Azure Service VNet
The Valtix Gateway can be deployed in a Shared Services VNet instead of being deployed in every single VNet. This is called a Centralized (Hub) mode deployment. Set up VNet peering between this Security VNet and every VNet that requires protection; Azure VNet peering is not transitive, so each Spoke VNet must be peered with the Hub directly.
Centralized/Hub Deployment
- Create a VNet whose CIDR does not overlap with any of the VNets you intend to peer with.
- Deploy the Valtix Gateway in this VNet as described in the earlier sections.
- Set up VNet peering between the Security VNet and each of the app VNets (Spoke VNets). Enable "Allow forwarded traffic" on the Spoke side of each peering, otherwise traffic forwarded by the Gateway in the Hub is dropped at the peering.
- In each Spoke VNet, add a route table and associate it with all the subnets whose traffic must pass through the Gateway.
- Add routes for the intended traffic (next-hop type Virtual appliance, pointing at the IP of the Gateway endpoint):
    - For Egress traffic: add a route for 0.0.0.0/0 with next-hop set to the Valtix Egress Gateway Endpoint.
    - For Ingress traffic:
        - Override the default internet route in the Spoke VNets (a 0.0.0.0/0 route with next-hop None or the Valtix Gateway) so that internet users cannot access the app directly.
        - Set up proxy targets on the Valtix Gateways.
        - Change the DNS entries of the apps to point to the Valtix Ingress Gateway Endpoint.
    - For East-West traffic:
        - Add a route for each of the Spoke VNet CIDRs with next-hop set to the Valtix East-West Gateway Endpoint. This forwards Spoke-to-Spoke traffic through the Gateway.
        - East-West can also be used as a reverse proxy by configuring the Spoke VNet apps as proxy targets; client apps then access the Valtix East-West Gateway Endpoint.
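The Azure-side part of the procedure above (hub VNet, peering with forwarded traffic allowed, spoke route tables with egress and East-West routes to the Gateway endpoints), as an added example written for this page and not taken from the Valtix documentation or product. The resource group, VNet names, CIDRs, subnet names and the Gateway endpoint IPs are assumptions; the endpoint IPs are the values you would read from the Valtix Controller after deploying the Gateway. The Valtix-side steps (Gateway deployment, proxy targets, DNS changes) are not covered. The script also checks that the hub and spoke CIDRs do not overlap before creating anything, and with the default `DRY_RUN=1` it prints the `az` commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the Valtix documentation): Azure-side wiring of a
# Centralized/Hub deployment with the az CLI. Resource names, CIDRs and the
# Gateway endpoint IPs are assumptions; hub and spokes are assumed to share one
# resource group so that --remote-vnet can take a plain VNet name.
set -eu

RG=${RG:-valtix-hub-rg}
LOCATION=${LOCATION:-eastus}
HUB_VNET=${HUB_VNET:-valtix-hub-vnet}
HUB_CIDR=${HUB_CIDR:-10.100.0.0/16}
# Frontend IPs of the Valtix Gateway endpoints as shown in the Controller (assumed values).
VALTIX_EGRESS_EP=${VALTIX_EGRESS_EP:-10.100.1.10}
VALTIX_EW_EP=${VALTIX_EW_EP:-10.100.2.10}
# Spoke VNets as name:cidr:subnet triples (constructed sample data).
SPOKES=${SPOKES:-"app1-vnet:10.1.0.0/16:app-subnet app2-vnet:10.2.0.0/16:app-subnet"}
# DRY_RUN=1 (default) prints the az commands instead of executing them.
DRY_RUN=${DRY_RUN:-1}

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ip4_to_int A.B.C.D -> the address as a 32-bit integer
ip4_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlaps X/len Y/len -> exit 0 if the two prefixes share any address
cidr_overlaps() {
  a_net=$(ip4_to_int "${1%/*}"); a_len=${1#*/}
  b_net=$(ip4_to_int "${2%/*}"); b_len=${2#*/}
  len=$a_len
  if [ "$b_len" -lt "$len" ]; then len=$b_len; fi
  mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( a_net & mask )) -eq $(( b_net & mask )) ]
}

# The hub CIDR must not overlap any spoke, and spokes must not overlap each
# other: peering is refused for overlapping address spaces, and an overlapping
# prefix in the spoke route tables would misroute East-West traffic.
check_no_overlap() {
  all="$HUB_CIDR"
  for s in $SPOKES; do rest=${s#*:}; all="$all ${rest%%:*}"; done
  for a in $all; do
    for b in $all; do
      if [ "$a" != "$b" ] && cidr_overlaps "$a" "$b"; then
        echo "overlapping prefixes: $a and $b" >&2
        return 1
      fi
    done
  done
  return 0
}

# configure_spoke NAME CIDR SUBNET: peer the spoke with the hub and steer its traffic.
configure_spoke() {
  name=$1; cidr=$2; subnet=$3; rt="${name}-valtix-rt"
  # Peer in both directions. The spoke must allow forwarded traffic, otherwise
  # packets forwarded by the Gateway (an NVA in the hub) are dropped at the peering.
  run az network vnet peering create -g "$RG" -n "${HUB_VNET}-to-${name}" \
    --vnet-name "$HUB_VNET" --remote-vnet "$name" --allow-vnet-access --allow-forwarded-traffic
  run az network vnet peering create -g "$RG" -n "${name}-to-${HUB_VNET}" \
    --vnet-name "$name" --remote-vnet "$HUB_VNET" --allow-vnet-access --allow-forwarded-traffic
  run az network route-table create -g "$RG" -n "$rt" -l "$LOCATION"
  # Egress: 0.0.0.0/0 to the Egress Gateway endpoint. This UDR also overrides the
  # system internet route, so the app is no longer reachable from the internet directly.
  run az network route-table route create -g "$RG" --route-table-name "$rt" -n egress-default \
    --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address "$VALTIX_EGRESS_EP"
  # East-West: one route per other spoke CIDR to the East-West Gateway endpoint
  # (this example leaves intra-VNet traffic on the system route).
  for other in $SPOKES; do
    o_name=${other%%:*}; rest=${other#*:}; o_cidr=${rest%%:*}
    if [ "$o_name" = "$name" ]; then continue; fi
    run az network route-table route create -g "$RG" --route-table-name "$rt" -n "to-${o_name}" \
      --address-prefix "$o_cidr" --next-hop-type VirtualAppliance --next-hop-ip-address "$VALTIX_EW_EP"
  done
  run az network vnet subnet update -g "$RG" --vnet-name "$name" -n "$subnet" --route-table "$rt"
}

check_no_overlap
run az group create -n "$RG" -l "$LOCATION"
run az network vnet create -g "$RG" -n "$HUB_VNET" --address-prefixes "$HUB_CIDR" \
  --subnet-name valtix-mgmt --subnet-prefixes 10.100.0.0/24
for s in $SPOKES; do
  name=${s%%:*}; rest=${s#*:}; cidr=${rest%%:*}; subnet=${rest#*:}
  configure_spoke "$name" "$cidr" "$subnet"
done
```

Run it once with the default `DRY_RUN=1` and review the printed commands, then `DRY_RUN=0 ./hub-spoke.sh` after `az login`. The hub VNet here only gets a management subnet; the Gateway's own subnets come from the deployment described in the earlier sections, and the endpoint IPs must be replaced with the ones the Controller shows for your Gateways.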