
GCP Centralized Egress / East-West Protection

The Valtix Gateway is deployed into a VPC to protect outbound and East-West traffic inside your VPCs. For HTTP applications, or TLS applications that send the SNI extension, the Valtix Gateway can act as a transparent forward proxy. Valtix terminates outbound sessions and proxies the request on behalf of the client inside the VPC. For this decryption/encryption operation to function, trusted root/intermediate certificates need to be installed on the Valtix Gateway and on the client application instances.

  1. Navigate to Manage -> Gateways -> Gateways
  2. Click Add Gateway
  3. Select the account you previously created
  4. Click Next

    | Parameter | Description |
    | --- | --- |
    | Instance Type | Choose the type from the drop-down. Supported instance types: GCP_E2_2, GCP_E2_4, GCP_E2_8 |
    | Minimum Instances | Select the minimum number of instances that you plan to deploy. This is the minimum number of instances in each availability zone. |
    | Maximum Instances | Select the maximum number of instances that you plan to deploy. This is the maximum number that is used for auto-scaling in each availability zone. |
    | Health Check Port | Default 65534. Port number used by the Valtix Load Balancer to check the health of the instances. The datapath security group assigned to the instances must allow traffic on this port. |
    | Packet Capture Profile | (Optional) Packet Capture Profile for threat and flow PCAPs |
    | Diagnostics Profile | (Optional) Diagnostics Profile used to store Technical Support information |
    | Log Profile | (Optional) Log Forwarding Profile used to forward Events/Logs to a SIEM |
    | Disk Encryption | Select either GCP managed encryption or Customer managed encryption key. For a customer managed encryption key, the user will need to input the resource ID of the encryption key. |

  5. Click Next

    | Parameter | Description |
    | --- | --- |
    | Type | Ingress |
    | Gateway Image | Select the image from the dropdown |
    | Policy Ruleset | Select an existing ruleset or choose to create new one |
    | Region | Region where the Gateway is deployed |
    | Gateway Service Account Email | Enter the Gateway service account email. Ensure that the Service Account has the necessary IAM roles: "Secret Manager Secret Accessor" and "Storage Object Creator" |
    | Datapath VPC | Select the VPC to associate with the datapath interface of the Gateway |
    | Datapath Network Tag | The tag assigned to the network interface of the Gateway in the datapath VPC |
    | Management VPC | Select the VPC to associate with the management interface of the Gateway |
    | Management Network Tag | The tag assigned to the network interface of the Gateway in the management VPC |

  6. Select the Availability Zone, the Mgmt Subnet and the Datapath Subnet for the Valtix Gateway. The available subnets will be based on the VPC selected above. The Valtix Gateways should be deployed into multiple Availability Zones.

  7. The Gateway deployment takes a few minutes to reach an Active state.
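
An added example, not Valtix's own tooling: a pre-flight check of two requirements from the tables above (the service account's IAM roles and the health check port), run over JSON saved from `gcloud projects get-iam-policy --format=json` and `gcloud compute firewall-rules list --format=json`. It assumes the health check is TCP and that the datapath "security group" is a VPC firewall rule targeting the Datapath Network Tag; the role IDs are the standard IDs for the two role titles, and every sample name is a constructed placeholder.

```python
# Added example: pre-flight checks over JSON saved from gcloud (runs offline).
# Role IDs for the two roles the page names by title.
REQUIRED_ROLES = {
    "roles/secretmanager.secretAccessor",  # Secret Manager Secret Accessor
    "roles/storage.objectCreator",         # Storage Object Creator
}

def missing_roles(policy, sa_email):
    """Required roles not bound directly and unconditionally to the account."""
    member = "serviceAccount:" + sa_email
    granted = {b["role"] for b in policy.get("bindings", [])
               if member in b.get("members", []) and "condition" not in b}
    return REQUIRED_ROLES - granted

def _covers(spec, port):
    """True if a firewall ports entry ("443" or "1000-2000") includes port."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rules_allowing(rules, tag, port=65534):
    """Enabled ingress allow rules admitting TCP port to instances carrying tag.
    Assumes a TCP health check; deny rules and priorities are not evaluated."""
    hits = []
    for r in rules:
        tags = r.get("targetTags", [])
        if (r.get("disabled") or r.get("direction") != "INGRESS"
                or r.get("targetServiceAccounts") or (tags and tag not in tags)):
            continue
        if any(a["IPProtocol"] in ("tcp", "all") and
               ("ports" not in a or any(_covers(p, port) for p in a["ports"]))
               for a in r.get("allowed", [])):
            hits.append(r["name"])
    return hits

# Constructed sample data; every name below is a placeholder.
SA = "gateway@example-project.iam.gserviceaccount.com"
POLICY = {"bindings": [
    {"role": "roles/secretmanager.secretAccessor", "members": ["serviceAccount:" + SA]},
    {"role": "roles/storage.objectCreator", "members": ["serviceAccount:" + SA],
     "condition": {"title": "expires", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
]}
RULES = [
    {"name": "allow-https", "direction": "INGRESS", "targetTags": ["gw-datapath"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "allow-hc-disabled", "direction": "INGRESS", "disabled": True,
     "targetTags": ["gw-datapath"], "allowed": [{"IPProtocol": "tcp", "ports": ["65534"]}]},
    {"name": "allow-high-ports", "direction": "INGRESS", "targetTags": ["gw-datapath"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["60000-65535"]}]},
]

if __name__ == "__main__":
    print("missing roles:", sorted(missing_roles(POLICY, SA)))
    print("rules allowing health check:", rules_allowing(RULES, "gw-datapath"))
```

Roles granted through a group, or on an individual secret or bucket rather than the project, do not appear in the project policy and are reported as missing, so confirm those by hand.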