The Valtix Gateway is deployed in a VNet to protect the internet facing applications. The Gateway acts as a Reverse Proxy. Users on the internet access the application via the Valtix Gateway. You configure the backend destination (the original application) as a proxy target on the Valtix Gateway. The proxy enables Valtix to decrypt TLS traffic and perform deep packet inspection. The proxied traffic to the backend/target can be sent as plain text HTTP, HTTPS, TCP or TLS.
To add a Gateway:
- Navigate to Manage > Gateways > Gateways.
- Click Add Gateway.
- Select the account you previously created.
Parameter Description Instance Type Choose the type from the drop down. Gateway Type Auto Scaling. (Look at the implementation guide for single instance Gateway and the use case for that) Minimum Instances Select the minimum number of instances that you plan to deploy. Maximum Instances Select the maximum number instances that you plan to deploy. This is the maximum number that is used for auto-scaling in each availability zone. HealthCheck Port Default is 65534. Packet Capture (optional) Packet capture profile for threat and flow pcaps. Diagnostics (optional) Diagnostics profile for debugging. Log (optional) Log profile to forward to Splunk or syslog.
Provide the following parameters
Parameter Description Security Ingress Gateway Image Image to be deployed. Policy Ruleset Select the policy ruleset to associate with this Gateway. Region Select the region this Gateway will be deployed into. Resource Groups Select the resource group to associate the Gateway with. SSH Public Key Paste the SSH public key. This public key is used by the controller to access the CLI of the deployed Gateway instances for debug and monitoring. VNet ID Select the VNet to associate with the Gateway. User Assigned Identity ID Enter the Azure identity to associate with this Gateway. This is the Resource ID found in the Azure Portal > Managed Identities > Settings > Properties Mgmt. Security Group Select the security group to associate with the management interface. Datapath Security Group Select the security group to associate with the datapath interface.
Select the Availability Zone, the Mgmt Subnet and the Datapath Subnet. The available subnets will be based on the VNet selected above. For HA purposes the Gateway instances can be deployed in multiple AZs. Click the plus button to add a new AZ and select the parameters for the selected AZ. Some Azure regions do not support multiple AZs. In such regions the Gateway instances are deployed in only a single AZ.
Using the Azure portal, view the VM instances page and check the Gateway instances created. The VMs have a Name tag that begins with valtix.
Check Load Balancers section and note that an internal Network Load Balancer has been created.