Network
Use this network diagram to configure your system. Make sure to replace the IP addresses in the sample environment with the IP addresses in your environment.
Network Diagram
Network routing diagram.
In the diagram:
The cluster (two or more Security Gateways that work together in a redundant configuration, High Availability or Load Sharing) in this diagram protects two web applications.
Each web application has:
- Public IP address
- Web server
- Application server
(See the Routing Tables.)
Diagram Components
The diagram shows:
- Virtual Network (an environment of logically connected Virtual Machines) in Azure Stack Hub that is divided into four subnets:
  - Frontend
  - Backend
  - Web
  - App
Check Point High Availability consists of two Cluster Members, Member 1 and Member 2. Each Cluster Member (a Security Gateway that is part of a cluster) has two interfaces.
Placing the Cluster Members in the same Availability Set guarantees that the two Cluster Members are in separate fault domains. For more information, see Manage the availability of Windows Virtual Machines in Azure Stack.
Static IP Addresses:
| Name | Attached to | Use |
|---|---|---|
| Member 1 public address | The external interface of Member 1 | Do not disable or delete this resource. It will be tested and verified according to QA tests. |
| Member 2 public address | The external interface of Member 2 | Do not disable or delete this resource. It will be tested and verified according to QA tests. |
| Web | Azure Load Balancer | Public service Web |
| App | Azure Load Balancer | Public service App |
Use the Azure Stack Hub Load Balancer rules to forward traffic that comes from the Internet:
Important - You cannot use ports 80, 443, 444, 8082, or 8117.
Azure Load Balancer rules:
| Frontend IP address | Frontend TCP ports | Destination IP address | Destination port |
|---|---|---|---|
| Web | HTTPS | Active Cluster Member | 8081 |
| App | HTTP | Active Cluster Member | 8083 |
Load Balancing Rules for the External Load Balancer:
| No. | Rule | Frontend | Backend |
|---|---|---|---|
| 1 | Example 1 | Frontend Web:443 | Backend port 8081 |
| 2 | Example 2 | Frontend App:80 | Backend port 8083 |
Routing Tables
Backend Routing Table - User Defined Routes (UDR):
| Destination | Nexthop |
|---|---|
| | Active Member Internal Private Address |
Routing Table for Web and App - User Defined Routes (UDR)
Web and App routing tables have the same Virtual Network address, but different subnet addresses.
Web:
| Frontend | Nexthop |
|---|---|
| | IP of the Active Member Internal Private Address |
| | IP of the Active Member Internal Private Address |
| | IP of the Active Member Internal Private Address |
| | Virtual Network |
App:
| Frontend | Nexthop |
|---|---|
| | IP of the Active Member Internal Private Address |
| | IP of the Active Member Internal Private Address |
| | IP of the Active Member Internal Private Address |
| | Virtual Network |
Failover
This is what happens during cluster failover:
The Cluster Member that is promoted to Active uses the Azure Stack Hub API to update the routes in the route tables so that they point to its Internal Private IP address. This affects outbound, inbound, and East-West traffic inspection.
Expected failover times - based on use cases:
| Use Case | Expected Failover Time | Comments |
|---|---|---|
| Inbound inspection through the External Load Balancer | Less than 15 seconds | Depends on the Load Balancer health probe | 
| Outbound inspection through the Active Cluster Member | Less than 8 seconds per route table | Depends on the Azure Stack Hub API | 
| East-West inspection through the Active Cluster Member | Less than 8 seconds per route table | Depends on the Azure Stack Hub API | 
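The Load Balancing Rules above and the route-table rewrite on failover, as an added example that is not Check Point's code: it checks the rules against the ports the page lists as unusable (assumed here to apply to the backend port, since the page's own rules use 443 and 80 on the frontend) and models the promoted member repointing every UDR next hop to itself. All IP addresses and subnet destinations are constructed placeholders.

```python
# Added example, not Check Point's code: models the External Load Balancer port
# rules and the UDR next-hop rewrite a promoted Active member performs. All IP
# addresses below are constructed placeholders.
from copy import deepcopy

# Ports the page says cannot be used; assumed here to apply to the backend port,
# since the page's own rules use 443 and 80 on the frontend.
RESERVED_PORTS = {80, 443, 444, 8082, 8117}

# Load Balancing Rules for the External Load Balancer, as given on the page.
LB_RULES = [
    {"name": "Example 1", "frontend": "Web", "frontend_port": 443, "backend_port": 8081},
    {"name": "Example 2", "frontend": "App", "frontend_port": 80, "backend_port": 8083},
]

MEMBER1, MEMBER2 = "10.0.1.4", "10.0.1.5"  # constructed internal private addresses
# Constructed UDR tables in the page's shape: Internet and cross-subnet routes
# point at the Active member; the Virtual Network route is never rewritten.
ROUTE_TABLES = {
    "Backend": [{"dest": "0.0.0.0/0", "nexthop": MEMBER1}],
    "Web": [{"dest": "0.0.0.0/0", "nexthop": MEMBER1},
            {"dest": "10.0.0.0/24", "nexthop": MEMBER1},  # Frontend subnet
            {"dest": "10.0.3.0/24", "nexthop": MEMBER1},  # App subnet
            {"dest": "10.0.0.0/16", "nexthop": "VirtualNetwork"}],
    "App": [{"dest": "0.0.0.0/0", "nexthop": MEMBER1},
            {"dest": "10.0.0.0/24", "nexthop": MEMBER1},  # Frontend subnet
            {"dest": "10.0.2.0/24", "nexthop": MEMBER1},  # Web subnet
            {"dest": "10.0.0.0/16", "nexthop": "VirtualNetwork"}],
}

def lb_rule_errors(rules):
    """Names of rules whose backend port is one of the reserved ports."""
    return [r["name"] for r in rules if r["backend_port"] in RESERVED_PORTS]

def failover(route_tables, old_active, new_active):
    """Point every route that used old_active at new_active, as the promoted
    member does via the Azure Stack Hub API; returns (tables, routes_changed)."""
    updated = deepcopy(route_tables)
    changed = 0
    for routes in updated.values():
        for route in routes:
            if route["nexthop"] == old_active:
                route["nexthop"] = new_active
                changed += 1
    return updated, changed

def stale_routes(route_tables, active):
    """Routes whose next hop is neither the Active member nor the Virtual Network."""
    return [(name, r["dest"]) for name, routes in route_tables.items()
            for r in routes if r["nexthop"] not in (active, "VirtualNetwork")]
```

Running `stale_routes` against the live tables after a failover is a quick way to confirm that no route still sends traffic around the new Active member.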
Traffic Flows
If the Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server) is in the Virtual Network, make sure to have specific routes to allow traffic between the Management Server Virtual Machine and the Cluster Members.
Important - You cannot deploy other Virtual Machines in the Check Point solution subnets.
Inbound traffic flow:
- Traffic travels into the External Load Balancer.
- The External Load Balancer forwards the traffic to the Active Cluster Member.
- The Active Cluster Member inspects the traffic, and forwards it to the destination.
Inbound Traffic Reply:
- The traffic travels from the Web Server to the Active Cluster Member.
- The Active Cluster Member inspects the traffic, and forwards it to the destination.
Outbound Traffic Flow:
- Traffic travels to the Active Cluster Member based on the UDR.
- The Active Cluster Member inspects the traffic and forwards it to the destination.
East-West Traffic Flow:
- Traffic travels from one of the internal servers to the Active Cluster Member based on the UDR.
- The Active Cluster Member inspects the traffic and forwards the traffic to the destination.
Intra-Subnet Traffic
Traffic travels freely in the subnet without inspection.