Skip to content

VPC Setup

Valtix Gateway instances require two (2) Security Groups and 2 Subnets per Availability Zone (AZ). This is required only if you are planning to deploy the Valtix Gateway in the same VPC as your applications.

Subnets

The two (2) subnets required for Valtix deployment are management and datapath. During the Gateway deployment the Controller asks you to provide the names of these subnets. Each AZ requires these 2 subnets.

Management subnet is a public subnet and must be associated with the route table that has a default route to the internet gateway (IGW). Valtix Gateway instances have a network interface attached to this subnet for communicaiton to the Controller. This is used for policy pulls and other management and telemetry activities between the Controller and the Gateways. Customer application traffic does not flow through this interface/subnet. The interface is associated with management security-sroup (described in section below).

Datapath subnet is a public subnet and must be associated with the route table that has a default route to the internet gateway (IGW). Valtix Controller creates a Network Load Balancer (NLB) in this subnet and the Gateway instances have a network interface attached to this subnet. The customer application traffic flows through this interface. The Valtix Gateway security policy is applied for the traffic that flows through this interface. The interface is associated with datapath security-group (described in section below)

Security Groups

The management and datapath security groups are associated to the interfaces on the Gateway instance as described above.

The management security group needs to allow Outbound traffic permitting the Gateway instances to communicate with the Controller.

The datapath security group is attached to the datapath interface and allows the traffic into the Gateway instance. Currently this security group is not managed by the Controller. An Outbound rule must exist to allow the traffic to egress this interface. Inbound ports must be opened for each port that you configure in the Valtix security policy. For example, if you configure a Valtix Service to listen on port 443, then port 443 must be opened on the datapath security group.

CloudFormation Template

For a "green field" or POC deployment, use this CloudFormation template https://valtix-public.s3.amazonaws.com/cloud-formation/valtix-datapath.yml. The template also provides additional options to create a EC2 for a test application.

  1. VPC
  2. Internet Gateway (IGW) and attach it to the VPC
  3. Management Subnet AZ1
  4. Management Route Table AZ1 attached to the Management Subnet AZ1 with default route to IGW
  5. Management Subnet AZ2
  6. Management Route Table AZ2 attached to the Management Subnet AZ2 with default route to IGW
  7. Datapath Subnet AZ1
  8. Datapath Route Table AZ1 attached to the Datapath Subnet AZ1 with default route to IGW
  9. Datapath Subnet AZ2
  10. Datapath Route Table AZ2 attached to the Datapath Subnet AZ2 with default route to IGW
  11. Apps Subnet AZ1
  12. Apps Route Table AZ1 attached to the Apps Subnet AZ1 with default route to IGW
  13. Apps Subnet AZ2
  14. Apps Route Table AZ2 attached to the Apps Subnet AZ2 with default route to IGW
  15. Management Security Group with Outbound rules
  16. Datapath Security Group with Outbound rules and Inbound rules for port 80 and 443
  17. Apps Security Group with outbound rules and inbound rules for port 22, 80, 443, 8000
  18. Create a EC2 in the Apps Subnet using a default Valtix image based on CentOS. You can choose your own AMI if needed

The subnets are created in two (2) AZs so you can operate the Valtix Gateways and apps in multiple Availability Zones.

You can run this template multiple times to create multiple VPC's that can be attached to the AWS Transit Gateway for Centralized Security (Hub) deployment architecure.

CloudFormation Parameters

  1. Stack Name - Provide a name for the stack (eg. valtix-dp-resources)
  2. Prefix - A prefix to apply to all the resources' Name Tags (e.g valtix)
  3. Create Valtix Resources - Yes/No. Choosing Yes would create the mgmt/dp subnets, mgmt/dp security groups. Choosing No would not create these resources.
  4. Create Bastion Host - Bastion Host that can be used to SSH to the App VMs (App VMs already get a public IP and have route to the Internet Gateway. You can later delete the route so the VMs can be private. Bastion host can be used to SSH to these VMs)
  5. VPC CIDR - CIDR for the VPC
  6. Subnet Mask bits - Number of bits to use for each of the subnet. This is NOT the subnet mask. If you want the subnet to have mask /24, then choose 8 for the bits. (Other masks and bits: /27 use 5, /26 use 6 and so on (32 - number of bits in the mask))
  7. Availability Zone 1 and Zone 2 - Choose the AZs
  8. AMI for App Instance - valtix-default AMI is available in us-east1, us-east2, us-west1 and us-west2. This is a CentOS 7 with docker and a sample Hello World application. You can provide your own AMI or any other AMI in the region
  9. Instance Type - Choose the option. If the choices are limited, you can download the CloudFormation template and edit to add new choices
  10. EC2 Key Pair - Choose the SSH keypair to associate to the EC2 instances