Agent harnesses are privileged non-human operators. Contain them.
OpenClaw, NemoClaw, and Hermes can read sensitive data, call APIs, execute code, browse the web, and persist state across sessions — without a human prompting every step. This VCA places the agent runtime in a private AWS subnet behind Aviatrix, enforces a default-deny egress policy with Distributed Cloud Firewall, and logs every connection in CoPilot FlowIQ with agent identity. No HTTPS proxy. No SDK change. No redeploy.
The problem isn’t hallucination. It’s unbounded network reachability.
Agent harnesses are non-human operators that decide which API to call, which file to read, which command to execute, and which endpoint to contact — without prompting every step. A prompt injection, malicious skill, compromised dependency, or unsafe browser page can redirect that authority toward exfiltration or lateral movement. In-harness allowlists sit inside the runtime an attacker may already control. Aviatrix enforcement sits outside it.
Prompt injection → exfiltration
Untrusted content in a web page, ticket, document, or email redirects the agent to send retrieved data to an attacker-controlled host. Indistinguishable from legitimate agent activity at the process layer.
Supply-chain / skill compromise
A malicious package, plugin, or skill phones home or downloads a payload from inside the terminal environment. No CVE at install time — package scanners pass it. The agent runtime now executes attacker-controlled code.
Shadow model call
Agent code or manipulated instructions send prompts or retrieved data to an unapproved model provider — OpenAI, Anthropic, Mistral, DeepSeek, or others. The named deny rule at priority 10 fires before any allow rule.
DNS exfiltration
Encoded data leaves through an external DNS resolver on UDP/TCP 53 — bypassing controls that only inspect HTTPS. Rules 20/21 deny external DNS to any destination other than the VPC resolver.
Lateral movement
A compromised agent tries to reach your databases or other internal servers. The deny-eastwest rule blocks it from moving sideways into the rest of your network.
Exfiltration attempt — blocked
The agent initiates outbound HTTPS to an attacker-controlled endpoint. TCP SYN traverses the Aviatrix Spoke Gateway. Destination is not in any permit WebGroup — POST_RULES default-deny fires. Connection never completes.
Audit trail
Blocked connection logged at the Spoke Gateway with agent subnet identity, destination FQDN or IP, policy rule name, action, and timestamp. CoPilot FlowIQ provides per-agent class traffic analysis with full attribution for SOC 2, HIPAA, PCI-DSS, FedRAMP, and DORA audit requirements.
One enforcement point. Outside the harness trust boundary.
Enforcement runs at the cloud network layer, outside the runtime the agent can influence. No HTTPS proxy to configure, no SDK to rewrite, no agent-code change required.
Transparent egress enforcement — zero bypass risk
The agent runtime (OpenClaw / NemoClaw / Hermes) runs in a private AWS subnet with no public IP and no internet gateway route. The subnet default route 0.0.0.0/0 points to the Aviatrix Spoke Gateway — every outbound connection is intercepted transparently. Administration is through SSM Session Manager; no inbound rule and no public SSH required. No software process inside the agent can circumvent the route table.
Ordered policy evaluation · shadow-model deny at priority 10
Traffic passing through the Spoke Gateway is evaluated against an ordered DCF policy list. SmartGroups identify the source (agent subnet CIDR). WebGroups define approved destinations per agent class. The shadow-model deny rule fires at priority 10, ahead of all permit rules. The POST_RULES default-deny catches every destination not explicitly declared. In monitor mode, every rule logs but permits — baseline real agent workflows first, then enforce.
Same policy model · pod identity via SmartGroups
The same SmartGroup / WebGroup model extends to EKS. Map agent pods to namespace or label-based SmartGroups; policy follows pod identity instead of static pod IPs. Requires Controller 9.0+ for TLS decryption, URL-path filtering, and egress IDS/IPS on the K8s shape.
Enforcement architecture — AWS VM shape
Ordered evaluation. Shadow-model deny at priority 10.
Rules evaluate top to bottom. The vca-openclaw-shadow-model-deny rule fires at priority 10, ahead of all permit rules. WebGroups are SNI/FQDN-oriented — exact domain names, not wildcards, ports, or URL paths. In monitor mode every rule logs but permits.
Rules (in priority order)
| Priority | Rule name | Action | Destination | Notes |
|---|---|---|---|---|
| 10 | vca-openclaw-shadow-model-deny | DENY + LOG | wg-unapproved-model-providers | api.openai.com, api.anthropic.com, generativelanguage.googleapis.com, api.mistral.ai, openrouter.ai, api.deepseek.com … Fired before any allow rule. |
| 18/19 | allow-vpc-dns-udp/tcp | PERMIT | sg-vpc-dns-resolver UDP/TCP 53 | VPC resolver only. Precedes external DNS deny. |
| 20/21 | deny-dns-exfil-udp/tcp | DENY + LOG | Any UDP/TCP 53 except VPC resolver | Closes DNS tunneled exfiltration channel. |
| 30 | allow-aws-infra | PERMIT | SSM, EC2, Logs, STS, ECR/S3 endpoints | Region-generated from aws_region variable. |
| 40/41 | allow-model-gateways | PERMIT | sg-approved-model-gateways TCP 443 | integrate.api.nvidia.com, inference-api.nvidia.com, or enterprise gateway. |
| 50 | allow-core | PERMIT | wg-openclaw-core TCP 443 | openclaw.ai, docs.openclaw.ai, clawhub.ai, www.nvidia.com |
| 60 | allow-packages | PERMIT | wg-approved-package-registries TCP 443 | registry.npmjs.org, pypi.org, github.com, *.githubusercontent.com, huggingface.co, registry-1.docker.io — coding-class agents only. |
| 70/80 | allow-saas / allow-mcp | PERMIT | wg-approved-saas-apis & wg-approved-mcp-gateways | CRM, ticketing, approved KB, and MCP gateways — defined per agent class. |
| 100 | deny-eastwest | DENY + LOG | Adjacent / internal CIDRs | Isolates agent VPC from adjacent workloads. Extendable with SmartGroup east-west microsegmentation. |
| POST | Default action | DENY + LOG | Any unmatched destination | All protocols. Every match logged to CoPilot FlowIQ with identity, destination, rule name, and timestamp. |
SmartGroup and WebGroup objects
| Object | Type | Purpose |
|---|---|---|
| sg-agent-vm-subnet | CIDR SmartGroup | Source identity for the VM or container shape. Scoped to the private agent subnet CIDR. |
| sg-vpc-dns-resolver | CIDR SmartGroup | VPC DNS resolver destination. Permitted before external DNS is denied. |
| sg-approved-model-gateways | CIDR / FQDN | Enterprise or NVIDIA model gateway. Prefer an enterprise gateway where available. |
| wg-openclaw-core | WebGroup | OpenClaw / NemoClaw core services, docs, and required terminal UI endpoints. |
| wg-approved-package-registries | WebGroup | npm, PyPI, GitHub, Hugging Face, Docker Hub — coding-class agents only. |
| wg-approved-saas-apis | WebGroup | CRM, ticketing, document stores, and workflow APIs defined per agent class. |
| wg-approved-mcp-gateways | WebGroup | Enterprise MCP / tool gateways without flat internal network reachability. |
| wg-unapproved-model-providers | WebGroup | Known unapproved model APIs. Denied at priority 10, ahead of all allow rules. |
Agent-class presets
| Agent class | Typical permits | Typical denies |
|---|---|---|
| Locked-down demo | Model gateway, OpenClaw/NemoClaw core, AWS private ops | Package registries, broad web, SaaS APIs |
| Coding agent | GitHub, package registries, internal artifacts, model gateway, docs | Shadow models, external DNS, unapproved SaaS, production networks |
| Research agent | Approved search/data APIs, document stores, model gateway, telemetry | Package registries unless needed, arbitrary uploads |
| Support agent | CRM, ticketing, approved KB, MCP gateway, model gateway | Source-code systems and package registries unless required |
| Regulated-data agent | Specific internal APIs, approved model gateway, observability | Public package registries, public SaaS, external upload, shadow models |
Everything your team needs.
AWS Blueprint Reference
Prerequisites, VPC and subnet design, Aviatrix Spoke Gateway insertion, full DCF ruleset in priority order, SmartGroup and WebGroup definitions, agent-class presets, validation tests, and monitor-to-enforce rollout sequence. For platform engineers deploying the VM or K8s shape.
Download PDF →
Threat Model & Enforcement
Agent harness threat model, full kill chain with point of intervention, control boundary map showing what enforces where, why in-harness allowlists are insufficient, and compliance evidence artifacts for SOC 2, HIPAA, PCI-DSS, FedRAMP, DORA, NIST AI RMF, and EU AI Act. For security architects.
Download PDF →
Field & Buyer Overview
The threat narrative, why in-harness allowlists sit inside the trust boundary Aviatrix operates outside of, the before/after for AI workflow engineers, compliance proof points, and discovery questions for security and platform buyers.
Download PDF →
Full Terraform Blueprint
VPC, private subnet, OpenClaw/NemoClaw VM, SSM-only management, VPC Flow Logs, Aviatrix Spoke Gateway, DCF policy objects, agent-class preset tfvars profiles (locked-down, coding, research, support, regulated), validation tests, and operations docs including AGENTS.md, domain tiers, preflight checks, and rollback guidance.
View repository →
Attack simulation
60-second lab recording. A prompt-injected OpenClaw agent attempts to exfiltrate credentials to an unapproved model provider. The priority-10 shadow-model deny rule fires before the TCP handshake completes. CoPilot FlowIQ logs the attempt with full agent-class identity and rule attribution.
Watch →
Trusted by enterprise security teams
SOC 2 Type II: Independently audited
ISO 27001: Certified
500+ enterprises: Including 10% of the Fortune 500
Zero data-plane access: Aviatrix never touches your traffic
Documented before you find them in production.
Lab-validated limitations and workarounds for the OpenClaw agent runtime containment VCA. Published upfront so your deployment matches the docs.
Reference blueprint — statically reviewed, not live-tested
This architecture has been statically reviewed but not applied against a live AWS account or Aviatrix Controller. Run terraform fmt, validate, plan, and a non-production monitor-mode deployment before production use.
Developer workstations are out of scope
Unmanaged workstation and personal VPS agent runtimes are out of scope. Routing is not deterministic and enforcement cannot sit outside the host. The recommended enterprise posture is to avoid approving unmanaged workstation agents for regulated data or production access.
K8s shape requires Controller 9.0+ for TLS decryption
The VM shape works on Controller 8.1+. The Kubernetes extension requires Controller 9.0+ for selective TLS decryption, URL-path filtering, and egress IDS/IPS. Controller 8.2+ is required for the POST_RULES default-action resource.
Per-agent lifecycle automation is Phase 3
An Agent Egress Identity Service integrating with the enterprise agent registry, Kubernetes admission workflow, or AI platform control plane is a design candidate. This VCA delivers the network enforcement layer; agent lifecycle automation is a future phase.
Deploy in monitor mode first. Baseline. Then enforce.
Deploy the private VM or Kubernetes namespace through the blueprint with policy_mode = monitor. Exercise real terminal workflows — install, clone, pull packages, call the model gateway, use approved SaaS/MCP tools. Convert observed legitimate destinations into WebGroups by pull request. Switch to policy_mode = enforce, run the egress verification, and make the preset reusable for the next team.
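The ordered evaluation from the rules table and the monitor-then-enforce baseline described above, as an added example that is not part of the blueprint or Aviatrix's own code: a toy Python model of the rule list in which the first match wins, plus a helper that turns monitor-mode observations into the set of destinations that would be blocked once enforced. The VPC resolver address, the internal CIDR and the matching logic are assumptions for illustration.

```python
# Added example, not Aviatrix's code: toy model of the ordered DCF rule list in the table
# above. Names, priorities and destinations are from the table; matching logic is assumed.
from collections import namedtuple
from ipaddress import ip_address, ip_network
VPC_DNS = "10.0.0.2"                  # constructed VPC resolver address (sg-vpc-dns-resolver)
INTERNAL = ip_network("10.0.0.0/16")  # constructed adjacent/internal CIDR (deny-eastwest)
SHADOW = {"api.openai.com", "api.anthropic.com", "api.mistral.ai", "openrouter.ai",
          "generativelanguage.googleapis.com", "api.deepseek.com"}
MODEL_GW = {"integrate.api.nvidia.com", "inference-api.nvidia.com"}
CORE = {"openclaw.ai", "docs.openclaw.ai", "clawhub.ai", "www.nvidia.com"}
Conn = namedtuple("Conn", "dst proto port")   # dst is an FQDN (SNI) or an IP literal

def internal(dst):
    try:
        return ip_address(dst) in INTERNAL
    except ValueError:        # an FQDN, not an IP literal
        return False

def https(c, webgroup):       # WebGroups match exact FQDNs, not wildcards, ports or paths
    return c.proto == "tcp" and c.port == 443 and c.dst in webgroup
# (priority, rule name, action, predicate) in evaluation order; POST_RULES is default deny
RULES = [
    (10,  "vca-openclaw-shadow-model-deny", "DENY",   lambda c: c.dst in SHADOW),
    (18,  "allow-vpc-dns",                  "PERMIT", lambda c: c.port == 53 and c.dst == VPC_DNS),
    (20,  "deny-dns-exfil",                 "DENY",   lambda c: c.port == 53),
    (40,  "allow-model-gateways",           "PERMIT", lambda c: https(c, MODEL_GW)),
    (50,  "allow-core",                     "PERMIT", lambda c: https(c, CORE)),
    (100, "deny-eastwest",                  "DENY",   lambda c: internal(c.dst)),
]

def evaluate(conn, policy_mode="enforce"):
    """First match wins; returns (rule name, logged action, effective action)."""
    for _prio, name, action, match in RULES:
        if match(conn):
            break
    else:
        name, action = "POST_RULES-default", "DENY"
    # monitor mode: every match is still logged, but the connection is permitted
    return name, action, ("PERMIT" if policy_mode == "monitor" else action)

def enforce_impact(observed):
    """Monitor-mode baseline: destinations that would be blocked once enforced, by rule."""
    impact = {}
    for c in observed:
        name, action, _ = evaluate(c, "monitor")
        if action == "DENY":
            impact.setdefault(name, set()).add(c.dst)
    return impact
```

Note that the VPC resolver sits inside the internal CIDR, yet DNS to it is permitted because rule 18 is evaluated before the priority-100 east-west deny; the same address on TCP 443 falls through to deny-eastwest.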
The Terraform is built.
The policy pack is on GitHub.
Deploy the agent runtime in monitor mode this afternoon. Baseline your agent’s real destinations, then enforce. Pick the path that matches where you are.
New to Aviatrix
Start with Enterprise — VCAs included free
Subscribe on AWS Marketplace, deploy Enterprise in under 15 minutes, then deploy this VCA on top. 30-day free trial — VCAs included.
Subscribe on AWS Marketplace · 30-day free trial · No contract
Already on Enterprise
Pull the Terraform from GitHub
Full blueprint, agent-class preset profiles, validation tests, and AGENTS.md. Deploy in monitor mode, baseline, then enforce.
Get the Terraform →
Controller 8.1+ · 1 managed network per deployment · Monitor-first rollout