Skip to content

Azure Centralized Ingress Protection

The Valtix Gateway is deployed in a VNet to protect the internet facing applications. For Centralized model, deploy Gateway in Service VNet. The Gateway acts as a Reverse Proxy. Users on the internet access the application via the Valtix Gateway. You configure the backend destination (the original application) as a proxy target on the Valtix Gateway. The proxy enables Valtix to decrypt TLS traffic and perform deep packet inspection. The proxied traffic to the backend/target can be sent as plain text HTTP, HTTPS, TCP or TLS.

Valtix Gateway consist of a Load Balancer that is used to front our Valtix Gateway instances. This allows for a more scalable design and ensures that traffic is loadbalanced between all the Gateway instances.

Azure Gateway

To add a Gateway:

  1. Navigate to Manage > Gateways > Gateways.
  2. Click Add Gateway.
  3. Select the account you previously created.

  4. Click Next.

    Parameter Description
    Instance Type Choose the type from the drop down. Supported instance type:
    • AZURE_D2S_V3
    • AZURE_D4S_V3
    • AZURE_D8S_V3
    • AZURE_D2S_V5
    • AZURE_D4S_V5
    • AZURE_D8S_V5
    Gateway Type Auto Scaling. (Look at the implementation guide for single instance Gateway and the use case for that)
    Minimum Instances Select the minimum number of instances that you plan to deploy.
    Maximum Instances Select the maximum number instances that you plan to deploy. This is the maximum number that is used for auto-scaling in each availability zone.
    HealthCheck Port Default is 65534.
    Packet Capture Profile (Optional) Packet Capture Profile for threat and flow PCAPs
    Diagnostics Profile (Optional) Diagnostics Profile used to store Technical Support information
    Log Profile (Optional) Log Forwarding Profile used to forward Events/Logs to a SIEM

  5. Click Next

  6. Provide the following parameters

    Parameter Description
    Security Ingress
    Gateway Image Image to be deployed.
    Policy Ruleset Select the policy ruleset to associate with this Gateway.
    Region Select the region this Gateway will be deployed into.
    Resource Groups Select the resource group to associate the Gateway with.
    SSH Public Key Paste the SSH public key. This public key is used by the controller to access the CLI of the deployed Gateway instances for debug and monitoring.
    VNet ID Select the VNet to associate with the Gateway.
    User Assigned Identity ID Enter the Azure identity to associate with this Gateway. This is the Resource ID found in the Azure Portal > Managed Identities > Settings > Properties
    Mgmt. Security Group Select the security group to associate with the management interface.
    Datapath Security Group Select the security group to associate with the datapath interface.
    Disk Encryption Select either Azure managed encryption or Customer managed encryption key. For customer managed encryption key, the user will need to input the resource ID of the encryption key. ID will be in this format: /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Compute/diskEncryptionSets/<DISK_ENCRYTION_SET>

  7. Select the Availability Zone, the Mgmt Subnet and the Datapath Subnet. The available subnets will be based on the VNet selected above. For HA purposes the Gateway instances can be deployed in multiple AZs. Click the plus button to add a new AZ and select the parameters for the selected AZ. Some Azure regions do not support multiple AZs. In such regions the Gateway instances are deployed in only a single AZ.

Tech Notes

Using the Azure portal, view the VM instances page and check the Gateway instances created. The VMs have a Name tag that begins with valtix.

Check Load Balancers section and note that an internal Network Load Balancer has been created.

Advanced Settings

Advanced Settings allow for customized default settings in Valtix Gateway. Some of these settings may not be editable after deployment of Gateway.

Parameter Description
Use Internal LoadBalancer This option will use internal Load Balancer when deploying Valtix Gateway. This is typically used when your application is used for private use and not intended for public access.
Management DNS Server Users can configure Valtix Gateway to point to a designated DNS server instead of the default cloud DNS. If DNS is changed, please ensure DNS can resolve the following URL:
  • prod1-dashboard.vtxsecurityservices.com
  • prod1-apiserver.vtxsecurityservices.com
  • prod1-watchserver.vtxsecurityservices.com
    • These URLs are needed to ensure the Valtix Gateway is operational.

    * Azure DNS settings can only be set when deploying new gateway instances. If you need to edit, please disable the gateway to edit the DNS.