Background
This document will guide you through the Virtru Gateway installation from Google Marketplace.
Specific steps for this section include:
Sync your Google Workspace domain with Virtru
Deploying Virtru Private Keystore (for Google Workspace CSE)
Sync your Google Workspace domain with Virtru
If you have not already done so, please follow this guide to sync your Google Workspace domain with Virtru. This is a prerequisite for provisioning your Virtru Gateway in GKE.
Log into marketplace
Direct link
Or Search the marketplace
- https://cloud.google.com/marketplace
- Search for “Virtru”
- Click “Configure”
Configure gateway
- Either create cluster or use existing
- Pick a zone
- Namespace
- <Gateway mode>
- Example "Virtru-oe"
- App instance Name
- “<Leave Default Value>”
- Gateway Hostname
- The FQDN that your application will run as.
- Gateway Token Name and Token Secret
- Token ID <Provided by Virtru>
- Token <Provided by Virtru>
- Primary Mailing Domain
- The primary email domain of your Google Workspace tenant
- Amplitude Token
- Provided by Virtru
- Gateway Usage
- Select gateway mode/topology
- Outbound - Data Loss Prevention (Using rules set in the Virtru control center)
- Outbound - Encrypt Everything
- Outbound - Decrypt Everything
- Inbound - Encrypt Everything
- Inbound - Decrypt Everything
- Virtru Pricing Plan
- Select the option that applies to your price plan.
- Reference link for Pricing
- See Chart for Config map to Price breakdown
- Click “Deploy”
Note:
If you are going to use the marketplace deployment for billing ONLY or for CSE (Client Side Encryption) only and do not intend to use the Virtru Gateway you can use the following values in this configuration.
- Gateway Token ID
- GATEWAY_TOKEN_ID
- Gateway Token
- GATEWAY_TOKEN
- Amplitude API Key
- AMPLITUDE_TOKEN
Example of a non gateway configuration:
Deploying CSE
At this step, if you are deploying a CSE configuration in addition to your gateway pods, follow the next steps here:
Default configuration
The default configuration can be modified once your application is installed.
Once you click "Deploy" you will be set up with the following.
- 2 Nodes in a new cluster (optional)
- 2 Pods
- Each pod represents 1 Virtru gateway application running in outbound encrypt mode
- 1 pod per node in the cluster for built-in redundancy
- 1 External load balancer service with an external IP listening on port 2525 ingress
- 1 configmap yaml file with your gateway environment variables.
Ingress
You will need the public IP that the external load balancer is using for your new service.
- Navigate to Compute Engine> Services & Ingress
- Copy your static IP of your “External load balancer”
- Create an A record for gw.customer.com that points to this new IP
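Once the A record exists, the ingress can be checked from outside the cluster. The following is an added example, not Virtru's code: it confirms that the hostname resolves to the load balancer IP and that the listener on port 2525 returns an SMTP greeting. The hostname and port come from the steps above; the function names and the IP passed on the command line are assumptions.

```python
import socket
import sys

def resolve_a(hostname):
    """Return the set of IPv4 addresses the hostname's A record resolves to."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def smtp_banner(host, port=2525, timeout=10.0):
    """Connect and return the first line the listener sends (the SMTP greeting)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        data = b""
        while not data.endswith(b"\n") and len(data) < 1024:
            chunk = sock.recv(512)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace").strip()

def check_ingress(hostname, expected_ip, port=2525,
                  resolver=resolve_a, banner=smtp_banner):
    """Return a list of problems; an empty list means the ingress looks correct."""
    try:
        addrs = resolver(hostname)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return [f"{hostname} does not resolve: {exc}"]
    problems = []
    if expected_ip not in addrs:
        problems.append(f"{hostname} resolves to {sorted(addrs)}, not {expected_ip}")
    # Probe the load balancer IP directly so a DNS mistake cannot hide a dead listener.
    try:
        greeting = banner(expected_ip, port)
    except OSError as exc:  # refused connection or timeout
        problems.append(f"no listener on {expected_ip}:{port}: {exc}")
    else:
        if not greeting.startswith("220"):
            problems.append(f"unexpected greeting on port {port}: {greeting!r}")
    return problems

if __name__ == "__main__":
    # Usage: python check_ingress.py gw.customer.com <load-balancer-ip>
    host, ip = sys.argv[1], sys.argv[2]
    issues = check_ingress(host, ip)
    print("\n".join(issues) or f"{host} -> {ip}:2525 OK")
    sys.exit(1 if issues else 0)
```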
Egress (Options)
The Virtru gateway is set by default to relay through Google Workspace. Follow these instructions to get the IPs of the VM instances that your cluster is installed on before relaying through your Google Workspace tenant.
- Relay through Google workspace
- Navigate to Compute Engine> VM instances
- Copy the static IPs from your cluster and add them to the SMTP relay service in your Google Workspace tenant as an Allowed IP to relay through your tenant before final delivery.
- https://support.google.com/a/answer/2956491?hl=en
- Send to your existing relay
- Navigate to Applications>Gateway>Config Map
- Click "gateway"
- Edit the YAML file
- Change the value next to the "GATEWAY_TRANSPORT_MAPS" variable to use your relay
- [next-hop-relay.customer.com]:587 (Example)
- Click "Save"
Other delivery options
- Follow Google’s documentation for other recommended methods of sending mail from your GCP application
Virtru Pricing Chart
Pricing Options | Virtru Pricing Plan Dropdown |
Gateway & Gmail Encryption (Per User Per Day) | gateway___gmail_encryption__per_user_per_day_ |
Gateway & Google Encryption (Per User Per Day) | gateway___gdrive_encryption__per_user_per_day_ |
Gateway & Gmail & Google Drive Encryption (Per User Per Day) | gateway___gmail___gdrive_encryption__per_user_per_day_ |
Gateway Network Level Encryption Per Day | gateway_network_level_encryption_per_day_ |
Gateway, Gmail Encryption with Customer-Hosted Keys (Per User Per Day) | gateway__gmail_encryption_with_customer_hosted_keys___per_user_per_day_ |
Gateway, Google Drive Encryption with Customer Hosted Gateway (Per User Per Day) | gateway__gdrive_encryption_with_customer_hosted_keys___per_user_per_day_ |
Gateway, Gmail & Google Drive Encryption with Customer-Hosted Keys (Per User Per day) | gateway__gmail___gdrive_encryption_with_customer_hosted_keys__per_user_per_day_ |
Gateway Network Level Encryption with Customer-Hosted Keys (Per User Per Day) | gateway_network_level_encryption_with_customer_hosted_keys__per_user_per_day_ |