AWS Hub/Centralized Egress Gateway
The Valtix Egress Gateway inspects outgoing traffic from the VPC instances. The policy rules and service objects define whether a given flow is treated as Proxy or Forwarding traffic.
Add Gateway
- Navigate to Manage -> Gateways
- Click Add Gateway
- Select the account you previously created
- Click Next and provide the following parameters

| Parameter | Description |
| --- | --- |
| Name | Valtix Gateway name (e.g. egress-gw1) |
| Description | Description of the Gateway |
| Instance Type | Choose the type (AWS_M5_2XLARGE) from the drop down |
| Gateway Type | Auto Scaling |
| Minimum Instances | Select the minimum number of instances that you plan to deploy |
| Maximum Instances | Select the maximum number of instances that you plan to deploy. This is the maximum number used for auto-scaling in each availability zone |
| HealthCheck Port | Default is 65534 |
| Packet Capture (optional) | Packet capture profile for threat and flow pcaps |
| Diagnostics (optional) | Diagnostics profile for debugging |
| Log Profile (optional) | Log Forwarding Profile used to forward events/logs to a SIEM |

- Click Next
- Provide the following parameters

| Parameter | Description |
| --- | --- |
| Security | Choose East-West & Egress |
| Gateway Image | Image to be deployed |
| Policy Ruleset | Select the policy ruleset to associate with this Gateway. If you don't have a policy ruleset yet, you can create a new one by choosing Create New |
| Region | Select the region this Gateway will be deployed into |
| VPC | Select the Service VPC in which the Valtix Gateway is deployed |
| Key Pair | Select the key pair to associate with this Gateway |
| IAM Role for Gateway | Select the IAM role to associate with this Gateway. (If the CF template was used to create the IAM roles, this is the value of ValtixGatewayRoleName) |
| Mgmt. Security Group | Automatically created as part of the Service VPC and selected here |
| Datapath Security Group | Automatically created as part of the Service VPC and selected here |
| Availability Zones | Automatically selected from the Service VPC. Subnets are automatically created as part of the Service VPC and selected here |

- Click Next. The review page shows the details of all the selected parameters. Review the available resources and check for information about any AWS limits that would be exceeded.
- Click Finish. The Gateway deployment starts and takes approximately 5-7 minutes for the Gateway to become ACTIVE
Tech Notes
On your AWS console, review the EC2 instances page and check the Gateway instances that were created. The instances have a Name tag that begins with valtix.
- Gateway Load Balancer (GWLB), GWLB Endpoint Service and GWLB Endpoints are created
- The route table (named <prefix>-nat-ingress) in the Service VPC has a default route to the GWLB endpoint
AWS Gateway Load Balancer (GWLB) does not support adding or removing AZs after the initial deployment of a GWLB. You will need to redeploy the Service VPC if you need to change AZs.
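The route-table note above is the one worth verifying after deployment: if the default route of the <prefix>-nat-ingress table points anywhere other than the GWLB endpoint, egress traffic leaves the Service VPC without passing the Gateway. The following check is an added example, not Valtix's own tooling; it parses the JSON shape returned by `aws ec2 describe-route-tables` and the sample data, including every resource ID and the table names, is constructed for illustration.

```python
import json

# Naming convention from the docs: the Service VPC route table is named <prefix>-nat-ingress
ROUTE_TABLE_NAME_SUFFIX = "-nat-ingress"

# Constructed sample of `aws ec2 describe-route-tables --output json`; every ID here is made up.
SAMPLE_DESCRIBE_ROUTE_TABLES = json.dumps({"RouteTables": [
    {"RouteTableId": "rtb-0aaa111",
     "Tags": [{"Key": "Name", "Value": "valtix-svc-nat-ingress"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-0bbb222", "State": "active"}]},
    {"RouteTableId": "rtb-0ccc333",
     "Tags": [{"Key": "Name", "Value": "other-svc-nat-ingress"}],
     # Misconfigured: default route goes straight to an internet gateway, bypassing inspection
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0ddd444", "State": "active"}]},
]})

# describe-route-tables names the target key after the target type
TARGET_KEYS = ("GatewayId", "NatGatewayId", "NetworkInterfaceId", "TransitGatewayId", "InstanceId")


def default_route(route_table):
    """Return (target_id, state) of the 0.0.0.0/0 route, or (None, None) if absent."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            target = next((route[k] for k in TARGET_KEYS if k in route), None)
            return target, route.get("State")
    return None, None


def check_ingress_tables(describe_output_json):
    """Map each *-nat-ingress table ID to a verdict; OK only if the active default route is a vpce-* (GWLB endpoint)."""
    verdicts = {}
    for rt in json.loads(describe_output_json)["RouteTables"]:
        name = next((t["Value"] for t in rt.get("Tags", []) if t["Key"] == "Name"), "")
        if not name.endswith(ROUTE_TABLE_NAME_SUFFIX):
            continue  # not a Service VPC ingress table
        target, state = default_route(rt)
        if target is None:
            verdict = "FAIL: no default route"
        elif not target.startswith("vpce-"):
            verdict = f"FAIL: default route bypasses GWLB endpoint ({target})"
        elif state != "active":
            verdict = f"FAIL: default route state is {state}"
        else:
            verdict = f"OK: default route -> {target}"
        verdicts[rt["RouteTableId"]] = verdict
    return verdicts
```

Feed it the real output of `aws ec2 describe-route-tables --output json` for the Service VPC; a GWLB endpoint shows up in the route table as a GatewayId beginning with vpce-, so any other target on the default route is a bypass of the Gateway.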