Check Point CloudGuard IaaS for AWS

Check Point CloudGuard for AWS easily extends comprehensive Threat Prevention security to the AWS cloud and protects assets in the cloud from attacks, and at the same time enables secure connectivity.

CloudGuard IaaS lets you enforce consistent Security Policies across your entire organization. It protects data between the corporate network and the Amazon VPC. CloudGuard IaaS inspects data that enters and leaves the private subnet in the Amazon VPC to prevent attacks and mitigate data loss or leakage. CloudGuard IaaS protects services in the public cloud from the most sophisticated threats and from unauthorized access, and prevents application layer Denial of Service (DoS) attacks.

Check Point CloudGuard for AWS meets organizational cloud security needs:

  • Automatically deployed tags-based IPsec VPN between AWS Transit Gateway and the security VPC.

  • Automatic configuration of AWS VPN Gateways on spoke VPCs. This includes planning of IP addresses to prevent subnet IP address conflicts.

  • Next Generation Firewall with Application Control, Data Awareness, HTTPS Inspection, NAT, and logging.

  • IPS and virtual patching of cloud resources.

  • URL Filtering for Internet-bound traffic.

  • Anti-Bot and Anti-Virus, and Zero-day Threat Emulation and Threat Extraction.

  • Remote Access VPN to connect remote clients.

  • IPsec VPN for VPC-to-VPC, and VPC-to-on-premises connections with optional Direct Connect support.

  • High Availability deployment.

  • Automated solution deployment with CloudFormation.

Costs and Licenses

You are responsible for the cost of the AWS services that you use, when you deploy the solution described in this guide.

The AWS CloudFormation template for the Security VPC includes parameters that you can configure. Some of these settings, such as instance type, affect the cost of deployment. For estimated costs, see the AWS pricing calculator.

This Transit VPC - Transit Gateway solution uses Amazon Machine Images (AMIs) from the AWS Marketplace. You must subscribe to Check Point CloudGuard in the AWS Marketplace before you start the deployment.

Check Point CloudGuard Security Gateways, Check Point CloudGuard Security Management Server, and AWS CloudFormation templates described in this guide must have a license. There are two licensing options:

  • Pay As You Go (PAYG)

  • Bring Your Own License (BYOL)

To buy BYOL licenses, contact Check Point Sales.

Prerequisites

Before you use this solution, make sure you are familiar with these AWS terms and services:

  • Amazon EC2

  • Amazon VPC

  • AWS CloudFormation

  • AWS IAM

  • AWS Transit Gateway

If you are new to AWS, see Getting Started with AWS.

Architecture

The diagram shows the Transit Gateway architecture for Check Point CloudGuard for AWS, an end-to-end solution which includes:

  • AWS Transit Gateway (TGW) object.

  • Spoke (Consumer) VPCs attached to the AWS Transit Gateway.

  • Outbound Security VPC with the CloudGuard Transit Gateways Auto Scaling group.

  • Automatic provisioning of VPN tunnels.

  • BGP routing configuration between the AWS Transit Gateway and the CloudGuard IaaS Security Gateways.

  • Inbound Security VPC with CloudGuard Security Gateways Auto Scaling group attached to the AWS Transit Gateway.

  • Corporate VPN between on-premises perimeter and the AWS Transit Gateway.

Note - Red arrows show the provisioning flow from an on-premises Management Server.

A Transit Gateway acts as a regional virtual router for traffic that flows between your Virtual Private Clouds (VPC) and VPN connections. A Transit Gateway scales elastically based on the volume of network traffic. Routing through a Transit Gateway operates at Layer 3, where the packets are sent to a specific next-hop attachment, based on their destination IP addresses.

Use Cases

VPN Community

A VPN Domain is a collection of internal networks that use VPN Security Gateways to send and receive their traffic. VPN Security Gateways are joined into a VPN Community. A VPN Community is a collection of VPN tunnels and their attributes. Networks from different VPN Domains can communicate securely with each other through VPN tunnels that end at the Security Gateways in the VPN communities.

The VPN communities used for this Transit solution are based on a Star topology. In a Star VPN Community, each satellite gateway (here, an AWS VPN connection represented by an Interoperable Device object) has a VPN tunnel to the central CloudGuard Security Gateway, and through it to the other satellite gateways in the Star VPN Community.

The Transit solution uses Route Based VPN, where VPN traffic is routed based on the BGP routing settings of the CloudGuard Gateway. The CloudGuard Gateway uses a VPN Tunnel Interface (VTI) to send the VPN traffic, as if it were a physical interface.

Because of the Route Based VPN, it is not necessary to set a VPN Domain on the CloudGuard Security Gateway. The Transit service creates an empty Group object that is used when you configure the CloudGuard Gateway in SmartConsole. This ensures that Domain Based VPN is not used.

The config-community.sh script creates a Star VPN Community with these required settings for Transit:

  • Encryption: IKE Security Association Phase 2 enabled, set to Group 2 (1024 bit)

  • Tunnel management: One VPN tunnel per gateway pair enabled

  • Shared Secret: Use only Shared Secret for all external members enabled

  • Advanced: IKE (Phase 1) set to 480 minutes

For information on this script, see the Configuring the VPN Community with the 'config-community.sh' Script section.
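The four settings above are what config-community.sh sets; a practitioner who later edits the community in SmartConsole or through the Management API will want a way to confirm they are still in place. The script below is an added example, not part of the guide or of config-community.sh: it audits a community object (a constructed dict in the shape of a Management API 'show vpn-community-star' reply) against the required Transit settings. The dotted field paths in RULES, in particular those for the PFS group and the Phase 1 lifetime, are assumptions to adapt to the field names of your release.

```python
"""Audit a Star VPN Community's settings against the Transit requirements.

Added example, not part of the guide or of config-community.sh. The dotted
paths in RULES are assumptions about the Management API object layout.
"""
from typing import Any

# Required Transit settings from the guide, as (dotted path, expected value).
RULES = {
    "use-shared-secret": True,                      # Shared Secret for all external members
    "tunnel-granularity": "universal",              # one VPN tunnel per gateway pair
    "ike-phase-2.diffie-hellman-group": "group-2",  # Phase 2 Group 2 (1024 bit); assumed path
    "ike-phase-1.renegotiation-minutes": 480,       # IKE (Phase 1) 480 minutes; assumed path
}


def lookup(obj: dict, path: str) -> Any:
    """Follow a dotted path into nested dicts; return None if any key is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def audit_star_community(community: dict) -> list[str]:
    """Return one finding per rule that is missing or not set as the guide requires."""
    findings = []
    for path, expected in RULES.items():
        actual = lookup(community, path)
        if actual is None:
            findings.append(f"{path}: missing from object (expected {expected!r})")
        elif actual != expected:
            findings.append(f"{path}: is {actual!r}, expected {expected!r}")
    return findings


# Constructed sample: a community whose tunnel granularity was left per-subnet
# and whose Phase 2 group was never set, so two of the required settings drift.
SAMPLE_COMMUNITY = {
    "name": "tgw-community",
    "use-shared-secret": True,
    "tunnel-granularity": "per-subnet",
    "ike-phase-1": {"diffie-hellman-group": "group-2", "renegotiation-minutes": 480},
    "ike-phase-2": {"encryption-algorithm": "aes-256"},
}

if __name__ == "__main__":
    for finding in audit_star_community(SAMPLE_COMMUNITY) or ["all Transit settings present"]:
        print(finding)
```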

For more information on Check Point VPN solutions, see the R80.20 Site to Site VPN Administration Guide.

Security Policy

A Security Policy package is a collection of different types of policies that are enforced after you install the policy on the Security Gateways.

A policy package can have one or more of these policy types:

  • Access Control

  • Quality of Service (QoS)

  • Desktop Security

  • Threat Prevention

The Standard policy package is the default Security Policy defined in a newly deployed Security Management Server. Every policy package has a default cleanup rule that drops all traffic.

When you configure the Check Point Security Management Server with the autoprov_cfg utility, specify the name of the Security Policy package to be installed on the Transit Gateways with the -po parameter. For the default Security Policy, use the value "Standard" (a capital "S" is required) for this parameter.

If you want to configure additional policy packages and install a different policy package on the Security Gateways deployed for the transit solution, then specify the name that you want to give that policy package when you run autoprov_cfg. Afterwards, create and configure the policy by connecting to your Security Management Server with SmartConsole.

For more information, see Configuring the Security Management Server with the 'autoprov_cfg' Utility.


AWS Transit Gateway R80.10 and Above Deployment Guide