Skip to content

Valtix Documentation

Reference Architecture - AWS Centralized Egress / East-West (NAT Gateway)

Valtix Documentation

Valtix Home
Documentation
Documentation
- Solution Overview
- Getting Started
  Getting Started
  - Easy Setup
- Account Onboarding
  Account Onboarding
  - AWS
    AWS
    
    Overview
    
    Account Onboarding
    
    Tech Notes
    Tech Notes
    
    IAM Roles
    
    Discovery Features
    
    VPC Setup
  - Azure
    Azure
    
    Overview
    
    AD Application
    
    Custom Role
    
    Marketplace Terms
    
    User Assigned Identity
    
    Account Onboarding
    
    VNet Setup
  - GCP
    GCP
    
    Overview
    
    Enable API
    
    Service Accounts
    
    Account Onboarding
    
    VPC Setup
  - OCI
    OCI
    
    Overview
    
    Setup Tenant
    
    Onboard Account
- Discovery
  Discovery
  - Overview
  - Enable Inventory
  - Discovered Assets
  - Security Insights
  - Rules and Findings
  - Enable DNS Logs
    Enable DNS Logs
    
    AWS
    
    Azure
    
    GCP
  - Enable VPC Flow Logs
    Enable VPC Flow Logs
    
    AWS
    
    Azure
    
    GCP
- Investigate & Analysis
  Investigate & Analysis
  - Flow Analytics
    Flow Analytics
    
    Overview
    
    Traffic Summary
    
    All Events
    
    Flow Logs
    
    Firewall Events
    
    Network Threats
    
    Web Attacks
    
    URL Filtering
    
    FQDN Filtering
    
    HTTPS Logs
  - Network Analytics
    Network Analytics
    
    Stats
  - System Status
    System Status
    
    Audit Logs
    
    System Logs
- Security Gateways
  Security Gateways
  - Overview
  - AWS
    AWS
    
    Service VPCs
    Service VPCs
    
    Manage Service VPCs
    
    Manage Spoke VPCs
    
    Ingress
    
    Egress / East-West
  - Azure
    Azure
    
    Service VNet
    Service VNet
    
    Manage Service VNets
    
    Manage Spoke VNets
    
    Ingress
    
    Egress / East-West
  - GCP
    GCP
    
    Service VPC
    Service VPC
    
    Manage Service VPCs
    
    Manage Spoke VPCs
    
    Ingress
    
    Egress / East-West
  - OCI
    OCI
    
    Ingress
    
    Egress / East-West
  - Upgrade
- Security Policy
  Security Policy
  - Ruleset
  - Rules
- Addresses and Services
  Addresses and Services
  - Address Objects
  - FQDN Objects
  - Service Objects
    Service Objects
    
    Reverse Proxy (Ingress)
    
    Forward Proxy (Egress/East-West)
    
    Forwarding (Egress/East-West)
  - Application ID
- Certificates and Decryption
  Certificates and Decryption
  - Certificates & Keys
  - Decryption
  - Tech Notes
    Tech Notes
    
    Azure Key Vault
    
    AWS KMS
    
    Self-Signed Certificates
- Application Threats
  Application Threats
  - WAF (Web Application Firewall)
  - L7 DoS (L7 Denial of Service)
- Network Threats
  Network Threats
- FQDN and URL Filtering
  FQDN and URL Filtering
  - FQDN
  - URL
  - Categories
- Log Forwarding
  Log Forwarding
  - Overview
    Overview
    
    Events and Logs
    
    Discovery Logs
  - Destinations / SIEMs
    Destinations / SIEMs
    
    AWS S3 Bucket
    
    Datadog
    
    GCP Logging
    
    Microsoft Sentinel
    
    Splunk
    
    Sumo Logic
    
    Syslog
- NTP
  NTP
  - Overview
- Packet Capture
  Packet Capture
  - Overview
- Reports
  Reports
  - Overview
- Administration
  Administration
  - Users
    Users
    
