Network-Diagram

Traffic flow explanation

Inbound:

  1. The External Load Balancer redirects all packets to the Gateway Load Balancer.

     The VXLAN tunnel preserves the original source and destination addresses.

  2. The Gateway Load Balancer sends the packet to the next healthy CloudGuard Gateway.

  3. The CloudGuard Gateway decides whether to forward or drop the packet.

  4. The External Gateway Load Balancer sends the inspected packet to the next VM in the Backend Pool.

  5. The External Load Balancer redirects reply packets to the Gateway Load Balancer.

  6. Symmetric hashing returns the reply packet to the original CloudGuard Gateway, so the connection state is kept on the gateway that created it.

  7. The External Load Balancer sends the return packet to the original source address.
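The symmetric hashing in step 6 is what makes stateful inspection possible behind a load balancer: the gateway that saw the request must also see the reply. The example below is added here and is not Azure's or Check Point's algorithm; it shows one way to build such a flow-to-gateway placement, with a canonical (direction-independent) 5-tuple and rendezvous hashing so that a gateway leaving the healthy set moves only the flows it owned. The gateway names and the hash key are constructed.

```python
"""Added example (not Azure's or Check Point's code): a symmetric flow hash that
sends a connection's request and reply packets to the same CloudGuard Gateway.
Gateway names and the hash key below are constructed for the demonstration."""
import hashlib
import hmac

# Constructed secret (assumption): a per-deployment key so that the placement of
# a flow cannot be predicted from its 5-tuple alone.
HASH_KEY = b"constructed-demo-key"

# Constructed names for the CloudGuard Gateway VMSS instances in the backend pool.
GATEWAYS = ["cgw-vmss-0", "cgw-vmss-1", "cgw-vmss-2"]


def canonical_flow(src_ip, src_port, dst_ip, dst_port, proto):
    """Order the two endpoints so that A->B and B->A yield the same tuple.
    This is the property that makes the hash 'symmetric'."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    lo, hi = (a, b) if a <= b else (b, a)
    return (proto, lo[0], lo[1], hi[0], hi[1])


def _weight(flow, gateway):
    """Keyed score of (flow, gateway); 64 bits is plenty to avoid ties."""
    msg = repr(flow).encode() + b"|" + gateway.encode()
    digest = hmac.new(HASH_KEY, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def select_gateway(flow, healthy_gateways):
    """Rendezvous (highest-random-weight) hashing: the flow goes to the healthy
    gateway with the highest score. When a gateway drops out of the healthy
    set, only the flows that were placed on it are re-homed."""
    if not healthy_gateways:
        raise RuntimeError("no healthy CloudGuard Gateway in the backend pool")
    return max(sorted(healthy_gateways), key=lambda gw: _weight(flow, gw))


def steer(src_ip, src_port, dst_ip, dst_port, proto, healthy_gateways):
    """Pick the gateway for one packet, whichever direction it travels."""
    flow = canonical_flow(src_ip, src_port, dst_ip, dst_port, proto)
    return select_gateway(flow, healthy_gateways)


def request_and_reply_gateways():
    """Constructed inbound session: client -> External LB frontend on 443.
    Returns the gateway chosen for the request and for the reply."""
    request = steer("198.51.100.7", 51000, "203.0.113.10", 443, 6, GATEWAYS)
    reply = steer("203.0.113.10", 443, "198.51.100.7", 51000, 6, GATEWAYS)
    return request, reply


if __name__ == "__main__":
    req, rep = request_and_reply_gateways()
    print("request ->", req, "| reply ->", rep, "| same gateway:", req == rep)
```

The `sorted()` call only makes tie-breaking deterministic; the score itself does all the work. Azure's Gateway Load Balancer implements its own hashing, so treat this as a model of the property the text relies on, not as a description of the platform.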

When inbound traffic arrives, the CloudGuard Gateway receives it as follows:

  1. VXLAN-tunneled traffic with:

    1. Source: The Gateway Load Balancer frontend IP.

    2. Service: UDP services on the port numbers of the VXLAN tunnel interfaces (internal and external).

    3. Destination: The VMSS instance.

  2. Encapsulated traffic with:

    1. Source: The original source.

    2. Service: The original service.

    3. Destination: The original destination (the frontend IP of the External Load Balancer).

Note - Traffic flow is the same for Load Balancing rules and Inbound NAT rules.

Outbound:

  1. The External Load Balancer receives traffic from a Backend Pool VM.

     The External Load Balancer redirects all packets to the Gateway Load Balancer.

     The VXLAN tunnel preserves the original source and destination addresses.

  2. The Gateway Load Balancer sends the packet to the next healthy CloudGuard Gateway.

  3. The CloudGuard Gateway decides whether to forward or drop the packet.

  4. The External Load Balancer sends the request packet to the original destination address.

  5. The External Load Balancer redirects the reply packet to the Gateway Load Balancer.

  6. Symmetric hashing returns the reply packet to the original CloudGuard Gateway, so the connection state is kept on the gateway that created it.

  7. The External Gateway Load Balancer sends the inspected reply packet to the original source address, a Backend Pool VM.

When outbound traffic arrives, the CloudGuard Gateway receives it as follows:

  1. VXLAN-tunneled traffic with:

    1. Source: The Gateway Load Balancer frontend IP.

    2. Service: UDP services on the port numbers of the VXLAN tunnel interfaces (internal and external).

    3. Destination: The VMSS instance.

  2. Encapsulated traffic with:

    1. Source: The original source (the frontend IP of the External Load Balancer).

    2. Service: The original service.

    3. Destination: The original destination.
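Both the inbound and the outbound descriptions above say the same thing about what the gateway actually receives: an outer IPv4/UDP packet from the Gateway Load Balancer frontend to the VMSS instance, on a tunnel-interface port, carrying a VXLAN header and the untouched original packet inside. The example below is added here and is not Check Point's or Azure's code. It builds such a packet and decodes both layers, rejects anything that does not match the expected shape, and tells inbound from outbound by checking whether the External Load Balancer frontend IP is the inner destination or the inner source. The tunnel port numbers, VNIs, MAC addresses and IP addresses are constructed sample values; set the port map to whatever is configured on the Gateway Load Balancer tunnel interfaces.

```python
"""Added example (not Check Point's or Azure's code): build and decode the two
layers a CloudGuard Gateway sees on a Gateway Load Balancer VXLAN tunnel.
All ports, VNIs and addresses are constructed sample values."""
import socket
import struct

# Constructed tunnel-interface settings (assumption): UDP port -> tunnel role.
TUNNEL_PORTS = {10800: "internal", 10801: "external"}
VXLAN_FLAG_I = 0x08           # "VNI valid" flag bit in the VXLAN header
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17

# Constructed sample addresses: GWLB frontend, VMSS instance, ELB frontend, client.
GWLB_FRONTEND, VMSS_INSTANCE = "10.0.1.4", "10.0.2.5"
ELB_FRONTEND, CLIENT = "203.0.113.10", "198.51.100.7"


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header; the checksum is left 0 because nothing here verifies it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_vxlan_packet(outer_src, outer_dst, tunnel_port, vni,
                       inner_src, inner_dst, inner_proto, sport, dport):
    """Encapsulate an inner IPv4 TCP/UDP packet the way the tunnel carries it."""
    if inner_proto == PROTO_TCP:   # SYN with a minimal 20-byte TCP header
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    elif inner_proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:
        raise ValueError("inner protocol must be TCP or UDP in this example")
    inner_ip = ipv4_header(inner_src, inner_dst, inner_proto, len(l4)) + l4
    inner_eth = (bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb")
                 + struct.pack("!H", ETHERTYPE_IPV4) + inner_ip)   # constructed MACs
    vxlan = struct.pack("!B3sI", VXLAN_FLAG_I, b"\0\0\0", vni << 8) + inner_eth
    udp = struct.pack("!HHHH", 49152, tunnel_port, 8 + len(vxlan), 0) + vxlan
    return ipv4_header(outer_src, outer_dst, PROTO_UDP, len(udp)) + udp


def parse_vxlan_packet(pkt):
    """Decode the outer and inner layers; raise ValueError on anything unexpected."""
    if pkt[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    off = (pkt[0] & 0x0F) * 4
    if pkt[9] != PROTO_UDP:
        raise ValueError("outer protocol is not UDP, so this is not tunnel traffic")
    outer = {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20])}
    _, udp_dst, _, _ = struct.unpack("!HHHH", pkt[off:off + 8])
    if udp_dst not in TUNNEL_PORTS:
        raise ValueError(f"UDP port {udp_dst} is not a configured tunnel port")
    outer.update(udp_dst=udp_dst, tunnel=TUNNEL_PORTS[udp_dst])
    off += 8
    flags, _, vni_field = struct.unpack("!B3sI", pkt[off:off + 8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN header without a valid VNI")
    outer["vni"] = vni_field >> 8
    off += 8
    if struct.unpack("!H", pkt[off + 12:off + 14])[0] != ETHERTYPE_IPV4:
        raise ValueError("inner frame is not IPv4")
    off += 14
    inner_ip = pkt[off:]
    ihl = (inner_ip[0] & 0x0F) * 4
    proto = inner_ip[9]
    inner = {"src": socket.inet_ntoa(inner_ip[12:16]),
             "dst": socket.inet_ntoa(inner_ip[16:20]), "proto": proto}
    if proto in (PROTO_TCP, PROTO_UDP):
        inner["sport"], inner["dport"] = struct.unpack("!HH", inner_ip[ihl:ihl + 4])
    return {"outer": outer, "inner": inner}


def is_tunnel_packet(pkt):
    """True only if the packet has the outer/inner shape the gateway expects."""
    try:
        parse_vxlan_packet(pkt)
        return True
    except ValueError:
        return False


def packet_direction(decoded, elb_frontend_ip):
    """Per-packet view: 'inbound' when the original destination is the External
    LB frontend, 'outbound' when the original source is. Which session a reply
    belongs to is decided by the gateway's connection state, not by this test."""
    inner = decoded["inner"]
    if inner["dst"] == elb_frontend_ip:
        return "inbound"
    if inner["src"] == elb_frontend_ip:
        return "outbound"
    return "unknown"


if __name__ == "__main__":
    pkt = build_vxlan_packet(GWLB_FRONTEND, VMSS_INSTANCE, 10801, 801,
                             CLIENT, ELB_FRONTEND, PROTO_TCP, 51000, 443)
    decoded = parse_vxlan_packet(pkt)
    print(decoded, packet_direction(decoded, ELB_FRONTEND))
```

The strict checks in `parse_vxlan_packet` are the point for a defender: a packet that reaches the gateway's tunnel port without the expected outer UDP port, VNI flag or inner IPv4 frame should be treated as unexpected and logged rather than forwarded.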

Gateway Load Balancer Frontend Routing Table - User Defined Routes (UDR):

  Name          Destination                              Next hop
  Local-Subnet  Gateway Load Balancer Frontend subnet    Virtual network
  To-VNet       Gateway Load Balancer VNet               None (drop)