Skip to content

GCP Egress

The Valtix Gateways can be deployed to protect workloads egressing from your VPC to the internet/datacenter. Valtix Gateway acts as a Forward Proxy for these applications in a transparent fashion. Only applications which use SNI or HTTP based applications are currently supported.

Valtix Gateways can be deployed in Egress mode for both an Edge VPC (standalone VPC) or in a Centralized (Hub) VPC with Spoke VPCs peered to the Hub VPC.

To deploy a Valtix Gateway in GCP in Egress mode, choose Egress as the Security type while creating a Gateway. Valtix internally creates an internal TCP/UDP load balancer which can send traffic to a set of scale out Valtix Gateway instances in multiple availability zones.

Proceed with the Valtix Gateway creation.

VPC Setup

Once the Valtix Gateway has been deployed in the VPC, there are few configuration changes that need to be made in the VPC to ensure that all Egress traffic is protected by Valtix Gateways. These steps apply to both distributed security model (Edge VPC) or centralized security (Hub VPC).

Routing changes

To redirect the internet traffic from the instances to go via the Valtix Gateways, the default route to the internet Gateway needs to be deleted and a new default route needs to be added in which the next hop is the internal Load Balancer created by Valtix.

Instructions to create this default route:

CLI:

gcloud compute routes create default-to-valtix-Gateway --project=<project> \
    --network=<vpc> --priority=1000 --destination-range=0.0.0.0/0 \
    --next-hop-ilb=<Valtix Gateway’s ILB forwarding rule> \
    --next-hop-ilb-region=<region>

To allow the Valtix Gateway instances egress the secured traffic to the internet, a higher priority route than the one created in the previous step needs to be created which should be made applicable only to the Valtix Gateways.

All Valtix Gateway instances are created with the network tag associated with it when the Gateway was created. This network tag should be used to create the higher priority route to restrict traffic only from instances with that tag to egress to the internet using the default internet Gateway.

In the example below, the Valtix Gateway was configured with the “valtix” tag.

CLI:

gcloud compute routes create default-for-valtix-Gateway --project=<project> \
    --network=<vpc> --priority=900 --tags=valtix --destination-range=0.0.0.0/0 \
    --next-hop-Gateway=default-internet-Gateway

Network tag for Valtix Gateway

Since the default route for Valtix Gateway tag is a higher priority route, care must be taken to ensure that this tag is applied exclusively for Valtix Gateway only and not to any client instances. If the same tag is applied to any other instances, traffic from those clients will directly egress to the internet bypassing the Valtix Gateway.

Health Check - Gateway rule changes

To allow health check traffic from the internal load balancer to reach the Valtix Gateway instances, a GCP firewall rule must be added to allow traffic from the following CIDR ranges for the health check port. (By default the health check port is 65534 and can be overridden during the Gateway creation on the Valtix dashboard)

35.191.0.0/16, 130.211.0.0/22

Please refer to GCP Load Balancer Health Checks for more details.

This firewall rule is in addition to the application specific firewall rules for the application traffic.

Centralized security

Valtix Gateway can be deployed in a central security VPC (Hub VPC) to centralize all the security enforcement in a single VPC. This has a distinct advantage of deploying a separate security domain/VPC.

The deployment of the Valtix Gateway is the same in both the distributed and centralized VPC case, but a few extra configuration steps need to be performed in the VPC to ensure that Valtix Gateways can protect egress traffic from all the Spoke VPCs.

Peering

To protect Spoke VPC egress application traffic, they need to be peered with the Hub VPC in which the Valtix Gateway has been deployed. This allows the traffic from those VPCs to reach the Hub VPC.

Import/Export routes

While peering the Spoke VPC to the Hub VPC, the Spoke VPC needs to import the routes from the Hub VPC. Similarly, when the Hub VPC is being peered with a Spoke VPC, the Hub VPC needs to export its routes. This will allow the default route to the internal load balancer deployed by Valtix to be imported inside each of the Spoke VPC.

CLI:

gcloud compute networks peerings create Hub-to-spoke --network=Hub-network \
    --peer-network=spoke-network --export-custom-routes
gcloud compute networks peerings create spoke-to-Hub --network=spoke-network \
    --peer-network=Hub-network --import-custom-routes

Delete the Default Internet Gateway route in Spoke VPC

After the VPCs have been peered, the default Internet Gateway in the Spoke VPC needs to be deleted so that traffic from the Spoke VPC will use the default route exported by the Hub VPC.

CLI:

export spoke_default_route=$(gcloud compute routes list \
    --format="value(name)" \
    --filter="network:spoke-vpc AND nextHopGateway:default-internet-Gateway")

gcloud compute routes delete $spoke1_default_route -q