Skip to content

Manage (Protect) Spoke VPCs in Hub Mode

When a Service VPC is created with a new Transit Gateway OR existing Transit Gateway, Valtix takes care of the orchestration of the Transit Gateway and Services VPC. It can also create Attachments for the Spoke VPCs and manage Transit Gateway route tables. This is a fully managed Transit Gateway solution that makes it very easy to use a Services VPC for Centralized security.

Tech Notes

  • Wait for the Service VPC be created successfully and state is ACTIVE before proceeding with the following steps
  • Valtix Gateway can be deployed later in Service VPC that you just created

To protect spoke VPCs, we need to associate spoke VPCs to the Service VPC. This allows Valtix to orchestrate the routing and create Attachments for spoke VPC's traffic to be inspected by Valtix. There are two ways to associate VPCs to the Service VPC.

  • Add Spoke VPCs from Service VPC Menu
  • Add Spoke VPCs from Inventory Menu

Add Spoke VPCs from Service VPC Menu

  1. Navigate to Manage -> Service VPCs
  2. Select a Service VPC and click on Manage Spoke VPCs
  3. For the Spoke VPCs in the current account where the transit Gateway is created, add the VPCs under Current Account VPCs to Protect
  4. Select the VPC from the dropdown, you cannot change the account and the region in this table. Click Add to add more VPCs
  5. For the Spoke VPCs in the other accounts, add those under External Account VPCs to Protect table (The accounts must be added to the Valtix Controller prior to adding the VPCs. Please check the Add Cloud Account section on how to add a new Cloud account to the Valtix Controller)
    1. Select the account, region and the VPCs in that region
    2. Valtix sets up automatic acceptance of the attachment invitations. So you don't need to do any manual steps to accept the attachments
  6. Click on View/Edit link under the Route Tables column.
  7. Select the route table to update default route to Transit Gateway.
  8. (Optional) Select TGW Attachment Subnet to select which subnet to place the ENI
  9. Click Save

Add Spoke VPCs from Inventory Menu

  1. Navigate to Manage -> Cloud Accounts -> Inventory
  2. Click on VPCs/VNets. This will list all the VPCs in your cloud accounts.
  3. Click on the Secure button to secure VPC.
  4. Select Service VPC.
  5. Select route table to update default route next hop to Transit Gateway
  6. (Optional) Expand Customize Transit Gateway Attachment Subnets to customize Transit Gateway Subnet selection
  7. Click Save.

Tech Notes

When enabling Protected VPCs, Valtix Controller orchestrates the following:

  • Creates Transit Gateway VPC Attachment for each of the Spoke VPCs
  • Adds a Transit Gateway route table for each of the Attachments and associate with the Attachments
  • Adds a default route in the TGW route table (associated with the Spoke VPC) to go to the Service VPC Attachment (and thus to the Service VPC)

Here is a sample routing setup after attaching two (2) Spoke VPCs

egress-hub-routes

Subnet Selection for Transit Gateway Attachment

When protecting spoke VPCs in centralized model (either through Service VPC Menu or Inventory Menu), Valtix attach VPCs to the Transit Gateway that is associated to the Service VPC. When attaching VPCs to the Transit Gateway, users can choose which subnet in each Avaliability Zone to place the ENIs. By default, Valtix will randomly select a subnet in each AZ for Transit Gateway attachment.

To customize the Transit Gateway subnet selection, please see Add Spoke VPCs from Serice VPC Menu or Add Spoke VPCs from Inventory Menu