    Overview
    
    Multi-Factor Authentication (MFA)
    
    Single Sign-On (SSO)
    Single Sign-On (SSO)
    
    Azure AD (SAML)
    
    Okta (SAML)
    
    OneLogin (SAML)
  - Roles
  - Account
- Alerting
  Alerting
  - Overview
  - Destinations / SIEMs
    Destinations / SIEMs
    
    Datadog
    
    Microsoft Sentinel
    
    Pagerduty
    
    ServiceNow
    
    Slack
    
    Webex
- Terraform
  Terraform
  - Terraform
Tutorials
Tutorials
- Overview
- AWS
  AWS
  - Workshop
    Workshop
    
    Introduction
    
    Workshop Breakdown
    
    Prerequisites
    
    Lab
    Lab
    
    Lab 1: Discover
    
    Lab 2: Deploy
    
    Lab 3: Defend
    
    Clean Up
    
    Conclusion
  - Advanced Network Setup
    Advanced Network Setup
    
    Egress & East-West
    Egress & East-West
    
    Discover
    Discover
    
    Step 1: AWS Setup
    
    Step 2: Add AWS Account
    
    Step 3: Discovery
    
    Deploy
    Deploy
    
    Step 1: Deploy Service VPC
    
    Step 2: Deploy Valtix Gateway
    
    Step 3: Protect Spoke VPCs
    
    Defend
    Defend
    
    Step 1: Policy Rule
    Step 1: Policy Rule
    
    Forward Proxy
    
    Forwarding
    
    Step 2: Security Profiles
    Step 2: Security Profiles
    
    IPS
    
    FQDN-Filtering
    
    Data Loss Prevention
    
    Ingress
    Ingress
    
    Discover
    Discover
    
    Step 1: AWS Setup
    
    Step 2: Add AWS Account
    
    Step 3: Discovery
    
    Deploy
    Deploy
    
    Step 1: Deploy Service VPC
    
    Step 2: Deploy Valtix Gateway
    
    Step 3: Protect Spoke VPCs
    
    Defend
    Defend
    
    Step 1: Policy Rule
    
    Step 2: Security Profiles
    Step 2: Security Profiles
    
    IPS
    
    WAF
- GCP
  GCP
  - Workshop
    Workshop
    
    Introduction
    
    Workshop Breakdown
    
    Prerequisites
    
    Lab
    Lab
    
    Lab 1: Discover
    
    Lab 2: Deploy
    
    Lab 3: Defend
    
    Clean Up
    
    Conclusion
Reference Architecture
Reference Architecture
- Overview
- AWS
  AWS
  - Centralized
    Centralized
    
    Ingress
    
    Egress / East-West
    
    Subnet Segmentation
    
    Egress / East-West (NAT Gateway) Egress / East-West (NAT Gateway)
    Table of contents
    
    Deployment Architecture
    
    Traffic Flow
    
    Routing Configuration
    
    GWLB-based Ingress / Egress
- Azure
  Azure
  - Centralized
    Centralized
    
    Ingress
    
    Egress / East-West
- GCP
  GCP
  - Centralized
    Centralized
    
    Combined
- OCI
  OCI
  - Centralized
    Centralized
    
    Ingress
    
    Egress / East-West
FAQ
FAQ
- FAQ
Releases
Releases
- Overview
  Overview
- Supported Releases
  Supported Releases
  - Controller / UI
    Controller / UI
    
    24.02 - February 26, 2024
  - Gateways
    Gateways
    
    24.02-02 - April 18, 2024
    
    23.10-03 - January 11, 2024
    
    23.08-15 - March 27, 2024
  - Terraform Provider
    Terraform Provider
    
    24.2.1 - Feburary 31, 2024
    
    23.10.1 - November 6, 2023
    
    23.8.1 - August 22, 2023
- End-of-Support Releases
  End-of-Support Releases
  - Gateways
    Gateways
    
