AWS Service VPC

For the Centralized (hub) mode deployment using AWS Transit Gateway, the Valtix Gateway is deployed in a new VPC. This VPC is called the Services or Security VPC. The Services VPC and the application (Spoke) VPCs are connected to the AWS Transit Gateway in a Hub-Spoke model, as shown in the diagram below.

[Figure: tgw (Hub-Spoke topology with the Services VPC and Spoke VPCs attached to the Transit Gateway)]

Valtix orchestrates the creation of the Services/Security VPC, creates (or reuses) an AWS Transit Gateway (TGW), and attaches the Spoke VPCs and the Services VPC to the Transit Gateway. It also updates the routing between the Services VPC and the Spoke VPCs. Customers need to change the route tables associated with the subnets in the Spoke VPCs to add a default route with the Transit Gateway as its destination.

Tech Notes

Route tables inside Spoke VPCs are intentionally left untouched by the orchestration, since they are often under the control of teams other than the Cloud NetSec team.

Create a Service VPC

  1. Click Manage -> Service VPCs
  2. Click Create VPC
  3. Provide a name for the Service VPC (e.g. valtix-egress-svpc1)
  4. Select the AWS account
  5. Select the Region where the Service VPC needs to be created (e.g. us-east-1)
  6. Provide a CIDR block with a mask between /25 (minimum) and /16 (maximum). Make sure it does not overlap with any of the Spoke VPC CIDRs that you plan to attach to the Transit Gateway (e.g. 172.16.0.0/16)
  7. Select the Availability Zones. It is recommended to select at least two (2) AZs for HA purposes (e.g. us-east-1a and us-east-1b)
  8. Select a Transit Gateway or create a new one. You can reuse an existing Transit Gateway for all kinds of security types
  9. Select Auto accept shared attachments if you plan to share the Transit Gateway across multiple AWS accounts
  10. Click Save to create the Service VPC
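Two of the steps above are easy to get wrong by hand: the CIDR in step 6 must fit the /25 to /16 bounds and must not overlap any Spoke VPC CIDR, and the Spoke VPC route tables (which the orchestration deliberately does not touch) each need a default route to the Transit Gateway. The script below is an added example, not Valtix code or part of the product, that pre-checks a candidate Service VPC CIDR against the Spoke CIDRs and builds the aws-cli `create-route` commands for the Spoke route tables, reporting any table that already carries a conflicting 0.0.0.0/0 route instead of overwriting it. All CIDRs, route table ids and the TGW id are constructed sample values.

```python
"""Pre-flight checks for a Service VPC deployment (added example, not product code).

  1. The Service VPC CIDR must be IPv4, sized between /25 and /16, and must not
     overlap any Spoke VPC CIDR that will be attached to the Transit Gateway.
  2. Every Spoke VPC route table needs a 0.0.0.0/0 route to the TGW; tables that
     already have a different default route are reported as conflicts so that
     an existing egress path (e.g. an Internet Gateway) is never replaced blindly.
All sample values below are constructed for illustration.
"""
import ipaddress

MIN_PREFIX = 16  # /16 is the largest block the procedure allows
MAX_PREFIX = 25  # /25 is the smallest block the procedure allows


def validate_service_vpc_cidr(cidr, spoke_cidrs):
    """Return a list of problems; an empty list means the CIDR is acceptable."""
    problems = []
    try:
        svc = ipaddress.ip_network(cidr, strict=True)  # reject host bits set
    except ValueError as exc:
        return [f"invalid CIDR {cidr!r}: {exc}"]
    if svc.version != 4:
        return [f"{cidr} is not an IPv4 block"]
    if not MIN_PREFIX <= svc.prefixlen <= MAX_PREFIX:
        problems.append(
            f"{svc} mask /{svc.prefixlen} is outside /{MAX_PREFIX} .. /{MIN_PREFIX}"
        )
    for spoke in spoke_cidrs:
        net = ipaddress.ip_network(spoke, strict=False)
        if svc.overlaps(net):
            problems.append(f"{svc} overlaps spoke VPC CIDR {net}")
    return problems


def plan_spoke_default_routes(route_tables, tgw_id):
    """Build aws-cli commands adding 0.0.0.0/0 -> TGW to each spoke route table.

    route_tables maps a route table id to a list of (destination, target) pairs
    it already contains. Returns (commands, conflicts).
    """
    commands, conflicts = [], []
    for rtb_id, routes in sorted(route_tables.items()):
        existing = dict(routes)
        default = existing.get("0.0.0.0/0")
        if default == tgw_id:
            continue  # already points at the TGW, nothing to do
        if default is not None:
            conflicts.append(
                f"{rtb_id}: 0.0.0.0/0 already points at {default}; "
                f"review before using replace-route instead of create-route"
            )
            continue
        commands.append(
            f"aws ec2 create-route --route-table-id {rtb_id} "
            f"--destination-cidr-block 0.0.0.0/0 --transit-gateway-id {tgw_id}"
        )
    return commands, conflicts


# Constructed sample inventory: two spoke VPCs, one of them with a public subnet
# that still defaults to an Internet Gateway and one already routed to the TGW.
SAMPLE_TGW_ID = "tgw-0123456789abcdef0"
SAMPLE_SPOKE_CIDRS = ["10.0.0.0/16", "10.1.0.0/16"]
SAMPLE_SPOKE_ROUTE_TABLES = {
    "rtb-spoke1-private": [("10.0.0.0/16", "local")],
    "rtb-spoke1-public": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0000000000000001")],
    "rtb-spoke2-private": [("10.1.0.0/16", "local"), ("0.0.0.0/0", SAMPLE_TGW_ID)],
}

if __name__ == "__main__":
    for candidate in ("172.16.0.0/16", "10.0.128.0/25", "10.50.0.0/26"):
        issues = validate_service_vpc_cidr(candidate, SAMPLE_SPOKE_CIDRS)
        print(candidate, "OK" if not issues else "; ".join(issues))
    cmds, conflicts = plan_spoke_default_routes(SAMPLE_SPOKE_ROUTE_TABLES, SAMPLE_TGW_ID)
    print("\n".join(cmds))
    print("\n".join(conflicts))
```

Run the checks before clicking Save, then apply the generated commands with the credentials of the team that owns each Spoke VPC; the conflict list is the set of tables that need a human decision rather than a scripted change.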

Tech Notes

  • Valtix creates the following resources when a Service VPC is created:
    • VPC
    • Four (4) subnets in each AZ
    • One (1) route table for each of the subnets
    • Two (2) security-groups (management and datapath traffic)
  • A separate Service VPC is required for each of the security types (Ingress, Egress and East-West)
  • The Transit Gateway (created/selected during a Service VPC creation) can be reused with other Service VPCs
  • Review the Transit Gateway and note that a new TGW (if create new was selected) is created
  • A Transit Gateway Attachment to the Service VPC is created
  • A Transit Gateway route table is created and associated with the Attachment