
Deploy Valtix Gateway

Valtix Gateway inspects traffic to provide advanced network protection for your assets. The policy rules and service objects define whether traffic is handled in Proxy or Forwarding mode, which we'll look at in the defend phase of discover, deploy, and defend. Here you'll need to decide whether you want to protect ingress traffic or egress and east-west traffic. Gateway deployments and policy constructs are different for ingress and egress, but regardless of flow direction the deployment steps are the same.

Add Gateway

  1. Navigate to Manage -> Gateways
  2. Click Add Gateway
  3. Select the account you previously created
  4. Click Next

    Parameter | Description | Sample Value
    Name | Valtix Gateway name | egress-gw1
    Description | Description of the Gateway | Tutorial
    Instance Type | AWS instance type for the Valtix Gateway | AWS_M5_2XLARGE
    Gateway Type | Auto Scaling | Auto Scaling
    Minimum Instances | Minimum number of instances that you plan to deploy per availability zone | 1
    Maximum Instances | Maximum number of instances that you plan to deploy per availability zone | 3
    HealthCheck Port | Default is 65534 | 65534
    Packet Capture (optional) | Packet capture profile for threat and flow PCAPs | Leave it blank
    Diagnostics (optional) | Diagnostics profile for debugging | Leave it blank
    Log (optional) | Log profile to forward to Splunk or syslog | Leave it blank
  5. Click Next

  6. Provide the following parameters

    Parameter | Description | Sample Value
    Security | Two options: Ingress or East-West & Egress | East-West & Egress
    Gateway Image | Image to be deployed. Choose the latest gateway image | 2.8-01
    Policy Ruleset | Select the policy ruleset to associate with this Gateway. If you don't have a policy ruleset yet, you can create a new one by choosing Create New | Create New
    Region | Select the region this Gateway will be deployed into | us-east-1
    VPC | Select the Service VPC in which the Valtix Gateway is deployed | demo-vpc
    Key Pair | Select the key pair to associate with this Gateway. If the key pair does not exist, follow the instructions to create a new one | select an existing key pair
    IAM Role ARN for Gateway | Select the IAM role to associate with this Gateway. (If the CF template was used to create the IAM roles, this is the value of ValtixGatewayRoleName) | arn:aws:iam::<accountID>:role/valtix-firewall-role
    Mgmt. Security Group | Automatically created as part of the Service VPC and selected here | Leave it as the automated selection
    Datapath Security Group | Automatically created as part of the Service VPC and selected here | Leave it as the automated selection
    EBS Encryption | EBS encryption for the Valtix Gateway | Check and select "AWS managed CMK"
  7. The Instance Details table lets you select which AZ the gateway will be deployed into. You can add more entries to the table if you want the gateway deployed across multiple AZs for resiliency. For the centralized model, if you select the Service VPC created by the Valtix Controller, this table is populated automatically.

  8. Click Next. The review page shows you the details of all the selected parameters. Review the available resources and see information about any AWS limits exceeded.

  9. Click Finish. The Gateway deployment starts and takes approximately 5-7 minutes for the Gateway to become ACTIVE.

Tech Notes

On your AWS console, review the EC2 Instances page and check the Gateway instances that were created. The instances have a Name tag that begins with valtix.

  • Gateway Load Balancer (GWLB), GWLB Endpoint Service and GWLB Endpoints are created
  • The route table (named <prefix>-nat-ingress) in the Service VPC has a default route to the GWLB endpoint

AWS Gateway Load Balancer (GWLB) does not support adding or removing AZs after the initial deployment of a GWLB. You will need to redeploy the Service VPC if you need to change AZs.
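A post-deployment check for the artifacts the Tech Notes describe, added here as an example and not part of Valtix's own tooling: it assumes input dicts shaped like the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-instances` return, and the sample data below is constructed. It confirms that each <prefix>-nat-ingress route table's default route points at a VPC endpoint and that the running valtix-tagged instances per AZ stay within the Minimum/Maximum Instances you configured.

```python
# Added verification helper (not Valtix's own tooling). Input shapes mirror the JSON
# from `aws ec2 describe-route-tables` / `describe-instances`; sample data is constructed.

def tag(resource, key):
    """Return the value of tag `key` on an EC2 resource dict, or None."""
    return next((t["Value"] for t in resource.get("Tags", []) if t["Key"] == key), None)

def nat_ingress_default_route_ok(route_tables):
    """True if every *-nat-ingress route table has exactly one 0.0.0.0/0 route
    and it points at a VPC endpoint (the GWLB endpoint), as the Tech Notes expect."""
    tables = [rt for rt in route_tables if (tag(rt, "Name") or "").endswith("-nat-ingress")]
    if not tables:
        return False
    for rt in tables:
        default = [r for r in rt.get("Routes", []) if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
        if len(default) != 1 or not default[0].get("VpcEndpointId", "").startswith("vpce-"):
            return False
    return True

def gateway_instances_per_az(reservations, min_per_az=1, max_per_az=3):
    """Count running instances whose Name tag begins with 'valtix', per AZ, and
    report whether every AZ's count lies within the configured scaling bounds."""
    counts = {}
    for res in reservations:
        for inst in res.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue
            if not (tag(inst, "Name") or "").startswith("valtix"):
                continue
            az = inst["Placement"]["AvailabilityZone"]
            counts[az] = counts.get(az, 0) + 1
    ok = bool(counts) and all(min_per_az <= n <= max_per_az for n in counts.values())
    return counts, ok

# Constructed sample: one route table, one gateway instance and one unrelated host.
SAMPLE_ROUTE_TABLES = [{
    "RouteTableId": "rtb-0example",
    "Tags": [{"Key": "Name", "Value": "demo-nat-ingress"}],
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "VpcEndpointId": "vpce-0example"},
    ],
}]
SAMPLE_RESERVATIONS = [{"Instances": [
    {"State": {"Name": "running"}, "Placement": {"AvailabilityZone": "us-east-1a"},
     "Tags": [{"Key": "Name", "Value": "valtix-egress-gw1-0"}]},
    {"State": {"Name": "running"}, "Placement": {"AvailabilityZone": "us-east-1a"},
     "Tags": [{"Key": "Name", "Value": "app-server"}]},
]}]
```

Feed the functions the `RouteTables` and `Reservations` arrays from the real CLI output to run the same checks against your account.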