Workflow for Setting Up a High Availability Cluster in Azure

Step 1: Deploy with a Template in Azure

Deploy this solution through the Azure Portal. If you use a different environment than the Standard Azure environment, see Using a Different Azure Cloud Environment.


  • Standard Load Balancers and High Availability ports are not available on the Azure Government Cloud environment.

  • By default, the WebUI of every Check Point Security Gateway and Security Management Server is accessible from the internet at http://<virtual-machine-public-ip>. To restrict access to the WebUI, configure a Network Security Group, or configure the Check Point Gateway and Management Server settings.

Components of the Check Point Solution

Important - If you deploy the solution to an existing Virtual Network, confirm that an NSG is associated with the frontend subnet that allows all inbound and outbound TCP and UDP traffic. An NSG is necessary to connect to Cluster Members successfully.

Step 2: Set Credentials in Azure

By default, the automatic service principal is deployed. If you want to create your own service principal, make sure you set credentials and assign privileges to necessary resources. Managed service identity for Virtual Machines is only available in the Azure Cloud environment.

If you deploy in other environments, you have to create your own service principal manually. See Creating Your Own Service Principal.

Azure Credentials and the Automatic Service Principal

The Check Point cluster template automatically creates a service principal for each Virtual Machine, and assigns a Contributor role to the cluster resource group. Therefore, you do not need to create a service principal, assign it a role, and attach it to each of your individual cluster resources. For more information, see What is managed identities for Azure resources?

After you deploy a Check Point cluster, the automatic credentials can be found in Azure Portal > Resource groups > cluster_resource_group > Access control (IAM). There are two service principals for each Cluster Member, each with a Contributor role.

Important - When deploying the solution using an existing VNet, you must assign a Contributor role to the cluster VNET resource group for each cluster's managed identity created by the deployment, since these roles are not automatically assigned.
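
A check for the role requirement above, as an added example (not Check Point's code). It reads role assignments in the shape that `az role assignment list --all -o json` returns and reports cluster identities that lack Contributor on a required resource group, plus Contributor grants wider than a resource group. The subscription ID, principal IDs and resource group names are constructed placeholders.

```python
# Constructed sample in the shape of `az role assignment list --all -o json`.
# Subscription ID, principal IDs and resource group names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
MEMBERS = ["member1-principal-id", "member2-principal-id"]
ASSIGNMENTS = [
    {"principalId": "member1-principal-id", "roleDefinitionName": "Contributor",
     "scope": SUB},
    {"principalId": "member2-principal-id", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/cluster-rg"},
    {"principalId": "member2-principal-id", "roleDefinitionName": "Reader",
     "scope": SUB + "/resourceGroups/vnet-rg"},
]


def audit_cluster_identities(assignments, member_ids, required_rgs, sub=SUB):
    """Return (missing, too_broad) lists of (principal_id, scope) tuples."""
    # Azure resource IDs are case-insensitive, so compare in lower case.
    required = sorted(f"{sub}/resourceGroups/{rg}".lower() for rg in required_rgs)
    missing, too_broad = [], []
    for pid in member_ids:
        scopes = sorted({a["scope"].lower().rstrip("/") for a in assignments
                         if a["principalId"] == pid
                         and a["roleDefinitionName"] == "Contributor"})
        for req in required:
            # A grant on the group itself or on a parent scope is inherited.
            if not any(req == s or req.startswith(s + "/") for s in scopes):
                missing.append((pid, req))
        # Anything above resource-group level exceeds what the page asks for.
        too_broad += [(pid, s) for s in scopes if "/resourcegroups/" not in s]
    return missing, too_broad


if __name__ == "__main__":
    missing, too_broad = audit_cluster_identities(
        ASSIGNMENTS, MEMBERS, ["cluster-rg", "vnet-rg"])
    for pid, scope in missing:
        print(f"MISSING   Contributor for {pid} on {scope}")
    for pid, scope in too_broad:
        print(f"TOO BROAD Contributor for {pid} at {scope}")
```

In the sample, member 2 holds only Reader on the VNet resource group, which is the gap the Important note describes, while member 1 satisfies the requirement only through a subscription-wide grant.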

Creating Your Own Service Principal

See How to: Use the portal to create an Azure AD application and service principal that can access resources.

Best Practice - We recommend that you set the key to never expire. Go to your resource.

Step 3: Set Up Internal Subnets and Route Tables

You can use the Azure portal or the CLI to add internal subnets. You will now add the Web and App subnets to your Virtual Network.

For each internal subnet, you have to create an Azure routing table with these UDRs:

Important - Associate the newly created routing table with the subnet to which it belongs.

If the subnet houses the Security Management Server that manages the Cluster Members, add these routes below as well. This allows the Security Management Server to communicate directly with each Cluster Member, without passing through the Active Cluster Member.

Step 4: Set Up Routes on Cluster Members to the Internal Subnets

Step 5: Configure Cluster Objects in SmartConsole

Step 6: Configure NAT Rules

Note - See Creating Objects in SmartConsole.

Step 7: Set Up the External Load Balancer in Azure

By default, the template you deploy creates an External Load Balancer, with the name frontend-lb, which faces the Internet.

The External Load Balancer sends health probes to TCP port 8117 to determine the health of the CloudGuard IaaS Security Gateways.

Create the load balancing rules in the Azure portal to allow incoming connections:

  1. Go to External Load Balancer > Load balancing rules > Add.

  2. Click Add.

For more information, see Multiple Frontends for Azure Load Balancer. For an example, go to Step 9: Configure the Load Balancer to Listen on Multiple IP Addresses in Azure.

Step 8: Create Dynamic Object LocalGatewayExternal in SmartConsole

In SmartConsole, create the Dynamic object called LocalGatewayExternal.

This object represents the private IP addresses of the Cluster Members.

You use this Dynamic object in the next step.

  1. In SmartConsole, click the Objects menu > Object Explorer.

  2. From the top toolbar, click New > Network Object > Dynamic Objects > Dynamic Object.

  3. In the Enter Object Name field, enter (case-sensitive):

     LocalGatewayExternal

  4. Click OK.

  5. Close the Object Explorer.

Step 9: Configure the Load Balancer to Listen on Multiple IP Addresses in Azure

Configure the Load Balancer to listen on additional public IP addresses. This setup is useful if you want the Security Gateway to secure multiple web applications, each with its own public IP address.

Configure the Load Balancer to listen on a second public IP address on TCP port 80, and then forward the traffic to TCP port 8083 on the Check Point CloudGuard Security Gateway.

Configure Access Control Rule in SmartConsole

Load Balancer Conditions

The Active Cluster Member uses NAT to forward traffic that belongs to the two web applications to the right web server.

NAT rules are defined with the special Dynamic Object.

The Dynamic object LocalGatewayExternal represents the private IP addresses of the external interface of Member 1 and Member 2.

For more information, see Step 8: Create Dynamic Object LocalGatewayExternal in SmartConsole.

  • TCP 8081 | = Original | s App | Policy Targets

  • TCP 8083 | = Original | s Web | Policy Targets
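
A consistency check for Steps 7 and 9, as an added example (not Check Point's code). It verifies that every load balancing rule uses a TCP 8117 health probe, that its backend port has a NAT rule on the gateway, and that no two frontends share a backend port, since the NAT rules above select the web server by service port. The load balancer data is a constructed sample that assumes a simplified form of `az network lb show -o json` output; the frontend, rule and probe names are hypothetical.

```python
HEALTH_PROBE_PORT = 8117           # probe port stated in Step 7
NAT_PORTS = {8081: "App", 8083: "Web"}  # service port -> server, from the NAT rules

# Constructed sample; IDs are shortened placeholders.
LB = {
    "name": "frontend-lb",
    "probes": [
        {"name": "cp-health", "protocol": "Tcp", "port": 8117},
        {"name": "http-80", "protocol": "Tcp", "port": 80},
    ],
    "loadBalancingRules": [
        {"name": "app", "frontendPort": 80, "backendPort": 8081,
         "frontendIPConfiguration": {"id": "/placeholder/frontendIPConfigurations/pip-app"},
         "probe": {"id": "/placeholder/probes/cp-health"}},
        {"name": "web", "frontendPort": 80, "backendPort": 8083,
         "frontendIPConfiguration": {"id": "/placeholder/frontendIPConfigurations/pip-web"},
         "probe": {"id": "/placeholder/probes/cp-health"}},
        {"name": "blog", "frontendPort": 80, "backendPort": 8083,
         "frontendIPConfiguration": {"id": "/placeholder/frontendIPConfigurations/pip-blog"},
         "probe": {"id": "/placeholder/probes/http-80"}},
    ],
}


def _tail(ref):
    """Last path segment of an Azure sub-resource reference, or None."""
    return ref["id"].rsplit("/", 1)[-1] if ref else None


def audit_lb(lb, nat_ports=NAT_PORTS):
    """Return a list of (rule_name, finding) tuples; empty means consistent."""
    probes = {p["name"]: p for p in lb["probes"]}
    findings, port_owner = [], {}
    for rule in lb["loadBalancingRules"]:
        name, bport = rule["name"], rule["backendPort"]
        probe = probes.get(_tail(rule.get("probe")))
        if (not probe or probe["protocol"].lower() != "tcp"
                or probe["port"] != HEALTH_PROBE_PORT):
            findings.append((name, "probe is not TCP 8117"))
        if bport not in nat_ports:
            findings.append((name, f"no NAT rule for backend port {bport}"))
        # The gateway tells applications apart by port, so ports must be unique.
        frontend = _tail(rule["frontendIPConfiguration"])
        owner = port_owner.setdefault(bport, frontend)
        if owner != frontend:
            findings.append((name, f"backend port {bport} already used by frontend {owner}"))
    return findings
```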

Step 10: Configure VPN

In SmartConsole, create a Network Group object to represent the encryption domain for the cluster.