This document describes the requirements and resources (subnets, security groups) that must exist in your VNet before you can create Valtix Gateways in it.
When configuring your Gateway deployment, the Valtix Controller will prompt you for the management and datapath subnet information.
The management subnet is a public subnet that must be associated with a route table that has a default route to the Internet. The Valtix Gateway instance has an interface attached to this subnet that it uses to communicate with the Valtix Controller. This interface carries policy pushes and other management and telemetry traffic between the Valtix Controller and the Valtix Gateway instances. Customer application traffic does not flow through this interface or subnet. The interface is associated with the management security group, which is described in the Security Groups section below.
The datapath subnet is a public subnet that must be associated with a route table that has a default route to the Internet. The Valtix Controller creates a network load balancer (NLB) in this subnet, and each Valtix Gateway instance has an interface attached to it. Customer application traffic flows through this interface, and the security policy is applied to the traffic ingressing through it. The interface is associated with the datapath security group, which is described in the Security Groups section below.
The management and datapath security groups are associated with the respective interfaces on the Valtix Gateway instance, as described in the Subnets section above.
The management security group must allow outbound traffic so that the Gateway instance can communicate with the Controller. Optionally, add an inbound rule for port 22 (SSH) to allow SSH access to the Gateway instance; if you do, restrict the rule's source to your administrative address range rather than the whole Internet. SSH is not mandatory for the Valtix Gateway to function properly.
The datapath security group is attached to the datapath interface and allows traffic from the Internet to the Valtix Gateway. Currently the Valtix Controller does not manage this security group, so you must maintain it yourself. An outbound rule must exist that allows traffic to egress this interface, and an inbound rule must be opened for each port that is configured in the Valtix Controller security policy and used by the Valtix Gateway. When you add a new port to the policy, remember to open it here as well, or the new rule will never see traffic.
For example, if an application is running on port 3000 and is proxied by the Valtix Gateway on port 443, port 443 must be opened on the datapath security group. This example also implies that port 3000 is open on the security group attached to your application; that rule should allow port 3000 only from the datapath subnet, not from the Internet, so that the application cannot be reached without passing through the Gateway.
Use the ARM template https://valtix-public.s3.amazonaws.com/azure-rm/datapath.json to create all of the resources described on this page.
This template creates a new VNet, which is useful for getting started with Valtix without touching your existing production environment.
The template creates the following resources:
- Management Subnet
- Datapath Subnet
- Management Security Group with Outbound rules
- Datapath Security Group with Outbound rules and Inbound rules for port 443
You can create additional subnets to run apps and create app-specific security groups, as needed.
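The following ARM template is an added illustration of the resource set described above (management subnet, datapath subnet, management and datapath security groups, plus an application security group for the port 3000 example). It is not the Valtix template linked above, and it makes several assumptions that are not stated on this page: the address ranges, the resource names, the 203.0.113.0/24 placeholder admin range used for the optional SSH rule, and the choice to leave the management and datapath security groups unattached so that the Controller can associate them with the Gateway interfaces when the Gateway is deployed. Azure Resource Manager accepts `//` comments in templates, and they are used here to mark those assumptions.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vnetName":  { "type": "string", "defaultValue": "valtix-vnet" },
    "location":  { "type": "string", "defaultValue": "[resourceGroup().location]" },
    // Assumed placeholder (TEST-NET-3): the only range allowed to SSH to the Gateway.
    "adminCidr": { "type": "string", "defaultValue": "203.0.113.0/24" },
    // Port the Gateway proxies on (must match the Controller security policy).
    "proxyPort": { "type": "string", "defaultValue": "443" },
    // Port the backend application listens on behind the Gateway.
    "appPort":   { "type": "string", "defaultValue": "3000" }
  },
  "variables": {
    // Assumed address plan; adjust to your own.
    "mgmtSubnetPrefix":     "10.0.1.0/24",
    "datapathSubnetPrefix": "10.0.2.0/24",
    "appSubnetPrefix":      "10.0.3.0/24"
  },
  "resources": [
    {
      // Management security group: outbound to the Controller, optional SSH inbound from admins only.
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-11-01",
      "name": "valtix-mgmt-nsg",
      "location": "[parameters('location')]",
      "properties": { "securityRules": [
        { "name": "allow-outbound-to-controller",
          "properties": { "priority": 100, "direction": "Outbound", "access": "Allow", "protocol": "*",
                          "sourceAddressPrefix": "*", "sourcePortRange": "*",
                          "destinationAddressPrefix": "Internet", "destinationPortRange": "*" } },
        { "name": "allow-ssh-from-admin-range",
          "properties": { "priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
                          "sourceAddressPrefix": "[parameters('adminCidr')]", "sourcePortRange": "*",
                          "destinationAddressPrefix": "*", "destinationPortRange": "22" } }
      ] }
    },
    {
      // Datapath security group: inbound only on the proxied port, plus the required outbound rule.
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-11-01",
      "name": "valtix-datapath-nsg",
      "location": "[parameters('location')]",
      "properties": { "securityRules": [
        { "name": "allow-proxied-port-from-internet",
          "properties": { "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
                          "sourceAddressPrefix": "Internet", "sourcePortRange": "*",
                          "destinationAddressPrefix": "*", "destinationPortRange": "[parameters('proxyPort')]" } },
        { "name": "allow-outbound",
          "properties": { "priority": 110, "direction": "Outbound", "access": "Allow", "protocol": "*",
                          "sourceAddressPrefix": "*", "sourcePortRange": "*",
                          "destinationAddressPrefix": "*", "destinationPortRange": "*" } }
      ] }
    },
    {
      // Application security group: the backend port is reachable only from the datapath subnet.
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-11-01",
      "name": "app-nsg",
      "location": "[parameters('location')]",
      "properties": { "securityRules": [
        { "name": "allow-app-port-from-datapath-subnet",
          "properties": { "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
                          "sourceAddressPrefix": "[variables('datapathSubnetPrefix')]", "sourcePortRange": "*",
                          "destinationAddressPrefix": "*", "destinationPortRange": "[parameters('appPort')]" } }
      ] }
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2020-11-01",
      "name": "[parameters('vnetName')]",
      "location": "[parameters('location')]",
      "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', 'app-nsg')]" ],
      "properties": {
        "addressSpace": { "addressPrefixes": [ "10.0.0.0/16" ] },
        "subnets": [
          { "name": "valtix-mgmt-subnet",     "properties": { "addressPrefix": "[variables('mgmtSubnetPrefix')]" } },
          { "name": "valtix-datapath-subnet", "properties": { "addressPrefix": "[variables('datapathSubnetPrefix')]" } },
          { "name": "app-subnet",
            "properties": { "addressPrefix": "[variables('appSubnetPrefix')]",
              "networkSecurityGroup": { "id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'app-nsg')]" } } }
        ]
      }
    }
  ]
}
```

The point of the three groups is the trust boundary they draw: the Internet can reach the Gateway only on the proxied port, administrators can reach the Gateway only on SSH and only from their own range, and the application accepts its backend port only from the datapath subnet. If you later add a port to the Controller policy, add a matching inbound rule to valtix-datapath-nsg, since the Controller does not manage that group. The template can be pasted into the Azure portal editor following the Launch ARM Template steps below.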
Launch ARM Template
- Search for Deploy a custom template in the Azure Portal
- Click Build your own template in the editor
- Copy the content from the ARM template and paste into the editor
- Click Save
- Select the Subscription, Resource group and the Region
- Click Review + create
- Wait for a few minutes for all the resources to be created