Skip to content

Azure Centralized Egress / East-West Protection

The Valtix Gateway is deployed in a VNet to protect the outgoing traffic. For Centralized model, the Gateway is deployed in the Service VNet. The Gateway acts as a Forward Proxy. For HTTP or TLS applications with SNI extension header, the Valtix Gateway can act as a Transparent Forward Proxy. The applications access the internet without any change on their side. Valtix intercepts the traffic and considers that as proxied traffic. It creates a new session to the internet. For TLS traffic and the certificate to be trusted by the client applications, a trusted root/intermediate certificate must be configured on Valtix and the root certificate installed on all the client application instances.

Valtix Gateway consist of a Load Balancer that is used to front our Valtix Gateway instances. This allows for a more scalable design and ensures that traffic is loadbalanced between all the Gateway instances.

Azure Gateway

To add a Gateway:

  1. Navigate to Manage -> Gateways -> Gateways
  2. Click Add Gateway
  3. Select the account you previously created

  4. Click Next

    Parameter Description
    Instance Type Choose the type from the drop down. Supported instance type:
    • AZURE_D2S_V3
    • AZURE_D4S_V3
    • AZURE_D8S_V3
    • AZURE_D2S_V5
    • AZURE_D4S_V5
    • AZURE_D8S_V5
    Gateway Type Auto Scaling. (Look at the implementation guide for single instance Gateway and the use case for that)
    Minimum Instances Select the minimum number of instances that you plan to deploy
    Maximum Instances Select the maximum number instances that you plan to deploy. This is the maximum number that is used for auto-scaling in each availability zone
    HealthCheck Port Default is 65534
    Packet Capture Profile (Optional) Packet Capture Profile for threat and flow PCAPs
    Diagnostics Profile (Optional) Diagnostics Profile used to store Technical Support information
    Log Profile (Optional) Log Forwarding Profile used to forward Events/Logs to a SIEM

  5. Click Next

  6. Provide the following parameters

    Parameter Description
    Security Egress
    Gateway Image Image to be deployed
    Policy Ruleset Select the policy ruleset to associate with this Gateway
    Region Select the region this Gateway will be deployed into
    Resource Groups Select the resource group to associate the Gateway with
    SSH Public Key Paste the SSH public key. This public key is used by the controller to access the CLI of the deployed Gateway instances for debug and monitoring
    VNet ID Select the VNet to associate with the Gateway
    User Assigned Identity ID Enter the Azure identity to associate with this Gateway. This is the Resource ID found in the Azure Portal > Managed Identities > Settings > Properties
    Mgmt. Security Group Select the security group to associate with the management interface
    Datapath Security Group Select the security group to associate with the datapath interface
    Disk Encryption Select either Azure managed encryption or Customer managed encryption key. For customer managed encryption key, the user will need to input the resource ID of the encryption key. ID will be in this format: /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Compute/diskEncryptionSets/<DISK_ENCRYTION_SET>

  7. Select the Availability Zone, the Mgmt Subnet and the Datapath Subnet. The available subnets will be based on the VNet selected above. For HA purposes the Gateway instances can be deployed in multiple AZs. Click the plus button to add a new AZ and select the parameters for the selected AZ. Some Azure regions do not support multiple AZs. In such regions the Gateway instances are deployed in only a single AZ.

Tech Notes

Using the Azure portal, view the VM instances page and check the Gateway instances created. The VMs have a Name tag that begins with valtix.

Check Load Balancers section and note that an internal Network Load Balancer has been created.

Route Changes

This step is only needed if you are deploying in distributed model(Valtix Gateway in the same VNet as application). In Centralized model, please follow Manage Spoke VNets to protect VNet. For distributed model, traffic from the apps/subnets in the VNet needs to be routed to the Valtix Gateway:

  • Add a route table in the Azure portal
  • Associate the route table with all the subnets
  • Add a default route for 0.0.0.0/0 with next-hop as the IP address of the Valtix Gateway Network Load Balancer

Advanced Settings

Advanced Settings allow for customized default settings in Valtix Gateway. Some of these settings may not be editable after deployment of Gateway.

Parameter Description
Management DNS Server Users can configure Valtix Gateway to point to a designated DNS server instead of the default cloud DNS. If DNS is changed, please ensure DNS can resolve the following URL:
  • prod1-dashboard.vtxsecurityservices.com
  • prod1-apiserver.vtxsecurityservices.com
  • prod1-watchserver.vtxsecurityservices.com
    • These URLs are needed to ensure the Valtix Gateway is operational.

    * Azure DNS settings can only be set when deploy of new gateway instances. Please disable the gateway to edit this setting.