AWS Centralized Egress / East-West Protection
The Valtix Gateway is deployed in a single VPC to protect the outgoing traffic of the applications running inside the VPC. The Gateway acts as a forward proxy. For HTTP traffic, and for TLS traffic that carries the SNI extension, the Valtix Gateway can act as a transparent forward proxy: the applications access the internet without any change on their side. Valtix intercepts the traffic, treats it as proxied traffic, and creates a new session to the internet. For TLS traffic, a trusted root/intermediate certificate must be configured on Valtix and its root certificate installed on all client application instances, so that the certificate the Gateway presents is trusted by the client applications.
- Navigate to Manage -> Gateways -> Gateways
- Click Add Gateway
- Select the account you previously created
| Parameter | Description |
|---|---|
| Instance Type | Choose the type from the drop down. Supported instance type: |
| Gateway Type | Auto Scaling. (Look at the implementation guide for single instance Gateway and the use case for that) |
| Minimum Instances | Select the minimum number of instances that you plan to deploy |
| Maximum Instances | Select the maximum number of instances that you plan to deploy. This is the maximum number that is used for auto-scaling in each availability zone |
| HealthCheck Port | Default is 65534 |
| Packet Capture Profile | (Optional) Packet Capture Profile for threat and flow PCAPs |
| Diagnostics Profile | (Optional) Diagnostics Profile used to store Technical Support information |
| Log Profile | (Optional) Log Forwarding Profile used to forward Events/Logs to a SIEM |
Provide the following parameters
| Parameter | Description |
|---|---|
| Security | Choose Egress |
| Gateway Image | Image to be deployed |
| Policy Ruleset | Select the policy ruleset to associate with this Gateway. If you don't have any policy ruleset, you can create a new one by choosing Create New |
| Region | Select the region this Gateway will be deployed into |
| VPC | Select the VPC in which the Valtix Gateway is deployed |
| Key Pair | Select the key pair to associate with this Gateway |
| IAM Role for Gateway | Select the IAM role to associate with this Gateway |
| Mgmt. Security Group | Select the security group to associate with the management interface |
| Datapath Security Group | Select the security group to associate with the datapath interface |
| EBS Encryption | Enable EBS encryption for the gateway instance. If enabled, the user selects either an AWS managed CMK or a Customer managed encryption key. For a Customer managed encryption key, the KMS key ARN needs to be provided. |
Select the Availability Zone, the Management Subnet and the Datapath Subnet. The available subnets will be based on the VPC selected above. For HA purposes the Gateway instances can be deployed in multiple AZs. Click the plus button to add a new AZ and select the parameters for the selected AZ.
Click Next. The review page shows you the details of all the selected parameters. Review the available resources and the information about any AWS limits that would be exceeded.
- Click Finish. The Gateway deployment starts and takes approximately 5-7 minutes for the Gateway to become ACTIVE
Check the AWS Console Load Balancers section and note that an internal Network Load Balancer has been created. It does not yet have any listeners or target groups. The listeners and target groups (targeting the EC2 Valtix Gateway instances) are created when you add a service with the listener port and backend application.
On your AWS console, open the EC2 instances page and check the Gateway instances that were created. The instances have a Name tag that begins with valtix. Along with the Gateway instances, another helper/supporting instance is created. This is called the NAT instance.

After the Gateway is created and becomes ACTIVE, change or add the route in the route tables associated with the application subnets so that the default route's next hop is the interface of the NAT instance. When the traffic exits the application subnets, it reaches the NAT instance, which changes the destination IP in the packets to the internal network load balancer's IP. This causes the traffic to reach the Gateway instance. The Gateway inspects the SNI, or the HTTP host header, to find the destination address and sends the packet out.

When the applications communicate over TLS, the Gateway waits until the Client Hello reaches the Gateway and then creates a new connection to the target (defined in the SNI field). The Gateway impersonates the certificate received from the internet server using the root/intermediate certificate installed on the Valtix Gateway, and presents the impersonated certificate to the application.
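The SNI lookup described above, as an added example that is not Valtix code: a TLS ClientHello is constructed for a sample host name and the host_name is read back from its server_name extension, which is how a transparent forward proxy decides where to open its new connection. A ClientHello without SNI yields None, which is why only SNI-bearing TLS can be proxied transparently; the host name and cipher suite are constructed sample values.

```python
from typing import Optional
import struct

# Constructed ClientHello builder and SNI extractor (example code, not Valtix code).

def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2-style ClientHello record with an optional SNI extension."""
    body = b"\x03\x03" + b"\x11" * 32          # client_version + 32-byte random (constructed)
    body += b"\x00"                              # empty session_id
    body += b"\x00\x02\xc0\x2f"                  # one cipher suite (constructed sample)
    body += b"\x01\x00"                          # one compression method: null
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        sni = struct.pack("!H", len(sni_list)) + sni_list
        exts += b"\x00\x00" + struct.pack("!H", len(sni)) + sni   # extension type server_name(0)
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # record type handshake(22)

def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a ClientHello record, or None if there is none."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                               # not a handshake record carrying a ClientHello
    hs_len = int.from_bytes(record[6:9], "big")
    hs = record[9:9 + hs_len]
    if len(hs) != hs_len:
        return None                               # truncated: a proxy would wait for more bytes
    pos = 2 + 32                                  # skip client_version + random
    pos += 1 + hs[pos]                            # skip session_id
    cs_len = struct.unpack_from("!H", hs, pos)[0]
    pos += 2 + cs_len                             # skip cipher_suites
    pos += 1 + hs[pos]                            # skip compression_methods
    if pos + 2 > len(hs):
        return None                               # no extensions block at all
    ext_len = struct.unpack_from("!H", hs, pos)[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", hs, pos)
        pos += 4
        if etype == 0x0000 and elen >= 5:
            # server_name extension: list_len(2) name_type(1) name_len(2) host_name
            name_len = struct.unpack_from("!H", hs, pos + 3)[0]
            return hs[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen                               # skip any other extension
    return None
```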