Deploy Service VPC¶
For the Centralized (hub) mode deployment, Valtix Gateway is deployed in a newly created VPC. This VPC is often refer to as Services or Security VPC. The Services VPC and the application (Spoke) VPCs are connected to the AWS Transit Gateway in a Hub-Spoke model as shown in the below.
Valtix orchestrates the creation of the Services/Security VPC, create (or reuse) AWS Transit Gateway (TGW) and attach the Spoke VPCs and the Services VPC to the Transit Gateway. It updates the routing between the Services VPC and Spoke VPCs. Customers need to change the route tables associated with subnets in the Spoke VPCs to add a default route and set the destination to the Transit Gateway.
Tech Notes
- Routing tables inside Spoke VPCs were intentionally left untouched as part of the orchestration since they are often under the control of teams different from the Cloud NetSec team
- If protection is needed for ingress and egress, deploy 2 Service VPC: ingress VPC and egress VPC. Both Ingress and Egress service VPC can be share the same AWS Transit Gateway
Deploy Service VPC¶
- Click Manage -> Gateways -> Service VPCs
- Click Create VPC button. A new create window will slide out from the right.
-
Enter the following information:
Parameter Description Sample Value Name Name of security VPC used as a reference in Valtix Controller. egress-vpc CSP Account This dropdown menu will allow you to select which account the security VPC will be created. AWS_Tutorial Region The AWS region that the security VPC. This should match the region that inventory discovery was enabled us-east-1 CIDR Block The CIDR for the security VPC. This CIDR needs to be unique to the transit gateway that’s attached. The subnet mask range from /25 to /16. 172.16.0.0/16 Availability Zones It is recommended to select at least two AZs for resiliency. us-east-1a and us-east-1b Transit Gateway Transit Gateway the security VPC will be attached to. User can choose to create a new Transit Gateway or select an existing one. Select create new Transit Gateway Transit Gateway Name This option is only available for new transit gateway. This name will be used when creating Transit Gateway in AWS. Tutorial_TGW Auto accept shared attachments This is required for multi AWS account hub mode gateway deployment. Leave it as default -
Click Save to create the Service VPC
Tech Notes
- Valtix creates the following resources when a Service VPC is created:
- VPC
- Four (4) subnets in each AZ
- One (1) route table for each of the subnets
- Two (2) security-groups (management and datapath traffic)
- The Transit Gateway (created/selected during a Service VPC creation) can be reused with other Service VPCs
- Review the Transit Gateway and note that a new TGW (if create new was selected) is created
- A Transit Gateway Attachment to the Service VPC is created
- A Transit Gateway route table is created and associated with the Attachment
- AWS Gateway Load Balancer (GWLB) does not support add/remove of AZs after initial deployment of a GWLB. You will need to redeploy the Service VPC if you need to change AZs.