AWS Hub Ingress
The Valtix Gateway is deployed in a Shared Service VPC to protect the Internet-facing applications. The Gateway acts as a Reverse Proxy. Users on the internet access the application via the Valtix Gateway. Configure the backend destination (the application) as a proxy target on the Valtix Gateway. The proxy enables Valtix to decrypt TLS traffic and perform deep packet inspection. The proxied traffic to the backend/target can be sent as plain text HTTP, HTTPS, TCP or TLS.
- Navigate to Manage -> Gateways
- Click Add Gateway
- Select the account you previously created
| Parameter | Description |
|---|---|
| Instance Type | Choose the type (AWS_M5_2XLARGE) from the drop-down |
| Gateway Type | Auto Scaling. (See the implementation guide for the single-instance Gateway and its use case) |
| Minimum Instances | Select the minimum number of instances that you plan to deploy |
| Maximum Instances | Select the maximum number of instances that you plan to deploy. This is the maximum number used for auto-scaling in each availability zone |
| HealthCheck Port | Default is 65534 |
| Packet Capture (optional) | Packet capture profile for threat pcaps |
| Diagnostics (optional) | Diagnostics profile for debugging |
| Log (optional) | Log profile to forward to Splunk or syslog |
Provide the following parameters
| Parameter | Description |
|---|---|
| Use AWS Gateway Load Balancer | Check this box to use the AWS Gateway Load Balancer. This consolidates Egress and East-West into a single Gateway. It is not yet available in all AWS regions; check in your AWS account whether this option is available |
| Security | Choose Ingress |
| Gateway Image | Image to be deployed |
| Policy Ruleset | Select the policy ruleset to associate with this Gateway. If you don't have any policy ruleset, you can create a new one by choosing Create New |
| Region | Select the region this Gateway will be deployed into |
| VPC | Select the Service VPC in which the Valtix Gateway is deployed |
| Transit Gateway | Select a Transit Gateway or create a new one. You can reuse the same Transit Gateway for all security types |
| Key Pair | Select the key pair to associate with this Gateway |
| IAM Role for Gateway | Select the IAM role to associate with this Gateway |
| Mgmt. Security Group | Automatically selected |
| Datapath Security Group | Automatically selected |
Availability Zones and subnets are automatically selected from the Service VPC.
- Click Next. The review page shows the details of all the selected parameters. Review the available resources and check the information about any AWS limits that would be exceeded.
- Click Finish. The Gateway deployment starts and takes approximately 5-7 minutes for the Gateway to become ACTIVE.
On your AWS console, open the EC2 instances page and verify that the Gateway instances were created. The instances have a Name tag that begins with valtix.
Check the Load Balancers section and verify that an internet-facing Network Load Balancer was created. It does not yet have any listeners or target groups. The listeners and target groups (targeting the EC2 Valtix Gateway instances) are created when you add a service with the listener port and backend application.
Review the Transit Gateway and note that a new TGW was created (if Create New was selected). An Attachment to the Service VPC is created, and a TGW route table is created and associated with the Attachment.
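To script the three post-deployment checks above, here is an added example that is not part of the Valtix documentation. Each function takes the dict shape returned by the corresponding boto3 call (ec2.describe_instances, elbv2.describe_load_balancers / describe_listeners, ec2.describe_transit_gateway_attachments), so real responses can be passed in; the sample responses, instance IDs, ARNs and the VPC ID are constructed.

```python
"""Post-deployment checks for a Valtix Hub Ingress Gateway (added example)."""


def gateway_instances(resp):
    """Return IDs of running EC2 instances whose Name tag begins with 'valtix'."""
    ids = []
    for reservation in resp.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if tags.get("Name", "").startswith("valtix") and inst["State"]["Name"] == "running":
                ids.append(inst["InstanceId"])
    return ids


def ingress_nlb_status(lbs, listeners_by_arn):
    """Find the internet-facing NLB and report how many listeners it has.

    Right after deployment the count is expected to be 0; listeners appear only
    once a service (listener port + backend application) has been added.
    """
    for lb in lbs.get("LoadBalancers", []):
        if lb["Type"] == "network" and lb["Scheme"] == "internet-facing":
            listeners = listeners_by_arn.get(lb["LoadBalancerArn"], {}).get("Listeners", [])
            return {"arn": lb["LoadBalancerArn"], "listeners": len(listeners)}
    return None  # no internet-facing NLB found: deployment is incomplete


def tgw_attachment_for_vpc(resp, vpc_id):
    """Return the available TGW VPC attachment for the Service VPC and its associated route table."""
    for att in resp.get("TransitGatewayAttachments", []):
        if att["ResourceType"] == "vpc" and att["ResourceId"] == vpc_id and att["State"] == "available":
            return {"attachment": att["TransitGatewayAttachmentId"],
                    "route_table": att.get("Association", {}).get("TransitGatewayRouteTableId")}
    return None


# Constructed sample responses (hypothetical IDs), shaped like the boto3 results.
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
     "Tags": [{"Key": "Name", "Value": "valtix-gw-ingress-az1"}]},
    {"InstanceId": "i-0bbb222", "State": {"Name": "running"},
     "Tags": [{"Key": "Name", "Value": "app-server"}]}]}]}
NLB_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/net/valtix-ingress/abc"
SAMPLE_LBS = {"LoadBalancers": [{"LoadBalancerArn": NLB_ARN, "Scheme": "internet-facing", "Type": "network"}]}
SAMPLE_LISTENERS = {NLB_ARN: {"Listeners": []}}  # none yet, as the text describes
SAMPLE_TGW = {"TransitGatewayAttachments": [
    {"TransitGatewayAttachmentId": "tgw-attach-0svc", "ResourceType": "vpc", "ResourceId": "vpc-0svc001",
     "State": "available", "Association": {"TransitGatewayRouteTableId": "tgw-rtb-0svc", "State": "associated"}}]}
```

With live data, call the same functions on `ec2.describe_instances()`, `elbv2.describe_load_balancers()` plus a per-ARN `describe_listeners()` dict, and `ec2.describe_transit_gateway_attachments()`.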