
AWS Hub/Centralized Egress Gateway

The Valtix Egress Gateway inspects outgoing traffic from the VPC instances. The policy rules and service objects define whether the traffic is treated as proxy or forwarding traffic. Note: AWS Gateway Load Balancer (GWLB) is not yet available in all regions. If your region supports it, use this option during the Valtix Gateway creation process; it enables the Valtix Gateway to work in both proxy and forwarding mode. Without GWLB, Valtix can act only as a proxy Gateway and requires all traffic to be either HTTP or TLS with an SNI header.

Tech Notes

  • Proxy Mode ➡ GWLB is optional and works only for TLS with SNI or HTTP traffic
  • Forwarding Mode ➡ GWLB is required

Add Gateway

  1. Navigate to Manage -> Gateways
  2. Click Add Gateway
  3. Select the account you previously created
  4. Click Next

    Parameters:
      • Name: Valtix Gateway name (e.g. egress-gw1)
      • Description: Description of the Gateway
      • Instance Type: Choose the type (AWS_M5_2XLARGE) from the drop-down
      • Gateway Type: Auto Scaling
      • Minimum Instances: Select the minimum number of instances that you plan to deploy
      • Maximum Instances: Select the maximum number of instances that you plan to deploy. This is the maximum number used for auto-scaling in each availability zone
      • HealthCheck Port: Default is 65534
      • Packet Capture (optional): Packet capture profile for threat pcaps
      • Diagnostics (optional): Diagnostics profile for debugging
      • Log (optional): Log profile to forward to Splunk or syslog
  5. Click Next

  6. Provide the following parameters

    Parameters:
      • Use AWS Gateway Load Balancer: Check this box to use the AWS Gateway Load Balancer. This is not yet available in all AWS regions; check in your AWS account whether this option is available
      • Security: Choose Egress
      • Gateway Image: Image to be deployed
      • Policy Ruleset: Select the policy ruleset to associate with this Gateway. If you don't have any policy ruleset, you can create a new one by choosing Create New
      • Region: Select the region this Gateway will be deployed into
      • VPC: Select the Service VPC in which the Valtix Gateway is deployed
      • Transit Gateway: Select a Transit Gateway or create a new one. You can reuse the same Transit Gateway for all security types
      • Key Pair: Select the key pair to associate with this Gateway
      • IAM Role for Gateway: Select the IAM role to associate with this Gateway (if the CloudFormation template was used to create the IAM roles, this is the value of ValtixGatewayRoleName)
      • Mgmt. Security Group: Automatically created as part of the Service VPC and selected here
      • Datapath Security Group: Automatically created as part of the Service VPC and selected here

    Availability Zones are automatically selected from the Service VPC. Subnets are automatically created as part of the Service VPC and selected here.

  7. Click Next. The review page shows you the details of all the selected parameters. Review the available resources and see information about any AWS limits exceeded.

  8. Click Finish. The Gateway deployment starts and takes approximately 5-7 minutes for the Gateway to become ACTIVE

Tech Notes

On the AWS console, review the EC2 Instances page and check the Gateway instances that were created. The instances have a Name tag that begins with valtix.

If GWLB is used (default):

  • GWLB, GWLB Endpoint Service and Endpoints are created
  • A new Transit Gateway (TGW) is created (if create was selected)
  • A TGW Attachment to the Service VPC is created
  • A TGW route table is associated with the Attachment
  • The route table (named as <prefix>-nat-ingress) in Service VPC has a default route to the GWLB endpoint

If GWLB is not used:

  • A helper EC2 instance named NAT instance is created in the Service VPC
  • An internal Network Load Balancer is created. It does not yet have any listeners or target groups; the listeners and target groups (targeting the EC2 Valtix Gateway instances) are created when you add a service
  • A new Transit Gateway (TGW) is created (if create was selected)
  • A TGW attachment to the Service VPC is created
  • A TGW route table is associated with the Attachment
  • The route table (named as <prefix>-nat-ingress) in Service VPC has a default route to the ENI of the NAT instance
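The two checklists above both come down to where the Service VPC route table's default route points. The following is an added example (not Valtix or AWS code) that classifies one route table, in the shape returned by the EC2 DescribeRouteTables API, into the GWLB or NAT-instance deployment mode, and flags a blackholed or missing default route; the sample route tables and their IDs are constructed placeholders, and the assumption that a GWLB endpoint target is reported in GatewayId with a "vpce-" prefix is the example's, not the page's.

```python
# Added example, not Valtix/AWS code. Input is one entry of the EC2
# DescribeRouteTables result; a GWLB endpoint target appears in GatewayId as "vpce-".

def _name_tag(route_table: dict) -> str:
    for tag in route_table.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag.get("Value", "")
    return ""

def classify_egress_path(route_table: dict) -> dict:
    """Report which deployment mode the 0.0.0.0/0 route matches: "gwlb" (GWLB
    endpoint), "nat-instance" (ENI of the helper NAT instance), "blackhole"
    (target deleted), "missing" (no default route) or "unknown" (other target)."""
    name = _name_tag(route_table)
    result = {"name": name, "is_nat_ingress_table": name.endswith("-nat-ingress"),
              "mode": "missing", "target": None}
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue  # only the default route decides the egress path
        gateway = route.get("GatewayId", "")
        eni = route.get("NetworkInterfaceId", "")
        result["target"] = gateway or eni or route.get("InstanceId")
        if route.get("State") != "active":
            result["mode"] = "blackhole"   # e.g. the NAT instance was terminated
        elif gateway.startswith("vpce-"):
            result["mode"] = "gwlb"
        elif eni.startswith("eni-"):
            result["mode"] = "nat-instance"
        else:
            result["mode"] = "unknown"      # e.g. an Internet Gateway: inspection bypassed
        break
    return result

# Constructed samples with placeholder IDs (not from a real account), one per mode.
_TAGS = [{"Key": "Name", "Value": "egress-gw1-nat-ingress"}]
SAMPLE_GWLB_RT = {"Tags": _TAGS, "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-0123456789abcdef0",
     "State": "active"}]}
SAMPLE_NAT_RT = {"Tags": _TAGS, "Routes": [
    {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0123456789abcdef0",
     "NetworkInterfaceId": "eni-0123456789abcdef0", "State": "active"}]}
SAMPLE_BLACKHOLE_RT = {"Tags": _TAGS, "Routes": [
    {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-0123456789abcdef0",
     "State": "blackhole"}]}
```

To run it against a live deployment, feed each element of the RouteTables list from `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<service-vpc-id>` to classify_egress_path and confirm the table named <prefix>-nat-ingress reports the mode you deployed.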