
Protect VPCs in Hub Mode

When a Gateway is added in Hub Mode that uses AWS Transit Gateway, Valtix can orchestrate the Transit Gateway and the Services VPC. It can also create Attachments for the Spoke VPCs and manage the Transit Gateway route tables. This is a fully managed Transit Gateway solution that makes it easy to use a Services VPC for centralized security.

Tech Notes

Wait for the Gateway to become Active before proceeding with the following steps.

Add Spoke VPCs

  1. Navigate to Manage -> Gateways
  2. On the Valtix Gateway menu (Hamburger menu to left of Gateway name), select Protected VPCs
  3. For the Spoke VPCs in the current account where the Transit Gateway is created, add the VPCs under the Current Account VPCs to Protect table
  4. Select the VPC from the dropdown; you cannot change the account or the region in this table. Click Add to add more VPCs (e.g. spoke1-vpc and spoke2-vpc)
  5. For the Spoke VPCs in the other accounts, add those under External Account VPCs to Protect table (The accounts must be added to the Valtix Controller prior to adding the VPCs. Please check the Add Cloud Account section on how to add a new Cloud account to the Valtix Controller)
    1. Select the account, region and the VPCs in that region
    2. Valtix sets up automatic acceptance of the attachment invitations. So you don't need to do any manual steps to accept the attachments
  6. Click Save
  7. Once the Attachments are added, go to your Spoke VPCs and add routes in the subnet route tables of the Spoke VPCs to send traffic to the Transit Gateway. (The Attachments take a minute or two to complete, so wait a few minutes before changing the routes on the Spoke VPCs)
  8. The routes must be defined as follows:
    • For Egress: 0.0.0.0/0 with next-hop the Transit Gateway used while creating the Egress Valtix Gateway

Tech Notes

When enabling Protected VPCs, Valtix Controller orchestrates the following:

  • Creates Transit Gateway VPC Attachment for each of the Spoke VPCs
  • Adds a Transit Gateway route table for each of the Attachments and associates it with that Attachment
  • Adds a default route in the TGW route table (associated with the Spoke VPC) to go to the Service VPC Attachment (and thus to the Service VPC)
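The following is an added audit example, not code from the page or from Valtix, that checks the two conditions above from the operator's side: that every Spoke VPC attachment is already "available" before the spoke route tables are touched, that each spoke subnet route table sends 0.0.0.0/0 to the Egress Transit Gateway, and that a spoke's TGW route table has its default route pointing at the Services VPC attachment. The input dicts are constructed here in the shape boto3 returns from describe_transit_gateway_attachments, describe_route_tables and search_transit_gateway_routes; all resource ids are placeholders.

```python
# Constructed sample data in the shape returned by boto3 (ids are placeholders,
# not real resources). Feed live describe_* output to the same functions.
EGRESS_TGW = "tgw-EXAMPLE"
SERVICES_ATTACHMENT = "tgw-attach-SERVICES"
SPOKES = {"vpc-SPOKE1", "vpc-SPOKE2"}

TGW_ATTACHMENTS = [
    {"TransitGatewayAttachmentId": "tgw-attach-S1", "ResourceType": "vpc",
     "ResourceId": "vpc-SPOKE1", "State": "available"},
    {"TransitGatewayAttachmentId": "tgw-attach-S2", "ResourceType": "vpc",
     "ResourceId": "vpc-SPOKE2", "State": "pending"},  # still being created
]
SPOKE_SUBNET_ROUTE_TABLES = [
    {"RouteTableId": "rtb-S1", "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": EGRESS_TGW, "State": "active"}]},
    {"RouteTableId": "rtb-S2", "Routes": [
        {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local", "State": "active"},
        # default route still via an internet gateway: traffic bypasses the hub
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-OLD", "State": "active"}]},
]
SPOKE1_TGW_ROUTES = [
    {"DestinationCidrBlock": "0.0.0.0/0", "State": "active", "Type": "static",
     "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": SERVICES_ATTACHMENT,
                                    "ResourceType": "vpc", "ResourceId": "vpc-SERVICES"}]},
]


def pending_attachments(attachments, spoke_vpc_ids):
    """Spoke VPCs whose TGW attachment is not yet 'available'; wait until empty."""
    state = {a["ResourceId"]: a["State"] for a in attachments if a["ResourceType"] == "vpc"}
    return sorted(v for v in spoke_vpc_ids if state.get(v) != "available")


def tables_missing_egress_route(route_tables, tgw_id):
    """Spoke subnet route tables without an active 0.0.0.0/0 -> egress TGW route."""
    def via_tgw(rt):
        return any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State") == "active"
                   and r.get("TransitGatewayId") == tgw_id for r in rt["Routes"])
    return [rt["RouteTableId"] for rt in route_tables if not via_tgw(rt)]


def default_goes_to_services(tgw_routes, services_attachment_id):
    """True if the spoke's TGW route table sends 0.0.0.0/0 to the Services VPC attachment."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State") == "active"
               and any(a["TransitGatewayAttachmentId"] == services_attachment_id
                       for a in r.get("TransitGatewayAttachments", []))
               for r in tgw_routes)


if __name__ == "__main__":
    print("attachments still pending:", pending_attachments(TGW_ATTACHMENTS, SPOKES))
    print("spoke tables not using the hub:", tables_missing_egress_route(SPOKE_SUBNET_ROUTE_TABLES, EGRESS_TGW))
    print("spoke1 TGW default -> services:", default_goes_to_services(SPOKE1_TGW_ROUTES, SERVICES_ATTACHMENT))
```

A non-empty result from the first two functions means a spoke is either not yet attached or still egressing around the Services VPC, which is the state to catch before declaring the hub protected.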

Here is a sample routing setup after attaching two (2) Spoke VPCs:

[Figure: egress-hub-routes]

The next section explains the Spoke VPC routing in detail.