Lab 2: Deploy
In Lab 1, enabling Valtix’s discovery features provided an inventory of the account and showed what types of traffic were in the network. In a single click, you can see whether any instances are potentially connecting to malicious destinations. In this lab, we will secure the network by deploying a Service VPC with a Valtix Gateway in a hub-and-spoke model. Below is what we will achieve after this lab.
- Navigate to Getting Started -> Easy Setup -> Service VPC.
- Fill in all the information:
| Field | Value |
|---|---|
| Name | Provide a name for the Service VPC. |
| CSP Account | Select the account that was onboarded in Lab 1. |
| Region | Select the region where you deployed your CFT. |
| CIDR Block | Provide any /16 subnet. Example: 10.100.0.0/16 |
| Availability Zones | Select any one zone. |
| Transit Gateway | Select “create-new”. |
| Transit Gateway Name | Provide a name for the Transit Gateway. Example: valtix-workshop-tgw. |
| Auto Accept shared attachments | Leave it unchecked. |
- Click on “Save & Continue”. This process may take 5 minutes. During this time, please do not navigate to a different link.
- After the Service VPC deployment completes, you should be taken to the Create Gateway page, where Valtix will orchestrate the deployment of the Valtix Gateway in the Service VPC that was created.
- Fill in the information to create Valtix Gateway:
| Field | Value |
|---|---|
| Account | Select the account that was onboarded in Lab 1. |
| Service VPC | Select the Service VPC that was created in step 4. |
| Valtix Gateways | Check only “East-West & Egress”. |
| East-West & Egress Gateway Name | Provide a name for the East-West & Egress Gateway. Example: aws-workshop-gw. |
| East-West & Egress Gateway Policy Ruleset | Leave it as default, which is valtix-sample-egress-policy-ruleset. |
| Gateway IAM Role Name | This value is from the CFT Outputs; use the value of "ValtixFirewallRoleName" (e.g., valtix-firewall-role). |
| SSH Key Pair | Select any SSH key pair that you want to use. |
- Click “Save & Continue”
- You will land on the Inventory page. Click on VPCs/VNets.
- A list of all the VPCs in your account is shown here. This table indicates whether each VPC is secured by Valtix. Find the spoke VPC that was deployed in the prerequisite section.
- Click the Secure button and select the Service VPC that was created in step 3.
- Log in to the AWS console and find the Route Table of the spoke VPC. Change the route 0.0.0.0/0 to point to the Transit Gateway that was created.
Note: After changing the default route, you may lose your connection to the EC2 instance. To avoid being disconnected, add a route from your public IP to the Internet Gateway for the VPC.
- Navigate to Manage -> Gateways -> Service VPCs
- Verify that the Service VPC exists in the table. Check that the status is ACTIVE.
- Navigate to Manage -> Gateways -> Gateways.
- Check that the Gateway is shown in the table and that its status is ACTIVE.
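The spoke route table change made earlier can also be checked offline: the default route must target the Transit Gateway, and the only Internet Gateway route should be the one for your own public IP. The following is an added example, not part of the original lab or Valtix tooling; it audits JSON in the shape returned by `aws ec2 describe-route-tables`. The function name and every ID and address in the sample are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-route-tables` output.
# Every ID and address here is a placeholder, not a value from the lab.
SAMPLE = json.loads("""
{"RouteTables": [{"RouteTableId": "rtb-0example", "Routes": [
  {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
  {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-0example", "State": "active"},
  {"DestinationCidrBlock": "203.0.113.10/32", "GatewayId": "igw-0example", "State": "active"},
  {"DestinationCidrBlock": "198.51.100.0/24", "GatewayId": "igw-0example", "State": "active"}
]}]}
""")


def audit_route_table(table, tgw_id, admin_ips=()):
    """Return findings for one route table; an empty list means it is clean."""
    allowed = {ipaddress.ip_network(ip, strict=False) for ip in admin_ips}
    findings = []
    default_target = "nothing"
    for route in table.get("Routes", []):
        cidr = route.get("DestinationCidrBlock")
        if cidr is None:
            continue  # IPv6 and prefix-list routes are not checked here
        dest = ipaddress.ip_network(cidr, strict=False)
        gateway = route.get("GatewayId", "")
        if dest.prefixlen == 0:
            default_target = route.get("TransitGatewayId") or gateway or "unknown"
            if route.get("State") != "active":
                default_target += " (not active)"
        elif gateway.startswith("igw-") and dest not in allowed:
            # Any other Internet Gateway route leaves without inspection.
            findings.append(f"{cidr} bypasses the gateway via {gateway}")
    if default_target != tgw_id:
        findings.append(f"0.0.0.0/0 targets {default_target}, expected {tgw_id}")
    return findings


if __name__ == "__main__":
    table = SAMPLE["RouteTables"][0]
    for finding in audit_route_table(table, "tgw-0example", ["203.0.113.10"]):
        print(finding)
```

On the constructed sample, the /24 route to the Internet Gateway is reported, while the /32 route for the listed admin address is accepted.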
From the EC2 instance, generate traffic to Google and Facebook.

    curl http://www.google.com
    curl http://www.facebook.com

Navigate to Investigate -> Flow Analytics -> Traffic Summary. This gives an overview of traffic inspected by Valtix Gateway.
- Click on Logs. You should see your sessions to Google and Facebook in the Logs table.