Azure Centralized Egress / East-West Protection¶
The Valtix Gateway is deployed in a VNet to protect the outgoing traffic. For Centralized model, the Gateway is deployed in the Service VNet. The Gateway acts as a Forward Proxy. For HTTP or TLS applications with SNI extension header, the Valtix Gateway can act as a Transparent Forward Proxy. The applications access the internet without any change on their side. Valtix intercepts the traffic and considers that as proxied traffic. It creates a new session to the internet. For TLS traffic and the certificate to be trusted by the client applications, a trusted root/intermediate certificate must be configured on Valtix and the root certificate installed on all the client application instances.
Valtix Gateway consist of a Load Balancer that is used to front our Valtix Gateway instances. This allows for a more scalable design and ensures that traffic is loadbalanced between all the Gateway instances.
To add a Gateway:
- Navigate to Manage -> Gateways -> Gateways
- Click Add Gateway
- Select the account you previously created
Parameter Description Instance Type Choose the type from the drop down. Supported instance type:
Gateway Type Auto Scaling. (Look at the implementation guide for single instance Gateway and the use case for that) Minimum Instances Select the minimum number of instances that you plan to deploy Maximum Instances Select the maximum number instances that you plan to deploy. This is the maximum number that is used for auto-scaling in each availability zone HealthCheck Port Default is 65534 Packet Capture Profile (Optional) Packet Capture Profile for threat and flow PCAPs Diagnostics Profile (Optional) Diagnostics Profile used to store Technical Support information Log Profile (Optional) Log Forwarding Profile used to forward Events/Logs to a SIEM
Provide the following parameters
Parameter Description Security Egress Gateway Image Image to be deployed Policy Ruleset Select the policy ruleset to associate with this Gateway Region Select the region this Gateway will be deployed into Resource Groups Select the resource group to associate the Gateway with SSH Public Key Paste the SSH public key. This public key is used by the controller to access the CLI of the deployed Gateway instances for debug and monitoring VNet ID Select the VNet to associate with the Gateway User Assigned Identity ID Enter the Azure identity to associate with this Gateway. This is the Resource ID found in the Azure Portal > Managed Identities > Settings > Properties Mgmt. Security Group Select the security group to associate with the management interface Datapath Security Group Select the security group to associate with the datapath interface Disk Encryption Select either Azure managed encryption or Customer managed encryption key. For customer managed encryption key, the user will need to input the resource ID of the encryption key. ID will be in this format: /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Compute/diskEncryptionSets/<DISK_ENCRYTION_SET>
Select the Availability Zone, the Mgmt Subnet and the Datapath Subnet. The available subnets will be based on the VNet selected above. For HA purposes the Gateway instances can be deployed in multiple AZs. Click the plus button to add a new AZ and select the parameters for the selected AZ. Some Azure regions do not support multiple AZs. In such regions the Gateway instances are deployed in only a single AZ.
Using the Azure portal, view the VM instances page and check the Gateway instances created. The VMs have a Name tag that begins with valtix.
Check Load Balancers section and note that an internal Network Load Balancer has been created.
This step is only needed if you are deploying in distributed model(Valtix Gateway in the same VNet as application). In Centralized model, please follow Manage Spoke VNets to protect VNet. For distributed model, traffic from the apps/subnets in the VNet needs to be routed to the Valtix Gateway:
- Add a route table in the Azure portal
- Associate the route table with all the subnets
- Add a default route for 0.0.0.0/0 with next-hop as the IP address of the Valtix Gateway Network Load Balancer
Advanced Settings allow for customized default settings in Valtix Gateway. Some of these settings may not be editable after deployment of Gateway.
|Management DNS Server
|Users can configure Valtix Gateway to point to a designated DNS server instead of the default cloud DNS. If DNS is changed, please ensure DNS can resolve the following URL:
* Azure DNS settings can only be set when deploy of new gateway instances. Please disable the gateway to edit this setting.