Skip to content

Valtix Documentation

Reference Architecture - AWS Centralized Egress / East-West

Valtix Documentation

Valtix Home
Documentation
Documentation
- Solution Overview
- Getting Started
  Getting Started
  - Easy Setup
  - AWS
    AWS
    
    Overview
    
    Account Onboarding
    
    Tech Notes
    Tech Notes
    
    IAM Roles
    
    Discovery Features
    
    VPC Setup
  - Azure
    Azure
    
    Overview
    
    AD Application
    
    Custom Role
    
    Marketplace Terms
    
    User Assigned Identity
    
    Account Onboarding
    
    VNet Setup
  - GCP
    GCP
    
    Overview
    
    Enable API
    
    Service Accounts
    
    Account Onboarding
    
    VPC Setup
  - OCI
    OCI
    
    Overview
    
    Setup Tenant
    
    Onboard Account
- Discovery
  Discovery
  - Overview
  - Enable Inventory
  - Discovered Assets
  - Security Insights
  - Rules and Findings
  - Enable DNS Logs
    Enable DNS Logs
    
    AWS
    
    Azure
    
    GCP
  - Enable VPC Flow Logs
    Enable VPC Flow Logs
    
    AWS
    
    Azure
    
    GCP
- Security Gateways
  Security Gateways
  - Overview
  - AWS
    AWS
    
    Service VPCs
    Service VPCs
    
    Manage Service VPCs
    
    Manage Spoke VPCs
    
    Ingress
    
    Egress / East-West
  - Azure
    Azure
    
    Service VNet
    Service VNet
    
    Manage Service VNets
    
    Manage Spoke VNets
    
    Ingress
    
    Egress / East-West
  - GCP
    GCP
    
    Service VPC
    Service VPC
    
    Manage Service VPCs
    
    Manage Spoke VPCs
    
    Ingress
    
    Egress / East-West
  - OCI
    OCI
    
    Ingress
    
    Egress / East-West
  - Upgrade
- Security Policy
  Security Policy
  - Ruleset
  - Rules
- Addresses & Services
  Addresses & Services
- TLS and Decryption
  TLS and Decryption
  - Certificates & Keys
  - Decryption
  - Tech Notes
    Tech Notes
    
    Azure Key Vault
    
    AWS KMS
    
    Self-Signed Certificates
- Network Threats
  Network Threats
- WAF and Application Threats
  WAF and Application Threats
  - WAF (Web Application Firewall)
  - L7 DoS (L7 Denial of Service)
- FQDN and URL Filtering
  FQDN and URL Filtering
  - FQDN
  - URL
  - Categories
- Packet Capture
  Packet Capture
  - Packet Capture
- Investigate & Analysis
  Investigate & Analysis
  - Flow Analytics
    Flow Analytics
    
    Overview
    
    Traffic Summary
    
    All Events
    
    Flow Logs
    
    Firewall Events
    
    Network Threats
    
    Web Attacks
    
    URL Filtering
    
    FQDN Filtering
    
    HTTPS Logs
  - Network Analytics
    Network Analytics
    
    Stats
  - System Status
    System Status
    
    Audit Logs
    
    System Logs
- Log Forwarding
  Log Forwarding
  - Overview
    Overview
    
    Events and Logs
    
    Discovery Logs
  - Destinations / SIEMs
    Destinations / SIEMs
    
    AWS S3 Bucket
    
    Datadog
    
    GCP Logging
    
    Microsoft Sentinel
    
    Splunk
    
    Sumo Logic
    
    Syslog
- Reports
  Reports
  - Reports
- Administration
  Administration
  - Users
    Users
    
    Overview
    
    Multi-Factor Authentication (MFA)
    
    Single Sign-On (SSO)
    Single Sign-On (SSO)
    
    Azure AD (SAML)
    
    Okta (SAML)
    
    OneLogin (SAML)
  - Roles
  - Account
- Alerting
  Alerting
  - Overview
  - Destinations / SIEMs
    Destinations / SIEMs
    
    Microsoft Sentinel
    
    Pagerduty
    
    ServiceNow
    
    Slack
- Terraform
  Terraform
  - Terraform
Tutorials
Tutorials
- Overview
- AWS
  AWS
  - Workshop
    Workshop
    
