Valtix Gateway is deployed in a Service VPC. The Service VPC is created and managed by Valtix. The Spoke VPCs where your applications/instances reside are attached to the Service VPC using AWS Transit Gateway.
In the above picture, all the resources orchestrated by Valtix are shown in green. As an administrator, you are responsible to set the Spoke VPC destination toward the Transit Gateway.
List of Steps¶
- Setup/Prepare your AWS account by adding IAM roles allowing the Valtix Controller to manage resources in your account
- Onboard your AWS account to the Valtix Controller
- Optional Enable Inventory Discovery to view all cloud resources in your account
- Create the Service VPC in your AWS account using the Valtix Controller
- Add an Egress Valtix Gateway
- AWS supports Gateway Load Balancer (GWLB) in some regions. If your selected Region is supported select this option. Note: The Egress Valtix Gateway operates without GWLB in Proxy mode only.
- Add your Spoke VPCs as Protected VPCs on the Valtix Gateway
- Add a Service Object
- Valtix Gateway can be used as a Forward Proxy with deep packet inspection or in plain Forwarding mode
- This tutorial covers both the scenarios
- Add Source address objects
- We will start with any source
- Add source address objects using Tags and other dynamic types to control the egress traffic
- Add a rule in the Policy Ruleset.
- Configure FQDN filtering
- If the service is setup as Forward Proxy:
- You can enable Deep Packet Inspection and Data Loss Prevention to secure data exfiltration
- A certificate must be installed on the Valtix Gateway which is used to sign the certificates from the destination hosts
- The certificate must be installed on the source instances as a trusted root certificate
- An intermediate certificate with a chain can be used for this purposes
- Check the Traffic Summary and Logs
This tutorial assumes that you have permissions to create new VPCs and EC2 instances. This will ensure that you will not disrupt existing configuratiions.