Valtix Gateway instances can be deployed in Edge or Hub mode. In Edge mode, the Gateway instances run in the same VPC as your applications.
This document covers the Edge mode deployment and guides you through preparing the VPCs for the Valtix Gateway.
VPC and Subnets
When deploying the Valtix Gateway, the Valtix Controller prompts for the management and datapath VPC information. Valtix Gateway instances require two (2) network interfaces. In GCP, each network interface of a VM instance must be in a different VPC, unlike other cloud providers where the interfaces can simply be in different subnets of the same VPC. If you already have a VPC where the application is running, that is your datapath VPC and subnet. You must create another VPC (or use another existing VPC) for management purposes. You can either use the auto-created subnets or create them manually.
The datapath VPC is the VPC where your applications are running; it is referred to as such in the following sections.
In each of the VPCs, Valtix requires a subnet. Create subnets in all the regions where you plan to deploy the Valtix Gateway.
The management subnet is a public subnet, and its VPC must have a default route to the Internet (in GCP, routes belong to the VPC rather than to a per-subnet route table). The Valtix Gateway instance has an interface attached to this subnet that it uses to communicate with the Valtix Controller. This interface carries policy pushes and other management and telemetry traffic between the Valtix Controller and the Valtix Gateway instances. Customer application traffic does not flow through this interface or subnet. The interface is associated with the valtix-management network tag (or any tag your team requires), which is described in the Network Tags section below.
The datapath subnet is a public subnet, and its VPC must likewise have a default route to the Internet. The Valtix Controller creates a network load balancer (NLB) in this subnet, and each Valtix Gateway instance has an interface attached to it. Customer application traffic flows through this interface, and the security policy is applied to the traffic ingressing through it. The interface is associated with the valtix-datapath network tag (or any tag your team requires), which is described in the Network Tags section below.
Network Tags (for GCP Gateways)
The management and datapath network tags are associated with the respective interfaces on the Valtix Gateway instance, as described in the Subnets section above.
Create a firewall rule in the management VPC and associate it with the valtix-management network tag. It must allow all outbound traffic so the Gateway instance can communicate with the Controller. Optionally, add an inbound rule for port 22 (SSH) to allow SSH access to the Gateway instance; if you do, restrict its source ranges to your administrative addresses rather than leaving it open to 0.0.0.0/0. SSH is not required for the Valtix firewall to function.
Create a firewall rule in the datapath VPC and associate it with the valtix-datapath network tag. It must allow inbound traffic to the Valtix Gateway on the ports of all the services you enable (or plan to enable).
For example, if an application is running on port 3000 and is proxied by the Valtix Gateway on port 443, port 443 must be opened on the valtix-datapath network tag. The application port itself (3000) is opened on the application instances' own tag, as the sample below does for port 8000.
Sample VPC and Subnets using CLI
- Create VPC apps and subnet apps-us-east1
- Create VPC valtix-mgmt and subnet valtix-mgmt-us-east1
- Firewall rules for VPC valtix-mgmt with target-tags as valtix-mgmt
  - Egress rule to allow all outbound traffic
  - Ingress rule to allow SSH into the Gateway instances
- Firewall rules for VPC apps
  - Egress rule to allow all outbound traffic with target-tags as valtix-datapath
  - Ingress rule to allow HTTP and HTTPS into the Gateway instances (via NLB) with target-tags as valtix-datapath
  - Egress rule to allow all outbound traffic with target-tags as app-instance
  - Ingress rule to allow tcp:8000 (test application) and tcp:22 (SSH) with target-tags as app-instance
```bash
gcloud config set project <project-name>   # in case the project is not set in the gcloud CLI shell

# Datapath VPC and subnet (where the applications run)
gcloud compute networks create apps --subnet-mode custom
gcloud compute networks subnets create apps-us-east1 --network apps --range 10.0.0.0/24 --region us-east1

# Management VPC and subnet (Gateway-to-Controller traffic only)
gcloud compute networks create valtix-mgmt --subnet-mode custom
gcloud compute networks subnets create valtix-mgmt-us-east1 --network valtix-mgmt --range 172.16.0.0/24 --region us-east1

# Management VPC: allow all egress from the Gateway management interface, and SSH into it
gcloud compute firewall-rules create valtix-mgmt-out --direction EGRESS --network valtix-mgmt \
  --target-tags valtix-mgmt --allow tcp,udp
# Without --source-ranges, gcloud defaults this rule to 0.0.0.0/0; add
# --source-ranges <your-admin-cidr> to limit SSH to your administrative addresses
gcloud compute firewall-rules create valtix-mgmt-in --direction INGRESS --network valtix-mgmt \
  --target-tags valtix-mgmt --allow tcp:22

# Datapath VPC: Gateway datapath interface egress, and ingress on the ports the Gateway proxies (via the NLB)
gcloud compute firewall-rules create valtix-datapath-out --direction EGRESS --network apps \
  --target-tags valtix-datapath --allow tcp,udp
gcloud compute firewall-rules create valtix-datapath-in --direction INGRESS --network apps \
  --target-tags valtix-datapath --allow tcp:80,tcp:443

# Datapath VPC: test application instances (port 8000 for the app, 22 for SSH)
gcloud compute firewall-rules create app-instance-out --direction EGRESS --network apps \
  --target-tags app-instance --allow tcp,udp
gcloud compute firewall-rules create app-instance-in --direction INGRESS --network apps \
  --target-tags app-instance --allow tcp:8000,tcp:22
```
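Before creating the Gateway, it is worth confirming that the rules above actually exist and are no wider than intended. The following pre-flight check is an added example, not Valtix or Google code: it reads the JSON produced by `gcloud compute firewall-rules list --format=json` (the field names `network`, `direction`, `targetTags`, `allowed`, `sourceRanges` and `destinationRanges` are those of the Compute Engine Firewall resource), checks the management tag for an allow-all egress rule and the datapath tag for each proxied port, and warns when SSH to a Gateway tag is open to 0.0.0.0/0. The project name in the sample URLs, the embedded sample rules and the function names are the example's own.

```python
"""Pre-flight check of GCP firewall rules for a Valtix Edge-mode Gateway.

Added example, not Valtix or Google code. Run it with the path to a file
written by `gcloud compute firewall-rules list --format=json`, or with no
arguments to check the constructed sample below.
"""
import json
import sys

# Assumed project name; only the trailing network name of the URL is compared.
NET = "https://www.googleapis.com/compute/v1/projects/my-project/global/networks/"

# Constructed sample mirroring the rules created by the gcloud commands above.
# gcloud fills in 0.0.0.0/0 when --source-ranges / --destination-ranges are
# omitted, so the SSH rule here is open to the world, as it is in the sample.
SAMPLE_RULES = [
    {"name": "valtix-mgmt-out", "network": NET + "valtix-mgmt", "direction": "EGRESS",
     "targetTags": ["valtix-mgmt"], "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp"}, {"IPProtocol": "udp"}]},
    {"name": "valtix-mgmt-in", "network": NET + "valtix-mgmt", "direction": "INGRESS",
     "targetTags": ["valtix-mgmt"], "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "valtix-datapath-out", "network": NET + "apps", "direction": "EGRESS",
     "targetTags": ["valtix-datapath"], "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp"}, {"IPProtocol": "udp"}]},
    {"name": "valtix-datapath-in", "network": NET + "apps", "direction": "INGRESS",
     "targetTags": ["valtix-datapath"], "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
]

def network_of(rule):
    """Network name from the self-link URL gcloud returns."""
    return rule["network"].rsplit("/", 1)[-1]

def _port_in_spec(port, spec):
    """spec is a single port "22" or a range "8000-8010", as in allowed[].ports."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rule_allows(rule, proto, port=None):
    """True if allowed[] permits proto on port; with port=None, proto on all ports."""
    for entry in rule.get("allowed", []):
        if entry["IPProtocol"].lower() not in (proto, "all"):
            continue
        ports = entry.get("ports")
        if not ports:
            return True  # protocol-wide entry, no port restriction
        if port is not None and any(_port_in_spec(port, s) for s in ports):
            return True
    return False

def matching_rules(rules, network, direction, tag):
    """Enabled rules in `network` with the given direction that target `tag`."""
    return [r for r in rules
            if network_of(r) == network and r["direction"] == direction
            and tag in r.get("targetTags", []) and not r.get("disabled", False)]

def check_gateway_rules(rules, mgmt_net, mgmt_tag, dp_net, dp_tag, service_ports):
    """Return (level, message) findings; an empty list means the prerequisites hold."""
    findings = []
    # 1. Management interface: all tcp and udp egress to anywhere (Controller traffic).
    mgmt_out = matching_rules(rules, mgmt_net, "EGRESS", mgmt_tag)
    for proto in ("tcp", "udp"):
        if not any(rule_allows(r, proto) and "0.0.0.0/0" in r.get("destinationRanges", [])
                   for r in mgmt_out):
            findings.append(("ERROR", f"{mgmt_tag}: no EGRESS rule allowing all {proto} in {mgmt_net}"))
    # 2. Datapath interface: every proxied service port must be reachable (via the NLB).
    dp_in = matching_rules(rules, dp_net, "INGRESS", dp_tag)
    for port in service_ports:
        if not any(rule_allows(r, "tcp", port) for r in dp_in):
            findings.append(("ERROR", f"{dp_tag}: tcp:{port} not allowed INGRESS in {dp_net}"))
    # 3. SSH to the Gateway is optional; if present it should not be open to the world.
    for net, tag in ((mgmt_net, mgmt_tag), (dp_net, dp_tag)):
        for r in matching_rules(rules, net, "INGRESS", tag):
            if rule_allows(r, "tcp", 22) and "0.0.0.0/0" in r.get("sourceRanges", []):
                findings.append(("WARN", f"{r['name']}: tcp:22 to {tag} open to 0.0.0.0/0; set --source-ranges"))
    return findings

def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as f:
            rules = json.load(f)
    else:
        rules = SAMPLE_RULES
    findings = check_gateway_rules(rules, "valtix-mgmt", "valtix-mgmt",
                                   "apps", "valtix-datapath", [80, 443])
    for level, msg in findings:
        print(f"{level}: {msg}")
    return 1 if any(level == "ERROR" for level, _ in findings) else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `gcloud compute firewall-rules list --format=json > rules.json` and then `python3 check_gateway_rules.py rules.json`; against the sample commands above it exits 0 but prints a warning for the world-open SSH rule. Adjust the port list in `main` to match the services you enable on the Gateway, and a missing port comes back as an error before you go through the Gateway creation page.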
Once you run the above commands, you can create a VM instance in the apps VPC and launch a test web application on port 8000.
```bash
# Test instance in the datapath VPC; the app-instance tag matches the firewall rules above
gcloud compute instances create app-instance1 \
  --zone=us-east1-b \
  --image-project=ubuntu-os-cloud \
  --image-family=ubuntu-2004-lts \
  --network apps \
  --subnet=apps-us-east1 \
  --tags=app-instance

# Log in to the instance; the next two commands run inside that SSH session
gcloud compute ssh app-instance1 --zone us-east1-b
echo hello world > index.html
python3 -m http.server 8000
```
On the Valtix Gateway creation page, use the following parameters:
- Datapath VPC: apps
- Datapath Network Tag: valtix-datapath
- Management VPC: valtix-mgmt
- Management Network Tag: valtix-mgmt
- Zone: us-east1-b
- Management Subnet: valtix-mgmt-us-east1
- Datapath Subnet: apps-us-east1
GCP subnets are regional, so Gateway instances in other zones of us-east1 can share the subnets created above; to test the Valtix Gateway in another region, first create the management and datapath subnets in that region.