Use the following procedure to create a service VPC or service VNet, depending on the gateway you are creating this for.
Before you begin
Be aware that the options listed in this procedure may be specific to your cloud service provider:
- If you opt to configure a VPC or VNet with a native gateway (NAT gateway), you must have a native gateway configured from your cloud service provider. See your cloud service provider documentation for more information.
- If you intend to deploy a service VNet with an Azure NAT gateway, confirm you have all of the permissions in your custom role within the Azure dashboard prior to creating and deploying. See Create a custom role to assign to the Application for the complete list of permissions.
- If you provide your own transit gateway, you can attach more than one VPC or VNet to it. You can even replace an existing VPC or VNet with a new one without re-deploying the gateway.
If you intend to implement AWS CloudWAN as part of your service VPC, ensure the following is configured prior to this procedure:
Procedure
Step 1. From the Multicloud Defense Controller, navigate to .
Step 2. Click Create Service VPC/VNet.
Step 3. Input parameter values:
- Name - Assign a name to the Service VPC/VNet.
- CSP Account - Select the CSP account in which to create the Service VPC/VNet.
- Region - Select the region the Service VPC will be deployed to.
- (Azure only) CIDR Block - The CIDR Block for the Service VNet. This must not overlap with your Spoke (application) VNets.
- (AWS/GCP only) Datapath CIDR Block - The CIDR Block for the Multicloud Defense Gateway datapath Service VPC. This CIDR block must not overlap with address ranges in your Spoke (application) VPCs.
- (AWS/GCP only) Management CIDR Block - The CIDR Block for the Multicloud Defense Gateway management Service VPC. This CIDR block must not overlap with address ranges in your Spoke (application) VPCs.
- Availability Zones - If you are creating a VPC, you must configure one availability zone only. For a VNet, Multicloud Defense recommends selecting at least two availability zones for resiliency.
  Note: If you are attaching an AWS or Azure NAT gateway to this VPC, you must have at least one availability zone configured. Once you add availability zones to an AWS service VPC, you cannot edit the zones to add or remove them if you deploy in edge or centralized mode.
- (AWS CloudWAN only) Network Type - Select CloudWAN.
- (AWS CloudWAN only) Network ID - Expand the drop-down menu to select the core network that is associated with the global network in your AWS account.
- (AWS CloudWAN only) Network Function Group - Use the drop-down menu to select an existing network function group. This selection attaches the service VPC to the network function group in the core network. Alternatively, select Create New to create a new group for this VPC; you will then be prompted in this Service VPC window to enter a name for the new network function group.
- (Azure only) Resource Group - The resource group in which to deploy the service VNet.
- (AWS only) Transit Gateway - The Transit Gateway connects virtual private cloud and on-premises networks through a central hub. Use the drop-down menu to select an existing gateway for this VPC. If there is no pre-existing gateway for you to select, choose Create_new. This option allows Multicloud Defense to create one as part of the VPC creation process.
- (AWS only) Transit Gateway Name - If you opted to create a new Transit Gateway, enter a name for the gateway in this field.
- (AWS only) Auto accept shared attachments - If you opted to create a new Transit Gateway and intend to use this VPC for a multi-account hub gateway deployment, check this option.
- (AWS and Azure only) Use NAT Gateway - Enable this option if you want all egress traffic to go through the NAT Gateway. If you are using a NAT gateway for an Azure account, confirm you have all of the permissions in your custom role within the Azure dashboard before you finish creating this service VNet. See Create a custom role to assign to the Application for the complete list of permissions.
  Caution: Do not enable this NAT Gateway option if you intend to use this Service VPC to deploy a Multicloud Defense VPN gateway in your AWS or Azure environment.
Step 4. Click Save.
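The non-overlap requirement on the Datapath and Management CIDR blocks is easy to get wrong once several spoke VPCs exist, and the console only reports the problem after you click Save. The following Python check is an added example, not part of the Multicloud Defense documentation or product: it verifies that the two service VPC blocks you intend to enter do not overlap any spoke (application) VPC range. The spoke ranges and candidate blocks are constructed sample values, and the final check that the datapath and management blocks do not overlap each other is an extra assumption of this example, not a requirement stated in this procedure.

```python
import ipaddress

# Constructed sample values, not taken from the page: address ranges of the
# existing spoke (application) VPCs that the service VPC must not overlap.
SPOKE_VPC_CIDRS = {
    "spoke-app-1": "10.10.0.0/16",
    "spoke-app-2": "10.20.0.0/16",
    "spoke-app-3": "172.16.0.0/12",
}


def parse_cidr(label, cidr):
    """Parse a CIDR block strictly: '10.10.5.0/24' is accepted, but
    '10.10.5.1/24' (host bits set) is rejected, because the console expects
    a network address, not a host address."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        raise ValueError(f"{label}: {cidr!r} is not a valid network CIDR ({exc})") from exc


def find_overlaps(candidate_cidrs, spoke_cidrs):
    """Return every (candidate_label, candidate_cidr, other_name, other_cidr)
    tuple where a candidate service block overlaps a spoke VPC range.
    The final loop is an extra check (assumption, not stated on the page)
    that the candidate blocks also do not overlap one another."""
    cands = {label: parse_cidr(label, c) for label, c in candidate_cidrs.items()}
    spokes = {name: parse_cidr(name, c) for name, c in spoke_cidrs.items()}
    overlaps = []
    for label, net in cands.items():
        for name, spoke in spokes.items():
            if net.overlaps(spoke):
                overlaps.append((label, str(net), name, str(spoke)))
    labels = list(cands)
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            if cands[a].overlaps(cands[b]):
                overlaps.append((a, str(cands[a]), b, str(cands[b])))
    return overlaps


def validate_service_vpc(datapath_cidr, management_cidr, spoke_cidrs=SPOKE_VPC_CIDRS):
    """Return True when both AWS/GCP service VPC blocks are clear of the spoke
    ranges; raise ValueError listing each conflict otherwise."""
    conflicts = find_overlaps(
        {"Datapath CIDR Block": datapath_cidr, "Management CIDR Block": management_cidr},
        spoke_cidrs,
    )
    if conflicts:
        lines = [f"  {lbl} {c} overlaps {name} {o}" for lbl, c, name, o in conflicts]
        raise ValueError("CIDR overlap, fix before clicking Save:\n" + "\n".join(lines))
    return True


if __name__ == "__main__":
    # Clean proposal: both blocks sit outside every spoke range.
    print(validate_service_vpc("10.100.0.0/24", "10.101.0.0/24"))
    # Bad proposal: the datapath block sits inside spoke-app-1.
    try:
        validate_service_vpc("10.10.5.0/24", "10.101.0.0/24")
    except ValueError as err:
        print(err)
```

Run it with the real spoke ranges from your account in place of the constructed ones; the strict parse also catches a block typed with host bits set, which the console would otherwise reject or silently normalise.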
What to do next
If you have just created a service VPC for an AWS or GCP account, you must first Manage the Service VPC/VNet and then Add a Gateway and associate the VPC or VNet with the gateway.
If you have created a service VNet for Azure, we strongly recommend you Add a Gateway.