Lab 2: Deploy

In Lab 1, enabling Valtix's discovery features provided an inventory of the account and of the traffic seen on the network. In a single click, you can see whether any instances are potentially connecting to a malicious destination. In this lab, we will secure the network by deploying a Service VPC with a Valtix Gateway in a hub-and-spoke model. Below is what we will have achieved after this lab.

(Figure: Centralized_VPC)

Procedure

  1. On your Terraform execution server, navigate to GCP-workshop/valtix-tutorial folder.
  2. Enable the Terraform files service_vpc.tf and protect_vpc.tf.

    mv service_vpc.tf.disabled service_vpc.tf
    mv protect_vpc.tf.disabled protect_vpc.tf
    
    • The following files should now be enabled:

      File             State    Description
      provider.tf      enabled  Defines the Terraform provider package
      discover.tf      enabled  Onboards the GCP account onto Valtix
      service_vpc.tf   enabled  Creates the Service VPC and the Valtix Gateway
      protect_vpc.tf   enabled  VPC peering between the Valtix Service VPC and the spoke/application VPC
  3. Here is the content of the files being enabled.


    service_vpc.tf - This file creates the Service VPC and deploys the Valtix Gateway inside it.

    #############################################
    # 2a. Service VPC
    #############################################
    resource "valtix_service_vpc" "service_vpc" {
      name               = "valtix-service-vpc"
      csp_account_name   = var.valtix_account_name
      region             = var.region
      cidr               = "10.10.0.0/24"
      management_cidr    = "10.10.1.0/24"
      availability_zones = [var.zone]
      depends_on = [valtix_cloud_account.gcp_demo]
    }
    
    ###################################
    # 2b. Gateway
    ###################################
    resource "valtix_policy_rule_set" "egress_rule_set" {
      name = "egress-policy-ruleset"
    }
    
    resource "valtix_gateway" "gcp-gw1" {
      name                      = "gcp-gw"
      description               = "GCP gateway"
      csp_account_name          = var.valtix_account_name
      instance_type             = "GCP_E2_8"
      gateway_image             = "22.06-01"
      gateway_state             = "ACTIVE"
      security_type             = "EGRESS"
      policy_rule_set_id        = valtix_policy_rule_set.egress_rule_set.rule_set_id
      gcp_service_account_email = var.service_account_email
      region                    = var.region
      vpc_id                    = valtix_service_vpc.service_vpc.id
      mode                      = "HUB"
    }
    

    protect_vpc.tf - This file creates VPC peering between the spoke VPC and the Service VPC and orchestrates a route so that spoke VPC traffic is inspected by Valtix.

    ###################################
    # 2c. VPC Peering
    ###################################
    data "google_compute_network" "spoke_network" {
      name = "valtix-demo-production-network"
    }
    
    # VPC Peering between Spoke VPC and Service VPC
    resource "valtix_spoke_vpc" "valtix_spoke" {
      service_vpc_id = valtix_service_vpc.service_vpc.id
      spoke_vpc_id   = data.google_compute_network.spoke_network.id
      depends_on     = [valtix_gateway.gcp-gw1]
    }
    
    # Orchestrate route for Spoke VPC traffic to be inspected by Valtix.
    # A default route whose next hop is the gateway's internal load balancer;
    # priority 950 wins over GCP's default Internet route (priority 1000).
    resource "google_compute_route" "production_to_valtix" {
      name         = "route-spoke-to-valtix"
      dest_range   = "0.0.0.0/0"
      network      = data.google_compute_network.spoke_network.name
      next_hop_ilb = valtix_gateway.gcp-gw1.gateway_endpoint
      priority     = 950
      depends_on   = [valtix_spoke_vpc.valtix_spoke]
    }
    

  4. Perform a terraform init.

  5. Perform a terraform apply --auto-approve.
    • This creates the Service VPC and deploys the Valtix Gateway inside it. After the gateway deployment completes, VPC peering is established between the spoke VPC and the Service VPC. Routing table orchestration is also performed so that spoke traffic is routed through the Valtix Gateway for protection.
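As an added check that is not part of the lab's own files, the script below applies GCP's route-selection rule (most specific destination range first, then the lowest priority value) to a constructed sample in the shape of `gcloud compute routes list --format=json`, to confirm that Internet-bound spoke traffic is steered to the gateway's internal load balancer rather than straight to default-internet-gateway. The project, network and forwarding-rule names in the sample are placeholders.

```python
"""Verify that a spoke VPC's Internet-bound traffic is steered to the Valtix Gateway ILB."""
import ipaddress
import json

# Constructed sample in the shape of `gcloud compute routes list --format=json`,
# reduced to the fields the check needs (placeholder project/network names).
SAMPLE_ROUTES = json.loads("""[
 {"name": "default-route-internet", "destRange": "0.0.0.0/0", "priority": 1000,
  "nextHopGateway": "https://www.googleapis.com/compute/v1/projects/p/global/gateways/default-internet-gateway"},
 {"name": "default-route-subnet", "destRange": "10.20.0.0/24", "priority": 0,
  "nextHopNetwork": "https://www.googleapis.com/compute/v1/projects/p/global/networks/valtix-demo-production-network"},
 {"name": "route-spoke-to-valtix", "destRange": "0.0.0.0/0", "priority": 950,
  "nextHopIlb": "https://www.googleapis.com/compute/v1/projects/p/regions/us-east1/forwardingRules/valtix-gw-ilb"}
]""")


def select_route(routes, dest_ip):
    """Mimic GCP route selection: longest destRange prefix wins, then the lowest priority value."""
    ip = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r["destRange"])]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r["destRange"]).prefixlen, r["priority"]))


def egress_inspected(routes, dest_ip="8.8.8.8"):
    """True when traffic to an Internet destination would be handed to an ILB next hop."""
    chosen = select_route(routes, dest_ip)
    return chosen is not None and "nextHopIlb" in chosen


def bypass_routes(routes):
    """Names of default-internet-gateway routes that would still win for the first
    address of their own range, i.e. paths that skip the gateway."""
    names = []
    for r in routes:
        if "nextHopGateway" not in r:
            continue
        probe = ipaddress.ip_network(r["destRange"]).network_address
        if select_route(routes, str(probe)) is r:
            names.append(r["name"])
    return names


if __name__ == "__main__":
    print("egress inspected:", egress_inspected(SAMPLE_ROUTES))
    print("bypass routes:", bypass_routes(SAMPLE_ROUTES))
```

Pipe real output from `gcloud compute routes list --filter="network:valtix-demo-production-network" --format=json` into the same functions after the apply; any name returned by bypass_routes is a route that needs explaining before the spoke can be considered protected.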

Verification

  1. Navigate to Manage -> Gateways -> Service VPCs.
  2. Verify that the Service VPC exists in the table and that its status is ACTIVE.
  3. Navigate to Manage -> Gateways -> Gateways.
  4. Check that the Gateway is shown in the table and that its status is ACTIVE.