Egress and East-West
In a centralized model, Valtix uses a Service VPC as a centralized inspection point and connects all spoke VPCs to the Service VPC through AWS Transit Gateway. A spoke VPC is the VPC in which your workload resides. Valtix orchestrates the deployment of the Service VPC (and all necessary components) and attaches it to an existing or new AWS Transit Gateway (Valtix can also deploy the Transit Gateway). From the Valtix Controller, users select the spoke VPCs they want Valtix to protect, and Valtix makes the necessary changes to the spoke route tables and attaches the spokes to the Transit Gateway. Once Valtix is set up, spoke VPC traffic is redirected through the Transit Gateway to the Service VPC for protection.
The same Valtix Gateway can be used for both egress and east-west protection. In the egress scenario, traffic is routed through the Transit Gateway to the Service VPC and from there to the internet. Depending on the policy, the Valtix Gateway either performs NAT for a forwarding rule or acts as a proxy for a forward proxy rule. In the east-west scenario, traffic from one spoke VPC is redirected to the Service VPC and, after inspection, forwarded back to the Transit Gateway and on to the destination VPC.
This centralized model scales out easily. Any new spoke VPC can be protected by Valtix simply by attaching the VPC to the Transit Gateway. When a new VPC is deployed, Valtix's discovery automatically detects it, and users can attach the VPC to the Transit Gateway from the Valtix Controller. Valtix takes care of orchestrating the attachment and the route changes.
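The routing described above depends on two things holding at once: every spoke's default route points at the Transit Gateway, and the Transit Gateway route table used by the spoke attachments sends traffic to the Service VPC attachment rather than directly to another spoke. If a direct spoke-to-spoke route is propagated into that table, east-west traffic reaches its destination without ever crossing the inspection point. The following is an added example, not Valtix or AWS code, that models that hub-and-spoke design with constructed VPC names, CIDRs and route tables and traces egress and east-west paths to check that each one passes through the Service VPC:

```python
"""Trace routing through a hub-and-spoke Transit Gateway design.

Constructed example (not Valtix code): models spoke VPC route tables,
Transit Gateway (TGW) route tables and a Service VPC attachment, then
checks that every spoke-to-spoke and spoke-to-internet path crosses the
Service VPC inspection point.
"""
from ipaddress import ip_address, ip_network

# Constructed topology: names and CIDRs are illustrative, not real accounts.
SPOKES = {"spoke-a": "10.1.0.0/16", "spoke-b": "10.2.0.0/16"}
SERVICE_VPC = "service-vpc"
INTERNET_TEST_IP = "203.0.113.10"  # TEST-NET-3, stands in for "the internet"

# Spoke VPC route tables: prefix -> next hop ("local" or "tgw").
SPOKE_ROUTE_TABLES = {
    "spoke-a": {"10.1.0.0/16": "local", "0.0.0.0/0": "tgw"},
    "spoke-b": {"10.2.0.0/16": "local", "0.0.0.0/0": "tgw"},
}

# TGW route tables keyed by the kind of attachment a packet arrives on.
# The spoke table sends everything to the Service VPC; the service table
# returns inspected traffic to the right spoke.
TGW_ROUTE_TABLES = {
    "spoke": {"0.0.0.0/0": SERVICE_VPC},
    "service": {"10.1.0.0/16": "spoke-a", "10.2.0.0/16": "spoke-b"},
}

# Same design with a propagated direct spoke-to-spoke route: a bypass.
MISCONFIGURED_TGW_ROUTE_TABLES = {
    "spoke": {"0.0.0.0/0": SERVICE_VPC, "10.2.0.0/16": "spoke-b"},
    "service": {"10.1.0.0/16": "spoke-a", "10.2.0.0/16": "spoke-b"},
}


def lookup(table, dst):
    """Longest-prefix match of dst against a {prefix: next_hop} table."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop in table.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def vpc_for(dst):
    """Name of the spoke VPC owning dst, or None for non-VPC (internet) addresses."""
    addr = ip_address(dst)
    for name, cidr in SPOKES.items():
        if addr in ip_network(cidr):
            return name
    return None


def trace(src_vpc, dst, tgw_tables=TGW_ROUTE_TABLES, spoke_tables=SPOKE_ROUTE_TABLES):
    """Return the ordered list of hops a packet from src_vpc to dst traverses."""
    path = [src_vpc]
    hop = lookup(spoke_tables[src_vpc], dst)
    if hop == "local":
        return path  # intra-VPC traffic never leaves the spoke
    if hop != "tgw":
        raise ValueError(f"{src_vpc} has no route to {dst}")
    path.append("tgw")
    hop = lookup(tgw_tables["spoke"], dst)
    path.append(hop)
    if hop != SERVICE_VPC:
        return path  # delivered directly: inspection was bypassed
    if vpc_for(dst) is None:
        path.append("internet")  # egress: gateway NATs or proxies outbound
        return path
    path.append("tgw")  # east-west: gateway hands traffic back to the TGW
    path.append(lookup(tgw_tables["service"], dst))
    return path


def inspected(path):
    """True if the path passed through the Service VPC."""
    return SERVICE_VPC in path


def audit(tgw_tables=TGW_ROUTE_TABLES, spoke_tables=SPOKE_ROUTE_TABLES):
    """Return (src, dst, path) for every flow that does not cross the Service VPC."""
    bypasses = []
    for src in spoke_tables:
        targets = [str(ip_network(c)[10]) for v, c in SPOKES.items() if v != src]
        targets.append(INTERNET_TEST_IP)
        for dst in targets:
            path = trace(src, dst, tgw_tables, spoke_tables)
            if not inspected(path):
                bypasses.append((src, dst, path))
    return bypasses


if __name__ == "__main__":
    print("east-west:", trace("spoke-a", "10.2.0.10"))
    print("egress:   ", trace("spoke-a", INTERNET_TEST_IP))
    print("bypasses (correct):     ", audit())
    print("bypasses (misconfigured):", audit(MISCONFIGURED_TGW_ROUTE_TABLES))
```

With the correct tables, `audit()` returns no bypasses; with the misconfigured spoke table, the more specific `10.2.0.0/16` route wins over the default and the spoke-a to spoke-b path skips the Service VPC, which is exactly the condition a defender should check after any route propagation change on the Transit Gateway.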
The diagram shows both an Ingress Gateway and an Egress+East-West Gateway. Users can choose to deploy the Ingress and Egress+East-West Gateways in the same VPC. If protection is needed for Egress/East-West only, the Ingress Gateway is not required.