Skip to content

Protect Spoke VPCs in Centralized Mode

When a Service VPC is created with a new Transit Gateway or existing Transit Gateway, Valtix takes care of the orchestration of the Transit Gateway and Services VPC. It can also create Attachments for the Spoke VPCs and manage Transit Gateway route tables. This is a fully managed Transit Gateway solution that makes it very easy to use a Services VPC for Centralized security.

For distributed model, this step is not needed. Valtix Gateway will be deployed inside the application VPC.

Tech Notes

  • Wait for the Service VPC be created successfully and state is ACTIVE before proceeding with the following steps
  • Valtix Gateway can be deployed later in Service VPC that you just created

Protect Spoke VPCs

  1. If you don't have any existing VPC, go through Create Spoke VPCs section below before continuing on.
  2. Navigate to Manage -> Service VPCs
  3. Select a Service VPC and click on Manage Spoke VPCs
  4. For the Spoke VPCs in the current account where the transit Gateway is created, add the VPCs under Current Account VPCs to Protect
  5. Select the VPC from the dropdown, you cannot change the account and the region in this table. Click Add to add more VPCs e.g. (spoke1-vpc and spoke2-vpc)
  6. If Spoke VPCs in another AWS accounts, add those under External Account VPCs to Protect table. For this tutorial, both spoke and service VPC will be in the same account. (The accounts must be added to the Valtix Controller prior to adding the VPCs. Please check the Add Cloud Account section on how to add a new Cloud account to the Valtix Controller)
    1. Select the account, region and the VPCs in that region
    2. Valtix sets up automatic acceptance of the attachment invitations. So you don't need to do any manual steps to accept the attachments
  7. Click Save
  8. Once the Attachments are added, go to your Spoke VPCs and add routes in the subnet route tables of the Spoke VPCs to send traffic to the Transit Gateway. (The Attachments would take a minute or two to complete. So wait a few minutes before changing the routes on the Spoke vpcs)
  9. The routes must be defined as follows:
    • For Egress: 0.0.0.0/0 next-hop Transit Gateway used while creating Egress Valtix Gateway
    • Once default route is set to Transit Gateway, you will lose access to the EC2 instance. Set a route to allow login machine through Internet Gateway. If you are logging in from laptop, look for your public IP by searching "What is my ip?" in google and set a route for that ip to use Internet Gateway.

Tech Notes

When enabling Protected VPCs, Valtix Controller orchestrates the following:

  • Creates Transit Gateway VPC Attachment for each of the Spoke VPCs
  • Adds a Transit Gateway route table for each of the Attachments and associate with the Attachments
  • Adds a default route in the TGW route table (associated with the Spoke VPC) to go to the Service VPC Attachment (and thus to the Service VPC)

Here is a sample routing setup after attaching two (2) Spoke VPCs

egress-hub-routes


Create Spoke VPCs

Once the Service VPC is created by the Valtix Controller, create two Spoke VPCs using the AWS console. These two spoke is for demonstration purpose only.

Tech Notes

  • You can start with one (1) spoke VPC
  • Usd the CIDRs in the example below since there will be no communication with your existing VPCs
  1. The AWS account is assumed to have a SSH keypair already available. If not, please create a SSH keypair in your account before running the CloudFormation template. Both spoke1 and spoke2 can share the same SSH keypair for this tutorial
  2. Click this link to launch a Cloud Formation template to create spoke1-vpc
  3. By default the above link opens in us-east-1. Change the region on the AWS console to the same one where you created the Service VPC in the previous section and select the Availability Zones appropriately
  4. Template input value:
    1. Prefix: spoke1
    2. Create Valtix Resources: no
    3. Create Bastion Host: no
    4. VPC CIDR: 10.0.0.0/16
    5. Subnet Bits: 8
    6. Availability Zone 1: us-east-1a
    7. Availability Zone 2: us-east-1b
    8. AMI for App Instance
  5. The template creates the following resources:
    1. VPC, Internet Gateway
    2. App subnet in Zone1 and Zone2
    3. App route tables associated with the above subnets
    4. Bastion subnet and route table
    5. Add default route to IGW in all the route tables (this can be modified later)
    6. EC2 instance in each of the subnets
  6. Click this link to launch a Cloud Formation template to create spoke2-vpc. This is not required and the tutorial can be completed with just one (1) spoke VPC
  7. Make a note of the IP addresses of the app instances from the Output section of the CloudFormation stack. The default user would be centos.
  1. Using the AWS console, select the Region where the Service VPC was created in the previous step
  2. Select the VPC service and create a new VPC with the Name tag spoke1-vpc (or any other name confirming to your org standards)
  3. Enter the CIDR as 10.0.0.0/16
  4. Create an Internet Gateway with Name tag spoke1-igw and attach to the VPC
  5. Create a subnet spoke1-z1-apps in the above VPC with the CIDR as 10.0.0.0/24 in AZ1 (e.g us-east-1a)
  6. Create a route table spoke1-z1-apps1 and associate with the subnet above
  7. Add a route for 0.0.0.0 in the above route table with destination as the Internet Gateway (we will change this later)
  8. Add a security group spoke1-apps and add inbound rules for 0.0.0.0/0 and port 22
  9. Create a subnet spoke1-z2-apps in the above VPC with the CIDR as 10.0.3.0/24 in AZ2 (e.g us-east-1b)
  10. Create a route table spoke1-z2-apps and associate with the subnet above
  11. Add a route for 0.0.0.0 in the above route table with destination as the Internet Gateway (we will change this later)
  12. Launch an Ubuntu 18.04 EC2 instance (spoke1-z1-app) in the spoke1-z1-apps subnet and associate with the security-group spoke1-apps
  13. Launch an Ubuntu 18.04 EC2 instance (spoke1-z2-app) in the spoke1-z2-apps subnet and associate with the security-group spoke1-apps
  14. EC2 instances need a SSH keypair. Either create this before the instance launch or use the one you already have
  15. Choose to assign a Public IP address to the EC2 instance to allow SSH session.
  16. To create spoke2-vpc, repeat the above steps with CIDR as 192.168.0.0/16 and replace spoke1 with spoke2

SSH to the EC2 instances and ensure it works. From the instances, curl http://www.google.com should provide a response.