well-Architected framework:
Specifying policies by IP may not be practical because domain names can often be translated to many different IP addresses, and maintaining security groups at each egress point can be challenging. Filtering outbound traffic by an expected list of domain names can be an efficient way to secure egress traffic from a VPC because the hostnames of these services are typically known at deployment, and the list of hosts that need to be accessed by an application is not extensive and rarely changes.
Filtering traffic by a list of domain names enables companies to centralize the maintenance and deployment of rules. Use a third-party solution to implement a highly available, secure FQDN Egress Filtering service.
Secure FQDN Egress Filtering
The discrimiNAT firewall enables developers and security architects alike to implement a cloud-native FQDN egress filtering solution.
It enforces internet-bound traffic security by only allowing connections that are TLS 1.2, TLS 1.3 or SSH v2, with bidirectional in-band checks. Present-day HTTPS connections are HTTP encapsulated in at least TLS 1.2. Misconfigured clients or very old server endpoints that still use older, now insecure protocols will have their connections denied by this firewall.
FQDNs of services on the internet are associated with applications right at the Security Groups level, so maintenance and deployment are in the hands of the same team that deploys the applications. This also allows for granular egress control over multiple applications in the same VPC.
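As an added illustration (not discrimiNAT's own code, nor anything from AWS), here is a small Python model of the two in-band checks described above: reading the requested FQDN and the offered TLS version out of a ClientHello, then deciding against a per-application FQDN allow-list. The application name, hostnames and allow-list are constructed for the example, and the ClientHello bytes are built inline rather than captured.

```python
import struct

# Constructed allow-list: per-application FQDN egress rules (hypothetical names).
ALLOWED_FQDNS = {"payments-app": {"api.example.com", "sts.amazonaws.com"}}
MIN_TLS = 0x0303  # TLS 1.2; anything older is refused in-band

def build_client_hello(sni, legacy_version=0x0303, supported=None):
    # Constructed test input: a TLS record carrying a minimal ClientHello.
    host = sni.encode()
    names = b"\x00" + struct.pack("!H", len(host)) + host
    exts = struct.pack("!HHH", 0x0000, len(names) + 2, len(names)) + names
    if supported:  # supported_versions (0x002b) is how TLS 1.3 is offered
        vers = b"".join(struct.pack("!H", v) for v in supported)
        exts += struct.pack("!HHB", 0x002B, len(vers) + 1, len(vers)) + vers
    body = (struct.pack("!H", legacy_version) + bytes(32) + b"\x00"  # random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                     # one suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(rec):
    # Returns (sni, highest offered TLS version) from a ClientHello record.
    if len(rec) < 6 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs = rec[5:5 + struct.unpack("!H", rec[3:5])[0]]
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    p = 34                                          # legacy_version + random
    p += 1 + body[p]                                # session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]  # cipher_suites
    p += 1 + body[p]                                # compression_methods
    sni = None
    ext_end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        et, el = struct.unpack("!HH", body[p:p + 4])
        data, p = body[p + 4:p + 4 + el], p + 4 + el
        if et == 0x0000 and len(data) >= 5:         # server_name: first host_name entry
            sni = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii", "replace")
        elif et == 0x002B and data:                 # supported_versions overrides legacy_version
            offered = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
            version = max((v for v in offered if v >> 8 == 3), default=version)  # skip GREASE
    return sni, version

def egress_decision(app, rec):
    # Allow only TLS >= 1.2 to an FQDN on the application's own list.
    sni, version = parse_client_hello(rec)
    if version < MIN_TLS:
        return False, f"offered TLS {version:#06x} is below TLS 1.2"
    if sni not in ALLOWED_FQDNS.get(app, set()):    # also denies a ClientHello with no SNI
        return False, f"SNI {sni} is not allowed for {app}"
    return True, f"{sni} allowed for {app}"
```

This models only the client's side of the handshake; a bidirectional check as the text describes would also inspect the server's reply, for instance that the certificate presented matches the FQDN, which this model leaves out.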
An Auto-Scaling Group ensures this firewall, a NAT Gateway replacement, remains highly available. There are no data processing or transfer charges either. Changes to configuration are logged straight into CloudWatch, as are the flow logs.