
Lab 2: Deploy

In Lab 1, we enabled the discovery features in Valtix to provide visibility into the inventory of your AWS account and the types of traffic present in the network. With a single click, you can see whether any instances are communicating with potentially malicious hosts. In this lab, we will secure the network by deploying a Service VPC with the Valtix Gateway in a hub-and-spoke model. Below is what we will have achieved after this lab:

(Figure: Centralized VPC - hub-and-spoke topology with the Service VPC)

Procedure

  1. Navigate to Getting Started -> Easy Setup -> Service VPC
  2. Provide the information below:

    | Parameter | Description |
    |---|---|
    | Name | Name for the Service VPC |
    | CSP Account | Select the AWS account onboarded in Lab 1 |
    | Region | Select the region where you deployed your CloudFormation template |
    | CIDR Block | Provide any /16 subnet. Example: 10.100.0.0/16 |
    | Availability Zones | Select any one zone |
    | Transit Gateway | Select "create-new" |
    | Transit Gateway Name | Provide a name for the Transit Gateway. Example: valtix-workshop-tgw |
    | Auto Accept shared attachments | Leave this unchecked |
  3. Click on Save & Continue. This process may take a few minutes. During this time, please do not navigate away from this page.

  4. After the Service VPC deployment completes, you should be taken to the Create Gateway page, where Valtix orchestrates the deployment of the Valtix Gateway into the Service VPC that was just created.
  5. Provide information to create the Valtix Gateway:

    | Parameter | Description |
    |---|---|
    | Account | Select the AWS account that was onboarded in Lab 1 |
    | Service VPC | Select the Service VPC that was created in step 3 |
    | Valtix Gateways | Check "East-West & Egress" only |
    | East-West & Egress Gateway Name | Provide a name for the East-West & Egress Gateway. Example: aws-workshop-gw |
    | East-West & Egress Gateway Policy Ruleset | Leave it as the default, which is valtix-sample-egress-policy-ruleset |
    | Gateway IAM Role Name | The value of ValtixFirewallRoleName from the CFT outputs; by default this is valtix-firewall-role |
    | SSH Key Pair | Select the SSH key pair you wish to use |
  6. Click on Save & Continue

  7. You will be directed to the inventory page. Click on VPCs/VNets.
  8. A list of all the VPCs in your account is shown here. This table indicates whether each VPC is being secured by Valtix. Find the spoke VPC that was deployed in the prerequisite section.
  9. Click on the Secure button and select the Service VPC that was created in step 3.
  10. Log in to the AWS console and find the route table of the spoke VPC. Change the default route (0.0.0.0/0) to point to the Transit Gateway.
    Note: After changing the default route, you may lose your connection to the EC2 instance. To avoid being disconnected, add a route to your own public IP address via the Internet Gateway before changing the default route.
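Step 10 and its note describe a two-route change whose order matters. The script below is an added example, not part of the Valtix workshop or its tooling: it plans the AWS CLI calls (the admin /32 via the Internet Gateway first, then the default route to the Transit Gateway), validates the IDs so a typo cannot blackhole the VPC, and only then applies them. It assumes a configured AWS CLI, that checkip.amazonaws.com is reachable, and that the rtb-/tgw-/igw- IDs shown are placeholders you replace.

```shell
#!/bin/sh
# Added example (not part of the Valtix workshop): re-point a spoke VPC's
# default route at the Transit Gateway without dropping your SSH session.
# Assumes a configured AWS CLI; all resource IDs are placeholders you replace.
set -eu

# Resolve the admin's public IP (assumption: checkip.amazonaws.com is reachable).
detect_admin_ip() {
  curl -s https://checkip.amazonaws.com
}

# Reject malformed inputs before anything is changed: an empty or wrong ID
# would blackhole the VPC, and validated input is what makes eval below safe.
validate_ids() {
  printf '%s' "$1" | grep -Eq '^rtb-[0-9a-f]+$' || return 1
  printf '%s' "$2" | grep -Eq '^tgw-[0-9a-f]+$' || return 1
  printf '%s' "$3" | grep -Eq '^igw-[0-9a-f]+$' || return 1
  printf '%s' "$4" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
}

# Emit the AWS CLI calls in the order they must run. Printing the plan first
# lets you review it (and lets a test check it) before touching the account.
plan_route_changes() {
  rtb="$1"; tgw="$2"; igw="$3"; admin_ip="$4"
  # 1. Add the /32 for your own IP via the Internet Gateway FIRST: the more
  #    specific route wins, so SSH survives when the default route flips.
  echo "aws ec2 create-route --route-table-id $rtb --destination-cidr-block $admin_ip/32 --gateway-id $igw"
  # 2. Now swap 0.0.0.0/0 from the IGW to the Transit Gateway (Valtix hub).
  echo "aws ec2 replace-route --route-table-id $rtb --destination-cidr-block 0.0.0.0/0 --transit-gateway-id $tgw"
}

# Validate, then run each planned command, echoing it as it executes.
apply_route_changes() {
  validate_ids "$@" || { echo "invalid route table / TGW / IGW id or IP" >&2; return 1; }
  plan_route_changes "$@" | while IFS= read -r cmd; do
    echo "+ $cmd"
    eval "$cmd"
  done
}

# Usage (placeholder IDs: the spoke VPC's route table, the TGW created in
# step 2 and the spoke VPC's Internet Gateway):
# apply_route_changes rtb-0123456789abcdef0 tgw-0123456789abcdef0 igw-0123456789abcdef0 "$(detect_admin_ip)"
```

Run `plan_route_changes` on its own first and read the two commands it prints; `apply_route_changes` is the only function that changes anything in the account.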


Verification

  1. Navigate to Manage -> Gateways -> Service VPCs
  2. Verify that the Service VPC exists in the table and that its status is ACTIVE.
  3. Navigate to Manage -> Gateways -> Gateways.
  4. Check that the Gateway is shown in the table and that its status is ACTIVE.
  5. From the EC2 instance, generate traffic to Google and Facebook.

    curl http://www.google.com
    curl http://www.facebook.com
    
  6. Navigate to Investigate -> Flow Analytics -> Traffic Summary. This gives an overview of traffic inspected by Valtix Gateway.

  7. Click on Logs. You should see your sessions to Google and Facebook in the Logs table.