Valtix Gateway instances require two (2) Security Groups and 2 Subnets per Availability Zone (AZ). This is required only if you are planning to deploy the Valtix Gateway in the same VPC as your applications.
The two (2) subnets required for Valtix deployment are management and datapath. During the Gateway deployment the Controller asks you to provide the names of these subnets. Each AZ requires these 2 subnets.
The management subnet is a public subnet and must be associated with the route table that has a default route to the internet gateway (IGW). Valtix Gateway instances have a network interface attached to this subnet for communication with the Controller. This is used for policy pulls and other management and telemetry activities between the Controller and the Gateways. Customer application traffic does not flow through this interface/subnet. The interface is associated with the management security group (described in the section below).
The datapath subnet is a public subnet and must be associated with the route table that has a default route to the internet gateway (IGW). The Valtix Controller creates a Network Load Balancer (NLB) in this subnet and the Gateway instances have a network interface attached to this subnet. The customer application traffic flows through this interface. The Valtix Gateway security policy is applied to the traffic that flows through this interface. The interface is associated with the datapath security group (described in the section below).
The management and datapath security groups are associated with the interfaces on the Gateway instance as described above.
The management security group needs to allow Outbound traffic permitting the Gateway instances to communicate with the Controller.
The datapath security group is attached to the datapath interface and allows the traffic into the Gateway instance. Currently this security group is not managed by the Controller. An Outbound rule must exist to allow the traffic to egress this interface. Inbound ports must be opened for each port that you configure in the Valtix security policy. For example, if you configure a Valtix Service to listen on port 443, then port 443 must be opened on the datapath security group.
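Because the Controller does not manage the datapath security group, it can drift from the Valtix policy. The following added example (not Valtix code) audits a security group, given in the shape returned by `aws ec2 describe-security-groups`, against the ports your Valtix services listen on; the sample group and the service port list are constructed for illustration.

```python
# Added example: compare a datapath security group with the Valtix service
# ports. SAMPLE_SG is constructed data in the describe-security-groups shape.
SAMPLE_SG = {
    "GroupName": "valtix-datapath",  # hypothetical name
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def inbound_tcp_ranges(sg):
    """Return the set of (low, high) TCP port ranges allowed inbound."""
    ranges = set()
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":            # "all traffic" rule covers every port
            ranges.add((0, 65535))
        elif proto == "tcp":
            ranges.add((perm["FromPort"], perm["ToPort"]))
    return ranges


def audit_datapath_sg(sg, service_ports):
    """Report service ports that are blocked and rules wider than needed."""
    ranges = inbound_tcp_ranges(sg)
    missing = sorted(p for p in service_ports
                     if not any(lo <= p <= hi for lo, hi in ranges))
    wider = []
    for lo, hi in sorted(ranges):
        used = sum(1 for p in set(service_ports) if lo <= p <= hi)
        if (hi - lo + 1) > used:     # rule opens ports no service listens on
            wider.append((lo, hi))
    return {
        "missing": missing,                       # must be opened
        "wider_than_needed": wider,               # candidates to tighten
        "has_egress": bool(sg.get("IpPermissionsEgress")),
    }


if __name__ == "__main__":
    # Services on 443 and 8443: 8443 is blocked, the port 80 rule is unused.
    print(audit_datapath_sg(SAMPLE_SG, [443, 8443]))
```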
For a "green field" or POC deployment, use this CloudFormation template: https://valtix-public.s3.amazonaws.com/cloud-formation/valtix-datapath.yml. The template also provides additional options to create an EC2 instance for a test application.
- Internet Gateway (IGW) and attach it to the VPC
- Management Subnet AZ1
- Management Route Table AZ1 attached to the Management Subnet AZ1 with default route to IGW
- Management Subnet AZ2
- Management Route Table AZ2 attached to the Management Subnet AZ2 with default route to IGW
- Datapath Subnet AZ1
- Datapath Route Table AZ1 attached to the Datapath Subnet AZ1 with default route to IGW
- Datapath Subnet AZ2
- Datapath Route Table AZ2 attached to the Datapath Subnet AZ2 with default route to IGW
- Apps Subnet AZ1
- Apps Route Table AZ1 attached to the Apps Subnet AZ1 with default route to IGW
- Apps Subnet AZ2
- Apps Route Table AZ2 attached to the Apps Subnet AZ2 with default route to IGW
- Management Security Group with Outbound rules
- Datapath Security Group with Outbound rules and Inbound rules for port 80 and 443
- Apps Security Group with outbound rules and inbound rules for port 22, 80, 443, 8000
- Create an EC2 instance in the Apps Subnet using a default Valtix image based on CentOS. You can choose your own AMI if needed
The subnets are created in two (2) AZs so you can operate the Valtix Gateways and apps in multiple Availability Zones.
You can run this template multiple times to create multiple VPCs that can be attached to the AWS Transit Gateway for the Centralized Security (Hub) deployment architecture.
- Stack Name - Provide a name for the stack (e.g. valtix-dp-resources)
- Prefix - A prefix to apply to all the resources' Name Tags (e.g. valtix)
- Create Valtix Resources - Yes/No. Choosing Yes would create the mgmt/dp subnets, mgmt/dp security groups. Choosing No would not create these resources.
- Create Bastion Host - Bastion Host that can be used to SSH to the App VMs (App VMs already get a public IP and have route to the Internet Gateway. You can later delete the route so the VMs can be private. Bastion host can be used to SSH to these VMs)
- VPC CIDR - CIDR for the VPC
- Subnet Mask bits - Number of bits to use for each subnet. This is NOT the subnet mask. If you want the subnet to have mask /24, then choose 8 for the bits. (Other masks and bits: /27 use 5, /26 use 6 and so on (32 - number of bits in the mask))
- Availability Zone 1 and Zone 2 - Choose the AZs
- AMI for App Instance - valtix-default AMI is available in us-east-1, us-east-2, us-west-1 and us-west-2. This is a CentOS 7 image with docker and a sample Hello World application. You can provide your own AMI or any other AMI in the region
- Instance Type - Choose the option. If the choices are limited, you can download the CloudFormation template and edit to add new choices
- EC2 Key Pair - Choose the SSH keypair to associate to the EC2 instances
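To check a VPC CIDR and Subnet Mask bits combination before launching the stack, the following added example (not part of the Valtix template) converts the bits value to a prefix length and confirms the VPC can hold the six subnets listed above. The subnet names and the sequential allocation order are assumptions; the template's actual order is not stated on this page.

```python
import ipaddress

# Six subnets from the resource list above; names and order are assumptions.
SUBNET_NAMES = ["mgmt-az1", "mgmt-az2", "datapath-az1",
                "datapath-az2", "apps-az1", "apps-az2"]


def plan_subnets(vpc_cidr, subnet_bits, names=SUBNET_NAMES):
    """Map each subnet name to a CIDR carved from the VPC.

    subnet_bits is the template's "Subnet Mask bits" value, so the
    resulting prefix length is 32 - subnet_bits (8 bits gives /24).
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    prefix = 32 - subnet_bits
    # AWS accepts IPv4 subnets between /16 and /28.
    if not 16 <= prefix <= 28:
        raise ValueError(f"/{prefix} is outside the AWS range /16 to /28")
    if prefix < vpc.prefixlen:
        raise ValueError(f"/{prefix} subnet is larger than VPC {vpc}")
    available = 2 ** (prefix - vpc.prefixlen)
    if available < len(names):
        raise ValueError(
            f"{vpc} holds only {available} /{prefix} subnets, "
            f"{len(names)} are required")
    subnets = vpc.subnets(new_prefix=prefix)
    return {name: str(net) for name, net in zip(names, subnets)}


if __name__ == "__main__":
    for name, cidr in plan_subnets("10.0.0.0/16", 8).items():
        print(f"{name:14} {cidr}")
```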