Configure Service VPCs and Service VNets

While not strictly mandatory, we do strongly recommend creating and attaching a VPC or VNet to your Multicloud Defense Gateway as part of the deployment process. VPCs and VNets provide the necessary framework to secure, organize, and efficiently manage your network resources while integrating with a firewall gateway.

When you attach a VPC or VNet, you gain the following benefits:

  • Isolation and Security - A VPC/VNet allows you to create a logically isolated network within a cloud provider, ensuring that your resources are segregated from other users. You can also define security rules that control inbound and outbound traffic to and from your resources, using the firewall gateway to enforce these rules, thus controlling access.

  • Customizable Network Architecture - You can create subnets within a VPC or VNet to organize and segment your resources, manage IP address ranges, and customize routing tables to direct traffic efficiently within your network.

  • Scalability and Flexibility with Resource Management - Easily add or remove resources, scale your network, and adjust configurations to meet changing demands.

Without a VPC or VNet, your environment faces increased security risks and reduced control.

Before You Begin

Before you create a VPC or VNet for your gateway, we recommend looking over the following prerequisites. Some of these are specific to the cloud service provider you use.

Prerequisites

  • If you opt to configure a Service VPC or VNet with a native gateway (NAT gateway), you must have a native gateway configured from your cloud service provider. See your cloud service provider documentation for more information.

  • If you intend to deploy a Service VNet with an Azure NAT gateway, confirm you have all of the permissions in your custom role within the Azure dashboard prior to creating and deploying. See Create a custom role to assign to the Application for the complete list of permissions.

  • If you provide your own transit gateway, you are able to attach more than one Service VPC or VNet to it. It is even possible to replace an existing Service VPC or VNet with a new one without re-deploying the gateway.

  • (Preview Only) If you create a Service VPC for an FTDv gateway, only AWS and Azure accounts are supported.

Shared VPCs in GCP

If you intend to create, or have already created, a shared VPC in your GCP environment, you must complete an additional step to enable inventory in the Multicloud Defense Controller. Without these permissions, asset discovery fails and the Inventory page is not reliable. Access the IAM page of your GCP host project (shared VPC) and grant access to the Multicloud Defense Controller service account from the service project. This access is required to allow the service project to interact with shared network resources. You need to grant the following IAM roles for every GCP project that is affiliated with the shared VPC:

  • Compute Viewer

  • Compute Network User
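
Because a missing binding only shows up later as an unreliable Inventory page, it helps to verify the grant on every affiliated project before relying on discovery. The following is an added example, not part of this documentation or of Multicloud Defense itself. It assumes each project's IAM policy has been exported with `gcloud projects get-iam-policy PROJECT_ID --format=json` (a real gcloud command whose JSON output has a `bindings` list of `role`/`members` entries); the project IDs and the controller service-account address are constructed placeholders, and the sample policy documents are embedded so the check runs offline.

```python
"""Audit shared-VPC projects for the IAM roles the Multicloud Defense
Controller service account needs for inventory.

Added example, not Cisco's code.  Policy documents are assumed to come from
`gcloud projects get-iam-policy PROJECT_ID --format=json`; the project IDs and
service-account address are constructed placeholders.
"""
import json

# Roles the page lists as required on every project affiliated with the shared VPC.
REQUIRED_ROLES = {
    "roles/compute.viewer",       # Compute Viewer
    "roles/compute.networkUser",  # Compute Network User
}

# Placeholder: the controller's service account, in gcloud IAM member syntax.
CONTROLLER_SA = (
    "serviceAccount:mcd-controller@service-project-example.iam.gserviceaccount.com"
)

# Constructed sample: two exported policies.  The host project is missing one role.
SAMPLE_POLICIES = {
    "host-project-example": json.dumps({
        "bindings": [
            {"role": "roles/compute.viewer", "members": [CONTROLLER_SA]},
            {"role": "roles/compute.networkUser",
             "members": ["group:netops@example.com"]},
        ],
        "etag": "BwXyzExample=", "version": 1,
    }),
    "service-project-example": json.dumps({
        "bindings": [
            {"role": "roles/compute.viewer", "members": [CONTROLLER_SA]},
            {"role": "roles/compute.networkUser", "members": [CONTROLLER_SA]},
        ],
        "etag": "BwXyzExample=", "version": 1,
    }),
}


def roles_for_member(policy_json: str, member: str) -> set:
    """Return the roles a member holds unconditionally in one IAM policy.

    Bindings that carry an IAM condition are skipped: a conditional grant may
    not apply to the controller's requests, so it is not counted as present.
    """
    policy = json.loads(policy_json)
    return {
        binding["role"]
        for binding in policy.get("bindings", [])
        if "condition" not in binding and member in binding.get("members", [])
    }


def missing_roles(policy_json: str, member: str) -> set:
    """Required roles the member does not hold in this project's policy."""
    return REQUIRED_ROLES - roles_for_member(policy_json, member)


def audit(policies: dict, member: str) -> dict:
    """Map each project ID to the set of required roles it is missing."""
    return {pid: missing_roles(doc, member) for pid, doc in policies.items()}


def remediation_commands(project_id: str, member: str, missing: set) -> list:
    """Build the gcloud commands that would add each missing binding.

    `gcloud projects add-iam-policy-binding` with --member and --role is the
    real CLI form; the commands are returned, not executed.
    """
    return [
        f"gcloud projects add-iam-policy-binding {project_id} "
        f"--member={member} --role={role}"
        for role in sorted(missing)
    ]


if __name__ == "__main__":
    for project, missing in audit(SAMPLE_POLICIES, CONTROLLER_SA).items():
        status = "OK" if not missing else f"MISSING {sorted(missing)}"
        print(f"{project}: {status}")
        for cmd in remediation_commands(project, CONTROLLER_SA, missing):
            print("  ", cmd)
```

Run it against policies exported from each project affiliated with the shared VPC; any project reporting a missing role is one where inventory will fail until the binding is added on the host project.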

Important

If you create an environment in GCP where there is a shared VPC setup on one GCP project and the instances are attached to a different GCP project, the Multicloud Defense Gateway ignores all received logs from GCP. This is a default action because Multicloud Defense expects DNS logs to come from a singular project where the instances and network are both located.