AWS VPC Restrict outbound access to certain URL

Question

I am trying to restrict my outbound access for my VPC.

I would like to restrict the outbound access to certain URL but the security group only let you set IPs and no URL.

Is there any way to restrict outbound access by URL instead of IPs?

Answer 1

The firewall does not resolve URLs. That would require a higher order firewall that is aware of the HTTP protocol contents. More Info on the OSI Model: http://en.wikipedia.org/wiki/OSI_model

The closest you will get with the network ACL's in VPC, is to resolve the domains you want to block to its IP addresses. However, this will block the entire site as well as any other domains that may also be hosted on the IP address. Also many sites will likely resolve to more than 1 IP address.

You may be able to install some kind of proxy/filter on the instances directly and handle the IP url filtering from there.

Answer 2

The simplest and easiest way is to implement an Aviatrix FQDN egress filter. It just serves the purpose from a centralized user interface to whitelist/blacklist the URLs in every VPC.

Next Generation Firewall (NGFW) implementation, just to achieve URL / FQDN filtering is an overkill, esp. from the cost point of view whereas proxy implementation has its complexity and doesn't provide centralized control, every VPC has to be managed separately.

The easiest way is to get an Aviatrix launch partner like SDxWORx, enable it with discounted PAYG pricing.

https://aws.amazon.com/marketplace/pp/prodview-laruhupdkcpuy/