Add a Multicloud Defense Gateway

Use the following procedure to add a Multicloud Defense Gateway for your cloud service provider:

Before you begin

If you are planning on using an AWS global accelerator or Azure load balancer, be sure the load balancer is already configured prior to adding it to a Multicloud Defense Gateway. See Advanced Gateway Configuration: Use Your Own Load Balancer for more information.

Procedure


Step 1

Navigate to Infrastructure > Gateways > Gateways.

Step 2

Click Add Gateway.

Step 3

Select the cloud service provider you want to add the gateway to.

Step 4

Click Next.

Step 5

Enter the following information:

  • Instance Type - Choose the instance type offered by your cloud service provider. Note that there may be multiple instance variations depending on which cloud service provider you are using.

  • Gateway Type - Select either Ingress or Egress.

    Note

    Select Egress if you have an east-west network flow.

  • Minimum Instances - Select the minimum number of instances that you plan to deploy.

  • Maximum Instances - Select the maximum number of instances that you plan to deploy. This is the maximum number used for auto-scaling in each availability zone.

  • HealthCheck Port - Default is 65534. This is the port the Multicloud Defense load balancer uses to check the health of the instances. The datapath security group(s) assigned to the instances must allow traffic on this port.

  • (Optional) Packet Capture Profile - Packet Capture Profile for threat and flow PCAPs.

  • (Optional) Diagnostics Profile - Diagnostics Profile used to store Technical Support information.

  • (Optional) Log Profile - Log Forwarding Profile used to forward Events/Logs to a SIEM.

  • (Optional) NTP Profile - Network Time Protocol (NTP) profile for time synchronization.

  • (Optional) BGP Profile - Border Gateway Protocol (BGP) profile used to support VPN connections. If you intend to use site-to-site VPN tunnels with a Multicloud Defense Gateway, you must include this profile.

Step 6

Click Next.

Step 7

Provide the following parameters:

  • Security - Select either Egress or Ingress.

    Note

    Select Egress if you have an east-west network flow.

  • Gateway Image - Image to be deployed.

  • Policy Ruleset - Select the policy ruleset to associate with this gateway.

  • Region - Select the region this gateway will be deployed into.

  • Resource Groups - Select the resource group to associate the gateway with.

  • SSH Public Key - Paste the SSH public key. The controller uses this public key to access the CLI of the deployed gateway instances for debugging and monitoring.

  • VNet ID - Select the VNet to associate with the gateway.

  • (Azure only) User Assigned Identity ID - Enter the cloud service provider identity to associate with this gateway. User-assigned managed identities can be used in place of credentials for Azure resources, for example to read a private key stored in Azure Key Vault or to write PCAP files to Azure Blob Storage.

  • Mgmt. Security Group - Select the security group to associate with the management interface.

  • Datapath Security Group - Select the security group to associate with the datapath interface.

  • Disk Encryption - Select the appropriate option from the drop-down menu. For a customer-managed encryption key, you must enter the resource ID of the encryption key.
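The constraints on the Step 5 and Step 7 fields (instance counts, HealthCheck Port reachable through the datapath security group, SSH public key, BGP profile when site-to-site VPN is used, key resource ID for customer-managed encryption) can be checked before the form is submitted. The following pre-flight check is an added example and not Cisco's code; the GatewayParams field names and the (protocol, from_port, to_port, source) layout of the security-group rules are assumptions.

```python
# Added example (not Cisco's code): pre-flight check of the Step 5 / Step 7 fields.
# GatewayParams field names and the (protocol, from_port, to_port, source) rule
# layout are assumptions; only the constraints come from the procedure text.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HEALTHCHECK_DEFAULT = 65534  # default HealthCheck Port from Step 5
OPENSSH_KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384")

Rule = Tuple[str, int, int, str]  # (protocol, from_port, to_port, source_cidr)


@dataclass
class GatewayParams:
    min_instances: int
    max_instances: int
    ssh_public_key: str = ""
    healthcheck_port: int = HEALTHCHECK_DEFAULT
    bgp_profile: Optional[str] = None
    uses_site_to_site_vpn: bool = False
    disk_encryption: str = "platform-managed"   # or "customer-managed"
    encryption_key_resource_id: Optional[str] = None
    datapath_sg_rules: List[Rule] = field(default_factory=list)


def port_allowed(rules: List[Rule], port: int) -> bool:
    """True if an inbound TCP (or any-protocol) rule in the datapath SG covers the port."""
    return any(proto in ("tcp", "-1", "*") and lo <= port <= hi
               for proto, lo, hi, _src in rules)


def preflight(p: GatewayParams) -> List[str]:
    """Return the problems that would make the gateway deployment fail or leave it unsafe."""
    findings = []
    if p.min_instances < 1 or p.min_instances > p.max_instances:
        findings.append("Minimum Instances must be >= 1 and <= Maximum Instances")
    if not 1 <= p.healthcheck_port <= 65535:
        findings.append("HealthCheck Port must be between 1 and 65535")
    elif not port_allowed(p.datapath_sg_rules, p.healthcheck_port):
        findings.append(f"Datapath security group does not allow TCP/{p.healthcheck_port}; "
                        "load-balancer health checks would fail")
    key_type = (p.ssh_public_key.split() or [""])[0]
    if key_type not in OPENSSH_KEY_TYPES:
        findings.append("SSH Public Key is missing or not in OpenSSH public-key format")
    if p.uses_site_to_site_vpn and not p.bgp_profile:
        findings.append("Site-to-site VPN tunnels require a BGP profile")
    if p.disk_encryption == "customer-managed" and not p.encryption_key_resource_id:
        findings.append("Customer-managed Disk Encryption requires the key resource ID")
    return findings
```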

Step 8

Select the Availability Zone, the Mgmt Subnet and the Datapath Subnet. The available subnets depend on the VPC or VNet selected above. For high availability, the gateway instances can be deployed in multiple availability zones: click the plus button to add an availability zone and select the parameters for each selected zone. Note that some cloud service provider regions do not support multiple availability zones; in such regions the gateway instances are deployed in a single zone.

Note

If your gateway is deployed in hub mode, availability zones cannot be edited after the initial deployment. Reconfirm your zones before deploying.

Step 9

(Azure only, optional) If you are deploying in the distributed model, with the Multicloud Defense Gateway in the same VNet as the application, ensure you complete the following:

  • Add a route table in the Azure portal and associate the route table with all the subnets.

  • Add a default route for 0.0.0.0/0 with the next hop set to the IP address of the Gateway Network Load Balancer.

Step 10

Click Next to view the Advanced Settings.

Step 11

By default, the Multicloud Defense Gateway uses the available public IP of the router. If you do not want this enabled, check the Disable Public IP box.

Step 12

(AWS and Azure only) Attach Load Balancer. Click Add Load Balancer to create a row for your custom load balancer. Alternatively, check any rows that are unnecessary and click Remove to delete them from the gateway.

  1. Expand the Load Balancer drop-down to select a load balancer from your AWS or Azure cloud service provider.

  2. Expand the Backend Pool drop-down to select a backend pool to be associated with your gateway.

Step 13

Click Save.


What to do next

Multicloud Defense deploys the gateway.

You must attach at least one ruleset to the gateway before you secure a spoke VPC/VNet. See Rule Sets and Rule Set Groups for more information.