    Introduction
    
    Workshop Breakdown
    
    Prerequisites
    
    Lab
    Lab
    
    Lab 1: Discover
    
    Lab 2: Deploy
    
    Lab 3: Defend
    
    Clean Up
    
    Conclusion
  - Advanced Network Setup
    Advanced Network Setup
    
    Egress & East-West
    Egress & East-West
    
    Discover
    Discover
    
    Step 1: AWS Setup
    
    Step 2: Add AWS Account
    
    Step 3: Discovery
    
    Deploy
    Deploy
    
    Step 1: Deploy Service VPC
    
    Step 2: Deploy Valtix Gateway
    
    Step 3: Protect Spoke VPCs
    
    Defend
    Defend
    
    Step 1: Policy Rule
    Step 1: Policy Rule
    
    Forward Proxy
    
    Forwarding
    
    Step 2: Security Profiles
    Step 2: Security Profiles
    
    IPS
    
    FQDN-Filtering
    
    Data Loss Prevention
    
    Ingress
    Ingress
    
    Discover
    Discover
    
    Step 1: AWS Setup
    
    Step 2: Add AWS Account
    
    Step 3: Discovery
    
    Deploy
    Deploy
    
    Step 1: Deploy Service VPC
    
    Step 2: Deploy Valtix Gateway
    
    Step 3: Protect Spoke VPCs
    
    Defend
    Defend
    
    Step 1: Policy Rule
    
    Step 2: Security Profiles
    Step 2: Security Profiles
    
    IPS
    
    WAF
- GCP
  GCP
  - Workshop
    Workshop
    
    Introduction
    
    Workshop Breakdown
    
    Prerequisites
    
    Lab
    Lab
    
    Lab 1: Discover
    
    Lab 2: Deploy
    
    Lab 3: Defend
    
    Clean Up
    
    Conclusion
Reference Architecture
Reference Architecture
- Overview
- AWS
  AWS
  - Centralized
    Centralized
    
    Ingress
    
    Egress / East-West
    
    Subnet Segmentation
    
    Egress / East-West (NAT Gateway)
    
    GWLB-based Ingress / Egress
- Azure
  Azure
  - Centralized
    Centralized
    
    Ingress
    
    Egress / East-West
- GCP
  GCP
  - Centralized
    Centralized
    
    Combined
- OCI
  OCI
  - Centralized
    Centralized
    
    Ingress
    
    Egress / East-West
FAQ
FAQ
- FAQ
Releases
Releases
- Overview
  Overview
- Supported Releases
  Supported Releases
  - Controller / UI
    Controller / UI
    
    23.02 - February 15, 2023
  - Gateways
    Gateways
    
    23.02-03 - March 7, 2023
    
    22.12-09 - March 24, 2023
    
    22.10-10 - March 7, 2023
    
    22.08-05 - January 4, 2023
  - Terraform Provider
    Terraform Provider
    
    23.2.1 - February 17, 2023
    
    22.12.2 - December 29, 2022
    
    22.10.2 - December 6, 2022
    
    22.9.1 - October 6, 2022
    
    22.8.1 - September 10, 2022
- End-of-Support Releases
  End-of-Support Releases
  - Gateways
    Gateways
    
    22.06 - November 8, 2022
    
    22.09 - October 17, 2022
    
    22.04 - September 3, 2022
  - Terraform Provider
    Terraform Provider
    
    22.7 - August 10, 2022
    
    22.6 - July 6, 2022
- End-of-Life Releases
  End-of-Life Releases
  - Controller / UI
    Controller / UI
    
    22.12 - December 15, 2022
    
    22.10 - November 7, 2022
    
    22.09 - October 6, 2022
    
    22.08 - September 7, 2022
    
    22.07 - August 7, 2022
    
    22.06 - July 6, 2022
    
    22.05 - June 2, 2022
    
    22.04 - May 5, 2022
    
    22.03 - March 31, 2022
    
    22.02 - March 2, 2022
    
    22.01 - January 31, 2022
    
    2.11 - December 26, 2021
  - Gateways
    Gateways
    
    22.02 - April 22, 2022
    
    2.11 - July 25, 2022
  - Terraform Provider
    Terraform Provider
    
    22.5 - June 6, 2022
    
    22.4 - May 13, 2022
    
    22.3 - March 31, 2022
    
    22.1 - February 7, 2022
  - 2.10 - 2021-10-21
    2.10 - 2021-10-21
    
    Features and Changes
    
    Controller / UI
    
    Gateway
    
    Terraform Provider
  - 2.9 - 2021-08-25
    2.9 - 2021-08-25
    
    Features and Changes
    
    Controller / UI
    
    Gateway
    
    Terraform Provider
  - 2.8 - 2021-06-08
  - 2.7 - 2021-03-29
  - 2.6 - 2021-02-08
  - 2.5 - 2020-11-10
  - 2.4 - 2020-09-03
  - 2.2 - 2020-06-23
  - 2.1 - 2020-06-05
  - 2.0 - 2020-04-17
  - 1.2 - 2020-01-23
  - 1.1 - 2019-11-05
Support
Support
- Overview

AWS Centralized Egress / East-West¶

In a centralized Egress / East-West deployment, a Service VPC will be used as a centralized security hub to connect all spoke VPCs and route traffic using an AWS Transit Gateway (TGW). Valtix will orchestrate the deployment of the Service VPC and attach the Service VPC to an existing or new TGW (orchestrated by Valtix). The Service VPC will use an AWS Gateway Load Balancer (GWLB). The GWLB will load balance the traffic across one or more Valtix Gateway instances deployed to accommodate protection. The Valtix Gateway will operate in Forwarding or Forward Proxy to inspect and protect southbound and east-west traffic.

Valtix_Egress

Note

The diagram shows both Ingress Gateway and Egress / East-West Gateway. User can choose to deploy Ingress and Egress+East-West Gateway in the same VPC. If protection is for Egress/East-West only, Ingress Gateway is not needed.