HTTP Proxy Policy Rule

The final step in building the security posture is to add a rule to the policy rule set that uses the HTTP service created in the previous section. The policy rule specifies which source address objects are allowed or denied access to the service. Other security profiles (such as IPS and WAF) can also be attached to a rule; these are covered later in the tutorials.

  1. Click Manage -> Security Policies -> Rules
  2. Find the ruleset name that's associated with the Egress Gateway
  3. Click the rule set name
  4. There is already a rule here to allow the health check traffic from the load balancer on port 65534 (this port number was specified during the gateway creation)
  5. Click Create to create a new rule
  6. A new rule editor opens in the slide-over panel on the right
  7. Add a name to the rule (e.g. any-egress-http)
  8. In the Type dropdown select Forward Proxy
  9. In the Service dropdown select egress-proxy-http (or the name you gave the HTTP service when you created it)
  10. In the Source dropdown select any (later sections show how to restrict the Source by defining source address objects with cloud-native attributes such as VM tags)
  11. Destination is hard-coded to any, because the gateway acts as a proxy and Valtix transparently changes the destination to the Gateway
  12. In the Action select Allow Log. This allows the Gateway to accept the traffic and log the flows, which can then be checked in the Investigate section of the Valtix Dashboard
  13. Leave all the profiles empty; the rules will be enhanced to use these profiles later in the tutorial
  14. Click Add
  15. You can create more rules if required. In this section of the tutorial you will not add any more rules
  16. Click Save to save all the rules and click Yes in the confirmation
  17. It takes a few seconds to save the policy. Once the rule set is saved, the Gateway instances pull the ruleset from the controller during the regular message exchange process

Tech Notes

If you are not using GWLB, check the Internal Load Balancer in the AWS console. It should have a listener on port 80 and a target group with the Valtix Gateway EC2 instances as the targets.
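The same check can be scripted against the output of `aws elbv2 describe-listeners` and `aws elbv2 describe-target-health`. The following is an added example, not part of the Valtix documentation: it validates that the ILB has a port 80 listener forwarding to a target group whose targets are EC2 instances health-checked on port 65534 (the port chosen during gateway creation). The JSON below is constructed sample output with made-up ARNs and instance IDs; in practice you would feed in the real CLI output.

```python
import json

# Constructed sample output shaped like `aws elbv2 describe-listeners`
# (hypothetical account, ARNs and names).
LISTENERS_JSON = """{
  "Listeners": [{
    "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/net/valtix-ilb/abc123/def456",
    "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/net/valtix-ilb/abc123",
    "Port": 80,
    "Protocol": "TCP",
    "DefaultActions": [{"Type": "forward",
      "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/valtix-gw-tg/0123456789abcdef"}]
  }]
}"""

# Constructed sample output shaped like `aws elbv2 describe-target-health`
# for that target group (hypothetical instance IDs); one target is unhealthy on purpose.
TARGET_HEALTH_JSON = """{
  "TargetHealthDescriptions": [
    {"Target": {"Id": "i-0aaa111bbb222ccc3", "Port": 80},
     "HealthCheckPort": "65534", "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "i-0ddd444eee555fff6", "Port": 80},
     "HealthCheckPort": "65534", "TargetHealth": {"State": "unhealthy", "Reason": "Target.FailedHealthChecks"}}
  ]
}"""

def check_ilb(listeners_json, target_health_json, service_port=80, health_port=65534):
    """Return a list of findings; an empty list means the ILB matches the tutorial's expectations."""
    findings = []
    listeners = json.loads(listeners_json)["Listeners"]
    on_port = [l for l in listeners if l["Port"] == service_port]
    if not on_port:
        findings.append(f"no listener on port {service_port}")
        return findings  # nothing else to check without the listener
    forwards = [a for l in on_port for a in l["DefaultActions"] if a["Type"] == "forward"]
    if not forwards:
        findings.append(f"port {service_port} listener does not forward to a target group")
    targets = json.loads(target_health_json)["TargetHealthDescriptions"]
    if not targets:
        findings.append("target group has no registered targets")
    for t in targets:
        tid = t["Target"]["Id"]
        if not tid.startswith("i-"):  # gateway targets must be EC2 instances, not IPs
            findings.append(f"target {tid} is not an EC2 instance")
        if t["HealthCheckPort"] != str(health_port):  # CLI reports this field as a string
            findings.append(f"target {tid} health check port is {t['HealthCheckPort']}, expected {health_port}")
        if t["TargetHealth"]["State"] != "healthy":
            findings.append(f"target {tid} is {t['TargetHealth']['State']}")
    return findings

if __name__ == "__main__":
    for line in check_ilb(LISTENERS_JSON, TARGET_HEALTH_JSON) or ["ILB looks correct"]:
        print(line)
```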