    23.06 - November 12, 2023
    
    23.04 - September 3, 2023
  - Terraform Provider
    Terraform Provider
    
    23.7 - July 27, 2023
    
    23.6 - July 17, 2023
    
    23.5 - June 12, 2023
    
    23.4 - May 23, 2023
- End-of-Life Releases
  End-of-Life Releases
  - Controller / UI
    Controller / UI
    
    23.12 - December 14, 2023
    
    23.10 - October 31, 2023
    
    23.09 - September 30, 2023
    
    23.08 - August 21, 2023
    
    23.07 - July 19, 2023
    
    23.06 - June 26, 2023
    
    23.05 - June 8, 2023
    
    23.04 - April 20, 2023
    
    23.02 - February 15, 2023
    
    22.12 - December 15, 2022
    
    22.10 - November 7, 2022
    
    22.09 - October 6, 2022
    
    22.08 - September 7, 2022
    
    22.07 - August 7, 2022
    
    22.06 - July 6, 2022
    
    22.05 - June 2, 2022
    
    22.04 - May 5, 2022
    
    22.03 - March 31, 2022
    
    22.02 - March 2, 2022
    
    22.01 - January 31, 2022
    
    2.11 - December 26, 2021
  - Gateways
    Gateways
    
    23.02 - July 10, 2023
    
    22.12 - July 27, 2023
    
    22.10 - March 7, 2023
    
    22.09 - October 17, 2022
    
    22.08 - January 4, 2023
    
    22.06 - November 8, 2022
    
    22.04 - September 3, 2022
    
    22.02 - April 22, 2022
    
    2.11 - July 25, 2022
  - Terraform Provider
    Terraform Provider
    
    23.2 - February 17, 2023
    
    22.12 - December 29, 2022
    
    22.10 - December 6, 2022
    
    22.9 - October 6, 2022
    
    22.8 - September 10, 2022
    
    22.7 - August 10, 2022
    
    22.6 - July 6, 2022
    
    22.5 - June 6, 2022
    
    22.4 - May 13, 2022
    
    22.3 - March 31, 2022
    
    22.1 - February 7, 2022
  - 2.10 - 2021-10-21
    2.10 - 2021-10-21
    
    Features and Changes
    
    Controller / UI
    
    Gateway
    
    Terraform Provider
  - 2.9 - 2021-08-25
    2.9 - 2021-08-25
    
    Features and Changes
    
    Controller / UI
    
    Gateway
    
    Terraform Provider
  - 2.8 - 2021-06-08
  - 2.7 - 2021-03-29
  - 2.6 - 2021-02-08
  - 2.5 - 2020-11-10
  - 2.4 - 2020-09-03
  - 2.2 - 2020-06-23
  - 2.1 - 2020-06-05
  - 2.0 - 2020-04-17
  - 1.2 - 2020-01-23
  - 1.1 - 2019-11-05
Support
Support
- Overview

AWS Centralized Egress / East-West (NAT Gateway)¶

When using Valtix to protect Egress traffic, traffic sent to the Internet will have a source IP of the Valtix Gateway instance. If there is a need for the Gateway instances to be deployed as private, and the IP address used to send traffic to the Internet needs to be static (does not change), the Service VPC can be deployed using a NAT Gateway. When the NAT Gateway option is enabled, the Valtix Gateway is deployed into private subnets and public subnets will be created to host the NAT Gateways (per AZ). All traffic to the Internet will be sent from the Gateway instances through the NAT Gateways using the NAT Gateway public IP addresses. This allows the IP address of the NAT Gateways to be whitelisted, which is often required when interfacing a cloud resource to a SaaS-delivered Identity Provider for authentication.

Deployment Architecture¶

Valtix_NAT_gw

Traffic Flow¶

Valtix_NAT_gw

Routing Configuration¶

Valtix_NAT_gw