Azure Service VNet

The Valtix Gateway can be deployed in a Shared Services VNet instead of in every single VNet. This is called a Centralized (Hub) mode deployment. Set up VNet peering with all the VNets that require security.

Centralized/Hub Deployment

  1. Create a VNet whose CIDR does not overlap with any of the VNets you intend to peer with.
  2. Deploy the Valtix Gateway in this VNet as described in the earlier sections.
  3. Set up VNet Peering between the Security VNet and all the other app VNets (Spoke VNets).
  4. In the Spoke VNets add a route table and associate it with all the subnets
  5. Add a route appropriately for the intended traffic:
    • For Egress traffic: Add a route for 0.0.0.0/0 with the next hop set to the Valtix Egress Gateway Endpoint
    • For Ingress traffic:
      • Delete the internet route in the Spoke VNets such that internet users cannot access the app directly.
      • Setup proxy targets on the Valtix Gateways
      • Change DNS entries of the apps to point to the Valtix Ingress Gateway Endpoint
    • For East-West traffic:
      • Add a route to each of the Spoke VNet CIDRs with the next hop set to the Valtix East-West Gateway Endpoint. This enables the traffic to be forwarded.
      • East-West can also be used as a reverse proxy by setting the Spoke VNet apps as proxy targets and having the client apps access the Valtix East-West Gateway Endpoint
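
One way to check a planned hub-and-spoke layout against steps 1, 4 and 5 before applying it. This is an added example, not Valtix code. It assumes every spoke is meant to use both egress and east-west inspection, that the gateway endpoints are expressed as next-hop IP addresses, and that routes use the field names Azure returns for route table entries; all VNet names, CIDRs and IPs below are constructed.

```python
import ipaddress

# Constructed sample data (not from a real subscription).
VNETS = {"hub": "10.0.0.0/16", "spoke-a": "10.1.0.0/16", "spoke-b": "10.2.0.0/16"}
EGRESS_IP, EASTWEST_IP = "10.0.1.4", "10.0.2.4"  # assumed gateway endpoint IPs
SPOKES = {
    "spoke-a": {"subnets": {"web": "rt-a", "db": "rt-a"}, "routes": [
        {"addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance", "nextHopIpAddress": EGRESS_IP},
        {"addressPrefix": "10.2.0.0/16", "nextHopType": "VirtualAppliance", "nextHopIpAddress": EASTWEST_IP}]},
    "spoke-b": {"subnets": {"app": "rt-b", "batch": None}, "routes": [
        {"addressPrefix": "0.0.0.0/0", "nextHopType": "Internet"}]},
}

def overlapping_vnets(vnets):
    """Return pairs of VNet names whose CIDRs overlap (step 1 requires none)."""
    nets = {n: ipaddress.ip_network(c) for n, c in vnets.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def audit_spoke(name, spoke, vnets, hub, egress_ip, eastwest_ip):
    """Return findings for one spoke; an empty list means it matches steps 4-5."""
    findings = []
    for subnet, table in spoke["subnets"].items():
        if table is None:  # step 4: every subnet needs the route table
            findings.append(f"{name}/{subnet}: no route table associated")
    routes = {r["addressPrefix"]: r for r in spoke["routes"]}
    for r in spoke["routes"]:
        if r["nextHopType"] == "Internet":  # ingress: apps must not be directly reachable
            findings.append(f"{name}: route {r['addressPrefix']} goes straight to Internet")
    default = routes.get("0.0.0.0/0")
    if not default or default.get("nextHopIpAddress") != egress_ip:
        findings.append(f"{name}: 0.0.0.0/0 does not point at the egress endpoint")
    for other, cidr in vnets.items():
        if other in (name, hub):
            continue
        r = routes.get(cidr)  # east-west: one route per other spoke CIDR
        if not r or r.get("nextHopIpAddress") != eastwest_ip:
            findings.append(f"{name}: no east-west route for {other} ({cidr})")
    return findings

if __name__ == "__main__":
    print("overlaps:", overlapping_vnets(VNETS))
    for spoke_name, spoke_cfg in SPOKES.items():
        for finding in audit_spoke(spoke_name, spoke_cfg, VNETS, "hub", EGRESS_IP, EASTWEST_IP):
            print(finding)
```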