AWS Centralized Ingress Protection
The Valtix Gateway may be deployed in a central Service VPC or distributed inside spoke VPCs to protect customer facing applications. The Gateway acts as a Reverse Proxy. The users on the internet access the application via the Valtix Gateway. Configure the backend destination (the original application) as a proxy target on the Valtix Gateway. The proxy enables Valtix to decrypt TLS traffic and perform deep packet inspection. The proxied traffic to the backend/target can be sent as plain text HTTP, HTTPS, TCP or TLS.
- Navigate to Manage -> Gateways -> Gateways
- Click Add Gateway
- Select the account you previously created
| Parameter | Description |
|---|---|
| Instance Type | Choose the type from the drop down. Supported instance type: |
| Gateway Type | Auto Scaling. (Look at the implementation guide for single instance Gateway and the use case for that) |
| Minimum Instances | Select the minimum number of instances that you plan to deploy |
| Maximum Instances | Select the maximum number of instances that you plan to deploy. This is the maximum number that is used for auto-scaling in each availability zone |
| HealthCheck Port | Default is 65534 |
| Packet Capture Profile (Optional) | Packet Capture Profile for threat and flow PCAPs |
| Diagnostics Profile (Optional) | Diagnostics Profile used to store Technical Support information |
| Log Profile (Optional) | Log Forwarding Profile used to forward Events/Logs to a SIEM |
Provide the following parameters
| Parameter | Description |
|---|---|
| Security | Choose Ingress |
| Gateway Image | Image to be deployed |
| Policy Ruleset | Select the policy ruleset to associate with this Gateway. If you don't have any policy ruleset you can create a new one by choosing Create New |
| Region | Select the region this Gateway will be deployed into |
| VPC | Select the VPC in which the Valtix Gateway is deployed |
| Key Pair | Select the key pair to associate with this Gateway |
| IAM Role for Gateway | Select the IAM role to associate with this Gateway |
| Mgmt. Security Group | Select the security group to associate with the management interface |
| Datapath Security Group | Select the security group to associate with the datapath interface |
| EBS Encryption | Enable EBS encryption for the gateway instance. If enabled, the user will select either AWS managed CMK or Customer managed encryption key. For Customer managed encryption key, the KMS key ARN needs to be provided. |
Select the Availability Zone, the Mgmt Subnet and the Datapath Subnet. The available subnets will be based on the VPC selected above. For HA purposes the Gateway instances can be deployed in multiple AZs. Click the plus button to add a new AZ and select the parameters for the selected AZ.
Click Next. The review page shows you the details of all the selected parameters. Review the available resources and see information about any AWS limits exceeded.
- Click Finish. The Gateway deployment starts and takes approximately 5-7 minutes for the Gateway to become ACTIVE
On your AWS console, view the EC2 instances page and check the Gateway instances created. The instances have a Name tag that begins with valtix.
Check Load Balancers section and see that an internet facing Network Load Balancer is created. It does not yet have any listeners or target groups. The listeners and target groups (targeting the EC2 Valtix Gateway instances) are created when you add a service with the listener port and backend application.
Valtix can integrate with a set of one or more AWS Global Accelerators to use as an ingress point to load balance traffic across the Valtix Gateway instances. This is similar to the AWS Network Load Balancer that is created and managed by Valtix when an Ingress Gateway is deployed, but offers an alternative ingress point for the Ingress Gateway to protect applications and workloads. When Valtix integrates with a Global Accelerator, it will manage the Global Accelerators' Listener Endpoint Group to ensure the Endpoint Group has the active set of Gateway Instances. Client IP addresses will be preserved as they pass through the Global Accelerator to the Valtix Ingress Gateway.
In order to integrate Valtix with a Global Accelerator, the user must have first created the Global Accelerator within AWS, defined a desired Listener and created an empty Endpoint Group (or an Endpoint Group that contains the existing Valtix Ingress Gateway instances). Once the AWS resources exist, then the Valtix Ingress Gateway can be configured to integrate with the Global Accelerator.
| Parameter | Description |
|---|---|
| Global Accelerator | Select the Global Accelerator to attach to the Gateway. |
| Listener Name | Friendly name for the listener. This name will only exist in Valtix. |
| Listener | The listener in the Global Accelerator. |
| Endpoint Group ARN | Valtix will automatically select the endpoint group ARN once the listener is selected. |
- The AWS Network Load Balancer will still be deployed as part of Gateway deployment even if AWS Global Accelerator integration is enabled
- When configuring the Endpoint Group in the AWS Global Accelerator Listener, it is best to assign port TCP/65534 as the Health Check port. The Valtix Gateway is configured to respond on TCP/65534 to report its health status to the AWS Network Load Balancer and AWS Global Load Balancer. The same port can be used to report health status to the AWS Global Accelerator.
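The following is an added example (not Valtix code) that audits a Global Accelerator endpoint group against the running Ingress Gateway instances it should front: it checks that the health check is TCP/65534, that every running instance whose Name tag begins with `valtix` is an endpoint, that no stale endpoint remains, and that client IP preservation is on. It assumes the JSON shapes returned by `aws globalaccelerator describe-endpoint-group` and `aws ec2 describe-instances`; the sample data is constructed, and the `valtix` tag prefix is taken from this guide.

```python
HEALTH_CHECK_PORT = 65534  # port the Valtix Gateway answers health checks on


def gateway_instance_ids(describe_instances, name_prefix="valtix"):
    """Running EC2 instances whose Name tag begins with the gateway prefix."""
    ids = set()
    for reservation in describe_instances["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] != "running":
                continue  # terminated/stopped gateways must not stay as endpoints
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if tags.get("Name", "").startswith(name_prefix):
                ids.add(inst["InstanceId"])
    return ids


def audit_endpoint_group(describe_endpoint_group, gateway_ids):
    """Return a list of findings; an empty list means the group matches the guide."""
    eg = describe_endpoint_group["EndpointGroup"]
    findings = []
    proto, port = eg.get("HealthCheckProtocol"), eg.get("HealthCheckPort")
    if proto != "TCP" or port != HEALTH_CHECK_PORT:
        findings.append(f"health check should be TCP/{HEALTH_CHECK_PORT}, got {proto}/{port}")
    endpoints = {e["EndpointId"]: e for e in eg.get("EndpointDescriptions", [])}
    for iid in sorted(gateway_ids - endpoints.keys()):
        findings.append(f"gateway {iid} missing from endpoint group")
    for iid in sorted(endpoints.keys() - gateway_ids):
        findings.append(f"endpoint {iid} is not an active gateway instance")
    for iid, ep in sorted(endpoints.items()):
        if not ep.get("ClientIPPreservationEnabled", False):
            findings.append(f"client IP preservation disabled on {iid}")
    return findings


# Constructed sample data (hypothetical IDs) in the shape of the two CLI outputs.
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"}, "Tags": [{"Key": "Name", "Value": "valtix-gw-1"}]},
    {"InstanceId": "i-0bbb", "State": {"Name": "running"}, "Tags": [{"Key": "Name", "Value": "valtix-gw-2"}]},
    {"InstanceId": "i-0ccc", "State": {"Name": "terminated"}, "Tags": [{"Key": "Name", "Value": "valtix-gw-old"}]},
    {"InstanceId": "i-0ddd", "State": {"Name": "running"}, "Tags": [{"Key": "Name", "Value": "app-server"}]},
]}]}
SAMPLE_ENDPOINT_GROUP = {"EndpointGroup": {
    "HealthCheckProtocol": "TCP", "HealthCheckPort": 80,
    "EndpointDescriptions": [
        {"EndpointId": "i-0aaa", "Weight": 128, "ClientIPPreservationEnabled": True},
        {"EndpointId": "i-0ccc", "Weight": 128, "ClientIPPreservationEnabled": False},
    ]}}

if __name__ == "__main__":
    for finding in audit_endpoint_group(SAMPLE_ENDPOINT_GROUP, gateway_instance_ids(SAMPLE_INSTANCES)):
        print("FINDING:", finding)
```

Feed it the real CLI output (for example via `json.load`) to spot drift between the accelerator's endpoints and the gateway instances Valtix currently manages.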