Before You Begin
The supported cloud service providers are separate entities, each with its own vocabulary and gateway environment. Not every option available in the Multicloud Defense Controller is compatible with every cloud service provider. For example, AWS uses its own Transit Gateway, to which you add VPCs, while Azure uses a load balancer to manage web traffic and applications, to which you add VNets. Keep this in mind when proceeding.
Note: For AWS environments, when securing spoke VPCs in centralized mode, Multicloud Defense attaches VPCs to the Transit Gateway that is associated with the service VPC. By default, Multicloud Defense randomly selects a subnet in each availability zone for the Transit Gateway attachment. You can change this option when you add a VPC, or you can modify a VPC that is already assigned to the gateway.
You can also orchestrate a transit gateway through the Multicloud Defense Gateway or attach an existing Transit Gateway.
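To verify which subnet Multicloud Defense selected in each availability zone for the Transit Gateway attachment, the following added example (not Multicloud Defense or AWS tooling) joins the JSON printed by `aws ec2 describe-transit-gateway-vpc-attachments` and `aws ec2 describe-subnets` and reports any zone of the spoke VPC that has no attachment subnet; the VPC, subnet and transit gateway IDs are constructed sample values.

```python
"""Report the Transit Gateway attachment subnet per availability zone.

Added example, not the product's own code. Both JSON documents below are
constructed samples in the shape the AWS CLI prints; in practice you would
feed in the real output of the two describe calls for your spoke VPC.
"""
import json

# Constructed sample: `aws ec2 describe-transit-gateway-vpc-attachments`
ATTACHMENTS_JSON = json.dumps({"TransitGatewayVpcAttachments": [{
    "TransitGatewayAttachmentId": "tgw-attach-0example1",   # placeholder id
    "TransitGatewayId": "tgw-0example",                      # placeholder id
    "VpcId": "vpc-0spoke",
    "State": "available",
    "SubnetIds": ["subnet-a1", "subnet-b2"],
}]})

# Constructed sample: `aws ec2 describe-subnets` for the same spoke VPC
SUBNETS_JSON = json.dumps({"Subnets": [
    {"SubnetId": "subnet-a1", "VpcId": "vpc-0spoke", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-a2", "VpcId": "vpc-0spoke", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-b1", "VpcId": "vpc-0spoke", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-b2", "VpcId": "vpc-0spoke", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-c1", "VpcId": "vpc-0spoke", "AvailabilityZone": "us-east-1c"},
]})


def attachment_subnets_by_az(attachments_json, subnets_json, vpc_id):
    """Return ({az: attachment subnet id}, [zones of vpc_id with no attachment])."""
    attachments = json.loads(attachments_json)["TransitGatewayVpcAttachments"]
    subnets = json.loads(subnets_json)["Subnets"]
    # Map every subnet of this VPC to its zone; subnets of other VPCs are ignored
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets if s["VpcId"] == vpc_id}
    attached = {}
    for att in attachments:
        # Skip attachments for other VPCs and ones being deleted or failed
        if att["VpcId"] != vpc_id or att["State"] not in ("available", "pending"):
            continue
        for subnet_id in att["SubnetIds"]:
            if subnet_id in az_of:
                # AWS allows one attachment subnet per zone, so this is unique per AZ
                attached[az_of[subnet_id]] = subnet_id
    unattached = sorted(set(az_of.values()) - set(attached))
    return attached, unattached


if __name__ == "__main__":
    used, missing = attachment_subnets_by_az(ATTACHMENTS_JSON, SUBNETS_JSON, "vpc-0spoke")
    for az, subnet_id in sorted(used.items()):
        print(f"{az}: attached via {subnet_id}")
    for az in missing:
        print(f"{az}: no attachment subnet in this zone")
```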
Limitations
Be aware of the following limitations when creating a Multicloud Defense Gateway:
- If you deploy a Multicloud Defense Gateway that uses a site-to-site VPN tunnel containing an IPSec profile, you must deploy the gateway with a service VPC or service VNet and without a Network Address Translation (NAT) gateway on either side of the VPN connection.
- Autoscaling is not supported for gateways containing an IPSec profile.
- Policy rules within the gateway must be Forwarding only.
- If you intend to include an IPSec profile in a Multicloud Defense Gateway for an AWS or Azure account, the gateway instance must be configured with core 8. Multicloud Defense Gateway does not currently support gateways with core 2 or core 4 options.