AWS Service VPC¶
For the Centralized (hub) mode deployment using AWS Transit Gateway, the Valtix Gateway is deployed in a new VPC. This VPC is called the Services or Security VPC. The Services VPC and the application (Spoke) VPCs are connected to the AWS Transit Gateway in a Hub-Spoke model, as shown in the diagram below.
Valtix orchestrates the creation of the Services/Security VPC, creates (or reuses) an AWS Transit Gateway (TGW), and attaches the Spoke VPCs and the Services VPC to the Transit Gateway. It updates the routing between the Services VPC and the Spoke VPCs. Customers need to change the route tables associated with the subnets in the Spoke VPCs to add a default route with the Transit Gateway as its target.
Route tables inside the Spoke VPCs are intentionally left untouched by the orchestration, since they are often under the control of teams other than the Cloud NetSec team.
Create a Service VPC¶
- Click Manage -> Service VPCs
- Click Create VPC
- Provide a name for the Service VPC (e.g. valtix-services-vpc1)
- Select the AWS account
- Select the Region where the Service VPC needs to be created (e.g. us-east-1)
- Provide a CIDR block with a mask between /25 (minimum) and /16 (maximum). Make sure it does not overlap with any of the Spoke VPC CIDRs that you plan to attach to the Transit Gateway (e.g. 172.16.0.0/16)
- Select the Availability Zones. It's recommended to select at least two (2) AZs for HA purposes (e.g. us-east-1a and us-east-1b)
- Click Save to create the Service VPC
- Valtix creates a VPC, four (4) subnets in each AZ, one (1) route table for each of the subnets, and two (2) security groups (one for management traffic and one for datapath traffic)
- It's recommended to create a separate Service VPC for each of the security types (Ingress, Egress and East-West)
- The Transit Gateway (created/selected during Gateway creation) can be reused
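Two pre-flight checks a NetSec team can run before clicking Save and before declaring a Spoke attached: that the proposed Service VPC CIDR is within the /16../25 bounds and does not overlap any Spoke VPC CIDR, and that a Spoke route table actually has its default route pointing at the Transit Gateway. This is an added example, not Valtix code; the spoke CIDRs, route-table dictionary (shaped like `aws ec2 describe-route-tables` output) and TGW id are constructed sample values.

```python
import ipaddress

# Mask bounds from the page: largest block /16, smallest block /25.
MIN_PREFIX = 16
MAX_PREFIX = 25

def check_service_vpc_cidr(service_cidr, spoke_cidrs):
    """Return a list of problems; an empty list means the CIDR is usable."""
    problems = []
    try:
        svc = ipaddress.ip_network(service_cidr, strict=True)
    except ValueError as exc:
        return [f"invalid CIDR {service_cidr!r}: {exc}"]
    if svc.version != 4:
        return ["Service VPC CIDR must be IPv4"]
    if not MIN_PREFIX <= svc.prefixlen <= MAX_PREFIX:
        problems.append(f"mask /{svc.prefixlen} outside allowed range /{MIN_PREFIX}../{MAX_PREFIX}")
    for spoke in spoke_cidrs:
        spoke_net = ipaddress.ip_network(spoke, strict=False)
        if spoke_net.version == 4 and svc.overlaps(spoke_net):
            problems.append(f"overlaps spoke VPC CIDR {spoke}")
    return problems

def spoke_default_route_via_tgw(route_table, tgw_id):
    """True if the route table sends 0.0.0.0/0 to tgw_id and the route is active."""
    for route in route_table.get("Routes", []):
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and route.get("TransitGatewayId") == tgw_id
                and route.get("State", "active") == "active"):
            return True
    return False

# Constructed sample data (not taken from a real account).
SPOKE_CIDRS = ["10.1.0.0/16", "10.2.0.0/16", "172.16.8.0/22"]
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0123456789abcdef0",
    "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0", "State": "active"},
    ],
}

if __name__ == "__main__":
    print(check_service_vpc_cidr("172.16.0.0/16", SPOKE_CIDRS))   # overlaps 172.16.8.0/22
    print(check_service_vpc_cidr("192.168.0.0/24", SPOKE_CIDRS))  # [] (usable)
    print(spoke_default_route_via_tgw(SAMPLE_ROUTE_TABLE, "tgw-0123456789abcdef0"))  # False: still via IGW
```

A Spoke whose default route still points at an Internet Gateway bypasses the Gateway in the Services VPC entirely, so the second check is worth running per subnet route table, not just once per VPC.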